Entries:
Comments:
Posts:

Loading User Information from Channel 9

Something went wrong getting user information from Channel 9

Latest Achievement:

Loading User Information from MSDN

Something went wrong getting user information from MSDN

Visual Studio Achievements

Latest Achievement:

Loading Visual Studio Achievements

Something went wrong getting the Visual Studio Achievements

Discussions

Bass Bass Knows the way the wind is flowing.
  • Why no Silverlight or Flash

    , evildictait​or wrote

    *snip*

    Yes. Talking about sanitizing all user input against all possible vulnerabilities is a silly strawman that only you keep bringing up, and is totally irrelevant to the whole discussion.

    I'm saying XSS and CSRF are fundamental problems in the web-stack. Those are two very specific classes of vulnerability that don't affect other platforms and other languages. It turns out that both are pretty easy to defend against - but the fact that you have to defend against them in the first place is because the web is broken

    And the fact that you still can't point to a single non-trivial website that hasn't been affected by them - including those with brilliant engineers, buckets of money and legions of security consultants - should probably give you a bit of a hint that this isn't just an esoteric information-theoretic problem. It's a fundamental flaw caused by the mis-design of the web in the 90s.

    At it's core, XSS is a fundamental flaw in textually generated HTML. If HTML were generated via DOM manipulations, XSS would not exist. XSS will continue to exist, until web-developers as a whole move away from dynamically generating textual HTML.

    XSS is a consequence of the pervasive anti-pattern of websites generating HTML textually; the few frameworks that get close to eliminating it are those which force the programmer away from textual output of HTML.

    The problem isn't that HTML is human-readable. Python files, batch files and WScript files are all human readable, but don't (as a whole) suffer from code-injection flaws. The fact that this affects the web is because of the pervasive anti-pattern of textual generation. Not an inevitable consequence of human readability.

    And CSRF is a fundamental flaw in HTTP. The statelessness of being able to visit a form submission page without first visiting the form page is precisely because of the statelessness of HTTP. CSRF is literally a hack that every website has to add to their forms to compensate for the fact that HTTP was mis-designed to be stateless in the 90s.

    These are architectural flaws in the web. Not silly implementation flaws by individual junior developers. The problem lies in the way the web was mis-designed.

    HTTP has all the tools built right into the protocol to prevent CSRF. And XSS can be easily avoided by not treating the site HTML as a text macro. So saying web technology is fundamentally flawed is just silly at best and FUD at worst.

    The web has actually made things better because in the pre-web days people would use fat clients with raw x86 code in them that can do who knows what with your computer.

  • Why no Silverlight or Flash

    , evildictait​or wrote

    https://news.ycombinator.com/item?id=518752https://xach.livejournal.com/214252.html

    And no it really isn't impossible to sanitize user input against xss or csrf. If you think that, you should seriously step away from the keyboard and get immediate remedial security help from someone else at work, because frankly that attitude makes you a danger to yourself, your company and your users.

    And most people writing python aren't catting lots of python scripts together. Whereas the vast majority of everyone who has a non-trivial website glues bits of HTML together with attacker-controlled data and shoves it out to the user's browser. This is the problem.

    XSS and CSRF are architectural problems with the web in the same way that buffer overflows are an architectural problem in non-memory safe languages. And while we can all see it's theoretically possible to write a real webapp with no XSS or CSRF, it just doesn't happen in real life.

    The web was mis-designed back in the 90s, and we've been slowly upgrading the web to fix all of the horrendous architectural flaws hard-coded into the design back in the 90s.

    So yeah, please don't layer it on thick with ridiculous claims that the web doesn't have any serious problems in the web-stack, because it's just total BS and you know it.

    What's with the strawman? I said sanitize user input against all possible vulnerabilities, not just two well characterized ones. This is not some kind of controversial thing, Cohen's undecidability proof is not esoteric knowledge amongst cybersecurity professionals.

    No, you haven't proven that there is any serious flaws with the web stack, only that it is possible to create vulnerabilities if you do stupid things like cat user data with HTML. Perhaps it is a flaw with how some people create web applications. But there are frameworks out there that do not treat dynamic web applications like text macros, and as a plus make a lot more sense for creating the kind of responsive web applications people want to use anyway. As such there is no "fundamental flaw" with the web stack. Only a bunch of flawed people doing flawed things with it. :)

  • Nadella: Microsoft loves Linux

    , Ian2 wrote

    I was worried when a Linux signature turned up on my network so I blocked it's mac address (it was our Nest thermostat)

    Linux is also on smart TVs, set top boxes, [some] home routers, and more. :) It's possible you have more Linux systems in your home then you think!

  • Nadella: Microsoft loves Linux

    @vesuvius:

    Agreed.

  • Nadella: Microsoft loves Linux

    http://www.theregister.co.uk/2014/10/20/microsoft_cloud_event/

    This is a pretty big deal, considering the last CEO called Linux a cancer. :)

  • A few interesting nuggets from MSFT earnings

    , cbae wrote

    *snip*

    How many years have rags like the Register dug into the numbers and predicted Microsoft's demise? 



    My guess is 0 or greater.

  • Why no Silverlight or Flash

    That's a different website, consequently going by a similar name. I'm sorry, but this won't be as easy as the same Google searches I did. :)

    And no, it is not impossible to sanitize user input. Thats a pretty odd claim.

    Yes, it is actually impossible to sanitize user input for all arbitrary vulnerabilities (Cohen; 1998). You can sanitize for some list of known vulnerabilities, but sanitizing for all possible vulnerabilities is proven to be beyond computability. In the "non-computable function (eg. halting problem)" sense. Finally, Turing machines are relevant here. :)

    and it's not about human readability either - python doesn't suffer this, and nor do wscript files or batch files. It's about the way html is generated on the fly as though it were a text file, instead of recognizing its a Dom.

    Right. The same underlying problem though, if I generate dynamic Python files by cat'ing user data with them, I get the same problem. But that would be silly, no? That's not the correct way to develop web applications either.

  • Why no Silverlight or Flash

    I think I get what you are trying to say. So your beef with HTML is that is human readable. It comes from the fact that HTML is understandable to humans. So people will code methods like cat'ing user data with the page. But that's just a bad programming practice and easily avoided. You can in theory serve up any kind of data this way, not just HTML. But people don't understand machine code for instance, so they are less likely to program in this manner. But at the same time, the fact that HTML is human readable is a big reason for its success and popularity, I'd think. :)

    It's a bit like why we even use the von Neumann architecture to begin with, the code-as-data idea leads to many problems but also simpler and more flexible computer systems. Security is important, but it's only a tangential concern. If you give security concerns veto rights over all decision making the end result always ends up being a non-functioning system. Because a non-functioning system is the only truly secure system.

  • Why no Silverlight or Flash

    , evildictait​or wrote

    *snip*

    If it's security FUD, surely it won't be hard for you to find a single counter-example. Come on, Bass, I'm really low-balling it for you here. Just ONE.

    *snip*

    And yet it doesn't affect other platforms that allow a translation between code and data - like WinForms. You can reflectively load code from a string, but I can point to literally hundreds of WinForms apps that never did, and are secure - but you cannot point to a single non-trivial website that has never had an XSS or CSRF vulnerability.

    *snip*

    No. I'm saying that XSS and CSRF are fundamental problems in the design of the web, because substantially all websites have had one or other or both at some point in their past - even when designed by the best engineers in the industry, like engineers at Microsoft, Google, Facebook and Twitter, and companies with huge wallets like banks.

    If you can't even find a single example of a non-trivial website that has never had XSS or CSRF, then they are not "just an implementation bug" or a problem with the fact that the web's languages are Turing-complete - it is an inherent and critical flaw in the underlying system itself.

    XSS and CSRF are systemic platform vulnerabilities in the way that memory-corruption vulnerabilities are systemic platform vulnerabilities in C/C++ - and the fact that XSS and CSRF exist is not because the web is a von-neumann architecture (which it isn't), but because the web was fundamentally mis-designed in the 90s.

    If HTML wasn't generated by a script, but was generated by direct manipulation of a DOM, and HTTP wasn't stateless, it was stateful, these vulnerabilities would simply not exist. The fact that they do is because of a foundational problem with how the web was designed.

    Hacker News maybe? I couldn't find anything on Google about it having a XSS vuln in its past, and I figure if it did someone would find one given its audience. :)

    I provided evidence (see Cohen; 1998) that any system that allows for user input can be compromised, and not only that, that we will NEVER truly fix this, because it's mathematically impossible to perfectly sanitize user input from all possible vulnerabilities.

    All and all, most garden variety XSS vulnerabilities are actually fairly trivial to avoid and come from sloppy coding. Obviously, there is always someone sneakier then you think, but remember, mathematically impossible. :)

  • Why no Silverlight or Flash

    , evildictait​or wrote

    *snip*

    The bug in jQuery, which is 30% of the Internet just by itself, plus the bug in Wordpress which is a further 22%, takes us past the 50% mark straight out of the gate.

    And then I listed all of the major tech companies, and several banks.

    But yeah, I look forward to your counterexample.

    Still not substantially all. I'm sorry if it seems like I'm being pedantic, but you made a really egregious claim that came off as security FUD.

    Any system that treats data and code interchangeably requires active mitigation, and even so, it is impossible to guarantee safety, as Cohen has proven. Since von Neumann systems treat code and data equivalently, it follows that it is actually impossible to guarantee that a user input will not be malicious. So forgive me for not understanding how your beef with the web doesn't affect every other von Neumann system in existence.

    But let me understand, your argument is that the web itself flawed because popular and complex software systems that happened to interact with the web have even had vulnerabilities in the past?