Archive for July, 2007

Short, Clean URIs Are More Secure

Tuesday, July 31st, 2007

There are lots of reasons to use clean, short, readable URIs. Search engines like them. People have some hope of dictating or typing them correctly. Email clients are less likely to mung or truncate them. They give people navigational cues and an extra way to navigate a website. You can even fit them on one billboard (unlike say this one).

One generally ignored advantage is security.

Many phishing, XSS, CSRF and other URI-based exploits rely, at least in part, on putting stuff the user does not understand in the URI.

Here are a few real URIs from popular websites all found inside a minute within 3 clicks of the home page:

Having let people get used to that sort of garbage from sites that they should be able to trust, you can’t really be surprised that normal people can’t tell the difference between an XSS attack hidden in URL encoded JavaScript and a real, valid, safe URI. Even abnormal people who can decode a few common URL encodings in their heads are not really scrolling across the hidden nine tenths of the address bar to look at that lot.

It won’t help everybody. There are always going to be people who are happy to believe that their bank sends them email from a free address like bank.of.amerika@hotmail.com, and sufficiently sophisticated social engineering is always going to work on some people, some of the time, but the sites that are particularly popular with phishing attacks are making it unnecessarily easy.

If commonly used sites had short, sensible URIs, it would not take genius on the part of slightly cynical users to notice that every real bank URI they had seen in the past looked something like https://www.bankofamerica.com/myaccount/login, so the 300 character monstrosity full of percent symbols and ampersands that they were being presented with is a little on the fishy side.
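As an added example (not from the original post), here is a small URI hygiene check of the kind a site owner could run over their own links to find the "monstrosities" described above: it measures the length, parameter count and percent-encoding that stop a person from reading an address, and flags anything that decodes to markup or is encoded twice. The thresholds and both sample URIs are constructed assumptions.

```python
"""URI hygiene check: flag addresses a person cannot read at a glance."""
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed thresholds: what a person could plausibly dictate or type.
MAX_CLEAN_LENGTH = 80
MAX_CLEAN_PARAMS = 2
# Characters that only make sense as markup, never as part of an address.
MARKUP_CHARS = set('<>"\'')

# Constructed samples: a readable bank-style URI and an unreadable one.
CLEAN_URI = "https://www.bankofamerica.com/myaccount/login"
UGLY_URI = ("https://www.example.com/cgi-bin/view.cgi?sid=AB12&page=home"
            "&ref=%3Cb%3Ehi%3C%2Fb%3E&redir=%252Fhome")


def uri_findings(uri: str) -> list[str]:
    """Return human-readable reasons this URI looks unlike a clean one."""
    findings = []
    parts = urlsplit(uri)
    if len(uri) > MAX_CLEAN_LENGTH:
        findings.append(f"length {len(uri)} exceeds {MAX_CLEAN_LENGTH}")
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) > MAX_CLEAN_PARAMS:
        findings.append(f"{len(params)} query parameters")
    encoded = uri.count("%")
    if encoded:
        findings.append(f"{encoded} percent-encoded sequences")
    once = unquote(uri)
    # If decoding a second time changes anything, part of it was encoded twice,
    # which nobody decodes in their head while glancing at an address bar.
    if unquote(once) != once:
        findings.append("double percent-encoding")
    hidden = MARKUP_CHARS & set(once)
    if hidden:
        findings.append("decodes to markup characters " + "".join(sorted(hidden)))
    return findings


def is_clean(uri: str) -> bool:
    """True when nothing about the URI would make a cautious reader suspicious."""
    return not uri_findings(uri)


if __name__ == "__main__":
    for sample in (CLEAN_URI, UGLY_URI):
        print(sample, "->", uri_findings(sample) or "clean")
```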

Now, go and tidy your room.

OSCON 2007 Talk: Striving for Less Ugly Charts and Graphs From PHP

Friday, July 27th, 2007

Here are the slides for my talk today.

Striving for Less Ugly Charts and Graphs From PHP

My Proudest Achievement: A Downloadable Certificate from eBay

Thursday, July 26th, 2007

eBay amuses me. They sent me a message the other day telling me that in recognition for my sterling efforts in buying other people’s junk and sometimes selling my own junk I could download a certificate. The message said “We’re cheering you on every day” and “We hope you’ll download your Turquoise Star Certificate and display it proudly.”

Presumably, there must be people out there who feel special when they get a form letter or the geniuses that populate big company marketing departments would not send them out all the time, right?

Here’s their message:

Congratulations! You’ve achieved a feedback rating of 100! With a Turquoise Star beside your user name, you are an active and well-established member of the eBay community.

We want to thank you for helping make eBay, The World’s Online Marketplace™, a safe and vibrant place to trade. Your success is our success. We’re cheering you on every day.

We hope you’ll download your Turquoise Star Certificate and display it proudly. You’ve certainly earned it! (You will need Adobe Acrobat Reader. If you don’t have it, get it here.)

Again, congratulations on your success, and keep shooting for the stars!

Meg Whitman
President and CEO, eBay Inc.

Here’s my reply:

Dear eBay,

I recently got a message in my eBay messages signed “Meg Whitman President and CEO, eBay Inc.” congratulating me on getting a feedback rating of 100 and being given a turquoise star.

It said “We hope you’ll download your Turquoise Star Certificate and display it proudly.” Naturally, I was very pleased to see this. After all, it is not every day that the CEO of a major internet company personally sends me a message, and not every day I get a certificate to proudly display behind my desk.

Naturally, the first thing I did was bid on a certificate frame in an eBay auction so I would have somewhere to display it proudly as instructed. (Item number 200119977791)

However, after admiring it on my wall for a while I started having nagging doubts. I realised that the message from Meg (I hope she does not mind me calling her Meg, after all, she is sending me messages) does not include my name. It probably was not personally sent by her at all.

Worse yet, my certificate does not have my name on it either. If one of my coworkers steals it, they could easily pretend that they were awarded a Turquoise Star Achievement Award rather than me. Surely eBay has access to the kind of advanced technology required to insert a custom name into a PDF file?

My state of mind only went downhill from there. I realized that anybody can go to http://pages.ebay.com/awards/StarAwardTurquoise.pdf (the URL Meg kindly sent me) and print out a Turquoise Star Achievement Award of their own. The high esteem that my coworkers were holding me in because of my Turquoise Star Achievement Award could be diluted at any moment by somebody else printing an award they did not earn.

The final slap in the face was when I realized that just by guessing file names, I could download better awards.
http://pages.ebay.com/awards/StarAwardPurple.pdf
http://pages.ebay.com/awards/StarAwardGreen.pdf

How am I supposed to take pride in my award when I know that anybody else could simply print out a better one? My coworkers’ respect and admiration for me could evaporate instantly when somebody else figures out these URLs and prints a better Achievement Award than mine.

Do you think Meg would be happy if her MBA from Harvard Business School was suddenly rendered valueless by a link allowing anybody to print out a DBA from Harvard’s web site?

The seller of the certificate frame does not specify a return policy, so I don’t know if they will accept disillusionment with the award contained in the frame as a valid reason for a refund.

Luke Welling
Turquoise Star Achievement Award holder

Of course, eBay being eBay it is hard to tell if my message went to a person or to a very small script. I did get a reply. They promised to investigate whether the email really came from eBay or whether it was a phishing message.

And, of course USPS being USPS, the frame I ordered on eBay was smashed before it reached me.

Glory is such a fleeting thing.

Self Esteem and O’Reilly Animals

Thursday, July 26th, 2007

Listening to James Reinders talk about Intel Open Sourcing their Threading Building Blocks got me thinking about O’Reilly animals.

James seemed kind of underwhelmed at being assigned a canary.

Intel Threading Building Blocks: Outfitting C++ for Multi-core Processor Parallelism

To be honest, I can see why. As mascots go, canaries are not an A-list animal. If half the other mascots would eat yours, and the other half could accidentally step on it and kill it, then you have not been well served.

Sure, there are only so many A-list animals to go around. It is not so surprising that the lions, tigers and elephants are already taken, but B-list can be fine too. Perl has adopted the camel with an enthusiasm far beyond what camels are used to. Hugh and Dave got a good one for their PHP and MySQL book. The platypus is a great animal for PHP. Sure, it looks like it was put together out of parts of other animals, but it is reasonably attractive, and has the kind of street cred you get from being poisonous.

But really, a canary? A scallop? A sand dollar? A moth? A beetle? It is hard to find glamour or prestige in mollusks and other invertebrates that spend their short lives munching on decomposing waste.

I wonder if many of the people who get an invertebrate or a puny vertebrate ever write a second book for the same publisher, or if they quietly slink away and hide their book inside a Harry Potter dust jacket.

OSCON 2007 Tutorial: PHP and MySQL Best Practices

Wednesday, July 25th, 2007

Here are the slides for our talk today.

best_practices.pdf

If this site is slow, you can try http://www.laurathomson.com