These are posts tagged ‘software’

Web Application Cracking Workshop #1

Yesterday I was at the Hackspace to learn about web exploits and security testing from Darren McDonald. The following is a write-up of what we did and learnt that afternoon.

The brief warning we were given at the beginning went something like this: if you try and compromise somebody’s machine without their permission, you stand a decent chance of being prosecuted under the Computer Misuse Act. Which probably means never getting a job involving computers again. All the hardware we were trying to break yesterday was owned by Darren.

To start, we were pointed to the (free) Burp Suite and shown how to intercept HTTP requests by proxying traffic through 127.0.0.1:8080. Every request and response is shown in Burp before being passed on, with the option to modify any part of the request before it reaches the server.

As a web developer, I’d always heard that relying on client-side validation was A Bad Idea, but I’d never seen just what can happen if you don’t validate input server-side. The moral of the story?

If you’re relying on the browser to provide decent, well-formed information (including from things like hidden fields): don’t.

We were shown a purposefully badly written online store as an example, where the cost of a product was a parameter in the request (!). Using something like Burp, it’s easy to set a GET or POST parameter (the cost, in this case) to whatever you want.
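To make the point concrete, here is an added example (not code from the workshop or from the store Darren showed) of the same defect and its fix: a checkout handler that believes a price parameter, next to one that only accepts a product id and looks the price up server-side, plus a check that flags a request whose price disagrees with the catalogue. The catalogue, the parameter names and the request dictionaries are all constructed for this illustration.

```python
"""Client-supplied price vs. server-side price lookup.

Added example, not code from the workshop or the original post. The store,
its product catalogue and the request dictionaries are constructed here.
"""

# Constructed server-side catalogue: the only place a price should come from.
CATALOGUE = {
    "sku-100": {"name": "Widget", "price_pence": 1999},
    "sku-200": {"name": "Gadget", "price_pence": 4999},
}


def checkout_vulnerable(params: dict) -> int:
    """Total the order using the price the client sent.

    This mirrors the deliberately bad store from the workshop: the cost is a
    request parameter, so whatever a proxy puts there is believed.
    """
    qty = int(params.get("qty", "1"))
    price = int(params.get("price", "0"))
    return qty * price


def checkout_hardened(params: dict) -> int:
    """Total the order using only the product id from the client.

    The price is looked up server-side; a 'price' parameter is ignored, and an
    unknown product or an out-of-range quantity is rejected outright.
    """
    sku = params.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(params.get("qty", "1"))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if qty < 1 or qty > 100:
        raise ValueError("quantity out of range")
    return qty * CATALOGUE[sku]["price_pence"]


def tamper_check(params: dict) -> bool:
    """Return True if the client sent a price that disagrees with the catalogue.

    Useful as a logging/alert signal: an unmodified browser only resubmits what
    the server rendered, so a mismatch means the request was edited in transit.
    """
    sku = params.get("sku")
    if "price" not in params or sku not in CATALOGUE:
        return False
    return int(params["price"]) != CATALOGUE[sku]["price_pence"]


if __name__ == "__main__":
    # Constructed POST body after the price field has been edited in a proxy.
    tampered = {"sku": "sku-200", "qty": "1", "price": "1"}
    print("vulnerable total (pence):", checkout_vulnerable(tampered))  # 1
    print("hardened total (pence):", checkout_hardened(tampered))      # 4999
    print("tampering detected:", tamper_check(tampered))               # True
```

The hardened handler treats every client-supplied value as untrusted: the only thing it accepts from the request is an identifier, and even that is validated against server-side state before it is used.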

And then it was time to talk about XSS. The simplest test for a cross-site scripting vulnerability on this site was to enter <script>alert(1)</script> into an input field. The example we were given was a guestbook, and we ended up with dialog boxes, JavaScript redirects and XKCD comics galore. I was reminded of the #cashgordon incident last year.
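As an added illustration of the guestbook problem (this is not the workshop's guestbook code), the following renders the same stored entries twice: once by interpolating the text straight into the page, which is what turns the alert(1) test into a real script, and once by escaping at the point of output. The entries and the list template are constructed here; the payload is the one from the session.

```python
"""Stored XSS in a guestbook: unescaped vs. escaped rendering.

Added example, not the workshop's guestbook code. The entries and the
template are constructed here; the payload is the one used in the session.
"""
from html import escape

# Constructed guestbook entries as they would sit in the database.
ENTRIES = [
    {"name": "Alice", "message": "Great workshop!"},
    {"name": "Mallory", "message": "<script>alert(1)</script>"},
]


def render_vulnerable(entries) -> str:
    """Interpolate stored text straight into the page.

    Whatever was submitted becomes markup, so the second entry's message is
    executed by every browser that views the guestbook.
    """
    rows = [f"<li><b>{e['name']}</b>: {e['message']}</li>" for e in entries]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_hardened(entries) -> str:
    """Escape at the point of output, so stored text is shown, not interpreted.

    quote=True also escapes ' and ", which matters when a value ends up
    inside an attribute rather than in element text.
    """
    rows = [
        f"<li><b>{escape(e['name'], quote=True)}</b>: "
        f"{escape(e['message'], quote=True)}</li>"
        for e in entries
    ]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def contains_raw_script(page: str) -> bool:
    """Crude post-render check: did a literal <script tag survive into the output?

    Handy as an assertion in a test suite, not a substitute for escaping.
    """
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(ENTRIES))
    print(render_hardened(ENTRIES))
```

Escaping on output rather than on input is the key design choice: the database keeps exactly what the visitor typed, and each place that displays it chooses the encoding appropriate to where the text lands.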

An hour after the session began, I was thinking about how session cookies are actually a huge headache, and one I hadn’t considered before Firesheep got everybody thinking. Using Darren’s session ID, it was easy to steal his session and abuse his “10% staff discount”.
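The session-theft part of the afternoon comes down to two things a site controls: whether the session ID is guessable, and whether it travels where a sniffer or an injected script can read it. The block below is an added example (not from the workshop) of a minimal server-side session store with unpredictable IDs, a Set-Cookie header carrying the Secure and HttpOnly attributes, and a small audit function you could point at headers captured in Burp. The cookie name, the store and the sample headers are constructed for this illustration.

```python
"""Session cookies: unpredictable IDs and cookie attributes that limit theft.

Added example, not from the workshop. The session store, cookie name and
the sample Set-Cookie headers are constructed here.
"""
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"  # constructed cookie name
REQUIRED_ATTRS = ("secure", "httponly")


class SessionStore:
    """Server-side table mapping opaque session IDs to users.

    The ID carries no information, but anyone who captures it can replay it
    (the Firesheep problem), so the transport has to be protected as well.
    """

    def __init__(self):
        self._sessions = {}

    def create(self, user: str) -> str:
        # 32 random bytes from the OS CSPRNG: not guessable and not sequential.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def user_for(self, sid: str):
        return self._sessions.get(sid)

    def revoke(self, sid: str) -> None:
        """Invalidate on logout or suspected theft, so a copied ID stops working."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Build a Set-Cookie value that keeps the ID off plain HTTP and away from script.

    Secure: never sent over http://, so a coffee-shop sniffer sees nothing.
    HttpOnly: document.cookie cannot read it, so a guestbook XSS cannot simply
    copy it out. SameSite=Lax: not attached to cross-site form posts.
    """
    return f"{COOKIE_NAME}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def missing_cookie_attrs(header: str) -> list:
    """Audit a Set-Cookie header (e.g. one captured in a proxy) for missing protections."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar[COOKIE_NAME]
    return [attr for attr in REQUIRED_ATTRS if not morsel[attr]]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("darren")
    print(set_cookie_header(sid))
    # Constructed header as a site without the flags would send it.
    print("missing:", missing_cookie_attrs("sid=abc123; Path=/"))
    store.revoke(sid)
    print(store.user_for(sid))
```

Note that none of this helps if the login page itself is served over plain HTTP; the Secure attribute only stops the browser sending the cookie in the clear, it cannot retroactively protect an ID that was already issued over an unencrypted connection.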

We worked through some examples of pages with progressively better input sanitisation, thinking about what the developer had done to protect their site and how we could get around it.

Moving on, we looked at SQL injection attacks and how you can then tell which kind of database the site is using. I’ve been working on limiting the permissions on, for example, the WordPress database user here, and this reinforced just how important it is.
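Two of the points in that paragraph, query construction and database permissions, can be shown side by side. The following is an added example, not the workshop's material: a search function that builds its SQL by string formatting (a plain apostrophe in the input already breaks it, and the resulting error message is what reveals the database type), the same search with a bound parameter, and a read-only connection standing in for the limited-permission database user mentioned above. It uses the standard-library sqlite3 module; because SQLite has no user accounts, an authorizer callback is used where MySQL or PostgreSQL would use a GRANT. The products table and sample inputs are constructed here.

```python
"""SQL injection: string-built query vs. parameterised query, plus a
least-privilege connection for the web-facing code.

Added example, not from the workshop. Uses the standard-library sqlite3
module; the products table and sample inputs are constructed here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory store with a couple of products."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        INSERT INTO products (name, price) VALUES ('Widget', 1999);
        INSERT INTO products (name, price) VALUES ('O''Brien''s Gadget', 4999);
        """
    )
    return conn


def search_vulnerable(conn, term: str) -> list:
    """Build the SQL by string formatting: user input becomes part of the query.

    An apostrophe in the search term breaks the statement, and the database's
    own error text is what leaks which engine is behind the site.
    """
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def vulnerable_query_errors(conn, term: str) -> bool:
    """Return True if the string-built query fails for this input."""
    try:
        search_vulnerable(conn, term)
        return False
    except sqlite3.Error:
        return True


def search_hardened(conn, term: str) -> list:
    """Pass the input as a bound parameter: it is data, never SQL."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Least privilege for the web-facing connection.

    SQLite has no users, so an authorizer callback stands in for a database
    account granted SELECT only: writes and schema changes are refused even
    if an injection does get through.
    """
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def write_attempt_blocked(conn: sqlite3.Connection) -> bool:
    """Return True if the connection refuses a DELETE."""
    try:
        conn.execute("DELETE FROM products")
        return False
    except sqlite3.DatabaseError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(search_hardened(db, "O'Brien"))             # ["O'Brien's Gadget"]
    print(vulnerable_query_errors(db, "O'Brien"))     # True
    restrict_to_reads(db)
    print(write_attempt_blocked(db))                  # True
    print(search_hardened(db, "Widget"))              # ['Widget']
```

Parameterisation is the fix; the permission restriction is the safety net for the day a query is missed. If the WordPress database user here only holds the privileges the site actually needs, an injection that does get through cannot drop tables or write files.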

Apparently 10–20% of sites have some kind of SQL injection vulnerability, which is a worryingly large number.

It was great to get a broad overview of the basics of web security, and it’s given me plenty to think about for past and future projects. Brilliant to see a couple of people interested in joining the Hackspace after attending the session, too. Many thanks to Darren for taking the afternoon to share his expertise, and I’m looking forward to the next one.

Fraser Speirs

David was kind enough to invite me back to St Paul’s yesterday to hear Fraser Speirs, the chap behind FlickrExport and Darkslide, talk about his rollout of an iPad to every pupil at Cedars School of Excellence near Glasgow.

Fraser spoke about the situation that led up to the iPad decision; the scarcity of MacBooks in his school, the lack of faith in the iPod touch as a complete desktop replacement. He talked about the deployment process, and how it’s completely changed the way many subjects are taught.

The example he gave that stuck with me was Art. A teacher can use Brushes on the iPad to create a drawing that illustrates a particular artistic technique. Brushes will create a ‘recording’ (a timelapse) of the creation, which can be exported and played back. And then, the magic: during a class the teacher can talk over the video and carefully explain the technique. If you’re an Art teacher and that doesn’t make you want an iPad… I’m speechless.

Then, the Q&A (I’m paraphrasing from memory – please correct me if I’ve got this wrong). George asked whether Fraser was worried that he was sending kids out into the world who couldn’t use Microsoft Office.

Fraser responded by saying that it wasn’t a worry, but it was something to think about. He went on to say that there’s no way to tell what the world of work will be like in 2023, when some of these kids will leave school.

Having worked in a huge organisation for (only!) six months so far, this worried me. I’ve experienced the brain-achingly slow rate at which IT in corporations—at least this corporation—moves. Internet Explorer 8 was released in March 2009; it’s being pushed out in June 2011, over two years later. Our Windows 7 release will start in November this year and conclude in September 2014, a full five years after the retail release. By 2015, all 100,000 employees will be running Windows 7. I’m willing to bet (and this is a total guess, I don’t work in IT or have any inside information) that even in 2023, Microsoft will be an important part of this company’s infrastructure.

Is that a good thing? Nope, not one bit. But what’s going to happen here? Will the next generation start avoiding job ads that require some kind of Microsoft Office competency? I’m really worried about the future for large companies that have such a heavy reliance on Microsoft who haven’t learnt to adapt yet. To offer, for example, new starters the OS of their choice. This talk has prompted some really interesting conversations here about the future of education and work, thank you Fraser.

Dear YouTube, Here’s a Rant

I don’t know where to start with this.

YouTube Flash Fail Upgrade

My Favourite Windows 7 Feature

My Favourite Windows 7 Feature from Alex Muller on Vimeo.

The taskbar glow is just gorgeous. It takes the most prominent colour in the icon, and makes the entire application bar glow that colour.

iPhone Scrobbling

Dear Apple,

iPhone Settings
iPhone Music Settings
iPhone Last.fm Settings

I’ve had my iPhone almost a year now. It’s been out for a little over twenty-four months, if I can add up right. Is there a decent reason that I still have to jump through hoops to add music I play to Last.fm? Sure, Last.fm is a comparatively small site [1] – but you’re touting Facebook and Flickr exporting features as a pretty major upgrade to iPhoto. Plus, I can’t imagine that something like this would be particularly difficult for you guys to code.

It’s not like scrobbling is really data-intensive, either. Basically, I just don’t see why you haven’t done it yet.

Cheers,

Alex

Click the images for bigger versions. No, you get no points for realising I did them in Photoshop; it’s not tough.

  1. 30 million active users, versus Facebook’s 200 million; so says the Gospel according to Wikipedia

System Preferences » Accounts » Advanced Options

Here’s one I’ve never seen before, never even seen it mentioned, and it was pretty cool to happen upon. If you right click on a user in System Preferences » Accounts, you get a sheet that looks a little like this:

System Preferences » Accounts » Advanced Options

Is it just me, or is that big red WARNING: one of the least Apple-esque things on the Mac?

Software Evolution, User Acceptance

I took the photo below as a bit of a joke (hey, Vaio stickers are a joke… right?) but it’s interesting to have a record of the "old" Google Reader which was on my screen at the time. When it recently changed, I remember quite a few people complaining at how the layout seemed less intuitive; now, of course, I’d easily vote for the new, cleaner look.

Google Reader – May 2008

Sometimes, I guess you just have to get through a few days or weeks of your users complaining at change – especially in this fairly new space of constantly evolving online software. And other times, the change isn’t so great and your users might actually have valid concerns (hey, Facebook, look over here).

Twitter Clients for the Mac

Business School 101: Twitter Clients for the Mac

Here’s hoping Tweetie for Mac fills the void.

‘Beta’ and ‘Invite-Only’

Skitch

I’ve had the chance to play with Plasq’s new beta-invite-only software Skitch for about a month now, and it’s really great.

At the same time however, it highlights (for me at least) a problem with beta software in general. I’ve been sitting, making silly little pictures, happily using this software. The thing I’ve failed to take into account is that so far, it’s been completely free.

I wonder what happens when I have to pay £15 for the software – chances are, I’ll stop using it… and this goes for everything, including (but not limited to) Gmail, Flickr and Last.fm. As a side note, I actually do pay a tiny amount for some extra features on Last.fm and probably would pay for Gmail if they implemented the same system. So beta software is all well and good, but remember that it won’t stay beta forever (or maybe it will, who knows these days).

And as for invite-only sites and software: keep doing it, but make sure I get an invite – it makes me feel all special inside… :)