Web Browser Security: Disabling Java And Having Certain Applications Still Run

 Computing, Security  No Responses »
May 122013
 

The immediate reaction amongst security professionals to hearing about Java security exploits is to ask: “Haven’t you disabled Java in the browser yet?”. Disabling Java in the browser is both sensible, and a touch naive.

Browsing the big bad Internet with Java enabled is sort of like wandering around a major tourist attraction with an overly stuffed wallet half-poking out of your back pocket. An invitation for the less than moral to try their luck.

So disabling the use of Java within a web browser seems like a sensible suggestion, and is almost always the right thing to do in a domestic situation.

But in a corporate environment, there is almost certainly some “application” in use that requires Java (or even worse, IE6). And as soon as it is made plain that disabling Java will (or might) prevent corporate applications from working the reaction is to reject the measure to disable Java. Which is perfectly understandable – the cost to an organisation of a certain loss of access to a corporate application may very well be greater that the potential loss due to an unknown threat.

Or perhaps the cost of the former can be measured; whereas the cost of the later cannot.

However this overlooks a relatively simple solution to the problem :-

  1. Use one browser to run corporate applications. This can be as simple as a voluntary measure, or be made compulsory through a variety of controls. It could even go as far as to implement icons to access web-based applications as if they were desktop applications, using a browser deliberately configured to make general web browsing impossible or at least painful.
  2. Use a separate browser to access the Internet. This can be configured differently to prevent the use of dangerous plugins, and indeed can be updated without performing the whole bank of testing needed to confirm compatibility with corporate applications.

We have grown too used to assuming that a computer needs only a single web browser, and that all “applications” accessed through the web, should be accessed through that single web browser. Ignoring the fact that there are different requirements for browsing the web in general, and making use of corporate applications.

There are organisations where access to the Internet is banned because the risk to the organisation is too great. Other organisations reduce the risk by the use of the “air gap” where separate computers are used – one to access corporate applications, and the other to access the Internet.

That is going a little bit too far for most organisations, but that does not mean that increasing the “gap” between Internet access and corporate applications is not a sensible move. And using separate web browsers is the first step along the road of increasing that gap.

Datashur iStorage Encrypted USB Stick

 Computing, Security  No Responses »
May 012013
 

Sigh. Yet another company under the foolish impression that you have to stick an “i” in front of something to make it cool. Which is a bit of a shame really, because this is sort of cool :-

What it is, is an encrypted USB memory stick but unlike most others, this one does not rely on software. You enter the appropriate PIN code on the built in pad, and the storage is unlocked. With everything built into the stick there are a number of advantages :-

  1. It’s a lot simpler. There’s no special software to run to decrypt and encrypt a special file on the memory stick. 
  2. Because it’s simpler, it’s harder to make mistakes – there’s no chance of accidentally writing unencrypted data to the stick – don’t laugh, it happens!
  3. Also because it’s not based around a software package, there’s no platform limitations – it’ll work fine with all the odd platforms you can find out there – Linux, Android devices, PS3s, old Unix workstations (if you can find a USB hole to plug it into), etc.

However it’s not perfect :-

  1. There’s concern about how long the keypad will remain reliable for. It should be more than reliable enough, as normal keyboards are reliable for millions of key strokes, and this keypad may well be more reliable (it’s simpler). 
  2. Because the PIN is only effective whilst the memory stick is “mounted”, it may require a lot of PIN entries when used in certain ways – such as a bootable device.
  3. Entering the PIN whilst the memory stick is attached may be tricky; it might be better used on an extension lead. Although it’s possible to enter the PIN whilst disconnected, this doesn’t seem natural.
  4. Given the environment that most USB sticks live in (i.e. pockets or handbags), there is a concern that moisture, dust, or fluff could work itself into the casing and interfere with the workings. However the case that fits over the keyboard seems to fit quite well including a rubber seal that should help.

One thing that came as a surprise when I first got it was that it has a re-chargeable battery which seems a touch odd until you realise that some operations can only take place when this stick is not connected. This includes changing the default PIN code, and of course this numbskull took an age to realise that you cannot set the PIN code when it is connected to the computer!

Once that was sorted out, it took very little longer to have a properly working USB stick. It works very much the same as any other USB stick except that when it becomes “unmounted” (I use this under Linux) it refuses to act as a USB memory stick until the PIN is re-entered.

Physically it is on the larger size of what is sensibly carried around in the pocket, but obviously could not be much smaller without making the keypad smaller than it is. Whilst usable, any smaller and the current keypad would become very awkward to use for those with larger hands (such as me).

Long term robustness will have to wait until it has been in my pocket for more than a week. However so far, the following observations have occurred :-

  1. The paintwork of the external casing (the cover for the stick itself) may not be especially robust as a few scratches have already appeared.
  2. The wire loop for attaching to a keyring feels a little flimsy, but perhaps that is because the expectation is for a key ring rather than a loop of wire.
  3. The mechanism for unscrewing the wire is a little fiddly.

The “Real” History of the Web

 Computing, History  No Responses »
Apr 302013
 

Today’s news stories include an item on CERN’s initiative to re-create the very first web page, and it included a tiny bit of history of the web.

The only trouble? Their (the BBC’s that is) history of the web doesn’t quite match my memories of how it happened, and as it so happens I was there. Not at CERN of course, and I can’t claim to be a particularly significant part of the history of the web. But I did create one of the earliest web servers in 1992, and again in 1993 (the archived copy was made in 1997).

The big error in the BBC’s article was the importance of the discussion of whether CERN should try to retain control of the web or leave it to the public to decide. Whilst that decision was undoubtedly important – particularly for keeping the web standardised – it wasn’t quite as important as described as by 1993, the web was already “out there”.

CERN did release the very first server software to support the web, and the very first web browser way back in 1991. The server software (at least by the time I saw it) was pretty much a standard Unix-based piece of software so it could be compiled and run on pretty much any Unix-based machine. The browser (WorldWideWeb) on the other hand was restricted to NeXT-based machines which were relatively rare; most people were restricted to a text based browser called Lynx. The popularity of the web took off when an NCSA project introduced a graphical web browser called Mosaic.

If it had not been for Mosaic, it is quite possible that another graphical web browser would have popularised the web anyway – CERN’s browser had shown what was possible. And Mosaic was not the only graphical browser being created at the time.

The other thing that is often overlooked was that CERN’s “web” wasn’t unique in being an application with a “browser” and a “server” that allowed information to be fetched across the Internet and displayed appropriately. One of the biggest competitors was Gopher, but there were others around at the time. Indeed most early web browsers would happily display “gopher pages”.

The unique “selling” point of CERN’s web, was the use of hypertext as the main content which allowed for information to be presented on the same page as navigation content – most alternatives would have hierarchical menus to browse through until you found the information you wanted at the bottom of the tree.

By 1993, CERN’s “web” was already so widely in use that they had no choice about keeping it to themselves; indeed the decision made by CERN was to formally make their software “public domain” but it was effectively after the horse had bolted.

This sounds like an attempt to trivialise what CERN did – it isn’t. They deserve plenty of credit for what they did, but neither should we forget that something very similar was already happening, and in the end it was the people who created the first interesting web pages and not just the people at CERN who deserve the credit for today’s web.

Discarding Log Messages with rsyslogd

 Computing, Working Notes  No Responses »
Apr 252013
 

Normally when I want to do something other than the “standard” thing with logging, I replace whatever came with the server with syslog-ng, but I’ve just had an urgent need to do something with rsyslog. Specifically exclude any messages with reference to a certain card that was generating “corrected” errors at a vast frequency … enough that my /var filesystem was filling up regularly.

Turns out to be surprisingly easy, if you figure out how to get rsyslogd to read the updated configuration.

First the rule :-

:msg, contains, "pcieport 0000:00:09.0" ~

This more or less translates as look for the string “pcieport …” in the complete message sent to syslog and if it appears then discard.

It turns out (quite sensibly) that this needs to appear before any rule sending messages off to a file to get stored for later. And of course the configuration file to edit was /etc/rsyslog.conf.

Before blindly restarting, it’s quite nice to have something that will check the syntax of what you’ve just written to make sure it is valid. Nobody gets this stuff right first time! Turns out there’s a simple way :-

# rsyslogd -f /etc/rsyslog.conf -N 1

Once that stopped giving an error, I needed to get the running daemon to accept configuration changes. It seems that whilst it accepts SIGHUP, it perhaps does not re-read the configuration file so a full restart is necessary :-

# /etc/init.d/rsyslog restart

What’s With The Twelve Times Table?

 Politics  No Responses »
Apr 162013
 

In recently announced plans, it appears that the government is going to change the primary school curriculum to include (amongst other things) teaching the times tables up to 12. Now I’m not sure about the other plans, but the insistence on the 12 times table sounds a little to me like an old-school Tory frothing at the mouth declaring that if they had to learn the 12 times table then everyone else should do as well.

Why did we learn the 12 times table? Yes, me too! Who knows, but it may have something to do with 12 inches to the foot. Which of course is totally irrelevant these days given we have sensible decimal based units.

There are those who say that the bigger the times table you learn, the more useful it is. True enough, but once you get past the 10 times table, the incremental value diminishes. And there’s one thing that people forget: Learning the times table is just about the most tedious learning it is possible to do and each extra increment to the size of the times table we teach children should have a damn big incremental value.

Or to put in other words, the larger you make the times table, the more children get turned off maths. Is it worth turning children off maths for those extra 2 numbers 11 and 12? Far better to avoid putting off those children and just teach the 10 times table. If you know that, and a few tricks, then any multiplication is possible.

And frankly a lot of simple arithmetic tricks can be sold as “cheats” which is undoubtedly a nifty way of getting children to have fun whilst learning maths.

 

 

 

 Older Entries  Newer Entries