Category Archives: Blog

Our thoughts and ideas about the latest in web technologies.

Shellshock, Heartbleed, and the Gradual Downfall of Open Source

The number 404 with shatter marks
credit: Wired.com
Back in April, we reported on Heartbleed, a vulnerability found in OpenSSL, an open source implementation of SSL. SSL is designed to protect the transmission of sensitive and important information over the web.

A new bug turned exploit has recently been discovered. This one is called Shellshock, and it lies in the very base structure of the internet itself. In fact, Wired says this is just the beginning.

In 1987, Brian Fox drove from Boston, Massachusetts, to Santa Barbara, California, with two massive reel tapes in the trunk of his car. On those tapes was Bash, a tool for the UNIX operating system he had written and tagged with a license that let anyone use the code and even redistribute it to others. After arriving in California, Fox continued to work on Bash, and gained other developers on his team to develop it as well. Eventually, Chet Ramey, a developer from Case Western Reserve University in Cleveland, took charge of the project and works on Bash in his spare time.

Bash found its way onto tens of thousands of machines. But somewhere along the way, in about 1992, one engineer typed a bug into the code. Last week, more than twenty years later, security researchers finally noticed this flaw in Fox’s ancient program. They called it Shellshock, and they warned it could allow hackers to wreak havoc on the modern internet. – Wired.com

Ramey isn’t positive, but he told Wired he wouldn’t be surprised if he himself coded the bug back around 1992. That makes it possibly the oldest significant unpatched bug currently known, at least as far as anyone can figure out.

It makes one wonder if Open Source is as good as people claim it is.

Open Source is accessible. It’s often free, or very cheap, and extremely customizable because its source code isn’t hidden behind compiled executables. Anyone with programming knowledge can peer into its depths and change, update, or fix what they see. The idea behind Open Source was to use the “Many Eyes” rule developed by Linus Torvalds. It touted faster software releases and fixes, more secure software, and fewer bugs. In an ideal Open Source world, this would likely be the case.

“[T]here’s a lot of code that doesn’t actually get very many eyes at all,” Torvalds told Wired. “And a lot of open-source projects don’t actually have all that many developers involved, even when they are fairly core.”

This lack of developers defeats the purpose and idea behind Open Source and the “Many Eyes” ideal.

Another issue this brings to light is the lack of security auditing that is actually being done. A lot of the older code that sits at the core of the internet was created at a time when auditing that software didn’t really make sense; its authors never predicted that it would become such an integral piece of the communications network they created. And by the time auditing made sense, the software had already been in use for 15 years. That doesn’t mean that large companies with the manpower and ability to do such audits shouldn’t have done them, but they didn’t, because the software was simply accepted to be safe.

Even with Shellshock, Brian Fox is still proud of the project he once drove across the country. “It’s been 27 years of that software being out there before a bug was found,” [Ramey] says. “That’s a pretty impressive ratio of usage to bugs found.” – Wired.com

PCWorld Magazine reported that patches have already been released, and have also already been hacked. According to their article, “…neither patch addressed the underlying risky behavior of parsing remotely originating strings.”

Red Hat product security researcher Florian Weimer has developed a more durable patch, and Ramey has accepted it as Bash-4.3 Official Patch 27, made official last Saturday. Google security engineer Michal Zalewski recommends deploying Weimer’s patch manually unless your Linux distribution is already deploying it on its own. An easy way to tell is by typing foo='() { echo not patched; }' bash -c foo on your command line. If it responds that the command was not found, your bash is patched; if it responds that your system is not patched, it is not.

This patch from Weimer also covers several other vulnerabilities recently discovered by Zalewski, two of which have not yet been publicly announced.
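The one-line check above, wrapped so that its result can be scripted, as an added example that is not from the original post or from anyone quoted in it; the function names shellshock_check and exported_function_var_name are my own. The second function shows the variable name a patched bash gives an exported function, which is why the plain test variable is no longer imported as code.

```shell
#!/bin/sh
# Added example (not from the original post). Pre-patch bash imported any
# environment variable whose value began with "() {" as a function definition,
# so `foo='() { echo not patched; }' bash -c foo` ran the variable's body.
# A patched bash leaves foo as an ordinary variable, and `bash -c foo` fails
# with "command not found".

# Prints exactly one word: patched, not-patched, unknown, or no-bash.
shellshock_check() {
    bash_bin=$(command -v bash) || { echo "no-bash"; return 0; }
    # env -i hands the child a clean environment holding only the test
    # variable, so nothing else in the caller's environment can affect it.
    # The child is expected to fail on a patched bash, so do not let set -e
    # abort the caller here.
    out=$(env -i foo='() { echo not patched; }' "$bash_bin" -c foo 2>&1) || true
    case "$out" in
        *"not patched"*)        echo "not-patched" ;;
        *"command not found"*)  echo "patched" ;;
        *)                      echo "unknown" ;;
    esac
}

# Shows how a patched bash carries an exported function across exec: the
# variable is named BASH_FUNC_<name> plus a suffix ("()" in Weimer's patch,
# "%%" in later upstream releases). Only variables in that namespace are
# parsed as functions, so arbitrary variables like foo above are ignored.
# Prints the variable name, e.g. BASH_FUNC_demo%%, or no-bash.
exported_function_var_name() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    bash -c 'demo() { :; }; export -f demo; env' 2>/dev/null \
        | sed -n -e 's/=.*//' -e '/^BASH_FUNC_demo/p'
}

# Stand-alone usage: report both results on the current machine.
echo "shellshock check: $(shellshock_check)"
echo "exported function variable: $(exported_function_var_name)"
```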

Happy Autumn 2014!

Autumn 2014 Google Doodle
Today’s Google Doodle celebrates the Autumnal Equinox, credit: google.com
Today’s Google Doodle celebrates the colors of Fall with an animated image showing a figure walking along a line of trees. As the figure passes, the trees each change colors from shades of grey to shades of red and gold before falling off to reveal the Google name spelled by the trees’ bare branches. A single leaf remains for a second longer before drifting down to rest on the head of the figure.

Metro states, “Equinox, from the Latin for ‘equal night’, occurs when the Earth’s axis tilts neither towards nor away from the Sun, making day and night of roughly equal length – though not exactly.”

According to a list on Wikipedia, the equinoxes in March and September have important cultural significance in addition to marking seasonal weather changes and the balance of daylight and night. Some examples include Mabon, a pagan festival of thanksgiving for the fruits of the earth and a recognition of the need to share them to secure the blessings of the Goddess and the God during the coming winter months, for the Northern hemisphere, and Ostara, inaugurating the new year on the Zodiacal calendar, as well as the time of rebirth or return for vegetation gods and a time of great fertility for the Southern hemisphere.

Oops! Was Your GMail Password Leaked?

GMail Envelope Logo
5 Million GMail Passwords Leaked in Russian Bitcoin Forum, credit: Cairo on Flickr
Today, it was reported that a Russian Bitcoin Forum was the location of a massive leak of approximately 5 million GMail usernames and passwords. The list was reportedly posted on Tuesday, according to Russian site, CNews. According to the poster of the list, approximately 60% of the accounts were still accurate.

However, the “leak” appears to be a list of passwords that were phished and scammed from users over a length of time, and many may have already been updated or the accounts themselves are long since inactive and/or suspended.

The leak also includes account information from Yandex, the largest Russian search engine.

According to Google and Yandex via CNews, their systems have not been compromised, hence the theory that the list of accounts was gathered from various phishing attempts over time. If you’re not certain and want to be safe, it is best to change your password. Changing any and all account passwords on a regular basis is always a good idea and security practice.

A site, https://isleaked.com/en.php, is using the leaked list and running a search of it to find potentially compromised accounts. You can enter your GMail address into the form, and it will search. If you do not want to enter your email address, you can enter portions of the address and it will search for similar patterns. For example, entering du****7**gmail.com will match any email address with those characters that might be on the list.

USB Security Flaw Exploits Functionality

USB Devices
Credit: Tasha Chawner, foryoudesigns on Flickr
From Wired and Gizmodo, word is circulating that the very design and functionality of USB devices has created a fundamental security loophole.

Security researchers Karsten Nohl and Jakob Lell are presenting their findings at the BlackHat conference in early August. They have found a way to reverse engineer the very firmware that controls communication between the USB device (your mouse, your keyboard, that flash drive your latest business contact gave you with their resume) and the computer it is plugged into. They were able to install malware into this firmware that is undetectable and undeletable. Using this method, they were able to take complete control of a computer the device was connected to.

You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean… [But these] problems can’t be patched. We’re exploiting the very way that USB is designed. – Karsten Nohl (source: Wired/Gizmodo)

It’s also possible for a clean USB device to be plugged into an infected computer, and be infected as a result.

Nohl and Lell are torn over whether to release the code they developed at BlackHat at this time because of the damage it can cause. With all the malware that is possible, this delivery method makes it possible to take over any part of a computer, or even mobile devices that connect via USB. It can be used to spy on internet traffic and phone calls, reroute through malicious websites, trace emails, record and transmit passwords, just about anything.

The only known method of avoiding infection is to “treat USB devices like hypodermic needles that can’t be shared among users,” according to Nohl. However, this is largely inconvenient and against the very model of how USB was supposed to work.

Additionally, there was the issue of NSA spying revealed by Edward Snowden earlier this year. University of Pennsylvania computer science professor Matt Blaze states, “I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue.”

Today’s Google Doodle

This Venn diagram illustrates that bats are mammals that have wings.
Mammals ∩ Has Wings = Bats
Credit: google.com
August 4th is the birthday of logician and philosopher John Venn, best known for introducing the Venn diagram. A Venn diagram is a graphical representation illustrating multiple groups and their relationships to one another. Many internet memes have been made using a Venn diagram to illustrate funny and sometimes serious topics in the world.

Today, Google created a Doodle to illustrate Venn diagrams with simple equations and cute drawings as a way to pay homage to the man who created them. It even gives a little shoutout to Chris Hadfield, a Canadian astronaut who used social media to educate the world about space through YouTube and Twitter, and best known for his international space station rendition of David Bowie’s “Space Oddity”.

Visit http://www.google.com/doodles for more fun, cute and worldly Doodles featured on Google’s homepage throughout the years. And, if you’re in grade school, you can even Doodle 4 Google and have your design featured as Google’s logo for a day.

A Kindle Fire… Phone?

Amazon Fire Phone Home Screen showing grid layout of apps
Amazon Fire Phone, photo credit: pcmag.com
That’s right. Amazon has made a phone. It’s called, not surprisingly, the Fire Phone. It’s only available through AT&T. However, considering how exclusive devices only last so long, I can see this eventually being ported to other service providers.

At the same time, I’ve been looking over the reviews. CNN calls it “a shopping device that makes calls”. They weren’t impressed with it as a standalone device compared to others, beyond the fact that it has great shopping options for Amazon products and stores. c|net said it “failed to ignite”. There are the cool 3D graphics, fresh looking OS, top-notch one-handed operation, and great Amazon service integration, but it has a less extensive app store, disappointing battery life, and sluggish performance. The pros don’t stand high enough above the cons to make this a premium phone. And engadget says, “wait for the sequel”.

For me, my personal pet peeve is the lack of expandable memory, something that keeps me Android loyal and away from Apple. My Samsung Galaxy has a MicroSD slot that makes migrating media and adding more space really convenient. Sure, you can get cloud storage like Dropbox and ZipCloud, but it doesn’t have Google Drive, and cloud storage is useless if you have a bad signal. Add to that the fact that I don’t have to get a new device to get more local storage, and I’m not moving off Android any time soon.

The user reviews seem to be pretty balanced. Some positives are the Amazon integration, getting Kindle books easily on their device, and Amazon Prime availability. The Dynamic Perspective is creating a sensation, but the gimmick of it seems to be wearing off pretty fast. But, the battery life, lack of Google apps, and the price point seem to be major complaints. One user even complained that it ran hot, which, to them, was a funny coincidence for the name.

One good thing, though, is their SDK marketing. Check out the product page for the phone. Check out the features. There’s a link right there in the feature descriptions that takes you over to their developer site where you can snag your own SDK and start making apps. And judging by some of the apps already available, it looks like people have been on the SDK bandwagon for a while already. You can get the phone and already download a large selection of apps just for your device, if you have the memory space.

All in all, if I were looking for a new phone at this time, my research is telling me to move on.

Heartbleed. Is It Bad? Oh, Yes… Yes, It Is.

Heartbleed is a massive security flaw in the OpenSSL toolkit. It is untraceable and allows hackers to impersonate security certificates.

So, by now you’ve probably heard of this horrible vulnerability in the OpenSSL encryption technology. According to Wikipedia:

OpenSSL is an open-source implementation of the SSL and TLS protocols.

The OpenSSL website bills it as:

a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

But what about security?

Recently, a flaw was discovered in the toolkit that allowed for massive exploits, and basically left everything wide open and untraceable. Naturally, this sent the Internet community into a frenzy of changing passwords and updating code and trying to patch vulnerabilities.

Patching isn’t the only issue here. Current certificates that had been issued under the unpatched versions still exist, and now comes the dilemma of revoking and reissuing all those certificates. In fact, because of this little problem, some experts are even advising against changing your passwords right away because they still have the very real possibility of being hijacked all over again.

There is also the problem of knowing who was affected and who wasn’t. Not all websites use OpenSSL as their encryption toolkit. Many do because it is open source and free, but there are still plenty who paid and use other toolkits to secure their sites. You don’t have to change every single password you use, only the ones on the affected sites. Several locations have compiled long lists of affected sites that you can scroll through to check for ones you use, but others, like security firm LastPass, have set up online checkers that look at specific websites for you and let you know if they have the bugged OpenSSL on them.

In the end, it really just shows that paying attention to your records like credit reports, changing passwords often, using complex and secure passwords, and all those other internet safety tips have real meaning. Always be safe because you’re less likely to be sorry.

Internet Browser Wars and the Importance of Cross-Platform Testing

Originally written by Jessica Sullivan, Founder of Crystal Realm Designs, as Web Producer for The EGC Group.

Firefox, Safari, Opera, Internet Explorer, Chrome logos
With all the browser choices out there, how do you choose? Which one is the most standards compliant?

Since the beginning of browser based internet, different browsers have caused web developers a lot of headaches.

In the late 1990s, when the big browsers were still Internet Explorer and Netscape Navigator, NetMechanic.com illustrated just that difference between the two early powerhouses. Back then, there were even differences in what HTML tags were supported, such as <blink> for Netscape and <marquee> for Internet Explorer.

While Netscape and a few other old browsers have now fallen by the wayside in favor of Firefox and Chrome, browser differences are still the bane of a developer’s existence. A designer, for instance, can create an amazing template in Photoshop on their Mac, send it over to the developer (who is often using a PC), who will then create the HTML mock-up, test it in whatever browsers they have downloaded, and then send back the test link. The designer will look at it in a different browser version on a different operating system, and say that it’s all wrong.

A great resource for developers is the site, W3Schools.com. A lot of developers use it to find quick tutorials about web technologies that they haven’t used in a long time, or to double check something they weren’t sure about. The site has an entire section dedicated to browser stats, operating system stats, and display settings.

While the browser-specific tags that once separated Internet Explorer from Netscape Navigator are pretty much gone, today’s big browsers all display spacing (such as margins and padding) differently with cascading style sheets. Often, this can push elements on the page too far in one direction in one browser, but too far in the other direction in a different browser. Depending on how a viewer’s zoom setting is set, the text size will look different. Depending on the user’s screen resolution, pictures can often appear smaller or bigger, clearer or more pixelated. In most situations, these problems are not due to the developer not coding the page properly, but rather, the settings of the computer it’s being displayed on.

A Mac with Safari will display a page differently than a Mac with Firefox or a PC with Chrome. Testing for every possible combination in existence is downright counterproductive. Each version of an operating system or browser will also display differently from other versions of the same combination. A Windows XP computer using Internet Explorer 8 is going to display a website differently than a Windows 8 computer using Internet Explorer 10.

The philosophy of web development presented by NetMechanic.com in the article linked to earlier tends to be a timeless standard that doesn’t seem to be going out of style anytime soon; it’s one that covers most possibilities without leaving your QA team under a heap of tests to run: develop for the latest two browsers, at a middle-of-the-road display setting, and aim for the last operating system version, not the latest. While it’s great to say that you can offer state-of-the-art techniques and brand new technology, keep in mind that it takes a while for new browser versions to propagate across an internet audience. You might end up with a large number of end users (or a client) who can’t see your cool, new CSS special effects.

It might also be a good idea to encourage your clients to upgrade to one of the latest two browser versions. This will allow them to see exactly what you intended your work to look like. Even after that, however, individual browser settings (allowing JavaScript, cookie settings, security level) and sometimes even network settings (blocked scripts, blacklisted ad servers) can have a major effect as well. Always make sure your intentions of what you want to develop are clear at the contract level before you start working, or you may end up programming for a lot of individual browser settings instead of a standard default setting.

Until standards of support are set across the entire internet industry, this is something that will likely remain an issue for developers and ad agencies in the future. It’s always best to be prepared and to have tools at your disposal to help ease the development process. Microsoft offers a tool called ‘Expression’ that attempts to emulate many different browser versions and settings so you can get an idea of what something will look like. Adobe also has one available called ‘BrowserLab’. Last summer, SmashingMagazine.com wrote an article reviewing various testing tools that are available for developers to use. Some are free, some are subscription based, and some are a flat fee.

Keep in mind, while these tools are very helpful in finding many of the problems, they’re not fool-proof and still can’t test for every single combination of settings, versions, and hardware (let alone mobile!) that an end user might have. In this internet-driven age, finding a common denominator is very hard to do.