Zero day exploits in Windows

And why Microsoft isn’t happy with Google.

So far this year Google has released information on 3 (fairly) major security holes in Windows that could be exploited for a variety of reasons. Obviously mostly by trojans wanting banking information and the like.

Microsoft isn’t happy because they were already working on a patch for the last 2: one of the patches was released only 2 days after Google released the exploit, and the other one (released today) had its patch pushed from the January to the February patch day because they weren’t happy with the patch.

So one would think that Microsoft is right and Google is wrong.

I happen to disagree.

One of the reasons that Google (and other people who publish exploits) have such a tight schedule is that security holes, even after the people responsible were notified, had a tendency to stay unpatched for a very long time. Microsoft’s Internet Explorer in particular had a reputation for being vulnerable to exploits that Microsoft had known about for over a year. These days Microsoft is doing a much better job. But Microsoft isn’t doing a much better job because they feel the need to make their products more secure (although much has changed and they actually do), but because they now know that the exploits will be released after 90 days.

Many companies have proven that it’s possible to fix vulnerabilities within 90 days. Even Microsoft isn’t doing so bad usually. One has to consider, though, that Windows contains millions of lines of code. So some hidden bugs could be fairly hard to track down. They also do have some of the best programmers working on it, though, so this really shouldn’t be an issue.

If Google is being consistent and doesn’t, for example, give RIM extra time to work on a patch, I think this is a good thing. I think 90 days is enough time. I think Microsoft is capable of providing patches for their products in time, with no problems. I just don’t think that they’re making this a priority. Or they need to streamline their project management and have the right people working on stuff in time.

I really don’t think Microsoft needs 60 days to work on a patch, so I think that they just started late. Start early, have the right people working on it and none of this will be a problem.

Sourceforge

The most trusted name …. in malware ????

So as many of you know (yes I like to pretend more than one person reads this) I work in a computer store and I used to (I don’t much anymore) fix people’s computers. Fixing people’s computers in most cases means getting the viruses and other malware off. So there are a few programs that I see all the time where I can just tell that the computer has a virus somewhere. Anything with the word ‘optimizer’ or ‘downloader’ in the name is an obvious candidate.

Anyone working in IT for more than a few weeks knows how that crap gets onto your computer. You download a program from a shady source, forget to uncheck the “Install more shady shit on my computer” checkbox and voila you’re good to go. And just as obviously anyone working in IT more than two weeks knows how to uncheck that box, or go to advanced settings (even if it’s greyed out). And I have obviously never had a program like that on my computer. Until a few days ago.

I was downloading FileZilla from Sourceforge, which is a fairly highly regarded FTP client. I’ve been using it for years without a problem as well. Somehow the FileZilla homepage makes me download the thing from Sourceforge, which really isn’t a problem. I trust(ed) Sourceforge, and it’s really not regarded as a shady source for stuff. So then Sourceforge makes me download some Sourceforge downloader crap, which slightly troubles me. I really shouldn’t have to download something to download something (legal, and free !). So I do go ahead and go to advanced settings in the installer to make it not install some shitty toolbar and mess up my internet shit. And then (!!!) without asking (!!!) it installs PC Optimizer Pro. Which starts running immediately.

This all happened over a week ago and I’m still pissed off about it. I will never trust sourceforge with anything. And I urge everyone to switch over to github or any other credible site to host your stuff. It really isn’t worth getting your potential customers all pissed off over something you don’t get any benefit from.

Thoughts about the Go Language

and programming languages in general

As you can read on my about me page, I have pretty much always been into learning new languages. This is more true for programming languages than spoken ones, but I do think I’m fairly good at this English one. So recently (shocking, since it hasn’t existed that long) I came across Google’s Go language and I have been reading about the features of the language and the design choices the inventors have made.

Now I have to say that I have thought about designing my own programming language for quite a while now (almost a decade) and while I haven’t even started trying to implement it I have spent quite a bit of time writing down features it needs to have, features that are nice to have, etc. Now there are some obvious features that every recent language seems to have, like Object Orientation, Threads, C-style syntax, etc. I was quite surprised that Go went a different way on a few things that seem obvious at first.

Go doesn’t quite have Classes, that is to say that it doesn’t have Inheritance. That seems like a glaringly obvious mistake on their part, but since they had some very smart people think about it for a long time, I’m more inclined to trust them on it than myself. The interesting thing here is Interfaces (no, grammatically this makes no sense, but I’m leaving it). If an Object has all the same interfaces as another Object, what purpose would there be in the Objects not being interchangeable? If it could be used as a different Object without anything failing, why wouldn’t it be allowed to?

C-style syntax is another thing that’s seemingly obvious, but everyone differs from it a little bit (and they all kinda have to, since C doesn’t have classes). Go doesn’t really go that far off the beaten path here, but some things are noteworthy. Variable declarations are the first and most obvious thing. I don’t think turning everything around is a good idea really, but I can live with it. In C# you have someclass somename = new someclass(arguments); which I will be the first to admit is a bit redundant. Still, I would have probably gone with new someclass(arguments) somename instead of the Go equivalent somename := someclass(arguments).

Semicolons are gone as well. You still can throw them in there to end a statement if you want to have more than one statement in one line of code, but for the most part you probably won’t be using them. I have always thought that that was the way it was supposed to be, but I did favor the consistency of the semicolon over just ending a statement at the end of a line like VB. So here I can have both.

Last, for this post anyway, we have Threads. With every living being having a multicore processor this seems obvious. We do need concurrency. There just isn’t a way around concurrency anymore. The obvious choice seems to be using threads. It’s what everyone else does and it’s fairly simple to implement. You can just let the Operating System’s scheduler figure out when to give another thread the ability to do something. After thinking about this for a long time and writing a few multithreaded programs I have always favored Erlang-style concurrency. You need a way to pass a message to a different thread, and using global (omg !) or shared variables doesn’t seem like a very safe way to do it. Everything else (locking, mutexes, etc.) just seems like a workaround for the initial mistake.

So would I make the same choices (after reading a lot about Go)? Mostly I would have to go with yes. In loops you don’t need the parentheses when the curly braces are mandatory anyway, same with if statements; semicolons also seem redundant at the end of a line, so I would stick with all that. Concurrency is also an easy one, I like the way Go does it. Classes are where I would go the old-fashioned way, but I might well change my mind on it, because duck typing seems much easier for the programmer. You don’t need to figure out long class diagrams before you write the first line of code.

In short the inventors of the Go language are obviously much smarter than I am, so I’m not really surprised that they changed my mind about a lot of features of a programming language.

SQL Injection

and how to avoid it

SQL Injection seems to be one of the most common ways that hackers steal passwords or other data that’s commonly stored in a database.

How it’s done: A lot of websites send user input to the database inside a query, unfiltered. Heise wrote an article on this EIGHT years ago, and yet it seems like quite a few people who should know better still don’t filter the input that gets sent to the database. This article goes into a bit of detail on how it’s done, but basically you find a way to get your own input sent to the database by the website. Let’s assume you have a login form somewhere that asks for username and password. Let’s then assume you have an SQL query like this: SELECT first_name FROM users WHERE username = '$username' AND password = '$password'. Now if you just replace $username and $password with whatever the user enters, you might end up with a username like '; DROP TABLE users;-- . If you substitute that string, entered into the username field of your form, for $username, you will end up not having a table named users anymore.

The last article I linked goes into a bit more detail on how to use it more effectively on websites that are scripted to use index.php as the main page of the site and have it dynamically create pages with content from the database.

How to prevent SQL Injections: The obvious way would be to just str_replace("'", "", $username), but if it was that easy I wouldn’t bother writing this. PHP even has a function that was supposed to account for all the different ways people could mess with the user input. Now even the PHP manual says that it’s discouraged in favor of the top choices for avoiding SQL Injections. First, however, I suggest a different approach that no one really seems to have commented on. You could just get the SHA-1 hash (hell, even MD5) of all the variables you’re using in a query. Obviously you would also have to save the hash of everything in the database. The WHERE clause wouldn’t look like WHERE id = 1 but WHERE id = '356a192b7913b04c54574d18c28d46e6395428ab'. Obviously the hash function always produces a string of the digits 0-9 and the letters a-f, which means that it’s completely safe.

The more obvious choices, though, are either mysqli or PDO. Both of those PHP extensions support prepared statements and parameterized queries.

I have rewritten all the SQL on my website to use PDO, and the above query would look something like:

$query = $connection->prepare("SELECT first_name FROM users WHERE username = :username AND password = :password");
$query->bindParam(':username', $username, PDO::PARAM_STR);
// bindParam() binds its second argument by reference, so a function result cannot be passed to it directly; bindValue() copies the value instead.
$query->bindValue(':password', hashpassword($password), PDO::PARAM_STR);
$query->execute();

Obviously we calculate a hash of the password first. We bind both parameters, and after that we can just call $query->execute(); to send it to the database. Obviously inserting a row into the database, like one would when putting a blog post into it, gets quite a bit longer than it would ordinarily be, but as long as anything that can be changed by users gets sent to the database one must take precautions.
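The two ways of building the login query described above, string substitution versus bound parameters, as an added Python example using the standard-library sqlite3 module (this is not code from the original post, which uses PHP and PDO). The users table and the two accounts are constructed for the demonstration; the payload is the one quoted in the post; hash_password() is a stand-in for the post's hashpassword() and uses SHA-1 only so that the digest matches the post's id example (a real login store would use a salted, slow hash such as hashlib.pbkdf2_hmac). Because sqlite3's execute() refuses stacked statements, executescript() stands in for a database API that runs whatever text it is handed, which is the situation the post describes.

```python
import hashlib
import sqlite3

# Constructed sample accounts for this demonstration (not data from the post).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# The injection string quoted in the post.
PAYLOAD = "'; DROP TABLE users;--"


def hash_password(password: str) -> str:
    """Stand-in for the post's hashpassword(). SHA-1 is used only because the
    post's id example is a SHA-1 digest; a real login store would use a salted,
    slow hash such as hashlib.pbkdf2_hmac() and a constant-time comparison."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory database with a users table shaped like the post's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, first_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(name, hash_password(pw), name.capitalize()) for name, pw in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the schema catalogue so the effect of the injected DROP is observable."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def build_query_unsafe(username: str, password: str) -> str:
    """The pattern the post warns about: $username and $password pasted into the
    SQL text. The payload closes the string literal and appends a statement;
    its trailing -- comments out the rest of the original query."""
    return (
        f"SELECT first_name FROM users WHERE username = '{username}' "
        f"AND password = '{hash_password(password)}'"
    )


def run_unsafe(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Execute the concatenated text. sqlite3's execute() refuses stacked
    statements with a ProgrammingError, so executescript() stands in here for a
    database API that runs every statement it is handed."""
    conn.executescript(build_query_unsafe(username, password))


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """The PDO approach from the post, in Python: placeholders in the SQL text
    and the values bound separately, so PAYLOAD is only ever compared as a
    username value and can never become part of the statement."""
    row = conn.execute(
        "SELECT first_name FROM users WHERE username = ? AND password = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both paths against a fresh database and report what happened."""
    conn = make_db()
    result = {
        "valid_login": login_safe(conn, "alice", "correct horse"),
        "payload_as_username": login_safe(conn, PAYLOAD, "anything"),
        "table_after_safe_query": table_exists(conn, "users"),
    }
    run_unsafe(conn, PAYLOAD, "anything")
    result["table_after_unsafe_query"] = table_exists(conn, "users")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The safe path returns None for the payload and leaves the table in place; the unsafe path runs the injected DROP TABLE and the table is gone afterwards. The hashing of the password parameter is incidental to the fix: what keeps the query safe is that the username never touches the SQL text at all.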

I seriously hope people will be more security conscious in the future and at least think about what can happen when we send stuff to the database. Maybe eventually we can get rid of SQL Injections, cross site scripting, cross site request forgeries and session stealing. I have a feeling that it’ll be a while, though.

Keyboard Layouts

Phil Haack made a very nice post a long time ago about him switching to Dvorak (June 5th, 2007). I incidentally already commented on that post sometime last year.

My point of this post is to pimp my own keyboard layout, obviously. I switched to the aforementioned Dvorak keyboard layout a while back, can’t remember the exact time, but it must have been in 2003. Ever since then I had the problem of dealing with the German letters (äöüß) that aren’t included in that layout. However, there are some other issues as well. Since I’m a programmer I have very specific needs for a keyboard layout. I need to have braces, brackets, the backslash, dollar sign, and many other keys that are much more rarely used by non-programmers. That whole assembly of problems was then solved for me by the makers of the Neo layout. Unfortunately for me, those guys keep “improving” the layout. How is that a problem, you may wonder. Even besides the obvious issue of the layout never being adopted because it keeps changing, I now have the problem of having to remember the revision my keyboard layout was in (at least the guys are smart enough to use Subversion). If I forget, I have to go through about 900 revisions of my keyboard layout and try to figure out which one is the one I’m looking for. If I ever had to format or something and lost it, that is.

Now for the point of this post (did anyone read this far ?). I have developed my very own keyboard layout, with a colleague of mine. This is how it looks:

The DevIL Keyboard Layout

This keyboard layout is very close to one of the revisions of the layout I had been using before, with the subtle difference of keys not changing places every 2 weeks. It is available here as an AutoHotkey script. After testing the layout extensively I will be releasing the final version, and I will upload a compiled script, so no one has to install AutoHotkey.