Donkey On A Waffle
Happy Birthday DOAW!
Tue, 11 Mar 2008 11:32

Holy crap! It just occurred to me that DonkeyOnAWaffle has been up an entire YEAR! In that year I managed to do 71 posts, which beats my original hope of averaging one post a week. I don't think I have ever had a blog last as long as this one and it just goes to show you what reader feedback can do to help encourage a person... oh wait.. scratch that last line. Either way, happy one year birthday DOAW! Let's shoot for two a week in 2008! (yeah right).

And now for content that is relevant to the site. Microsoft has opened their protocols up for public use. The specifications for a large number of previously proprietary protocols can be found HERE. I'm sure we will see some vulnerabilities released in short order thanks to this link. And now I command all of you to "go forth and PWN!".

Category: /generic

Backdoor in GArchiver
Tue, 11 Mar 2008 10:59

Have you ever needed a piece of software to do a minor little task and gone to our favorite seer of the Intertubes (Google) for a response? Have you really thought about the security of the particular program you are downloading and installing on your PC? Well luckily for us Dustin Brooks (finder) and Jeff Atwood of "Coding Horror" blog fame have done both.

Dustin needed an application that would download all of his gmail data to his local drive. So instead of coding something up himself, which I'm sure he could have done, he did a Google search and discovered G-Archiver. *DO NOT DOWNLOAD AND USE*. G-Archiver is a little utility that goes through your gmail account and archives all of the messages to your local drive. The application costs $29.95. This is all fine and good. However, it also sends your login and password information off to the author's (John Terry) private gmail account. This is not so good. The author is charging you to steal your credentials!

Having written a few free tools in my lifetime, I'm appalled at the fact that someone would stoop to such underhanded methods. At the same time I suppose I should admit that I'm not at all surprised by this fact. I've written tools that help security professionals in their effort to secure web sites and it's never once occurred to me to steal the credentials of anyone in the process. I guess I'm just too ethical to even consider crossing that line. I mean heck, if I were going to steal something, it wouldn't be users' email credentials, it would be millions of dollars from an online bank.... but I digress.

Back to the questions at hand. Will this type of issue make you, as a consumer of free tools, question the security of all utilities you download in the future? Or will we all continue to just download, consume, and hope like hell that we don't get owned? In this case the public was lucky that the application was written in a language that could be easily decompiled using reflection. What if the application had been written and compiled in a language that wasn't so easily reversed, and the strings had been obfuscated effectively enough to deter trivial location of the backdoor? Would it have been caught? I'm guessing not. How many other issues similar to this one exist? Just when I thought the world was getting to be a better place.....

Interestingly enough, if you do a bit of whois searching you will see that the contact information in the whois database was changed as of Tue, 11 Mar 2008 14:55:16 UTC. I'm guessing someone wants to run and hide. The domain now belongs to the following contact:

Inc., MateMedia hostmaster@matemediainc.com
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States
(877) 309-7521

Thanks to Chris Wysopal at Veracode for the blog posting that tipped me off. After googling a bit I see it's a few days old, but it just brought up too many questions not to post on it.

Category: /infosec

Linus on Source Code Revision Management
Wed, 05 Mar 2008 09:33

I came across an interesting transcript of a presentation today. Linus Torvalds, of Linux kernel fame, gave a presentation at Google discussing the good, the bad, and the ugly of source code revision management. His general mantra is "You are all stupid and ugly", but that being said, he has an interesting take on source code repositories, and he also discusses the specifics of his own open source version control system, "git".

While the talk was actually quite interesting to read from a personality point of view (Linus is never short on jabs and opinions), it is also interesting to read from a repository point of view. It never really occurred to me how much a centralized source code management system could be improved upon. It has been in use for so many years, it's just one of those things that you assume is being done right. I guess it makes sense to never assume (you'd think I'd have learned that by now).

I have mirrored the transcript HERE.

One quote that caught my eye:

"If you have ever done any security work, and it did not involve the concept of network of trust, then it wasn't security work, it was masturbation. I don't know what you were doing but trust me, it's the only way you can do security, and it's the only way you can do development. The way I work, I don't trust everybody. In fact I am a very cynical and untrusting person. I think most of you are completely incompetent."

I guess I'm not only incompetent, but according to Linus I masturbate for a living! If you can get past the attitude, it's a pretty interesting take on a very old topic.

Category: /programming