<p>lookout.net (Jekyll feed, updated 2018-09-30T23:26:13-07:00), by Chris Weber, cweb@protonmail.com</p>
<p><a href="https://www.lookout.net/articles/spring-break-road-trip-Washington">https://www.lookout.net/articles/spring-break-road-trip-Washington</a>, published 2018-04-15T00:00:00-07:00 by Chris Weber</p>
<p>While most other families were sensibly sitting on a warm beach in Hawaii, I took my daughters on a road trip across Washington State for spring break 2018 to see some amazing sights right here in our back yard. We did a little camping, some hiking, scrambling, caving, ziplining, and treated ourselves to a lodge stay for a couple nights. If you're looking for a fun route to try sometime, this is a good 5 day trip.</p>
<p><img src="https://www.lookout.net/images/springbreaktrip.png" alt="2018 spring break road trip" class="centered"></p>
<p>First stop was Palouse Falls State Park in Eastern Washington, kind of out in the middle of nowhere. The weather was perfect for the 4.5 hour drive.</p>
<p><img src="https://www.lookout.net/images/roadtrip.jpg" alt="2018 spring break road trip" class="centered"></p>
<p>Palouse Falls was raging; that's my daughter standing in the top left, about 400 feet above the canyon floor.</p>
<p><img src="https://www.lookout.net/images/roadtrip-palouse-falls.jpg" alt="Palouse Falls" class="centered"></p>
<p>Looking the other way, the canyon winds its way toward the Snake River. This canyon was formed practically overnight by cataclysmic floods at the end of the last ice age around 12-15,000 years ago.</p>
<p><img src="https://www.lookout.net/images/roadtrip-palouse-canyon.jpg" alt="Palouse Falls canyon winding toward the Snake River" class="centered"></p>
<p>We stayed the night in the State Park, then hiked down to the top of the waterfall the next day before heading back out toward Maryhill State Park to see the Stonehenge replica. The shot below is from the backside of the canyon, where we hiked along the river leading to the top of the waterfall.</p>
<p><img src="https://www.lookout.net/images/roadtrip-palouse-hike.jpg" alt="Hiking along the river to the top of Palouse Falls" class="centered"></p>
<p>We arrived at the Stonehenge replica in Maryhill in the early afternoon and had the whole place to ourselves, so what did we do but play hide and seek of course.</p>
<p><img src="https://www.lookout.net/images/roadtrip-stonehenge-hide.jpg" alt="Maryhill Stonehenge hide and seek" class="centered"></p>
<p><img src="https://www.lookout.net/images/roadtrip-stonehenge.jpg" alt="Maryhill Stonehenge hide and seek" class="centered"></p>
<p>Here's a look at the Stonehenge replica under the Milky Way during a new moon, a shot I grabbed a few months earlier.</p>
<p><img src="https://www.lookout.net/images/maryhill-stonehenge.jpg" alt="Maryhill Stonehenge at night" class="centered"></p>
<p>Our camp site at Maryhill State Park was pretty sweet; this time of year there's nobody around, so it's easy pickins, waterfront and all.</p>
<p><img src="https://www.lookout.net/images/roadtrip-campground.jpg" alt="Maryhill State Park camp site" class="centered"></p>
<p>Afterwards we took off to go scrambling up Horse Thief Butte, on the way to Skamania lodge and the Ape Caves.</p>
<p><img src="https://www.lookout.net/images/roadtrip-scrambling.jpg" alt="Scrambling up Horse Thief Butte" class="centered"></p>
<p>It was a lot of fun scrambling through the butte; we got to the top in no time, maybe 20 minutes, and had the whole place to ourselves.</p>
<p><img src="https://www.lookout.net/images/roadtrip-butte.jpg" alt="Top of Horse Thief Butte" class="centered"></p>
<p>Then it was on to Skamania Lodge, for some tree-top adventure climbing and zip lining.</p>
<p><img src="https://www.lookout.net/images/roadtrip-canopy.jpg" alt="Skamania Lodge tree-top adventure climbing" class="centered"></p>
<p><img src="https://www.lookout.net/images/roadtrip-ziphang.jpg" alt="Skamania Lodge zip line" class="centered"></p>
<p><img src="https://www.lookout.net/images/roadtrip-zip2.jpg" alt="Skamania Lodge zip line" class="centered"></p>
<p><img src="https://www.lookout.net/images/roadtrip-zip.jpg" alt="Skamania Lodge zip line" class="centered"></p>
<p>And on one of the off days, we took a short trip across the Columbia River to check out some of the Oregon waterfalls right off the road.</p>
<p><img src="https://www.lookout.net/images/roadtrip-waterfall.jpg" alt="Oregon waterfall right off the road" class="centered"></p>
<p>Finally we took off toward Mt. St. Helens and the Ape Caves. The road was totally empty and pretty gorgeous.</p>
<p><img src="https://www.lookout.net/images/roadtrip-roadsthelens.jpg" alt="Empty road toward Mt. St. Helens" class="centered"></p>
<p>It was our first time at the Ape Caves, thousands-of-years-old lava tubes that stretch for a couple miles. There are tons of lava tubes in the area, but these are accessible and traveled. Apparently you're supposed to enter them from the bottom, but we missed that memo and entered them from the top. This meant we had to walk down-grade instead of up, which was a little more challenging.</p>
<p><img src="https://www.lookout.net/images/roadtrip-cave-entrance.jpg" alt="Ape Caves entrance" class="centered"></p>
<p><img src="https://www.lookout.net/images/roadtrip-caves.jpg" alt="Inside the Ape Caves" class="centered"></p>
<p>You definitely need layers and good flashlights for the caves; it gets a little chilly and it's super dark. Wet in places too, so luckily we had rain jackets on.</p>
<p><img src="https://www.lookout.net/images/roadtrip-cave-skylight.jpg" alt="Ape Caves skylight" class="centered"></p>
<p>Overall it was a fun and memorable trip, something to do in about 5-7 days, and this was a good time of year to do it to avoid the crowds.</p>
<p><a href="https://www.lookout.net/articles/spring-break-road-trip-washington.html">Spring break road trip - Palouse, Stonehenge, Skamania, Ape Caves</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on April 15, 2018.</p>
<p><a href="https://www.lookout.net/articles/child-privacy-security-guide">https://www.lookout.net/articles/child-privacy-security-guide</a>, published 2017-04-06T00:00:00-07:00 by Chris Weber, cweb@protonmail.com</p>
<p>This guide is meant to be a quick look at some of the risks facing you and your kid as they start going online with an iPhone or other mobile device. Much of the content is equally relevant to a laptop or other computing device, the problem statement being something like:</p>
<p><strong>Oh shit, my kid is now on the Internet, help me!</strong></p>
<p><strong>TL;DR</strong> If this is too much to read, skip straight to the suggestions for what you can do to save your child's mind and soul from the manipulative matrix of the Archons. The suggestions are split into two main threads:</p>
<ul>
<li>The <a href="#psychological-mitigations">psychological defenses</a></li>
<li>The <a href="#technical-mitigations">technical protections</a></li>
</ul>
<p>I also talk a lot about setting boundaries for children, which means having clear rules. I'm sharing some of my own contracts that I've created and pushing them to the front of this article because they are sort of foundational.</p>
<ul>
<li><a href="https://www.lookout.net/files/child-computer-use-agreement.pdf">Child Computer Use Agreement</a></li>
<li><a href="https://www.lookout.net/files/child-tech-contract.pdf">Child Technology Contract</a></li>
</ul>
<p>Certainly there are many ways to vary these contracts, but I wanted to keep my own to a simple one-pager, something I could read over with my own kids that they would understand. Going through this process was better than not doing it, as it raised more questions and perspectives, and set a minimum bar for everyone's understanding.</p>
<p>Furthermore, it's important to understand who the actors are that impact you and your child's privacy. I know, I'm already veering off the 'child' focus, and yes, this does all extend to grown-ups too. The actors interested in collecting and exploiting your data (from browsing histories to email communications) range from foreign and domestic governments to vast advertising networks (consider them all listening to everything all the time) to more isolated criminals, bullies, and trolls. It's not about "I have nothing to hide" - we are far beyond that; this is about regaining some level of control over your life.</p>
<h2>Table of Contents</h2>
<ul>
<li><a href="#a-little-background">A Little Background</a></li>
<li><a href="#psychological">Psychological</a>
<ul>
<li><a href="#psych-threats">Threats</a>
<ul>
<li><a href="#addiction">Addiction</a></li>
<li><a href="#distraction">Distraction</a></li>
<li><a href="#bullying">Bullying</a></li>
<li><a href="#situational-awareness">Situational awareness</a></li>
<li><a href="#relational-dysfunction">Relational dysfunction</a></li>
<li><a href="#hijacking-the-imagination">Hijacking the imagination</a></li>
<li><a href="#criminals">Criminals</a></li>
<li><a href="#content">Content</a></li>
</ul></li>
<li><a href="#psychological-mitigations">Mitigations</a>
<ul>
<li><a href="#establish-rules">Establish rules, talk through them</a></li>
<li><a href="#disconnect">Disconnect for god's sake</a></li>
<li><a href="#content-filtering">Content filtering</a></li>
</ul></li>
<li><a href="#benefits">Benefits</a>
<ul>
<li><a href="#location-awareness">Location awareness</a></li>
<li><a href="#flashlight">Flashlight</a></li>
<li><a href="#communication">Communication</a></li>
</ul></li>
</ul></li>
<li><a href="#technical">Technical</a>
<ul>
<li><a href="#platform-choice">Platform Choice</a>
<ul>
<li><a href="#apple">Apple, Android, or Windows?</a></li>
</ul></li>
<li><a href="#tech-threats">Threats</a>
<ul>
<li><a href="#mobile-surveillance">A mobile device <em>is</em> a surveillance tool.</a></li>
<li><a href="#lifetime">A lifetime of surveillance</a></li>
<li><a href="#identity-theft">Identity theft</a></li>
<li><a href="#hacked">Hacked</a></li>
</ul></li>
<li><a href="#technical-mitigations">Mitigations</a>
<ul>
<li><a href="#private-email">Get a private email account</a></li>
<li><a href="#get-brave">Get Brave</a></li>
<li><a href="#strong-passcode">Set a strong passcode</a></li>
<li><a href="#fingerprint-security">Enable fingerprint security</a></li>
<li><a href="#install-a-vpn">Install a VPN</a></li>
<li><a href="#get-opendns">Get OpenDNS</a></li>
<li><a href="#get-encrypted-messaging">Get encrypted messaging</a></li>
<li><a href="#install-ghostery">Install Ghostery</a></li>
<li><a href="#raise-awareness">Raise awareness</a></li>
<li><a href="#consider-the-philosophy-of-privacy">Consider the philosophy of privacy</a></li>
<li><a href="#duckduckgo">Change your search engine to DuckDuckGo</a></li>
<li><a href="#password-manager">Start using a password manager</a></li>
<li><a href="#updates">Install updates immediately</a></li>
<li><a href="#identity-theft">Subscribe to an identity theft monitoring service</a></li>
</ul></li>
</ul></li>
<li><a href="#links">Links</a></li>
<li><a href="#conclusion">Conclusion</a></li>
</ul>
<p><a name="a-little-background"></a></p>
<h2>A Little Background</h2>
<p>Consider a recent article in Wired called '<a href="https://www.wired.com/2017/04/tim-berners-lee-inventor-web-plots-radical-overhaul-creation/">Tim Berners-Lee, Inventor of the Web, Plots a Radical Overhaul of His Creation</a>'. Sir Tim Berners-Lee has been an advocate of user privacy since the Web was born, and recognizes that:</p>
<blockquote>
<p>"Today, huge companies like Amazon, Facebook, Google, and Netflix dominate the web.
These corporate giants enjoy an enormous amount of control not only over what people
see and do online but over users’ private data." </p>
</blockquote>
<p>What got us to the state of the Web today is the advertising-centric business model, which has led masses of people to expect services for free and to hand over, almost without a thought, all of their transactional and communication information to service providers. However, the tide may be turning, as people start to see the Internet the way it was originally seen: a network where the people control their own information. Sir Tim Berners-Lee and others believe that we are in a transition period where people are just starting to recognize the value of their personal data, and that:</p>
<blockquote>
<p>"A tipping point could be reached where people will realize ‘that data belongs to me'"</p>
</blockquote>
<p>He is working on a new project to <a href="https://github.com/solid/">decentralize the Web</a>, and give users control over their own data. For more perspective from Sir Tim Berners-Lee, read his article '<a href="http://webfoundation.org/2017/03/web-turns-28-letter/">Three challenges for the web, according to its inventor</a>' written on March 12, 2017, the Web's 28th birthday.</p>
<p>There are many highly respected advocates for privacy and for a new Web that recharts the current advertising-centric course we are on. <a href="http://www.jaronlanier.com/">Jaron Lanier</a>, inventor of Virtual Reality, has the ear of many Silicon Valley elite and has been suggesting they offer users alternatives to 'free' services that are supported purely by advertising. His concepts of rewarding artists and content creators through a micropayment economy, along with the negative economic effects that the current advertising model of the Web will lead us to, are explored in his book <a href="https://www.amazon.com/exec/obidos/ASIN/1451654960/simonsayscom">Who Owns the Future</a>.</p>
<p>My guide here was originally meant to explore some of the privacy, security, and psychological risks facing children as they go online into this Brave New World that welcomes them with a vast, largely invisible, corporate and government surveillance system, and offer suggestions for how to protect them. Consider the following illustration - a mind map outlining the content.</p>
<p><a name="psychological"></a></p>
<h2>Psychological</h2>
<p>The psychological aspects of owning a mobile device range from the threats of addiction to the benefits of knowing your kid's location at any given moment.</p>
<p><a name="psych-threats"></a></p>
<h3>Threats</h3>
<p>From addiction to bullying to coming across horrific and mind-altering content that should never have been seen, the Internet has plenty to offer.</p>
<p><a name="addiction"></a></p>
<h4>Addiction</h4>
<p>Any parent who has used their iPad as a babysitter knows the addiction effect all too well. Are you reading this with a glass of wine as your child vegges out on their iPad? Are you one of those people who takes their kids to dinner and lets them zone out on the thing for the entire time? Maybe you're the addicted one, eh?</p>
<h5>Screen addiction</h5>
<p>Of course kids have addictions, and this will be one of them. Prepare yourself, you probably don't like seeing people walk down the street while staring into their devices, texting friends while eating dinner with their family, or driving with one hand on the wheel and another on their device. This will be them if given a clear runway, so setting up some clear boundaries can help.</p>
<h5>'Like' addiction</h5>
<p>Once they get into any social environment, addiction will take a new form. It turns from device addiction into 'like' addiction, the impulsive want to see others liking their post, image, or comment. It seems like an important area to explore with the child, not in a way that you have to control it, but in a way that you can talk about it with them.</p>
<h4>Distraction</h4>
<p>What were we talking about? Did I miss something?</p>
<h5>Notification nightmare</h5>
<p>Who really likes notifications? Ding, buzz, whoot, constant noise and vibration about events that are almost always insignificant and can wait. </p>
<h5>Lose ability to focus</h5>
<p>It's not just notifications though; it's the devices and information overload in general which are leading us to a culture devoid of patience and focus. Too many screens to flip through, too many messages to parse, so I'll just read the headlines. How can we cultivate focus? Reading, drawing, journaling, watching birds, karate: there are so many ways.</p>
<p><a name="bullying"></a></p>
<h4>Bullying</h4>
<p>This is a big one for a lot of parents, especially those who have witnessed just how nasty some kids can get. Bullying can really mess with someone's head, kid or adult. How it's integrated and handled really depends on how psychologically mature someone is and how they can move through the moment. </p>
<p>Most of us probably don't want our kids to go out of their way to verbally assault and threaten another person, and we sure don't like it when they're on the receiving end. We've heard or witnessed tragic stories, from physical attacks to middle school girls committing suicide.</p>
<p><a name="situational-awareness"></a></p>
<h4>Situational awareness</h4>
<p>I've heard from law enforcement that criminals see easy targets in people walking down the street with screens in their faces. Anyone who's checked out, who's busy texting or looking at their screen will lose some situational awareness. An assailant will take advantage of that and attack. </p>
<p>Be aware, always be aware.</p>
<p><a name="relational-dysfunction"></a></p>
<h4>Relational dysfunction</h4>
<p>All of us who work in tech know the old phrase, that engineers prefer working with computers because they're much easier to understand than humans. Carry that forward to today where this comforting, reassuring, understandable piece of tech that always listens and does what I say is now with me 24x7. </p>
<p>Well, I don't really know how much more dysfunctional our relationships can get, but I suppose there's always room to fall. Human relationships are easy when events are on the surface, or when times are good. But go deeper, add a dose of stress, some conflict, a life trauma, or a bitter disagreement, and things get hard. </p>
<p>Maturing is the process of relating to each other in ethically responsible ways through a variety of challenging situations. Dysfunction could be treating another person in an ethically irresponsible way, only thinking about one's self, being a narcissist. Or it could just be the awkward ways in which we interact and respond to each other.</p>
<p><a name="hijacking-the-imagination"></a></p>
<h4>Hijacking the imagination</h4>
<p>Do kids give up day dreaming? Do they lose ability to focus on an imaginary story? Does their curiosity get stunted? I'm not saying that, I'm saying their imagination is hijacked, it's taken from them.</p>
<p>This one seems to be related to how much time they spend on the device and whether they have any usage rules. </p>
<p>We've all heard about how Disney, or Hollywood in general, hijacks the imagination, because audio and video are among our most powerful and influential mediums. The stories get into our minds, into our dreams, into our imaginations. It's truly an awesome medium, but what happens when we're immersed in it every day? When does our imagination have its own space to exist, to be hungry, to seek, without being fed?</p>
<p><a name="criminals"></a></p>
<h4>Criminals</h4>
<p>When kids start to go online many parents share a common concern about child predators, scammers, and general sleaze balls. I dare not explore all the possibilities here, or review the historical cases, because well, I just don't want to. </p>
<p>This can be mitigated by having rules around information sharing, checking in on what your kids are doing, and listening to what they like to do so you can learn more about their habits.</p>
<p><a name="content"></a></p>
<h4>Content</h4>
<p>Of course there's this threat that the Internet is full of some of the most disturbing content one could ever imagine, and many could never imagine. These are dark corners where most of us do not tread, and we certainly don't want our kids treading there. Make them aware that they may come across things they won't like, or far far worse, things that they will never forget.</p>
<p><a name="psychological-mitigations"></a></p>
<h3>Mitigations</h3>
<p>Here are some things you can do to protect and reduce the chance that something bad will happen, or the impact of it when it does. Also, these are generally good hygiene habits to start building now.</p>
<p><a name="establish-rules"></a></p>
<h4>Establish rules, talk through them</h4>
<p>To curb unconstrained addictions and distractions, implement a set of clear rules, present them to your child in the form of a contract, read them over together, and have the child sign. Review these rules every now and again, once or twice a year, as a refresher or to make changes.</p>
<p>For reference, I am sharing my own <a href="https://www.lookout.net/files/child-computer-use-agreement.pdf">Child Computer Use Agreement</a> for you to use or modify.</p>
<h5>Determine times and places of use</h5>
<p>Rules should describe things like times of use and usage locations. For example, some people want to keep devices out of the bedroom; others are ok with that but don't want them in there overnight, instead using a charging table in the hall or another public area for overnights. Times of use could be something like limiting to 1 hour per day, or 4 days on and 3 days off each week.</p>
<p>For reference, I am sharing my own <a href="https://www.lookout.net/files/child-tech-contract.pdf">Child Technology Contract</a> for you to use or modify.</p>
<h5>Discuss bullying and ways to handle it</h5>
<p>The rule here is, in a nutshell, if a chat or other conversation is starting to get nasty or make you feel bad, then get away from it, ignore it. </p>
<p>We told our kids that if they ever feel like someone is being mean or hurtful, then they should come find us so we can take a look and talk about it. It can be good to look at these things together, and talking about it can help kids learn to let go of things, not get attached to them. Bullies and trolls are just trying to bait people, and life is too short.</p>
<p>On the flip side, if your kid <em>is</em> the bully, then it may be time for a humility check. I'll ask the psychologists to chime in here on tools and techniques that can help when a child feels compelled to beat up another child. But my hunch is that, that need is based in the age-old power struggle. Bullies are usually making up for an emotional gap, a fear and shortcoming. </p>
<p>Kid wants power, kid finds a weaker victim, kid beats them up and feels powerful. Temporary dopamine rush. It's the hero / anti-hero, and your kid is now the anti-hero. So in this case, maybe a life lesson in shame needs to be surfaced. Some psychologists tie this behavior back to the way our Western culture has abandoned the old rites of passage. A rite of passage can be a powerfully humbling experience, but it requires an event that doesn't fit into our normal day to day. This could be something like a 'vision quest' which pits a growing child against their own mortality and forces them to see their relationship with others in a new light. Typically these events are saved for older children as they move into adulthood. In the Pacific Northwest, there are plenty of opportunities for something like a vision quest rite of passage, through church groups, wilderness organizations, etc. </p>
<p>I don't really have any advice to offer that would help a bully recognize their responsibility to others, and move more into a hero role. But it feels like talking to them, getting them outside, out of their element, in a position where they have to help others less fortunate, rather than hurt them, might be a good way to think about it.</p>
<h5>Exercise a parent's right to spot check</h5>
<p>Another important rule to get clear on is the parent's right to 'spot audit'. In short, your child must understand that the parent can and will search their device, read their messages, look at their browsing history, and anything else because you know, it's for the kid's safety. Implement this right, and exercise it before you face a battle of losing it. </p>
<p>And, you must actually do this. Tell the kid, okay, you're getting audited, and actually look over their device. Skim through messages, look at what apps are installed, and review the browser history.</p>
<h5>Set rules about information sharing</h5>
<p>We want our kids to be smart, but smartness comes from experience, and we don't want the experience of unaddressed bullying or a child predator. </p>
<p>Teach kids that they never give out the following information: </p>
<ul>
<li>Their name</li>
<li>Their address</li>
<li>Their phone number</li>
<li>Their personal email address</li>
<li>Their school name</li>
</ul>
<p>Or their parents' information, or basically anything about themselves. My general rule here is: if you want to tell someone online something personal that identifies you, then come talk with a parent about it first and let us decide together.</p>
<p><a name="disconnect"></a></p>
<h4>Disconnect for god's sake</h4>
<p>Who doesn't like to disconnect? I've heard some people fear the idea of not being able to check their email, a business deal might fall through, or some other emergency might go unnoticed. And then they do it, and thank god, they love it. </p>
<p>Go outdoors for a hike, leave your device at home or disable it. Take one weekend per month and make a no-computer family weekend. Shake things up.</p>
<p><a name="content-filtering"></a></p>
<h4>Content filtering</h4>
<p>Content filtering blocks porn, violent, and other disturbing sites that can leave lasting impressions. The kinds of things you wish you never saw, but you can never un-see. </p>
<p>Imagine the crime-fighters at Facebook, Microsoft, and other companies whose job is to review horrifying content. They have to deal with serious psychological and emotional trauma from witnessing some of the photos and videos they review.</p>
<p>None of us want our children to see that stuff. Some of the best content filters are VPNs like Freedome, or DNS providers like OpenDNS.</p>
<p><a name="benefits"></a></p>
<h3>Benefits</h3>
<p>Of course this was supposed to be something like a threat model, but now it's time to stray and consider some of the benefits with your kid owning their own mobile device. I'm sure there are many benefits I'm not thinking about or haven't listed here, so consider this just a start.</p>
<p><a name="location-awareness"></a></p>
<h4>Location awareness</h4>
<p>Location sharing is a feature built into Apple's iPhone, making it super easy for parents to see where their kids are located at any time. It exists on other platforms as well as other applications. On your kid's iPhone, you can just enable location sharing and then see where they are located from your own iPhone. </p>
<p><a name="flashlight"></a></p>
<h4>Flashlight</h4>
<p>It's always good to have a flashlight available. Make sure your kid knows how to turn it on.</p>
<p><a name="communication"></a></p>
<h4>Communication</h4>
<p>Knowing your kid can get in touch with you and you them can be comforting. Make sure they know how to dial 911 and how to call you or an emergency contact. Go through the drill with them a few times so they have it practiced.</p>
<p><a name="technical"></a></p>
<h2>Technical</h2>
<p>This section intends to focus more on the technical threats to privacy and security, and provides a list of things you can do to easily protect your kid, and yourself for that matter.</p>
<p><a name="platform-choice"></a></p>
<h3>Platform Choice</h3>
<p>You may be all over the place, using Apple, Windows, and Google tech simultaneously, or you may decide you want to settle on one platform.</p>
<p><a name="apple"></a></p>
<h4>Apple, Android, or Windows?</h4>
<p>Quite simply, which device do you get your child? You have to choose a platform. If you were to ask me, when it comes to mobile devices, I am a fan of the Apple iPhone for a variety of reasons:</p>
<ol>
<li>Tim Cook has made privacy a high priority and has voiced this publicly, and stood behind it legally. "You are the product" for other manufacturers, who rely on your data to subsidize the costs of their devices and software. For Apple, you pay the higher premium for iPhones and iPads so that your data is protected, not exploited.</li>
<li>They control their own ecosystem, which means their devices are consistently maintained and updated, the app store is relatively ok at finding naughty apps, and the attack surface available to a malicious app is smaller than it is for Android devices.</li>
<li>I like their family sharing stuff. It's not perfect, but it is nice that I can set up a shared credit card and require my kids to request app purchases, which I will be able to approve or deny. Plus, family sharing allows us to make one app or content/movie/music purchase and share it across our devices.</li>
</ol>
<p>I love Microsoft as well, but more for their business applications like Office 365 and <a href="https://www.microsoft.com/net/core">.NET Core</a>, and Google for their core services.</p>
<p><a name="tech-threats"></a></p>
<h3>Threats</h3>
<p>Let's count some of the ways these powerful tools can be used against your child.</p>
<p><a name="mobile-surveillance"></a></p>
<h4>A mobile device <em>is</em> a surveillance tool.</h4>
<p>A mobile device <em>is</em> a surveillance tool. Get that straight in your mind. Just the process of switching from cell tower to cell tower gives telcos a tracking capability, and we haven't even talked about GPS and Wi-Fi yet, browser activity, searches, apps, photos, etc. </p>
<p>Now this is the typical pros and cons thing, because in the unlikely situation that something happened and a legal investigation needed to be started, then this location information would be extremely valuable and comforting. But this same information can be abused by naughty businesses out there who make a living tracking people and collecting data without consent.</p>
<p><a name="lifetime"></a></p>
<h4>A lifetime of surveillance</h4>
<p>You may have heard that privacy is dead. Given mass surveillance and the behemoth search, social, and advertising conglomerates that exist, it sure seems that way, but it's not really dead; it just requires some awareness and knowledge. I'm planning to write a privacy guide that goes into detail about protections, so for now I will keep it brief.</p>
<p>Consider that kids getting online today are entering an increasingly sophisticated surveillance system that will become even more advanced over their lifetimes. It's reasonable to think that these kids could have their entire digital footprint aggregated from multiple sources and stored basically forever. </p>
<p>Imagine the year 2030, when someone with access to 15 or 20 years of your child's data can do things like: </p>
<ul>
<li>Replay or analyze years of Internet searches and browsing history</li>
<li>Construct a heat map of all the things your kid has liked over the years</li>
<li>Run a visual display of physical movements over time, showing all the places your kid has been, with the ability to speed up or slow down the travel</li>
<li>Reconstruct specific conversations from chat rooms or comment threads</li>
<li>Build a high-level 'social score' based on automated psychoanalysis of all gathered information</li>
<li>Build a social graph of relationships, friends, family, doctors, co-workers, and more</li>
<li>Run a simulation on expected future activities, likes, product purchases, travel plans, and political positions</li>
</ul>
<p><a name="identity-theft"></a></p>
<h4>Identity theft</h4>
<p>I don't want to scare the crap out of you, but this will scare the crap out of you. As if all the other threats weren't bad enough, children are becoming an increasingly sought-after target for identity thieves. Consider the key findings from a <a href="https://www.cylab.cmu.edu/files/pdfs/reports/2011/child-identity-theft.pdf">2011 Report on Child Identity Theft</a>.</p>
<p><img src="https://www.lookout.net/images/child-identity-theft-findings.png" alt="Child Identity Theft" title="Stats from 2011"></p>
<p>These findings do not look good for child identity theft. </p>
<ul>
<li>Children's identities were being misused at 51 times the rate found for adults<br></li>
<li>The stolen IDs were used to purchase homes and automobiles, get loans and credit cards, and obtain employment and driver's licenses<br></li>
<li>The largest fraud was $725,000 against a 16-year-old girl. Her family has been dealing with that nightmare for years, and the girl will be too<br></li>
<li>10% of the victims were under the age of 5<br></li>
</ul>
<p>With recent health care industry breaches, criminals have acquired mounds of valuable identity data including social security numbers, home addresses, parent names, full names, health records, and more. They may choose to sell this on the black market or sit on some of the identities until a future date.</p>
<p><a name="hacked"></a></p>
<h4>Hacked</h4>
<p>I don't like using the word hacked to describe your device getting pwned. Normally we'd call this a breach, a compromise, or an attack. But 'hacked' works too. </p>
<p>Security is important if you care at all about what's stored on your kid's device, and from photos to email to browser search history and private conversations, I'm betting it's important to you. </p>
<h5>Information stolen</h5>
<p>A jealous boyfriend gets into his girlfriend's phone and starts rifling through her messages and email. </p>
<p>Some hacker at school gets into the phone just for fun, and then dumps the information to a public website or social network. </p>
<p>There are many scenarios to consider. Bottom line is, you probably don't want your kid's information getting stolen.</p>
<h5>Identity impersonation</h5>
<p>Now that your kid's phone has been hacked, their identity can be impersonated. That means whoever has hacked the device can send email messages as your kid, visit sites logged in as your kid, or otherwise look like them in whatever actions they take. </p>
<p>The attacker also inherits everything the device logs into automatically: saved passwords, VPNs, Wi-Fi networks, and any other system the device has been configured to connect to without asking.</p>
<p><a name="technical-mitigations"></a></p>
<h3>Mitigations</h3>
<p>These are things you can do to reduce the chance that something bad will happen, or to reduce the impact when it does. They are also generally good hygiene habits to start building now.</p>
<p><a name="private-email"></a></p>
<h4>Get a private and secure email account</h4>
<p>Maybe you've been using the same free email for the last 10 or 15 years, giving your email provider and their third-party partners free rein to mine your messaging data, link it up with millions of other inboxes, and build valuable trends and predictive analytics that feed the colossal advertising empire. And as your life's correspondence is gathered, stored, and analyzed, you are making those companies billions of dollars. And that's not even considering the other actors who are interested in wholesale communication collection, such as foreign and domestic government surveillance programs. </p>
<p>While the best things in life are free, the best things on the Internet are not. Get Protonmail <a href="https://protonmail.com">https://protonmail.com</a> accounts for yourself and your family. You can start with the free account, but I suggest paying for the Protonmail Plus account. Protonmail is beautifully engineered by a company based in Switzerland, has many useful features, and is a pleasure to use. Protonmail gives you secure and private email: your mailbox is encrypted with keys only you hold, so even the staff at Protonmail can't read your stored messages, and mail between Protonmail users is end-to-end encrypted. One caveat worth knowing: mail to someone on another provider travels to them as ordinary email unless you send it as a password-protected message. There is no advertising, no trackers, and no third parties snooping on your inbox and conversations. </p>
<p><a href="https://www.hushmail.com/">Hushmail</a> is another good alternative from a Canadian company, and I suggest the paid account if you go with them. And if you go with Apple as your platform of choice, an iCloud email account is an okay way to get started.</p>
<p><a name="get-brave"></a></p>
<h4>Get Brave</h4>
<p><a href="https://www.brave.com/">Brave</a> is a new Web browser created by Brendan Eich, inventor of JavaScript and co-founder of Mozilla, who brought us the Firefox Web browser. JavaScript is the most important programming language that powers the Web; it's practically synonymous with the World Wide Web. The Brave browser has a radical mission to set the Web on a new course, by rewarding site content creators with optional micropayments, and by replacing problematic trackers and advertisers with a more secure and private ad platform.</p>
<p>Get <a href="https://www.brave.com/">Brave</a> for your kid and for yourself. It's built on Chromium, the open-source core of Google Chrome, so sites behave the same way they do in Chrome.</p>
<p><a name="strong-passcode"></a></p>
<h4>Set a strong passcode</h4>
<p>You know that default 4-digit PIN that you set up with your phone? Ya, change that right away. A 4-digit PIN has only 10,000 possible combinations, and the common ones (birth years, 1234, 0000) get tried first. Change the passcode to the stronger alphanumeric password option and use something non-guessable, not a simple word or combination of words. Length matters more than anything: a long string of random letters, numbers, and special characters is best, and a long passphrase of several random words is a good compromise that's still typeable on a phone.</p>
<p><a name="fingerprint-security"></a></p>
<h4>Enable fingerprint security</h4>
<p>On iPhone this is called Touch ID (or Face ID on newer models), and you can turn it on to gain an extra layer of security. It protects against someone who has the phone in hand: the screen stays locked without the fingerprint or the passcode, and many apps can require Touch ID again before they open, so a sibling or classmate who picks up an unlocked phone still can't get into the banking or messaging app. It does not help against malware already running on the device, and because the passcode is always the fallback, the fingerprint is only as strong as the passcode behind it.</p>
<p><a name="install-a-vpn"></a></p>
<h4>Install a VPN</h4>
<p>A Virtual Private Network (VPN) provides numerous privacy and security benefits. A VPN encrypts your network traffic between the device and the VPN provider's server, so the network you happen to be on (the hotel, school, or coffee shop Wi-Fi, and the ISP behind it) cannot read, tamper with, or log it. Be aware of what that really does: it moves trust from the local network to the VPN provider, who can see everything the local network no longer can, so pick a provider you have a reason to trust. </p>
<p>Some VPNs also provide content protection, blocking known sites that are categorized as porn, violent, criminal, or some other thing you don't want your child exposed to. </p>
<p>Some options include ProtonVPN, by the makers of Protonmail, and Freedome VPN by F-Secure. </p>
<p>With a VPN installed, I would run it basically all the time, but many people will find it imperative while traveling or on public Wi-Fi networks (school, library, hotel).</p>
<p><a name="get-opendns"></a></p>
<h4>Get OpenDNS</h4>
<p>OpenDNS Home and OpenDNS FamilyShield are free, get them - <a href="https://www.opendns.com/home-internet-security/">https://www.opendns.com/home-internet-security/</a> </p>
<p>It will give you several benefits: </p>
<ul>
<li>Ability to see DNS requests (the names of the sites your kids are visiting). So you didn't know your kid was on Instagram before? Well now you do!<br></li>
<li>Ability to block content by category. So some doofus, I mean friend, sends your kid a link to a porn site. Well guess what, they won't be able to open it, OpenDNS blocks it!<br></li>
</ul>
<p>OpenDNS has a vast network of domain data that's always being updated. They categorize sites in a variety of ways so that you can easily block sites that host porn, violence, criminal, or other content. They also help to block trackers and other advertising domains that may abuse privacy. Two things to understand about how it works: it only applies while the device is using the OpenDNS resolvers, so set it on your home router to cover every device on the network, and remember that a phone on cellular data or with a different DNS setting is not covered. And DNS only ever sees hostnames, never the full URL, so it blocks or allows a whole site, not individual pages.</p>
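<p>To make the hostname point concrete, here is an added example (not OpenDNS code) of how a category-based filtering resolver decides a query: it walks the hostname's labels from most specific to least specific against a category table keyed by domain suffix, and blocks when the category is on your blocked list. The category table, the <code>.test</code> hostnames, and the blocked set are all constructed for the example. The <code>resolve_policy</code> function takes a full URL on purpose, to show that the path and query string are thrown away before the decision is made.</p>

```python
"""DNS-level content filtering, in the style of a family-shield resolver.

Added example for this guide, not OpenDNS's own code. The category table
below is constructed for illustration (real feeds have millions of entries),
and the .test hostnames are reserved names that never resolve on the Internet.
"""
from urllib.parse import urlparse

# Constructed category data: domain suffix -> category.
# A more specific entry (video.example-social.test) wins over its parent.
CATEGORIES = {
    "example-adult.test": "pornography",
    "tracker.example-ads.test": "advertising",
    "example-ads.test": "advertising",
    "video.example-social.test": "video-sharing",
    "example-social.test": "social-networking",
}


def categorize(hostname):
    """Return (matched_suffix, category) for the most specific entry
    covering hostname, or (None, None) if no entry matches."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the full name down to the bare registrable domain.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CATEGORIES:
            return suffix, CATEGORIES[suffix]
    return None, None


def resolve_policy(url_or_host, blocked_categories, allowlist=()):
    """Decide what a filtering resolver does for the DNS query a browser
    makes to load url_or_host. Only the hostname survives; path and query
    are invisible to DNS, which is why this blocks whole sites."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlparse(target).hostname or "").lower()
    if host in allowlist:
        return {"host": host, "action": "allow", "reason": "allowlisted"}
    suffix, category = categorize(host)
    if category in blocked_categories:
        # A real resolver answers with the address of its block page here.
        return {"host": host, "action": "block", "reason": f"{suffix} is {category}"}
    return {"host": host, "action": "allow", "reason": category or "uncategorized"}


if __name__ == "__main__":
    blocked = {"pornography", "advertising"}
    for u in ("https://www.example-adult.test/safe/page",
              "https://www.example-adult.test/other/page?x=1",
              "https://video.example-social.test/watch",
              "tracker.example-ads.test",
              "unknown.test"):
        print(u, "->", resolve_policy(u, blocked))
```

<p>Run it and note that the two URLs on <code>www.example-adult.test</code> produce identical decisions: the resolver never saw that the paths differed. That is the trade-off of DNS filtering, cheap and covering every app on the device, but all-or-nothing per site.</p>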
<p><a name="get-encrypted-messaging"></a></p>
<h4>Get encrypted messaging</h4>
<p>So, here's the thing about messaging. Consider the default or normal set of messaging apps to be like passing a letter across the classroom to its intended recipient, where everybody it passes by has a chance to read it, including the teacher. </p>
<p>SMS is definitely insecure, avoid it when possible. There is no end-to-end encryption; every message sits in plaintext at the carrier. Who knows what telcos do with those messages, they have a lot of leeway to sell data to third parties, and I consider it untrusted. </p>
<p>To get straight to the point, iMessage is much better, and I am fine with the kids using that. Apple designed it to be end-to-end encrypted: messages are encrypted on the sending device and can only be decrypted by the recipient's devices, so Apple's servers only ever relay ciphertext and even Apple cannot read messages sent over iMessage. The one catch is backups: if iCloud Backup is turned on, the message history goes into a backup that Apple holds the keys to, so the protection in transit doesn't extend to the backup. </p>
<p>If you prefer another step up, get Signal by <a href="https://whispersystems.org">Open Whisper Systems</a>. </p>
<p>Your kid may want to use Snapchat or something similar, but they do not offer end-to-end encryption at the time I'm writing this, so the company can read what is sent. WhatsApp does offer end-to-end encryption, but they have suffered from several rookie mistakes over the years, and I'm not sure where they're at now.</p>
<p><a name="install-ghostery"></a></p>
<h4>Install Ghostery</h4>
<p>Ghostery is a Web browser plugin that blocks a variety of trackers. A tracker is some piece of technology, usually a script or an invisible image loaded from a third-party domain, that literally tracks your Web activity: what sites you visit, what links you click, and sometimes more, like what search terms you enter or other information you provide. </p>
<p><a href="https://www.ghostery.com/">https://www.ghostery.com/</a> </p>
<p>Install this in each of your browsers.</p>
<p><a name="raise-awareness"></a></p>
<h4>Raise awareness</h4>
<p>Let's get something straight. Online privacy isn't just a matter of "oh I don't care that Google can read all of my Gmail." The scope of privacy is huge, massive, well beyond any one service provider. It's a state of mind and a state of our future reality.</p>
<p>Let's start with the social media masters first. Consider this: you are logged into your Facebook or Twitter account. You open another tab in your browser, do a search, click a link, and open a webpage on a new site. In many cases, Facebook and Twitter will be notified that you opened that exact page. This is because of how trackers work. When a page embeds a Facebook button or a Twitter widget, your browser fetches that widget from facebook.com or twitter.com, and that request carries two things: the cookies that identify your logged-in account, and a Referer header naming the page you are looking at. The site you visited didn't have to send them anything; your own browser did it on its behalf. </p>
<p>So whenever you see a Facebook 'like' button on a page or a Twitter 'tweet this' button, those companies have already been told that you, specifically, loaded that page, before you ever click to like or tweet. And they've been told how you arrived there.</p>
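<p>This is also what a blocker like Ghostery is deciding on: which of the resources a page pulls in come from somewhere other than the site you meant to visit. As an added example (not code from the original post, and not Ghostery's own logic), the script below takes a page's URL and HTML and lists every third-party host the browser would contact while loading it, with the URLs it would fetch from each. Every one of those hosts receives the request with its own cookies and the page URL in the Referer header. The sample page is constructed for the example; the hostnames in it are illustrative, and the registrable-domain check is a simplification (a real blocker uses the Public Suffix List).</p>

```python
"""Which third parties learn that you loaded a page?

Added example for this guide, not code from the original post or from
Ghostery. Parses the HTML a browser would render and reports the hosts that
would be contacted to fetch embedded resources, separating the page's own
site from everyone else. The sample page below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute causes an automatic request as the page is parsed.
_RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),   # stylesheets, icons, preloads
    "source": ("src",),
}


class _ResourceCollector(HTMLParser):
    """Collect the absolute URL of every auto-fetched resource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = _RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if value:
                # Relative and protocol-relative URLs resolve against the page.
                self.urls.append(urljoin(self.base_url, value))


def registrable_domain(host):
    """Simplified eTLD+1 (last two labels). Assumption for the example:
    fine for .com/.net style hosts, wrong for co.uk-style suffixes,
    where the Public Suffix List is needed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def third_party_hosts(page_url, html):
    """Return {host: [urls]} for every host outside the page's own site."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    first_party = registrable_domain(urlparse(page_url).hostname or "")
    found = {}
    for url in collector.urls:
        host = urlparse(url).hostname
        if not host:
            continue  # data: URIs and the like never leave the browser
        if registrable_domain(host) != first_party:
            found.setdefault(host, []).append(url)
    return found


# Constructed sample page: one news site embedding an analytics script,
# a tweet button iframe and the Facebook SDK, plus its own CDN and a data URI.
SAMPLE_URL = "https://www.example-news.com/story/123"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="//cdn.example-news.com/img/logo.png" alt="logo">
<iframe src="https://platform.twitter.com/widgets/tweet_button.html"></iframe>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="spacer">
</body></html>"""


def demo():
    return third_party_hosts(SAMPLE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for host, urls in sorted(demo().items()):
        print(f"{host} learns you visited {SAMPLE_URL} via:")
        for u in urls:
            print("   ", u)
```

<p>The site's own CDN (<code>cdn.example-news.com</code>) is not reported because it shares the page's registrable domain, while the analytics, Twitter and Facebook hosts are. Each of those three gets the visit, with the user's cookies for that host attached, whether or not the user ever touches a button.</p>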
<p><a name="consider-the-philosophy-of-privacy"></a></p>
<h4>Consider the philosophy of privacy</h4>
<p>Sit down with your kids from time to time and explain a few things to them. But don't just lecture, we all get enough of that, and I'm probably doing it right now. Instead ask them some questions, and help them find answers and really, deeply understand more about the technology they are using, and the implications of mass government or corporate surveillance. If you're not comfortable with your own knowledge here, then follow some of my links below and educate yourself a bit, or see what your kid responds with, maybe they already know more than you do. </p>
<p>Basics - how does the Internet work, kids? Well, most simply, it's a network of nodes that can send messages to each other. It's a lot like nature's first Internet - mycelium, the root-like network of fungi through which signals can travel great distances, many miles in some cases. Ya, I had to throw that out there. </p>
<p>Footprints - imagine kids, that as you walk across the Internet, you leave footprints in the sand, only the ocean never washes them away - they are forever. Make sure the kid gets that every message they send, every search they make, every webpage they visit, becomes a part of their permanent record. Not unlike the Akashic record, in that everything done online leaves an imprint and in this case it all links back to you as a person. Yes, we can learn a lot about you after 10 years of Internet activity. </p>
<p>That brings us to privacy. Think of privacy as a right, use it or lose it. This is our new reality of global surveillance and what privacy really means. </p>
<p>Discuss it. Go watch Edward Snowden's original disclosure interview with Glenn Greenwald. Don't get caught up with what you think of him, if he's a traitor or a heretical hero, or what you've heard, just go spend the 10 minutes to listen to the very first disclosure about mass surveillance ever released - <a href="https://www.youtube.com/watch?v=0hLjuVyIIrs">https://www.youtube.com/watch?v=0hLjuVyIIrs.</a> </p>
<p>Then, talk about the value of privacy. Do some research if you have to. Look up '<a href="https://motherboard.vice.com/en_us/article/chilling-effect-of-mass-surveillance-is-silencing-dissent-online-study-says">the chilling effect</a>', go learn how Phil Zimmermann enabled human rights activists to report out from hostile and murderous regimes in the 90's by giving them tools to encrypt email - <a href="https://philzimmermann.com/EN/letters/index.html">https://philzimmermann.com/EN/letters/index.html.</a> </p>
<p>Think about the ethical responsibility around privacy, and how those ethics have been abused or completely ignored by some corporations and governments. Research how advertising companies have exploited vulnerabilities in the Web to track user activity when they were not supposed to. </p>
<p><a name="duckduckgo"></a></p>
<h4>Change your search engine to DuckDuckGo</h4>
<p>Yes there are alternatives to Google, and yes their name is pretty weird. The good news - the results are good, they collect zero information about you, and they have some pretty neat features. </p>
<p>What can you learn about someone from 5 years of their search history, 10 years, a lifetime even? What if it's combined with email, known relationships, friends and family, and expand that out to demographic areas of all sorts. Data is useful stuff. </p>
<p>But do you want all that data collected, on your kid? DuckDuckGo is built on a concept of privacy; that was and is its main goal, to protect your privacy. It has some pretty nifty features too. Aside from not collecting data on you, it has instant answers, !bang search functionality, and other useful searching tools. Try it out <a href="https://duckduckgo.com/bang">https://duckduckgo.com/bang</a>.</p>
<p><a name="password-manager"></a></p>
<h4>Start using a password manager</h4>
<p>As you've probably noticed, most of the things on this list are things you can be doing for yourself as well. That goes especially for this one. </p>
<p>Get your kid using a password manager early. Teach them how to generate a random password for every new application and site that needs one, and let the manager remember it. Get away from the idea of re-using a few passwords (one breached site then unlocks every other account), and get away from the idea of using 'memorable' passwords. Those days are over.</p>
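<p>What "random" means here, and how much it buys you compared with the 4-digit PIN from the passcode section, is easy to put in numbers. The script below is an added example (not from the original post, and not how any particular password manager is implemented): it generates passwords from Python's <code>secrets</code> module, which is the right source for secret material, and reports the entropy in bits for a given length and alphabet. The small word list for the passphrase generator is constructed for the example; a real generator draws from a list of several thousand words.</p>

```python
"""Random password generation and a strength estimate.

Added example for this guide, not code from the original post. Uses the
secrets module (cryptographically strong, unlike random.choice) and reports
entropy as bits = length * log2(alphabet size), valid because every symbol
is an independent uniform pick. The WORDS list is a constructed stand-in
for a real passphrase word list.
"""
import math
import secrets
import string

ALPHABET_DIGITS = string.digits                                 # 10 symbols
ALPHABET_ALNUM = string.ascii_letters + string.digits           # 62 symbols
ALPHABET_FULL = ALPHABET_ALNUM + string.punctuation             # 94 symbols

# Constructed word list; a real one has thousands of entries.
WORDS = ["otter", "basalt", "lantern", "quiver", "meadow", "cobalt",
         "harbor", "thistle", "glacier", "saddle", "ember", "walnut"]


def entropy_bits(alphabet_size, length):
    """Bits of entropy in `length` independent uniform picks from `alphabet_size` symbols."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and length >= 1")
    return length * math.log2(alphabet_size)


def random_password(length=16, alphabet=ALPHABET_FULL):
    """A uniformly random password; every position is an independent pick."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=WORDS, count=6, sep="-"):
    """A random passphrase: entropy is count * log2(len(words)), so the
    list size matters as much as the word count."""
    if count < 1 or len(words) < 2:
        raise ValueError("need count >= 1 and at least two words")
    return sep.join(secrets.choice(words) for _ in range(count))


def strength(alphabet_size, length, guesses_per_second):
    """Expected brute-force time, assuming the attacker must search half the
    keyspace at the given guess rate. The rate is an input, not a fact:
    an offline attack on a leaked hash runs billions of guesses a second,
    while a phone lock screen throttles to a handful."""
    bits = entropy_bits(alphabet_size, length)
    seconds = (2 ** bits) / 2 / guesses_per_second
    return {"bits": round(bits, 1), "expected_seconds": seconds}


if __name__ == "__main__":
    for label, size, length in (("4-digit PIN", 10, 4),
                                ("6-digit PIN", 10, 6),
                                ("16 random chars", 94, 16),
                                ("6 words from a 7776-word list", 7776, 6)):
        print(f"{label:32} {entropy_bits(size, length):6.1f} bits")
    print("password  :", random_password())
    print("passphrase:", random_passphrase())
```

<p>The numbers are the point: a 4-digit PIN is about 13 bits and a 6-digit PIN about 20, while 16 random characters from the full keyboard are over 100 bits. That gap is why the manager generates the password and the human only remembers the one that unlocks the manager.</p>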
<p><a name="update"></a></p>
<h4>Install updates immediately</h4>
<p>If you see an update come through for the device, install it immediately. Most often these address significant security issues, and waiting to install them leaves open the window of opportunity for a vulnerability to be exploited, because once a patch ships, the fixed bug is public and attackers work backwards from it. Attackers won't often be targeting your kid specifically. Rather, attackers are interested in building automation that can attack a whole bunch of devices en masse, in order to compromise them and add them to their zombie botnet collection.</p>
<p><a name="identity-theft"></a></p>
<h4>Subscribe to an identity theft monitoring service</h4>
<p>Sign up for a credit and identity theft monitoring service, and do it for your entire family, kids included, all the way down to infant age. I won't tell you which service to get, not in this article anyway. There are so many out there and I haven't studied them all, but I'm sure you can figure out which are reputable and which are not. The big three credit bureaus offer these services, as do several other tech-focused companies that specialize in this field. </p>
<p>The choice is yours. Consider it like insurance, it is a cost you have to pay to mitigate a potential risk.</p>
<p><a name="links"></a></p>
<h2>Links</h2>
<p>To dive deeper in the technical topics, with tutorials, tools, and other perspectives, check out some of the following links, which serve as excellent references. </p>
<ul>
<li><a href="https://ssd.eff.org/">EFF Surveillance Self-Defense</a></li>
<li><a href="https://www.eff.org/wp/digital-privacy-us-border-2017">Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud</a></li>
<li><a href="https://epic.org/privacy/tools.html">EPIC Online Guide to Practical Privacy Tools</a></li>
<li><a href="https://epic.org/privacy/consumer/">EPIC Consumer Privacy Project</a></li>
</ul>
<p><a name="conclusion"></a></p>
<h2>Conclusion</h2>
<p>As far as the focus on children, I did aim for that initially, and have talked through topics like bullying, addiction, setting boundaries through rules and contracts, protecting their privacy from digital surveillance, and subscribing to identity monitoring services. After writing this and reading through it though, I realize that it's more than a guide for safeguarding children when they get their first mobile device or start going online. </p>
<p>This can serve as an introductory guide to becoming aware of privacy and security issues and ways to protect anyone from those issues. There are details left out, and more significant measures that could be included depending on one's level of paranoia or desire to master this reality. Still I think this can serve as a good guide for anyone from novice to amateur level of experience with this topic. It's important to recognize that there is a huge battle taking place around us. There are government entities and corporations who want to get rid of all consumer privacy rights, and there are corporations and advocates who are fighting hard to protect privacy rights. Our future depends on understanding this landscape and making up your mind based on useful information rather than ambivalence and outside influence. </p>
<p><a href="https://www.lookout.net/articles/children-online-privacy-and-security-guide.html">Children, devices, and going online. A guide to security and privacy.</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on April 06, 2017.</p>
<p>https://www.lookout.net/articles/SDL-part-1 (published 2017-03-15 by Chris Weber, cweb@protonmail.com)</p>
<p>I'm writing a series on building an SDL program, the plans, the unexpected, the gotchas, and the good stuff. Security Development Lifecycle (SDL) is a phrase that comes from Microsoft, who pioneered the structure and processes that I am most familiar with. I spent a bunch of years as a security vendor for Microsoft while they were building up and rolling out the SDL, and I became so intimate with the process and helping product teams through it, that my company was asked to become one of a few select members of the <a href="https://www.microsoft.com/en-us/SDL/adopt/pronetwork.aspx">SDL Pro Network</a> (thanks <a href="https://twitter.com/k8em0">Katie!</a>). </p>
<p>Microsoft has recently gone into detail about their own <a href="https://www.microsoft.com/security/sdl/story/">SDL story</a>, how it came about, and where it took them. It's a great read to get some valuable context, history, and perspective. If you're at ground zero and want to build an SDL program at your company, expect a long, bumpy road ahead, but rest assured that a good plan, with willingness to be flexible, will get you there.</p>
<h2>Setting the Stage</h2>
<p>For this article I'm going to assume you have a company of a few thousand people, and maybe 400 in the application engineering discipline. That size makes a good middle ground for this series, as aspects can be scaled up or down pretty easily.</p>
<p>The company has a development culture, but not an application security one. Your software products have been in production for many years, and things are at a point where major rework is underway. The development teams are preparing for a new product launch based on a brand new architecture. It's all still in the early experimental phase, before any design decisions, and to top it off product teams are adopting DevOps-style Agile processes with continuous integration and continuous delivery (CI/CD) goals.</p>
<h2>Executive Support</h2>
<p>SDL doesn't happen without full executive support. The integration of security practices like threat modeling and pen testing do add time to release cycles - it's extra work. And it's more painful early in the transition, before the practices become a part of the culture, when they are constantly in mind, but don't feel like they're in the way. The leadership team should understand that this program isn't just about implementing technical controls, it's more about implementing a practice, new habits, which require an intrinsic culture change. The good news is, while many people who haven't experienced this concept of building security in to the development process typically dread security reviews and meetings, in my experience going through this process with them causes the reverse to happen - development staff actually start to look forward to having security meetings.</p>
<h2>First Steps - Interviews and Maturity Assessment</h2>
<p>You may have a sense of where your organization is at with regard to application security in the development processes, and you're almost certainly right. Nevertheless it's still a good idea to do a proper assessment to document the organization's maturity level. That assessment will serve as the starting point and reference for further discussions. The other value in an assessment is using it to measure the organization against other orgs in your industry. </p>
<p>Since you're going to be meeting and interviewing people during this phase, some other goals to keep in mind include:</p>
<p><strong>1) Start prioritizing teams</strong> </p>
<p>Use the interview process as a way to identify high-priority product teams and understand their release schedules. When I think high-priority I think of customer-facing and Internet-facing apps. The CISO or security lead you're working with may already have an idea of what products these are, but that could change as you learn things along the way.</p>
<p><strong>2) Start finding friends</strong></p>
<p>Use the interview process to identify folks who are the most open and interested in security and SDL - you will want to partner with them for the later pilot phase.</p>
<p>The <a href="https://www.bsimm.com">Building Security in Maturity Model (BSIMM)</a> is a valuable tool for measuring maturity, it's a yearly study of dozens of companies from across various industry verticals. The BSIMM was born out of a desire to gather real data about SDL implementations. As such, the people behind the study didn't approach companies with a pre-canned list of measurements. Rather they went to the companies to learn what those measurements should be. </p>
<p>The image below shows a sample <a href="https://www.bsimm.com">BSIMM7 scorecard</a> ripped straight out of the BSIMM7 report. To actually perform an assessment means you will need to do some work:</p>
<ul>
<li>Identify key stakeholders in the development organization. These are product owners, managers, directors, and developer leads.</li>
<li>Setup a 1 hour meeting with each stakeholder.</li>
<li>Using the BSIMM activity list, identify and mark which activities are implemented in the org.</li>
<li>During this meeting, collect some other data that describes development workflows, tech stacks, and methodologies that may help to further inform the assessment.</li>
</ul>
<p>Alternatively you could prepare a questionnaire, but I find it more helpful to meet in person and talk through things. Also alternatively, since the BSIMM activity list is pretty big, you could use the <a href="https://www.microsoft.com/en-us/SDL/learn/assess.aspx">Microsoft SDL</a> Optimization Model as the measuring stick. I was able to extract 52 practices, or activities, for my own assessment needs. Almost all of these map to something in the BSIMM, and whereas the BSIMM scorecard below might be a little too much for some people to look at, a similar Microsoft SDL scorecard would be smaller and easier to understand.</p>
<p><img src="https://www.lookout.net/images/bsimm7-scorecard.png" alt="BSIMM Scorecard" title="BSIMM Scorecard"></p>
<p>Let's explain this scorecard a bit. The BSIMM framework organizes 113 discrete activities into 12 practice areas, which are further organized into 4 domains:</p>
<ul>
<li>Governance
<ul>
<li>Strategy and Metrics (SM)</li>
<li>Compliance and Policy (CP)</li>
<li>Training (T)</li>
</ul></li>
<li>Intelligence
<ul>
<li>Attack Models (AM)</li>
<li>Security Features and Design (SFD)</li>
<li>Standards and Requirements (SR)</li>
</ul></li>
<li>SSDL Touchpoints
<ul>
<li>Architecture Analysis (AA)</li>
<li>Code Review (CR)</li>
<li>Security Testing (ST)</li>
</ul></li>
<li>Deployment
<ul>
<li>Penetration Testing (PT)</li>
<li>Software Environment (SE)</li>
<li>Configuration Management and Vulnerability Management (CMVM)</li>
</ul></li>
</ul>
<p>The four domains are represented as pillars in the scorecard, with three practice areas in each. If you look at the DEPLOYMENT pillar, and the first practice area called PENETRATION TESTING, you will see 7 discrete activities, each further organized into 3 maturity levels. The idea here is that you can measure your own penetration testing maturity against these 7 activities. The most basic maturity level would be represented by PT1.1, PT1.2, and PT1.3. Increasing maturity levels are represented by PT2.x and PT3.x. As you can see, a high majority of firms studied (82) had a basic pen testing activity implemented. That count goes down as the maturity level goes up. This is to be expected: most firms will be less mature, only a few will have reached high maturity.</p>
<p>Now, if you decided to go with the Microsoft SDL Optimization Model as the reference, you would wind up with a scorecard like the following:</p>
<p><img src="https://www.lookout.net/images/microsoft-sdl-scorecard.png" alt="Microsoft SDL Scorecard" title="Microsoft SDL Scorecard"></p>
<p>This takes a bit of explaining as well. You probably won't find this scorecard anywhere else, because I made it for my own purposes. It represents 52 specific activities spread out across 5 phases of the SDLC. Each phase is a pillar, and within each pillar, activities are ordered from a basic, level 1 maturity, to a more advanced, level 3 maturity. In this example, the Verification pillar shows that the organization meets all three Microsoft SDL activities for level 1 maturity - V1.1, V1.2, and V1.3. But they do not meet the more advanced level 2 and 3 activities.</p>
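<p>Once the interviews are done you have a list of activity IDs that are in place, and turning that into a scorecard is mechanical. The script below is an added example (not from the original article, and not the BSIMM or Microsoft SDL tooling): it reads IDs in the page's <code>&lt;practice&gt;&lt;level&gt;.&lt;number&gt;</code> form, such as <code>PT1.1</code> or <code>V2.3</code>, and reports, per practice and per level, how many activities are met and whether the level is complete, which is exactly how the Verification example above is read. The activity catalog in it is a small constructed stand-in; for a real assessment you would load the published activity list.</p>

```python
"""Maturity scorecard from a list of implemented activities.

Added example for this article, not BSIMM or Microsoft SDL code. Activity
IDs follow the convention used on the page: practice abbreviation, maturity
level, dot, sequence number (PT1.1, V2.3). CATALOG is constructed for the
example and is not the real activity list of either model.
"""
import re
from collections import defaultdict

_ID = re.compile(r"^([A-Z]+)([123])\.(\d+)$")

# Constructed catalog: two practices, three levels each.
CATALOG = [
    "PT1.1", "PT1.2", "PT1.3", "PT2.2", "PT2.3", "PT3.1", "PT3.2",
    "V1.1", "V1.2", "V1.3", "V2.1", "V2.2", "V3.1",
]


def parse_activity(activity_id):
    """Split 'PT2.3' into ('PT', 2, 3); reject anything else loudly."""
    m = _ID.match(activity_id)
    if not m:
        raise ValueError(f"bad activity id: {activity_id!r}")
    practice, level, number = m.groups()
    return practice, int(level), int(number)


def scorecard(catalog, implemented):
    """Return {practice: {level: {'total', 'met', 'complete'}}}.

    'implemented' is the set of IDs the interviews found in place. IDs that
    are not in the catalog are an error (usually a typo in the notes)."""
    implemented = set(implemented)
    unknown = implemented - set(catalog)
    if unknown:
        raise ValueError(f"not in catalog: {sorted(unknown)}")
    cells = defaultdict(lambda: {"total": 0, "met": 0})
    for activity in catalog:
        practice, level, _ = parse_activity(activity)
        cell = cells[(practice, level)]
        cell["total"] += 1
        if activity in implemented:
            cell["met"] += 1
    card = {}
    for (practice, level), cell in sorted(cells.items()):
        card.setdefault(practice, {})[level] = {
            **cell, "complete": cell["met"] == cell["total"]}
    return card


def highest_complete_level(card, practice):
    """Highest level reached without a gap below it (level 2 only counts
    if level 1 is complete too)."""
    levels = card.get(practice, {})
    reached = 0
    for level in sorted(levels):
        if level == reached + 1 and levels[level]["complete"]:
            reached = level
        else:
            break
    return reached


def render(card):
    """Plain-text scorecard, one line per practice and level."""
    lines = []
    for practice, levels in card.items():
        for level, cell in levels.items():
            mark = "complete" if cell["complete"] else "partial"
            lines.append(f"{practice} level {level}: {cell['met']}/{cell['total']} {mark}")
        lines.append(f"{practice} maturity reached: {highest_complete_level(card, practice)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed interview result matching the article's Verification example.
    found = {"V1.1", "V1.2", "V1.3", "PT1.1", "PT2.2"}
    print(render(scorecard(CATALOG, found)))
```

<p>Keep the interview output as the list of IDs and regenerate the card from it; when you repeat the assessment a year later the diff between the two lists is the progress report management asked for.</p>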
<h2>Lessons Learned</h2>
<p>One of the reasons I wanted to write about this was to talk about some of the lessons I learned personally or have seen others face. In the opening stage here, when the landscape is still pretty green field, it doesn't seem like there's a lot that could go wrong. At this stage it seems more about setting expectations and paying care and attention to others so you can manage those expectations. Some things to keep in mind at this stage:</p>
<p><strong>Understand where the organization fits into the BSIMM</strong></p>
<p>Data from the BSIMM is organized into industry verticals. If you are showing the organization how they compare to one of those verticals, be ready to explain the data in a little more detail. For example, if the organization is a health care insurer, you may show them BSIMM's radar chart of the health care industry. Well, suddenly 'health care industry' becomes a very vague term, and you may be faced with questions like - is that data from insurers or providers? Is that data from our competitors? Digging deeper shows that health care data in BSIMM encompasses more than just insurers, and includes medical tech companies as well. It's better to know the details of what you're comparing against.</p>
<p><strong>Describe the vision</strong></p>
<p>Executives may be patient, but they will feel much better having a rough ETA of when they will get their SDL program. It's too early for promises, but you could set some rough target dates for getting a couple pilot projects through a minimal SDL process. Beyond that you could set some farther goals for rolling a basic SDL out to a high-priority subset of the organization. If that included say 10 small product teams of 10 people each, you might suggest 6 - 12 months before they are incorporating SDL practices. Going from ground zero to functioning SDL will not happen fast, it's usually a cultural change which means a year minimum to get practices introduced and working in a rudimentary way. </p>
<h2>Next Steps</h2>
<p>Stakeholders will likely get the value of embedding security practices into the development process, and they might already start asking what the SDL rollout looks like, and how they can prepare their teams. Be ready to talk about the plan at a high level and present a one-page overview of the rollout. Assure them that this will work in a way that best fits the organization's needs and workflows, and that activities will be very opportunistic and not forced, at first = )</p>
<p>Having a proper assessment document provides the launching point for moving forward. In the next article I'll take a look at building a roadmap that will get you to a basic SDL program implementation. The scorecard will remain valuable too, as it can be revisited later on and over time for management to measure your firm's maturity level and watch SDL progress.</p>
<p><a href="https://www.lookout.net/articles/Building-SDL-Program-Part-1.html">Building an SDL Program - Part 1 - Where to start?</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on March 15, 2017.</p>
<p>https://www.lookout.net/articles/STEM-quadrivium (published 2016-02-13 by Chris Weber, cweb@protonmail.com)</p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-BcNs4HJ/A"><img src="https://www.lookout.net/images/Oculus-Siena-Cathedral.jpg" alt="Gate to Heaven Siena Cathedral" class="centered"></a></p>
<p>So I've been touring middle schools in Seattle, a bunch of them, and one thing kept sticking out at me. I'd walk into these classrooms, look around at the 6th grade kids staring at or huddling around their laptops, look at the dry-erase chicken scratch on the whiteboard, and think to myself, man, I feel like I'm in the office. It felt like there was potential for a lot of distraction with all the tab-filled screens, and looking at the notebooks, or rather the scraps of paper lying around, a lot more chicken scratch too.</p>
<p>The complete contrast to this was in the Waldorf School. I wanted to find something different, something that wasn't in a rush to push tech this and STEM (Science, Technology, Engineering, and Mathematics) that on these young children. Walking through Waldorf I saw blackboards with beautiful detailed drawings, pieces of art really. And where were the computers? 'We think those can wait until high school' - okay, I think I agree. Instead, I looked around and saw notebooks on the desks. But not everyday scribble, these things were works of art, and each page was filled with beautiful handwriting and hand-drawn images of ancient pharaohs or mythological archetypes. </p>
<p>My dilemma here is, how do I convince my kid to like the Waldorf school. No seriously (ok that was kinda serious), it's figuring out how I feel about this rush to STEMify our children, my children. Actually I already know how I feel about it - it's not that I'm against STEM, that would be silly. No, rather, it feels very unbalanced, rushed. Like the eagerness to augment the human brain with bio-tech before we even understand the relationship of the mind to the entirety of the brain and body system. These kids are just now starting to learn about the human psyche and their own selves and relationships; I'd rather see them focused on that for a while first before rushing off to the world of objectification.</p>
<p>A friend who's a renowned quantum physicist and professor at the University of Washington once said to me - "good science needs good philosophers". The thing that matters above all else in our world, the most important thing, being relationship. That quote represents the relationship between two people, and two perspectives - scientist and philosopher, or artist. Myth describes these relationships, our relationships.</p>
<p>STEM seems to be eager to move past this part of the story. This story is seen in our art, the mysteries, the philosophies and the theologies. It's art that shows us where we are in time, how we relate to each other and the world, the perspectives that exist. We have a compulsive, maybe addictive, tendency to identify ourselves with the gadgets and technologies of our time. Because going outward is so much easier than going inward. A man can spend his whole life studying an objective reality outside himself, and never go inward, never know himself and how he relates to others. And a person like that can even lead the world, and change it.</p>
<p>There was Plato's Quadrivium, or Pythagoras's. The Quadrivium was a basic educational structure that consisted of Math, Music, Astronomy, and Philosophy. Thales and Pythagoras, through Plato, brought us the Western mindset; they brought us science and philosophy, and for them the two were never separate, they were intertwined. It was a way of life to think, self-reflect, and study science. There was a grand purpose in the mystery schools of those times: how mathematics was somehow representative of fundamental constructs or forms in reality, and how meditation and sensory deprivation were tools to shed the super-chatty ego-self for a period long enough to let us feel and experience our connection to the oneness of all things - to re-calibrate and tune our minds and souls.</p>
<p>So for me, I would like my kids to get a core background in music, art, and philosophy, to gain more perspective and expression of themselves and the world, and following that move into the education of hard sciences if they want. The good stuff comes when the humanities, arts, and sciences are working together.</p>
<p><a href="https://www.lookout.net/articles/STEM-quadrivium-art.html">What's wrong with STEM and right with the Quadrivium?</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on February 13, 2016.</p>
https://www.lookout.net/2016/02/Top-ten-photos-from-2015 2016-02-11T00:00:00-08:00 Chris Weber https://www.lookout.net cweb@protonmail.com
<p>Ok, it was really difficult to take 8000 photos, down to 800 good ones, down to 100 really good ones, and pull out just 10 favorites. Very difficult. But when <a href="http://www.martinbaileyphotography.com/">"Martin Bailey"</a> and <a href="http://www.thearcanum.com/">"The Arcanum"</a> ask, I will deliver.</p>
<p>I'm exaggerating a bit, it wasn't as bad as I expected, and it was actually easier than choosing my top ten from 2014, because I had a bunch I really-really liked from that year. Anyway, I'm just rambling on because I don't have much else to say to introduce these photos, so here they are. Click on any image to see it full size.</p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-hNB8qkk/A"><img src="https://photos.smugmug.com/Public/Top-Ten/2015/i-hNB8qkk/0/X3/Magnusson%20Park%20Fog%20in%20January-103-Edit-2-X3.jpg" alt="Fog and Seagull on Lake Washington" class="centered"></a></p>
<p>Some of my favorite scenes are out in the thick fog. In this shot, the seagull was perched just at the time when a beam of sunlight lit up her body and the piling. The fog was truly this thick on the other side, no special effects.</p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-BcNs4HJ/A"><img src="https://photos.smugmug.com/Public/Top-Ten/2015/i-BcNs4HJ/0/X3/Amsterdam%20and%20Italy%20Trip-1631-X3.jpg" alt="Gate to Heaven Siena Cathedral" class="centered"></a></p>
<p>Looking up toward the Gate to Heaven at Siena Cathedral. This magnificent cathedral contains one of the most interesting and mysterious mosaics on the floor of the entryway - an image of <a href="http://www.ritmanlibrary.com/">"Hermes Trismegistus"</a> imparting knowledge to some humble scholars. I managed to get this shot in the midst of a large crowd while my daughters were running circles around me.</p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-WDHgJtC/A"><img src="https://photos.smugmug.com/Public/Top-Ten/2015/i-WDHgJtC/0/X3/Figure%208%20Island%20Lightning%20-%20Silkpix-1-X3.jpg" alt="Lightning at Figure 8 Island North Carolina" class="centered"></a></p>
<p>My first shot of lightning, ever. This was a long exposure, about 10 minutes. I set it up in the spot I expected to see lightning, and was happily surprised when I realized the warning sign was also in the frame (I was aiming into pitch black night).</p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-TX8Lhf6/A"><img src="https://photos.smugmug.com/Public/Top-Ten/2015/i-TX8Lhf6/0/X3/Figure%208%20Island-182-Edit-X3.jpg" alt="Figure 8 Island North Carolina" class="centered"></a></p>
<p>From the same beach on Figure 8 Island, the sky was incredible, the sea was colorful, but this was calling for black and white.</p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-7dN9DG6/A"><img src="https://photos.smugmug.com/Public/Top-Ten/2015/i-7dN9DG6/0/X3/Figure%208%20Island-225-X3.jpg" alt="Figure 8 Island North Carolina" class="centered"></a></p>
<p>Also on Figure 8, I wanted to capture the pastels with a little blur from camera motion. The only treatment here is a slight turn of the camera while taking a long exposure.</p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-JBmFkBM/A"><img src="https://photos.smugmug.com/Public/Top-Ten/2015/i-JBmFkBM/0/X3/Figure%208%20Island-595-X3.jpg" alt="Cosmic Correspondence - Milky Way and Man" class="centered"></a></p>
<p>Not trying to be narcissistic with this, but after taking some shots of just the Milky Way, I felt like it needed something more in it, so I added myself, and my reflection. </p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-hfPWDsq/A"><img src="https://photos.smugmug.com/Public/Top-Ten/2015/i-hfPWDsq/0/X3/Tofino%20BC-1215-X3.jpg" alt="Big sis, little sis." class="centered"></a></p>
<p>This image will probably only ever mean something to me, it's incredibly special and warms my soul to see my girls here against the setting sun. And I mean, they actually listened to me, how special is that? I was about 50 yards away with a telephoto.</p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-zBBjmgt/A"><img src="https://photos.smugmug.com/Public/Top-Ten/2015/i-zBBjmgt/0/X3/Tofino%20BC-1595-X3.jpg" alt="Tofino Milky Way" class="centered"></a></p>
<p>Can't get enough Milky Way photos? I know I can't. And this night was extra dark, and extra quiet on the beaches of Tofino. I knew I had something special when the band of Milky Way crossed over Frank's Island. Ya, I sat here for a long time and watched it traverse the island.</p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-xBmWDcm/A"><img src="https://photos.smugmug.com/Public/Top-Ten/2015/i-xBmWDcm/0/X3/larches%20against%20granite%20at%20Lake%20Vivianne%20-%20Canvas%20Print-X3.jpg" alt="Enchantment Lakes Wilderness" class="centered"></a></p>
<p>Oh the Enchantments, thank you for taking me so many years ago Andrew. I backpacked up Aasgard Pass and to Lake Vivian with this shot in my mind the whole time. I was a little bummed that it was past peak larch time and needles were shedding. But then again, it creates a unique scene in itself with the golden ground all around.</p>
<p><a href="https://web.smugmug.com/Public/Top-Ten/2015/i-kJZLMpF/A"><img src="https://photos.smugmug.com/Public/Top-Ten/2015/i-kJZLMpF/0/X3/Enchantment%20Lakes%202015-458-Edit-X3.jpg" alt="Meet the Larch Family at the Enchantments" class="centered"></a></p>
<p>More of the Enchantments, entire families of larches set against the beautiful granite. It's too bad this area is so difficult to access, but then again, it might not be so special otherwise.</p>
<p><a href="https://www.lookout.net/2016/02/top-ten-photos-2015.html">Top ten photos from 2015</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on February 11, 2016.</p>
https://www.lookout.net/2015/09/Blood-moon-lunar-eclipse-Seattle 2015-09-27T00:00:00-07:00 Chris Weber https://www.lookout.net cweb@protonmail.com
<p>From April 2014 through September 2015 we have had four total lunar eclipses, <a href="https://en.wikipedia.org/wiki/List_of_21st-century_lunar_eclipses">a rare sequence</a> not seen since 2003 and not to be seen again until 2032. We will have total lunar eclipses before then, just not four in sequence.</p>
<p>September 27, 2015 brought the last of the current sequence in a pretty spectacular Super blood moon. The conditions were less than optimal from our point of view. We gathered in Magnusson Park along with lots of other people, walked up on Kite Hill and watched due East. Mount Rainier was getting some nice sunset light, covered in a pink glow from the refraction. I caught these photos with a Fuji X-T1 camera and Fuji's 55-200 mm variable aperture lens. I would have loved an 800mm F2.8 lens but that's not happening with Fuji, yet. Click on any image for a larger view.</p>
<p><a href="https://web.smugmug.com/Private/Family/2015/Blood-moon-eclipse/n-tHD4Qn/i-tGjXTr3/A"><img src="https://web.smugmug.com/photos/i-tGjXTr3/0/L/i-tGjXTr3-L.jpg" alt="blood red supermoon eclipse" class="centered"></a></p>
<p>Kids were running around playing and the sky was getting darker around 7:00 PM. Finally around 7:20 PM or so we could see the moon, already above the horizon of the Cascade mountains but shrouded in haze. </p>
<p><a href="https://web.smugmug.com/Private/Family/2015/Blood-moon-eclipse/n-tHD4Qn/i-BQjbDpq/A"><img src="https://web.smugmug.com/photos/i-BQjbDpq/0/L/i-BQjbDpq-L.jpg" alt="blood red supermoon eclipse" class="centered"></a></p>
<p>It was still pretty exciting, and as the Moon slowly made its way out of the haze it became much clearer. Because of the low light, telescopes weren't working very well, except the ones with large optics. We had a decent set of Canon binoculars though, but the Fuji camera was producing the clearest and brightest images for us to see.</p>
<p><a href="https://web.smugmug.com/Private/Family/2015/Blood-moon-eclipse/n-tHD4Qn/i-6q86VqX/A"><img src="https://web.smugmug.com/photos/i-6q86VqX/0/L/i-6q86VqX-L.jpg" alt="blood red supermoon eclipse" class="centered"></a></p>
<p>The moon reached <a href="http://www.timeanddate.com/eclipse/lunar/2015-september-28">maximum eclipse</a> about 7:47 PM PST, and finally around 8:02 PM it became much darker when the Moon had fully cleared the haze. While it was much easier to see all around, the redness of the color was evident throughout the night. It was pretty awesome, and I'm glad to have witnessed the event with friends and family.</p>
<p><a href="https://web.smugmug.com/Private/Family/2015/Blood-moon-eclipse/n-tHD4Qn/i-NFpMn8t/A"><img src="https://web.smugmug.com/photos/i-NFpMn8t/0/L/i-NFpMn8t-L.jpg" alt="blood red supermoon eclipse" class="centered"></a></p>
<p><a href="https://www.lookout.net/2015/09/blood-red-super-moon-lunar-eclipse-seattle.html">Watching the Blood Red Super Moon Lunar Eclipse from Seattle</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on September 27, 2015.</p>
https://www.lookout.net/2015/09/tofino-bc-surfing-milky-way 2015-09-20T00:00:00-07:00 Chris Weber https://www.lookout.net cweb@protonmail.com
<p>We've been wanting to trek up to Tofino, BC, on Vancouver Island, for many years, and we finally made it. I've not been to such a magical place before, the energy was all its own, palpable and positive. Something about being on an island that's far away from the fast-life, in a small quiet town with an ancient human history spanning thousands of years, surfing fun waves and looking out at dark, starry skies. Or maybe it was all the feminine presence in the water, with lots of good spirit in the lineup. It still surprises me that surfing in the Pacific Northwest attracts so many women, usually like 50% or more of the lineup, with conditions that can be cold and sometimes harsh.</p>
<p>Most photos here were taken with the Fuji X-T1 and one of the Fuji primes or zooms, maybe one or two with the Sony RX100 III. Click on any image for a larger view.</p>
<p>To get started, we took the ferry ride across the Puget Sound from Anacortes to Sidney, and passed the two hour trip with some card games and sightseeing (there was no wi-fi).</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-Kcc9HJJ/A"><img src="https://web.smugmug.com/photos/i-Kcc9HJJ/0/L/i-Kcc9HJJ-L.jpg" alt="A rare glimpse of the girls on a ferry, during a serious match of Gubs."></a></p>
<p>When we arrived it was pouring rain like we hadn't seen in a long time, two feet in four days, at least. There were waves though, and we were stoked to surf, and get out on the beach during some of the lulls in rain.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-pPndTcG/A"><img src="https://web.smugmug.com/photos/i-pPndTcG/0/L/i-pPndTcG-L.jpg" alt="The Tofino locals."></a></p>
<p>But you can't just sit on the beach in Tofino, as nice as it is (even in the rain). We got out into the rain forest, to learn about the plants and animals and the ancient human caretakers who watched over them all. You know this is a healthy nurse log, right? I've never seen any quite like this.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-PcxFfr2/A"><img src="https://web.smugmug.com/photos/i-PcxFfr2/0/L/i-PcxFfr2-L.jpg" alt=""></a></p>
<p>And of course, we have to keep our eyes open for the banana slugs, the barometers and recyclers of the forest. We don't want to step on them!</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-p6L5SF5/A"><img src="https://web.smugmug.com/photos/i-p6L5SF5/0/L/i-p6L5SF5-L.jpg" alt=""></a></p>
<p>Back in town, it was off to Tacofino several times for burritos and tacos, damn they were good. I must have eaten 5 of them during the week.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-s7zRQ46/A"><img src="https://web.smugmug.com/photos/i-s7zRQ46/0/L/i-s7zRQ46-L.jpg" alt=""></a></p>
<p>And back on Chesterman's Beach, where there was at least one or two good sunsets to watch. I had been waiting for a good sunset of course, and thinking of photo compositions during the grayness, while waiting for Mother Nature to do her thing, change. Still, I never felt like I found the best spot or a really attractive composition, but that's okay, it just means I'll have to return.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-K8pxRV5/A"><img src="https://web.smugmug.com/photos/i-K8pxRV5/0/L/i-K8pxRV5-L.jpg" alt=""></a></p>
<p>I still don't know, and wonder, whose car this is corroding away near Frank's Island. The whale-tail-shaped spit of land must get flooded from time to time and I imagine this car was right there during one of those floods. The First Nations people talk about a Great Flood that occurred around 10,000 years ago, which corresponds with many flood myths from around the world, and perhaps the end of the last Ice Age, so maybe the car is left over from then.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-j2jkRXP/A"><img src="https://web.smugmug.com/photos/i-j2jkRXP/0/L/i-j2jkRXP-L.jpg" alt="One of those crazy orange-glowing sunsets in Tofino."></a></p>
<p>When the waves weren't pumping, or we were in between surf sessions, we'd explore the beach and caves which were accessible at low tide. Here a little girl faces a big dark cave, maybe pondering what could be inside, or what might have been inside from times past.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-H2F538g/A"><img src="https://web.smugmug.com/photos/i-H2F538g/0/L/i-H2F538g-L.jpg" alt="Little girl meets big dark cave."></a></p>
<p>The beach and caves never get tiring to explore.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-szvcXRQ/A"><img src="https://web.smugmug.com/photos/i-szvcXRQ/0/L/i-szvcXRQ-L.jpg" alt=""></a></p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-5pgvnkc/A"><img src="https://web.smugmug.com/photos/i-5pgvnkc/0/L/i-5pgvnkc-L.jpg" alt=""></a></p>
<p>And we made a trip out to the local botanical gardens, which were full of sculptures and art, plants, animals, and fun. Anne got this nice shot of a plant in the golden spiral.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-rKWn38g/A"><img src="https://web.smugmug.com/photos/i-rKWn38g/0/L/i-rKWn38g-L.jpg" alt=""></a></p>
<p>Waves ranged from knee high to a little overhead during our stay. The sun came out for a few days and we caught some good ones, and got the girls out on the boogie boards. Here's Anne getting a smaller one, and one of the few photos where there wasn't a pack of surf school folks crowding up the frame =)</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-pLN6b6X/A"><img src="https://web.smugmug.com/photos/i-pLN6b6X/0/L/i-pLN6b6X-L.jpg" alt=""></a></p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-MzvRMz5/A"><img src="https://web.smugmug.com/photos/i-MzvRMz5/0/L/i-MzvRMz5-L.jpg" alt=""></a></p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-9bTQ6DL/A"><img src="https://web.smugmug.com/photos/i-9bTQ6DL/0/L/i-9bTQ6DL-L.jpg" alt=""></a></p>
<p>Tofino and Vancouver Island are one of those interesting, rare landscapes where a billion islands dot the water on both the ocean-side and the inlet-side. Even the mountains have a style all their own, and the top hats to prove it.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-b5MQvqq/A"><img src="https://web.smugmug.com/photos/i-b5MQvqq/0/L/i-b5MQvqq-L.jpg" alt=""></a></p>
<p>With the angle and shape of the whale-tail sand spit at Chesterman's, a lot of fun moments present themselves for sunset photography.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-cpMHQww/A"><img src="https://web.smugmug.com/photos/i-cpMHQww/0/L/i-cpMHQww-L.jpg" alt=""></a></p>
<p>This was a total surprise, I didn't expect any of this to manifest and noticed it just by turning my attention from the surf to the sun. I'm glad I did.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-6HK7sVT/A"><img src="https://web.smugmug.com/photos/i-6HK7sVT/0/L/i-6HK7sVT-L.jpg" alt="Tucked away in Tofino, BC."></a></p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-xtL64Q5/A"><img src="https://web.smugmug.com/photos/i-xtL64Q5/0/L/i-xtL64Q5-L.jpg" alt=""></a></p>
<p>Even the pools of water in the sand made cool effects, and captured reflections of the clouds.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-M7mSk5x/A"><img src="https://web.smugmug.com/photos/i-M7mSk5x/0/L/i-M7mSk5x-L.jpg" alt=""></a></p>
<p>After recognizing the sunset situation, I rallied up my family for a sunset stroll the next night and tried to capture some silhouettes. Unfortunately I didn't think through the clothes that the girls were wearing here or these shots could have turned out much better - if they were wearing sun dresses or tighter fitting clothes. Still though, I'm happy to have captured these memories.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-wSB26Z6/A"><img src="https://web.smugmug.com/photos/i-wSB26Z6/0/L/i-wSB26Z6-L.jpg" alt="A little girl contemplates her world. In a handful of sand, a symbol of unshaped reality as it exists both at the beginning and the end, before and after her mind would intentionally form it."></a></p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-64mSvRJ/A"><img src="https://web.smugmug.com/photos/i-64mSvRJ/0/L/i-64mSvRJ-L.jpg" alt=""></a></p>
<p>And after the sun went down and everyone got into bed, I managed to muster up enough energy on the last night to get out and see the stars. Man was it worth it. The skies were clear and dark, and the Milky Way was in full form, arcing across the sky. Here I am alone on the beach, save for a bonfire or two far away. Silent. Mysterious. Awesome. Following the ripples in the sand, looking toward Frank Island.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-7pMpJJf/A"><img src="https://web.smugmug.com/photos/i-7pMpJJf/0/L/i-7pMpJJf-L.jpg" alt="Tofino is magical all around, and has some of the darkest skies I've seen on the PNW coast. This night I was on the beach mostly alone aside from a bonfire or two, soaking in the silence and mystery and looking out across the whale-tail-shaped landscape of Chesterman's beach toward Frank Island. The waves were glowing, bioluminescence, but I didn't realize it until later, after this photo, and I did manage to get a photo of that too."></a></p>
<p>Walking out to Frank Island the story was a little different. The rock was so dark I couldn't see under my feet, but I managed to find a still tidal pool to reflect some starlight. It was a little spooky, not really so much, but a little.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-nQzsgdv/A"><img src="https://web.smugmug.com/photos/i-nQzsgdv/0/L/i-nQzsgdv-L.jpg" alt=""></a></p>
<p>And a little zen before turning in for the night.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-FhCH6Gf/A"><img src="https://web.smugmug.com/photos/i-FhCH6Gf/0/L/i-FhCH6Gf-L.jpg" alt=""></a></p>
<p>And as usual, the ferry ride home was full of fun. Something about ferries, the wind, the water, the lack of wi-fi. Here's the Syncro loaded up and parked for the ride.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-cnjccKV/A"><img src="https://web.smugmug.com/photos/i-cnjccKV/0/L/i-cnjccKV-L.jpg" alt=""></a></p>
<p>And the BC ferries were far and away nicer than the WA State ferries. Here we are walking against a steady 40 knot headwind.</p>
<p><a href="https://web.smugmug.com/Public/Website/Tofino-BC-surfing-and-Milky-Way/n-pcvKjP/i-LpsBhFw/A"><img src="https://web.smugmug.com/photos/i-LpsBhFw/0/L/i-LpsBhFw-L.jpg" alt=""></a></p>
<p>Tofino, we will be back! Hopefully as early as Thanksgiving. I want to be there during the off season, when it's not too cold and the waves are good, and when the night comes earlier, so we don't have to wait up until midnight for stargazing.</p>
<p><a href="https://www.lookout.net/2015/09/tofino-bc-surfing-milky-way.html">Tofino BC Surfing and Milky Way</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on September 20, 2015.</p>
https://www.lookout.net/2015/08/unicode-confusables-in-javascript 2015-08-24T00:00:00-07:00 Chris Weber https://www.lookout.net cweb@protonmail.com
<p>The Unicode confusables have long been of interest in testing the security of applications and in social engineering. I work with Unicode often in tools and testing, and wanted to have the confusables data available in a javascript module, <a href="https://github.com/cweb/confusables.js">confusables.js</a>. The Unicode confusables are characters which are visually similar to, and easily confused with, other characters. More information is available from the Unicode Consortium at <a href="http://www.unicode.org/reports/tr36/#visual_spoofing">http://www.unicode.org/reports/tr36/#visual_spoofing</a>.</p>
<p>Because of some limitations in most javascript implementations, confusables.js requires a modified <a href="https://github.com/mathiasbynens/String.fromCodePoint">String.fromCodePoint</a> and this polyfill by <a href="https://mathiasbynens.be/">Mathias Bynens</a> works just fine.</p>
<p>Also known as homoglyphs, lookalikes, and spoofs - the confusables are characters that visually resemble or are indistinguishable from another character. For example, the following two characters are visually similar and easily confused (this is a line in the format of the Unicode confusables data file: source code point, target code point, type, then a comment):</p>
<p><code>FF21 ; 0041 ; SA # ( Ａ → A ) FULLWIDTH LATIN CAPITAL LETTER A → LATIN CAPITAL LETTER A</code></p>
<p>Sometimes during penetration testing, we want to bypass word blacklists, spoof URLs, spoof email addresses, or perform other tasks. Being able to generate lookalike strings can be quite useful in these cases, and we also know that bad guys will apply the same tactics to bypass antivirus or other security boundaries as well. </p>
<p>If you require more capability than this javascript provides, then go check out the <a href="http://unicode.org/cldr/utility/confusables.jsp">Unicode Consortium's utility for generating confusables</a>.</p>
<p>Note that generating a full list of all confusable permutations is expensive and often unnecessary, so confusables.js only generates a single permutation from randomly selected characters.</p>
<h2>Installation</h2>
<p>The test page <code>index.html</code> is running at <a href="http://lookout.net/test/confusablesjs">http://lookout.net/test/confusablesjs</a></p>
<p>In a browser:</p>
<figure class="highlight"><pre><code class="language-html" data-lang="html"><script src="js/confusables.data.js"></script>
<script src="js/confusables.js"></script>
<script src="js/fromcodepoint.js"></script>
</code></pre></figure>
<p>Two public methods are available with confusables.js to return the confusable data. You can pass in a string of characters and get a randomly selected string of confusable characters returned, or you can pass in a code point or single character and get an array of all confusables for that character.</p>
<p>The <code>confusables.utility.getConfusableString()</code> method accepts a string of one or more characters as input and returns a string of confusable characters. Since each character of input can have several confusables, a random one is selected from the data set. This provides a quick and convenient way to select confusables without enumerating the entire set.</p>
<figure class="highlight"><pre><code class="language-js" data-lang="js">var input = "abcDEF123";
var output = confusables.utility.getConfusableString(input);
// output is "αƄсᎠᎬϜוƧЗ" (one randomly chosen confusable per input character)
</code></pre></figure>
<p>The <code>confusables.utility.getConfusableCharacters()</code> method accepts a single character or code point value (decimal or hex) as input and returns all of its confusable characters in an array, which can be multidimensional when several characters combine to form a single confusable:</p>
<figure class="highlight"><pre><code class="language-js" data-lang="js">var codePoint = 0x0041; // or "A" or 65
var output = confusables.utility.getConfusableCharacters(codePoint);
// output is ['A', 'A', 'Α', 'А', 'Ꭺ', 'ᗅ']
// and could contain arrays of characters as values, e.g.:
// [["C", "'"], "Ƈ" ];
</code></pre></figure>
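<p>Parsing the data line format shown above and using it in the other direction, as an added example that is not code from confusables.js: it builds the forward (character to prototype) and reverse (prototype to confusables) tables from a constructed excerpt of confusables.txt, then implements the UTS #39 "skeleton" comparison that lets a defender flag two strings as lookalikes. The sample lines, the function names, and the handful of code points included are assumptions of the example, not the module's API.</p>

```javascript
// Added example for this post; it is not code from confusables.js.
// Parses lines in the confusables.txt format ("FF21 ; 0041 ; SA # ..."),
// builds the forward table (character -> prototype) and the reverse table
// (prototype -> confusable characters), and uses them for the defensive
// counterpart of generating lookalikes: the UTS #39 skeleton comparison.
// Modern engines provide String.fromCodePoint natively; the polyfill the
// post mentions is only needed on older ones.

// Constructed excerpt in confusables.txt line format (not the full file):
//   source ; target ; type  # ( source -> target ) SOURCE NAME -> TARGET NAME
const SAMPLE_DATA = `
# constructed sample, same layout as confusables.txt
FF21 ; 0041 ; SA # ( Ａ → A ) FULLWIDTH LATIN CAPITAL LETTER A → LATIN CAPITAL LETTER A
0391 ; 0041 ; MA # ( Α → A ) GREEK CAPITAL LETTER ALPHA → LATIN CAPITAL LETTER A
0410 ; 0041 ; MA # ( А → A ) CYRILLIC CAPITAL LETTER A → LATIN CAPITAL LETTER A
0430 ; 0061 ; MA # ( а → a ) CYRILLIC SMALL LETTER A → LATIN SMALL LETTER A
0440 ; 0070 ; MA # ( р → p ) CYRILLIC SMALL LETTER ER → LATIN SMALL LETTER P
0187 ; 0043 0027 ; MA # ( Ƈ → C' ) LATIN CAPITAL LETTER C WITH HOOK → LATIN CAPITAL LETTER C, APOSTROPHE
`;

// Turn a field of space-separated hex code points ("0043 0027") into a string.
function hexToString(field) {
  return field
    .split(/\s+/)
    .map((hex) => String.fromCodePoint(parseInt(hex, 16)))
    .join('');
}

// Parse confusables.txt text into two Maps. Comments (everything after '#')
// and blank lines are skipped. Sources in the current data file are single
// code points; targets may be sequences, which is why the post's
// getConfusableCharacters() can return an array of characters as one entry.
function parseConfusables(text) {
  const toPrototype = new Map();   // 'Ａ' -> 'A', 'Ƈ' -> "C'"
  const fromPrototype = new Map(); // 'A' -> ['Ａ', 'Α', 'А']
  for (const rawLine of text.split('\n')) {
    const line = rawLine.split('#')[0].trim();
    if (!line) continue;
    const fields = line.split(';').map((f) => f.trim());
    if (fields.length < 2 || !fields[0] || !fields[1]) continue;
    const source = hexToString(fields[0]);
    const target = hexToString(fields[1]);
    toPrototype.set(source, target);
    if (!fromPrototype.has(target)) fromPrototype.set(target, []);
    fromPrototype.get(target).push(source);
  }
  return { toPrototype, fromPrototype };
}

// Reverse lookup in the spirit of the post's getConfusableCharacters():
// accepts a character or a numeric code point and returns every character
// that maps to it, in file order (empty array when nothing maps to it).
function getConfusables(table, charOrCodePoint) {
  const key = typeof charOrCodePoint === 'number'
    ? String.fromCodePoint(charOrCodePoint)
    : charOrCodePoint;
  return table.fromPrototype.get(key) || [];
}

// UTS #39 skeleton: NFD, replace each character by its prototype, NFD again.
// Two strings with equal skeletons are confusable with each other.
function skeleton(table, s) {
  let out = '';
  for (const ch of s.normalize('NFD')) {
    out += table.toPrototype.has(ch) ? table.toPrototype.get(ch) : ch;
  }
  return out.normalize('NFD');
}

function areConfusable(table, a, b) {
  return skeleton(table, a) === skeleton(table, b);
}

const TABLE = parseConfusables(SAMPLE_DATA);

// Usage: the first string below is spelled with Cyrillic er (U+0440) and
// Cyrillic a (U+0430), so it looks like "paypal" but is a different string.
console.log(getConfusables(TABLE, 'A'));                        // [ 'Ａ', 'Α', 'А' ]
console.log(skeleton(TABLE, '\u0187at'));                       // C'at
console.log(areConfusable(TABLE, '\u0440\u0430ypal', 'paypal')); // true
console.log(areConfusable(TABLE, 'apple', 'apples'));           // false
```

A registration or login check that compares skeletons of a new identifier against existing ones catches the Cyrillic and fullwidth lookalikes that a plain string comparison misses.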
<p><a href="https://www.lookout.net/2015/08/unicode-confusables-in-javascript.html">confusables.js - Unicode confusables in javascript</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on August 24, 2015.</p>
https://www.lookout.net/2015/08/daddy-daughter-backpacking 2015-08-20T00:00:00-07:00 Chris Weber https://www.lookout.net cweb@protonmail.com
<p>This year was our annual daddy-daughter backpacking trip that some good friends and I have been doing since our girls were five years old. This year was extra special because they are now 10 and their 5 year old sisters came along for their first trip.</p>
<p>In the past we've gone backpacking into different areas of Washington, but this year we decided to go canoeing in the lakes of the North Cascade mountains. </p>
<p><a href="https://web.smugmug.com/Public/Website/6th-Annual-Daddy-Daughter-Trip/n-3xZfD5/i-m9wf6bT/A"><img src="https://web.smugmug.com/photos/i-m9wf6bT/0/L/i-m9wf6bT-L.jpg" alt=""></a></p>
<p>We started off with a short one-mile hike down to Ross Lake, where we picked up a boat ride to Ross Lake Resort. The trail down was steep in places, easy going mostly except for the two guys who had to lug our cooler and camp stove. We normally wouldn't take such luxuries, but this was canoe camping after all so let's go big.</p>
<p><a href="https://web.smugmug.com/Public/Website/6th-Annual-Daddy-Daughter-Trip/n-3xZfD5/i-4GLvZvP/A"><img src="https://web.smugmug.com/photos/i-4GLvZvP/0/L/i-4GLvZvP-L.jpg" alt="This year was our 6th annual daddy-daughter backpacking trip and some other dads and I took the girls to Ross Lake in the North Cascades for some canoe camping. This is the sunrise view from a tiny island we camped on, watching a few other canoers heading out, while looking toward Colonial and Pyramid peaks. There was a lot of smoky haze in the sky. There was also a lot of swimming, rock jumping, and adventuring on this little island. The North Cascades National Park is one of the most incredible parks in the nation, and much less traveled than areas like Glacier and Yellowstone, part of the reason I love it. The geologic history of the region is awesome. Over 500,000 acres containing 8,000 foot peaks, over 300 glaciers and just as many lakes, and enough diversity to redefine the term. Rocks have been dated to 400 million years, with &quot;a geologic mosaic made up of volcanic island arcs, deep ocean sediments, basaltic ocean floor, parts of old continents, submarine fans, and even pieces of the deep subcrustal mantle of the earth.&quot; [http://geomaps.wr.usgs.gov/parks/noca/nocageol1.html] It's like every geology Mother Earth had to offer was pulled together in this one landscape. Fossilized sea life has been found on mountain peaks. Mantle from the Earth shot up from miles below the surface to form peaks above the surface. And land masses drifted from around the world to collide in this concentrated area."></a></p>
<p>This was the sunrise view from the tiny Cougar Island we camped on our second night, watching a few other canoers heading out, while looking toward Colonial and Pyramid peaks. There was a lot of smoky haze in the sky. There was also a lot of swimming, rock jumping, and adventuring on this little island.</p>
<p><a href="https://web.smugmug.com/Public/Website/6th-Annual-Daddy-Daughter-Trip/n-3xZfD5/i-dT5TLZ5/A"><img src="https://web.smugmug.com/photos/i-dT5TLZ5/0/L/i-dT5TLZ5-L.jpg" alt=""></a></p>
<p>The North Cascades National Park is one of the most incredible parks I've been to, and much less traveled than areas like Glacier and Yellowstone, part of the reason I love it. The geologic history of the region is awesome. Over 500,000 acres containing 8,000 foot peaks, over 300 glaciers and just as many lakes, and enough diversity to redefine the term. Rocks have been dated to 400 million years, with the area becoming, as the <a href="http://geomaps.wr.usgs.gov/parks/noca/nocageol1.html">USGS puts it</a>:</p>
<blockquote>
<p>a geologic mosaic made up of volcanic island arcs, deep ocean sediments, basaltic ocean floor, parts of old continents, submarine fans, and even pieces of the deep subcrustal mantle of the earth.</p>
</blockquote>
<p>There are all sorts of interesting patterns in the rocks around the North Cascades.</p>
<p><a href="https://web.smugmug.com/Public/Website/6th-Annual-Daddy-Daughter-Trip/n-3xZfD5/i-fgBTx3B/A"><img src="https://web.smugmug.com/photos/i-fgBTx3B/0/L/i-fgBTx3B-L.jpg" alt=""></a></p>
<p>It's like every geology Mother Earth had to offer was pulled together in this one landscape. Fossilized sea life has been found on mountain peaks. Mantle from the Earth shot up from miles below the surface to form peaks above the surface. And land masses drifted from around the world to collide in this concentrated area.</p>
<p><a href="https://web.smugmug.com/Public/Website/6th-Annual-Daddy-Daughter-Trip/n-3xZfD5/i-44qb8kH/A"><img src="https://web.smugmug.com/photos/i-44qb8kH/0/L/i-44qb8kH-L.jpg" alt=""></a></p>
<p>Not to mention, picnic tables drifted from around the lake to collide with our campsite. Here's my daughter Ruby enjoying paddle boarding on one.</p>
<p><a href="https://web.smugmug.com/Public/Website/6th-Annual-Daddy-Daughter-Trip/n-3xZfD5/i-ptJ88CT/A"><img src="https://web.smugmug.com/photos/i-ptJ88CT/0/L/i-ptJ88CT-L.jpg" alt=""></a></p>
<p>Naomi got to do some picnic-table paddle boarding of her own, but was much more interested in the Pacific tree frogs they were finding near the water's edge.</p>
<p><a href="https://web.smugmug.com/Public/Website/6th-Annual-Daddy-Daughter-Trip/n-3xZfD5/i-Fqb7DKM/A"><img src="https://web.smugmug.com/photos/i-Fqb7DKM/0/L/i-Fqb7DKM-L.jpg" alt=""></a></p>
<p>Pacific Northwest moss and lichen is everywhere of course, but it was pretty dry given the drought this year.</p>
<p><a href="https://web.smugmug.com/Public/Website/6th-Annual-Daddy-Daughter-Trip/n-3xZfD5/i-s4qWMTg/A"><img src="https://web.smugmug.com/photos/i-s4qWMTg/0/L/i-s4qWMTg-L.jpg" alt=""></a></p>
<p>I don't know what kind of plant this little guy was, but it caught my attention somehow, somewhere on a trail near Big Beaver campground where we stayed on our first night.</p>
<p><a href="https://web.smugmug.com/Public/Website/6th-Annual-Daddy-Daughter-Trip/n-3xZfD5/i-8SfckKh/A"><img src="https://web.smugmug.com/photos/i-8SfckKh/0/L/i-8SfckKh-L.jpg" alt=""></a></p>
<p>And though we camped at Beaver and on Cougar Island, and the place is surrounded by black bears and all sorts of trout, the only wildlife we saw, other than the trout Dave caught, were the local camp squirrels, who were no doubt happy to see us with a bunch of little kids that drop lots of food.</p>
<p><a href="https://web.smugmug.com/Public/Website/6th-Annual-Daddy-Daughter-Trip/n-3xZfD5/i-ZLZjDrw/A"><img src="https://web.smugmug.com/photos/i-ZLZjDrw/1/L/i-ZLZjDrw-L.jpg" alt="The squirrels love seeing newcomers arrive."></a></p>
<p>It was a great trip with good friends. The Ross Lake area and the North Cascades are beautiful wilderness with plenty of exploration and relaxation to offer (well, maybe when the kids are more grown). I'm looking forward to next year's trip.</p>
<p><a href="https://www.lookout.net/2015/08/daddy-daugther-backpacking.html">6th Annual Daddy Daughter Backpacking Trip</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on August 20, 2015.</p>
<div class="css-full-post-content js-full-post-content">
People thought it was neat when <a href="http://www.amazon.com/b?node=8037720011">Amazon announced drone delivery</a>. I think many of us don't realize or believe half of the technology headed our way in the next 25 years, particularly with regard to the era of <a href="http://2045.com/articles/29103.html">neo-humanity</a> and the Kurzweilian Singularity. <br /><br />Dmitry Itskov is a young Russian billionaire <a href="https://www.facebook.com/photo.php?fbid=462188620551735&l=956f81c65b">who wants to live forever</a> and create super-human Avatars with fantastic powers. He's already started the <a href="http://2045.com/">2045 Initiative</a> to figure out how to do it by that date. The problems with the idea of "uploading consciousness" into an Avatar are numerous, not the least of which is that <a href="http://www.closertotruth.com/consciousness">we don't even understand consciousness</a>, or agree on what makes it up. So on the one hand it seems reasonable to upload the better-understood chemical/physical properties of memories, since we presumably have a <a href="http://web.mit.edu/newsoffice/2012/conjuring-memories-artificially-0322.html">decent understanding of how neurobiological memory works</a>. <br /><br />But assuming this could happen, you run the risk of creating a powerful psychopath, full of intelligence and immortality, and devoid of compassion, empathy, and other emotion. The <a href="http://2045.com/">2045 Initiative</a> claims that by the time we've given up our human bodies for their Avatar holograms or physical counterparts, war and suffering will no longer be acceptable, and personal spiritual growth will be our main focus. Seems oddly reminiscent of certain mythological deities and demigods to me; has this happened before?<br /><br />The idea of a second body à la Avatar seems ancient. 
Ancient mystics and shamans have talked about extra-bodily states, and throughout time it's been given different names including the spirit-body, the astral-body, and the dream-body, as described in various practices from Buddhism to Yoga to Western Esoterica, achievable through techniques such as meditation, lucid dreaming, or psychedelics. Anyone who has experienced or frequently practices <a href="http://www.lucidity.com/VOLDE.html">lucid dreaming</a> can attest to the profound feeling of an alternate persona, whether they believe it's inherent in the local mind or part of a non-local, greater Jungian collective consciousness.<br /><br />Working in the information security field I am of course interested in the possibilities this new world would bring, although it sounds very much like The Matrix, so one can imagine. We'll hack it to pieces, no doubt.<br /><br />I'm sure I have some incorrect assumptions here with barely a layman's understanding of neuroscience, philosophy, and the mind-body problem, so please chime in. <br /><br /><a href="https://www.facebook.com/photo.php?fbid=462188620551735&set=a.271084349662164.50667.193507870753146&type=1">Post</a> by <a href="https://www.facebook.com/2045Initiative">2045 Initiative</a>.
</div>
<p><a href="https://www.lookout.net/2013/12/who-can-afford-immortality.html">Who can afford immortality?</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on December 07, 2013.</p>
<div class="css-full-post-content js-full-post-content">
The Washington Post has reported that the <a href="http://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html">NSA is tracking location data</a> for millions of mobile devices.<br /><br />"Brad Smith, Microsoft legal counsel, said government snooping was now as much of a security problem as computer viruses and other cyber-attacks."<br /><br /> It seems rather obvious that NSA tracking goals have gone way beyond hunting for terrorists. I believe there's a larger operation at play to understand social attitudes, personal behaviors, and to organize data into demographics as such, including belief-systems of families and communities. This would serve any political power extremely well when devising platforms and propaganda.<br /><br /> I'm combining some of the methodologies being used, with speculative assertions about the true political motivations, and also with the possibilities for population-simulations being run using vast amounts of real information over large spans of time. In some ways, Jaron Lanier points to these possibilities in his book <a href="http://www.amazon.com/Who-Owns-Future-Jaron-Lanier/dp/1451654960">Who Owns the Future</a>.<br /><br /> What do you think? Far out? I don't think so, not in today's information-economy. And certainly thinking ahead, 10 years from now the amount of data collected combined with increased computing power, combined with public apathy, could lead to what Snowden (and others past) warned of "turnkey tyranny".
</div>
<p><a href="https://www.lookout.net/2013/12/are-surveillance-goals-for-political.html">Are Surveillance Goals for Political Control?</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on December 05, 2013.</p>
<div class="css-full-post-content js-full-post-content">
<p>Back in 2001, I was just one of many warning that the PATRIOT Act gave broad authority to track people. This is what I wrote in 2001, Chapter 4 "Legal Threats to Individual Privacy" of a book named Privacy Defended. The writing was on the wall, in plain sight.</p> <blockquote><b>The Patriot Act of 2001</b></blockquote><blockquote>In the wake of the terrorist attacks in the U.S. on September 11, 2001, several U.S. laws have been considered to provide more power to law enforcement to track terrorists and other types of criminals. One law that was signed was the <b>Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act</b> of 2001. This law gives federal investigators broader authority to track phone and Internet activities. While aimed at terrorist activities, the language covers other types of activity as well. </blockquote><blockquote>Civil liberties activists protested the law, which would allow wiretap orders under foreign intelligence rules. The law also allows law enforcers to obtain Internet records under so-called “trap-and-trace” orders. The attacks on the U.S. helped push this law past the privacy concerns of many groups, but a provision in the law states that Congress will review it in two years. Part of the law expands the capabilities of the FBI’s DCS1000 program. ISPs must make their systems more available to the DCS1000 program, although the law does provide for a judge to review the FBI’s Internet wiretaps.</blockquote> <p>To sum up where we're at today in 2013, the US NSA in collaboration with British GCHQ has engaged in wholesale, unrestricted surveillance across the global Internet and telephone companies. And we the taxpayers have funded this. Surveillance has increased exponentially beyond 'suspects' and 'targets' to simply 'everybody'. The equivalent of not only reading and monitoring all activity but storing it presumably for many years. Imagine what someone good could do with all that data! 
Imagine what someone bad could do...</p> <p>It's not unexpected, and in fact we've known this capability was growing. But the tactics should be disturbing because, well, they're attacks. They look like attacks we use in Internet security testing, and attacks we try to defend against. Man in the middle, backdoors, and <a href="http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html">sabotaging national RNG standards</a> deployed across most major software. No ISP is safe, no Facebook, Google, or other provider is safe, no software and no cryptography even seems safe from the capability. But these attacks are more interesting than criminal or nation-state attacks. These attacks are legal... so we the public have already agreed to them, somewhere, somehow, without really knowing... then again there was the Patriot Act. We warned you.</p> <p>In 2001 when I was writing <a href="http://www.amazon.com/Privacy-Defended-Protecting-Yourself-Online/dp/078972605X">Privacy Defended</a>, government surveillance was one of the threats I discussed. At that time, I think most of us who worked in Internet security and privacy expected such surveillance would be rather limited to slices of traffic and data. For example, we knew the FBI had Carnivore, and would show up at an ISP asking to plug in their device and siphon traffic, or else they might just install a hard drive array to mirror traffic and collect it in a month or so. Still, it was thought to be used for targeted investigations into criminal leads, but it was also understood that significant amounts of unrelated and untargeted traffic could potentially be captured.</p> <p>Of course we understand that companies such as Google, Facebook, Microsoft, and Amazon have incredible amounts of data about us. Our habits, content of our email, documents, purchases, etc. But there's a certain level of trust we have with them, and they at least seem a little isolated from each other. 
When the secret FISA court system in the US gives the NSA legal access to their data on demand, the trust breaks down. Are those companies morally or ethically responsible to resist handing over their entire databases to the NSA?</p> <p>And then there are the advertisers. These companies extend their reach in scope similar to how the NSA does. Advertisers can record our activities and information across Internet services, in a way that transcends just one site. Of course they're mostly just trying to track metadata; it's not like advertisers are out there trying to collect all of our private email and financial data, are they? And they certainly don't have access to telephone calls.</p> <p>Morally, it looks pretty bad. If the intelligence community wants unconstrained access to everything that traverses the Internet - business data, financial data, shopping, social, friends, email, and general Web surfing activity... why don't they just come out and ask for it? How could you think such a massive operation would continue growing unnoticed by the general public? Did you think it would be better to beg for forgiveness than to ask permission? Or did you just not even care what the public would think, because the legal framework had already been set up to support it?</p> <p>Effectively, this could get ugly. If nations start creating their own Internet implementations as some are saying, well what a mess we might end up with. If businesses and individuals can't trust our data is safe and secure when we want or need it to be, then our practices... We can clean up this mess, and many of us want to! But only if a majority of people care to recognize the issues. If you're curious to know more just ask someone questions!</p> <p>Leaders of the Internet infrastructure <a href="http://www.icann.org/en/news/announcements/announcement-07oct13-en.htm">recently denounced the USA's global surveillance</a>. 
As it has destroyed trust, these leaders, including ICANN, IANA, W3C, ARIN, APNIC, IETF, and RIPE, have called for distributing Internet governance across nations, rather than keeping most of it in the USA. </p> <p>In a recent Internet Engineering Task Force meeting, <a href="http://t.co/JBBfocl3o9">Jari Arkko gave a nice presentation</a> on this. As we can see, the trust problem runs deep. All the way from the Web applications, down through the operational stack, and down through the tool chain, compilers, and hardware that supports it all.</p> <p>After listening to more and more people discuss this, it leads me to believe that philosophically security isn't just a mere illusion, it's almost a complete waste of time. On the one hand, it's only effective in layers - against layers of attackers. We can stop some general attacks but we could never stop anything so well organized, or coercive, as global surveillance, not to mention something that's already been designed as 'legal' by the authorities. As the saying goes, if someone wants to get in, they'll find a way.</p>
</div>
<p><a href="https://www.lookout.net/2013/10/on-global-surveillance.html">On Global Surveillance</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on October 16, 2013.</p>
<div class="css-full-post-content js-full-post-content">
Oftentimes, I want to break software, mostly Web applications, but occasionally platform-related, such as protocols or OS code. When it comes to testing string input to find bugs, or vulnerabilities, Unicode can be a tester's best friend. Strings are not simple things for software engineers - they require a lot of planning - buffers, encodings, transmission, and storage are just a few concerns.<br /><br />I've had some success over the years finding nasty bugs, things that get critical ratings and require the world to reboot, for which Unicode has often been a useful creative tool. I've leveraged the Unicode specifications for this quite a bit, and learned from past research by other bug hunters. I've also managed to work on a few tools, one being <a href="http://xss.codeplex.com/">x5s, a cross-site scripting tester</a> which was implemented by John Hernandez. Its novelty was in sending various Unicode characters and detecting when they transform into an ASCII equivalent. Character transformations can lead to dangerous scenarios.<br /><br />I also wanted to document more interesting Unicode characters so they could be easily accessible, and pre-defined. Often people ask me, what characters should I use for testing? Which ones flip text around? Which ones cause problems? Which one maps to an apostrophe for SQL injection, or a less-than sign for XSS? To answer these questions, I put everything I knew of (well most of it) into a <a href="https://github.com/cweb/unicode-hax">small utility library, unicode-hax</a>, available on GitHub for your security testing pleasures.<br /><br /><b><u>Major features:</u></b><br /><br /><ul><li>Contains methods to get <b>best fit mappings</b>. For example, you want to know all the characters in various legacy encodings that transform to "<" or some other ASCII character.</li><li>Contains methods to get <b>Unicode normalization mappings</b>. 
For example, you want to know if any special Unicode characters will transform to ">" or some other ASCII character.</li><li>Contains a small set of hard-coded <b>Unicode characters useful in fuzzing</b>, as well as some functions for returning invalid byte sequences or characters that .NET would not allow by itself (because they're not well-formed).<ul><li>ill-formed byte sequences</li><li>Unicode non-characters (an oxymoron?)</li><li>private use area (PUA)</li><li>unassigned code points</li><li>code points with special meaning such as the BOM and RLO</li><li>half-surrogate values like U+DEAD, a very nasty little guy all by itself</li></ul></li></ul><br />I wanted to reduce the number of iterations during fuzzing to a very small group of characters with special meaning which historically cause problems in software.<br /><br />If you have any suggestions for improvement, additions etc., please let me know. Find the code here:<br /><br /><a href="https://github.com/cweb/unicode-hax">https://github.com/cweb/unicode-hax</a><br /><br />Happy bug hunting.
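<p>As an added example (not code from the unicode-hax library or the original post), here is the defender's side of the character classes listed above, in JavaScript: a check that reports which significant ASCII characters NFKC normalization would introduce, checks for lone surrogates and Unicode noncharacters, and the validate-then-normalize ordering bug beside its fix. Best-fit mappings belong to legacy encoders and are not covered; the <code>SIGNIFICANT_ASCII</code> set and the function names are this example's own choices.</p>

```javascript
// Added example, not part of the original post or of unicode-hax.
// Runs in Node.js; only String.prototype.normalize is required.

// ASCII characters whose sudden appearance after a transformation matters
// in HTML, SQL and path contexts. A constructed set for this example.
const SIGNIFICANT_ASCII = new Set(['<', '>', '"', "'", '&', '/', '\\', ';']);

// Significant ASCII characters present in the NFKC form of `input` but
// absent from `input` itself: exactly the characters a validator that runs
// before normalization would never see.
function introducedByNfkc(input) {
  const before = new Set(input);
  const after = input.normalize('NFKC');
  const introduced = new Set();
  for (const ch of after) {
    if (SIGNIFICANT_ASCII.has(ch) && !before.has(ch)) introduced.add(ch);
  }
  return [...introduced].sort();
}

// Unpaired UTF-16 surrogates such as U+DEAD. String iteration yields a lone
// surrogate as a one-unit "character" whose code point is in the surrogate
// range; a proper pair is yielded as one supplementary character.
function hasLoneSurrogate(input) {
  for (const ch of input) {
    const cp = ch.codePointAt(0);
    if (cp >= 0xd800 && cp <= 0xdfff) return true;
  }
  return false;
}

// Unicode noncharacters: U+FDD0..U+FDEF plus the last two code points of
// every plane (U+xxFFFE and U+xxFFFF).
function hasNoncharacter(input) {
  for (const ch of input) {
    const cp = ch.codePointAt(0);
    if ((cp >= 0xfdd0 && cp <= 0xfdef) || (cp & 0xfffe) === 0xfffe) return true;
  }
  return false;
}

// The ordering bug the normalization mappings above find: a check for "<"
// that runs before normalization never sees U+FF1C FULLWIDTH LESS-THAN SIGN,
// which NFKC then turns into a real "<". Returns null on rejection.
function validateThenNormalize(input) {
  if (input.includes('<')) return null;
  return input.normalize('NFKC');
}

// The fix: normalize to the form the application will actually use, and
// validate that form.
function normalizeThenValidate(input) {
  const normalized = input.normalize('NFKC');
  if (normalized.includes('<')) return null;
  return normalized;
}

// A hypothetical input gate combining the checks (this example's own name).
function isAcceptable(input) {
  return (
    !hasLoneSurrogate(input) &&
    !hasNoncharacter(input) &&
    introducedByNfkc(input).length === 0
  );
}

// Constructed sample inputs.
for (const sample of ['plain text', '\uFF1Cb\uFF1E', 'it\uFF07s', '\uDEAD']) {
  console.log(JSON.stringify(sample), {
    introduced: introducedByNfkc(sample),
    loneSurrogate: hasLoneSurrogate(sample),
    nonchar: hasNoncharacter(sample),
    acceptable: isAcceptable(sample),
  });
}
```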
</div>
<p><a href="https://www.lookout.net/2013/01/unicode-security-testing-library.html">Unicode security testing library</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on January 30, 2013.</p>
<div class="css-full-post-content js-full-post-content">
I often get asked by friends and family - how can I keep my personal information online and private at the same time? Is it safe to use Facebook or can some hacker get all my personal info? And even the old - is it safe to shop online - do you buy stuff online Chris? My hunch is that we're not doing enough to help the average person understand how this stuff works, or maybe in fact it's just the opposite, and we're doing too much, confusing the matters through too much complexification.<br /><br />We're at a major crossroads in the human-technical interface (e.g. how people interact and relate to their techie devices and the Web), and could use more <b>philosophers </b>shaping our understanding and future of <b>privacy online</b>. For many years, we've watched and wondered how our personal information was used online, when it was abused, and when it was directly criminalized (e.g. identity theft). We've sought methods to protect our personal email, to stop lurking advertisers from tracking our movements online, and to keep our credit card and government-issued ID numbers safe. <br /><br />With the rise of Webmail systems like Hotmail and Gmail, we started to <b>ponder </b>how all of our personal email communications might be used by the host - were they mining it for data? About what? Products or topics I'm talking about? Relationships I have? What I think about? Some of us would use <b>encryption </b>to keep the prying eyes out, very few of us. Eventually most got used to the idea of using Web-based email, and just stopped wondering about how our personal messages were being analyzed or used. Blogs came along, spreading fast, and we were able to divulge public thoughts as an author, and comment anonymously if we wanted. <br /><br />Social networks arose, and privacy matters grew into something different. Suddenly we had a Facebook or Twitter <b>identity</b>, and our public comments, thoughts, and private email were all tied to it. 
What's more, this identity became a staple across the Web, so that each site we browsed or application we used could link us back to it whether or not we wanted it. The proliferation of the <b>Social-Web</b> was documenting the thoughts of billions of people, just like millions of memories being stored in the <b>brain</b>. <br /><br />Now the Web is growing into a <b>meta-consciousness</b>, ugly and crude in ways, but it seems to be happening. <br /><br />Laws have scrambled to understand and establish rules and rights of privacy, often falling short. Encrypting private data was one solution but was inaccessible to the masses who couldn't grasp the how or why of encryption. Maybe the traditional models of privacy won't work, maybe we need to be thinking about privacy-plasticity.<br /><br />Maybe the future of privacy lies in my having more individual control over who can have what information - no more of this ad network tracking business unbeknownst to the average Web citizen. A true privacy looking glass that enables viewing who has what data about me, with the capability for me to delete it from their records with a single click. Or maybe online privacy concerns will give way to the greater good - "the more we know each other's personal secrets the better we can all become". After all, that's a betterment Carl Jung was sort of attempting with deep explorations into the private subconscious mind - an area that's private even to our own personality. Or maybe governments will demand that all private information be available to them, which we've seen before in various forms of legislation. <br /><br />There's a lot of "<b>maybe's</b>" here and I'm betting that to answer them we need <b>less engineering</b>, <b>less legal compliance</b>, and <b>more humanism and philosophy</b>.
</div>
<p><a href="https://www.lookout.net/2013/01/privacy-in-web-of-meta-consciousness.html">Privacy in a Web of meta-consciousness</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on January 25, 2013.</p>
<div class="css-full-post-content js-full-post-content">
URLs are a cornerstone protocol of the Internet and the Web, but they are often misunderstood, occasionally abused, and quite often manipulated during security testing. I've put up some <a href="http://www.lookout.net/test/url/">Web pages to test URL parsing</a> including one that works in a more live-view sort of way. I've also compiled over 500 <a href="https://github.com/cweb/url-testing/blob/master/urls.json">test cases</a> into JSON format from a number of sources including <a class="g-profile" href="http://plus.google.com/102907710238326025954" target="_blank">+WebKit</a>, <a class="g-profile" href="http://plus.google.com/107651864577259151853" target="_blank">+Julian Reschke</a>, and <a class="g-profile" href="http://plus.google.com/100610951871586794452" target="_blank">+Eduardo Vela</a>, as well as myself, which were improved by <a class="g-profile" href="http://plus.google.com/111991826926222544385" target="_blank">+Michael Smith</a> and <a class="g-profile" href="http://plus.google.com/112284435661490019880" target="_blank">+Anne van Kesteren</a>. <br /><br />URLs have been a <a href="http://lists.w3.org/Archives/Public/uri/2012Oct/">hot topic</a> for quite a while, and as a co-chair of the IETF's <a href="http://tools.ietf.org/wg/iri/">IRI Working Group</a>, I witnessed some of the conversations around the specs. The Internationalized Resource Identifier specifications were intended to define how the <a href="http://tools.ietf.org/html/rfc3986">RFC 3986 URIs</a> could be made to include Unicode primarily, as well as other character encodings for legacy purposes.<br /><br />The URL test page at <a href="http://www.lookout.net/test/url/">http://www.lookout.net/test/url/</a> includes a few links, and the code and test cases can be found at <a href="https://github.com/cweb/url-testing">https://github.com/cweb/url-testing</a>.<br /><br />1. 
<a href="http://www.lookout.net/test/url/url-liveview.html">A URL Live Viewer</a><br />A page that dynamically displays URL components as parsed by the browser's DOM, and by the URL.js prototype implementation. The live view idea came from <a class="g-profile" href="http://plus.google.com/112284435661490019880" target="_blank">+Anne van Kesteren</a>'s live URL DOM viewer page, which I lost the link to. <br /><br />2. <a href="http://www.lookout.net/test/url/url-runner.html">A URL test runner</a><br />A page that runs <a href="https://github.com/cweb/url-testing/blob/master/urls.json">500+ URL test cases</a> through the testharness.js hosted by W3C.<br /><br />3. Test URL parsing in DOM versus HTTP GET requests<br /><div>Run all tests from urls-local.json using testharness.js to compare the Web browser's DOM properties with the resultant HTTP request's path and hostname parts. The value of this test scenario is that we can compare the results of the HTTP GET against the browser's DOM properties to detect when URL components differ between the two.</div><div>This test is more complicated because it has the following server-side <strong>requirements</strong>:</div><ul><li><strong>mod_rewrite</strong> configured to proxy all requests for a pre-determined hostname pattern:</li></ul><pre><code># Redirect everything that includes urltest.lookout.net in the hostname for URL testing<br />RewriteCond %{HTTP_HOST} ^.*urltest\.lookout\.net$ [NC]<br />RewriteRule ^.*$ /cgi-bin/httpreq.pl<br /></code></pre><div>With the above RewriteCond, each test case must point to a URL that includes urltest.lookout.net in the hostname. The RewriteRule will send the request to /cgi-bin/httpreq.pl, a CGI Perl script which will return the HTTP GET request's Host header value and GET path. These values are returned as JavaScript variables to be used in evaluating how the URL was parsed. For example, the following HTTP request:</div><pre><code>GET /foo/bar HTTP/1.1<br />Host: foo.urltest.lookout.net<br /></code></pre><div>would return:</div><pre><code>var pathname = "/foo/bar"<br />var hostname = "foo.urltest.lookout.net"<br /></code></pre><ul><li><strong>DNS wildcard</strong> record for the host. For this to work, the DNS must be set up with a wildcard <strong>A</strong> record so that requests to *.lookout.net all resolve to the same IP address.</li></ul><br />
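<p>An added example, not from the url-testing repository or the original post: a Node.js stand-in for the DOM-versus-request comparison described above. The WHATWG <code>URL</code> class plays the browser's DOM parser, and a deliberately naive regex parser plays the second implementation (an ad-hoc server-side check) whose view of hostname and path can disagree with it. The test cases and their expected values are constructed for this example and do not follow the urls.json schema; it assumes Node.js with the global <code>URL</code> class.</p>

```javascript
// Added example, not part of the original post or of cweb/url-testing.
// Runs under Node.js (global WHATWG URL class, no dependencies).

// Constructed cases in a simplified shape (not the urls.json schema): the
// input plus the hostname and pathname a WHATWG-conformant parser yields.
const TEST_CASES = [
  { input: 'http://example.com/ok', hostname: 'example.com', pathname: '/ok' },
  // default port dropped, dot segments resolved
  { input: 'http://example.com:80/a/../b', hostname: 'example.com', pathname: '/b' },
  // backslash ends the authority and acts as a path separator for http
  { input: 'http://example.com\\foo\\bar', hostname: 'example.com', pathname: '/foo/bar' },
  // percent-encoded dot segment is still a dot segment
  { input: 'http://example.com/%2e%2e/x', hostname: 'example.com', pathname: '/x' },
  // ASCII tab in the input is stripped before parsing
  { input: 'http://exa\tmple.com/p', hostname: 'example.com', pathname: '/p' },
  // everything before "@" is userinfo, not the host
  { input: 'http://example.com@evil.example/q', hostname: 'evil.example', pathname: '/q' },
  // hex and short IPv4 forms are canonicalized
  { input: 'http://0x7f.1/r', hostname: '127.0.0.1', pathname: '/r' },
  // space in the path is percent-encoded
  { input: 'http://example.com/a b', hostname: 'example.com', pathname: '/a%20b' },
];

// What the browser's DOM (location, an anchor element) would report.
function domParse(input) {
  const u = new URL(input);
  return { hostname: u.hostname, pathname: u.pathname };
}

// A naive "authority is everything up to the first slash" parser of the
// kind found in hand-rolled allow-list checks. It is wrong on purpose.
function naiveParse(input) {
  const m = /^[a-z]+:\/\/([^/]*)(\/.*)?$/i.exec(input);
  if (!m) return null;
  const authority = m[1];
  const colon = authority.lastIndexOf(':');
  const hostname = (colon === -1 ? authority : authority.slice(0, colon)).toLowerCase();
  return { hostname, pathname: m[2] || '/' };
}

// For each case: does the DOM-style parse match the expected values, and on
// which components does the naive parser disagree with it?
function runCases(cases) {
  return cases.map((c) => {
    const dom = domParse(c.input);
    const naive = naiveParse(c.input);
    const differing = ['hostname', 'pathname'].filter(
      (part) => !naive || naive[part] !== dom[part],
    );
    return {
      input: c.input,
      expectedOk: dom.hostname === c.hostname && dom.pathname === c.pathname,
      differing,
    };
  });
}

// Harness-style summary: conformance failures of the DOM-style parser, and
// the inputs on which the two parsers see different components.
function summarize(results) {
  return {
    conformanceFailures: results.filter((r) => !r.expectedOk).map((r) => r.input),
    parserDisagreements: results.filter((r) => r.differing.length > 0).map((r) => r.input),
  };
}

console.log(JSON.stringify(summarize(runCases(TEST_CASES)), null, 2));
```

Every disagreement the summary lists is a URL that a server-side check and the browser would attribute to different hosts or paths, which is the condition the DOM-versus-request harness above exists to catch.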
</div>
<div class="css-full-comments-content js-full-comments-content">
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://www.blogger.com/profile/17419730572984706346">
<div class="css-comment-name js-comment-name">
Michael(tm) Smith
</div>
</a>
<div class="css-comment-date js-comment-date">
2013-01-14T06:16:42.496Z
</div>
</div>
<div class="css-comment-content js-comment-content">
http://www.lookout.net/test/url/test-url.html for "A URL Live Viewer" is 404. I guess you want that to be http://www.lookout.net/test/url/url-liveview.html<br /><br />By the way, great stuff man :)
</div>
<br/>
</div>
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://getfiddler.com/">
<div class="css-comment-name js-comment-name">
Eric Lawrence
</div>
</a>
<div class="css-comment-date js-comment-date">
2013-01-14T22:41:27.921Z
</div>
</div>
<div class="css-comment-content js-comment-content">
If only there was some tool that could watch all of the network requests without regard to the client or server technology. Some sort of "proxy" maybe? Of course, it would need to be scriptable or extensible to enable injection of the desired logic. Ideally it would be based on a technology which you/Casaba has experience with? Hrm... I bet you get where I'm going with this. :-)
</div>
<br/>
</div>
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://www.blogger.com/profile/13379556110278063970">
<div class="css-comment-name js-comment-name">
Chris Weber
</div>
</a>
<div class="css-comment-date js-comment-date">
2013-01-14T22:51:39.475Z
</div>
</div>
<div class="css-comment-content js-comment-content">
Bah, that's what I get for cramming in site changes and a blog post before bedtime, thanks for the report :-)
</div>
<br/>
</div>
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://www.blogger.com/profile/13379556110278063970">
<div class="css-comment-name js-comment-name">
Chris Weber
</div>
</a>
<div class="css-comment-date js-comment-date">
2013-01-14T23:09:19.813Z
</div>
</div>
<div class="css-comment-content js-comment-content">
Hmmm what on Earth could you be talking about? :-P At one point I was using Fiddler for this! And it filled the need perfectly well in my personal lab, I even found some interesting bugs. Currently I want the testing to be a server-side solution - it could be done easily with an IIS HTTP module, but I'm running Apache and thinking mod_rewrite or an Apache module would be required.
</div>
<br/>
</div>
</div>
<p><a href="https://www.lookout.net/2013/01/url-testing.html">URL Testing</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on January 14, 2013.</p>https://www.lookout.net/2012/04/generating-confusable-lookalike-strings2012-04-05T00:43:00-07:002012-04-05T00:43:00-07:00Chris Weberhttps://www.lookout.netcweb@protonmail.com<div class="css-full-post-content js-full-post-content">
<p>The Unicode Consortium released a <a href="http://unicode.org/cldr/utility/confusables.jsp">utility to generate confusable strings</a> quite a while ago. Since I've seen people trying to create similar tools themselves recently, I thought it might be worth mentioning.</p> <p>In case you haven't received the memo about confusables, also known as homoglyphs, lookalikes, and spoofs - they are characters that visually resemble or are indistinguishable from another character. You can read more about it <a href="http://web.lookout.net/search/label/confusables">here</a> or virtually any other place on the Web by searching for some of these terms. For example the following two characters are visually similar and confusing:</p> <p>FF21 ; 0041 ; SA # ( A → A ) FULLWIDTH LATIN CAPITAL LETTER A → LATIN CAPITAL LETTER A</p> <p>Sometimes during penetration testing, we want to bypass profanity filters, spoof URLs, spoof email addresses, or perform other tasks. Being able to generate lookalike strings can be quite useful in these cases, but of course is not the only method required. If you require such capability, then go check out the Unicode Consortium's utility at <a href="http://unicode.org/cldr/utility/confusables.jsp">http://unicode.org/cldr/utility/confusables.jsp</a>, but please don't share this link with the bad guys.</p>
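<p>The FF21 ; 0041 line above is one record in the format of the Unicode confusables data file (confusables.txt): source code point(s), target code point(s), a type tag, and a comment. As an added example, which is neither part of the original post nor the Unicode Consortium's utility, the following Python parses a few constructed records in that format and implements the skeleton comparison from UTS #39: two strings are confusable when their skeletons are identical. That is the check a defender runs when a new username or domain is registered, to catch a lookalike of an existing one. CONFUSABLES_TXT is a constructed excerpt (the real file is far larger), and the function names are assumptions.</p>

```python
import unicodedata

# Constructed excerpt in the confusables.txt record format (not the real file):
#   source ; target ; type # ( source → target ) SOURCE NAME → TARGET NAME
CONFUSABLES_TXT = """\
# constructed excerpt, same layout as unicode.org's confusables.txt
FF21 ; 0041 ; SA # ( Ａ → A ) FULLWIDTH LATIN CAPITAL LETTER A → LATIN CAPITAL LETTER A
0430 ; 0061 ; MA # ( а → a ) CYRILLIC SMALL LETTER A → LATIN SMALL LETTER A
0435 ; 0065 ; MA # ( е → e ) CYRILLIC SMALL LETTER IE → LATIN SMALL LETTER E
043E ; 006F ; MA # ( о → o ) CYRILLIC SMALL LETTER O → LATIN SMALL LETTER O
0440 ; 0070 ; MA # ( р → p ) CYRILLIC SMALL LETTER ER → LATIN SMALL LETTER P
0049 ; 006C ; MA # ( I → l ) LATIN CAPITAL LETTER I → LATIN SMALL LETTER L
2167 ; 0056 0049 0049 0049 ; MA # ( Ⅷ → VIII ) ROMAN NUMERAL EIGHT → V I I I
"""

def parse_confusables(text):
    """Parse confusables.txt records into {source_string: target_string}.

    Fields are ';'-separated lists of hex code points; everything after '#'
    is a comment. Targets may be several code points, so both sides are
    joined into strings.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            continue
        source = "".join(chr(int(cp, 16)) for cp in fields[0].split())
        target = "".join(chr(int(cp, 16)) for cp in fields[1].split())
        table[source] = target
    return table

TABLE = parse_confusables(CONFUSABLES_TXT)

def skeleton(s, table=TABLE):
    """UTS #39 skeleton: NFD, map each character through the table, NFD again."""
    nfd = unicodedata.normalize("NFD", s)
    mapped = "".join(table.get(ch, ch) for ch in nfd)
    return unicodedata.normalize("NFD", mapped)

def confusable(a, b, table=TABLE):
    """Two strings are confusable when their skeletons are identical."""
    return skeleton(a, table) == skeleton(b, table)

def find_lookalikes(candidate, known_names, table=TABLE):
    """Known names (reserved usernames, brand domains) that a new candidate
    would be confusable with; an empty list means it is clear."""
    sk = skeleton(candidate, table)
    return [name for name in known_names if skeleton(name, table) == sk]

if __name__ == "__main__":
    for word in ("\uFF21pple", "p\u0430yp\u0430l", "PayPaI"):
        print(repr(word), "->", repr(skeleton(word)))
```

<p>The NFD step matters even with an empty table: a precomposed Å and A followed by a combining ring already share a skeleton. With the real data file substituted for the constructed excerpt, the same three functions give a full UTS #39 skeleton check.</p>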
</div>
<p><a href="https://www.lookout.net/2012/04/generating-confusable-lookalike-strings.html">Generating confusable, lookalike strings</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on April 05, 2012.</p>https://www.lookout.net/2012/03/unicode-normalization-in-urls2012-03-17T19:22:00-07:002012-03-17T19:22:00-07:00Chris Weberhttps://www.lookout.netcweb@protonmail.com<div class="css-full-post-content js-full-post-content">
<p>In some contexts, normalizing a string means upper or lower-casing it. In Unicode "<a href="http://www.unicode.org/reports/tr15/">normalization</a>" means something quite different. The Unicode standard offers four "normalization" forms which irreversibly transform a given character or sequence of characters according to either a simple mapping rule, or a more complex algorithmic rule. Since browser interoperability depends on each browser processing a URL the same as the next, I thought testing some of the more popular browsers might be a good idea. </p> <h2>Why should you care?</h2><p>If you're a Web developer using Unicode anywhere in your URLs, then you're probably concerned when those URLs get handled differently in various Web browsers. If you're a penetration tester, you probably like to find quirky ways that URLs get transformed.</p> <h2>Test Setup</h2><p>To test Unicode normalization I used some of the character sequences from <a href="http://www.unicode.org/reports/tr15">Unicode Standard Annex 15 "Unicode Normalization Forms"</a> and others from RFC3197. From TR15 I looked at a Singleton from Figure 3 - U+212B which normalizes to U+00C5 Å under NFC, and U+0041 U+030A Å under NFD. I also looked at multiple combining marks from Figure 5, U+10EB U+0323 ძ̣, and the sequence U+1E9B U+0323 ẛ̣ from Figure 6 Compatibility Composites. Through those few tests we can test for each of the four normalization forms, and see NFC being applied in Safari and Chrome (in different ways), and rule out NFD, NFKC, and NFKD. </p> <h2>Test Results</h2> <p>I was hoping to find some security bugs, but only found interoperability bugs. That doesn't mean security bugs don't exist here. As if URLs weren't tricky enough with plain old ASCII, handling Unicode characters makes them even more open to interpretation. 
For example, an Internationalized Resource Identifier (IRI) with a path, query, and fragment containing U+212B <span class="code">#Å</span> means code point U+212B to IE, Firefox, and Opera, but it means U+00C5 <span class="code">#Å</span> to Chrome (in the fragment only), and U+00C5 percent-encoded <span class="code">#%C3%85</span> to Safari (in the path, query, and fragment). </p> <p>These types of character transformations make for ripe targets in security testing, but only when the resulting character has some practical use such as bypassing an XSS or SQL injection filter. When a certain input X transforms to become Y, an attacker has more opportunity to slip a malicious link or XSS payload past an unsuspecting defensive filter. In testing how Web browsers normalize Unicode across a URL's or IRI's components, I made the following observations.</p> <ol><li>Safari applies NFC normalization to the path, query, and fragment.</li><li>Chrome applies NFC normalization to the fragment only.</li><li>MSIE, Firefox, and Opera do not apply normalization anywhere.</li><li>MSIE violates RFC 3986 by sending raw, unescaped UTF-8 bytes in the query during an HTTP request.</li><li>Chrome, Safari, Firefox, and Opera all send percent-encoded UTF-8 in the path and query during an HTTP request.</li><li>Safari percent-encodes the fragment.</li></ol> <p>Firefox and Opera seem to be the only two that agree in all tests, Chrome is a little odd with the fragment, and Safari is the odd one out across the entire URL. IE is the only browser that sends raw UTF-8 encoded bytes out on the wire (in the query component only), but I think that <a href="http://tools.ietf.org/html/rfc3986#section-3.4">RFC 3986 allows for that anyway</a>. </p>
<p>My conclusions were based on reviewing the following:</p><ol><li>The DOM property values for the anchor element, which included an individual test case.</li><li>The raw HTTP GET request (for the img) as sniffed off the wire using winpcap, triggered by a test case using the img element.</li></ol> <p>The spreadsheet below includes a table of results observed from the <a href="http://www.lookout.net/test/iri/normalize.php">test cases</a>, and can also be <a href="https://docs.google.com/spreadsheet/pub?hl=en_US&key=0At1OFOiVqCrvdFo3aFc1elhXS2pnVkpxOFZORjQ1cUE&hl=en_US&gid=4">opened in a separate window</a>.</p> <iframe width='800' height='800' frameborder='0' src='https://docs.google.com/spreadsheet/pub?key=0At1OFOiVqCrvdFo3aFc1elhXS2pnVkpxOFZORjQ1cUE&output=html&gid=4&widget=true'></iframe>
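<p>To make the four forms concrete for the exact sequences used in the test setup, the following Python (an added example, not the post's PHP test page) runs each of them through NFC, NFD, NFKC and NFKD with the standard library's unicodedata module and reports the resulting code points. It then shows the two consequences a server sees: the percent-encoded UTF-8 of the NFC result is the #%C3%85 form Safari sends, while the other browsers send the un-normalized U+212B, so a server that compares or filters fragments without first decoding and normalizing to one form treats the same character as several different inputs. Function names are assumptions of this example.</p>

```python
import unicodedata
from urllib.parse import quote, unquote

FORMS = ("NFC", "NFD", "NFKC", "NFKD")

# The three sequences the post tested (from the UAX #15 figures), as code points.
TEST_SEQUENCES = {
    "singleton U+212B": "\u212B",
    "multiple combining marks U+10EB U+0323": "\u10EB\u0323",
    "compatibility composite U+1E9B U+0323": "\u1E9B\u0323",
}

def codepoints(s):
    """Render a string as space-separated U+XXXX notation."""
    return " ".join("U+%04X" % ord(c) for c in s)

def normalize_all(s):
    """Return {form: code points of the normalized string} for all four forms."""
    return {f: codepoints(unicodedata.normalize(f, s)) for f in FORMS}

def percent_encode_utf8(s, form=None):
    """What goes on the wire: UTF-8 bytes, percent-encoded.

    Safari normalizes to NFC before encoding (per the post's observations);
    pass form="NFC" to mimic that, or leave it unset for the other browsers.
    """
    if form:
        s = unicodedata.normalize(form, s)
    return quote(s, safe="")

def canonical_fragment(raw_fragment):
    """Server-side canonicalization before any comparison or filtering:
    percent-decode as UTF-8, then NFC, so that U+212B, U+00C5 and %C3%85
    all compare equal regardless of which browser produced them."""
    decoded = unquote(raw_fragment, encoding="utf-8", errors="strict")
    return unicodedata.normalize("NFC", decoded)

if __name__ == "__main__":
    for label, seq in TEST_SEQUENCES.items():
        print(label)
        for form, cps in normalize_all(seq).items():
            print("  %-4s %s" % (form, cps))
    print("Safari-style fragment:", percent_encode_utf8("\u212B", "NFC"))
    print("raw U+212B on the wire:", percent_encode_utf8("\u212B"))
```

<p>The U+1E9B U+0323 case is the instructive one: NFC and NFD keep the long s while NFKC folds the whole sequence to the single code point U+1E69, so a filter written against one form will not match text normalized under another.</p>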
</div>
<div class="css-full-comments-content js-full-comments-content">
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://www.julian-reschke.de/">
<div class="css-comment-name js-comment-name">
reschke
</div>
</a>
<div class="css-comment-date js-comment-date">
2012-03-18T09:02:08.230Z
</div>
</div>
<div class="css-comment-content js-comment-content">
Good stuff.<br /><br />But what makes you think that having non-ASCII characters in the query part (IE) is allowed per RFC 3986?
</div>
<br/>
</div>
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://www.blogger.com/profile/13379556110278063970">
<div class="css-comment-name js-comment-name">
Chris Weber
</div>
</a>
<div class="css-comment-date js-comment-date">
2012-03-18T16:59:46.554Z
</div>
</div>
<div class="css-comment-content js-comment-content">
I'm glad you asked - because after re-reading I think my interpretation of this clause was incorrect:<br /><br />"However, as query components<br /> are often used to carry identifying information in the form of<br /> "key=value" pairs and one frequently used value is a reference to<br /> another URI, it is sometimes better for usability to avoid percent-<br /> encoding those characters."<br /><br />So then, does "those characters" refer only to slash ("/") and question mark ("?") only?
</div>
<br/>
</div>
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://www.julian-reschke.de/">
<div class="css-comment-name js-comment-name">
reschke
</div>
</a>
<div class="css-comment-date js-comment-date">
2012-03-19T09:40:44.552Z
</div>
</div>
<div class="css-comment-content js-comment-content">
> So then, does "those characters" refer only to slash ("/") and question mark ("?") only?<br /><br />Yes, that seems to be the case.
</div>
<br/>
</div>
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://www.blogger.com/profile/05060120882054416919">
<div class="css-comment-name js-comment-name">
whit537
</div>
</a>
<div class="css-comment-date js-comment-date">
2012-04-12T18:28:55.351Z
</div>
</div>
<div class="css-comment-content js-comment-content">
Yeah, here's the BNF (collated from RFCs 3986 and 2234):<br /><br />query = *( pchar / "/" / "?" )<br />pchar = unreserved / pct-encoded / sub-delims / ":" / "@"<br />unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"<br />ALPHA = %x41-5A / %x61-7A ; A-Z / a-z<br />DIGIT = %x30-39 ; 0-9<br />pct-encoded = "%" HEXDIG HEXDIG<br />HEXDIG = DIGIT / "A" / "B" / "C" / "D" / "E" / "F"<br />sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="<br /><br />Looks like MSIE's querystring handling is a spec violation after all. I was worried there for a second.
</div>
<br/>
</div>
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://www.blogger.com/profile/05060120882054416919">
<div class="css-comment-name js-comment-name">
whit537
</div>
</a>
<div class="css-comment-date js-comment-date">
2012-04-12T18:42:02.904Z
</div>
</div>
<div class="css-comment-content js-comment-content">
Maybe update the post/spreadsheet to reflect this?<br /><br />Also, what does the red/green color-coding indicate in Table 1? (It doesn't correlate with No/Yes, for example.)
</div>
<br/>
</div>
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://www.blogger.com/profile/13379556110278063970">
<div class="css-comment-name js-comment-name">
Chris Weber
</div>
</a>
<div class="css-comment-date js-comment-date">
2012-04-12T21:14:48.581Z
</div>
</div>
<div class="css-comment-content js-comment-content">
Thanks for the analysis whit537. I've modified the test results section to call out that IE violates RFC 3986. I imagine this has been well known for many years but still it may become more important to understand over time as we move to a more Internationalized Web.<br /><br />The red/green is just a loose way of calling out areas that I felt might be problematic or in the minority.
</div>
<br/>
</div>
<div class="css-full-comment js-full-comment">
<div class="css-comment-user-link js-comment-user-link">
<a href="http://www.blogger.com/profile/07280094583092548929">
<div class="css-comment-name js-comment-name">
Kelly Jones
</div>
</a>
<div class="css-comment-date js-comment-date">
2013-06-03T12:55:58.084Z
</div>
</div>
<div class="css-comment-content js-comment-content">
Thanks for sharing this information...great help!!!<br /><br />For <a href="http://techasta.com/" rel="nofollow"> Online Tech Support</a>,please follow the link<br /><br />Best Regards<br />Kelly
</div>
<br/>
</div>
</div>
<p><a href="https://www.lookout.net/2012/03/unicode-normalization-in-urls.html">Unicode Normalization in URLs</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on March 17, 2012.</p>https://www.lookout.net/2012/02/testing-charset-encoding-support-in-web2012-02-13T17:09:00-08:002012-02-13T17:09:00-08:00Chris Weberhttps://www.lookout.netcweb@protonmail.com<div class="css-full-post-content js-full-post-content">
Note: To jump straight to the test page, click here <a href="http://www.lookout.net/test/charsets/iana-charset-support/">http://www.lookout.net/test/charsets/ascii-unsafe/</a><br /><br />Web browsers support a variety of character set encodings mostly for legacy reasons and backwards compatibility. After all, UTF-8 and a handful of other encodings today are capable of representing all of the characters that were once relegated to a wide assortment of character encodings. It's clearly evident from Google's February 2012 report that UTF-8 is dominating the Web, with <a href="http://googleblog.blogspot.com/2012/02/unicode-over-60-percent-of-web.html">60% of Web documents using UTF-8</a> - and that number is rising as other legacy character encodings are declining in use. <br /><br />Those of us who test Web application security are often concerned with character encodings in our attempts to manipulate string input in ways that would eventually lead to mayhem. For that reason it's good to know a bit not just about which encodings the server-side components support, but also which ones the Web browser supports. I've documented the results of <a href="http://www.lookout.net/test/charsets/iana-charset-support/">testing character set support in Web browsers</a> in the table below, along with a brief summary. <br /><h2>Test Results</h2>The following table, which can also be <a href="https://docs.google.com/spreadsheet/pub?hl=en_US&hl=en_US&key=0At1OFOiVqCrvdFo3aFc1elhXS2pnVkpxOFZORjQ1cUE&single=true&gid=2&output=html">opened in a new window</a>, lists all of the supported charset encodings in each Web browser tested on a Windows 7 and Ubuntu 11.10 OS where possible. Testing was only concerned with <a href="http://www.iana.org/assignments/character-sets">IANA's official list of character set names</a> that may be used on the Internet. <br /><br /><h3>Default Fallback Encoding</h3>Most browsers use UTF-8 as the default fallback encoding. 
However, Safari, and Chrome on Ubuntu, fell back to ISO-8859-1 when an unrecognized charset label, such as "freshies", was tested. <br /><br /><h3>Supported charset labels</h3>The results also show all supported character set labels per browser, in a comma-separated form of <span style="color: green; font-family: 'Bitstream Vera Sans Mono', 'Andale Mono', 'Lucida Console', monospace, fixed; word-spacing: 2px;">named_charset</span><span class="framecharset" style="color: grey; font-family: 'Bitstream Vera Sans Mono', 'Andale Mono', 'Lucida Console', monospace, fixed; margin-bottom: 2px; margin-left: 2px; margin-right: 2px; margin-top: 2px; padding-bottom: 2px; padding-left: 2px; padding-right: 2px; padding-top: 2px; word-spacing: 2px;">,interpreted_charset</span> where the named_charset was the test case and the interpreted_charset was what the Web browser's <span class="code">contentDocument.charset</span> property returned. Using <span style="color: green; font-family: 'Bitstream Vera Sans Mono', 'Andale Mono', 'Lucida Console', monospace, fixed; word-spacing: 2px;">iso-ir-144</span><span class="framecharset" style="color: grey; font-family: 'Bitstream Vera Sans Mono', 'Andale Mono', 'Lucida Console', monospace, fixed; margin-bottom: 2px; margin-left: 2px; margin-right: 2px; margin-top: 2px; padding-bottom: 2px; padding-left: 2px; padding-right: 2px; padding-top: 2px; word-spacing: 2px;">,ISO-8859-5</span> as an example - the test returned a document with the HTTP Content-Type set to iso-ir-144. Then the <span class="code">contentDocument.charset</span> property was checked and found to be ISO-8859-5. 
Since the two were aliases for one another the test was considered a pass, meaning the charset label was supported by the browser.<br /><br /><h3>Charset labels that fall back to a non-equivalent IANA alias</h3>If the <span class="code">contentDocument.charset</span> returned a value that was not an equivalent charset alias for the test case (according to IANA's list) then it was deemed a failed test case. Often, however, the interpreted_charset was in fact an equivalent, or superset, encoding, even though it was not listed as such by IANA. In some barely interesting cases a vendor-specific charset label could be found this way, such as <span class="code">unicodeFEFF</span> which seems to only be used by Internet Explorer.<br /><br /><br /><iframe src="https://docs.google.com/spreadsheet/pub?hl=en_US&hl=en_US&key=0At1OFOiVqCrvdFo3aFc1elhXS2pnVkpxOFZORjQ1cUE&single=true&gid=2&output=html&widget=true" style="border: 0px; height: 800px; width: 100%;"></iframe>
</div>
<p><a href="https://www.lookout.net/2012/02/testing-charset-encoding-support-in-web.html">Testing charset encoding support in Web Browsers</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on February 13, 2012.</p>https://www.lookout.net/2012/02/testing-ascii-unsafe-encodings-in-web2012-02-06T16:00:00-08:002012-02-06T16:00:00-08:00Chris Weberhttps://www.lookout.netcweb@protonmail.com<div class="css-full-post-content js-full-post-content">
Note: To jump straight to the test page, click here <a href="http://lookout.net/test/charsets/ascii-unsafe/">http://lookout.net/test/charsets/ascii-unsafe/</a><br /><br />[UPDATE: Some <a href="https://plus.google.com/102891963682045703790/posts/TvKKdF4hstD">feedback </a>from Anne van Kesteren pointed to the fact that all browsers do support HZ-GB-2312, even though the test results showed IE and Firefox did not. The direct URL for that particular encoding test is <a href="http://lookout.net/test/charsets/ascii-unsafe/charset.php?alias=HZ-GB-2312">http://lookout.net/test/charsets/ascii-unsafe/charset.php?alias=HZ-GB-2312</a>. Looking closer it seems the ICU transcoding added a two-byte preamble to the string, which is 0x7E 0x7D, or '~}'. I'm not very familiar with HZ-GB-2312 but a quick look at RFC 1843 tells me that this two-byte sequence switches the context from GB-mode to ASCII-mode. So it seems that Firefox and IE do not recognize this mode-switching byte-sequence, or at least not in this context.] <br /><br />Web browsers support a variety of character set encodings which could be broadly categorized as either ASCII-safe [1] or ASCII-unsafe [2]. The goal of this test was to identify which ASCII-unsafe character encodings were supported by each Web browser.<br /><br />String encodings play an important role in testing Web applications for security vulnerabilities. If I can control some input's encoding then I will manipulate it in ways that might confuse a parsing process or bypass a defensive filter. To use a common example - imagine you input a string somewhere that includes the U+003E GREATER-THAN SIGN '>' in a meager attempt at cross-site scripting. An XSS filter consumes the input as UTF-8 (which is ASCII-safe) and immediately recognizes the 0x3E byte sequences as something naughty, at which point it throws back an error message. Since you realize that a query string parameter (e.g. 
&charset=utf-8) controls the page's output encoding you change the charset parameter's value to 'cp037' and encode the input string accordingly. In the cp037 encoding, the '>' character is represented with the byte 0x6E, which in ASCII would be the 'n' character, two completely different characters. The character slips by the filter which assumes it was encoded as UTF-8, and makes its way on to the destination. The reason for the confusion was that the two encodings cp-037 and UTF-8 (ASCII-safe) are not compatible.<br /><br /><h2>How the testing was set up</h2>The <a href="http://lookout.net/test/charsets/ascii-unsafe/">test page</a> attempts to identify which ASCII-unsafe charsets a Web browser supports by loading a string encoded in each charset, and testing if the browser decoded it as expected. The page uses XMLHttpRequest to fetch each string from the server, which returns the string in an HTTP response that includes the Content-Type header, and the corresponding charset label for the test case. The test page then decodes the string according to the charset label, and tests it for equivalence with the following static control string.<br /><br /><pre> $%'()*+,-./<>:;=</pre><br />There are some potential pitfalls to this approach. The most obvious being that the browser may not officially support the given charset encoding under test, but it instead may be applying some intelligence (e.g. sniffing) to the string to try and figure out what its encoding could be. For example, many of the ASCII-unsafe encodings share similar ranges of characters, where the '>' may actually be represented with byte 0x6E in all of them. So if you were to test using only a single character you might end up with false positives if the browser was sniffing and decided that the encoding was 'cp237' instead of the 'cp037'. Although these are both variants of EBCDIC, there are some differences. 
So the test ended up using a string of many characters, which still doesn't totally solve the challenge. However, it works okay and produces decent results. <br /><br />Because the testing uses the <a href="http://userguide.icu-project.org/conversion/converters">ICU project</a> to build the test strings, it's limited to only the character set tables that ICU includes. That's quite a lot mind you, but some other interesting <a href="http://unicode.org/Public/MAPPINGS/VENDORS/">variants and oddities</a> might not be included.<br /><br /><br /><h3>Transcoding the test string</h3>The test string shown above uses 17 characters with familiar names - this string gets transcoded into 417 different character set encodings (the recurring 17 is just coincidence, I think). Because most of the 417 labels are just aliases for a superset, they can be further grouped into a much smaller set of around 17 (just kidding) encodings. <br /><br />The <a href="http://userguide.icu-project.org/conversion/converters">ICU project's Converter API</a> was used to perform the transcoding. ICU also provided all of the <a href="http://demo.icu-project.org/icu-bin/convexp?">charset aliases/labels</a> used for testing. The code for transcoding is <a href="https://github.com/cweb/web-charset-tests/blob/master/src/transcode/transcode.c">available on github</a> for the curious. <br /><br /><h2>Test Results</h2>The following table, which can also be <a href="https://docs.google.com/spreadsheet/pub?hl=en_US&hl=en_US&key=0At1OFOiVqCrvdFo3aFc1elhXS2pnVkpxOFZORjQ1cUE&output=html">opened in a new window</a>, lists all of the ASCII-unsafe charsets supported in each Web browser tested. 
<br /><iframe src="https://docs.google.com/spreadsheet/pub?hl=en_US&hl=en_US&key=0At1OFOiVqCrvdFo3aFc1elhXS2pnVkpxOFZORjQ1cUE&single=true&gid=3&output=html&widget=true" style="border: 0px; height: 800px; width: 100%;"></iframe><br /><h2>Notes</h2>[1] ascii-safe: An ASCII-compatible character encoding is a single-byte or variable-length encoding in which the bytes 0x09, 0x0A, 0x0C, 0x0D, 0x20 - 0x22, 0x26, 0x27, 0x2C - 0x3F, 0x41 - 0x5A, and 0x61 - 0x7A, ignoring bytes that are the second and later bytes of multibyte sequences, all correspond to single-byte sequences that map to the same Unicode characters as those bytes in ANSI_X3.4-1968 (US-ASCII). [RFC1345] <br /><br />[2] ascii-unsafe: An encoding in which those ASCII-compatible bytes do not all map to the same characters as in US-ASCII.
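<p>As an added example for this post (not the post's transcode.c or its test page), the Python below turns the definition in note [1] into a check, is_ascii_safe, that classifies any codec Python knows; reproduces the cp037 case from the post, where '>' becomes the byte 0x6E; and puts a filter that inspects raw bytes as if they were ASCII beside one that decodes with the declared charset first and refuses ASCII-unsafe output encodings outright. CONTROL_STRING is the post's control string; the function names are assumptions.</p>

```python
# Byte values that note [1] requires to map to the same characters as in
# US-ASCII for an encoding to count as ASCII-compatible (ASCII-safe).
ASCII_SAFE_BYTES = (
    [0x09, 0x0A, 0x0C, 0x0D]
    + list(range(0x20, 0x23)) + [0x26, 0x27]
    + list(range(0x2C, 0x40)) + list(range(0x41, 0x5B)) + list(range(0x61, 0x7B))
)

# The static control string the test page compares each decoded sample against.
CONTROL_STRING = " $%'()*+,-./<>:;="

def is_ascii_safe(charset):
    """True when every byte in ASCII_SAFE_BYTES decodes, on its own, to the
    character it denotes in US-ASCII. A byte that cannot be decoded alone
    (e.g. half of a UTF-16 code unit) also makes the charset unsafe."""
    for b in ASCII_SAFE_BYTES:
        try:
            if bytes([b]).decode(charset) != chr(b):
                return False
        except (UnicodeDecodeError, LookupError):
            return False
    return True

def transcode_control(charset):
    """The bytes the server would send for the control string in `charset`."""
    return CONTROL_STRING.encode(charset)

def naive_filter(raw):
    """A filter that looks at raw bytes as if they were ASCII: flags '<' or '>'.
    It never sees the 0x6E that means '>' in cp037."""
    return b"<" in raw or b">" in raw

def hardened_filter(raw, charset):
    """Decide on characters, not bytes: refuse ASCII-unsafe output encodings,
    otherwise decode with the declared charset and then look for '<' or '>'."""
    if not is_ascii_safe(charset):
        return True  # treated as suspicious: ASCII-unsafe output encodings are refused
    text = raw.decode(charset)
    return "<" in text or ">" in text

if __name__ == "__main__":
    for cs in ("utf-8", "iso-8859-5", "cp037", "utf-16"):
        print("%-10s ascii-safe=%-5s control=%s" % (cs, is_ascii_safe(cs), transcode_control(cs).hex()))
    sample = "x>y".encode("cp037")
    print("naive:", naive_filter(sample), " hardened:", hardened_filter(sample, "cp037"))
```

<p>The refusal in hardened_filter is the general fix for this class of bypass: if the application does not let the client choose an ASCII-unsafe output encoding, the filter and the browser decode the same bytes the same way.</p>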
</div>
<p><a href="https://www.lookout.net/2012/02/testing-ascii-unsafe-encodings-in-web.html">Testing ASCII-unsafe encodings in Web browsers</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on February 06, 2012.</p>https://www.lookout.net/2012/01/testing-registerprotocolhandler-and-web2012-01-30T17:42:00-08:002012-01-30T17:42:00-08:00Chris Weberhttps://www.lookout.netcweb@protonmail.com<div class="css-full-post-content js-full-post-content">
<p class="note">Note: jump straight to the <a href="http://www.lookout.net/test/handler/">test page for navigator.registerProtocolHandler and web+</a> if you'd rather...</p><p>A <a href="http://tools.ietf.org/html/rfc3986">URI (Uniform Resource Identifier)</a> is easily the most recognizable protocol element of the Web. A URL (Uniform Resource Locator) is a form of URI which includes an access mechanism (e.g. a network location). The terms are often used interchangeably, and to add to the terminology, these protocol elements may also be <a href="http://tools.ietf.org/wg/iri">IRIs (Internationalized Resource Identifiers)</a>, which can be thought of as a fork of URI that may include characters outside of the US-ASCII character set. So, <span class="code">http://www.lookout.net/index.html</span> would qualify as a URL, a URI, and an IRI. The 'scheme' part of this URI would be 'http', which refers to the specification that further defines how the URI parts should be processed.</p><p>The ABNF grammar for a <a href="http://tools.ietf.org/html/rfc3986#section-3.1">URI scheme</a> is defined by RFC3986 as: <br /><pre>scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )</pre></p><p>Quite simply, scheme names can only consist of the letters a-z, the numbers 0-9, and the three special characters '+', '-', and '.'. Uppercase letters A-Z in a scheme name would be canonicalized to lowercase as defined by the spec and as we see in most implementations. The syntax rules for a scheme are simple and do not impose arbitrary length limits, although most implementations will enforce their own length limit. Schemes are registered through an official <a href="http://www.iana.org/assignments/uri-schemes.html">IANA registry</a>. Depending on who you ask, the process is not difficult but does involve some time and a manual review. The registry was designed to centrally coordinate and organize scheme registrations so they would be documented and publicly available. 
However, over the years, many scheme names have been invented by application owners who did not use this process.</p> <h2>Protocol handlers in the Web browser</h2><p>The DOM function <a href="https://developer.mozilla.org/en/DOM/window.navigator.registerProtocolHandler">navigator.registerProtocolHandler</a> takes three parameters - a URI, a scheme name, and a title. These are used to register a protocol scheme name, such as http or mailto, to an arbitrary URI that should be used to handle that scheme. For example, you might want to let Hotmail register the 'mailto' protocol to be handled by some URI like <span class="code">https://www.hotmail.com/?email=%s</span>. The '%s' is required in the URI registration and will be replaced with the entire reference URI.</p> <p>For example using the above registration, if you clicked on a link like <span class="code">mailto:chris@lookout.net</span> the browser would open <span class="code">https://www.hotmail.com?email=mailto%3Achris%40lookout.net</span>. In fact, the registration may persist at the OS layer, in which case it would be available to any application. </p> <p>web+ is a new scheme <b>prefix</b> introduced by HTML5. I'm not clear on the purpose of this new prefix, but I can imagine seeing future schemes like web+tweet, web+like, and web+comment. In practice I suppose that application developers could register ad hoc schemes and would likely never go through the official IETF/IANA process. 
Some schemes would end up becoming popular and persisting while others would just fade away.</p> <h2>Risks to Security and Privacy</h2><p>Many risks have been documented in the W3C specification including the following:</p><ul><li>Hijacking all Web usage</li><li>Hijacking defaults</li><li>Registration spamming</li><li>Misleading titles</li><li>Hostile handler metadata</li><li>Leaking Intranet URLs</li><li>Leaking secure URLs</li><li>Leaking credentials</li></ul><p>Others perhaps had not been considered or clearly listed, such as the capability to track users through unique identifiers appended to the web+ prefix, discussed more below.</p> <h2>Test results</h2><p>The table below, which <a href="https://docs.google.com/spreadsheet/pub?hl=en_US&hl=en_US&key=0At1OFOiVqCrvdFo3aFc1elhXS2pnVkpxOFZORjQ1cUE&single=true&gid=1&output=html">can also be opened in a separate window</a>, summarizes the test results, which are discussed a bit more below. The <a href="http://www.lookout.net/test/handler/">test page</a> is available online where you can quickly run the canned tests or create ad hoc tests.</p> <iframe style="width: 100%; height: 800px; border: 0px;" src="https://docs.google.com/spreadsheet/pub?hl=en_US&hl=en_US&key=0At1OFOiVqCrvdFo3aFc1elhXS2pnVkpxOFZORjQ1cUE&single=true&gid=1&output=html"></iframe> <p>As you can imagine, it would be devastating if one could register an arbitrary web+ scheme to the 'javascript' handler. As many XSS filters around the web intentionally block 'javascript:' in forums and comments, they would be immediately hosed when web+foo could achieve the same effect. It would be just as devastating if the 'http' handler could be controlled, so that all links ended up going to http://nottrusted.com?stealing=your%20data. 
Fortunately, all browsers tested prohibited such registration attempts.</p> <p>Also fortunately, all of the browsers tested properly prohibited cross-origin registrations, even within the same general domain - registrations to a subdomain and parent domain were both prohibited, as were registrations to completely different domains. However, both Firefox and Opera allowed registrations to https from an http domain, but only Firefox allowed the reverse - registration from an https origin to http. Additionally, Firefox was the only browser to allow registrations to URIs with completely arbitrary ports, e.g. 23.</p> <p>And what characters are allowed in a web+ scheme? The specification allows only the letters a-z after the prefix, but does not propose limits on length. Opera did not allow web+ registrations during testing, and both Chrome and Firefox allowed more than the small set of characters a-z. In fact, Firefox allowed any character whatsoever to be registered, <b>with or without the prefix</b>, including any Unicode code point. Chrome only allowed the characters +, -, ., a-z, A-Z, and 0-9, in the ASCII range. Chrome was also liberal with Unicode and would allow most, but not all, code points above U+00FF. Of course this is pointless, because having anything but the URI-defined set of limited ASCII in the scheme would be prohibited and instead interpreted as a relative path in all modern Web browsers.</p> <p>The User Interface seemed quite confusing in all cases except for Opera, which set the clearest message of the bunch. Both Chrome and Firefox used confusing messages that I cannot imagine a non-technical user would understand. Heck they were even confusing to me. 
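<p>The checks the browsers were tested against above (a scheme that is grammatical per RFC 3986, web+ names restricted to a-z after the prefix, a handler on exactly the registering page's origin with no stray port, and a handler URL carrying one %s) can be written down as a reference implementation. The Python below is an added example of this post's author's own making and is not any browser's code: it validates a registration the way a browser should and then performs the %s substitution for the mailto example above, producing the percent-encoded reference URI the post shows. ALLOWED_SCHEMES is a small allowlist modelled on the HTML specification's safelist for non-web+ schemes and is an assumption of this example, as are the function names and the origin tuple.</p>

```python
import re
from urllib.parse import quote, urlsplit

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")

# Non-web+ schemes a page may take over. An allowlist (assumed subset of the
# HTML spec's safelist) is the safer shape: anything not listed, including
# http, https and javascript, is refused.
ALLOWED_SCHEMES = {"irc", "ircs", "magnet", "mailto", "news", "nntp", "sms", "tel", "xmpp", "webcal"}

class RegistrationError(ValueError):
    """Raised for a registration the browser should refuse."""

def validate_scheme(scheme):
    """Return the canonical (lowercase) scheme or raise RegistrationError."""
    if not SCHEME_RE.fullmatch(scheme):
        raise RegistrationError("scheme is not valid per RFC 3986: %r" % scheme)
    scheme = scheme.lower()
    if scheme.startswith("web+"):
        # The spec allows only a-z after the prefix: no digits, no Unicode.
        if not re.fullmatch(r"[a-z]+", scheme[4:]):
            raise RegistrationError("web+ scheme must be web+ followed by a-z only")
        return scheme
    if scheme not in ALLOWED_SCHEMES:
        raise RegistrationError("scheme %r may not be registered" % scheme)
    return scheme

def default_port(scheme):
    return 443 if scheme == "https" else 80

def validate_handler_url(handler_url, page_origin):
    """The handler must be an absolute http(s) URL on exactly the registering
    page's origin (scheme, host and port) and contain one %s placeholder.
    page_origin is a (scheme, hostname, port) tuple."""
    parts = urlsplit(handler_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise RegistrationError("handler must be an absolute http(s) URL")
    if handler_url.count("%s") != 1:
        raise RegistrationError("handler must contain %s exactly once")
    origin = (parts.scheme, parts.hostname, parts.port or default_port(parts.scheme))
    if origin != page_origin:
        raise RegistrationError("handler origin %r != page origin %r" % (origin, page_origin))
    return handler_url

def register_protocol_handler(scheme, handler_url, page_origin):
    """Mirror of navigator.registerProtocolHandler's validation; returns the
    (scheme, handler) pair that would be stored."""
    return validate_scheme(scheme), validate_handler_url(handler_url, page_origin)

def resolve(handler_url, reference_uri):
    """On click, the browser substitutes the percent-encoded reference for %s."""
    return handler_url.replace("%s", quote(reference_uri, safe=""))

if __name__ == "__main__":
    origin = ("https", "www.hotmail.com", 443)
    scheme, handler = register_protocol_handler("mailto", "https://www.hotmail.com/?email=%s", origin)
    print(scheme, "->", resolve(handler, "mailto:chris@lookout.net"))
```

<p>Each of the findings above maps to one check: the https-to-http and subdomain cases and the arbitrary port 23 all fail the origin comparison, web+foo1 and a web+ name containing a non-ASCII letter fail the a-z rule, and javascript and http fail the allowlist.</p>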
Take a look at the following and judge for yourself, from top to bottom they are Opera, Firefox, and Chrome.</p><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-vqCAdpUphYc/TybYGiQKbrI/AAAAAAAAAMY/ritoua3mU14/s1600/ui-confusion-opera.JPG" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="40" width="400" src="http://1.bp.blogspot.com/-vqCAdpUphYc/TybYGiQKbrI/AAAAAAAAAMY/ritoua3mU14/s400/ui-confusion-opera.JPG" /></a></div> <div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-ejgdWiLQzkM/TybYJjnWLDI/AAAAAAAAAMk/09rceqbO4FI/s1600/ui-confusion-ff.JPG" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="33" width="400" src="http://1.bp.blogspot.com/-ejgdWiLQzkM/TybYJjnWLDI/AAAAAAAAAMk/09rceqbO4FI/s400/ui-confusion-ff.JPG" /></a></div> <div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-9qXCvXgCAq0/TybYJmQ-43I/AAAAAAAAAMs/UnBmpqLVlm4/s1600/ui-confusion-chrome.JPG" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="48" width="400" src="http://1.bp.blogspot.com/-9qXCvXgCAq0/TybYJmQ-43I/AAAAAAAAAMs/UnBmpqLVlm4/s400/ui-confusion-chrome.JPG" /></a></div> <p>The primary spam protection is the infobar and requirement that a user must click 'yes' or 'no' to accept the registration or not. 
The UI could easily be flooded with infobars in Chrome, which tiled them vertically, making the Web page completely unusable after the window filled up, as in the image below.</p> <div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-b2yMmLaTb4U/TybYWEbGCAI/AAAAAAAAAM8/5hlppHEbfX4/s1600/chrome-register-protocol-cascade.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="351" width="400" src="http://3.bp.blogspot.com/-b2yMmLaTb4U/TybYWEbGCAI/AAAAAAAAAM8/5hlppHEbfX4/s400/chrome-register-protocol-cascade.png" /></a></div> <p>One could also create a really long title, which would overflow the UI so the user would only see one big button, and would likely have little idea about what to do other than click the big button.</p> <div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-YjKTu9JdkfU/TybYWcHnkfI/AAAAAAAAANE/ATY97KeYCBM/s1600/chrome-ui-overflow.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="172" width="400" src="http://1.bp.blogspot.com/-YjKTu9JdkfU/TybYWcHnkfI/AAAAAAAAANE/ATY97KeYCBM/s400/chrome-ui-overflow.png" /></a></div> <p>Firefox and Opera both at least overlapped the infobars so you would only ever see one at a time. Closing one would reveal the next one behind it.</p> <p>It's also interesting to note how the registered protocol handlers would be stored. Chrome was the only browser that registered handlers at the OS-layer, making them available to all applications. In Windows this meant storing the registrations in the registry under the <span style="font-family: 'Bitstream Vera Sans Mono', 'Courier New', 'Lucida Console', monospace, fixed;">HKEY_CLASSES_ROOT</span> hive, which required administrative elevation to register. 
In Ubuntu, they'd be stored in <span style="font-family: 'Bitstream Vera Sans Mono', 'Courier New', 'Lucida Console', monospace, fixed;">~/.local/share/applications/mimeapps.list</span>. Opera stored registered protocol handlers in <span style="font-family: 'Bitstream Vera Sans Mono', 'Courier New', 'Lucida Console', monospace, fixed;">C:\Users\chris\AppData\Roaming\Opera\Opera\handlers.ini</span> where they were only available to Opera, and Firefox took the same approach, storing them in <span style="font-family: 'Bitstream Vera Sans Mono', 'Courier New', 'Lucida Console', monospace, fixed;">C:\Users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\wj7x1dmj.default\mimeTypes.rdf</span> where they were actually mapped using the URN scheme.</p> <p>Here's what a 'mailto' scheme registration looks like stored in Opera's handlers.ini file:</p><pre>
[mailto]
Type=Protocol
Handler
Webhandler=http://www.lookout.net/?mail=%s
Description=mailto scheme
Flags=16
</pre> <p>And here are some snippets of what a 'foobar' scheme registration looks like stored in Firefox's mimeTypes.rdf file:</p><pre>
&lt;RDF:li RDF:resource="urn:scheme:foobar"/&gt;
&lt;RDF:Description RDF:about="urn:handler:web:http://www.lookout.net/foobar=%s"
 NC:prettyName="The foobar scheme"
 NC:uriTemplate="http://www.lookout.net/foobar=%s" /&gt;
&lt;RDF:Description RDF:about="urn:scheme:foobar"
 NC:value="foobar"&gt;
&lt;NC:handlerProp RDF:resource="urn:scheme:handler:foobar"/&gt;
&lt;RDF:Description RDF:about="urn:scheme:handler:foobar"
 NC:alwaysAsk="true"&gt;
&lt;NC:possibleApplication RDF:resource="urn:handler:web:http://www.lookout.net/foobar=%s"/&gt;
</pre> <h2>Further testing</h2><p>I tried clobbering some registration entries in Firefox using certain Unicode characters that would be best-fit mapped to ASCII. 
In other tests, some characters seem like they obviously should not be allowed in a scheme name, like control characters, for example 0x09 and 0x01. However, tests using these combined with <a href="http://shazzer.co.uk/vector/Characters-allowed-before-protocol-in-js-url">some Shazzer vectors for characters allowed before the javascript scheme name</a> did not work. While the registrations were allowed in Firefox, such as " javascript" with a leading SPACE, I believe some pre-processing removes that when it is encountered in an href attribute. </p><p>As far as penetration testing Web applications goes, we'll want to keep an eye out for usage of navigator.registerProtocolHandler, and closely inspect what the use case and implementation details might be. For example, it makes sense that Gmail or Hotmail would want to register the mailto handler to their URL. Is that URL dynamically generated, and can it be controlled by user input? If an attacker could, for example, inject the hostname part of the URL then they could cause some mischief, or at the least steal email addresses and other data present in the mailto link. We'll also want to keep an eye out for registrations of web+foo schemes for similar issues, including data exfiltration and URL control. I'm sure other folks can think of more threats and abuse cases; if so, please let me know! Otherwise, time will tell.</p> <h2>Risks of user tracking and fingerprinting</h2><p>Another threat to consider is the way the web+ prefix would allow sites to set persistent unique identifiers in a user's Web browser. This issue was brought up by James Hawkins, author of the <a href="http://dvcs.w3.org/hg/web-intents/raw-file/tip/spec/Overview.html">Web Intents draft</a>, on the <a href="http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2012-February/034881.html">WHATWG mailing list</a>. 
It also became evident to me during testing when I realized I could set a unique identifier through the web+ protocol scheme - something like web+[some_unique_id]. Sites (from any origin) could later call isProtocolHandlerRegistered(scheme, url) to identify their visitors, and even track their movement across the Web. As we've seen with trickery employed by advertising agencies in the past, those unique ids could be bundled and shared. However, the isProtocolHandlerRegistered API was not implemented in the browsers at the time of testing, so I could not confirm this. </p>
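<p>As an added example (not code from the original post), here is a reference validator in JavaScript that applies the registration rules the test results above compare browsers against: only a safelisted scheme or web+ followed by ASCII a-z is accepted, and the handler URL must contain %s and share the registering page's origin (scheme, host and port), so the subdomain, parent-domain, http/https and port-23 cases are all refused. It is also the check to run against any navigator.registerProtocolHandler call found during a Web application assessment, since a handler template built from user input that fails it is exactly the hostname-injection case described above. The safelist is an assumption drawn from the HTML spec of the period, not any browser's actual list.</p>

```javascript
// Added example (not from the original post): a reference validator that
// applies the registration rules the post tests browsers against.
// ASSUMPTION: this safelist is an illustrative reading of the HTML spec of
// the period, not any particular browser's list.
const SAFELISTED_SCHEMES = new Set([
  'geo', 'im', 'irc', 'ircs', 'magnet', 'mailto', 'mms', 'news', 'nntp',
  'sip', 'sms', 'smsto', 'ssh', 'tel', 'urn', 'webcal', 'wtai', 'xmpp',
]);

// Custom schemes: the web+ prefix followed by one or more ASCII lowercase
// letters, nothing else. Note the spec sets no upper bound on length.
const WEB_PLUS_SCHEME = /^web\+[a-z]+$/;

// Is this scheme one a browser should accept? 'javascript', 'http',
// 'web+Foo', 'web+abc123' and any non-ASCII scheme all fall through to refusal.
function validateScheme(scheme) {
  if (SAFELISTED_SCHEMES.has(scheme) || WEB_PLUS_SCHEME.test(scheme)) {
    return { ok: true };
  }
  return { ok: false, reason: `'${scheme}' is neither safelisted nor web+[a-z]+` };
}

// The handler template must contain %s and resolve to the registering page's
// origin: same scheme, host and port, so a subdomain, the parent domain,
// an http<->https switch or an odd port such as 23 are all refused.
function validateHandlerUrl(template, pageOrigin) {
  if (!template.includes('%s')) {
    return { ok: false, reason: 'handler template lacks %s' };
  }
  let handler;
  try {
    handler = new URL(template, pageOrigin);
  } catch (e) {
    return { ok: false, reason: 'handler template is not a valid URL' };
  }
  const page = new URL(pageOrigin).origin;
  if (handler.origin !== page) {
    return { ok: false, reason: `handler origin ${handler.origin} is not ${page}` };
  }
  return { ok: true };
}

// Full check in the order a conforming registerProtocolHandler would apply it.
function validateRegistration(scheme, template, pageOrigin) {
  const s = validateScheme(scheme);
  return s.ok ? validateHandlerUrl(template, pageOrigin) : s;
}
```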
</div>
<p><a href="https://www.lookout.net/2012/01/testing-registerprotocolhandler-and-web.html">Testing registerProtocolHandler and the web+ scheme prefix</a> was originally published by Chris Weber at <a href="https://www.lookout.net">lookout.net</a> on January 30, 2012.</p>