Digital Gemstones Blog
Playing With Java
This is a mostly useless post, just me playing around with Java Applets and some fun little code I wrote a while back. As a challenge, can you figure out what this applet is doing?
Protecting Webpages
I just read this article (Well-Intentioned Destruction) on The Daily WTF about a developer's experience where a client's whole system was being deleted randomly and for no apparent reason. After a lot of hunting and digging around, he discovered that a web crawler was following the "delete" links and deleting every article it crawled, since to the crawler they were just more links.
They'd never run into this problem before, since they used header('Location: index.php'); to redirect visitors away from restricted pages if they weren't logged in. But the Location header does not deny access to the original page; it is simply an HTTP instruction telling the client to go to a different page instead. Since anything connecting over HTTP - especially a crawler - can choose whether or not to obey Location headers, the Location header cannot be trusted for any kind of security.
What did they need to do to resolve this bug? More than likely a deep code analysis with this new knowledge would be wise, but all they have to do to ensure protected data is not served up is to add exit; after the header() call. This stops the PHP script from executing any further, and therefore from outputting any protected data or running any protected commands.
It's interesting to note the different paradigms of thought people go through, because the WTF blog suggests instead changing the delete command to a POST button rather than a GET URL, so that crawlers won't hit it anymore. That's true, but it disregards the problem entirely. Button or link, without a command to stop all execution if the visitor is not authenticated, the security hole remains - modified, but just as big and gaping.
An Easy Fix:
<?php
session_start(); // the session must be started before $_SESSION is populated
if (!isset($_SESSION['usr_id']) || !isset($_SESSION['usr_name'])) {
    header('Location: index.php');
    exit; // stop here so no protected output or action can follow for an unauthenticated visitor
}
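As an added example (not code from the original post or from the WTF story), here is a "delete article" handler written both the vulnerable way and the fixed way, with the guard moved into a reusable function; the table, column and session key names are assumptions for illustration.

```php
<?php
// Added example (not the original post's code): the "delete article" handler
// written the vulnerable way and the fixed way. Table, column and session
// key names are assumptions for illustration.
session_start();

function is_logged_in(): bool
{
    return isset($_SESSION['usr_id']) && isset($_SESSION['usr_name']);
}

// VULNERABLE: the redirect is only a hint to the client. A crawler or any
// HTTP client can ignore the Location header, and because the script keeps
// running, the article is deleted for an anonymous request anyway.
function delete_article_vulnerable(PDO $db, int $id): void
{
    if (!is_logged_in()) {
        header('Location: index.php');
        // no exit here, so execution falls through to the DELETE below
    }
    $db->prepare('DELETE FROM articles WHERE id = ?')->execute([$id]);
}

// FIXED: the guard terminates the script, so nothing after it runs for an
// unauthenticated request, whatever the client does with the redirect.
function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: index.php');
        exit;
    }
}

function delete_article_fixed(PDO $db, int $id): void
{
    require_login();
    $db->prepare('DELETE FROM articles WHERE id = ?')->execute([$id]);
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles (title) VALUES ('first'), ('second')");

// No session values are set, which simulates an anonymous crawler following the links.
delete_article_vulnerable($db, 1);
echo 'rows left after the vulnerable handler: ', $db->query('SELECT COUNT(*) FROM articles')->fetchColumn(), "\n";
delete_article_fixed($db, 2); // the guard calls exit here, so row 2 is never deleted
echo "this line is never reached for an anonymous request\n";
```

Run from the command line, header() is silently ignored, which is exactly the situation a redirect-ignoring client creates: only the exit in the fixed version keeps the row from being deleted.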
Secure Password Handling
I've always been annoyed by websites and systems that have requirements for what kind of password you can use. GoDaddy, for instance, requires its FTP passwords to have an uppercase letter and a number or it will not accept your password; and UC Davis requires your password to be at least 7 characters long (and strangely, no more than 8). At first glance, this seems like good security practice, preventing users from picking weak passwords. But the fact of the matter is, a properly built system should be just as secure if a user picks a terrible password like apple as if they picked something ridiculous like '@pPl3S4uCe'. This article is an in-depth analysis of the several options developers have to safely store users' passwords, and why requiring hard passwords is not the way to go.
Site Redesign
So I've had the same-looking site for about three years now, and though it's gone through several versions and improvements on the backend, I haven't really done much of anything on the look and feel of it, and I think it's high time I change that. I am, however, not all that great on the design side of web development, so if you have any thoughts - or best of all design skills of your own - I would love to collaborate with you.
I'm not looking to spend large sums of money here, but if you wanted, I would be happy to pay a decently small fee, or even better develop and maintain a site for you as compensation.
You can contact me here or through my contact page if you're interested.
Checking Back In
So it's been about six months since I last took the time to update my blog - though in the meantime I've redesigned how comments are submitted to better fend off the horde of spammers. Just today I've started receiving waves of spam URL comments which appear to be from stanford.edu - but are in fact exploiting a redirection security flaw in one of their web pages to make a bunch of porn sites appear legitimate. I've notified the webmaster; we'll see if they do anything about it.
So what have I been up to for the past several months? Well, I've been back at Willamette for about two months now, pursuing my Computer Science degree and doing my level best to wreak havoc on the school's network. I've been trying to set up an FTP-based file sharing service on campus, though as yet I haven't found a good FTP crawler / indexer, so suggestions would be awesome. In about two weeks I'll be heading up to Eugene to participate in the ACM's ICPC programming competition - maybe I'll be inspired to write something about the tournament - we'll see.