I have had interaction with several security project managers who were very good in creating a buzz around their projects. Projects were given fancy names. The funniest project name I have heard was "Baby Rhino". One day I get an email in my inbox with a subject line which says: Baby Rhino Caputred! - The email got my attention, but the project did not gain any extra respect (because of the name) hardly there was any significant accomplishment in terms of its deliverable.

I would rather stick with project names that signify scope, relevance, meaning and value of  a project. It is not bad to market a project, but trying to market a project without delivering value is a gimmick.

Blogger: Ramon Krikken

The web browser is one of those peculiar pieces of software, having to accept input from arbitrary sources and then parse and render the data that is sent to it. Part of this it does by itself, and other parts are taken care of by handlers and plug-ins. In doing so, it displays hypertext, images, videos, and even runs active content like Flash, JavaScript, and ActiveX.

But however much we love the browser, we’ve also come to hate the myriad of vulnerabilities that affect it. Everything from cross-site scripting to remote code execution via maliciously formed animated cursor files and Flash content can make browsing a hazardous activity. The browser is sick, and that’s not desirable for a platform we use for important business and personal transactions.

Worsening the browser’s diagnosis is the recent paper from Mark Dowd and Alexander Sotirov, sub-titled “Setting back browser security by 10 years,” which discusses how to bypass Microsoft Vista’s memory protection capabilities with some added effort for the exploit designers. It’s not that all of the techniques are necessarily new, but the browser appears to be particularly vulnerable to easy exploitation.

Surprising? Not exactly, when we take into account that the browser is suffering from the same disease as the general purpose operating system: bloat and compatibility. We expect the browser to do ever more, but everything we used it for before still needs to work as if it were yesterday. It feels a bit like people insisting on using a cardboard box as a safe, and wondering why their money keeps getting stolen.

It’s not like we haven’t been working on the browser’s cure, though. There have been some improvements in the browsers themselves, the operating systems have also implemented compensating controls, but most of all, there has been an enormous push for securing the web applications that deliver the data in the first place. Unfortunately, the latter two won’t help secure the browser in the long run.

The first issue is that not all content will come from ‘nice’ servers, the second that the server can only make an educated guess on how a browser will parse and render a given set of data, and the third that operating system controls have their own limitations, whether by design or implementation (for example needing to re-compile existing code to enable certain protections.) The browser, in the end, has to be mostly responsible for keeping itself safe; the operating system must assist it in doing so.

So we’re in a pickle. The browser is sick (and the operating system is too), but it’s hard to cure it without a redesign that will undoubtedly impact compatibility, the ever-so-desired multi-functionality, or its ease of use. We can layer defenses by using web filtering in the enterprise environment, but in the end – for the consumer market in particular – we need to fix the browser itself. I can think of a few things I think might help:

• Some kind of site security policy  to restrict where the browser loads auxiliary content from, and which data it can ‘trust’, when loading a web page (I’d prefer mandatory enforcement, and adding an HTML tag to be able to indicate blocks of untrustworthy data.)
• Restricted compartments for plug-ins to run in, ensuring that their bugs cannot easily affect the whole browser.
• Better software development practices for the plug-ins and content parsers themselves, so that they’re less vulnerable, and compiled with the latest protection measures to begin with.

All of this means more work, and some of it means a lot of unhappy reactions when things stop working. Even then we will of course still have to deal with additional vulnerabilities, such as those that may be present in hardware, but we will at least have taken prudent steps to ‘find a cure.’

For many users of Vista, its just another reason to not like it.

How does it apply to you, the casual user? It should convince you to insure your online safety. Use a alternate Browser like Firefox. Simply because its less of a target for exploits so far.

Make sure your MS updates are current. Practice good surfing, stay away from sites that may harbor porn, malicious ads and such. Make sure you have a reliable AntiVirus, AntiSpyware and Firewall program up.

And wait for the patch to fix the exploit.

Buying a lemon is always a bad thing – but when you pay $1 billion for it?! Back in 2005, Google bought a 5% stake in AOL for $1 billion and now is calling that investment “impaired”. That’s one way of putting it, so it’s a good thing Google has money to burn.

At LinuxWorld this week, Bob Sutor, VP of open source and standards at IBM, said that the next 10 years is “do or die” for open source software designed for specific industries. 10 years? That’s like 70 years in open source development time.

And finally…8/8/08…the Olympics are here! Network administrators around the world, except for Terry Childs, will be eyeing office network bandwidth closely as people go online to watch streaming video of the games. NBC and Microsoft will offer 2,200 hours of live video coverage with up to 20 simultaneous live streams of different events. Plus NBCOlympics.com will offer 3,000 hours of on-demand video content. The time difference means that much of the primetime events will be broadcast while the Western hemisphere is supposed to be hard at work. Me – I’m just glad it’s the weekend, and I can get the Olympics fix I’ve been waiting years for.