Thursday, December 20, 2012

The Single Most Important Step to Securing a Web Site

I've worked as an employee and consultant, in a technical capacity, for tiny companies through multi-billion dollar corporations. With the exception of the companies where I've been a founder, I've noticed that the technical teams at these companies would have a hard time immediately detecting an attack or abuse unless it caused obvious damage to the functioning of their website.

For small to medium size websites (< 5-10 requests/second/web server) the single most important defense against attacks is to continuously monitor logs. The simplest way to do this is to "tail" the logs of every instance of the web server, app server, and security-relevant services (SSH, DB, etc.) 24/7 on a system admin's or developer's computer. It would be great if this could be automated, but many times it takes a human to notice something abnormal.

Most abuse/attacks on a website begin with probing the website itself (port 80/443) or SSH (port 22). Once abuse or an attack is noticed from a single source, the first step should be to block that IP address and then contact the ISP of the attacker/abuser, ideally with a phone call to their network operations center or via their abuse e-mail address (e.g. abuse@example.com), which is usually listed in a whois lookup. In either case, the offending ISP will ask for a copy of your server logs, which should be cleansed of any third-party data. In other words, only send the offending ISP a copy of the log entries that specifically pertain to the attacker/abuser.

Typical web server logs should contain at least the following info:
Requester's Host Name/IP: ec2-75-101-189-255.compute-1.amazonaws.com
Timestamp with time zone offset: [20/Dec/2012:13:39:40 -0800]
Request: "GET /index.html HTTP/1.1"
HTTP status: 200
Response size (bytes): 16844
Referrer: "http://google.com/com"
Time taken to serve the request (seconds): 1

Also, don't include too many log parameters on web requests, lest you suffer from scrolling blindness. The logs have to be readable, in real time, by a human. During unusual periods of peak traffic, it helps to tail and grep the logs in real time to focus on specific log entries.

You'll be amazed at how much you'll learn by simply monitoring these server logs on a daily basis for just a couple of weeks; it will give you a sense for what normal traffic looks like. Errors, unusual requests, and long response times should be investigated. Some of these issues will turn out to be web app bugs or areas requiring optimization that may never have been detected otherwise (such as an internal report taking minutes to respond when a typical request/response takes less than a second).

Frequent attacks go unnoticed until there is some ramification. If you don't know what normal behavior is then you won't be able to detect abnormal behavior.
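As an added example (not code from the post), a small Python triage script in the spirit of the tail-and-grep routine described above: it parses lines in the field layout the post lists and flags the three things the post says to investigate, errors, bursts of unusual requests from one host, and long response times. The line format, the thresholds and the sample traffic are constructed assumptions, not a real server's output.

```python
import re
from collections import Counter

# Constructed line format with the fields the post lists; not a real server's format.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referrer>[^"]*)" (?P<secs>\d+)$'
)

ERROR_BURST = 3    # assumed: 4xx responses from one host before we treat it as probing
SLOW_SECONDS = 10  # assumed: a normal request takes under a second, so this is "long"

def parse_line(line):
    """Split one log line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"], fields["secs"] = int(fields["status"]), int(fields["secs"])
    return fields

def find_anomalies(lines):
    """Apply the post's triage rules and return (rule, host, detail) tuples."""
    findings, client_errors = [], Counter()
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if e["status"] >= 500:
            findings.append(("server_error", e["host"], e["request"]))
        elif e["status"] >= 400:
            client_errors[e["host"]] += 1
            if client_errors[e["host"]] == ERROR_BURST:  # report once per host
                findings.append(("error_burst", e["host"], f"{ERROR_BURST} client errors"))
        if e["secs"] > SLOW_SECONDS:
            findings.append(("slow_response", e["host"], f"{e['secs']}s {e['request']}"))
    return findings

# Constructed sample traffic (documentation IP ranges), not a real capture.
SAMPLE_LOG = [
    'ec2-75-101-189-255.compute-1.amazonaws.com [20/Dec/2012:13:39:40 -0800] "GET /index.html HTTP/1.1" 200 16844 "http://google.com/com" 1',
    '203.0.113.7 [20/Dec/2012:13:39:41 -0800] "GET /nonexistent/1 HTTP/1.1" 404 512 "-" 0',
    '203.0.113.7 [20/Dec/2012:13:39:41 -0800] "GET /nonexistent/2 HTTP/1.1" 404 512 "-" 0',
    '203.0.113.7 [20/Dec/2012:13:39:42 -0800] "GET /nonexistent/3 HTTP/1.1" 404 512 "-" 0',
    '203.0.113.7 [20/Dec/2012:13:39:42 -0800] "GET /nonexistent/4 HTTP/1.1" 404 512 "-" 0',
    '198.51.100.20 [20/Dec/2012:13:40:05 -0800] "GET /reports/monthly HTTP/1.1" 200 90211 "-" 142',
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

The same rules can be fed from a live `tail -f` pipe by reading `sys.stdin` line by line instead of the constructed list.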

Monday, December 17, 2012

How to Squeeze More Than 140 Characters Into A Tweet

Summary
How to squeeze more than 140 characters into a tweet with indexable text.

Background
Last Friday, I half jokingly sent out a tweet demonstrating how to squeeze more than 140 characters into a tweet.

Basically, I tweeted that it was possible to take a screen shot of text longer than 140 characters which could then be attached to a tweet as an image.

I say half jokingly because, even though it works, it's a bit of a hack. It wasn't until Dave Winer – who actually didn't support this technique – retweeted me that I saw a surprising interest in it. The interest probably wasn't so much the solution as it was the part that was a joke. One person called it "twaxing" (tweeting + faxing). And Dave half-joked, "the web cries" for me. But I noticed, over the weekend, that a number of people have started adopting this technique.

It's handy that Twitter now, organically, hosts images on their servers which means that a link to an image in a tweet is much less likely to break when compared to hosting an image with a third party.

A couple of people pointed out the obvious shortcoming of the twax technique, which is that an image of text isn't indexable (searchable). That got me thinking… what if a twax was indexable? Would there be any benefit for those times when you needed, say, 400 or 500 characters in a tweet? Perhaps.

Searchable Solutions
My initial twax search solution was to embed the tweet's meta-data in the text of the tweet, but that is too ugly, inelegant, and incomplete.

After some more thought, I realized a very workable solution: embed the tweet's meta-data as a QR code inside the tweet. Any third party server could simply scan the image and decode the QR code while any human could read the text.

Technically speaking, this will work. But, would anyone use it and how would it work?

I can easily see a mobile app or Twitter web feature that would notify you once you exceeded 140 characters while continuing to let you type. When you clicked the Tweet button, to publish your tweet, the tweet would contain the first 140 characters of the tweet while the entire tweet's text would be displayed in the image, followed by a QR code of the tweet's text and meta-data.

The nice thing about this technique is that a single QR code can encode thousands of characters of text. Plus, the tweet text and its image with the QR code could stand alone without network connectivity.

Saturday, December 15, 2012

When A Constitutional Amendment Outlives Its Usefulness

"Why should a private American citizen own an assault rifle?" asks the city girl.

Good question.

"Because it's my Second Amendment right," answers the farmer.

Good answer.

Does the U.S. Constitution contain amendments that have outlived their purpose?
Certainly. The best example is the 21st Amendment which repealed the 19th Amendment on Prohibition.

What about the Bill of Rights? No Amendment in the Bill of Rights has ever been repealed.

The Third Amendment of the Bill of Rights, which prevents soldiers from being quartered in a home without the owner's consent, has certainly outlived its purpose. The U.S. Military is so large and well funded that there's no need to quarter soldiers in private homes. Repeal the Third Amendment and America doesn't skip a beat.

Surprisingly, yesterday's shooting isn't the largest K-12 massacre. In 1927, a disgruntled taxpayer used dynamite to kill more than 40 people, including 38 elementary school children, in Bath Township, Michigan.

So, what about the Second Amendment which gives American citizens the right to keep and bear arms? Could that, too, have outlived its usefulness? What were our forefathers thinking when they drafted this amendment?

The Second Amendment serves several purposes. In 18th Century America, a typical citizen might own a firearm for hunting and protection. Constables didn't cruise the suburbs to maintain law and order 200 years ago, and there was no way to call 911 for help. Big chain supermarkets and grocery stores with stocks of food that you could store in your refrigerator didn't exist. Hunting was a big part of survival.

But, beyond these reasons, there was another key purpose for 18th Century Americans to own firearms, which was to keep the government in check. With the exception of the cannon, private American citizens were on even footing with the government when it came to weapons. Automatic weapons didn't exist back then, nor did weapons of mass destruction.

In colonial America, firearms didn't even have what we now think of as traditional bullets. In the 18th Century, firearms like handguns and rifles were single-shot flintlocks with a hammer that held a rock mineral (flint). When the trigger was squeezed, the hammer hit a frizzen that threw sparks into a pan of fine gunpowder, which set off the weapon. If you turned a flintlock firearm sideways, the FFFF gunpowder fell out of the pan, making it unfireable. A flintlock firearm couldn't easily be concealed, nor would it work in the rain (hence the phrase "keep your powder dry").

In the 18th Century, a battle between private citizens and government backed troops was nearly an even match in terms of firepower. It's clear that this is no longer the case. The U.S. Government has weapons of mass destruction and no reasonable person could make the case that private American citizens should own tanks, bombs, or missiles.

Questions Without Answers

At this point, we only have complex questions without simple answers:

How does the current state of military hardware affect the Second Amendment? A matchup between the U.S. Government and its private citizens is not even close to a fair fight.

Should Americans own any firearms? Should private firearm ownership be better controlled? Could it be better controlled?

Even if private firearm ownership was eliminated, would people take to other forms of attack such as the Bath Township massacre or the Shoe Bomber? Bad people can always find big ways to hurt good people. Look no further than the 9/11 attacks to see how machines of peace can be turned into weapons of mass destruction.

Could schools be made more secure, similar to airports? Even if that's done, kids will still go outside to play which is where two elementary students were shot, two years ago, in my own town of Carlsbad.

Here's something important to consider… think critically about your ideas. If you think the Second Amendment should stand as is, consider yourself wrong. If you think the Second Amendment should be repealed, once again, consider yourself wrong as you think through workable solutions. Not being able to critically examine your own thoughts and ideas leads to closed-mindedness.

One final thought to ponder as the Constitution tries to keep pace with technology...
Which is more important: your privilege to drive a car or your right to keep and bear arms?

(Not that they're mutually exclusive nor am I suggesting the prohibition of all firearms. I'm merely making a point about the difference between rights and privileges. Driving, in Saudi Arabia, is a privilege that women don't have.)

There's no simple solution – but at least all sides agree that something needs to be done to prevent a repeat of yesterday's tragedy.