Tracking the Web Trackers
Mar 22nd 2013, 23:47

itwbennett writes "Do you know what data the 1300+ tracking companies have on you? Privacy blogger Dan Tynan didn't until he had had enough of being stalked by grandpa-friendly Jitterbug phone ads. Tracking company BlueKai and its partners had compiled 471 separate pieces of data on him. Some surprisingly accurate, some not (hence the Jitterbug ad). But what's worse is that opting out of tracking is surprisingly hard. On the Network Advertising Initiative Opt Out Page you can ask the 98 member companies listed there to stop tracking you and on Evidon's Global Opt Out page you can give some 200 more the boot — but that's only about 300 companies out of 1300. And even if they all comply with your opt-out request, it doesn't mean that they'll stop collecting data on you, only that they'll stop serving you targeted ads." Read more of this story at Slashdot.

Video Editor OpenShot Wants To Kickstart Windows, OS X Versions
Mar 22nd 2013, 22:48

There have been video editing apps available for Linux for years, from ones meant to be friendly enough to compete on the UI front with iMovie (like the moribund Kino, last released in 2009, and the actively developed PiTiVi and Kdenlive) to editors that can apparently do nearly anything, provided the user is a thick-skinned genius — I'm thinking of Broadcast 2000/Cinelerra. Then there's VJ-tool-cum-non-linear editor LiVES, which balances a dense interface with real-time effects for using video as a performance tool, and can run on various flavors of UNIX, including Mac OS X. Dallas-based developer Jonathan Thomas has been working for the last few years on a Free (GPL3 or later), open-source editor called OpenShot, which aims for a happy medium of both usability and power. OpenShot is Linux-only, though, and Thomas is now trying to kickstart (as in, using a Kickstarter project) a cross-platform release for OS X and Windows, too.
I've been tempted by dozens of Kickstarter projects before, but this is the first one that I've actually pledged to support, and for what may sound like a backwards reason: I like the interface, and am impressed by the feature set, but OpenShot crashes on me a lot. (To be fair, this is mostly to blame on my hardware, none of which is really high-end enough by video-editing standards, or even middle-of-the-road. One day!) So while I like the idea of having a cross-platform, open-source video editor, I have no plans to migrate to Windows; I'm mostly interested in the promised features and stability improvements.

GCC 4.8.0 Release Marks Completion of C++ Migration
Mar 22nd 2013, 22:08

hypnosec writes "GCC 4.8.0 has been released (download), and with it, the developers of the GNU Compiler Collection have switched to C++ as the implementation language, a project the developers have been working on for years. Licensed under the GPLv3 or later, version 4.8.0 of GCC not only brings with it performance improvements but also adds the memory error detector AddressSanitizer and the race condition detection tool ThreadSanitizer. Developers wanting to build their own version of GCC should have at their disposal a C++ compiler that understands C++ 2003."

Capcom Remastering DuckTales Game
Mar 22nd 2013, 21:49

jones_supa writes "Many Slashdotters are probably aware of the 1989 Nintendo Entertainment System platformer classic DuckTales (video), designed around the Disney cartoon series. Capcom announced today at their PAX East panel that they are resurrecting the beloved game. Developed by WayForward and Capcom, DuckTales: Remastered is something of a remake based on the original version. The embedded video shows some solid back-to-basics platformer action. The game will be out this summer for Xbox Live, PSN, and Wii U."
Apple Makes Two-Factor Authentication Available For Apple IDs
Mar 22nd 2013, 21:25

wiredmikey writes "In an effort to increase security for user accounts, Apple on Thursday introduced a two-step verification option for Apple IDs. As the 'epic hacking' of Wired journalist Mat Honan proved, an Apple ID often carries much more power than the ability to buy songs and apps through Apple's App Store. An Apple ID can essentially be the keys to the kingdom when it comes to Apple devices and user-maintained data, and as Apple explains, 'is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices.' 'After you turn [two-step verification] on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key,' a support entry announcing the new service explained."

Samsung Wants To Sell Liquavista To Amazon
Mar 22nd 2013, 21:06

Nate the greatest writes "Bloomberg is reporting early this morning that Liquavista, Samsung's cutting edge electrowetting screen tech research firm, is up for sale. Details are still thin but Bloomberg's unnamed source indicates Amazon is looking to buy Liquavista for somewhere under $100 million. This rumor confirms earlier reports that Amazon had launched a new holding company in the Netherlands and was going to use it to buy Liquavista. There have also been rumors circulating screen tech conferences for the past 5 or 6 months that Samsung was interested in selling the company. No one in the industry really understands why Samsung would want to do that, but I think the latest demo video from Liquavista explains it. This screen tech simply isn't as good as current LCD or OLED screens, and Samsung might be looking to cut their losses."
MasterCard Forcing PayPal To Pay Higher Fees
Mar 22nd 2013, 20:42

iComp sends this quote from El Reg: "PayPal, Google Wallet and other online payment systems face higher transaction fees from MasterCard in retaliation for their refusal to share data on what people are spending. Visa is likely to follow suit. The amount that PayPal has to pay MasterCard for every transaction will go up as the latter introduces new charges for intermediated payment processors. This change is on the grounds that such processors don't share transaction details, which the card giants would love to get hold of as it can be used to research buying patterns and the like. Companies such as PayPal allow payments between users, so the party (perhaps a merchant) receiving the money doesn't need to be registered with the credit-card company. PayPal collects the dosh from the payer's card, and deducts a processing fee before passing the cash on to the receiving party. MasterCard would prefer the receiver to be registered directly so will apply the new fee from June to any payment that is staged in this way."

Google Keep End-of-Life Date Forecasted
Mar 22nd 2013, 19:59

An anonymous reader writes "A smart aleck journalist for UK's Guardian newspaper has turned the tables on Google by compiling data on 39 of the company's terminated projects, summarized in a table and bar graph. The mean lifespan of the doomed products turns out to be almost exactly 4 years, which led Mr. Arthur to conclude that your data would be safe with Google Keep — until March 2017, give or take a few months. Of course, this assumes that Keep is destined to be one of those products and services that wouldn't be Kept, or rather 'didn't gain traction with users' in the familiar lingo of Google marketing."
Twitter Sued For $50M For Refusing To Identify Anti-Semitic Users
Mar 22nd 2013, 19:17

redletterdave writes "After a French civil court ruled on Jan. 24 that Twitter must identify anyone who broke France's hate speech laws, Twitter has since refused to identify the users behind a handful of hateful and anti-Semitic messages, resulting in a $50 million lawsuit. Twitter argues it only needs to comply with U.S. laws and is thus protected by the full scope of the First Amendment and its free speech privileges, but France believes its Internet users should be subject to the country's tighter laws against racist and hateful forms of expression."

Bosch Finds Solar Business Unprofitable, Exits
Mar 22nd 2013, 18:35

New submitter rwise2112 writes "German engineering company Bosch said Friday that it is abandoning its solar energy business, because there is no way to make it economically viable. 'We have considered the latest technological advances, cost-reduction potential and strategic alignment, and there have also been talks with potential partners,' Bosch CEO Volkmar Denner said. 'However, none of these possibilities resulted in a solution for the solar energy division that would be economically viable over the long term.'"

Intel's Pentium Chip Turns 20 Today
Mar 22nd 2013, 17:53

girlmad writes "Intel's Pentium processor was launched 20 years ago today, a move that led to the firm becoming the dominant supplier of computer chips across the globe. This article has some original iComp benchmark scores, rating the 66MHz Pentium at a heady 565, compared with 297 for the 66MHz 486DX2, which was the fastest chip available prior to the Pentium launch."

Can You Really Hear the Difference Between Lossless, Lossy Audio?
Mar 22nd 2013, 17:10

CWmike writes "Lossless audio formats that retain the sound quality of original recordings while also offering some compression for data storage are being championed by musicians like Neil Young and Dave Grohl, who say compressed formats like the MP3s being sold on iTunes rob listeners of the artist's intent. By Young's estimation, CDs can only offer about 15% of the data that was in a master sound track, and when you compress that CD into a lossy MP3 or AAC file format, you lose even more of the depth and quality of a recording. Audiophiles, who have long remained loyal to vinyl albums, are also adopting the lossless formats, some of the most popular of which are FLAC and AIFF, and in some cases can build up terabyte-sized album collections as the formats are still about five times the size of compressed audio files. Even so, digital music sites like HDtracks claim about three hundred thousand people visit each month to purchase hi-def music. And for music purists, some of whom are convinced there's a significant difference in sound quality, listening to lossy file formats in place of lossless is like settling for a Volkswagen instead of a Ferrari."

Bitcoin To Be Regulated Under US Money Laundering Laws
Mar 22nd 2013, 16:23

New submitter davek writes with news that the U.S. will be applying money-laundering laws to Bitcoin and other 'virtual currencies.' "The move means that firms that issue or exchange the increasingly popular online cash will now be regulated in a similar manner as traditional money-order providers such as Western Union Co. They would have new bookkeeping requirements and mandatory reporting for transactions of more than $10,000. Moreover, firms that receive legal tender in exchange for online currencies or anyone conducting a transaction on someone else's behalf would be subject to new scrutiny, said proponents of Internet currencies.
'I think it's inevitable that just like you have U.S. dollars used by thieves and criminals, it's sadly inevitable you will have criminals use a virtual currency. We want to work with authorities,' said Jeff Garzik, a Bitcoin developer. Still, law enforcement, regulators and financial institutions have expressed worries about the hard-to-trace attributes of virtual currencies, helping trigger this week's move from the Treasury's Financial Crimes Enforcement Network, or FinCEN."

An Instructo-Geek Reviews The 4-Hour Chef
Mar 22nd 2013, 15:40

Bennett Haselton writes "Recently I wrote an article about what I considered to be the sorry state of cooking instructions on the web (and how-to instructions in general), using as a jumping-off point a passage from Evgeny Morozov's new book To Save Everything, Click Here. My point was that most "newbie" instructions never seemed to get judged by the basic criteria by which all instructions should be judged: If you give these instructions to a group of beginners, and have them attempt to follow the instructions without any additional help from the author, what kind of results do they get? The original title of my article was "Better Cooking Through Algorithms," but due to some confusion in the submission process the title got changed to "Book Review: To Save Everything, Click Here" even though, as multiple commenters pointed out, it didn't make much sense as a "book review" since it only mentioned a short passage from the actual book. This article, on the other hand, really is intended as a review of The 4-Hour Chef, even though the article only covers a similarly tiny fraction of the book's 671-page length. That's because even before buying the book, I was determined to review it according to a simple process: Try three recipes from the book. Follow the directions step by step. (If any direction is ambiguous, then follow what could be a plausible interpretation of the directions.)
My estimation of the quality of the book, as an instructional cooking guide for beginners, is then determined by the quality of the food produced by my attempt to follow the directions. (I've done this so many times for so many "beginner cookbooks," that I've probably lost my true "beginner" cook status in the process — which means that the results obtained by a real beginner using The 4-Hour Chef, would probably be a little worse than what I achieved.)" Read on for the rest of Bennett's thoughts.

A Truckload of OAuth Issues That Would Make Any Author Quit
Mar 22nd 2013, 15:00

New submitter DeFender1031 writes "Several months ago, when Eran Hammer ragequit the OAuth project, many people thought he was simply being overly dramatic, given that he gave only vague indications of what went wrong. Since then, and despite that, many companies have been switching to OAuth, citing it as a 'superior form of secure authentication.' But a fresh and objective look at the protocol highlights the significant design flaws in the system and sheds some light on what might have led to its creator's departure."

Blizzard Announces Hearthstone: Heroes of Warcraft Digital Card Game
Mar 22nd 2013, 14:52

UgLyPuNk writes "Blizzard has revealed its 'something new' at PAX East 2013: Hearthstone: Heroes of Warcraft — a 'charming collectible strategy game set in the Warcraft universe.'" Blizzard says this game is a departure from their normal development process: it was made with a team of just 15, will release this year, and it's free-to-play. Hearthstone is built for Mac OS, Windows, and iPads. There's a deck builder, a match-finder, and AI for those who don't want to play against other people. While it's free to play, and players will earn new packs of cards by playing, there will also be an option to purchase new packs.
Twitter, Hotmail, LinkedIn, Yahoo Open To Hijacking
Mar 22nd 2013, 14:19

mask.of.sanity writes "Twitter, LinkedIn, Yahoo! and Hotmail accounts are open to hijacking thanks to a flaw that allows cookies to be stolen and reused. Attackers need to intercept cookies while the user is logged into the service because the cookies expire on log-out (except LinkedIn, which keeps cookies for three months). The server will still consider them valid. For the Twitter attack, you need to grab the auth_token string and insert it into your local Twitter cookies. Reload Twitter, and you'll be logged in as your target (video here). Not even password changes will kick you out."

Google Reportedly Making a Smartwatch, Too
Mar 22nd 2013, 13:36

judgecorp writes "With Samsung and (reportedly) Apple already making smartwatches, Google has now joined the party, according to a (paywalled) report in the Financial Times. The Google Watch is apparently being made by the Android group, and could have some synergy with Google's other wearable tech — the Glass spectacles. The distinctive thing in Google's patent seems to be having two displays — one for public data and a flip-up one for more private stuff."

The "Wonderful" World of Italian Startups
Mar 22nd 2013, 13:35

The script is always the same. Every time I talk about some startup, all hell breaks loose. Yesterday I wrote this post about Quag. As usual I got called incompetent, prejudiced, someone who talks without knowing, someone who shoots at everyone, a wrecker, plus the usual tirades I have become used to by now.

Massimo Marchiori, founder of Volunia. In an interview that appeared in Wired he declared: "We want to set the chickens free and help them take flight. Unlike Google, which offers search results and then abandons the user, Volunia follows the user around the Web."
In Il Sole 24 Ore, Volunia had even been billed as "the Italian challenge to Google". A few weeks after its launch the project was good and dead. A few months ago, writing about Volunia, I titled the post "Why it will be a flop". The reactions were identical. Incompetent, prejudiced, wrecker. As if expressing an opinion "different" from the sugar-coated vision that is so often offered on the most prestigious online showcases regarding certain startups were some kind of blasphemy. And let's be honest, it did not take a rocket scientist to see that Volunia was unpresentable. Or did it? In the post about Quag, and I spell this out for those who read it superficially, I only drew attention to one point: whether it makes sense to invest 1.2 million euros in this kind of initiative. A wholly personal consideration, like everything else you find on this blog: no. Just as it was "no" when I talked about Volunia. I find it a bit reckless. And here comes the usual rant about the incompetent, prejudiced wrecker. With Volunia, we saw how it ended. Now I invite you to reflect on a simple question. Purge your brain of your prejudices. And concentrate for a second on the numbers. 1.2 million euros. With that same sum, given the times we live in, do you know how many small businesses you could finance? And mind you, I am talking about "businesses" in the classic sense of the term, the ones that are the real economic engine of the country. Not certain digital fripperies that one can boast about only in some presentation. And perhaps, in the first case, investors would even have some chance of seeing some money back. Because it is useless to keep complaining that there is no money if the little that does circulate is invested badly.
Corrado Passera, Minister of Economic Development: "With start-ups we relaunch employment."

Back when I criticized the infamous Fund of Funds presented in Minister Corrado Passera's much-discussed "Startup Report", a good part of the home-grown digital world literally rose up en masse against me. Incompetent, prejudiced, wrecker, to cite only the most elegant epithets. I only asked a question, which today, months later, has still not received a clear answer. Unless the fact that the Fund was struck from the Development Decree approved by the Council of Ministers is, in itself, explicitly, the answer. The Fund earmarked 50 million euros for startups. I wonder: 50 million to fund yet another Volunia? 50 million of public funds squandered and pulverized to build yet another house of cards? If I think of the contribution that 50 million euros could make to the "real" economy of the Italian system (of which some virtuous startups, far less in the spotlight, are a healthy example), then yes. I am, and I claim to be, a wrecker and prejudiced toward certain other startups that do not convince me at all. But mind you, I am "prejudiced" at least as much as those who clumsily try to convince me that continuing to crash into certain reinforced-concrete walls for the sheer pleasure of spitting one's teeth on the ground is, all things considered, not so bad after all. Startups of every kind are welcome. But at least leave us the sacrosanct right, with regard to some of them, to harbor a few legitimate doubts.

Adobe To Australians: Fly To US For Cheaper Software
Mar 22nd 2013, 12:53

angry tapir writes "It's been a long-running joke that it's cheaper for Australians to get a plane ticket to the U.S. if they want to buy Adobe's Creative Suite instead of paying local prices.
But appearing before a parliamentary inquiry into the disparity between IT prices in Australia and elsewhere, Adobe's local chief appeared to suggest just that." Other companies gave their responses to the inquiry as well. Microsoft said they'll simply charge what the market will bear. Apple tossed out a host of reasons for the price difference: its retail partners, digital content owners, exchange rates, taxes, import duties, and an apparent inability to alter the price set by its U.S. parent company.

Apple: 75% of Our World Wide Power Needs Now Come From Renewable Power Sources
Mar 22nd 2013, 12:11

skade88 writes "Apple now owns and runs enough renewable energy power plants that 75% of their world wide power needs come from renewable sources such as wind, solar, geothermal and hydro. From the Apple blog post: 'Our investments are paying off. We've already achieved 100 percent renewable energy at all of our data centers, at our facilities in Austin, Elk Grove, Cork, and Munich, and at our Infinite Loop campus in Cupertino. And for all of Apple's corporate facilities worldwide, we're at 75 percent, and we expect that number to grow as the amount of renewable energy available to us increases. We won't stop working until we achieve 100 percent throughout Apple.'"

DARPA Tackles Machine Learning
Mar 22nd 2013, 09:27

coondoggie writes "Researchers at DARPA want to take the science of machine learning — teaching computers to automatically understand data, manage results and surmise insights — up a couple notches. Machine learning, DARPA says, is already at the heart of many cutting edge technologies today, like email spam filters, smartphone personal assistants and self-driving cars. 'Unfortunately, even as the demand for these capabilities is accelerating, every new application requires a Herculean effort.
Even a team of specially-trained machine learning experts makes only painfully slow progress due to the lack of tools to build these systems,' DARPA says."

Security of Mashup Applications for Enterprises
Mar 22nd 2013, 07:01
Beyond the buzz of Web 2.0, mashup applications (also called hybrid or situational applications) bring the promise of creating meaningful experiences by feeding other people's data into your application. For businesses, this means consuming data without the overhead of infrastructure or data storage and being able to tap into established technology vendors such as Bing Maps, LinkedIn or Twitter. While combining components from all over the web can help you quickly build a powerful application, it can also expose your users to malicious content that sneaks into your application from your providers. How can you protect your users and still realize the potential of mashup applications for the enterprise?

In this series, I'll investigate how to mitigate security issues that can come along with a mashup application. To frame the discussion, we'll build an application for the fictional Vision Sciences Corporation, leveraging risk management, good old input validation and the muscle of modern browsers to keep users safe. Each article will focus on one of these elements, starting in this article, where I'll examine how modern browsers help isolate content. At the end of this article, you'll understand how the browser is the first layer in your defense-in-depth strategy against malicious mashup madness.

What Are We Building?

I always find a sample project helpful to illustrate development issues. Talking about the sample lets me dive into a narrative, not just detached code. So to start, imagine the following scenario: You are a developer at Vision Sciences Corporation, and your product team has requested that you build an HTML5 application for the company's office locations around the world that shows news about health and safety risks combined with medical information distilled from Twitter.
Being a savvy developer, you know that you can get this data from a variety of sources in your organization and through external providers like Bing Maps and Twitter. Here is a breakdown of the data sources and systems for the application:

Internal Data
- HR system for employee and facility information; XML output through ASP.NET pages from hr.visionsciences.com.
- Physical security department's intranet site for medical intelligence information; HTML content from security.visionsciences.com/med-intel.html.
- Physical security department's travel advisory system (REST API) from security.visionsciences.com/travel/.
External Data
- Twitter API to collect local medical intelligence (aka crowdsourcing).
- Bing Maps API to plot the facilities on a map.
Our First Challenge: Getting Data from Other Domains

To begin, we need to be on the same page about a critical concept that impacts mashup design, implementation and maintenance: the same origin policy (SOP). Back in the days of Netscape (1995), when JavaScript and the DOM were introduced, it was decided to restrict scripts from communicating with resources that have a different protocol, host, or port (the triple known as the origin; see Michal Zalewski, The Tangled Web, 2012). This policy restricts apps.visionsciences.com from accessing content on hr.visionsciences.com because the sites' host names are different. As you can see, SOP is good for restricting unauthorized access, but it also restricts legitimate access. SOP impacts several browser features that enable mashup applications, such as web storage, cookies, XMLHttpRequest, and others. For example, if the following code block were run on apps.visionsciences.com, it could not read the XML document requested from hr.visionsciences.com, because the host name of the responder differs from the host name of the requestor.

    // Script running on http://apps.visionsciences.com
    $.ajax({
        url: "http://hr.visionsciences.com/data.xml",
        dataType: 'xml',
        type: 'GET',
        success: function (data) { alert("Success!"); },
        error: function (ex) { alert(ex); }
    });

If you want to consume this data for your mashup, you have a problem and need to look at another solution. SOP works well for isolated sites, but in a world where data can be anywhere, it becomes more of a hindrance to developers. You could use a proxy design, in which a server-side component consumes the data and then serves it through a local resource, or you could work with the data provider to cook up a JSONP endpoint. Both of these are decent solutions, but today's web browsers offer another solution that can require less code and less development cost: cross-origin resource sharing (CORS).
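To make the origin triple concrete, here is an added example (not code from the article) that models the comparison the browser performs: two URLs share an origin only when scheme, host and port all match, with the port defaulting per scheme when it is omitted. The sample URL pairs are constructed from the article's fictional hosts.

```javascript
// Added example, not from the original article: a minimal model of the
// same origin policy's origin comparison.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin triple. An omitted port is filled in from the
// scheme's default so that "http://a.com/" and "http://a.com:80/" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port === "" ? (DEFAULT_PORTS[u.protocol] || "") : u.port;
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: port };
}

// The SOP test: all three components must match. Path, query and fragment
// play no part, and a differing subdomain is a different host.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample pairs drawn from the article's scenario.
const SAMPLES = [
  ["http://apps.visionsciences.com/index.html", "http://hr.visionsciences.com/data.xml"],     // host differs
  ["http://apps.visionsciences.com/index.html", "https://apps.visionsciences.com/index.html"], // scheme differs
  ["http://apps.visionsciences.com/", "http://apps.visionsciences.com:80/other/path?q=1"],     // same: 80 is the http default
  ["http://apps.visionsciences.com/", "http://apps.visionsciences.com:8080/"],                 // port differs
];

// Evaluate every pair; returns [{a, b, sameOrigin}, ...].
function report() {
  return SAMPLES.map(([a, b]) => ({ a: a, b: b, sameOrigin: sameOrigin(a, b) }));
}

for (const r of report()) {
  console.log(r.sameOrigin ? "same origin:     " : "different origin:", r.a, "vs", r.b);
}
```

Only the third pair passes; the first is exactly the apps/hr split the article's Ajax call runs into.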
Cross-origin resource sharing allows providers to make their content accessible by adding the Access-Control-Allow-Origin header to the response for their resource, but adding this header does not mean that anyone can access resources from the provider. By using the Access-Control-Allow-Origin header, providers can state which origins can access their data. As an example, here is the hr.visionsciences.com header:

    Access-Control-Allow-Origin: http://apps.visionsciences.com

Now the previous Ajax request will work, because the client and server are cooperating on the request and response. But if you ran the same Ajax code from security.visionsciences.com it would fail, because hr.visionsciences.com only permits requests from apps.visionsciences.com. This approach creates a white list of permitted requestors, so that only qualified requestors receive content. For the case where you want to provide the content to anyone requesting it, you can simply use an asterisk for the origin in the Access-Control-Allow-Origin header:

    Access-Control-Allow-Origin: *

From a security perspective, please keep in mind that using an asterisk allows any site to read your content. Your purpose and your organization's risk tolerance will drive how open (or closed) your implementation of CORS will be. If your organization wants to restrict access to data because of the data's proprietary nature, stay away from * and maintain your white list with recurring (at least every six months) access reviews. Determine who is accessing your data, why they need access, and whether they should still have access. While CORS makes life easier for data consumers, data providers can be taking on more risk. If you (as a data provider) permit more than read-only operations through your CORS implementation, you could be opening the door to a cross-site request forgery (CSRF) attack.
Be selective in which resources return the Access-Control-Allow-Origin header, and limit it to data you want to provide via CORS. For example, do not include the header on resources like a settings page or a password reset page. These resources are prime targets for CSRF attacks.

From a client-side perspective, not all browsers support CORS. Some browsers have supported it for a long time, while others are just now coming to the party. Depending on your enterprise's standardized browser and version, you might need to consider a CORS alternative (like postMessage). Check out When can I use… to see if CORS is available for your organization's choice of browser. Internet Explorer 8 and 9 have a slightly different approach to CORS, called XDomainRequest (XDR). If you are a jQuery developer you can easily implement XDR alongside CORS by leveraging a great code library from Daniel Kastner (https://github.com/dkastner/jquery.iecors). You can detect whether CORS or XDR is available by using the following code segment from the IEBlog:

    // Script running on http://apps.visionsciences.com in IE10
    var xhr = new XMLHttpRequest();
    if ("withCredentials" in xhr) {
        // CORS is supported
    } else {
        // Fallback behavior for browsers without CORS for XHR
    }

Or, if you're using jQuery, you can use the code shown in Figure 1.

    // Script running on http://apps.visionsciences.com
    if (jQuery.support.cors) {
        $.ajax({
            url: "http://hr.visionsciences.com/data.xml",
            dataType: 'text xml',
            type: 'POST',
            success: function (data) { alert("Success!"); },
            error: function (ex) { alert(ex); }
        });
    } else {
        // Fallback behavior for browsers without CORS for XHR
    }

Figure 1: Use this jQuery code to determine whether a browser supports CORS or XDR.

CORS can be used for much more than reading data. Our example focuses on getting data from another location. More complex requests can be accomplished using preflight requests.
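The provider-side rules above (a per-origin white list, the wildcard only for genuinely public data, and no header at all on pages like settings or password reset) fit in one small policy table. The following is an added example, not code from the article: a server-side helper for hr.visionsciences.com that decides which CORS headers a response gets. The paths and origins are the article's fictional ones; the policy table shape and the function names are this example's own assumptions. The weak reflect-everything variant is included only for contrast.

```javascript
// Added example, not from the original article: per-resource CORS white list.
const CORS_POLICY = {
  // Proprietary data: only the mashup host may read it.
  "/data.xml": { origins: ["http://apps.visionsciences.com"] },
  // Genuinely public data: anyone may read it (wildcard).
  "/public/": { origins: "*" },
  // Deliberately absent: "/settings", "/password-reset" and anything else
  // state-changing never receive an Access-Control-Allow-Origin header.
};

// Find the policy entry for a request path: keys ending in "/" are prefixes,
// all other keys must match exactly.
function policyFor(path, policy) {
  const key = Object.keys(policy).find(p =>
    p.endsWith("/") ? path.startsWith(p) : path === p);
  return key ? policy[key] : null;
}

// Response headers to add for a given request path and Origin header value.
// Returns {} when the resource is not shared via CORS or the origin is not on
// the white list, so the browser refuses the cross-origin read.
function corsHeadersFor(path, originHeader, policy = CORS_POLICY) {
  const rule = policyFor(path, policy);
  if (!rule || !originHeader) return {};
  if (rule.origins === "*") {
    // A wildcard may never be combined with Access-Control-Allow-Credentials.
    return { "Access-Control-Allow-Origin": "*" };
  }
  // Exact-match the white list. A sandboxed iframe without allow-same-origin
  // sends the literal string "null" as its Origin; never list that value.
  if (!rule.origins.includes(originHeader)) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    // Tell caches the response depends on the request's Origin.
    "Vary": "Origin",
  };
}

// Weak pattern, shown only for contrast: echo whatever Origin arrives and
// allow credentials. Any site could then read the response as the logged-in
// user, which is the cross-site exposure the article warns about.
function weakCorsHeaders(originHeader) {
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Constructed sample requests to show the decisions.
const SAMPLE_REQUESTS = [
  ["/data.xml", "http://apps.visionsciences.com"],
  ["/data.xml", "http://security.visionsciences.com"],
  ["/public/feed.json", "http://anything.example"],
  ["/password-reset", "http://apps.visionsciences.com"],
];
for (const [path, origin] of SAMPLE_REQUESTS) {
  console.log(path, "from", origin, "->", JSON.stringify(corsHeadersFor(path, origin)));
}
```

Because every shared resource has to be listed explicitly, the six-monthly access review the article recommends reduces to reviewing CORS_POLICY, and adding the header to a new page is a deliberate change rather than a side effect of a global setting.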
I will not dive into the details of CORS with preflight in this series, but you can find information about it on the IEBlog and in the W3C documentation.

Mashing with iframes

There is more to a mashup than Ajax requests; you can also have windows into another location via frames. From a security perspective, iframes have traditionally been a point of concern. Content inside a frame can access resources on the calling page, and historically this has been leveraged for some very nasty attacks, such as clickjacking and keystroke redirection. How do good frames go bad? Consider the following: in our sample application we need to include the HTML file from security.visionsciences.com/med-intel.htm. The security department updates this HTML by hand and does not have a review process prior to posting. In the past, disgruntled members of the security staff have defaced the page with comments about how the security department is overworked and understaffed. While those employees have not posted any malicious scripts yet, they could, and the act would go unnoticed. If the goal of the project is simply to display the information from that page, we could show it via an iframe, but how do we mitigate the potential for malicious code to be injected into our page through the frame?

Back in the days of Internet Explorer 6, Microsoft introduced an attribute for the iframe: security="restricted". Adding this attribute cast the frame's contents as a Restricted Site (Internet Options, Security tab, Sites setting), which by default did not have scripting enabled. Any script on the page in the frame would be disabled, as well as scripts on any nested pages. HTML5 uses a similar concept with more granular control in the new sandbox attribute of the iframe element. Using the sandbox attribute casts the frame as a unique origin (remember SOP) unless you instruct it otherwise. By default, according to the W3C draft, using sandbox disables the following actions:

- Form submission
- Script execution
- Links targeting other frames or the top document
- Plug-ins being instantiated or executing code in other frames or the top document
- Pop-ups disabled (in the W3C standard, this is referred to as "auxiliary navigation")
- Rendering a nested frame "seamlessly," meaning that it appears to be part of the page without the window frame.
- Automatic features such as setting focus on a form or starting a media file.
To provide flexibility in implementation, the sandbox attribute can take multiple allowed settings, which keeps the control you need while reducing your potential attack surface. When the sandbox attribute is present, all of the actions listed above are disabled, leaving it up to developers to re-enable the behaviors they want the frame to be able to perform using the following values:
- allow-forms – Allows form submission by the sandboxed content
- allow-popups – Allows pop-ups to be launched by sandboxed content
- allow-same-origin – Lets the sandboxed content keep its real origin instead of being treated as a unique origin, so it can reach same-origin resources, including the calling site when the two share an origin
- allow-scripts – Allows scripts to execute inside the sandboxed content
- allow-top-navigation – Allows the sandboxed content to navigate the top-level browsing context. This could be used if you want the frame to be able to control navigation for your site.
Using the sandbox attribute is very simple, but understanding the behavior of nested sandboxes requires more study. First, let's look at how to implement a quick sandboxed iframe:

    <iframe sandbox src="http://security.visionsciences.com/med-intel.htm"></iframe>

This code invokes an iframe that does not permit any of the above actions (because all are disabled by default). If you want to allow forms and pop-ups, you would update the iframe as follows (notice that the values of the sandbox attribute are space delimited):

    <iframe sandbox="allow-forms allow-popups" src="http://security.visionsciences.com/med-intel.htm"></iframe>

As common sense tells you, certain combinations of sandbox values can lead to unintended security consequences. Combining allow-scripts and allow-same-origin permits the sandboxed content, when it shares an origin with the calling page, to execute scripts against that page; such scripts can remove the sandbox attribute from the iframe and circumvent your security control. While you might see this and think to yourself, "Well, of course, I would not do that," you must consider how nesting sandboxed content works. Imagine that you use the iframe shown earlier to embed med-intel.htm in the sample application. One of the security staff has used an iframe on the med-intel.htm page, which provides a view to www.some-fake-news.com/news-feed.aspx with the following iframe element:

    <iframe sandbox src="http://www.some-fake-news.com/news-feed.aspx"></iframe>

Based on these items, according to the W3C sandbox proposal, would the news-feed.aspx page support pop-ups? If you answered no, you are correct. What is allowed in the sandbox is determined by the most restrictive settings. In our example, we state in the main frame (security.visionsciences.com) that forms and pop-ups are allowed. In the next frame, we declare only the bare sandbox attribute and do not permit anything. The second frame does not permit pop-ups, so the sandbox will disable them for some-fake-news.com.
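The nesting rule just described ("what is allowed is determined by the most restrictive settings") is easy to get wrong once frames are several levels deep, so here is an added example, not code from the original article, that models it: it computes the permissions a nested frame ends up with from the chain of sandbox attributes above it, and it flags the allow-scripts plus allow-same-origin pairing. The five tokens and the med-intel.htm/news-feed.aspx scenario come from this article's description of the W3C draft; the function names and the constructed frame chains are assumptions for illustration.

```javascript
// Added example, not from the original article: model the "most restrictive
// wins" inheritance of nested sandboxed iframes and flag the risky combination.
// Function names and frame chains are constructed for illustration.

// The sandbox tokens discussed in this article (the W3C draft at the time).
const SANDBOX_FLAGS = [
  "allow-forms",
  "allow-popups",
  "allow-same-origin",
  "allow-scripts",
  "allow-top-navigation",
];

// Turn one iframe's sandbox attribute into the set of behaviours it allows.
//   null      -> the element has no sandbox attribute, so it restricts nothing
//                by itself (modelled here as "all five flags allowed")
//   ""        -> bare `sandbox`: everything is restricted
//   "a b c"   -> space-delimited, case-insensitive tokens; unknown tokens ignored
function parseSandbox(attr) {
  if (attr === null || attr === undefined) {
    return new Set(SANDBOX_FLAGS);
  }
  const tokens = attr.trim().toLowerCase().split(/\s+/).filter(Boolean);
  return new Set(tokens.filter((t) => SANDBOX_FLAGS.includes(t)));
}

// chain lists the sandbox attribute of each iframe from the outermost one
// (on the page you control) down to the innermost. A behaviour survives only
// if every sandbox on that path allows it, so restrictions accumulate.
function effectiveSandbox(chain) {
  let allowed = new Set(SANDBOX_FLAGS);
  for (const attr of chain) {
    const here = parseSandbox(attr);
    allowed = new Set([...allowed].filter((flag) => here.has(flag)));
  }
  return allowed;
}

function isAllowed(chain, flag) {
  return effectiveSandbox(chain).has(flag);
}

// allow-scripts together with allow-same-origin lets framed content that is
// same-origin with its embedder reach into the parent and remove the sandbox
// attribute, so a policy check should reject that pairing.
function hasSandboxEscapeRisk(attr) {
  const flags = parseSandbox(attr);
  return flags.has("allow-scripts") && flags.has("allow-same-origin");
}

// The article's scenario: the sample application embeds med-intel.htm with
// sandbox="allow-forms allow-popups"; med-intel.htm embeds news-feed.aspx with
// a bare sandbox attribute. The inner frame ends up with no pop-ups.
const articleChain = ["allow-forms allow-popups", ""];
console.log("news-feed.aspx may open pop-ups:", isAllowed(articleChain, "allow-popups"));
console.log("effective flags for news-feed.aspx:", [...effectiveSandbox(articleChain)]);
console.log("risky pairing:", hasSandboxEscapeRisk("allow-scripts allow-same-origin"));
```

Run effectiveSandbox against the chains you actually ship to see what the innermost content can still do; the model also makes the converse visible, that an inner frame with no sandbox attribute at all still inherits every restriction from the frames above it.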
Your trust in the framed content and the functionality that your users need dictate how restrictive you make your sandbox. Remember that any restrictions you place on the root carry through the nested frames. If you allow a behavior on the root, it must also be allowed in each nested frame for it to function there. The inheritance behavior described here is based on the W3C draft. In practice, browsers could implement it differently. Always check your sandbox inheritance to be sure that you are aware of your security exposure.

For more details on the W3C's sandbox draft, check out the "Sandboxing" section. This section provides all the details necessary to understand how browsers are to interpret the sandbox attribute. From there, research your favorite browsers (or the ones your users use) to determine how they implement sandboxing.

Unfortunately, the sandbox attribute is just now becoming available to browsers. Newer versions of Internet Explorer (version 10) and Firefox (version 13) support it, while both Chrome and Safari have supported sandbox for a few versions now. You can explore the implementation in Internet Explorer 10 at http://ie.microsoft.com/testdrive/HTML5/sandbox/Default.html. Note that sandboxing is not supported in all browsers. Check whether your users' browsers support sandboxing by using the following JavaScript:

    if ("sandbox" in document.createElement("iframe")) {
        // sandbox is supported
    } else {
        // sandbox is not supported
    }

Use the sandbox attribute as a single piece of your defense-in-depth approach because not all browsers support it. In the third article in this series, I'll examine how to add layers to your defense using the "constrain, reject and sanitize" approach to further secure your iframe content.

Next Time: Who Can You Trust?

This article started by examining the basics of consuming data from external sources.
You learned how cross-origin resource sharing (CORS) allows applications to consume data from other domains and break free of the same origin policy (SOP). We also examined the most basic mashup technique of using iframes to pull content into an application. CORS lets data into applications, while sandboxing provides a layer to a defense-in-depth strategy. In the next article, I'll look at how a risk-based analysis of data sources can drive your sanitization activities, and then we'll move on to implement the input validation process of constrain, reject and sanitize.

About the Author

For the past ten years Tim has been building web applications using JavaScript, ASP.NET and C#. Now Tim leads the development team at FrontierMEDEX building online medical and security intelligence tools. Tim is a CISSP and CEH specializing in secure software development. Find Tim on: Tim's Blog; Twitter: @seccode.

| Most UK GPs Have Prescribed Placebos Mar 22nd 2013, 06:56 Techmeology writes "In a survey of UK GPs, 97% said they'd recommended placebo treatments to their patients, with some doctors telling patients that the treatment had helped others without telling them that it was a placebo. While some doctors admitted to using a sugar pill or saline injection, some of the placebos offered had side effects, such as antibiotic treatments used as placebos for viral infections." Read more of this story at Slashdot.

| CS Faculty and Students To Write a Creative Commons C++ Textbook Mar 22nd 2013, 05:32 Cynic writes "Inspired by an earlier Slashdot story about Finnish teachers and students writing a math textbook, I pitched the idea of writing our own much cheaper/free C++ textbook to my programming students. They were incredibly positive, so I decided to move forward and started a Kickstarter project. We hope to release the textbook we produce under a CC BY-NC-SA 3.0 license and sell cheap hard copies to sustain the hosting and other production costs." Read more of this story at Slashdot.

| Kids Build Pill Dispenser To Win Raspberry Pi Award Mar 22nd 2013, 04:33 judgecorp writes "The first Raspberry Pi Awards have picked the best projects built by schoolchildren using the Raspberry Pi. The winners included a team of 8 to 11 year olds, who built a door-answering machine for elderly or disabled people, and a team of 12 to 16 year olds, who made an automated pill dispenser for forgetful patients. Other categories included adults, who built a wireless home power consumption system." Read more of this story at Slashdot.

| Study Finds Universe Is 100 Million Years Older Than Previously Thought Mar 22nd 2013, 02:25 skade88 writes "Reuters is reporting that scientists now say the universe is 100 million years older than previously thought after they took a closer look at leftover radiation from the Big Bang. This puts the age of the Universe at 13.8 billion years. The new findings are the direct results from analyzing data provided by the European Space Agency's Planck spacecraft. The spacecraft is providing the most detailed look to date at the remnant microwave radiation that permeates the universe. 'It's as if we've gone from a standard television to a high-definition television. New and important details have become crystal clear,' Paul Hertz, NASA's director of astrophysics, told reporters on a conference call." Read more of this story at Slashdot.