Dec 26

Every now and then, a developer makes a post on their blog that, to the unsuspecting novice, seems like common sense.
Beware, though. If the post is less than comprehensive or accurate, it had better not be about security matters, or that newly acquired peace of mind may be quickly shattered.

Exhibit A: This post on the topic of PHP and SQL injections. It’s not like there is a lack of information already freely available on the web.
The author even references this excellent material at the end of his post. It is too bad that his own article actually contains less relevant information than the original post.

For instance, he recommends the use of mysql_real_escape_string().

  • Observation #1: this implies that you are using MySQL as your database of choice. Granted, you could call this function before sending a query to PostgreSQL, but there is no guarantee that the mysql extension is compiled into the PHP build you are running on, and MySQL’s escaping rules are not PostgreSQL’s anyway (PostgreSQL has its own pg_escape_string()). Escaping is always specific to the database and the connection’s character set.
  • Observation #2: mysql_real_escape_string() does nothing more than backslash-escape a handful of characters (quotes, backslashes, NUL, newlines and a couple of others), and that only helps when the value lands inside a quoted string literal. A value spliced into an unquoted numeric context, an identifier, an ORDER BY or a LIMIT clause is not protected at all. From the original article: “Be aware that ‘sanitizing the input’ doesn’t mean merely ‘remove the quotes’, because even ‘regular’ characters can be troublesome.”

He recommends validating for the proper input, which is good practice. So, brownie points for that. But it wouldn’t hurt to have, for instance, mentioned the use of intval() to enforce that integer values are nothing but that. Integer values. (If you would rather reject bad input than silently coerce it to 0, ctype_digit() or filter_var() with FILTER_VALIDATE_INT do that.) I would say that it’s advice just as important as escaping input strings, because escaping does nothing for a value that is never quoted in the first place.

Now, the part that I found horrifying, but it’s just me, I’m a stickler: the author encourages you to code your HTML forms so that they will not accept too many characters. I see here some confusion: a maxlength attribute on a form field is good usability advice, granted, but as far as security goes it is misguided. It lives in the client, and anyone can edit the form, replay the request with a tool or simply type the URL by hand.

The golden rule is simple: Always perform input validation server-side, where the user cannot ‘fake’ the values they are sending to your application.
Never, ever accept data “as-is” if it came through a path that allowed it to be tampered with.

Two other equally important points I wish he had mentioned are:

  • Configure error reporting so that your server does not display those “helpful” error messages that he mentions and attackers are delighted to find. In php.ini that means display_errors = Off and log_errors = On: the details still reach your log, just not the browser.
  • A good SQL query is one cautiously put together, but a great SQL query relies on prepared statements. There are cases when you are after raw speed and direct queries feel more ‘natural’ -I know, I use them a lot- but whenever possible, use prepared statements (PDO or mysqli both provide them), since the user’s data is then sent separately from the query text and he is never given a chance to “write” your query string himself.
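To make the three points above concrete, here is an added example (my own illustration, not code from the post under discussion). It runs the same lookup three ways against an in-memory SQLite database through PDO so that it works offline; the table, the rows and the escape_quotes() helper, which stands in for mysql_real_escape_string(), are constructed for the demonstration. The same pattern applies unchanged to MySQL with mysqli or PDO.

```php
<?php
// Added example: escaping vs. intval() vs. prepared statements for an
// untrusted "id" that ends up in WHERE id = ...

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'alice-secret'), (2, 'bob', 'bob-secret')");

// Stand-in for mysql_real_escape_string(): backslash-escapes quotes and a few
// control characters. Correct *inside* a quoted string literal, useless outside one.
function escape_quotes(string $s): string
{
    return addcslashes($s, "\x00\n\r\\'\"\x1a");
}

// 1. Escaped, but spliced into an unquoted numeric context: the payload
//    contains no quote, so escaping leaves it untouched and it rewrites the query.
function lookup_escaped(PDO $pdo, string $id): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . escape_quotes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Validated with intval(): whatever arrives, only an integer reaches the query.
//    (Use ctype_digit() or filter_var($id, FILTER_VALIDATE_INT) to reject instead.)
function lookup_intval(PDO $pdo, string $id): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . intval($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the value travels as a bound parameter and is never
//    part of the query text, so it cannot change the query's structure.
function lookup_prepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Attacker-controlled input, e.g. straight from $_GET['id']
$payload = '1 OR 1=1';

var_dump(lookup_escaped($pdo, $payload));
var_dump(lookup_intval($pdo, $payload));
var_dump(lookup_prepared($pdo, $payload));
```

Run it and the first lookup returns both users (the WHERE clause became id = 1 OR 1=1), the second returns only alice (intval('1 OR 1=1') is 1) and the third returns nothing, because the whole string is compared as a value against the id column rather than interpreted as SQL.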
Sphere: Related Content

Dec 22

Oh, great.
Merry X-Mas and all that. Unless you’re ThinkSecret. Or Fake Steve Jobs. See here.
And here.

Of course, there is still the possibility that it’s another hoax created by our favourite Steve Jobs.

Here are two groups of people who are not about to get any more of my money if this is all true:

Apple:
Sorry, guys, but coolness is part of your products’ appeal. If you behave like a-holes, I will simply dedicate more of my time writing drivers for Linux.
I know, this isn’t the first time Apple enters ************ mode. But, obviously, after their ThinkSecret victory, there is enough blood in the water to keep the frenzy alive for a while.

The EFF:
Oh, come on guys. Again, I have no idea whether FSJ’s posts are pure hoax or the real thing. But when in doubt, I always get on my soap box. So, here goes: it is not the first time that I see a report of the EFF getting a less-than-positive result. And claiming victory over a site’s shuttering? I’m sure that FSJ is devastated, now that you have made clear to him that freedom of speech is your thing, but only on your terms.

Merry Christmas, Happy Hanukah and Kwanzaa, or whatever else helps you live with yourselves.
Chris out.


Dec 14

I try to make this blog mostly about open-source and management. And I do not necessarily mean “open-source and management” in the same breath.
These just happen to be two topics that I live and breathe daily and, as they say: “Write about what you know”.

Anyway, today, both worlds collided and you can see the result at http://blog.mootools.net/2007/12/13/an-open-apology-to-the-authors-of-jquery-prototype-and-others
I am not going to comment on the original issue, this isn’t my goal. I simply think that it’s very instructive to read all the comments to that post. They raise some very interesting questions about management.
Was the author’s reaction “leadership?” What constitutes leadership, then? Is it knowing when to apologize? Is it sticking by your own troops?

I leave it to you to form your own opinion.


Dec 04

Kodachi v0.5.1 is out! It’s good news for developers who want to write plug-ins or if you wish to change the look and feel of the application:

  1. A demo plug-in is now included. All it does is add a new direct word to Kodachi’s vocabulary: ‘Demo’. Type it, select some action, and it will display a Growl-like notification confirming your action. A very easy starting place for budding plug-in developers.
  2. Kodachi’s user interface is now skinnable. Actually this goes a bit beyond a simple skin, as you can change its behaviour altogether. Note that when launching Kodachi, you will now see the new demo skin, called ‘Bezel’, that I created. If you are familiar with QuickSilver, this is certainly an interface you are already used to. If you wish to work with the old interface, simply disable the ‘BezelInterface’ plug-in.
  3. The installer now checks which version of .Net is installed on your PC, if any, and offers to install the correct version if necessary.

Download Kodachi 0.5.1


Dec 02

Ever used GenPass? SuperGenPass?
What do you mean, you do not know what I am talking about? Oh, you need to read on.
Of course, I am referring to SuperGenPass, developed by Chris Zarate. This wonderful bookmarklet automatically generates strong passwords for you, based on the url of the web sites you are visiting. You only need to memorize your master password and that is all.
This is a great tool on so many levels. It works for broken brains -like mine: you take all your passwords with you wherever you go since all you have to do is use the bookmarklet in any foreign browser. It is secure: no password is in fact stored anywhere.

What are the advantages of Air GenPass?

  • Well, first of all, it allows you to run the tool with web browsers that do not provide correct support for bookmarklets. Safari for Windows, I am looking at you.
  • If you are a tad paranoid, like me, but have to use browsers that are unable to store such a big bookmarklet, for instance Internet Explorer or Opera, you may not wish to use Chris Zarate’s server to run it every time you need to regenerate a password.
  • If you are at a friend’s house and they do not wish to let you install a bookmarklet in their browser, no problem: GenPass is portable and you can carry it around with you on a USB stick. Of course, one may argue that they still have to agree to install Air ;)

Explaining how this application works is a breeze, mostly because there isn’t much to explain. When you open it, you see three text fields. Enter your master password in the bottom one and click on the tiny icon to close it. The middle field is the one where you enter or paste the link of the site you are currently visiting. Since Air is a desktop application, you can alternatively grab the link’s icon in your browser’s address bar and drop it on the application. The top text field will then contain the password generated by the tool, and you can copy it to the clipboard using its own icon.

You can stop reading here and download the application directly if you are not interested in the technology behind this simple guy.

This is my first Air application. So, how hard was it?

I used the latest release of Aptana, which is very nice for creating Air applications. That is, as long as your Air applications do not rely on Flex.

application.xml contains all the information pertaining to your application. Note that this information is not used by the Air installer. It seems that the installer only looks at the certificate used to sign your application. Since the only certificates currently available can be bought from Thawte for several hundred dollars, I believe that the fact that the installer does not claim that “Chris was here!” is a reasonable trade-off.

You can edit this file manually to provide information such as application license and icons.

AIRAliases.js is the library that links the objects used by Air’s bridge.

If you are a total Air newbie, just like I was before I wrote this tiny application, you have no idea what is this bridge that I am talking about.

The first iterations of Air -formerly known as Apollo- did not come with a security model and it was potentially possible to do all sorts of nasty things with Javascript code that could simultaneously talk to the Internet and clobber your local filesystem if it felt like it.
Adobe quickly introduced their own security model, which happens to be kind of kludgey but certainly makes sure that any connection between the World and your local resources is voluntary.

unsafe.html is an HTML page that is included in a frame. This simple fact means that it has access to all your web browser resources and no access to your computer’s resources. This is the Web sandbox and it is usually used as the presentation layer.
In my case, of course, because I am a little piggy, all the presentation is done in the top frame, which happens to have access to your computer’s resources but cannot run queries to the World or execute arbitrary code through the use of eval() or the string form of setTimeout().
Joking aside, it is perfectly legit to use the top frame as presentation layer; it just makes your life harder if you use some libraries that make extensive use of eval().

GenPass.html is our top frame, just described in the previous paragraph. It contains a lot of Javascript and the definition of the iframe
container that links to unsafe.html. I have no right to be proud of this Javascript because I did not write most of it. It’s actually Chris Zarate’s supergenpass bookmarklet code, only modified just to the point where it can be included in an Air application. The rest of the code is the UI, which relies on jQuery. Because, good news, jQuery works on Air!

<iframe id="unsafe"
        src="unsafe.html"
        sandboxRoot="http://voilaweb.com/"
        documentRoot="app-resource:/"
        width="0%"
        height="0%"
        style="border: 0px; margin: 0px; padding: 0px; width: 0%; height: 0%; visibility: hidden;">
</iframe>

What’s really important here -save for the fact that I am setting all sizes to '0' because I do not want to display the frame- is the src attribute. The page that will run in the web sandbox is unsafe.html.

function notworking()
{
    // Hide the spinning-arrows gif shown while copying to the clipboard
    $('#working').css('visibility', 'hidden');
}

// Bridge: the only object the child (web sandbox) document is handed.
// Anything not put on it stays out of the child's reach.
var Exposed = {};
Exposed.notworking = notworking;

$(document).ready(function() {
    // The top frame may reach into its iframe; store the bridge there so
    // unsafe.html can call parentSandboxBridge.notworking()
    document.getElementById('unsafe').contentWindow.parentSandboxBridge = Exposed;
});

Do not blink: this is where it’s happening!
If it were not for this bit of code, we would not need our iframe. But since we wish to be able to invoke notworking() using setTimeout(), now we have to jump through hoops. Fortunately, these are simple hoops once you understand them.
First, we create an object called Exposed. We store a reference to our callback method in this object.
Then, when the DOM is ready according to jQuery, we take advantage of the fact that top frames are allowed to access the content of iframes: we store a reference to Exposed in the child document (remember that when we created our iframe, we gave it an id of ‘unsafe’? This is how we are accessing it now).

When the user clicks on the ‘Copy to Clipboard’ icon, we display an animated gif: a couple spinning arrows. We wish to display these guys for a second, then get rid of them. Of course, that’s the rub: since we are in the local sandbox, we cannot invoke setTimeout(). No problem! Let’s ask our child document, who lives in the Web sandbox, to do this for us. We are keeping, in our top document, a reference to the only method contained in the child document: localpause(). It is now time to invoke it. Let’s have a look at its content:

function localpause()
{
    // Runs in the web sandbox, where the string form of setTimeout() is allowed;
    // after one second it calls back into the parent through the bridge
    setTimeout('parentSandboxBridge.notworking()', 1000);
}

It is pretty straightforward: after a second, it will invoke the parent’s notworking() method, which will hide the animated gif (see above).

And that’s all there is to it, really.

Feel free to leave a comment if you have more questions.

I want to download it!

Oh, yes. Sure. Clicky.


Dec 02

You can now anonymously sync. to the bleeding edge version of Kodachi’s source code at svn://nextbbs.com/kodachi

If you do not feel like installing svn/compiling Kodachi but are still curious about its source code, you can browse it at http://www.nextbbs.com/trac/kodachi/

Note: if you sync. to the first check-in, you will get the version of Kodachi that is currently downloadable. If you sync. to the next one, you will get a new version with a temporary default interface. Yes, I am working on adding customizable interfaces.
