
via positiva

Rasmus is a scary man

Rasmus is explaining how someone made a JavaScript trojan horse for webmail services that is capable of compromising your home firewall and turning your computer into a zombie. By reading email. It's been closed by Yahoo Mail, but I think I just heard everyone in the room gasp and shudder.

Rasmus' summary: "What this means is that you should never, ever click on a link."

Everyone laughed, but it was a nervous laugh.

He's going on to explain the essential nature of checking user input before you display it. The Drupal community has internalized the importance of that kind of filtering for a while, but there's still a large pool of folks that aren't familiar with the 'why' behind a lot of Drupal's more restrictive output management. It's good to see a speaker instilling some serious fear around the whole "Just whip out some code that does X..." approach.

Rasmus: "We should try to build software that, when it's badly configured, fails rather than exposing important information."
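Added example (written for this page, not code from the post or from Drupal's own filter layer): a small PHP output layer that escapes untrusted text per context and throws on an unknown context, so a badly configured template fails instead of emitting raw input. The function names and the sample payload are assumptions.

```php
<?php
// Escape text placed between HTML tags or inside a quoted attribute.
function escape_html(string $untrusted): string {
    // ENT_QUOTES also escapes single quotes, which matters inside attributes;
    // naming the charset keeps multibyte sequences from slipping past.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow a link target only with a safe scheme or as a site-relative path;
// anything else becomes '#' rather than reaching the href attribute.
function safe_href(string $untrusted): string {
    $allowed = ['http', 'https', 'mailto'];
    $scheme = parse_url($untrusted, PHP_URL_SCHEME);
    if ($scheme === null) {
        // Relative path like /node/1 is fine; protocol-relative // is not.
        $is_path = $untrusted !== '' && $untrusted[0] === '/'
            && substr($untrusted, 0, 2) !== '//';
        return $is_path ? escape_html($untrusted) : '#';
    }
    return in_array(strtolower($scheme), $allowed, true)
        ? escape_html($untrusted) : '#';
}

// Render a value for a named context. An unknown context throws instead of
// falling through to raw output: misconfigured means fail, not leak.
function render(string $untrusted, string $context): string {
    switch ($context) {
        case 'html':
        case 'attr':
            return escape_html($untrusted);
        case 'href':
            return safe_href($untrusted);
        default:
            throw new InvalidArgumentException("no escaper for context '$context'");
    }
}

// Constructed sample input, the kind of thing a mail body or comment carries.
$payload = '"><img src=x onerror="alert(document.cookie)">';

echo '<p>' . render($payload, 'html') . "</p>\n";
// Vulnerable counterpart, for contrast: echo '<p>' . $payload . '</p>';
echo '<a href="' . render('javascript:alert(1)', 'href') . '">link</a>' . "\n";
echo '<a href="' . render('/node/1', 'href') . '">ok</a>' . "\n";
```

The first `echo` prints the payload with its quotes and angle brackets encoded; the second prints `href="#"`; the third keeps the relative path.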

After explaining the huge, frightening array of security holes that can be exploited, he popped up a "CMS Report Card" on all the CMS packages that are represented at the summit. Every single project had some sort of security hole. Drupal's was a bit esoteric, requiring Flash 8 and a copy of Internet Explorer.

Rasmus: "It's really hard to find a commercial CMS vendor whose site actually uses their product."

Interesting random bits: a bug in Flash 8, combined with IE, allows a Flash author to inject arbitrary content into the HTTP headers -- which doesn't seem like a problem, but the headers are often implicitly trusted, used for retrieving cookies, and even for mapping requests to virtual hosts. What does that mean? An attacker, with a malicious Flash file, can grab arbitrary cookies, jump over to other virtual hosts on the same machine, etc.

Acrobat also has similar holes -- I didn't realize that Yahoo had ripped out PDFs from their site entirely in order to avoid that security hole.

Rasmus: "When I'm surfing around to find hackable sites, I love to find hand-rolled CMS systems. I know I can hack them in a heartbeat. If I see a site is running on Drupal, or Joomla!, or another CMS? I know there may be a hole, but as soon as they fix that hole, everyone using them is safe."

The lesson? Don't write your own CMS. You have better things to do with your life.

I like your blogging thanks

Stuck far from oscms with my eyes taking on that drupal_after_16_hrs_non_stop blur I really appreciate your posts, thanks!

security

Okay, I hope you can boil down this post for me, in mom/layman terms, what this means to me or others I would know. It sounds interesting. Would this be info I should share with the guy who oversees the stuff at LW? I think they're using open source, or they used to. I'll have to check. Some company did their site.

And pics are great! Thanks for sharing : )

What sucks is that he has to

What sucks is that he has to fucking say that so ppl and Drupal developers pay attention. The truth is that the reality is much worse than you can imagine.

