Eats smaller websites for breakfast.

October 26, 2008

Why computer security scares me

Filed under: misc, security — Dave @ 6:39 pm

Disclaimer: Any of the security articles on this site, no matter how juicy the titles, are about white-hat work. If anyone learns anything useful for attacking servers from me, it’s because they are really, really bad at googling.

I’m not a paranoid person; I rarely lock my doors. Even with computers, many of my passwords are “password”, and I believe in backups, not preventative security, for 90% of my personal files. Still, I’m passionate about *being able* to secure systems.

Computer security is hard. It’s hard enough to write software that works 100% of the time for users who desperately want it to work; malicious users are another kettle of fish. It’s far too easy to just claim to be “concerned” about security, and then do nothing but hope for the best.

The attackers are machines. Back in college I had a machine exposed to the internet for a few days and it was turned into an FTP server for pirated movies in under a week. There was nothing special about my machine, the pirates were likely just constantly cycling through IP addresses looking for an unprotected machine. The idea that there are evil machines on the internet who spend 24 hours a day trying exploits against every server they can find is 2 parts scary and 3 parts science-fiction-style-creepy.

Long odds aren’t a defense. Every so often, I’ll figure out an attack that’ll require an annoyingly specific set of circumstances. It really takes the thunder out of it to explain that if you were running IE6 on Windows 98 on Tuesday in the rain, I could totally sniff your passwords. It’s tempting to think that if only one in a thousand machines is vulnerable to an attack, no-one will bother. Just like how the low response rate to spam emails means that no-one bothers sending them.

Anti-virus software

Filed under: misc, security — Dave @ 6:37 pm

I’m often asked what anti-virus software I use. It’s always hard to answer the question; I really have a two-part system:

  • Good backups — so the worst that can happen is I have to re-build a computer.
  • A complete list of every virus that I’ve ever caught and why it’ll never happen again. I occasionally check my Windows machines with anti-virus programs (I like ClamWin) to verify, but generally you know when you have a virus the same way you know if there’s sugar in the gas tank. For anyone keeping score:
    • I had to share files regularly with a computer in China, and every time I plugged my USB drive in, the computer used to copy over a viral EXE, and once I hit enter instead of delete.
    • In university I foolishly connected an unprotected Win98 system directly to the internet and it was taken over by a warez group (not quite a virus, but similar enough).
    • I actually got the Michelangelo virus back in the late twentieth century.

I don’t think I’m all that unique; the last “is it a virus” I was asked to take a look at was just a really bad HP printer driver. I may be unique in having spent more time dealing with problems caused by Norton antivirus than viruses, but I still suspect that if you practice safe computing, the threat from viruses is overstated.

At least compared to backing up.

February 26, 2008

Lovely Bookmarklet for Arbitrary Code

Filed under: programming, javascript, security — Dave @ 2:19 am

I think there’s a script injection vulnerability with a site I use, and I’m itching to find a proof-of-concept attack. I haven’t had the time, or the chutzpah, to pick at it yet, but I did disable their client side verification. I don’t know why it just occurred to me today to make a “Run arbitrary code in the context of the page” bookmarklet.

To use it, drag this: Run Code onto your links toolbar. All the code is:
javascript:(function(){eval(prompt('Run this code on this page:'))})()

  1. Standard javascript: protocol, with the code wrapped in a function so that no return value is handed back for the browser to treat as a new page
  2. Ask for a string
  3. Eval the string

If there’s a client-side script CleanBadCharacters(s), you can run “CleanBadCharacters=function(s){return s}” (without the quotes); you’ll need to do a little reading to find the exact validation.

Update: Not an hour after I added that hammer (metaphorically), everything’s looking like a nail. Eval-ing “document.body.style.color='white' ” is useful if someone thinks grey on gray is an acceptable colour scheme.
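
The lesson behind the CleanBadCharacters override above, as an added example that is not code from the original post: a filter that runs in the visitor's browser can be replaced by the visitor, so the server has to validate and encode on its own. Apart from CleanBadCharacters every name is hypothetical, the sample input is constructed, and the page's global scope is modelled as a plain object so the block runs under Node.

```javascript
// Added example. Only CleanBadCharacters comes from the post; other names are hypothetical.

// Stand-in for the page's global scope (window), so the block runs under Node.
function makePage() {
  const page = {
    // Client-side filter as a site might ship it: strips HTML metacharacters.
    CleanBadCharacters: (s) => s.replace(/[<>"'&]/g, ""),
    // The form's submit handler sends whatever the *current* filter returns.
    submit: (comment) => ({ comment: page.CleanBadCharacters(comment) }),
  };
  return page;
}

// Server that assumes the browser already cleaned the input.
function renderTrusting(body) {
  return "<p>" + body.comment + "</p>";
}

// Server-side output encoding: a control the visitor cannot overwrite.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Server that validates type and length (500 is an arbitrary example limit),
// then encodes, whatever the client did or did not do.
function renderHardened(body) {
  if (typeof body.comment !== "string" || body.comment.length > 500) {
    throw new RangeError("comment rejected");
  }
  return "<p>" + encodeHtml(body.comment) + "</p>";
}

const SAMPLE = "<script>alert(1)</script>"; // constructed sample input

function demo() {
  const page = makePage();
  const filtered = page.submit(SAMPLE); // filter intact
  page.CleanBadCharacters = function (s) { return s; }; // the override from the post
  const unfiltered = page.submit(SAMPLE); // filter replaced in the visitor's browser
  return {
    filtered: renderTrusting(filtered),   // "<p>scriptalert(1)/script</p>"
    trusting: renderTrusting(unfiltered), // markup reaches the page unchanged
    hardened: renderHardened(unfiltered), // markup arrives as inert text
  };
}

console.log(demo());
```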