   
Dan Jones's Blog
Cuil - not impressed

By Dan Jones in Reader

Posted in Search, Cuil, Google, Internet on July 29, 2008 at 11:44 am


After day one of Cuil, I’m not super impressed

For half of the UK day the site was down due to lack of capacity… guys, if you want to beat Google you need to let us actually search… after all, the primary reason people use Google is that its search is quick, pretty accurate… and seemingly always available.

Cuil, however, well, not so good on day one.


 
Eve Online - My new addiction

By Dan Jones in Reader

Posted in Gaming on July 22, 2008 at 4:07 pm


Recently (well, 9 months ago) I started playing Eve Online, and played for 3-4 months.


 
Day 4 of me.com/iPhone, my mini-review

By Dan Jones in Reader

Posted in iPhone, Apple on July 17, 2008 at 11:27 am


I’ve had my iPhone since day 2, integrated with both me.com for bookmarks, contacts, email and calendar, as well as with my work calendar via a test ActiveSync server at work.

I must admit the fact that the iPhone can connect to two “push” services at once is mighty handy - and the fact that in the calendar’s combined view you can clearly see which appointments are work and which are personal… etc.


 
iPhone launch - 1st day customers left in cold

By Dan Jones in Reader

Posted in iPhone, Apple on July 11, 2008 at 10:07 am


I just want to say that from my experience the linked Register article has it spot on about the day 1 iPhone launch here in Ipswich via the O2 store.


 
So it’s iPhone 3G -1 day, MobileMe -1

By Dan Jones in Reader

Posted in Hardware, iPhone, Apple on July 10, 2008 at 12:07 pm


I’ve decided: I’m getting one (as mentioned in my last blog post).

What swung the decision for me is the fact that you can get 16Gb of storage on a phone for MP3s - with the size of my collection this will allow a decent amount of music for all occasions, plus room for some movies and applications.

Note that in the past I was critical of the iPhone (even, I believe, on this blog 18 months ago), but the 3 crucial things lacking then have been fixed:

  1. GPS
  2. 3G/HSDPA!
  3. 3rd party Applications

With these fixed I can’t resist getting one. Super Monkey Ball looks great - and I’m excited about the possibility of GPS. The only things I can really fault are the camera and the lack of a user-replaceable battery. I had tried the touch interface on the old iPhone and, although I think it’ll take some getting used to, I think I’ll grow to like it. Also the excellent Cloud/BT Openzone roaming deal should be commented on, as it should greatly increase data speeds in a lot of places I visit (Liverpool Street/City area for one). This doesn’t change my overall perception that Wi-Fi will be supplanted by 3G cards where it is overpriced - coffee shops being a prime example.

I think the critical thing for Apple in terms of revenue generation on the iPhone will be MobileMe, as this will allow full sync from PC to Mac to iPhone for a very reasonable sum (in fact for less than I pay now for less email storage on another host…). If Apple get this right then it certainly will make me switch email hosts… can’t wait for the upcoming trial. I have 2 PCs and 2 laptops at home now - one is a work laptop admittedly, so let’s exclude that - however email sync is always painful between the 3. I use IMAP currently… but I have no calendar/contacts sync, which this will fix at long last. This is a longstanding gripe of mine - Exchange for the masses is finally here, I hope!

Now I just need to prepare for the small queue (I do live in a small part of Suffolk, so I’m not expecting a huge queue). I just hope they do have a 16Gb in store if I join the queue at 7:45am… if not I’ll just wait a few days/weeks until they do have stock. I’m not queuing at the crack of dawn - this isn’t that important to me!

Are you queuing?


 
Apple & Data Admin - Do they have process issues?

By Dan Jones in Reader

Posted in Apple on July 8, 2008 at 11:52 am


According to the link below, Apple have reset a user’s password on the basis of a one-line email (in quite poor English), which is recorded in the chap’s own email file!

To quote the email in full: “am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com”

This really is quite awful because, as the chap points out, the mail address of the guy in question is nothing like his own.


 
Web Application Security

By Dan Jones in Reader

Posted in Web, Security on July 3, 2008 at 10:31 am


Part of my current role (in fact the main piece now) is Web Application Security Testing, which means I get paid to hack around with corporate and non-corporate web apps (i.e. apps we buy vs apps we build).

Web application bugs, although currently regarded by some as not serious, are gathering momentum and becoming more common - only recently a lot of websites were compromised by Chinese hackers using SQL injection. XSS in particular can also be used to great effect, in just one example of many, to send a session cookie off-site to hacker base - thus giving them access to the logged-in user’s data.

Over the past year I’ve tested around 40 apps in total, some complex, some simple. Major security defects have been found in all apart from one application during this time.
The fact is, regardless of the language a web application is written in, in my findings it is typically vulnerable to one of the 3 below.

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Privilege Escalation

The above is not a full list, but it’s the basics, and believe it or not, even in 2008 SQL injection is still the most common flaw we find! For a better view of what you should be doing to stop this, OWASP is a good website to start with.

Of these bugs, SQL injection and cross-site scripting are usually the easier to spot, and also to get developers to fix - and it is surprisingly easy to fix these first two by not trusting user input: filtering it before it hits the database in the case of SQL injection, and when it is formatted back to users in the case of XSS (preferably both). There are good tools to test both in a semi-automated way, in the form of a Firefox extension here - we use this together with commercial tools, and with manual testing (typically for SQL injection) with database traces running. Manual testing is far easier if you can see the queries being executed on the database (though obviously you can’t do this in a black-box test where you have no access to the remote database).
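To make the "don't trust user input" point concrete, here is an added example (my own illustration, not code from the post or from any app it describes) showing the classic defect beside the fix for both bugs: a SQL query built by string concatenation next to a parameterised one, and a page fragment built by concatenation next to one that HTML-encodes on output. The in-memory SQLite database, table and rows are constructed here purely for the demonstration.

```python
import html
import sqlite3


def build_db():
    """Constructed sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("O'Brien", "obrien@example.invalid"),
        ],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The 'before' form: user input is spliced straight into the SQL text,
    so the database parses whatever the user typed as part of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    """The fix: a parameterised query. The value travels separately from the
    SQL text and is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def vulnerable_query_errors(conn, name):
    """True if the concatenated query fails to even parse for this input
    (a legitimate surname with an apostrophe is enough to break it)."""
    try:
        find_user_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def render_greeting_vulnerable(name):
    """The 'before' form for XSS: untrusted text is written into the page as-is."""
    return "<p>Hello " + name + "</p>"


def render_greeting_fixed(name):
    """The fix: encode at the point of output so markup in the input is shown
    as text rather than interpreted by the browser."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    print("fixed lookup of O'Brien:", find_user_fixed(db, "O'Brien"))
    print("naive lookup of O'Brien breaks:", vulnerable_query_errors(db, "O'Brien"))
    print("naive lookup with a quote-closing input returns all rows:",
          len(find_user_vulnerable(db, "x' OR '1'='1")))
    print("fixed lookup with the same input returns:", find_user_fixed(db, "x' OR '1'='1"))
    print(render_greeting_fixed("<script>alert(1)</script>"))
```

The apostrophe case is the one to show developers first: the naive query fails on an ordinary name before any attacker is involved, which makes the parameterised form an easy sell on correctness grounds alone. The output encoding belongs in the template layer, applied to every untrusted value at the point it is written into the page, not scattered through the code that reads the input.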

Privilege escalation, however, can be more tricky to both test for and find, in my experience at least. It’s almost always a manual test - as the commercial and free tools do not do as good a job at finding this as they do the XSS/SQL bugs. In my testing I have found that some developers still seem to think that simply hiding menus from a less privileged user is a way to secure their application (though thankfully this is a minority!).

One application I tested recently did at least get this right, but used a very predictable base64 encoding to hash message IDs within the messaging in the app (where critical data was being passed over this). They wrongly assumed the algorithm they devised was strong enough to protect themselves… as it didn’t look predictable to the developers (who had no experience of that kind of work). The problem was they had neglected to do a check when the page was loaded as to whether the user had rights to read that message. That simple fix was enough to secure the app…
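The fix the two paragraphs above describe is an object-level authorisation check on every load, regardless of how the reference was obscured. The following is an added example of my own (not the application from the post, whose code is not shown) that models that situation: message references are base64-wrapped numeric IDs, the 'before' handler trusts the reference alone, and the 'after' handler checks ownership server-side. The mailbox contents and user names are constructed for the demonstration.

```python
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str
    body: str


# Constructed sample mailbox (not from the original post).
MESSAGES = {
    1: Message(1, "alice", "Quarterly figures attached"),
    2: Message(2, "bob", "Lunch on Friday?"),
}


def encode_ref(msg_id):
    """Wrap the numeric ID the way the app in the post did. base64 is an
    encoding, not a hash or a secret: anyone can reverse it and step to
    the neighbouring IDs, so it must not be relied on for access control."""
    return base64.urlsafe_b64encode(str(msg_id).encode()).decode()


def decode_ref(ref):
    """Reverse encode_ref. Raises ValueError on malformed input."""
    return int(base64.urlsafe_b64decode(ref.encode()).decode())


def read_message_vulnerable(current_user, ref):
    """'Before': the handler looks the message up by reference only. Hiding
    the link in the UI changes nothing, because the check never happens."""
    return MESSAGES[decode_ref(ref)]


def read_message_fixed(current_user, ref):
    """'After': the page load verifies that the logged-in user owns the
    message. 'Missing' and 'not yours' give the same answer so that the
    response does not reveal which IDs exist."""
    try:
        msg = MESSAGES.get(decode_ref(ref))
    except ValueError:
        msg = None
    if msg is None or msg.owner != current_user:
        raise PermissionError("message not found or not accessible")
    return msg


def can_read(current_user, ref):
    """Boolean form of the same check, convenient for tests and menu building.
    The menu may use it, but the handler above must enforce it regardless."""
    try:
        read_message_fixed(current_user, ref)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    ref = encode_ref(1)
    print("reference for message 1:", ref)
    print("vulnerable handler, bob reading alice's message:",
          read_message_vulnerable("bob", ref).body)
    print("fixed handler, bob reading alice's message:", can_read("bob", ref))
    print("fixed handler, alice reading her own message:", can_read("alice", ref))
```

The ownership check is the whole fix; making the reference harder to guess (a random token instead of base64 of a counter) would only raise the cost of finding a valid reference, and a reference that leaks in a log or a shared link would still be readable by whoever holds it. The test for this class of bug is correspondingly simple for a reviewer: take a reference issued to one account, present it from another, and confirm the server refuses.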

Where I work at least, we are finally integrating web security at the project design and initial build stages - so security is finally being taken seriously from day one (this is reducing the critical bugs found at testing). Is this happening elsewhere?

Overall, though, is it not time for web developers to take security more seriously? My hit rate on serious defects shows that in some cases it’s the last thing on their mind when developing - and those that do make an effort sometimes miss the mark, leading to a nasty bug.

For information, the tools I use daily are: IBM AppScan, Paros, Burp, XSS/SQL-Inject, although these are not the only ones - I have a list that fills my screen of various proxies, header modifiers, request modifiers, encryption tools, etc.


 
DSLRs + Concerts

By Dan Jones in Reader

Posted in Uncategorized on July 2, 2008 at 2:33 pm


This is in reply to the recent excellent blog post from Matthew Sparkes at PC Pro.

I too own a big camera (Nikon D80) + some long lenses (well, a stabilised 18-200mm + a 70-300mm depending on the occasion, + some fast smaller fixed lenses - the 200-400 is sadly just a dream).

Not that I’m a pap or a professional photographer, I just enjoy photography.


 