Wednesday, April 11, 2007

Hard Had Area

Civilisation is truly in decline.

Because he boinked some fat blonde a few times there's a photographer who now has a kid and half a billion dollars or so, proof to the porn industry that you don't have to pull out for the money shot. Had he just shot his load all over her not-inconsequential ass, we might actually hear some real news, like, say, the subpoena duces tecum Congress sent the US Department of Justice for documents on the Attorneys General firings. Or not. Blind pilots? What's next, iPods for the deaf?

It's no better here. "Check out Feature XXX! Feast your eyes on Feature YYY!! Set your very own colour scheme!!!" And what about the big, gaping CSS security hole? "Pay no attention to that monkey in the corner. We're feature-rich! We're innovating!"

We're a bunch of fuckwits.
Hey $MegaCorp! Did you notice that it's easy to take the client URL and hijack a session with CSS? I can just append any old URL and the browser will be redirected! We need a solution!
Yeah, we need one, too. This one's been documented a dozen times. There are a few things to consider though:
  1. It can't be exploited if you're using cookies
  2. There's no reason not to use HTTPS in any sensitive environment
  3. Since the URL is coming from within the trusted system, there's not much threat
  4. What little threat exists is the same as any other sort of hack against your server

We don't want to use cookies because they might be dangerous. We're also not sure about setting up HTTPS so we don't want to do that. And it must be a huge problem if the user can just go to the URL and then append the site he wants to go to and get there! This might allow users to get around our firewall! You need to come up with a solution.

Yeah, well I don't want to wear pants at home but when I'm cooking chicken-fried steak, I prefer the Levi's to hot spattering oil hitting Mr Happy. If you want your highly-sensitive information available on-line, you need more than just that firewall you really only installed to prevent your employees spending their working hours on GooTube and i-am-bored.com.

Setting up HTTPS on IIS is fucking point-and-click. If your "admin" is so incompetent that he can't set up SSL on fucking IIS, fire the fuckwit and hire a high school student. All it takes is a click, a right click, a click, a check that the port is 443, three more clicks, selecting a checkbox, then two more clicks. A drunk macaque could enable SSL within a day.

Official Root cause: 1-Defect.
True Root cause: 17-Fuckwit.
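What the customer is describing is a redirect parameter that accepts any URL the user appends, and point 1 above is about where the session ID travels. As an added example (not code from the post or from $MegaCorp's product), assuming a hypothetical `next` parameter for the redirect target and hypothetical session parameter names, here is the server-side check a defender would want: the redirect target is reduced to a same-site path or refused, and a session ID found in the query string is flagged.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Hypothetical parameter names; the product's real ones are not given in the post.
REDIRECT_PARAM = "next"
SESSION_PARAMS = ("sessionid", "jsessionid", "sid")


def safe_redirect_target(raw: Optional[str], site_host: str) -> Optional[str]:
    """Reduce a user-supplied redirect target to a same-site path, or None.

    Rejects other origins in every form browsers accept: absolute URLs to
    another host, scheme-relative '//host', runs of slashes ('///host'),
    backslash variants, and non-http(s) schemes.  The result is always a
    relative path, so the browser keeps the site's own scheme and host.
    """
    if not raw:
        return None
    candidate = raw.strip().replace("\\", "/")
    if candidate.startswith("//"):
        return None  # '//host', '///host', '/\\host' all resolve off-site
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None
    if parts.scheme and not parts.netloc:
        return None  # 'http:host' or 'http:///host' style
    if parts.netloc and parts.netloc.lower() != site_host.lower():
        return None
    path = parts.path or "/"
    if not path.startswith("/"):
        path = "/" + path
    return urlunsplit(("", "", path, parts.query, ""))


def session_token_in_url(url: str) -> bool:
    """True when the session identifier rides in the query string instead of
    a cookie: it then lands in server logs, Referer headers and browser
    history, which is exactly where a cookie-borne ID would not."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(name.lower() in SESSION_PARAMS for name in query)
```

Inputs in the check below are constructed; `intranet.example` stands in for the site's own host.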
x-posted from HuSi, where there's a poll.


In compliance with $MegaCorp's general policies as well as my desire to
continue living under a roof and not the sky or a bus shelter, I add this:

DISCLAIMER:
The views expressed on this blog are my own and
do not necessarily reflect the views of $MegaCorp, even if every
single one of my cow-orkers who has discovered this blog agrees with me
and would also like to see the implementation of Root Cause: 17-Fuckwit.