Illan: [...snip...] Link to google comic strip [...snip...] I found it interesting because just by looking at Google Chrome the underlying differences are not always evident.  Although its adoption will be based on UI innovations (and there are some nice ones), these are not the main advances – mostly its in the security and stability, as well as being designed for richer applications.  Which makes me think it could perhaps become a good choice for corporate internal web applications[..snip..]

It was an early morning for me and I hadn’t entirely woken up so I was probably a bit cranky still, but I responded with the following (reply all, cc’d to the company of course):

Tom: Propaganda!

Security and stability were certainly not part of their release prerequisites and clearly a backburner issue for google, a number of vulnerabilities were discovered within the first week of launch – most of them related to google’s evil concoction of old and unpatched open-source components. Can you believe they didn’t bother to upgrade their components, but released with old garbage.

We can’t dismiss chrome completely however, it is just a beta version and google “probably” is interested in protecting their users and will patch – just don’t expect to get a hardened browser out the box, or within the first 2 years at least. Firefox (with security extensions installed such as NoScript and Ad-Block Plus) is the only trusted browser in terms of security scrutiny, and they have the battle scars to prove it. It baffles me why google decided to reinvent – and it makes me nervous. They already track a massive percentage of users through their 2037 expiring cookies, gmail and google-analytics (to name a few) – but every security professional knows to really “own” (or pwn) the internet you need to be the man-in-the-browser.

Ok now I’m ranting – but I wouldn’t touch chrome with a 10 foot pole.

I have to admit that I hadn’t really bothered to look at Chrome except for the list of published vulns that had been released. I hadn’t even read the stupid comic, so was probably a bit unprepared to make that statement.

Illan’s response was taking up the google-is-cool-cause-it-appeals-to-geeks view, and I appreciate he didn’t burn me down to the ground (I think he thinks I know more about security and ethics than I really do so handled me lightly):

Illan: Erk, I had better not get into a security debate with you – but I have to answer one point:

“It baffles me why google decided to reinvent –“…

It baffled me too, and of course one could take the hackneyed view and assume they are trying to take over the world. But that would be evil.
Obviously to enter into this fray you’d need to be super duper quantum advanced, and Chrome clearly isn’t that.  That’s why I thought the propaganda (of course it is that) I forwarded was interesting – it explains why they bothered.  The changes are under the hood, geeky type things that are never going to get it accepted by the general populace.  And yes, they certainly stuffed up using old bits of code and will have as much (actually more because they borrow from two different browser families) of time as anyone keeping their browser up to date from the point of view of exploits and flaws.

But did you read the thing [he means the comic strip -tom]? Don’t you think separate processes, with more sandboxing, is cool?. A compiled Javascript and being built from scratch to work as an application container? And you can’t argue with their testing capabilities – of course there are bugs, but If anyone is positioned to find and fix them quickly its them (of course if we don’t see them doing this then its game over since they have touted their own ability to do so).  As for the user interface I do enjoy the minimalism and the googlesearchism but its not the main point. And it does seem fast.

As for secret agendas, its open source.  But I do agree that they have a hell of hill to climb with Mozilla. But perhaps its not so much that they are trying to compete as they are trying to get the others out there to improve – because they want everyone to have browsers that can run the kind of apps they want to write.

So to paraphrase:

1. Google is not evil
2. They screwed up, but they will fix all the problems
3. Technically Chrome is nicely architected and it’s fast
4. Chrome is not evil because it’s open source and their intension is to play nicely with the competing browsers in the market (more competition will up the level of all browsers)

So there was some back and forth about the process-per-tab nonsense plus the amazing performance experiences, thanks to Dom for giving me some ammo from his Chrome war with Yusuf (see comments):

Tom: In terms of the separate tab-per-process idea – yes it’s great, and it does minimize the risk of browser bugs to some extent – but doesn’t get us anywhere nearer to solving the real big internet security issues of XSS, CSRF, and SQL injection. Some would argue that these can’t be solved by the browser, but even the granular way that chrome handles cookies shows the browser has a long way to come to start tackling these security problems.

The process separation means that attackers won’t be targeting the tab process because it doesn’t provide much, but will rather go after the parent layer. The browser crash discussed at http://www.networkworld.com/news/2008/090308-early-security-issues-tarnish-googles.html?page=1 is already an example of the entire browser crashing meaning that it is possible to break out of the tab process into the parent process. But sure they will fix this and we’ll be safe for another week or two. Also, I have no doubt that chrome plans to support community plug-ins (right? They can’t expect to compete with Firefox without them.) – where will these plug-ins run? Inside each tab process, or within the parent process (and how will they communicate between each process) – my point is that yes it’s definitely a step in the right direction, but there are lots of very complex problems to solve if they plan to make the architecture usable, and complexity breeds vulnerabilities.

As for performance – I don’t think we can really compare chrome’s performance with any fully featured browser yet. A buddy of mine [that's you Dom -ed] pointed out that he could get just as snappy a browser if he docked the Mozilla Gecko engine into a gtk widget and called it a browser.

Then we moved onto some philosophical stuff around browser 2.0 (if no-one else has already, I coined this!):

Illan: The bugs and vulnerabilities don’t bother me , its whether it is inherently potentially better designed… I don’t expect it to be perfect out of the box.

Bottom line: If the browser world can benefit from a bottom –up redesign, then Chrome may be a good start, and if (a big if) it is adopted by open source community then no reason it couldn’t piggy back on Mozilla and do some things Mozilla can’t without a redesign.  I mean, who was going to try redesigning anything, at least Google has given it a shot.

Good point about the speed though.

If you had to redesign the web for better security, what would you do?

So what we need is a browser re-design, and if not what is the alternative - my response:

Tom: I don’t agree that chrome is a re-design at all – sure they have done some nifty process separation, but I wouldn’t call it “browser 2.0″ [COINED! You just experienced a historic moment on the Internet -tom] just yet. The UI enhancements do look pretty, but that’s really all it is – and it all looks a bit dumbed down. Maybe I would install it for my parents to use – but they are notorious for getting fooled into clicking malicious adverts and the such so I’ll stick with firefox with NoScript for them in the meantime.

If I had to redesign the web for better security I wouldn’t go to google for ideas – their entire business revolves around profiling their users for targeted advertising. I don’t have an issue with that as its the price of good web tools, but to give them a chunk of my desktop too feels a bit big-brother. Google is more and more becoming very invasive and I don’t agree that their intensions with Chrome are to “give it a shot building a browser” – I think they really aim to own the browser market and the unfortunate thing is that they probably are in a position to be successful at it. And maybe they will improve our lives somehow in the process, but at what cost.

If google were concerned with our privacy they would have given us encrypted mail in gmail – not because the technology doesn’t exist, but because it doesn’t help their business. It all sounds like a conspiracy theory but don’t think google won’t hand out your data if pushed – Yahoo was strong-armed into handing over search data to the Chinese government resulting in real people being detained. And even if you don’t feel that no dirt would be found on you – an attacker with your credentials suddenly has your life in his hands. The lines between our digital and physical identities suddenly become scary blurred. [Dom thanks for the ammo here again :) - ed]

Illan ended off with a:

Illan: Ya, Google would hand over my data, they most certainly are not concerned with maximising privacy. I agree that we are putting a lot into Google’s hands. It is getting big brotherish and  I don’t like to think about it – which is probably what most people do. I could of course disengage from using their tools – just. In a  year or two maybe I will be just too entrenched.

But I am not at all convinced they are trying to own the browser market (not that they’d object but can they really expect to) and what good would it do them with an open source product.  I can’t see how they could expect to take over the browser world with a slight improvement. As someone once said, to change the world you have to be not 20% better than the rest, not 100%, but 1000% better. (Paraphrasing desperately).  Surely Google isn’t so naïve as to think they could manage it with this incremental attempt at improvement.  They can’t believe that just because its Google it will dominate. It’s the browser wars for goodness sake,  even Netscape couldn’t win them.  Look at Google Talk for example – its certainly no Skype-usurper,  its not even better than Skype – although I have to admit its nice that its there for free with anyone who has gmail (and who would normally not bother with an IM).[...snip...]

So what would browser 2.0 be? I certainly think we could do with an “secure application runtime environment” – oops wasn’t that Java Applets? But mediated  by a text-based descriptive language  - oops wasn’t’ that Mozilla’s XUL or whatever it is called?  Maybe browser 2.0 is Flash? Oh no its Silverlight.  What happened to Silverlight  by the way.

Then he went home and I went to get some lunch. A good morning :) I still haven’t installed Chrome and I don’t plan to, which is unusual for the early-adopter symdrome I suffer from. 6 months ago I probably would have backed Google here - but something just smells fishy. Maybe I’m paranoid, but damn it really bothers me whenever I click that “History” link on the Google search page.

I especially enjoy the closeup snap of a notebook above containing meeting minutes, one hell of a dancing pig this photosynth thing!

Update: Found an article about a hacker who was busted after investigators found photographs posted of his cat on his laptop - they managed to zoom into the laptop screen, obtaining a lead as to his identity.

Good news is that my TimeWarner RoadRunner Cable service was patched only about 4 days ago. Check your status by going to doxpara.com and clicking the “Check My DNS” button.

I previously used ZiPhone to unlock my 1.1.4 phone, which worked great - but doesn’t look like the famous Mr Zibri will be releasing a ZiPhone 2.0 - looks like he’s a bit of a sulker! A recent iphone dev team rant lands a couple of massive blows, look forward to the cryptic response!

My prediction is things are gonna get nasty! Looking forward to the next episode?

So anyways, I think it’s time I did the upgrade - I’m busy getting all the pieces of the puzzle together, I’ll keep you updated :)

I’ve become thoroughly addicted to online shopping, especially ebay, I *WILL* find a bargain soon and it will all pay off - but in the meantime I have to continue hunting :) Got the bug after ordering a new 22″ LCD and Linksys-54g router for my study (read: desk in the kitchen) - looking forward to getting a real work environment in place. Also my internet connection is rediculous - I have the TimeWarner RoadRunner cable, and it’s really not that fast on paper, but hell it feels like a LAN, 13ms ping to almost everywhere might have something to do with it!

I’ve been keeping myself busy with writing a SQL Injection framework, well thats the idea, at the moment it’s a bunch of nasty looking python scripts but i’m slowly pulling some structure together and should have something to show y’all soon. Been testing against a couple of vulnerable ZA sites (makes me feel closer to home I suppose) as I don’t have my lab infrastructure ready here yet, promise not to break anything! ;)

While there I plan to take tons of pictures, even bought an awesome new camera bag (bought it here, and got a whopper discount) which can take my laptop plus camera and all related gear easily, it’s quite big but hell isn’t the rest of America? Also plan on touring around as much as possible, especially want to get some time on a snowboard :) Plus I am definitely coming back with my CISSP - I need something to keep me busy.

Frantically packing the house up - will post when we arrive, can’t wait to experience this awesomely fast internet I keep hearing about…

My good mate Colin from The Times has asked me to write a quick review of an xbox360 steering wheel for their newly acquired gadget reviewing site nudjit (it’s a pretty good site, certainly something worth keeping your eye, or rss aggregator firmly fixed on).

Check out the review here.

Also some new pics posted from an 80’s party a few weekends ago. I dressed as Gene Simmons from the band KISS (the one with the tongue) - it was a blast!

Quite a brave move, and it seems like google must have done some heavy work removing all the dangerous module from their python environment, so I went digging around executing arbitrary code to see what I could find:

• “os” module is available to import, nothing incredibly exciting - except a little information leakage about our current directory. os.getcwd() returned me /base/data/home/apps/evox/1.4 (my app is called evox, and I have submitted my code 4 times at this point)
• Next was, can I make an outgoing connection (think botnet, ddos) - but alas the socket module, although importable, doesn’t have any ability to create a new socket. And thus trying to use anything else such as urllib or urllib2 results in wierd and wonderful errors, no doubt due to socket.
• Unwinding of exceptions also results in very normal stacktraces - doesn’t look like they have an intermediate layer - so very likely they have merely stripped out the unwanted modules from the standard library.
• Other interesting details:
  • sys.platform -> linux2
  • CPython version -> version 2.5.2 (r252:60911, Apr 15 2008, 20:27:56) [GCC 4.1.0]

I plan to tinker some more - will publish what I find!

I’ve also quit smoking - 1 whole week now and going quite strong (weekends are hell tho).

On an awesome note, a recently reacquainted friend Dom has a killer security blog here, check out his most recent discussion about WabiSabiLabi, plus comments by Roberto Preatoni himself.