Everything, Everything

I've never been a fan of Oracle, but recently a number of projects have distanced themselves - where possible - from their evil overlords. In some cases, such as OpenOffice, this is relatively easy (although they've currently lost the OO name, and have gone for the less easy to pronounce title of LibreOffice); in others, such as OpenSolaris, it could be a bit trickier (I think this is down to starting life as closed source Solaris). Now it seems that Java is having serious issues with Oracle. I don't mind Java (I've written several applications in it over the last decade - most without GUIs though), but this might speed up its demise.

I'm not going to name names, but during an ASV scan of very a large retailer back in February I (well, one of the automated tools we use) detected some HTML injection and Cross-Site Scripting (XSS) vulnerabilities. I even created an impressive Proof of Concept (PoC) that presented a fake login page where the victim could enter their valid username and password (which was submitted to Google as a search query, but could have gone to another server that stored the submitted values, and perhaps redirected the user to the real login page). Because it was all hosted on their domain name, many users could potentially fall for this (the domain name is displayed in black text in IE8, for example).

You'd think, several months later, that I wouldn't detect these issues. They would have fixed them, right? After all, they want to be PCI compliant, right? Right?

The issues from February are still there. Due to improvements in the tools over the last few months, the main automated web application scanner appears to have detected some new issues too (although perhaps they were added by the developers to the vulnerable website between now and then?).

This is a very large retailer with millions of customers. I've bought stuff from them in the past, you've probably bought stuff from them in the past (and you probably will buy things from them for Christmas). I can't believe they're not taking this more seriously. I have to wonder how many other vulnerabilities are present in the application that automated scanning hasn't uncovered (well it is only an ASV scan we're running for them right now).

I sometimes think to myself "better the devil you know" (such as the cash machine I inspected a few years back, which ran everything as Administrator, but was otherwise quite secure); but sometimes you end up thinking "ignorance is bliss" and very occasionally "I'm not buying from their website ever again".

I haven't logged in recently, but according to an article on The Register today it seems that Microsoft have changed the number of product keys you can get through TechNet in an attempt to battle piracy. I must admit that I was surprised by how many keys I could use when I first got my subscription a few years ago, as the subscription is per person and I don't typically havethat many machines/applications that I need to activate at the same time (half the time I build a virtual machine and delete it before it even starts to nag about activation). I'd prefer to have more keys (and a second home, a smaller and faster car like a BMW Z4, all my favourite TV shows and movies on BluRay... you get the picture), but I'm certainly not going to lose any sleep over it.

Then I read the comments and was surprised to see so many people complaining. Many of them seem to be talking about ditching TechNet (without explaining how they'll evaluate software in the future). Some are probably abusing the license agreement (anyone that talks about moving to Linux because of this decision is quite possibly using it for personal use rather than evaluation purposes). TechNet is essentially for evaluation use only. MSDN is essentially for testing purposes only. If you want to use it for personal use then buy your own full copy (OEM or retail, I don't mind). Or f**k off to Linux and shut the f**k up.

PS I don't mind Linux; but I prefer Windows.

I haven't been posting anything on here recently because I've been too busy with things like a (brief) holiday and (lots of) work. Plus I can't think of anything interesting to say right now. Sorry. Will do better in my next post!