Guess what, this isn't a post about the recent Rogue CA presentation... just something I came across that frustrated me.
I recently went to check out adsense to see if it's ever actually made me any money. Being Canadian and using google.ca hourly (since google.com forces me to google.ca I might as well type it myself), I typed in www.google.ca/adsense. I was kicked over to https://www.google.ca/adsense and had the following appear in Firefox
I know it's obvious what the problem is, but let's look at my other screenshots since I took the time to take them.
Now why can't a company like Google get their SSL certs right? How's the general public ever supposed to trust SSL if major web-based companies are too lazy to get proper SSL certs? I'm actually rather disppointed by this. I've actually trained some of my family to not venture into sites with improper SSL certs (or at least investigate them first) and this would confuse them and set all the effort that I've made back several steps.
We always talk about educating the user, and I believe that SSL is something we can properly educate the end user about, however that requires an effort on the part of the website / vendor in question. This time Google has failed.
I came across this blog post on the Official Google Blog, which discusses a YouTube Symphony. This is one of the coolest things I've seen online in a long, long time. Perhaps it's the music lover in my that makes me simply love the idea, to the point that it makes me sad that I pawned my trumpet while I was in college. I do have a few other instruments and a few potentially "unique" ideas to submit. Either way I'm excited to submit a couple of videos to this and possibly convince my wife to as well.
This is a "wish post". I'm a huge fan of Google Apps, I love using my @computerdefense.org email address with everything Google and having it inside of GMail is great. However there are a number of labs features that I would love to have access to and don't get because I use Google Apps intead of GMail. So this is a request that Google make the Labs feature of GMail available to Google Apps users.
Well it certainly didn't take long... I noticed this on milw0rm this morning. It seems that someone has found a DoS in Google Chrome. What's interesting is that one of the thngs that Chrome does is process separation between tabs (or so they claim), yet this DoS manages to take out all of Chrome, not just the tab you visit the page in.
Original Advisory with PoC (Note that you don't even have to click on the PoC link in the advisory. You can cause the crash simply by mouse overing it.)
Hey All,
Thanks to everyone who's filled it out, for those of you that haven't... you still can (survey). A large number of people are prefering to stay anonymous, but I have gotten some rather interesting comments. To date 169 people have filled out the survey. If all goes well, I'm hoping to start analyising the results after about a week or so.
To clarify, for anyone who reads this first... When I say Denial of Service, I'm not considering packet flooding (these days you essentially need DDoS for that)... I'm thinking single packets that cause servers to crash, or malformed pages that cause browsers to crash. That being said, I don't want to influence anyones answers... that's why I provided plenty of places for notes. Feel free to tell me what you really think.
Lastly, in the goal of making an interesting whitepaper out of this, I've started contacting vendors. Currently I've contacted Adobe, Apple, Google, Microsoft, Red Hat and Sun. I've asked them to answer the survey (and provide me with unique information via email that they will put in the name, email and url portions (for proper identification)) and I've passed on a few vendor specific questions. I've taken the route of contacting their PR agencies, so we'll see what happens.
Categories: IT, Security Tags: Adobe, Apple, Denial of Service, DoS, google, microsoft, Red Hat, Sun, Survey, tyler reguly
I learned something rather cool today, and whenever I learn something, I like to share it.
I'm sure everyone is aware of this and I'm the last one to learn about it, but it's cool anyways. Let's say your GMail (or Google Apps account) is example@gmail.com. You can create customized addresses for each mailing list, or page you sign up for (for separation, or to see if anyone is selling your address) by using + in your email.
Example:
example+computerdefense.org@gmail.com will still be delivered to example@gmail.com, however it will contain that unique identifier in the address. This allows you to identify spam that computerdefense.org may generate (of course, that would never happen), or to distinguish incoming email.
Another potential use (especially on the Google Apps side) is for a small business with a sales office. Let's say you have 20 customers, you could easily distinguish between mail from each customer by giving them the following addresses sales+customer1@mybusiness.com, sales+customer2@mybusiness.com, etc.
As I said, this is probably old news... but it's new to me, so I figured I'd share.
And I feel fine...
By morning most likely everyone will have blogged about the recent court ruling that Google hand over the YouTube logs to Viacom (MTV & Paramount Pictures parent company).
Oddly enough I saw a clip on BBC News that was mentioning popular articles on their website. The first thing my wife said was, "Does this mean I should stop going to YouTube?" My immediate response was, "Why?" To which she responded, "If I watch something that's copyrighted, can't I be sued or something?"
Now this was the way the short little news clip presented itself, and I'm definitely not a lawyer but my answer was, "No." Now maybe I'm wrong, and I'll probably be the only one to say this, but I don't see how this is a big deal. Viacom wants to compare the viewing habits on their copyrighted material vs non-copyrighted material. I actually think they have a right to do that. It comes down to this... find a way to keep the copyrighted material off the site or give people who's copyrights are violated access to statistics.
Based on the article, that's all Viacom wanted... statistics. Well at one point they wanted to YouTube source code but that's a ridiculous request. Google probably should have just granted them access to the statistics right away. I honestly don't care if Viacom figures out who I am and what I've watched on YouTube.
I do hope that Google gets the right to anonymize the logs before passing them on, but they should have been doing that all along... there was no real reason to store IP Addresses for any length of time.
Anyways... it'll be interesting to see what Viacom gets in the end, and how many people cry that this really is the end of the world.
This isn't a new topic... McAfee mentioned it a couple of weeks ago, and it appeared in a ha.ckers.org comment almost 2 years ago.
It seems that Google Page Ad (http://www.google.com/pagead) can be abused as a redirect. This redirect won't work blindly, certain variables require certain values. However those variables aren't validated... I can generate a valid redirect, and then substitute in any url I want and it will still work. I've been noticing more and more spam lately making use of this, and it leads me to wonder why Google, with all their power (and I am a huge Google fan), can't get the validation right to ensure that this issue stops.
Here's an example URL... however in this case, I've removed the spammers address and inserted ComputerDefense.org: http://www.google.com/pagead/iclk?sa=l&ai=JqenDy&num=08582&adurl=http://www.computerdefense.org
Update:
In thinking this through more, I thought I should add to it. This redirect requires certain information... without the ai and num fields, the redirect won't work. All Google has to do is tie these fields to a specific URL, they don't even need the redirect URL included anymore... They could validate and redirect based on data they retrieve while validating the request.
