Sensationalism gets readers and “clicks” no matter the medium, but it can be highly dangerous… Yesterday, we saw a wonderful example of what not to do from Ryan Naraine at ZDNet (http://blogs.zdnet.com/security/?p=197&tag=nl.e539).
Holy information leakage, Batman! BAMM! They know your IP address! POW! They know your screen resolution!
The worst part about this ZDNet article is that there IS ACTUALLY legitimate information leakage happening, but it is only ever so briefly discussed: sniffing your browsing history (i.e., which sites you have visited)… The idea was originally promoted by our pal Jeremiah Grossman at WhiteHat Security (http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html). RSnake has done some hot new research showing that CSS alone can be used to do the same thing, and that is the actual news in the article. But the reality of general browser information disclosure has been known for years, and folks out there on them Internets have provided much better and more comprehensive examples of what you can do (such as http://gemal.dk/browserspy/). Some of that stuff is definitely not good to disclose…
More fascinating to us is that this idea is a decade old… it is called Browser Sniffing and Capability Detection. In fact, one U.S. company makes a product (www.browserhawk.com) that uses this data for legitimate purposes, and thousands of Web professionals have done this themselves for years (Port80 folks included). And, PS, how do you think we know whether to compress, cache, or block a request, anyway? A big part of it is browser detection, plain and simple.
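To make the compress/cache/block decision concrete, here is an added example (our own illustration, not code from the post or from any Port80 product) of the kind of server-side browser detection described above. The request headers are constructed samples; the Netscape 4.x gzip quirks are adapted from the long-standing Apache mod_deflate BrowserMatch example; the `HypotheticalBadBot` blocklist entry is a placeholder, not a real crawler. The one caveat worth keeping in mind is written into the code: every input here is supplied by the client, so a User-Agent-based block is hygiene, not a security boundary, and a response that varies on these headers must say so in `Vary` or shared caches will hand one browser's variant to another.

```python
"""Browser detection driving compress / cache / block decisions (added example)."""
import re
from dataclasses import dataclass, field

# Adapted from the Apache mod_deflate documentation example: Netscape 4.x can
# only decode gzip for text/html, and 4.06-4.08 cannot decode it at all.
# MSIE's User-Agent also starts with "Mozilla/4.0", so it must be exempted.
_NETSCAPE4 = re.compile(r"^Mozilla/4")
_NETSCAPE4_BROKEN = re.compile(r"^Mozilla/4\.0[678]")
_MSIE = re.compile(r"\bMSIE\b")
# Constructed placeholder for a blocklisted client string (hypothetical).
_BLOCKED_UA = re.compile(r"HypotheticalBadBot", re.IGNORECASE)


@dataclass
class Decision:
    compress: bool
    cache: bool
    block: bool
    reason: str
    response_headers: dict = field(default_factory=dict)


def parse_accept_encoding(value: str) -> set:
    """Return the set of content-codings the client accepts with q > 0."""
    accepted = set()
    for part in value.split(","):
        name, _, params = part.strip().partition(";")
        name = name.strip().lower()
        if not name:
            continue
        q = 1.0
        m = re.search(r"\bq=([0-9]*\.?[0-9]+)", params)
        if m:
            q = float(m.group(1))
        if q > 0:
            accepted.add(name)
    return accepted


def decide(headers: dict, content_type: str = "text/html") -> Decision:
    """Decide how to serve one request from its (client-controlled) headers."""
    h = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    ua = h.get("user-agent", "")

    # Blocking on User-Agent is trivially bypassed by changing the header;
    # treat it as noise reduction, never as an access control.
    if _BLOCKED_UA.search(ua):
        return Decision(False, False, True, "user-agent on constructed blocklist")

    accepted = parse_accept_encoding(h.get("accept-encoding", ""))
    compress = "gzip" in accepted
    reason = "client advertises gzip" if compress else "client does not accept gzip"

    # Capability detection: override the advertised encoding for known-broken browsers.
    if compress and _NETSCAPE4.match(ua) and not _MSIE.search(ua):
        if _NETSCAPE4_BROKEN.match(ua):
            compress, reason = False, "Netscape 4.06-4.08 cannot decode gzip"
        elif content_type != "text/html":
            compress, reason = False, "Netscape 4.x only handles gzip for text/html"

    # Do not let shared caches store responses to authenticated requests.
    cache = "authorization" not in h

    resp = {}
    if compress:
        resp["Content-Encoding"] = "gzip"
    # The answer depends on both request headers, so caches must key on both.
    resp["Vary"] = "Accept-Encoding, User-Agent"
    resp["Cache-Control"] = "public, max-age=3600" if cache else "private, no-store"
    return Decision(compress, cache, False, reason, resp)


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "firefox": {"User-Agent": "Mozilla/5.0 (X11; Linux) Gecko/20060101 Firefox/1.5",
                "Accept-Encoding": "gzip, deflate"},
    "ie6": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
            "Accept-Encoding": "gzip, deflate"},
    "netscape407": {"User-Agent": "Mozilla/4.07 [en] (Win98; I)", "Accept-Encoding": "gzip"},
    "netscape45": {"User-Agent": "Mozilla/4.5 [en] (Win95; I)", "Accept-Encoding": "gzip"},
    "no_gzip": {"User-Agent": "Mozilla/5.0 (compatible)", "Accept-Encoding": "identity;q=1, gzip;q=0"},
    "authed": {"User-Agent": "Mozilla/5.0 (compatible)", "Accept-Encoding": "gzip",
               "Authorization": "Basic placeholder"},
    "bot": {"User-Agent": "HypotheticalBadBot/1.0", "Accept-Encoding": "gzip"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        d = decide(hdrs)
        print(f"{name:12} compress={d.compress!s:5} cache={d.cache!s:5} block={d.block!s:5} {d.reason}")
```

Note that the decision is driven first by what the client advertises in `Accept-Encoding` and only second by User-Agent quirks; the User-Agent is consulted to work around known-broken clients, not to decide whether the client is trustworthy.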
We love ZDNet, we really do, but lots of mainstream tech sites and even print magazines really seem to like to go to these security or hacker conferences and report on things without any verification (http://blog.port80software.com/2006/08/fear-uncertainty-and-doubt-in-web-2-0/). They just don’t seem to get that up and coming “hackers” (or folks who want to start security consultancies) go to these conferences and say all sorts of wild things to get press and street cred (it’s the way of the jungle). We seem to remember other self-serving fear mongering information being fed to journalists in the mainstream press a few years ago, journalists who didn’t follow up on the facts for a different reason… Hmmm, can’t quite remember the circumstances and outcome about that, oh well… : )
The unfortunate part of ZDNet’s reporting here is that there really is great stuff going on that isn’t reported from these conferences because it is too difficult for a person to understand in five seconds or is apparently unlikely to happen. Pssst… this is the stuff that ends up being the cause of real security problems, but then again reporting on that might not sell too many clicks because it just ain’t scary enough!
Enjoy good health,