John Graham-Cumming

Last week I talked about JavaScript security at Virus Bulletin 2009. One of the security problems with JavaScript (probably the most insidious) is Cross-site Scripting (which is usually shortened to XSS).

The basic defense against XSS is to filter user input, but this has been repeatedly shown to be a nightmare. Just yesterday Reddit got hit by an XSS worm that created comments because of a bug in the implementation of markdown.

I believe the answer is for sites to sign the <SCRIPT> tags that they serve up. If they signed against a key that they control then injected JavaScript could be rejected by the browser because its signature would be missing or incorrect and the entire XSS problem would disappear.

For example, this site includes Google Analytics and here's the JavaScript:

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ?
"https://ssl." : "http://www.");
document.write(unescape("%3C…

While over in Geneva for the Virus Bulletin 2009 conference I managed to make a side trip to see CERN. It turned out to be a great afternoon because the tour was guided by actual physicists and I took a school trip.

I am a little old for it, but when I organized my trip I was told that I would be added to a group from Steyning Grammar School. There I was with 23 final year A-level students on a whirlwind trip to Switzerland. They were extremely nice kids, and I could easily imagine that teaching such a group would be incredibly rewarding.

The visit started with a talk and a film. This told the story of CERN itself (it's almost 55 years old) and described the operation of the Large Hadron Collider.

Here's what part of the LHC looks like (this is a mock-up). The large blue thing is one of the super-conducting magnets. There are 1,232 of these in the 27km ring, each weighs about 27 tonnes.



After that we were bussed over to where the superconducting magnets used in the LHC are r…

The cool team that manages the POPFile project (that I started what seems like years ago...) have just released v1.1.1 with a bunch of improvements (especially for Windows users).

From the release notes:


1. New features

You can now customize Subject Header modification placement (head or tail)
by changing the new option 'bayes_subject_mod_pos'. (ticket #74)

NNTP module now caches articles received with the message number specified.

You can now jump to message header/message body/quick magnets/scores in the
single message view by clicking links on the head of the page. (ticket #77)

You can now filter messages shown in the history using 'reclassified' option.
(ticket #67)


2. Windows version improvements

The minimal Perl has been updated to the most recent 5.8 release. Since this
release of Perl only officially supports Windows 2000 or later POPFile 1.1.1
may not work on Windows 95, Windows 98, Windows Millennium or Windows NT. The
installer will display a warning message explaining th…

I've just completed my presentation at Virus Bulletin 2009 which was entitled JavaScript Security: The Elephant running in your browser.

My thesis is that the security situation with JavaScript is so poor that the only solution is to kill it. End users have very little in the way of protection against malicious JavaScript, major web sites suffer from XSS and CSRF flaws, the language itself allows appalling security holes, and as data moves to the cloud the 14 year old JavaScript security sandbox becomes more and more irrelevant.

Here are the slides:

Javascript SecurityView more presentations from jgrahamc.

Today, O'Reilly released my book, The Geek Atlas, as an iPhone application. It's the complete text of the book on the iPhone. Since the book is organized as small chapters it's very readable on a small screen.



The neatest feature is that latitude and longitude given for each place in the book is clickable and takes you straight to that location on Google Maps.

And it's only $5.99 or £3.49.

Last night the British Prime Minister Gordon Brown issued a long statement about my Alan Turing petition that included a clear apology for his treatment. Unfortunately, I've been in bed nursing the flu so it was only by chance that an amazing sequence of events occurred.

Yesterday evening I realized that I had to check my email (I'd been avoiding it while ill) because of a work commitment on Friday and so I logged in to find a message that read:

John - I wonder if you could call me as a matter of urgency, regarding your petition. Very many thanks!

Kirsty

Kirsty xxxxxxx
10 Downing St, SW1A 2AA
Tel: 020x xxxx xxxx

So, I called back. The telephone number was the Downing Street switchboard and after Kirsty told me that the government was planning to apologize for Alan Turing's treatment she then said "Gordon would like to talk to you".

A few minutes later the phone rang and a soft Scottish voice said: "Hello John. It's Gordon Brown. I think you know why I am ca…