Archive

Posts Tagged ‘security’

Implementing Mozilla’s Content Security Policy

June 30th, 2009

I recently discovered this page, which describes Mozilla’s solution for prevention of XSS (Cross-Site Scripting) available as a Firefox Extension.  Here’s the HTTP response from my site:

hank@tardis:~$ wget -S http://www.ralree.com
--2009-06-30 09:52:13--  http://www.ralree.com/
Resolving www.ralree.com... 74.54.115.108
Connecting to www.ralree.com|74.54.115.108|:80... connected.
HTTP request sent, awaiting response...
 HTTP/1.1 200 OK
 Date: Tue, 30 Jun 2009 13:49:54 GMT
 Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a Phusion_Passenger/2.1.3
   mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
 X-Powered-By: PHP/5.2.8
 X-Pingback: http://www.ralree.com/newblog/xmlrpc.php
 Last-Modified: Tue, 30 Jun 2009 13:49:21 GMT
 X-Content-Security-Policy: allow self; img-src *; object-src *.ralree.com
  *.ralree.info; script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com
  friendfeed.com; style-src *.ralree.com *.ralree.info
 Content-Length: 57457
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8

As you can see, my content security policy is sent as an HTTP header on every HTTP response from my site.  I basically stole an example from this page.  I’ve added it to the .htaccess file in my site’s root, before everything else in there, like so:

<IfModule mod_headers.c>
Header set X-Content-Security-Policy "allow self; img-src *; object-src *.ralree.com *.ralree.info; script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com friendfeed.com; style-src *.ralree.com *.ralree.info"
</IfModule>

I highly recommend everyone with commenting activated on their blog enable this, since XSS is a serious pain.  This seems to work very well on Site5, where mod_headers was simply enabled out of the box.
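To make the header’s semantics concrete, here is a small evaluator for the 2009-era X-Content-Security-Policy syntax shown above. It is an added example, not code from the post or from Mozilla: it models only host matching, the self keyword, and the fallback of unlisted directives to the allow list (the old name for default-src); treating *.ralree.com as matching subdomains only is an assumption.

```python
# Toy evaluator for the 2009 Mozilla X-Content-Security-Policy syntax used above.
# Added example, not part of the original post; it models only host matching,
# the "self" keyword, and the fallback of unlisted directives to "allow".
from urllib.parse import urlsplit

# The policy string from the .htaccess snippet above
POLICY = ("allow self; img-src *; object-src *.ralree.com *.ralree.info; "
          "script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com "
          "friendfeed.com; style-src *.ralree.com *.ralree.info")

def parse_policy(header):
    """Split 'name src src; name src' into {name: [src, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [s.lower() for s in parts[1:]]
    return policy

def host_matches(pattern, host):
    """'*' matches anything; '*.ralree.com' matches subdomains only (assumption)."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def source_allowed(policy, directive, url, page_url):
    """Would a resource at `url` load under `directive` on a page at `page_url`?
    Unlisted directives fall back to the 'allow' list."""
    sources = policy.get(directive, policy.get("allow", []))
    res, page = urlsplit(url), urlsplit(page_url)
    host = (res.hostname or "").lower()
    page_host = (page.hostname or "").lower()
    for src in sources:
        if src == "self":
            # "self" means the same scheme, host and port as the page itself
            if (res.scheme, host, res.port) == (page.scheme, page_host, page.port):
                return True
        elif host_matches(src, host):
            return True
    return False
```

With this policy a frame from friendfeed.com is refused even though its scripts are allowed, because frame-src is not listed and falls back to allow self.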



Pitfalls with digital health records

April 8th, 2009

The more I hear about digital national health records, the more I worry about them with regards to security. Various interpretations of the new legislation in the 2009 Stimulus bill could mean anything from implementing something like SAFEHealth, a decentralized system, to something like Google Health, which would centralize medical records. I expect that a decentralized system will not be what the government will choose. Proper usage of a decentralized system would be fine, but removes a lot of the utility promised by proponents of electronic health records, such as the possibility of access to updated health records from anywhere. I’d like to start off with an alarming quote I found in this interview with Karen Bell, director of the Office of Health IT Adoption at the U.S. Department of Health and Human Services:

TR: What about the public-health benefits? Systems that house large quantities of patient data could enable new types of research studies.

KB: Absolutely, that’s something I get really excited about. It will totally break open our knowledge base. For example, I have been diagnosed with low-pressure glaucoma, which is fairly unusual. No one knows what causes it. I would love to be able to search the system for anyone with this form of glaucoma and start to look for similarities.




RSA Made Easy

February 27th, 2009

After obsessing over it today, I decided to write a quick primer on RSA Encryption you can do in your head. It’s pretty simple, and to the point. The numbers are very small. Try it out!

I plan to write some code implementing the algorithm.  That should be fun.



I’m the newest GSWoT GSI

July 19th, 2007



I have joined the GSWoT. I am the newest Gossamer Spider Web of Trust Introducer! This is a great honor, and I’d like to thank Kara Denizi for giving me the chance to join.

Above, I’ve posted the current state of the keyring. It also includes an outlier from my personal keyring.

Props to sig2dot for creating that graph. Here are the commands:


wget -O gswot.keyring "http://biglumber.com/x/web?keyring=5802;download=1"   # fetch the GSWoT keyring
sudo apt-get install graphviz imagemagick                                    # provides neato and convert
wget http://www.chaosreigns.com/code/sig2dot/sig2dot.pl                      # signature listing -> DOT converter
gpg --list-sigs --keyring ./gswot.keyring | perl sig2dot.pl > gswot.dot      # list signatures, build the graph
neato -Tps gswot.dot > gswot.neato.ps                                        # lay out the graph with Graphviz
convert gswot.neato.ps gswot.neato.jpg                                       # rasterize to JPEG

Pretty easy – I might have to use this in the future for more graphs and digraphs…
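For anyone curious what sig2dot actually does with that listing, here is a minimal re-implementation of the idea as an added example (not sig2dot’s own code): it reads gpg 1.4-style --list-sigs text and emits a DOT digraph with one edge per signature, signer to signed key, dropping self-signatures. The sample listing, key IDs and names are constructed placeholders.

```python
# Added example, not sig2dot itself: turns `gpg --list-sigs` output (gpg 1.4-style
# text, as used in 2007) into a DOT digraph, one edge per signature, signer -> signed.
# The listing below is constructed; the key IDs and names are placeholders.
import re

SAMPLE_LISTING = """\
pub   1024D/AAAA1111 2007-01-02
uid                  Alice Example <alice@example.org>
sig 3        AAAA1111 2007-01-02  Alice Example <alice@example.org>
sig          BBBB2222 2007-02-03  Bob Example <bob@example.org>
sig 2        CCCC3333 2007-02-04  Carol Example <carol@example.org>
sub   2048g/AAAA9999 2007-01-02

pub   1024D/BBBB2222 2007-01-05
uid                  Bob Example <bob@example.org>
sig 3        BBBB2222 2007-01-05  Bob Example <bob@example.org>
sig          AAAA1111 2007-02-03  Alice Example <alice@example.org>
"""

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-Fa-f]{8,16})")
# "sig", optional check/trust flags, the signing key ID, then the signature date
SIG_RE = re.compile(r"^sig\S*\s+(?:[0-3][LRPX]*\s+)?([0-9A-Fa-f]{8,16})\s+\d{4}-\d{2}-\d{2}")

def signature_edges(listing):
    """Return sorted (signer, signed) key-ID pairs, skipping self-signatures."""
    edges, current = set(), None
    for line in listing.splitlines():
        m = PUB_RE.match(line)
        if m:
            current = m.group(1).upper()   # the key whose signatures follow
            continue
        m = SIG_RE.match(line)
        if m and current:
            signer = m.group(1).upper()
            if signer != current:          # a self-signature says nothing about trust
                edges.add((signer, current))
    return sorted(edges)

def to_dot(listing):
    """Render the signature edges as a Graphviz digraph (feed to neato or dot)."""
    lines = ["digraph gswot {"]
    lines += ['  "%s" -> "%s";' % edge for edge in signature_edges(listing)]
    lines.append("}")
    return "\n".join(lines)
```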


HOWTO: Export and Import Private GPG Keys

March 7th, 2007

I had a problem today. I wanted to encrypt something with my GPG Key. It was only on my laptop. Here’s what I did:


  gpg --export-secret-keys > gpgkeyfile      # dump all secret keys, in the clear, to a file
  gpg -c gpgkeyfile                          # symmetric-encrypt it with a passphrase -> gpgkeyfile.gpg
  shred -u gpgkeyfile                        # overwrite and delete the plaintext copy

Then move gpgkeyfile.gpg to another computer. To import them again:


  gpg -d gpgkeyfile.gpg > gpgkeyfile         # decrypt with the same passphrase
  gpg --import gpgkeyfile                    # import the secret keys into this machine's keyring

gpg: key 9140A8C7: secret key imported
gpg: key 9140A8C7: *** 1 new signature
gpg: key 5EF4A221: secret key imported
gpg: key 5EF4A221: public key *** imported
gpg: key 46C171A0: secret key imported
gpg: key 46C171A0: public key *** imported
gpg: Total number processed: 3
gpg:               imported: 2
gpg:         new signatures: 1
gpg:       secret keys read: 3
gpg:   secret keys imported: 3

Woo hoo!


Wordpress is unsafe – pwned AGAIN!

March 3rd, 2007

Well, it’s official:

Wordpress is a joke!!

Mephisto Wins!
