My new side project is now live.
Check us out at [www.softwareforhumans.com]
Every few years I pop my head up and re-engage more actively with OWASP. This year I saw a bunch of chatter coming from the OWASP Summit about the need to be more developer centric and my interest was piqued again. I posted here and here. After a week of some healthy discussions it is time for me to slip back into the OWASP shadows again. I will be speaking at the AppSec USA conference in September (OWASP’s 10th birthday). More on that in due course.
OWASP holds a special place in my heart but I am not convinced that the new momentum around ‘developers’ that I had hoped was going to emerge is actually fundamentally different from what is being done today. Why slip into the shadows and not try and influence it to be what you want it to be? If I have learnt anything about community it’s that the majority drives a good community, and if you want to influence the majority who aren’t aligned to your way of thinking you have to invest a lot of time and energy to do it. I just don’t have that time or energy for the topic right now. People often say “I hope you prove me wrong” but don’t really mean it. I do. I really do hope that @JonWillander and crew prove me wrong and get a thriving developer community engaged, but it seems to me that there is still a very strong prevention (or discovery) of vulnerability centric approach as opposed to being focused on security as an enabler (the builder metaphor). It’s valuable stuff but simply not where my personal interests are or what I believe is needed, and so it’s time to slip back into the OWASP software security shadows for me for a while longer. I am sure I will surface again in the future.
Now, that said, what I did discover over beer and email is that there are a LOT of people passionate about OWASP who also think that things could be a lot better with some changes to the way the community works. I agree. For instance @sourcecodesec told me that he would like a democratic way to run a local chapter meeting. He wants to be able to propose a meeting, have active local community members vote on what presentations are given and have attendees get to vote on presentations / presenters. This would effectively democratize the chapter meetings process and avoid any local chapter leader having too much control over what happens at chapter meetings. You would effectively get a facilitator / organizer and the local community democratically making decisions. I have thought quite a lot about this and I think, as well as democratizing the chapter management process, a rewards system can actually ensure the good facilitators / organizers are recognized and rewarded. Chapter management is a problem I have heard a number of times in a number of locations, so I am convinced this isn’t isolated and I am convinced that an innovative social software solution could benefit all chapters and the project as a whole. I have also heard about other challenges like OWASP members who would like to submit and read tools reports and even security reviews but do so anonymously. This is also an interesting problem. How do you share data that you can trust without revealing identities and source? I have some ideas on this as well.
I am partnering with Marius Grigoriu on a side-project we are now calling Software for Humans, which is setting out to build an online community for people interested in online community and explore exactly these kinds of community & social challenges across the spectrum of online communities. We plan to push the boundary on building social software and, using the community to drive feedback and direction, see if our collective ideas might work in code as well as on paper. We plan to go live with our site later this week (hopefully Thursday). Our software won’t be open source but is built on Ruby on Rails and integrated with many social platforms like Twitter and Facebook. It seems to me building better community software is the most valuable contribution I can possibly make to OWASP while also fueling my passion for building social software. Cool, eh?
This was sent to me by someone today and had me in such hysterics I had to share.
Your classic 1979 ‘Tribottle rag’ helmet – a must in any type of combat
A late 80’s ‘boxhat’. The bloke next to him doesn’t appear too sure of its effectiveness
A renaissance period piece of brickwear teamed with a black and cream scarf. Textbook
I’m not sure about the tuna sandwich he is about to lob…
Old school 80s broken bin helmet.
I personally love the fact he needs to lift it up to see – does he spend the rest of the time walking in to things?
Textbook saucepaning with lifejacket combo. He does not take, ANY!!
And the winner by 100 miles.
This bloke is going to war with 2 baguettes strapped to his ears and a ham salad roll sellotaped to his forehead. I’d def wanna be behind him if someone lobs a load of bricks at me.
There is a lot of good chatter about what I have learned is being called OWASP 4.0. A fourth generation project no doubt! I posted here and Michael Coates posted here which seems to be stimulating some good debate.
Ahead of meeting Dinis Cruz for what will undoubtedly be too much beer tonight I wanted to jot down a few thoughts on how we could organize OWASP 4.0. There are only so many beer mats you can assemble into meaningful diagrams in a brewery! This is very similar to Michael Coates’ excellent suggestions but with some subtle and, I think, important differences.
First, I think it’s important to have a community for people who are engaged in planning and managing software security. These people range from the CSOs to the scrum masters. There are a lot of important topics not covered at OWASP today, ranging from broad sweeping ones like application security scorecards and metrics to detailed issues such as how to estimate security during Agile planning.
Second, I think it’s important to have a community for the architects and software developers. In this track you would cover the software design issues such as how to do AuthN and AuthZ, how to design secure WS-* services etc, as well as code level implementation topics.
Third, Test should cover the traditional security testing but also include topics aligned to the much bigger and more mature software QA discipline.
Finally Operate would be for those whose primary role is in deploying, monitoring and defending against attacks. There are really important topics in deployment and monitoring that I don’t think are well represented today.
The taxonomy or nomenclature is both trivial and actually very important. People who are consuming content (educational, documentation or tools) need to be able to easily identify with their role and navigate to material that they relate to. There clearly needs to be co-ordination across the verticals and overlap may occur, but for the most part projects should fit.
Across each of the sub-communities you would have a collection of high value projects that could generally fit into People (or education projects), Process & Documentation projects and Tools / Technology projects. Coding guidelines for Ruby, for instance, would fit into the Design & Dev community under the Process & Documentation bucket. App HoneyPots would be in the Operate community under the monitoring focus area.
Some communities would have more of a bias to build tools (Design & Dev and Test for example) and others more of a bias on documentation and process (Plan & Manage).
Underpinning the buckets is a need for commonality and reuse. This is where guiding principles fit, taxonomies and definitions. This ensures some degree of uniformity across the OWASP community.
There are some obvious gaps such as where do browsers fit and what about R&D / security researchers? Security researchers would scare most software QA people IMHO but I don’t have any magical suggestions.
I will follow-up tomorrow with a detailed post of what I would specifically drive inside the Design & Develop community. That would include a set of GitHub repos, a CI environment and a set of AWS instances to start with. Devs need dev stuff to code with!
It’s an amazing time to be writing about software and social change. I am sat in my favorite Seattle coffee shop with nothing but my MacBook (plus a coffee and chocolate croissant of course). Using nothing but my free Wi-Fi connection I can spawn up a super-computer on the fly using Amazon Web Services. I was just chatting on my cell via Twitter to a guy in South Africa that I have known for years and would regard as a friend but have never met in person. The Middle East is in violent protest, governments have been over-thrown, cyber spy novels are being played out online by hackers in the wake of Wiki-Leaks and Facebook is now worth an estimated $60B. It’s a crazy, crazy, crazy world…and I love it.
When I started OWASP nearly a decade ago it was without a plan (or frankly even much thought) but it was with a premonition that the Internet was going to revolutionize the world, web technology would be at the forefront of the revolution and that security would be a critical attribute in the mix. I haven’t been actively involved in OWASP for a number of years but will always claim it as my baby and passionately watch it evolve. It is my social science lab. I had always hoped that the community would develop into a community of developers that were interested in security rather than a community of security people that were interested in software. I wanted to be part of a community that was driving WS-* standards, deep in the guts of SAML and OAuth, framework (run-time) / language security and modern development practices like Agile and TDD, rather than people seemingly obsessed by HTTP and web hacking techniques. Ask your average OWASP member how to federate identity across the Internet and I reckon you will be met with a blank stare, but ask them how to check for XSS and I bet you would be greeted with a smile. That’s a problem. That is not to say that people who live and breathe HTTP security aren’t incredibly valuable, but it wasn’t what I wanted or what I really care about. It’s like focusing on a patient’s cold sores when the patient has lung cancer. To someone with just cold sores they need research scientists developing medicine, but I think there are bigger and more important problems in the world that I care about. Looking back in hindsight it isn’t surprising that security people gravitated to the project. Let’s face it, the first call to action was sent out to a security mailing list that I was moderating at the time. Why would you expect anything different?
When I look back to the early years it was when the likes of Ingo Struck, Zed Shaw, Steve Taylor and Alex Russell drifted away that the writing was on the wall for me, and I walked away (well, moved to the sidelines) shortly after. Those guys were hard-core developers. Over the years the project has grown to be the de facto and de jure online source for web security and I am very proud to have planted that seed (very proud indeed), but the desire to have a community for developers interested in the type of security I am interested in has never faded, and as far as I am concerned no community exists today for people with this interest.
I have always believed that in order for security to become an inherent part of software development it must come from within the development community itself.
We can’t have security people who know development. We must have developers who know security. There is a fundamental difference and it is important.
Last week I noticed some tweets coming from the OWASP Summit in Portugal that got me very concerned about the state of OWASP. The summit is an awesome idea. OWASP gathers a bunch of bright people from around the world into a hotel on the Algarve once a year and they drive projects, ideas and have fun. The tweet that caught my eye was “Developers don’t know shit about security“. After a few mails to a few people and a few off-line discussions I started to wonder if actually OWASP is at a Tipping Point where it will either evolve to the project I had always originally hoped or a new project will emerge made up of “developers who know security”.
I hope it is the former and I certainly don’t want to encourage revolution (just evolution), but in order for this evolution to happen at OWASP rather than another community forming (which I am hearing mutterings of on the grapevine) I think OWASP needs to adapt pretty dramatically. Before you read my suggestions (which are very direct and generally negative) remember that I think OWASP rocks. I 100% get that some people will be offended and maybe hurt by these comments but they are not personal. Read to the end before firing off poop-o-grams to me!
1. Manage the Project Portfolio – When I look at the OWASP site today it’s hard to see it as anything else but a “bric-a-brac” shop of random projects. There are no doubt some absolute gems in there like ESAPI, but the quality of those projects is totally undermined by projects like the Secure Web Application Framework Manifesto. When I first looked I honestly thought this project was a spoof or a joke. It’s been created by people who in my opinion have no idea about what development frameworks do, how they are created and certainly no idea about how to get requirements into engineering teams developing them. If you really think an important thing a development framework should do is to provide support for pluggable anti-automation (whatever that really is) then seriously …… If you go to the engineering team of a major framework with that document you won’t get far. The OWASP Guide also hasn’t been updated since 2005 and the .NET guide is a bunch of broken links or seriously outdated advice! These are key documents that are integrated into many corporate application security policies, yet the Guide hasn’t been updated for 5 years. That’s .NET 1.1 / 2.0 and Java 1.5, people!
OWASP has to put controls in place over project quality and develop a project portfolio strategy. It has to focus on quality and not quantity and has to kill a large number of projects that have been created today if it wants to remain credible. It has to focus its key resources on key projects.
2. Industry Engagement and Communications – Over the years I have had many frustrating dialogs with people at OWASP about the way they have engaged with me as a corporate sponsor (direct sponsor or behind the scenes). I have seen random email after email come in, many contradicting each other or written in a tone that frankly no company would want to partner with. I totally get that there is no one voice, but when an active community member openly criticizes a company they are speaking on behalf of “OWASP” whether you like it or not. There have been so many cases I have heard about where the project seems to be biting the hand that they are asking to feed it. I don’t get it. Why ask and complain in the same hand? Take a stance, cause. You can’t have your cake and eat it too. One year I heard grumblings that OWASP were very frustrated that they couldn’t navigate a big software company so offered to help. After two reminders of the offer the only time I then heard from them was a year later asking for money to renew membership. Serious partnership could be made with serious funding that could drive serious projects if it was approached in the right way. Hand-outs are not the way, partnership is.
OWASP has to re-think its engagement and communication model to get to the next stage in its evolution.
3. Ethics / Code of Conduct – The O in OWASP is for Open. Open + Source, Open + Respectful and Open WhatEverIsAppropriate. That was a cornerstone of the project from day one. In the early days I fought with a few individuals who in my opinion were trying to circumvent the power of the project for their own personal agenda. It was a fight I was happy to make and would do so again in a heartbeat. An individual who shall remain nameless wanted OWASP to recommend a specific tool that wasn’t licensed with an OSI license. I dug in and refused; in fact I doubled-down and set guidelines on vendors abusing the project brand. That person banded together with a few other lily-livered sheep and tried to have me banned from moderating a mailing list I ran. They probably don’t know it but I have the copy of the mail they sent complaining to the company that hosted the list. I know who they were and exactly what they said. The same people later decided to form their own project that they controlled. I have a copy of a private email between a few of them in which they talk about “…..beating OWASP at its own game so we can influence the messaging that app scanning really is effective” (for completeness, that mail, forwarded to me by someone on the thread in disgust, is in an archive somewhere and so I am paraphrasing). It was a set of douche-bag moves by people with douche-bag standards, but the blood and guts have and will remain private as they have no possible positive part to play on the project. There is clearly a balance in ensuring that people who contribute to the project are rewarded. They should be and should be allowed to get something back for their hard work, but the mechanism in how that happens is important and will always be a gray area. I have been amply rewarded in my career by my association with OWASP. I have been invited to speak all over the world, been asked to contribute to books and been able to talk to an incredible set of people.
I have had jobs as a direct result of OWASP. When I formally transferred OWASP to its new leadership I was compensated for money I had spent in the initial years on hosting, significant personal travel and other things. In those days we never had sponsorship and I funded it all from my own pocket. I still don’t know if I feel 100% good about that, but I do feel good that I only got back what I had put in (my wife tracked it meticulously) and I turned down a more than six figure offer at the time to turn over the project to a security firm that I know didn’t have the community’s interest at heart. I feel very good about that! OWASP was never mine to sell, but that didn’t stop other OSS projects like Nessus.
Ethics is a tough topic and riddled with subjective opinions. It’s a minefield. From an individual perspective it’s probably easy. Can you look at yourself in the mirror and feel good about what you have done? What pains me today is that I see people riding the OWASP band-wagon that I struggle to understand how they look at themselves and answer that question with a “yes”. Let’s take Cenzic as an example. This is a firm that was founded by the same people that founded HB Gary. Yes, the same firm that has been exposed to have been plotting a campaign to discredit wiki-leaks. Cenzic also have a patent for web fuzzing. Now I am not a lawyer, but this patent appears that it could be applied against OWASP projects like WebScarab at any time. This is the same firm that used to claim in their marketing that they scan for the OWASP Top Ten. That’s right, using HTTP they scanned for insecure crypto! These are my personal opinions, but this is not a firm with good ethics, yet it is actively involved in OWASP.
When I was at OWASP EU in Amsterdam earlier in the year I heard stories about a firm in the far east that was using the OWASP name to organize very well attended chapter meetings and essentially turning them into sales events for their technology. I heard several OWASP community members tell me that they felt that OWASP has lost its way and been hijacked by people who are serving their own interests (personal or company) and not those of the project.
For several years I have been concerned that the people speaking at conferences are not the same people that are actively working hard on projects, and in some cases have been the very same people who wanted to “beat OWASP at its own game”. This is not a good thing for the community. It’s rewarding the wrong behavior and the wrong people. So how does an open project rationalize those things and let them sponsor events, let alone contribute to projects? How can you trust that their contribution will be impartial or ethical? It’s a tough one and I don’t claim to have any magic answers, but I do know that the current ethics and code of conduct appear to be broken.
OWASP has to re-think its ethics policy and code of conduct.
4. Engaging Developers – If you have gotten this far then you will want to know the guy who pricked my conscience to write this post in the first place is called Jon Wilander. I have never met him but I know we would get on well. He gets on well with people I like (Dinis) and from what I can tell from his writing we are very similar. He has recently taken a job with a bank in the development team. I once moved my office from the security building to the development building to sit with the developers. Good patterns are timeless! His post talks about how to engage with developers, and given a number of twitter comments and emails I am hearing about a growing tidal wave of people that think OWASP needs to be by developers for developers. My original vision. Maybe it’s coming full circle?
There are huge gaps in OWASP today for developers. Where is the advice on writing security related BDD tests, integrating security into Agile, tools that plug into CI servers and IDEs?
I can see several ways of doing this but am adamant that this is not a matter of trying to herd the security people to develop content and projects for developers. The definition of insanity is to do the same things twice and expect a different result, and while OWASP has made amazing strides in the security industry I think we need to acknowledge that security is not a Pri0 agenda item in the development culture after a decade of the project.
I think a different approach is needed and it is time for a change.
The good news I think is that I think there is room for both approaches and I think OWASP could play a leading role in both camps. Maybe Software Security is for developers and Application Security is for security people. The first persona is the builder and the second persona the breaker. One is concerned with assessing security posture and the other architecting and creating secure software. OWASP could easily pivot its work (and web site) around those two key personas. Developers best understand what they need and want, security people best understand what they need and want. Maybe the Security Web Application Framework Manifesto that I think is not well conceived (as a builder) is really useful for breakers.
I genuinely hope that what I see as a Tipping Point means OWASP will evolve rather than break apart. It’s an awesome project with awesome people.
- Mark
I am going to move to weekly summaries of my 4HB experiment. This post is the first of those, covering the first two weeks. Daily posts felt like a food diary and despite my intent to do a weekly video diary I have just not been able to get organized.
Overall the first two weeks have been surprisingly easy. I went from 223lbs to 215lbs, so a drop of 8lbs in body weight. The most noticeable thing for me was actually surprising. I typically get very light headed if I haven’t eaten and have noticed that following the diet seems to normalize the food cravings and mood swings. Equally dramatic was the protein I was able to consume on the diet. While training for the last marathon the major dietary issue I had was the sheer amount of calories I needed to consume in order to meet my daily protein targets. I was taking protein bars and protein shakes but all provide around 20g of protein for around 200 calories. On the 4HB diet I can typically consume 1600 calories a day and get 180g of protein. It will of course be very interesting to see how the diet stacks up for me when I start running again; next week!
There are certainly a set of habits that it is worth breaking. For me not drinking enough water is one that I am working hard on but still not as effective as I know I should be. Reverting to drinking lots of tea (and yes, with milk for a double whammy) has been my downfall. I need to re-read the book as the fluctuations in my weight after the binge day seem to be excessive. I seem to remember a suggested normalization mid-week but this has been Thursday or Friday for me. I think I took the binge day too seriously. This week I plan to closely target a specific amount of food and watch the effects. I have also found it very tough to keep the amount of calories constant during the week. This is partly due to work (food choice and quality at Microsoft is really not great at all) and partly due to bad planning on my part. In the first week I took lunch to work. I need to start doing this again.
I will draft another summary on Sunday and then each Sunday moving on until I get to the magic 200lbs (23lb target loss) or resign!
Before you read this post you should know that at some point someone will say “All well and good but you don’t practice what you preach!”. I know. This blog is currently hosted on WordPress and I am using an SEO plugin which covers the basics but is far from ideal. I plan to move this blog to a custom written blog engine at some point and so investing time in tweaking this blog is not a priority. What I have learnt about SEO is driving features of the custom written blog (discussions) engine in development right now. Now with that out of the way…….
If you are like me you will have heard the term Search Engine Optimization or SEO and associated it with the sleazy side of internet spam and messages like “Be Number 1 on Google Guaranteed, Click Here Now”. I knew that a large portion of any blog traffic is driven from search but I had decided in my mind that it was something I didn’t need to deal with. I now realize that was a big mistake! The epiphany came when I first started looking into SEO casually and had a discussion with my friend JD Meir over lunch. JD runs a very popular blog called Sources of Insight (hosted on WordPress) yet had some basics missing. When he fixed the issues he saw a significant jump in his traffic. Just last week I was exchanging email with a friend who is the CSO of a top company and he told me he only gets just 50 page views a day on his blog. I have spoken to many people about SEO and it is surprising how little people know, so here are the 5 top things that I think all bloggers should know about search engine optimization, and therefore how to optimize users finding your content and drive up your traffic. It is certainly not exhaustive and certainly not an original list. If you want to “Pass Straight to Go” I suggest buying the Art of SEO by O’Reilly. Awesome series of books.
My top 5 are:
1. Register with Google and Bing Webmaster tools
2. Generate a sitemap.xml
3. Understand Keywords
4. Install Analytics
5. Run Free SEO Analysis Tools
Register with Google and Bing Webmaster Tools
Google and Bing (which now includes the Yahoo search traffic) account for the vast majority of internet search traffic (somewhere in the ballpark of 85%) and so making sure that those search engines can find your content is absolutely critical. Both sites have tools for webmasters that allow you to register your site and ensure that the search bots can crawl it. They then provide suggestions for basic optimization and allow you to monitor any issues the search engines may be having. They also allow you to view the keywords they see on your site and the queries that users searched for which they then referred to your site. I’ll focus on the Google webmaster tools here but the Bing experience is pretty similar.
You will first need to go to Google and sign in at [www.google.com] with your Google ID. Once you are in you will need to add your site and do some basic configuration. When you add your site you will first need to prove that you own the site. There are several options such as adding a verification code into some HTML, but the easiest way in my opinion is to add a DNS TXT record to your domain. You copy the verification code from the webmaster tool and create a DNS TXT record at your DNS provider. You then go back to the webmaster tools and verify the domain. Google queries the DNS, checks the verification code and voila! After a few more clicks you are now registered and can poke around on the site and see how Google sees your site. It is all very self-explanatory. Don’t worry if at first Google doesn’t appear to know much about you. Registering is the first step in letting them know you exist. You need to systematically go through each suggestion, fix issues and then let the crawlers update their indexes and reflect the updates in the results. It can take several weeks even after making changes to see results.
Generate a sitemap.xml
One of the items the webmaster tools will check is for the presence of a sitemap.xml file. This is a file that is added to your site and acts as the primary front-door for the search engine crawler. You can find out more in this Wikipedia article. Having a sitemap.xml is essential. Given that your site content will change you really need your site to be able to update the sitemap.xml file as new content is published. If you are using WordPress there are several tools that will do this for you. Some simply allow you to generate a file and manually re-submit it to the search engines. I use the Yoast WordPress plugin today.
Understand Keywords
Search engine keywords are essential to understand two fundamental things. The first is the keywords that the search engine sees on your site. Think of it as the content that the search engine sees as available to match to potential users. The second (and often overlooked) is the keywords that users are searching for. Google allows you to look at keywords and view the number of times users were looking for content that matched those words. As an added bonus they conveniently provide a nice interface to compare the supply of keywords, the demand to advertise against them and the number of people searching for them. This allows you to look for areas within your target topics where users are crying out for content and where little is available today. You can also predict the amount of traffic this would generate if you were able to fill that gap in the market. A useful tool is the Google Adwords tool. Sophisticated SEO software often uses the Google Data APIs to get similar data programmatically.
Install Analytics
What’s that phrase, “if you can’t measure it you can’t manage it”? While webmaster tools will provide basic data about queries and keywords, the more sophisticated analytics tools will allow you to capture rich data. You can even instrument scenarios such as a user moving through a registration wizard to find out where they drop off, or do A/B variant testing to compare experiences or articles. I am using Google Analytics. Similar to the webmaster tools you will need to register your site and prove ownership, after which you will be given a piece of JavaScript that you call from every page on your site. I use a nice free iPhone app called Analytics Agent Lite to track my stats on my phone.
Run Free SEO Analysis Tools
Finally there are a number of things you will want to configure, ranging from ensuring you have meta-content tags, individual page titles and encoding to ensuring you use H1, H2 etc HTML elements. A really simple free tool that I have found is WooRank. Just type in your domain and let it generate a report. Simple, quick and free.
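Step 2 above says your site should regenerate sitemap.xml itself as content is published. The following is an added example (not code from this blog or from the Yoast plugin) that builds a sitemap in the sitemaps.org 0.9 format from a constructed list of posts and parses it back the way a crawler would; the site URL, post paths and the PRIVATE_PREFIXES list are assumptions for the example. The filter matters because a sitemap is public: anything you list in it (admin pages, drafts) is advertised to every crawler and to anyone who fetches the file.

```python
"""Build and validate a sitemap.xml (added example, not from the original post)."""
from datetime import date
from urllib.parse import quote, urlsplit
from xml.etree import ElementTree as ET

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
CHANGEFREQS = {"always", "hourly", "daily", "weekly", "monthly", "yearly", "never"}
MAX_URLS = 50_000  # per-file limit from the sitemaps.org protocol
# Hypothetical list of path prefixes a sitemap should never advertise to crawlers.
PRIVATE_PREFIXES = ("/wp-admin", "/wp-login.php", "/drafts/")


def _is_listable(path):
    """Only same-site absolute paths outside private areas go into the sitemap."""
    parts = urlsplit(path)
    if parts.scheme or parts.netloc:  # absolute URL to some other host: skip it
        return False
    if not path.startswith("/"):
        return False
    return not path.startswith(PRIVATE_PREFIXES)


def build_sitemap(site_url, posts):
    """Return sitemap XML (bytes) listing the given posts under site_url.

    Each post is a dict: path (str), lastmod (date), optional changefreq (str)
    and priority (float). Off-site and private paths are silently dropped.
    """
    base = site_url.rstrip("/")
    urlset = ET.Element("urlset", xmlns=SITEMAP_NS)
    count = 0
    for post in posts:
        if not _is_listable(post["path"]):
            continue
        freq = post.get("changefreq", "monthly")
        if freq not in CHANGEFREQS:
            raise ValueError("bad changefreq: %r" % freq)
        prio = float(post.get("priority", 0.5))
        if not 0.0 <= prio <= 1.0:
            raise ValueError("priority must be within 0.0..1.0")
        url = ET.SubElement(urlset, "url")
        # ElementTree escapes &, < and > in text, so a path like /a?b=1&c=2 stays valid XML.
        ET.SubElement(url, "loc").text = base + quote(post["path"], safe="/?=&%")
        ET.SubElement(url, "lastmod").text = post["lastmod"].isoformat()  # W3C date form
        ET.SubElement(url, "changefreq").text = freq
        ET.SubElement(url, "priority").text = "%.1f" % prio
        count += 1
    if count > MAX_URLS:
        raise ValueError("sitemap exceeds %d URLs; split it into a sitemap index" % MAX_URLS)
    return ET.tostring(urlset, encoding="utf-8", xml_declaration=True)


def parse_sitemap(xml_bytes):
    """Return [(loc, lastmod), ...] from a sitemap, as a crawler would read it."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}urlset" % SITEMAP_NS:
        raise ValueError("not a sitemaps.org 0.9 urlset")
    ns = {"sm": SITEMAP_NS}
    entries = []
    for url in root.findall("sm:url", ns):
        loc = url.findtext("sm:loc", namespaces=ns)
        lastmod = url.findtext("sm:lastmod", namespaces=ns)
        entries.append((loc, lastmod))
    return entries


# Constructed sample posts; paths and dates are made up for this example.
SAMPLE_POSTS = [
    {"path": "/2011/01/five-seo-basics/", "lastmod": date(2011, 1, 30),
     "changefreq": "monthly", "priority": 0.8},
    {"path": "/2011/02/4hb-week-1-2/", "lastmod": date(2011, 2, 6)},
    {"path": "/wp-admin/edit.php", "lastmod": date(2011, 2, 6)},         # private: dropped
    {"path": "http://other.example/page", "lastmod": date(2011, 2, 6)},  # off-site: dropped
]


def sample_sitemap():
    """Sitemap for the constructed posts under an assumed blog origin."""
    return build_sitemap("http://blog.example.com", SAMPLE_POSTS)


if __name__ == "__main__":
    print(sample_sitemap().decode("utf-8"))
```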
So there it is, 5 Basic Things Any Blogger Should Know About SEO and that could have dramatic effects on your traffic. If this has been useful and you get results please let me know in the comments!
Summary
=======
On January 16th, 2011 at 10PM PST Heroku was notified of a
security vulnerability by David E. Chen, a long-time customer.
We deployed a fix to our production environment the following
day, January 17th, 2011 at 2pm PST.
We have done extensive analysis and have no reason to suspect
this vulnerability was exploited. However, we believe it is
important to let the community know about the situation and what
we are doing to prevent similar issues in the future. As a
precaution, we are working with add-on providers to change all
credentials. We also recommend that users should change any
manually set credentials in their apps as well.
Details on Vulnerability
========================
The vulnerability was a window through which an unauthorized
user could potentially gain read-only access to an app’s deployed
code and configuration variables.
We confirmed the vulnerability, determining that it was
introduced on December 28th. The underlying bug was fixed on
Monday January 17th, the day after we learned about it. It is no
longer possible to exploit this vulnerability. We do not believe
that any customer data was accessed or changed. We have
thoroughly audited our logs for that period and have found no
evidence that anyone exploited this vulnerability.
Consistent with best practices for security incidents, to
minimize the risk of a 0-day exploit, we waited 5 days to notify
the community and work with our add-on providers on a
precautionary mitigation plan.
Precautionary Actions
=====================
We believe it is important to take all prudent steps to ensure
the safety of apps. Heroku uses environment variables to provide
configuration information to apps. These variables often include
things like database passwords, API tokens, and credentials that
are used to access add-ons or other third-party services.
Although there is no evidence that these were compromised, we are
taking additional steps to protect users.
Actions Heroku Is Taking
————————
Our add-on partners have been notified of the problem and advised
to update the credentials for all Heroku apps. You can track the
status of credential changes for all add-on providers
at http://status.heroku.com/20110116-credentials. We expect all
add-on credentials to be updated within the next week.
We have already started rolling credentials for all Heroku hosted
PostgreSQL databases and expect to complete the update
this weekend.
The process of updating credentials will require restarting all
apps. While we do not expect any apps will have issues with the
update, if you do run into any issues please open an urgent
support ticket at <http://support.heroku.com>.
Actions App Developers Must Take
——————————–
Some apps may make use of hard-coded credentials in either their
source code or manually set configuration variables. As a
precautionary measure, we recommend that you update these
credentials.
Some examples of hard-coded credentials may include:
* Amazon RDS credentials - http://docs.heroku.com/amazon_rds#changing-your-credential
* Amazon S3 credentials - http://docs.heroku.com/s3#updating-your-s3-credentials
* Heroku username and password, often used by automatic scaling plugins. Visit <https://api.heroku.com/account> to change your password.
We have enabled advanced releases (http://docs.heroku.com/releases)
on all apps for free for the next 2 weeks, providing rollback
capabilities and a log of changes made to your app. To use,
update to the latest gem (`sudo gem update heroku`) and run
`heroku releases`.
If you need help or have further questions about the incident,
contact us at <http://support.heroku.com/>
Preventative Changes
====================
We are making several changes to our process and technology
architecture in an effort to prevent this type of security
regression in the future. First, we have introduced automated
regression testing to specifically check for permission issues.
Second, we have expanded our security audit review process for
all changes on the platform. Third, we are increasing the
frequency of both internal and external security reviews to help
ensure that we are continually following the industry best
practices. Finally, we are testing a new environment for
isolating customer processes from one another that will provide
a second layer of protection beyond filesystem permissions.
Reporting Security Issues
=========================
We want to thank David E. Chen for his contribution to our
community by helping us to identify this issue and working with
us to resolve it. Heroku is committed to continued improvements
to our trust and transparency. Any individuals who believe
they’ve identified a security issue within Heroku should contact
us at security@heroku.com
Sincerely
- Heroku Security Team
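The notice above makes two practical requests of app developers: keep credentials in config vars (environment variables) rather than in source, and rotate any that were hard-coded. The Ruby below is an added example, not Heroku's code or part of the notice. It scans application source for the credential shapes the notice lists (an AWS access key ID, a database URL with an embedded password, a literal assigned to a password/secret/token variable) and shows a loader that reads a required setting from the environment and fails at boot if it is missing. The regexes and the sample source are constructed for illustration; the key in the sample is not real.

```ruby
# Added example (not Heroku's code): find credentials hard-coded in source,
# and read configuration from environment variables instead.

# Credential shapes to flag. The AWS access key ID format (AKIA followed by
# 16 uppercase alphanumerics) and URL userinfo passwords are well known;
# the "assigned secret" pattern is a deliberately simple heuristic.
CREDENTIAL_PATTERNS = {
  'aws_access_key_id' => /\bAKIA[0-9A-Z]{16}\b/,
  'url_with_password' => %r{[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s/@]+@[^\s/]+},
  'assigned_secret'   => /\b(password|secret|api_key|token)\s*(=|=>|:)\s*['"][^'"]{6,}['"]/i
}.freeze

# Scan source text line by line and return one finding per match:
# { line: <1-based line number>, kind: <pattern name>, match: <matched text> }.
# Lines that already read from ENV are skipped; they are the desired pattern.
def find_hardcoded_credentials(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.include?('ENV[')
    CREDENTIAL_PATTERNS.each do |kind, re|
      m = re.match(line)
      findings << { line: lineno, kind: kind, match: m[0] } if m
    end
  end
  findings
end

# Read a required setting from the environment (a Heroku config var),
# raising at startup rather than failing later on a nil value.
def required_config(name, env = ENV)
  value = env[name]
  raise KeyError, "missing config var #{name}" if value.nil? || value.empty?
  value
end

# Constructed sample source; the key and password are not real.
SAMPLE_SOURCE = <<~RUBY
  # constructed sample, not real code or keys
  AWS_KEY = 'AKIAABCDEFGHIJKLMNOP'
  DB_URL  = 'postgres://appuser:hunter2secret@db.example.com/app'
  S3_BUCKET = 'my-bucket'
  heroku_api_key = ENV['HEROKU_API_KEY']
RUBY

if __FILE__ == $PROGRAM_NAME
  find_hardcoded_credentials(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: #{f[:kind]} -> #{f[:match]}"
  end
end
```

Run against the sample, the scanner reports the AWS key on line 2 and the database URL on line 3 and passes over the ENV lookup on line 5. Anything it reports is a credential that must be rotated, not just moved: once a value has been committed it should be treated as exposed regardless of where it now lives.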
Notes: Tried a protein shake when I woke up this morning and worked well. Trying consciously to shift the balance of the calorie intake to earlier in the day. Weighed in at 216.6 lb this morning so close to pre-binge weight but it’s Weds! Planning to binge less this weekend (1.5 normal calories as opposed to over 2 x).
Breakfast : 2 scoops of protein shake mix (Whole Foods Soy Protein) mixed with water, scrambled eggs and bacon – 751 calories
Lunch : Beef – 350 calories
Afternoon snack : Shrimp, tomatoes, salsa and teaspoon of almond butter – 280 calories
Dinner : 2 egg omelet, eggology, large helping of chopped bell peppers and ham – 390 calories
Notes : Late for work so skipped normal breakfast and substituted an Odwalla protein monster. Thanks to a comment on the blog (Hoff) suggesting a 30g protein shake and then a mid-morning snack. Plan to try that. Spoon of peanut butter tonight and checked the ingredients. Despite the organic labeling it had sugar. Need to get some almond butter from Whole Foods, which is nothing but almonds! Another low calorie day, need to meal plan better.
Weights : 218 lbs
Breakfast : Odwalla protein shake – 400 calories
Lunch : prime rib and green beans – 494 calories
Dinner : beef salad – 474 calories
Evening snack : teaspoon of peanut butter – 100 calories