Web Security Web Technology

Contact Forms are Totally Lame

Remember the mid-to-late 90’s?

Music was awesome, there were less browsers to support, and people got spammed to death if they posted their email address online.

Having your email address posted online was the worst thing that could happen to you. We didn’t have spam filters back then. You would get so much unmanageable spam that you would have to change your email address. It was that bad. You had to tell everyone you knew about your new email address, then just kiss the old one goodbye. It was ok, though, because normal people just didn’t post their email addresses online.

Ah, but the bloggers…

That’s right, those pesky bloggers with their please-contact-me egos. They had to find ways to post their email addresses on their websites. What did they do?

First, they did nothing. And got spammed. It sucked.

Contact me at!

Then, obfuscation kind of caught on. So instead of writing your email address in plain HTML, you would write some basic JavaScript that would dynamically insert your email address into your mark-up. This worked pretty well, until the spammers got wise and updated their tools to match.

Contact me at !

You have JavaScript disabled, so you can’t see the JavaScript example.

Next, everyone settled on this idea that instead of linking your email address automatically, you could hint at what your email address is and let the users figure it out — and manually punch it into their email clients.

This worked well against spammers, because it made it look like there was no email address. But it also worked against users, burdening them with added responsibility. It was annoying then, but understandable. When people do it now, it’s just plain annoying.

Contact me at my first name at dan-menard dot com!

Finally, serious bloggers settled on the contact form. Instead of posting an email address online, these bloggers would post a form that asks you to enter your name, the subject, and the content of your email. When the user submits the form, some back-end server somewhere fills in the email address, far and away from anything spammers can see or touch.

Enter your name:

Enter your email address:

Enter the email subject:

Enter your message:

(That form doesn’t actually do anything, especially when you have JavaScript disabled.)

This was a foolproof anti-spam system, and held up well until Gmail came along and I never saw another spam message ever again. Wait, that’s worth repeating on its own line:

Then Gmail came along and I never saw another spam message ever again.

Seriously. I have three email accounts that I use daily, all of them running on Gmail. Do you know how often I see a spam message in my inbox? Maybe a few times a year. And I post those addresses online as much as I please. I don’t even think about it anymore.

And this is where we get to the point I’m trying to make:

Why are people still using contact forms?

Contact forms are unfriendly. Have you ever tried to write a heartfelt, meaningful message in one of those things? It’s impossible! They remind me that I’m monotonously typing into a machine when I should feel like I’m composing a message to a real person. I cringe whenever I see one.

They’re just not necessary anymore. We have spam filters! They work! You can post your email address online and you won’t get spammed. I promise!

And it’s pervasive! Blogs that I know and love still use them. Forcing me to shoehorn my beautiful prose into their stale, no-longer-necessary and mildly-annoying form.

I don’t get it.

I just want to use my own email client to write them an email on my own terms. Why are they making this so difficult?

Web Security

Security B-Sides Ottawa

I spent last Friday and Saturday at an information-security conference here in Ottawa. I had a really great time, and just in case you weren’t paying attention to my constant spamming via Twitter, here’s a slightly more cohesive summary of how it went down:

What is Security B-Sides?

Security B-Sides is a sort of unconference for the information security community. It’s free and community-driven, and still attracts some fantastic speakers. There have been eight of them to date, and this was the first to be held outside of the United States.

There are at least half a dozen planned for 2011, so if this is your kind of thing, see if you can make it to one near you!

The organizers did a great job bringing B-Sides to Ottawa.

They would be local information security rockstar Justin Foster, western Canada’s D-List infosec celebrity Andrew Hay, and self-proclaimed “infosec curmudgeon” Peter Hillier.

The event was hosted at Tuscon’s, a blues bar/restaurant in town (the staff there were fantastic, by the way). Justin managed to chase down a myriad of talented speakers, which we’ll get to in a moment. It was a two-day conference, with free admission, free food, and (some) free drinks. Registration maxed out at 125 well ahead of time, and at least on the Friday it looked like a full house. This was especially good for the unconference vibe, as the layout of the restaurant (many small tables) encouraged lots of chatter among attendees.

All in all, it was a total hit. Now, on to the speakers!

First up was organizer Andrew Hay, talking about his D-List status.

Andrew discussed celebrity status within the infosec community, and how other than a few big names there really aren’t that many well-known computer security experts, especially in the B- and C-list range. Therefore, he says, more or less everyone is on the D-list by default. He encouraged all of us to get out there and join the community. He’s quite the role model!

Oh, and his slides featured a picture of himself in a dress. All in all, a solid opening to the event.

Next up was Kellman Meghu, explaining some information security lore.

Kellman‘s talk was hands-down my favourite for day 1. He debunked a number of myths relating to computer security, and told some great stories about common mistakes made back in the early days of the interwebs. It was very insightful, and just as funny — he had the audience in stitches almost the entire time.

One of my favourite things about this talk was that it wasn’t targeted at any particular level of knowledge. Everyone watching could relate to his points and jokes, and all of it was appropriate for the given audience. If you ever get a chance to see Kellman talk, don’t turn it down.

After that was lunch, and then a talk about Star Trek.

Well, a talk about paradigms in information security, but using Star Trek as a metaphor — complete with clips and lame jokes. This one was full of surprises (it was added in a last-minute line-up change), but I couldn’t really relate to it. I’m not even a little bit into Star Trek, so most of the comedy was lost on me, and the material didn’t quite stack up to Kellman’s. A lot of people were into it, though, so maybe it was just me.

Then there was Peter Hillier’s EMR talk.

This was a presentation I was really looking forward to. We do a lot of healthcare work at my 9-to-5, so I took a lot of notes as it’s not every day you get to hear a public-sector security expert discuss electronic medial records.

The main message I got out of the talk was that we’re currently seeing a big disconnect between vendors, doctors and regulators. All the knowledge related to what we need in terms of security and privacy features is held by the vendors, which leads to regulators largely ignoring security features in their legislation. This is frustrating for doctors, which are left to figure out the complex issues of security and privacy on their own.

This sparked some great discussions, and I caught up with Pete afterwards for a quick chat. He’s a stand-up guy, and a huge supporter of the infosec community in Ottawa (I recognized him from our local OWASP chapter meetings, and his Twitter account). Definitely the right kind of speaker for a B-Sides event.

Following a short break, Eric Skinner lectured us on authentication.

As in Eric Skinner from Entrust, the kind sponsor who bought us all lunch. Two things were particularly notable about this presentation:

First, it was a really good summary of modern authentication techniques. It wasn’t boring, even though the information is inherently dry, and the level of depth he went into on each topic was perfect for the given audience.

Second, you would never have guessed Eric worked at Entrust (they sell authentication solutions) if he hadn’t clearly disclosed it. He didn’t push any of his company’s products or services, and was completely fair in his analysis of each method of authentication he covered. This is very important for a conference like B-Sides, and it was good to see Eric do it right.

Wrapping up day one was a security debate.

This was pretty neat. Four security aficionados on stage, debating various security issues, led by the venerable Jack Daniel. I won’t go into too much detail about the topics, but they all led to some interesting conversations. Justin was handing out drink tickets at this point, so the chatter really started picking up in time for dinner.

Halfway done! Take a break if you need one. Otherwise, let’s get to day two:

Day 2 started out with a bit of math.

Specifically, Ahmed Masud explained how algebra can be applied to computer security in place of algorithms. The idea here was that algorithms are always heuristic in nature, and that the only way to ever truly reach 100% security will be with equations and problem spaces.

The math was a bit over my head, and I think a lot of the other attendees were also a touch lost. Interesting concept, though — definitely good food for thought.

Next up was a talk on fuzzing.

This was definitely one of the most popular talks of the entire conference. Karim Nathoo and Mike Sues gave an absolutely mind-blowing explanation of modern fuzzing techniques. It was a real eye-opener for a lot of people (myself included) and they played some recorded demos to illustrate their points. Definitely a winner.

On a somewhat-related note, Karim totally won a Macbook Air through a random draw on day 1. And he gave it to his wife. Having only been married for a month and a half, I’m still not sure if that was crazy or pure genius.

After lunch was Raf’s talk.

Rafal Los is a web application security evangelist for HP, and a funny guy. I met him on day 1 (he gave me a sticker!) and he was in the debate at the end of the day. He’s exactly the kind of speaker you want at a B-Sides event; there was an avalanche of heckling audience interaction during his talk.

Content-wise, he was talking about automated tools for security-testing web applications. His material was very interesting, and covered a lot of quality assurance concepts that I was aware of but had never really thought to apply to security. Very neat stuff.

Next was Ben’s talk on motivation.

Predictably, I loved this one. Motivation is becoming a big interest of mine, and Ben Tomhave‘s talk about how to motivate users with security in mind was absolutely stellar. I think he’s given this talk before, which means he might do so again, and if that’s the case I would suggest you listen in if given the opportunity. Everyone was talking about this one.

Then there was a big discussion about CERT.

I was completely lost on this one. There were a lot of public-sector folk at the conference, and this was less of a talk and more like a discussion among attendees being moderated by the speaker, Adrien de Beaupré. It was apparently very engaging and valuable to a lot of people, but I realized this would all be over my head right from the start when I had to use my phone to look up what a Computer Emergency Response Team was. A great presentation for a B-Sides event, just not my thing at all.

Finally, we learned a bit about Nmap.

I really didn’t know anything about Nmap going into this talk. Fortunately for me, the speaker (Ron Bowes) was a developer, so we clicked on that level. I learned a lot of interesting things (did you know Nmap is written in Lua?) and he did a fantastic job setting up demos considering Nmap is a network scripting framework and there was no wireless at the event.

Thanks to everyone I met and talked to!

Specifically, I’d like to call out Justin, Andrew, and Pete again for organizing everything, Mark and Ken for hanging out with me during the talks, Ben and Nicky for chatting/drinking with me and Norbert Griffin, who came all the way from Newfoundland to volunteer at the event and lent me a charge cable when my iPhone battery died.

Can’t wait to see you all again someday!

Web Security

Are Google Wave invites to blame for recent Hotmail/Gmail phishing attacks?

I have no idea how the recent Hotmail/Gmail account compromises actually took place. What follows is a simple hypothesis based on a somewhat embarrassing anecdote.

Like many of you, I am currently waiting for an invite to Google Wave. Imagine my joy when this came across my inbox one Tuesday morning:

Subject: Google Wave invite

Congratulations! You’ve been invited to Google Wave by your friend {a close friend of mine with a Wave account}. Click the link below to register:

Still half asleep (and now bursting with joy!) I open the link, suddenly thinking it’s strange that Google would use a url-shortener to send me a Wave invite. As you may have guessed, what was waiting for me was not a desirable HTML5 product but was in fact a YouTube video of Rick Astley performing Never Gonna Give you Up — yeah, I got rick-rolled a year after rick-rolling people was cool.

Now I’m fortunate that my dear friend (it was davefp) has a sense of humour – the truth is I technically just fell for a phishing scam, and I’m lucky there was no malicious intent involved. This got Dave and I talking; phony Wave invites would be a very opportunistic way to steal account credentials from eager Gmail users, and could be what caused the recent account compromises.

Let’s look at the reasons why I was inclined to trust the link in the email I received:

  1. I was expecting an invite
  2. It looked like an invite
  3. I was half asleep
  4. I was overjoyed

I was expecting an invite. There are thousands upon thousands of Gmail users anxiously awaiting Wave invites. There are thousands upon thousands more that have no reason to expect an invite but would still take one if one were offered to them. This is an exciting product, after all.

It looked like an invite. Sure the shortened url was one possible give-away, but even that could have been improved by masking the url with text that looked like a safe url, such as Add a couple of Google images and maybe a formal signature and this could have been a lot closer to foolproof.

I was half asleep. Admit it, you’re not always paying attention when you check your mail either. We check our email late at night, early in the morning, on our mobile phones, while we’re eating or playing with a pet; there are all kinds of distractions that may contribute to not paying full attention to routine tasks like checking email.

I was overjoyed. Don’t discount this one &#8212 human emotion is what sells a social engineering attack such as phishing. I had a rush of feelings and thoughts flying through my head as I clicked a link I barely looked at: who do I know that already has wave? I hope it’s awesome! who will I invite? I should thank Dave for inviting me! where’s the link for that two-minute introduction video I saw the other day?

Of course it could just be a coincidence that Wave launched a few days before a high-profile phishing scam, and it could be that I’m the only one stupid enough to fall for a prank like this, but at the very least I think it’s conceivable that a phishing attack based on Google Wave invites could have snagged 30 000 users or so from a group of major email providers.

Am I out of my mind? Have you heard a better explanation? Share some thoughts and leave a comment.