DRM is good for something

Many people are frustrated with Digital Rights Management preventing them from doing to music and e-books what they are used to doing with computer files – backups, convenience of having your media on all of your devices, and for some, piracy.  Of course, it’s the third that drives the need for DRM in the first place.

Recently I’ve been exposed to a use of DRM that I find very, very good. I’ve been using my iPad to access my library’s Overdrive section – essentially eBooks from the library. From the convenience of my couch at home or while away on vacation, I can browse online the books available, check them out, and download them to my iPad (or my kids’ Kindle, etc.) immediately. At the end of the two-week lending period, if I’ve not already deleted it/turned it back in, it automatically deletes for me. No more having to remember to do so.

This is GREAT!   Depending on the availability of the material, I may never have to buy a book again.   I’m finding that most of the county library websites I’ve visited have Overdrive collections as well.  My Fort Bend County account does not give access to a whole lot, but I also have a Harris County library card, and they have a lot more selection.   I checked out the Houston Public Library site this morning, and it has a fairly extensive collection as well, so I am going to try to go today and get a library card.    I can see that “collecting library accounts” could soon be a fun pastime.   🙂   The Houston Public Library offers accounts to any Texas resident… perhaps Austin, San Antonio, and Dallas have similar offerings.   Time to take advantage of tax dollars being spent!

Clickjacking

Clickjacking is a vulnerability where pages with sensitive functionality are placed in an invisible IFRAME that overlays seemingly innocuous content. By enticing the user to click various buttons in the innocuous content, the attacker gets the victim to click buttons that perform the sensitive functionality. Because the victim is actually interacting with the application through the hidden frame, the victim’s cookies, including the session identifier, are sent with each request. If the victim is already authenticated, any authenticated functionality is reachable this way.

Steps to reproduce:
1. Open the HTML file below in Internet Explorer, changing the IFRAME target to a web page that has a form input.

<html>
<head>
<title>Clickjacking</title>
<script>
// IE-only: window.event and window.status are non-standard
var keylog = 'Entered text: ';
function keypress() {
  keylog = keylog + String.fromCharCode(window.event.keyCode);
  window.status = keylog;  // show what was typed in the status bar
}
</script>
</head>
<!-- the outer page keeps keyboard focus and records every keypress -->
<body style="margin: 0; padding: 0"
onKeyPress="keypress()"
onLoad="this.focus()"
onBlur="this.focus()">
<div style="padding: 10px; border-bottom: 1px solid red; color: red;">
(see typed words in your status bar)
</div>
<!-- replace src with the page under test; padding/margin are not iframe attributes, so they go in style -->
<iframe src="https://www.somesite.com/"
width="100%" height="90%" style="padding: 0; margin: 0"
frameborder="0" security="restricted">
</iframe>
</body>
</html>

2. Enter text in any input field and observe that the page is hosted in an IFRAME and that the framing page echoes back the entered text. Creepy!

Pages that include form input need to prevent other pages from loading them in iframes and stealing keypresses. The following JavaScript can be used to “break out” of any frame and ensure that the site is loaded in the top window and not in a frame controlled by the attacker.

// Any one of these equivalent checks is enough: each redirects the top window
// to this page's own URL when it detects that the page is being framed.
if (top != self) top.location.href = self.document.location;
if (parent != self) top.location.href = location.href;
// Note: this variant also fires when the page itself contains frames, since it counts
// the top window's child frames rather than checking whether this page is the top.
if (top.frames.length != 0) top.location = self.document.location;
if (window != window.top) top.location.href = location.href;
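
The check a practitioner would run before relying on the script above, as an added example that is not code from the original post: it reads the response headers browsers consult before any script runs, Content-Security-Policy frame-ancestors (which takes precedence) and X-Frame-Options, and decides whether a page can be framed at all, the precondition the attack depends on. The header objects and origins used in the comments are constructed for illustration.

```javascript
// Added example, not from the original post: decide whether a page served with the
// given response headers may be framed by a page at framerOrigin.  Browsers apply
// CSP frame-ancestors first and ignore X-Frame-Options when that directive is present.

// Returns the source list of a frame-ancestors directive, or null when absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Matches a CSP host-source (e.g. https://*.example.com, example.com, https:)
// against an origin.  Simplification: ports and paths in the pattern are ignored.
function hostSourceMatches(pattern, origin) {
  const url = new URL(origin);
  if (/^[a-z]+:$/.test(pattern)) return url.protocol === pattern; // scheme-source
  let host = pattern;
  const scheme = pattern.match(/^([a-z]+):\/\//);
  if (scheme) {
    if (url.protocol !== scheme[1] + ':') return false;
    host = pattern.slice(scheme[0].length);
  }
  host = host.split('/')[0].split(':')[0];
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// headers: object keyed by lowercase header name.  true means the page is framable
// from framerOrigin, i.e. the IFRAME setup above would be able to load it.
function mayBeFramed(headers, pageOrigin, framerOrigin) {
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors) {
    if (ancestors.includes("'none'")) return false;
    return ancestors.some((src) =>
      src === '*' ||
      (src === "'self'" && framerOrigin === pageOrigin) ||
      (!src.startsWith("'") && hostSourceMatches(src, framerOrigin)));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no (or unrecognised) header: any site may frame the page
}
```

A page that returns true here for an arbitrary framerOrigin needs the headers added; the frame-busting script alone is a fallback, not the primary control.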

Add Swap File to Amazon EC2 Instance

I’m playing around with a free-for-a-year micro instance of Amazon’s Elastic Compute Cloud (EC2), and I noticed that while there was around 600 MB of memory, there was no swap set up! That can grind things to a halt pretty fast. So I set one up:


[root@tauceti ~]# free
total used free shared buffers cached
Mem: 605060 596996 8064 0 68568 440104
-/+ buffers/cache: 88324 516736
Swap: 0 0 0

[root@tauceti ~]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/xvde1 6190664 1344280 4531916 23% /
tmpfs 302528 0 302528 0% /dev/shm

[root@tauceti ~]# dd if=/dev/zero of=/swapfile1 bs=1024 count=524288
524288+0 records in
524288+0 records out
536870912 bytes (537 MB) copied, 14.8886 s, 36.1 MB/s

[root@tauceti ~]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/xvde1 6190664 1870116 4006080 32% /
tmpfs 302528 0 302528 0% /dev/shm

[root@tauceti ~]# mkswap /swapfile1
Setting up swapspace version 1, size = 524284 KiB
no label, UUID=767b5917-4ff4-453e-bb3a-db644a7a7824

[root@tauceti ~]# chown root:root /swapfile1
[root@tauceti ~]# chmod 0600 /swapfile1
[root@tauceti ~]# swapon /swapfile1
[root@tauceti ~]# echo '/swapfile1 swap swap defaults 0 0' >> /etc/fstab

[root@tauceti ~]# free
total used free shared buffers cached
Mem: 605060 597368 7692 0 68576 440104
-/+ buffers/cache: 88688 516372
Swap: 524280 0 524280

Cloud Backups

I got started using Amazon Glacier today – it’s ultra low cost cloud storage, with the caveats that if you want to get anything, it’s a few hours’ turnaround time, and also that the only real access to it is via a programmatic API. To the first, that’s fine, as I am looking to use it for backups for my server at home, and hopefully will never have to get the stuff. As for the second, well, there are already plenty of third-party clients that have been written using the API! I am using CloudBerry Amazon S3 Explorer, which supports Glacier as well. I’ve already uploaded some RAW camera files, about 200 MB worth… Now to downsize those to small images on my server and get rid of the big digital negatives that are backed up in Glacier… Fun stuff.

Adding Trusted Root Certificate Authorities to iOS (iPad, iPhone)

As the manager of a web administration team, I’ve encountered several teams who have had trouble adding internal Certificate Authorities to iPads and iPhones… and I don’t blame them; it’s not obvious.

To add private CA certs to your iPhone or iPad, you will need:

  • The iPhone Configuration Utility (Windows or Mac)
  • Your iPhone or iPad physically connected via cable to said Windows or Mac machine. It’s tempting to try to add the resulting .mobileconfig by downloading it wirelessly over a browser, but it will not be trusted.
  • The cert file(s)

Once the above requirements are met, do the following:

  1. Start the iPhone Configuration Utility.
  2. Under “Library”, select “Configuration Profiles”.
  3. Click the Add New button on the top left.
  4. Fill out the mandatory General information tab contents.
  5. Under the Credentials section, add the CA cert or certs.
  6. Attach your iOS device if it is not already connected.
  7. Select your device in the iPhone Configuration Utility, and select its Configuration Profiles tab.
  8. You should see the profile you just created with an “Install” button on the right – click it.
  9. On your device, you will see a profile installation dialog – hit the Install button and follow the directions.

That’s all; the CA profile should be installed and verified with a green check. I hope this helps some of you out there.

This process can also be used to install client SSL certs on the iPad.