Web Admin Blog Real Web Admins. Real World Experience.

12Jan/091

Beware The Wolf In Supplier’s Clothing

As you all know, the economic climate of 2009 is a cold, cold winter indeed.  And like wolves starved by the cold and hardship of the season, our suppliers have turned feral.

When everyone's sales slip due to the down economy, companies (and individual sales reps) are desperate to make their numbers.  How are they doing it?  By trying to jack up maintenance costs, in some cases by more than 100%!  It's way more than isolated incidents; all our maintenance renewals coming up are meeting with hugely inflated quotes.  And not fly-by-night companies either, I don't want to name names but let's just say I am confident everyone out there has heard of all of them.

So protect yourself.  In your dealings with your supplier reps, start making it clear way ahead of time that your economic situation sucks too and you certainly expect that there's a price freeze in place.  Don't put up with it either - they know they're going to make plenty of money off all the goons they send quotes to who will just rubber-stamp it and send it on so they can return to ESPNZone (I'm looking at you, State of Texas).  If you put up enough resistance they'll go looking for easier pickings, just like those mean ol' wolves do.    We had one outfit that wanted to jack up our maintenance cost by $125k a year, but luckily our IT director is a firm lady who has no problems with browbeating a sales rep until he cries.  In the end, we let them have a 5% increase because we ended up feeling sorry for them.

And have a backup plan.  If they really do have you over a barrel, then you're low on leverage - you can try offering reference calls, presenting at conferences, and other handy non-cash incentives to them.  But when it comes down to it, you need to be able to walk away from them.  And to do this you need to plan ahead.  There are very few things that there's only one of.  Have multiple suppliers lined up, and have a plan to change hardware or software if you have to.  Also look into open source, or third party support - even if it's "not as good," these days you have to decide how much good is worth how much money.

Now don't get me wrong, we like to partner with our suppliers and treat them friendly.  Win-win and all that.  But good fences build good neighbors, and there's nothing friendly about showing up and saying  "Hey, your operations will grind to a halt without our product, so stick 'em up and give me double this year!"

Be advised, that gleam in Bob the Sales Rep's eyes will be a little hungrier than usual these days, and he's gotta eat one of God's little forest creatures to live.  Just make sure it's not you.

Tagged as: , 1 Comment
24Sep/0815

New 0Day Browser Exploit: Clickjacking – OWASP AppSec NYC 2008

This talk was rumored to have been cancelled at a vulnerable vendors (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway.  Here's my notes from the semi-restricted presentation.

Jeremiah started off with a brief introduction on what clickjacking is.  In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits.  The problem affects all of the different browsers except something like lynx.  The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.  It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.  With this exploit, once you're on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.  "A normal user wouldn't have any idea of what is going on.  People in this audience may see something a little different from what they would expect and you would definitely see the results in the page's source code."  Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this.  "It makes it easier in many ways, but you do not need it."  Use lynx to protect yourself and don't do dynamic anything.  You can "sort of" fill out forms and things like that.  The exploit requires DHTML.  Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page.  Each click by the user equals a clickjacking click so something like a flash game is perfect bait. The issue and fix will probably be originally released on http://ihackcharities.org.

My Analysis: It sounds like the exploit basically creates a frame that is hidden underneath the main content frame that a user is seeing.  The main content could be a flash game or any sort of incentive to keep a user clicking.  All of the clicks that the user is making are used to click on content in the hidden frame. Again, just my speculation based on the information provided by RSnake and Jeremiah above.

15Jul/083

SaaS Headaches

There's a lot of promise in the new SaaS (software as a service; what used to be called ASPs, or Application Service providers, till Microsoft crapped all over that acronym) and newer PaaS (platform as a service) spaces (and look for a steady stream of new "aaS"es to come).  However, there are a lot of gotchas in signing on with a SaaS vendor.  You'd like to be able to believe that they have decent performance, uptime, security, etc., especially after the tell you "Oh, all kinds of big companies use us; Dell, IBM..."  This is exacerbated by SaaS often being an "end run" around IT in the enterprise, so naive users can get sold a bill of goods without proper technical oversight.  SaaS is a big buzzword now, and there are a lot of startups springing up that do not necessarily have experience running large scale sites.  Think about how many MMORPG games still get scuttled due to poor operational performance.  SaaS is the same.

Here's some things to keep in mind when selecting a SaaS vendor, laced with real life horror stories from our experiences.

1.  Performance/Availability.  Set a hard performance/availability SLA in the contract.  Many vendors won't even have an SLA clause, or they'll have one that says "99.9% uptime!" without any remedy clause for what if they don't hit that.  You want a clear SLA with a clear measurement method and clear "money back" if they don't hit it.  We use a 2 second global performance SLA as measured by a Keynote Global 35 monitor.  But the SLA isn't the whole story - you are counting on these people to accomplish your goals.

Tagged as: , Continue reading