News Blog

Read all 'Ajax' posts in News Blog
June 3, 2008 8:58 AM PDT

Goosh: A retro Web app with cutting-edge interface

by Stephen Shankland
  • 2 comments

If ever something was neither fish nor fowl, it's Goosh, a Web-based command-line interface for Google.

On the one hand, Goosh creator Stefan Grothkopp shows off the power of Web 2.0 applications, with the browser becoming much more than a mere vessel for surfing from one hyperlink to another. People type into the browser window, and Goosh interprets their requests, runs them through Google's services, and displays the result.

With Goosh--short for Google shell--typing "web asparagus" retrieves a textual listing of the top four Google search results for the vegetable. Typing "translate en de cat" returns "Katze." Typing "lucky venerable bede" takes you to the top-ranked search result for the Northumbrian monk and scholar.

On the other hand--it's a command-line interface, for goodness sake!

CLIs are adapted more to the computer's way of thinking than to an average person's. But they continue to thrive with technical folks such as programmers or administrators of Unix and Linux machines. Mac OS X, with Unix underpinnings, has a command line, and Microsoft Windows does, too.

I have a soft spot in my heart for the command line, though my vocabulary is tiny and I'm no great master of piped output. What's potentially more interesting is if, as Mashable suggests, Goosh was endowed with external hooks so it could be usable in instant-messaging or other applications.

I like Goosh, though I have a couple of beefs with the beta service. For one thing, it would be nice if there were a blinking cursor after the prompt; I only saw one some of the time. For another, using the "lucky" or "video" command performs some browser sleight of hand that makes it impossible to navigate back to Goosh.

Goosh gives a Web-based command-line interface to Google.

(Credit: Goosh)

May 27, 2008 8:30 AM PDT

Google to update Web toolkit?

by Stephen Shankland
  • 1 comment

Google is expected to update its Google Web Toolkit (GWT) this week at its new developer conference, according to eWeek.

GWT is designed to help programmers write richer Internet applications with Ajax, the JavaScript programming technique behind interactive sites: developers write in Java and GWT compiles the result to JavaScript. The project was released as open-source software in 2006 with version 1.3, and the current version is 1.4. There are several GWT talks at the Google I/O conference.

Google has been working on improving GWT's performance, Java compatibility, and developer tools, eWeek said.

April 23, 2008 5:41 PM PDT

Web 2.0, meet Internet attack 2.0

by Stephen Shankland
  • 1 comment

SAN FRANCISCO--The glitzy, interactive abilities of Web 2.0 have led to a profusion of new applications, but the technology also is bringing a new era of security vulnerabilities, a security researcher warned Wednesday.

"Security was a challenge to begin with, but if anything it's getting harder in the Web 2.0 world," said Jacob West, manager of the security research group at Fortify, a company that helps companies make sure their software is secure. He made his comments during a talk at the Web 2.0 Expo here.

Jacob West, manager of the security research group at Fortify, says Ajax technology means more vulnerabilities.

(Credit: Stephen Shankland/CNET Networks)

A big culprit is JavaScript, a language that's widely used to control Web browsers and enable more sophisticated operations. JavaScript has been around for more than a decade, but new risks are emerging since it's a major component of Ajax, a Web 2.0 technology used to build richly interactive sites.

"The number of unique problems from Ajax will remain pretty small," West said in an interview after his speech. But Ajax means that JavaScript is being used much more widely and in much more complicated ways, so existing vulnerabilities are more widespread, and "attack techniques are improving quickly."

He did describe one Ajax-specific problem, called JavaScript hijacking. A hostile Web page includes a victim site's data endpoint with a script tag; the browser fetches it with the victim's cookies attached, and because the response is itself valid JavaScript, the hostile page can read the confidential data it contains and send it to an attacker.

"JavaScript hijacking is Ajax-specific," West said. It relies on the transmission of personal information packaged as JavaScript code, and "transmitting information with JavaScript is unique to Ajax code."

Another problem Ajax brings is that the JavaScript is more complex and therefore harder to test. And more sophistication brings more opportunities for problems with "input validation"--making sure that text typed into forms, for example, isn't actually code that could sidestep ordinary scrutiny and run in somebody else's browser.

West was pessimistic that fundamental progress would help reduce vulnerabilities. Companies with browsers and Web sites are reluctant to embrace change that would break compatibility with older technology, for example.

"We're talking about fixes that are going to come in the 10-year time frame," he said.

But some are working to at least close up the holes. For example, programmers working on Direct Web Remoting (DWR) and the Google Web Toolkit (GWT) updated their Ajax programming toolkits to head JavaScript hijacking attacks off at the pass.

Other toolkit makers were not so responsive, though, he said: "Microsoft and Yahoo wrote back and said, 'Nope, we're not going to fix that.'"
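The mechanics of the attack West describes, and the two kinds of fix DWR and GWT adopted, as an added example that is not Fortify's, DWR's or GWT's own code. The account data, the prefix string and the header name are illustrative assumptions (the prefix is one several large sites still use). Engines of the 2007 era let a page redefine `Array` or add setters to `Object.prototype` and so observe values from a cross-site script; current engines no longer do, but the prefix and the POST-plus-custom-header requirement remain standard practice because they do not depend on engine behaviour.

```javascript
// Added example (not Fortify's, DWR's or GWT's own code): a JSON endpoint
// that answers with a bare array literal, and two mitigations of the kind
// DWR and GWT adopted. Data, prefix and header name are assumptions.

// Constructed sample: what an authenticated user's Ajax call might return.
const accountData = [{ account: "12345678", balance: 1042.17 }];

// Vulnerable: a bare array literal is a valid JavaScript program. A hostile
// page can load it with <script src="https://bank.example/accounts">; the
// browser attaches the victim's cookies, and an engine that lets the page
// redefine Array (or add setters to Object.prototype) hands over every value.
function vulnerableResponse(data) {
  return JSON.stringify(data);
}

// Mitigation 1: prefix the body with bytes that are a syntax error when run
// as a script, but trivial for the same-origin XMLHttpRequest client to strip.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function hardenedResponse(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

function unwrapHardened(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Models the <script>-tag attack: would this body compile as a program?
// Compiles only; nothing is executed.
function executesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Mitigation 2: only honour requests a hostile page cannot forge. A <script>
// tag can only issue a GET, and neither it nor a plain cross-site form can
// set a custom request header, so require POST plus such a header.
function isSafeAjaxRequest(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name.toLowerCase()] = value;
  }
  return req.method === "POST" && headers["x-requested-with"] === "XMLHttpRequest";
}

// Stand-alone demonstration.
console.log("bare JSON runs as script:", executesAsScript(vulnerableResponse(accountData)));
console.log("prefixed JSON runs as script:", executesAsScript(hardenedResponse(accountData)));
console.log("legitimate client recovers:", unwrapHardened(hardenedResponse(accountData)));
console.log("script-tag style GET accepted:", isSafeAjaxRequest({ method: "GET", headers: {} }));
```

The header check only works because browsers refuse to attach custom headers to cross-site requests made without the target's consent; a server that also enables permissive CORS for that endpoint gives the protection away again.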


April 3, 2008 1:28 PM PDT

Zimbra Web e-mail goes mobile

by Martin LaMonica
  • 1 comment

Zimbra Thursday released a version of its Web e-mail client that works on Java-enabled mobile phones and Apple's iPhone.

Zimbra e-mail client on BlackBerry, iPhone, and Nokia handset

(Credit: Zimbra)

With the release, Zimbra, now a division of Yahoo, also published the source code for the product, called ZimbraME (Java Mobile Edition).

People can also use the software with a commercially supported version of the Zimbra Collaboration Suite 5.0, which the company released earlier this year.

With Java-enabled phones, people can use the downloadable software to get e-mail or access Zimbra's calendar.

March 19, 2008 4:00 AM PDT

How does Google's 'Web platform' differ from others?

by Martin LaMonica
  • 6 comments

Google will hold a developer confab in May, called Google I/O, to discuss the challenges of writing applications for the Web.

This year's two-day event in San Francisco is larger than last year's Google Developer Day, its first organized conference aimed specifically at Web developers.

While the format is different--there will be more in-depth technical sessions and tutorials for newbies who want to write mash-ups--Google's developer strategy remains the same.

Why do they court developers? To encourage creation of more and better Web applications, said Tom Stocky, a senior product manager at Google, on Tuesday.

"We're trying to get more users, in general. We want to increase the number of users and the amount they use the Web. And improving the platform is the best way to do that, we've found," Stocky said.

What will be different this year is an increased focus on developing social applications, reflecting Web development in general. Google will have sessions on social applications, including ways to use OpenSocial, which is designed to let people share information on social networks among different applications.

There is also a track on mobile development, including ways to use Google Gears for Mobile and Android, the mobile phone platform Google and its partners introduced last November.

All the same Web platform?
Google, of course, is hardly the only tech company that is attracting Web developers to its "platform."

Salesforce.com sells subscriptions to a customer relationship management application, but when you talk to the company's CEO, Marc Benioff, you quickly understand that he is betting that its development platform, called Force.com, will fuel growth in the future.

Other Web giants--Yahoo, eBay, and Amazon--all have their own developer programs as well.

But the company set to shake things up the most in Web service development is Microsoft, which just hosted its own Mix Web development conference.

It already has many application programming interfaces (APIs) to its Web services, from Virtual Earth to Windows Live Messenger, and continues to release more.

More significantly, Microsoft understands platforms, how to build a thriving "ecosystem" of third-party applications and partners, and how to make money for everyone involved.

Microsoft Chief Software Architect Ray Ozzie has laid out a vision of providing a unifying development model for a wide range of applications, from classic client-server Windows applications to Web services mashups using Silverlight.

On a technical level, Google's push to attract developers to the Web has a slightly different flavor than others.

Stocky said that Google's focus with tools and APIs is JavaScript and good Ajax development practices.

Of course, Google doesn't have a legacy development tools business, as Microsoft and Adobe do, that needs refreshed tooling to write applications for the Internet "cloud."

In addition, Google wants to promote technologies that work in all browsers, not things like Flash or Silverlight that require a special plug-in and are proprietary.

"If anyone's going to push the Web forward, we want them to do it in a way that benefits everyone," Stocky said. "We don't have an underlying platform we're selling. We're trying to improve the Web as a platform...and increase usage of the Internet as a whole."

Google's own engineers were able to push the boundaries of Ajax. Its first release of Google Maps, where users can drag a map around a browser, inspired many developers to push the limits of Webware.

Stocky said that one of the goals of Google I/O is to garner some feedback from developers on where they are hitting the limits of Web development. But it's clear that Google wants to ride--and push--the momentum toward more capable Web applications.

"In general, every developer I know is trying to learn more and more JavaScript and Ajax best practices," he said. "It's where programming is going."

March 13, 2008 7:12 AM PDT

IBM donates code to secure Ajax mashups

by Martin LaMonica
  • Post a comment

IBM on Thursday said it is donating code for securing mashups to the OpenAjax Alliance, a group of vendors and open-source Ajax projects.

The software, called Smash (for secure mashups), is designed to make it easier to keep the components and data sources of a mashup isolated from one another, so that a malicious or compromised component cannot read or tamper with data belonging to another, according to IBM.

Better security for Web applications built with Ajax is generally a good thing.

For IBM, this is particularly important because the company is trying to build tools that let business users create their own mashup applications. Without better security, IT managers could block the use of these tools.

For more technical details, a blogger at Web application development and design firm Pathfinder Associates dug out an IBM research paper on Smash.

February 4, 2008 9:00 PM PST

Now Yahoo's, Zimbra takes mail and documents offline

by Martin LaMonica
  • 5 comments

At Zimbra, the game plan remains largely the same, even after consumer Web giant Yahoo acquired the company last year for $350 million. But what happens if Microsoft succeeds in its acquisition of Yahoo?

Zimbra on Tuesday will release a new version of its e-mail and collaboration software, with features for reading mail and creating documents offline from a Web browser.

Zimbra Documents lets people create and share documents and mashups from a browser.

(Credit: Zimbra)

Zimbra Collaboration Suite 5.0 also adds support for BlackBerry clients and phones equipped with Java 2 Micro Edition, and now has integrated instant messaging.

The features were part of Zimbra's product plans before Yahoo acquired it and its business plan remains largely the same, according to Satish Dharmaraj, Zimbra co-founder and now Yahoo vice president.

While Yahoo Mail is aimed primarily at consumers, Zimbra sells its server software to universities, businesses, and Internet service providers. Not counting a deal with Comcast last year, it has 11 million people using its software, said Dharmaraj.

"My charter and business objective inside Yahoo is to spread as wide a net as possible for Zimbra in ISPs, .edu's (educational organizations), and the business space worldwide," Dharmaraj said.

The company was founded on the notion that there should be better Web-based, cross-platform alternatives to Microsoft Office. So its sales to universities and businesses compete directly with Microsoft. (Dharmaraj and I spoke before the proposed Microsoft-Yahoo merger was made public.)

In the consumer Web market, engineers are starting to improve Yahoo Mail with some of Zimbra's technology, he added. For instance, Zimbra's calendar application will find its way into Yahoo Mail.

Zimbra's technology is based entirely on Ajax, the Web-programming model that allows people to use sophisticated features like mashups from a Web browser.

The new version's Desktop application lets people create and share text documents from a browser and embed spreadsheets within them.

The offline capability of Desktop will allow someone to access different e-mail accounts, such as Gmail and corporate mail. In the Tuesday release, that feature is in beta and is expected to be generally available later in the first quarter. Zimbra provides an open-source version of its server software and charges for a higher-end commercial edition.

Update: Dharmaraj on Saturday posted a response to a question about Microsoft's proposed merger on a product forum, saying that "nothing has changed."

Originally posted at Webware
September 10, 2007 10:39 PM PDT

AjaxWindows: Most interesting Web OS experiment yet

by Rafe Needleman
  • 5 comments

I still don't fully get the whole Web operating system concept. Why run an OS inside a browser when your browser is running in an OS to begin with? But AjaxWindows, a Web OS and application suite that launched today, makes a very good case for the Web OS. It's not ready yet for adoption by the world at large, but the idea behind it, and some of the features in it, are too interesting to write off as just yet another science project.

Ajax13, the company that makes AjaxWindows, was originally started to create Web-based applications. It made a word processor, sketching program, and a presentation application. Founder Michael Robertson realized that making yet more productivity applications (see also: Google, ThinkFree, Zoho, etc.) wasn't a Most Likely to Succeed strategy, so he's rolled these applications into an ambitious Web-based operating system. It worked for Microsoft, I suppose.

It looks like a desktop OS, but it's really a very fancy Web service.

The AjaxWindows environment is a very convincing (if slower) simulation of a real desktop OS. It lets you (or simulates, I can't tell) open multiple applications in different windows, and if you expand AjaxWindows to full-screen, it really does look a lot like a real OS, with no visible remnants of the underlying Web browser. But there's more to it than just looking and feeling like Windows or a Mac. AjaxWindows' cool tricks are its storage capabilities, its synchronization to your local PC, and its support for other applications and widgets.

The system even has a Windows-like Start menu.

(Credit: CNET Networks)

AjaxWindows stores its files in Google's Gmail. Considering Gmail's free storage (over 2.5 GB), that's clever, even if Google wasn't consulted for this application. AjaxWindows, and its native applications, store everything except music files in Gmail (Music is stored on MP3Tunes). Syncing your local PC's data files to your online workspace is a snap with the OS' built-in Synchronizer function, which neatly runs without requiring a standalone application download. Your workspace can also get synchronized with your browser's bookmarks, and to even your desktop background and your Windows startup sound.

Beyond AjaxWindows' own applications, your workspace comes preconfigured with links to several Google applications (such as Docs, Calendar, and Maps), as well as to Zoho Start (review) and other useful Web 2.0 applications like Meebo. But these non-Ajax13-made applications are not integrated into the experience. Clicking on Google Docs opens up the Web application in a new browser window, and files stored in Docs aren't visible on the AjaxWindows file explorer. That's ironic, considering where they are stored. Likewise, you'll need a separate sign-up for non-Google-based applications, like Meebo.

There's also an element of NetVibes with AjaxWindows. You can add widgets, like RSS feed windows and small games, to your desktop. Unfortunately, widgets written for popular platforms like Netvibes and Pageflakes don't work in the AjaxWindows system.

AjaxWindows is an interesting experiment. For users who want to take their desktop with them without carrying any hardware, it's an incomplete if tantalizing solution. The synchronization feature makes it a usable tool if you're OK with using only the Ajax13 Web applications, since unless I missed something, the other applications on the desktop can't access the synced files. (If you really want to avoid lugging a computer, you could also put your applications and working data on a USB thumb drive and get much of the same benefit.) Until more applications, their storage systems, and their sign-on mechanisms get more tightly integrated into this Web platform (see the OpenSAM initiative), AjaxWindows--and other Web-based "operating systems"--will likely remain a curiosity. This is, though, a decent start towards building a truly computer-free personal computing platform.

August 6, 2007 1:36 PM PDT

Black Hat 2007 sees Web 2.0 repeating Web 1.0 mistakes

by Robert Vamosi
  • Post a comment

LAS VEGAS--This year's Black Hat was pretty much summed up in a prescient keynote by Richard Clarke, the nation's former cyber security czar who is now a novelist and chairman of Good Harbor Consulting. Clarke said "we're building more and more of our economy on cyberspace 1.0, yet we have secured very little of cyberspace 1.0." The responsiveness gained from Ajax (Asynchronous JavaScript and XML), a technique that lets a page's JavaScript exchange data with the Web server in the background and update the page without a full reload, has also opened Web 2.0 to some old-school attacks.

Nothing more clearly demonstrated this than a live hijack of a Gmail account. In a talk originally to have been presented alongside his colleague David Maynor, Errata Security CEO Robert Graham demonstrated for a standing-room-only crowd how he was able to use two tools of his own, Hamster and Ferret, to sniff the wireless airwaves for the session cookies and URLs of Web 2.0 sites. While talking about another matter entirely, Graham ran the tools in the background, sniffing the wireless packets in the conference room and looking for the session cookies of audience members who were checking e-mail during his talk (if, as a speaker, you ever wanted to thwart people who check e-mail during your presentation, this is the tool to use). Grabbing cookies is not new. What is new is that Graham was able to grab these Web 2.0 session cookies, sent in clear text, out of thin air and then plunk the captured URL into a new browser. No password is needed; the cookie itself is enough. Toward the end, Graham opened his Hamster tool and found several likely candidates. He chose one Gmail account that had been opened during his talk. The presentation screen lit up with some poor guy's active Gmail account briefly displayed. Everyone applauded before Graham quickly wiped the information from the screen.

Should you avoid Gmail? No. If you simply change the URL in your Gmail bookmark (or any other Google-related bookmark) from http:// to https://, the cookie is no longer sent in the clear and the Errata Security hack no longer works. That's not true, however, for Facebook, Hotmail, and several other Web 2.0 accounts. Graham says that while traditional Web 1.0 sites long ago learned to expire session cookies, the cookies used on Web 2.0 sites don't expire for several years, so you could sniff accounts out of the air at your local Starbucks and months later still have access to that person's account. That's what's really scary about this kind of session hijacking (Graham calls it sidejacking): it is entirely passive, so the victim has no idea that it is happening, and Graham says even changing the account password will have no effect on a cookie that has already been captured. An attacker holding the cookie can send messages, read existing messages, and even alter the look and feel of the Web mail service itself, but can't lock the owner out of the account.
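What a passive sniffer actually recovers from a plaintext session, and the cookie properties that decide whether a captured cookie is useful to the attacker, as an added example. It is not Errata Security's Hamster or Ferret code; the captured request, the Set-Cookie values and the `MAX_SESSION_SECONDS` policy are constructed for this example, and the session identifier is made up.

```javascript
// Added example, not Errata Security's Hamster/Ferret code: extract session
// cookies from a sniffed plaintext HTTP request, build the replay request an
// attacker would send, and audit Set-Cookie headers for the properties that
// made the Black Hat demo work. All inputs are constructed.

// Constructed capture: one request a webmail client sent over http://.
// No password is on the wire; the session identifier alone is enough.
const capturedRequest = [
  "GET /mail/ HTTP/1.1",
  "Host: webmail.example.com",
  "Cookie: SID=DQAAAK4AAACxxxx; PREF=ID=1234; lang=en",
  "User-Agent: Mozilla/5.0",
  "",
].join("\r\n");

// Pull every Cookie header out of a raw request, exactly as a sniffer would.
function extractCookies(rawRequest) {
  const headerBlock = rawRequest.split("\r\n\r\n")[0];
  const cookies = {};
  for (const line of headerBlock.split("\r\n").slice(1)) {
    const colon = line.indexOf(":");
    if (colon < 0) continue;
    if (line.slice(0, colon).trim().toLowerCase() !== "cookie") continue;
    for (const pair of line.slice(colon + 1).split(";")) {
      const eq = pair.indexOf("=");
      if (eq < 0) continue;
      cookies[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
    }
  }
  return cookies;
}

// Replay: the attacker's own request, carrying the stolen cookie.
function buildReplayRequest(path, host, cookies) {
  const cookieHeader = Object.entries(cookies)
    .map(([name, value]) => `${name}=${value}`)
    .join("; ");
  return `GET ${path} HTTP/1.1\r\nHost: ${host}\r\nCookie: ${cookieHeader}\r\n\r\n`;
}

// Audit a Set-Cookie header. Findings are the gaps the demo exploited:
// sent over plain http://, readable by script, and valid for years.
const MAX_SESSION_SECONDS = 24 * 3600; // assumed policy value

function auditSetCookie(setCookie, now = Date.UTC(2007, 7, 6)) {
  const parts = setCookie.split(";").map((s) => s.trim());
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf("=");
    const name = (eq < 0 ? part : part.slice(0, eq)).toLowerCase();
    attrs[name] = eq < 0 ? true : part.slice(eq + 1);
  }
  const findings = [];
  if (!attrs.secure) findings.push("missing Secure: cookie is sent over plain http:// and can be sniffed");
  if (!attrs.httponly) findings.push("missing HttpOnly: cookie is readable by injected script");
  let lifetimeSeconds = null;
  if (attrs["max-age"] !== undefined) lifetimeSeconds = Number(attrs["max-age"]);
  else if (attrs.expires !== undefined) lifetimeSeconds = (Date.parse(attrs.expires) - now) / 1000;
  if (lifetimeSeconds !== null && lifetimeSeconds > MAX_SESSION_SECONDS) {
    findings.push(`lifetime ${Math.round(lifetimeSeconds / 86400)} days: a stolen cookie stays valid long after capture`);
  }
  return findings;
}

// Stand-alone demonstration.
const stolen = extractCookies(capturedRequest);
console.log("sniffed cookies:", stolen);
console.log(buildReplayRequest("/mail/", "webmail.example.com", stolen));
console.log(auditSetCookie("SID=abc; Expires=Thu, 06 Aug 2009 00:00:00 GMT; Path=/"));
console.log(auditSetCookie("SID=abc; Secure; HttpOnly; Max-Age=3600"));
```

Switching a bookmark to https:// helps only if the cookie is never sent over http:// at all, which is what the Secure attribute enforces; a site that serves the same cookie on both schemes leaks it the first time any http:// link to that host is followed.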

In a separate talk, Billy Hoffman and Bryan Sullivan, both of SPI Dynamics, talked about the rush to Web 2.0, and how even some established sites are "Ajaxify-ing" themselves at the expense of good security practices. To prove their point, the pair built an Ajax-enabled travel Web site, HackerTravel.com, following the current best practices for Ajax. In their talk, however, Sullivan and Hoffman showed how they could take advantage of known weaknesses in the way Ajax applications are built. For example, by altering the JavaScript running in their own browser they could either book every seat on the plane (staging a denial-of-service attack) or purchase a round-trip ticket for $1.

Last year, Hoffman talked about the many problems within Web 2.0 Ajax technology, and this year he more or less put the subject to bed by addressing developers and insisting that they not put business logic on the client side of the transaction; that they keep all of that on the Web server. You can hear more about this topic from Hoffman and Sullivan on a recent Security Bites podcast.

Later in the conference Billy Hoffman returned with John Terrill, executive vice president and co-founder of Enterprise Management Technology, to talk about a prototype Web 2.0 worm they've built, written in JavaScript and Perl. Hoffman explained that if there's a cross-site scripting vulnerability on a Web site, the worm can inject its JavaScript form into that site. The JavaScript carries a Perl form of the worm, so that when a user visits the infected site the JavaScript is downloaded to the browser, and the Perl form can in turn be injected into a vulnerable Web server; the worm thus moves from client to server and back with ease.

While we've seen computer worms before, they claim their new creation can pull vulnerability data off security sites such as Secunia and then exploit those new vulnerabilities, rendering current desktop security protection ineffective. Currently such a worm does not exist in the wild, but Terrill and Hoffman insist it's possible for others to do what they've done. You can hear Hoffman talk more about his creation in this recent Security Bites podcast.

There is hope. In addition to better coding practices on the Web server, another way to prevent runaway Web 2.0 vulnerabilities is to harden the JavaScript engine in the client's browser. At Black Hat, Mozilla released new fuzzing tools that let anyone feed a browser's JavaScript engine malformed scripts to shake out crashes and other bugs. What's significant is that the tools are not limited to Firefox: you can also run them against Apple Safari, Microsoft Internet Explorer, and Opera.

In an interview before her presentation, Window Snyder told me there are about 10,000 Firefox users worldwide who regularly download what are called nightly builds. Whenever the Mozilla security team puts out new fixes within the nightly builds, it's these 10,000 users who test the fixes on a wide variety of machines and under a wide variety of circumstances. Thus, Mozilla is able to roll out its security patches faster and with fewer headaches than its competitors. By tapping into their millions of users worldwide, Mozilla hopes more of these avid users will identify future Firefox flaws before they can be exploited.

August 2, 2007 8:39 AM PDT

Rush to adopt Ajax leaves many sites vulnerable, experts say

by Robert Vamosi
  • 3 comments

LAS VEGAS--Want to build a Web site with all the latest Ajax technology? Or how about "Ajaxifying" an existing application? Bryan Sullivan, Senior Research Engineer for SPI Labs, and Billy Hoffman, SPI Labs' team leader, did just that during their talk "Premature Ajax-ulation" Wednesday afternoon at Black Hat. The two said that often developers see only the code that works, and not how someone else may come along and exploit it.

To demonstrate, Sullivan and Hoffman built a mock travel Web site, HackerTravel.com.

"We're actually using examples that we find from popular Ajax books, from popular Ajax Web sites," said Hoffman. "We're going to say, 'Look, we built this the way you were supposed to build it, the way so-called authoritative sources told you to.' Now here's what we need to be thinking about while you are developing these apps. And we're going to poke holes at it and show how to basically develop these things securely from the start."

Hoffman said companies traditionally hire third parties to come in and audit their site or perform a penetration test, then dump a thick PDF report on the developers' desks and say "here, fix it." What do the developers do? "They go and they type 'SQL injection' into Google and they find the first page and say 'Oh, here's how I fix it.'" That simply doesn't work, says Hoffman.

During the talk Hoffman showed how perfectly functional Ajax code could easily be manipulated by examining the JavaScript in the browser. Ajax applications often move logic, and with it some security-sensitive decisions, from the server into client-side JavaScript that the user fully controls. That may speed the process for the end user, but it also exposes the process to attack. In one example Hoffman lowered the price of an airline ticket to one dollar by manipulating the JavaScript. He also created a denial-of-service attack, holding all the available seats on a flight by turning off the client-side function that releases a seat hold.

The problems, said Sullivan and Hoffman, lie in the best practices often printed about Ajax. Their advice: never put business logic on the client side, never use a single piece of JavaScript to handle all the function calls, and don't use DataSet objects. When all the secrets and decisions are kept on the server side rather than the client side, the site is better protected against attack.
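The two HackerTravel.com attacks described in this post and in the Black Hat 2007 wrap-up above (the $1 ticket and the seat-hold denial of service), beside the server-side handling that defeats them, as an added example. It is not SPI Dynamics' HackerTravel.com code; the route, fare, capacity, hold lifetime, session identifiers and request shapes are all constructed for illustration.

```javascript
// Added example, not SPI Dynamics' HackerTravel.com code: a booking flow
// whose price and seat-hold handling live in the browser, beside a version
// that keeps both decisions on the server. Every value here is constructed.

// Constructed server-side fare table and seat counts.
const fares = { "SFO-LAS": 249.0 };
const capacityByRoute = { "SFO-LAS": 4 };
const HOLD_TTL_MS = 10 * 60 * 1000; // assumed server-side hold lifetime
const MAX_SEATS_PER_BOOKING = 4;    // assumed policy

// Vulnerable: the page computed `total` in JavaScript and the server charges
// whatever number arrives. Editing the script (or the request) turns a $249
// fare into $1.
function vulnerableBook(req) {
  return { ok: true, charged: req.total };
}

// Hardened inventory: seat holds are recorded with an expiry on the server,
// so a client that disables its own "release hold" code gains nothing.
function createInventory(route) {
  return { route, capacity: capacityByRoute[route], sold: 0, holds: [] };
}

function activeHolds(inv, now) {
  return inv.holds.filter((h) => h.expiresAt > now);
}

function seatsAvailable(inv, now) {
  return inv.capacity - inv.sold - activeHolds(inv, now).length;
}

function hardenedHold(inv, sessionId, now) {
  inv.holds = activeHolds(inv, now); // drop expired holds
  if (inv.holds.some((h) => h.sessionId === sessionId)) {
    return { ok: false, reason: "one hold per session" };
  }
  if (seatsAvailable(inv, now) <= 0) {
    return { ok: false, reason: "no seats" };
  }
  inv.holds.push({ sessionId, expiresAt: now + HOLD_TTL_MS });
  return { ok: true, expiresAt: now + HOLD_TTL_MS };
}

// Hardened booking: the price comes from the server's fare table, the
// quantity is validated, and any client-supplied `total` is ignored.
function hardenedBook(inv, sessionId, req, now) {
  const fare = fares[inv.route];
  if (fare === undefined) return { ok: false, reason: "unknown route" };
  const qty = req.quantity;
  if (!Number.isInteger(qty) || qty < 1 || qty > MAX_SEATS_PER_BOOKING) {
    return { ok: false, reason: "bad quantity" };
  }
  // The booking session's own hold converts into the sale.
  inv.holds = activeHolds(inv, now).filter((h) => h.sessionId !== sessionId);
  if (seatsAvailable(inv, now) < qty) return { ok: false, reason: "no seats" };
  inv.sold += qty;
  return { ok: true, charged: fare * qty };
}

// Stand-alone demonstration of the two attacks from the talk.
const tampered = { route: "SFO-LAS", quantity: 1, total: 1 };
console.log("vulnerable charges:", vulnerableBook(tampered).charged);
const inv = createInventory("SFO-LAS");
console.log("hardened charges:", hardenedBook(inv, "s1", tampered, 0).charged);
const dos = createInventory("SFO-LAS");
for (let i = 0; i < 4; i++) hardenedHold(dos, "spoofed-" + i, 0);
console.log("seats left during flood:", seatsAvailable(dos, 0));
console.log("seats left after TTL:", seatsAvailable(dos, HOLD_TTL_MS + 1));
```

Note what the hardened version does and does not solve: an attacker who spoofs enough sessions can still hold every seat for one TTL, but the holds lapse on the server's clock regardless of what the client does, so the outage is bounded rather than indefinite. Rate-limiting holds per account or address is the next layer, and it likewise belongs on the server.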
