
Archive for the ‘Security’ Category

5 Firefox add-ons Web Developers can’t live without

Sunday, July 19th, 2009

Over the past few years the Firefox community has grown fast and fierce.  For web developers there have been countless add-ons and plugins published that make building websites (i) more efficient, (ii) more browser-compatible, and (iii) easier to debug.  Below are my top five:

Top 5 Web Developer Firefox Add-ons

  • Web Developer – Integrates with Firefox to add a menu and a toolbar with various web developer tools (e.g. outlining page elements, resizing the browser window, site-specific cookie management, and validation tools).
  • Firebug – Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
  • YSlow – YSlow adds site-performance analysis to Firebug. It analyzes web pages and suggests ways to improve their performance based on a set of rules for high-performance web pages maintained by the YSlow team, together with the metrics defined in the book High Performance Web Sites: Essential Knowledge for Front-End Engineers.
  • Server Spy – Indicates the web server type for the sites you visit (e.g. Apache, IIS, Tomcat, nginx, and so forth). This data is invaluable when debugging complex server-side issues.
  • Live HTTP Headers – Similar to Server Spy, which only pulls the ‘Server’ field from the HTTP response headers, this add-on exposes the full set of request and response headers for debugging. See ‘List of HTTP headers’ on Wikipedia for a full listing of request/response header definitions.

Initial Bay Area Security Professionals / PCI Meetup

Thursday, January 15th, 2009

In an attempt to create a community around web payment security professionals and PCI compliance, I’ve decided to co-found the Bay Area Security Professionals / PCIUG [formal name might change].  The first gathering is Friday, Jan 23, 2009 and will be less formal (meet-up style) to determine the future of the group.  It’s free, just register here: https://spreadsheets.google.com/viewform?key=phKV5pOXQ70lhTuYQz2bkSg and show up here:

Gordon Biersch
2 Harrison Street
San Francisco, CA
Jan. 23rd 2009 @ 7pm

If you have any questions please don’t hesitate to contact me (@brianjeremy) or @sfoak via Twitter.

Tools of the Trade Part One

Wednesday, December 10th, 2008

I once had a girlfriend who insisted I was “secretive” and “mysterious.” Well, I guess those days are over with the birth of my blog last year, www.brianjeremy.com, Twitter, Facebook, and the general lack of privacy all Americans face these days. So, I thought I’d release a partial list of applications and tools I use regularly to help me in my profession [we can define exactly what I do in another post - I suppose in simple terms I direct software development and oversee system administration]. Oh, most of these services, tools, and subscriptions aren’t free, but they increase productivity drastically, so get your AMEX in hand.

Server Diagnostics & Maintenance

  • Pingdom – Monitors HTTP, UDP, TCP and ping, and sends a text-message alert if there is an issue.
  • DNSstuff – Comprehensive DNS diagnostics: full analysis reports, reverse lookups, traceroutes, ping, SPF, Whois, and way too many services to list.
  • Netcraft – Provides host netblocks, application/web server make and model, sub-domains, and a historical list of changes to servers/IPs over time.
  • Charles – An HTTP proxy / HTTP monitor / reverse proxy that lets you view and record all of the HTTP traffic between a client machine and the Internet. This includes requests, responses and the HTTP headers (which carry the cookies and caching information).

Web Development Diagnostic Tools

  • Firefox Firebug Extension – With Firebug you can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.  It’s insane, just download it.
  • Firefox YSlow Extension – YSlow analyzes web pages and tells you why they’re slow based on the book High Performance Web Sites: Essential Knowledge for Front-End Engineers, which you can purchase from Amazon. YSlow is integrated with Firebug.
  • Firefox Web Developer Extension – Since FF became popular amongst developers this became the de facto tool for front-end engineers and designers to work out how to make web pages render correctly in various browsers.  The extension adds a menu and a toolbar to the browser with features that help you get your designs looking A+.
  • Firefox Server Spy Extension – Another great tool that indicates what brand of HTTP server you are accessing (e.g. Apache, IIS, Sun-ONE-Web-Server, Tomcat, IBM HTTP, etc.).
  • Browsershots – Takes screenshots of a web page in a variety of browsers running on a plethora of operating systems.  In total, it can produce screenshots [for design/layout debugging] on roughly 80 browser/operating system combinations.

Security Analysis Tools

  • httprint – A web server fingerprinting tool that relies on web server characteristics to identify the server product even when its identity has been obfuscated.  httprint can identify the underlying web server when its headers have been mangled by patching or other methods.
  • ISAPI_Rewrite – A powerful regular-expression-based URL rewriter for IIS. It is compatible with Apache mod_rewrite (in fact it will interpret Apache mod_rewrite .htaccess files, so you can change web servers without any hassle).
  • ServerMask – An add-on for IIS which masks the brand of your server by modifying its HTTP header data, and also alters your web server’s “fingerprint” by removing unnecessary HTTP response data, modifying cookie values, removing the need to serve file extensions, and adjusting other response information.  If curious, you’ll have to run httprint against a production deployment of ServerMask to see how well the masking holds up.

Software Development & Lifecycle

  • FogBugz – A simple-to-use bug tracking system.  In addition to tracking, prioritizing, and coordinating bugs and issues, it can be used as project management software to improve team communication.
  • Atlassian JIRA – In a nutshell, JIRA is the most robust bug and issue tracking and project management software on the market.
  • Atlassian Bamboo – A continuous integration and build server.  It automates the process of compiling and testing source code, saving time and instantly alerting you to build issues.
  • Subversion – A widely-used open source version control system.  It maintains current and historical versions of files [typically source code and documentation].
  • Versions – A new [just out of beta] Subversion client for OS X.  It’s amazing, just download it now!

 

Database Design / Management / Monitoring

  • Sybase PowerDesigner – By far the most robust data modeling tool: designing schemas, physical data models, reverse engineering databases, the list is endless.  But save now, it’s $$$.
  • Red Gate SQL Prompt – SQL Server code completion of database object names, syntax, and snippets as you write, intelligently offering only appropriate choices.  If you write a lot of DB code or work with various databases, intelligent name retrieval saves hours.
  • Red Gate SQL Compare – Compares and synchronizes SQL database schemas; it automatically traverses all objects and gives a full report before offering to synchronize or simply produce a synchronization script to run at your leisure.
  • Red Gate Data Compare – Similar to SQL Compare, with the caveat that it compares the contents of two databases and automatically synchronizes your data.
  • Red Gate SQL Data Generator – One-click realistic data generation based on the column types you specify.
  • Navicat for MySQL – Best GUI for MySQL database administration.  Distributed for Windows, OS X, and Linux.
  • Navicat for Oracle – Just released two weeks ago.  Compatible with Oracle 8i to current and supports all objects including directory, tablespace, synonym, materialized view, trigger, sequence, type and more.  Really looking forward to spending more time reviewing this product.

Of course this list isn’t complete, but hopefully you are able to integrate some new tools into your life. Also, please comment if you have any suggestions of items I’ve missed.

DMV – secure your trash bins.

Tuesday, August 19th, 2008

Yes, it’s true. I spent the morning at the Department of Motor Vehicles. They have the best trash bins I’ve seen in some time. The bins clearly read “IDENTITY THEFT is on the rise. This is not a secure trash bin.” I suppose my OCD shredding skills have some benefit.

KONICHIWA 1.0 Web Server

Saturday, June 28th, 2008

I was just so amused by the creativity of a system administrator that I had absolutely no choice other than to write about it. Let me set the scene. I was attempting to bring up my bank’s website, but the site did not load. In an effort to deduce the problem I visited wellsfargo.com (another large financial institution). The homepage of Wells Fargo loaded perfectly, and thus I wasn’t having any obvious problem with my internet connection.

So what did I find so amusing and funny? Well, it turns out that the Server tag returned in the HTTP header for Wells Fargo is “KONICHIWA/1.0”. At this point, I probably should have enjoyed the laugh instead of investigating further. But I didn’t. First, I went to Netcraft and did a search for wellsfargo.com. Netcraft shows Wells Fargo as using “KONICHIWA/1.0” at least as far back as 2006. It was now time to set aside my gut feeling that this name was just a cute obfuscation of the real application server and confirm that there wasn’t any new product on the market named Konichiwa. So, I did the research and it turns out my instincts were right.

So why am I writing about this, why are you reading this, and what Application Server is Wells Fargo actually using? I will now hopefully answer at least two of those three questions!

There is a long history of security professionals and system administrators attempting to obfuscate what equipment they use [disclaimer: I am a hypocrite and follow these practices]. The rationale is simple: if somebody wants to exploit your vulnerabilities, it will be harder to do so if they think you are using product A instead of product B. This is merely an illusion, but it gives some peace of mind. Solving the mystery wasn’t incredibly difficult thanks to Net-Square Solutions, a security research firm based in India. They have developed a product, httprint, which uses web server fingerprinting to identify web servers based on their behavioural characteristics instead of the standard HTTP Server header, which as we have seen can easily be obfuscated and renamed to “Konichiwa” (which loosely means “good day” in Japanese).

Enough “geeking out”. The output from httprint is below: Wells Fargo is actually running Netscape Enterprise Server 6.0, which makes much more sense.

httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
httprint@net-square.com
 
Finger Printing on http://www.wellsfargo.com:80/
Host Redirected to https//www.wellsfargo.com:443/
Finger Printing Completed on https://www.wellsfargo.com:443/
--------------------------------------------------
Host: www.wellsfargo.com
Derived Signature:
KONICHIWA/1.0
9E431BC86ED3C295811C9DC5811C9DC5811C9DC594DF1BD04276E4BBC184CB92
7FC8D095AF7A648F2A200B4C811C9DC5811C9DC5811C9DC5811C9DC52655F350
FCCC535B811C9DC5FCCC535B811C9DC568D17AAE2576B7696ED3C2959E431BC8
6ED3C295E2CE6922811C9DC5811C9DC5811C9DC56ED3C2956ED3C295E2CE6923
E2CE6923FCCC535F811C9DC568D17AAEE2CE6920
 
Banner Reported: KONICHIWA/1.0
Banner Deduced: Netscape-Enterprise/6.0
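The idea behind the report above, and behind the httprint / ServerMask entries in the security tools list and the Server Spy / Live HTTP Headers add-ons in the Firefox list, is that the Server banner is the one field a masking product rewrites trivially, while the rest of the response is shaped by the server implementation. The script below is an added example written for this page; it is not httprint’s code or Net-Square’s signature format. It parses raw responses to two probes, ignores the banner, and scores the remaining traits (HTTP version, status code and reason phrase per probe, header order, header-name casing) against reference signatures, the way a behavioural fingerprinter does. The probe set, the reference responses, and the product names ServerA/1.0 and ServerB/2.0 are all constructed for the example; a real tool sends many more probes and carries hundreds of signatures.

```python
"""Toy web-server fingerprinting by behaviour rather than banner.

Added example, not httprint's code or its signature format. The probe
set, the captured responses and the product names ServerA/1.0 and
ServerB/2.0 are all constructed for this demonstration.
"""
from __future__ import annotations

# Requests a scanner would send. Responses are keyed by probe so the
# example runs offline instead of opening sockets.
PROBES = ("GET / HTTP/1.1", "BOGUS / HTTP/1.1")

# Constructed reference responses for two hypothetical products.
SERVER_A = {
    "GET / HTTP/1.1": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: ServerA/1.0\r\n"
        b"Date: Sat, 28 Jun 2008 20:00:00 GMT\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Length: 5\r\n"
        b"Connection: close\r\n"
        b"\r\nhello"
    ),
    "BOGUS / HTTP/1.1": (
        b"HTTP/1.1 405 Method Not Allowed\r\n"
        b"Server: ServerA/1.0\r\n"
        b"Date: Sat, 28 Jun 2008 20:00:00 GMT\r\n"
        b"Allow: GET, HEAD, POST\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    ),
}
SERVER_B = {
    "GET / HTTP/1.1": (
        b"HTTP/1.1 200 OK\r\n"
        b"Date: Sat, 28 Jun 2008 20:00:00 GMT\r\n"
        b"Server: ServerB/2.0\r\n"
        b"Content-Length: 5\r\n"
        b"Content-Type: text/html\r\n"
        b"\r\nhello"
    ),
    "BOGUS / HTTP/1.1": (
        b"HTTP/1.1 501 Not Implemented\r\n"
        b"Date: Sat, 28 Jun 2008 20:00:00 GMT\r\n"
        b"Server: ServerB/2.0\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    ),
}
KNOWN = {"ServerA/1.0": SERVER_A, "ServerB/2.0": SERVER_B}

# A "masked" ServerA: only the banner is rewritten.
MASKED = {p: r.replace(b"ServerA/1.0", b"KONICHIWA/1.0") for p, r in SERVER_A.items()}
# A heavier mask that also strips the Connection header from the GET reply.
HEAVILY_MASKED = dict(MASKED)
HEAVILY_MASKED["GET / HTTP/1.1"] = MASKED["GET / HTTP/1.1"].replace(b"Connection: close\r\n", b"")


def parse(raw: bytes) -> tuple[str, str, str, list[str], dict[str, str]]:
    """Split a raw response into (version, status code, reason phrase,
    header names in wire order, lowercase name -> value)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    version, code, reason = status_line.split(" ", 2)
    names, values = [], {}
    for line in lines:
        name, _, value = line.partition(":")
        names.append(name.strip())
        values[name.strip().lower()] = value.strip()
    return version, code, reason, names, values


def traits(responses: dict[str, bytes]) -> list[str]:
    """Behavioural traits that a banner rewrite does not touch."""
    out = []
    for probe in PROBES:
        version, code, reason, names, _ = parse(responses[probe])
        order = [n for n in names if n.lower() != "server"]  # drop the banner itself
        canonical = all(n == "-".join(p.capitalize() for p in n.split("-")) for n in order)
        out += [
            f"{probe}|version={version}",
            f"{probe}|status={code}",
            f"{probe}|reason={reason}",
            f"{probe}|order={','.join(n.lower() for n in order)}",
            f"{probe}|case={'canonical' if canonical else 'other'}",
        ]
    return out


def fingerprint(responses: dict[str, bytes], known=KNOWN) -> tuple[str, str, float]:
    """Return (banner reported, banner deduced, confidence in [0, 1])."""
    banner = parse(responses[PROBES[0]])[4].get("server", "")
    target = traits(responses)
    best, best_score = "unknown", 0.0
    for product, reference in known.items():
        ref = traits(reference)
        score = sum(a == b for a, b in zip(target, ref)) / len(ref)
        if score > best_score:
            best, best_score = product, score
    return banner, best, best_score


if __name__ == "__main__":
    for label, target in (("masked", MASKED), ("heavily masked", HEAVILY_MASKED)):
        reported, deduced, score = fingerprint(target)
        print(f"{label}: Banner Reported: {reported}  Banner Deduced: {deduced} ({score:.2f})")
```

Running it reproduces the shape of the httprint report: the banner says KONICHIWA/1.0, but the traits match ServerA/1.0 with full confidence, and the heavier mask that also drops a header still lands on ServerA with a 0.9 score because the error response to the bogus method is untouched. The practical point for anyone deploying ServerMask or its equivalents is the one the post makes: a banner rename buys nothing against a behavioural fingerprint unless the masking also normalises the rest of the response, including the replies to malformed requests.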

SSL, HTTPS, and your budget.

Sunday, June 15th, 2008

For folks involved in IT budgeting, I’ve got to lend a little advice about purchasing SSL certificates. These days most websites require SSL. When purchasing a certificate, don’t buy it for only a single year. SSL pricing isn’t expensive in 2008, and the time required to install a certificate can be considerable. So make sure you purchase at least a two-year certificate. One year flies by faster than you can imagine, and the cost of installation is much greater than the cost of the certificate. Invest in your business, buy long term and thank me later.

How Private is your Identity?

Sunday, February 3rd, 2008

I’ve been involved in a lot of e-commerce development recently. This has led me to do a lot of research on pending California privacy legislation and PCI compliance. I’ve since come to the conclusion that people have a skewed view of how susceptible they are to credit card fraud and identity theft. I’m sure my dad will be thrilled to find out that I have now confirmed he is a genius, and I am going to follow in his footsteps by taking an action he took many years back when he began to make on-line purchases. I think since I’m so immersed in the “industry” it is sometimes hard to be objective. At the time, I thought he was a bit paranoid when he told me his plan for making purchases on-line. His plan was to get a new credit card and only use it for on-line purchases. Guess what, this is a great idea… and I recommend it to all!

Brian Kupetz

That’s me above wearing one of my favorite Adidas track jackets. This is my home on the web showcasing some of my work over the past few years in the Interactive Marketing/Advertising field. In addition to my portfolio you’ll find some personal information about me as well as some ramblings on some of the research and development I participate in. Enjoy!


©2007-2008 Brian Jeremy Kupetz. All Rights Reserved.
