Security

What's new in XMLSpy Version 2015 Release 3

I'm very excited to announce the new v2015r3 release of XMLSpy today. XMLSpy continues to be the de facto industry standard for XML editing, and we take that responsibility very seriously by adding support for new standards and improved technologies, as well as features that simply make our users' work more productive, in every release.
This latest version of XMLSpy adds the following new features:
  • Support for XPath 3.1 and XQuery 3.1
  • Significantly extended XPath/XQuery tab
  • Support for Web Services Security and other security extensions
  • Support for XBRL Extensible Enumerations 1.0
  • Support for custom fonts in Output Windows
Improved XPath/XQuery tab in XMLSpy 2015r3
Let me tell you a little bit about each one of those features...



Support for XPath & XQuery 3.1

The RaptorXML engine at the core of XMLSpy now fully supports the updated XPath 3.1 and XQuery 3.1 specifications, which were published as W3C Candidate Recommendations in December 2014. New capabilities in XPath and XQuery 3.1 include:
  • Maps
  • Arrays
  • Support for JSON: parse-json, json-doc, and serialization to JSON
  • Lookup operator “?”
  • Arrow operator “=>”
  • New functions, e.g., sort, contains-token, parse-ietf-date
Maps and arrays make XPath and XQuery expressions considerably more flexible and can speed up processing significantly, while JSON support matters more every year as adoption of that format continues to grow.

Significantly extended XPath/XQuery tab

The XPath/XQuery tab, which was augmented with innovative support for XQuery Update Facility in XMLSpy 2015, just got even more powerful for XSLT and XQuery developers. The new features - shown in the screenshot above - include:
  • Builder mode, offering a list of operators, expressions, and built in functions, which you can insert in your current expression by double clicking. Functions are inserted with their arguments indicated by “#” placeholders, making it easy to build expressions quickly and error-free. You can view a description of each item by hovering your mouse over it in the list. When you’re finished building an expression, click over to Evaluator mode to test the results.
  • Enhanced entry helpers now display the description of built-in functions, and then show helpful function and parameter details as you type, speeding development and ensuring accuracy.
  • Ready-to-use code snippets for complex statements such as FLWOR and XQuery Update expressions are provided in the Operator/Expression pane in Builder mode, allowing you to read a description of each and insert the expression at the cursor by double clicking.
  • The nine tabs make it even easier to develop and test complex expressions. Once you have composed an XPath or XQuery statement on one tab, switching to a new tab lets you build and analyze the results of a new expression, and when you switch back to the previous tab, the expression and results are still there. This allows you to switch back and forth between multiple expressions that you develop side by side and incrementally change each one of them, preserving both the expression AND the result for each tab.
     

Support for Web Services Security & other extensions

In response to increasing demand for end-to-end security of Web services transactions, XMLSpy 2015r3 now supports authentication based on the WS-Security (Web Services Security) standard, authentication with client certificates, and calling Web services over HTTPS.
Published by OASIS, Web Services Security is an extension to SOAP that adds security functions such as authentication, integrity and confidentiality to the SOAP message itself, so that they hold across every hop of a complex Web services transaction rather than only between two directly connected endpoints. These measures complement, rather than replace, the protection that HTTPS provides at the transport layer: TLS protects a single connection, while a WS-Security header travels with the message through intermediaries.
New options have been added to the SOAP Request Settings dialog, shown in the screenshot below and accessed via the SOAP menu, allowing you to enable and edit HTTP security settings and WS-Security settings.
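To make the "security in the message itself" point concrete, here is an added example (written for this page, not Altova code and not tied to XMLSpy's dialog) of the simplest WS-Security mechanism, the UsernameToken with a PasswordDigest as defined in the OASIS Username Token Profile: the client sends Base64(SHA-1(nonce + created + password)) instead of the password, and the service recomputes it, checks the timestamp and rejects reused nonces. The namespace URIs and the digest formula are the real ones from the specification; the user "alice", her password, the `urn:example:stocks` body and the fixed nonce/timestamp are constructed test data.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Namespace URIs from the OASIS WS-Security 1.0 specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, body_xml, nonce=None, created=None):
    """Client side: wrap body_xml in a SOAP envelope carrying a digest UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)      # never the password itself
    n = ET.SubElement(token, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY})
    n.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, lookup_password, seen_nonces, now=None,
                    max_skew=timedelta(minutes=5)):
    """Service side: recompute the digest, check freshness, reject replays.
    Returns (ok, reason). seen_nonces is the caller's replay cache (a set)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken"
    username = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if pw is None or pw.get("Type") != PASSWORD_DIGEST or not (nonce_b64 and created):
        return False, "digest token incomplete"
    try:
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad Created timestamp"
    if abs(now - created_at) > max_skew:        # bounds the replay window
        return False, "stale token"
    if nonce_b64 in seen_nonces:                # same nonce twice inside the window
        return False, "replayed nonce"
    secret = lookup_password(username)
    if secret is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(nonce_b64), created, secret)
    if not hmac.compare_digest(expected, pw.text or ""):   # constant-time compare
        return False, "digest mismatch"
    seen_nonces.add(nonce_b64)
    return True, "ok"


def demo():
    """Constructed round trip: one honest request, then a replay, a stale and a tampered copy."""
    users = {"alice": "correct horse battery staple"}           # constructed credential store
    body = '<GetQuote xmlns="urn:example:stocks"><Symbol>ALTV</Symbol></GetQuote>'
    nonce, created = bytes(range(16)), "2015-03-12T10:00:00Z"   # fixed for reproducibility
    now = datetime(2015, 3, 12, 10, 0, 30, tzinfo=timezone.utc)
    request = build_envelope("alice", users["alice"], body, nonce, created)
    seen = set()
    results = {
        "honest": verify_envelope(request, users.get, seen, now=now),
        "replay": verify_envelope(request, users.get, seen, now=now),
        "stale": verify_envelope(request, users.get, set(), now=now + timedelta(hours=1)),
        "tampered": verify_envelope(request.replace("10:00:00Z", "10:00:01Z"), users.get, set(), now=now),
    }
    return request, results


if __name__ == "__main__":
    request, results = demo()
    print(request)
    for case, outcome in results.items():
        print(f"{case:9s} -> {outcome}")
```

Two caveats a practitioner should keep in mind: the digest only keeps the password out of the message and, together with the nonce cache, blocks replay; it does nothing for the integrity or confidentiality of the SOAP body, which is what the XML Signature and XML Encryption parts of WS-Security are for. And because the service must recompute SHA-1 over the plaintext password, it has to store passwords in recoverable form, which is a strong argument for pairing the token with TLS and for preferring certificate-based authentication where the service supports it.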

Support for XBRL Extensible Enumerations

XML Schema's xs:enumeration feature allows enumerated types to be defined. Such types have a fixed list of allowed values that cannot be changed until the next version of the schema is published.
XBRL projects often require "extensible enumerations", which leave extension taxonomy editors free to augment the list of allowed values for a concept. This is particularly important for allowing enumeration values in multiple languages as well as reusing existing domain hierarchies as fact enumeration values.
XMLSpy 2015r3 now supports extensible enumerations with multi-language labels in the XBRL Taxonomy editor.

For more information on What's New in the other products of the Altova MissionKit desktop developer tools and our Server product family, please take a look at the "What's new" page on our website and at the Altova Blog.

Big Data analysis applied to retail shopping behavior

Everybody knows that online retailers like Amazon track customer behavior on their website down to every last click and then analyze it to improve their site. But when it comes to regular retail locations collecting detailed customer data by tracking their every move, people seem to be surprised, and sometimes even outraged…

Tracking Shoppers in Retail

It is somewhat ironic that we are used to being tracked online, but when customer tracking - sometimes even based on the very smartphones we carry in our pockets - hits the real world, privacy concerns abound. Interestingly, the same systems have been used for years to prevent theft, and nobody seems to have a problem with that. But once Big Data gets collected and is analyzed for more than just theft prevention and is utilized to analyze shopping behavior and improve store layouts, things get a bit murky on the privacy implications.

The NY Times has a nice article about this today, including a video that shows some of the systems in action. Very cool technology is being used from video surveillance to WiFi signal tracking, and I guess this is really just the tip of the iceberg.

It will also be interesting to see how the privacy implications around Google Glass play out in the next couple of months. If the government can track and record everybody and if business can track and record their customers, then why shouldn't ordinary people also be allowed to constantly record and analyze everything happening around them?

When George Orwell coined the phrase "Big Brother is watching you" in his novel Nineteen Eighty-Four, the dystopian vision of a government watching our every move seemed to be the epitome of oppressive evil. Privacy concerns have certainly evolved over the past decade, to the point where video cameras on street corners are taken for granted in many democracies, and I'm sure we'll see a continued evolution of our understanding of privacy in the years to come.

Additional Coverage: Techmeme, Marketing Land, iMore, Business Insider, The Verge

Zero-day exploits, spies, and the predictive power of Sci-Fi

Reading the NY Times over coffee this morning, I noticed the article "Nations Buying as Hackers Sell Flaws in Computer Code", which details how nations (and, in particular, their secret service organizations) are now bidding for and buying zero-day exploits from hackers and security experts worldwide.

Certainly a very timely article, as the world still comes to grips with the evolving role of the NSA and what we've learned in the aftermath of the Snowden leaks. It also reminded me of a Science Fiction series I read in the late Nineties and turn of the century: Tom Clancy's Net Force.

Tom Clancy's Net Force

Set in 2010, this was a gripping story about a new fictitious FBI division created to combat threats in cyberspace. The storyline quickly evolved from criminal investigations into cyber espionage and cyber warfare. These were the days of the early web, when people still used AltaVista as a search engine, so a lot of the ideas in Net Force seemed pretty far out back then.

Interestingly, in the real world, in 2010 the US Army activated their Cyber Command.

And when people talk about cyberspace in the media today, let's not forget that the term itself came out of Sci-Fi: William Gibson coined it in the early Eighties, in the same years in which Vernor Vinge's True Names imagined a networked virtual world. Like many other geeks of my generation, I devoured those books back then.

Musing about these things over coffee on a beautiful Sunday morning reminded me of an interview I gave to Erin Underwood at the Underwords blog a year ago, in which we talked about the importance of Sci-Fi for young adults and the oftentimes predictive powers of Sci-Fi literature…

Password Security and Keeping your Data Safe

If you are using a password that is 8 characters in length (or shorter) you just lost the game. And I'm not talking about well-known passwords such as "password", "monkey", "qwerty", or "12345678". This machine here is part of a cluster of 25 GPUs (Graphics Processing Units) and can try every 8-character password of any complexity, drawn from the full set of printable ASCII characters, in less than 6 hours when the password is stored as a Windows NTLM hash:

GPU Cluster

As reported on the Ars Technica blog today, researchers have built a Linux-based GPU cluster that brute-forces the NTLM hash at the heart of Windows login authentication, trying an astounding 95^8 combinations (about 6.6 quadrillion) in just 5.5 hours. At 350 billion guesses per second, it can crack any password of 8 characters or less without resorting to dictionary-based attacks. NTLM is a fast, unsalted hash, which is exactly why such rates are possible; a deliberately slow, salted scheme such as bcrypt, scrypt or PBKDF2 cuts the guess rate by many orders of magnitude, but as a user you rarely know which scheme a given site uses.

Combining that raw speed with existing dictionary- and rule-based cracking techniques brings even considerably longer passwords within reach in a similar time, provided they are built from words and predictable patterns.

The machine was unveiled by Jeremi Gosney at the Passwords^12 conference in Oslo, Norway, last week. The same machine makes 63 billion guesses per second against password hashes computed with SHA1, a very widely used hashing algorithm.

How secure is your password?

The reality is that most people still use incredibly weak passwords. The 25 Most Popular Passwords of 2012 are well documented, as are the 10,000 Top Passwords of 2011. If your password is on either of those lists, you should stop what you are doing right now and go change it. Seriously. All of these well-known passwords, as well as any word that appears in a dictionary, are trivially susceptible to cracking.

Up until a little while ago the common recommendation was to add a few numerical digits and maybe a special character or two to the mix, and that would usually result in a pretty safe password. Most sites also require a password of at least 8 characters, and people usually stick with exactly 8. That is simply no longer sufficient, as any 8-character password can now be brute-forced within 6 hours.

However, the solution is fairly simple: just by doubling the password length from 8 to at least 16, the time the new GPU cluster or a similar machine needs to exhaust all possibilities grows from 6 hours to something on the order of 138 billion years. The exact figure depends on which character set is assumed, since every added character multiplies the work by the size of the alphabet, but every plausible choice lands far beyond the reach of any foreseeable hardware. Even assuming reasonable advances in processor power over the next couple of years, that should keep the password safe for the foreseeable future.
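The arithmetic behind those figures is worth seeing explicitly, so here is an added example (not part of the original post) that takes the two guess rates quoted above, 350 billion/s for NTLM and 63 billion/s for SHA1, and works out worst-case exhaustive-search times and entropy for several password lengths. The 95-character alphabet is the printable ASCII set the "any complexity" claim implies; the 62-character alphanumeric alphabet is an assumption added for comparison. Pass a lower rate to `crack_table` to see what a slow, salted hash would do to the same numbers.

```python
import math

# Guess rates quoted in the post for the 25-GPU cluster (guesses per second).
NTLM_RATE = 350e9
SHA1_RATE = 63e9
PRINTABLE_ASCII = 95          # letters, digits, punctuation and space: "any complexity"
ALNUM = 62                    # assumption: what many people actually use
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet_size: int, length: int, up_to: bool = False) -> int:
    """Number of candidate passwords. up_to=True counts every length from 1 to
    `length`, i.e. 'any password of N characters or less'; otherwise exactly N."""
    if up_to:
        return sum(alphabet_size ** k for k in range(1, length + 1))
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float,
                       up_to: bool = False) -> float:
    """Worst case: the attacker tries every candidate at `rate` guesses per second.
    On average a password falls after half this time."""
    return keyspace(alphabet_size, length, up_to) / rate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password of this shape, in bits.
    Only valid for generated passwords; a word-based one has far fewer bits."""
    return length * math.log2(alphabet_size)


def describe(seconds: float) -> str:
    """Human-readable duration for the table."""
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < 2 * 86400:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    return f"{years:.1f} years" if years < 1000 else f"{years:.3g} years"


def crack_table(rate: float, alphabet_size: int = PRINTABLE_ASCII,
                lengths=(8, 10, 12, 16)):
    """Rows of (length, entropy bits, worst-case time to try every password up to that length)."""
    return [(n, round(entropy_bits(alphabet_size, n), 1),
             describe(seconds_to_exhaust(alphabet_size, n, rate, up_to=True)))
            for n in lengths]


if __name__ == "__main__":
    for label, rate in (("NTLM", NTLM_RATE), ("SHA1", SHA1_RATE)):
        print(f"{label} at {rate:.0f} guesses/s, {PRINTABLE_ASCII}-character alphabet:")
        for n, bits, t in crack_table(rate):
            print(f"  {n:2d} chars  {bits:6.1f} bits  {t}")
```

With the 95-character alphabet the 8-character case comes out at a little over 5 hours, matching the post, while 16 characters is on the order of 10^12 years; a 16-character alphanumeric-only password is still on the order of 10^9 years. The table is for uniformly random passwords only: the moment a password is assembled from dictionary words or a published pattern, the relevant keyspace is the attacker's wordlist times the rules applied to it, not alphabet^length.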

If you want to see how (in)secure your old password was, you can use this service. But treat any password you type into a third-party site as burned, and make sure you change it afterwards!

In addition to these thoughts about password length and complexity, it is also important to realize that sooner or later many online services get breached and their password hashes stolen (see, for example, the LinkedIn password hack in June 2012). Therefore it is vitally important to limit the damage of any one breach by never reusing a password across multiple sites.

Ultimately, however, a password alone can never be 100% secure. In addition to cracking in its various forms, any password is also susceptible to phishing, trojans, key-loggers, and other approaches that compromise it. The most effective widely available protection is 2-factor authentication, where you must provide at least two independent pieces of evidence to access a system: for example, something you know (a password) and something you have (a secure token). A one-time code can itself be phished in real time, but a stolen or cracked password on its own is then no longer enough to get in.

A lot of these topics have also been discussed in various newspaper articles and blog posts recently and I have provided links to the most useful articles at the bottom of this blog post.

Recommendations

Here is my own personal list of measures that help me keep my passwords and data more secure - these are based on my own approach that I've developed over time, so feel free to adopt any of those for your needs as you see fit:

  1. If an online service offers 2-factor authentication, I always take advantage of that - especially for sensitive information, such as online banking, investments, etc. but I also use it for DropBox, my Google account, or even for Facebook.
  2. All passwords need to be 16-20 characters length at a minimum and include at least 6 numeric or special characters. This makes them relatively uncrackable, provided that one doesn't include any common words from the dictionary. I try to stay away from common recommendations and password-generation patterns, such as taking the first character of each word in your favorite song lyrics or similar approaches. If a pattern has been described somewhere you can rest assured that hackers know about that pattern and can tweak their algorithm to crack it.
  3. I use different passwords for all sites - not a single password shared amongst multiple sites.
  4. For all online services I use computer-generated random passwords with a length of 16-20 characters or longer - depending on what the website allows - and these passwords use at least six numeric or special characters. For example, such a password might look like this: [mLzJKf1j7cP3n|B!8@WJw
  5. I use a password-management application to generate and keep track of all these random passwords. There are many popular applications of this kind on the market, and after some research and testing I found 1Password to be the right solution for me, since it is available for Windows, Mac, iOS, and Android.
  6. My master password for the password-management software is somewhere between 25-35 characters in length and uses more than eight numeric and special characters. Nothing in this password is susceptible to a dictionary-based attack, so it should withstand all current cracking capabilities.
  7. I store all my sensitive information and financial data in an encrypted file and keep it safe by storing that file on a USB drive. I use TrueCrypt (http://www.truecrypt.org/) as the encryption software of choice, because it is again available on multiple platforms. The password for my encrypted data is again highly complex and fulfills all of the requirements outlined above.
  8. To guard against catastrophic failure of the password-management software, a printout of all passwords is stored in my safe.

With this approach I feel that I have done a pretty good job of making a hackers' life rather difficult. Is it 100% secure? Probably not, and I constantly tweak my system as new information surfaces and we learn about new improvements in processing speed or cryptography advances.

What is your strategy? Let me know your thoughts here on the blog or via Twitter or Facebook comments…


Google Data Center StreetView with Storm Trooper and R2-D2

Google has opened up StreetView access into its data center in Lenoir, North Carolina today, giving you the ability to take a virtual walk-through of the facility. In a time when most companies are super-secret about their facilities to prevent vulnerabilities, hackers, or even physical intrusions, this is a remarkable and somewhat surprising publicity stunt. Maybe they are convinced that their site security team, apparently consisting of a single Imperial Storm Trooper and R2-D2, is sufficient to prevent any malicious attacks…?

Backup/Restore on iOS - not always what you'd expect

Yesterday I had an interesting experience with the backup/restore function in iTunes 10.7 while migrating all my data from my old iPhone 4S to the new iPhone 5. Due to my previous unsatisfactory experience with backup/restore from iCloud when migrating from an iPad 2 to iPad 3 this spring, I decided to use iTunes on my MacPro to make a local backup this time. Furthermore, I wanted to make sure not to run into any iOS 5 -> 6 upgrade issues, so I had already upgraded my iPhone 4S to iOS 6 in the previous week to make this switch more efficient - or so I thought! When it was time to make the move, I connected the 4S, waited for the sync operation to finish, and then right-clicked the phone in iTunes and selected backup.

After the backup process completed, I turned off the old phone, connected the new phone, and selected "Restore" to restore the phone from the backup I just had created. After I waited through a reboot and confirmed a few more dialogs, I thought I would now have everything on the new device exactly the same way as I had on the old phone. But that was not the case…

When you do a backup of your PC or Mac and then lose your hard drive you would expect the machine to be exactly the same after you buy a new disk and run a restore operation, right? Especially you'd expect all settings and configurations to be restored.

Apparently not so with iOS. To my great disappointment I found that for a lot of my applications the restore function only restored the app itself, but not any of its settings, especially not any login information. In particular, I had to manually reenter my account information into all of the following apps on my new phone:

  • Evernote
  • Dropbox
  • Twitter
  • Facebook
  • WSJ
  • Kindle
  • iCloud, iMessage, FaceTime, Find my friends
  • Netflix
  • Hulu+
  • Yelp
  • OpenTable
  • MLB At Bat
  • Disk Decipher
  • and many more…
In addition, I found that all of the soft-token apps for secure 2-factor authentication to various services were not restored with their settings, so they each generated a new unique device ID and did not allow any easy restoration, transfer, or migration from one device to the next. In fact, with the Google Authenticator that I use for Google Apps and Dropbox, as well as with the Symantec VIP Access app I use for some banking sites, my only choice was to log into these web sites, request deactivation of the old soft-token, and then add the new soft-token. In most cases this required having access to the old soft-token to enter a valid code. So I had to turn the old phone back on and migrate every single service authentication to the new token app on the new phone, one by one.

Now, in all fairness, I should say that in iOS at least there is a Backup/Restore function, which is completely missing in Android (unless you want to be adventurous and root your device). But I found it very surprising to be lacking in so many ways, especially with regards to app configurations, settings, and logins.

Luckily I don't have to complain about any actual data loss. With my calendar, contacts, and email all in Google Apps, none of those got lost. So this was more of a nuisance that cost me about an hour or two before I had my phone reconfigured to my exact specs and resetting all my soft-token apps.

But it would have been much harder to do had I actually lost my phone or had it been damaged, because removing 2-factor authentication from an account when you no longer have the soft-token is rather difficult and often only possible with lengthy tech support calls. It would make much more sense to allow full backup/restore functionality of your phone onto your computer, especially since you can encrypt your backups nicely with iTunes, so the information therein is rather secure.

Bottom-line: plan a couple of hours for your upgrade - especially if you use many apps…