Sunday, September 12. 2010
Our water: referendum initiative in Berlin
Today I'd like to do a bit of advertising for a currently running referendum initiative (Volksbegehren) on Berlin's water supply, which demands the disclosure of the secret contracts on the water privatisation.
What is it about? In 1999 the Berliner Wasserbetriebe were partially privatised. The contracts between the state of Berlin and the companies RWE and Veolia are, however, classified. There are rumours that the contracts contain a clause guaranteeing the companies certain profit margins, if need be at the expense of the public purse. The current initiative demands that the contracts be disclosed. Whatever one thinks of privatisation, it should really go without saying that on a question as central as the water supply, people should know all the facts. Freedom of information is, after all, the best basis for any further political discussion.
To get a referendum initiative off the ground, signatures have to be collected first: 172,000 in total. The initiators most recently reported 77,000 signatures, so roughly half. That means the chances are very good, but it will probably be close. Signatures can be collected until 27 October.
So to all Berliners reading this: print out a few signature sheets and get a few friends and acquaintances to sign. And spread the word: for transparency and against secret contracts.
Thursday, September 9. 2010
Test your browser for Clickjacking protection
In 2008, a rather interesting new kind of security problem in web applications was found, called Clickjacking. The idea is simple but ingenious: a page from the attacked web application is loaded into an iframe (a way to display one web page inside another), but made invisible to the user, either by making it tiny or by rendering it fully transparent. Via JavaScript, this iframe is kept positioned under the mouse cursor so that a button of the framed page sits right below it. When the user clicks anywhere on the attacker's page, the click actually lands on the button in the framed web app and triggers an action the user never intended.
What makes this vulnerability especially interesting is that it is a problem of the web platform itself rather than of any single application, and it was pretty clear that there would be no easy fix without changes to existing technology. One possible workaround is JavaScript "frame killer" code in every web application, but that is far from a nice solution: it forces you to ship JavaScript even if your web app does not use any JavaScript at all, and such scripts can be circumvented in a number of ways.
Now, Microsoft proposed a new HTTP header, X-Frame-Options, that can be set to DENY or SAMEORIGIN. DENY means that the page sending the header may not be displayed in a frame or iframe at all. SAMEORIGIN means that it may only be framed by pages from the same origin, i.e. the same scheme, host name and port (sidenote: I tend not to like Microsoft and their behaviour on standards and security very much, but in this case there's no reason for that. Although it's not a standard (yet?), this proposal is completely sane and makes sense).
Just recently, Firefox added support; Internet Explorer, which introduced the header, and the other major browsers (Opera, Chrome) already did that before, so we finally have a solution to protect against clickjacking (Konqueror does not support it yet and I found no plans for it, which may be a sign of the sad state of Konqueror development regarding security features; they're also the only browser not supporting SNI). It's now up to web application developers to use that header. For most of them, if they're not using frames at all, it's probably quite easy, as they can just set the header to DENY all the time. If an app uses frames, it requires a bit more thought about where to set DENY and where to use SAMEORIGIN. In either case, check the response headers of the deployed app (for example with curl -I) to make sure the header actually goes out on every page, not just the login form.
It would also be nice to have some "official" IETF or W3C standard for it, but as all major browsers agree on it, it's okay to start using it now.
But the main reason I wrote this long introduction: I've set up a little test page where you can check if your browser supports the new header. If it doesn't, you should look for an update.
Posted by Hanno Böck in Code, English, Security at 00:22 | Comment (1) | Trackbacks (0)
Defined tags for this entry: browser, clickjacking, firefox, javascript, microsoft, security, vulnerability, websecurity
Tuesday, September 7. 2010
Trying to buy an ebook
For a while, I wanted to read the book "The Spirit Level" by Richard Wilkinson and Kate Pickett. But this blog entry is not about this book (I haven't read it yet). For a while now I've had such a nice ebook reader (well, it's not that nice, read my older blog post about it, but that's not my point here). I really hate carrying around kilos of books, and I also hate having to decide which books to take with me, so for the first time I tried to actually buy an ebook.
I found that Penguin has this book. The price is £9.99; interestingly enough, the price for the paper version is £7.99. Bits must be really expensive these days. Anyway, I thought £9.99 was still a price I was willing to pay, so I clicked on buy, created an account and so on. I was a bit confused when they asked me for the delivery address, but hey, I don't mind. At the end, they told me that this book is not available for customers outside the UK.
I mean... it's hard for me to comment on that. How stupid is that? I really don't want to know the strange reason there might be (I'm pretty sure it has something to do with international copyright law and collecting societies that are unable to arrive in the age of the internet, but I FUCKING DON'T CARE, I JUST WANT TO BUY A BOOK).
So I tried further. Amazon has the book, but only for its own ebook reader, the Kindle. All German bookstores I found only have the book on paper.
So I still don't have the book. I could buy it on paper, but seriously, I don't want that. I bought an ebook reader recently because I thought it would give me the freedom to read several books alternately without carrying them around. I thought the time had come for that.
Maybe it's just that simple: the book publishing industry will have to die, just like the music industry, which sadly still refuses to finally do so.
(sidenote: I found that someone experienced nearly the same story, with the same book, and I even know that person. That happened purely by chance.)
Posted by Hanno Böck in Books, Computer culture, Copyright, English at 22:12 | Comments (3) | Trackbacks (0)