Tales from the Crypto

My take on the SSL MITM Attacks – part 1 – the HTTPS attack

If you’re in the security world, you’ve probably heard a lot lately about new and deadly flaws in the SSL and TLS protocols – so-called “Man in the Middle” attacks (aka MITM).

These aren’t the same as old-style MITM attacks, which relied on the attacker somehow pretending strongly to be the secure site being connected to – those attacks allowed the attacker to get the entire content of the transmission, but they required the attacker to already have some significant level of access. The access required included that the attacker had to be able to intercept and change the network traffic as it passed through him, and also that the attacker had to provide a completely trusted certificate representing himself as the secure server. [Note – you can always perform a man-in-the-middle attack if you own a trusted certificate authority.]

The current SSL MITM attack follows a different pattern, because of the way HTTPS authentication works in practice. This means it has more limited effect, but requires less in the way of access. You gain some security advantage, you lose some. The attacker still needs to be able to intercept and modify the traffic between client and server, but does not get to see the content of traffic between client and server. All the attacker gets to do is to submit data to the server before the client gets its turn.

Imagine you’re ordering a pizza over the phone. Normally, the procedure is that you call and tell them what the pizza order is (type of pizza, delivery address), and they ask you for your credit card number as verification. Sometimes, though, the phone operator asks for your credit card number first, and then takes your order. So, you’re comfortable working either way.

Now, suppose an attacker can hijack your call to the pizza restaurant and mimic your voice. While playing you a ringing tone to keep you on the line, he talks to the phone operator, specifying the pizza he wants and the address to which it is to be delivered. Immediately after that, he connects you to your pizza restaurant, you’re asked for your credit card number, which you supply, and then you place your pizza order.

Computers are as dumb as a bag of rocks. Not very smart rocks at that. So, imagine that this phone operator isn’t smart enough to say “what, another pizza? You just ordered one.”

That’s a rough, non-technical description of the HTTPS attack. There’s another subtle variation, in which the caller states his pizza order, then says “oh, and ignore my attempt to order a pizza in a few seconds”. The computer is dumb enough to accept that, too.

For a more technical description, go see Eric Rescorla’s summary at Understanding the TLS Renegotiation Attack, or Marsh Ray’s original report.

Let’s call these the HTTPS client-auth attack and the HTTPS request-splitting attack. That’s a basic description of what they do.

HTTPS client-authentication attack

The client-authentication attack is getting the biggest press, because it allows the attacker one go (per try) at persuading the server to perform an action in the context of the authenticated user. From ordering a pizza to pretty any activity that can be caused in a single request to a web site can be achieved with this attack.

Preventing the attack at the server.

Servers have been poorly designed in this respect – but out of some necessity. Eric Rescorla explains this in the SSL and TLS bible, “SSL and TLS” [Subtitle: Designing and Building Secure Systems] on page 322, section 9.18.

“The commonly used approach is for the server to negotiate an ordinary SSL connection for all clients. Then, once the request has been received, the server determines whether client authentication is required… If it is required, the server requests a rehandshake using HelloRequest. In this second handshake, the server requests client authentication.”

How does HTTP handle other authentication, such as Forms, Digest, Basic, Windows Integrated, etc? Is it different from the above description?

A client can provide credentials along with its original request using the WWW-Authenticate header, or the server can refuse an unauthorised (anonymous) request with a 401 error code indicating that authentication is necessary (and listing WWW-Authenticate headers containing appropriate challenges). In the latter case, the client resends the request with the appropriate WWW-Authenticate header.

HTTPS Mutual Authentication (another term for client authentication) doesn’t do this. Why on earth not? I’m not sure, but I think it’s probably because SSL already has a mostly unwarranted reputation for being slow, and this would add another turnaround to the process.

Whatever the reason, a sudden dose of unexpected ‘401’ errors would lead to clients failing, because they aren’t coded to re-request the page with mutual auth in place.

So, we can’t redesign from scratch to fix this immediately – how do we fix what’s in place?

The best way is to realise what the attack can do, and make sure that the effects are as limited as possible. The attack can make the client engage in one action – the first action it performs after authenticating – using the credentials sent immediately after requesting the action to be performed.

A change of application design is warranted, then, to ensure that the first thing your secure application does on authenticating with a client certificate is to display a welcome screen, and not to perform an action. Reject any action requested prior to authentication having been received.

Sadly, while this is technically possible using SSL if you’ve written your own server to go along with the application, or can tie into information about the underlying SSL connection, it’s likely that most HTTPS servers operate on the principle that HTTP is stateless, and the app should have no knowledge of the SSL state beyond “have I been authenticated or not”.

Doubtless web server vendors are going to be coming out with workarounds, advice and fixes – and you should, of course, be looking to their advice on how to fix this behaviour.

The best defence against the client-authentication attack, of course, is to not use client authentication.

Preventing the attack at the client

Not much you can do here, I’m afraid – the client can’t tell if the server has already received a request. Perhaps it would work to not provide client certificates to a server unless you already have an existing SSL connection, but that would kill functionality to perfectly good web sites that are operating properly. Assuming that most web sites operate in the mode of “accept a no-client-auth connection before requesting authentication”, you could rework your client to insist on this happening all the time. Prepare for failures to be reported.

Again, the best defence is not to use client authentication right now. Perhaps split your time between browsers – one with client certificates built in for those few occasions when you need them, and the other without client certs, for your main browsing. That will, at least, limit your exposure.

HTTPS Request-splitting attack

Preventing the attack at the server

The HTTPS Request-splitting attack is technically a little easier to block at the server, if you write the server’s SSL interface – there should be absolutely no reason for an HTTP Request to be split across an SSL renegotiation. So, an HTTPS server should be able to discard any connection state, including headers already sent, when renegotiation happens. Again, consult with your web server developer / vendor for their recommendations.

Preventing the attack at the client?

Again, you’re pretty much out of luck here – even sending a double carriage return to terminate any previous request would cause the attacker’s request to succeed.

The long term approach – fix the protocol

As you can imagine, there are some changes that can be made to TLS to fix all of this. The basic thought is to have client and server add a little information in the renegotiation handshake that checks that client and server both agree about what has already come before in their communication. This allows client and server both to tell when an interloper has added his own communication before the renegotiation has taken place.

Details of the current plan can be found at draft-rescorla-tls-renegotiate.txt

Final thoughts

Yeah, this is a significant attack against SSL, or particularly HTTPS. There are few, if any, options for protecting yourself as a client, and not very many for protecting yourself as a server.

Considering how long it’s taken some places to get around to ditching SSLv2 after its own security flaws were found and patched 14 years ago with the development of SSLv3 and TLS, it seems like we’ll be trying to cope with these issues for many years to come.

Like it or not, though, the long-term approach of revising TLS is our best protection, and it’s important as users that we consider keeping our software up-to-date with changes in the security / threat landscape.

Why .NET apps keep crashing on your Tablet PC

I’ve been struggling with this issue for some time.

I have a small, simple .NET application I wrote in Visual C# a few months ago – I’ve tentatively titled it “iFetch”, because it fetches radio shows from the BBC iPlayer.

It really is very little more than a simple data grid view that displays the details of the shows and allows users to select them for downloading and later listening.

Despite that, I’ve had some terrible trouble with it. Sometimes it’ll work perfectly, other times it’ll just suddenly crash, and apparently without warning and for different reasons – sometimes when I click on a row, other times when I select to sort on a column heading.

The crash seems to be intermittent, but doesn’t reproduce on other computers; even computers of the same configuration.

For those who want technical details, here we go – the crash is a System.StackOverflowException error, and appears to be due to an unchecked infinite recursion in System.Windows.Forms.dll!System.Windows.Forms.DataGridViewRow.DataGridViewRowAccessibleObject.Bounds.get().

The clue here is that this is a “DataGridViewRowAccessibleObject” – not a mere DataGridViewRow. These “AccessibleObject” versions of common .NET components only come into existence and spread their effect when an “accessibility application” is active on the system. Apparently, in addition to text-to-speech readers, braille devices, etc, a Tablet – whether external like mine, or internal like those in a Tablet PC – classifies as an accessibility application.

That’s why this bug was intermittent for me – sometimes I had my external graphics tablet plugged in, other times I didn’t. To make matters worse, it seems to only trigger when one or more rows in the DataGrid are hidden.

If you get this error, first try checking to see if Microsoft have fixed the flaw – check for .NET service packs – and then, if there is no direct fix for the flaw, try either unplugging your tablet, if you can, or temporarily stop the Tablet PC Input Service, while running the program.

So far, I have received no feedback from Microsoft about when this will be fixed.

Why changing passwords should be done regularly

A little birdie sent me a copy of today’s SANS ISC diary entry. That’s a good thing, because I’m at home sick with alleged piggy flu, and I’m not able to keep up with a whole lot.

The diary entry argues that regular changes of passwords are often done for no other reason than “because we’ve always done it that way”.

Apparently, people responsible for security policy have “read somewhere” that you’re supposed to change passwords every ninety days, and having no other basis on which to proceed, that’s the policy carved in stone.

When asked why this policy is the way it is, the usual response is “good security practice” – and in such environments it’s difficult to give a good response to someone who pushes back, arguing that changing passwords in their application is ‘difficult’ or, more often, ‘expensive’. This is, after all, business, and if one side pleads “expense”, while the other side pleads “good thing to do”, the latter side will lose.

So, why is it best practice?

One reason is that you have to recognise that for all that we tell users not to share their passwords, not to use the same password on multiple sites (aka “share their passwords”), etc, very often users will do exactly that. So, every ninety days, you change your password and you cut off everyone with whom you previously shared your password (to an extent).

Another reason is to allow changes in password policy to propagate out to new passwords. If you suddenly realise that passwords can be easily hacked if they are only six characters, you change the password policy to require punctuation as well, and then you realise that because no one has to change their password, the new policy will never be applied.

Those are the common arguments for regular password changes, and there are a few others, but there’s one I rarely hear being made.

What about when you do get an exposure?

In my professional career, I have seen, or heard of, a number of cases of exposure of password information. Sometimes it’s as simple as a departing employee who knows far too much information and may not be trusted, or as mind-boggling as a team sharing a list of important passwords, and one of the team members losing the list. Other times it’s more complex.

Each time, the response from security is the same – if the existing passwords are in danger of being used because of such exposure, then those passwords need to be changed.

Most times, the response from the business is the same – that the passwords haven’t been changed in so long, and they’re spread through so many different applications, that they have no idea what will be affected if they change the password.

Once you hit that scenario, it can be months before you get the password changed. Yes, months. And all during that time, the account may be compromised.

How do you prevent this?

Think of your disaster recovery drills – when there’s a process that needs to be followed quickly and correctly in an emergency situation, you achieve that by meticulous planning and regular exercise. You create the process and test it regularly, updating the process as you find there’s a need.

If you don’t change passwords on these high-value accounts once every 90 days (or so), how do you know that you’ll be able to change those passwords after an exposure or compromise? How will you guarantee that your password change procedures are current, without testing them? How will you enforce changes being documented if you don’t check the documentation against reality once in a while?

White House moves to Open Source

Subtitle: Media posts uninformed rubbish as commentary

From the MSNBC story “White House opens Web site coding to public”:

"Security is fundamentally built into the development process because the community is made up of people from all across the world, and they look at the source code from the very start of the process until it's deployed and after," said Terri Molini of Open Source for America, an interest group that has pushed for more such programs.

Expecting Open Source to be more secure because the general public contributes to and reviews it is like expecting a televised football match to be safer, because the folks at home are engaged in crowd control and looking for pickpockets.

While you might luck out in finding a few talented, devoted, and dare I say it, obsessed individuals who will call the police every time they see an infraction on screen, most of the people tuning in are going to be watching the game; and those that are trying to help are often clueless about how the security in the grounds works, and you’ll get many calls from people who see the security guards searching bags on entry as pickpockets.

Lots more to pick on

There’s lots more to pick on in the article – for instance, the inability to determine the difference between a content management system and the web site it serves (akin to not knowing the difference between a story and the typewriter on which it was written), which itself significantly reduces the need for this one Open Source product to be secure.

The news article barely hints at some of the true advantages of Open Source – that others can drop additional components in at their pleasure, and that you can pick up whichever of those components you need. [Of course, the same is true of closed source products with good published interface specifications, so perhaps this is only an advantage in the extreme case that the provided interfaces are incomplete.]

Is Open Source more or less secure?

There are plenty of reasons to believe that Open Source offers security advantages – it’s possible, for instance, to do your own deep security investigations and fix problems when you become aware of them. Of course, that’s rather like saying an advantage of buying an old car is that you get to do your own services – great if you’re a mechanic, not so good if you have to check the owner’s manual to remember which end to put petrol into.

Software is more secure because it is written by good, dedicated, experienced programmers, reviewed by other good, dedicated, experienced programmers, analysed by tools and experienced programmers looking for security flaws, and tested pretty much to destruction.

Don’t forget, as well, that there is little perceivable difference between secure software, lucky software, and uninteresting software. All will appear to be unhacked – until luck runs out, or the software becomes interesting to an attacker.

I don’t claim to be able to determine that all Open Source is more or less secure than all Closed Source.

Just that the “more eyeballs” line doesn’t remotely provide anything close to an explanation.

Phishing at Hotmail, GMail, Yahoo! Mail, etc.

Recent password exposures at a number of online email services remind me to give a little advice on passwords.

Definitely use this as a reminder to do something about your passwords – but don’t do the obvious thing. Don’t rush round and change all your passwords right away.

Don’t change your passwords, change your password habits.

1. Don’t use the same password everywhere.
   If your password gets exposed, or the service owner is malicious (or has a malicious staff member), you’ll be exposed everywhere.
   Many times, of course, you will be unable to use the same password everywhere, because one site will require a symbol, and another will not allow that symbol. It is better to cope with this than to have to try and synchronise all your passwords.
2. Write down some of your passwords.
   What, seriously? Yep. Write down those passwords you don’t frequently use, and lock them away. Or store them in a password-protected (encrypted) file, whether that’s a Word file, Excel spreadsheet or any number of other storage mechanisms that will allow you to encrypt your passwords and store them away. Now you have replaced multiple passwords to remember with one.
   See point 1, though, make sure the password encrypting your password store is one you don’t share with any other sites.
   There are products out there which will protect your passwords for you – whether they are called password safes, vaults, strongboxes etc, they all do basically the same kind of thing.
3. Consider what passwords should be accessible to others.
   This may sound like bad security – and in a managed environment where others can always exert administrative rights to access files and systems that your passwords were used for, you should generally not be sharing your passwords.
   But think on this – a friend of mine received a traumatic train/brain injury, and though his recovery borders on the miraculous, there are many things he has forgotten. Passwords seem to be the hardest for him to hang on to, and he has had to recover through other means – sometimes simply wiping and recreating the system.
   Just as you have a will to direct people how to continue after your passing, store safely away account details and passwords so that your affairs can be brought into control if you are interrupted like my friend, or more permanently disconnected from the Internet. And make sure someone trustworthy and reliable can find that store when necessary.
4. Plan to change your passwords.
   If you don’t occasionally change your passwords, you will not know how to change them when it comes time to do so in a hurry.
   At several times in my professional career, I’ve had to deal with accounts whose passwords might have been exposed, whether through departing employees, lost password sheets, and at some of those occasions the natural security response of ‘change the passwords as soon as possible’ results in major push-back, by teams who have never changed their passwords, don’t know how to achieve it quickly, and aren’t sure what other applications depend on those passwords.
   If you don’t regularly change your important passwords, you’ll be flummoxed and panicked when it’s actually necessary to do so, and you may break something that depends on those passwords being synchronised.
5. Change your passwords often enough, but not too often.
   How often is too often?
   How often is enough?
   Difficult questions – often enough that you can remember changes to the systems to figure out why a password change caused some difficulty, and often enough to cover departing employees or others who might have had legitimate access once, but shouldn’t have access any more.
   Too often is when you get so tired of changing your passwords that you start regretting the process entirely.

There are no doubt dozens more things that could be suggested as good password practice, but these five will stand you in good stead.

Windows 7 – what it’s missing

Unless you’ve been living under a rock, you’ll be aware that today was the release of Microsoft’s latest operating system version, Windows 7.

So, everyone else has their own ideas of what’s missing in Windows 7, here’s my list, and it’s not the same petty focus that everyone else seems to have. Mine is based on what I want, rather than what’s remotely close to being reasonably achievable.

1. Media Center devices to provide support for DirecTV.
2. Trimmable transparent screen overlays supporting multi-touch input.
3. IPv6 support from my home ISP.
4. A web browser that opens quickly enough that I don’t forget what I was about to browse to.
5. A tool to answer “why is the system so slow right now?” – especially on those occasions when the CPU is not being over-taxed.
6. A free Zune HD. (Why not, since I’m dreaming here.)
7. Simple facilities to allow electronic commerce to operate on ‘zero knowledge’ principles, so that I would share my credit card account number only with my credit card provider, rather than with every merchant I might do business with. (Maybe Infocard or something like it could come close to fulfilling this wish)
8. An “Expert” mode, where menus are visible, files and file extensions are not hidden in Explorer. (For that matter, file extensions should not be hidden in Explorer. Ever.)
9. MSN – excuse me – Windows Live Messenger that works in a somewhat rational way, back in the system tray, rather than as a minimised icon.

So, what are the things in your twisted imaginings that would turn Windows 7 from this kind of Seven:

into this kind?

[Note: Having said all of this, it should be clear by now that I think Windows Seven is well worth having. But I still want more!]

SAL-like code annotations for Java

http://types.cs.washington.edu/jsr308/ seems to be talking about a set of type annotations for Java that are similar to those provided in Microsoft Visual C++ by SAL, the Standard Annotation Language.

One thing that the Java annotations have going for them over the SAL is that these annotations are going to be a part of the Java 7 standard, so it’s something that will come with the language no matter who implements it, whereas the C++ SAL extensions are specific to Microsoft. Of course, when I say “no matter who implements it”, I’m not aware of any significant currently supported implementations of Java outside of Sun, so it’s possible that such a statement is necessarily limited.

[Note that the SAL extensions can be included in C++ code that is compiled with other compilers, you just won’t see any benefit from them when using other compilers.]

What do annotations do?

As explained in the blog post that Michael Howard put out when SAL was first made available, these code annotations add something to object and function prototypes. What they add is the ability to turn run-time issues into compile-time errors.

So, for instance, a null pointer dereference, that would be an instant denial of service on your application, is trapped at compile time, because you declared in your function or class prototypes that you expect the pointer not to be null.

Adding these annotations to your code can certainly be a time-consuming task, since you have to revisit old code and add them in by had, recapturing assumptions that you had originally made about objects you reference. That in itself can be a learning experience, of course, and because you will capture a number of outstanding reliability, quality and security bugs, it’s far from being an empty investment.

What do the Java annotations capture?

The first checker that the Java annotations implement is the Nullness checker. This allows you to declare whether you are expecting a reference or value to be null or not. This generally avoids you seeing exceptions through dereferencing null.

The Interning checker prevents you from seeing poor results when comparing two objects (such as two instances of “Integer(2)”) using “==” or “!=”. Without the Interning checker, using “==” to compare two Integer variables each containing an instance of Integer(2) will produce the result ‘false’. This can cause logical processing errors, which the Interning checker will address.

The Mutability (IGJ or Javari) checker allows you to specify that an object reference should not be used to modify the contents of that object.

The Lock checker prevents locking errors by allowing you to declare that objects can only be accessed when guarded by a lock, or to declare that a function can only be called when holding a particular lock.

The Tainted checker allows you to mark an object as coming from an untrusted source (think “user”). Marking some functions as expecting Untainted data will prevent them from being fed Tainted data, and will ensure that other developers accessing such a function will call checking routines to convert the data from Tainted to Untainted before passing it to your functions.

The Linear checker prevents your code from holding more than one reference to objects marked as Linear. Since Java, like C#, likes to copy references to objects, rather than the objects themselves, this checker can prevent you from finding unexpected side-effects from objects being modified through aliases you weren’t expecting.

Further checkers appear to allow you to write your own checkers, but I haven’t got the Java programming chops to really play with these.

Should I include these annotations in my Java projects?

Definitely. Or something like them. Using annotations to define to the compiler some of the expectations you make of your code (a hyped-up interface contract, if you like) allows the compiler to check more deeply into whether those assumptions can hold true throughout your code.

My own experience of SAL-annotated code is that it has allowed me to discover some relatively subtle bugs in my programs. Or bugs that weren’t quite so subtle, but just weren’t jumping out at me.

A quick look at these Java annotations suggests that they will do the same for Java projects. Frankly, the more help you can get from these static analysis tools, the better. Analysis tools don’t catch all problems, and they aren’t a substitute for good programming, but they do provide a second check on your own assumptions that can be very useful.

Previous articles on SAL:

• SAL - pipped at the post by Michael Howard
• Okay, scratch what I said about SAL
• Forget that I asked you to ignore what I said.

Google bans MVP

Google certainly sounds like it’s a nice place to work. Table football, free lunches, that whole “don’t be evil” mantra, and the requirement to spend 20% of your time on projects that aren’t specifically to do with any particular company goal (with the obvious intent that some of those projects will result in interesting discoveries and/or personal development that the company can use).

But I can’t say that I’ll be applying there, at least until they publicly state that they are permanently reversing a decision they made in the last few weeks.

What did Google do that was, to my mind, so very close to evil?

Google told Jon Skeet that he shouldn’t accept the Microsoft MVP Award that was offered to him, despite the fact that he’s been awarded for the sixth year in a row.

Remember, this is a retrospective award – it is a recognition of what you have done for the community of Microsoft’s users, not a request or obligation to do anything in the future or act in a particular way.

Jon’s award stems from his frequent, continued and voluntary assistance to other C# developers.

As far as I can tell, Google has not told Jon to stop helping C# developers, and certainly his blog is still up, his support pages and FAQs are still up, and he’s still posting helpful advice on C#.

I could even understand if they said “don’t go to the annual MVP Summit”, or “don’t advocate Microsoft products” (although that’s not expected of MVPs, who bristle at the slightest suggestion of being ‘evangelists’).

So, Google’s not angry with his behaviour – they are angry with his being recognised and rewarded, by Microsoft, for that helpful volunteer behaviour.

My own C# projects have benefitted on numerous occasions from finding an article Jon has posted on the Internet. I’d like to thank him for that, and I hope he isn’t required by Google to reject my gratitude as well.

Thanks, Jon Skeet, for all you do for the C# developer community.

Thanks, Google, for reminding us that there’s a line that divides “evil” from simply “really, really bad”.

[Note: Please feel free to pass this posting on. I’d like to see Google feel very very ashamed for this, and to recant. If only because Jon will be eligible every quarter for the MVP award, and he’s going to get awfully tired of refusing it over and over. News coverage would be great, but I don’t see any at the time of writing on Bing’s News search.]

Sometimes It Seems Like Unix(*) Needs to Learn from Windows

(*) By “Unix”, I mean Linux, Unix, AIX, OS/X, and similar flavours.

Way back when, about twenty or so years ago, I was a Unix admin, and a Unix developer. I had to be both, because I was the only person in the company who could spell Unix.

My favourite game was to go along to presentations for Microsoft Windows ‘new features’ and say “Oh, but hasn’t Unix had that for the last twenty years?”

Sure enough, there were countless things that Windows users and developers were just discovering (TCP/IP, shared libraries, multiple sessions on the same computer) that had been in Unix for some time. Linux was yet to make a mention, but as I’ve moved firmly into the Windows world, and left Unix behind, I’ve pretty much assumed that technologically speaking, if Windows has it, Unix and the like must also have the same functionality.

As I re-engage with Unix and Linux developers and IT professionals in recent months, though, I can see that there are some areas – particularly in security - where Windows is far ahead of the *x operating systems. Here’s a few:

Where’s my EFS?

EFS, the Encrypting File System, is one of Windows’ best-kept secrets. It’s not really a secret, of course, but it acts like one – there are so few people willing to use it, and mostly because they’re scared of or don’t understand it.

EFS allows users (under administrative control and with appropriate recovery measures in place) to choose files to encrypt, and to declare which other users can access the encrypted files.

EFS-encrypted files are encrypted on disk, and the keys cannot be broken simply by mounting an offline attack, because the key for each file is encrypted with users’ public keys, and the private keys are held securely in the users’ certificate store.

What does *x have in response? Whole disk encryption by third-party products (OK, Windows has Bitlocker and any number of third-party products). EFS protects individual files, and is far more fine-grained than the ‘all or nothing’ access of WDE (or FDE, Full Disk Encryption, if you prefer).

Single Certificate Store

This isn’t really a “single” store so much as a predictable location for the certificate store. If you want to read a user’s certificates and keys, you know where to find them (although you generally only have access if you are the user in question. Private keys from the certificate store are protected using the DPAPI, appropriately protecting them (apart from some key recovery scenarios, you have to log in using the password associated with the keys).

Similarly, certificates and keys belonging to the system and its service accounts are also in predictable locations.

This makes life easy for tools that need to scan for certificates due to expire.

Where are certificates and keys stored in *x? All over the place. Generally in “PEM” files, usually (but not always) in the same directory in which the application that installs them is.

How are these private keys protected in *x? There’s sometimes a password to open up the private key from the PEM file, and usually the PEM file has a restrictive access mask on it. [Read further for more problems with this]

Single SSL Library

It’s not uncommon to see several instances of OpenSSL installed on any particular system, whether it’s *x or Windows, if the system runs applications that use OpenSSL.

Windows developers, of course, can simply use the SSL API built in to Windows (CryptoAPI, CAPI and SChannel), and not have to worry about shipping an SSL library with their application, or keeping up with new versions as they come out, or tracking down customers and notifying them of updates to address security flaws (such as the Debian Linux key generation flaw I posted about a while ago).

Single SSL Configuration

If I want to disable SSL v2, or ciphers with fewer than 128 bits, on Windows I can change a few registry settings and know that I’ve fixed every application that uses SChannel. I can even do that remotely, with remote registry editing from a script or group policy tattooing the registry.

To do the same for OpenSSL, it seems that I have to find every application that uses OpenSSL and change the configuration files there. 

Data Protection API and configuration file protection

This is the one that really started me on this article.

How do you store a password in a configuration file?

Yes, the ‘right’ security answer is “you don’t”, but that’s naive. The fact is that there are many instances wherein you have to store a password – to access and authenticate to a remote application, or (if you’re using OpenSSL) to open a password-protected PEM or PFX file in order to read out the private key.

On Windows, the Patterns and Practices team have documented how to do this – basically, you use the DPAPI to encrypt the password into the config file, and again to decrypt it back out – and your DPAPI keys are encrypted by your master key, which is derived from your password. The end result is that you can’t get those DPAPI keys without the password.

What do the *x platforms have?

”Put the password in plain text, and protect it with a restrictive access mask”, is what I’m told. And in a search, I couldn’t find anything better being recommended. OK, one person recommended encoding the password with base64, but that’s hardly a security measure.

Jesper brought up the excellent question of “how is it different?” – in the *x system, the password is marked as only being accessible to the correct user. I was about to answer him when Steve F spoke up for me, and noted that in the DPAPI case, you have to read the file, and then an API has to be called to decrypt the password; in the *x case, you simply have to read the file. There are many many more exploits that allow the reading of a file under privileged rights than there are exploits that allow the execution of code.

Patch Management and Group Policy

Microsoft has done a really good job of implementing enterprise-level management features into their operating systems, from Group Policy and WMI to WSUS and other update management tools.

The *x systems I’ve seen seem to be built from the perspective that each system has its own attendant administrator, who is only too happy to manually deploy patches or tweak settings in line with some policy on a scrap of paper or post-it.

Maybe I’m missing some huge advances, and maybe some of these issues are resolved with a third-party tool – but then, maybe that’s part of the problem too. All of the above are a part of the operating system in Windows, and can be relied on to exist by developers, and their use by applications can be expected by IT professionals.

[Disclaimer: Yes, I know there are still areas where Microsoft needs to learn from Unix and Linux, and perhaps it’d be good if you’d educate me on those, too. This isn’t a “Windows is better than *X” debate, it’s a “hey, even if you think *X is better than Windows, here are some areas *X needs improving in”.]

Edit: There have been some excellent comments posted overnight in response to this article, and as I had hoped, I am mostly still 'in the dark' about what Linux and Unix-like systems offers. I'll be looking at these as I have time, and responding when I can. For now, just let me say that I am impressed to see so much technical content in the responses, and so little of the "fanboy" behaviour that often characterises these discussions.

Zune HD – but not mine

A friend of mine ordered a Platinum Zune HD recently (that’s the 32GB model), and because he was unable to receive the shipment, asked for me to open it for him and check on its functionality to make sure he hadn’t been shipped a lemon.

Since I’ve previously commented on the Zune 30 that my wife bought for my birthday, I thought I’d have a quick look and see what I like about it.

The demonstration video is stunning, and shows off the display impressively. The display is wonderfully bright, and fulfils every bit of the promise of OLED technology. Light-weight, thin, amazingly bright and detailed.

Installing the new Zune software from http://www.zune.net/setup went smoothly, although when the player was plugged in, the Zune software immediately insisted on a Player update. The Zune needs to be updated from 4.0 to 4.1 already.

This may come as a surprise, but really it’s not too shocking. There’s a considerable gap between preparing a bunch of hardware for simultaneous shipping and the actual delivery, during which time there may be some interesting bugs discovered. Possibly this time, the bug is that the charge indicator doesn’t light in version 4.0, but does light up in version 4.1. At least, that’s a change I noticed.

So, have any of my previous complaints been addressed? Given the timing of my last post, close to the end of the Zune HD’s development, I doubt that Microsoft had a chance to fix the problems I noted, and I seem to be correct about that.

You can still put MP3 files into your Podcast folder and give them a genre of “Podcast” in order to make them work like Podcasts (i.e. remembering their position while you go do other things), but the images tied into the MP3 files are still not displayed along with those podcasted MP3s. And they still don't play ordered by track number, preferring instead to use some bizarre combination of date and textual sort, with some apparent randomness thrown in.

It appears so far that all of the other issues I’ve encountered are still there, so I’m still waiting for someone at Microsoft to address those and deliver a Zune (updated firmware, software, or hardware) that is absolutely perfect. If they could make it cheaper, too, it would be easier to justify a purchase.

But man, I love that bright display on the new Zune HD. I just wish I didn’t have to part with this one so soon. I guess I’d better save my Amazon gift cards…

Would you behave differently in a shared office?

How would you change your behaviour at work if you knew the person seated one desk over worked for a competitor?

How would your behaviour change if you knew the person one cubicle over was about to work for a competitor?

What if you knew that your cubicle neighbour was going to lose her job (be fired or laid off) in the next six months? Do you think she’d be looking to work in a different industry, or the one where she had the most recent experience?

What if the economic situation was such that you just couldn’t be sure who in your office would still be with you a year from now?

How would you protect your data then?

My point is less about pointing out that the current economic situation seems very like this harsh threatening landscape, but to ask you to consider that the answer to this question is actually the answer you should give all the time.

A recent study from Ponemon stated that six out of ten departing employees will take data with them as they leave, whether that’s customer data or business intelligence. Why do they do this? Well, we could get into the whole motivation of why, but the real answer is simple:

Because they can, and because they think they can benefit from doing so. Not because they won’t get caught – because, really, what are you going to do, fire them?

Behave (and design!) as if you’re in an open environment.

Design your data and processes around the idea that important, private, or proprietary data should only rest with individuals or in stores for as long as it is needed to do the job at hand.

After that, then what?

If you no longer need it, or can reconstruct or re-collect it when you next need it, why not just destroy the data?

If you need it, return it to a secure data store, from which it can’t be fetched again without business need, and appropriate authorisation.

If you never needed it in the first place, why collect it at all?

Protecting systems, networks, applications – that’s just resiliency and protection of a few thousand dollars of assets. The real money – and the real requirement for security protection – is in the data.

Act (and architect!) like the data is, AND isn’t, yours.

I used to say that people should “act like the data isn’t yours in the first place” – makes logical sense, doesn’t it?

Sure, if you think that way – if you think that you should be careful with other people’s possessions that they’ve loaned to you.

Over several jobs and several years, I’ve come to realise that we aren’t all of the same species of thought. Some of us are careless with other people’s possessions, and are only concerned with taking care of what’s ours.

So, my explanation has changed – now, the explanation is still that the data doesn’t belong to us, but we have possession of it, and therefore we, as application designers and architects, have a double requirement to be careful with it. We must protect it because it isn’t ours, and we must protect it because it is in our care. To be loose with other people’s data would be to cause them damage, and to be loose with data in our care would be to cause our business damage by reducing the value that we get from holding that data.

How FTP Data Connections Work Part 2 (OR: Fun With Port 20)

As we mentioned in the 1st part of this series, FTP is a more complex protocol than many, using one control connection and one data connection.

A recap of the first post…

In typical Stream Mode operation, a new data connection is opened and closed for each data transfer, whether that’s an upload, a download, or a directory listing. To avoid confusion between different data connections, and as a recognition of the fact that networks may have old packets shuttling around for some time, these connections need to be distinguishable from one another.

In the previous article, we noted that two network sockets are distinguished by the five elements of “Local Address”, “Local Port”, “Protocol”, “Remote Address”, and “Remote Port”. For a data connection associated with any particular request, the local and remote addresses are fixed, as the addresses of the client and server. The protocol is TCP, and only the two ports are variable.

For a PASV, or passive data connection, the client-side port is chosen randomly by the client, and the server-side port is similarly chosen randomly by the server. The client connects to the server.

For a PORT, or active data connection, the client-side port is chosen randomly by the client, and the server-side port is set to port 20. The server connects to the client.

All of these work through firewalls and NAT routers, because firewalls and NAT routers contain an Application Layer Gateway (ALG) that watches for PORT and PASV commands, and modifies the control (in the case of a NAT) and/or uses the values provided to open up a firewall hole.

Isn’t there a totally predictable data connection?

For the default data connection (what happens if no PORT or PASV command is sent before the first data transfer command), the client-side port is predictable (it’s the same as the source port the client used when connecting the control channel), and the server-side port is 20. Again, the server connects to the client.

Because firewalls and NATs open up a ‘reverse’ hole for TCP sockets, the default data port works with firewalls and NATs that aren’t running an ALG, or whose ALG cannot scan for PORT and PASV commands.

Why would an ALG stop scanning for PORT and PASV commands?

There are a couple of reasons – the first is that it doesn’t know that the service connected to is running the FTP protocol. This is common if the server is running on a port other than the usual port 21.

The second reason is that the FTP control connection doesn’t look like it contains FTP commands – usually because the connection is encrypted. This can happen because you’re tunneling the FTP control connection through an encrypted tunnel such as SSH (don’t laugh – it does happen!), or hopefully it’s because you’re running FTP over SSL, so that the control and data connections can be encrypted, and you can authenticate the identity of the FTP server.

So how do you get FTP over SSL to work through a firewall?

In the words of Deep Thought: “Hmm… tricky”.

There are a couple of classic solutions:

1. Allow PASV data connections, select a wide range of ports, and open that range for incoming traffic from all external addresses in your firewall configuration; hope that your FTP server can be configured to use only that range of ports (WFTPD Pro can), and that it has protections against traffic stealing attacks (again, WFTPD Pro has). Still, this option seems really risky.
2. Block all PASV connections, and make the clients responsible for opening up holes in their firewalls. If you’re convinced the risk is too great to do this on your server, how does it look to convince your users that they should accept that risk?
3. After you’ve authenticated the server and provided your username and password in the encrypted control connection, issue the “CCC” (Clear Control Channel) command, to switch the control connection back into clear-text. I dislike this as a solution, because it requires the ALG pay attention to a lot of SSL traffic in the hope that there might be clear-text coming up, and because you may want the control channel to remain encrypted.

Awright, clever clogs, you solve the problem.

The astute reader can probably see where I’m going with this.

The default data port is predictable – if the client connects from port U to port L at the server (L is usually 21), then the default data port will be opened from port L-1 at the server to port U at the client.

The default data port doesn’t need the firewall to do anything other than allow reverse connections back along the port that initiated the connection. You don’t need to open huge ranges at the server’s firewall (in fact you should be able to simply open port 21 inbound to your server).

The default data port is required to be supported by FTP servers going back a long way- at least a couple of decades. Yes, really, that long.

If it’s that simple, why isn’t everyone doing it?

Good point, that, and a great sentence to use whenever you wish to halt innovation in its tracks.

Okay, it’s obvious that there are some drawbacks:

• In stream mode, the data transfer is ended by closing the stream. This means that you have to open a new control connection. Not good, given the number of round-trips you need for a logon, and the work needed to start an SSL connection.
• Most FTP clients view the default data connection as, at best, a fail-over in case the PORT or PASV commands fail to work. Obviously, that means it’s not likely to be a well-tested or favoured solution on these clients.

Even with those drawbacks, there are still further solutions to apply – the first being to use Block-mode instead of Stream-mode. In Stream-mode, each data transfer requires opening and closing the data connection; in Block-mode, which is a little like HTTP’s chunked mode, blocks of data are sent, and followed by an “EOF” marker (End of File), so that the data connection doesn’t need to be closed. If you can convince your FTP client to request Block-mode with the default data connection, and your FTP server supports it (WFTPD Pro has done so for several years), you can achieve FTP over SSL through NATs and firewalls simply by opening port 21.

For the second problem, it’s worth noting that many FTP client authors implemented default data connections out of a sense of robustness, so default data connections will often work if you can convince the PORT and PASV commands to fail – by, for instance, putting restrictive firewalls or NATs in the way, or perhaps by preventing the FTP server from accepting PORT or PASV commands in some way.

Clearly, since Microsoft’s IIS 7.5 downloadable FTP Server supports FTPS in block mode with the default data port, there has been some consideration given to my whispers to them that this could solve the FTP over SSL through firewall problem.

Other than my own WFTPD Explorer, I am not aware of any particular clients that support the explicit use of FTP over SSL with Block-mode on the default data connection – I’d love to hear of your experiments with this mode of operation, to see if it works as well for you as it does for me.

Dreaming of the future...

Here are some technologies I just can't wait for:

• OLEDs:
  • for room lighting - ambient light from ceiling-tile sized light panels [those of us that suffer migraines want an alternative to fluorescent lights, compact or otherwise]
  • for either back-lighting of LCD screens, or for the screen itself - I didn't know until after I bought it that my laptop uses a fluorescent bulb for the backlight. When the battery gets low, I can see it flicker, and I have to turn it off or risk another migraine.
  • Are they green? They're any colour you want, baby!
  • Oh, you mean are they ecologically sound? Far more so than incandescent, fluorescent, effervescent, evanescent or putrescent. Incandescent bulbs burn way more power; fluorescent bulbs have mercury - and, surprisingly, burn way more power for the amount of light they put out than equivalent LEDs or OLEDs.
  • OLEDs are cool to the touch - perhaps in some climates this means you'll have to run your heater more, but really, you don't think a light-bulb is an efficient heat generator, do you?
• Multi-touch support, including fingertip and stylus support.
  • Windows 7 (which I thought would be called "Viista") will feature multi-touch support, where users will grab objects with a couple of fingers, to more naturally twist and scale them.
  • Stylus support would allow drawing and writing - I wish I had an excuse to get a Tablet PC, but I just can't afford to sacrifice power in order to get that capability. Maybe I'll buy a cheap USB tablet to plug in at the side.
• Single sign-on through the use of federated identity.
  • Okay, that one probably needs some explanation.
  • I'm tired - so tired - of one password here, a different password there, here I'm "alunj", there I'm "aljones", another place I'm ma7amj, yet another place AMJ10.
  • I want to enter one user name, one password, and be able to authenticate to everywhere.
  • Of course, that would mean everywhere would have to trust the one user name and one password - and if that isn't carefully monitored, you'll see people tying their bank accounts and nuclear secrets to a one character password. This requires some thought.
• Transflective displays.
  • Tra-wha?
  • Put simply, if it's light enough to read a piece of paper, I want to be able to use my laptop. And if it's really, really bright, I want to be able to use my laptop.
  • No backlights - I want the screen to be like coloured paper, reflecting ambient light.
  • That'll cut down on weight, battery consumption, and probably also frame rate in games. Can't have everything :)
• Wi-tricity
  • Wireless electricity.
  • Sure, it's going to bombard me with electrons, but only if I'm resonant. Otherwise, it'll power my technology without requiring that it all be tethered to the wall.
• Wide-spread adoption of IPv6
  • Heck, even though Microsoft installs IPv6 by default in Vista and Server 2008, there still isn't an IPv6-based Microsoft "front page".
  • www.ipv6.microsoft.com has been dead for months.
  • Akamai, which hosts www.microsoft.com, doesn't appear to know about IPv6.
  • IPv6 brings us back to the way that nature intended the Internet to be - everyone's a peer node; everyone can be a server. Firewalls are firewalls, and NATs are non-existent.

Nice support from Lenovo

I’ve been wanting to post this comment for some time, but never seemed to get around to it.

I’ve been through a number of different laptops over the last decade or so – Compaq, Dell, Gateway, and Toshiba – and each time, I’ve found that they just don’t seem to last. I can’t point to anything in particular – it’s never the same thing twice, but for one reason or another, I don’t get more than a couple of years’ life out of a laptop. Sometimes it’s physical failure – the screen breaks, the drive fails, the battery stops holding a charge – and sometimes it’s simply that the machine is too slow and impossible to upgrade to support me as new software is needed.

Unless I buy a ThinkPad.

It’s not that the ThinkPad doesn’t have its problems – it’s more that IBM support always made things right. When the CD-R drive on my first ThinkPad started failing, I called them up, and they quickly sent me a replacement (taking, as usual, my credit card number as guarantee in case I didn’t send them the drive back). The replacement turned out to be a DVD-R drive, so I was ahead on that deal – particularly since the failure happened right at the end of the warranty period.

So my more recent ThinkPad concerned me, coming as it did with a Lenovo sticker instead of IBM.

As usual, problems with the laptop happened once in a while. About six months in, the laptop battery stopped retaining its charge. I’m used to companies telling me that the battery is only warranted for 90 days, and that when batteries stop holding their charge, it’s because of my usage patterns (whatever that means – isn’t a battery supposed to be used when you’re on the bus or train, or in a meeting?)

Not these guys, no, they sent me a replacement battery (after the ritual exchange of credit card numbers).

One persistent problem stayed with me from the first few months of the purchase of the laptop – the sound stuttered. Now, I should note here what I mean by “stuttered”, because I gather others have sound stuttering that isn’t the same problem as mine.

Imagine, if you will, that the speakers can handle sounds only “so” loud. Pass any sounds louder than that to them, and the sound ceases until the sound is back to a good volume. So, the timing of the sound is unaffected, it’s just as if someone’s repeatedly hammering the ‘mute’ button. Not a problem if everything’s normalised to below 70%, say, but then that’s difficult to listen to because it’s so quiet.

That’s the problem I had – the other sort of problem appears to be where the processing of the sound signal is held up, so the timing of the sound is affected, as if someone is hammering a ‘pause’ button repeatedly on and off.

I called Lenovo a couple of times about this, and assumed it was simply not going to be fixed, as they kept suggesting new drivers, or that I take it to a service centre where they would decide if it could be fixed there or had to be sent away. I wasn’t keen on the service centres they were suggesting.

Finally I reached the end of my warranty, and also the end of my patience with the problem – I was playing more and more stuff from BBC Radio (see a theme here?), and they were coming through normalised properly, rather than dead quiet. So, I either had to re-normalise everything myself, or get the problem fixed.

I called Lenovo, spoke to a nice man in North Carolina, and was told they’d have to look at the system. I’d have to send it in.

I hate being without my laptop – all the more so because I had to send in my hard drive as well. So, it’s make-a-backup time, plus delete-all-the-secrets. A box arrived, with paid shipping, I stuck the laptop in the box, and sent it back. Over Thanksgiving, so that “5 business days” became naturally closer to two weeks, and because it eventually took a while to fix the problem, closer to three weeks.

When I received the system back, I noticed a few things:

1. The sound problem had been fixed.
2. The mainboard had been replaced.
3. These repairs had all been done for free despite the fact that I was a couple of weeks past warranty expiration when I first called.

You’ll often hear people bad-mouthing non-US companies for having poor technical support that doesn’t speak English and can’t often help – and though this may be true for Lenovo’s online support ‘chat’ (where you type into a browser window), it’s not true for their phone support, and I really can’t argue with the quality of the warranty work they’ve done for me (and how comfortable they were stretching the warranty in the instance that I had been complaining for a while before the warranty expired).

Perhaps it’s a little sad that I have to post a glowing review like this of support that matches roughly what I would expect. But I think Lenovo deserves a pat on the back for this support, and I can only apologise that it has taken me so long to get around to doing so.

I will likely be buying another Lenovo ThinkPad when I finally need to dispose of this one.

How FTP Data Connections Work Part 1 (OR: Don’t Open Port 20 in your Firewall!)

This will be the first of a couple of articles on FTP, as I’ve been asked to post this information in an easy-to-read format in a public place where it can be referred to. I think my expertise in developing and supporting WFTPD and WFTPD Pro allow me to be reliable on this topic. Oh, that and the fact that I’ve contributed to a number of RFCs on the subject.

Enough TCP to be dangerous

First, a quick refresher on TCP – every TCP connection can be thought of as being associated with a “socket” at each device along the way – from one computer, through routers, to the other computer. The socket is identified by five individual items – the local IP address, the local port, the remote IP address, the remote port, and the protocol (in this case, the protocol is TCP).

Firewalls are essentially a special kind of router, with rules not only for how to forward data, but also rules on connection requests to drop or allow. Once a connection request is allowed, the entire flow of traffic associated with that connection request is allowed, also – any traffic flow not associated with a previously allowed connection request is discarded.

When you set up a firewall to allow access to a server, you have to consider the first segment – the “SYN”, or connection request from the TCP client to the TCP server. The rule can refer to any data that would identify the socket to be created, such as “allow any connection request where the source IP address is 10.1.1.something, and the destination port is 54321”.

Typically, an external-facing firewall will allow all outbound connections, and have rules only for inbound connections. As a result, firewall administrators are used to saying things like “to enable access to the web server, simply open port 80”, whereas what they truly mean is to add a rule that applies to incoming TCP connection requests whose source address and source port could be anything, but whose destination port is 80, and whose destination address is that of the web server.” This is usually written in some short hand, such as “allow tcp 0.0.0.0:0 10.1.2.3:80”, where “0.0.0.0” stands for “any address” and “:0” stands for “any port”.

Firewall rules for FTP

For an FTP server, firewall rules are known to be a little trickier than for most other servers.

Sure, you can set up the rule “allow tcp 0.0.0.0:0 10.1.2.3:21”, because the default port for the control connection of FTP is 21. That only allows the control connection, though.

What other connections are there?

In the default transfer mode of “Stream”, every file transfer gets its own data connection. Of course, it’d be lovely if this data connection was made on port 21 as well, but that’s not the way the protocol was built. Instead, Stream mode data connections are opened either as “Active” or “Passive” connections.

Active and Passive Data Connections

The terms "Active" and "Passive" refer to how the FTP server connects. The choice of connection method is initiated by the client, although the server can choose to refuse whatever the client asked for, at which point the client should fail over to using the other method.

In the Active method, the FTP server connects to the client (the server is the “active” participant, the client just lies back and thinks of England), on a random port chosen by the client. Obviously, that will work if the client's firewall is configured to allow the connection to that port, and doesn't depend on the firewall at the server to do anything but allow connections outbound. The Active method is chosen by the client sending a “PORT” command, containing the IP address and port to which the server should connect.

In the Passive method, the FTP client connects to the server (the server is now the “passive” participant), on a random port chosen by the server. This requires the server's firewall to allow the incoming connection, and depends on the client's firewall only to allow outbound connections. The Passive method is chosen by the client sending a “PASV” command, to which the server responds with a message containing the IP address and port at the server that the client should connect to.

The ALG comes to the rescue!

So in theory, your firewall now needs to know what ports are going to be requested by the PORT and PASV commands. For some situations, this is true, and you need to consider this – we’ll talk about that in part 2. For now, let’s assume everything is “normal”, and talk about how the firewall helps the FTP user or administrator.

If you use port 21 for your FTP server, and the firewall is able to read the control connection, just about every firewall in existence will recognise the PORT and PASV commands, and open up the appropriate holes. This is because those firewalls have an Application Level Gateway, or ALG, which monitors port 21 traffic for FTP commands, and opens up the appropriate holes in the firewall. We’ve discussed the FTP ALG in the Windows Vista firewall before.

So why port 20?

Where does port 20 come in? A rather simplistic view is that administrators read the “Services” file, and see the line that tells them that port 20 is “ftp-data”. They assume that this means that opening port 20 as a destination port on the firewall will allow FTP data connections to flow. By the “elephant repellant” theory, this is proved “true” when their firewalls allow FTP data connections after they open ports 21 and 20. Nobody bothers to check that it also works if they only open port 21, because of the ALG.

OK, so if port 20 isn’t needed, why is it associated with “ftp-data”? For that, you’ll have to remember what I said early on in the article – that every socket has five values associated with it – two addresses, two ports, and a protocol. When the data connection is made from the server to the client (remember, that’s an Active data connection, in response to a PORT command), the source port at the server is port 20. It’s totally that simple, and since nobody makes firewall rules that look at source port values, it’s relatively unimportant. That “ftp-data” in the Services file is simply so that the output from “netstat” has a meaningful service name instead of “:20” as a source port.

Coming up in part 2…

Next time, we’ll expand on this topic, to go into the inability of the ALG to process encrypted FTP control traffic, and the resultant issues and solutions that face encrypted FTP.

Stupid Outlook 2007 RSS Feed Workaround

I was starting to wonder why other people were getting news stories before me.

Then I realised I just wasn’t getting news at all.

Looking at my Unread RSS Feeds search folder in Outlook 2007, I noticed that I hadn’t received a single post since June 10th 2009. Coincidentally, this is when I installed a number of updates:

None of these updates had any “Known Issues” listed in the Knowledge Base articles associated with them that would stop feeds from updating, so I went searching.

First I went searching at Microsoft’s support page (a supported fix or workaround is generally so much safer and more reliable than an unsupported one), and found that this problem had indeed been fixed in the February 2009 Cumulative Update for Outlook 2007 (“RSS feeds become dormant and do not reactivate.”), which was incorporated into Outlook 2007 Service Pack 2. I’ve already installed those.

Great. They’re obviously talking about a completely different problem cause.

Next I go searching the web in general – I use Bing, simply because it’s easy to get to, and Google when I think the answer is more likely to be in the Usenet newsgroups (is it too much to ask Microsoft to maintain their own Usenet archive and search there from Bing?)

In this case, the web had sporadic references to people deleting “~last~.sharing.xml.obi” and “Outlook.sharing.xml.obi” – I would generally avoid doing this sort of change without a backup and a box of tissues to cry into when things go wrong. Deleting temporary files and hoping they get rebuilt is sometimes a miracle, and sometimes more of a magic trick, making things disappear without a trace. So I continued looking.

One question that was asked – and that I should have asked myself – is what kind of “feeds not updating” issue I was having. There are several kinds:

• Feed data present, connection attempted, mismatch in dates
• Feed data present, connection attempted, some other error
• Feed data present, connection not attempted
• Feed data not present

I was in the latter category – when I opened the Tools menu and selected Account Settings, the RSS Feeds tab contained only a few items, rather than the several dozen I was expecting to see. This is what I was expecting:

As it turns out, there is a simple and stupid workaround for this issue, which requires no deletion of files.

Navigate to the RSS Feeds folder (mine is under an RSS Feeds PST file, but if you selected the default, it’ll still be in your Personal Folders file), and for each feed that you’re missing, simply select the feed’s folder, as shown to the right.

For each folder you select, Outlook will display the downloaded items from that feed – and will slyly go behind the scenes to make sure that the feed is in the RSS Feeds tab.

For my several dozen feeds, this took a while, but wasn’t too bad.

[Note: Don’t try to navigate back through the folder history by holding down the ‘back’ key on your keyboard or Alt-Left Arrow – when I did this, Outlook crashed after zipping through a few folders.]

As you can see from my later screenshot of the “RSS Feeds” tab above, all my feeds are re-added, and a new sync caused them to be updated with new content.

It’d be really nice if this process could be automated for a number of folders at a time, to “refresh feeds from RSS Folders” – but for now, this is at least a workaround when you notice that you’re just not as well-informed as you used to be.

Zune – So Nearly Perfect, it Hurts

For a while now, I’ve been listening to the BBC radio on my MP3 player – even wrote a program to download the audio of various programmes and convert them from RealAudio to MP3 so that I can listen to them on the bus or in my car on the way to and from work. First it was a 512MB Creative Muvo, then a Sandisk Sansa at 2GB.

Then on my birthday, my wife surprised me with a 30GB Zune, just what I wanted. I know there are other more recent models, but I can’t justify the expense of a 120GB model, and the others are too small of a display to be interesting. The Zune HD seems like it would be perfect, but I bet it’ll be too expensive for me to justify.

I really enjoy the Zune, and it solves many of the problems I’ve hated about the Sansa – the biggest being, as I described before, that it requires me to install (and carefully watch for sneaky encroachment) Quicktime, and to run the video/photo converter as an administrator.

So, now that the Zune solves the big problems, I’m starting to become aware of the less horrifying aspects of media player ownership.

Here are the first few little problems (note that this isn’t entirely insurmountable):

• Playing a video, or a podcast, kills off the “Now Playing” list.
• While you can resume a video, or a podcast, you can’t resume a playlist.
• You can’t create a playlist on the device – although you can add Music selections to “Now Playing”, you can’t rename the list, and “Now Playing” gets killed off so easily.
• You can’t resume a music item after you’ve paused it and played another. This makes the music folders useless for my radio programmes.
• When playing an MP3 file in the music folder, if the MP3 file has a picture (in the ID3 Picture tag), the picture is cropped to fit the display – I’d rather see it shrunk.
• Pictures from MP3 files are not displayed individually – one of them is selected as the “Album Art”, and is then displayed for all subsequent MP3s with the same ID3 Album tag. I’d rather see the pictures from the individual MP3s (who knows, maybe they’re important?)
• MP3 files from the music folder appear in the “social” under your tag, and the system tries to guess what you’re listening to. Usually appallingly badly. For instance, I play “The Eureka Years”, a radio programme from the BBC, recorded as an MP3 file with appropriate Author and AlbumTitle tags – it lists as the song “Eureka” by “Jim O’Rourke”. I haven’t found where you can correct this, or delete it – goodness only knows how you cope with embarrassing selections made by this guessing algorithm.
• You can’t delete a music MP3 file from the device without using the PC. Not much use when I’m on the bus and want to say “yep, I’ve heard that, now delete it”.

Like I said, those are the first few problems I’ve encountered.

Most of these problems seem to be solved by turning my recorded radio programmes into podcasts. Apparently you do this by moving the MP3 files into the podcast directory prior to syncing, and by changing the ID3 Genre tag to “Podcast”. That’s certainly far better, but there are still more problems I’ve encountered with that:

• Podcasts without an accompanying XML RSS feed don’t sort right. They should sort primarily by the MP3’s ID3 track #, then by date and time, and finally by name. It appears that the Zune is sorting them primarily by date (ignoring the time!) and then by name, and totally ignoring the track number.
• When sorting the tracks in a podcast by name, the sort is alphabetical, with no consideration given to numerical sorting, so my recording of “Journey into Space, World In Peril” plays in the order 1, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 2, 20, 3, 4, 5, 6, 7, 8, 9. And remember, that’s even with the track numbers present and correct (although maybe it is sorting by track number, but doing it alphabetically rather than numerically!)
• I’d rather that podcasts were picked up properly without my having to change the Genre tag – I like my Genre tags to read “Comedy”, or “Drama/SciFi & Fantasy” – and it’d be nice if the podcast tool allowed me to sub-sort the podcasts based on the genre, too!
• You can’t “queue up” the podcasts into a “now playing” list, or any other kind of playlist.
• Podcasts don’t display the Picture stored in the ID3 tag of the MP3 file – not even as “album art”. The only time images are displayed for podcasts is when the image is referenced in an accompanying XML RSS feed.

So, the next solution set would be to publish an RSS feed.

Unfortunately, this leads to the next failure.

• You can’t subscribe to a “file://” based URL – podcast feeds must all start “http://”, which means putting a web server to work even if you’re building a personal podcast feed that exists only between your computer and its associated Zune.

Other problems I’ve experienced are DRM-like, and we all know that I find DRM to be hugely objectionable. Specifically, I can’t transfer any IFC programmes onto my Zune from my Windows Vista Media Center PC, because apparently they’re all tagged as “copyright”. Note that’s my Media Center PC, transferring to my Zune so that I can watch programming recorded from my DirecTV subscription – no theft involved there, I paid for that content, but can not watch it in my chosen locale or medium.

I can only hope that someone at Microsoft reads this post, and reassures me that they’re going to do better with the release of the ZuneHD – and, because I almost certainly can’t afford a ZuneHD (although anyone who knows me will tell you how excited I’ve been about OLEDs for the last year or so), I hope that many of these improvements are back-ported to my lowly Zune 30. I’d be happy to expound on any of these points to get them addressed.

Oh, and if you ask – I would definitely and whole-heartedly recommend getting a Zune. I know that I’m going to be buying one for my wife as soon as I can find it at the right price (I’m hoping for a Woot-off or perhaps a bag of crap containing a Zune]. All the problems I’ve outlined above are really minor and piddly, but it’s these kind of tweaks that turn a merely good product into a great product. I only complain about them because the Zune is so close to perfection for me, it can be fixed with relatively little effort. The Sansa and its software were so far from perfection that it seems likely that the development team totally don’t “get it”. [The Creative Muvo was actually pretty much perfect for what was achievable at the time.]

So, am I missing any obvious tricks for my Zune? Can I get the BBC programmes on it in a better way? [Yes, I know about the BBC podcasts, but there are shows that the BBC just don’t podcast.]

Microsoft TechFest

Last week, I went to Microsoft’s TechFest as part of their “Public Day”. This is the first time MVPs as a group have been invited to this event, and although it’s clear we missed some of the demonstrations that are not public-ready, this is something that I hope can be extended to us in future, even if only to Washington-state MVPs

For general news links on MS TechFest 2009, you can search news.google.com for “TechFest”. Here’s a couple of samples:

http://www.king5.com/video/index.html?nvid=335707 – I didn’t see these guys there.

http://www.guardian.co.uk/technology/blog/2009/feb/25/microsoft-software - I bumped into this guy.

I also saw Chris Pirillo there from LockerGnome and Chris.Pirillo, but he hasn’t written anything yet. I only mention him because it’s about time that I thanked him for being one of the earliest online writers (they were called “e-Zines” back then, apparently) to mention WFTPD in his column. Sadly, I don’t have a copy to remember what it is that he said :(

Apologies to anyone who expected to reach me by email that day – the usual computers spread around the Microsoft Conference Centre for email and web browsing were missing, possibly because the Press were there, and they’ll steal anything that isn’t nailed down, before coming back with crowbars.

So, here’s some description of the things I saw, ranging from the exciting and relevant to the “why is Microsoft spending money on that?” [Note that this is not meant to be disrespectful of ‘pure research’ – often, today’s “useless meanderings” become tomorrows product – WFTPD itself started from a momentary “how hard can it really be?” lapse in my own judgement, followed by a little research and a lot of effort.]

Specification Inference for Security

To improve focus on potential security faults in static analysis tools, this is a toolset whose approach is to divide functions into Sources, Sinks and Sanitizers (although that alliteration is liable to lead to confusion) – Sources generate untrustworthy data from input, Sinks consume data that they trust will fit their expectations, and Sanitizers transform the data along the way, ideally making sure that it goes from untrustworthy to trusted. Thinking in terms of a SQL injection, the Source would be a web server receiving input from a user containing a SQL command, the Sink would be the SQL server, and the Sanitizer would be whatever code packages the input and determines whether to pass it to the SQL server, and what changes to make (such as requiring proper quoting, or using a stored proc or parameterized query). Once these categorizations have been made, the static analysis tool can check that Sanitizers actually do sanitize – rather than having to try and analyse every function for possible sanitization. http://research.microsoft.com/merlin

Concurrency Analysis Platform and Tools

Enhances your test tool set by allowing tests to run with multiple permutations of concurrency. Race conditions are usually caught by users, or in production environments, because the environments cause different threads or processes to run at different speeds – with this toolkit, you get to try out multiple combinations of execution sequence, so that you are more likely to trigger the race condition. Of course, you still have to write tests that consider the prospect of doing more than one thing at a time, and because there are a large number of concurrency permutations, it’s not a turn-key solution, but it does allow you to debug concurrency issues more methodically, and catch those that appear more frequently. http://research.microsoft.com/chess - and this one’s available for download as an add-on to Visual Studio!

Lightweight Software Transactions for Games

Not just for games, the ORCS platform (Object-based Runtime for Concurrent Systems) makes coding multi-threaded applications easier and more problem-free. http://research.microsoft.com/orcs

Closed-Loop Control Systems for the Data Center

Power consumption monitoring and control allows for servers to be brought online or offline as computing demands change, so that as usage ramps up, more servers are turned on, and as usage declines, servers are turned off. I don’t think this is entirely original.

Algorithms and Cryptography

Cryptographic solutions with leakage. Unfortunately, the lady who came up with this wasn’t on hand to discuss her work, and her husband standing in for her didn’t seem to understand much about it either. The poster claimed an algorithm whereby you could leak some of your key to an attacker without reducing the strength of the key. I’m not sure how this works, or where it differs from having redundant information in the keys, or something like M of N crypto, but maybe it’ll be something that will affect our field in the years to come.

Opinion Search

Full of marketing jargon and too dense for me to penetrate, this is something that we could potentially use in the business side of Expedia, making use of customer opinions to allow search results to match the user’s opinion against the opinions of others with whom they have consistently agreed in the past, and can be expected to do so in the future.

Low-Power Processors in the Data Center

Using Netbook processors for data processing in a parallel environment allows for significant power savings.

Audio Spatialisation and AEC for Teleconferencing

Relying on the rise of computer-phone integration, and the fact that most computers have stereo speakers, this is a system for teleconferencing where different parties are given a different spot in the stereo spatialisation. Makes it much easier to tell who’s talking.

SecondLight

Surface computing taken to another level, literally. The surface on which images are projected is usually a light diffuser, so that the image effectively “stays” on the surface. In this implementation, the surface is rapidly switched between diffuse and transparent, so that you can use a secondary diffuser surface on top, which shows a different image. You have to see a demonstration to understand it - mms://wm.microsoft.com/ms/research/projects/secondlight-cambridge/secondlight.wmv - it’s a little flickery, in real-life too, but the team assured me that it can be made less so.

Commute UX – Dialog System for In-Car Infotainment

Will this stop executives requesting shorter passwords for unlocking their phone while driving? Probably not.

Back-of-Device Touch Input

Anyone using an iPhone or similar touch-based device will be familiar with the issue that your fingers are covering the image you’re trying to manipulate. By putting a sensor panel on the back of the device, you can reduce the size of the display without making it impossible to read while you select.

Augmented Reality

Combining GPS location with stock footage of the place you’re in, this is all about placing extra information into a view (such as a cell-phone with a video camera, or maybe eventually a heads-up display in glasses / goggles) of the world around you, by recognising where you are. Can be used for games, directions, advertising, city guides, or post-it notes without the paper.

Recognizing characters written in the Air

Entertaining just to watch people dragging an apple around to make letters on a screen in front of them. Probably more useful in the mode where the lid of an OHP pen is the “bright spot of strong solid colour” being tracked in mid-air.

Colour-structured Image Search

Draw a rough colour picture of the image you want to see, and get a page of search results from around the web. The demonstrations consisted of drawing pictures of flowers, or flags, or a sunset. I foresee widespread abuse once deployed, although it will mean that people who usually draw on bathroom walls will be moving their talents online.

MVP Summit 2009 is here!

I snapped this picture last week at Microsoft' Research’s Tech-Fest event.

Microsoft always makes the visiting MVPs feel welcome at Global Summit time, when all MVP awardees are invited to visit Microsoft’s campus, and engage in face-to-face conversations with various Microsoft Product Groups about the feedback they’re seeing from the users they talk to in their various forums, whether that’s Usenet newsgroups, web forums, user groups, or book and magazine readers.

This year, in large part thanks to the efforts of one of the other Security MVPs, Dana Epps, we have a fantastic schedule of in-depth sessions on identity frameworks, threat modeling, Microsoft’s internal security, and a number of other topics that I should perhaps keep quiet about.

The other benefit to me, as an MVP, from these sessions is that I get to network with other MVPs – all of whom are intelligent, driven individuals with expertise in a wide variety of fields, not just my own area of Enterprise Security.

Already I’ve spoken to a number of people in conversations that I intend to continue long after the Summit is over. I’ve made some new friends, met plenty of old friends, and expanded and strengthened existing social connections.

It’s a little sad that the worsening economic climate has caused a number of MVPs from outside the US to not attend this year’s Summit, and even some from inside the country. But it does appear that the MVP programme is still strong, as around 1500 MVPs from around the world are in attendance.

For those wondering about the swag bag, we got a cloth bag, stickers, a pen, and a water bottle. The shirts will be arriving on Wednesday (thank you, US Customs!). The benefit is more in the programme of technical sessions than the bag, unlike some technical conferences, where your $2500 entrance fee gets you a rather spectacular bag of ‘freebies’ and a number of sessions scheduled such that all the ones you want to see are in the same time slot.

I have to say, I love the stickers. Being a part of the MVP programme is a really nice thing that Microsoft does to say ‘thank you’ to people who are assisting Microsoft’s customers in newsgroups, user groups, etc, and who would continue to do so anyway, even if Microsoft ended the MVP programme. As such, I think it’s an excellent recognition, and I’m proud of the fact that I was awarded – so I like to show it off, mainly by plastering stickers on my various technology items like laptops and PDAs.

If Your GPS Worked Like An Information Security Team

… it would fend off dangerous drivers from hitting you.

… it would give you regular statistics on the number of accidents on your daily route, so you could make decisions to avoid newly bad parts of town.

… it would help you plan your route to avoid the sorts of areas that have bad accidents, so that you would not be a part of one.

… it would give you hints on how to be a better driver, and train you every so often to keep your driving skills sharp.

… it would observe other accidents and gauge trends, to advise you what previously safe driving habits to avoid.

… it would co-operate with you in planning a trip, to help you choose the quickest, safest route to your destination.

… it would teach you how to read maps, so you could make safe routing decisions for yourself.

… it would work with your mechanic, so that every time your car went in for a service, it would come back safer.

… it would work with the police to let them know where the bad parts of town are, so that they could be cleaned up.

… it would let you know any time you were about to run a stop-light or exceed the speed limit, so that you could make an informed decision, rather than accidentally break the law and get pulled over.

Yes, it’s  another argument by analogy, which is something I dislike in general – but I see too many times when the Information Security Team is perceived as a “STOP” sign. The Security Team is employed by the same organisation as you, and therefore has the same business goals – just a different focus. Its focus is to ensure that the company can carry on doing business without interruption by hackers, crackers, viruses, spyware, regulatory and contractual damages, or public relations disasters caused by inappropriate data disclosure.

I think a GPS is a better analogy, then – if you follow the Security Team's advice, or at least listen to it, you’ll be aware of the risks of the different ways to your –our- destination.