Comments

# re: How many kinds of secret are there?

If you ask Enron, there is a third level of secrecy that they were unfortunately not aware of. Documents that are so secret that NOBODY should EVER see them again. Normally we would call these *deleted* documents, but maybe we should be looking for a better name. e.g. "Mon dieu! I just accidentally marked my database as secrecy type three".

Friday, December 16, 2005 7:37 AM by Pat Telford

# FTPS in IIS 7.0 ?

Will FTPS be included in IIS 7.0 ? Well, I hope for yes! and YES, Microsoft did look at the request and...

Monday, December 19, 2005 8:38 AM by Server: Microsoft-IIS/6.0\r\n

# re: How many kinds of secret are there?

You see, that's the trouble with information - once you've let somebody know the information, there is no way to make sure that they un-know it. Once the genie is out of the bottle...

And then, you get into the state of playing Prisoner's Dilemma against the other people that know the secret - if you all stay quiet, no one goes to jail; if one of you pipes up, he stays out of jail, and the rest go in. The only way to guarantee that you're going to stay out of jail is to be the first one who pipes up.

Thursday, December 22, 2005 11:59 PM by Alun Jones

# re: Not quite "SUS on a disk", but...

Subscribe to Technet. You get all updates released -ever- on DVD, sorted by Security bulletin, and they only lag about a month behind. It's money well spent considering the boatload of other technical resources and downloads you get shipped to you monthly.

Wednesday, January 11, 2006 3:22 AM by Brad C.

# re: SSL Tutorial part 0.

Could you suggest some good links about the impacts on performance?

Thanks

Wednesday, January 11, 2006 7:41 AM by Pierre Dufresne

# re: Programmer Hubris Part 1 - He's Just Not That Into You

I just subscribed to your blog the other day and read this and all I can say is hear, hear. Preach brother... I can't stand all the crap that I have down in my systray for items (like the usual offenders that you listed above) that I rarely use. And what is more annoying, apparently Quicktime in particular has bumped it up a notch. While I used SysInternals Autoruns to remove a lot of this crap from my startups, Quicktime (and maybe RealPlayer too) seem to put themselves back in whenever they are run for a legitimate reason. I am so fed up with those two applications in particular that it has to be something really compelling for me to actually watch/listen if it only provides a Quicktime/RealPlayer version...

Charles

Wednesday, January 11, 2006 9:27 AM by Charles Palmer

# re: Not quite "SUS on a disk", but...

While I'm comfortable waiting up to a month - several months, indeed - for unannounced vulnerabilities to wait unpatched, I'm not sure that I'm thrilled about the prospect of waiting a month to ship out patches to announced, patched vulnerabilities.

I don't disagree that TechNet is a valuable resource for most IT professionals, but for patch distribution to low-bandwidth sites, I really need a solution like this.

[Obviously, zero-bandwidth sites are not so much of an issue - but for low-bandwidth sites, it's likely that a hacker will reverse-engineer the patch, make an exploit, and email it to the site before the site can finish downloading the patch.]

Wednesday, January 11, 2006 11:02 AM by Alun Jones

# re: Not quite "SUS on a disk", but...

I've been looking for the same kind of solution. Putting a machine on the network 24/7 is also a threat if the business operation is not an online business.

Wednesday, January 11, 2006 11:13 AM by Adnan Rafik

# re: Programmer Hubris Part 2: I'll get you, and your little dog, too.

The standalone quicktime can be found at: (no iTunes)

http://www.apple.com/quicktime/download/standalone.html

I don't think 7.0.4 has the security fix yet.

Wednesday, January 11, 2006 4:01 PM by Tom

# re: Programmer Hubris Part 2: I'll get you, and your little dog, too.

Not exactly easy to find, though, is it?

Wednesday, January 11, 2006 6:58 PM by Alun Jones

# re: Happy New Year!

Yeah, well without all these leap seconds you'll be really sorry in a hundred thousand years, when your Tivo misses the first 15 minutes of the season premier of 24.

:-)

Monday, January 16, 2006 5:19 PM by EricF

# re: Programmer Hubris Part 2: I'll get you, and your little dog, too.

It's easier to spot when highlighted in yellow..
http://img5.imageshack.us/img5/2027/quicktimestandalone9on.png

(Does this support BBCODE or HTML I wonder?)

Wednesday, January 18, 2006 8:23 AM by Andrew Z Carpenter

# re: Issues with MS06-003 and Outlook 2003 Scripts.

Yes. We are having the EXACT same problem using .NET Microsoft.Office.Interop in C#. We are able to make one call to:

GetDefaultFolder (to get the Drafts folder) and then
CreateItemFromTemplate (to create a MailItem from an MSG file)

This works the first time, but when this is done on a second MSG file message, it fails on the GetDefaultFolder and throws an exception with the message:
The server threw an exception

Friday, January 20, 2006 9:22 PM by Steve D

# re: Issues with MS06-003 and Outlook 2003 Scripts.

Microsoft acknowledges that this is a known issue with the MS06-003 Outlook 2003 security update and CreateItemFromTemplate. They have now released a Hotfix for this issue:

KB913695 Outlook 2003 post-Service Pack 2 hotfix package: January 23, 2006:

913707 Outlook 2003 unexpectedly quits after an item is created by programmatically using the CreateItemFromTemplate method
_____________

Here is the URL to get description of the fix and link to download it.
http://support.microsoft.com/?id=913695

Note this link is a self-extracting .exe that contains two .msp files. The one named OUTLOOKff.msp is easiest for users to use as it doesn't require them to have access to the initial CD or folder.

Engineer also made this comment.
It is my understanding that this will also be pushed out from Microsoft update as a high priority fix but I do not have a date on when that will be pushed out.

Wednesday, January 25, 2006 12:56 PM by Steve D

# re: Statistics and the news.

"A study conducted by U.S. researchers Patrick K. McCluskey and Matthew Kulick found that nearly 90 percent of the citizens participating in their study were willing to sign a petition to support an outright ban on the use of Dihydrogen Monoxide in the United States."

http://www.dhmo.org/

8-)

Thursday, January 26, 2006 5:07 PM by petal

# re: Issues with MS06-003 and Outlook 2003 Scripts.

Alan, I think you can also avoid it by omitting the second parameter from CreateItemFromTemplate. Since a message is always created with Drafts as the destination folder, you don't need it in your scenario.

Thursday, February 02, 2006 1:05 PM by Sue Mosher

# re: Issues with MS06-003 and Outlook 2003 Scripts.

That's right, Sue - that's the workaround that we figured out fairly quickly. I did wonder briefly if there might be a problem with other folders as the second parameter, but I couldn't make it crash with a simple test or two.

Thursday, February 02, 2006 4:40 PM by Alun Jones

# re: Statistics and the news.

Not quite what I was looking for - that's a valid statistical datum that suggests most people can be easily spun.

But today's news popped up an interesting link:

http://news.bbc.co.uk/2/hi/health/4688618.stm "Premature babies can 'defy odds'".

"The study found no significant differences in educational achievement."

Uh... okay, so then there's no odds for them to defy, are there? Maybe they are defying expectations, but that's not the same thing. The odds indicate that there will be more disabilities in the group of premature children, but that this will have only limited effects on their prospects for later life.

<soapbox>Having met more than a few disabled kids in my time, I'd say that we ought to be looking at why we shuffle people with disabilities into the back room of society, rather than treating them as valued members. It takes a little more effort to find appropriate work and social outlets, but it's appalling to see how many people are consigned to a life of institutional boredom unrelated to their level of ability.</soapbox>

Wednesday, February 08, 2006 11:00 AM by Alun Jones

# re: Some guidelines about fax.

Back in 1988 or so, Mantis tried to get lawyers and accountants interested in secure e-mail, because of the incredible insecurity of fax. It was pretty much an impossible battle.

Then we had the stupid Electronic Signatures Act (S.761), the basic reasoning behind which seemed to be "It's too much effort to require people to make electronic signature systems secure, so we'll just pass a law saying that everyone should pretend the insecure systems are secure."

Wednesday, February 15, 2006 3:49 PM by mathew

# re: Happy New Year!

Leap seconds are extremely inconvenient to people stupid enough to store time and date information as an offset from an epoch moment. Which is, of course, lots of people who write software.

Wednesday, February 15, 2006 3:59 PM by mathew

# re: Sometimes it's good to be a foreigner

Agreed re foreign sites. I monitor the Swiss Security Blog... they seem to have more freedom to speak than their US equivalent :o)

Saturday, February 18, 2006 5:50 AM by sandi

# re: Sometimes it's good to be a foreigner

I have to ask - what's the URL?

Tuesday, February 21, 2006 4:32 PM by Alun Jones

# Making more sense of service SDDL

Thanks to Dana Epp's blog for drawing my attention to Microsoft's rather easier-to-read explanation of...

Wednesday, February 22, 2006 10:09 AM by Tales from the Crypto

# Microsoft releases DACL guidance for developers of Window services

Microsoft has recently released a KB article on Best practices and guidance for writers of service discretionary access control lists that I think developers of services on Windows should really read. In the article Microsoft shows how to successfully apply DACLs to make services more secure for our workstations and servers, and offers guidance on how to assess the security of your application. A majority of the information surrounds around understanding and interpreting SDDL (Security Descriptor Definition Language), something I fear too many developers don't properly understand. I would also recommend that you check out the MSDN hub on Service Security and Access Rights. There you can get a better feeling for how the Windows security model enables controlled access to service objects and the service control manager (SCM). Happy reading! UPDATE: Alun reminded me in the comments that he wrote a pretty good post on how to read SDDL a few weeks back. You can check it out here....

Wednesday, February 22, 2006 10:33 AM by Dana Epp's ramblings at the Sanctuary
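As an added example of actually reading the SDDL that both posts above are about (this is not code from the KB article, from Dana's post or from Alun's), here is a small Python decoder for the service-DACL subset of SDDL, with a first-pass check that flags rights a service author should not hand to ordinary users. It is pure Python and never touches the Windows API. The two descriptors at the bottom are constructed for the example: the first is modelled on the DACL a Windows service gets by default, the second deliberately grants Authenticated Users change-config and WRITE_DAC. The abbreviation tables cover only the rights and well-known SIDs a service DACL normally contains.

```python
"""Decode the DACL of a Windows service security descriptor written in SDDL.

Added example for this page (not the KB article's or the blog's code); it is
pure Python and does not touch the Windows API. It handles the subset of SDDL
that service DACLs use: a D: section of ACEs of the form
(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid).
"""
import re

# Service-specific access rights (winsvc.h) plus the standard and generic
# rights that show up in service DACLs: abbreviation -> (name, bit mask).
RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GX": ("GENERIC_EXECUTE", 0x20000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GR": ("GENERIC_READ", 0x80000000),
    "GA": ("GENERIC_ALL", 0x10000000),
}

# Well-known SID abbreviations commonly seen in service DACLs.
SIDS = {
    "SY": "Local System", "BA": "Builtin Administrators",
    "IU": "Interactive Users", "SU": "Service logon", "AU": "Authenticated Users",
    "WD": "Everyone", "BU": "Builtin Users", "LS": "Local Service",
    "NS": "Network Service",
}
ACE_TYPES = {"A": "Allow", "D": "Deny"}

# Rights that let the holder alter the service (its binary path, account or
# ACL) rather than merely start, stop or query it. Granted to the wrong
# principal they amount to a local privilege escalation.
DANGEROUS = {"DC", "SD", "WD", "WO", "GA", "GW"}


def decode_rights(rights):
    """Return the two-letter right abbreviations in an ACE's rights field,
    which is either a run of abbreviations or a hex access mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [abbr for abbr, (_, bit) in RIGHTS.items() if mask & bit]
    if len(rights) % 2:
        raise ValueError(f"odd-length rights field: {rights!r}")
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_ace(ace):
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: {ace!r}")
    ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
    abbrs = decode_rights(rights)
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": flags,
        "abbrs": abbrs,
        "rights": [RIGHTS[a][0] if a in RIGHTS else a for a in abbrs],
        "sid": sid,
        "principal": SIDS.get(sid, sid),
    }


def parse_dacl(sddl):
    """Return the ACEs of the D: section in order; raise if there is none."""
    m = re.search(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)", sddl)
    if not m or not m.group("aces"):
        raise ValueError("no DACL (D:) section with ACEs found")
    return [parse_ace(a) for a in re.findall(r"\(([^()]*)\)", m.group("aces"))]


def review(sddl, trusted=("SY", "BA")):
    """List (principal, [dangerous rights]) for each Allow ACE that gives a
    principal outside `trusted` a right from DANGEROUS. Deny ACEs are not
    evaluated: this is a first-pass audit, not a full access check."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "Allow" or ace["sid"] in trusted:
            continue
        bad = [a for a in ace["abbrs"] if a in DANGEROUS]
        if bad:
            findings.append((ace["principal"], bad))
    return findings


# Constructed samples: DEFAULT_SDDL is modelled on the DACL a service gets by
# default; WEAK_SDDL is what a careless installer might write.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;GA;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)")

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL)):
        print(f"--- {label}")
        for ace in parse_dacl(sddl):
            print(f"{ace['type']:5} {ace['principal']:24} {' '.join(ace['rights'])}")
        print("findings:", review(sddl))
```

Run against the output of `sc sdshow <service>` and the weak descriptor reports Authenticated Users holding DC, SD, WD and WO: anyone who can log on can repoint the service binary, delete the service, or rewrite its ACL.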

# re: Issues with MS06-003 and Outlook 2003 Scripts.

That's great that there is a fix. However, the self extractor wants you to choose a folder to extract the files to. I just had this error happen so I have not had an opportunity to look into it. But, I have not been able to easily find the information on where to extract the files to. This seems to be a fairly obvious piece of information needed for most people who experience this problem.

Thursday, February 23, 2006 1:53 PM by James Anderson

# Ok, so I'm a little behind on my blog reading..

This article caught my eye a short while ago; Alun is a regular commentator in my blogs, and invariably...

Monday, February 27, 2006 6:29 PM by Spyware Sucks

# re: Think of it as the "janitor" account.

Hi,

I was smiling when I read your post since for the last 7 years I have been saying that we (IT personnel) are becoming the plumbers of the future... And to be honest I am somewhat unhappy with that (not that I have something against plumbers).

I do agree with everything you are saying here technically, yet I have a problem with the concept of degrading system administrators even more. I mean 7 years ago this was a very respected profession; currently (since we are viewed as somewhat high-tech janitors) the profession seems to have lost most of its respect. Saying that we are janitors just gives us an additional kick in the face.

Bye...

Tuesday, February 28, 2006 12:35 PM by Erik Rozman

# re: Think of it as the "janitor" account.

It's not about degrading anyone - I was even careful in how I refer to janitors because, quite frankly, the janitor at our kid's school seems to be one of the best people I've ever met.

It's about removing the aura of power and appeal associated with the highest privilege levels on the system. You can call yourself an administrator if you like, but don't run with elevated privileges.

In UAC in Vista, even the administrators aren't administrators all the time. Just when they need to be. I think that even if your job title is to be a system administrator, you should only have those rights and privileges while you're changing user and machine settings. Not while you're reading your email, or scheduling meetings in your calendar, or drafting a document that describes how an administrative process should proceed.

There's no shame in being a plumber, either.

Tuesday, February 28, 2006 3:41 PM by Alun Jones

# re: Wireless PC Lock - nice device, crummy software.

Did you ever manage to come up with some replacement software? I just bought one of these devices and found the software to be severely lacking.

Wednesday, March 01, 2006 5:40 AM by Rocky

# re: Think of it as the "janitor" account.

Agreed. No problem with being a plumber - I just don't like seeing this profession's respectability degrade even more...

Wednesday, March 01, 2006 9:13 AM by Erik Rozman

# re: Wireless PC Lock - nice device, crummy software.

Yes, I did - I'm just running it through a bit of last-minute tuning. Drop me an email if you want to test it out in advance.

Wednesday, March 01, 2006 1:13 PM by Alun Jones

# re: Wireless PC Lock - nice device, crummy software.

I bought this gadget from ThinkGeek.com with the anticipation that it would have poorly designed software and I was right.

I managed to break the software in a matter of minutes.

I did this by moving the transmitter away from the receiver and waited for the screen to "lock". I then held down CTRL+ESC to bring up the Start Menu, and then right-clicked on the Task Bar with the intention of running Task Manager to kill the process which displays the pretty dolphin picture, but I found that by right-clicking on the task bar a couple of times the program displaying the dolphin picture just died... vanished... and I was back at the desktop.

Amazing.

I'm actually looking for replacement software which will use Windows' inbuilt console locking mechanisms, like the one which locks the console when you hit CTRL+ALT+DEL and press K.

And I'd like something which is actually configurable, so I can set whether I would like the workstation unlocked for me on my return or not. Of course this may mean that your logon and password would need to be stored on disk, which isn't really a good idea.

Anyway, best of luck with your program. I think anything would be better than the current software it ships with.

Wednesday, March 01, 2006 10:03 PM by Chris

# Who's stealing from who?

This is one of those strange blog topics - can't be written about while I'm experiencing it, but...

Monday, March 06, 2006 11:06 AM by Tales from the Crypto

# re: Vista Bitlocker


Asta la Vista

Monday, March 13, 2006 4:35 AM by Christian

# re: Why is PKI so hard?

I just wanted to say thank you for saving me hours and hours of grief. I've just been trying to do exactly what you have described and was going through exactly the same research steps as you had.

Monday, March 13, 2006 5:49 AM by Philip Colmer

# re: Programmer Hubris - I don't run your software all the time.

Google for RealAlternative (and its sibling QTAlternative). They're codecs that just play RealMedia and QuickTime files without installing separate players. Both play nicely with WMP and Media Player Classic.

Monday, March 13, 2006 8:51 PM by Brad C.

# re: Return Quickbooks for Refund

Ah, but we will continue to say exactly this. If program X performs no admin function but requires admin rights, then it is broken and should be returned. This is true for all values of X.

It's up to you, the people who *purchase* X, to vote with your money and buy from vendors who care about your security. We don't buy their stuff, so we have very little influence. But you do, and your influence is far greater.

Tuesday, March 14, 2006 3:07 AM by Steve Riley

# re: Return Quickbooks for Refund

Perhaps, too, I should have pointed out that Microsoft have been saying this ("don't make your non-admin program require running as admin") for over a decade.

As a programmer, I read it a long time ago in http://www.microsoft.com/technet/archive/ntwrkstn/support/trblshoot/apint95.mspx - and that appeared around the release of Windows 95.

So, yes, if you find a program that does no computer administration function, and yet requires administrator privileges (or has substantial non-administrator function, and still requires administrator privileges all the time), think to yourself "this program's assumptions were outdated over a decade ago".

Quickbooks 2006, then, by requiring 1994 technology assumptions, could more accurately be described as "Quickbooks 1994 with added chrome".

Return it to the store as old merchandise.

Tuesday, March 14, 2006 10:03 AM by Alun Jones

# re: What mind-set does security require?

I am one of the former "military mindsets" that Alun refers to, namely the "boss".
Alun has it right on the mark with his concept of business being the trustee of the information. The owner is still the individual that we represent. They have merely trusted us to hold their information for the purpose of doing business for them.
As far as the military mindset and the business mindset in security, I think there has to be both. The author of the article has a great concept about the business mindset in ensuring the transaction is genuine, but then doesn't that make the data we hold more valuable to the thief? So we still have to protect the data (the military mindset). Contrary to the author's statement, they are not opposite priorities, but rather complementary and both essential to providing security throughout the transaction (user to vendor to bank).
One of the important principles that security personnel sometimes forget is that we need the system to be usable, yet secure. The balance is essential to providing proper security. If a system is too secure and limits usability, it stops the user from being able to perform the functions they want to perform and they will circumvent the security thereby rendering the system insecure.
The secret of life (and security) is to maintain balance and look at an issue from as many angles as possible.

Wednesday, March 15, 2006 5:40 PM by Paul

# re: What mind-set does security require?

Definitely - security is always a balance, a risk management exercise, a compromise between usability and prevention.

Occasionally, the two sides come together, for instance when you can make an interface more secure by reducing its complexity, and simultaneously increasing its usability.

More often, you have to make a decision as to where on the sliding line you're going to mark your position - defensible, but usable; private but audited. This is why appropriate security depends on where you sit.

If you turn security into a black/white question of "is this secure?", the answer is always going to be "no" - you can always find a way to subvert the system.

The question always has to be "is this secure enough for my purposes?".

Wednesday, March 15, 2006 7:19 PM by Alun Jones

# re: Who's stealing from who?

People who use torpid business-speak tripe like "let's focus on the low-hanging fruit" have obviously never owned fruit trees.

If you pick all the low-hanging fruit first, you unweight the branches and can no longer easily reach the higher fruit, making it far more dangerous to pick the rest of the fruit.

It's time to think of better analogies :)

Friday, March 17, 2006 7:35 PM by Steve Riley

# re: Who's stealing from who?

Analogies are as useful as a chocolate teapot.
Thank you for the gardening hint - I will bear that in mind when the annual contest of man against bird and squirrel comes around again.
Maybe I should avoid the analogy altogether, and say that "we should concentrate on those things that are easy to do and provide a high return", reserving the hardest things, and/or those that provide little benefit, for the times when they are finally the easiest remaining and most beneficial.
Obviously, there comes a point where you have to pro-rate things, so that a difficult task that provides significant benefit is worth doing before an easy task that provides little benefit. [Or in security, doing something that might be difficult for you, but prevents an easy, likely-to-occur risk. There has to be a reason why we're paid the big bucks.]
I'm simply fed up with people spending time and effort to do something that prevents a risk that is unlikely and difficult to achieve.
It's almost as if we need a weighting system that allows us to compare how hard a security task is against the benefit it provides to the organisation being secured. How's that coming along?

Saturday, March 18, 2006 12:15 PM by Alun Jones

# re: Microsoft's new password collector.

But, isn't "This is my password." a much better password to remember and harder to crack with automated tools than Czlr4Tz? All my passwords are pass-phrases and they make it easy to remember and based on this http://blogs.technet.com/robert_hensing/archive/2004/07/28/199610.aspx a better password in many ways.
Girish

Wednesday, March 29, 2006 1:04 PM by girishb

# re: Microsoft's new password collector.

It's certainly a lot easier to remember, and the last time I researched password cracking tools, none of them took the time to try "<word> <word> <word> <word>."
But that's relying on the cracking tools remaining in that state.
Your pass-phrases should continue to add complexity and entropy that are not related to a reliance on the cracking tools simply not catching up to the world of pass-phrases.

Wednesday, March 29, 2006 2:25 PM by Alun Jones
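To put numbers on the exchange above, here is an added Python comparison (not code from the blog or from the linked Hensing post) of a random 7-character password against a four-word passphrase under two attacker models: a brute force over the character classes in use, and a structured attack where the cracker has "caught up" and guesses dictionary words in sequence. The cracker picks the cheaper model, so a secret is only as strong as the weaker number. The word set and the assumed dictionary size are constructed for the example; any real word missing from the tiny set is charged as if it were random letters, so the structured figure is only meaningful for secrets built from the words listed.

```python
"""Strength of a password versus a passphrase under two attacker models.

Added example, not from the blog. COMMON_WORDS is a constructed stand-in for
the attacker's wordlist (membership is checked against it); DICTIONARY_SIZE
is the assumed size of the real list the attacker would use.
"""
import math
import re
import string

COMMON_WORDS = {"this", "is", "my", "password", "correct", "horse", "battery",
                "staple", "the", "and", "secret", "login"}
DICTIONARY_SIZE = 2000          # assumption: "common English words"

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " ")


def charset_bits(s):
    """Brute-force model: the attacker knows only which character classes
    appear and enumerates every string of this length over their union."""
    if not s:
        return 0.0
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in s))
    return len(s) * math.log2(size)


def structured_bits(secret, words=COMMON_WORDS, dictionary_size=DICTIONARY_SIZE):
    """Dictionary/mask model: the attacker has guessed the token structure.
    A letter run that is a dictionary word costs log2(dictionary_size); any
    other letter or digit run is brute-forced over its own character class;
    the spaces and punctuation between tokens are treated as free, since a
    cracker tries the handful of usual separators anyway."""
    bits = 0.0
    for token in re.findall(r"[A-Za-z]+|[0-9]+", secret):
        bits += math.log2(dictionary_size) if token.lower() in words else charset_bits(token)
    return bits


def effective_bits(secret, **kw):
    """What the secret is worth against a cracker who uses the cheaper model."""
    return min(charset_bits(secret), structured_bits(secret, **kw))


def compare(*secrets, **kw):
    return {s: round(effective_bits(s, **kw), 1) for s in secrets}


if __name__ == "__main__":
    for secret, bits in compare("Czlr4Tz", "This is my password.",
                                "This is my zorbulax.").items():
        print(f"{bits:6.1f} bits  {secret!r}")
```

With a 2000-word list the passphrase comes out around 44 bits, only a little ahead of the random 7-character password's 37 or so, and the gap depends entirely on how big the cracker's wordlist is assumed to be. Replacing one common word with a made-up one lifts the structured figure above 70 bits, which is the kind of entropy that does not rely on the tools staying ignorant of passphrases.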

# re: Why is PKI so hard?

I more or less stumbled into this subject because we needed to distribute a set of certificates in our AD.

I got it working too for our internal root CA and a SAP AG certificate for Excel macros.
Unfortunately, it does not work in our W2K Professional Workstations.

I can see the certificate blobs coming into the policy registry tree, but W2K does not have a 'Trusted Publishers' tab.
We run IE6SP1 on our w2k boxes.

So I guess this stuff only works on XP(SP2) and W2K3 boxes.

Friday, March 31, 2006 2:08 AM by Marcel A. Bernards

# re: Why is PKI so hard?

Certainly, SRP only came with XP, and I've been unable to find any reliable documentation on Trusted Publishers for Windows 2000. There is a suggestion that a Trusted Publishers cert store in the Windows 2000 registry can exist in the HKCU and HKLM trees, but I didn't find much on that, and I don't currently have a Windows 2000 system to test against.

Friday, March 31, 2006 11:49 AM by Alun Jones

# Septoplasty update

In my post "Scott Adams is a whiner", I mentioned that my septoplasty wasn't so bad - I spent a couple...

Sunday, April 02, 2006 11:16 PM by Tales from the Crypto

# re: Why is PKI so hard?

WOW !!! What a big help !!!!!! Appreciate your time and effort on this one bigtime. I was in the dark until I saw this article. Great Post !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Monday, April 03, 2006 9:39 PM by Annon

# re: Immigration idiocy

Just for an FYI - you don't necessarily need a SSN to pay taxes.

Go buy a pack of cigarettes. Included are all the Federal, State and local taxes you could want.

Chris

Monday, April 10, 2006 11:38 AM by Christopher G. Lewis

# re: Immigration idiocy

Oh, so you mean (don't you hate when people do that - it means they're going to totally screw with the point of what you were saying) that when I hear "law-abiding tax-paying", I should be thinking "abiding with some laws, and paying some taxes"?

How does income tax figure into this?

Monday, April 10, 2006 2:51 PM by Alun Jones

# re: Immigration idiocy

Actually, nonresidents living in the US can get what's called an ITIN (see <http://www.irs.gov/individuals/article/0,,id=96287,00.html>). It's the equivalent of an SSN in that you can use it to report and pay federal income tax, which is precisely what some illegals are doing. The IRS reported that about 1.4 million people filed 1040s last year using ITINs, though of course we have no idea how many of them were illegally here.

Wednesday, April 12, 2006 2:05 PM by Paul Robichaux

# re: Immigration idiocy

Most of those ITINs _should_ be for non-resident aliens who earn money or own property / stocks / etc within the US and need to report earnings.
That's just in case someone is concerned about 1.4 million being a huge number.
I'm more noticing that it's a surprisingly small number. How does that number compare to the estimated number of illegal aliens earning money in this country?
My personal take is that we ought to give citizenship to any illegal alien that provides sufficient evidence to prosecute an employer that knowingly employs illegal aliens. I like self-strengthening feedback loops like that :-)

Thursday, April 13, 2006 1:58 AM by Alun Jones

# re: I'll take three... no, make that forty...

I have a better idea.. download VMware Server.. now also free, more robust, better performing, better support for Linux, remote console support with Kerberos/AD integration, ability to build snapshots of system state.. and more.

Microsoft is a bit late.. but at least they have arrived.

Problem is.. both of these virtualization strategies SUCK! They are clunky and heavyweight because they have to emulate an entire machine.

More interesting is Xen with hardware-enabled virtualization. Intel has enabled processor virtualization with their Core chips and has published a scheme for I/O virtualization for them, although implementation is a bit farther off... AMD's next chips will ALL support their Pacifica virtualization, which from day 1 will have processor and I/O virtualization support. Couple this with their HyperTransport mesh connections and you have something akin to mainframe-level virtualization across multiple physical system nodes.. really a quasi-x64 mainframe. Both Intel and AMD virtualization will allow Xen to offer much lighter-weight virtualization with less than half the overhead of VMware and Virtual Server today.

Potentially as interesting is the concept of containers à la Solaris 10. This lightweight virtualization could become a de jure way to build very secure application partitions within servers that are VERY tightly controlled, and provide almost all the benefits of virtualization without the headache of managing virtualized hardware instances.

All in all.. this is smacking of back to the future... very sophisticated x86/64 meshed systems lashed together with super high-speed interconnects, virtualized system images at the core that can scale to a massive number of processors and nodes... hmmm.. sounds a lot like the recipe for an open-ended mainframe architecture. AMD is leading the charge here with Intel playing catch-up. Things are certainly getting interesting again in the hardware realm!

Thursday, April 13, 2006 9:02 PM by Bellesarius

# More security for web forms

There are several banks that use non-SSL login pages. This does not mean they are sending your credentials in the clear, but the user has no way to tell if the login form is legit or spoofed.

Alun Jones moves from the findings of Johannes Ullrich, chief

Sunday, April 30, 2006 11:09 AM by ClipperZ

# re: On Riley On Spaf.

I don't want to have to remember any passwords. OK, I'll try and remember one. But don't make me change it. Well, OK, change it occasionally and make me practice it and have an easy retrieval route. Sigh. And let me use the same password everywhere... ...and you probably know all this...

Friday, May 05, 2006 12:38 AM by ::wendy::

# re: Banks and SSL forms

There is a solution which works for me most of the time. Always fill in your password incorrectly the first time (blank is normally fine, but sometimes javascript forces you to put something). Afterwards, the failed login / try again page is normally secure.

Sunday, May 07, 2006 1:40 PM by Jason
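The problem the trackback describes, a login form a user cannot verify because the page carrying it arrived over plain http, is easy to check for mechanically from the site owner's or an auditor's side. Here is an added Python checker (not code from ClipperZ, from the SANS finding it cites, or from this blog): it finds every form containing a password field, resolves where the form submits, and reports both the "form delivered over http" case and the worse "credentials posted over http" case. The sample pages and the example-bank.test host names are constructed for the example.

```python
"""Flag login forms a user has no way to verify: delivered over plain http,
or posting credentials over plain http.

Added example for this page; not code from ClipperZ, SANS or the blog. The
HTML below and the example-bank.test host names are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect the absolute submit URL of every <form> holding a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "password": False}
        elif (tag == "input" and self._form is not None
              and a.get("type", "").lower() == "password"):
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                self.actions.append(self._form["action"])
            self._form = None


def audit_login_page(page_url, html):
    """Return [(form_action, [problems])] for each login form on the page."""
    finder = LoginFormFinder(page_url)
    finder.feed(html)
    finder.close()
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action in finder.actions:
        problems = []
        if not page_https:
            problems.append("login form delivered over http: the user cannot tell "
                            "whether the form and its action are the bank's or a spoof")
        if urlsplit(action).scheme != "https":
            problems.append("credentials would be posted over http")
        findings.append((action, problems))
    return findings


# Constructed sample pages.
LOGIN_WITH_HTTPS_ACTION = """<html><body>
<form action="https://secure.example-bank.test/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

LOGIN_WITH_RELATIVE_ACTION = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass"/>
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    cases = (("http://www.example-bank.test/", LOGIN_WITH_HTTPS_ACTION),
             ("https://www.example-bank.test/", LOGIN_WITH_HTTPS_ACTION),
             ("http://www.example-bank.test/", LOGIN_WITH_RELATIVE_ACTION))
    for url, html in cases:
        for action, problems in audit_login_page(url, html):
            print(url, "->", action, problems or "ok")
```

The first case is the pattern the trackback complains about: the credentials do travel over SSL, yet the form that decides where they go was fetched in the clear, so a man in the middle can rewrite the action and nothing in the browser tells the user. Jason's "fail once, then log in on the error page" trick works precisely because the error page is the one fetched over https.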

# re: DELAY or NODELAY - Riffing on Larry, who's riffing on Raymond...

Finally. This makes a lot of sense. Your description of what happens really clears things up. And with this new understanding of what Nagle does (and why it should not be disabled), I will now be able to fix my damn program.

Tuesday, May 09, 2006 1:05 AM by Steven Don

# re: DELAY or NODELAY - Riffing on Larry, who's riffing on Raymond...

Every so often, I'll explain the Nagle algorithm, and someone will post back and say "that doesn't explain this or that behaviour". Almost always, I'll simply post back a demonstration of how their behaviour arises immediately out of Nagle and the delayed Ack algorithm. Most people think that Nagle's algorithm "must" be more complicated than that.
I think I may even have made it more complicated than it needs to be, and will revisit it later.

Tuesday, May 09, 2006 1:48 PM by Alun Jones
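To show how the "mysterious" behaviour people report falls straight out of the two rules, here is an added Python model of Nagle's algorithm meeting the delayed-ACK algorithm (it is not code from this post, nor from the Larry or Raymond posts it riffs on). The numbers are assumptions: 5 ms one-way latency, a 200 ms delayed-ACK timer (the classic value), a 1460-byte MSS and no loss. The client issues its writes back to back; the server replies, and thereby ACKs, as soon as the whole request is in.

```python
"""Model of Nagle's algorithm meeting the delayed-ACK algorithm.

Added example; not the post's code. Parameters are assumptions: 5 ms one-way
latency, 200 ms delayed-ACK timer, 1460-byte MSS, no loss. The client issues
its writes back to back; the server answers (and ACKs) as soon as the whole
request is in.
"""
import heapq


def simulate(writes, *, mss=1460, one_way=5.0, delack=200.0, nodelay=False):
    """Return the time in ms at which the client receives the server's reply.

    writes: byte counts of the client's successive send() calls that make up
    one request. Nagle rule: a segment shorter than MSS goes out at once only
    when no data is unacknowledged; otherwise it waits for an ACK (or for the
    held data to reach an MSS). Delayed-ACK rule: the receiver ACKs at once on
    every second segment, else when its timer fires; a reply carries the ACK.
    TCP_NODELAY switches the Nagle rule off.
    """
    total = sum(writes)
    events = []                   # heap of (time, order, kind, payload)
    order = 0

    def schedule(t, kind, payload=0):
        nonlocal order
        heapq.heappush(events, (t, order, kind, payload))
        order += 1

    sent = acked = 0              # client byte counters
    held = 0                      # bytes Nagle is holding back
    received = 0                  # server byte counter
    segs_unacked = 0              # segments the server has not yet ACKed
    delack_at = None              # when the delayed-ACK timer fires

    def flush(t):
        nonlocal sent, held
        while held and (nodelay or sent == acked or held >= mss):
            n = min(held, mss)
            held -= n
            sent += n
            schedule(t + one_way, "data", n)

    t = 0.0
    for n in writes:              # the application writes everything at t = 0
        held += n
        flush(t)

    while events:
        t, _, kind, payload = heapq.heappop(events)
        if kind == "data":
            received += payload
            segs_unacked += 1
            if received >= total:               # whole request in: reply now
                segs_unacked, delack_at = 0, None
                schedule(t + one_way, "reply", received)
            elif segs_unacked >= 2:             # ACK every other segment at once
                segs_unacked, delack_at = 0, None
                schedule(t + one_way, "ack", received)
            elif delack_at is None:             # first unACKed segment: start timer
                delack_at = t + delack
                schedule(delack_at, "timer")
        elif kind == "timer":
            if delack_at == t:                   # timer still live (not cancelled)
                segs_unacked, delack_at = 0, None
                schedule(t + one_way, "ack", received)
        else:                                    # "ack" or "reply" reaches the client
            acked = payload
            if kind == "reply":
                return t
            flush(t)                             # an ACK releases Nagle-held data
    raise RuntimeError("request never completed")


if __name__ == "__main__":
    print(f"single 200-byte write, Nagle on:      {simulate([200]):6.1f} ms")
    print(f"write 100, write 100, read, Nagle on: {simulate([100, 100]):6.1f} ms")
    print(f"same with TCP_NODELAY:                {simulate([100, 100], nodelay=True):6.1f} ms")
    print(f"1460, 1460, 100 then read, Nagle on:  {simulate([1460, 1460, 100]):6.1f} ms")
```

The write-write-read pattern costs four one-way trips plus the whole delayed-ACK timer: the second small write sits behind the first, the server will not ACK a lone segment until its timer fires, and only then does the rest of the request go out. A single write (or a full-size pair, which triggers the every-other-segment ACK) completes in one round trip. That is the mechanism, and the fix is to coalesce the writes, not to reach for TCP_NODELAY.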

# re: DELAY or NODELAY - Riffing on Larry, who's riffing on Raymond...

Alun,

"In most environments, this is still good, because most protocols are "client sends command, server sends response" over and over again, so each side is doing one send, then one recv."

Consider a situation in which you have an app that requires very low response time (very low latency of response). For instance a multiplayer game over TCP (quite a few out there that don't use UDP, due to various constraints).

Such a game might well want to go Send-Send-Send-Receive.

So wouldn't you say there *are* exceptions to be made here? I do believe your argument makes sense in the main, but

"There's too much crappy networking software out there already, and you don't want to add to it."

sounds a little bit harsh in the rare case mentioned above :)

If you see things differently please enlighten me :)

Tuesday, May 09, 2006 5:13 PM by nick

# re: DELAY or NODELAY - Riffing on Larry, who's riffing on Raymond...

The simple response: TCP is _not_ low latency.
Consider this - what happens if you hit an outage? TCP will keep trying and keep trying and keep trying. That's not going to fit with your low latency requirement.
An app that needs low latency needs to not be using TCP, and needs to be designed around the idea that occasionally the network will not be available for seconds at a time. TCP's behaviour, of trying until the acknowledgements come back, is not appropriate to such an app.
The answer is not to take TCP and subtract the inconvenient stuff, it is to take UDP and add a very limited reliability layer, that can appropriately account for the low latency requirement.
And you really need a good network protocol design for such a system - there are other issues you'll run into with TCP (my favourite - if packet 1 is unreceived, and packet 2 is queued, you will often hit a requirement to send a packet 3 with contrary information to packets 1 and/or 2 - TCP doesn't allow you to "unsend" these packets, so your protocol design based on UDP should allow you to remove queued packets that have not been sent or acknowledged).
TCP satisfies a very strict set of requirements - a stream where every byte from start to finish _must_ get through, or the stream is unfinished, for instance. If you're outside of that set of requirements, for instance, if you might want to remove unsent-but-queued data, TCP is not right for you.
You can add to IP, you can add to UDP, you can add to TCP. You should not design around subtracting from TCP.

Tuesday, May 09, 2006 5:35 PM by Alun Jones
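The "take UDP and add a very limited reliability layer" design in the reply above, as an added example that is not code from this post or from any game protocol. It is a Python sketch of the one property Alun singles out: a newer message for the same key supersedes an older one that is still queued or unacknowledged, something a TCP stream cannot do because bytes already handed to the kernel cannot be withdrawn. The wire header, the retransmit timeout, the retry cap and the injected datagram sink are assumptions made so the code runs without a network.

```python
"""Sketch of "take UDP and add a very limited reliability layer".

Added example, not code from the post or from any game protocol. It models
the one property the reply asks for: a newer message for the same key (say,
the player's position) replaces an older one that is still queued or
unacknowledged, which a TCP stream cannot do. The wire header, the retransmit
timeout and the retry cap are assumptions chosen for illustration; the
datagram sink is injected so the example runs without a network.
"""
import struct
import time

HEADER = struct.Struct("!IB")   # assumed header: seq (uint32), key length (uint8)
RETRANSMIT_AFTER = 0.2          # seconds before an unacked packet is resent (assumption)
MAX_RETRIES = 5                 # after this many resends, report the link as down


def encode(seq, key, payload):
    kb = key.encode("ascii")
    return HEADER.pack(seq, len(kb)) + kb + payload


def decode(datagram):
    seq, klen = HEADER.unpack_from(datagram)
    body = datagram[HEADER.size:]
    return seq, body[:klen].decode("ascii"), body[klen:]


class _Outgoing:
    __slots__ = ("seq", "key", "payload", "sent_at", "retries")

    def __init__(self, seq, key, payload):
        self.seq, self.key, self.payload = seq, key, payload
        self.sent_at, self.retries = None, 0     # sent_at stays None until first send


class ReliableSender:
    """Keyed send queue over an unreliable datagram sink (send_datagram(bytes))."""
    def __init__(self, send_datagram, clock=time.monotonic):
        self._send, self._clock = send_datagram, clock
        self._next_seq = 1
        self._by_key = {}       # key -> newest _Outgoing for that key

    def enqueue(self, key, payload):
        """Queue payload under key; any older unacked message for key is dropped."""
        seq, self._next_seq = self._next_seq, self._next_seq + 1
        self._by_key[key] = _Outgoing(seq, key, payload)
        return seq

    def pending(self):
        return sorted(o.seq for o in self._by_key.values())

    def pump(self):
        """Send new messages, resend stale ones; returns the seqs put on the wire."""
        now, sent = self._clock(), []
        for o in sorted(self._by_key.values(), key=lambda m: m.seq):
            if o.sent_at is not None:
                if now - o.sent_at < RETRANSMIT_AFTER:
                    continue
                o.retries += 1
                if o.retries > MAX_RETRIES:
                    raise ConnectionError("seq %d unacked after %d resends" % (o.seq, MAX_RETRIES))
            self._send(encode(o.seq, o.key, o.payload))
            o.sent_at = now
            sent.append(o.seq)
        return sent

    def ack(self, seq):
        """Retire the message with this seq; acks for superseded seqs are ignored."""
        for key, o in list(self._by_key.items()):
            if o.seq == seq:
                del self._by_key[key]
                return True
        return False


class Receiver:
    """Delivers only the newest message per key, once; acks everything it sees."""
    def __init__(self):
        self._last_seq = {}

    def accept(self, datagram):
        """Returns (seq_to_ack, key, payload); payload is None for stale or duplicate data."""
        seq, key, payload = decode(datagram)
        if seq <= self._last_seq.get(key, 0):
            return seq, key, None
        self._last_seq[key] = seq
        return seq, key, payload


if __name__ == "__main__":
    wire = []
    sender = ReliableSender(wire.append)
    sender.enqueue("pos", b"x=1")
    sender.enqueue("pos", b"x=2")       # supersedes x=1 before it reaches the wire
    sender.pump()
    print(len(wire), "datagram(s) sent;", Receiver().accept(wire[0]))
```

On a real link, `send_datagram` would be `sock.sendto` bound to the peer address, and a receive loop would feed inbound datagrams into `Receiver.accept` and the returned seq back into `ack`. The retry cap is what turns "the network has gone away for a few seconds" into an event the application sees, instead of TCP's retransmitting until the acknowledgements come back. Nothing here authenticates the datagrams, so a peer that can spoof acks or sequence numbers can silence or replay the channel; a real protocol needs a MAC on top.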

# re: DELAY or NODELAY - Riffing on Larry, who's riffing on Raymond...

Right, agreed. It makes very little sense to subtract from TCP in any generic situation.

The problem that I'm facing here is that I'm working with existing protocols (proprietary) which work over TCP, and demand minimum latency. My latency to the application servers in question is very low (10 msec or so), and close to zero packet loss, so typical TCP issues that cause latency (wait-for-ack) aren't really an issue here.

These app servers have low throughput ... low bandwidth requirements... but since I didn't design the protocol, nor do I really implement it (I handle the load balancing / relaying), it's an interesting challenge to minimize the latency without actually changing the protocol semantics in any fashion.

Fortunately for me bandwidth isn't an issue, so I *can* chew up some bandwidth if I can provide better latency as a result of that.

I believe I should take your advice on this one though and not *subtract* from TCP. I do have some ideas on what I can *add* to TCP, but any advice from your end is also welcome.

An interesting thing to think about too is the situations you'll find yourself in when doing TCP over UDP or UDP over TCP.

Thanks!

Wednesday, May 10, 2006 4:43 AM by nick

# re: On Riley On Spaf.

Alun,

I too read SR's commendation of Eugene Spafford's blog entry. If there is one thing sure to produce opinions from anyone (however much they claim to have no interest in security!) it is the subject of password construction and maintenance!

Interestingly, it is another comment of yours on Jesper's blog that I was interested in. As a security consultant for one of the top 5 banks in the UK, I have been party to risk analysis workshops. I agree we sometimes try to oversimplify risk. I give the example of a risk that is highly unlikely to occur, but whose consequence would prevent a multi-billion-pound company from trading. In many risk workshops, this would be given a lowish rating, as (probability x cost) would be low.
I think the danger here is discounting these risks purely because they don't score highly enough in the quantitative procedure.

I think your comment about if a 'once a century' (ARO of 0.01) were to occur in the first year of trading, should the company shut down? was a very pertinent point.

Wednesday, May 10, 2006 6:11 AM by Paul Vincent

# re: DELAY or NODELAY - Riffing on Larry, who's riffing on Raymond...

yeah, who in their right mind would disable Nagle?

http://support.microsoft.com/default.aspx?scid=kb;EN-US;270926

remember how NT SP6 broke lots of things? As I recall, it was SP6 that disabled nagling, and SP6a reinstated it - as far as I know it's still a feature of all Windows OS. With NT, swapping different versions of NetBT.sys would instantly improve throughput for applications such as MSAccess. Dig out your old disks and give it a whirl!

Thursday, May 11, 2006 5:04 PM by petal

# re: How to scan SSL/TLS sites.

Guess your post got truncated....

Wouldn't WinInet do the job here and throw the error you wanted?

You'd have to use a thread pool though to scan the servers unless you used async wininet (which is pretty ugly).

And of course it would work only for HTTPS servers, not FTPS afaik.

Monday, May 15, 2006 6:09 AM by nick

# re: How to scan SSL/TLS sites.

Thanks for the note on truncation - hopefully it's fixed now. Note to self - when posting code with angle-brackets (less-than, greater-than signs), don't preview before posting.
I could have used WinInet, perhaps, but of course then it wouldn't have been extensible to supporting FTPS in future, and I wanted to see how the new SslStream class works in .NET.
I wish that they'd called it TlsStream, or at least created some sort of alias to that, as TLS is the new name for SSL.

Monday, May 15, 2006 10:08 AM by Alun Jones

# re: How to scan SSL/TLS sites.

Right...thanks for fixing that.

Looks like pretty simple code, as you said.....I'm not a .NET programmer myself but I do see its utility now for the kind of task outlined above / RAD of a kind.

Tuesday, May 16, 2006 4:25 AM by nick

# re: SAL - pipped at the post by Michael Howard.

Oh, and one last thing to note about what happens while you're adding SAL to your own code...
You will fall asleep through sheer tedium, you will make mistakes because it's so boring you can't think straight, and when you eventually get it all taken care of, your code will be so much cleaner it'll squeak. But it'll still have bugs in, and you'll still have to test it to hell and back.
Automated tools are good for finding most of the "how on earth did I write that code so badly?" mistakes. They won't find your more subtle problems.

Saturday, May 20, 2006 10:40 PM by Alun Jones

# re: SAL - pipped at the post by Michael Howard.

And another last thing - LPCSTR is your friend. It replaces "__in_z const char *" so nicely.

Saturday, May 20, 2006 10:56 PM by Alun Jones

# re: SAL - pipped at the post by Michael Howard.

Related question, since you've got me interested....agreed that this not only makes your code more secure, it also deals with bugs. Subtle problems will enter no matter what you do, and errors in logic/a basic lack of complete mastery of the system is inevitable unless you wrote the darn thing :) But minimizing silly bugs helps save immeasurable amounts of time.

I'm building Win32 API based IOCP servers for deployment on machines which I control, on Visual Studio 6.... in *your* experience, given the benefits of VS2005 [SAL being one of them, a few more that I know of], does it make sense for me to switch? Are there any negatives that you see?

Asking since I've seen some posts of yours on related topics on usenet [IOCP/network programming] - so you may well have explored the same/similar questions.

Sunday, May 21, 2006 1:31 AM by nick

# Okay, scratch what I said about SAL

Despite what Michael Howard says about how wonderful SAL is, and my own post from earlier today, I really...

Sunday, May 21, 2006 8:57 PM by Tales from the Crypto

# re: Okay, scratch what I said about SAL

For our next dev cycle, I wanted to use /analyze, so I got a price quote for the team edition. It was around 9K.

I got the 180-day trial...

Don't understand the business reason behind that either..

Monday, May 22, 2006 9:47 PM by Mario Contestabile

# re: When is a virus not a virus?

"When is a virus not a virus? When it doesn't spread."

Virus ... With this word, sec firms earn so much money that they find the opportunity to

I hope securityfirms and FUDers won't forget that point when future new "viruses" will be discovered on (especially for) Linux (cause i use it) but for other systems too (cause most people use them).

Nice blog, Alun.

Wednesday, May 24, 2006 1:11 PM by raphaël

# re: Security questions considered dangerous

Q. Why don't you just walk over to the security office, show them your photo identity, and get them to reset your password?

A. Because that's way too far to walk.

Then again, people who know me might be able to guess that one.

First off, I agree with your overall intent, I just disagree with your examples. I think you are going a bit extreme with your concerns. There will always be systems where someone can't participate; Iris scanner/lose an eye, fingerprints/burns, etc. The solution is finding a good way to handle the majority while planning for the minority.

Wednesday, May 24, 2006 4:17 PM by Bucky

# re: Security questions considered dangerous

The "walk over to the security office" is just an example. It could just as easily be "get two other people in your team to vouch for your identity", "get your manager to request the password to be reset", etc, etc - those are examples for an office environment. There are more creative ways to ask for verification of identity.
As to being extreme with the concerns, I guess it's going to depend on how many people are going to be inconvenienced by whatever scheme you choose. I never had a favourite sports team, but that's usually the choice I have to make when it's just one out of four questions, because I don't fit a number of other categories, or the answers to the remaining questions are known by too many people.

Wednesday, May 24, 2006 10:39 PM by Alun Jones

# re: Forget that I asked you to ignore what I said about SAL.

Thanks, thats good news! Even if I don't use it myself, it simply means more people will end up writing better programs.

Monday, May 29, 2006 3:24 PM by nick

# Why not *read* what he wrote?

You ask, "how full is full?"  You could read the article to which Bruce Schneier links.  The student found a problem and told a professor, who in turn told a sysadmin, who fixed it.

*You're* the one confusing the issue.  The "full disclosure" that Schneier discusses is simply reporting a vulnerability to a sysadmin privately.  The sort of fearmongering you're doing here is precisely the mindset that makes such private vendor vulnerability disclosure difficult.

Either you can't read, or you're intentionally trying to make us all afraid of security researchers.

People turn to full *public* disclosure because the attitude toward full *private* disclosure is less than responsible.  You waste your breath slamming full *public* disclosure here.  Instead, why not *celebrate* the responsibility that this student and professor showed?

Wednesday, May 31, 2006 11:05 AM by Asheesh Laroia

# re: Full Disclosure - how full is full?

You make my point for me, by asking me to go "read the article to which Bruce Schneier links". When Bruce makes a statement such as "Full disclosure is the best tool we have", a vast majority of his readership applies their own version of a definition of "full disclosure", and continues to cite Bruce Schneier's support of whatever they feel he's blessed them for doing.
I'm not sure where you believe I crossed the line into "fearmongering", however - I simply say that public disclosure does not equate to full disclosure, unless the vendor / developer is informed first.
That this doesn't apply in the case Bruce is citing is merely an indication that he should not be using broad strokes when a finer brush is necessary. He will be quoted by people who have not looked at the links; by journalists; by hackers looking for exposure and trying to justify themselves.

Wednesday, May 31, 2006 1:43 PM by Alun Jones

# You can lead a horse to water, but you can't make him think. Part 2.

In the interests of balance to my last post, maybe I should tell a story about a Microsoft developer...

Friday, June 02, 2006 1:58 PM by Tales from the Crypto

# Making secure programming hard through bad documentation.

I ran into a little confusion when tracking down a bug in one of my programs today.
Direct quote from...

Saturday, June 03, 2006 1:18 PM by Tales from the Crypto

# re: Making secure programming hard through bad documentation.

"Uh... that should be "following"(or even "after", because people understand short words better), not "preceding""

Thats a small flaw, it should be "prior to" or "before".

e.g. %10c - the 10 is prior to the c, rather than following it.

Saturday, June 03, 2006 10:11 PM by nick

# re: Making secure programming hard through bad documentation.

No, you've become confused - and that's why it's not a small flaw.

Old style "sscanf" works as you describe - if you want to read exactly ten characters into a string, you do this:

char x[11];
sscanf(input_line,"%10c",x);
x[10]='\0'; // Null-terminate.

But what I'm talking about is using sscanf_s to ensure I don't overflow:

char x[11];
sscanf_s(input_line,"%10c",x,_countof(x));
// No need to null-terminate - or is there? Discuss...

Note that the size argument, "_countof(x)" comes after the buffer pointer argument, "x". The documentation says that the size comes first, and doing it like that will crash your program.

Thanks for commenting, though - it's pleasing to think that someone's reading my drivel :-)

Saturday, June 03, 2006 10:34 PM by Alun Jones

# re: Making secure programming hard through bad documentation.

Haha, that's right... the verbiage did confuse me :) So I missed out on your intention - what you wanted to correct.

"Thanks for commenting, though - it's pleasing to think that someone's reading my drivel :-)"

As long as you're writing about programming, security, networking, or crypto you'll have my readership in all likelihood :)

Sunday, June 04, 2006 7:46 PM by nick

# re: Making secure programming hard through bad documentation.

To add to what I said, the documentation seems to be describing the format string parameter, rather than the count parameter - quite confusing as you said!

Sunday, June 04, 2006 7:52 PM by nick

# re: Sandi brings up the question of responsible disclosure.

Alun.  Good topic - I've always been puzzled by the "disclose at any costs" mentality.  I think folks generally "get" the original motivation for public disclosure to shame vendors into doing the right thing.  However, once vendors start actively working to fix issues, then responsible disclosure becomes a much better process for reducing risk.

I suppose the core dispute is trust though.  If I look at the allegations against how long Oracle sits on responsibly disclosed issues, for example (and if it is true), I begin to doubt someone is working hard to fix issues.

These are the same allegations that get levelled at us, even when I know we're working hard to fix issues and get something out in 7 days (WMF...) ...

Monday, June 05, 2006 11:23 PM by Jeff Jones

# re: Making secure programming hard through bad documentation.

In an email, one of Microsoft's folks makes the interesting point that the use of "bytes" and "words" is appropriate because of multi-byte character sets, and because of similar Unicode behaviours.
It's an interesting point - I'd like to see a term that adequately describes the nature of an element of a string array, without devolving into calling each element a character, since some characters are made of multiple elements, and without calling each element a byte or a word, because that just adds to the confusion.
When you think of strings, you shouldn't be thinking of byte representations in memory, you should be thinking of string representations.

Wednesday, June 07, 2006 11:08 AM by Alun Jones

# Password reset challenge questions: More trouble than they are worth?

Keith Brown states that password "security questions are considered dangerous" in the context...

Wednesday, June 07, 2006 8:39 PM by Paul Laudeman

# re: Why is PKI so hard? part 2

Thanks, this helped me out as well.. Saved me a lot of time

Thursday, June 08, 2006 7:10 AM by Frank

# re: Sandi brings up the question of responsible disclosure.

Let us return to the days of yesteryear where security vulnerabilities were reported to CERT, who would pass the report to the vendor to resolve when or if they found time to work on the issue. The vendor would obviously be aware if vulnerabilities were being actively exploited in the wild and would respond in the most appropriate fashion for the situation, should such unfortunate events transpire. The Systems Administrators would not be aware of issues with the systems they oversee, nor should they know for they may be part of the problem. The job of the Administrator should be to follow the advice of their vendor; potential workarounds may cause other issues and complicate matters, and thus should not be implemented, discussed, or disclosed. Security researchers are only interested in getting credit for their findings, and thus their work can wait until the vendor has approved the release of their information.

That type of thinking is what led to the Full Disclosure movement. Any extreme will have problems (Vendor Only Notification vs Full and Total Disclosure). Responsible Disclosure (the prevailing method of Full Disclosure) looks to be the best system so far.

Of course Gulftech should have publicly disclosed the exploit, if they thought disclosing that information would lead to a better security environment than waiting for the vendor (e.g. if they felt the vulnerability was being exploited in the wild).

Would you rather know, or not know?

Friday, June 09, 2006 5:54 PM by Bucky

# re: Tech-Ed fan clubs.

Remember that Steve specialises in penetration testing. Self-registering for his own fan club is nothing more than a test...

Tuesday, June 13, 2006 12:35 PM by Bruce Stein

# re: Prosopagnosia - why face-based password schemes won't work for all.

Alun - you are wacky, but I appreciate you sharing these embarrassing stories in support of your security insights.

Thursday, June 15, 2006 12:26 PM by Jeff Jones

# re: How to scan SSL/TLS sites.

I am not sure what I am missing but I had two issues with your code:

1- I was not able to find the code for the TestConnectionToSite method
2- There was no use of the method ValidateServerCertificate

I have the same issue where I need to scan all available DCs in a domain to check for certificate expiration. I was hoping to use your code as a starting point

Thanks

Issam

Monday, June 26, 2006 1:34 PM by Issam Andoni

# re: How to scan SSL/TLS sites.

Try it now - obviously, when updating this site to the newest version of Community Server, the code sample got horked again.  I have since unhorked it (literally by pressing "Post" again).

Monday, June 26, 2006 5:57 PM by Alun Jones

# I wish Larry hadn't written that...

Oh, Larry, Larry, Larry...
Articles 1 and 2 were great - really necessary reading to a lot of would-be...

Monday, June 26, 2006 11:13 PM by Tales from the Crypto

# re: How's that for a deadline?

Gee Alun, you've been in the US to understand the government procurement cycle, haven't you?  They'll pick the vendor with the cheapest bid, who will take twice as long to implement, may not be successful and will cost twice as much as the highest bid in the long run.  Oh, and once the project is complete somebody new will come along and scrap the whole thing for a better idea.  Thank goodness I don't work in the public sector, I have too much common sense for that!

Thursday, June 29, 2006 1:20 PM by Terry Constable

# re: How's that for a deadline?

If they have any sense, the project managers will say "that's too short a schedule for us, so starting August 1, all laptops must be returned to offices, and will not be allowed to be used until the encryption scheme is in process".
Sadly, they'll simply pick a product at random, push it out, and deal with everyone calling the help-desk at once because they've forgotten (or never had) the password.  Help-desk will then abandon (if they were ever told) any verification policies, and you'll be able to pick up a laptop from a government department, call the number printed on the label on the underside of the laptop, and ask for the unlock password, which they'll give to you.

Thursday, June 29, 2006 1:45 PM by Alun Jones

# re: How to scan SSL/TLS sites.

Thanks for the information.
I would like to start a TLS session for IMAP and POP on the normal ports 143 (IMAP) and 110 (POP).
I was not able to do the same.
http://rfc.net/rfc2595.txt
I was trying the following commands using a socket.
It got stuck at the "STARTTLS" command.
Example:    C: a001 CAPABILITY
              S: * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED
              S: a001 OK CAPABILITY completed
              C: a002 STARTTLS
              S: a002 OK Begin TLS negotiation now
              <TLS negotiation, further commands are under TLS layer>
              C: a003 CAPABILITY
              S: * CAPABILITY IMAP4rev1 AUTH=EXTERNAL
              S: a003 OK CAPABILITY completed
              C: a004 LOGIN joe password
              S: a004 OK LOGIN completed

Any help on this would be great.
thanks
urvish
urvishshelat@yahoo.co.in

Tuesday, July 04, 2006 2:52 AM by urvish

# re: How to scan SSL/TLS sites.

In between the lines creating a new SslStream object, and calling AuthenticateAsClient , you would insert the appropriate lines to write the CAPABILITY and STARTTLS commands, and to read the responses.
Once you read the "OK...<CRLF>" in response to the STARTTLS command, you can authenticate as an SSL client, and send further commands and responses which will be encrypted.
There should be a number of samples available for demonstrating how to communicate using SSL / TLS.

Wednesday, July 05, 2006 1:23 PM by Alun Jones
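The STARTTLS sequence Alun describes in the reply above, as an added example in Python rather than the post's .NET code; it also covers the POP3 variant (STLS, from the same RFC 2595) that the question mentions. Nothing here is from the original page: the readline/write transport interface, the "a001"/"a002" tags and the scripted fake server used for the offline run are assumptions, and the real-socket path uses only the standard library ssl module.

```python
"""IMAP STARTTLS and POP3 STLS (RFC 2595) negotiation on the plain socket,
before it is handed to TLS. Added example, not the post's .NET code or any
project's: the readline/write transport interface, the scripted fake server
for the offline run and the 'a00n' tags are assumptions; the real-socket path
uses only the standard library ssl module.
"""
import socket
import ssl


class StartTlsError(Exception):
    pass


class LineTransport:
    """CRLF line I/O over a real socket; discard it once the socket is wrapped."""
    def __init__(self, sock):
        self._sock, self._rd = sock, sock.makefile("rb")

    def readline(self):
        raw = self._rd.readline()
        if not raw:
            raise StartTlsError("connection closed during negotiation")
        return raw.decode("ascii", "replace").rstrip("\r\n")

    def write(self, line):
        self._sock.sendall((line + "\r\n").encode("ascii"))


def imap_starttls(t):
    """CAPABILITY, then STARTTLS; returns the pre-TLS capability set on success."""
    greeting = t.readline()
    if not greeting.startswith("* OK"):
        raise StartTlsError("unexpected greeting: " + greeting)
    t.write("a001 CAPABILITY")
    caps = set()
    while True:
        line = t.readline()
        if line.startswith("* CAPABILITY "):
            caps.update(line.split()[2:])
        elif line.startswith("a001 "):          # tagged completion of our command
            if not line.startswith("a001 OK"):
                raise StartTlsError("CAPABILITY failed: " + line)
            break
    if "STARTTLS" not in caps:
        # Refuse rather than fall back to LOGIN in the clear: an on-path attacker
        # can strip the capability to force exactly that downgrade.
        raise StartTlsError("server does not advertise STARTTLS")
    t.write("a002 STARTTLS")
    while True:
        line = t.readline()
        if line.startswith("a002 "):
            if line.startswith("a002 OK"):
                return caps
            raise StartTlsError("STARTTLS refused: " + line)


def pop3_stls(t):
    """POP3 equivalent: STLS after the +OK greeting; True once TLS may begin."""
    greeting = t.readline()
    if not greeting.startswith("+OK"):
        raise StartTlsError("unexpected greeting: " + greeting)
    t.write("STLS")
    reply = t.readline()
    if not reply.startswith("+OK"):
        raise StartTlsError("STLS refused: " + reply)
    return True


def negotiate_and_wrap(host, port, protocol="imap"):
    """Real-network path: negotiate in the clear, then wrap the same socket.
    Re-issue CAPABILITY afterwards; RFC 2595 says pre-TLS capabilities are void."""
    sock = socket.create_connection((host, port), timeout=10)
    (imap_starttls if protocol == "imap" else pop3_stls)(LineTransport(sock))
    ctx = ssl.create_default_context()           # verifies chain and hostname
    return ctx.wrap_socket(sock, server_hostname=host)


class ScriptedTransport:
    """Constructed fake server for the offline run: respond(cmd) -> reply lines."""
    def __init__(self, greeting, respond):
        self._queue, self._respond, self.sent = [greeting], respond, []

    def readline(self):
        if not self._queue:
            raise StartTlsError("fake server has nothing more to say")
        return self._queue.pop(0)

    def write(self, line):
        self.sent.append(line)
        self._queue.extend(self._respond(line))


def fake_imap(offers_starttls=True):
    """Replies modelled on the RFC 2595 exchange quoted in the question above."""
    def respond(cmd):
        tag, _, verb = cmd.partition(" ")
        if verb == "CAPABILITY":
            caps = "IMAP4rev1 LOGINDISABLED" + (" STARTTLS" if offers_starttls else "")
            return ["* CAPABILITY " + caps, tag + " OK CAPABILITY completed"]
        if verb == "STARTTLS" and offers_starttls:
            return [tag + " OK Begin TLS negotiation now"]
        return [tag + " BAD command not allowed here"]
    return respond


def fake_pop3(cmd):
    return ["+OK Begin TLS negotiation"] if cmd == "STLS" else ["-ERR unknown command"]
```

`negotiate_and_wrap(host, 143)` with a hypothetical IMAP host does the live exchange and returns the TLS socket, whose `getpeercert()` carries the `notAfter` field that the certificate-expiry question earlier in this thread is after. Two points matter for a scanner like the one in the post: a missing STARTTLS capability is a failure, not a reason to log in anyway, and anything read from the plain socket must be discarded once it is wrapped, with CAPABILITY re-issued under TLS because RFC 2595 says the pre-TLS capabilities must not be trusted.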

# re: Prosopagnosia - why face-based password schemes won't work for all.

I'm confused.  1/50 people suffer from prosopagnosia (note: diagnosis of suffering is based on some 'metric' that is a fuzzy scale).  But surely a biometric security feature would be based on the system's (computer's?) ability to recognise and match facial structure, so it would be independent of a human's ability to recognise faces; it would be dependent on the accuracy/reliability of the system's facial recognition... this is likely not to suffer from the same levels of 'prosopagnosia' as humans encounter.

Wednesday, July 05, 2006 11:16 PM by ::Wendy::

# re: New ActiveSync - still not going to upgrade to it.

ActiveSync has one more disadvantage. When trying to download/upload huge file to/from device ~400 - 600 MB it drops connection.

Thursday, July 06, 2006 12:00 AM by V. S.

# re: Prosopagnosia - why face-based password schemes won't work for all.

Not really - what I was thinking about was this scheme described at New Scientist, and schemes like it, where you log on by selecting a face out of a group of faces.  The idea is that you don't have to type a password, you don't have to remember a bunch of strange symbols, letters and numbers, you simply have to remember the person's face.

Thursday, July 06, 2006 8:06 AM by Alun Jones

# re: You can lead a horse to water, but you can't make him think. Part 1.

"There just isn't a way to really attack Linux or OS X or any of the Unix variants - once you compile it, it's like iron"  Tom Adelstein (From the IT News article)

That's not naive, that's stupid.

Monday, July 10, 2006 2:18 PM by Tom

# re: You can lead a horse to water, but you can't make him think. Part 1.

Tom's right - Tom's statement was stupid.  [I hope the two Toms aren't the same person!]  I don't know of Tom Adelstein, so I can't say whether he's prone to making stupid statements, but that one sticks out as reason to ignore him in future.

Tuesday, July 11, 2006 3:14 PM by Alun Jones

# re: Say bye-bye to the twentieth century...

And good riddance to bad rubbish, I can't stomp out the lingering copies of 98 fast enough.  Ending support will hopefully kill a few more for us, but there are always die-hard neanderthals.  ME will someday join Microsoft BOB in the Software Hall of Infamy.

Tuesday, July 11, 2006 8:52 PM by Terry Constable

# re: Security is not like parmesan cheese

Only that the great and wise Linus T. sprinkles his holy parmesan cheese on top of all Linux code.  Thereby making it more secure and efficient than Windows and granting its users a narcotic-like sense of invincibility.  Too bad he's not as good at GUIs....

Wednesday, July 12, 2006 9:50 AM by Terry Constable

# re: Security is not like parmesan cheese

... and what about the code he didn't write?

... and what makes Linux' development work securely when Linus gets hit by a bus?

I'm pretty sure you're being facetious (although it's really not that much over the top from much of what I hear from religious adherents), but the serious point is this - if it takes an irreplaceable person to make an OS secure, then the OS is fragile. If it takes a documented process to make the OS secure, and the process can be followed by anyone with a modicum of training, then the OS is not fragile.

Wednesday, July 12, 2006 10:03 AM by Alun Jones

# re: Security is not like parmesan cheese

... modularity ...

Alun - I think you've got to give them that one.  I know the Windows Server team is coming around, but the Linux distros do generally have the ability to install a more minimal build.

That's not a panacea of course.  Less crappy code can (and does) have more vulnerabilities than more quality code.  But, the modularity is good.  If they'd do an SDL-like process on top of it, they're starting from a good place.

Thursday, July 13, 2006 12:05 PM by Jeff Jones

# Apples, Oranges and Vulnerability Metrics

NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more...

Friday, July 14, 2006 3:12 PM by Think Security - Jeff Jones Security Blog

# Patching annoyances

..so I'm using Shavlik to patch for all those other programs including Apple Quicktime...and the patch...

Saturday, July 15, 2006 10:42 PM by E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

# re: Programmer Hubris Part 1 - He's Just Not That Into You

Try using the K-Lite codec pack. Has Quicktime and Realplayer in their minimalist format.  No icon, no annoyances.

Sunday, July 16, 2006 1:39 PM by Stephen

# re: Programmer Hubris Part 1 - He's Just Not That Into You

My focus here is not to say "help me find a way to open this video without seeing the icon", it's to say "if you write programs this way, people will find reasons not to run them - so don't write programs that way".

Sunday, July 16, 2006 3:40 PM by Alun Jones

# re: Your security is my inconvenience.

I'd have to agree,

With no ability to back up what we purchased, it's like we are renting the software rather than purchasing it.

And even if you call who made it to send them the original, they charge you so much for the replacement, that you could buy a new one online cheaper..

It's like all software is Buyer Beware...

Here's Frogger 2 for $11.00 Plus Ship

http://www.shop.com/op/~FROGGER_2_SWAMPY'S_REVENGE_W95_XP_NEW_CD-prod-19988609-27482559?sourceid=298

Sunday, July 16, 2006 11:09 PM by Russ Grover

# Alun says....

...I like Alun, he actually *reads* my blog, and even comments sometimes...  
Anyways, Alun doesn't...

Monday, July 17, 2006 9:07 AM by Spyware Sucks

# re: Your security is my inconvenience.

Interesting, Alun.  My oldest daughter is moderately retarded and has a slew of motor difficulties and I know just what you mean.  She can go ballistic at the littlest thing and when her computer is not working I'd better get on it or she'll hound me to death.  I wish games would let you install to the hard drive and not require the CD at all, hard drive space is cheap.

Monday, July 17, 2006 10:40 AM by Terry Constable

# re: Is a denial-of-service a vulnerability?

Is it a vulnerability? Yes. Do all vulnerabilities have the same severity? No.

Factors to consider are the criticality of the service affected, other services or programs dependent upon the affected service, and the initiating requirements.

If I can send Out Of Band (OOB) data to BSOD your machine then yes, I’d consider that a severe vulnerability. If however I’m browsing and a site closes my browser window I’d consider it an annoyance vulnerability. External vs Internal causes goes a long way towards my opinion as to the severity of Denial of Service vulnerabilities.

Monday, July 17, 2006 3:57 PM by Bucky

# re: Is a denial-of-service a vulnerability?

Obviously, I'm with you in that "if I provide a service to others, that you can deny, it's a vulnerability", because you'll deny that service over and over again.
And apparently, you're with me on the idea that if I choose to download your site and it's a DoS attack on my ability to further download web sites, it's nothing more than an annoyance.
I don't think it's even a vulnerability - because I'm no longer vulnerable to your site once I figure out which site to avoid (which shouldn't take me long!)

Monday, July 17, 2006 6:04 PM by Alun Jones

# Programmer Hubris Part 3: Microsoft Might Have Realised I'm Not That Into Them

In Programmer Hubris Part 1, I described that frequently I'd come across applications that impinge on...

Wednesday, July 19, 2006 6:42 PM by Tales from the Crypto

# Microsoft Announces 'Windows Principles'

Links and snippets below...
Press release here:

"Recognizing the important role the Windows® operating...

Wednesday, July 19, 2006 8:32 PM by Alex Barnett blog

# re: Programmer Hubris Part 3: Microsoft Might Have Realised I'm Not That Into Them

And could we please, please, please, stop calling them "tenants"?

"Tenets", as anyone who's done a year of Latin (or most derived "Romance" languages) will tell you, are things that you hold.

"Tenants" are people who live in your building.

Wednesday, July 19, 2006 9:19 PM by Alun Jones

# re: "Steam will save the world"

strcpy_s? That's one of the dumbest ideas I've seen in a long time. I can just imagine the thinking that must have gone into it...

"So, what are we going to do about this buffer overflow problem?"

"Well, it happens because people use things like strcpy, rather than using strncpy like they should and actually checking for error conditions."

"Hmm. So, how about we force them to check for error conditions and handle them? Or provide a replacement string implementation that doesn't have fixed buffer sizes?"

"What do you think this is, Java? Objective-C on a Mac? Some kind of pinko high level language?"

"OK, OK. Let's just put a Band-Aid over the gaping wound. Let's define strcpy_s, which is exactly as broken as strcpy, except your program crashes immediately rather than becoming corrupt or crashing later on."

"But... couldn't we do that for all strcpy calls and still be within the ANSI spec?"

"Yes, but that way people would be forced to fix their broken code. If we do it the half-assed way, all the broken code will continue to work."

"But we won't get actual security until every single strcpy call is replaced with strcpy_s."

"Well, that's a Simple Matter Of Programming!"

"Excellent! Truly we are delivering quality software!"

Wednesday, July 26, 2006 2:27 PM by mathew

# re: "Steam will save the world"

"Well, it happens because people use things like strcpy, rather than using strncpy like they should and actually checking for error conditions."

I'm going to have to disagree with you here - strncpy isn't a solution, either. The count parameter of strncpy is described (in various ways) as the number of characters from the source string that should be copied, rather than the space that's available in the destination string. That you can use this parameter, and the min function, to achieve those ends, doesn't make strncpy a universally good replacement. [The better answer is to create a better string and/or buffer class, and use it, IMHO - but be sure you get it right!]

"Hmm. So, how about we force them to check for error conditions and handle them? Or provide a replacement string implementation that doesn't have fixed buffer sizes?"

Both of these are easily achievable in C++.

Forcing the check for error conditions comes with the use of SAL and the /analyze compiler switch, which will flag as warnings any place where you do not check a return value that is declared by SAL to be important. Oh, and you do compile with "all warnings are fatal errors", don't you?

As for the replacement string implementations, you have a number of different string classes for various needs, from the simple BSTR through MFC / ATL's CString, and the STL's string classes. I'm sure there are more if you look hard enough.

My goal in writing this post, as you probably figured out, is to ask how I can use the tools provided to find and fix the broken code. I don't buy the idea that developers can suddenly become super-vigilant and catch themselves from using strcpy badly - and I don't think that's what you were saying - I'd just like the tools to find the code in compilation, rather than in test. SAL and /analyze hold out the promise of being better at this over time.

Wednesday, July 26, 2006 6:45 PM by Alun Jones
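The strncpy count semantics argued over above, as an added example in C that is not code from the original comment thread: the wrapper and demo function names (safe_strcpy, strncpy_count_is_source_length, strncpy_leaves_unterminated, safe_strcpy_demo) are assumptions, and the wrapper is one way of forcing the truncation check through a return value that callers must inspect.

```c
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__) && !defined(__clang__)
/* GCC's -Wstringop-truncation flags exactly the misuse shown below; it is
 * silenced here only so the demonstration compiles cleanly with -Werror. */
#pragma GCC diagnostic ignored "-Wstringop-truncation"
#endif

/* Hypothetical bounded copy: the count is the DESTINATION size, the result
 * is always NUL-terminated, and truncation is reported as an error (-1)
 * rather than silently producing a shorter string. */
int safe_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {
        /* Copy what fits, terminate, and signal truncation to the caller. */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* includes the terminator */
    return 0;
}

/* The "how many characters from src" reading of strncpy's count:
 * strncpy(dst, src, strlen(src)) copies strlen(src) bytes no matter how
 * large dst is.  Returns 1 when that count would not fit in dst_size
 * (>= because the terminator needs a byte too), 0 when it would. */
int strncpy_count_is_source_length(size_t dst_size, const char *src)
{
    size_t count = strlen(src);
    return count >= dst_size;
}

/* The other pitfall: with count == sizeof dst and a source of at least
 * that length, strncpy writes no terminator at all.  Returns 1 when the
 * buffer is left unterminated after the call, 0 otherwise. */
int strncpy_leaves_unterminated(const char *src)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);          /* constructed: prefill with junk */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Runs safe_strcpy into an 8-byte local buffer and checks its invariants:
 * returns the wrapper's result (0 or -1) when dst is terminated and holds a
 * prefix of src, or -2 / -3 if either invariant were ever violated. */
int safe_strcpy_demo(const char *src)
{
    char dst[8];
    int rc = safe_strcpy(dst, sizeof dst, src);
    if (memchr(dst, '\0', sizeof dst) == NULL)
        return -2;
    if (strncmp(dst, src, strlen(dst)) != 0)
        return -3;
    return rc;
}

int main(void)
{
    /* Constructed sample inputs: one that fits an 8-byte buffer, one that
     * does not. */
    const char *fits = "abc";
    const char *too_long = "0123456789";

    printf("strlen as count, 8-byte dst: \"%s\" overflows? %d\n",
           too_long, strncpy_count_is_source_length(8, too_long));
    printf("sizeof dst as count, \"%s\": unterminated? %d\n",
           too_long, strncpy_leaves_unterminated(too_long));
    printf("safe_strcpy(\"%s\") -> %d, safe_strcpy(\"%s\") -> %d\n",
           fits, safe_strcpy_demo(fits), too_long, safe_strcpy_demo(too_long));
    return 0;
}
```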

# re: How hard do you want to make this?

As someone for whom the last few years have been either Outlook or Notes of various flavours, I can say that Outlook has won out as more usable, and I think has been more of a joy to deploy than Notes, although I can say that neither was a joy.

Lotus got so much right: (a) multiple servers for failover [now, I think, available in E2K7]; (b) multiple timezones on a meeting invite [although this one has finally been added in the beta 2 refresh for O2K7]; and so much wrong: (1) a single language per install, so when I worked for a global bank with staff in ~89 countries we had to have every localised version of Notes they did, when we could have deployed one Outlook version and language packs; (2) a scripting / automation interface a Vogon could not love.

Given a free choice as a user I will pick Outlook over Notes, but as a company owner I have a feeling the choice would go the other way until Microsoft made me believe E2K7 was the proverbial dog's testicles.

Sunday, July 30, 2006 2:07 PM by Scotty

# re: How hard do you want to make this?

This may be one of those cases like trying to find accounting software that is secure and doesn't require huge investments of personal information - there is very little competition in the field that is any better, so there's no reason to improve, except for personal pride on the part of the developer, or for the sales angle - and you can't sell easier to use, you can only sell a new feature, or a prettier screenshot.

Sunday, July 30, 2006 10:45 PM by Alun Jones

# One other area where Unix is ahead

... is that an arbitrary file is not executable by default. Which gives another level of defence. Not perfect, I know. But far better than allowing any downloaded file to be run as a program by clicking on it, and much easier to secure than try to add warnings to all the ways that the file can appear on a system.

Wednesday, August 02, 2006 12:07 PM by Andrew Yeomans

# re: The hardest working woman in IT

I see that red X all over the place :)

Yeah, yeah, I just found your blog and am thoroughly enjoying reading the backlog.

Thursday, August 03, 2006 5:50 PM by Scotte

# re: How to scan SSL/TLS sites.

Thanks Alun.
I have done the same, but it always works the first time. The second time, if you run it immediately, it fails at "sslStream.AuthenticateAsClient(serverName);" stating that "handshake failed due bad packet format." The same code works fine for SSL multiple times without closing the application (window).
I really got stuck here... no clue...
Regards,
Urvish

Thursday, August 03, 2006 7:33 PM by Urvish

# re: The hardest working woman in IT

Okay, so the red X is irritating, but I think I've fixed it now.

Thursday, August 03, 2006 7:36 PM by Alun Jones

# re: How to scan SSL/TLS sites.

Not having developed any larger apps in .NET yet, I can't say that I can offer a really good answer - but any time you're talking about a failure "the second and subsequent times", you have to look at "did I close the first one properly?"

"Close", is of course, a concept, not a function or operation - it could mean that you didn't call a "Close()" function, or it could mean that you didn't finish receiving the last piece of data, or you didn't drop from SSL down to plain-text, and now you want to negotiate back up to SSL when you're already there.

Apply some thought to this in your own case, and you'll probably find out what's wrong - otherwise, you might want to post your question in one of the .NET newsfroups.

Friday, August 04, 2006 10:15 AM by Alun Jones

# re: Ten reasons Dr J wants to go to Amazon.

Maybe Dr. J just wanted a change of atmosphere, I can't imagine his job was fun.  And maybe he thinks his work is done at MS (ROFL) and wanted a new challenge.  Of course personally I think Susan drove him away with her hero worship and he figures he might be safer at Amazon....

Friday, August 04, 2006 2:13 PM by Terry Constable

# re: Wireless security

I still think there are two levels of wireless security.  The first is protecting your corporate network.  In that case WPA and 802.1x should be used to keep hackers at bay.  The second type of security is a user at home wanting to prevent his neighbors from mooching net access.  In that case WEP should be good enough 95-99% of the time, since most people's neighbors aren't cracking WEP.  Also, you can still use your DS if you just use WEP.

Disabling broadcasting is useless and just makes everyone's life more difficult.  MAC filtering is a little better, but again just makes things needlessly difficult.

Monday, August 07, 2006 1:47 PM by Brian Hoyt

# re: Wireless security

There are more classes of wireless network than that, of course.
Here's an extended taxonomy, and the sort of thing you might need to secure:
Public (free) access: Protect the infrastructure from damage, provide equivalent service to all users, monitor and prevent users who use the service to commit damage.
Public (pay) access: Same as for Public (free) access, but you also want to limit usage to people who have paid.
Private (home) access: Control who can use the wireless network, prohibit the exposure of data to unauthorised parties.
Private (corporate) access: Strongly control who can use the wireless network, prohibit the exposure of data to unauthorised parties.
There's not much difference between what the home wireless and corporate wireless want; the difference is in the resources they can expend - the time, money, and expertise.
The same is true for the attacker - the difference is generally in the time, money, and expertise.  WEP cracking, SSID sniffing, MAC faking: they're all dead simple and cheap, so it's no use using WEP, blocking SSID announcements or limiting MAC addresses.
DHCP limiting is a total non-starter - it's a Denial-of-Service attack waiting to happen.
Never install a "security feature" that costs more to administer and/or use than it will save you in recovered or prevented costs.

Monday, August 07, 2006 2:40 PM by Alun Jones

# re: Wireless security

I still disagree on WEP.  While it may be dead simple for you and me to crack, I just don't see the average person looking for free wi-fi in the neighbourhood doing it.  The problem is there are still a good deal of consumer devices that don't support even WPA-PSK, and most home routers don't allow multiple levels of security.

Monday, August 07, 2006 4:04 PM by Brian Hoyt

# re: Wireless security

The average person looking for free wi-fi downloads a simple toolkit that allows them to crack WEP if they aren't around an unencrypted link.
Consumer devices need to come up to scratch.

Tuesday, August 08, 2006 10:44 AM by Alun Jones

# re: Is a denial-of-service a vulnerability?

Yes it is.  Why?

1)  DoS is just like a bad virus.  Your computer is rendered inoperable until you are released.

2)  DoS could be a buffer overflow and the person doesn't even know it.

Off the top of my head, there ya go.

Tuesday, August 08, 2006 7:52 PM by Michael Evanchik

# The Black Hat Wi-Fi Exploit - Wireless Forums and Wifi Forum

Wednesday, August 09, 2006 12:37 AM by The Black Hat Wi-Fi Exploit - Wireless Forums and Wifi Forum

# re: How do I rate today's patches?

Worth noting that -044 and -049 are Win2k only. -047 only impacts the VBA SDK and Office 2k & XP.

Still a huge pile this month.

Wednesday, August 09, 2006 4:29 AM by Richard

# re: How do I rate today's patches?

...And when will Microsoft finally figure out how Microsoft patches can be applied without requiring a reboot?

Wednesday, August 09, 2006 9:30 AM by Robert

# re: How do I rate today's patches?

It's very easy to ask that question, but the answer is more complicated.
Any time you patch a component - a DLL, or an EXE, or a system configuration file - that is in use, you have to figure out what you're going to do with the applications still using the component.
If it's a DLL, you've got the likelihood that it is being shared by several processes, and maybe even that the DLL is using shared memory and variables to communicate between instances.
If that's the case, then simply replacing the DLL without rebooting means that you'll now have two versions of the same DLL competing with one another as to which is the 'real' one.
Let's choose the clipboard as an example.
Say you patched the clipboard DLL, and segmented the two versions so that they can't share memory.
Now, you copy something in an application that was open when you applied the patch, you go to another application that was open after you applied the patch, and you hit "paste" - nothing happens, or it pastes some content that isn't the content you copied, because the two versions of the DLL aren't sharing the same memory.
Of course, the alternative would be to not segment the memory, so that both old and new versions are running with access to the same data.
That's too scary to contemplate - if you think buffer overflow attacks are a bad thing, just think what happens if you have two programs accessing the same memory, but one program thinks its data size is half that of the other. Buffer overflows are just the start - there's also the possibility of a different initialisation, or different meanings of certain values within variables.
So, to install a patch, you really have to wait until a moment when nobody is using the file that you're going to patch.
Reboot is the safest time to do that.
Obviously, it can be done better - you could list all the processes that have the files open that you want to patch, and ask the user to close them all (or force them closed for yourself). But then you have the user education issue of "I've just been told that MSIMN.EXE has this DLL open - what application do I close?"

Wednesday, August 09, 2006 9:51 AM by Alun Jones

# re: Sometimes 'journalists' make me spitting mad

I'm sorry I made you spit.  But since I'm here, let me ask.  Is there any cure for that MSMVP?

Wednesday, August 09, 2006 12:15 PM by Joe Barr

# re: Sometimes 'journalists' make me spitting mad

Keep applying the salve, and hope it doesn't come back next year?
Who am I kidding, I love being an MVP - it doesn't change anything about who I am, or what I do or say, but it puts me in touch with a lot of other people with the same goals and drive to achieve them.

Wednesday, August 09, 2006 3:11 PM by Alun Jones

# Read Alun's blog post ....

Tales from the Crypto : How do I rate today's patches?: http://msmvps.com/blogs/alunj/archive/2006/08/08/107097.aspx...

Wednesday, August 09, 2006 3:33 PM by E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

# Laptop encryption notes...

More laptop encryption news:
"A U.S. government computer loaded with approximately 133,000 drivers'...

Wednesday, August 09, 2006 7:07 PM by Tales from the Crypto

# re: How do I rate today's patches?

> Any time you patch a component - a DLL, or an EXE, or a system configuration file - that is in use

One additional issue to consider: if the DLL is loaded into a long-running process (e.g. a service) and you don't reboot, then the vulnerability will continue to exist in memory. While patched, the computer could still fall to the same attack.

Thursday, August 10, 2006 3:08 AM by Richard

# re: How do I rate today's patches?

Absolutely - my long post above only scratched the surface of the problems that Microsoft (and other patching vendors) face when they try to deploy a patch without rebooting.
Vista has some improvements in this area - notably, it will prompt to close applications and save files to prevent the requirement of a reboot.

Thursday, August 10, 2006 10:07 AM by Alun Jones

# re: Wireless security

Maybe you should leave it wide open for anyone to connect.  But ... use QoS or some method of rate limiting for all IPs but your own, so as to cause the other hosts to only get 56Kb/s bandwidth.  :)

Then the unwanted guests will become frustrated and discouraged, and leave.

Just a thought.

Saturday, August 12, 2006 12:53 AM by corp-mule

# re: Wireless security

Sounds like a good idea to me.
Part of me wants to argue that it's dead simple to saturate your wireless bandwidth anyway, but then again, it's worth 'suggesting' to the wireless hacker that he might want to go elsewhere to get bandwidth, if that's what he wants.

Saturday, August 12, 2006 5:29 PM by Alun Jones

# re: I'm a developer - I don't do operations.

I think you can widen this out to more than developers.

My primary responsibility is architecture / design of Windows, primarily AD, systems and I like to think I am good at it. I feel I am less good at implementation and least good at operational support. Maybe I am just less comfortable doing them or just plain don't like doing them.

Doing them though is invaluable as often implementations fall down because of a misunderstanding of the plans in place or a need to adapt and the adaptation is not in the ‘spirit’ of the design. Quite often the cyclical ‘thing’ happens where the design evolves due to implementation issues.

I also think that the best, and only workable handover, is from implementer to operator.

I have found the best way to keep capable of the work required to participate in carrying through my sort of projects where I am often the technical lead for the initial design is to drop down the food chain progressively to just another team member doing the operations and showing people how it all interrelates.

The biggest problem I have with getting other people to work this way is ego – they just plain can’t cope with not being the most important person all the time.

Tuesday, August 15, 2006 5:33 AM by Scotty

# More security for web forms

There are several banks that use non-SSL login pages. This does not mean they are sending your credentials in the clear, but the user has no way to tell if the login form is legit or spoofed.

Alun Jones moves from the findings of Johannes Ullrich, chief

Thursday, August 17, 2006 12:12 PM by Clipperz

# August patching podcast

http://www.acidplanet.com/artist.asp?podcast=1184|2&t=7417
August patching podcast for your listening...

Saturday, August 19, 2006 12:32 AM by E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

# re: Sometimes 'journalists' make me spitting mad

The bit that made me laugh loudest was Intel insisting the problem was caused by Microsoft's bad drivers. Yes, they are technically correct: the drivers in question are distributed and signed by Microsoft as part of Windows, and use the same dumb code Intel gave to Apple, who also distributed the same problem to their users. Nice shrug of the shoulders, Intel; you seem to have moved the blame nicely in the Windows world, and Apple need you to keep being nice and supplying processors to them ahead of Dell, so have little option but to keep quiet.

Saturday, August 19, 2006 2:27 PM by Scotty

# re: Insufficient System Resources to Complete API - part 2

Hi Alun

Long time since we've appeared at the same time in  microsoft.public.win32.programmer.networks. :-)

Curiously I had this problem just after you, and followed your instructions previously, but was obviously hibernating more often or something because it became apparent quickly that re-creating the hibernation file wasn't a complete solution.  I then downloaded the KB909095 patch directly.  Doesn't its link appear in the article for you?  Maybe it was added in the last update "August 16, 2006"?

Anyway, since installing the patch hibernation is yet again reliable. :-)

Thanks
Alan

Wednesday, August 23, 2006 5:57 AM by Alan J. McFarlane

# re: Insufficient System Resources to Complete API - part 2

Thanks for the pointer - last time I visited the page, the hotfix was strictly off-limits except if you called. Today, it's downloadable, and a good thing too, because the goofball at the other end of the line sent me the Windows Server 2003 version of the patch.
As for us meeting on the various network programming newsgroups, it's not so much a small world as it is a large world with pockets of localised smallness. Good to hear from you again.

Wednesday, August 23, 2006 10:42 PM by Alun Jones

# re: Error: Insufficient system resources exist to complete the API.

This can happen for other reasons.  See the knowledgebase article and windows patch at http://support.microsoft.com/kb/909095

Friday, August 25, 2006 4:23 PM by John Andrews

# re: Error: Insufficient system resources exist to complete the API.

I know that, thanks - that's why I added the piece about a hotfix being available.

Friday, August 25, 2006 8:29 PM by Alun Jones

# When the inevitable happens, is it really news?

The BBC has an article about the cracking of Microsoft's DRM protections for Windows Media format files....

Tuesday, August 29, 2006 12:53 PM by Tales from the Crypto

# When the inevitable happens, is it really news?

The BBC has an article about the cracking of Microsoft's DRM protections for Windows Media format files.

Monday, September 11, 2006 1:23 PM by Tales from the Crypto

# Programmer Hubris Part 3: Microsoft Knows I'm Not That Into Them

In Programmer Hubris Part 1 , I described that frequently I'd come across applications that impinge

Wednesday, September 13, 2006 11:58 AM by Tales from the Crypto

# re: No, I don't want your -bleep- software

Uh.. Quickbooks 200X comes with Google Desktop as an option you have to say "no" ... don't ya just love it?

Sunday, September 17, 2006 11:10 PM by bradley

# re: No, I don't want your -bleep- software

You're preaching to the choir brother.

Real Player - Google toolbar

Cyberlink - Google toolbar

InterVideo - Google toolbar and Desktop Search

Acrobat Reader - Google toolbar

Firefox - Google toolbar

WinZip - Google Toolbar *and* Desktop

Dell was thinking of bundling Google Toolbar and Desktop - did that go ahead?

Sun Java - Google toolbar... or is it Yahoo... who knows, it's one of them.

Macromedia Flash and Shockwave - Yahoo toolbar

Acer - Yahoo Search

MSN Messenger comes with too much bloody stuff:

http://msmvps.com/blogs/spywaresucks/archive/2006/08/24/109382.aspx

Somebody tell me why Google are the "good guys".  As far as I'm concerned they are getting dangerously pervasive in a way MS never was. Google is, and always has been, ahead of the pack when it comes to gathering information about us.  Google knows what we search for, it knows what we listen to, it has our emails in its never-to-be-deleted database.  It was/is even contemplating using a PC's microphone to capture sound bites from you for targeted advertising:

http://www.theregister.co.uk/2006/09/03/google_eavesdropping_software/

Are you afraid? I'm starting to be.

Monday, September 18, 2006 7:15 AM by sandi

# re: No, I don't want your -bleep- software

I get the impression, too, that the DivX player is far from being the only software that has offered not just to give me the Google toolbar, but also to shove an entire change of browser at me.

At least Nero doesn't ask me the question every time I install, it's an option on the download page, so as long as I install from a copy I previously downloaded, I don't have to remember once again that I'm not into the Yahoo! toolbar.

My kid's machine, on the other hand, has at least five different toolbars installed into it, to the point where I wonder if he has enough space to read the web page he's browsing to.

Monday, September 18, 2006 11:40 AM by Alun Jones

# re: No, I don't want your -bleep- software

Clearly what's needed is for Google to distribute a "Google Toolbar Blocker".  Download it and deploy it, and all future attempts to install the Google Toolbar will be blocked.

Going down this road, of course, it's obvious that what is really needed is a "Global Installation Blocker", that blocks installation of every piece of software unless you specifically enable that piece of software to be installed. :-)

Monday, September 18, 2006 1:25 PM by Alun Jones

# re: No, I don't want your -bleep- software

Heh. I sure hope that *all* your son has on his machine is those toolbars...

Monday, September 18, 2006 7:37 PM by sandi

# re: No, I don't want your -bleep- software

Is there really a significant difference between spyware and these various toolbars?

They all try to worm their way onto your machine by including themselves with other stuff you wanted, and hoping that you don't remember to read the check boxes before you click "OK" to the installation.

I guess "do no evil" is somewhat fungible.

Monday, September 18, 2006 10:57 PM by Alun Jones

# re: What should I do now I can compete?

Add google desktop.

.. I mean everyone else is doing it?

(just kidding)

Thursday, September 21, 2006 12:27 AM by bradley

# re: Is BitLocker Misdirected?

Hi Alun, So, what happened to "secure by design, secure by default"? Did Microsoft decide that one of their more useful security features in Vista would be better if it was crippled into close-to-uselessness? It sure seems that way - by default. It is secure by design, sure, but only a half-arsed implementation by default. This is a very backwards way of going forwards. Regards, HiltonT

Wednesday, September 27, 2006 5:46 PM by Hilton Travis

# re: Is BitLocker Misdirected?

I'm with you.  I like to stick with the concept that you should never assign to malice that which can be adequately explained by stupidity (or naivete, or short-sightedness, or whatever), so I have to believe that there's reason behind this.

My best guess is that the team were given a mandate - make it so that a hacker can't steal my laptop, remove my hard drive, and mount it in his machine to access my data.

If the mandate were to be reworded, "make it so that a hacker can't steal my laptop and access my data", it would be clear that TPM-alone is an inappropriate choice, and an inappropriate default.

Wednesday, September 27, 2006 10:55 PM by Alun Jones

# re: Is BitLocker Misdirected?

Doesn't TPM alone protect from HW changes only? Then the overall (physical) security (of the device) is the weakest one. You have a recovery key (presumably the stronger option), but none (with TPM alone, or just a very weak max 20-digit numeric key with TPM+PIN) on normal boot. The dumb question: how does the TPM help if the machine is stolen? Even USB with a 128-bit key seems to be better, but why is there no USB+PIN option? Why is no fingerprint (or iris, on a laptop with a built-in videocam) + PIN option available?

Thursday, September 28, 2006 1:44 AM by wonder

# re: Is BitLocker Misdirected?

TPM-only is designed to protect against someone installing extra software in your boot code.  Anyone with the skills or money to go about messing with boot code is likely to go for the easier route of booting the machine with untampered code, and then finding a way in through the external ports, particularly through the network.

TPM-only allows your system to be taken, by an attacker, from a small, relatively simple and secure environment, where the disk is encrypted, to a large, complex and less-secure environment (the running OS), where the disk is effectively decrypted.

Realistically, of course, if your laptop is stolen, it will most likely be wiped (rendering it impossible to boot, even with TPM-only protection on Bitlocker) and sold at a pawn shop to someone who wouldn't be interested in your data, or have the tools to get at it.  However, if you're responsible for the data of thousands of people - a valuable commodity - can you afford to take that risk?

As for your question about "why not use fingerprints?", aside from my usual note that fingerprints are not equivalent to passwords, I'll also note that the code for Bitlocker is small, and loads between the BIOS and the OS.  Bitlocker can't use as key storage anything that requires a device driver, or isn't exposed by the system BIOS.

Thursday, September 28, 2006 9:04 AM by Alun Jones

# re: Is BitLocker Misdirected?

Okay, so it seems BL provides just protection on boot and sits between the BIOS and the OS boot loader. But you mentioned it is a small piece of code that, BTW, resides on a plain unprotected 1.5GB NTFS partition. What can prevent hacking that? Also, as MS stresses, BL is _not_ designed for user authentication (nor authorization?). I think a simple VM + its image container encryption is the way to go for many laptop users. Another way is a BartPE (or now Vista WinPE?) booting environment with encryption sw pre-installed. Unfortunately, both have their problems (performance, ease of use). Anyway, MS BL just doesn't seem to be the transparent encryption security solution that effectively protects laptop owners, for instance. Sure, fingerprints or iris (i.e. biometrics) aren't that reliable yet, and booted OS drivers are the unfortunate requirement (until PC makers integrate pure hw + flashable eprom sensors in their machines). IMHO the one possible solution for now is using USB sticks with a passphrase/PIN to boot the PC/laptop with all the drives encrypted by transparent encryption sw. Are you aware of working solutions based on that? Does this allow having just a small (maybe DOS-based) encryption sw on the USB stick, or does it still force building an entire OS image (wanted for the target PC) in there?

Friday, September 29, 2006 5:41 AM by wonder

# re: Is BitLocker Misdirected?

What can prevent hacking of the unencrypted boot code?  Simple - the TPM chip.  The boot process requires that the boot code match the checksum stored in the TPM chip.

Of course, another protection for hacking the boot code is to require an external key (password, USB, etc) to provide material from which you build a key that is involved in the decryption key chain.  That way, you can hack the boot code all you like, but without the external keys, you can't get at the data.  [The scenario of the lost laptop returned to its owner is relatively uninteresting and should generally be protected by policy and practice - returned laptops should be backed up, then re-imaged, because you should assume that they are suspect].

There are several other solutions out there that will encrypt the drive and use a pass-phrase, or an external token, to provide the decryption key.  The ones I've seen aren't as manageable, however, as BitLocker.

At my job, we use PGP Whole Disk Encryption, but its management facilities across a large organisation are not easy.

Friday, September 29, 2006 9:33 AM by Alun Jones

# re: Patch Tuesday - Followed by Drafting Wednesday

I'd think that many developers would think that "under the radar" is a good thing; however, as users this is definitely a bad thing. Any developer with half a nous would realize that being open about patching, updates and vulnerabilities (and no, I'm not promoting irresponsible disclosure by security researchers) is the smartest way to approach things. Common sense, however, is far from common.

Saturday, September 30, 2006 3:30 AM by Hilton Travis

# re: Giorgio Armani has limited skills

All it means is that the same pressures that got models to become sickly rail thin have now turned, and that we should expect 'fashion' in female form to turn back toward a healthy weight.

Wednesday, October 04, 2006 4:30 PM by Phil O'Serf

# Biometrics fail to authenticate, once again

Steve Riley points to Mythbusters' successful attempts to breach biometric security - okay, so it's not

Thursday, October 05, 2006 7:58 PM by Tales from the Crypto

# re: McAfee wants to modify your kernel

> What else is going on right now that would cause this to be a worthwhile time to complain like this?

North Korea nuke launch maybe?

Monday, October 09, 2006 11:00 PM by Zorro

# re: Security is not like parmesan cheese

Security is only as good as the worst mistake an Administrator makes.

Tuesday, October 10, 2006 3:00 AM by root ;)

# Microsoft's man in Europe thinks Bitlocker is something it isn't

I've discussed this before - Bitlocker in Vista, by default, only offers to encrypt your laptop using

Tuesday, October 10, 2006 8:08 PM by Tales from the Crypto

# Way to "not remain silent", George!

"We won't remain silent as Microsoft imposes unnecessary security risks," wrote George

Wednesday, October 11, 2006 11:49 AM by Tales from the Crypto

# re: McAfee wants to modify your kernel

Not North Korea, no, but you are doing well in looking beyond the US for answers...

Okay, you give up, I'll tell you.

It's the EU courts investigating Microsoft for anti-competitive practices.

Oh, and maybe a little work trying to make you look the other way while McAfee suffers a small ethical problem of its own.

Wednesday, October 11, 2006 3:04 PM by Alun Jones

# re: Feedback loops and financial pressure

Isn't that exactly the same problem as doctors? I remember reading that some king (or equivalent) would only pay his doctors when he felt good. Of course with that you have the problem of doctors not giving the right diagnosis. How about giving the death sentence to virus writers? Or cutting a hand off at least? I don't know. No constructive ideas from my end. Only mumbling...

Wednesday, October 11, 2006 9:15 PM by Alex Radutskiy

# re: Security is not like parmesan cheese

It starts with the design of Unix as a multi-user platform. And it's the design of the Linux kernel, its system-related design, which makes it more secure. I don't know Windows code at all, but with the experience I had, Windows IS designed differently, with other targets and a much different design to start with. Putting security on top of a crappy kernel and core system is like putting cheese on top of a Mac burger... it's not kosher (e.g. not secure). No matter how much cheese you put there (until you don't see the burger), it doesn't make it kosher. Never. You wrote: "I would argue that Microsoft, with its various source code licences, may have more people devoted to passing eyeballs over their code than Open Source does." Really? Can I read the code? If I had a problem, could I check to see what the program is really doing by reading the source? Can I write test cases? Change pieces of code? Are there multiple companies reading, writing and contributing code to the Windows kernel? C'mon....

Thursday, October 12, 2006 6:54 AM by Eddy Nigg

# re: Security is not like parmesan cheese

The Windows NT core was designed as a multi-user platform from the start, by the same guy (Dave Cutler) responsible for VMS' design, which has long been envied for its security.

The Windows 9x core, on the other hand, was definitely not much of a multi-user system, since everyone was a de-facto administrator, and the base file system was FAT, where everyone's an owner with full control.

And I am most definitely serious about the "more eyeballs" comment. Who reads open source?  Generally the developer, the guy approving the checkin (often the same guy) and if you're lucky, there are one or two interested parties who check on some small portion of the code. Outside of the guy who wrote it, do you really believe there are that many people actually tasked with poring over the code (and interested enough to do so)?

Can you read the code? Yes. Here's the web page that'll tell you how.

As you'll see from my comments in other articles, I don't necessarily think it's a great idea for random companies to be writing and contributing code to the Windows kernel, but yes, that goes on too. A lot of things that require direct kernel editing in Unix / Linux / etc are available through non-kernel means (for example, new network stacks or changes to the existing stack, through the use of Layered Service Providers).

As you say, you don't know Windows code - and that's half the problem in this argument: most people arguing on either side have spent zero time on the other side.

Thursday, October 12, 2006 10:15 AM by Alun Jones

# Re: Who reads open source?

At the time I used Windows OS's, there was no shared code or any other open code coming out from Redmond. Without getting into this more seriously, I guess there are multiple limitations on getting access to this shared code mentioned by you. But also, what is the use of access to the Layered Service Providers if I want to access or change the kernel directly?

Quite obviously the Linux kernel is a very interesting piece of code, and lots of developers indeed read, change and learn from it, in full or in part. Other software vendors do this for their own purposes (e.g. adding driver support, application support), and therefore it indeed gets accessed quite a lot! And it's easily available to you, me and everybody. There are no limitations like with MS code.

Also, some Linux distributions indeed go over the various pieces of code line by line...I guess you are not familiar with the open source world and might miss some information on this subject. But let me give you a real world example, without all the arguments:
I personally administered Windows and Linux servers. The ratio was one in ten (1 Windows NT or 2K / 10 Linux), all of them serving web content. Guess which servers got cracked twice, even though they were protected behind a firewall, anti-virus and other anti's? Right, you know the answer! So even though the logical chance would have been 1 in 10 for Linux to get compromised, it was the opposite way around. This is what counts at the end of the day...

So, I just popped in by chance and left a message and didn't intend to start any flaming on this issue. I'd like to finish with this statement: Linux is quite secure at the core...whereas in the Windows world there is some security put on top...I mean, applications should not protect the system (as seen so many times in Windows: "The application tried to access....allow?"), the system should protect the applications!

Cheers!

Thursday, October 12, 2006 12:18 PM by Eddy Nigg

# Patch Drafting - last week's crop.

I posted towards the end of last month about "Patch Drafting", the practice of releasing

Monday, October 16, 2006 2:18 PM by Tales from the Crypto

# I always thought Preston Gralla was an idiot

Right from the first moment he gave my software, WFTPD, a negative review whose contents indicated he

Thursday, October 19, 2006 10:47 AM by Tales from the Crypto

# re: IE7 - the security update that isn't

"While you do that, of course, you want to be pestering the vendor to get their app to work" .... right, it's the vendor's fault they didn't have the foresight to predict that a future browser was going to break it.

Sunday, October 22, 2006 1:20 AM by Does it really matter?

# re: IE7 - the security update that isn't

IE 7 has been in public beta for so long, that what was foresight to begin with is by now aged hindsight.

Sunday, October 22, 2006 7:13 PM by Alun Jones

# re: How Apple keeps the statistics favourable

LOL re. not wanting to patch the Kernel

Wednesday, October 25, 2006 11:19 AM by Steve Lamb

# Cousin Jeff says it's going to be alright

I've been worried a little over the past several days that McAfee and Symantec are going to strong-arm

Wednesday, October 25, 2006 5:26 PM by Tales from the Crypto

# re: I always thought Preston Gralla was an idiot

Actually, "Abby", the prototypical AOL mom, knows a TON about computers. We came up with "Abby" based on what we thought that persona knew and did (mostly email and some IM'ing). Then we went and interviewed some Abby's and discovered that they were surprisingly computer literate. They didn't USE the system for that much but they knew how to do a lot.

Saturday, October 28, 2006 10:07 AM by Larry Osterman

# re: I always thought Preston Gralla was an idiot

Good to hear from you, Larry.

Like I said, Abby could teach Preston a thing or two.

You need a prototype like my mother, who's often calling for help with the same functions that aren't basic enough that she does them all the time, but aren't so complex that she isn't interested in doing them.  Guided Help in Vista would be a great help to her!

Saturday, October 28, 2006 7:01 PM by Alun Jones

# re: Insufficient System Resources to Complete API - part 2

Thank you guys, I went to Microsoft and downloaded the hotfix, hope it works but thank you for the help

Tuesday, October 31, 2006 2:39 PM by Pat

# Insufficient Resources to Complete API - part 3

In part 2 of this series, I promised to let you know how I'd been doing with my hotfix solution to

Tuesday, October 31, 2006 3:31 PM by Tales from the Crypto

# re: Changing passwords on a service

Have you looked at passgen.exe from Jesper and Steve's book which would let you set a different password per machine (great for machines in different pools of risk) as well as making sure it was complex. Good tool.

Friday, November 03, 2006 8:46 AM by Scotty

# Changing passwords on a service, part 2

In a comment to my earlier article , Scotty (a friend of mine from the mother country) asks: Have you

Friday, November 03, 2006 12:18 PM by Tales from the Crypto

# re: Changing passwords on a service, part 2

Opens, copies, starts Primal Script and pastes. >400 lines; returns to making pizza and to a quieter point in the day when the two-year-old has been fed. Looks interesting from a quick once over.

Friday, November 03, 2006 1:01 PM by Scotty

# re: Changing passwords on a service, part 2

Seems to work fine in some testing I did on a test domain, but then I expected it to work. The only code comment I would make is that I am not sure all the error trapping is catching all the errors it may be intended to. Generally I would have headed toward an Express version of Visual Studio for VB.NET or C# due to the far better error trapping and better dev environment, and the free price cannot be argued with either. Don't get me wrong, I think VBScript has been a very useful tool, and JavaScript is just too painful for most 'basic' programmers to get to grips with. But error trapping is plain awful in VB or VBScript. In future, PowerShell will I think be the automatic format for any script like this because of the power and reach it will have as well as industry support (wait for the launch event for some good surprises).

Wednesday, November 08, 2006 9:07 AM by Scottty

# re: Changing passwords on a service, part 2

Funny you should mention that it would be better written in C++, C# or even VB.NET... I plan to do just that when I get a little time.

Wednesday, November 08, 2006 9:53 AM by Alun Jones

# re: DELAY or NODELAY - Riffing on Larry, who's riffing on Raymond...

It generally does not make sense to subtract from TCP, but say you decided to use UDP and add some reliability layer, how is this very different from disabling Nagle:

1. The number of IP packets on the network would be roughly the same. Agreed, the UDP packets will be slightly smaller (28 bytes IP + UDP header instead of the 40 bytes TCP + IP header).

2. What about the reliability and sequencing that you get from TCP out of the box? Relieves you from writing reliability layer for UDP IMHO.

So I would prefer to disable Nagle if that makes sense in your specific case and not indulge in any unnecessary research based projects like implementing your own reliability layer over UDP and busting your project's deliverable date. And in these days of gigabit switches, increasing a few packets on the network is no big deal.

I believe in approaching problems in a pragmatic fashion.

Monday, November 20, 2006 1:57 PM by BK

# re: DELAY or NODELAY - Riffing on Larry, who's riffing on Raymond...

If you need reliability, what damage does Nagle cause you?

It delays your packets in extreme circumstances, but then so does reliability in general. If you add reliability, you are implicitly declaring that you don't mind seeing your packets delayed.

If you need your packets to get there as fast as possible, and can't afford any delay, you have to lose packets.

Pragmatism, if that is your watch-word, tells you that reliability and the Nagle algorithm are not mutually exclusive by any means.

So, reliability => TCP => Nagle, and speed => UDP => packet loss.

Tuesday, November 21, 2006 7:37 PM by Alun Jones
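The exchange above turns on what Nagle actually does to a write-write-read pattern: with earlier data still unacknowledged, the second small write is held until the ACK arrives, and if the peer delays its ACK because it has nothing to send back, the client stalls. The script below is an added illustration, not code from the original post: it builds a loopback server that answers only once both bytes of a two-write request have arrived, times the round trip with Nagle on and off, and exposes the TCP_NODELAY state so you can confirm which mode a socket is in. The server, the one-byte writes and the port choice are constructed for the demonstration; the stall you see depends on the OS's delayed-ACK behaviour, so the numbers are indicative rather than a benchmark.

```python
import socket
import threading
import time


def new_tcp_socket() -> socket.socket:
    """A plain TCP socket; the OS default leaves the Nagle algorithm enabled."""
    return socket.socket(socket.AF_INET, socket.SOCK_STREAM)


def set_nagle(sock: socket.socket, enabled: bool) -> None:
    """Turn Nagle on or off on one socket. TCP_NODELAY=1 means Nagle is OFF."""
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 0 if enabled else 1)


def nagle_enabled(sock: socket.socket) -> bool:
    """True when the kernel may hold back small writes while earlier data is unacknowledged."""
    return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY) == 0


def _responder(listener: socket.socket, rounds: int) -> None:
    # Constructed server side: each request is 2 bytes that the client sends as two
    # separate writes. The server cannot answer until both arrive and sends nothing
    # in between, so the OS may delay its ACK for the first byte.
    conn, _ = listener.accept()
    with conn:
        for _ in range(rounds):
            request = b""
            while len(request) < 2:
                chunk = conn.recv(16)
                if not chunk:
                    return
                request += chunk
            conn.sendall(b"OK")


def write_write_read_latency(nagle: bool, rounds: int = 5) -> float:
    """Mean seconds per write-write-read exchange over loopback with Nagle on or off."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    listener.listen(1)
    server = threading.Thread(target=_responder, args=(listener, rounds), daemon=True)
    server.start()

    total = 0.0
    with socket.create_connection(listener.getsockname()) as client:
        set_nagle(client, nagle)
        for _ in range(rounds):
            started = time.perf_counter()
            client.sendall(b"A")
            client.sendall(b"B")  # with Nagle on, this byte waits for the ACK of "A"
            reply = b""
            while len(reply) < 2:
                reply += client.recv(16)
            total += time.perf_counter() - started
    server.join(timeout=5)
    listener.close()
    return total / rounds


if __name__ == "__main__":
    for mode in (True, False):
        ms = write_write_read_latency(mode) * 1000
        print(f"Nagle {'on ' if mode else 'off'}: {ms:.1f} ms per exchange")
```

The fix the thread arrives at is visible in the code: TCP keeps the reliability, and `set_nagle(sock, False)` removes the coalescing delay for the one socket whose traffic pattern needs it, without dropping to UDP and rebuilding retransmission by hand.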

# re: Is BitLocker Misdirected?

I'm sorry but I don't understand how you can say that BL with TPM only doesn't protect your data if someone steals your laptop? It's impossible to log on without the user's password, and data are still encrypted because the decryption/encryption is a real-time action done for every read/write action.

Thanks for your help.

Friday, November 24, 2006 4:17 AM by tom

# re: Is BitLocker Misdirected?

"Bitlocker with TPM only" only goes so far.

If I steal your laptop, I can now turn it on, and watch it boot back at my lair.

I can turn it off and on time and again, and I can try to log on as many times as possible.

Or, I could ignore the logon prompt entirely, and attack the system through the network ports (how long before someone discovers a network vulnerability?), or through USB, or CDs with AutoRun (okay, so that requires that some idiot disabled the AutoRun prompting, but hey, we're talking about a defence that could and should prevent any attack against the physical machine).

If there is a wormable vulnerability, or an exhaustive attack exploit, I can plant my code inside the machine, and - as you point out - "encryption / decryption is a real time action for every read/write", so I'm able to read the drive through the OS as if it was never encrypted.

Other drive encryption methods rely on external keying material - thumbdrives, passwords, etc. They are vulnerable to these same attacks only if the thief steals the laptop while it's powered on, and doesn't shut it down or hibernate it (which means, in my case, that he doesn't close the lid!)

Friday, November 24, 2006 3:20 PM by Alun Jones

# re: Where's Jesper

His wife knitted a keyboard cover and it's covering the keys of the computer.

http://knittingforsanity.blogspot.com/

(that's my theory)

Tuesday, November 28, 2006 12:22 AM by bradley

# re: Developers are users, too.

There are a lot of things that developers are.. cattle, monkeys - these fit quite well I think. They - just - don't - get - it. Why is it that the infrastructure or security engineer understands but the developer still doesn't?

Tuesday, November 28, 2006 1:55 AM by Aaron

# re: Developers are users, too.

The security engineer understands it, because it's the security engineer's job. I'd dispute that the infrastructure engineer, in general, understands it - I've certainly met many who don't.

As to why developers don't get it, frequently it's because they don't have a reason to do so. They are given a list of features to craft into their code, and a deadline in which to do that. Security is not listed as a feature, and is unlikely to be tested for.

Security must be a decision from the top down.

Tuesday, November 28, 2006 9:09 AM by Alun Jones

# re: Error: Insufficient system resources exist to complete the API.

How do you install the hotfix if you only have a command prompt available?

Monday, December 04, 2006 5:40 PM by storch

# re: Error: Insufficient system resources exist to complete the API.

It's an EXE. You run it.

If you only have a command prompt available, I think there are likely to be other things you need to fix first.

Monday, December 04, 2006 9:27 PM by Alun Jones

# re: Clay Aiken wants my PC for Christmas

Clay will never own my computer - nor will any of these other <insert country here> Idol "winners".

I like steak.  I'm not so much a fan of mince.  I like real meat.  Same with music - I like real music, not the pre-softened, sliced and diced and (supposedly) easy to digest rubbish that is being put out by <insert country here> Idol participants.  There's no way that any of their crappy anti-piracy (like ANYONE would want to copy that crap anyway) junk will infect or otherwise degrade the performance of my computer.

Nor my ears!

Regards,

HiltonT

(hiltont.blogspot.com)

Wednesday, December 06, 2006 3:12 AM by HiltonT

# re: Clay Aiken wants my PC for Christmas

It's not about whether or not you like the content - you're going to see this on a lot of music CDs, whether it's commercial tat or something more to your liking (let me guess - you're a country music fan?).

So, you have to decide if you're going to use your PC to play CDs, and if you are, how you're going to protect your systems from untrusted and unknown content that arrives on them through DRM that you weren't paying attention to.

Wednesday, December 06, 2006 4:41 PM by Alun Jones

# re: Is BitLocker Misdirected?

Why does no-one ever mention ATA-3 hard disk passwords?  An 8-digit password required during the BIOS phase might not seem secure, but a 3-retry before power-cycle limit and the disk-implemented low-level format before unlock with supervisor password makes it really quite good!  Plus, no overhead at all during reads or writes.

Shame certain manufacturers watered it down by coding the supervisor password as 8 spaces.

Thursday, December 14, 2006 3:11 AM by Jimbo

# re: Way to "not remain silent", George!

What a crooked shop those guys are running over there. It's about time they have to pay the piper. Hats off to Gene Hodges for running away like a coward in January. No wonder their security wunderkind Vince Gullotto joined Microsoft.

Saturday, December 30, 2006 12:19 PM by mojo-nogo

# re: ReadyBoost - swap space on a stick.

Hi Alun,

Unfortunately, your recommendation of picking up a cheap USB 2.0 storage device won't necessarily work, because a number of the cheaper no-name USB 2.0 drives are not fast enough for ReadyBoost to use - and even if they include some fast and then some slow Flash storage, ReadyBoost checks the entire device and will reject it.

Kingston, Sandisk and other reputable brands all seem to work in my experience, but I know that some people have been stung by slow devices.

Basically, the device must be able to do 3.5 MB/s for 4 KB random reads uniformly across the entire device and 2.5 MB/s for 512 KB random writes uniformly across the device.  Have a read of Tom Archer's ReadyBoost rundown for more info -  http://blogs.msdn.com/tomarcher/archive/2006/04/14/576548.aspx

Saturday, December 30, 2006 4:50 PM by HiltonT

# re: ReadyBoost - swap space on a stick.

HI Alun,

Also, I have tried using 768MB of my Kingston 1 GB USB key here to see what difference ReadyBoost makes to my system (Vista x64 Ultimate RTM, Pentium D 3.00 GHz, 2 GB RAM) and have found that it makes absolutely no difference to my system performance at all.  Or no perceptible difference.

I cannot tell if the USB key is inserted or not - so it's back to being a USB key as it is significantly more useful that way.  Tried this for a 2 week period and honestly couldn't pick any difference.

Oh, well - it was worth a try.

Saturday, December 30, 2006 4:53 PM by HiltonT

# re: As a newsreader, Windows Mail sucks worse than Outlook Express

Try Thunderbird.

Sunday, December 31, 2006 2:39 PM by Susan

# re: As a newsreader, Windows Mail sucks worse than Outlook Express

If you're willing to read messages as HTML rather than plain text, you'll at least get the space bar scrolling back.  Then again, it's not necessarily a worthwhile trade-off...

Monday, January 01, 2007 6:23 PM by calinoiu

# re: Microsoft and AMD's PR company needs to grow a spine [Ferrari furore]

I agree 100%.  I rely on blogs, as a source of current information, before I buy a product.

Who does not get something free based on the job that they do?  I, as a hotel manager, routinely receive free products for me to try.  The reasoning behind my receiving free products and bloggers receiving free products is different, but yet it is the same: to get people to buy said product.

Is it bad that I received a free TV when I was looking to replace all of those in the hotel?  Some thought so, but because of that TV, I went with another brand.  My point is that it can go either way.

Either the bloggers will love the laptop and Vista and write about it or they will Not like it and write about it.

For most I think that it boils down to jealousy.

Tuesday, January 02, 2007 10:39 PM by Shannon

# re: Grisoft celebrates 15 years of success ... by killing their free software. Not.

Read that free page carefully: the free version is the one that is ending on January 15: 7.1.409.

That means there is probably really no more free versions to AVG.

Thursday, January 04, 2007 9:17 AM by Louison

# re: Grisoft celebrates 15 years of success ... by killing their free software. Not.

475: How and why to get AVG Free 7.5?

Please be informed that we have released new 7.5 version of AVG  Free Edition.

However, this AVG Free Edition still has many limitations:

-  AVG Free Edition 7.5 has no technical support!

-  It is strictly prohibited to use AVG Free Edition 7.5 within any organization or for commercial purposes

-  AVG Free Edition 7.5 cannot be installed on server operating systems

-  According to our license policy, it is prohibited to install and use AVG Free Edition  in a network environment

-  AVG Free Edition 7.5 does not include remote control

-  AVG Free Edition 7.5 does not include a firewall

-  AVG Free Edition 7.5 does not include an anti-spyware protection

-  AVG Free Edition 7.5 does not include an anti-spam component

-  AVG Free Edition 7.5 is not compatible with Windows 64-bit editions

-  Scheduling options in the AVG Free Edition 7.5 are very limited (only one scheduled update per day, one scheduled scan per day etc.).

-  AVG Free Edition 7.5 does not have guaranteed access to high-speed servers for downloading updates and program upgrades.

-  AVG Free Edition 7.5 does not offer advanced testing options, such as  password-protected archives reporting, adjustment of scan process priority and many others.

All AVG commercial editions have many user benefits in comparison to AVG Free Edition.

If you need more information about any specific AVG product, please feel free to contact us.

If you still want to upgrade AVG Anti-Virus Free Edition 7.1 to 7.5 version instead of selecting one of the commercial editions, please follow these steps:

1) run the AVG Free Edition 7.5 Setup program

2) click "Next >" on the "Welcome!" screen

3) click "Accept" on the "License Agreement on Use of an AVG Free Edition" screen

4) select "Repair installation" on the "Select Setup Type" screen and click "Next >"

5) select "Restart the computer now" (if not selected) and click "OK" on the "Installation Complete!" screen to restart your computer and complete the installation

No technical support is available to AVG Free users!

If you have any technical problem, please note that Free Edition users will be requested to use the self help support available at

http://free.grisoft.com

Thursday, January 04, 2007 9:49 AM by Louison

# re: As a newsreader, Windows Mail sucks worse than Outlook Express

I hated Outlook Express and its severe functionality differences as compared to Outlook.  Using Outlook Express made me appreciate Thunderbird, which is what I still use for my usenet reader.

Also, if you want to get the passwords from Outlook Express, have a look for "Asterisk Key".  :)

Saturday, January 06, 2007 10:13 PM by HiltonT

# re: Surprise - I still have access!

No takers? There's no trick, it's just a "did you expect that" kind of thing. Just to remind you all that when you take what you believe is a protective action, it's a good idea to verify that you have completely protected yourselves.

Monday, January 08, 2007 9:33 PM by Alun Jones

# re: Surprise - I still have access!

Alun,

Do you know the reason behind this?  I just recreated the scenario, but took it a step further and removed all groups/users from the Permissions window.  I then mapped to the shared folder from two different nodes using two different user objects in AD, and I can still access the share.  The only caveat is that both users had Domain Admin privileges.  If I have time, I'll try it with a non-Admin user, but I suspect that it will yield the same results.  So, what's the reason behind this?

Many thanks,

Al

Tuesday, January 09, 2007 5:38 PM by Al

# re: Surprise - I still have access!

For your example, I wonder if this is because all files naturally have Creator/Owner Full Control permissions, in any OS before Vista / Longhorn. Try it from a user who isn't the owner. I suppose it's also possible (but I don't think this is the case) that you caused the file to have a NULL DACL, rather than a present-but-empty DACL. NULL DACLs indicate "everyone full control".

My teaser is a little simpler than that.

Tuesday, January 09, 2007 6:36 PM by Alun Jones
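The distinction in the reply above, a NULL DACL versus a present-but-empty DACL, is easy to get wrong when you are staring at a permissions dialog, because the GUI shows an empty list in both cases. The parser below is an added example, not code from the original post: it reads a security descriptor in SDDL string form (the format `ConvertSecurityDescriptorToStringSecurityDescriptor` and PowerShell's `Get-Acl ... | Select Sddl` produce), classifies the DACL as null, empty or populated, and lists who is still allowed in. The three sample descriptors are constructed for the example; the SID aliases (BA, CO, WD, ...) and the rule that an absent `D:` section means a NULL DACL are standard SDDL.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# An SDDL string is O:owner G:group D:dacl S:sacl; each ACE inside the DACL is
# (type;flags;rights;object_guid;inherit_guid;sid).
SECTION_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
ACE_RE = re.compile(r"\(([^)]*)\)")

# Well-known SDDL SID aliases used by the constructed samples.
WELL_KNOWN = {"BA": "Administrators", "SY": "SYSTEM", "CO": "CREATOR OWNER",
              "WD": "Everyone", "BU": "Users", "AU": "Authenticated Users",
              "DU": "Domain Users"}
FULL_CONTROL = {"FA", "0X1F01FF"}   # generic alias and the raw file-all-access mask


@dataclass
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: str
    rights: str
    sid: str

    def grants_full_control(self) -> bool:
        return self.ace_type == "A" and self.rights.upper() in FULL_CONTROL


@dataclass
class DaclSummary:
    kind: str                       # "null", "empty" or "populated"
    aces: List[Ace] = field(default_factory=list)

    @property
    def everyone_full_control(self) -> bool:
        # No DACL at all means the object is unprotected: everyone gets everything.
        if self.kind == "null":
            return True
        return any(a.sid == "WD" and a.grants_full_control() for a in self.aces)

    def allowed_principals(self) -> List[str]:
        return [WELL_KNOWN.get(a.sid, a.sid) for a in self.aces if a.ace_type == "A"]


def split_sections(sddl: str) -> Dict[str, str]:
    """Map section letter (O, G, D, S) to its body; a missing letter means the section is absent."""
    return {m.group(1): m.group(2) for m in SECTION_RE.finditer(sddl)}


def parse_aces(body: str) -> List[Ace]:
    aces = []
    for m in ACE_RE.finditer(body):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE {m.group(0)!r}")
        aces.append(Ace(fields[0], fields[1], fields[2], fields[5]))
    return aces


def summarize_dacl(sddl: str) -> DaclSummary:
    """Classify the DACL: absent D: section = NULL DACL; D: with no ACEs = empty DACL."""
    sections = split_sections(sddl)
    if "D" not in sections:
        return DaclSummary("null")
    aces = parse_aces(sections["D"])
    return DaclSummary("empty" if not aces else "populated", aces)


# Constructed sample descriptors for a file owned by Administrators.
SAMPLES = {
    "NULL DACL": "O:BAG:DU",
    "empty DACL": "O:BAG:DUD:",
    "admins and creator-owner": "O:BAG:DUD:(A;;FA;;;BA)(A;;FA;;;CO)",
}

if __name__ == "__main__":
    for label, sddl in SAMPLES.items():
        s = summarize_dacl(sddl)
        print(f"{label:26} kind={s.kind:9} everyone-full-control={s.everyone_full_control} "
              f"allowed={s.allowed_principals()}")
```

Two caveats a practitioner should keep in mind when reading the output: an empty DACL still leaves the owner its implicit READ_CONTROL and WRITE_DAC rights (so the owner can always put permissions back), and a `CO` (CREATOR OWNER) allow entry is exactly the case the reply suggests testing from a non-owner account, since the creator of the file is granted access through it even after named users are removed.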

# re: GUI lets me disable it, how do I enable it?

Can't you go to the power management control panel? That is where hibernation control has been before Vista.

Tuesday, January 09, 2007 11:01 PM by Phil O'Serf

# re: GUI lets me disable it, how do I enable it?

Not there now - I can set several options from there, like what to do when the lid closes on the laptop, that kind of thing. I can even see several options that are still set to Hibernate - but if I select them, I am given the choice of Sleep and Shut Down.

You actually do have to run a command to turn hibernation on. No GUI.

Tuesday, January 09, 2007 11:17 PM by Alun Jones

# re: GUI lets me disable it, how do I enable it?

The push toward sleep mode becomes less gentle.

Wednesday, January 10, 2007 7:54 AM by Phil O'Serf

# Apparently accountants need to ..well something anyway

Alun blogs about how he gets diet ads in his email....and this is just a sample daily spam email report

Wednesday, January 10, 2007 8:34 PM by E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

# re: Windows Vista UAC - pain point or protection?

Poorly written applications, that's what causes me the most pain with UAC. I presume that we will see fewer UAC prompts over time as Vista becomes the Windows version of choice and application developers pick up their act.

On my work machine I'm not really seeing too many prompts - generally during software installs. On my home machines it's games (PunkBuster requires administrative access).

Being in IT it's not an issue for me, but I'll have to see how my wife or my father reacts to UAC. That should be an interesting experiment.

Wednesday, January 10, 2007 10:11 PM by Aaron

# re: Windows Vista UAC - pain point or protection?

Alun,

I simply can't imagine Rowan's scenario.  I too LOVE UAC.  

I'm gonna blog on this, with props to you.

Jeff

Thursday, January 11, 2007 1:28 AM by Jeff Jones

# re: Windows Vista UAC - pain point or protection?

Frustrating as UAC can be during the installation of software on a newly installed Vista box, I can understand why Microsoft implemented it - the innate inability for Microsoft and their 3rd party developers to create software that will run with limited rights.

If Symantec software is so poorly written that it prompts for rights elevation on every keystroke (loosely paraphrades), then maybe Symantec should get a clue!  I'm a well known proponent of good coding practices and this simply excludes every piece of Symantec code that they manage to get their hands into - the first release after they borg some poor security company is generally not too bad, but after that, the good ol' Symantec Shitas Touch takes full effect, and the software turns to sh... well, you know!

Do I care that Symantec can't get their own code running with UAC?  Not in the slightest - we refuse to support any of their poorly written rubbish on any of our lcient sites.

Thursday, January 11, 2007 7:42 PM by HiltonT

# re: Do security professionals need to lose weight?

Well, just before xmas I had a look down and decided that "now's not the time for getting into shape, but straight after the holidays, well, then I'll get serious".  I was going to start with a 30 minute or so walk in the morning, a 60 or so minute walk at night, and then when my poor little legs could handle it, supplementing the morning walk with a bike ride, slowly extending this up to about an hour or so.

And I was going to start getting the rubbish down the side of the house turned into some sort of ground covering - not grass, possibly daisies.

I was going to do this on Monday 8 January - the first day back in the office after the holidays.

Then life got in the way - http://hiltont.blogspot.com/2007/01/not-being-one-for-doing-things-in.html - and things changed priority.

Isn't it always the way that when you finally make a decision to do something good for someone (be it yourself or someone else) that life up and knocks it on the head?

And as for spammers, we should treat them like flies.  I know that a lot of people have the "I should aim to kill 10 flies a day to make the world a better place in which to live" ethos.  Maybe we should apply that to spammers as well?

Thursday, January 11, 2007 7:48 PM by HiltonT

# re: Windows Vista UAC - pain point or protection?

Hilton, please tell me you don't author a spelling correction program.

Thursday, January 11, 2007 8:28 PM by Alun Jones

# re: Steve Jobs makes announcement; industry press goes wild.

Yay, for we worship the enlightened one, the Jobs, at the altar of the fruit. Oh great enlightened one, show us the latest reincarnation of someone else's idea. For we cannot resist any i you allow us to purchase at exorbitant prices to fill our meager and void lives, and fuel our self-esteem until the next announcement. Hail to the fruit. Hail to the fruit. Hail to the fruit. Halleluja!

Amen.

Thursday, January 11, 2007 9:45 PM by Orange

# re: Developers still don't get it.

Good post. Here it is actually the developers who asked to be made users first and have been encouraging the propagation of that change to the rest of the company, but I get the impression that overall you're right. It's particularly annoying when development tools aren't well-behaved in a standard user account. Development tools should be the best behaved - I wish those developers would get it.

Friday, January 12, 2007 5:34 AM by Gavin Greig

# re: Developers still don't get it.

Thanks, Gavin - obviously there are some developers who do get security, but plenty yet who don't have the first clue.

Friday, January 12, 2007 8:08 AM by Alun Jones

# re: Surprise - I still have access!

Thanks for the teaser - this officially promoted you to my "Priority" RSS label :).  I haven't tried this but according to http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/w2kscgcd.mspx definition of Users - "This group provides the user with the necessary rights to operate the computer as an end user, such as running applications and managing files. By default, Windows 2000 adds all new local user accounts to the Users group. When a member server or a computer running Windows 2000 joins a domain, the Domain Users global group, the Authenticated Users special group, and the INTERACTIVE special group are added to the local Users group."

With the Authenticated Users group still in the local Users group the act of removing Domain Users from the group had no real effect.

Monday, January 15, 2007 5:06 PM by Steve

# re: Surprise - I still have access!

I was beginning to wonder if anyone would get it - Steve wins!

Unfortunately, we have no prizes here, especially since even my wife figured it out inside of thirty seconds. :)

Monday, January 15, 2007 10:30 PM by Alun Jones
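Steve's answer comes down to how a logon token is built: the identities Windows adds on its own (Authenticated Users, and INTERACTIVE or NETWORK depending on the logon type) are members of the local Users group regardless of what an administrator removes from it. The model below is an added example, not code from the original post: it resolves a user's effective groups by transitive membership plus those implicit identities, and prints every chain that still puts the user in Users after Domain Users has been removed, which is the "verify you have completely protected yourself" check the teaser is about. The directory contents are constructed; the implicit identities follow the TechNet description quoted in Steve's comment, and the interactive/network split reflects the logon-type SIDs Windows adds to a token.

```python
from typing import Dict, List, Set

# Identities the logon process adds to a token on its own, by logon type.
IMPLICIT_BY_LOGON = {
    "interactive": frozenset({"Everyone", "Authenticated Users", "INTERACTIVE"}),
    "network": frozenset({"Everyone", "Authenticated Users", "NETWORK"}),
}

# Constructed directory: group -> direct members (users or nested groups),
# laid out the way a domain-joined machine's local Users group is populated.
DEFAULT_MEMBERSHIP: Dict[str, Set[str]] = {
    "Domain Users": {"alice", "bob"},
    "Users": {"Domain Users", "Authenticated Users", "INTERACTIVE"},
}


def token_groups(user: str, membership: Dict[str, Set[str]],
                 logon: str = "interactive") -> Set[str]:
    """Every group the token carries: implicit identities plus transitive membership."""
    groups: Set[str] = set(IMPLICIT_BY_LOGON[logon])
    frontier: List[str] = [user] + sorted(groups)
    while frontier:
        principal = frontier.pop()
        for group, members in membership.items():
            if principal in members and group not in groups:
                groups.add(group)
                frontier.append(group)
    return groups


def membership_paths(user: str, target: str, membership: Dict[str, Set[str]],
                     logon: str = "interactive") -> List[str]:
    """Each chain that lands the user in target, e.g. 'alice -> Domain Users -> Users'."""
    paths: List[str] = []

    def walk(principal: str, trail: List[str]) -> None:
        if principal == target:
            paths.append(" -> ".join(trail))
            return
        for group, members in membership.items():
            if principal in members and group not in trail:   # trail check stops cycles
                walk(group, trail + [group])

    for start in [user] + sorted(IMPLICIT_BY_LOGON[logon]):
        walk(start, [start])
    return paths


def has_access(user: str, target: str, membership: Dict[str, Set[str]],
               logon: str = "interactive") -> bool:
    return target in token_groups(user, membership, logon)


def remove_member(membership: Dict[str, Set[str]], group: str, member: str) -> Dict[str, Set[str]]:
    """Copy of the directory with one direct member removed from a group."""
    copy = {g: set(m) for g, m in membership.items()}
    copy[group].discard(member)
    return copy


if __name__ == "__main__":
    after = remove_member(DEFAULT_MEMBERSHIP, "Users", "Domain Users")
    print("Removed Domain Users from Users. Is alice still in Users?",
          has_access("alice", "Users", after))
    for logon in ("interactive", "network"):
        print(f"  {logon} logon chains:", membership_paths("alice", "Users", after, logon))
```

Run it and the "protective action" is shown to be incomplete on both logon types: removing Domain Users leaves Authenticated Users (and, for console logons, INTERACTIVE) as a route into the group, so a real check is the list of chains being empty rather than the one entry you removed being gone.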

# re: Clay Aiken wants my PC for Christmas

http://www.sonybmgcdtechsettlement.com/Faq.htm

Please read about the Sony BMG lawsuit, which had nothing to do with Clay Aiken and everything to do with corporate bungling.  

Clay Aiken's excellent Christmas cd is available without this software and you are entitled to a copy.  You'll be glad you took the trouble to acquire it.  It's a very nice album.  His mini-release this Christmas, "All is Well" was a Walmart exclusive and sold out immediately.

His latest album "A Thousand Different Ways" is terrific.  It wasn't Clay's idea to do mostly covers for his sophomore album, but he brought a new sound and his personal style to them and the original songs on the album (one of which he co-wrote) are great. If you purchase a copy of the album through iTunes, you will be able to hear "Lover All Alone", for which he wrote the lyrics.  

All the latest Clay Aiken news is here:

http://www.claynationnews.com/

Cheers!

Monday, January 22, 2007 12:44 AM by DawnC

# re: Clay Aiken wants my PC for Christmas

Thanks for the links - although I have to note the irony of suggesting first that I get a DRM-free version of the CD, and then that I should download from iTunes.

However, I think you and I both managed to leave out the most important of Clay's links - http://www.thebubelaikenfoundation.org/ - linking to Clay's foundation supporting children of different abilities engaging in inclusive activities.

When I was growing up, disabled kids were never seen out in "the real world", which is practically criminal. Inclusion is often a positive influence on both the disabled and the more-able kids.

As the parent of a child on the autistic spectrum, I have nothing but appreciation for Clay's work in the area of inclusion.

Monday, January 22, 2007 8:31 AM by Alun Jones

# re: GUI lets me disable it, how do I enable it?

Phew... I am so glad I found this page. I have been going mad for a few days trying to enable hibernate after I accidentally removed it because I opted to clean up the disc space used by hibernate. The Run as Administrator bit above helped me so running powercfg -h on worked. Thanks a lot Alunj

Bernie

Monday, January 22, 2007 12:53 PM by Bernie

# re: How hard do you want to make this?

I have the same critique, but applied to Outlook 2003.

You can create a Contacts folder and even a distribution list for those contacts, but you can't *use* that distribution list until you add that contacts folder to your list of Address Books. That's an extra, nuisance step. And how do you do that, by right-clicking?  Nope.  You have to know to bring up the properties, then go to the Outlook Address Book tab, and check the box "Show this folder as an e-mail Address Book".

And don't get me started on the lame interface of iTunes.  How could anyone with more than a screenful of songs like it?  How could Apple not get the simplicity of dragging a song or playlist onto the iPod icon?  But nooooo, you have to create the playlist in the main screen, then change the focus to your iPod, then go to the "tab" for your music, and fill in the checkbox for the newly created playlist so that it and its contents will by synched.

(But, probably, these are things that your wife knows).

Friday, January 26, 2007 3:31 PM by Andrew

# SSL development gotchas.

There are two behaviours in SSL that seem to catch out a number of people. The first is the use of close_notify

Saturday, January 27, 2007 12:01 AM by Tales from the Crypto

# re: ScreenSaverGracePeriod - how fast can you cross a training room?

I use the security template that comes with the Microsoft XP hardening guide. It includes additions to group policy such as the screensaver grace period.

Unfortunately in my environment, the VPs allowed us to enforce a screensaver but only with a ridiculously long timeout so you can go out to lunch without the screen becoming locked. The screensavergraceperiod is moot for us because of that.

Regarding the windows media player issue, don't forget that for WMP 9 or later you can set User Configuration/Administrative Templates/Windows Components/Windows Media Player/Playback/Allow Screen Saver to allow the screensaver to still run when windows media player is in use.

Saturday, January 27, 2007 12:39 PM by Roger
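An added audit script, not from the original post or from Roger's environment, that reports the effective screen-saver lock settings this thread is about and flags the weak ones: saver off, no password required on resume, an over-long timeout, or a non-zero grace period. The registry paths are the documented ones (a policy value under HKCU\Software\Policies wins over the user's own setting when present; the machine-wide grace period defaults to 5 seconds when the value is absent). The 900-second limit is an assumed local standard.

```powershell
# Added example: audit the screen-saver lock posture of the current user/machine.
# Assumption: registry layout as documented; 900 s is a placeholder for your own limit.

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name } else { return $Default }
}

function Get-ScreenLockPosture {
    $policy   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $user     = 'HKCU:\Control Panel\Desktop'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Per-user values are REG_SZ strings; a policy value overrides the user's own.
    $active  = Get-RegValueOrDefault $policy 'ScreenSaveActive'    (Get-RegValueOrDefault $user 'ScreenSaveActive'    '0')
    $secure  = Get-RegValueOrDefault $policy 'ScreenSaverIsSecure' (Get-RegValueOrDefault $user 'ScreenSaverIsSecure' '0')
    $timeout = Get-RegValueOrDefault $policy 'ScreenSaveTimeOut'   (Get-RegValueOrDefault $user 'ScreenSaveTimeOut'   '0')
    # The grace period is machine-wide, in seconds; Windows behaves as if it were 5 when absent.
    $grace   = Get-RegValueOrDefault $winlogon 'ScreenSaverGracePeriod' '5'

    [pscustomobject]@{
        ScreenSaverActive = ($active -eq '1')
        LocksOnResume     = ($secure -eq '1')
        TimeoutSeconds    = [int]$timeout
        GraceSeconds      = [int]$grace
    }
}

function Test-ScreenLockPosture {
    param([int]$MaxTimeoutSeconds = 900)   # assumed local standard
    $p = Get-ScreenLockPosture
    $findings = @()
    if (-not $p.ScreenSaverActive) { $findings += 'screen saver is disabled' }
    if (-not $p.LocksOnResume)     { $findings += 'screen saver does not require a password' }
    if ($p.TimeoutSeconds -eq 0 -or $p.TimeoutSeconds -gt $MaxTimeoutSeconds) {
        $findings += "timeout is $($p.TimeoutSeconds) s (limit $MaxTimeoutSeconds s)"
    }
    if ($p.GraceSeconds -gt 0) {
        $findings += "grace period is $($p.GraceSeconds) s: the screen stays unlocked that long after the saver starts"
    }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

Test-ScreenLockPosture

# Remediation for the grace period alone (elevated shell; Windows reads it as a string):
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
#     -Name ScreenSaverGracePeriod -Value '0' -Type String
```

In a domain the timeout and password settings normally come from Group Policy, which is why the script checks the Policies key first; the grace period is the one knob that is machine-wide, and the reason it matters is that a saver which has started but not yet locked is indistinguishable, from across the room, from one that has.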

# re: Stupid crime does not pay.

Maybe they should take a leaf out of this guy's book?

http://www.dumbcrooks.com/convict-steals-car-to-get-back-to-jail/

The URL says it all!  :)

Saturday, January 27, 2007 4:58 PM by HiltonT

# re: Vanishing Point Game, Seattle [Event 4]

That was a night I'm going to remember for the rest of my life.  How many hundreds of thousands of dollars were spent on this thing?  I actually got a chance to chat with some of the Vanishing Point coordinators, and they said that the barges were $55,000 apiece to rent.  Ludicrous!

Burrito bars, little mini hamburgers, free beer and energy drinks, they definitely knew their audience.  The pinball games, the laptops running Vista, it was incredibly better than any other party I had ever been to.

My favorite part of the evening?  I was wearing my light-up sound-reactive shirt, and people kept thinking I was one of the actors along with Elvis or Bobby Fischer, and were asking me for clues.  *snicker*

Tuesday, January 30, 2007 12:36 PM by Tony

# re: Vanishing Point Game, Seattle [Event 4]

I _love_ that shirt. I so wanted to ask you where you got it. But the wife was there to make sure I didn't geek out too much.

Silly players, thinking that there would be any clue at the party that wasn't also on the web.

Tuesday, January 30, 2007 11:15 PM by Alun Jones

# re: USB U3 - the device that lies.

Those U3's are EVIL.  I hate usb devices that have that logo.

Wednesday, January 31, 2007 12:48 AM by bradley

# re: An error in HP's Wireless WHAT?

Considering my experiences with my HP nx6120 and problems with wireless networking I can only say that the screenshot suits it perfectly!

I'll see your HP dialogue box and raise you a totally inane stating-the-bleeding-obvious systray applet:

http://msmvps.com/blogs/spywaresucks/archive/2007/02/04/541920.aspx

Saturday, February 03, 2007 11:25 PM by sandi

# But who trusts CD?

Surely after the Sony rootkit debacle, you will want to disable autorun on CD drives anyway. And I've seen anti-virus software triggered by CD-R disks made on an infected home computer.

What's wanted is the option to allow automatic running of your local good copy of a media player or web browser, but never execution of code from the disk.

Monday, February 05, 2007 7:21 AM by Andrew Yeomans

# Worst Visual Studio Ever

Yeah, this was one of a series of big ugly hairy pills I swallowed trying to set this up in Vista so I could start a project to upgrade an existing piece of production middleware.

Eventually, my dose of M$ kool-aid wound up being fatal and I abandoned the port to the new C compiler.  If this is the future, I am going to focus my efforts on building a time-machine.  My time would be a heck of a lot more productive.

Monday, February 05, 2007 7:46 PM by James

# re: Visual Studio 2005 SP1 recommends /what/?

To be fair, Visual Studio 2005 SP1 actually has a much better track record of running as non-administrator than any previous version.

Monday, February 05, 2007 8:53 PM by Alun Jones

# re: Security Bulletins are easier to read in Japanese

Alun, good stuff! It is now What My Wife Knows too...

I wonder if we're going to see monthly Manga releases from Microsoft any time soon.

Tuesday, February 27, 2007 4:24 AM by Slav

# Windows Security Blogs » Blog Archive » Global MVP Summit March 12-15

# re: Global MVP Summit March 12-15

I hope that they will re-award you - your blog has been a good read :)

Saturday, March 10, 2007 11:32 PM by Pornsak

# Windows Security Blogs » Blog Archive » Boston police fail to recognise urban trends

# Windows Security Blogs » Blog Archive » Which is the most recent?

# Windows Security Blogs » Blog Archive » Steve Jobs on DRM: “You go first”

# Windows Security Blogs » Blog Archive » Finding your private keys

# Windows Security Blogs » Blog Archive » Vulnerabilities and asset management

# Windows Security Blogs » Blog Archive » SSL development gotchas.

# re: WIP: Principles of Secure Software Development

Hi Alun,

After looking just briefly, #8 looked a bit strange, esp. this bit: "ensure that your secure development processes revolve around processes". Probably too much emphasis on the process?

Besides, however good a development process is, people are still the key: I have tested the security of software products done by fully ISO, CMM and RUP-certified organisations, with disastrous results. I don't know how to put it here, but one of the questions is: do you trust your developers? And if not, how is the code checked for back doors etc.? "Pay someone to find holes" doesn't quite cut it.

And I'll never agree to the #3 - "Someone else is better". Sometimes not.

How about creating a wiki for this?

Saturday, March 24, 2007 2:17 AM by Slav

# re: WIP: Principles of Secure Software Development

#3 is about getting over your own ego, and searching for that better person, or that better tool. If you really find that there's nothing out there better than what you could do, then fine, there is no one better than you for that task.

#8 is a little awkward, yes, but I'm trying to get across the concept that personalities are temporary, processes last. Use the personalities to set up processes and make people use the processes; but make sure that the processes can last after the personalities move on to something more interesting.

As for "pay someone to find holes", yeah, that's a little weak - but I'm trying to emphasise that you can't expect people to find holes in their own code strictly for fun's sake, so you have to include more people, and you have to make it worth their while to find the holes. Your attackers already have found it worth their while to find them.

Saturday, March 24, 2007 10:54 AM by Alun Jones

# re: Will MVPs crack down on Mary-Jo Foley?

Blog on!!  Blog on!!

Sean

GM, Community Support & MVP

Microsoft

Thursday, March 29, 2007 1:44 PM by Sean O'Driscolll

# Over my dead body...

Mary Jo Foley has a blog post that Alun comments on....regarding transparency at Microsoft and she has

Thursday, March 29, 2007 2:19 PM by E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

# re: Will MVPs crack down on Mary-Jo Foley?

Ms. Foley's work is a waste of time.

Thursday, March 29, 2007 3:02 PM by rde

# More Star Wars stuff this year

Friday, March 30, 2007 12:10 AM by E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

# re: Will MVPs crack down on Mary-Jo Foley?

Hi, Alun:

Glad you found my blog. I only found yours because you linked to me. So I guess neither of us is a frequent reader of the other...

That said, I didn't post about crackdowns on the MVPs because I dislike the MVPs or think you folks are "for sale." Far from it. In fact, if you look back at MVP history, I have been a big backer of the MVP program.

Read this for more: http://www.mvps.org/about/kissoff.html

I quote MVPs often and rely on them for comments for articles.

I included the comment about pressure on MVPs because I have been told about this from MVPs themselves who asked not to be named. My comments were neither fabricated nor "fanciful."

Friday, March 30, 2007 10:30 AM by Mary Jo Foley

# re: Will MVPs crack down on Mary-Jo Foley?

Agreed 100% with you Alun. This was not one of Mary Jo's best moments. Blogged here.

Friday, March 30, 2007 1:24 PM by Alex Feldstein

# re: Will MVPs crack down on Mary-Jo Foley?

Well, Mary Jo, I can't say anything about those unnamed MVP sources, but I have yet to meet an MVP who tells me that he or she felt pressured into a lack of openness.

The only thing I have ever been warned about is that I may not blog anything that's currently covered as NDA - Non-Disclosure Agreement - content.

Oh, and the rather strange requirement that while on Microsoft campus, we should not blog which buildings we're in.

I don't see this as a reduction in openness for the MVPs.

Hypothetically, of course, Microsoft could dispense with the current run of MVPs, and recruit a new batch who will only say what they are told - but I just don't see that in my tea-leaves. Perhaps you're drinking a different brand?

Given the number of MVPs who've collectively turned their heads and exclaimed "say what?" at your article, I do think you've missed the mark somewhat.

Friday, March 30, 2007 5:10 PM by Alun Jones

# re: EFS in a domain expires after three years

It also happens while trying to access previously encrypted files with an expired DRA domain certificate, but the initial response from the system is much more cryptic.  For example, opening a file in Excel or trying to create a plain folder inside of an already encrypted folder results in a simple "Access Denied" message.  My first responses were to log out/in, reboot, run chkdsk, etc.

Monday, April 02, 2007 11:18 AM by Greg Graham

# re: Don't catch exceptions

As you know, I disagree with some of your general views on exception based programming. I think your view comes from a c level programming bias.

That said, the first line of this guidance agrees with your more specific points.

http://msdn2.microsoft.com/en-us/library/ms229005.aspx

Tuesday, April 10, 2007 6:58 PM by Mark Ayers

# re: Don't catch exceptions

Yes - and that's the point, really, don't catch exceptions unless they're expected.

To my mind, an exception is something unexpected. If it's an ordinary part of operation, it's a return value, not an exception.

Tuesday, April 10, 2007 11:17 PM by Alun Jones

# re: Don't catch exceptions

Hi Alun, I just had to let you know that the opening bit about a try{}catch around the main processing loop had me in stitches.

Monday, April 16, 2007 9:06 AM by Mosh Jahan

# re: Statistics and the news.

Glamour magazine posted a stat...I'm paraphrasing...

'According to researchers at Northwestern University rape is down by 80% and is going down because of the increase in internet pornography.'

What's worse is if you read the study, Ahhhhhh! The 'researcher' looked at the rape rates in the four states with lowest internet access and the rates in the four states with the highest internet access, and ran a correlation... Therefore, if you have the internet you must be looking at porn. And that is not the only problem with the data. (The author doesn't even mention the problems that arise with rape stats.)

Well, that's my...uh... favorite bad stat...

Please don't put me on any kind of list....

Brooke Wagner

Thursday, April 19, 2007 12:43 PM by Brooke Wagner

# re: ReadyBoost - swap space on a stick.

That's a useful summary, Alun.

But is there any way to specify the encryption strength?  In my experience, the performance difference between AES-128 and AES-256 is negligible.

Since I have configured BitLocker to use AES-256 (a subject worth a considerable discussion in its own right), does ReadyBoost end up weakening BitLocker's strength?

And perhaps more importantly, how does this work with and without a TPM, and where is the key stored?  (I hope it is a purely transient key generated when the token is inserted, and discarded later.)

Bob

Wednesday, April 25, 2007 7:04 PM by Robert Jueneman

# re: ReadyBoost - swap space on a stick.

I didn't find a setting to raise ReadyBoost from AES-128 to AES-256.

However, there's a couple of comments to make:

1. The BitLocker-protected data is the bigger target, and is going to use the same key over a longer period of time, compared to ReadyBoost which chooses a different key often.

2. Seriously, AES-128 isn't strong enough? What kind of cracker are you really expecting? If you are really in the market for that kind of protection, I'd suggest just buying more memory [Oh, and then watch out for the latent images in memory sitting around before the machine is booted!]

3. There is no storage of the key - it's totally dynamic, generated at least once per boot (I'd be surprised if it isn't once per ReadyBoost session).

Thursday, April 26, 2007 11:17 PM by Alun Jones

# Alternate Data Streams in Windows Vista

Windows NT 3.1 was released ... oh, back in the early to mid '90s. Ever since then, I've been

Thursday, April 26, 2007 11:50 PM by Tales from the Crypto

# re: Alternate Data Streams in Windows Vista

About damn time indeed.  Amen!

Monday, April 30, 2007 8:48 AM by Ken Hoover

# NULL DACL Behaviour in Windows Vista

Subtitled: Don't believe everything you hear at TechEd. I was inspired by my "empty DACL"

Tuesday, May 01, 2007 9:45 PM by Tales from the Crypto

# re: NULL DACL Behaviour in Windows Vista

www.microsoft.com/.../sessionh.aspx

The link for the presentation BTW

Tuesday, May 01, 2007 10:12 PM by admin

# re: NULL DACL Behaviour in Windows Vista

That's definitely the presentation, but since it's an earlier version, it doesn't mention Vista.

Having said that it doesn't illustrate my point, of course, I can only recommend watching the presentation to which you link, as this is definitely a very entertaining way to learn about what makes an application safe.

Wednesday, May 02, 2007 11:47 PM by Alun Jones

# Slightlyinsane.co.uk » Only you can prevent security fires

Pingback from  Slightlyinsane.co.uk » Only you can prevent security fires

# Slightlyinsane.co.uk » NULL DACL Behaviour in Windows Vista

Pingback from  Slightlyinsane.co.uk » NULL DACL Behaviour in Windows Vista

# re: Vista incompatibility isn't always Vista

How did you get it to install? I've tried installing CS-RCS 5.0 on Vista Ultimate and setup.exe dies in the middle every time.

Thursday, May 03, 2007 7:34 PM by Michael Kairys

# re: Vista incompatibility isn't always Vista

I didn't do anything special - but this is an upgrade from XP running CS-RCS to Vista running CS-RCS. Maybe the upgrade did some magic.

Thursday, May 03, 2007 10:07 PM by Alun Jones

# re: Vista incompatibility isn't always Vista

Yes, that explains it; it seems to be only the setup program that bombs. If I knew all of what it has to do I could probably do it by hand; but there's the service and the DocumentManager and who knows what else. Well, if I get desperate enough I'll probably have a hack at it :)

Friday, May 04, 2007 2:10 PM by Michael Kairys

# "Vista Ready Upgrade" does not mean ReadyBoost-compatible

I bought two SD Cards today, each of which are 2GB in size (and each with a warning on the back that

Sunday, May 06, 2007 10:29 PM by Tales from the Crypto

# re: Corporate Fund-Raising: Training Users to be Vulnerable

Personally, I think it's a bad policy to allow any charity access to an entire email list. Solicitation should not be allowed through email, even if it is from a charity.

Tuesday, May 08, 2007 8:47 AM by Custom Corporate Training

# re: Vista incompatibility isn't always Vista

Actually it turned out to be easy. I searched my XP registry for ComponentSoftware and CS[-]RCS and made a .reg file of what I found. (I had to edit the user ID in the HKEY_USERS entries.) Then I copied the CS-RCS program files and ran the .reg file on the Vista system and ... IJW!

Wednesday, May 09, 2007 7:53 AM by Michael Kairys

# re: GUI lets me disable it, how do I enable it?

This page really helped me. I was also playing stupid, removing hibernate with Disk Cleanup. But I can't believe that Microsoft is stupid enough to forget the enable option. Damn!

Wednesday, May 09, 2007 2:50 PM by natalie

# re: GUI lets me disable it, how do I enable it?

Problem solved! First get admin rights by running "msconfig.exe"; on the "Tools" tab click "Disable UAC", then click the "Launch" button. To enable hibernate run "powercfg -h on". Thanks for your help! By the way, it's a good idea to keep UAC disabled as it sucks!

Wednesday, May 09, 2007 3:01 PM by natalie

# re: GUI lets me disable it, how do I enable it?

I would definitely advise against disabling UAC - after all, without UAC, you have no protected mode in Internet Explorer, and you have no prompts when a piece of software tries unexpectedly to use an admin-only operation.

I think disabling UAC should only be used if you're going to engage in a marathon session of installing software onto a machine - and after you're done, re-enable it.

But I did find out why I got no right-click menu for my Start menu.

Saturday, May 12, 2007 2:36 PM by Alun Jones

# I'm still not that into Apple

Apple Updater showed me two new software updates the other day - "Quicktime" and "iTunes

Monday, May 14, 2007 11:20 PM by Tales from the Crypto

# re: "Vista Ready Upgrade" does not mean ReadyBoost-compatible

Lucky so and so!  My Dell D420 has an SD slot and it worked with Vista Ultimate initially, then just stopped working.  I'm confident it is not a hardware failure but have had no luck getting Vista to recognize the SDs again.  In the hardware list it thinks everything is hunky-dory.  I know the SD cards are technically okay as they work fine in my XP machines.

Tuesday, May 15, 2007 5:48 AM by Mosh Jahan

# re: "Vista Ready Upgrade" does not mean ReadyBoost-compatible

Not so lucky - my USB stopped working a few weeks back.

Wednesday, May 16, 2007 8:21 AM by Alun Jones

# re: Vulnerabilities and asset management

Excellent point about being proactive in terms of end of support issues and software asset management. One of the important precepts of SAM is the necessity of knowledge of what software is installed in your environment...that can be an entire organization still running Office '97 or that you have 10 machines that are running Windows '98 (and those machines are sitting on the following desks...).

Aiding organizations in proactive planning for the planned obsolescence of software is just one of the many values SAM brings to an organization.

Anyone looking for additional information on SAM is welcome to check out the following blog software-license-management.blogspot.com

Monday, May 21, 2007 2:26 AM by Cynthia Farren

# re: I'm still not that into Apple

Wait, you're upset at Apple for that? What about every piece of Wintel software that puts so many icons on your desktop. I installed TurboTax, no extras, and got 5 icons. Most of them linked to the web, but some to software that wanted my credit card to enable it. And you're upset with Apple? Guess the apple doesn't fall far from the Wintel tree.

Tuesday, May 22, 2007 5:47 PM by Paul VanAmerongen

# re: EFS in a domain expires after three years

There is also a KB article for this issue: http://support.microsoft.com/kb/929103.

Thursday, May 24, 2007 2:08 AM by Ashley

# re: "Vista Ready Upgrade" does not mean ReadyBoost-compatible

Lucky you. I've tried three SD cards in my Dell 1501 laptop and none will work with ReadyBoost. I've got: a Kingston 1GB x133, a Lexar 1GB x133, a SanDisk Extreme III 2GB card. Any ideas?

Friday, May 25, 2007 3:17 AM by Will

# re: I'm still not that into Apple

Me either. I own an iPod Nano second gen and I use Anapod to manage my tunes. iTunes is just too bulky and slow for me. As for Quicktime I use VLC Player for offline files. I have never yet found the need to view online QT videos, there is always an offline copy available somewhere. :)

Friday, May 25, 2007 8:03 AM by Mosh Jahan

# re: I'm still not that into Apple

Don't get me wrong - Intuit is on my you-know-what list as well, partly for the sort of shenanigans you're describing, and partly for the insistence that you should be an administrator to run your company's accounts.

Apple's QuickTime just happens to be a convenient target today.

Friday, May 25, 2007 10:26 PM by Alun Jones

# re: "Vista Ready Upgrade" does not mean ReadyBoost-compatible

1. Don't run the ReadyBoost test until your machine is some significant time into the boot.

2. Until SD cards come with a "ReadyBoost ready" designation, don't buy SD cards for the ReadyBoost, but be pleased if they work for you.

3. Maybe it's not the cards. Could it be that your SD card slot just can't do the speed required?

Friday, May 25, 2007 10:29 PM by Alun Jones

# re: Certificate Manager does not require administrator access.

I have noticed that the Local Computer certificate import wizard doesn't actually place the certificate in the required location for all users. Which is a step back as the feature did work in windows XP.

Sunday, May 27, 2007 6:23 PM by Benny V

# re: As a newsreader, Windows Mail sucks worse than Outlook Express

It Blocks all attachments, it blows.

Sunday, May 27, 2007 7:44 PM by Drew

# re: Error: Insufficient system resources exist to complete the API.

I am getting the error mentioned above when I switch on the computer.

Sunday, May 27, 2007 11:40 PM by venkat

# re: WIP: Principles of Secure Software Development

Sometimes it's hard to get the project teams to slow down and embed security into the process.  Deadlines drive the project and development teams and *some think* it's easier to go back and fix the problem.

Wednesday, May 30, 2007 2:47 PM by Phil Agcaoili

# re: WIP: Principles of Secure Software Development

Sorry, Phil, but you're wrong.

It's _always_ hard to get the project teams to slow down and embed security into the process. You are absolutely right that deadlines drive projects, and that there is little consideration given to "it just took longer than we planned, because we've never done anything like this and had no idea how difficult it would be."

There's a book title that I remember - "If you don't have time to do it right, when will you have time to do it over?"

That's why on my own projects, I try really hard not to announce or sell features until they are completed. Obviously I don't have that luxury on work I take part in for other people, whether they're employers, or consulting clients.

Saturday, June 02, 2007 5:11 PM by Alun Jones

# re: Catch me at Tech-Ed

Real people do read your blog, Alun. Good luck at TechEd. Sorry cannot make it.

Tuesday, June 05, 2007 1:30 AM by Slav

# re: Catch me at Tech-Ed

Yes, I confirm. By the way, is there a chance you might come to the tech day in France? Orlando is a bit too far at the moment ;).

Have fun

Tuesday, June 05, 2007 3:37 AM by Eric

# re: Interesting empty file behaviour in Windows Vista upgrades

Perhaps the XP->Vista upgrade messed up the .cmd shell extension in the registry?

Friday, June 08, 2007 11:35 AM by Mario Contestabile

# re: Interesting empty file behaviour in Windows Vista upgrades

That's what I thought to begin with, but here's the setting:

```text
C:\>reg query hkcr\cmdfile\shell\edit\command

HKEY_CLASSES_ROOT\cmdfile\shell\edit\command
    (Default)    REG_EXPAND_SZ    "%SystemRoot%\System32\NOTEPAD.EXE" "%1"
```

As far as I can tell, that's exactly the same as on a Vista clean install.

Friday, June 08, 2007 4:18 PM by Alun Jones

# Can't I trust the Postal Service? Part 2 - the certificate.

In part 1 of this mini-series , I talked about how the US Postal Service had deployed only part of the

Friday, June 08, 2007 4:33 PM by Tales from the Crypto

# re: EFS in a domain expires after three years

Yeah, my company was burned on this.  Go Microsoft.  Way to let admins know a critical element of security exists upon the creation of a domain.

Our recovery process (the private key was totally way lost) was to implement 2 new DRAs, which I spent forever trying to figure out how to do.  Then, days after the cert expired and I had admins complaining about access loss to their files, I managed to get the solution in place, but no one wants to go anywhere near EFS now....but it's coming anyway.  :)

Tuesday, June 19, 2007 8:33 PM by ydns
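An added PowerShell check, not from the original post or from any of the commenters, for the problem this thread keeps returning to: it lists every certificate in the stores it can see that carries the EFS File Recovery purpose (EKU 1.3.6.1.4.1.311.10.3.4.1), flags the ones that are expired or within 90 days of expiring, and says whether the private key is present, since a recovery agent certificate without its key is exactly the situation ydns describes. It assumes the DRA certificate was issued into, or exported to, the current user's or the machine's personal store; the authoritative copy is the one in the domain's Public Key Policies, so check that too.

```powershell
# Added example: find EFS recovery agent certificates and report their expiry.
# Assumption: the DRA certificate lives in one of the stores listed below.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # szOID_EFS_RECOVERY ("File Recovery")
$WarnDays        = 90                            # assumed warning window

function Get-EfsRecoveryCertificate {
    param([string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                # Keep certificates whose Enhanced Key Usage extension lists File Recovery.
                $_.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                    ForEach-Object { $_.EnhancedKeyUsages } |
                    Where-Object { $_.Value -eq $FileRecoveryEku }
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    DaysRemaining = [int]($_.NotAfter - (Get-Date)).TotalDays
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

function Test-EfsRecoveryCertificate {
    $certs = @(Get-EfsRecoveryCertificate)
    if ($certs.Count -eq 0) { return 'no File Recovery certificate found in the stores checked' }
    foreach ($c in $certs) {
        $state = 'OK'
        if ($c.DaysRemaining -lt $WarnDays) { $state = 'EXPIRING' }
        if ($c.DaysRemaining -lt 0)         { $state = 'EXPIRED' }
        if (-not $c.HasPrivateKey) { $state += ' (no private key here: this copy cannot recover anything)' }
        '{0,-9} {1}  expires {2:yyyy-MM-dd}  {3}' -f $state, $c.Thumbprint, $c.NotAfter, $c.Subject
    }
}

Test-EfsRecoveryCertificate

# Replacing an agent: "cipher /r:NewDRA" writes NewDRA.cer and NewDRA.pfx. Add the .cer
# to the domain's Public Key Policies > Encrypting File System and keep the .pfx offline.
# Files already encrypted still reference the old agent until they are touched, so run
# "cipher /u" on the affected machines once the new policy has applied.
```

Run it on the workstation the domain's first administrator used, and on any machine where the DRA key was exported, and put the date it prints into whatever calendar your team actually reads; the thread above is what happens when the only reminder is the expiry itself.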

# re: Error: Insufficient system resources exist to complete the API.

I got the error also when I switch on the computer, so it seems there is nothing to do to fix it because I can not access my computer whatsoever. What should I do?

Tuesday, June 26, 2007 9:50 AM by helbec

# re: Error: Insufficient system resources exist to complete the API.

No idea, I'm afraid - seeing that message on startup is obviously a different problem. Sorry.

Tuesday, June 26, 2007 6:10 PM by Alun Jones

# Wireless PC Lock - part 2

Over the last several days, I've been getting more and more requests for my updated Wireless PC Lock

Thursday, June 28, 2007 11:24 PM by Tales from the Crypto

# re: Wireless PC Lock - part 2

Hey Dude, neat idea.  WIBNIF...  I always connect my Windows Mobile to my computer whenever I'm at my desk (at work).  When I leave my desk I always take my phone with me.  I'd love an option similar to yours in ActiveSync :)   Ooh, and maybe an option to send a lock signal over wi-fi from phone to computer also...

Monday, July 02, 2007 5:47 AM by Mosh Jahan

# re: Wireless PC Lock - part 2

I shall have to see what I can do.

I've been asked about Bluetooth - but there are a couple of problems with using a Bluetooth device to signal presence, not the least of which is that Bluetooth has an impressive range on occasion. For instance, in my office, I can use my earpiece in the cafeteria to hear music playing from my laptop's Bluetooth adapter back at my desk: that's too long a reach to be useful.

For a phone with a docking cradle, though, that's probably a really good choice - and might be a sufficiently secure authenticator to work up a version that logs you on or unlocks you (Vista and later only - I don't fancy a GINA rewrite)!

Monday, July 02, 2007 8:30 AM by Alun Jones

# re: Protecting the data

Is there a way to do something like setting the "sticky bit" on *nix systems that works at folder level, so users cannot "accidentally delete files" unless they explicitly clear the bit first?

Wednesday, July 04, 2007 9:25 PM by Cheong

# re: Protecting the data

Well, here's where Vista helps you.

You can set the NTFS permissions so that a user cannot delete their own file.

However, this doesn't quite address the problem - instead of deleting a file, what if I simply choose to open it, and fill it with zeroes? Is that functionally different from deleting the file?

What about simply replacing the data you have on file with completely fabricated information?

Whatever technology you put into place, even if users have only exactly the rights necessary to do their job, they also have exactly the rights necessary to screw up their data.

That's why I like to see the users as an integral part of any security solution - and why I think users have to be informed as to the choices of their actions, and guided towards the most usual (and ideally the safest) action as the easiest choice.

Wednesday, July 04, 2007 10:42 PM by Alun Jones
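The NTFS permission set Alun describes, written out in PowerShell as an added example (not Alun's or Microsoft's code): members of a group can create and edit files under a folder but cannot delete them. Deletion has to be blocked both ways NTFS grants it, DELETE on the file itself and DELETE_CHILD on the containing folder. The folder path and the group are placeholders. It assumes Vista or later because it uses the OWNER RIGHTS SID (S-1-3-4): without that entry, the user who created a file holds the owner's implicit WRITE_DAC and could simply remove the deny entry from their own file.

```powershell
# Added example: let a group write files into a folder without being able to delete them.
# Assumptions: placeholder path and group; Vista or later for the OWNER RIGHTS SID.
$Folder = 'C:\Shared\Reports'      # assumed path
$Group  = 'BUILTIN\Users'          # assumed principal; use a dedicated domain group in practice

$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow
$Deny      = [System.Security.AccessControl.AccessControlType]::Deny

function New-Ace {
    param($Identity, [string]$Rights, [System.Security.AccessControl.AccessControlType]$Type)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, ([System.Security.AccessControl.FileSystemRights]$Rights), $Inherit, $Propagate, $Type
}

New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder
# Stop inheriting from the parent so the folder's DACL is exactly what is set here.
$acl.SetAccessRuleProtection($true, $false)

# Recovery paths keep full control.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'     'FullControl' $Allow))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators'  'FullControl' $Allow))
# The group may read, create and modify ...
$acl.AddAccessRule((New-Ace $Group 'ReadAndExecute, Write' $Allow))
# ... but not delete: DELETE on the object (inherited to files) and DELETE_CHILD on the folder.
$acl.AddAccessRule((New-Ace $Group 'Delete, DeleteSubdirectoriesAndFiles' $Deny))
# OWNER RIGHTS replaces the owner's implicit READ_CONTROL|WRITE_DAC, so a file's creator
# cannot rewrite its DACL and strip the deny entry. ChangePermissions is deliberately absent.
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'
$acl.AddAccessRule((New-Ace $ownerRights 'ReadAndExecute, Write' $Allow))

Set-Acl -Path $Folder -AclObject $acl
(Get-Acl -Path $Folder).Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# Check from an account that is in $Group: writing succeeds, deleting is refused.
$probe = Join-Path $Folder 'probe.txt'
Set-Content -Path $probe -Value 'constructed test file'
try   { Remove-Item -Path $probe -ErrorAction Stop; 'delete succeeded (not intended)' }
catch { 'delete denied as intended: ' + $_.Exception.Message }
```

Two caveats. Use a dedicated group rather than BUILTIN\Users: administrators are members of Users, so the deny entry hits them too until they take ownership. And, as the comment says, this stops deletion only; anyone with Write can still open the file and zero it, so it is a guard against accidents, not against a user who wants the data gone.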

# re: "Vista Ready Upgrade" does not mean ReadyBoost-compatible

I see a pattern. I have used two Corsair GT USB drives and both worked for a while as ReadyBoost then stopped working, just like the examples above. The drives themselves are fine, if I turn on ReadyBoost they flash a bit and when I go back it is off again.

Friday, July 06, 2007 12:17 PM by Richard

# re: diskpart 'shrink' needs a little work...

In the "Good Old Days", Norton's disk defragment (DD) tool allowed you to select a cluster (of FAT16) and see which file is sitting on it.

Aren't similar tools available for NTFS?

Sunday, July 08, 2007 10:06 PM by Cheong

# re: diskpart 'shrink' needs a little work...

Typo: It should be "SD"(SpeedDisk).

Sunday, July 08, 2007 10:07 PM by Cheong

# re: diskpart 'shrink' needs a little work...

You can use any forensic tool to pull this information. (You can use eval versions of FTK or WinHex; I use EnCase.)

There's also an NTFS API that will give you the ALLOCATED_RANGES for an NTFS file. Many times it's NTFS internal files like $Log or $MFT_MIRROR that will lock this. These files can't be moved with the system running.

The VSS and TxF functionalities of Vista make this harder!

You COULD try this: remove the HDD, attach it to another system and shrink there.

Monday, July 09, 2007 12:23 PM by Nik

# re: Is BitLocker Misdirected?

Has anyone recently implemented a usb key solution?  I understand from this post and others that there are some group policy gotchas and I wonder if it is really all that bad of a config.  Perhaps someone could speak to this if possible...

Thanks.

Tuesday, July 10, 2007 12:26 PM by Scott

# re: Wireless PC Lock - part 2

Even though there's no API call to do it, it is possible to unlock the workstation programmatically by emulating entering the password. I made a similar application that does this by connecting to an UltraVNC server service on the same host and sending mouse and keystroke events to enter the password. Alas, I have no hardware for proximity detection, so my application uses the removal and insertion of a USB drive holding a key file.

Tuesday, July 17, 2007 11:17 AM by IByte

# re: As a newsreader, Windows Mail sucks worse than Outlook Express

Windows Vista sucks not only in the newsgroup area. Try to delete a message. You most likely encounter the message "Unknown error". A system which costs 300 bucks has unknown errors. Ridiculous!!!!!!! I'm using Linux (Ubuntu) as another OS on this same computer and have no problem with deleted messages.

Vista SUCKS

Saturday, July 21, 2007 6:39 PM by Bob

# re: diskpart 'shrink' needs a little work...

What are you guys saying? I don't understand a word. Could anyone just simply tell me if there is any way to shrink more volume in Vista?

Vista just sucks, can't network, can't use my previous PM8, and what more!!

Sunday, July 22, 2007 1:08 AM by Charles

# re: firefoxurl: URL vulnerability

Nice one Alun.  I'm a die hard IE fan, it's the best.  I went to Firefox for a while for the adblocking plugin but now I'm back with IE using IEPro plugin.  Firefox gobbled up so much damn memory at times that I got fed up having to shut it down and restart it every 15 minutes or so.

Monday, July 23, 2007 5:54 AM by Mosh Jahan

# Window Snyder fesses up - Firefox also passes "bad data"

Window says: "Over the weekend, we learned about a new scenario that identifies ways that Firefox

Tuesday, July 24, 2007 1:11 AM by Spyware Sucks

# Window Snyder fesses up - Firefox also passes "bad data"

Window says: "Over the weekend, we learned about a new scenario that identifies ways that Firefox

Tuesday, July 24, 2007 2:09 AM by Spyware Sucks

# University Update-Microsoft Visual Studio-FirefoxURL - potshots part deux

Pingback from  University Update-Microsoft Visual Studio-FirefoxURL - potshots part deux

# re: FirefoxURL - potshots part deux

re: "You can't comment in an unbiased fashion, because you're a Microsoft MVP."

Window and Asa are Mozilla employees who have been *very* biased in their public commentary during this brouhaha - I'm gobsmacked that a FF supporter would have the balls to make such a statement about Alun.  It is sad to see how recent events have brought out the worst in FF supporters.

It worries me that FF are barrelling down a dangerous highway to try and "fix" a problem that isn't theirs to fix.  Do they *really* want to start down the slippery slope of taking responsibility for validating data on behalf of who knows how many third party applications? How are they going to do that? What will they break?

I can only hope that Window, Asa et al will sit down and think things through properly.

Tuesday, July 24, 2007 8:49 AM by sandi

# re: firefoxurl: URL vulnerability

"[...] Implementations must not percent-encode or decode the same string more than once, as decoding an already decoded string might lead to misinterpreting a percent data octet as the beginning of a percent-encoding [...]"

This means an implementation *may* attempt to *partially* encode characters which have been left unencoded against the spec in a URL supposed to be ready for consumption (as the one which is going out through external protocol handlers). As a matter of fact, it may try to encode anything but the percent octet and the reserved characters.

Such an interpretation perfectly justifies the (very simple but effective) fix that's already been implemented by Mozilla guys, see bugzilla.mozilla.org/show_bug.cgi

A similar fix is readily available for NoScript users.

--

There's a browser safer than Firefox... http://noscript.net

Tuesday, July 24, 2007 9:43 AM by Giorgio Maone

# re: FirefoxURL - potshots part deux

That comment about MVP status being an indication of bias was actually made in a personal exchange, and to the extent that the speaker intended it, it's true - my MVP status suggests (but doesn't require) that I know more about Microsoft solutions than about non-Microsoft solutions.

But you don't have to look far to find Microsoft MVPs who spend most of their time in a non-Microsoft field (Steve Friedl of http://unixwiz.net/ is my favourite example).

Tuesday, July 24, 2007 10:17 AM by Alun Jones

# re: FirefoxURL - potshots part deux

Firstly: STD 66 absolutely does require that quote marks be percent-encoded.  Any URI with unencoded quote marks is illegal.  I quite agree that IE shouldn't encode quote marks appearing in a URI; but it should reject the URI as illegal and refuse to do anything with it, least of all pass it to third party software.

However: according to Microsoft's documentation, the URI is decoded before being passed to the protocol handler.  For instance, if the URI contains %20 that will be replaced by a space.

This has several implications.  Firstly, it means that the original vulnerability can probably be exploited with *legal* URIs; encoded quotes will be decoded before being passed to the protocol handler.

Secondly, it means that Firefox probably needs to re-encode the entire URI to have the best shot of getting it to the form it should be in.

I notice you say that the URI should only be encoded by the party creating it and only decoded by the party processing it.  I quite agree, and consider that to be Microsoft's fundamental mistake here; the protocol handler specification should not require that the URI be transmitted in decoded form but that it be transmitted unmodified - provided, of course, that it is legal. :-)

Tuesday, July 24, 2007 10:59 PM by Harry Johnston

# re: FirefoxURL - potshots part deux

STD66 is another name for RFC 3986, and it says: "Under normal circumstances, the only time when octets within a URI are percent-encoded is during the process of producing the URI from its component parts."

Since IE is not producing the URI from its component parts, I presume you are saying that acting as a proxy between a producer and a consumer of a URI is outside of "normal circumstances" - is that right?

As you note, Microsoft does decode percent-encoded values on their way to the protocol handler, and I view that as incorrect behaviour under the standard - my next part of this series will be to document some of the things I see Microsoft doing when it calls protocol handlers that I think are incorrect, though not a security flaw in themselves.

I have not seen any discussion by the Mozilla folks as to how they intend to avoid the double-encoding / single-encoding confusion that may follow from their change - but of course all protocol handlers will have to add extra work to handle this from now on - is the URI from IE, and therefore already decoded, or is it from Firefox, and therefore needs decoding?

Either way, you still need to act like the only thing you can trust is that "the entire remainder of the command line" comes from the user and cannot be trusted.

Wednesday, July 25, 2007 11:14 AM by Alun Jones

# re: Wireless PC Lock - part 2

Excellent.  Thank you.  I was getting ready to return the setup until I found your software.  Thank you for taking the time to write this, and most importantly, distribute it.

Wednesday, July 25, 2007 12:08 PM by Aaron

# re: Wireless PC Lock - part 2

You're very welcome. I will confess that I need to start polishing up the projects I've been working on, and release them here. Look for more security-related tools as time goes by - they won't necessarily be polished sale-quality merchandise with install scripts, logos, etc, but they will be workable demonstrations like this one.

Wednesday, July 25, 2007 12:59 PM by Alun Jones

# re: FirefoxURL - potshots part deux

STD66/RFC3986 restricts the characters that can legally appear in a URI without being encoded.  I agree that the encoding should be done by the party generating the URI not by an intermediary; however I would argue that the intermediary is entitled (in fact obliged) to reject a URI that has not been properly encoded by the originating party.

In other words, I suggest that if a web browser encounters a link containing illegal characters (including spaces and double quote marks that haven't been percent-encoded) it should refuse to attempt to follow it.

Wednesday, July 25, 2007 7:07 PM by Harry Johnston

# re: FirefoxURL - potshots part deux

Hmm... that would kind of kill javascript : alert("Hello world"), wouldn't it?

I wonder if there are any other things that look like URIs and have bad characters in them?

Why can't the intermediary simply pass everything on, like the proxy that it's pretending to be, and expect the protocol handlers to behave like the secure Internet-facing applications that they are pretending to be?

Wednesday, July 25, 2007 8:10 PM by Alun Jones

# re: FirefoxURL - potshots part deux

I don't think Javascript really counts as a URI; I mean, it doesn't identify a resource, does it?

I'd love it if all the protocol handlers would cope with illegal data properly, but the reality is that dozens of handlers have been identified that all made the same mistake, and I'm not aware of a single one that got it right; OK, I haven't actually looked, but you get my drift.  :-)

I don't think it's realistic to expect that everybody will fix this problem promptly and that no newly written software is going to reproduce it.  At the end of the day I don't really care who is to blame, but I don't want to be vulnerable; at the moment, it looks like the only way to avoid it is going to be to avoid IE.

Thursday, July 26, 2007 8:59 PM by Harry Johnston

# re: FirefoxURL - potshots part deux

Yes, the 'javascript' line was a bit facetious of me - but it makes the point that there's plenty of "URI"-looking links that disobey RFC 3986, and it's not too much of a stretch to think that protocol handlers might expect to do the same.

I haven't seen the 'dozens of handlers' that you've heard of, which have exploitable vulnerabilities. I've seen one class of handlers - basically, everything that Mozilla ever wrote.

Looking at the source code, they receive the single LPSTR command line argument in the WinMain function ... and then they discard it, and use an undocumented(!) pair of global variables to pass arguments into a main() function.

Almost seems as if it was written by a Unix programmer who didn't feel at home in Windows. :)

The flaw is definitely in the handler - fix it in the handler, and it doesn't matter which browser you use.

Obviously we're not going to agree here - to my mind, Internet Explorer is designed to behave like a transport mechanism here - you might as well ask that this be fixed in the TCP stack.

To you, the browser should have intimate understanding and be allowed to muck with URIs without any requirement to understand them, on what I perceive as a rather flimsy stretching of RFC 3986.

Our positions are irreconcilable - but the discussion is worth having.

Thursday, July 26, 2007 9:44 PM by Alun Jones

# re: FirefoxURL - potshots part deux

Have a look here:

bugzilla.mozilla.org/attachment.cgi

I'm not saying all of these are actually exploitable but a lot of them obviously assume there won't be quotes (or in some cases command-line switches) in the incoming data.

Thursday, July 26, 2007 9:57 PM by Harry Johnston

# re: FirefoxURL - potshots part deux

You draw a conclusion that isn't necessarily true.

Using "%1" instead of %1 is as much a habit as a programming practice designed to catch arguments with spaces.

However, anyone who puts a command-line argument after the user-supplied argument is suggesting poor judgement, even though that, too, could be handled by counting backward from the end of the string.

Were I to review these protocol handlers for security issues, I'd start first with those that end with an argument after the %1; then I'd go to those with undocumented arguments, such as %L. That way I'd be attacking the handlers with the most likelihood of being insecure.

However, as you point to the ones with "%1" as being likely vulnerable to unencoded quotes, you should also point to those with %1 as being likely vulnerable to spaces.

Thursday, July 26, 2007 11:20 PM by Alun Jones

# re: Alternate Data Streams in Windows Vista

dir /a /s /d | findstr $DATA

works fine for me, not sure if it misses some of the alternate data streams but it works alright.

Friday, July 27, 2007 6:37 AM by user551

# re: FirefoxURL - potshots part deux

Yeah, I guess it's pretty subjective, and I may be overestimating how many are actually risky.

For what it's worth, I'd personally expect a safe handler to look something like this:

someexecutable /handler %1

That would be straightforward to code.  Putting quotes around the %1 doesn't achieve anything except forcing you to add the code to remove them.

Even simpler would be

someexecutable %1

but only if there aren't any possible flags to look for.

In either case, of course, the code might or might not be doing the right thing; the only way to tell is to look at the code or try to break it.

Friday, July 27, 2007 2:10 PM by Harry Johnston
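Alun's and Harry's exchange above turns on how a registry command template such as `"%1"` versus `%1` behaves once the untrusted value is pasted into the command line and the handler's C runtime splits it back into argv. The following Python model is an added example, not code from the thread, from Mozilla or from Microsoft: it approximates the classic Microsoft C runtime argv-splitting rules (whitespace separates arguments, a quoted run is one argument, backslash-quote handling; the newer `""` escape is ignored), applies the blind `%1` substitution the thread describes, and offers a check for fragile templates alongside the "take the entire remainder of the command line" approach Alun recommends. The template strings, the `handler.exe` path and the `/unsafeurl:` marker are constructed for illustration.

```python
from typing import List, Optional

# Constructed templates in the shape of HKCR\<scheme>\shell\open\command values.
QUOTED_TEMPLATE = '"C:\\Program Files\\handler.exe" -url "%1"'
BARE_TEMPLATE = '"C:\\Program Files\\handler.exe" -url %1'
MARKER_TEMPLATE = '"C:\\Program Files\\handler.exe" /unsafeurl:%1'


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Approximate the classic Microsoft C runtime rules that turn one command-line
    string into argv: whitespace separates arguments, a double-quoted run is a single
    argument, a backslash is literal unless it precedes a double quote, 2n backslashes
    followed by a quote give n backslashes and toggle quoting, 2n+1 give n backslashes
    and a literal quote.  (The newer '""' escape is not modelled.)"""
    argv = []
    i, n = 0, len(cmdline)
    while True:
        while i < n and cmdline[i] in " \t":
            i += 1
        if i >= n:
            break
        arg = []
        in_quotes = False
        while i < n:
            ch = cmdline[i]
            if ch == "\\":
                nb = 0
                while i < n and cmdline[i] == "\\":
                    nb += 1
                    i += 1
                if i < n and cmdline[i] == '"':
                    arg.append("\\" * (nb // 2))
                    if nb % 2 == 1:  # escaped quote: literal, stays in this argument
                        arg.append('"')
                        i += 1
                    # even count: the quote itself is handled on the next iteration
                else:
                    arg.append("\\" * nb)
            elif ch == '"':
                in_quotes = not in_quotes
                i += 1
            elif ch in " \t" and not in_quotes:
                break
            else:
                arg.append(ch)
                i += 1
        argv.append("".join(arg))
    return argv


def build_cmdline(template: str, value: str) -> str:
    """Textual %1 substitution, the blind replacement the thread describes for
    registry command templates.  No quoting or escaping is applied to `value`."""
    return template.replace("%1", value)


def argv_changes_with_value(template: str, value: str) -> bool:
    """Check for a fragile template: does substituting `value` change the number of
    argv entries compared with a harmless token?  If so, an argv-based handler may
    read the wrong thing as its URI or see 'switches' it never expected."""
    baseline = len(split_windows_cmdline(build_cmdline(template, "x")))
    return len(split_windows_cmdline(build_cmdline(template, value))) != baseline


def value_after_marker(raw_cmdline: str, marker: str) -> Optional[str]:
    """The robust alternative: treat everything after a fixed marker on the raw command
    line (what GetCommandLine() returns) as the single untrusted value, so argv
    splitting never decides where it ends.  The value still has to be validated by the
    handler; this only keeps its boundaries intact."""
    idx = raw_cmdline.find(marker)
    if idx < 0:
        return None
    return raw_cmdline[idx + len(marker):]


if __name__ == "__main__":
    for tmpl in (QUOTED_TEMPLATE, BARE_TEMPLATE):
        for v in ("proto:a b", 'proto:a" b'):
            print(tmpl, repr(v), "fragile:", argv_changes_with_value(tmpl, v))
    print(value_after_marker(build_cmdline(MARKER_TEMPLATE, 'proto:a" b'), "/unsafeurl:"))
```

The `"%1"` form survives a space but not a quote; the bare `%1` form fails on a space; only the marker form hands the handler the value unchanged, which is why the marker must not be able to occur inside the executable path that precedes it.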

# re: Protecting the data

Steve is right that too often backups and encryption are forgotten.  And it's true that the FILES on the computer that aren't data are plumbing.  

But the other part of the plumbing, e.g. the free disk space and network bandwidth that can be used to sell DoS zombie attacks, spam relays and pubstro FTP servers, are I think still attacked as much as the user data is.  

Also, drive encryption and backups only protect the data at rest.  I understand that recent attacks have monitored running processes and/or memory to glean useful user data being sent out through Internet Explorer.  So I hope it's clear to all the readers that Steve isn't advocating that they can start spending less time on the other traditional countermeasures.

Friday, July 27, 2007 2:43 PM by Karl Levinson

# re: firefoxurl: URL vulnerability

While I think you are probably right that encoding everything except reserved characters, alphanumerics and percent would be safe from double-decoding, that's not what the RFC actually says. By the time the browser hits it, the URI should be presumed to have already been encoded, and encoding any part of the string would be considered to be doubly encoding.

I reiterate - if you're going to re-encode the string, you should re-encode the whole string - all characters that are not reserved, percent or alphanumeric. By that standard, Mozilla has not implemented an elegant solution, and runs the risk that some other character sequence (not to mention the possibility of Unicode) will cause them the same problem in the future.

Friday, July 27, 2007 4:22 PM by Alun Jones

# re: Alternate Data Streams in Windows Vista

I presume you mean "dir /a /s /r | findstr $DATA" - and while that will tell you the name of the file and stream, it doesn't tell you the location of the file and stream.

Friday, July 27, 2007 4:26 PM by Alun Jones

# re: Protecting the data

Plumbing that is unavailable for its intended users will generally get fixed. The problem is when 'excess' plumbing - or that which is perceived as excess - gets used by others. After all, what's the damage to a business if its spare capacity is being used to run a porn site? Can you get funding to address that if it's not actually interfering with your operations? Only if you can make the case that there is a significant risk that these uninvited users of your plumbing will some day cause you to be unable to use it.

I think Steve was advocating protecting your data at rest and in transit. Plumbing can't be trusted.

Friday, July 27, 2007 4:34 PM by Alun Jones

# re: FirefoxURL - potshots part deux

You wrote: "To you, the browser should have intimate understanding and be allowed to muck with URIs without any requirement to understand them, on what I perceive as a rather flimsy stretching of RFC 3986."

I hate to drag on a discussion that's probably starting to get tedious, but ... well, I'm going to anyway. :-)

In case it wasn't clear, I don't want the browser to "muck with" URIs; just to validate them against the syntax defined by the RFC, at least so far as to check that they contain only valid characters (this is trivial to do).

I'll grant that so far as I know there is no documented standard for what a browser or other intermediary should do when faced with an illegal URI, but I think it's accepted practice in computing that a program can do anything it thinks best with illegal data.  This might mean stopping dead, ignoring it, trying to turn it into legal data, or processing it exactly as if it were legal.

I recall Microsoft producing some software to sit in front of IIS and block potentially dangerous requests; I imagine this included any request whose URL contained illegal characters.  The analogy isn't perfect, but you agree that in at least some cases it is OK for an intermediary to block data known to violate the relevant syntax?

Friday, July 27, 2007 5:50 PM by Harry Johnston

# re: FirefoxURL - potshots part deux

If the intermediary is knowledgeable of the behaviour of all the handlers underneath it, yes. Otherwise, you move the support burden from people whose software is vulnerable, to people whose software may or may not be vulnerable, but which used a feature of the lack of encoding.

Friday, July 27, 2007 8:06 PM by Alun Jones

# re: firefoxURL:%03

On the subject of IE percent-decoding what it passes to the handler, I'd like to point out that in some cases this is impossible for the handler to recover from.  To quote the RFC:

"URIs that differ in the replacement of a reserved character with its corresponding percent-encoded octet are not equivalent."

For example, if the protocol handler sees a question mark, it doesn't have any way to tell whether it was supposed to be a question mark or %3F, and they aren't the same.

However, I agree that Microsoft are stuck; they can't change this already documented behaviour without potentially breaking existing applications that expect it.  (Personally, I wouldn't mind breaking applications if they were violating the RFC standards, but that isn't the case here; the change would affect properly coded applications.)

What worries me about the security aspect is that this is one of those really ugly cases where a system is vulnerable simply because a particular application is installed, even if it isn't being used.  People who use Firefox (for example) will hopefully be keeping it up to date - the problem is people who installed it once a few years ago, tried it out and went back to IE.

Saturday, July 28, 2007 3:33 PM by Harry Johnston
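Three points in the thread lend themselves to a single worked example: Alun's position that a re-encoding intermediary should encode every character that is not reserved, unreserved or a percent sign; Harry's point that checking a URI for illegal characters is trivial; and Harry's note above that once a reserved character has been decoded (a `?` in place of `%3F`) the handler can no longer tell the two apart. The Python below is an added example, not code from the blog, Mozilla or Microsoft. It implements the RFC 3986 character classes directly; the sample URIs are constructed.

```python
import re
import string
from urllib.parse import unquote

# Character classes from RFC 3986 (STD 66), section 2.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
RESERVED = set(":/?#[]@") | set("!$&'()*+,;=")  # gen-delims | sub-delims

_PCT_TRIPLET = re.compile(r"%[0-9A-Fa-f]{2}")


def has_only_legal_chars(uri: str) -> bool:
    """Cheap syntactic check an intermediary could apply before handing a link on:
    every character must be unreserved, reserved, or part of a well-formed %XX
    triplet.  Spaces, double quotes and bare '%' signs all fail."""
    i = 0
    while i < len(uri):
        if uri[i] == "%":
            if not _PCT_TRIPLET.match(uri, i):
                return False
            i += 3
        elif uri[i] in UNRESERVED or uri[i] in RESERVED:
            i += 1
        else:
            return False
    return True


def encode_unreserved_only(uri: str) -> str:
    """Re-encode the whole string, leaving only unreserved, reserved and '%' alone.
    Because an existing '%' is never touched, applying this twice gives the same
    result as applying it once, so this intermediary cannot double-encode.  Note
    that a bare '%' (illegal to begin with) is passed through, not repaired."""
    out = []
    for byte in uri.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x80 and (ch in UNRESERVED or ch in RESERVED or ch == "%"):
            out.append(ch)
        else:
            out.append("%%%02X" % byte)
    return "".join(out)


def handler_sees(uri: str) -> str:
    """Model the behaviour the thread attributes to IE: the URI is percent-decoded
    once before it reaches the protocol handler."""
    return unquote(uri)


def distinguishable_after_decoding(uri_a: str, uri_b: str) -> bool:
    """RFC 3986 says a reserved character and its %XX form are NOT equivalent, but
    once the intermediary has decoded the string the handler cannot tell them apart."""
    return handler_sees(uri_a) != handler_sees(uri_b)


if __name__ == "__main__":
    for sample in ("firefoxurl://example.test/p?q=a%20b", "firefoxurl://example.test/a b"):
        print(repr(sample), "legal:", has_only_legal_chars(sample))
    print(encode_unreserved_only('a b"c'), encode_unreserved_only("caf\u00e9"))
    print("'?' vs '%3F' distinguishable:", distinguishable_after_decoding("q=?", "q=%3F"))
```

The re-encoding function is idempotent, which is the property Alun argues a whole-string re-encoder must have; the last function shows the loss Harry describes, and it is a loss no amount of re-encoding on the handler side can undo.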

# re: firefoxURL:%03

If I am reading the Mozilla bug properly it seems that IE 6 and IE 7 behave differently on XP and that ShellExecute behaves differently on XP depending on whether IE 6 or IE 7 are installed. From the bug comments it also seems that some of the Firefox exploits can be reproduced with XP's start run only when IE 7 is installed. At least some validation / cleanup is done to the url for some protocol handlers with IE 6 and IE 7 and the same appears to be true with ShellExecute with XP IE 7 which is different when compared to XP IE 6. There also seems to be different validation / cleanup on Vista's ShellExecute when compared to ShellExecute on XP with IE 7. Since there are several different combinations perhaps documentation on all of the different combinations would be in order. Also, it seems that the behavior cited for Internet Explorer in the msdn article you referenced is for IE 7 and that IE 6 does escape.

Sunday, July 29, 2007 12:57 AM by Michael Winters

# re: FirefoxURL - potshots part deux

As an unbiased Windows C++ programmer, here are my $.02:

The problem here is that the winapi uses a string for CreateProcess and WinMain instead of an array of strings and leaves it up to the program to mess with the command line (including wildcard expansion!).

The problem is compounded by the fact that the ShellExecute function takes a format string and a parameter string and just blindly substitutes parameters.

So yeah, I definitely blame Microsoft for creating this nightmare that every application now has to deal with because they took the lazy approach (IMNSHO).

Given the above, the only correct way for firefox to proceed is:

1. Change their url handler to something like "c:\blah\firefox.exe" /unsafeurl:%1 and then use GetCommandLine() to look for everything after /unsafeurl:

2. Speaking of which, why did they register firefoxurl to begin with?

3. Not do something extremely idiotic like writing their own ShellExecute function as bugzilla.mozilla.org/show_bug.cgi suggests that parses the registry values and calls the url handlers in a way that's friendly to parse_cmdline().

And thinking out loud here, somebody should investigate how ShellExecute and CreateProcess handle going over the ~32k (I think) command line string limit.

Sunday, July 29, 2007 2:30 AM by asdf

# re: FirefoxURL - potshots part deux

"The problem here is that the winapi uses a string for CreateProcess and WinMain instead of an array of strings and leaves it up to the program to mess with the command line (including wildcard expansion!)."

My thought is that this is actually behaviour that you want for a protocol handler, because the URI is a single string, and might not follow the same parsing as shell commands.

If you want shell command style parsing, you can get that by calling CommandLineToArgvW, but given that spaces and tabs might be special to the URI but are not differentiated in Argv-based parsing, I don't see that argv processing gives you anything in a protocol handler.

"The problem is compounded by the fact that the ShellExecute function takes a format string and a parameter string and just blindly substitutes parameters."

What else should it do?

As for ShellExecute and long command lines, ShellExecute is documented as returning an error code when the command line is over (INTERNET_MAX_URL_LENGTH - 1) characters. CreateProcess is limited to 32k.

Sunday, July 29, 2007 7:48 PM by Alun Jones

# re: firefoxURL:%03

That's right - it looks like there is some element of interconnectedness between Firefox and IE 7 on this bug. This suggests that there may be a flawed behaviour in IE 7 that Firefox is triggering. If that's the case, of course, I'd expect Microsoft to fix the flaw.

Sunday, July 29, 2007 7:52 PM by Alun Jones

# re: diskpart 'shrink' needs a little work...

I have the same problem(s).

Consider this... I have done all that could be done, except using dozens of 3rd party tools (tried just two or three utilities) and I am stuck with a 130 GB volume. I even tried to solve the puzzle by making a complete PC backup, restoring it on another PC with hope that it may be satisfied with a 50 GB volume. No! It needs its free space. Actually, this was the only scenario that hasn't surprised me... But it made me angry anyway.

And, yeah... Network! When someone whispers: "Vista...", I yell, "Network!".

Monday, July 30, 2007 8:33 PM by Nikola Tulimirović

# re: firefoxURL:%03

It appears that the interconnectedness between XP with IE 7 and Firefox is also between XP with IE 7 and XP's Start -> Run menu, Skype, Miranda, and likely others.

Monday, July 30, 2007 9:48 PM by Michael Winters

# re: FirefoxURL - potshots part deux

"My thought is that this is actually behaviour that you want for a protocol handler, because the URI is a single string, and might not follow the same parsing as shell commands."

Generally I prefer the single-string approach, I guess because I grew up with DOS/Windows rather than Unix/Linux.  But the Linux approach does have an advantage in this scenario, because the launching application passes an array rather than a string, so no parsing is necessary to separate out the arguments.

The Linux version of Firefox never had this vulnerability because the presence of quotes had no effect on the way arguments were separated.

Saturday, August 04, 2007 4:04 PM by Harry Johnston

# re: FirefoxURL - potshots part deux

No, the Linux version of Firefox never had this vulnerability, because the arguments were passed from browser to protocol handler without going through the shell.

The Windows version of Firefox had the opportunity to create a protocol handler that could receive arguments from a browser without going through the shell, but chose to ask the shell to parse those arguments.

Sunday, August 05, 2007 4:04 PM by Alun Jones

# re: FirefoxURL - potshots part deux

("shell" = "C runtime library"?)

Well, it has to parse them somehow!

The point is that under Windows all you get is a single string, so you have to parse it to divide it up into separate arguments.  You can let the runtime library do it, or you can do it yourself; either way, you're potentially vulnerable if you haven't considered the possibility that one of the arguments might contain unexpected delimiters.

Under Linux the arguments are passed from the caller to the recipient as an array - already separated - so the presence of delimiters in an argument has no effect.

As a more extreme case, suppose for some reason you had to pass two arbitrary strings instead of one.  In Linux this would be easy.  In Windows the processes would have to agree on a quoting mechanism to cope with delimiters, or use some more complicated technique like DDE or COM.

I'm still more comfortable with the Windows approach; but I do think the Linux approach has some advantages.

Monday, August 06, 2007 3:52 PM by Harry Johnston

# re: FirefoxURL - potshots part deux

In this case, yes, the shell on Unix is the equivalent to what the C runtime library is doing. On Unix, command-line arguments are split by the shell, and you can sidestep this parsing by calling execp directly, passing in the array of arguments that should go to the executable. On Windows, that can't happen directly, because all executables take a single parameter. If you wanted the original "pass an array to be interpreted exactly as given", you could implement the protocol handler as a COM object. That is one of the documented approaches offered. The Mozilla team chose to do a Win32 app, and either didn't understand what they were giving up by making that choice, or didn't think it was important.

Tuesday, August 07, 2007 5:53 PM by Alun Jones

# re: As a newsreader, Windows Mail sucks worse than Outlook Express

Hey, man,

I'm a heavy usenet user.  Especially the binaries groups.

I used a program called XNEWS (http://xnews.newsguy.com/)  

It's free.  And, it suited me better than any other reader, pay or free, that I've tried.

You may want to give it a shot.  The guy that wrote it supposedly based a lot of the interface on the NewsXpress that you mention.  (How I found this article - I just switched to linux and now need to find a good newsreader or get 'wine' & my beloved xnews back)

-Stephen in Boston

Tuesday, August 07, 2007 9:49 PM by Stephen

# University Update-Windows Vista-How to make me nervous

Pingback from University Update-Windows Vista-How to make me nervous

Monday, August 13, 2007 8:55 PM by University Update-Windows Vista-How to make me nervous

# re: diskpart 'shrink' needs a little work...

Get a copy of GParted and stop your bellyaching!!  GParted is mature and will shrink your NTFS partitions with zero problems.

Tuesday, August 14, 2007 2:32 PM by the incredible mark

# re: How to make me nervous

Hmm -

Downloaded it and installed it.  My nightly VBScript to archive stuff to my network share is now broken.

It seems that

CSCRIPT.EXE //H:CSCRIPT

doesn't work any more.  Any .VBS file that I run now launches with WScript.

Time to call Product Support...

Wednesday, August 15, 2007 10:15 AM by Christopher G. Lewis

# re: How to make me nervous

Well, it looks like MS just never tested this functionality completely.

With WScript 5.6, running

CSCRIPT.EXE //H:CSCRIPT //S

changes the Open/Command sub-key from WScript to CScript.  Open2/Command is set to the opposite value.

HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command

HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command

With Wscript 5.7,

CSCRIPT.EXE //H:CSCRIPT //S

changes the shell default to point to Open or Open2.  However, it doesn't check what Open or Open2 actually point to!

So if you first run

CSCRIPT.EXE //H:CSCRIPT //S

in Wscript 5.6 to switch Open and Open2, then install WScript 5.7, running the //H command actually gives you the EXACT OPPOSITE of what you want!

Thanks to the SysInternals team for ProcMon for helping to figure this out...

Note that to fix this, you can't just change the shell default.  You MUST change the Open/Open2 keys back to their default values, since the //H command will blindly assume that Open2 is CScript...

Wednesday, August 15, 2007 1:37 PM by Christopher G. Lewis

# re: How to make me nervous

Alun:- I had planned to send this via your contact form but it isn't working.  Feel free to post this as a comment (it's vaguely on topic!) or not as you see fit.

I've learned something recently that worries me and might be within your field of interest.  Support for the Microsoft Java VM (remember the lawsuits?) expires at the end of this year, meaning no more security updates.  I just *know* some troublemaker is going to be holding onto a vulnerability report and releasing it 1st January!

And, no, I don't mean me. :-)

The problem is that if you've got MSJVM installed, it's hard to remove.  Microsoft have a removal tool but they're only providing it to IT pros:

support.microsoft.com/.../826878

OK, so I can get it, but even so we're going to have to muck about to deploy it.  I want to be able to distribute it via WSUS!  And, in my opinion, everybody should be getting protection against future MSJVM vulnerabilities via Microsoft Update; otherwise we're going to have a whole lot of exposed home machines one day.

The argument that the effects have to be irreversible doesn't hold water IMO.  Surely there must be a way of distributing an update that effectively disables the JVM without actually deleting it?  (For example, the security on the relevant files could be set to deny execute access.)

I'd be grateful for your opinion on this matter.

Regards,

Harry.

Sunday, August 19, 2007 7:14 PM by Harry Johnston

# re: How to make me nervous

There are a few reasons not to panic:

1. Sun Java is a far more interesting target, especially given the ease with which an attacker can request an older, unpatched version that wasn't removed by Sun's update tool.

2. Any website relying on Java to support Windows systems is already going to be pushing the message to make Sun Java be the default Java processor.

3. If you have a machine whose last clean install was with Windows XP SP1a or later (including Windows Server 2003 or Vista), you won't have MSJVM on your systems, and can't get it installed through any normal means. Since that service pack was released on February 2, 2003, you'll find that any machines that have MSJVM on them are machines that have been updated to newer operating systems and service packs from machines purchased over four years ago. That should cut the numbers down.

4. If a serious vulnerability is disclosed, Microsoft still has the "damn the torpedoes, full speed ahead" option of issuing the MSJVM removal tool to all users, and accepting the consequences of some users experiencing issues with loss of (old, obsolete) applications as their Java Virtual Machine disappears.

5. Another option that may well be in Microsoft's back pocket is negotiation with Sun to allow the development and shipping of a security fix, if the hypothesised flaw is sufficiently important.

6. [This is the clincher for me] Along the lines of the argument that time machines are impossible because we haven't been visited by tourists from the future, it's worth noting that a zero-day bug in the MSJVM is worth far more now, when some corporate users are still hanging on to it, than it will be this Christmas, when any corporate users worth a damn will have shoveled that puppy into its little cardboard box.

Sunday, August 19, 2007 10:41 PM by Alun Jones

# re: GUI lets me disable it, how do I enable it?

Oh you star!!

I've been trying to fix this for months now, and this is the only solution that has worked!!

THANK YOU!!!!

Monday, August 20, 2007 12:38 PM by Kaz

# re: How to make me nervous

You may be right.  One minor correction - MSJVM may be installed on newer machines as part of an older product, in particular Visual Studio 6.  Note that extended support for Visual Basic 6 doesn't expire until April 2008.

Also because there's nothing forcing third party developers that may have used MSJVM to update their software - or even stopping them from including it in new software! - there's no way to be sure it isn't installed without actually checking.

Monday, August 20, 2007 3:01 PM by Harry Johnston

# re: How to make me nervous

... and, as an afterthought, it is true that no MSJVM security vulnerabilities have been reported in nearly five years.

Monday, August 20, 2007 3:10 PM by Harry Johnston

# re: How to make me nervous

I don't think that the MSJVM was ever legally redistributable by third parties, so that doesn't appear likely to be a problem.

Unless, of course, the black market economy in pirated software reaches such a stage that an attacker can rely on there being a pirated version of software installed and ready to be abused on most otherwise legitimate machines...

Monday, August 20, 2007 11:37 PM by Alun Jones

# re: How to make me nervous

Quoting from the Microsoft FAQ here:

www.microsoft.com/.../faq.mspx

"I am a developer. Can I continue to distribute the MSJVM?

The End User License Agreements (EULAs) for both Microsoft Visual J++® and the Microsoft SDK for Java grant limited rights to redistribute the installer for the MSJVM (msjavx86.exe). However, Microsoft highly discourages continued redistribution of the MSJVM as provided for in these EULAs."

I vaguely recall installing one or two third-party products that used the MSJVM some years ago.  It isn't all that common.  As I mentioned, my main problem is going to be Visual Basic.

Tuesday, August 21, 2007 2:04 PM by Harry Johnston

# re: Wireless PC Lock - part 2

Is there a way to turn off the sound the program makes?

Wednesday, August 22, 2007 12:04 AM by Andrew

# re: Wireless PC Lock - part 2

Sure - when the program first runs, it registers as a source of application sounds. You can choose what sounds (if any) to use for any of the application's events that are registered for sounds. You can do this from the Sounds Control Panel Applet.

Wednesday, August 22, 2007 12:27 AM by Alun Jones

# re: Is BitLocker Misdirected?

I just installed BitLocker using a USB key only. I ran the BitLocker drive preparation tool that MS provided recently which makes the process quite easy. It creates the boot partition and copies all the startup files to it. I also had to run gpedit.msc to modify the BitLocker options so I could use a USB key since my system has no TPM chip. The 300GB drive encrypted in about 2.5 hours. My only concern is that if a laptop or PC is stolen with the USB key, then the encryption is useless. I would rather have the option of requiring a password, like most of the other disk encryption products out there. Relying on a physical key alone is less secure.

Monday, August 27, 2007 1:00 PM by Davy Jones

# re: Is BitLocker Misdirected?

I'm with you there - either with TPM, or with USB, or any other solution that has a good chance of packing the key material in with the laptop (hey, passwords on sticky notes count in that category!), you have a good chance that the machine can be booted - and once booted, how many services are listening and waiting for an attack on the network port, on the USB port, on the parallel port, on the serial port, on the FireWire port, on the card reader, on the PC Card port, on the Express Card port, through the video card, the PS/2 port, the CD / DVD ROM drive, the media card reader, etc?

One of them's likely to be exploitable by the time your machine gets stolen. Or maybe the thief takes your laptop, and waits a month or two until an exploitable vulnerability gets released, then uses that to hack in?

If all the keying material rides with the computer - like with the TPM chip - your data is really not that safe.

Monday, August 27, 2007 11:38 PM by Alun Jones

# re: Let's just wait for Service Pack 1

I guess that would be a valid argument for something like XP SP3, but SP1 for Vista WILL be a huge improvement. How many laptops still have problems with power management in Vista? A lot. How many graphics cards are still having driver issues? And most importantly - are you really going to deploy Vista and then go around applying hot fixes to machines?! I'd much rather wait for a fully supported solution to resolving horrendous file transfer speeds both on and off the network along with all the other reliability issues I've encountered so far. When SP1 arrives I'll reevaluate, but Vista ain't ready yet.

Thursday, August 30, 2007 10:39 AM by Tom

# re: Let's just wait for Service Pack 1

Sounds like you've found a showstopper or two for your organisation - and that's my point. If you really have a showstopper, _and_ you believe it's fixed with Service Pack 1, then you can justifiably say "we won't deploy until we have Service Pack 1 in hand".

I have not yet encountered any significant problems along the lines you describe - the power management on the laptops I've tested is acceptable, with little difference in battery time, and acceptable hibernation times plus resumption from sleep.

The video performance and reliability issues in particular that I've heard of from others tend to revolve around one manufacturer's line of cards, and I would expect that updates to those drivers will be forthcoming without waiting for a service pack.

I'm not sure what particular hotfixes you feel are necessary to install on your systems, but the reliability and performance packs recently released on the Microsoft downloads site are fully supported, and can be deployed immediately in a number of different ways - not just manually.

Overall, though, I think you're making my point for me - don't sit mindlessly waiting for SP1 if you have no reason to do so; if you have a bug that prevents deployment in your organisation and will be fixed in SP1, then by all means sit around and wait before deploying.

Thursday, August 30, 2007 11:40 AM by Alun Jones

# re: Let's just wait for Service Pack 1

Alun, it's fair enough to raise the question for debate, but it's not appropriate to suggest that it's wrong to wait for an SP for an RTM product. Especially when you've got a lot of business managers willing to fry you alive for loss of productivity et al. In these situations you have to be more cautious as to what you deploy, and when you deploy it.

Often the reason corporates decide to wait for an SP release for an RTM product is because of all the rough edges that get "smoothed" off by the SP. And, reliability and usability usually increase after an SP is applied. As you know SPs are not traditionally a mechanism for delivering new functionality, but by definition are provided to fix fundamental as well as peripheral issues with an OS, or product. This then suggests that these changes are beneficial and sometimes worth waiting for. In Vista's case, and from personal experience of using the product (which I refuse to use as my main station) there are "many" rough edges and only an SP (2008) will fix them.

I for one would not drop Vista into the workplace until its performance issues are resolved. Sounds a bit fuzzy, sure it is. I know this is a generalisation and not pointing at XYZ issue, but it's well documented on the web that Vista needs to be honed a bit more. Who on earth could justify Vista's current performance on high end desktop equipment, which is turned into 4-5 year old kit the moment Vista is installed! I have a laptop that runs blisteringly fast on XP, battery performance is great. I go ahead and install Vista and I get 30 minutes battery life, and the OS crawls along when doing the most mundane things. Obviously this brand new (not hardware crippled) laptop was returned to XP, and productivity went back to normal.

No one in their right mind would sack you for not deploying an RTM product, unless it was business critical. A desktop migration is often not business critical but a planned, road-mapped approach to managing the desktop estate. And, introducing new functionality as well as sometimes generating a massive re-training campaign that can cost companies millions in training resources and loss of productivity while the users get used to doing the same thing a different way.

All food for thought, I enjoyed reading your article, and hope my comment is not too abrasive, keep up the good work!

Friday, August 31, 2007 11:28 AM by Rob

# re: Let's just wait for Service Pack 1

I still think you're making my point for me.

You've told me not that you're waiting for SP1, but that you're waiting for errors - specific errors (and performance _is_ a specific error) to be resolved.

There's a big difference.

As for training, that needs to be done on whatever version you're deploying - if you deploy RTM, you can train on RTM, and if you deploy SP1, you can/should train on SP1.

Friday, August 31, 2007 9:21 PM by Alun Jones

# re: Let's just wait for Service Pack 1

Let me point you at three things:

First is Google with a search string of "Vista problem", the second is "XP problem" and the third is a link to a well known, and unfixed issue with Vista.

www.google.co.uk/search

www.google.co.uk/search

Note that Vista+Problem = 122,000 results, and it's only been out a few months! whereas XP+Problem (which has been out quite a few years) has 112,000 results (tap this in yourself, see what figures come out). That is a sure indication that there is a lot of "chatter" surrounding "issues" with the product. Now go visit Technet forums, see a lot of "it's not working" chatter there too? If most or any of these problems impacted your users would you brush them off and tell them to quit moaning and enjoy this wonderful RTM OS? Or would you think "oh bugger"? Do you think the business managers would be understanding? How much damage would you have done to the IT Department's credibility, especially when SP1 arrives and the problems disappear? Would that reinforce your decision, or make it look like a sick joke on the business?

Now I really enjoy working with Microsoft products, but I'm a realist, I know they get things right AND they get things very wrong ... but releasing RTM products into the business is too close to a gamble for an old-timer like me, it's less of a gamble once an SP is released.

Take a look at the gaming industry, RTM = buggy, then a patch comes out, in fact a long list of patches come out and the product is usually only fully usable after 3-6-12 months. This is a model driven by marketing, get it released on such a date and we don't care how many bugs are in there, fix them after we've shipped. I'm seeing that same behaviour manifesting in the non-gaming world.

Now, that 3rd and final link ... this is very interesting, and would cause me to shiver if the business started to suffer from it, especially if I was responsible for deploying the product early, and ignored those that said "hold on there tex, let's wait":

www.theregister.co.uk/.../vistas_long_goodbye_continues

Now, come up with a suitable justification as to why the "business" should continue to wade its way through that unfixed problem, especially if it starts manifesting on VIP machines. I think you'd be looking at jobsites and muttering "no one ever got sacked for buying IBM", or something similar ;-)

Now, to be fair Vista is an OS, we all went through the same kind of pain when Windows 95 rolled out, when XP rolled out it was harsh. OSs are high visibility because they sit on every single user's machine, and users have to interact with them every time they click the mouse or touch the keyboard. Whereas, a different RTM product, such as a back-office product would get less usage and less of a strain on the business if it was a bit buggy. Thus, I'd consider my options differently depending on high-vis and medium to low-vis.

I hope this doesn't again reinforce your point somehow? As I'm trying to point out that you can cut this a million different ways but essentially it comes down to risk takers and non-risk takers. I fall into the latter category, IT serves the business, business does not serve IT.

This has spurred me on to write a detailed article, of my experiences over the years with OS and product deployments, culminating in the single choice "should I deploy" or "should I wait". I'll be sure to come back here and drop a comment to the article.

Sunday, September 02, 2007 2:54 PM by Rob

# re: Let's just wait for Service Pack 1

And a search for "linux problem" returns over 200 million matches.

"Apple problem" returns around 134 million matches.

I'm not suggesting that this is an indication of the number of problems in those operating systems, just pointing out that the search alone is a rather unscientific - and incorrect - way of rating the suitability of an operating system.

As for the "Vista's Long Goodbye" posting, it sounds like this is exactly the sort of bug that was fixed in the recent performance update:

KB Article 938979 - Vista Performance Update

Again, if you have specific reasons not to upgrade to Vista yet, then fine - don't upgrade to Vista.

If you have no specific reasons not to upgrade to Vista, then don't make up non-specific reasons like "there hasn't been a service pack yet". Pointing back to May's reports of problems that appear to have been fixed last month would seem to be pushing it a little.

Sunday, September 02, 2007 8:17 PM by Alun Jones

# re: Let's just wait for Service Pack 1

That's not correct, I was contrasting two Microsoft OSs (in a loose way, certainly not scientific and doesn't hold much water agreed), and not their competitors.

To reference Apple and Linux google searches just sounded like a knee-jerk reaction to the assumption that I was trolling\flaming Microsoft here. That's not my thing.

I was not trying to show that Microsoft runs out flaky OSs, instead the reference was to highlight that there is a "lot of negative chatter" over Vista, from tried and tested Microsoft customers. That reinforces my position not to deploy RTM right now, even though a few KBs have been released. Instead, let those companies that have a "special agreement with Microsoft" eat dogfood, and produce KBs. The mere thought of deploying an epic piece of software such as Vista, and experiencing new, interesting and very unknown issues makes me steer clear until it's bedded in. Besides, Microsoft has enough customers deploying RTM, hence why we are getting KBs released which 90% (again not a scientific percentage, just a working figure!) of the time are generated via feedback from customers actually suffering\experiencing the problems.

You need to be more objective, and put Microsoft to the side for a minute. Like I said previously, the Business is all important. IT is the business's slave, and not its master. If anything, quote from this paragraph and reason this into your assertions. And don't feel that I am roughing you up, just being both devil's advocate, and passing on my ten cents worth of reasoning.

It's an interesting subject, I'd love to hear what others think. I'm sure there are many that can contribute their thoughts for and against, and perhaps even middle of the road!

Cheers Alun, keep up with the thought provoking blog entries!

Monday, September 03, 2007 5:02 AM by Rob

# re: Let's just wait for Service Pack 1

My point in trying those searches was to indicate just how useless it is to rely on search result counts as an indication of the quality or otherwise of a particular operating system or version.

My goal here is to remind you that you can't let the rest of the world do your testing for you - either implicitly by the simple maxim "don't deploy until service pack 1", or explicitly by waiting for the chatter to die down.

Your business is like no other business - and that's pretty much true for every business out there. You run a combination of software that is unique. If Vista doesn't run for you now, the correct response is to bug Microsoft about it, and get them to fix your problems, not wait for them to fix everyone else's problems, and hope that they managed to hit yours in passing.

If Vista does run for you now, then you're possibly losing a competitive advantage by waiting for everyone else.

Monday, September 03, 2007 10:34 AM by Alun Jones

# re: Why complain about UAC prompts?

What's pissing me off the most are apps with requestedExecutionLevel set to asInvoker (regedit, process explorer, Bioshock etc.) It forces a UAC prompt on me that I don't need if I'm doing something to my user (HKCU etc.) and I don't know any way around it other than hacking the .exe's manifest to user instead of asInvoker. And if the app is marked with asInvoker, it means it HAS to support running as LUA, otherwise it should use admin and not asInvoker.

Tuesday, September 04, 2007 11:14 AM by ak

# re: Are you a 'dual'?

I've been a dyed-in-the-wool infrastructure geek for 11 years, and I'd tried in vain to bridge the gap to Developer-land for most of those years.  

This is partly because I'd constantly run into troubleshooting issues that took me to the API layer and below, but I wasn't able to "go the last mile".  

It's also partly because, at least while working at Microsoft, I got the distinct impression that "if you don't do code, you ain't worth squat".  Infrastructure geeks, no matter how knowledgeable, were always second-class citizens at MS.  

I've often dipped my toes in the water of providing guidance to the developers on whom the infrastructure folks depend for (a) leveraging the security infrastructure that the systems folks worked so hard to put in place, and (b) not creating wide-open holes into the infrastructure through holes in their code.  I've found it difficult to explain to many developers why they should bother integrating with AD, using Windows-integrated authentication (or even LDAP, for g##'s sake), why their app might fail on a locked-down server.  I've also had just as hard a time teasing out of these developers things like what privileges & permissions are required for their app to run, in which DLLs certain functions are stored, and all of that other "plumbing"-related minutia.  

I finally made the leap, and am developing code in C#, VB.NET, XSLT and Javascript, and I feel like I'm almost "qualified" to create good code.   [Maybe one of the barriers to "becoming" a developer was the very realization that I didn't want to repeat the mistakes and problems that all the dev's with whom I've worked had created, and on whose mess I've often had to bolt security after the fact.]  

I've found Keith Brown's books to be the most lucid explanation of security concepts that works for both Infrastructure and Developer crowds, but maybe because of that, his books don't sell that well. :(  Still, I can't recommend them too strongly.

Tuesday, September 04, 2007 4:38 PM by Mike Smith-Lonergan

# re: DELAY or NODELAY - Riffing on Larry, who's riffing on Raymond...

Actually, TCP_NODELAY causes sub-optimal performance even for more popular protocols such as HTTP. An HTTP request will typically be smaller than a complete segment, so if you don't disable it, the response will be delayed. The nice thing is that you can enable and disable it any time for each single connection. Also the telnet case is a rather extreme one. Most protocols don't send tiny pieces of data, so setting TCP_NODELAY will rarely have extremely bad consequences. Also UDP simply isn't possible in each and every case. Consider that most applications will want to over tunneling through a proxy at least as fallback. UDP has a lot of disadvantages anyway, thus scrapping TCP altogether just because one property is sub-optimal is probably not a good idea as you might easily end up with something that is far worse, especially if you want to use that in the heterogeneous real world, i.e., everybody can come up with protocols that perform great for him... but suck everywhere else.

I think the problem you describe is not so much disabling Nagle but, as you also wrote, the multiple sends/writes. That alone will typically perform quite badly due to the whole system call and processing overhead. So if you simply avoid writing out single bytes by coalescing data into a buffer of a few kilobytes or use gather/scatter IO, you don't really need Nagle, it'll perform even better due to fewer system calls and you have more control over what is sent ASAP and what may be queued up. Of course that needs some planning ahead and isn't as trivial as switching something on or off. That much I agree.

Tuesday, September 04, 2007 6:30 PM by Chris

# re: DELAY or NODELAY - Riffing on Larry, who's riffing on Raymond...

HTTP need not be impacted by the Nagle interaction with delayed ACKs.

Granted, the request is often shorter than a complete segment - though it can be longer. As a result, the request will at least end with one incomplete segment - but then, there will be no other incomplete segments buffered, so the request will complete without delay.

The response will carry the ACK with it, so there's no delay on the ACK, and it too should be sent as a number of full segments followed by a small one, which will not be delayed by Nagle.

HTTP is a fairly good example of a request/response cycle that should _not_ be affected adversely by Nagle or Delayed ACK.

Now, if you want to write your HTTP server so that it sends the response header in a separate send() call from the response data, you might get poor performance on short responses, because that then becomes "read, write-small, write-small, read", which is the classic bad case for Nagle / Delayed ACK.

Write your HTTP server better :)

Tuesday, September 04, 2007 10:23 PM by Alun Jones
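The two comments above (Chris's point that coalescing writes makes Nagle unnecessary, and Alun's "read, write-small, write-small, read" case) can be checked with a small event-driven model of one direction of a TCP connection. This is an added illustration, not code from the blog or from any TCP stack: the sender follows Nagle's algorithm with Minshall's variant (a short segment is held only while an earlier short segment is unacknowledged, which is what Linux does), the receiver uses a delayed-ACK timer, and the receiving application cannot reply until the whole request has arrived, so no response data is available to carry the ACK. The 20 ms one-way latency and 200 ms delayed-ACK timer are assumed parameters, and the `send()` sizes are constructed.

```python
import heapq


def simulate(writes, nodelay=False, mss=1460, one_way_ms=20.0, delayed_ack_ms=200.0):
    """Return (ms until the last request byte reaches the receiver, segments sent).

    Constructed, simplified model of one direction of a TCP connection:
      * Sender: Nagle's algorithm with Minshall's variant: a full-MSS segment is
        sent at once; a shorter segment is sent only if no earlier short segment
        is still unacknowledged (or TCP_NODELAY is set).
      * Receiver: delayed ACK: an ACK goes out when a second unacknowledged
        segment arrives, or delayed_ack_ms after the first, whichever is sooner.
      * The receiving application has nothing to reply with until the whole
        request is in, so there is no response data for the ACK to ride on.
    `writes` lists the send() sizes the application issues at t=0; the latency
    and timer values are assumed parameters, not measurements.
    """
    total = sum(writes)
    events = []                  # heap of (time_ms, sequence, kind, payload)
    order = 0
    st = {"buffered": 0, "sent": 0, "acked": 0, "small_end": None,
          "received": 0, "pending": 0, "timer_gen": 0, "segments": 0,
          "done_at": None}

    def schedule(at, kind, payload=0):
        nonlocal order
        heapq.heappush(events, (at, order, kind, payload))
        order += 1

    def transmit(now, nbytes):
        st["sent"] += nbytes
        st["segments"] += 1
        if nbytes < mss:                       # remember the outstanding short segment
            st["small_end"] = st["sent"]
        schedule(now + one_way_ms, "arrive", nbytes)

    def flush(now):
        while st["buffered"] >= mss:           # full segments are never held back
            st["buffered"] -= mss
            transmit(now, mss)
        short_outstanding = st["small_end"] is not None and st["acked"] < st["small_end"]
        if st["buffered"] and (nodelay or not short_outstanding):
            nbytes, st["buffered"] = st["buffered"], 0
            transmit(now, nbytes)

    def send_ack(now):
        st["pending"] = 0
        st["timer_gen"] += 1                   # invalidates any running delayed-ACK timer
        schedule(now + one_way_ms, "ack", st["received"])

    for nbytes in writes:
        schedule(0.0, "write", nbytes)

    while events:
        now, _, kind, payload = heapq.heappop(events)
        if kind == "write":
            st["buffered"] += payload
            flush(now)
        elif kind == "arrive":
            st["received"] += payload
            if st["received"] == total and st["done_at"] is None:
                st["done_at"] = now
            st["pending"] += 1
            if st["pending"] >= 2:             # second unacked segment: ACK at once
                send_ack(now)
            else:                              # otherwise wait for the delayed-ACK timer
                schedule(now + delayed_ack_ms, "ack_timer", st["timer_gen"])
        elif kind == "ack_timer":
            if payload == st["timer_gen"] and st["pending"]:
                send_ack(now)
        elif kind == "ack":
            st["acked"] = max(st["acked"], payload)
            flush(now)                         # the ACK may release a held short segment

    return st["done_at"], st["segments"]


if __name__ == "__main__":
    cases = [
        ("one send(): 300-byte header+body", [300], False),
        ("one send(): 2000 bytes (full segment + tail)", [2000], False),
        ("two send()s: 100-byte header, 200-byte body", [100, 200], False),
        ("same two send()s with TCP_NODELAY", [100, 200], True),
    ]
    for label, writes, nodelay in cases:
        done, segs = simulate(writes, nodelay=nodelay)
        print(f"{label:<48} segments={segs}  request complete after {done:6.1f} ms")
```

With these parameters the single-send cases complete after one one-way delay, while splitting a short request across two `send()` calls leaves the second piece waiting for the delayed ACK of the first (one-way, timer, one-way, one-way: 260 ms in the model). Setting TCP_NODELAY removes the wait but doubles the segment count, which is Chris's point: coalescing the header and body into one buffer before calling `send()` gets the low latency without giving up Nagle.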

# re: Why complain about UAC prompts?

"A couple of obvious approaches for web-based applications are Windows Integrated Authentication (which, admittedly, does require IE and IIS), and SSL client certificates.&qu