Tales from the Crypto

Zune – So Nearly Perfect, it Hurts

For a while now, I’ve been listening to the BBC radio on my MP3 player – even wrote a program to download the audio of various programmes and convert them from RealAudio to MP3 so that I can listen to them on the bus or in my car on the way to and from work. First it was a 512MB Creative Muvo, then a Sandisk Sansa at 2GB.

Then on my birthday, my wife surprised me with a 30GB Zune, just what I wanted. I know there are other more recent models, but I can’t justify the expense of a 120GB model, and the others are too small of a display to be interesting. The Zune HD seems like it would be perfect, but I bet it’ll be too expensive for me to justify.

I really enjoy the Zune, and it solves many of the problems I’ve hated about the Sansa – the biggest being, as I described before, that it requires me to install (and carefully watch for sneaky encroachment) Quicktime, and to run the video/photo converter as an administrator.

So, now that the Zune solves the big problems, I’m starting to become aware of the less horrifying aspects of media player ownership.

Here are the first few little problems (note that this isn’t entirely insurmountable):

• Playing a video, or a podcast, kills off the “Now Playing” list.
• While you can resume a video, or a podcast, you can’t resume a playlist.
• You can’t create a playlist on the device – although you can add Music selections to “Now Playing”, you can’t rename the list, and “Now Playing” gets killed off so easily.
• You can’t resume a music item after you’ve paused it and played another. This makes the music folders useless for my radio programmes.
• When playing an MP3 file in the music folder, if the MP3 file has a picture (in the ID3 Picture tag), the picture is cropped to fit the display – I’d rather see it shrunk.
• Pictures from MP3 files are not displayed individually – one of them is selected as the “Album Art”, and is then displayed for all subsequent MP3s with the same ID3 Album tag. I’d rather see the pictures from the individual MP3s (who knows, maybe they’re important?)
• MP3 files from the music folder appear in the “social” under your tag, and the system tries to guess what you’re listening to. Usually appallingly badly. For instance, I play “The Eureka Years”, a radio programme from the BBC, recorded as an MP3 file with appropriate Author and AlbumTitle tags – it lists as the song “Eureka” by “Jim O’Rourke”. I haven’t found where you can correct this, or delete it – goodness only knows how you cope with embarrassing selections made by this guessing algorithm.
• You can’t delete a music MP3 file from the device without using the PC. Not much use when I’m on the bus and want to say “yep, I’ve heard that, now delete it”.

Like I said, those are the first few problems I’ve encountered.

Most of these problems seem to be solved by turning my recorded radio programmes into podcasts. Apparently you do this by moving the MP3 files into the podcast directory prior to syncing, and by changing the ID3 Genre tag to “Podcast”. That’s certainly far better, but there are still more problems I’ve encountered with that:

• Podcasts without an accompanying XML RSS feed don’t sort right. They should sort primarily by the MP3’s ID3 track #, then by date and time, and finally by name. It appears that the Zune is sorting them primarily by date (ignoring the time!) and then by name, and totally ignoring the track number.
• When sorting the tracks in a podcast by name, the sort is alphabetical, with no consideration given to numerical sorting, so my recording of “Journey into Space, World In Peril” plays in the order 1, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 2, 20, 3, 4, 5, 6, 7, 8, 9. And remember, that’s even with the track numbers present and correct (although maybe it is sorting by track number, but doing it alphabetically rather than numerically!)
• I’d rather that podcasts were picked up properly without my having to change the Genre tag – I like my Genre tags to read “Comedy”, or “Drama/SciFi & Fantasy” – and it’d be nice if the podcast tool allowed me to sub-sort the podcasts based on the genre, too!
• You can’t “queue up” the podcasts into a “now playing” list, or any other kind of playlist.
• Podcasts don’t display the Picture stored in the ID3 tag of the MP3 file – not even as “album art”. The only time images are displayed for podcasts is when the image is referenced in an accompanying XML RSS feed.

So, the next solution set would be to publish an RSS feed.

Unfortunately, this leads to the next failure.

• You can’t subscribe to a “file://” based URL – podcast feeds must all start “http://”, which means putting a web server to work even if you’re building a personal podcast feed that exists only between your computer and its associated Zune.

Other problems I’ve experienced are DRM-like, and we all know that I find DRM to be hugely objectionable. Specifically, I can’t transfer any IFC programmes onto my Zune from my Windows Vista Media Center PC, because apparently they’re all tagged as “copyright”. Note that’s my Media Center PC, transferring to my Zune so that I can watch programming recorded from my DirecTV subscription – no theft involved there, I paid for that content, but can not watch it in my chosen locale or medium.

I can only hope that someone at Microsoft reads this post, and reassures me that they’re going to do better with the release of the ZuneHD – and, because I almost certainly can’t afford a ZuneHD (although anyone who knows me will tell you how excited I’ve been about OLEDs for the last year or so), I hope that many of these improvements are back-ported to my lowly Zune 30. I’d be happy to expound on any of these points to get them addressed.

Oh, and if you ask – I would definitely and whole-heartedly recommend getting a Zune. I know that I’m going to be buying one for my wife as soon as I can find it at the right price (I’m hoping for a Woot-off or perhaps a bag of crap containing a Zune]. All the problems I’ve outlined above are really minor and piddly, but it’s these kind of tweaks that turn a merely good product into a great product. I only complain about them because the Zune is so close to perfection for me, it can be fixed with relatively little effort. The Sansa and its software were so far from perfection that it seems likely that the development team totally don’t “get it”. [The Creative Muvo was actually pretty much perfect for what was achievable at the time.]

So, am I missing any obvious tricks for my Zune? Can I get the BBC programmes on it in a better way? [Yes, I know about the BBC podcasts, but there are shows that the BBC just don’t podcast.]

Microsoft TechFest

Last week, I went to Microsoft’s TechFest as part of their “Public Day”. This is the first time MVPs as a group have been invited to this event, and although it’s clear we missed some of the demonstrations that are not public-ready, this is something that I hope can be extended to us in future, even if only to Washington-state MVPs

For general news links on MS TechFest 2009, you can search news.google.com for “TechFest”. Here’s a couple of samples:

http://www.king5.com/video/index.html?nvid=335707 – I didn’t see these guys there.

http://www.guardian.co.uk/technology/blog/2009/feb/25/microsoft-software - I bumped into this guy.

I also saw Chris Pirillo there from LockerGnome and Chris.Pirillo, but he hasn’t written anything yet. I only mention him because it’s about time that I thanked him for being one of the earliest online writers (they were called “e-Zines” back then, apparently) to mention WFTPD in his column. Sadly, I don’t have a copy to remember what it is that he said :(

Apologies to anyone who expected to reach me by email that day – the usual computers spread around the Microsoft Conference Centre for email and web browsing were missing, possibly because the Press were there, and they’ll steal anything that isn’t nailed down, before coming back with crowbars.

So, here’s some description of the things I saw, ranging from the exciting and relevant to the “why is Microsoft spending money on that?” [Note that this is not meant to be disrespectful of ‘pure research’ – often, today’s “useless meanderings” become tomorrows product – WFTPD itself started from a momentary “how hard can it really be?” lapse in my own judgement, followed by a little research and a lot of effort.]

Specification Inference for Security

To improve focus on potential security faults in static analysis tools, this is a toolset whose approach is to divide functions into Sources, Sinks and Sanitizers (although that alliteration is liable to lead to confusion) – Sources generate untrustworthy data from input, Sinks consume data that they trust will fit their expectations, and Sanitizers transform the data along the way, ideally making sure that it goes from untrustworthy to trusted. Thinking in terms of a SQL injection, the Source would be a web server receiving input from a user containing a SQL command, the Sink would be the SQL server, and the Sanitizer would be whatever code packages the input and determines whether to pass it to the SQL server, and what changes to make (such as requiring proper quoting, or using a stored proc or parameterized query). Once these categorizations have been made, the static analysis tool can check that Sanitizers actually do sanitize – rather than having to try and analyse every function for possible sanitization. http://research.microsoft.com/merlin

Concurrency Analysis Platform and Tools

Enhances your test tool set by allowing tests to run with multiple permutations of concurrency. Race conditions are usually caught by users, or in production environments, because the environments cause different threads or processes to run at different speeds – with this toolkit, you get to try out multiple combinations of execution sequence, so that you are more likely to trigger the race condition. Of course, you still have to write tests that consider the prospect of doing more than one thing at a time, and because there are a large number of concurrency permutations, it’s not a turn-key solution, but it does allow you to debug concurrency issues more methodically, and catch those that appear more frequently. http://research.microsoft.com/chess - and this one’s available for download as an add-on to Visual Studio!

Lightweight Software Transactions for Games

Not just for games, the ORCS platform (Object-based Runtime for Concurrent Systems) makes coding multi-threaded applications easier and more problem-free. http://research.microsoft.com/orcs

Closed-Loop Control Systems for the Data Center

Power consumption monitoring and control allows for servers to be brought online or offline as computing demands change, so that as usage ramps up, more servers are turned on, and as usage declines, servers are turned off. I don’t think this is entirely original.

Algorithms and Cryptography

Cryptographic solutions with leakage. Unfortunately, the lady who came up with this wasn’t on hand to discuss her work, and her husband standing in for her didn’t seem to understand much about it either. The poster claimed an algorithm whereby you could leak some of your key to an attacker without reducing the strength of the key. I’m not sure how this works, or where it differs from having redundant information in the keys, or something like M of N crypto, but maybe it’ll be something that will affect our field in the years to come.

Opinion Search

Full of marketing jargon and too dense for me to penetrate, this is something that we could potentially use in the business side of Expedia, making use of customer opinions to allow search results to match the user’s opinion against the opinions of others with whom they have consistently agreed in the past, and can be expected to do so in the future.

Low-Power Processors in the Data Center

Using Netbook processors for data processing in a parallel environment allows for significant power savings.

Audio Spatialisation and AEC for Teleconferencing

Relying on the rise of computer-phone integration, and the fact that most computers have stereo speakers, this is a system for teleconferencing where different parties are given a different spot in the stereo spatialisation. Makes it much easier to tell who’s talking.

SecondLight

Surface computing taken to another level, literally. The surface on which images are projected is usually a light diffuser, so that the image effectively “stays” on the surface. In this implementation, the surface is rapidly switched between diffuse and transparent, so that you can use a secondary diffuser surface on top, which shows a different image. You have to see a demonstration to understand it - mms://wm.microsoft.com/ms/research/projects/secondlight-cambridge/secondlight.wmv - it’s a little flickery, in real-life too, but the team assured me that it can be made less so.

Commute UX – Dialog System for In-Car Infotainment

Will this stop executives requesting shorter passwords for unlocking their phone while driving? Probably not.

Back-of-Device Touch Input

Anyone using an iPhone or similar touch-based device will be familiar with the issue that your fingers are covering the image you’re trying to manipulate. By putting a sensor panel on the back of the device, you can reduce the size of the display without making it impossible to read while you select.

Augmented Reality

Combining GPS location with stock footage of the place you’re in, this is all about placing extra information into a view (such as a cell-phone with a video camera, or maybe eventually a heads-up display in glasses / goggles) of the world around you, by recognising where you are. Can be used for games, directions, advertising, city guides, or post-it notes without the paper.

Recognizing characters written in the Air

Entertaining just to watch people dragging an apple around to make letters on a screen in front of them. Probably more useful in the mode where the lid of an OHP pen is the “bright spot of strong solid colour” being tracked in mid-air.

Colour-structured Image Search

Draw a rough colour picture of the image you want to see, and get a page of search results from around the web. The demonstrations consisted of drawing pictures of flowers, or flags, or a sunset. I foresee widespread abuse once deployed, although it will mean that people who usually draw on bathroom walls will be moving their talents online.

MVP Summit 2009 is here!

I snapped this picture last week at Microsoft' Research’s Tech-Fest event.

Microsoft always makes the visiting MVPs feel welcome at Global Summit time, when all MVP awardees are invited to visit Microsoft’s campus, and engage in face-to-face conversations with various Microsoft Product Groups about the feedback they’re seeing from the users they talk to in their various forums, whether that’s Usenet newsgroups, web forums, user groups, or book and magazine readers.

This year, in large part thanks to the efforts of one of the other Security MVPs, Dana Epps, we have a fantastic schedule of in-depth sessions on identity frameworks, threat modeling, Microsoft’s internal security, and a number of other topics that I should perhaps keep quiet about.

The other benefit to me, as an MVP, from these sessions is that I get to network with other MVPs – all of whom are intelligent, driven individuals with expertise in a wide variety of fields, not just my own area of Enterprise Security.

Already I’ve spoken to a number of people in conversations that I intend to continue long after the Summit is over. I’ve made some new friends, met plenty of old friends, and expanded and strengthened existing social connections.

It’s a little sad that the worsening economic climate has caused a number of MVPs from outside the US to not attend this year’s Summit, and even some from inside the country. But it does appear that the MVP programme is still strong, as around 1500 MVPs from around the world are in attendance.

For those wondering about the swag bag, we got a cloth bag, stickers, a pen, and a water bottle. The shirts will be arriving on Wednesday (thank you, US Customs!). The benefit is more in the programme of technical sessions than the bag, unlike some technical conferences, where your $2500 entrance fee gets you a rather spectacular bag of ‘freebies’ and a number of sessions scheduled such that all the ones you want to see are in the same time slot.

I have to say, I love the stickers. Being a part of the MVP programme is a really nice thing that Microsoft does to say ‘thank you’ to people who are assisting Microsoft’s customers in newsgroups, user groups, etc, and who would continue to do so anyway, even if Microsoft ended the MVP programme. As such, I think it’s an excellent recognition, and I’m proud of the fact that I was awarded – so I like to show it off, mainly by plastering stickers on my various technology items like laptops and PDAs.

If Your GPS Worked Like An Information Security Team

… it would fend off dangerous drivers from hitting you.

… it would give you regular statistics on the number of accidents on your daily route, so you could make decisions to avoid newly bad parts of town.

… it would help you plan your route to avoid the sorts of areas that have bad accidents, so that you would not be a part of one.

… it would give you hints on how to be a better driver, and train you every so often to keep your driving skills sharp.

… it would observe other accidents and gauge trends, to advise you what previously safe driving habits to avoid.

… it would co-operate with you in planning a trip, to help you choose the quickest, safest route to your destination.

… it would teach you how to read maps, so you could make safe routing decisions for yourself.

… it would work with your mechanic, so that every time your car went in for a service, it would come back safer.

… it would work with the police to let them know where the bad parts of town are, so that they could be cleaned up.

… it would let you know any time you were about to run a stop-light or exceed the speed limit, so that you could make an informed decision, rather than accidentally break the law and get pulled over.

Yes, it’s  another argument by analogy, which is something I dislike in general – but I see too many times when the Information Security Team is perceived as a “STOP” sign. The Security Team is employed by the same organisation as you, and therefore has the same business goals – just a different focus. Its focus is to ensure that the company can carry on doing business without interruption by hackers, crackers, viruses, spyware, regulatory and contractual damages, or public relations disasters caused by inappropriate data disclosure.

I think a GPS is a better analogy, then – if you follow the Security Team's advice, or at least listen to it, you’ll be aware of the risks of the different ways to your –our- destination.

When “All” isn’t everything you need – Terminal Services Gateway certificates.

Setting up Terminal Services Gateway on Windows Server 2008 the other day.

It’s an excellent technology, and one I’ve been waiting for for some time – after all, it’s fairly logical to want to have one “bounce point” into which you connect, and have your connection request forwarded to the terminal server of your choice. Before this, if you were tied to Terminal Services, you had to deal with the fact that your terminal connection was taking up far more traffic than it should, and that the connection optimisation settings couldn’t reliably tell that your incoming connection was at WAN speeds, rather than LAN speeds.

But to get TS Gateway working properly, it needs a valid server certificate that matches the name you provide for the gateway, and that certificate needs to be trusted by the client. Not usually a problem, even for a small business operating on the cheap – if you can’t afford a third-party trusted certificate, there are numerous ways to deploy a self-signed certificate so that your client computers will trust it.

I have a handily-created certificate that’s just right for the job.

I ran into a slight problem when I tried to install the certificate, however.

The certificate isn’t there! In this machine, it isn’t even possible for me to “Browse Certificates” to find the certificate I’m looking for. On another machine, the option is present:

That’s promising, but my certificate doesn’t appear in the list of certificates available for browsing:

I checked in the Local Computer’s Personal Certificates store, which is where this certificate should be, and sure enough, on both machines, it’s right there, ready to be used by TSG.

So, why isn’t TSG offering this certificate to me to select? The clue is in the title.

The certificate that doesn’t show up is the one with “Intended purposes: <All>” – the cert that shows up has only “Server Authentication” enabled. Opening the certificate’s properties, I see this:

Simply selecting the radio-button “Enable only the following purposes”, I click “OK”:

And now, back over in the TSG properties, when I Browse Certficates, the Install Certificate dialog shows me exactly the certificates I expected to see:

This isn’t a solution I would have expected, and if that one certificate hadn’t shown up there, I wouldn’t have had the one clue that let me solve this issue.

Hopefully my little story will help someone solve this issue on their system.

Debugging SSTP error -2147023660

Setting up an SSTP (Secure Socket Tunneling Protocol) connection earlier, I encountered a vaguely reminiscent problem. [SSTP allows virtual private network – VPN – connections between clients running Vista Service Pack 1 and later and servers running Windows Server 2008 and later, using HTTP over SSL, usually on port 443. Port 443 is the usual HTTPS port, and creating a VPN over just that port and no other allows it to operate over most firewalls.]

The connection just didn’t seem to want to take, even though I had already followed the step-by-step instructions for setting up the SSTP server. I thought I had resolved the issue originally by ensuring that I installed the certificate (it was self-signed) in the Trusted Roots certificate store. [If the certificate was not self-signed, I would have ensured that the root certificate itself was installed in Trusted Roots]

The first thing I did was to check the event viewer on the client, where I found numerous entries.

I found error -2147023660 in the Application event log from RasClient. This translates to 0x800704D4, ERROR_CONNECTION_ABORTED. That was pretty much the same information I already had, that the connection was being prevented from completing. So I visited the server to see if there was more information there.

On the server, I couldn’t find any entries from the time around when I was trying to connect. Not too good, because of course that’s where you’re going to look. In some cases, particularly errors that Microsoft thinks are going to happen too frequently, the conditions are checked at boot-time, and an error reported then, rather than every time the service is called on to perform an action.

Fortunately, it hadn’t been that long since I last booted (and I had a hint or two from the RRAS team at Microsoft), so my eyes were quickly drawn to an Event with ID 24 in the System Log, sourced at Microsoft-Windows-RasSstp. The text said:

The certificates bound to the HTTPS listener for IPv4 and IPv6 do not match. For SSTP connections, certificates should be configured for 0.0.0.0:Port for IPv4, and [::]:Port for IPv6. The port is the listener port configured to be used with SSTP.

Note that this happens even if your RRAS server isn’t configured to offer IPv6 addresses to clients.

So, here’s some documentation on event ID 24 :

http://technet.microsoft.com/en-us/library/cc733844.aspx

This is one of those nasty areas where there is no user interface other than the command-line. Don’t get me wrong, I love being able to do things using the command line, because it’s easy to script, simple to email to people who need to implement it, and it works well with design-approve-implement processes, where a designer puts a plan together that is approved by someone else and finally implemented by a third party. With command-line or other scripts, you can be sure that if the script didn’t change on its way through the system, then what was designed is what was approved, and is also what was implemented.

But it’s also easy to get things wrong in a script, whereas a selection in a UI is generally much more intuitive. It’s particularly easy to get long strings of hexadecimal digits wrong, as you will see when you try and follow the instructions above. Make sure to use copy-and-paste when assembling your script, and read the output for any possible errors.

The CWE Top 25 Programming Mistakes

I’ve read some debate about the top 25 programming mistakes as documented by the CWE (Common Weakness Enumeration) project, in collaboration with the SANS Institute and the MITRE . That the list isn’t complete, that there are some items that aren’t in the list, but should be, or vice-versa.

I think we should look at the CWE top-25 as something like the PCI Data Security Standard – it’s not the be-all and end-all of security, it’s not universally applicable, it’s not even a “gold standard”. It’s just the very bare minimum that you should be paying attention to, if you’ve got nowhere else to start in securing your application.

As noted by the SANS Institute, the top 25 list will allow schools and colleges to more confidently teach secure development as a part of their classes.

I personally would like to see a more rigorous taxonomy, although in this field, it’s really hard to do that, because in large part it’s a field that feeds off publicity – and you just can’t get publicity when you use phrases like “rigorous taxonomy”. Here’s my take on the top 25 mistakes, in the order presented:

Insecure Interaction Between Components

“These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.”

• CWE-20: Improper Input Validation
• What’s proper input validation? Consider the thought that there is no input, no output, only throughput. A string is received at the browser, and turned into a byte encoding; this byte encoding is sent to the web server, and possibly re-encoded, before being held in storage, or passed to a processing unit. For every input, there is an output, even if it’s only to local in-memory storage.
• Validating the input portion falls broadly into two categories – validating for length, and validating for content. Validating for length seems simple – is it longer than the output medium is expecting? You should, however, check your assumptions about an encoding – sometimes encodings will add, and sometimes they will remove, counts of the members of the sequence – and sometimes they may do both.
• Validating for content can similarly be broken into two groups – validating for correctness against the encoding expected, and then validating for content as to “business logic” (have you supplied a telephone number with a square-root sign or an apostrophe in it, say). Decide whether to strip invalid codes, or simply to reject the entire transaction. Usually, it is best (safest) to reject the entire transaction.
• CWE-116: Improper Encoding or Escaping of Output
• The other part of “throughput validation” – and while we constantly tell programmers that they should refuse to trust input, that should not be held as an excuse to produce untrustworthy output. There are many times when your code is trusted to produce good quality output. Some examples:
• When you write a web application visited by a user, that user trusts you not to forward other people’s code on to them. Just your own, and that of your business partners. [See Cross-Site Scripting, below]
• When your application is used internally [See SQL Injection, below]
• Be conservative in what you send – make sure it rigorously follows whatever protocol or design-time contract has been agreed to. And above all, when sending data that isn’t code, make sure to encode it so that it can’t be read as code!
• CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
• SQL Injection is a throughput validation issue. In its essence, it involves an attacker who feeds SQL command codes into an interface, and that interface passes them on to a SQL database server.
• This is almost an inexcusable error, as it is relatively easy to fix. The fix is usually hampered somewhat in that the SQL database server is required to trust the web server interface code, but that means only that the web server interface code must either encode, or remove, elements of the data that is being passed in the SQL command sequence being sent to the server. The most reliable way to do this is to use parameterised queries or stored procedures. Avoid building SQL commands through concatenation at almost any cost.
• CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
• I hate the term “cross-site scripting”. It’s far easier to understand if you just call it “HTML injection”. Like SQL injection, it’s about an attacker injecting HTML code into a web page (or other HTML page) by including it as data, in such a way that it is provided to the user as code.
• Again, a throughput content validation issue, anything that came in as data and needs to go out as a part of an HTML page should be HTML encoded, ideally so that only the alphanumerics are unencoded.
• CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
• Like SQL injection, this is about generating code and including data. Don’t use your data as part of the generation of code.
• There are many ways to fix this kind of an issue – my favourite is to save the data to a file, and make the code read the file. Don’t derive the name or location of the file from the user-supplied data.
• CWE-319: Cleartext Transmission of Sensitive Information
• What’s sensitive information? You decide, based on an analysis of the data you hold, and a reading of appropriate laws and contractual regulations. For example, with PCI DSS, sensitive information would include the credit card number, magnetic track data, and personal information included with that data. Depending on your state, personal contact information is generally sensitive, and you may also decide that certain business information is also sensitive.
• Seriously, SSL and IPsec are not significant performance drains – if your system is already so overburdened that it cannot handle the overhead of encrypting sensitive data, you are ALREADY too slow, and only providence has saved you from problems.
• Especially where the data is not your own, make an informed decision as to whether you will be communicating in clear text.
• CWE-352: Cross-Site Request Forgery (CSRF)
• Another confusing term, CSRF refers to the ability of one web page to send you HTML code that your browser will execute against another web page. This really is cross-site, and forges requests that look to come from the user, but really come from a web page being viewed in the user’s browser.
• The fix for this is that every time you display a form (or even a solitary button, if that button’s effects should be unforgeable), you should include a hidden value that contains a random number. Then, when the “submit” (or equivalent) button is pressed, this hidden value will be sent back with the other contents of the form. Your server must, of course, validate this number is correct, and must not allow the number to be long-lived, or be used a second time. A simple fix, but one that you have to apply to each form.
• This really falls under a category of guaranteeing that you are talking to the user (or the user’s trusted agent), and not someone pretending to be the user. Related to non-repudiation.
• CWE-362: Race Condition
• Race conditions refer to any situation in which the execution of two parallel threads or processes behaves differently when the order of execution is altered. If I tell my wife and son to go get a bowl and some flour, and to pour the flour into the bowl, there’s going to be a mess if my wife doesn’t get the bowl as quickly as my son gets the flour. Similarly, programs are full of occasions where a precedence is expected or assumed by the designer or programmer, but where that precedence is not guaranteed by the system.
• There are books written on the topic of thread synchronisation and resource locking, so I won’t attempt to address fixing this class of issues.
• CWE-209: Error Message Information Leak
• Be helpful, but not too helpful. Give the user enough information to fix his side of the error, but not so much that he has the ability to learn sensitive information from the error message.
• “Incorrect user name or password” is so much better than “Incorrect password for that user name”.
• “Internal error, please call technical support, or wait a few minutes and try again” is better than “Buffer length exceeded at line 543 in file c:\dev\web\creditapp\cardcruncher.c”
• Internal information like that should be logged in a file that is accessible to you when fixing your system, but not accessible to the general end users.

Risky Resource Management

“The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.”

• CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
• The old “buffer overflow” – a throughput length validation issue.  Any time you take data from one source and place it into another destination, you have to reliably predict whether the destination is large enough to hold it, and you also have to decide what you will do if it is not.
• Don’t rely solely on .NET or Java “protecting you from buffer overruns” – when you try and access an element outside of a buffer’s limits, they will simply throw an exception – crashing your program dead in its tracks. This in itself could cause half-complete files or other communications, which could feed into and damage other processes. [And simply catching all exceptions and continuing blindly is something I’ve complained about before]
• CWE-642: External Control of Critical State Data
• By “Critical State Data”, this refers to information about where in the processing your user is. The obvious example of bad external control of critical state data is sending the price to the user, and then reading it back from the user. It obviously isn’t too hard from an attacker to simply modify the value before sending it to the server.
• Other examples of poorly chosen state being passed includes the use of customer ID numbers in URLs, in such a way that it is obvious how to select a different customer’s number.
• State data such as this should generally be held at the server, and a ‘reference’ value exchanged to allow the server to regain state when a user responds. If this value is populated among users sufficiently sparsely, it’s close to impossible for an attacker to steal someone else’s state.
• CWE-73: External Control of File Name or Path
• This is related to forced-browsing, path-traversal, and other attacks. The idea is that any time you have external paths (such as URLs) with a direct 1:1 relationship to internal paths (directories and paths), it is usually possible to pass path control from the external representation into the internal representation.
• Make sure that all files requested can only come from a known set of files; disable path representations (such as “..”, for ‘parent directory’) that your code doesn’t actually make use of.
• Instead of trying to parse the strings yourself to guess what file name the operating system will use, always use the operating system to tell you what file name it’s going to access. Where possible, open the file and then query the handle to see what file it really represents.
• CWE-426: Untrusted Search Path
• Windows’ LoadLibrary is the classic example of this flaw in design – although the implicit inclusion of the current directory in Windows’ execution PATH searched is another.
• When writing programs, you can only trust the code that you load or call if you can verify where you are loading or calling it from.
• A favourite trick at college was to place ‘.’ at the front of your path, add a malicious shell file called ‘rm’, and invite a system administrator to show you how to kill a print job. The “lprm” command he’d run would call “rm”, and would run the local version, rather than the real command. Bingo, instant credentials!
• Don’t search for code that you trust – know where it is, and if it isn’t there, fail.
• CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
• I find it hard to imagine the situation that makes it safe to generate code in any way based off user input.
• Perhaps you could argue that this is what you do when you generate HTML that contains, as part of its display, user input. OK then, the answer here is to properly encode that which you embed, so that the code processor cannot become confused as to what is code and what is data.
• CWE-494: Download of Code Without Integrity Check
• Either review the code that you download, or insist that it is digitally signed by a party with whom you have contracted for that purpose. Otherwise you don’t know what you are downloading or what you are executing.
• CWE-404: Improper Resource Shutdown or Release
• This covers a large range of issues:
• Don’t “double-free” resources. Make sure you meticulously enforce one free / delete for every allocation you make. Otherwise, you wind up releasing a resource that you wanted to hang onto, or you may crash your program.
• If the memory you’re about to release (or file you’re about to close) contained sensitive information, make sure it is wiped before release. Verify in the release build that the optimiser hasn’t optimised away this wiping!
• Make sure you release resources when they are no longer in use, so that there are no memory leaks or other resource overuse problems that will lead to your application becoming bloated and fragile.
• CWE-665: Improper Initialization
• Lazy languages like Javascript, where a mistype becomes an instant variable assignment, should be avoided.
• Define all variables’ types – no “IMPLICIT INTEGER*4 (I-N)” (Am I showing my age?)
• Put something into your variables, so that you know what’s there. Don’t rely on the compiler unless the compiler is documented to guarantee initialisation.
• By “variable”, I mean anything that might act like a variable – stretches of memory, file contents, etc.
• CWE-682: Incorrect Calculation
• Again, a multitude of sins:
• “should have used sin, but we actually used cos”
• divide by zero – or some similar operation – that causes the program to halt
• length validation / numeric overflow – in a single byte, 128 + 128 = 0
• As you can see, a denial of service can definitely occur, as can remote execution (usually a result of calculating too short a buffer, as a result of numeric overflow, and then overflowing the buffer itself)
• Don’t underestimate the possible results of just plain getting the answer wrong – cryptographic implementations have been brought to their knees (and resulted in approving untrustworthy access) because they couldn’t add up properly.

Porous Defenses

“The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.”

• CWE-285: Improper Access Control (Authorization)
• This one pretty much speaks for itself. There’s public parts of your application, and there’s non-public parts. Make sure that you have to provide authentication before crossing that boundary, and make sure that the user account verified in authentication is the one that’s used for authorisation to access resources.
• Carry user authentication information around carefully, without letting it be exposed to other forms of attack, but also to make sure that the information is available the next time you need to authorise access to resources.
• CWE-327: Use of a Broken or Risky Cryptographic Algorithm
• Translation – get a crypto expert to manage your crypto. [Note – this is why I recommend using CryptoAPI rather than OpenSSL, because you have to be your own expert to use OpenSSL.]
• New algorithms arise, and old ones become obsolete. In the case of cryptographic algorithms, obsolete means “no longer effectively cryptographic”. In other words, if you use an old algorithm, or a broken algorithm, or don’t use an existing algorithm the right way, your data isn’t as protected as you thought it was.
• Where possible, use a cryptographic framework such as SSL, where the choice of cryptographic algorithms available can be adjusted over time to deal with changing realities.
• CWE-259: Hard-Coded Password
• If there’s a hard-coded password, it will be discovered. And when discovered, it will be disseminated, and then you have to figure out how to get the message out to all of your users that they can now be owned because of your application. Not an easy conversation to have, at a guess.
• This is a “just don’t do it” recommendation, not a “do it this way” or “do it that way”.
• CWE-732: Insecure Permission Assignment for Critical Resource
• If a low-privilege user can lock, or corrupt, a resource that is required for high-importance transactions, you’ve created an easy denial-of-service.
• If a low-privilege user can modify something that is used as a basis for trust assignments, there’s an elevation of privilege attack.
• And if a low-privilege user can write to your code base, you’re owned.
• CWE-330: Use of Insufficiently Random Values
• Give me a random number. 7. Give me another random number. 7. And another? 7.
• How do you tell if a number is random enough? You hire a mathematician to do a statistical analysis to see if the next number is predictable if you know any or all of the previous numbers.
• This mostly ties into CWE-327, don’t do your own crypto if you’re not a crypto expert (and by the way, you’re not a crypto expert). However, if you’re hosting a poker web site, it’s pretty important to be able to shuffle cards in an unpredictable manner!
• Remember that the recent Kaminsky DNS attack, as well as the MD5 collision issues, could have been avoided entirely by the use of unpredictable numbers.
• CWE-250: Execution with Unnecessary Privileges
• Define “unnecessary”? No, define “necessary”. That which is required to do the job. Start your development and testing process as a restricted user. When you run into a function that fails because of lack of privileges, ask yourself “is this because I need this privilege, or can I continue without?”
• Too many applications have been written that ask for “All” access to a file, when they only need “Read”.
• Too many applications demand administrator access when they don’t really need it. I’m talking to you, Sansa Media Converter.
• CWE-602: Client-Side Enforcement of Server-Side Security
• I’ve seen this one hundreds of times. “We prompt the user for their birth date, and we reject invalid day numbers”; “Where do you reject those?”; “In the user interface so it’s nice and quick”. Great, so I can go in and make a copy of your web page, delete the checks, and input any number I like. Don’t consider it impossible that an attacker has written his own copy of the web browser, or can interfere with the information passing through the network.

What’s missing?

Glaringly absent, as usual, is any mention of logging or auditing.

Protections will fail, always, or they will be evaded. When this happens, it’s vital to have some idea of what might have happened – that’s impossible if you’re not logging information, if your logs are wiped over, or if you simply can’t trust the information in your logs.

Maybe I say this because my own “2ndAuth” tool is designed to add useful auditing around shared accounts that are traditionally untraceable – or maybe it’s the other way around, that I wrote 2ndAuth, because I couldn’t deal with the fact that shared accounts are essentially unaudited without it?

Of course, that leads to other subtleties – the logs should not provide interesting information to an attacker, for instance, and you can achieve this either by secreting them away (which makes them less handy), or by limiting the information in the logs (which makes them less useful).

Another missing issue is that of writing software to serve the user (all users) – and not to frustrate the attacker. [Some software reverses the two, frustrating the user and serving the attacker.] We developers are all trained to write code that does stuff – we don’t tend to get a lot of instruction on how to write code that doesn’t do stuff.

Another mistake, though it isn’t a coding mistake as such, is the absence of code review. You really can’t find all issues with code review alone, or with code analysis tools alone, or with testing alone, or with penetration testing alone, etc. You have to do as many of them as you can afford, and if you can’t afford enough to protect your application, perhaps there are other applications you’d be better off producing.

Other mistakes that I’d like to face head-on? Trusting the ‘silver bullet’ promises of languages and frameworks that protect you; releasing prototypes as production, or using prototype languages (hello, Perl, PHP!) to develop production software; feature creep; design by coding (the design is whatever you can get the code to do); undocumented deployment; fear/lack of dead code removal (“someone might be using that”); deploy first, secure later; lack of security training.

“Fully Stealthed” means fully spoofable

Every so often, someone on one of the security mailing lists to which I subscribe will post a frothing rant from someone who has discovered their own personal “magic bullet” which solves all their security woes. This time, it’s a guy who was convinced that Microsoft’s recent out-of-band Internet Explorer patch MS08-078 is actually a conspiracy by Microsoft (and the government, of course) to invade your computer.

Okay, now aside from the point that, technically, Microsoft “pwns” your computer if you run their OS, and they don’t need to install patches to continue to do so; aside from the Ballmer defence (“If we were actually evil, don’t you think we’d be doing a better job at it?”; aside from that and many other considerations, what evidence did this guy have that the patch is a conspiracy?

Gibson Research’s ShieldsUp site reported that his system was “Fully Stealthed”.

[For those of you non-geeks reading the blog, that means that his firewall was closed up so tight that his system was not responding to any attempt to connect.]

Many other people have made, or will make, the obvious note that the patch is for a browser client bug, whereas the firewall ignoring all incoming requests only protects against server-related bugs, so I’ll leave it to those people to discuss that.

My concern is that Gibson is still pitching the idea that “Fully Stealthed” is a good idea.

TCP/IP, the network protocol on which much of the Internet is currently based, is designed around certain error reporting mechanisms that keep the system able to route around trouble.

One of these mechanisms is the TCP RST (reset) flag. The reset flag a great tool, as it says in a single bit “I received this packet, but I can completely guarantee that it’s not meant for me”. Another similar mechanism is the “ICMP Host Unreachable” response, which says “You appear to be trying to send a packet through me to another machine, but although I’m not a bad place to send that packet through, I can’t seem to reach that machine just now”.

When you’re “Fully Stealthed” (or completely non-responsive, if you prefer), it’s like you’re a black hole, and neither the TCP RST flag nor the ICMP Host Unreachable errors are returned from your system.

That’s great, right, because it means that your attackers can’t tell you’re there? It’s like you’re a black hole, no one can see you, right?

That sounds good in theory, except that even black holes can be seen, because they don’t act like the empty space that might otherwise be there.

Similarly, a “Fully Stealthed” machine gives away its presence by occupying an IP address that will not respond at all when you try to contact it. Very much like a black hole, it’s clear that it’s there, because if there was nothing there, the upstream routers would be passing back ICMP Unreachable messages.

OK, so maybe they know that I’ve got a machine here, at this IP address, but it’s safe, because it’s Fully Stealthed – Stealth just sounds so cool, especially since it’s a verbed noun! It’s alright that I look like a hole to the rest of the Internet, because nobody can do anything to me!

Wrong again.

The attacker can pretend to be you, because there’s nothing you’re going to say about it.

Let me qualify that – of course, the attacker can’t use your password if he doesn’t know it, nor can he use your private keys. But he can use another thing that some sites use as part of the proof that you are who you claim to be.

He can use your IP address.

A few things prevent this normally:

1. The attacker never gets to see responses to his traffic – but for the most part, he may be able to guess these, and perhaps he can see those responses, if he’s sniffing your line, for example.
2. You get to see the responses to the attacker – this allows your computer to say “I received this packet, but I can completely guarantee that it’s not meant for me” – in other words, to send a RST back.
3. If the attacker can’t see his responses, he needs to guess the random sequence number that is supplied in the SYN-ACK packet. Again, this isn’t a problem for the attacker if he’s sniffing your line, but it’s also not a problem for the attacker if he can guess the sequence number somewhat reliably. This happens every now and again, as network stack developers fail to predict ways in which their own randomness can be predicted.

So, number 1 and 3 aren’t always a barrier – number 2 is definitely a barrier if the attacker needs to maintain the connection for more than a few fractions of a second, as the RST from the spoofed IP address will cause the server to drop the connection and ignore what the attacker is trying to do.

So, this is a valuable protection that a “fully-stealthed” firewall is going to throw away for you – the ability to spot when someone is spoofing your IP address, and to respond back to say “uh, that isn’t me – stop talking to him”.

A firewall should behave as if the machine is present but disinterested, and should actively refuse misguided connection attempts and responses, not merely ignore them. There’s a big difference between the two behaviours. Don’t use the sensationalist terminology of a poor substitute for an expert as a replacement for understanding of your risks and threats.

Microsoft Security Advisory – MD5 collisions

I would hardly be able to call my blog “Tales from the Crypto” if I didn’t pass at least some comment on the recent Microsoft Security Advisory, and the technical pre-paper on which it is based.

To an uninformed reader, the advisory (and especially the paper) doesn’t make a whole lot of sense, as with most cryptography documents. If there’s an attack on a cryptographic technology, doesn’t that mean it’s broken and we should stop using it?

Not really, no. We should stop using, or shore up, those components that have an increased vulnerability.

First, let’s remember that cryptography is necessarily full of mathematical theory and that it is very much a developing field. If I say something along the lines of “magic happens here”, please accept that at face value. It means that there is something hugely full of mathematical complexity that I don’t understand, but which has been assessed by mathematicians who know more than I do about the subject.

How do certificates work?

So, a little background, and an explanation of the attack, before we get to the mitigations.

Every time you use HTTPS (HTTP over SSL / TLS), there’s an identifying exchange – at the very least, the server identifies itself to you, and possibly you identify yourself to the server. In SSL, this is almost always done using certificates – strictly speaking, X.509 certificates.

A certificate is a list of statements about the identity of the party it represents, followed by a mathematically-derived encrypted value called a “signature”. The signature is based on a hash function, which is chosen to be resistant to attack. Typical hash functions are MD5, SHA1, and the “SHA-2” family which are identified by the number of bits of output they produce (i.e. how well they uniquely represent the original information to be hashed). The signature is the hash of the identity statements, encrypted using the issuer’s private key. This means that anyone can decrypt the hash, but in doing so, they will recognise both that only the issuer can have created the signature, and that the identity claims made in the certificate are accepted as valid by the issuer.

This allows you to trust the owner of the certificate, on the basis that you trust the issuer. Sometimes you don’t know if you can trust the issuer, either, and so you have to find out if you can trust the issuer – by looking at their certificate, seeing what claims it made, and what other issuer signed it, and so on, up a “chain of trust”, until you either meet a certificate you do trust, or you meet a certificate that is “self-signed” – that is, that it claims to be its own issuer, and has no other signatory.

So, from this description, you should be able to envisage a chain of trust, where the “leaf certificate” of the site whose identity you want to verify, is signed by an intermediate certificate authority (CA), which may in turn be signed by an intermediate CA, and so on, until you meet a certificate that is signed by a “root CA” – a self-signed certificate whose trust you can use as a basis for trusting the leaf certificate.

Many root CAs are installed by default in operating systems, or applications that use SSL, with the intent that you should be able to trust all certificates issued by those CAs, because they take adequate steps to verify the certificates they issue, and because they use modern technology.

Where’s the attack?

There’s nothing surprising about this attack to those of us who follow cryptography news. One of the problems with hashes is that it is possible to generate two paired documents, that have different content, but whose hash is the same. It has been known since 2004 that you can generate such colliding documents using MD5 as a hash without quite as much effort as the “brute force” technique of trying to generate documents and see if they match. From that, we have (or should have) predicted that this attack was possible, though not easy.

The attack is this – the attacker requests a bona fide web-site, or email (or any other) certificate from a reputable certificate authority. The certificate request is generated along with a second ‘shadow’ certificate – the two differ in areas chosen by the attacker, and with sufficient care to make sure that the issued certificates will both match the same signature.

This gives two certificates, which each appear to have been issued by the certificate authority, but only one of which actually contains information that was seen by the certificate authority.

The method of attack beyond this point will depend on what the shadow certificate was. The simplest way to attack this would be to have both certificates be web site certificates (or both be email certificates, etc), so that you could ask the CA for a certificate for your own name, but wind up with a certificate for someone else’s name – a big company or an important individual, say. That’s useful, but it only gives you one usable certificate per request. Keep that up, and you are sure to be detected.

The method outlined in the research paper, however, goes a step further than that – the certificate request that the CA sees is, as before, a simple web site certificate request. But the shadow certificate is designed to be that of an intermediate CA itself. Once this attack is successful, you can use the intermediate CA to issue any number of web site, email, code-signing, and even other CA certificates. Because these certificates chain up through your bogus intermediate CA, and then to a trusted root, they too will be trusted.

What about defence?

There are several defences to consider, and I’ll address them from the perspective of various different parties.

1. The Certificate Authority

First of all, all certificate authorities need to move to stop using MD5 when signing other people’s certificates. They should have stopped doing this some time ago, as it was clear that the generation of colliding certificate requests was an ever-increasing possibility. Also on the way out should be SHA1 (although that does mean older systems and software may have issues, because they may not be able to support newer SHA-based hash and signature algorithms). Note that this (particularly the dropping of SHA1) is a recommendation that should be followed with glacial slowness, over years, rather than days. We’re not that broken yet.

Even if the CA continues to use MD5 and SHA1, they can adequately protect against this attack by using non-predictable serial numbers when generating the certificate signatures. This is essentially the area where the CA can most easily and most effectively prevent this attack from succeeding, relying as it does on being able to predict precisely the contents of the returned certificate. This will continue to work so long as the attackers can only generate two colliding paired documents – if there is ever a sustainable attack that allows creating a document that matches the hash of another document without generating them together, this too will be a cause to doubt those certificates.

Another defence against this (but not the simpler form of the attack) is to ensure that you use different CAs to issue leaf certificates than you use to issue intermediate CA certificates, and that you set limits on how long the chain may be as signed by your CAs. That way, a leaf certificate request cannot be used to create a shadow intermediate CA certificate, because verification of the chain will fail because of length constraints.

Check your certificate requests, and make sure that you have not seen a large number of certificate requests from substantially the same source, in an attempt to generate a desired serial number. Offer your existing customers, if they are worried about MD5-signed certificates, the option to replace their certificates with certificates signed by other hash schemes.

2. The Web-Site Owner

There’s really not anything the web-site owner can do, beyond checking any reports of hijacked sessions, or web sites not appearing to be correctly identified, and then taking legal action to remove such pretender sites when they are found.

One thing that can be done is to champion the use of Enhanced Validation (EV) SSL Certificates, as specified by the Browser Forum. These certificates are required to use a chain that has no MD5 signatures in anything other than the root CA. Push the message to your customers and users that the green bar indicates a higher level of trustworthiness. You’ve not only identified yourself to the CA’s satisfaction, but your CA and you are committed to a more up-to-date technical configuration.

Ask your CA if you need to take action with your existing certificates – if they are signed by using MD5 hashes, it may be that some customers will refuse to accept your certificates. Your CA may have a reasonable offer on replacing your certificates with ones signed by SHA1 or other hashes.

3. The Web-Site Visitor

These are the guys that really matter – because if they can be fooled, then the attack has succeeded.

The first thing that has to be drummed into web-site users’ heads is that a certificate error message should be reason for you to stop your visit to the web site with the error, and to not place any orders with them, or supply it with your private information (password, personal details, etc) until you have resolved with their technical support what the issue is. This step alone is something that I have emphasised before, and I emphasise it again now, not because it is the best fix for this issue (because a clever attacker will try to produce a certificate that doesn’t error), but because it’s something that protects against the far easier attacks, and it is still not a habit that users have gotten into.

Next, keep up-to-date with patches. If there are interesting ways to block this at the browser, those will be distributed through security patches to your browser or other applications. If you use a lot of OpenSSL-based applications, keep looking for updates to those; if you use a lot of CryptoAPI-based apps, updates should come to you automatically through Windows Update.

Read Microsoft’s Security Advisory, as well as entries on the Microsoft Security Response Center Blog and the Microsoft Security Vulnerability Research & Defense Blog.

4. The software developer

Consider, if you already verify certificate chains yourself, adding or documenting features to refuse chains that flow through CA certificates signed with MD5; also to refuse chains that flow through CA certificates with too much ‘cruft’ (this attack uses the “Netscape Comment” field and fills it with binary that doesn’t look very comment-like).

Make sure that your verification routines check for chain length constraints, as well as corrupt or absent revocation list locations. Again, this attack had no space to put a valid CRL location in place.

If you develop IDS solutions, you may want to try and check for an SSL negotiation that includes certificates signed by intermediate CAs that are themselves signed by using the MD5 hash algorithm – although this is a little complex to track, it shouldn’t be completely impossible.

And, in summary (phew – at last!)

This is a proof of concept of a theoretical attack, and has generated some interest because it’s a shoe we’ve been waiting to see drop. Repeating the work with the information supplied by Sotirov et al would require a lot of significant and serious mathematics. I know that’s not something to make it impossible, but I think it’s enough to suggest that the sort of people with enough resources to hire advanced mathematicians would find it cheaper and easier to just use something more like social engineering to achieve the effect of having visitors trust your web site.

In several months, the tools will become more widely available, but by then, CAs should be smart enough to stop using MD5, and be considering a move to SHA256 and above. And if they aren’t, I’m sure there will be further advisories with instructions on which root CAs to remove from your trusts.

This is a thoroughly interesting attack, and exciting to people like me. That shouldn’t be taken as an indication that the world is about to collapse, or that you can’t go on trusting HTTPS the way you currently do. Even though we now have the ‘perfect storm’ of a serious DNS flaw backed with a way to subvert SSL, it doesn’t appear to be in use at the present, and with the information on how this attack was achieved, it’s possible for a root CA to comb back through their records and find suspicious behaviours that match this attack.

Link: Verisign’s statement (they own RapidSSL, the CA that was the subject of this attack).

Sad notes – passed over Christmas.

I’m very sad to note that Eartha Kitt has died – even in her eighties, the woman simply embodied sexiness. Truly the best Catwoman ever. And as the voice of Kaa, in The Jungle Book, purely hypnotic. [To those of you who are saying “huh? Winnie the Pooh played Kaa, just before he testified to the HUAC”, wait for the radio series to repeat on BBC 7. Remember – the pictures are far better on the radio.]

As for Harold Pinter, I think it’s possible that he isn’t dead. Just … pausing.

Running out of disk space? How’s your logs?

I ran out of disk space today.

This is not entirely a new issue for me, because I like to listen to BBC Radio from back home, and my only way to do that is to download the shows overnight so I can listen to them the next day. [I’m not allowed that sort of bandwidth at work]

I start troubleshooting this in the obvious way – where are my largest individual files, and are they useful? Windows Vista’s Search is great for this – you can ask for files over a certain number of bytes:

Whoa, over a gigabyte in that mysterious file called “setupapi.app.log”? Ah, but it’s in that C:\Windows\inf directory that I really shouldn’t mess with, so I’d better check to see that it’s alright to get rid of the file. Let’s see what the Microsoft Support Knowledge Base has to offer on the subject of huge files created by the Setup API.

http://support.microsoft.com/default.aspx/kb/958909 - “It may take a long time to log on to a Windows Vista-based computer that has antivirus software installed” – well, I haven’t really noticed that logons are that slow, and I don’t actually have antivirus software installed. But visiting the article, I see that this is only the first half of the title. The full title is:

It may take a long time to log on to a Windows Vista-based computer that has antivirus software installed, and you may notice that the file size of the Setupapi.app.log file is very large

So, to use a medical metaphor here, the large setupapi.app.log is the internal haemorrhaging caused by some injury or illness, and the slow logon (or in my case, the inability to use my disk space) is the externally visible symptom – the loss of consciousness, the fainting fit, the going-into-shock. Now that we’ve got the diagnosis, let’s see if the KB article has anything useful to say.

“This problem occurs because the verbose logging policy for the Setupapi.app.log file in Windows Vista is set to the most verbose setting (0x20000FFFF).

“…

“To work around this problem, remove or adjust the value of the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\LogLevel”

Hmm… my value is set to 0x20000000. What value should it be?

“Type 0x00000020 in the Value data box.”

OK, that’s a little pedantic – instead, how about you click the “Hexadecimal” radio button, and enter “20”:

There is a hotfix mentioned in the article, but I rarely like to apply hotfixes to my machine if I am sure that the workaround will suffice. I may revisit the hotfix if I can’t see this work to reduce my log file size.

So, how did this happen? How did the setting get put to such a bizarre value?

Quite frankly, I don’t know – and as long as the problem goes away, I’ll just put it down to one of the many programs that I’ve installed or uninstalled. Judging from the fact that this log seems to have been in detail mode ever since November 2007, it’s likely that this setting was chosen (either by me or Microsoft) to gauge how successful the new install of Vista was going.

I now have a gigabyte of my file-space left, and I can go and download “Crisp and Even, Brightly”, one of my favourite Christmas shows from Radio 4. I only wish I could get the TV, because there are some excellent BBC shows that never make it across to this side of the Atlantic – and I just can’t wait for Doctor Who Season 4 – the next Doctor (or is he?), Cybermen, and a Victorian Christmas.

Redmond Report says “Vista Kernel Flawed”

This is just some lovely reporting:

Vista Kernel Ready To Pop?

Vista, due largely to its lockdown of user rights, is far more secure than XP. But it's not 100 percent safe. In fact, the kernel itself has an issue that could lead to buffer overflow attacks, or so says security company Phion.

Well, that's hardly surprising, we know how common buffer overflow attacks are, and how difficult they are to prevent. Go on...

The exploit, which does require admin privileges, is pretty well-documented by Phion. And there's no patch -- just a workaround from the company. Hmm. Is Phion looking for new customers?

Uh... if the 'exploit' needs admin privileges to start with, exactly how is it an "exploit"? It's a bug. By the time you have admin privileges, you can replace the operating system with one that does your bidding anyway, so how is it an 'exploit' that you can do so without replacing the OS core?

Pre-announcing this kind of flaw is like giving bullets to insurgents before our soldiers have a chance to put on helmets and bulletproof vests: dangerous.

No, it's rather like suggesting that there's a flaw in that if the Commander-in-Chief is secretly supporting the terrorist cause, he can order our soldiers to be needlessly sent into a dangerous war zone without sufficient arms or armour.

There are other bugs where I would agree that it’s important to avoid announcing the flaw before the vendor has been given a reasonable chance to fix it for find a workaround – this isn’t that case, though.

The flaw in question is worth noting, though, in that it's something that can be abused by members of the Network Operators group - and there are many sites that put users into this group simply so that they can turn off or on the wireless networking card on their laptops (for those that don't have a simple hardware switch). So, while Microsoft may assert that "Network Operators are just like administrators", there are many ordinary users who have been dropped into the Network Operators group.

News: Apple, Linux Users repeatedly mash "refresh" button

Okay, so that's just one way to explain the news story at ComputerWorld "Windows market share dives(*) below 90% for first time" - statistics don't lie, but they don't always answer the question you thought they did.

ComputerWorld also offers other explanations than their title:

Vince Vizzaccarro, Net Applications' executive vice president of marketing, attributed Windows' slip to some of the same factors he credited with pushing down the market share of Microsoft's Internet Explorer browser. "The more home users who are online, using Macs and Firefox and Safari, the more those shares go up," he said. November was notable for a higher-than-average number of weekend days, as well as the Thanksgiving holiday in the U.S., he said.

Uh, in other words, expect to see the trend increase as more Mac and Firefox users get laid off and have to search for *** at home.

(*) For "dives", reads "descends by 0.84%" - view the graph at http://marketshare.hitslink.com/os-market-share.aspx?qprid=9 - yes, those are indeed graphs showing the (ahem) rise and fall of usage patterns. See if you can tell rising months from falling months without cheating by looking at the numbers! Three and a half percent, say, would be more like a "dive". Time to buy Sterling, I think!

Nobody stopped me, as I put the second laptop into my bag...

I have two laptops that I carry with me most places I go. This isn't showing off, it's just something I do for a number of reasons. (One laptop is for work, the other is personal)

On a recent trip, I wanted to leave one with my wife as she dropped me off at the airport (flying with more than one laptop just seems silly, all that extra weight) - but she drove off before I could take the superfluous laptop out.

So I proceed to the TSA line, wondering what they're going to say about me packing two laptops.

Nobody noticed. Nobody at all raised an eyebrow at me sliding two laptops into my bag.

That has me somewhat concerned - although it made my trip rather easy.

The implication is that if I am smooth enough of a criminal, I can pick up my laptop and yours, and slide them both into my bag without anyone except you caring – and you’re on the other side of the metal detector from me.

Although it would have slowed my progress through the security line, quite frankly I'd rather someone questioned me about the fact that I was doing something extraordinary in sliding more than the average number of laptops into a bag.

On a number of occasions, my wife (a seasoned traveler) has seen people accidentally swap laptops with her, walk off without their own laptop, or been worryingly detained through the metal detector as their laptops are sitting unprotected and unwatched at the other end of the security scanner.

Recently the TSA produced statistics that showed that many thousands of laptops are abandoned at security lines at the nation's airports - I would be interested to know how many thousands of laptops are not abandoned, but are purloined - accidentally or with criminal intent - by someone other than their rightful owner.

What should the TSA do to prevent theft and/or loss at the security checkpoint? Could the security lines survive if staff insisted on not letting the next person (or their carry-on luggage) proceed until the last person had finished collecting theirs from the output?

FAQ on 2nd Auth

I’ve already received a number of questions about my secondary authentication tool, 2ndAuth. Here’s a few answers:

• You only show it working for Windows Server 2003 and Windows XP – does it work on other platforms?
  Currently, we only support using it for Windows Server 2003 and Windows XP, although it’s possible that it might work in Windows 2000 Server. The technique used certainly won’t work in Windows Vista or Windows Server 2008, but I have plans to make a different version of the same idea to work there.
• Is this a custom GINA? Does it work with other custom GINAs?
  This is definitely not a custom GINA, but it ties in to the WinLogon process that the GINA is required to call. As a result, on some custom GINAs, it’s possible that it might not work correctly, if the custom GINA does not call the WinLogon functions in the correct sequence or with the correct desktop visible. So, if you’re finding that it has issues with your custom GINA solution, try it without the GINA to see how it’s supposed to work.
• Does the secondary authentication prompt occur on all logons?
  The prompt only occ