Something broke my CacheMyWork app!

Ever since I joined up with my current employer, I’ve been unable to get consistent results out of my CacheMyWork application. It wasn’t exactly professional quality when I released it, but it did what I wanted nicely on some XP & Vista systems I’d been using.

Since getting my IT-issued notebook, however, I’ve been unable to get the darned thing to work consistently. When I “cache” a half-dozen or more apps, I’ve never yet seen *all* of them start up at my next logon; sometimes I’ve even seen that NONE of them run. And yes, I’m quite certain that the Registry entries are getting successfully created (under HKCU\…\RunOnce) – which means that something is interrupting the execution of these once I’ve logged on.

My suspicions are heavily weighted towards the McAfee suite of security apps, especially AntiSpyware and HIPS (Host Intrusion Prevention Service aka “entercept”). I’ve been trying to figure out how to block their activity, even temporarily (which admittedly is pretty much what I’m sure they were built to withstand), but no luck.

I’ve tried escalating through the IT service desk folks, but they are pretty much lacking in cluefulness – all I get is pointers to a couple of web pages and a vague escalation process (which seems to terminate in “single-app exceptions that *might* be added to the configuration”). I need to be able to unblock whatever it is that’s intercepting CreateProcess (presumably) by the shell when it’s iterating through the HKCU\…\RunOnce values – the whole point of my app is to let me restart *any* user app, so one-by-one exception allowances are hardly an efficient solution.

I’ll keep digging, but if anyone has ever seen this kind of behaviour and/or has any pearls of wisdom on how to log/troubleshoot RunOnce activity, I’d sure appreciate a nice smack upside the head. [figuratively speaking – I’ll provide other rewards for anyone that actually helps me make progress…]
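One way to narrow this down, added here as an example and not part of the original post or the CacheMyWork app: list what is queued under the per-user RunOnce key, note which values will survive a failed launch, and plant a “canary” RunOnce value so the next logon tells you whether the shell processed RunOnce at all (canary fires but apps don’t start: the individual launches are being blocked; canary never fires: RunOnce processing itself never ran). It assumes the documented per-user key HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce and PowerShell 3.0 or later; the canary value name and the marker-file path are arbitrary choices for this example.

```powershell
# Added example, not from the original post. Assumes the standard per-user RunOnce key
# and PowerShell 3.0+. Canary name and marker-file path are arbitrary choices.

$runOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$canaryName = '!CacheMyWorkCanary'
$markerFile = Join-Path $env:TEMP 'runonce-canary.txt'

function Get-RunOnceEntries {
    # One object per value under the key, with the program name pulled out of the command line
    if (-not (Test-Path $runOnceKey)) { return @() }
    $values = Get-ItemProperty -Path $runOnceKey
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # PSPath, PSParentPath, ... are provider noise
        $cmd = [string]$prop.Value
        $exe = $null
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }      # quoted path
        elseif ($cmd -match '^\s*(\S+)') { $exe = $Matches[1] }      # bare path or bare program name
        $resolvable = [bool]($exe -and ((Test-Path -LiteralPath $exe) -or (Get-Command $exe -ErrorAction SilentlyContinue)))
        [pscustomobject]@{
            Name          = $prop.Name
            CommandLine   = $cmd
            Executable    = $exe
            Resolvable    = $resolvable
            # Without a leading "!" Windows deletes the value *before* running it, so a launch that
            # gets blocked leaves nothing behind; "!" defers the deletion until the command has run.
            KeptOnFailure = $prop.Name.StartsWith('!')
        }
    }
}

function Set-RunOnceCanary {
    # A "!"-prefixed value that appends a timestamp to $markerFile when the shell processes RunOnce
    if (-not (Test-Path $runOnceKey)) { New-Item -Path $runOnceKey -Force | Out-Null }
    $cmd = "cmd.exe /c echo RunOnce fired %DATE% %TIME% >> `"$markerFile`""
    New-ItemProperty -Path $runOnceKey -Name $canaryName -Value $cmd -PropertyType String -Force | Out-Null
}

function Test-RunOnceCanary {
    # Run this after logging off and on again
    $markerExists = Test-Path -LiteralPath $markerFile
    $contents = if ($markerExists) { Get-Content -LiteralPath $markerFile } else { $null }
    $stillQueued = $false
    if (Test-Path $runOnceKey) {
        $stillQueued = (Get-Item $runOnceKey).GetValueNames() -contains $canaryName
    }
    [pscustomobject]@{
        MarkerWritten = $markerExists
        MarkerLines   = $contents
        StillQueued   = $stillQueued   # true after a logon: the shell never got to it, or the launch failed
    }
}

# Usage: look at what is queued, plant the canary, log off and on, then call Test-RunOnceCanary
Get-RunOnceEntries | Format-Table -AutoSize
Set-RunOnceCanary
```

If the canary fires but the entries you queued without a “!” prefix simply vanish, prefix them with “!” so a blocked launch at least leaves the value (and the command line) behind for the next attempt; that is also the cheapest way to hand the service desk concrete evidence of what was blocked.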

I’ve UnDeparted from Microsoft

I’m back, baby!

Due to my recent un-departure from Microsoft, I am now employed again full time, and so far I’m loving the new job!

I’ve willingly rejoined the Borg as a Technical Program Manager on the MSSC (Microsoft Solutions for Security and Compliance) team. I’m once again on campus in Redmond, but this time (cf. my previous career as a member of MCS) I’m not relegated to one of the “satellite” buildings; rather I’m stationed (with the rest of the team) in Building 18 – right on main campus!

The past eight months away from Microsoft have been one amazing vacation, disconnecting from the non-stop email, the petty politics and my growing unease with how little I felt I’d accomplished in five years there. I spent much of that time playing with the dogs (a good thing), getting to know my wife (a very good thing) and teaching myself firsthand that I can survive post-Microsoft. Hopefully I’ve cleared out many of my demons, my fears and my old habits – on to a new and revitalized career.

What will I be doing as a TPM? Well, the MSSC team makes it their mission to develop and deliver “solutions for security” – sometimes humungo series of papers/recommendations/technical knowledge, sometimes focused white papers, sometimes “push-button” apps that solve problems outside the scope of traditional product development. Based on my expertise in data security (& peripherally around data protection), I expect to be contributing to security solutions that help make Microsoft’s customers’ data more secure. I don’t know exactly what this means, but I know that it’ll involve a lot of technical depth in technologies like EFS, RMS and Vista’s Secure Startup/Full Volume Encryption. [I’ve only been on board for a couple of weeks, so beyond that only time will tell.]

Anyone out there with any gripes, concerns or ideas for improvement in these and related technologies? You’re more than welcome to drop me a line and I’ll see if I can’t carve out some time to hear you out. With any luck, in my new position, I’ll be able to get good ideas directly into the ears of those who develop those products. How’s that for service? I dare you to suggest something radical to me. 🙂

[Note: this means that from here on, and of course for all posts up to this point, my one nod to the corporate machine is to state for the record that everything I write here is the result of my own personal opinions and cannot be construed as the “official Microsoft stance” on anything, nor can my ramblings be ascribed to my employer in any form or fashion. Everything here should be taken “as-is” (although certainly I believe there’s merit in my leavings), and YMMV. Now go forth and enjoy it!]

Digital Cameras being called a "hacker tool" now?

This article focuses on the use of the camera as a “digital storage device”, as if the camera were somehow a “more surreptitious” way to copy data off the computer than any other USB or similar storage device (flash drive/thumb drive/memory stick/MMC/SD card).

I really hope that the author of the article was the only one surprised by this “unexpected” use of a digital camera as a way to slurp data off a computer. I also hope that we don’t see a wave of specific “no digital cameras allowed” security policies spring up in response to this. I would think any reasonably well thought out security policy would either (a) forbid the use of all portable storage devices, or (b) accept the risk of any and all such devices equally (since they all have the potential of being used maliciously).

I really thought I misread the title of the article – I had to read it three times to make sure I wasn’t the one with the big misunderstanding.

I figured they must be talking about the use of digital cameras to take pictures of the screen (a totally unpreventable vector), or they were talking about camera-enabled cell phones (which at least are more difficult to separate from “legitimate use” than a simple camera).

Big deal.

So you can use yet another bulky USB-enabled device to copy data from a computer and take it off-premises. If there’s ANY organization left out there that still hasn’t thought through the threat of the use of portable storage media to copy large quantities of data off-premises, I doubt they’re going to finally say “oh crap!” when they read this.

It’s far cheaper and easier to hide from prying eyes the use of a tiny little USB drive (most are as small as a digit on your hand) – far less likely to draw attention than plugging a fist-sized (or larger) camera into a work computer.

To steal a phrase from Bruce Schneier, this is yet another example of a “movie plot threat” that has little relation to any reasonable assessment of overall security risk to most any organization.

[category: general security]

Agree with Keith Brown’s "do not display last user name" rant

I’m with Keith here [note: in the interests of minimizing duplication, I’ve hacked his post down to the most stinging statements. Go read it yourself if you’re interested in a good discussion of the problem.]


A security countermeasure that isn’t all that

The password that you just entered went into the user name text box of the login dialog. When you hit enter, you attempted to log into your workstation using your password as the user name and a blank password. Because this login failed it’s logged in the Event Log. Guess what’s in there? Yep, it’s your password!
So in the interest of making your machine more secure, it is actually compromised…

… As Schneier constantly reminds us, security is all about tradeoffs. What do you gain by turning on the DontDisplayLastUserName feature? Given that it only takes effect when you’re logged out, not when your workstation is simply locked, not much! There are an awful lot of people who rarely log out of their machines (me included), and rather lock their workstations instead.
… If a countermeasure makes things harder (and more risky) for legitimate users, and doesn’t provide any real impediment for an attacker, it’s a bad tradeoff.
… I’d suggest picking up a copy of Jesper & Steve’s book, which provides really practical advice for securing Windows. It’ll help prevent these sorts of mistakes in the future!


This kind of blind use of security “countermeasures” really bothers me. I used to be a blind follower of security checklists in my early career too, so I can’t say I don’t understand the impulse that drives this sort of behaviour.

Still, I can’t believe that after all these years of people publishing these checklists, and lots of other people using them and seeing the consequences of their use, they still get published and used like this – i.e. ignorant of the consequences.

I get pretty frustrated when I see people take security measures like this and end up shooting themselves in the foot. At best, they’re no further ahead overall. At worst, they’ve taken a giant leap backwards, and made it even *easier* for an attacker to escalate themselves and do some *real* damage to your computing assets.

Damn. I really want this setting to be discarded, just like I want to see the “account lockout” setting retired in favour of a more sophisticated, goal-oriented, actually-accomplishes-what-it-sets-out-to-do countermeasure. I am all in favour of more configurability in a system, to give people more options so they can accommodate special circumstances when required – BUT – when a “special purpose” setting like this actually ends up being used blindly by everyone in unsuitable circumstances, and ends up making things WORSE, well that’s when it’s time to seriously reconsider.

Creating the Saved Password

How often does “DontDisplayLastUserName” actually do something security-useful:

  1. Computer boots up
  2. Computer is Restarted
  3. User logs off

VS. times when it can potentially hurt:

  1. User locks computer
  2. User places computer on Standby (and computer is set to lock on resume)
  3. User places computer in Hibernate mode (and computer is set to lock on resume)
  4. Computer goes into Standby or Hibernate according to Power Management configuration (and computer is set to lock on resume)

I don’t have any statistics to back up the opinion I’m about to assert, so I’ll just have to use my own user behaviour as a model and let you decide how often it happens from there:

  • I rarely power down my computer:
    • perhaps once a week or so because something has leaked too many resources over time (e.g. Virtual Memory, GDI Objects, Handles) and I need to free them up
    • perhaps once every couple of weeks because I’ve installed something that includes a kernel-level driver (display, network) or because I’ve installed an update that replaces an in-use system-level file
  • I almost never log off my computer – why bother? It’s a single-user machine almost all the time:
    • My home desktop is used by my wife or houseguests maybe once a month
    • My work notebook is used almost never by anyone else, and if I let them use it, I’ll usually just fire up a fresh browser instance (or RDP client) and let them borrow it while I’m there – I just don’t let people log on to my work computer – no reason to, that I’ve found
  • I very frequently (e.g. dozen times a day or more) end up with my work notebook locked:
    • anytime I move from the house to the office, I’ll put it in Standby or Hibernate
    • I’ll pull it open for a while on the bus to or from work and then Hibernate when I walk off
    • anytime I go from my office to a meeting (usually 1-3 per day), I’ll S/H while I carry it around
    • anytime I walk away from my notebook, I’ll lock it (Windows-L was a wonderful addition to XP)

Under such circumstances, how often do you think I’d accidentally enter my password in a blanked-out username field? Thankfully, I haven’t had that setting forced on me since I forced it on the domains which I administered in my old job as a sysadmin (i.e. 6+ years ago, before I “saw the light”). So I don’t know how often that’d actually happen now – I have no immediate experience to back it up. But if a smart guy like James gets tripped up by it once in a while, then I’m sure I’m no smarter/more attentive than he is.

Exploiting the Saved Password

OK, so let’s assume that for a significant number of computers configured to not display the last username, the user’s password ends up saved in a Security Event Log entry. On Windows up to and including XP, that log is only readable by members of BUILTIN\Administrators, by processes running as LocalSystem, and by accounts holding the “Manage auditing and security log” privilege (on Windows Server 2003 the log’s access control can be customized, as per Eric Fitzgerald’s article here).

So what’s the big deal? On systems where both (a) physical access is unavailable (e.g. servers) and (b) all patches have been applied, the risk that a random attacker who doesn’t already have an Admin-level account can get one is usually pretty small (let’s hope – okay, this is probably asking too much, but let’s just assume for the moment, okay?).

However, on systems where either (a) or (b) is FALSE (e.g. (a) on a desktop or especially notebook computer – physically accessible to many classes of attacker; e.g. (b) on a computer where root-level exploits have not been patched), I caution you strongly that “Do not display last user name” may end up giving an attacker a means to retrieve the user’s logon password IN CLEARTEXT and be able to access any resources to which that user account has been granted access.
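A way to check a machine for exactly this exposure, added here as an example and not from the original post: report whether “Do not display last user name” is enforced, then scan recent failed-logon audits for “user names” that no account on the box has, which is what a password typed into the blank user-name field looks like in the Security log. It assumes the policy is stored at the documented registry value below, that failed logons are event 529 (Windows 2000/XP/2003) or 4625 (Vista and later), and that the regular expressions follow the English message text of those events; the “looks like a password” test is a crude heuristic of this example’s own. Run it elevated, since the Security log is administrator-readable.

```powershell
# Added example, not from the original post. Assumes the documented policy value,
# failed-logon events 529 (2000/XP/2003) and 4625 (Vista+), and English event text.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$failedLogonIds = 529, 4625

function Get-DontDisplayLastUserName {
    # 1 = enforced (blank user-name field at logon); 0 or absent = last user name is shown
    $p = Get-ItemProperty -Path $policyKey -Name DontDisplayLastUserName -ErrorAction SilentlyContinue
    if ($p) { [int]$p.DontDisplayLastUserName } else { 0 }
}

function Get-KnownAccountNames {
    # Local accounts, the current user and the built-in logon identities, lower-cased for comparison
    $names = @(Get-WmiObject Win32_UserAccount -Filter 'LocalAccount = TRUE' | ForEach-Object { $_.Name })
    $names += $env:USERNAME, 'SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE'
    $names | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Get-FailedLogonAccountName {
    param([string]$Message)
    # 4625 lists two accounts; the one under "Account For Which Logon Failed" is the attempted name.
    # 529 has a single "User Name:" field.
    if ($Message -match '(?s)Account For Which Logon Failed:.*?Account Name:\s*(\S+)') { return $Matches[1] }
    if ($Message -match 'User Name:\s*(\S+)') { return $Matches[1] }
    return $null
}

function Get-SuspiciousFailedLogons {
    param([int]$Days = 30)
    $known = Get-KnownAccountNames
    $events = Get-EventLog -LogName Security -EntryType FailureAudit -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
              Where-Object { $failedLogonIds -contains $_.EventID }
    foreach ($e in $events) {
        $name = Get-FailedLogonAccountName -Message $e.Message
        if (-not $name -or $name -eq '-') { continue }
        $bare = ($name -split '\\')[-1].ToLowerInvariant()     # drop any DOMAIN\ prefix
        if ($known -contains $bare) { continue }
        # Deliberately do not output the name: if it is a password, echoing it just copies it elsewhere
        [pscustomobject]@{
            Time              = $e.TimeGenerated
            EventId           = $e.EventID
            NameLength        = $bare.Length
            LooksLikePassword = ($bare.Length -ge 8 -and $bare -match '[0-9]|[^a-z0-9]')   # crude heuristic
        }
    }
}

# Usage
"DontDisplayLastUserName = $(Get-DontDisplayLastUserName)"
Get-SuspiciousFailedLogons -Days 30 | Format-Table -AutoSize
```

On a domain member, domain users who mistype their own names will show up too, so treat the output as leads rather than verdicts. If a hit really is a password, the fix is not to scrub the log (that is itself an audit event) but to change the password, because the log entry may already have been collected or backed up.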

EFS/RMS Alert!

If you are using a Windows logon-based encryption technology (e.g. EFS, RMS), then you should be doing everything in your power to make it difficult for a physical attacker to discover or guess the user’s logon password – right?!? So my advice: along with all the other things that I’ve recommended in the past (and continue to recommend), I strongly urge you to NEVER set the “Interactive logon: Do not display last user name” setting on any client PC (desktop or notebook running Windows 2000 or Windows XP) where you believe Windows logon password-based encryption is being used.

Note: I am NOT trying to steer you away from these technologies. What I AM attempting to do is to (a) illustrate one cogent, real-world example of why this “Do not display last user name” setting can be more harm than good to your overall security posture, and (b) emphasize yet another way that attackers could be “assisted” in attacking EFS- or RMS-protected data – and what you can do to prevent that.

So there.

[category: general security]

Windows Vista’s Full Volume Encryption & TPM, part 2: FVE on Tablet PC?

OK, so where was I when I last left the TPM topic? Oh yeah

Frankly I don’t know what to think about the state of TPM-backed data encryption. I really *want* to be able to say “yeah baby – your best bet for securing data on a laptop will be Vista’s FVE” (or any other OS-level TPM-backed file encryption option). For a few hours, I actually believed it could be true – not just for an individual, but for any really big organization as well.

However, the past couple of months’ effort has me pretty much convinced otherwise. I’m not exactly optimistic for the prospect of widespread TPM-secured data protection in the near future.

It looks to me like Full Volume Encryption (FVE) in Windows Vista won’t be a viable option for anyone who isn’t prepared to drop a bundle on new computing hardware at the same time. That’s because there are almost no computers – especially mobile computers – on the market that have a v1.2 TPM.

While I realize that there are other IHV- and ISV-supplied TSS packages to support TPM-backed file encryption, I am mostly focused on Vista FVE for a couple of reasons:

  1. Until a service is provided in-the-box with the OS, my experience with customers is that integrating vendor-specific security software is a huge hassle, and not supportable at scale over shorter periods of time (e.g. 2-3 years).
  2. There’ll often be more than one TPM-enabled package to support – generally, it looks like an organization will have multiple packages, one for every desktop/notebook/tablet/server vendor that integrates a different TPM module.
  3. It’s not clear at this time how the TSS packages are licensed, but I’ll take a SWAG and assume that you’re only licensed to use the TSS package on the system with which it was shipped, and that you’ll have to pay extra to use that package on PCs that were shipped with a different TSS package.
  4. An organization could scrap the bundled software packages entirely and just license a third-party product across the board (e.g. Wave), but the choices are pretty limited from what I’ve seen, and personally (without having had any hands-on experience to support my gut feeling) I don’t know how much confidence I’d have locking my organization’s most prized data up under this – e.g. what’s the enterprise management (archival & recovery, configuration management, identity management) story like?
  5. [Disclosure: I’m a former Microsoft employee, security consultant and spent most of my tenure consulting on EFS, RMS and other security technologies.]

I’ve been in the market for a new laptop for a while, and one of the reasons for my recent obsession with TPM is that (a) any purchase I make now will have to last well beyond the release date of Vista, (b) since I intend to continue to leverage my Windows security expertise, I should really get a computer that supports FVE so I get first-hand knowledge of how it works, and (c) you generally can’t add a TPM chip to a computer after you’ve purchased it (with at least one known exception).

Oh, and I’ve committed myself to the Tablet PC variant, since I am a committed “whiteboard zealot” and I expect to use the freehand drawing capability quite a bit.

So my mission is to find a Tablet PC that meets my “requirements”:

  • TPM v1.2 chip
  • max RAM > 1 GB
  • dedicated video RAM > 32 MB (to support the lunatic Vista graphical improvements)
  • can run from battery for at least three hours a day (e.g. bus rides to and from work, meetings away from my desk)
  • won’t break my wrist if I use it standing up (e.g. weight under 5 lbs)
  • will withstand dropping it once in a while – I’m more than a bit clumsy

I have spent countless hours scouring the Internet for TPM-enabled Tablets. After my initial survey of the PC vendors’ offerings, I figured there’d be at least a couple of options from which to choose. However, the longer I looked, the more bleak it became. Of the major vendors of Tablet PCs (Acer, Fujitsu, Gateway, HP, Lenovo, Motion and Toshiba), I have so far found exactly ONE Tablet on the market with a v1.2 TPM chip.

One.

And not exactly the industry standard for large enterprise deployment – Gateway!

Did I mention that Windows Vista will require the v1.2 chip to support Secure Startup and Full Volume Encryption?
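For readers who want to know whether a machine they already own clears that bar, here is an added check that is not part of the original post: it reads the TPM’s reported spec version and its enabled/activated/owned state. It assumes the Win32_Tpm WMI class, which ships with Windows Vista and later (it did not exist when this was written, so it is of no help evaluating a pre-Vista box), that the class’s SpecVersion string starts with the TCG spec version (for example “1.2, 2, 3”), and an elevated prompt.

```powershell
# Added example, not from the original post. Assumes the Win32_Tpm class (Vista and later),
# run elevated, and a SpecVersion string of the form "<spec>, <rev>, <errata>".

function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No class instance: no TPM, TPM disabled in the BIOS, pre-Vista OS, or not elevated
        return [pscustomobject]@{ Present = $false; SpecVersion = $null; Enabled = $false; Activated = $false; Owned = $false; FveReady = $false }
    }
    # First comma-separated field is the TCG spec version the chip implements
    $spec = ([string]$tpm.SpecVersion -split ',')[0].Trim()
    $specOk = $false
    try { $specOk = ([version]$spec -ge [version]'1.2') } catch { }
    $enabled   = [bool]$tpm.IsEnabled_InitialValue
    $activated = [bool]$tpm.IsActivated_InitialValue
    [pscustomobject]@{
        Present     = $true
        SpecVersion = $spec
        Enabled     = $enabled
        Activated   = $activated
        Owned       = [bool]$tpm.IsOwned_InitialValue
        # v1.2 (or newer; only 1.2 existed when the post was written), enabled and activated
        # in the BIOS is what Vista's FVE/Secure Startup needs from the chip
        FveReady    = ($specOk -and $enabled -and $activated)
    }
}

Get-TpmReadiness | Format-List
```

A v1.1 chip, like the Fujitsu one mentioned below, reports a SpecVersion starting with “1.1” and so fails the check; a present-but-disabled chip usually yields no Win32_Tpm instance at all, which is why the “not present” branch lists “disabled in the BIOS” among the causes.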

Oh, and did you hear that Microsoft is trying like h*** to get Tablet PCs in the hands of as many users as possible?

Geez Louise, I even went so far as to contact Fujitsu (who have a really fantastic Tablet with a v1.1 TPM chip) to see if they were sitting on any about-to-be-released v1.2-enabled Tablets, asking them the following:

Could you give me some idea of the following:
– whether Fujitsu is committed to integrating v1.2 TPM chips in their computing products?
– when we can expect to see Tablet PCs with v1.2 TPM chips integrated into them?
– Any planned model or series of Tablets that the v1.2 TPM chips will be used in e.g. Lifebook 4000 series, Slate vs. Convertible, etc.?

And this is the response I got:

We fully intend to continue our support of TPM and transition to v1.2.

However, at this time we can not provide a date as to when this will be available. Fujitsu company policy and NDA agreements with suppliers do not allow us to publicly disclose future plans prior to product launch.

So what’s a guy to think? Right now we’ve got exactly one FVE-ready Tablet on the market, and according to this guy, the big wave of computer upgrades in the business sector may already be passing by. [Let me ignore the fact that I haven’t looked into notebooks yet, and assume that TPM v1.2-equipped notebooks are just as scarce. I’ll check into this further and report back.]

Between now and the shipment of Vista (perhaps October 2006, if you can believe these rumours), less than a year away, am I to believe that hordes of TPM v1.2-equipped PCs will show up on people’s desks? If so, then perhaps there might be a minority of organizations who would consider testing the Vista FVE technology (though I doubt they’d be ready to standardize on it, assuming – rightly – that they’ll have less than a majority of Vista FVE-ready PCs in their organization).

But even if TPM v1.2-equipped PCs were to quickly dominate these organizations, would I feel comfortable urging such organizations to adopt Vista to enable use of FVE to protect their data? I honestly don’t know – I don’t feel a resounding “YES” coming on, but neither do I feel a “NO” building in my gut. Perhaps it’s because I feel like this question won’t be practical for a number of years yet.

By requiring the v1.2 TPM chip for FVE & Secure Startup, I believe that:

  • Third-party TSS packages will get a lot of leeway to take the “organizational standard” position – especially for those TSS packages that also support v1.2 TPM chips
  • Most mid-sized to large organizations won’t be in a position to adopt FVE & SS as their data protection standard until say 2008 or later.

This leaves me wondering what data will be left to protect by then? Given the fact that most organizations are being forced through one regulation or another to encrypt customer-sensitive data, I believe that the next couple of years will be the final window for unencrypted user data to reside on client PCs.

Put another way: if you’re the InfoSec officer in charge of recommended strategies for regulatory compliance & avoiding liability, wouldn’t you rather just encrypt every disk on every “physically insecure” PC throughout the organization? That’s one sure-fire way to know that users haven’t accidentally stored a sensitive file in an unencrypted volume, folder or file. Only then would the organization be able to claim that a lost or stolen PC did not contain unencrypted customer data.

[Now, sure, in 3-5 years there’ll be room to re-evaluate the technology used to maintain protected data on hard drives, and it’s quite possible that by then Vista’s SS & FVE will get the nod from many organizations. Migrating from one highly-technical solution to another is never easy in large orgs, and is pretty scary for small outfits or self-supporting end users, but I’m leaving the door open for the landscape to change beyond my wildest imaginings in the 3-5 year timeframe…]

Does anyone see things differently? Does Vista FVE look like it’ll capture a significant portion of the “data protection” market? I’d really like to be wrong about this – it would suck if the best “free” on-disk data protection technology to come out of Microsoft won’t be practical for the majority until long after they had to commit to another on-disk encryption solution.

Email users getting more Paranoid?

I read an article today about email & phishing, and I’m actually heartened by the same news that the reporter seems to take as pessimistic:
Is it ‘lights out’ for e-mail?

It says that, according to the MailFrontier Phishing IQ Test, email users can correctly identify phishing attempts 82% of the time. They also report that users falsely identify “legitimate” email as a phishing attempt 48% of the time. [Note that this is based on a set of “test” emails, not on the test subjects’ own email inboxes.]

While the writer (Anne Bonaparte, CEO of MailFrontier) seems to believe this means that people’s use of email may be on the decline, I think this is a sign that people are finally treating email as they should: not unlike other forms of spontaneous contact from the outside world.

My wife even forwarded me an email yesterday that looked pretty phishy – an invitation to join a market research survey group, sent by some third party on behalf of Microsoft. Having worked there, my read of it is that it actually *was* legit – I’ve seen plenty of feedback over the years on these marketing-driven email campaigns that – despite all of the good security practices being preached inside Microsoft – still end up looking like they’re a security threat/spam/phishing attempt (when really they’re just poorly-thought-out third-party mass-mailings). No harm done, just a little twinge on the Paranoid-o-meter, and I really think that’s a good thing.

If someone came up to your door that you’d never met and claimed to be from the IRS and wanted to come in and see your house, would you immediately believe them? What if you got a piece of mail that said it was your bank and that you had to leave your ATM card and PIN # in a mailslot at some odd address?

I for one am glad that people are getting more skeptical about the stuff that floods their inboxes. I live a great deal of my time in my inbox, and I have gotten pretty good at sniffing out illegitimate contact among the hundreds of messages I receive every week. [Fifteen years of jealously guarding my online privacy and trust will do that to a fellow I guess.] I’m glad that others are taking a healthier attitude towards unsolicited email, and I hope this means that they’re wising up that just because someone says something doesn’t immediately make it true.

Personally, I think that people are a little too trusting of people in positions (or illusions) of authority – often believing outright the claims of news reporters, people in uniform, political figures and other “strangers” just because they have the look and mannerisms (or the claimed position) of authority. I will defer to legitimate authority as much as is wise in this day and age (I am a Canadian living in the US, after all), but it disturbs me to think that people around me would have believed any claim that winds up in their inbox.

I think it had to do with the magical nature of computers (for most people) – they don’t know how they work, they don’t understand how fallible the people are that create the hardware & software, and just how riddled with flaws and humanity these whirring beasts really are. It’s like when I tell people about how insecure all the banks are for whom I’ve worked – it shocked me at the first one, and became expected by the third, and now I understand just how thin the ice is on which our finances skate.

Same with email, and thankfully as people have more exposure to it, and see more and more what the latest news report says about what you can and can’t trust, they are starting to see through to the other side of that thin ice, and are treading more carefully.

So what if you delete a few legitimate emails? Your life will rarely end if you don’t get that message – most people, next time they meet up, will nearly always say “Did you get my email?” anyway. Or they’ll re-send the email if they haven’t heard back. Or they too will forget about what they sent, as there’ve been another 200 emails (spam, phishing, and real communications) since the time they sent that email you might’ve inadvertently (or intentionally?) deleted.

It’s a big world, and no email is an island. Especially the ones that promise you a free vacation on one.

P.S. I scored 60% on the Phishing IQ Test II, so what do I know?

VB Express – holy crap, I can successfully code!

I’ve been toying with the notion of learning some “real” coding for years now. No matter how good I get at my expertise(s), and no matter how much demand for infrastructure geeks like me there is, I’ve felt a growing pressure to get some “chops”. Yeah, I can read an API, I can sometimes *follow* a codepath (almost easy in VBScript by now, still brutally hard in a C++ fragment), and I feel comfortable in using tools like Depends.exe, ProcExp.exe. Hell, I even have gotten to *almost* understand what I’m doing when I run a debugger like windbg.exe.

I took a great introductory college course on ASP.NET development from a really good friend a couple of years ago, but didn’t quite finish it (i.e. I didn’t write the final). I’ve had an IDE installed on most of my computers for years now, but hardly did much more than fire up a sample and feel inadequate.

So a few months back I spotted the Visual Studio Express betas – stripped-down IDEs that are targeted at folks just like me. At first I felt just as inadequate with them as with the full-fledged beasties – I still didn’t really know where to start, and without a good sense of the “vocabulary” of a coding language, I always felt like I was crippled from doing something practical with it. [Sorry, but I’m one of those guys that doesn’t really *learn* the lesson by using artificial dev scenarios that don’t do much more than “Hello World” crap. Maybe that works for a lot of folks, and I’m just broken, I dunno.]

Then I started seeing some really encouraging signs:

  • free training videos targeted at the Absolute Beginner
  • learn-to-code books (e.g. 1, 2) that specifically aim for the Express IDE
  • free online training courses (not just Express-oriented, but they’re there if you want ’em)

And so I took more and more steps to get closer. I got a couple of books out from the library that would give me some fun, easy, quick stuff to play with:

  • Learn Microsoft Visual Basic .NET in a Weekend
  • Visual Basic .NET Weekend Crash Course

And most importantly, I sketched out a design idea for a simple application that I would actually use. [More on that later, when I get some of the cool features working.]

But here’s the kicker: not only was it fairly easy to stumble across the basic code fragments that I would need to make the basics of my app work. Not only did I find that things like the “Me” object were damned intuitive, and some of the new controls (like the Menu Bar Toolstrip) were brilliant for quickly whipping up the stuff I *never* want to have to write from scratch. No, the bit that finally got me to blog about this “dirty secret” of mine was this:

[hmm, uploading the screenshot doesn’t seem to be working.]

I’ve run across an error like this before: “NullReferenceException was unhandled” – “Object reference not set to an instance of an object”. Seen it tons of times, and never knew what to do with it.

So when did they finally know how to translate these errors into English? Now there’s a dialog that includes

Troubleshooting tips:

Use the “new” keyword to create an object instance.

Check to determine if the object is null before calling the method.

Get general help for this exception.

*I* can actually do something with that information. OK, so hell, if I can get past this kind of vague-as-everything error message, I’m figuring this is do-able, and I’ll keep pounding away at this code.

Then I check back to Microsoft’s web site to see the current offerings, and was surprised to be able to download the released version of the Express editions directly off the web. !!!

Well holy freak, this is a pretty good deal – download any one of the Express Edition dev tools and use it free for a YEAR. What? Are you guys nuts? What happened to the 60/90/120-day evals? Won’t this eat into a giant sales opportunity? Must be giving some Marketing guy chills just considering this approach…

Well, call me crazy but I think this is great – give guys like me enough time to actually start using the stuff – long enough that I can actually justify to a manager the cost of buying one of these things.

No, wait – WHAT? [OK, I’m done after this] Seems that if you download ’em before 2006-11-07 (i.e. next year), they’re free to use forever. [which means they’re free from now on, because you *know* that you’ll always be able to dig up a download of them somewhere on the ‘net once they’re out like this.]

Sweet.

Trusted Computing Best Practices, the TNC spec, and Microsoft’s involvement – hypocritical?

Below are excerpts from Bruce Schneier’s “Schneier on Security” blog, asserting that Microsoft is making an effort to prevent the TCG’s software-only spec for TPM from applying to Windows Vista before its release:

In May, the Trusted Computing Group published a best practices document: “Design, Implementation, and Usage Principles for TPM-Based Platforms.” Written for users and implementers of TCG technology, the document tries to draw a line between good uses and bad uses of this technology.

[…]

Meanwhile, the TCG built a purely software version of the specification: Trusted Network Connect (TNC). Basically, it’s a TCG system without a TPM.

The best practices document doesn’t apply to TNC, because Microsoft (as a member of the TCG board of directors) blocked it. The excuse is that the document hadn’t been written with software-only applications in mind, so it shouldn’t apply to software-only TCG systems.

This is absurd. The document outlines best practices for how the system is used. There’s nothing in it about how the system works internally. There’s nothing unique to hardware-based systems, nothing that would be different for software-only systems. You can go through the document yourself and replace all references to “TPM” or “hardware” with “software” (or, better yet, “hardware or software”) in five minutes. There are about a dozen changes, and none of them make any meaningful difference.

If true, this feels to me like some form of hypocrisy, at least at a company level. Microsoft took a decidedly different stance on the use of the “no execute” (NX) feature of the latest generation of CPUs from Intel and AMD, and in an ideal world I’d expect them to do the same here.

In the release of Windows XP’s Service Pack 2 (SP2), they implemented changes to the OS that would enable it to assert the “no execute” flag on any and all processes running on the system – if a process attempted to execute a “page” that was previously considered a data page (i.e. non-executable code), then the OS could immediately halt the program and alert the user. The intent is to prevent things like “buffer overruns” from being able to successfully circumvent a program’s intended purpose and ultimately cause the program to do something the attacker wishes (usually a malicious attack on the OS, its programs, or the user’s data). Worms and viruses have had a field day with this kind of attack for years, and Microsoft and the CPU vendors finally got around to implementing an idea that had kicked around the security community for quite a while.

So far so good. However, while this feature was intended to work with the cooperation of software and hardware, it left most of the existing base of XP users (those without NX-capable CPUs) up the creek. So Microsoft decided to implement a subset of those ideas on any computer running Windows XP SP2. This is a software-only implementation of NX – not perfect, not foolproof, and definitely not as strong as the hardware-backed NX you get with the NX-capable CPUs, but a major leap forward from the “buffer overrun friendly” versions of Windows that have preceded it.

And actually, it seems to work pretty well. I’ve enabled the NX feature on all the computers I touch, and seen it catch a number of programs that were (in most cases accidentally) caught doing the very things that NX is set to trap. It doesn’t interfere with the stable, mature applications I’m running, and it hasn’t yet prevented me from doing anything really important. Mostly, it’s trapped this behaviour in the third-party “shareware” type apps that are nice to have. [Hopefully I’ve been able to help the developers of these apps by sending them the crash dumps from these apps. When I am notified by XP SP2 that an app was caught by NX, I’ll trace through the dialogs that tell me where the dump files are located – indicated as the “technical information” that would be submitted to Microsoft through the Error Reporting feature – I’ll find the dump folder, Zip up a copy, and email that Zip file to the ISV who developed the app. Microsoft probably does this as well for apps that often show up in their error reporting queues, but I figure it can’t hurt to make sure anyway. Hint: I don’t have one on my system right now – the folder is deleted once it’s uploaded to Microsoft’s error reporting site – but the crash dump files will be written to your %temp% folder, with a folder name containing “WER”, and the major files will have the extensions “.hdmp” and “.mdmp”. The files compress quite well.]
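As an added example (not the post’s own script), here is a PowerShell snippet that does the two things described above from a defender’s side: it reports the DEP (“no execute”) configuration the OS exposes through WMI, and it gathers the WER “.hdmp”/“.mdmp” dump files from the %temp% folder into one zip for sending to the ISV. It assumes PowerShell 5 or later (for Compress-Archive and Get-CimInstance, which did not exist in the XP SP2 era) and the dump location the post names.

```powershell
# Added example, not the post's own code. Assumes PowerShell 5+ on Windows.

# Report the DEP ("no execute") configuration as the OS itself sees it.
function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # DataExecutionPrevention_SupportPolicy values per Win32_OperatingSystem:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (system code only), 3 = OptOut
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        HardwareNxAvailable = $os.DataExecutionPrevention_Available   # NX-capable CPU present
        AppliesTo32BitApps  = $os.DataExecutionPrevention_32BitApplications
        AppliesToDrivers    = $os.DataExecutionPrevention_Drivers
        Policy              = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

# Collect the .hdmp/.mdmp files from any "*WER*" folder under the temp
# directory into a single zip, the step the post describes doing by hand.
function Export-WerDumps {
    param(
        # Location the post names; the dumps are deleted once uploaded to Microsoft.
        [string]$Root = $env:TEMP,
        [string]$Destination = (Join-Path $env:USERPROFILE 'wer-dumps.zip')
    )
    $werFolders = Get-ChildItem -Path $Root -Directory -Filter '*WER*' -ErrorAction SilentlyContinue
    $dumps = foreach ($dir in $werFolders) {
        Get-ChildItem -LiteralPath $dir.FullName -Recurse -File |
            Where-Object { $_.Extension -in '.hdmp', '.mdmp' }
    }
    if (-not $dumps) {
        Write-Warning "No WER dump files found under $Root."
        return $null
    }
    # -Update lets repeated runs add newly written dumps to the same archive.
    Compress-Archive -LiteralPath $dumps.FullName -DestinationPath $Destination -Update
    Get-Item -LiteralPath $Destination
}

Get-DepStatus | Format-List
Export-WerDumps
```

Run Get-DepStatus first: if HardwareNxAvailable is false you are on the software-only DEP the post describes, and Policy tells you whether third-party apps are covered at all (OptIn covers only system code).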

So here’s my concern: if Microsoft’s Windows division was comfortable with taking a hardware-assisted feature like NX and implementing it as a “software-only” feature, wouldn’t it seem hypocritical to resist applying a software-only spec for TPM to the premier OS next on the horizon? I know I’m being naive here, but it seems like Microsoft would be in a near-ideal position to apply TNC to Vista. They’ve been working on the formerly code-named “Palladium” technology for ages now – or at least talking about it in the press. As well, they’ve apparently been involved with the TCG and the development of these documents for quite a while now, and presumably had at least some level of influence over their content (though probably not a dominant hand in them, given the number of other players with just as much at stake here).

So I wonder aloud: what possible benefit does Microsoft gain from Vista “escaping” the confines of the TNC spec? I would guess it’s because, at this late stage in the development of Windows Vista (they just passed Beta 1), there aren’t a lot of fundamental changes to the OS that could be introduced – without significant risk of delaying the release of Vista AGAIN. [How many scheduling delays now, and how many valuable features REMOVED to keep the schedule from slipping further?]

Perhaps there are other just as innocent explanations as well, e.g.:

  • They’ve been trying to get the TNC spec worked into Vista all along, but at the same time as they decided to pull the “Palladium” features out of Vista, they also had to decide whether to further delay Vista (and continue to stabilize the TNC components) or take the TNC components out of Vista and stabilize the Vista ship schedule.
  • The TNC spec may have taken a late change that drastically altered the requirements for Vista, and the Vista team couldn’t add the major code change without resetting the Vista development milestones.
  • There are plans to add TNC into Vista post-RTM – not unlike the way that many significant features were added to XP via SP2.

It would certainly help quell a potential firestorm of controversy if Microsoft got out ahead of Schneier’s allegations and discussed their plans for TNC implementation in Windows, and what prevents them from incorporating the spec in Vista before it ships. Despite the nefarious personality that some would like to attribute to every action from Microsoft, I’ve found that the people I’ve met and with whom I’ve worked there really do have the best of intentions at heart.

IE & tabbed browsing – what are the competition *really* doing to MS?

The amount of effort that MS has poured into tabbed browsing over the years – first denying its utility, then showing how you can do it with other IE-based browsers, and finally in actually implementing it in IE7 – makes me wonder what’s up in the minds of the competition, and all the “whiners”, who kept harping on the lack of tabs in IE [caveat: I like tabbed browsing as much as the next person]

At best, tabbed browsing is a “nice to have”, and if you *really* didn’t like that IE didn’t have it, I gotta wonder why you didn’t just go use another browser that *did* have tabs. I can see *some* legitimate reason for putting tabs in IE, but the effort that it generated on MSFT’s behalf I believe was disproportionate to the benefit of finally getting tabs in IE.

It reminds me of the times when the press are goaded into spending inordinate amounts of time reporting on trivial issues, giving the government or industry plenty of “cover” in which to execute much more controversial policies and decisions. Like implementing extreme policies while the press spends every waking moment wondering about Terri Schiavo, as one example.

Microsoft, you should watch out for what people are *really* doing while you’re not watching – while you’re being goaded into focusing all this attention on such a trivial implementation (even if some of your biggest customers are “demanding” tabbed browsing). At minimum, you’re being taunted into playing a game of catch-up with the competing browsers, and getting no more benefit from this than being able to claim “me too” on a feature that I believe is ultimately trivial. What major “big-bang” features do your competition get to deliver, while you’re playing me-too rather than implementing new features?

I know this sounds a bit paranoid, but it doesn’t mean it’s inaccurate…