November 24, 2004

Defect Tracking Goodness: God I love FogBugz

Today was a turning point for me as it relates to defect tracking and feature request management with customers.

I finally got off my butt and completely integrated FogBugz into our development and QA process, including the ability to take in direct email from customers. The result? You can now email a single account (even with attachments such as screenshots, logs etc) and the email gets placed in a triage area on the defect tracking system as a new case. Once reviewed by staff, it gets moved directly into the build process. All emails exchanged between the customer and the support staff are automatically tracked in the case management; there is no extra software or process to set up.

Next step will be to integrate Subversion (our source control system) check-ins closely with FogBugz to track when fixes occur, and produce useful diff stats to show code coverage and areas that may need another look in the test plan.

Another neat (but secret) feature??? The new additions let me do an online crash analysis in the same manner anonymously, by using FogBugz BugzScout to track duplicate incidents submitted on the fly. Once I figure out how to dynamically route a stack trace as it's crashing... it can fire off an alert right then and there and allow us to statistically find common bugs as they occur. Of course, the kind of stuff we are finding right now isn't crashes at all; they are functional or usability issues that unit tests should be catching better. But that's another story.

Anyways, I have now just finished removing Bugzilla, the defect tracking system I have been using since the inception of the company (hell, I used it at the last company when Mozilla was still just beginning). It's now removed from the dev server and has been replaced with FogBugz. If you haven't given it a try, consider doing so. Don't let the silly name fool ya. It's a well written and professional Defect/Bug and Incident System that is worth the time to investigate.

Posted by SilverStr at 05:20 PM | TrackBack

A look inside how Microsoft approaches Testing

Recently I have been fascinated by testing. I am looking to hire a good QA guy who knows how to build test plans and automated unit tests, and knows how to properly manage bug tracking. As I was reading up on some of the latest approaches being used, I stumbled across an interesting blog entry on Scott's site on how Microsoft tested ASP.NET 2.0 as it was being developed. This was a VERY interesting article to me. Ever since I sat in with Chris and had an awesome demo of Team System (go check out the personal demo I got on Channel 9, or read my blog entry about it) I have been interested in building a better process here. I loved seeing some of the tools Microsoft is using to do this; Maddog looks like it rocks.

Anyways, if you have an interest in seeing how Microsoft does quality assurance testing, check out the article.

Posted by SilverStr at 07:43 AM | TrackBack

Pathetic Censorship Safeguards in PDF files

At the last DefCon there was an excellent presentation on how to thwart the censorship of documents done IN PDF.

Because the safeguards were SO ridiculously easy to defeat, the audience broke out in spontaneous applause as it was done right before their very eyes.

Don't believe me that it was that simple?

Here is a video showing how you can simply cut and paste around the blackout in a sensitive document belonging to KPMG.

Here is a video showing how you can copy the image from behind the blackout and paste the image to the clipboard clean. I am sure the Washington Post didn't expect that when they published that PDF.

And finally, here is a video showing how you can simply select the blackout marks in Illustrator, and delete them!

So, if you REALLY think you can get away with blacking out sensitive information in an electronic document by using the PDF functionality... think again. You would be better off printing out the document, doing old-style black marker, and rescanning it back into PDF. Of course, as we have seen on Cryptome, even that is getting defeated nowadays.

Posted by SilverStr at 07:27 AM | TrackBack

Why Default Passwords Are a Bad Idea

I have never been a supporter of default passwords in a 'manufactured shipping state' piece of hardware. Why? Because most people are either too lazy to change it, or don't even know they need to.

The result? People collect the information and post a single list of default security passwords holding MANY of your favorite vendor products in one place so script kiddies can walk right in.

What could you do about it as a developer? Don't use default passwords. But you need them when shipping for first-time login. Ok, ok. Well, at least force it to a one-time password unique to the machine. In the past I have used a unique seed against the hardware serial of the device, which means a SLIGHT alteration may be needed to the build process of the device. At the manufacturer, you would need the serial info, which is normally added at the end, to become PART of the software flashing process. I will leave how you would plan that up to you; it is possible though.
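One way to build the per-device first-login password described above, as an added example (not code from this post or from any vendor): the flashing station derives the password from the hardware serial under a manufacturer-held seed, burns only a salted hash onto the unit, and the device refuses to do anything but rotate that password on first login. The seed value and serial numbers are constructed.

```python
"""Per-device first-login password in place of a shared factory default.

Added example, not code from this post or any vendor product. Assumptions:
the manufacturer's flashing station holds a secret seed that never leaves
the factory, the device stores only a salted hash of the derived password,
and the device flags that password as must-change-on-first-login.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

# Label alphabet without look-alike characters (0/O, 1/I/l) so the password
# printed on the unit's sticker is readable. 32 symbols divide 256 evenly,
# so mapping bytes with % introduces no bias.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def derive_initial_password(seed: bytes, serial: str, length: int = 12) -> str:
    """Flashing-station side: HMAC-SHA256 of the hardware serial under the
    manufacturer seed, mapped onto the label alphabet. Every unit gets a
    different password, so a published default-password list is useless.
    If the seed ever leaks, every unit's *initial* password is derivable,
    which is why the device forces a change on first login below."""
    digest = hmac.new(seed, serial.encode("ascii"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


class DeviceAuth:
    """Device side: the credential record that gets burned in at flash time.
    Only a salted PBKDF2 hash is stored; the seed is never on the device."""

    def __init__(self, initial_password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(initial_password)
        self.must_change = True  # first login may do nothing but rotate

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, 100_000)

    def login(self, password: str) -> str:
        """Return 'denied', 'change-required' or 'ok'."""
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> bool:
        """Rotate the password; rejects a wrong old password, reuse of the
        factory password and trivially short replacements."""
        if self.login(old) == "denied" or new == old or len(new) < 8:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(new)
        self.must_change = False
        return True


def flash_device(seed: bytes, serial: str) -> Tuple[DeviceAuth, str]:
    """The extra build step the post mentions: the serial must be known
    before flashing so the per-unit password (and its label) can be made."""
    password = derive_initial_password(seed, serial)
    return DeviceAuth(password), password


if __name__ == "__main__":
    factory_seed = b"constructed-seed-do-not-use"  # constructed sample value
    device, label = flash_device(factory_seed, "SN-2004-000123")
    print("label:", label, "| first login:", device.login(label))
```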

Thanks to Foz for pointing out the list. One of these days I will have to post my list of default BIOS passwords.

Posted by SilverStr at 07:10 AM | Comments (1) | TrackBack

Defending Against Comment Spam

Well it looks like I may have finally found the solution to fix my comment spam hell in Movable Type.

This is the approach I have taken:

  1. Upgraded to MT 3.12
  2. Moved the flat Berkeley DB to MySQL
  3. Installed MT-CloseComments and set it to turn off comments after 7 days
  4. Rebuilt the entire contents to reset all old comments.

We will see over the next little while if it works. I noticed that as I was doing the update, I got nailed with another 150 comments. None since the older comments have been closed.

Let's hope.

Posted by SilverStr at 01:24 AM | Comments (4) | TrackBack

November 23, 2004

Blog Funkiness

You can expect my blog to be in a weird state of flux for the next day or so. I just came back from the latest security conference (will blog about that later) to find almost 3000 pieces of comment spam. *sigh*

I am going to have to find a way to close off old comments. I may be forced to move to MT 3.12 and import the flat database into MySQL so I can take advantage of some of the plugins that do this for you.

My apologies for the inconvenience. With any luck, you won't notice any major disruptions in the rss feed.

With the security forum over, I should also have a bit more time to update the blog. Will keep you posted.

Posted by SilverStr at 04:42 PM | TrackBack

November 18, 2004

Reducing Privileges in Windows

Michael has an interesting article that has been published on MSDN talking about how to reduce an Administrator's privileges in Windows down to the access rights of a normal user while still in an Administrative context. In other words, if you have to do something while running as Admin that doesn't need admin rights (such as reading email or browsing the web), you can reduce the privileges of that process accordingly. Still not as good as running as a normal user and elevating privileges as required with runas, but still a good thing nonetheless.

The code is rather simple: grab a restricted token with fewer privileges using SaferComputeTokenFromLevel() and then pass that token to CreateProcessAsUser() when starting the process. Of course there is one limit with this... this API was introduced in Windows XP and Windows Server 2003. As such, this won't work on Windows 2000.

Good stuff. Great article. Enjoy!

Posted by SilverStr at 06:02 PM | TrackBack

November 15, 2004

Sarbanes-Oxley now in Effect

Save your emails. SEC said so.

Welcome to audit hell. It's November 15th, and SOX is now in effect.

Posted by SilverStr at 10:13 PM | Comments (5) | TrackBack

Strongbad gets a Virus

For those Strongbad fans with an evil streak in them, you GOTTA check out the latest email sent to him.

I think the author of that virus was hired by a German firewall company. ;-)

Ok, maybe not. Thanks to David for pointing it out. I am still laughing. It made my day!

Posted by SilverStr at 02:31 PM | TrackBack

November 14, 2004

TabletPC - Maybe they ARE Disruptive Technology

Very few people know this, but a few weeks ago I picked up a TabletPC. It was time. My little Toshiba Portege 3480 just wasn't able to keep up with me. I loved it because it was so small and light (only 3 lbs), perfect for all my traveling, but it was only a PIII 500 with 192 Megs of RAM (the maximum RAM for the thing). Although I can edit documents on it and show PowerPoint slide decks (perfect little machine for my role as entrepreneur), I simply couldn't do much code on it.

Knowing I am heading down to the Microsoft campus to do some kernel mode dev work/testing in December in Building 20, I figured it was time to get at least a laptop that could meet my requirements for mobility, yet functionality.

Here is what I gave myself as a baseline:

  • I want something of similar size to my Portege
  • I want something weighing in at only a few lbs. Nothing larger than 5 lbs
  • I would like at least a 1GHz processor
  • Must support AT LEAST 1 GIG of ram
  • Must have AT LEAST a 40 gig HD
  • Must have AT LEAST a 2 hour battery life, full on.
  • Must have integrated wireless, and a way to QUICKLY turn it off
  • Must have integrated 10/100 network

As I started hunting around, I also compared my needs with a TabletPC. I noticed on average that the TabletPC with similar functionality was going for about another 20-25% more in cost. Didn't seem to make sense to even consider it.

And then the moons were aligned and the gods must have been crazy, as I tripped over a great deal on eBay. Acer was selling refurbished Acer TravelMate C111TCi-G units, with full warranty, that they had in stock. And it was approximately the same price as what I would pay for the laptop I was about to order.

Now if you recall, I said I wouldn't buy a TabletPC blind. If I couldn't actually try this thing, I didn't want to bother. However, since it was a convertible laptop-to-slate mode Tablet, even if the Tablet sucked, I would still have a half decent laptop at about the price I was going to pay anyways. And Susan has the earlier C110 model, and raves about it. So I bought it.

And BOY am I glad I did. What did I get? Well, I got a second generation TabletPC which not only met my requirements, it beat them:

  • It's the same size as my Portege
  • It is only 3.3 lbs
  • It has a 1GHz Ultra low voltage (ULV) Intel processor
  • Comes with 512 Megs ram, expandable to 2 GIGs!
  • Comes with a 60 gig HD
  • Comes with a 3 hour battery life
  • Has integrated 802.11b AND g wireless, and a single button to QUICKLY turn it off
  • Has integrated 10/100 network
  • Has builtin Bluetooth, and uses the same single button as the WiFi to turn on and off
  • Has pressure sensitive display when using the pen
  • Supports dual head with an external monitor, great for coding

Using it for 2 weeks, I now GET IT. I understand what Robert is always raving about. If you have similar needs to me when it comes to meetings, reading and coding... a TabletPC might be for you. I am finding I am MORE productive with the thing than my old laptop, but that's not saying much when you jump by leaps and bounds to this peppy little thing.

There are a few things I don't like about the TabletPC though. And I am sure some of them sound fickle, while others may be a limitation on my model.

First and foremost, when Robert said that TabletPCs are a "disruptive" technology... he means it. For me that's a bad thing. What do I mean? Well, my purchase was so that I have a more effective tool to do business. In the last two weeks I have had well over 10 meetings, and almost every one of them is "disrupted" when people in the meeting want to see my TabletPC. I am going to a meeting to get work done. I don't want to take the first 10 minutes to show you why you need your own. Maybe some people want the attention; I just want to get on with my work. It's a tool, people... not a toy. (Although the Microsoft Tablet Pool Power Toy is nice :) )

On a more serious note, I did find some TECHNICAL issues with my Tablet. First off, it SUCKS in a well lit room with high powered halogen lights. It has a really ugly glare, making it impossible to leave the tablet in slate mode on the table. You can however tilt it a bit and it's fine. I have come to basically put it on my lap and it seems to get around the issue.

The built-in pen leaves much to be desired. Acer sent me a REALLY nice after-market pen which even includes a virtual eraser at the end. I wish the little pen in the Tablet included that functionality. It's just awesome to be writing, and flip over the pen to erase something. Hopefully someday soon someone will buy me the nice Cross Executive TabletPC Pen. Maybe my wife will get me one for XMas. :)

The design of my Tablet could have been better thought out. When you flip into slate mode, the screen covers up the speaker. So the result is a tinny muffled sound if you are listening to tunes while in slate mode. I would recommend that they find some way to move the speaker onto the screen, so it doesn't matter which orientation it is. Of course, I can simply put in headphones to get good sound if I need it for this thing.

A final "drawback" might be that my expectations are too high on what is "inkable". I was expecting that I could highlight PDF files and store the strokes for later retrieval when viewing documents. I don't see why that couldn't be stored as metadata in an alternate data stream of the document... but it isn't. Of course, maybe it can, and I just haven't learned about it yet.

I found a few things I didn't expect that I really like. While doing a bit of photo editing in Adobe Photoshop Elements I found I can do WAY more with the pen than I could with the mouse. Zooming in tight onto an image I can use the pen just like I would on paper, and that is just AWESOME when touching up edges and stuff. It was awesome to have that ability; I sure don't have that kind of control with the mouse. The other thing was flow chart doodling. With OneNote it's awesome to quickly draw up a flowchart, add some text and later do a search for that text to bring up the chart in no time at all. I didn't expect OneNote to work that well for me. I will admit though that I think OneNote is overkill. It's got feature bloat that just isn't funny. I would bet I am not using 10% of what it can do. I kinda wish there was Microsoft Journal with folders/tabs. I bet I would be just as content with that as OneNote. Who knows.

Anyways, when you look at my issues, they aren't TERRIBLE to live with. My TabletPC works great and it's now replaced my Portege. And the added functionality, flexibility and productivity I gained made it well worth it. And I am happy with the purchase.

Posted by SilverStr at 08:02 AM | Comments (6) | TrackBack

November 13, 2004

Secure Coding - We can't stop trying

Recently I wrote a reply to someone on the SCL list, and I decided I want to blog it for later retrieval. I have been way too busy as of late getting ready for the security forum to blog (my apologies for that), but feel you guys might be interested in this email. Enjoy.


> I truly believe this as no matter how secured we make our programs there
> will always be someone to figure how to break it.

Like most things in information security it's about risk mitigation, NOT risk avoidance. We can sit and profile the adversary till we are blue in the face and assume we know how he will think; the landscape always changes and we will at times miss something.

But that doesn't mean we stop trying. Secure software engineering is still in its infancy. We will continue to have failures. What will make the difference is how we learn from it, adapt and move forward. Having a poor track record to this point doesn't help. Things like buffer overflows have been around for over 20 years and many developers still haven't figured it out.

But that doesn't mean we stop trying. We need to approach it with a higher mindset. Instead of worrying about the next great technical safeguard or uber coding technique we have to really understand how software works. How it is exploited and how we can mitigate the risks associated with various attack pattern TYPES.

I say TYPES as I think it goes beyond what people like Gary McGraw outline. Commonalities in the patterns continue to be ignored as systems get more obscured with higher-level languages that hide what is going on. New developers are emerging without having a REAL understanding of what is going on under the hood, having a false sense of security because they have been told that <your favorite language here> is safer to code in.

Sometimes we need to reflect on history and try to learn from it. We like to tout that defense in depth in any environment is a good idea. Yet do we actually use that thinking in software? Do we actually understand what that means? To me I would rather have three smaller walls than one BIG one. Why? Because I will typically know when the first wall is breached, giving me time to REACT. How much software today simply implements a single safeguard and thinks it's safe? It's not acceptable, and that's not a failing of the discipline. It's the failing of people who don't know any better. They read "Writing Secure Code" or "Building Secure Software" and think they have all the answers, when there is much, much more. And what's sad is most developers don't even go that far.

We need to reduce, redirect or eliminate the impacts of attacks, and that goes beyond simply writing "secure" code. We need to apply the thinking to configuration, to deployment AND to design. Microsoft calls it SD3+C. It's one of the concepts I LIKE coming out of there. Secure by design, secure by default and secure in deployment. (I won't get into the +C here). Yet I know MANY people don't even think about that when writing software. Heck, many still WRITE code as an Administrator on a Windows system for god's sake. And deploy software requiring similar rights when it's not needed. *sigh*

Now I know I am preaching to the choir. You guys know all this stuff. But the people out there DON'T. And now we are full circle in the discussion of education.

George, you are right that there will always be an adversary that will be able to break our safeguards. The trick is to apply the appropriate safeguards in the right places to make it much more difficult for the attacker, so that they will move on to easier targets. It's not about having the BEST security in the world, it's about having "just enough" security to mitigate the risks you wish to protect against. Does it make sense to spend $500,000k on developing a crypto schema for a P2P file sharing app? Probably not. Would you want to apply that to something protecting critical infrastructure? Probably.

Think of it as a chess game with a twist. We always have to think ahead of the adversary, thinking moves ahead of what they are going to do. Unfortunately they can move their pawns backwards, giving them an unfair advantage. And at times, get ahead of us. But that doesn't mean we stop trying.

Dana Epp

Posted by SilverStr at 01:16 PM | TrackBack

November 04, 2004

Political tactics in selling Operating Systems

I didn't know how to title this entry, as I am still trying to get the mud slinging US political election out of my head.

You know the one. Where everyone slings mud at everyone else, meanwhile it only looks like everyone is dirty.

Well, that happens with operating systems too. Microsoft started it with their "Get the Facts" campaign, where they showed why in their view Windows has a lower total cost of ownership and outperforms Linux.

Today Novell shot back by launching their "Unbending the Truth" campaign. And they provide some pretty on point responses, bent to THEIR view.

As I look back to the Redmond campus, waiting for someone to grab another handful of mud to throw, I just shake my head. When will they realize that it's about the right tool for the right job. Quit throwing mud at each other, and tell me what YOU stand for. Answer the question of "What's in it for me", rather than "Why does your competitor suck".

Give me compelling reasons why your OS will make me more money, save me more time, and/or make me more productive. If you can't do that, then go away. I couldn't care less that you are threatened by each other. I couldn't care less if some grass roots zealot thinks Bill Gates is evil and has made too much money selling business apps that 10 years ago were not stable. I don't give a damn if some MVP can show me how it takes THEM 5 days to set up a Linux box.

So bend the truth however you see it. Give me YOUR facts so I can laugh. Then stop and think. Neither of you got my money because of it. I spend my money when I see that something works for me. Not on how something WON'T work for me.

If I want that, I'd go vote.

Posted by SilverStr at 01:10 PM | Comments (6) | TrackBack

Microsoft to offer advance information about security patches

Now Susan told me something interesting today. Microsoft has announced that they are expanding their security bulletin program to provide all customers with advance information about upcoming monthly security updates.

Starting this month, the TechNet Security site will publish a general summary of planned security bulletins three days before the regular scheduled bulletin. All in response to customer feedback.

This is kind of nice as the advanced notification will assist administrators with resource planning for the monthly security bulletin release. Of course, you DO do regression testing as part of your patch management strategy anyways, so advanced notice is only going to help with a bit of scheduling... as you need time to roll it in the test lab first.

Still kind of nice though. And in December, they will begin to offer the service directly via email to customers who sign up.

Good show.

Posted by SilverStr at 12:36 PM | TrackBack

Star Wars Episode III Trailer out!

Well it's out. Star Wars III - Revenge of the Sith trailer is out on the net. My buddy Alan has put up a local copy for the bandwidth deprived.

OHHHHHHHHHHHHHHHH I can't wait!!!!!!!!!!!!!!!!!!!!!!!!

Posted by SilverStr at 12:28 PM | Comments (1) | TrackBack

Electronic CSI - A Guide for First Responders

The US Department of Justice has released an excellent document on "Electronic Crime Scene Investigation - A Guide for First Responders". The DoJ expects to release a series of books that will cover the following areas:

  • Crime scene investigations by first responders.
  • Examination of digital evidence.
  • Investigative uses of technology.
  • Investigating electronic technology crimes.
  • Creating a digital evidence forensic unit.
  • Courtroom presentation of digital evidence.

This first book fits that mandate well. I'll let you read the paper (or at least the TOC) to see if it is of interest to you.

Good stuff. Thanks to Joat for pointing it out. Happy reading.

Posted by SilverStr at 07:23 AM | TrackBack

November 01, 2004

Scripting Security Descriptors in Windows

I stumbled across an interesting document today from Microsoft on how to script security descriptors on Microsoft platforms.

Taken from Microsoft's website...

"Every securable resource on a Microsoft Windows Server operating system has an associated security descriptor that specifies which security principals can access the resource and what actions those security principals can perform on the resource. Security descriptors can be managed by using scripts."

You can get more information about this document here. There are some really good examples in the document, including scripts to modify file and registry security descriptors. If you are dealing with security on Windows servers, you really need to take some time to read this document (it's only 28 pages) and see if you can apply some of this to your day to day operations.

Some useful ways to use this information:

  • Daily scans of critical security perms for files
  • Daily scans of critical security perms for registry settings
  • Tripwire style perm checks by the minute of specific files being monitored
  • Archive backup of perms of critical areas of the server

These seem silly until you realize that being able to script checks for the footprint of perms on a system is VERY useful for audit and analysis purposes. If a process changes your perms, you WANT to know about it. This might be one way of doing that.
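As an added example of the Tripwire-style perm check listed above (not from Microsoft's document, which scripts this through WMI/VBScript), this Python snapshot comparison parses security descriptors captured as SDDL strings and reports owner, group and ACE changes between a stored baseline and a fresh scan. The paths and descriptors are constructed, and SDDL as the capture format is an assumption.

```python
"""Tripwire-style footprint check of Windows security descriptors.

Added example, not from the Microsoft document the post links to. It assumes
each scan captures descriptors as SDDL strings, e.g. "O:BAG:SYD:PAI(A;;FA;;;BA)".
The paths and descriptors below are constructed, not real server output.
"""
import re
from typing import Dict, List

# Small subset of SDDL well-known SID aliases and rights codes, enough to
# make findings readable; anything unknown is reported verbatim.
ALIASES = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
           "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone",
           "AU": "Authenticated Users", "CO": "CREATOR OWNER"}
RIGHTS = {"FA": "file all", "FR": "file read", "FW": "file write",
          "FX": "file execute", "KA": "key all", "KR": "key read",
          "KW": "key write", "GA": "generic all"}

# O:owner G:group D:dacl S:sacl; a section runs until the next "X:" marker.
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl: str) -> Dict[str, object]:
    """Split an SDDL string into owner, group, DACL control flags and the
    set of DACL ACEs (kept raw as 'type;flags;rights;objguid;inhguid;sid')."""
    parts = dict(SECTION_RE.findall(sddl))
    dacl = parts.get("D", "")
    return {"owner": parts.get("O", ""),
            "group": parts.get("G", ""),
            "dacl_flags": dacl.split("(", 1)[0],   # e.g. "PAI" = protected
            "aces": frozenset(ACE_RE.findall(dacl))}


def describe_ace(ace: str) -> str:
    """Turn 'A;;FA;;;WD' into 'allow file all to Everyone'."""
    ace_type, flags, rights, _obj, _inh, sid = (ace.split(";") + [""] * 6)[:6]
    kind = {"A": "allow", "D": "deny", "AU": "audit"}.get(ace_type, ace_type)
    inherited = " (inherited)" if "ID" in flags else ""
    return f"{kind} {RIGHTS.get(rights, rights)} to {ALIASES.get(sid, sid)}{inherited}"


def diff_footprint(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Compare two path->SDDL snapshots; return one finding per change.
    An empty list means the permission footprint is unchanged."""
    findings: List[str] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(f"{path}: MISSING from scan (in baseline)")
            continue
        if path not in baseline:
            findings.append(f"{path}: NEW, not in baseline")
            continue
        old, new = parse_sddl(baseline[path]), parse_sddl(current[path])
        for field in ("owner", "group", "dacl_flags"):
            if old[field] != new[field]:
                findings.append(f"{path}: {field} changed {old[field]!r} -> {new[field]!r}")
        for ace in sorted(new["aces"] - old["aces"]):
            findings.append(f"{path}: ACE added: {describe_ace(ace)}")
        for ace in sorted(old["aces"] - new["aces"]):
            findings.append(f"{path}: ACE removed: {describe_ace(ace)}")
    return findings


# Constructed snapshots: a web.config whose DACL was opened to Everyone
# between scans, and a service key that did not change.
BASELINE = {
    r"C:\inetpub\wwwroot\web.config":
        "O:BAG:SYD:PAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;FR;;;BU)",
    r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc":
        "O:BAG:SYD:(A;;KA;;;BA)(A;;KA;;;SY)(A;;KR;;;BU)",
}
CURRENT = {
    r"C:\inetpub\wwwroot\web.config":
        "O:BAG:SYD:PAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;WD)",
    r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc":
        "O:BAG:SYD:(A;;KA;;;BA)(A;;KA;;;SY)(A;;KR;;;BU)",
}

if __name__ == "__main__":
    for line in diff_footprint(BASELINE, CURRENT):
        print(line)
```

Run daily (or by the minute for a short watch list), persisting the baseline dict as JSON; any non-empty result is the alert the post wants.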

Anyways, YMMV. Enjoy. Happy reading!

Posted by SilverStr at 02:34 PM | Comments (1) | TrackBack

Security Sounds Good, But Does It Make Me Money?

Lockergnome has an excellent article on the discussion of return on investment (ROI) on security.

Man, this article made me laugh as I shook my head and chanted... "I hear ya".

Prevention is the only way to protect the intangible information assets of a business, the soft, squishy stuff that accounts for up to 80% of its value (Wleugel, Dowdall, Grange 2003). Prevention means building information security into your business processes, aligning your policies with those of your suppliers, hardening your systems, and educating staff.

Ever wonder why I write intrusion prevention software for a living? :)

Posted by SilverStr at 10:35 AM | TrackBack