November 24, 2004
Defect Tracking Goodness: God I love FogBugz
Today was a turning point for me as it relates to defect tracking and feature request management with customers.
I finally got off my butt and completely integrated FogBugz into our development and QA process, including the ability to take in direct email from customers. The result? You can now email a single account (even with attachments such as screenshots, logs etc) and the email gets placed in a triage area on the defect tracking system as a new case. Once reviewed by staff, it gets moved directly into the build process. All emails that exchange between the customer and the support staff are automatically tracked in the case management; there is no extra software or process to set up.
Next step will be to integrate the checkin of Subversion (our source control system) to work closely with FogBugz to track when fixes occur, and produce useful diff stats to show code coverage and areas that may need another look in the test plan.
Another neat (but secret) feature??? The new additions let me do an online crash analysis in the same manner anonymously, by using FogBugz BugzScout to track duplicate incidents submitted on the fly. Once I figure out how to dynamically route a stack trace as its crashing... it can fire off an alert right then and there and allow us to statistically find common bugs as they occur. Of course, the kind of stuff we are finding right now isn't at all crashes; they are functional or usability issues that unit tests should be catching better. But thats another story.
Anyways, I have now just finished removing BugZilla, the defect tracking system I have been using since the inception of the company (hell I used it at th last company when Mozilla was still just beginning). It's now removed off the dev server and has been replaced with FogBugz. If you haven't given it a try, consider doing so. Don't let the silly name fool ya. It's a well written and professional Defect/Bug and Incident System that is worth time investigating.
A look inside how Microsoft approaches Testing
Recently I have been fascinated about testing. I am looking to hire a good QA guy who knows how to build test plans, automated unit tests and knows how to properly manage bug tracking. As I was reading up on some of the latest approaches being used, I stumbled across an interesting blog entry on Scott's site on how Microsoft tested ASP.NET 2.0 as it has been developed. This was a VERY interesting article to me. Ever since I sat in with Chris and had an awesome demo on Team System (go check out the personal demo I got on Channel 9, or read my blog entry about it) I have been interested in building a better process here. I loved seeing some of the tools Microsoft is using to do this; Maddog looks like it rocks.
Anyways, if you have an interest in seeing how Microsoft does quality assurance testing, check out the article.
Pathetic Censorship Safeguards in PDF files
At the last DefCon there was an excellent presentation on how to thwart the censorship of documents done IN PDF.
Because the safeguards were SO ridiculously easy to defeat, the audience broke out in spontaneous applause as it was done right before their very eyes.
Don't believe me that it was that simple?
Here is a video showing how you can simply cut and paste around the blackout in a sensitive document belonging to KPMG.
Here is a video showing how you can copy the image from behind the blackout and paste the image to the clipboard clean. I am sure the Washigton Post didn't expect that when they published that PDF.
And finally, here is a video showing how you can simply select the blackout marks in Illustrator, and delete them!
So, if you REALLY think you can get away by blacking out sensitive information in an electronic document by using the PDF functionality... think again. You would be better off to print out the document, do old style black marker, and rescanning it back into PDF. Of course, as we have seen on Cryptome, even that is getting defeated now adays.
Why Default Passwords Are a Bad Idea
I have never been a supporter of default passwords in a 'manufactured shipping state' piece of hardware. Why? Because most people are either to lazy to change it, or don't even know you need to.
The result? People collect the information and post a single list of default security passwords holding MANY of your favorite vendor products in one place so script kiddies can walk right in.
What could you do about it as a developer? Don't use default passwords. But you need them when shipping for first time login. Ok, ok. Well at least force it to a one time password unique to the machine. In the past I have used a unique seed against the hardware serial of the device, which means a SLIGHT alteration may be needed to the build process of the device. At the manufacturer, you would need to have the serial info which is normally added at the end, become PART of the software flashing process. I will leave how you would plan that up to you; it is possible though.
Thanks to Foz for pointing out the list. One of these days I will have to post my list of default BIOS passwords.
Defending Against Comment Spam
Well it looks like I may have finally found the solution to fix my comment spam hell in Moveable Type.
This is the approach I have taken:
We will see over the next little while if it works. I noticed that as I was doing the update, I got nailed with another 150 comments. None since the older comments have been closed.
November 23, 2004
You can expect my blog to be in a weird state of flux for the next day or so. I just came back from the latest security conference (will blog about that later) to find almost 3000 pieces of comment spam. *sigh*
I am going to have to find a way to close off old comments. I may be forced to move to MT 3.12 and import the flat database into mysql so I can take advantage of some of the plugins that do this for you.
My apologies for the inconvenience. With any luck, you won't notice any major disruptions in the rss feed.
With the security forum over, I should also have a bit more time to update the blog. Will keep you posted.
November 18, 2004
Reducing Privileges in Windows
Michael has an interested article that has been published on MSDN talking about how to reduce an Administrator's privilege in Windows to reduce the access rights of a normal user in an Administrative context. In other words, if you have to do something while as Admin that doesn't need admin rights (such as read email or browse the web), you can reduce your privileges of that process accordingly. Still not as good as running as a normal user and elevating privileges as required with runas, but still a good thing none the less.
The code is rather simple; simply grab a restricted token with less privileges using SaferComputeTokenFromLevel() and then pass that token to the start up params in CreateProcessAsUser(). Of course there is one limit with this... this API was introduced in Windows XP and Windows Server 2003. As such, this won't work on Windows 2000.
Good stuff. Great article. Enjoy!
November 15, 2004
Sarbanes-Oxley now in Effect
Save your emails. SEC said so.
Welcome to audit hell. Its November 15th, and SOX is now in effect.
Strongbad gets a Virus
I think the author of that virus was hired by a German firewall company. ;-)
Ok, maybe not. Thanks to David for pointing it out. I am still laughing. It made my day!
November 14, 2004
TabletPC - Maybe they ARE Disruptive Technology
Very few people know this, but a few weeks ago I picked up a TabletPC. It was time. My little Toshiba Portege 3480 just wasn't able to keep up with me. I loved it because it was so small and light (only 3lbs), perfect for all my traveling, but it was only a PIII 500 with 192 Megs of ram (the maximum ram for the thing). Although I can edit documents on it and show powerpoint slide decks (perfect little machine for my role as entrepreneur), I simply couldn't do much code on it.
Knowing I am heading down to the Microsoft campus to do some kernel mode dev work/testing in December in Building 20, I figured it was time to get at least a laptop that could meet my requirements for mobility, yet functionality.
Here is what I gave myself as a baseline:
As I started hunting around, I also compared my needs with a TabletPC. I noticed on average that the TabletPC with similar functionality was going for about another 20-25% more in cost. Didn't seem to make sense to even consider it.
And then, the moons were aligned and the gods must have been crazy as I tripped over a great deal on Ebay. Acer was selling refurbished units with full warranty that they had in stock of their Acer TravelMate C111TCi-G. And it was approximately the same price as what I would pay for the laptop I was about to order.
Now if you recall, I said I wouldn't buy a TabletPC blind. If I couldn't actually try this thing, I didn't want to bother. However, since it was a convertable laptop-to-slate mode Tablet, even if the Tablet sucked, I still have a half decent laptop at about the price I was going to pay anyways. And Susan has the earlier C110 model, and raves about it. So I bought it.
And BOY am I glad I did. What did I get? Well, I got a second generation TabletPC which not only met my requirements, it beat them:
Using it for 2 weeks, I now GET IT. I understand what Robert is always raving about. If you have similar needs as me when it comes to meetings, reading and coding... a TabletPC might be for you. I am finding I am MORE productive with the thing than my old laptop, but thats not saying much when you jump with leaps and bounds to this peppy little thing.
There are a few things I don't like about the TabletPC though. And I am sure some of them sound fickle, while others may be a limitation on my model.
First and foremost, when Robert said that TabletPCs are a "disruptive" technology... he means it. For me thats a bad thing. What do I mean? Well my purchase was so that I have a more effective tool to do business. In the last two weeks I have had well over 10 meetings, and almost every one of them is "disrupted" when people in the meeting want to see my TabletPC. I am going to a meeting to get work done. I don't want to take the first 10 minutes to show you why you need your own. Maybe some people want the attention; I just want to get on with my work. Its a tool people... not a toy. (Although the Microsoft Tablet Pool Power Toy is nice :) )
On a more serious note, I did find some TECHNICAL issues with my Tablet. First off, it SUCKS in a well lit room with high powered halogen lights. It has a really ugly glare, making it impossible to leave the tablet in slate mode on the table. You can however tilt it a bit and its fine. I have come to basically put it on my lap and it seems to get around the issue.
The built in pen has much to desire. Acer sent me a REALLY nice after market pen which even includes a virtual eraser at the end. I wish the little pen in the Tablet included that functionality. It's just awesome to be writing, and flip over the pen to erase something. Hopefully someday soon someone will buy me the nice Cross Executive TabletPC Pen. Maybe my wife will get me one for XMas. :)
The design of my Tablet could have been better thought out. When you flip into slate mode, the screen covers up the speaker. So the result is a tinny muffled sound if you are listening to tunes while in slate mode. I would recommend that they find some way to move the speaker onto the screen, so it doesn't matter which orientation it is. Of course, I can simply put in headphones to get good sound if I need it for this thing.
A final "drawback" might be my expectations are too high on what is "inkable". I was expecting that I could highlight PDF files and store the strokes for later retrieval when viewing documents. I don't see why that couldn't be stored in metadata in the alternate datastream of the document... but it doesn't. Of course, maybe it can, and I just haven't learned about it yet.
I found a few things I didn't expect that I really like. While doing a bit of photo editing in Adobe Photoshop Elements I found I can do WAY more with the pen than I could with the mouse. Zooming in tight onto an image I can use the pen just like I would on paper, and that is just AWESOME when touching up edges and stuff. It was awesome to have that ability; I sure don't have that kind of control with the mouse. The other thing was flow chart doodling. With OneNote its awesome to quickly draw up a flowchart, add some text and later do a search for that text to bring up the chart in no time at all. I didn't expect OneNote to work that well for me. I will admit though that I think OneNote is overkill. Its got feature bloat that just isn't funny. I would bet I am not using 10% of what it can do. I kinda wish there was Microsoft Journal with folders/tabs. I bet I would be just as content with that as OneNote. Who knows.
Anyways, when you look at my issues, they aren't TERRIBLE to live with. My TabletPC works great and its now replaced my Portege. And the added functionality, flexibility and productivity I gained made it well worth it. And I am happy with the purchase.
November 13, 2004
Secure Coding - We can't stop trying
Recently I wrote a reply to someone on the SCL list, and I decided I want to blog it for later retrieval. I have been way to busy as of late getting ready for the security forum to blog (my apologies for that), but feel you guys might be interested in this email. Enjoy.
November 04, 2004
Political tactics in selling Operating Systems
I didn't know how to title this entry, as I am still trying to get the mud slinging US political election out of my head.
You know the one. Where everyone slings mud at everyone else, meanwhile it only looks like everyone is dirty.
Well, that happens with operating systems too. Microsoft started it with their "Get the Facts" campaign, where they showed why in their view Windows has a lower total cost of ownership and outperforms Linux.
Today Novell shot back by launching their "Unbending the Truth" campaign. And they provide some pretty on point responses, bended to THEIR view.
As I look back to the Redmond campus, waiting for someone to grab another handful of mud to throw, I just shake my head. When will they realize that it's about the right tool for the right job. Quit throwing mud at each other, and tell me what YOU stand for. Answer the question of "What's in it for me", rather than "Why does your competitor suck".
Give me compelling reasons why your OS will make me more money, save me more time, and/or make me more productive. If you can't do that, then go away. I couldn't care less that you are threatened by each other. I couldn't care less if some grass roots zealot thinks Bill Gates is evil and has made to much money selling business apps that 10 years ago were not stable. I don't give a damn if some MVP can show me how it takes THEM 5 days to set up a Linux box.
So bend the truth however you see it. Give me YOUR facts so I can laugh. Then stop and think. Neither of you got my money because of it. I spend my money when I see that something works for me. Not on how something WON'T work for me.
If I want that, I'd go vote.
Microsoft to offer advance information about security patches
Now Susan told me something interesting today. Microsoft has announced that they are expanding their security bulletin program to provide all customers with advance information about upcoming monthly security updates.
Starting this month, the TechNet Security site will publish a general summary of planned security bulletins three days before the regular scheduled bulletin. All in response to customer feedback.
This is kind of nice as the advanced notification will assist administrators with resource planning for the monthly security bulletin release. Of course, you DO do regression testing as part of your patch management strategy anyways, so advanced notice is only going to help with a bit of scheduling... as you need time to roll it in the test lab first.
Still kind of nice though. And in December, they will begin to offer the service directly via email to customers who sign up.
Star Wars Episode III Trailer out!
Well its out. Star Wars III - Revenge of the Sith trailer is out on the net. My buddy Alan has put up a local copy for the bandwidth deprived.
OHHHHHHHHHHHHHHHH I can't wait!!!!!!!!!!!!!!!!!!!!!!!!
Electronic CSI - A Guide for First Responders
The US Department of Justice has released an excellent document on "Electronic Crime Scene Investigation - A Guide for First Responders". The DoJ expects to release a series of books that will cover the following areas:
This first book fits that mandate well. I'll let you read the paper (or atleast the TOC) to see if it is of interest to you.
Good stuff. Thanks to Joat for pointing it out. Happy reading.
November 01, 2004
Scripting Security Descriptors in Windows
I stumbled across an interesting document today from Microsoft on how to script security descriptors on Microsoft platforms.
Taken from Microsoft's website...
"Every securable resource on a Microsoft Windows Server operating system has an associated security descriptor that specifies which security principals can access the resource and what actions those security principals can perform on the resource. Security descriptors can be managed by using scripts."
You can get more information information about this document here. There are some really good examples in the document, including scripts to mod file and registry security descriptors. If you are dealing with security on Windows servers, you really need to take some time to read this document (its only 28 pages) and see if you can apply some of this to your day to day operations.
Some useful ways to use this information:
These seem silly until you realize that being able to script checks for the footprint of perms on a system are VERY useful for audit and analysis purposes. If a process changes your perms, you WANT to know about it. This might be one way of doing that.
Anyways, YMMV. Enjoy. Happy reading!
Security Sounds Good, But Does It Make Me Money?
Lockergnome has an excellent article on the discussion of return on investment (ROI) on security.
Man this article made be laugh as I shook my head and chanted.. "I hear ya".
Prevention is the only way to protect the intangible information assets of a business, the soft, squishy stuff that accounts for up to 80% of its value (Wleugel, Dowdall, Grange 2003). Prevention means building information security into your business processes, aligning your policies with those of your suppliers, hardening your systems, and educating staff.
Ever wonder why I write intrusion prevention software for a living? :)