Anyways, during the discussion Michael Howard said something that had me fall off my chair laughing. And I just had to share it with everyone, because I think it would make a great tshirt in the midst of this debate:

Oh, I'm thinking of banning zero's next - so we can no longer have DIV/0 bugs! Waddya think?

OK.. so its a Friday and that is funny to only a few of us. Still great fun though.

Have a great long weekend! (For you Canadian folks that is)

Part of the conversation we had was on the difference between local desktop display in TS RemoteApp vs just having a full desktop to the Terminal Server. One issue that came up was that as a RemoteApp, you can't run other applications.

Well, that is not actually true. If you think that, then a TS RemoteApp has the ability to be an attack vector for you. What do I mean? Well below is a screen shot of what happens if you hit CTRL-ALT-ENTER with the cursor focused on the RemoteApp window (in this case MS Paint running remotely):

At this point, you can run Task Manager.... then hit File->Run and run something else. In my case, I showed a few people afterwards how to start cmd and start exploring the network. Now, you will only have the privileges of the user account logged in as, but it is still something you have to be careful about. If you think a RemoteApp bundle prevents access to other application sor the network... you are wrong.

So is this bad? No. Is it really an attack vector? No. You just need to understand that when allowing ANY type of Terminal Services based access, you have to restrict the policies and access accordingly. No matter if its local or remote. Running a TS RemoteApp bundle of Office will display on the local desktop, but is STILL running on the Terminal Server. So it will be browsing the network the Terminal Server is connected to as the local net. It will also browse your own drives mapped via tsclient. So you have to remember that.

Hope thats useful. A TS RemoteApp bundle does NOT mean you won't have access to the TS desktop when displaying remotely on your personal desktop. And that's not a bad thing. TS Remote App is a convenient way to extend the workspace to your local machine, anywhere in the world. No pun intended. That's its power... and the benefit. Great remote productivity enhancement in Windows Server 2008. Use it. (Safely of course)

Susan's biggest complaint is that security minded individuals shouldn't be blindly recommending the use of Twitter without educating the user on 'safe-twittering'. I would say that same logic exists for setting up web pages, blogs and the use of social networking sites like Facebook.

She stepped that up a bit tonight when she blogged her discomfort in the fact the RSA Conference was recommending Twitter as well.

So in an effort to stop spreading the FUD about Twitter insecurity, I wanted to share some of my thoughts through a quick set of safe twittering rules.

@DanaEpp's 5 Rules of Safer Twittering

• Never share information in a tweet that you wouldn't share with the world. You can never expect to take it back once it's on the Internet. Even though you can delete a tweet, 3rd party clients may still have it archived. If you feel you want to share private thoughts through Twitter, consider using a "Private Account" and limited it to only people you trust and want to share with. Of course, remember nothing prevents your friends from sharing your tweets with the world. So never share private information on Twitter. Ever. it's just easier that way.
  
• There is no assurance that a Twitter account is the person you believe it is. Deal with it. Anyone can register an account if it doesn't already exist. As a real world example, for some time @cnnbrk was NOT an official CNN account, even though most of the Twitter world thought it was. It wasn't until recently that CNN bought the account from James Cox (the account holder) for an undisclosed amount of money. Another example is the fact that one of Susan's Twitter accounts was actually created by a fellow SBS MVP, and not actually her. :-)
  
• Never click on links in a tweet, unless you trust the URL. If unsure, don't click! The worms that were used to attack Twitter came from people getting users to go to profile pages etc that they had control over for some interesting script attacks. With only 140 chars, its common to "shorten" the URL. Which means you might be clicking on a link blind. That's fine. But only trust shortened URLs that can be previewed BEFORE you go to it. As an example, my recommendation is to use something like TinyURL. However, here is the trick. When you create a TinyURL, use the preview mode. As an example, if you want to send someone to my blog you can use http://tinyurl.com/silverstr to go directly. However, if you use http://preview.tinyurl.com/silverstr it will stop at TinyURL.com and let the user SEE the link before they actually get to it. That is much safer. If using TweetDeck, select TinyURL as the provider, and when it creates the shortened url, simply add "preview." in front of "tinyurl.com".
  
• Use a 3rd party Twitter client instead of using the Twitter.com website directly. I am a fan of TweetDeck and Twitterfon, but there are tons of different clients out there. Why? It is the lesser of two security evils as it relates to web based attacks in Twitter. Most clients have ways to reduce or turn off linking, prevents the script attacks in profile viewing and generally is just an easier environment to stay protected in. Are these clients free of attack? Of course not. But its another layer of defense. Of course... you need to have trust in your client. But that's a story for another day ;-)
  
• You never know who is following you. Remember that. As you use Twitter more and more, you never know who might be watching. I recently had someone who has been trying to get an interview with me who follows me on Twitter, knew where I was having coffee one day because of a tweet I wrote (and it's geotag) and ended up coming down to confront me with his resume. Which was inappropriate in my books. But my own fault. I wasn't too concerned.. but it definitely gave me pause when considering my daughter uses Twitter and could be as easily found. Nothing like the potential of being stalked. GeoTagging makes it way to easy to find you. Remember that.
  

Look, Twitter is addictive. Simple. Short. Fast. A great way to see the thoughts of others you might care about. Ultimately though... like any other Internet based technology it has the potential to be abused... and put you at risk. No different than websites or blogs.

So be careful. Follow these rules and enjoy the conversation!

I will be there too, and will be available if anyone wants to talk about secure coding, threat modeling with the SDL TM or if you want to talk about integrating AuthAnvil strong authentication into your own applications or architectures

I do hope to see some of you there. And if I don't... I will be seeing you at #energizeIT right?

What: Coffee and Code in Vancouver
When: April 8th, 2009 from 9am - 2pm
Where: Wicked Cafe - 861 Hornby Street (Vancouver)

Last month I had the experience of accidentally backing up 7GB of MP3 data to our offsite data backup provider, i365 (formally eVault). I have been a happy customer for YEARS of their service. It works as intended, and quite frankly I rarely even think about them as it "just works". But I got nailed with a HUGE overage bill that blew away my DR budget. It was not a pretty site. Half a year's budget spent in two months.

I gave them a call to find out what was going on, and their Customer Service technical team was awesome in helping me to identify the culprit. We quickly stopped that folder from being backed up any more, and then created a filter to prevent media file extensions from ever being backed up again. This wasn't a standard web based, email only support option. It was a real, living, breathing geek who knew how their software works. And that is important to me... it let me address the issue in a pretty fast manner and move on to more interesting pursuits.

However, the fact remained that it was an expensive lesson on what NOT to do. I had overages of about $26/GB, which is insanely expensive by today's rates. Then again, it was a plan I was on from over 3 years ago. So I can't really blame them for that.

So I twittered in frustration. And Vlad Mazek over at Own Web Now sent me some information about his offerings, which from a cost perspective is way more inline with what a small business can afford. And ultimately I sent out the following twitter after learning about his services:

Holy cow. OwnWebNow offsite backup appears to be way better for small business than eVault.

Now from a social media perspective that might not mean much. But it had an interesting cascading effect worth noting. It seems management over at Seagate heard about the tweet. And it caused a meeting to be scheduled between myself, my eVault account manager and her director.

We had our conference call this morning. Talk about service! They listened to my concerns, and reviewed my account with them. Being with them for so many years, they wanted to keep my business and wanted to make things right. And from the action items from the meeting, it sounds like they will.

Our data needs have changed. We have doubled the amount of data we need to store offsite, and being hit with 4x overage charges isn't acceptable. They listened to the pain I have identitifed, and are addressing it with a new plan that is more inline with my needs and expectations. Guess what? It is going to cost me more money. Considerably more money than if I went with Own Web Now's service. However the difference is WORTH it to me, and although I haven't made a final decision yet... I am leaning heavily to stay with them. As a small business owner my loyalty is to my company and its bottom line. However, it is balanced with the costs of good technical support, and great customer service. Something Seagate/i365 has shown me today.

Customers matter. Without them, a software company is nothing. And it seems i365 get that. And it seems they listen to their customers on Twitter. That's just awesome. And that small gesture has probably secured my business for many years to come.

I was privileged enough to get early access to this study and have to say over the last few weeks I have reflected on their skelton and see some real merit for using BSIMM in enterprise environments. It dictates a well rounded maturing process that can easily be adopted, even if in stages, to significantly increase the security effectiveness of a company's development process.

I highly recommend to take a look at it. You can download it here.

If there is one criticism I would have on BSIMM, it is that it has a requirement of scale. In the study, the median for a software security group (SSG) is 35 to 40 people, which is much too large for a majority of software companies out there. With the adoption of many agile software development paradigms, teams are getting smaller, not bigger, and are becoming isolated from main development teams. Especially if outsourced. And in actuality, it is my belief its these smaller teams that would benefit most from a software security development lifecycle that is better studied, understood and adopted. It's one of the reasons I like the Microsoft SDL process. It works with small teams of 5 or 10 people in the entire team.

However, that is no reason to dismiss BSIMM. From the 110 activities, although some simply don't fit, much does, irregarless of the size of the team. The requirement is that it be bought into... shifting culture and defining attitude. What was interesting to see was the top 10 activities seen through most companies studied. They include:

• Create evangelism role/internal marketing
• Create policy
• Provide awareness training
• Create/use material specific to company history
• Build/publish security features (authentication, role management, key management, audit/log, crypto, protocols)
• Have SSG lead review efforts
• Use automated tools along with manual review
• Integrate black box security tools into the QA process (including protocol fuzzing)
• Use external pen testers to find problems
• Ensure host/network security basics in place

Sounds like good advice to me.

I'd like to congratulate Gary and his peers on an interesting study. And I hope others in the industry will look up this research and see how they can adopt it to their own development processes. With any luck, we can see adaptations to allow this to work with considerably smaller teams.

Back in 2007 I actually blogged how to do this. But most people didn't realize that it has been rolled out to work with production services now, and has for some time (as a beta). So this blog is to provide a link on how to do this.

Rather simple.... just go here: https://login.live.com/beta/managecards.srf

Doing that will get you issued a managed card which you can use on XPSP3, Vista and Windows 7 workstations. When you sign up, you will now have an option to present an information card. It looks like this:

So if you ever find yourself complaining that you hate entering your Passport/LiveID password all the time when logging into Microsoft services, fear not. Use an Information Card and take advantage of single sign-on!...

Ain't that the truth?

For those with their heads in the sand, the story goes that in Windows 7 the default behaviour for UAC is to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. Because UAC is a "Windows setting", it means you can disable UAC without being prompted. And people believe that due to this behaviour, UAC is broken.

Now, I have to say I am personally not a fan of the new slider tuning functionality of UAC in Windows 7. When Windows Vista came out I applauded Microsoft's approach as it forced people to see the trust boundaries that were being broken in software applications that didn't run properly when using least privilege. After all, that is what UAC is designed to do. It enables people to run with the least privilege they need and to encourage applications to migrate to Standard User. Every time you see a prompt, you know which offending application could be written better. You turn to the vendor of that app and scream at them. And its working. Crispin Cowan, who works on the team at Microsoft focused on UAC, had an interesting chart in his presentations at PDC last year showing the prompt reduction people were seeing in the field by applications that were being fixed as Vista was being adopted. It's rather significant.

This is a positive aspect of UAC.

So if it's working, why would Microsoft change it? Well, it's a balance between security and usability. The goal of a technical safeguard providing value in any security aspect has to be weighed against the usability of the system. If it's too difficult for someone to adopt, people tend to find ways around it. This is exactly what happened with UAC in Vista. IT professionals (I will use the term LOOSELY here) were recommending people turn it off. Customers were complaining about the experience, and Microsoft listened to the feedback. Basically, in Windows 7 you got what you asked for *sigh*

Which is rather disappointing. I think Microsoft is making the right commercial decision, but not the right security one. I am not objecting to the new slider. Only to the default shipping state. Of course, I can easily get the level I want by adjusting BACK to high. Which is exactly what I have done in my Windows 7 installs to date. Let me be clear. If you want the same behaviour you have in Vista, you can get it by setting the slider to the highest setting. This gives you the right elevations with the secure desktop as you have it now.

I may personally object to Microsoft's decision because I don't find UAC a nuisance. I run as a Standard User. NOT as a protected admin in "administrator-approval" mode. I rarely see prompts, and my work desktop is Vista SP1, with a beta of SP2 on another. But as Susan is always so fond of saying, I am NOT a normal computer user.

So with an open mind, let's discuss an external view of Microsoft's decision. Vista got a bad wrap on UAC. Customers complained. So Microsoft changed the behaviour. Does this make us less secure?

Well first off, let's remember that UAC is NOT a technical safeguard to provide security boundaries. Mark Russinovich has shown on several occasions how to get around UAC. The goal of UAC is to help get us to a point where everyone runs as standard user by default, and that all software is written with that assumption. Crispin's stats shows it IS getting better as developers move towards this. However, UAC is NOT a mechanism to prevent applications from communicating with each other at different integrity levels on the same desktop. In other words, its trivial to send window messages from a user's desktop to an elevated process in the same desktop. And because of this, it means if someone can get you to run code on your system, it isn't your system anymore. This is Law #1 in the 10 Immutable Laws of Security.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

So if you have ever thought UAC prevented this, you are wrong. If you want that sort of isolation, the right way to do it is to use fast user switching and switch to a DIFFERENT desktop and log into an account with the appropriate privileges you need. This is what I do. If I NEED to do a bunch of admin things, I switch to an admin account and log in. If I need to browse places I am not confident in, I switch to a restricted account with almost no privileges. It's just safer that way. And for everything else I do on a daily basis, I use my Standard User account.

Now, let's reflect on the notion that the default settings make us less safe. Is that really true? Well in Vista, most people are told to turn OFF UAC. That's bad advice. But a reality we have seen. So in those situations, yes, UAC in Windows 7 is better. But what about those people that are used to UAC in Vista? Well, interestingly enough, what are we losing here? In Vista, most user's eyes gloss over when a UAC prompt shows up. Because few actually run as a Standard User, they confirm the prompt with a single click without even reading or understanding the message in front of them. So if we are making the choice for them on the most common prompts, is that a bad thing?

The fact this change exists in Windows 7 means Microsoft DID lower the bar for malware authors. It has gone from extremely difficult to disable UAC (but not impossible) to trivial. However, the malware has to first be executed. In most cases users will have had to install that software, in an elevated manner giving the malware a chance to run with higher privileges already.

Now before you go off and start pointing out malware can run directly in the browser without the user's knowledge or need to install anything, remember how IE works. When surfing online it runs in its own sandbox in the LOW integrity level. Microsoft called it "Protected Mode IE" (PMIE) for a reason. It is significantly more difficult to get hostile code on the Internet to run without your knowledge and be able to do things like modify UAC settings. Microsoft is working hard in IE8 to make that even more difficult. So as an attack vector, that is unlikely unless the attacker first breaches the IE sandbox. If they do that, you have bigger things to worry about than a UAC prompt going missing. :-)

So am I for Microsoft's default behaviour? Not for me personally. But I understand it. They have taken a look at the security risk and balanced it against the usability of the system. Remember, security is all about risk mitigation, NOT risk avoidance. They have looked at the real world experience of UAC in Vista and tweaked it to give the best experience, while being cognisant of the implications to security. For users coming from an XP world (which is most people since Vista adoption has been so slow), it means their experience will be better, and still more secure. And the chances of them following the guidance from the "IT professionals" who don't know any better to turn it off probably won't be followed.

So no, UAC is not broken in Windows 7. And it DOESN'T really make you less secure. But if you have concerns, stop using that damn adminstrator-approval mode account and move to use a Standard User account. And increase the UAC settings to High. You can always use the fast user switching and jump to a higher privileged desktop as needed. Of course, that shouldn't be a lot of times if you have software that actually works in a least privileged environment. And that is what is REALLY broken out there. Application vendors need to fix their stuff. Period. Which is what UAC was designed to help with!