I've seen about my billionth discussion about the splintering of Linux distributions. The simple fact is that choice doesn't make people interested in using something. If that made people happy, then blank paper would be the internet! Nothing allows open choices like a blank piece of paper, but you have to do the work. When you stare at a blank piece of paper, your mind churns with ideas, but it takes time to put anything interesting or useful down (see writer's block). Who wants to write their own daily paper from scratch every day? No one! We pay to have someone deliver it to our doors. Who even wants to write their own news? Eck! Who wants to compile their own software...or debug their kernel dumps? Linux has all the choices you could possibly want, but not one variant has all of the features most want/need. Some call this progress because you get to make a choice, but it isn't. It's just an overly splintered OS. Just build one version that does all of this stuff (well, of course). If all these Linux developers were forced to work on a single Linux version, it would be incredible! We'd have a featureful, stable OS for most everyone's needs. This could take down Microsoft; nothing less will. So it's clear by market analysis, psychoanalysis, etc., that the primary key to a software's success is not how free it is, but rather how featureful it is. Linux is horrible at providing a standard process for configuration modification. Every config file could be in about a dozen different locations with a dozen different syntaxes...just in the last 6 months. ;) I think if the Linux community had the cojones they could reverse their years of wallowing in about a year by picking a single variant and closing development on all others. Within 356 days this OS would be close to useful for everyone. Within another 365 days it would be robust. Microsoft stock would plunge as vendor after vendor noticed business after business switch to OneLinux and introduce useful solutions. I call it the two year plan. I would also think that governments would appreciate this consolidation and follow suit by promoting this OS. Within 5 years, the market would be able to support multiple variants again (but a controlled few), allowing for those special needs. But the key reason why only one variant of Linux is required to make this all work is that the developers and the geek community simply can't agree on working for the common good very well, and there aren't enough people developing to support more than that (see the list of poor quality and insecure Linux distributions here). So charge as little as you want...I'll download it, but I'll gladly buy something that has what I need and does it well.
I have been thinking more about trust and its importance in a computing environment. Since there are so many ways to erode or remove trust altogether, it seems that we need to do more to provide solutions to combat these attacks.
The key benefit of computing technology is that it is so dynamic. This capability enables us to change anything in a nanosecond. This is also a huge risk. What would happen if you removed the element of change from a computing environment? Would it cease to have value? I think not. I think that the recent surge of CD-bootable OS images and virtualized images is merely one phase of this trust recovery process. The next phase is creating "write-once" environments that cannot be modified by API. Simply revoke ALL write API access to the disk. Force all activity to occur in memory. This of course has constraints, but systems are more powerful every day. It's only a few years away that we will have many GBs of memory in systems as a low-end standard.
A write-once OS would improve the trust level it provides by preventing any changes to it on the fly. The concern of course is that all of its flaws are persistent as well. Oh well, mankind has yet to make a perfect piece of software. I guess we'll have to live with that human flaw. A write-once OS should of course be as locked down as possible to reduce its attack surface area. Of course data storage will need to happen elsewhere. And session persistence is not a trustworthy goal, as the session data needs to be stored elsewhere and could have been polluted/infected.
Now this is an area Linux could easily excel in: the write-once OS. This would need to be refreshed/recompiled (possibly by the user as well) so that fixes for any vulnerabilities, or new features, can be released. Sure, you need to download a 10-20GB image, but at least once you securely load it, you won't have any questions.
Perhaps it's even possible to convert the concept to hardware: the hardware Linux OS. Not only is it not modifiable, but you never have to doubt it, ever. This is merely a thought; I've no experience in OS design, but I suspect this is possible, just by forking Linux.
I got to go to LA for CISSP training. It was nice although I didn't get to explore much. Deckard would be proud...
A nice shot of the Bradbury Building:
I have passed my CompTIA Security+ exam and I'm now Security+ and MCSA:Security 2003 certified!

Trust is a reliance on the integrity or nature of an entity. It does not protect you; it just assures you of its virtue on a given topic. So you can have trust of identity, trust of intent, trust of protecting your credit card number, etc.
Validation is what is used to determine the state of trust.
Websites use SSL certificates to provide a level of security for users. The nature of those certificates is built upon a "chain of trust" that emanates from their root certificate, usually held by some other entity. So the reason you don't need to fear someone seeing your email on Gmail is not that it has been encrypted per se, but that the only entity that can see that traffic is actually Google. If Google sold their SSL certificate's private key, they would risk exposing everyone's email to that buyer. Hmm...quite a lucrative market there I bet. :)
Trust is an odd thing. If you have to prove it, did you have any to begin with? So why call it trust? Why not call it something else, like Validated Identity Recognition: "I see that certificate and I have determined it to be proof of your identity, so let's talk in private now". You have essentially validated Google's identity in the example above, not placed trust in them. Hey, they may not have a clue how to protect their servers or customers.
So why mention this distinction? Well, it seems that there is one current problem with open source: a lack of trust. I don't play with guns because I don't trust them in the situations I would place them in (leaving them unsecured for hours a day, etc.). Trust isn't the only thing encouraging someone to buy a product, though. There are lots of reasons. But I suspect companies see things differently. Users (and companies) don't trust this stuff just because they could take a look at its code. Most users have no clue how to review code. They also have no reason to trust something based on its existence. That's like trusting a bomb because you see it. Exactly what you would not do.
So the point I'm making here is that somehow it becomes important to increase the amount of trust related to open source projects. It therefore becomes necessary to give "outsiders" a standard method of accepting (or refuting) the measure of trust of an open source project.
So why not start creating a trust-based solution for open source projects? A way of saying "I've reviewed the project, or part of it, and I can validate it does what it is supposed to". Repeat that hundreds of times for a project and you can begin to see how "supporters" and "developers" begin to assign levels of trust to specific people. I trust ProjectX, so therefore I trust developer John. Or vice versa.
Using things like certificates as an identity placeholder, you can associate Trust Points in some public manner that enforces the notion of trust in open source projects. So as you gain Trust Points in general, you may be generally more accepted regarding your input to a project. This is kind of like the forum policing that moderators (and users) perform, but in reverse. Don't focus on tearing a person down. Instead focus on building up trust. Those that continue to fail in that regard will not achieve much trust. The same goes for projects.
I can see modules being implemented similar to blog posts using Captcha, but signing with a public cert. Since you can only sign once, re-signing is irrelevant and easily blockable. Getting around the system becomes difficult and only coercion is a concern. So could you either convince or force others to sign? Of course. That is certainly a risk here, but no more than with other non-repudiation systems. You could be notified and have the ability to renounce a signing (with limited options) and an impact on your Trust Status.
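The signing and Trust Points mechanism sketched above, as an added example that is not part of the original post: a small Go ledger in which each review is an Ed25519-signed claim, a reviewer can attest a given artifact only once (so re-signing is simply rejected), and a signed renounce withdraws the attestation at a cost. The claim format, the point values and the use of bare keys in place of certificates are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Claim is one reviewer's signed statement about a project artifact.
// Kind is "attest" ("I reviewed this and it does what it is supposed to")
// or "renounce" (withdraw an earlier attestation). Artifact is a digest of
// the reviewed code; a bare Ed25519 key stands in for the public cert.
type Claim struct {
	Kind     string
	Project  string
	Artifact string
	Reviewer ed25519.PublicKey
	Sig      []byte
}

// message binds kind, project and artifact so a signature cannot be replayed
// as a claim about another artifact or as a different kind of claim.
func message(kind, project, artifact string) []byte {
	return []byte(kind + "\x00" + project + "\x00" + artifact)
}

// Sign creates a claim with the reviewer's private key.
func Sign(priv ed25519.PrivateKey, kind, project, artifact string) Claim {
	pub := priv.Public().(ed25519.PublicKey)
	return Claim{kind, project, artifact, pub, ed25519.Sign(priv, message(kind, project, artifact))}
}

// KeyID is the public identity placeholder: a short fingerprint of the key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

var (
	ErrBadSig    = errors.New("signature does not verify")
	ErrDuplicate = errors.New("reviewer already signed this artifact")
	ErrUnknown   = errors.New("nothing on record to renounce")
)

// Ledger is the public record of accepted claims and the Trust Points
// derived from them (one point per live attestation; an assumed scheme).
type Ledger struct {
	status  map[string]string // reviewer/project/artifact -> "attested" | "renounced"
	points  map[string]int    // reviewer key ID -> Trust Points
	project map[string]int    // project -> live attestations
}

func NewLedger() *Ledger {
	return &Ledger{map[string]string{}, map[string]int{}, map[string]int{}}
}

// Apply verifies a claim and updates the ledger. A reviewer can attest a
// given artifact only once, so re-signing is rejected; a renounce removes
// the project's point and costs the reviewer that point plus a penalty.
func (l *Ledger) Apply(c Claim) error {
	if len(c.Reviewer) != ed25519.PublicKeySize ||
		!ed25519.Verify(c.Reviewer, message(c.Kind, c.Project, c.Artifact), c.Sig) {
		return ErrBadSig
	}
	id := KeyID(c.Reviewer)
	key := id + "/" + c.Project + "/" + c.Artifact
	switch c.Kind {
	case "attest":
		if l.status[key] != "" {
			return ErrDuplicate // already attested, or renounced and not re-attestable
		}
		l.status[key] = "attested"
		l.points[id]++
		l.project[c.Project]++
	case "renounce":
		if l.status[key] != "attested" {
			return ErrUnknown
		}
		l.status[key] = "renounced"
		l.points[id] -= 2
		l.project[c.Project]--
	default:
		return errors.New("unknown claim kind")
	}
	return nil
}

func (l *Ledger) ReviewerPoints(pub ed25519.PublicKey) int { return l.points[KeyID(pub)] }
func (l *Ledger) ProjectPoints(project string) int        { return l.project[project] }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	l := NewLedger()
	art := "sha256:constructed-digest" // constructed placeholder for a reviewed tree
	fmt.Println(l.Apply(Sign(priv, "attest", "ProjectX", art)), l.Apply(Sign(priv, "attest", "ProjectX", art)))
	fmt.Println(l.ReviewerPoints(pub), l.ProjectPoints("ProjectX"))
}
```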
I think this idea of Project Trust has merit and could even be implemented in companies on a much smaller scale for internal projects. More or less rated on their quality of work rather than the trust that they aren't putting backdoors in, but both are still relevant.
So validate the code, then trust the code.
What will come in the future for Information Security? Here is a list of things I see clearly becoming relevant in the next 20 years.
- Standardized definition of a file - An ISO (universal) standard defining a "file". This standard will allow for more robust security measures such as signatures, thumbprints, reliable timestamps, content validation, etc., making a file more into a container with approved slots for required features. This will place more integrity in the files. A previous post I made about secret sharing can be combined with this to appease any Board of Directors.
- Full auditing computer systems - A computer designed to fully audit every single change to it for providing a reliable audit trail. This will require isolated logging features, likely open source analysis, and an insane amount of storage space, memory and features.
- Multi-factor authentication - Two ain't enough. Eight may be. See next entry.
- Split secrets - The old missile launch key solution to major risks will become more pervasive in corporate environments where data security is mandated. An erosion of trust masked in a technological solution will be quickly accepted by management.
- Templatized security code analysis - This is already found in limited capabilities at some large companies. But the days of 300Kb exes are going the way of the dodo. Imagine MBs of security code to protect the actual code. Writing a C++ app for the government? You need to implement at least one of 3 possible security-enhanced services within your code or no acceptance. This will protect from all known exploits for a language and provide the intense logic analysis needed to actually do its job. I imagine protected updates will be mandatory. Think TPM here.
- Restrictive Operating Systems - So locked down, you may be able to revert to a mainframe concept and reduce usage to specific commands and application options. Corporate users will cry today, but thank us later, when millions of social security numbers and credit card numbers are actually abused in a vast breach and all those unknowing employees are fired/jailed without a thought by their companies to protect their investors. Then not being able to run Solitaire will bring a sigh of relief to the worker bee who fears some strange program ruining their career.
- Big Brother - Think you have someone watching your every move today? Ha! It's nothing like what will be present in 20 years. Mandatory recording, tracking, and home auditing will all be part of getting a job in the future. Remember Back to the Future 2: they'll watch every transaction you perform at home as well and be able to act instantly on it. All because you'll want a job that pays well. Cheap jobs will still be generally unmonitored. Homeland Security will push for this program design, you'll see.
- Open source - After years of struggling with acceptance, open source solutions will go critical as technology provides some of the solutions above. Once code security is modularized, implementing secure open source solutions raises their trust factor significantly. I imagine modularized solutions for code performance and feature provisioning will also occur, reducing the effort in producing well-built open source solutions that don't require a degree to use. Most open source apps today have a handful of active developers and likely numerous hackers attacking the published code, with opposite goals. The changes mentioned will make hacking much more difficult at the code level.
I've been looking at getting a cell phone that can handle all my needs, including calendaring. Well, the problem is I'd like to sync my personal calendar and my work calendar without publishing my personal calendar to work.
I use Outlook 2003 at work (Exchange 2003) and home.
So there are several Outlook sync apps out there, but they all seem to require the use of Outlook categories. You then select which categories to sync and in which direction. This allows granular control. So in order to separate my personal calendar from my work calendar, I have to at least identify ALL of my personal calendar items with a category. Not so bad to manually change them once. But I would have to manually set a category for every calendar event I create! Ah, but I can just set a default category so I never have to think about it, right? No, the silly problem is that there is no easy way to have a default category set on your calendar items. OK, so now you're saying "this guy has no idea what he's talking about." Go and check...I'll wait here. OK, now onward. ;)
How on Earth could Microsoft have been releasing this Outlook product and be considered the premier product without such a seemingly simple setting (Set a default category for appointments and/or contacts)? Apparently, just by never doing it.
So here is:
How to set a default category for all Outlook appointments:
1. Open Outlook 2003 or higher.
2. Open (select) the default Calendar folder or create a new folder for calendar items.
3. While the correct calendar folder is selected, click "Tools/Forms/Design a form".
4. Select Appointment from the "Standard Forms Library".
5. The Form Designer will open the "Appointment" template.
6. Click on the Category button in the lower right of the Appointment tab.
7. Select (or create) at least one category to use as the default for all items in this calendar and click OK. You can choose multiple categories if you want.
8. Click "Tools/Forms/Publish form as".
9. At the top left, select the "Personal Forms Library", then provide a useful name for your form (such as PersonalAppt or WorkAppt) and click Publish.
10. Click File/Close. Do NOT save changes.
11. Right-click the calendar folder you wish to use this new "default category" on and choose Properties.
12. Change "When posting to this folder" to use the form name you created in step 9. (You may have to browse by choosing Forms...) Click OK.
13. Now create a new calendar appointment in this calendar. Note that it should automatically have the category (or categories) that you set in the template. If not, you may not have selected the correct form, or not saved it on the Properties window.
This same process can be performed for any pre-existing form type such as contacts, appointments, notes, etc. Just make sure to change the correct folder to use the new form you created. Enjoy!
So the news is that a whole bunch of information was declassified by the US government at midnight 12/31/2006. These types of information declassifications always seem to be meaningless when you don't know everything else that may have been learned. The expected (perceived) value of government information is accountability and truth. But how do we know that no one twisted the information's focus over time or across transcribing generations?
http://politics.slashdot.org/politics/07/01/01/1657224.shtml
I've been pondering this problem and I thought that a public system that tracked the thumbprints of various documents and information (of any digital format) would help to assuage the public's fear of misinformation without releasing any information for use by foreign intelligence, that being one of the primary concerns with government secrets. The system would also be key in assuring a government's people that their government wasn't abusing its knowledge or trying to obfuscate its meaning.
A "secret sharing" system that was certified by appropriate international organizations and reviewed by information security bodies could achieve this goal if well designed. Similar to a nuclear materials review, a "shared secrets" review could be performed to assure that the related procedures were being followed.
I can see a digital system managed in part by organizations such as the U.N. and monitored universally by peoples such that more accurate criticism can be leveled at participating governments.
Any form of this system would place personnel at risk, since information without witnesses is pointless. I see a multi-tiered system of witness lists, references, etc., such that the individual personnel who may have obtained the information (field agents) may be protected. Of course the information itself may not be needed to determine its focus. Sometimes simply a datestamp can be enough evidence to direct foreign intelligence to its content. This can easily be misdirected (counter-intelligence style) by claiming minutiae of information, such as "The sky is cloudy today", and recording these in the system as well.
Now, I certainly understand (being in IT and all) the potential amount of information (and misinformation) being gathered here, which is why these "shared secrets" would cost money to the governments listing them. In addition, a multitude of processes (checks and balances) would need to be formalized and protected in various ways, including technological means.
As an example, a field agent discovers an assassination plot against the US President and documents this as a "secret" in a system, either indirectly or directly depending on exposure concerns. Presumably a superior-ranking professional will receive this "reported secret" and in turn acknowledge its existence and its origin. This definitively creates the first "digital secret", with a full record of its contents (video, email, etc.) and several digital signatures stored in public fields (its Digital Secret Signature or DSS) using approved protocols, etc. Any forwarding (presumably digital) of this information would result in further (automatic?) acknowledgement of secret sharing and result in a digital trail of evidence which is stored in the "Secret Sharing System" of the US government. This "database" exposes its DSS lists and they are synced with external systems in "real time". Each acknowledgement of secret reception results in a new entry associated with the original secret (perhaps its DSS only?) and therefore there is a fairly reliable breadcrumb trail.
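The DSS breadcrumb trail described above, as an added example that is not part of the original post: a Go model in which the published record holds only a digest of the contents, each holder's public key, and a signature over that digest plus the previous entry's DSS, so an outside reviewer can verify the custody order without ever seeing the secret. The record layout and the use of Ed25519 keys in place of the post's unspecified certificates are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one published record in the secret-sharing trail. The secret's
// contents never appear in it: only their digest, the holder's public key,
// the DSS of the entry being acknowledged, and this holder's own DSS, a
// signature over digest and previous DSS. Bare Ed25519 keys stand in for
// the certificates of the post's "approved protocols" (an assumption).
type Entry struct {
	ContentHash string            // hex SHA-256 of the contents
	Prev        string            // DSS of the acknowledged entry; "" for the origin
	Holder      ed25519.PublicKey // who originated or received the secret
	DSS         string            // hex signature over ContentHash|Prev
}

var (
	ErrContents = errors.New("contents do not match the acknowledged secret")
	ErrChain    = errors.New("trail does not verify")
)

func digest(contents []byte) string {
	sum := sha256.Sum256(contents)
	return hex.EncodeToString(sum[:])
}

func toSign(hash, prev string) []byte { return []byte(hash + "|" + prev) }

// Originate makes the first entry: the reporting agent's signature over the
// digest of what was recorded (video, email, etc.).
func Originate(priv ed25519.PrivateKey, contents []byte) Entry {
	h := digest(contents)
	sig := ed25519.Sign(priv, toSign(h, ""))
	return Entry{h, "", priv.Public().(ed25519.PublicKey), hex.EncodeToString(sig)}
}

// Acknowledge appends a recipient's acknowledgement of prev. The recipient
// recomputes the digest from the contents they actually received, so the
// acknowledgement also attests that nothing was altered in transit.
func Acknowledge(priv ed25519.PrivateKey, prev Entry, contents []byte) (Entry, error) {
	h := digest(contents)
	if h != prev.ContentHash {
		return Entry{}, ErrContents
	}
	sig := ed25519.Sign(priv, toSign(h, prev.DSS))
	return Entry{h, prev.DSS, priv.Public().(ed25519.PublicKey), hex.EncodeToString(sig)}, nil
}

// VerifyTrail checks a published trail using public data only: every DSS
// verifies under its holder's key, every entry acknowledges the one before
// it, and the digest never changes. It returns the holders in custody order,
// the breadcrumb trail an outside reviewer can audit without seeing the secret.
func VerifyTrail(trail []Entry) ([]ed25519.PublicKey, error) {
	if len(trail) == 0 || trail[0].Prev != "" {
		return nil, ErrChain
	}
	var holders []ed25519.PublicKey
	prev := ""
	for _, e := range trail {
		sig, err := hex.DecodeString(e.DSS)
		if err != nil || e.Prev != prev || e.ContentHash != trail[0].ContentHash ||
			len(e.Holder) != ed25519.PublicKeySize ||
			!ed25519.Verify(e.Holder, toSign(e.ContentHash, e.Prev), sig) {
			return nil, ErrChain
		}
		holders = append(holders, e.Holder)
		prev = e.DSS
	}
	return holders, nil
}

func main() {
	_, agent, _ := ed25519.GenerateKey(rand.Reader)
	_, superior, _ := ed25519.GenerateKey(rand.Reader)
	report := []byte("constructed sample report body; never published")
	origin := Originate(agent, report)
	ack, _ := Acknowledge(superior, origin, report)
	holders, err := VerifyTrail([]Entry{origin, ack})
	fmt.Println(len(holders), err) // 2 <nil>
}
```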
Now, of course, this whole system relies on a lot of process and technological innovation that doesn't exist quite yet. With technology becoming more pervasive in our daily lives, is it too much to expect that government employees would need to comply with participation in such a system? This may mean extensive monitoring of the work environment and all communication devices owned, as well as GPS tracking, microchip-under-skin, etc. Essentially, until there is such encompassing auditing of persons, this would merely be an Orwellian future. Not to mention the petabytes of information to be stored to audit all of this.
There would never be a need to demand release of information. Anything that was deemed releasable could be. It would validate that the information released was factually represented in the past and provide accountability for any mistakes. Now you at least have names tied to information in a formal manner. If people aren't willing to take the accountability for the information they handle, they should not be a government agent. Prescribe jail time and related sentences to those who fail to abide by the universally accepted law. Now you have a globally backable justice system brewing...no need for a UN court; just make the various governments' courts abide by international laws when treating related cases and you have provided transparency to government-sourced injustice.
But you see what I mean, right?
"Well, I must say having an OS choice other than Micro$loth seems really cool, like I'm not trapped by the system! I'm glad I've installed RedHat on this old box I had layin around. This should be fun! I'll come back in five minutes and continue my foray into Linux..."
<5 minutes pass>
"Ahh, ready to go again...just wiggle the mouse to get the screensaver off..."
<mouse pointer wiggles like a dying bug>
"oh, I must have to click the keyboard."
<click, click...CLICK!CLICK!CLICK!>
"What the #%^@? OK, I'll just reboot by pressing the ever handy Reset button."
<Reboot starts. Spiels of text flow past until...>
"Hey, what does this mean: 'Corrupt XF86Config; Initialization Failure'? Oh, I'll just go in to the command prompt and fix this there."
<click click,click>
"Uh, nothing's wrong with this config...it hasn't changed a bit! I'll just call an old friend. He'll help."
<beep, beep, beep,beep,beep,beep,beep....ring,ring>
"Uh, hullo?"
"Hey Lloyd, it's Scott. Remember me?"
"Uh, no."
"OK, well I have this problem with my Linux XF86Config. I think the system just hosed up for no apparent reason."
<chuckle, chuckle>
"Hey what're ya chucklin at Lloyd? Find something funny on the web?"
<silence>
"So, Scott have you tried to edit the config file?"
"Yeah, it seems fine."
"OK. Have you reinstalled the drivers through the config util?"
"Uh, what?!?! I have to reinstall the friggin drivers??!?!?!"
<sigh>
"Have you tried editing the timings for the Horiz. and Sync modes?"
"Uh, I have no idea how to read that stuff, it's like in PigLatin binary or something!"
<oy, vey!>
"OK, Scott what you need to do is go to Borders and buy a book."
"Oh, is there some book that's good for troubleshooting this kinda problem?"
"Yeah, it's called Computers For Dummies."
<Click....brrrrrrrrrrrrrrrrrrrr>
"Uh Lloyd, I think we got disconnected...."
Needless to say I have not ventured back into the RedHat zone even though I have decent Unix skills. And I'm still trapped by the system. Oh, Neo when will you come rescue us?
"I can't seem to get into my place."
OK, first, what type of place do you have? Is it an apartment? A house? A tent in the woods?
"I don't know, it's got windows....."
OoooooooK. <preparing to become frustrated> Well do you have a key to get in?
"I have a bunch, but none of them work. The one marked Ford fit but it wouldn't open the door."
Nah, nah, nah, that one DEFINITELY won't work. Did you get one from a person who helped you buy the place there?
"Yeah, I think..."
OK, let's try that one. Now before I start [BEEP,BEEP,BEEP....]...What's that noise?
"Uh, nothing. [BEEP,BEEP,BEEP....]"
No, WHAT IS THAT NOISE? I NEED to know. [BEEP,BEEP,BEEP....]
"I think I have some kind of security alarm." [BEEP,BEEP,BEEP....]
[SLAP!!!!] <Techie slaps his forehead hard>
OK, STOP what you're doing! Listen to me, try putting the key you got, from the person we mentioned, in the keyhole and turn it clockwise. [BEEP,BEEP,BEEP....]
[BEEP,BEEP, bee...] "Hey the noise stopped! Wow thanks!"
Alright, have you pushed the door open now?
"Left handed or right handed?"
It doesn't matter.
<techie makes the "duh" face>
[chhk] "Hey thanks for getting me in. Hey while I've got you, could you tell me what that box out front is for?"
The mailbox?!?!?
"Is that what it's for? How do I get my mail?"
Ummm.<dreading a longer conversation> I'm not sure. Could I get in touch with you----<click....RRRRRRRR> (phone dialtone appears)
I have fixed a couple of annoying bugs with this version. Now it works cleanly. Download here.
The new netsh in Vista is simply updated with a new section for outbound filtering. I took some time and made a few example rules for those struggling with the syntax. The rules below are linked here (Vista-Outbound-Firewall-Rules.bat.txt (1.23 KB)). Pretty nice. I'm finding some processes trying to access the internet, such as Windows Error Reporting. It's more of a pain to translate the event log entries generated than anything. (These are allow rules, so they only matter once the profile's default outbound action is set to block.)

```bat
netsh advfirewall firewall add rule name="IE (TCP)" dir=out program="c:\program files\internet explorer\iexplore.exe" protocol=TCP localip=any localport=any remoteip=any remoteport=80,443 action=allow
netsh advfirewall firewall add rule name="IE (UDP)" dir=out program="c:\program files\internet explorer\iexplore.exe" protocol=UDP localip=any localport=any remoteip=any remoteport=80,443 action=allow
netsh advfirewall firewall add rule name="Firefox (TCP)" dir=out program="C:\Program Files\Mozilla Firefox\firefox.exe" protocol=TCP localip=any localport=any remoteip=any remoteport=80,443 action=allow
netsh advfirewall firewall add rule name="Firefox (UDP)" dir=out program="C:\Program Files\Mozilla Firefox\firefox.exe" protocol=UDP localip=any localport=any remoteip=any remoteport=80,443 action=allow
netsh advfirewall firewall add rule name="Windows Messenger (TCP)" dir=out program="c:\program files\msn messenger\msnmsgr.exe" protocol=TCP localip=any localport=any remoteip=any remoteport=80,443,1863 action=allow
netsh advfirewall firewall add rule name="Windows Messenger (UDP)" dir=out program="c:\program files\msn messenger\msnmsgr.exe" protocol=UDP localip=any localport=any remoteip=any remoteport=80,443,1863 action=allow
```
Yikes, read this post on a Microsoft forum and it has scared me a little bit about Vista's BitLocker feature.
http://windowshelp.microsoft.com/communities/newsgroups/en-us/default.mspx?dg=microsoft.public.windows.vista.security&tid=9550eb1d-edd7-4905-8e8a-fcaa997faa99&lang=en&cr=US&sloc=en-us&p=1
This essentially means that your system "may" have a significant failure because of a single bit error on a drive. Now I know I'm sounding a little brazen here, but this is a legitimate concern for users, especially corporate users - the ones most likely to implement this feature.
The only workarounds to this problem are:
- Don't use BitLocker - Less security is safer?
- Perform regular backups of your system - this may help but a typical user won't be capable of restoring their system without administrative intervention. So you end up taking a user down for a day to get their system restored or rebuilt from image - great, just great.
I guess we'll just have to wait for a RAID-able solution, or some type of parity option.
I'm posting from inside Windows Vista, the next OS, and I must say it's pretty sweet. I've encrypted my main partition using BitLocker and messed around with a featureful firewall. Too bad the firewall and its associated parts need some work. It says that it will notify me when something is blocked, but I never received a single alert for anything.
For more on Vista --> http://www.microsoft.com/windowsvista/
I easily passed the 70-299 exam today! :) That makes me a MCSA. Next month I'm gonna try the "ISA 2004" exam for my MCSA+Security.
I was a little worried about this one, but I thought I did great on the test. Not exactly ;) Next up 070-299! This next one will give me my MCSA. Then I'll step thru certifications until I reach my goal of MCSE: Security.
I just passed my 070-290 exam - "Managing and Maintaining a Microsoft Windows Server 2003 Environment"
I'm looking to schedule 070-291 for later next month but I hope to be able and move it up.
I'm halfway through my core exams! I rocked the XP exam. I'm gonna start moving quicker on my exams. I can do one a month. So I get to brag and put this logo up again. :)
So recently I've been reading about Windows privileges and all the concern about privilege escalation. Privilege escalation is a "feature" where a user/process may obtain a Windows privilege not currently held via a special request or a change to an account. This is something I've looked into before, but I think it's more important today than ever.
It should be well known by now that the concept of Least Privilege is a key pillar in the realm of security. This means you should only have the rights to do what you need to and no more. Unfortunately we usually find one reason to use admin rights on computers and decide to keep things easy by always running as admin. Bad idea!
What we all should be doing is using a regular user account that has been granted the necessary privileges/permissions to use the computer as we need. So start by creating/changing an account on your computer to be a regular user. Then try to perform everything you need to as this account. When you have issues, determine what they are and fix them by granting as few extra rights as possible. If you use PolicyMaker Application Security (a free install for local use) to disable all Windows privileges for iexplore.exe, you will protect yourself from malware that tries to modify the system using privileges. Now, that isn't all that helpful on its own, but you have revoked the web browser's ability to do things on your computer that it shouldn't be able to. That is the essence of Least Privilege.
So besides locking down application privileges, you can do lots of other stuff with PolicyMaker, such as escalating your privileges for those apps that can't run as a regular user. This is very nice. So you can set your account as a regular user and proceed to identify those apps that have issues and place them into your local group policy to work correctly.
fyi - I did have some issues on my computer that I thought revealed an odd dependency of IE on privileges, but it appears I was wrong. I'm concerned over what I saw, but I can't explain it.
So what about IPSec is hot, other than the fact you can script it? Well, in an enterprise environment you can deploy it in Group Policy. Now that is a pretty cool way to protect your network. So you can use IPSec to protect traffic between trusted hosts. The easiest scenario is to set up IPSec between domain computers. Once Group Policy refreshes on a client computer, it implements whatever IPSec policy is deployed to it. In a workgroup environment you can still use IPSec for protecting your network, but it is more manual effort.
Not only can you deploy IPSec policies to computers using Group Policy, you can also deploy dynamic IPSec policies to the same computer at the same time. Now, dynamic IPSec policies are the same thing, only they don't stick after a reboot or after IPSec is restarted. This makes them handy for testing a setting: you can just reboot (or restart IPSec) to undo it.
So deploy a baseline IPSec policy to everyone, then use a script to deploy dynamic IPSec policies at startup. That way you can quickly deploy IPSec protection with an easy way to back out.
The key thing to remember about applying an IPSec policy using Group Policy is that you can only have one policy: the last one that applies, similar to a specific Group Policy setting. The IPSec policies don't merge into one big policy as Group Policy is enforced onto a computer.
Microsoft IPSec FAQ
Important things to consider regarding IPSec and tradeoffs.
Microsoft article on how to assign Domain based IPSec policy
Microsoft article providing an outline of reasons to use IPSec.
Example scripts and reasons to use IPSec to protect your systems
Example scripts for protecting against a specific security concern (WINS exploit)
Go read my other article on IPSec (sample scripts and IPSec policy files)
Microsoft needs to provide free, built-in 0-day protection to their OSes.
So as many have probably heard, this Microsoft Windows WMF vulnerability was getting massive amounts of security community attention including a well dissected hotfix from a well known developer. So I myself sent two critical emails to Microsoft trying to encourage them to work with this community effort for a quick hotfix. They were both essentially dismissed via replies, but I'm sure that my emails along with the hundreds of others they probably received made the points of concern clear.
This wasn't about profit, "open source" or even "free 0-day protection", but about protecting Microsoft customers. This is a key part of their Trustworthy Computing initiative. There were numerous people working to identify the security vulnerability, test it and discuss it. When everyone complained to Microsoft about the situation, clearly Microsoft noticed that the customer wasn't satisfied by waiting 10 days for a hotfix. If a non-Microsoft developer could build a "patch" to protect users, get it tested and deployed in 4 days, then Microsoft should be able to do that or better.
As it turned out Microsoft addressed the same exact piece of code that was a concern. So the "unofficial" patch was correct and protected users.
Now the big point is, why can't Microsoft do something like this quick hotfix? Well, sounds like Microsoft doesn't think they impacted their customers enough by costing them untold millions in lost productivity and revenue with all of the vulnerabilities over the years. Apparently Trustworthy Computing means "Trust Microsoft, and only Microsoft". This is an unacceptable stance in the realm of information security.
Microsoft could easily build a framework to deploy quick hotfixes that merely block vulnerable code. They don't need to fix the code immediately, just offer something that blocks access to the bad code. This is why the unofficial hotfix was so perfect: it didn't ask users to replace a file provided by Microsoft, it just put one in the middle and intercepted the vulnerable code.
All in all, I really think that Microsoft is afraid of too many things, not unable to solve the problem. I'm sure there are IP questions about 3rd party hotfixes. I'm sure there are patch availability, reliability and trustworthiness concerns. But I'm also sure Microsoft can do a whole lot more to protect its users than it is doing today.
So, go demand that Microsoft build a 0-day protection framework that protects their customers.
What's hot... IPSec is hot. I've been playing around over the past few days with scripts that set up IPSec rules to protect a Windows 2000 or XP system. Now, IPSec has two modes: AH and ESP. AH provides authentication of packets while ESP provides encryption of packets. You can use both at once, but it's a little different from the perfect security option you would think.
IPSec has performance concerns. It causes an increase in bandwidth and CPU usage. Not so big on a home network, but in a corporate environment it can be huge.
I've extended this IPSec learning to enable IPSec security (AH+ESP) on my home network for all traffic. I haven't noticed any performance issues. I tend to do very little between my computers.
How to use IPSec on Windows XP SP2
- Download the Windows XP SP2 Support Tools (it must be the SP2 version).
- Install the Support Tools. I chose the "complete" install option, but it may not matter.
- Review how the ipseccmd.exe command works. Note: I think the help offered by "/?" is inaccurate, as the 1f option works yet doesn't display at the command line.
- Either build your own script or choose one of mine. Only one can be in effect at a time.
- Notes:
  - You must run the same script on all XP computers you want to use that IPSec between.
  - All my scripts allow ICMP unhindered to facilitate troubleshooting.
  - Make sure you edit my script to change the shared secret from "PresharedKeyString" to something else.
  - Dynamic scripts only work until the next reboot or IPSec service restart. This lets you make temporary changes to IPSec, which is safer for testing it out.
  - Static scripts stay in effect at all times. The only way to disable one is to open the IPSec console (via MMC) and disable the policy. These are the truly secure modes of IPSec.
- Optional IPSec scripts (don't force IPSec usage, just try to use it)
  - Dynamic or static encryption. Related IPSec policy file for static.
  - Dynamic or static authentication. Related IPSec policy file for static.
- Required IPSec scripts (force IPSec usage, drop non-IPSec connections)
  - Dynamic or static encryption. Related IPSec policy file for static.
  - Dynamic or static authentication. Related IPSec policy file for static.
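As an added example (not one of the scripts linked above, and not the blog author's code), here is a VBScript that applies the "required encryption" variant by driving ipseccmd.exe from the SP2 Support Tools, the way the startup script mentioned earlier in the IPSec/Group Policy post would. It assumes ipseccmd.exe is on the PATH, that it runs under cscript from a local administrator account, and that the trusted subnet and pre-shared key placeholders at the top are edited before use. The -f/-n/-a filter syntax follows the ipseccmd documentation; flipping STATIC_POLICY to True writes the same two rules into a persistent registry policy (-w REG) and assigns it (-x) instead of applying them dynamically.

```vbscript
' Added example, not one of the blog's scripts: apply a "required ESP" IPSec
' policy on Windows XP SP2 by driving ipseccmd.exe (XP SP2 Support Tools) from
' VBScript, the way a startup script would. Run with cscript as an administrator.
Option Explicit

' ---- settings to edit (constructed placeholder values) ----
Dim TRUSTED_SUBNET, PRESHARED_KEY, IPSECCMD, STATIC_POLICY, POLICY_NAME
TRUSTED_SUBNET = "192.168.1.0/255.255.255.0"  ' hosts that must talk to us over ESP (assumed)
PRESHARED_KEY  = "PresharedKeyString"         ' CHANGE THIS; it must be identical on every host
IPSECCMD       = "ipseccmd.exe"               ' assumed to be on the PATH after the Support Tools install
STATIC_POLICY  = False                        ' False = dynamic rules, gone after a reboot or IPSEC service restart
POLICY_NAME    = "Home ESP Required"          ' name of the registry policy when STATIC_POLICY = True

Dim shell : Set shell = CreateObject("WScript.Shell")

' Switches for one rule. A dynamic rule needs only its filter (-f), negotiation
' policy (-n) and authentication (-a). A static rule additionally needs
' -w REG (write to the local registry policy store), -p policy name,
' -r rule name and -x (assign the policy so it is in effect).
Function RuleArgs(ruleName, filterAndPolicy)
    If STATIC_POLICY Then
        RuleArgs = "-w REG -p """ & POLICY_NAME & """ -r """ & ruleName & """ " & filterAndPolicy & " -x"
    Else
        RuleArgs = filterAndPolicy
    End If
End Function

' Run ipseccmd and stop at the first failure so the host is never left with
' half a policy (for example the ESP rule in place but the ICMP exception missing).
Sub ApplyRule(ruleName, filterAndPolicy)
    Dim cmd, rc
    cmd = IPSECCMD & " " & RuleArgs(ruleName, filterAndPolicy)
    WScript.Echo cmd
    rc = shell.Run(cmd, 0, True)   ' 0 = hidden window, True = wait and return the exit code
    If rc <> 0 Then
        WScript.Echo "ipseccmd exited with code " & rc & "; aborting"
        WScript.Quit rc
    End If
End Sub

' Rule 1: let ICMP through in the clear in both directions so ping keeps
' working for troubleshooting. Filter syntax: 0 = this host, * = any address,
' + = mirrored (both directions), trailing ::ICMP = any port, protocol ICMP.
ApplyRule "Allow ICMP", "-f 0+*::ICMP -n PASS"

' Rule 2: everything else exchanged with the trusted subnet must use ESP with
' 3DES encryption and SHA-1 integrity, authenticated with the pre-shared key.
' A peer that cannot negotiate this gets no connection, which is the "required" mode.
ApplyRule "Require ESP with trusted subnet", _
    "-f 0+" & TRUSTED_SUBNET & " -n ESP[3DES,SHA] -a PRESHARE:""" & PRESHARED_KEY & """"

If STATIC_POLICY Then
    WScript.Echo "Static policy '" & POLICY_NAME & "' assigned; disable it from the IP Security Policies MMC snap-in."
Else
    WScript.Echo "Dynamic rules applied; reboot or restart the IPSEC Services service to remove them."
End If
```

Leave STATIC_POLICY at False for the first run: if the subnet or key is wrong, the other hosts simply stop answering, and a reboot (or restarting the IPSEC Services service) puts everything back. Only switch to the static form once the same script has been run on every host in the subnet with the same key.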
Recently a vulnerability was uncovered related to WMF files on Windows OSes. This vulnerability has yet to have a functional workaround or patch from Microsoft. The security community has taken it upon themselves to issue a workaround that alleviates the issue. This is a good sign that the community is willing to spend effort to protect Microsoft's customers at no value to themselves except credibility.
Various credible companies and groups have supported this code-level workaround. This is better than Microsoft's response, which has included a workaround that breaks functionality and a couple of useless blog postings.
It seems that Microsoft has taken the CYA (cover your a--) path - contacting law enforcement and publishing a bulletin, but not actually protecting their users. WTF? Isn't that out of order in the list of priorities?
I have submitted a plea to Microsoft to work with the security community to provide and approve such workarounds. Clearly they don't have the manpower or time to devote to this problem as lots of people are being attacked due to this vulnerability. So the next best thing for Microsoft to do is accept the community based efforts and support them.
This clearly isn't about open source or providing free protection services; it's all about protecting the customers. Microsoft has consistently placed its company above the customer during these security issues. It is a disgusting trend that has had an impact on lots of their customers. I hope their customers vote with their wallets.
That voice of the computer from WarGames... ahh, brings back memories of 1984. As for the actual reason I mentioned it: the lovely voices of the Microsoft Agent program. I've been messing around ALL DAY with Microsoft Agent and scripting. It's been somewhat fun, but fairly frustrating. I've just built a script that acts as a simple helper running on your desktop. Not really too helpful.
http://ydns.no-ip.com/msAgentHelper.vbs.txt
This script expects you to set up a few things:
- Right-click this file (http://ydns.no-ip.com/msAgentHelper.vbs.txt) and do a "Save target as".
- Rename the file to remove the ".txt" extension.
- Choose a location to save the file that you can remember. Click Save.
- Open the folder where the file was saved.
- Edit the file by right-clicking it and choosing Edit.
- Modify the top few entries to match your needs.
- Save and close the file.
- Right-click the ".vbs" file, choose Properties and go to the Script tab.
- Uncheck "Display logo...".
- Click OK. You will now have a file with the same name but a .wsh extension in the same location as the .vbs file.
- Double-click the ".wsh" file. When you run it, it should play sound if Microsoft Agent is properly installed.
This was fun to write but has little value as it is. Trying to think of ways to make it more useful. Perhaps some type of table of things it can do for me.
All because work is a bitch.
Oh, that's what an external trust is for...
VBScript to run remote file copy (for remote backups)
The future is here. It is Mister Hamsi. The latest fad in worms is sure to be entertaining while your docs are wiped like a baby's bottom. We'll all be like babies watching Teletubbies while our hard drives churn with a slathering of sniffers and backdoors.
How come Microsoft hasn't really done anything with Outlook in the past 3 revisions? I just bought Outlook 2003 and found a technicolor Outlook 2000. Spam filtering... thanks, don't actually stop the spam, just make me figure out how to siphon the crap out of my inbox myself. Someone at work asked a good question (at least for corporate environments): why can't a user queue mail that needs to be delivered to another person, instead of dropping it when the destination mailbox is full? We have a decent retry mechanism for general mail delivery (built into the SMTP RFCs), so why not a similar model for "mailbox full" or "destination unknown"? The typical solution is that someone gets so pissed off that their VP (or mine) demands to have the mailbox limit raised for that user. Obviously not the best solution.
This is a very simple concept that Microsoft should have thought about providing years ago. If anyone cares, you would naturally force the user to queue the mail in their own mailbox instead of on the server. This would prevent the problem of DoSing a mail server. I understand that determining when an email can reach a user's mailbox can be difficult (except if it's Exchange!), but at least process the responses from an Exchange server and place the email into a Retry folder or something. It's not rocket science.
They want to say that they are providing a better experience and want to show off the next big thing, Presence, but they fail to actually implement simple things like this that would make a lot of people happy.
Well, nothing like spending a night to make a 6-line (ok, 44) VBScript. Here are the results. While not earth-shattering, you may have gone through quite some trouble trying to do this yourself. Here is a script that lets you do a couple of cool things with Windows Media Player 10.
- Play a sound file via Windows Media Player 10. No GUI or anything. A guess must be made on the time to play the sound file, or the script will just quit before you hear it complete.
- Eject all CDROM/DVDROM drives.
WMP Tasks VBScript
I don't know if there is a similar ActiveX for WMP7/8/9? Maybe another night.
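As an added example (not the WMP Tasks VBScript linked above), this does both tasks through the Windows Media Player COM object and removes the guesswork about how long to wait: instead of sleeping for a guessed number of seconds, it polls the player's own state and uses the file's reported duration only as an upper bound. It assumes WMP 10 is installed, that it is run with cscript, and that SOUND_FILE points at a playable file (the XP tada.wav path is a placeholder).

```vbscript
' Added example, not the blog's WMP Tasks script: play a sound through the
' Windows Media Player COM object without guessing how long it lasts, then
' eject every CD/DVD drive. Assumes WMP 10 is installed; run with cscript.
Option Explicit

Const SOUND_FILE     = "C:\WINDOWS\Media\tada.wav"  ' placeholder; any file WMP can play
Const PS_STOPPED     = 1      ' WMPPlayState values from the Windows Media Player SDK
Const PS_MEDIAENDED  = 8
Const MAX_WAIT_MS    = 60000  ' upper bound so an unplayable file cannot hang the script

' Plays one file and returns True only if playback ran to completion.
' The player loads and plays asynchronously, so a script that just calls
' play and exits never finishes the sound; poll the player's state instead.
Function PlaySoundAndWait(path)
    Dim wmp, waited, limitMs, state
    PlaySoundAndWait = False
    Set wmp = CreateObject("WMPlayer.OCX")
    wmp.settings.autoStart = False
    wmp.URL = path
    wmp.controls.play

    ' Until the file is loaded, currentMedia.duration reads as 0.
    waited = 0
    Do While wmp.currentMedia.duration = 0
        If waited >= MAX_WAIT_MS Then
            wmp.close
            Exit Function        ' missing or unplayable file
        End If
        WScript.Sleep 100
        waited = waited + 100
    Loop

    ' Now wait for the player itself to report the end of playback, bounded
    ' by the file's own length plus a two second margin rather than a guess.
    limitMs = CLng(wmp.currentMedia.duration * 1000) + 2000
    waited = 0
    Do
        state = wmp.playState
        If state = PS_STOPPED Or state = PS_MEDIAENDED Then Exit Do
        If waited >= limitMs Then Exit Do
        WScript.Sleep 100
        waited = waited + 100
    Loop
    PlaySoundAndWait = (state = PS_STOPPED Or state = PS_MEDIAENDED)
    wmp.close
End Function

' Ejects every CD/DVD drive the player knows about; returns how many it tried.
Function EjectAllDrives()
    Dim wmp, i
    Set wmp = CreateObject("WMPlayer.OCX")
    For i = 0 To wmp.cdromCollection.count - 1
        WScript.Echo "Ejecting " & wmp.cdromCollection.Item(i).driveSpecifier
        wmp.cdromCollection.Item(i).eject
    Next
    EjectAllDrives = wmp.cdromCollection.count
End Function

If PlaySoundAndWait(SOUND_FILE) Then
    WScript.Echo "Sound finished"
Else
    WScript.Echo "Could not play " & SOUND_FILE
End If
WScript.Echo EjectAllDrives() & " drive(s) ejected"
```

The two loops are the whole point: the first waits for the player to actually load the file (duration stays 0 until then, and stays 0 forever for a bad path, which is why it has a timeout), and the second waits for the player to say it has stopped, so a short file returns immediately and a long one is never cut off.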
Another day, another cool script. This script will let you play sounds on an XP system that has been set up for text to speech (a built-in feature). I'm not sure if it'll run on a default XP system.