# Wednesday, October 11, 2006

Steve Riley had a good long post on his blog about Mandatory Integrity Control as it is implemented in Vista that drew even longer comments.

Great concept. As you will see from several of the comments, this isn't the first implementation, but I expect it will be the first to get nearly universal distribution ;)

The big concern is whether the bugs will be worked out for release.  I am betting yes, though I expect a Service Pack will come someday to bring the real value of this home.

Wednesday, October 11, 2006 3:43:48 PM (Eastern Daylight Time, UTC-04:00)
# Tuesday, October 10, 2006

My prolific friend Phil forwarded me a story about Chinese hackers trying to do in the US Commerce Department.

There are a couple of interesting points in this story:
1. Why would you need to take Internet access away from users?  Aren't they behind firewalls?  Were the hackers luring them to specific sites to hack them?
2. With over 1,100 laptops missing, I just don't buy that no data was compromised.  Even if it was an ex-employee the data is compromised.  And if the theft occurred in 2001 then I find it even harder to believe.

I hope the CIO at the Commerce Department isn't gullible enough to believe this obvious spin.

Tuesday, October 10, 2006 4:58:57 PM (Eastern Daylight Time, UTC-04:00)
# Thursday, October 05, 2006

Having been involved in many software projects, some commercial, some consulting, some disastrous, I have noticed some trends that I would like to share.

If you are commissioning (read paying or betting your job) a development project, you have to avoid being wishful.  If you just trust that the developers you hired are professionals and will keep you out of trouble it might actually happen that way, but you are playing Russian Roulette.  Even some of the best developers get overtaxed or lazy or stupid or all of these things at once.  If you don't get very explicit in what you want you will pay for it. 

To avoid some of this I recommend that you:
 - Specify the system in as much detail as possible
 - Provide statements relative to how the system will be used and the intent of the project
 - Emphasis should be placed on what YOU define to be acceptable.  Define terms up front such as "commercial quality" and "easy to use"

The less you leave up to the imagination the better.  Also insist on frequent demos throughout the process with opt out options if things are just too off track.

Always remember that consulting is based on who takes the risk.  In a fixed bid engagement the developer takes most of the risk and therefore the price is uplifted accordingly.  In a time and materials engagement it is the buyer who takes all the risk and often it is the buyer who must ensure things are proceeding according to plan.

In the end it is the specification that will decide if the developers did their job or not...

Thursday, October 05, 2006 9:42:37 AM (Eastern Daylight Time, UTC-04:00)
# Tuesday, October 03, 2006

The topic of the AT command and the command prompt came up on an internal list I am on with Microsoft, the gist of which was, "How do I securely turn this junk off?"

The answer is that to some degree the command prompt, especially when coupled with the Task Scheduler, is a security hole that is closable, but not trivially.  You can patch it using things like this http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93465.mspx?mfr=true and if you really want to wipe out the user's option you should reset the task scheduler service to use a low / no priv account and disable it (I am paranoid, but I have my reasons). The problem is that the perspective of most that come up against this is that you shouldn't have to do this, but the reality is that you do.

For a scary look at why simply taking the RUN command off the Start menu is not enough try the following:
1. Open up "Help and Support" from the Start menu and search for "command".
2. Select the entry that describes how to "Test a TCP/IP configuration using the ping command".
3. You will see that there is a link that will open up a command prompt (it doesn't run as System, but it runs).

That is the XP version.

The Windows 2003 Server one takes more searching, but it is there.

The issue is not that the functionality exists, we all want functionality.  The problem is when it is hard (or impossible) to shut something off effectively it is maddening and often leaves people dismayed.
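As an added example (not part of the original post), here is a read-only PowerShell check of the settings discussed above. It assumes the registry entry meant is the `DisableCMD` policy value and that the Start menu restriction is the `NoRun` Explorer policy; the linked page is not reproduced here.

```powershell
# Added example: read-only audit of the controls discussed in the post.
# Assumption: the registry entry meant is the DisableCMD policy value.
# Written for Windows PowerShell 2.0-5.1 (uses Get-WmiObject).

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$noRun      = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoRun'
$disableCmd = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
$svc        = Get-WmiObject -Class Win32_Service -Filter "Name='Schedule'"

$findings = @()

# DisableCMD: 1 = prompt and batch files blocked, 2 = prompt blocked, batch files allowed.
if ((1, 2) -notcontains $disableCmd) {
    $findings += 'DisableCMD not set for this user: cmd.exe starts from any launch path.'
    if ($noRun -eq 1) {
        $findings += 'NoRun is set alone: Run is hidden from the Start menu, the prompt is not blocked.'
    }
}
elseif ($disableCmd -eq 2) {
    $findings += 'DisableCMD = 2: interactive prompt blocked, batch files still run.'
}

# Task Scheduler: the post's target state is a disabled service on a low-privilege account.
if ($null -ne $svc) {
    if ($svc.StartMode -ne 'Disabled') {
        $findings += "Task Scheduler start mode is '$($svc.StartMode)' (state: $($svc.State))."
    }
    if ($svc.StartName -eq 'LocalSystem') {
        $findings += 'Task Scheduler logs on as LocalSystem; jobs created with AT run under the service account.'
    }
}

if ($findings.Count -eq 0) { 'No findings: prompt and scheduler are locked down for this user.' }
else { $findings }
```

Run it as the user being locked down, since both policy values are read from that user's registry hive.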

Time for an analogy:
I have doors on my house that I leave unlocked all the time.  The dogs and other things in the house keep it secure (if you know me then you know what I mean), but if I wanted to secure those doors and found that I could lock them, but the manufacturer set them up so that the hinges were on the outside and manipulatable by an intruder then I would be unhappy.  Most security outrage and dismay comes from features that just didn't take security into consideration for the times when I don't want the user to do anything except what the user is told they can do.
 
This will always be an arms race.  If one of our professional security gurus such as Duane Laflotte wants to get in and has physical access to a workstation or server then he can get in, but there is a point where I will say, yes I accept that there are some things I can't defend against.  If you use a tank to blow in my front door, I won't moan to the manufacturer about them not being tank proof, that is what the mines are for ;)
 
Is Vista the solution to all security problems?  I doubt it.  I expect that there will be improvement based on features I already know are in the most recent builds, but I won't judge the security of Vista until after it ships (and won't pay all that much attention to it until then either) since the devil is in the details and the truth is in the final bits.  Submarines either leak or they don't.  The OS will be judged in much the same way in regards to security.

Ultimately information is power.  Nowhere is that more true than in the realm of security.  I suggest that you learn all you can and I will do what I can to help.

Tuesday, October 03, 2006 4:07:10 PM (Eastern Daylight Time, UTC-04:00)
# Monday, October 02, 2006

If you want to keep track of how prevalent phishing attacks are from month to month (and I do) then you should check AntiPhishing.org.  The site is pretty meager in most regards, but the front page has a bar chart that is pretty staggering when you realize that they are only measuring people who have actually figured out that there is a phishing attack in progress (a fraction of the population I am sure) and further restricted by the fact that those astute people had to know about and be willing to take the time to report it to AntiPhishing.org.

I find these statistics interesting to have as spin seems to creep into everything nowadays.  I like to lay my hands on hard numbers and make up my own mind.

Monday, October 02, 2006 5:11:19 PM (Eastern Daylight Time, UTC-04:00)
# Friday, September 22, 2006

There are many varying opinions on almost everything, but Compliance is one of those topics like economics, everyone has a different opinion it seems.

I was reading an article by one of the Systems Engineers at Network Appliance entitled, "Six Tips for Archive and Compliance Planning" and while I agree with most of the points Mike Riley makes, I had to think a bit about his words on Encryption.

He isn't saying not to use encryption, on the contrary, he is saying that encryption is a must, but the advice is sound.  Be careful what you do and the ramifications.  With compliance systems, often search and rapid retrieval are key and these are some of the most plausible arguments against specific applications of encryption.

As always, look before you leap.  I guarantee that if you think about where you should be using encryption you are already ahead of most.

Friday, September 22, 2006 11:19:34 AM (Eastern Daylight Time, UTC-04:00)
# Wednesday, September 20, 2006
It seems that even though we all know we need to patch our system, we are now having to do it faster and faster to avoid the vulnerable time between patch availability and exploit.  In an article on ZDNet there are details of how the latest exploit is being used, but soon you should see a post by Duane Laflotte on his security blog about how it isn't just being used on sites you might expect.  Even the super computer savvy gamers are getting hit and I have to think that in many cases we just know about this because they realize.  How many never figure out that they are maintaining a drone in the hacker army of some malcontent 15 year old with a grudge...
Wednesday, September 20, 2006 10:49:16 AM (Eastern Daylight Time, UTC-04:00)
# Wednesday, September 06, 2006

I have been casting about for .Net Best Practices and came across Adam Cogan's lists of how to do pretty much everything.  The funny thing is that I have known Adam for years and was aware that he had compiled quite a lot of information on his site, but until I started to dig through it I hadn't realized just how much is there.

If you are trying to codify your company's "how we do it here" then make sure you check out Adam's site.

Wednesday, September 06, 2006 9:33:09 AM (Eastern Daylight Time, UTC-04:00)
# Tuesday, August 29, 2006
I am sure it is reported elsewhere, but I found an article on a proof of concept virus that targets AMD processors on a magazine site in Australia.  The article dismisses the threat of such an item and pretty much holds it up as just a curiosity in the fight against hackers, but I see it differently.

In order to win, eventually security has to be hardware based.  The whole Palladium (now known by the horrible NGSCB acronym) effort is just the most public manifestation of this realization and even it has gone dark.  Hacking the hardware is hard, hacking the software is easy.  Software provides the security of a screen door while hardware security done well can be like a steel cage.  Watch as this develops.  Like gas prices driving the frantic (and belated) search for alternative fuels, it will be a mind blowing security threat that finally forces us to invest in security via hardware in real terms.

If the barrier to enter the hardware market in a significant way weren't so large, I expect this problem might already be solved...
Tuesday, August 29, 2006 3:23:44 PM (Eastern Daylight Time, UTC-04:00)
# Tuesday, August 01, 2006
I know it is simple and probably not an amazing tool, but I am finding www.dnsreport.com to be amazingly helpful in some troubleshooting I have had to do recently.

Sometimes the most important thing is to just have the right tool...
Tuesday, August 01, 2006 12:04:53 PM (Eastern Daylight Time, UTC-04:00)