Monthly Archives: February 2007

Finding your private keys

For the most part, Windows users and administrators don’t ever have to worry about how or where their private keys are stored.

After all, your private key is yours, and it’s private. You request that it be generated, and then you don’t need to touch it: it’s already in your store – somewhere.

But every now and again, there’s a reason to do so – the classic example being when you want to run a service under its own account (because you don’t want to use “SYSTEM”, or worse, the user account of a real person). When you need to do this – whether it’s an ADAM instance, or an FTP server that works over SSL/TLS – you will need to import the key into the machine store, and then make it readable by the service account.

Previously, I would have recommended using the WinHttpCertCfg tool from Microsoft’s download site – despite its rather particular sounding name, the basic point of this tool is to (import and) assign access rights to a certificate for a particular user. Exactly what you need to do.

Lately, though, I’ve come across another tool that has a big advantage over WinHttpCertCfg. You see, as a developer, when I see a tool that does something I can’t figure out for myself, I ask “how did they do that?” Whenever I see a KB article that says “Application A can’t do this, but Application B can”, I ask “and how does it do that? How can I do that?”

WinHttpCertCfg is like magic powder – you sprinkle it on, and it does what it’s supposed to do. But you’re none the wiser as to what it’s doing. Wouldn’t it be better if there was a tool with source code?

Now, there is.

It’s a very tiny part of the Windows Communication Foundation and Windows CardSpace Samples download, and it’s called FindPrivateKey. It’s a simple executable, based on a simple C# source, with something approaching five lines of actual heavy lifting. Reading the C# source will tell even a relatively average programmer what’s going on here, and could come in handy with any future projects where you may need to trace your private keys.
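As an added illustration (my own code, not the FindPrivateKey sample’s source), here is the same idea in C# on the .NET Framework: find the certificate by thumbprint in the machine store, derive the key container file under MachineKeys from its CSP container name, and grant the service account read access to that file. It assumes a CAPI (CSP) key in the LocalMachine\My store, and the thumbprint and account name are placeholders; CNG keys are stored elsewhere and would need a different lookup.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Added example, not the FindPrivateKey sample's source. Assumes .NET Framework
// and a CSP (CAPI) key in the LocalMachine\My store; arguments are placeholders.
static class GrantPrivateKeyRead
{
    // Path of the key container file for the certificate with this thumbprint,
    // or null when the certificate has no CSP-backed private key.
    public static string FindMachineKeyFile(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) return null;
            // Only CSP keys expose container info; CNG keys live elsewhere.
            RSACryptoServiceProvider rsa = found[0].PrivateKey as RSACryptoServiceProvider;
            if (rsa == null) return null;
            // Machine keys: %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\<unique name>
            string machineKeys = Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                @"Microsoft\Crypto\RSA\MachineKeys");
            return Path.Combine(machineKeys, rsa.CspKeyContainerInfo.UniqueKeyContainerName);
        }
        finally { store.Close(); }
    }
    // Add an Allow/Read entry for the account (e.g. "DOMAIN\svc-ftp") to the file's DACL.
    public static void GrantRead(string keyFile, string account)
    {
        FileSecurity acl = File.GetAccessControl(keyFile);
        acl.AddAccessRule(new FileSystemAccessRule(account, FileSystemRights.Read, AccessControlType.Allow));
        File.SetAccessControl(keyFile, acl);
    }
    static void Main(string[] args)
    {
        string thumbprint = args.Length > 0 ? args[0] : "THUMBPRINT_PLACEHOLDER";
        string account = args.Length > 1 ? args[1] : @"DOMAIN\svc-account";
        string keyFile = FindMachineKeyFile(thumbprint);
        if (keyFile == null) { Console.WriteLine("No CSP private key found."); return; }
        Console.WriteLine("Key file: " + keyFile);
        GrantRead(keyFile, account);
    }
}
```

Changing the DACL on a MachineKeys file needs an administrative token, and Read is all a service needs to use the key; avoid granting Full Control.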

Uh… except when it comes to Vista, because the keys have moved. Ah, but you’re all smart little security geeks, and know that in Vista, you can assign ACLs directly from the Certificate Manager:

You did already know that, didn’t you? Honestly, that’s such a cool feature, it makes me want Vista at my work place NOW.

Security Bulletins are easier to read in Japanese

It’s “Patch Tuesday” again – and you’re going to be spending a busy Valentine’s day installing all of them. I’m not the first person to cover this – Steve Riley did it way back when, and Susan Bradley reminded us of it, but it’s time to raise the point up again.

You can get to the Japanese Security Bulletins at http://www.microsoft.com/japan/security/bulletins/default.mspx – there’s a lot of Japanese script there, but it’s easy to see where a particular bulletin – say MS07-005 – is, because those numbers are in a Latin character set.

Compare it against the English version of MS07-005. First, let’s see how you get hit by an exploit against the vulnerability:

An attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code.

There are several additional ways that an attacker could try to exploit this vulnerability. However, user interaction is required to exploit this vulnerability in each of these ways. Some examples follow:

  • An attacker could exploit the vulnerability by constructing a malicious Step-by-Step Interactive Training bookmark file (a .cbo, .cbl, or .cbm file) and then persuade the user to open the file.
  • An attacker could send a malicious file as an attachment to a user through e-mail and then convince a user to open the attachment.
  • An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
  • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also try to compromise a Web site to have it deliver a Web page that contains malicious content to try to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site or to a Web site that has been compromised by the attacker.

Did you understand that? I’m sure your management chain didn’t.

How about in Japanese?

Okay, that’s fairly obvious, the bad guy’s web site infects your machine, or the bad guy’s email infects it, either when you open the email, or open the attachments in the email. [The bad guy wears a black hat and dark glasses, of course.]

How about what can be done to your machine:

This is a remote code execution vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Again, Japan makes it easy:

Oh, right, so the bad guy can drop a little copy of himself on my machine, he can look through his network “telescope” and see all my files, and he can reach through the network with his grabby thing, and dump my photos, files and emails in the trash.

Steve Jobs on DRM: "You go first"

I’ve read a lot in the press about how “Apple’s Jobs calls on music industry to drop DRM”:


“Steve Jobs on Tuesday called on the four major record companies to start selling songs online without copy protection software to thwart piracy known as digital rights management (DRM).”

Okay, so for a man whose main recent claim to fame is that he’s made the population switch from wearing black earbuds to white, to be calling for an end to DRM strikes me as a little odd – after all, iTunes doesn’t sell any songs without DRM [I'll revisit this point in a moment].


So, I go and read his actual words (warning for those of you on a slow link – for a site that displays only text, it loads a lot of graphics – even the three title words are a graphic) – it takes me a long time to reach something that can actually be interpreted as “DRM is bad” – Steve asks us to “Imagine a world where every online store sells DRM-free music”, and says “This is clearly the best alternative for consumers, and Apple would embrace it in a heartbeat.”


He goes on to note that, as I’ve mentioned a number of times (but I don’t think he got the idea from me necessarily), “DRMs haven’t worked, and may never work, to halt music piracy”. I’ll be charitable, and assume that his use of “may” there is an expression of what DRM is able to do, and not the often-used synonym for “might” (go re-read the sentence, substituting either “can” or “might”, to see the difference it makes to the meaning).

Jobs’ final paragraph, quoted below, is going to be the message we take from this posting:


“Much of the concern over DRM systems has arisen in European countries.  Perhaps those unhappy with the current situation should redirect their energies towards persuading the music companies to sell their music DRM-free.  For Europeans, two and a half of the big four music companies are located right in their backyard.  The largest, Universal, is 100% owned by Vivendi, a French company.  EMI is a British company, and Sony BMG is 50% owned by Bertelsmann, a German company.  Convincing them to license their music to Apple and others DRM-free will create a truly interoperable music marketplace.  Apple will embrace this wholeheartedly.”

So the messages from Steve Jobs are:


  • Four companies “made him do it”, but his store adds DRM to all music, whether from those four companies or not.
  • Apple plans to lead in the removal of DRM by following on after everyone else removes DRM. If Microsoft is criticised for “embrace and extend”, I think Apple should be criticised here for “you extend, then we’ll embrace” (presumably as quickly as they “embraced” the new version of Windows that landed as a surprise on them last week, despite being available to all other Windows software vendors since early last year?)
  • Europe owns the world’s ability to hear music. Only Europeans can usher in an age of audio freedom.
  • Apple doesn’t have the power, or the spine, to tell music producers “okay, you’ve had a taster of the online distribution format, now we’re going to phase out DRM over the next three years, and you can either deal with a lack of DRM, or yank your music off the store, and deal with the fact that your artists aren’t being listened to on iPods any more.”

This isn’t a call to arms, it’s a position paper – it’s a statement that Apple is subservient to the content producers, rather than the content consumers. The “customers” in iTunes are the music producers, the “products” are the consumers.


It’s a reminder that Apple has turned from a company that leads the world by making bold changes, into a company that wants to follow where others lead – if that’s alright with you.

An error in HP’s Wireless WHAT?

There are days when this dialog describes exactly how I feel about my wireless network:


Which is the most recent?

I’ve been trying to figure out why I can’t use the “Save as PDF or XPS” function from Word 2007, in the Office 2007 suite in Windows Vista. I assumed it was Vista’s fault, because my wife’s machine, running Windows XP, works fine.

First, the obvious rant – it’s really irritating that Adobe (makers of Acrobat, and the originators of the PDF document format) leaned on Microsoft to make them ship this as a separate download, when it should so clearly be a base part of the product, as was originally planned.

That leads to my second problem, and apparently the reason why I can’t save documents to PDF.

There are two versions of “Save as PDF or XPS” available from the Microsoft downloads site. I downloaded one version, but the other one is the version that works.

Here’s the details I have about the two versions:

  • Filenames: SaveAsPDFAndXPS, or SaveAsPDFAndXPS
  • Sizes: 712,568 or 956,344 bytes
  • Dates: 11/30/2006 or 11/8/2006
  • Version: 929120 or 1.0

So, which version is the most recent, the one that’s most likely to work?

Version numbers aren’t going to help me, because it’s clear that I’m trying to compare apples and oranges.

What about file sizes? Released versions are usually smaller than test versions, but then again a newer version could add a much-needed feature and thus be larger, so the sizes don’t give much help.

Dates would seem to be the answer – clearly, you’re not going to post an older version after a newer version has been released.

So, I’m getting the version that has the 11/30/2006 date. And there’s my problem.

Apparently, Microsoft chose to update the “Beta 2 Technical Refresh” version of this add-in after Office 2007 was released to manufacturing, and after publishing the RTM version of the “Save as PDF or XPS” add-in. After they did this, I downloaded and installed the ‘latest’ version, only to find that it doesn’t work.

Anyone else who’s done this, here are a couple of signs:

  1. Your “Programs and Features” listing (in Windows Vista – in Windows XP, it’s “Add/Remove Programs”) shows “Office 2007 Add-In – Microsoft Save as PDF or XPS (Beta)”
  2. When you hit “Publish” to save a file as PDF, you get a message reading “The Microsoft PDF and XPS export add-ins are not installed correctly. You can get the most recent components from Microsoft Office Online.”

You can fix this by uninstalling “Office 2007 Add-In – Microsoft Save as PDF or XPS (Beta)”, and installing in its place the correct “Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs”. You will be asked to validate with Genuine Windows Validation, to make sure you have a licensed copy of Office 2007.

Boston police fail to recognise urban trends

Boston police spent several man-hours, and more than a few bomb squad detectives, on defusing an advertising campaign.


Here’s MSNBC’s take on the story.


I love the sub-title: “Officials seek restitution for publicity campaign that sparked terrorism fears”.


How about “City seeks restitution for waste of time by security ‘experts’ who can’t spot an emerging urban fad and distinguish it from real terrorism”?


There’s nothing marketers like more than successfully convincing the public that the thing they’re marketing is the new cool thing, and is loved by people at large.


It’s been so successful an approach that the term “viral marketing” has been coined. You see companies making commercials that are designed to be emailed around, generating a “buzz”, and you see numerous stories of companies using various different kinds of graffiti in order to give the impression that a young, hip crowd are interested in the product being advertised. Occasionally people get in trouble as a result, because the graffiti is more permanent than is expected:


IBM graffiti ads gain notoriety – IBM paid to spray icons for “Peace, love and Linux” around Chicago, but accidentally forgot to specify that the spray used be a chalk that washes off in the rain.


“Moose” cleans surfaces to create ‘reverse graffiti’ – some stunning examples of what happens if you let a surface get really dirty, and an artist with a crazy idea comes along. His local city council wants to arrest him and charge him with ‘vandalism’.


And another recent trend in urban graffiti – non-destructive, and highly visual, “LED Throwies” are a cheap way to paint a bridge or a metal wall with light and colour.


So, how did Boston’s police manage not to have anyone on staff who recognised the characters from Cartoon Network’s Aqua Teen Hunger Force? [Or even, an officer who happens to comment that he's seen that exact same character on children's T-shirts when he visits schools?]


How did they not have anyone on staff who said “oh, that’s probably just a big LED throwie”?


I realise that, to a certain extent, you have to investigate stuff that is new and different in case it’s new and dangerous – but it seems that there is too much of a concern over this. Remember, that’s part of my job, too – to investigate the extraordinary in case it’s a security incident – but you have to be smart enough to know when it’s just the latest sign of an emerging trend. I’d quickly be in trouble if I ran around raising alarm bells saying that our records on gynaecological exams were being published, on the basis of an employee visiting a porn site from work.


Would the same effort be expended if, say, a marketing company left a bunch of cassette players – boom boxes – on street corners, playing a catchy jingle? Same components – batteries, wires, electronics, blinky lights, advertising message – but we’re comfortable with the fact that a cassette player is a known object.


I don’t think the media in this case is paying enough attention to “how could Boston’s police be so clueless as to urban trends and popular culture to place such a stress on this being a likely explosive device?”