What my wife knows

For Surfaces rendered

I often thought I’d like to have a career in 3D animation, solely so I could send out invoices with the title of this blog post as their content.


It seems a little late for me to choose that career, so I’ll have to use that title for a blog posting about my Surface, now that I am three weeks in to using it.


There’s no secret (or if there is, it’s poorly hidden) to the fact that MVPs visiting Redmond for the MVP Summit this year received a pretty sweet deal on a 32GB Surface 2 and Touch Cover. Along with hundreds of my brethren, I lined up at the Microsoft Store in Bellevue yelling “shut up and take my money!”


As an actual purchase, rather than a complete giveaway, I did have to pass the purchasing decision through my boss. Fortunately, she agreed that it was a good buy, as long as I treated it as a purchase of a toy for me, and stopped trying to persuade her it was a bona fide business investment for the company. Canny woman, my wife, and skilled at reducing arguments to their simplest and most incisive points.


So, a toy it was pitched as, a replacement for my iPad, which I also got for very little money – I won it in a hacking competition. As a toy, I couldn’t expect to get the Surface Pro, which is convenient, because one wasn’t offered.


What’s it like as a toy?


Does it have the Angry Birds,then? Space and Star Wars versions, yes – Rovio hasn’t been paid to get around to porting the others to Windows 8 yet.


It’s also got Minesweeper and Solitaire, with the added thrill of daily challenges, and an Adventure Mode for Minesweeper that looks a little ripped off from Repton. Mahjong, Jetpack Joyride, Cut the Rope, there’s enough games that while you might find a few individual names here and there that are missing, you’ll be able to replace them with something in the same genre.


The front and back camera make for good Skype use, whether you’re having a face-to-face chat, or showing someone the view out the window.


I can read comics, whether through the dozen or so manga readers, or through the Comics app from Comixology. Books come, of course, courtesy of the Kindle app, and of course there’s a native Amazon app as well, although as usual, it’s hard to get a better shopping experience in an app than Amazon has built into the web version.


That’s right, you actually have a version of Internet Explorer 11 built specially for the touch-screen “Modern UI”, which Microsoft used to call Metro, and which thoroughly needs a new name. This version of Internet Explorer is fairly basic, but fully functional for what most people are going to want it for. For most of what I do on the web, it’s certainly sufficient.


On the fringe of toydom


Social media makes its presence felt nicely in the People hub, like on my Windows Phone, where in one place I can keep up with my Twitter, Facebook and LinkedIn friends/followers/minions. I can also post there, although I miss my phone’s ability to post to multiple outlets at once.


If you’ve been paying attention to my gripes about podcast support on my Windows Phone, I have to say that, out of the box, I have the same – or worse –issues with the Surface 2. The native audio player does allow you to create playlists, but infallibly returns you to the start of an MP3 file almost every time you play it anew, apparently whether you played another MP3 file, skipped to a different app, or received a notification. I await the development of a good podcast / audiobook application with support for local MP3s.


On the video front, things are somewhat improved, with the Xbox Video app being the natively supported method to play my MP4s. Sadly, there’s still no subtitle support, as is the case across every single one of Microsoft’s video playing tools – if the file isn’t streaming across the web, with the closed captions in a separate stream, there’s no way to get captions to display. This is a shame, as there is good support for standard subtitles in MP4s on the Apple competition, whether it’s iPad, iPod or iPhone. Microsoft, this can’t be that hard – support accessibility on all your video players, please! [I’m not deaf, but the bus can get a little loud]


Working up to proper use


The Touch Cover is barely usable as a keyboard – but I’ve added a Bluetooth keyboard to my Christmas wishlist, for the serious typing moments, and the Touch Cover is certainly sufficient for those occasional bon mots on the bus or airplane.


Sadly, Live Writer isn’t available for Windows RT, so I’m not likely to use this for many blogs – although to keep myself honest, I am typing this on the Surface using the Touch Cover keyboard.


To write the blog entry, I’m actually using Word with its blogging template.


Woah, did you say Word? On RT?


Why yes, yes I did – but since the presence of Office 2013 on the Surface was advertised (at least, Excel, PowerPoint, OneNote, Word and Outlook), this was hardly a surprise to me – but it seems like a surprise to many of my Apple-owning friends who are just starting to get excited that Apple have deigned to let them have iWorks on their iPads now.


But the inclusion of Office isn’t the only thing that makes this device veer further into the territory of a non-toy.


Surprisingly functional


I wasn’t really expecting that Windows RT would have a desktop mode. I pretty much thought it would be Modern UI apps and nothing else. That seemed like it would suck, because I can’t then copy files across the network for playing MP3s and MP4s on the bus to and from work.


So a friend of mine set my fears at rest before I bought the Surface, and let me know that there was indeed a desktop, and a Windows Explorer. That was the tipping point to realizing I could get along with my Surface.


Then came the surprises.


There’s a Desktop version of Internet Explorer – and this one is fully functional! It even has “View Source” and the F12 Developer Tools, Microsoft’s best-kept secret in IE for some time now. [On your Touch Cover, you get F12 by holding down the “Fn” key as you press “PgDn”] This means I can carry on my Cross-Site Scripting endeavours on my Surface – which I couldn’t do from my iPad at all.


Also not on the iPad, but present on the Surface, a full version of the Command Prompt – I can run all my old batch scripts. Notepad, too (but no WordPad, sadly). Even, and I can’t imagine using the power of this too much, PowerShell!


Flash Player, as well, which isn’t available on the iPad. Remote Assistance and Remote Desktop, so I can connect to a real computer, something that wasn’t a good experience on the iPad.


Bitlocker.


Woah, BitLocker? Wow, my hard drive is already encrypted. So too could be the 64GB MicroSD card I’ve attached for extra video and audio storage, again something I can’t do on my iPad.


PerfMon, ResMon, Event Viewer, RegEdit, Windows Scripting Host, all sorts of serious tooling works in the desktop environment. Not Visual Studio, yet, but let’s remember… this is a toy, not a real laptop.


The upshot of which is…


I use my Surface 2 far more than I ever used my iPad.


Despite a few niggling sharp corners that need to be addressed, it irritates me far less than any Apple device I’ve ever owned. This just cements in my mind that, while there are many people who love their Apples, I’m just not their target consumer. I’m not sure that I’m exactly the target consumer of the Surface, but it’s inspired me and continues to grow on me. I’m even starting to write code for it. We’ll see if that becomes anything in due course.


 


Java not yet available for Surface – one more advantage.

A reminder of who I am, and what I do

Looking at my recent posts, I’ve noticed a few things – not only have I been posting very sporadically and randomly, but also I’ve been avoiding talking about a number of aspects of myself that are key to why I maintain this blog.

In an effort to improve on that, I’m going to start with a quick recap of my biography – not a chronological approach, but a few details to let newcomers know who I am, and old-timers remember my motivations.

1. Family – a father and husband

This always comes first. I work to support my family. I’ve been married nearly twenty years to a fantastically understanding wife, and with her I have a wonderful seventeen-year-old son who is fast becoming the sort of adult whom I’d want to be friends with, if we weren’t already related.

2. Technical interests – general

What makes me prime MVP material, as well as informs the rest of my work, is that I am fascinated with all aspects of technology, from nanotech to 3d printing, quantum computing, cryptography, physics, mathematics – even if it’s unrelated to my own work, or requires tools I can’t afford to use, I’m fascinated by, and try to remain informed about, as much technology as possible.

Sadly, the human brain and attention span can only gather so much information, so there’s always topics I want to know more about. I think this is the eternal frustration of the technologically inclined.

3. Technical background – developer

I’m also a software developer – practically my first job out of college was to develop for Unix platforms, initially, maintaining and porting Fortran code to that platform. Moved from there to Windows, largely out of cussidness (trying to prove to the world that Windows could run a reliable server), and languages like C++, C#, and a few other languages as time and interest allowed.

4. Interest & Current job – security guy

Over time, though, it became clear that my code was getting hacked. So was everyone else’s, but I was unusual in noticing it and wanting to do something about it.

So I became an expert in security. Mostly I did this by reading other people’s books, blogs and articles, and then answering other people’s security questions, to demonstrate that I understood and could explain.

Then, because I didn’t have a career background in security, I had to build one to match my expertise. So I worked my way up “through the ranks”, albeit a little quicker than was expected. Hopefully, that didn’t result in too much missed instruction.

As a result, I’m now a Senior Security Engineer at a large online site. I won’t name them, not because they’re not proud of me, or I’m not proud of them, but because they’ve made it very clear that my blogging is not a part of my job, and my job is not to be a part of my blog.

That means, of course, that nothing I say here is to be construed as an indication of my employer’s position (unless I specifically say it is), and that the stories here and on my twitter feed are pulled from general experience, conversations with others in my field, and general places I have worked, rather than my current employer. I have worked at enough places to tell that developers are, on average, the same no matter where you go. So the stories are the same.

The main area I’m interested in is that of Application Security – how you can build applications that offer functionality while remaining resilient under attack. But I’m still also interested in network security, social engineering (for good and fighting its use for ill), spam fighting, and a number of other topics. I occasionally tell people their web sites are broken.

5. Side work – WFTPD, 2ndAuth, Texas Imperial Software

At various times I’ve also been self-employed, and created Texas Imperial Software as the outlet for my frustrated software development side. Usually, it’s because I’ve seen a need (or had that need myself!) that isn’t being fulfilled by existing software.

“How hard can that be?” is usually the phrase that gets me into trouble.

So I find out how hard it can be. In this manner, I’ve produced:

WFTPD Server / WFTPD Server Pro – FTP servers for Windows. These have been selling for twenty years now, less solidly lately than in the past, when WFTPD was my full time job. But the income is enough to keep up the absolutely minimal support expenditure this software takes.

2ndAuth – an auditing solution for shared accounts in Windows client and server systems. When you try to log on to a Windows system using an account marked as “shared”, you are prompted in addition for your real username and password. In turn, your verified username is logged in the Windows Event Log as a user of this shared account. Sure, shared accounts are against policy, but there are some times they can’t be avoided. In those times, 2ndAuth is a compensating control that allows you to finally answer the question “I know SQLAdmin brought down the server – so which operator do I kick / re-train / fire?”

iFetch – I love BBC Radio and TV, and wrote an app that fetches radio (or TV, if you’re in the UK) shows from the iPlayer, so that you can sync them to your mobile devices that aren’t supported by iPlayer apps.

6. Survivor – cancer

This is a pretty amazing achievement, thinking back on it – but I feel like all the work was done by other people – my wife, who made important surgical decisions while I was under general anaesthesis, and has been a great strength ever since, my surgeon and the doctors who handled the follow-up work, and my son who suffered through many nights of chicken and rice which was all I had the stomach for after radiotherapy. All I did was live through it.

This is why I cringe whenever I hear people talking about “brave” cancer patients. What I did was not brave, it was survival. Running from a bear that you’ve just noticed is eating you is not brave. It’s normal, it’s natural – it’s hard, for sure, but it isn’t brave. Brave is running towards the bear to beat him off.

Oh, and the type of cancer was testicular. The outside world considers that a bad word – and while conversations about breast cancer are plenty, you won’t find a testicular cancer awareness month. [The medical profession, by comparison, thinks cancer is a bad word, and listed my condition everywhere as “testicular C.”]

Men between the ages of 15 and 35 are most likely to be hit by testicular cancer – and there’s good news, and bad news. The good news is, it’s the most easily treated form of cancer (partly because it’s mostly outside the body already). The bad news – it’s fast acting, so delaying seeking treatment leads to many men literally dying because of embarrassment.

7. Microsoft MVP – Enterprise Security

This is an award that I’m constantly proud to have received, and which I think is thoroughly worth having. I’ll be sadder when I finally lose my MVP status (hopefully many years away still) than I was when I lost my CISSP. The network of other smart people is wonderful – and being in a category that has no closely-defined product means that I can continue to give more generally-appropriate advice, rather than specific instruction on an individual product. [It also means we don’t get the exciting swag, but hey, that’s not what I’m in the program for]

There’s an MVP Summit starting on November 17, it’s kind of a Microsoft-centric conference (think TechEd), but at a faster pace, greater depth, and with some material that isn’t public yet. We’ve each signed an NDA, and there are things I know are coming that are really exciting to me, but that I can’t talk about – yet.

8. Hobbies – juggling, unicycling

And occasionally I will draw on my hobbies of juggling and unicycling. This is how I get my exercise, some of the time, passing clubs with my son or riding unicycles around the school gym. I’m not very good, but then I don’t have to be.

Training developers to write secure code

I’ve done an amount of training developers recently, and it seems like there are a number of different kinds of responses to my security message.

[You can safely assume that there’s also something that’s wrong with the message and the messenger, but I want to learn about the thing I likely can’t control or change – the supply of developers]

Here are some unfairly broad descriptions of stereotypes I’ve encountered along the way. The truth, as ever, is more nuanced, but I think if I can reach each of these target personas, I should have just about everyone covered.

Is there anyone I’ve missed?

The previous victim

I’m always happy to have one or more of these people in the room – the sort of developer who has some experience, and has been on a project that was attacked successfully at some point or another.

This kind of developer has likely quickly learned the lesson that even his own code is subject to attack, vulnerable and weak to the persistent probes of attackers. Perhaps his experience has also included examples of his own failures in more ordinary ways – mere bugs, with no particular security implications.

Usually, this will be an older developer, because experience is required – and his tales of terror, unrehearsed and true, can sometimes provide the “scared straight” lesson I try to deliver to my students.

The previous attacker

This guy is usually a smart, younger individual. He may have had some previous nefarious activity, or simply researched security issues by attacking systems he owns.

But for my purposes, this guy can be too clever, because he distracts from my talk of ‘least privilege’ and ‘defence in depth’ with questions about race conditions, side-channel attacks, sub-millisecond time deltas across multi-second latency routes, and the like. IF those were the worst problems we see in this industry, I’d focus on them – but sadly, sites are still vulnerable to simple attacks, like my favourite – Reflected XSS in the Search field. [Simple exercise – watch a commercial break, and see how many of the sites advertised there have this vulnerability in them.]

But I like this guy for other reasons – he’s a possible future hire for my team, and a probable future assistant in finding, reporting and addressing vulnerabilities. Keeping this guy interested and engaged is key to making sure that he tells me about his findings, rather than sharing them with friends on the outside, or exploiting them himself.

“I did a security class at college”

Unbelievably to me, there are people who “done a project on it”, and therefore know all they want to about security. If what I was about to tell them was important, they’d have been told it by their professor at college, because their professor knew everything of any importance.

I personally wonder if this is going to be the kind of SDE who will join us for a short while, and not progress – because the impression they give to me is that they’ve finished learning right before their last final exam.

Salaryman

Related to the previous category is the developer who only does what it takes to get paid and to receive a good performance review.

I think this is the developer I should work the hardest to try and reach, because this attitude lies at the heart of every developer on their worst days at their desk. When the passion wanes, or the task is uninteresting, the desire to keep your job, continue to get paid, and progress through your career while satisfying your boss is the grinding cog that keeps you moving forward like a wind-up toy.

This is why it is important to keep searching to find ways of measuring code quality, and rewarding people who exhibit it – larger rewards for consistent prolonged improvement, smaller but more frequent rewards to keep the attention of the developer who makes a quick improvement to even a small piece of code.

Sadly, this guy is in my class because his boss told him he ought to attend. So I tell him at the end of my class that he needs to report back to his boss the security lesson that he learned – that all of his development-related goals should have the adverb “securely” appended to them. So “develop feature X” becomes “develop feature X securely”. If that is the one change I can make to this developer’s goals, I believe it will make a difference.

Fanboy

I’ve been doing this for long enough that I see the same faces in the crowd over and over again. I know I used to be a fanboy myself, and so I’m aware that sometimes this is because these folks learn something new each time. That’s why I like to deliver a different talk each time, even if it’s on the same subject as a previous lesson.

Or maybe they just didn’t get it all last time, and need to hear it again to get a deeper understanding. Either way, repeat visitors are definitely welcome – but I won’t get anywhere if that’s all I get in my audience.

Vocational

Some developers do the development thing because they can’t NOT write code. If they were independently wealthy and could do whatever they want, they’d be behind a screen coding up some fun little app.

I like the ones with a calling to this job, because I believe I can give them enough passion in security to make it a part of their calling as well. [Yes, I feel I have a calling to do security – I want to save the world from bad code, and would do it if I was independently wealthy.]

Stereotypical / The Surgeon

Sadly, the hardest person to reach – harder even than the Salaryman – is the developer who matches the stereotypical perception of the developer mindset.

Convinced of his own superiority and cleverness, even if he doesn’t express it directly in such conceited terms, this person will see every suggested approach as beneath him, and every example of poor code as yet more proof of his own superiority.

“Sure, you’ve had problems with other developers making stupid security mistakes,” he’ll think to himself, “But I’m not that dumb. I’ve never written code that bad.”

I certainly hope you won’t ever write code as bad as the examples I give in my classes – those are errant samples of code written in haste, and which I wouldn’t include in my class if they didn’t clearly illustrate my point. But my point is that your colleagues – everyone around you – are going to write this bad a piece of code one day, and it is your job to find it. It is also their job to find it in the code you write, so either you had better be truly as good as you think you are, or you had better apply good security practices so they don’t find you at your worst coding moment.

New Windows Phone 8. Something to love, something to hate.

Given in to phone envy, Alun?

No, not really – although I will say it was interesting to be around so many Windows Phone 8 users at the Microsoft MVP Summit last week.

But the HTC HD7 I originally bought, which spent a half-hour in a hot-tub (syncing), then a week in a bucket of Damp-Rid, then a year (working) in the hands of my teenaged son, finally bit the dust in the middle of the MVP Summit.

Says the storage card is corrupted.

So, I can’t afford the time to take it apart, mess with the drive and possibly even discover that it is truly dead.

I have to take advantage of the “upgrade” pricing that comes with committing to another year of service from T-Mobile, and upgrade him to a Windows Phone 8 system.

Then my wife gets interested in the phone, and before you know it, we’re all getting new phones.

No problems, then – everything’s good!

Yes and no.

It’s always good to get a new phone, sure, and to enjoy the fun of new features. But you’ve got to reinstall, and in some cases, re-buy (my wife went from a Blackberry to an HTC 8X) all your apps. And the data is all gone. High-scores, messages, settings, there’s no good path to take data from a WP7 to a WP8, let alone from a Blackberry to a WP8.

Some apps, of course, save their data to the cloud – all my OneNote files came with me.

It’s not so bad in the future, because there’s apparently a better upgrade path from WP8 to other WP8 phones. Messages get backed up, as well as your app list and settings.

How’d you get your apps back, then?

The interface to reinstall has improved over the years, from the first version, in which I only found the ability to restore apps installed directly from the Zune software; to a later version, which required a bunch of different click-through pages for each app you want to reinstall. Now, the reinstall interface is so much easier. Just go to the Windows Phone "Purchase History” page, scroll down the list of apps and click “Reinstall” on each app you want to go onto your new phone. No clicking through, no re-checking boxes about allowing location, etc.

Despite the name “Purchase History”, this page lists even those apps which I downloaded for free, whether as Trial software, or because the software was free in the first place.

That’s the good part, and that’s how I got some of my apps back. But the bad part is that this list doesn’t contain all of my free apps, just a limited, and somewhat random, selection. For instance, although it lists Amazon Fresh, the Purchase History page is missing Amazon Kindle, and Amazon Mobile, as well as the majority of my other free apps. This is not good customer experience, and if I was the author of any of the apps that aren’t easily reinstallable, I’d probably raise a big stink.

So now, I have to go one by one through my old phone’s list of apps, finding out which aren’t on my new phone, searching for them in the store, finding them in the search results, clicking on them, then clicking “Reinstall” (the store knows I have already installed them before). This makes me more likely to not reinstall these apps, and since the majority of these are ad-funded apps, whose authors won’t make a dime unless I run them, I think that app developers have a strong incentive to ask Microsoft to fix this behaviour.

And how’s the podcast experience?

Oh, you knew that I’d have something to say about that. Well, this post’s long enough already, so I’ll leave that until next time. For now, I have to say I do like my new phone, but I’m really tired of this whole update process already.

iCan’t sync with iTunes; iCan’t sync without iTunes…

OK, so that’s a horrible stretching of a song to cover a point, but it’s kind of the way I feel right now – torn between a rock and a hard place.

Some time ago now, I let you readers know that I’d won an iPad at the Black Hat security conference, and that I’d be trying it out to let you know what I thought.

First, let’s consider my usage case, and what I am comparing it against.

The iPad is, to my mind, a potential killer device for a few things I like to do:

  1. Watching movies and TV shows on the bus on my way to work
  2. Reading comics and books
  3. Using Twitter and Facebook to keep up with people around me
  4. Skype to my parents in England
  5. Surfing the web in places where my laptop is too bulky

In checking out these behaviours, I’m implicitly comparing them to not only my own Windows Phone 7, but also my wife’s Kindle Fire.

Movies and TV shows

In common with many people, I have a lengthy commute – at least 40 minutes each way of which is on a bus, so I can happily watch videos. My comparison device in this use case is my Windows Phone – an HTC HD7 (I’d link to it, but apparently it’s not being sold any more).

The iPad is bulkier, for certain, and I can hold my phone in one hand comfortably for some time. However, making up for this is the fact that the iPad is a larger display and therefore easier to see at a comfortable distance. But watching on the phone isn’t bad either.

Syncing to the iPad is accomplished through Apple’s piss-poor iTunes software (of which, more later), which seems to require that my videos be already in a suitable format for the iPad. Syncing to the HD7 requires the Zune software, which is configured by default to convert video and audio in the background without any further assistance from me.

Note that – Zune converts the videos to the right format automatically when necessary, the iTunes software simply shrugs its shoulders like a Frenchman and refuses to cope.

Because of this, I can sync to the HD7 from more sources, and more easily and automatically than to the iPad.

However, the winning step that the iPad has for me comes from a combination of its viewing size, and the fact that it can play the audio from my videos to my Bluetooth headset, something that the HD7 currently does not. I have to use a Bluetooth dongle on the HD7 to hear my videos – and that’s not right, when I already paid for a phone with Bluetooth support.

It’s worth noting, however, that because the iPad seems to pretend to be a phone, I can’t have the appropriate level of Bluetooth support, allowing incoming phone calls to pause my video and let me answer the phone.

So, a narrow win for the iPad there. But keep reading. [Add Bluetooth support for video watching, and the Windows Phone will easily surpass the iPad]

Reading comics and books

Killer app, no doubt – the size and colours make the iPad superior for reading comics. For other books, you can’t really beat a Kindle, because it’s the size and shape of a book. The iPad does seem to suffer in daylight as well, not that we get much of that around Seattle – but we clearly get enough for this to be a noticeable problem for me.

The Kindle Fire is a more subtle device than the iPad in this use as well, since it doesn’t take up as much space. The battery life, as well as the use of standard charging cables (read: I already have dozens of the things, as opposed to having to look for the one wonky, too short cable that came with the iPad) makes the convenience factor that much greater.

However, I’ve even read my comics on the Windows Phone. It’s not that bad a format, because the display is so high a resolution.

Winner: Kindle Fire. Of course, I would say that. But since the Fire has no Bluetooth audio, I can’t use it on the bus as comfortably for my videos.

Using Twitter and Facebook

The iPad is certainly convenient for this, with free Twitter and Facebook apps, as well as a web browser to use the online versions. The iPad’s desire to keep pushing text further and further to the right of the screen, in ever-decreasing strips of window, make it incredibly difficult to read some items.

In comparison, while the Windows Phone does have a free Twitter and Facebook app, and access to the web, it doesn’t actually need any of these, because there are the “Me” and “People” tiles, through which you can read notices from all your social media sources (Twitter, Facebook, Linked-In, MSN Messenger in my case). This gives a more natural, integrated feel to the communication, and it feels more like I’m sharing with my friends than I’m using this or that app.

Winner: Windows Phone, hands down. [But it would be nice to have Bluetooth keyboard support]

Skype to the UK

OK, the iPad wins hands-down on this one. There’s a Skype app in beta for the Windows Phone, but my HD7 has only a rear-facing camera, and the Fire of course doesn’t have one.

Winner: iPad (but only because I have a 1st-gen Windows Phone)

Surfing the web

The iPad has no Flash support – but then nor does the Windows Phone.

The iPad uses a webkit-based browser, which comes with a fresh batch of security flaws once a month (as does iTunes). The Windows Phone comes with Internet Explorer – but without the same set of flaws that get patched in your regular Windows update. I strongly believe that the Windows Phone gives me the most secure browsing of any device that I have. But it is a little hard to read.

Winner: iPad

Sounds like we have a clear winner, then?

Yabbut no.

I got the iPad for free, so I have to bear in mind that for most people, they pay $500 to have it. It’s not that much better than the Windows Phone. I got the Windows Phone for practically free – one cent on Amazon Wireless, with a two year commitment. But then I was going to get a phone anyway, and the two year commitment is common for phones.

Irritations

As with every Apple product I have ever used, it seems like they skimped a little on the “fit and finish” of the software. This leads to small – but constant – irritations. There have been many times I’ve been tempted to throw it to the floor and stomp on it. So far, the iPad has survived largely because I know that if I want to get rid of it, there are numerous people who would happily take it from me. And then I settle down.

So, what are my irritations?

  1. User interface
  2. iTunes
  3. iTunes
  4. iTunes

User interface

There are some areas where it’s clear that the Apple design philosophy hasn’t been communicated well – even to writers of the native apps.

Delete an item

A clear example – how do you delete an item? In iBooks, you swipe to the right, which causes a delete button to appear. You press this button, and the item goes away. In Videos, you hold your finger on an item until a little “x” appears. You press the “x”, and are asked if you really want to delete the video. I guess videos are more important than books, that you have to be prompted.

I should say that this is how videos are supposed to be deleted. What actually happens is that you hold your finger on a video for a while. The “x” fails to appear, because you wiggled your finger a little (really common on a bus). So you let your finger up, and the video opens up. So you close it down again, and hold your finger on the video again. Now the “x” appears – albeit sometimes in a different place than you expect. So you press it. Damn, missed, because the bus must have hit a bump, so the “x” goes away. Bring it back! Bring it back! Okay, here it is again, so I can press it finally. And then I get asked if I’m sure. Am I sure? Am I sure? I’ve only spent the last ten minutes trying to get the damn “x” up on screen and hit it – of course I’m sure! And I remind myself not to throw the iPad to the floor and stomp on it.

Yes, I know about the “Edit” button, and that shortcuts one part of the process, but makes it more likely that you’ll accidentally delete the wrong video, because it puts an “x” above each one.

[A short note – the “x” appears in one of two places – either immediately on the top left corner, or a good half-inch above that. I can see no logic in why it does this.]

Detail view

In the Videos app, there are three kinds of video. “Movies”, “TV Shows”, and “iTunes U”. The “TV Shows” and “iTunes U” items all come from iTunes, so all the videos I put on my system end up in “Movies”, no matter what metadata I put on the file. Whereas I never metadata I didn’t like, iTunes clearly never metadata. For the iTunes U and TV Shows tabs, each item is listed with details – length, a title, and a description. This is great, although it would also be nice to see which ones I’m part-way through watching.

For the Movies tabs, however, there’s only two things showing – a thumbnail, which is the first frame of the movie (oh, and so often, that means it is plain black), and the curtailed title of the video. So, “Have I Got News for You: Series 42, Episode 5” is displayed as “Have I Got News for You:…” – as is every episode of every series of that show. Same thing for “The Sarah Jane Adventures…”, or “Who Do You Think You Are…” Yeah, the BBC could choose shorter titles, but the iPad could pay attention to the Subtitle field in the metadata for the episode information. Oh, yeah, that’s right, metadata is to be ignored.

And there’s no details on the video – no duration, no description, no indication of whether or not I’ve been watching this video file at all. I’d like to say “hey, this component of my bus ride is going to take another twenty-five minutes, so I’d like to watch something that length or shorter”.

Notifications – or scrubbing

When watching a video, you can ‘scrub’ through it by dragging a little slider at the top of the screen. Except when the slider is near the middle of the top of the screen, because then you’re going to actually be pulling down the notifications window. If anyone writing this software actually used an iPad, they’d be experiencing this frustration, and it would have been fixed by now.

Back, back, back – no, store!

To go backward in the user interface of an app, you click the button in the top left. Except that sometimes, the button in the top left takes you somewhere else, like the iTunes store.

Delete doesn’t actually free up space

You can delete videos all you like, bus joggling allowing, and when you’re done, your storage usage hasn’t gone down at all. There is no room for more videos. This one confused me for some time, until I remembered that you never actually close apps when you switch between them. The storage is released, not when you delete the movie, but when you close the app.

That would make sense, if you could actually undelete the movie while the videos app runs, but no. That doesn’t happen.

And on and on…

I could carry on, but I just get angrier and angrier. The difference between editing the list of apps you can run, versus editing the list of apps currently running, for instance. One is dismissed by a tap, the other requires that you hit the home button, and I can’t remember which one.

iTunes

So, the first complaint I have about iTunes is the one I have made from the beginning – it includes way too much, and it screws up my system way too badly. What do you get when you install iTunes?

Well, first you get a file called “iTunes64Setup.exe”. This installs iTunes into “C:\Program Files (x86)” – uh, yeah, that means the “64 bit” version of iTunes is actually all 32-bit. Then it tells you:

SNAGHTML1f848dc

The wha?

What does iTunes have to do with Outlook? That’s crazy.

And then, what does it install? Only another four applications.

SNAGHTML76b36b0

iTunes

When syncing videos to the iPad with the Windows version of iTunes, they are synced with at least one default setting not correctly set.

That’d be fine if it was an unimportant setting, but no. The setting is “resume from where I left off”. That means that every time I switch videos, or close the video application (see previous discussion of why I need to do this to recover storage), the video I want to watch starts again from scratch.

There is a simple fix to this – for every video I upload to the iPad, I have to go into iTunes, select the video, right-click it, select “Get Info”, open the “Options” tab, uncheck the box that says “Remember Playback Position” (or if I selected multiple videos, set to “No” the drop-down arrow labeled “Remember Position”), hit “OK” (there is no “Apply”), wait for this action to sync to the iPad, then right-click the video(s) again, select “Get Info”, open the “Options” tab, and then recheck the box (or set the drop-down box to “Yes”), hit “OK” and sync once again.

iTunes

For weeks I’ve been complaining that every USB device on my system has been unreliable – I have to plug and unplug simple USB flash drives a half dozen times before they finally get recognised in Explorer.

Then it finally dawned on me.

One device has been steadfastly reliable, always becoming active and ready to use within seconds of plugging it in. Yes, it’s the iPad.

Acting on this hunch, I removed iTunes, Apple Mobile Device Support, Apple Application Support, Apple Software Update, Bonjour, and even QuickTime (not sure how that got on there). Suddenly all my USB devices connect first time, every time. With the exception of the iPad, of course, which sulks if it doesn’t have iTunes (though the same charge can be leveled against my Windows Phone requiring Zune – although that hasn’t yet caused all my other USB devices to become unavailable).

Adding iTunes back in to the mix, strangely, has yet to reproduce the same unreliable behaviour. I strongly distrust software acting randomly.

If I could just drag my videos into a folder using Explorer without installing iTunes (since iTunes doesn’t actually properly do any of the other things that an intermediate program should do, such as converting video formats, extracting and using metadata, or setting the “resume from where you left off” option), I’d be happy without iTunes on my PC at all.

And other reasons…

There are other reasons not to like the iPad – it’s too trendy, for one; and it’s not really a $500 product. There are, as I point out above, too many areas where it’s clear that the developers have not finished the job.

I use the iPad simply because it’s free, and has a large display.

I’d far rather use a tablet that works in a more predictable and controlled manner, where the applications on the device and to sync the device have the flavour of being finished.

But I didn’t get one of those for free.

I got an iPad.

And I’m grateful.

Even if, once in a while, I want to dash it to the floor and stomp it into pieces.

In June: Happy Birthday to me–World IPv6 Launch Day

I’d like to thank ISOC (the Internet Society) for making my birthday later this year into World IPv6 Launch Day.

This year is a special one for anniversaries – my 45th birthday, 20 years since I arrived in the USA, 10 years since beating cancer – seems like the perfect time for ISOC to honour me by switching everyone to IPv6.

Now, if only I could persuade Comcast to deliver IPv6 to my house, where we are still using Hurricane Electric’s Tunnel Broker.

Changing passwords on a service, part 3

It’s been quite some time since I wrote about changing passwords on a Windows service, and then provided a simple tool written in Visual Basic to propagate a password among several systems sharing the same account.

I hinted at the time that this was a relatively naïve approach, and that the requirement to bring all the services down at the same time is perhaps not what you want to do.

So now it’s finally time for me to provide a couple of notes about how this operation could be done better.

1. If you can’t afford an outage, don’t have a single point of failure

One complaint I have heard at numerous organisations is this one, or words to this effect:

“We can’t afford to cycle the service on a password rotation once every quarter, because the service has to be up twenty-four hours a day, every day.”

That’s the sort of thing that makes novice service owners feel really important, because their service is, of course, the most valuable thing in their world, and sure enough, they may lose a little in the way of business while the service is down.

So how do you update the service when the software or OS needs patching? How do you fix bugs in your service? What happens when you have to take it down because the password has escaped your grasp? [See my previous post on rotating passwords as a kind of “Business Continuity Drill”, so that you know you can rotate the password in an emergency]

All of these activities require stopping and cycling the service.

Modern computer engineering practices have taken this into consideration, and the simplest solution is to have a ‘failover’ service – when the primary instance of the service is taken offline, the secondary instance starts up and takes over providing service. Then when the primary comes back online, the secondary can go back into slumber.

This is often extended to the idea of having a ‘pool’ of services, all running all the time, and only taking out one instance at a time as you need to make changes, bringing the instance back into operation when the change is complete.

Woah – heady stuff, Mr Jones!

Sure, but in the world of enterprise computing, this is basic scaling, and if your systems of applications can’t be managed this way, you will have problems as you reach large scale.

So, a single instance of a service that you can’t afford to go offline – is a failure from the start, and an indication that you didn’t think the design through.

2. Old passwords and new passwords are both valid – for a while

OK, so that sounds like heresy – if you’ve changed the password on an account, it shouldn’t be possible for the old password to work any more, should it?

Well, yes and no.

Again, in an enterprise world, you have to consider scale.

Changing the password on an account isn’t an instantaneous operation. That password change has to be distributed among the authentication servers you use (in the Windows world, this means domain controllers replicating new password information).

To account for this, and the prospect that you may have a process running that didn’t yet have a chance to pick up the new password, most authentication schemes allow tokens and/or passwords to be valid for some period after a password change.

By default, NTLM tokens are valid for an hour, and Kerberos tickets are valid for ten hours.

This means that if you have a pool or fleet of services whose passwords need to change, you can generally take the simple process of iteratively stopping them, propagating the new password to them, and then re-starting them, without the prospect of killing the overall service that you’re providing (sure, you’ll kill any connections that are specifically tied to that one service instance, but there are other ways to handle that).

3. Even if you don’t trust that, there’s help – use two accounts

Interesting, but I can’t afford the risk that I change the password just before my token / ticket is going to expire.

Very precious of you, I’m sure.

OK, you might have a valid concern that the service startup might not be as robust as you hoped, and that you want to ensure you test the new startup of the service before allowing it to proceed and provide live service.

That’s very ‘enterprise scale’, too. There’s nothing worse than taking down a dozen servers only to find that they won’t start up again, because the startup code requires that they talk to a remote service which is currently down.

You wouldn’t believe how many systems I’ve seen where the running service is working fine, but no more can be started up because startup conditions for the service cannot  be replicated any longer.

So, to allow for the prospect that you may fail on restarting your services, here’s what I want you to do:

  1. Start with a large(-ish) pool of services. [See “no single point of failure” above]
  2. All of your services are running as one user account. Create another user account, with the same rights and privileges. Make sure that access rights are provided to the group that these accounts are a member of, rather than to individual accounts.
  3. Wind down one of the services, and shut it down.
  4. Change the downed service to use the second account you just created.
  5. Start up the downed service.
  6. Monitor this newly started service to make sure it starts up successfully and is providing correct service. (Yes, this means that you have the ability to roll-back if something goes wrong)
  7. Repeat steps 3 – 6 with each of the other services in the pool in turn, until all are using the second account.
  8. De-activate / disable logon to the old user account. Do not delete it.

As you can probably imagine, when you next do this process, you don’t need to create the second user account for the server, because the first account is already there, but disabled. You can use this as the account to switch to.

This way, with the two accounts, every time a password change is required, you can just follow the steps above, and not worry.

You should be able to merge this process into your standard patching process, because the two follow similar routines – bring a service down, make a change, bring it up, check it for continued function, go to the next service, continue until all services are done.

No excuses

So, with those techniques under your belt – and the necessary design and deployment practices to put them into place – you should be able to handle all requests to rotate passwords, as well as to handle patching of your service while it is live.

Sorry that this doesn’t come with a script to execute this behaviour, but there are some things I’m hoping you’ll be able to do for yourselves here, and the bulk of the process is specific to your environment – since it’s mostly about testing to ensure that the service is correctly functioning.

Black Hat with Amazon.com–2011 Code Challenges I

As a part of my day job at Amazon, I get to spend time recruiting the brightest and the best of the world’s security professionals – especially those who are willing to move to Seattle, Virginia, Dublin or Bangalore. Every so often, we go out on the road to security conferences, and as well as being able to learn from other security professionals who are presenting, we have a booth whose chief purpose (aside from the usual networking) is to recruit security staff.

If you are interested in security jobs at Amazon, visit http://security.amazon-jobs.com to see what’s available, and email security-ninjas@amazon.com to express your interest and submit your resume.

Black Hat 2011

We’re part way through the first day here at Black Hat in Las Vegas, and already the coding challenge is generating a lot of interest. Every morning, and every afternoon, we put up a piece of code – it’s a small piece of code, to make it readable and to make solving the challenge relatively quick and simple. But there’s something wrong with the code.

In my favourite samples, the flaw is a security flaw, but sometimes the flaw is something that, while not directly security related, may still cause a bug to trigger incorrect security behaviour.

Inevitably, we take down the coding challenge before some of the attendees have had a chance to read and work with it. Also, there is no way for non-attendees to get access to the code on the easel.

To fix that, I am uploading the code samples here to my blog. It’s important for readers to know that this is not an indication that anything in this blog is sanctioned or approved by Amazon.com, and it is not an indication that I speak for Amazon.com in any way whatsoever.

Having got that disclaimer out of the way, here’s the code we submitted for today, August 3rd, 2011.

Morning code sample: PerlForm

#!/opt/third-party/bin/perl –w
use strict;
use CGI qw/:standard/;
my $cgi = CGI->new;
my $name = $cgi->param("name");
my $item = $cgi->param("item");
my $count = $cgi->param("count");
print $cgi->header;
print $cgi->start_html('Form test code');
print $cgi->start_form;
print 'Name:',$cgi->textfield("name",$name),$cgi->br;
print 'Item:',$cgi->textfield("item",$item),$cgi->br;
print 'Count:',$cgi->textfield("count", $count),$cgi->br;
if (! $cgi->param) {
    # No values - show submit button
    print $cgi->submit;
    # CSRF protection - submit hidden nonce
    my $nonce = rand(100000000); # A bazillionty.
    print $cgi->hidden("nonce-value",$nonce);
} else {
    # Values - purchase item. Use cookie to identify session
    process_values($name, $item, $count);
}
print $cgi->end_form;
print $cgi->end_html;
exit 0;

Afternoon code sample: FixedPoint

bool fixedPoint(int nDecimals, const char *str, int &out)
{
// Converts string representation of decimal numbers
// to fixed-point integer representation, multiplying
// by 10 ^ nDecimals.
// Input has been sanitised and is trusted to be valid.

    char *point = 0, *end = 0;
    int frac = 0, digits = 0;

    out = strtol(str, &point, 10);

    if ( *point == '.' )
    {
        frac = strtol(point+1, &end, 10);
        digits = end-point-1;
    } else if (point == str)
        return false;

    while (nDecimals—)
    {
        out *= 10;
        if ( --digits == 0 )
            out += frac;
    }

    return true;

}

Note that the comments here can be relied upon. When we say that the inputs are sanitised and can be trusted to be correct, that means that nDecimals is always greater than or equal to the number of digits past the decimal point. strtol starts at the first parameter converting a representation of an integer from character to integer, and when it finds a character not part of that integer representation, it stops, and stores the pointer to that invalid character in the second parameter. The third parameter is a base, or radix. Here, we use base 10. There is no integer overflow going on here, the numbers being passed in are relatively small.

So what are we doing here?

Obviously, I’m not going to provide answers here for some time, because that would reduce the

2ndAuth released for Windows 7, Windows Server 2008 R2

I’ve given some hints at what we’ve been working on lately, by my choice of article topics.

Credential Providers have been my headache for a couple of months now, not least of which is because Microsoft haven’t quite provided all the working code they ought to have done for Windows Vista. Windows 7, now that works just fine. So that’s what we’re supporting – Windows 7 and Windows Server 2008 R2 (essentially Windows 7 Server) – with our new release of 2ndAuth.

[We’re still supporting 2ndAuth for Windows Server 2003 / Windows XP / Windows 2000, and will be releasing patches, new features and updates as necessary]

To whet your appetite, here’s a screen-shot of 2ndAuth at work on a Windows 7 system:

2ndAuth7

Notice that when 2ndAuth detects that you’ve selected to log on to a shared user (by a confusing coincidence, this one has a first name of “Shared”, and a last name of “User”), it prompts you for a second authentication (hence the name), which requires that the actual user enter another set of credentials (these should be their own credentials, and shared users cannot vouch for other shared users). This is then written to the Windows Event Log so that you can check who has been accessing which shared accounts and when.

Unauthenticated / failed attempts are also logged, but it’s difficult to say how useful it is to read that, since the failure could be with an invalid user name as much as an invalid password.

Terminal Services / Remote Desktop Connections are supported, too, as well as locking and unlocking the workstation (e.g. handing off to another user part way through a procedure).

The goal here is to acknowledge that sometimes you can’t help using a shared account, and the best thing to do is to provide a mechanism whereby you can discover who is responsible for the use of that account.

I’ll be adding a download link to our products page for 2ndAuth in a little while, but in the meantime, please feel free to ask me any questions about this service – either in the blog comments here, or by email to alun@texis.com.

Weird virus / anti-virus behaviour

My wife and I pent a while this weekend trying to figure out how to rescue a Media Center that seemed to be going a little loopy.

The Windows Media Center application itself worked fine, as did Windows Media Player, Calc, etc.

Only Internet Explorer was failing.

SNAGHTML11188b4

If you press Ctrl-C from most Windows dialog boxes like the one above, it will copy the text of the dialog into the clipboard.

Here’s what I get if I do that (this is mostly aimed at people using search engines):

[Window Title]
C:\Program Files (x86)\Internet Explorer\iexplore.exe

[Content]
C:\Program Files (x86)\Internet Explorer\iexplore.exe

The parameter is incorrect.


[OK]

[Had the Media Center been on 32-bit Windows, those paths would simply be “C:\Program Files\Internet Explorer\iexplore.exe” – the error message would still be “The parameter is incorrect”]

So, what on earth does this mean?

It seems bizarre, partly because there isn’t a parameter I’m supplying to Internet Explorer, but mostly because it gives me chills whenever Internet Explorer dies so quickly – I’ve seen so many viruses that disable Internet Explorer (so you can’t download a fix), that an IE issue like this sends a shiver down my spine.

My wife had the first go at fixing this, trying not only removing and re-adding IE as a Windows Feature (in “Turn Windows Features On or Off”), but also reinstalling Windows 7 on top of itself, as a repair. No fix.

Meanwhile, I downloaded Mozilla Firefox and Google Chrome on a different computer, moved them over to this one, and installed them each.

Both of them, when I tried to run, came up with the same “The parameter is incorrect” message. Worrisome.

I fire up Regedit, which is almost always also disabled by viruses that want you not to fix them. Strangely enough, that works – but I’m not done with my virus theory.

I updated Microsoft’s Security Essentials – which is already running on this system. A Quick Scan finds nothing. Trend Micro’s HouseCall is another “download and run this” virus scanner, much like the Microsoft Malicious Software Removal Tool, which arrives monthly with your Windows Updates.

Still nothing detected.

I get by with a little help from my friends

Fortunately, my friend and fellow MVP, Susan Bradley, is online, and although I don’t think she has the bandwidth to answer everyone’s questions, I think I’m rather special, so I call on her time to see if she has any suggestions.

“try malwarebytes.org?” she asks.

Sure enough, I hadn’t, and I know that several of the Consumer Security MVPs swear by it. So I download it and run it.

It finds four infections (I never get excited about the number of infections these tools find, because some of them are really aggressive as to what they think are “infections” – I’m one of those strange people that thinks tracking cookies are “mostly harmless”).

Reviewing what they are, I can see exactly how the behaviour comes about, but I’m still at a little of a loss as to how that happened.

The four entries it finds are under Registry settings, in the registry tree HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and under keys called “iexplore.exe”, “chrome.exe”, “firefox.exe” and “opera.exe” (Opera is another browser you can download).

The value, in each case, is as follows (using RegEdit to see):

SNAGHTML12019ad

The value name is “Debugger”, and although you can’t see it clearly there, the value is “ -sb” – that is a single space, followed, by a hyphen, and the two letters “sb”.

This is a variation on a classic method for killing Internet Explorer – or rather, for sidelining it, or prepending it with your own code. The functionality has a good purpose – for developers who want to run their debugger every time they open an application. I use it a lot myself.

I haven’t seen anyone do exactly this, though – it seems like they screwed up somehow.

The Fix

Fixing this is really simple. You just have to remove the value named “Debugger” from that key. Watch that you don’t make other changes, in case those cause other behaviours you don’t want. Oh, and do this as an administrator, or you won’t actually make any changes.

In my case, since this was the only value in the key for Internet Explorer, Firefox, Chrome and Opera, I deleted the keys themselves, just to be safe.

No reboot required – suddenly, I can start up my browsers – all of them. Thank you, Susan, and thank you, MalwareBytes!

The cause?

I’m always keen to find the cause of issues like this – especially since this could still be a virus that caused this, and if it is, I think the Microsoft Security Essentials team would like to know about it.

Searching leads repeatedly to the same possible target – a ROGUE antivirus program, which calls itself “AVG Antivirus 2011”, but which actually has nothing to do with the real AVG Antivirus. I’ve heard of this before, and I’ve seen it at a couple of sites I’ve visited for “research purposes”, but each time I’ve simply closed down IE before it had a chance to run its alleged scan.

[Hint: no web site should be scanning your computer and finding viruses. If a web site says it’s found a virus, it’s referring to the one it’s about to install on your system.]

So, it could have been me, it could have been a family member – but no real harm done. My guess is that it started to install itself, and Microsoft Security Essentials started to remove it, but didn’t quite manage to complete the job. That’s just a guess. I don’t have nearly the resources or the interest to try and re-stage the incident to test! I’m putting this blog entry out in the hope that it’ll be a search engine hit when someone else runs into the same issues.