From the "Wow I know that masked man" department – Dana Epp On the Silver Bullet Podcast

——– Original Message ——–
Subject:     [SC-L] Silver bullet
Date:     Mon, 31 Jul 2006 17:51:12 -0400
From:     Gary McGraw
To:     Mailing List, Secure Coding
Hi all,
International man of mystery Dana Epp is my guest in the episode of silver bullet that went up seconds ago:

Dana is a long time software security guy and has a great blog to boot.

Check it out (and feel free to post some comments on the site). 


Trying out Counterspy

The day I have to make a decision is here…Windows Defender beta 2 as a temporary measure to wait for the Enterprise version of Windows defender… or try out Counterspy Enterprise from Sunbelt.

My concern about going with Windows Defender as a solution is that the definition updates are controlled with WSUS/auto updates.  And I can’t then make a granular ability to allow one thing to update while another one is on an approval basis.  I approve patches, but I want antispyware and antivirus to automatically get deployed.  Granted that may have it’s own risks, but it’s the way I’m comfortable with and the process I’ve built up.  To jump on the Windows defender bandwagon, I’d lose the ability to manually deploy patches when I want to…..

…so I’ll let you know how the Counterspy works…

Upgrading to Vista

Microsoft Details Vista Upgrade Paths  InsideMicrosoft – part of the Blog News Channel:
Windows Vista: Upgrade planning:

“To summarize: If you have Windows 2000 or a 64-bit version of XP, you’ll be installing from scratch. If you have XP Home, you can buy any version of Vista and perform an upgrade. If you have Professional or Tablet, you can only perform an upgrade to Business or Ultimate, otherwise you’ll need to install from scratch. If you have Media Center, you can only perform an upgrade to Premium or Ultimate, otherwise you’ll need to install from scratch.”

So this is not a post having to do with SBS..

We temporarily suspend the SBS themed blog for this posting while Susan laments on “Storytelling in Movies”

I went to 20,000 Leagues under the Sea yesterday.  Truly.  I mean the movie was called Pirates of the Caribbean..but the plot had major parts of 20,000 Leagues under the Sea.  The Octopus was the “Beasty”…. and Davy Jones somehow had an organ on board his ship just like the Captain Nemo character in the Leagues movie. 

It’s nice that a Disney movie stole from…well.. a Disney movie…but the plot for the new Pirates just doesn’t seem storyworthy to be earning $300 and someodd million at the boxoffice and then some.

Now while the technical wizardy of the movie can’t be disputed… Industrial Light and Magic is hands down the best digital wizard master in the business, the story felt flat.  I mean it was really cool to see the front part of the Pirates ride in the movie… you know where you load on the boads and the fireflies are moving around and you drift slowly by the swamp buildings until it’s time to drop down the ramp and join the “Pirates”, but the fact is that so much of the story line felt like a rip off of a Jules Verne storyline felt a little strange. 

I think I’m getting old.  Movies are remakes these days…. TV shows are too much reality show based that the fine art of telling a story is seemingly being lost today. 

…and I wonder if some of this isn’t due to too much technology.  Watch an old movie from years past and they ‘talked’ and set up things much more than they do now.  These days, if you don’t have action and stunts in the first few moments you are doomed.

Technically these movies are exquisite… however when it comes to telling a story, they are falling flat.  And storytelling isn’t something that can be replaced with technology can it?  Imagination can’t be coded.  It comes from humans and the brains we have… and can’t be replicated can it?

Some things I don’t like in the story:  I don’t buy it that Elizabeth would chain Johnny Depp to the ship.  Just doesn’t seem like something she would do.  And if she did… do we really want either Orlando or Johnny to stay in love with her?  And can someone find a tube of Crest toothpaste for these folks?  I mean I know there’s scurvy and all that…but how come Orlando and Keira have good teeth and Tia Dalma (Voodoo Lady) looks like a BIC ball point pen blew up in her mouth or something?

… oh and one more thing… in the era that Pirates roamed the seas (which was a very short period of time), weddings would not have been performed outdoors when a church was nearby.  Martha Stewart’s perfect outdoor wedding that got rained out… just seemed a tad out of place.

…so maybe the answer is… a bit of reading, eh?

P.S.  I did buy tickets online via as the geek that I am….

P.S.S…. we always stay for the full credits to count the number of Accountants used in the film (a lot this time)… you’ll want to stay for the very very end to see…well.. just trust me… sit through the credits…there’s something at the end.

I vote for "understand" WGA

Vlad links to a way to “disable” WGA but I’d strongly recommend that if your machine is failing WGA  authentication and you beleive that you are a legal owner of MS software that you make your voice heard.

1.  The WGA folks talk about a WGA “roadmap”…  so you may be shutting it off now, but it won’t be shut off later…

2.  The WGA team believes that the number of ‘false positives’ are miniscule.

Review the WGA blog for the listing of issues…and post your issue in the WGA forum.. don’t just shut the thing off because if we don’t give feedback nothing will get fixed…and yes I know that you don’t have time to fix Microsoft software…but truly nothing will get fixed unless you give feedback.

Shutting it off only reinforces the WGA’s teams thoughts that there’s little false positives out there.

Remember we have to give feedback when something isn’t working …or it won’t get fixed …

Looking for more videos?

Tim has a link on his website for his “No geek left behind” vlogs/videos… check it out!

SMBNation brochure is on the web..

The SMBnation brochure is up on the web and looks like they are starting to fill out the roster of speakers…. I’ll not be a speaker this year so I’ll have fun just attending the event.  For those that are SBS group members… make sure you check with your SBS group for a discount code.

You can also check out the webcasts on 


The other day the “Banana hack” to get a HP Media Center Edition (MCE) to join a domain (1) wouldn’t do it.. it kept bluescreening on me and I thought it was due to the partitions on the drive… and I was reminded that I could boot with a XP pro cdrom and go into the Recovery console from there… but when I did… I could only see the cdrom drive and the D: partition on the computer and not the C: drive… hmmmm… okay so the recovery console finds the drive …but not all parts of the drive… so I rebooted and went into the bios settings and found that the SATA drive was set up for RAID… and not IDE….hmmmm says I…wonder if I change the bios from RAID to IDE if the recovery console will work.

‘sure nuff that was the issue… once I flipped the SATA from RAID to IDE in the bios settings, rebooted the box, the Windows recovery console part worked and now my HP MCE M7560y has now exposed the “network settings” in the control panel so I can now join it to a domain.

(1) keep in mind that this banana hack now puts this machine in an unsupported state. I am choosing to ‘unsupport’ myself because I want the active directory full AD glue.  I’m choosing unsupporting my OS for more control from the server.

So how do you go from SBS 2k3 sp1 to SBS 2k3 R2

…now obviously we have to wait for the media…but just to let everyone know because there were some questions about this yesterday..

At the present time on the MSDN site are iso images that say SBS 2k3 R2…but there’s only the five first disks that make up SBS 2k3 sp1.

Disk 1
Disk 2
Disk 3
Disk 4

These five disks get you up to SBS 2k3 SP1…and now you are ready to apply the R2 parts. If you already have SBS 2k3 sp1 you will just jump to this R2 disk.  On it are three things… Sharepoint sp2, Exchange 2003 sp2 and the SBSized/WSUS parts.  The first two, if you are an up to date SBSer you can skip by those… it’s only the last one you need to install with the “Built in admin” account.  That will give you the SBSized WSUS and the .. .yes the green check that per Vlad (1) was the reason that R2 was delayed….

The premium disks include ISA 2004 and SQL 2005 workgroup. But truly listen to the podcast now about R2.. it may be delayed..but you’ll still need to know how to install it once it hits the streets.

(1) Vlad’s take on why the R2 release was delayed:

Here is the MVP scoop:

The product was recalled to make the green check greener. They felt that, as its most significant feature, it was not piercing green enough. The new check will have lime extract and will be based on the next generation of Aero for SBS codename Chlorophyll.FX.

And on a Friday nonetheless!

P.S. Just a joke about the inside scoop. Though kudos to the SBS team for having the balls to pull a product, shows some level of restraint and control that I hope IE team can pick up. 

P.S.  Tim says I need to at least link to Vlad’s “Its not easy being green” vlog about R2…..


Mixed emotions

Mixed emotions.

There’s no other way to describe the feelings about this.

And even more after reading these links….,1759,1996130,00.asp?kc=EWRSS03119TX1K0000594

I’m just reminded of the mixed emotions I felt when hearing that the Sysinternals guys were bought out by Microsoft….

As far Dr. J leaving…good for him like Michael says, his schedule was brutal…..but the mixed emotions are totally and purely selfish ones…..there was always a feeling that here was someone behind the wall that was “MVP” like and spoke with an indepedent voice… one who spoke for the customer.  Oh there are still more behind the wall that are like him… but it’s still means I have mixed emotions nonetheless.

… several years back as a naive geek I went in search of the Security answers.  I wanted to harden my server and I figured those folks who did this in big server land had all the answers.  So I joined this online group that was going through hardening guides to come up with a consensus.  The Center for Internet Security.  And I’d get up to call in at 7 a.m…. which if you know me that means I have to be up, showered, dressed as as soon as the call is over I’m off to work… so that means I’m getting up way earlier to get ready.. and I’m not a morning person.  I was a several year SBS MVP by that time, into watching Patch Management, not sure if I had gotten my GSEC from the SANS org by that time…but nonetheless I was this padawan looking for guidance from those that had all the answers.

I mean someone must know all the answers about … like if I disable that service exactly what programs need that and would complain, right?  I mean someone has figured all this stuff out right?

uh… well… no.

I soon figured out that given the complexity of software, the fact that my vendors never tried to code securely in the first place, that no one really knew if I turned that THING off if something would blow up on me.  And in those phone converstations, I could tell that the folks on the phone call really respected the folks from Microsoft.  They knew they were going to get honest answers and no fluff or spin.  I still remember one person in the group commenting on how they felt Microsoft had made great movement towards Security … and a great deal of that belief was due to interactions with the folks from Microsoft who gave the “face” to the corporation.

So as I listened… and piped in timidly when I felt worthy (yeah I know are probably going TIMID?  Susan?  Ms. 2×4?  Has she ever been timid?  But this was before the blog era and going into an impressive venue means you lurk for a while before you make a fool of yourself)  …. and as I realized more and more that I had to harden myself… and learn myself… and there wasn’t any silver bullet or easy button to help me.

I was extremely honored to be a reviewer of his and Steve Riley’s book, Protect Your Windows Network.  It was a blast to get chapters and then make comments (hopefully they felt the same about my comments)… it was like standing in front of Leonardo DaVinci and Michaelango and giving a critique.

My extreme best wishes in your new position.. is fortunate to have you on their team.

… uh.. this now means I need to log in and change that password because my online book buying password is soooooo old and sooooooo sucky it’s really and truly embarrassing.  And while many of us don’t have an unique password for everyone online site (let’s be honest shall we?  We have typically a base password that we then make a derivative of for other sites)….this one on Amazon…. he’d truly be severely disappointed in me if he saw how truly and utterly sucky it was.

There’s no other excuse other than laziness for not changing it.

Oh yeah… he’s needed there… there’s no password complexity recommendation page, nor guidelines to setting a good password… in fact they need to have force me to change my password a long time ago… I’m not sure if that will be his job…but if not… I think I figured out what he needs to do on day one.

In the meantime… one really really sucky password has now been changed:

You have successfully modified your account!