Experience over Theory

In the past I used to work as a trainer. As a trainer you need to have a grasp
of the subjects that you teach. Your knowledge needs to be in-depth as you are
constantly surprised by the questions of delegates. To be able to grasp the material
you need to understand the theory behind what you are attempting to teach.

During the time that I taught I used to take on consulting jobs to keep my hands
dirty. At some stage I decided to stop training and started to look for work in the field. A theme
that used to come up in most of my interviews was that I had the theoretical knowledge
yet might be lacking in experience (previously, I used to hear this from my delegates). This used
to drive me crazy, specifically when it came from people that built themselves on (and took
pride in) having nothing but experience. I had better knowledge than they did of the subject,
yet I was judged due to “lack of experience”.

Doing some reading, I found the following sentence, which I would like to quote from a textbook
on negotiation by Gavin Kennedy:

“A purely anecdotal approach to practical problems is limited in three ways: the manager might
forget the appropriate anecdote to guide him in his current circumstances; he might apply
an inappropriate anecdote to his problem; he might never have covered the appropriate anecdote
in his training and be at a loss as to what to do”

I feel that I can relate to this, especially to the last sentence.
As a consultant I used to see this happening every time one such so-called “experienced” person
would encounter an issue that he had never encountered before. He would go blank.
In most cases, by applying some theoretical knowledge of how things work, the theoretician
was able to solve the problem… and then be scolded for not having enough experience… 🙂

OK, so at this stage you might be asking yourself: what exactly is he trying to say here?
Two points to keep in mind:

  1. A professional is a person that has both theoretical knowledge and experience. In my opinion
    the balance should be 65-35 towards theory.
  2. Don’t laugh at people that actually sit down and learn!
    [They may be bigger than you]

Israel going Skynet?!

I found the following post, which claims that Israel is building an AI system that will help
the military in decision making and, in addition to that, might be able to take over
if needed.

The full story can be found at:

Truth be told, this may not be a bad idea considering the fact that when under
attack by a very large number of missiles a human operator may not be enough. On
the other hand, memories of Skynet and Terminators do come to mind…

Terminator 4 now a new chapter in the terminator series

Mandatory Integrity Control (What, how and why do we care?)

The theory

Mandatory Integrity Control (MIC) is an additional layer of security built into Vista and
Windows Server 2008. This layer helps Windows protect itself from harmful changes, intentional or
unintentional, to important objects. Among the objects protected we can find files, directories, registry
keys, printers, and in fact any object that has a security descriptor.

The beauty of MIC is that it has been there in the background all along protecting you, yet you never knew
it existed. You might have actually encountered it by trying to change a file that is protected by it, and even
though you had the permission you couldn’t…

The MIC layer is a barrier placed before your permissions are checked. Essentially this new road block checks
your privilege (integrity) level against that of the object that you are trying to change. If your privilege level is equal
or higher you are allowed to make the change. On the other hand, if your privilege level is lower you cannot change
the object even though you may have the permission to.

Vista defines four integrity levels, in order of precedence from low to high (the Untrusted and Trusted Installer levels are out
of scope here):

  1. Low – Used by Internet Explorer 7 to enforce Protected Mode
  2. Medium – Used for standard users (assumed if no other level is set)
  3. High – Used for administrative actions (CMD with Run as administrator)
  4. System – Used by the system

Note that each privilege level is represented by a different group SID.


Privilege levels are inherited, meaning that the privilege level of the creator is inherited by the object
that is created. If a user opens Notepad, the user's privilege level is attached to the process, to the
file created by the process, and so on…


A quick example

OK, let's try something practical.
In the following example I will create a new file using an elevated CMD.EXE, view its integrity level using ICACLS, and then
try to delete the same file using a standard CMD.EXE… let's see what happens:


Note that CMD was started as an administrator and the file has been created with a privilege level of high (last line
of ICACLS output). The user's privilege level is also high (see the WHOAMI output and he belongs to the Administrators



Note that the second instance of CMD is not run as an administrator. The file is still there, still with a high level of privilege,
and the user has permissions (ICACLS and WHOAMI output), yet he cannot delete the file.
The reason is that the current privilege level of the user is medium (note the output of WHOAMI).


Now, to top it off, something odd (or actually normal, depending on how you look at it…). If you attempt to delete the file
from an Explorer window you will receive the following message:


Once acknowledged (by pressing Continue) the file will be deleted. What happened here?

Well, by choosing to continue you elevated the Explorer process's level to High, thus you can delete the file…



Based on the above example you can see that MIC is an additional layer of security implanted into Vista. Vista
assigns the level of integrity a specific object belongs to; it’s not configurable, and the only way that a user
can elevate his own level of integrity is by interacting with the system and explicitly acknowledging an action (such as
the deletion of the file in our example). A very important point to understand about MIC is that it protects files
from being tampered with, not their privacy. In other words, only ACLs will protect the file from being read.

Now I really love to contradict myself (at least I do it in different paragraphs…): there is a way to manipulate
files and even protect their contents by using MIC, but it’s not a way I would recommend. On the other hand it’s
still good to know, and as Mark Minasi mentions, what happens if malware actually creates a file with the privilege
level of System - no one will be able to delete it?!?

Mark has created a tool called CHML.EXE that is a bit more versatile than ICACLS and it allows you to set privilege
For additional information on CHML look at:
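
The check described in this post, as an added example (not code from the original post or from Microsoft): a small Python model that reads the integrity label from an object's SDDL string and applies it before the DACL result. The SDDL strings are constructed samples, `dacl_allows` is a stand-in for the real DACL evaluation, and the NR (no-read-up) flag goes beyond the no-write-up case shown above to cover the "protect the contents" remark.

```python
import re

# SDDL alias -> (name, RID of the S-1-16-<RID> integrity SID), lowest to highest.
LEVELS = {"LW": ("Low", 0x1000), "ME": ("Medium", 0x2000),
          "HI": ("High", 0x3000), "SI": ("System", 0x4000)}
# Mandatory-label policy flags: the kind of access refused to lower-level callers.
POLICY = {"NW": "write", "NR": "read", "NX": "execute"}
# A mandatory-label ACE in SDDL form: (ML;<ace flags>;<policy flags>;;;<level alias>)
LABEL_ACE = re.compile(r"\(ML;[^;]*;((?:NW|NR|NX)*);;;(LW|ME|HI|SI)\)")

# Constructed sample descriptors (not taken from the post).
HIGH_FILE = "D:(A;;FA;;;BA)(A;;FA;;;BU)S:(ML;;NW;;;HI)"   # High, no-write-up
HIGH_NO_READ = "D:(A;;FA;;;BU)S:(ML;;NWNR;;;HI)"          # High, also no-read-up
UNLABELED = "D:(A;;FA;;;BU)"                              # no label ACE at all


def parse_label(sddl):
    """Return (level RID, set of blocked access kinds) for an SDDL string.

    An object without a label ACE is treated as Medium with no-write-up."""
    match = LABEL_ACE.search(sddl)
    if match is None:
        return LEVELS["ME"][1], {"write"}
    flags, alias = match.groups()
    blocked = {POLICY[flags[i:i + 2]] for i in range(0, len(flags), 2)}
    return LEVELS[alias][1], blocked


def access_check(caller, sddl, access, dacl_allows):
    """MIC runs first; the DACL verdict only matters if MIC lets the request pass.

    caller is an alias from LEVELS; dacl_allows stands in for the DACL evaluation."""
    level, blocked = parse_label(sddl)
    if LEVELS[caller][1] < level and access in blocked:
        return "denied by MIC"
    return "granted" if dacl_allows else "denied by DACL"


if __name__ == "__main__":
    for caller in ("ME", "HI"):
        for access in ("read", "write"):
            print(caller, access, access_check(caller, HIGH_FILE, access, True))
```
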

Timing operations

If you need to know the time that elapsed between two operations you can use
the following tool from Microsoft (Windows 2000 Resource Kit):


TIMETHIS  :  Command Timing Utility

Usage : TIMETHIS “command”

  TimeThis executes the command specified by its arguments, then reports its
  run time in HH:MM:SS.TTT format.  Quotes around the command are required only
  when the command involves redirection via <, >, >>, or |, etc.  Quotes ensure
  that the redirection is applied to the command being timed, rather than the
  TimeThis command itself.

Getting zapped?!?

I own a Dell XPS m1330. It’s a cool laptop (yes, it’s red), looks good, very mobile
and does the work…

To my surprise, I stumbled upon a blog post claiming that there is some issue with their
physical build and wiring that might cause minor to mild electronic shocks.
For the full post, take a look at:

Now at this stage I really have to ask myself, how on earth could the QA guys miss such a “tiny”

The model I own has a three-pronged AC adapter cable, so it never happened to me, but still…

[P.S. It’s still a cool laptop, and it’s RED!!!!]


Windows Vista Service Pack 1 RC Refresh Public Availability Program

In all honesty, I find Vista to be a great OS (as I have mentioned several times in the past). Moreover,
I find that the 64-bit version is even better. After getting that out of my system (not for the first time),
I am glad to see that SP1 is just around the corner.

If you want to try it, take a look at: