Do No Evil; Google Chrome Style

Have you seen this warning when you try to click a link in Outlook or Word? "This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator." Here is a screen shot:



There are many reasons this warning can happen. Typically, the cause is that some setting in the registry (the database of configuration data on a Windows computer) has become corrupted. How exactly it became corrupted is an open question. One completely, 100% foolproof, way to corrupt the registry is to install and then uninstall Google Chrome. I discovered this when I realized that the error goes away if you reinstall Google Chrome, even if you do not set Google Chrome as your default browser. It turns out that Google leaves behind pointers to a ChromeHTML file type handler for web pages, but removes the file type handler itself during uninstallation.


To make it easier to repair a computer that has had Chrome installed I decided to write a registry file that restores the registry to its original state, and makes your computer work again. The file ended up being quite long. Google leaves behind a lot of detritus in the registry after uninstalling Chrome. It even leaves behind pointers to file icons in the, now removed, Chrome program.


If you have this error, you can use the registry script below. Or, you can do just the essential surgery by removing these two registry keys:


HKEY_CURRENT_USER\Software\Classes\.htm
HKEY_CURRENT_USER\Software\Classes\.html


That will at least make your computer mostly functional again. To really restore full functionality after you install Google Chrome you need to run the registry file, or reinstall Windows.


Technical Details


When Outlook or Word starts it reads certain registry values to learn which program to use as the file handler for web pages. Those registry keys include HKCR\.htm[l] and the ones listed above. The values in those keys do not actually point to the file handler, but rather, describe the file type of the file handler. Normally, that file type is htmlfile. When you click a link in an e-mail your computer will look up the program that handles the htmlfile file type, and opens the link using that program.


When you install Google Chrome and set it to be the default browser it creates the keys above, along with many others. Those keys set the file type for .htm and .html files to ChromeHTML. The ChromeHTML file type, understandably, points to chrome.exe as the program to invoke. As long as Chrome is set to the default browser the operating system will take the route link->hkcr\software\classes\.html->hkcr\software\classes\ChromeHTML->chrome.exe. If Chrome is not set to the default browser for that user the operating system knows to launch the default browser instead.


When you uninstall Google Chrome it deletes the ChromeHTML key, but not the keys listed above, and many others. When Outlook launches it reads those handlers and tries to find the ChromeHTML file type that those keys define. The ChromeHTML file type has, however, been deleted. Outlook (or rather Word, which is the email rendering program) catches that but does not have a good error message to show the user. It has been programmed to display the "this file type has been blocked" error when it can't find the file type in the registry. Thus, Outlook and Word (and any other program that handles HTML links) work correctly when Chrome is installed but not set to default, but fail after you uninstall Chrome and the linkages in the registry are incomplete.
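The lookup chain described above (extension key, then ProgID, then program) can be checked mechanically. The following is an added example written for this page; it is not the post's registry file and not Microsoft's or Google's code. It walks the same chain over a snapshot of the relevant keys, reports any extension whose ProgID no longer exists, and suggests the fix the post gives (delete the stale per-user key). The snapshot is constructed to mirror the post's scenario; on Windows, snapshot_from_winreg builds the same shape from the live registry, read-only. One detail it relies on: when HKCR is assembled, the per-user keys under HKCU\Software\Classes take precedence over the machine-wide ones under HKLM\Software\Classes, which is why the stale ChromeHTML pointer wins over the perfectly good htmlfile one.

```python
"""Find dangling file-type handlers like the ChromeHTML case described above.

Added example; not from the original post, not Microsoft's or Google's code.
The default value of an extension key such as .htm names a ProgID
("ChromeHTML", "htmlfile"), and that ProgID must exist as its own key for the
handler to resolve. HKCU\Software\Classes is consulted before HKLM.
"""
from typing import Dict, Iterable, List, Optional, Tuple

HIVES = (r"HKCU\Software\Classes", r"HKLM\Software\Classes")  # checked in this order

# Constructed snapshot mirroring the post's scenario: Chrome was uninstalled,
# the ChromeHTML ProgID key is gone, but the per-user .htm/.html keys still
# point at it. Values are the keys' default values; None means the key exists
# but has no default value; keys absent from the dict do not exist.
SNAPSHOT_AFTER_CHROME_UNINSTALL: Dict[str, Optional[str]] = {
    r"HKCU\Software\Classes\.htm": "ChromeHTML",
    r"HKCU\Software\Classes\.html": "ChromeHTML",
    r"HKLM\Software\Classes\.htm": "htmlfile",
    r"HKLM\Software\Classes\.html": "htmlfile",
    r"HKLM\Software\Classes\htmlfile": "HTML Document",
    r"HKLM\Software\Classes\htmlfile\shell\open\command": "<constructed browser command line>",
}


def resolve_progid(snapshot: Dict[str, Optional[str]], ext: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (hive, progid) for an extension, from the first hive with a non-empty default value."""
    for hive in HIVES:
        value = snapshot.get(f"{hive}\\{ext}")
        if value:
            return hive, value
    return None, None


def progid_exists(snapshot: Dict[str, Optional[str]], progid: str) -> bool:
    """A ProgID resolves if its key exists in either hive."""
    return any(f"{hive}\\{progid}" in snapshot for hive in HIVES)


def find_dangling_handlers(snapshot: Dict[str, Optional[str]],
                           extensions: Iterable[str] = (".htm", ".html")) -> List[Dict[str, str]]:
    """Report extensions whose ProgID points at a key that no longer exists."""
    findings = []
    for ext in extensions:
        hive, progid = resolve_progid(snapshot, ext)
        if progid is None or progid_exists(snapshot, progid):
            continue
        # A stale per-user override can simply be deleted (the post's two-key fix);
        # a stale machine-wide value must be repointed instead, or the extension
        # would be left with no handler at all.
        fix = (f"delete {hive}\\{ext}" if hive == HIVES[0]
               else f"repoint {hive}\\{ext} to an existing ProgID such as htmlfile")
        findings.append({"extension": ext, "hive": hive, "progid": progid, "fix": fix})
    return findings


def snapshot_from_winreg(extensions: Iterable[str] = (".htm", ".html")) -> Dict[str, Optional[str]]:
    """Windows only: build the same snapshot shape from the live registry (read-only)."""
    import winreg  # imported here so the module still loads on non-Windows hosts

    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap: Dict[str, Optional[str]] = {}

    def read_default(label: str, root, subkey: str) -> None:
        try:
            with winreg.OpenKey(root, subkey) as key:
                try:
                    snap[f"{label}\\{subkey}"] = winreg.QueryValueEx(key, "")[0]
                except FileNotFoundError:      # key exists, default value unset
                    snap[f"{label}\\{subkey}"] = None
        except FileNotFoundError:              # key does not exist
            pass

    for label, root in roots.items():
        for ext in extensions:
            read_default(label, root, f"Software\\Classes\\{ext}")
    progids = {v for v in snap.values() if v}
    for label, root in roots.items():
        for progid in progids:
            read_default(label, root, f"Software\\Classes\\{progid}")
    return snap


if __name__ == "__main__":
    for f in find_dangling_handlers(SNAPSHOT_AFTER_CHROME_UNINSTALL):
        print(f"{f['extension']}: {f['hive']} -> {f['progid']} (missing); suggested fix: {f['fix']}")
```

Run on Windows as `find_dangling_handlers(snapshot_from_winreg())`; an empty list means the .htm/.html chain resolves, which is the state the post's registry file is meant to restore.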


 

Security Awareness Post 3: Recognizing Your Surroundings (Virtual)

If you have ever taken a survival course you have probably heard the instructor talk about how you need to be aware of your surroundings. Much of survival is about recognizing where you are, what is safe, and what is not. The Internet is no different. By far the most important factor in safe use of the web is recognizing where you are, and making appropriate decisions about what is safe and what is not; what is to be expected, and what is extraordinary. Unfortunately, most people either do not know how to tell where they are, or do not do so on a regular basis.


In the first post, we discussed fake e-mail and how to recognize it. There are similar cues to tell which web sites you are visiting. Consider this picture:



First, look at the address bar, the part that says http://www.microsoft.com/en/us/default.aspx. This part is called the Uniform Resource Locator (URL). You probably already know that this is the address of the server you are connected to. What you may not know is which parts of it are interesting when making a decision about whether to trust this site. The first part of the URL is the "protocol" used: http in this case. A "protocol" is essentially the "language" that defines the words a client, in this case your web browser, can use to ask the server, in this case the web site, to send it some information, in this case a web page. The protocol above, http, is the standard protocol used on the web. Unless the protocol is https it is useless in making a safety decision.


The second part you see is the name of the web server: www.microsoft.com. It has three parts. From right to left, it defines ".com" which originally meant "commercial" to distinguish it from edu (educational), gov (government) and so on. These days, it really is just what is known as a "top level domain" or TLD used to denote many sites on the Internet. There are some generic TLDs, such as .org (typically used for non-profits), .com, .edu, and a lot of national ones, such as .uk (United Kingdom), .fr (France), .ru (Russia), .cn (China), and many others.  The TLD used in this case is not useful in making a safety decision.


The rest of the name of the web server, however: www.microsoft.com, is very useful. The "microsoft" part, in particular, identifies the organization or service that you are connected to. In other words, you are connected to a Microsoft server.


When you use the URL to make a decision about where you are, be careful with what you are looking for though. Criminals will often try to modify the name. For example, it may be “m1crosoft.com” (1 instead of ‘i’), “micorsoft.com” (misspelled name), or “g00gle.com” (zeros instead of ‘o’). Any time you see a misspelled URL it is almost certainly a fake!
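The two checks the last few paragraphs describe, reading the protocol and the organization label just left of the top-level domain, and then asking whether that label is a brand you know or a lookalike of one, can be written down as code. The block below is an added example for this page, not the post's own; the brand list and the table of look-alike characters are constructed for illustration, and a production version would use a curated brand list, the Unicode confusables data and a public-suffix list (the naive "label left of the TLD" rule is wrong for suffixes such as .co.uk). It goes slightly beyond the post by also catching a brand name used as a subdomain of some other registrable domain.

```python
"""Split a URL into the parts discussed above and flag lookalike host names.

Added example, not from the original post. TRUSTED_BRANDS and FOLD are
constructed for illustration.
"""
from typing import Dict, Optional, Sequence
from urllib.parse import urlsplit

TRUSTED_BRANDS: Sequence[str] = ("microsoft", "google", "live")  # constructed sample list

# Characters that read alike at a glance, folded to one representative
# (constructed subset of the ASCII cases: 1/i/l, 0/o, 3/e, 5/s, 7/t, 8/b).
FOLD = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b"})


def split_url(url: str) -> dict:
    """Return scheme, host, TLD and the 'organization' label of a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    labels = host.split(".") if host else []
    return {
        "scheme": parts.scheme.lower(),
        "host": host,
        "tld": labels[-1] if labels else "",
        # Naive rule: the label left of the TLD names the organization.
        "org_label": labels[-2] if len(labels) >= 2 else "",
        "subdomain_labels": labels[:-2] if len(labels) > 2 else [],
    }


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition, e.g. "or" <-> "ro"
    return d[len(a)][len(b)]


def classify_url(url: str, brands: Sequence[str] = TRUSTED_BRANDS) -> Dict[str, Optional[str]]:
    """Decide whether the host is a known brand, a lookalike of one, or unknown."""
    info = split_url(url)
    label = info["org_label"]
    result: Dict[str, Optional[str]] = {"scheme": info["scheme"], "host": info["host"], "brand": None}
    if label in brands:
        result.update(verdict="exact", brand=label)
        return result
    for sub in info["subdomain_labels"]:
        if sub in brands:   # e.g. www.microsoft.com.example.net: the brand is not the registrable name
            result.update(verdict="brand_as_subdomain", brand=sub)
            return result
    for brand in brands:
        if label.translate(FOLD) == brand.translate(FOLD):   # m1crosoft, g00gle
            result.update(verdict="confusable", brand=brand)
            return result
        if len(brand) >= 5 and osa_distance(label, brand) == 1:   # micorsoft
            result.update(verdict="typo", brand=brand)
            return result
    result["verdict"] = "unknown"
    return result


if __name__ == "__main__":
    for u in ("http://www.microsoft.com/en/us/default.aspx", "https://m1crosoft.com/login",
              "https://micorsoft.com/", "https://g00gle.com/", "https://www.microsoft.com.example.net/"):
        r = classify_url(u)
        print(f"{u}: scheme={r['scheme']} verdict={r['verdict']} brand={r['brand']}")
```

Any verdict other than "exact" deserves a second look, and even "exact" only tells you the name looks right; as the post goes on to say, only the certificate behind an https connection tells you whom you are actually talking to.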


There is only one secure way to determine whether you trust the URL, however, and that is if it uses https as the protocol. Consider this picture:



The protocol used now is https. https is actually another protocol (either Secure Sockets Layer – SSL – or Transport Layer Security – TLS) layered on top of http. It is not crucial right now to know the technical details of that; merely what features it provides, which is two things: First, https provides a way for the web browser and the web server to encrypt all traffic between them so it cannot be intercepted and read in between the two. http, on the other hand, is unencrypted. Second, and most importantly, https gives YOU a way to identify the web server you are connecting to. When you use https, you get the little padlock in the address bar. Most people ignore the padlock, but if you go to a URL that you do not recognize, such as perhaps “live.com”, it can give you the crucial information you need to make a decision. If you click on the padlock you get a screen like this:



This screen is the really important part. It tells you who issued the Digital Certificate, and the name of the entity it was issued to. In this case you can tell that VeriSign has issued a certificate to Microsoft Corporation. This is the conclusive information on which business you are connecting to. Of course, you can only trust that as far as you trust the issuer of the certificate. Generally, however, it is safe to trust any certificate that does not cause your browser to say the certificate should not be trusted. The browser vendor has already decided which issuers you should trust, and unless you have good reason to, there is usually no point in doubting that decision. If a certificate should get stolen, your web browser will throw a warning because it can only be used on the site it was originally issued for. In other words, while the criminals may be able to register "m1crosoft.com" and even get a certificate for it, they cannot use a certificate that says "microsoft.com" in it. The browser will complain if they do.


In the picture above, the address bar is green. It is not always green. That only happens if the site uses a special identifier (known as a “Digital Certificate”, which I will explain in a later post) called an Extended Validation Certificate (EV Cert). An EV Cert means that the business has paid a lot more for the certificate than a standard one, and in return, the issuer of the certificate has performed some additional validation, such as ensured that the business has a physical office somewhere. The color of the address bar actually provides little value to you when trying to determine which site you are on though. Some browsers, such as Internet Explorer, will show you information such as the business name in the little popup when the site uses an EV Certificate. However, the same information is typically available in the Details tab if you click the "View certificates" link in the pop-up. Click the "Subject" row and you will see it, as in this picture:
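What the padlock dialog shows (issuer, subject, and the names the certificate is valid for) is available programmatically as well, and the "stolen certificate" point above, that a certificate for microsoft.com is no use on m1crosoft.com, is just a name-matching rule. The block below is an added example for this page, not the post's own code. It works on the dictionary that Python's ssl.SSLSocket.getpeercert() returns, so the same functions serve a live connection (fetch_peer_cert) and the constructed SAMPLE_CERT, which borrows the names from the post's screenshot (issuer VeriSign, subject Microsoft Corporation) with made-up validity dates and is not a real certificate. The matching follows the usual browser rules: DNS entries in subjectAltName are authoritative, the Common Name is a fallback only when there are no SANs, and a wildcard may stand in for the whole leftmost label only.

```python
"""Read the identity a TLS certificate carries and check it against the host name.

Added example, not from the original post. SAMPLE_CERT is constructed in the
shape returned by ssl.SSLSocket.getpeercert(); its dates and issuer CN are
made up.
"""
import socket
import ssl
import time
from typing import Dict, List, Optional

SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Microsoft Corporation"),),
                (("commonName", "www.microsoft.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "VeriSign"),),
               (("commonName", "Constructed Sample EV CA"),)),
    "subjectAltName": (("DNS", "www.microsoft.com"), ("DNS", "microsoft.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
}


def rdn_value(name, attr: str) -> Optional[str]:
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def dns_names(cert: dict) -> List[str]:
    return [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]


def describe(cert: dict) -> Dict[str, object]:
    """The facts the post says to look at: who issued it and whom it was issued to."""
    return {
        "issuer_org": rdn_value(cert["issuer"], "organizationName"),
        "subject_org": rdn_value(cert["subject"], "organizationName"),
        "subject_cn": rdn_value(cert["subject"], "commonName"),
        "dns_names": dns_names(cert),
    }


def _name_matches(pattern: str, hostname: str) -> bool:
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only as the entire leftmost label, matching exactly one label,
    # and never for something as broad as *.com.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate was issued for this host name."""
    names = dns_names(cert)
    if not names:                      # no SANs: fall back to the Common Name
        cn = rdn_value(cert["subject"], "commonName")
        names = [cn] if cn else []
    return any(_name_matches(n, hostname) for n in names)


def is_within_validity(cert: dict, now: Optional[float] = None) -> bool:
    """notBefore <= now <= notAfter, using ssl's parser for the 'GMT' date format."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup: the default context validates the chain and host name; returns the cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    facts = describe(SAMPLE_CERT)
    print(f"issued by {facts['issuer_org']} to {facts['subject_org']} for {facts['dns_names']}")
    for host in ("www.microsoft.com", "m1crosoft.com"):
        print(f"{host}: {'matches' if host_matches(SAMPLE_CERT, host) else 'does NOT match'}")
```

Note that ssl.create_default_context() already performs the host-name and chain checks before getpeercert() returns anything, so the explicit matching here is for reading and reasoning about a certificate you already have; describe() on the result gives the same issuer and subject the padlock dialog shows.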



Using the padlock and evaluating which organization you are connected to is the only safe way to decide which site you are on. In many cases, you probably do not need that, but in some situations, such as when you are downloading software, and shopping or banking online, it is crucial.


Problems with Site Identification


Some sites use other techniques than https to help you identify them. For example, some banks have you type your username on a form that does not have a password field. Once you do it shows you a picture that you selected and the password field. The idea is that you selected the picture when you set up the account, and since the bank now shows you this picture you are supposed to trust that you are connected to the bank. Unfortunately, this system is not secure at all. Any attacker can probably guess your username (is it first initial+last name or last name+first initial?). If an attacker can guess your username, which is not really a secret, they can obtain your picture, steal it, and show it to you on his site. The criminals can even fake out the entire system by tricking you into going to their site and typing your username. They then submit your username to your bank, retrieve your picture, and show it to you on the attackers’ site. It is trivial to circumvent the system of using pictures to identify sites. The only trustworthy way to identify the site is to inspect the certificate.


Unfortunately, many sites, including some very large credit card issuers, do not use https to serve the login form. Using https for the form is strictly speaking not required to encrypt the password when you send it to them. However, it misses the second part of https: the part where the site identifies itself to you. If the site does not serve the login form over https you cannot verify where you are sending your password because you do not yet have a certificate to verify it with. If a company does this, complain to them and request that they serve the login form over https. If they refuse, take your business elsewhere. For example, Discover Card not only refuses to serve the logon form over https, but even redirects you from https to http if you type https in the address bar. After repeated complaints I decided to just cancel my Discover Card and use American Express instead, which redirects you to https should you accidentally type http in the address bar. Discover Card does not care about my privacy and safety, while American Express actually helps protect me against my own typos.

Security Awareness Post 2: Beware of malicious software

October is National Cyber Security Awareness Month, and as I stated in the last post, I decided to celebrate by writing some Security Awareness posts. Almost as if they knew what I was going to write about, I received this spam comment on my last post this morning:


"such a very informative and valued article, regards"


The poster's name, which is undoubtedly fake, was hotlinked to: hxxp://www.antivirus-finder.blogspot.com. That, in turn, turns out to be a blog that links to various unknown and quite possibly shady anti-malware programs. ("Malware" is a collective term for malicious software, such as viruses, worms, trojan horses, spyware, adware, etc. Consequently, "anti-malware" is software that, at least purports to, remove or stop malware.) The latest post on the site points to something called "ClamWin Antivirus" which I have never heard of. I tried scanning it using a public malware scanner but it was so large that it could not be scanned. A quick analysis was unable to tell me whether it was malicious, but I would never install it based on these tell-tale signs:


  1. The underhanded way in which the link was sent to me, hidden in a comment on an unrelated blog-post
  2. Never having heard of it before
  3. It is too large to scan, which could be intentional to make it more difficult to tell whether it is malicious
  4. It installed additional unwanted software when I put it on a test system:

    Any software that automatically tries to install additional software you did not ask for should be immediately considered suspicious.

It turns out in this case that I was a little extra paranoid. ClamAV is legitimate, but given the choice, I will always tend toward not installing something.


Malicious anti-malware is epidemic on the Internet. I wrote an article on it a couple of years ago. The problem has not gone away, however, and the authors have become craftier than ever in their attempts to get You to install their wares. My all time favorite is "Green AV" which claims to donate part of the money you pay to rainforests.


There are some very simple rules of thumb you can follow, however, to protect yourself against fake anti-malware:


  1. No web site can scan your computer for malware merely by your going to it. Many web sites claim to, and that is how they try to fool you into thinking you are infected and need to pay for a new anti-malware program. There are a few legitimate ones that do scan your computer, such as Microsoft's OneCare, but they all require you to agree to install something to complete the scan. That leads us to the second rule of thumb:
  2. NEVER permit a web site to install software unless you consider a site trustworthy. You have to look at the address bar to see where you are. In a future post, I will talk about how to recognize fake software and sites.
  3. Never install software that just showed up and that you did not ask for. In fact, be extremely selective about what software you install. The less software you install from the Internet, the less likely you are to get malware.
  4. If you feel you need to install something, don't do it unless you have scanned it using a reputable anti-malware scanner. A good one is http://virustotal.com. Make sure you type the link correctly. Virtually every variant of virustotal.com is registered by malware purveyors or domain squatters. Virustotal scans files you upload using most every commercial anti-malware vendor. Here is an example report from VirusTotal.
  5. Use real anti-malware. The list in the example report from VirusTotal is not a bad starting point. Perhaps an even easier one is to simply go buy something from a reputable online merchant, such as Amazon. Getting it from Amazon guarantees that you get something that is real.
  6. If you absolutely feel the need to install something, do a quick web search on it first. If you find hundreds of pages dedicated to removing it, chances are it is fake!
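Rule 4 above, scan it before you install it, has a practical wrinkle the post ran into: some installers are too large to upload. Hashing the file locally first lets you compare it with the hash the vendor publishes and look up an existing report by hash instead of uploading. The block below is an added example for this page, not the post's own; it uses VirusTotal's v3 API (GET /api/v3/files/{sha256} with an "x-apikey" header), and the API key, the expected hash and SAMPLE_REPORT are constructed placeholders, not real values.

```python
"""Hash a downloaded installer before deciding whether to run it.

Added example (not the post's own). The API key, EXPECTED_SHA256 and
SAMPLE_REPORT are constructed placeholders.
"""
import hashlib
import hmac
import json
import urllib.error
import urllib.request
from typing import Dict, Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"
CHUNK_SIZE = 1 << 20  # 1 MiB: hash large installers without loading them into memory

# Constructed stand-in for a v3 file object; only the field this code reads is present.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 2, "suspicious": 1, "undetected": 60, "harmless": 0, "timeout": 0}}}}


def sha256_of_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(actual_hex: str, published_hex: str) -> bool:
    """Constant-time comparison of the computed hash with the vendor's published one."""
    return hmac.compare_digest(actual_hex.strip().lower(), published_hex.strip().lower())


def vt_lookup_request(sha256_hex: str, api_key: str) -> urllib.request.Request:
    return urllib.request.Request(
        VT_FILE_URL.format(sha256=sha256_hex),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def summarize_report(report: dict) -> Dict[str, object]:
    """Boil a v3 file object down to how many engines flagged the file."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return {
        "flagged": flagged,
        "engines": sum(stats.values()),
        "verdict": "do not install" if flagged else "no engine flagged it (not proof that it is clean)",
    }


def lookup_hash(sha256_hex: str, api_key: str) -> Optional[Dict[str, object]]:
    """Live lookup; returns None when VirusTotal has never seen the file (HTTP 404)."""
    try:
        with urllib.request.urlopen(vt_lookup_request(sha256_hex, api_key), timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    installer = b"constructed stand-in for a downloaded installer"   # constructed sample input
    EXPECTED_SHA256 = "<hash published on the vendor's download page>"  # placeholder
    actual = sha256_of_bytes(installer)
    print("sha256:", actual)
    print("matches vendor hash:", hash_matches(actual, EXPECTED_SHA256))
    print("sample report:", summarize_report(SAMPLE_REPORT))
    # lookup_hash(actual, "<your VirusTotal API key>")  # placeholder; performs a network request
```

A 404 from the hash lookup only means nobody has submitted that exact file yet; it is not a clean bill of health, and neither is a report with zero detections, which is why the summary's wording is deliberately cautious.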

In summary, remember these key points: install only the software you absolutely need, and make sure you get it from a reputable supplier.

October is National Cybersecurity Awareness Month

The U.S. President has declared October 2010 to be "National Cyber Security Awareness Month." While the term "cyber" may not be particularly clear to most people, what this really is about is How To Stay Safe Online; and not just in America. Staying safe online is crucial everywhere.


To celebrate, I thought I'd try and jam in as many little advice posts as possible between now and, well, when everyone knows how to stay safe online. Thus, without further ado:


Advice #1: No, you really haven't won the U.K. Lottery.


Nor have you won the Microsoft Lottery. Nor does anyone really want you to share the fortune their deceased husband/uncle/father/president/iguana left them. These are all scams. What they are trying to do is get you to pay them for the information that supposedly will reward you with untold riches.


These scams are sometimes known as "Nigerian Scams" because many of them originate in Nigeria. More technically, they are known as "Advance Fee Frauds". The objective is to get you to pay some amount now in return for riches later. Of course, there are no riches later. What there are are hordes of people in Internet Cafes all over the developing world, and probably Toronto and Iowa as well, who are making a living by fooling people into sending them advance fees in return for the winning lottery ticket.


This may sound too elementary to many, but the truth is that these scams work! The hordes are out there because there are people who pay them enough to sustain the business model. Ask around and see how many of your parents, relatives, children, friends, neighbors, and fellow commuters on the bus realize that these are scams. I think you will be shocked to see how many do not realize that all these are fake. I certainly was shocked when I found out that one of my neighbors lost $5,000 to one of these scammers.


But, of course, none of us would ever get fooled by these scams. So, I have one favor to ask of you: please make sure that everyone you know won't get fooled. Let's put the scum behind the advanced fee fraud out of business once and for all. All it will take is for each of us to make sure that we don't let any of our acquaintances fall prey.

Apple to iPhone Users: Please Install This Untrusted Configuration Profile

It appears Apple is the only company around that doesn't use Microsoft Exchange. Apple's recently released iOS (not to be confused with Cisco's IOS) 4 apparently wasn't tested with Exchange at all. Many users are reporting slow e-mail sync, and apparently Exchange server admins are none too happy with the load these devices are putting on the Exchange server – much more than the old OS did.


Of course, you cannot downgrade a device that has been upgraded to iOS 4. iPhone Operating Systems are signed by Apple at run-time and Apple refuses to digitally sign anything below iOS 4 now, so if you upgrade your device, you are stuck, unless you are willing to jailbreak your device, and right now, you can't jailbreak an iOS 4 device that was not jailbroken prior to the upgrade.


That leaves you with Apple's solution: a configuration profile that modifies the settings on your device.


Unfortunately, the configuration profile is unsigned. Configuration profiles make critical changes to how your device operates. Therefore, Apple supports signing them so their source can be authenticated. Too bad Apple doesn't bother with this itself. Rather, Apple's recommendation appears to be that users download and install random unsigned configuration profiles found on the Internet.

How to fix the "Unable to install Apple Mobile Device USB Driver" problem

If you have upgraded your iTunes to version 9.2 you may have run into the problem that your computer no longer recognizes your iPhone/iPad/iPod. I had the problem on one computer, but not the other. When you connect the device it starts installing the driver, then it fails and iTunes never sees your device.


After a fruitless 45 minutes on the phone with an Apple support technician who seemed to be new to Windows and who eventually hung up on me, and a web search that turned up nothing, I decided to take things into my own hands. Here is how you fix this problem if you have it.


First, open Computer Management. You can do this by clicking the little Window logo that is your Start menu, right click "Computer", and click "Manage."


Click the Device Manager node. At the bottom you see Universal Serial Bus Controllers. It may be expanded already, otherwise expand it.


Now connect your device. It will start loading the driver, the Device Manager window will go blank once or twice, and eventually you will see the Apple Mobile Device USB Driver. It will have a yellow exclamation mark super-imposed on it. That signifies it failed to load. If it doesn't show up, disconnect the device and try it again. I had to try a couple of times before it stuck long enough to do anything with it.


Right click Apple Mobile Device USB Driver and select Properties. Click the Driver tab, and then click the Uninstall button. You will get a dialog that asks you whether you want to also delete the driver. You do. The driver is faulty and you want to get rid of it. It appears the iTunes 9.2 installer actually destroys the configuration of that driver. I have not investigated how exactly it does this but I would expect that the registry configuration is flawed. Perhaps someone can post the flawed and correct ones and we can come up with an easier way to fix this problem?


Once you have deleted it close Computer Management and open the Programs and Features Control Panel applet. You now want to uninstall just about everything made by Apple. I found it easier to sort on publisher here so I can see everything. You want to get rid of Bonjour, Quicktime, Apple Software Update, Apple Application Support, Apple Mobile Device Support, and iTunes itself. Theoretically I suppose there ought to be some subset of this that you can remove, but the Apple support technician who was unable to solve the problem was adamant that Apple has failed to provide any way to install just the Apple Mobile Device Support component, which is all you actually need.


At this point you have an Apple free computer. You may actually want to seriously consider leaving it in this state and go find a mobile device from a manufacturer who does not consider the operating system they are programming for to be the enemy. However, if you want to actually keep your Apple device, go ahead and reinstall iTunes. Unlike the uninstall process, a single installer lays everything down for you. You won't need to restart afterward unless you have Outlook open while installing. Once you are done reinstalling, plug your device back in and the driver should now load properly.


It's worth noting that during the iTunes installation you will be presented with two User Account Control (UAC) prompts. This is because Apple deliberately designed its installer to do so. Obviously, making Windows seem more annoying than Mac OS has been a corporate goal of Apple's for some time now and this is just one small part in this. Technically the reason this happens is because the installer installs both iTunes and QuickTime and rather than elevate the entire installer with a single UAC prompt and then launch both component installers from there, they elevate each of the component installers with its own prompt. Considering it takes considerably less code to do this with a single installer one can only assume that this was a deliberate decision made to annoy Windows users.

Don’t fire people until after you wipe their phones

A very commonly required feature for mobile access to email is remote wipe – the ability to reach out and wipe all corporate data off a mobile device. Exchange ActiveSync supports this feature and has for several versions now. You, as the Exchange or Security administrator can issue a remote wipe command to a compliant device, or the user can do it themselves through Exchange, and the next time the user connects the device will be wiped.


There are two major flaws in that design. One is the well understood "the next time the user connects" part: you cannot reach out to the device and immediately wipe it. The devices do support receiving remote commands through SMS, but for some reason there is no function in Exchange to use that feature to somehow, securely, trigger a remote wipe.


It turns out, however, that there is another, possibly even larger, flaw in the implementation of remote wiping in Exchange ActiveSync. Here is the work flow:


  1. Device connects to Exchange Server
  2. Device transmits DeviceID
  3. Exchange server asks for authentication
  4. Device authenticates
  5. Exchange server checks if a remote wipe command has been issued for the device

Spot the flaw yet? Consider this scenario


  1. Bob failed to sufficiently internalize the sexual harassment training and racks up enough points to get fired
  2. Bob is walked to the door with his shiny personal Windows Phone 7 Smartphone or whatever in his pocket
  3. IT Department is notified that Bob has been terminated and disables/deletes his account
  4. IT Department, following the security policy, issues a remote wipe command to Bob's phone

Pop quiz: What happens to all the company confidential data on Bob's device?


Answer: Nothing! It will stay there for as long as Bob decides it should. Go back and look at the connection workflow again. The Exchange server will only send the remote wipe command to Bob's device after Bob has already authenticated. The IT Department did the absolutely logical thing and disabled Bob's account. Therefore, he will never successfully authenticate again. The way remote wipe is implemented in Exchange ActiveSync means we just lost the ability to wipe our data off Bob's mobile phone.


The alleged solution to this is that you should reverse steps 3 and 4 in your firing process: leave Bob's account active until his device gets wiped. If that makes you just a little queasy you are not alone. In my opinion, this is a major feature miss. Remote wipe in Exchange ActiveSync is only useful when a user loses his or her device, and even then, it is lacking since you cannot reach out to the device and wipe it. Remote wipe in Exchange ActiveSync is utterly useless when people are terminated from their employer.
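The ordering problem is easy to see once the five-step workflow and the two off-boarding procedures are run against each other. The block below is an added example for this page; it is neither Microsoft's code nor the post's. A minimal in-memory "server" runs the connection steps exactly as the post lists them (authenticate first, check for a pending wipe second), and the two procedures are run against it: disable the account and then issue the wipe, versus issue the wipe, wait for the device to acknowledge it, and only then disable the account. User, device and file names are constructed.

```python
"""Model of the Exchange ActiveSync remote-wipe ordering problem described above.

Added example; not Microsoft's code and not the post's. All names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ExchangeServer:
    accounts: Dict[str, bool] = field(default_factory=dict)   # user -> account enabled?
    pending_wipes: Set[str] = field(default_factory=set)       # DeviceIDs with a wipe queued
    log: List[str] = field(default_factory=list)

    def disable_account(self, user: str) -> None:
        self.accounts[user] = False

    def issue_wipe(self, device_id: str) -> None:
        self.pending_wipes.add(device_id)

    def handle_connection(self, user: str, device_id: str, credentials_ok: bool = True) -> str:
        """Steps 1-5 from the post, in the post's order."""
        self.log.append(f"steps 1-2: {device_id} connected and sent its DeviceID")
        if not self.accounts.get(user, False) or not credentials_ok:
            # Steps 3-4 fail: a disabled account never authenticates, so step 5 is never reached.
            self.log.append(f"steps 3-4: authentication failed for {user}; session ends")
            return "auth-failed"
        self.log.append(f"steps 3-4: {user} authenticated")
        if device_id in self.pending_wipes:                    # step 5
            self.pending_wipes.discard(device_id)
            self.log.append(f"step 5: wipe command sent to {device_id}")
            return "wipe"
        return "sync"


@dataclass
class Phone:
    device_id: str
    corporate_data: List[str]

    def connect(self, server: ExchangeServer, user: str) -> str:
        outcome = server.handle_connection(user, self.device_id)
        if outcome == "wipe":
            self.corporate_data.clear()
        return outcome


def offboard_disable_first(server: ExchangeServer, phone: Phone, user: str) -> int:
    """The post's scenario: account disabled (step 3), then wipe issued (step 4)."""
    server.disable_account(user)
    server.issue_wipe(phone.device_id)
    phone.connect(server, user)              # the phone syncs again later
    return len(phone.corporate_data)         # files still on the device


def offboard_wipe_first(server: ExchangeServer, phone: Phone, user: str) -> int:
    """Reversed order: keep the account alive until the device has actually been wiped."""
    server.issue_wipe(phone.device_id)
    outcome = phone.connect(server, user)    # still only happens 'the next time the device connects'
    if outcome == "wipe":
        server.disable_account(user)
    return len(phone.corporate_data)


if __name__ == "__main__":
    for procedure in (offboard_disable_first, offboard_wipe_first):
        server = ExchangeServer(accounts={"bob": True})
        phone = Phone("constructed-device-id", ["q3-forecast.xlsx", "customer-list.csv"])
        remaining = procedure(server, phone, "bob")
        print(f"{procedure.__name__}: {remaining} corporate file(s) left on the device")
        print("\n".join("  " + line for line in server.log))
```

The second procedure only closes the ordering hole; the wipe is still delivered only when the device next connects, which is the first flaw the post describes, and the account stays enabled until that happens.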

2010 PADI Instructor Manual Available Online Now

If you are a PADI dive professional, or are considering being one, you may be interested in the 2010 Digital Instructor Manual. PADI graciously posted it online for free, allowing anyone, not just instructors, to access it. If you are interested in taking the instructor exam this year, this is great news since it saves you the money it used to cost to buy the manual.


The new version of the manual contains all the standards but not all the details on how to teach the courses that used to be in the manual in the past. Those are now in separate guides instead.

Fake Anti-Malware is Apparently Microsoft’s Fault

Munir Kotadia, an IT Journalist in Australia, has finally managed to figure out how to blame Microsoft for the fake anti-malware epidemic. Apparently, the reason is that “Microsoft could save the world from fake security applications by introducing a whitelist for apps from legitimate security firms” and, presumably, has neglected to do so out of sheer malice.


I’m clearly not a thinker at the same level as Munir; maybe that is why I don’t fully get this white list he proposes. Does he want one only of security software? How would you identify security software? I can see only two ways. The first is to detect software that behaves like security software. If you scan files for viruses, hook certain APIs, quarantine things occasionally, and throw frequent incomprehensible warnings, you must be security software. The problem is, the fake ones only do the latter of those four. If you use heuristic detection of security software it would be absolutely trivial for the fake packages to not trip the warnings. They just have to avoid behaving like security software. Of course, if they actually DID behave like security software, we would not have this problem, would we?


The second approach I can think of is to have all security software identify itself as such, the fake and the real alike. It could set some bit in the application manifest, the file which describes the application. I propose that it should look like this:


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32"
                    name="RBU.FakeAntiMalware.MyCurrentVersion"
                    version="6.0.0.0"
                    processorArchitecture="x86"
                    publicKeyToken="0000000000000000"
                    securitySoftware="True"
  />
</assembly>


Note the flag in the manifest above that identifies this package as security software. Now Microsoft can just compare the name of the package against a list of known good software and if it does not match, block it. This extremely simple mechanism works just as well as the “evil bit”: http://www.ietf.org/rfc/rfc3514.txt. In fact, if we simply change the manifest like this, we can avoid the whole white list altogether:


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32"
                    name="RBU.FakeAntiMalware.MyCurrentVersion"
                    version="6.0.0.0"
                    processorArchitecture="x86"
                    publicKeyToken="0000000000000000"
                    malicious="True"
  />
</assembly>


There you have it! Microsoft should make it part of the logo guidelines to require all malicious software to identify itself as malicious. Problem solved! You may go back to surfing the intarwebs now.


The sharp-eyed security experts in the crowd may have spotted a minor flaw in this scheme, however. What if the malicious software refuses to identify itself? Curses to them! Maybe we need something better. Perhaps Munir’s whitelist is to be a whitelist of all software? That would be simpler to be sure. In fact, using Software Restriction Policies (SRP), which has been built into Windows for years, we can restrict which software can run. Now all we need is our whitelist. Of course, as Munir points out, it is Microsoft’s responsibility to produce that whitelist.
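As an added illustration of the point above (my code, not the post's own), here is the self-declared check beside a content-hash allowlist of the kind SRP hash rules use. The manifest is the one quoted above; the known-good names, file contents and hashes are constructed sample values.

```python
"""Added example: a whitelist keyed on what a package says about itself
versus one keyed on what the package actually is.

Assumptions: the manifest is the one quoted in the post; the allow lists
and file contents below are constructed sample values."""
import hashlib
import xml.etree.ElementTree as ET

ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"

# The manifest from the post, with the satirical securitySoftware attribute.
MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32"
                    name="RBU.FakeAntiMalware.MyCurrentVersion"
                    version="6.0.0.0"
                    processorArchitecture="x86"
                    publicKeyToken="0000000000000000"
                    securitySoftware="True"
  />
</assembly>"""


def identity(manifest_xml):
    """Return the assemblyIdentity attributes of a manifest as a dict."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    ident = root.find(ASM_NS + "assemblyIdentity")
    return dict(ident.attrib) if ident is not None else {}


def declared_check(manifest_xml, known_good_names):
    """The scheme the post lampoons: trust the package's own declaration.
    A package is examined only if it volunteers the flag, and then its
    (self-chosen) name is compared against the list of known good names."""
    ident = identity(manifest_xml)
    if ident.get("securitySoftware", "").lower() != "true":
        return "not examined"  # omit the flag and the check never runs
    return "allowed" if ident.get("name") in known_good_names else "blocked"


def hash_allowlist_check(file_bytes, allowed_sha256):
    """What an SRP hash rule keys on: the file content, not its claims.
    Renaming or re-describing the file does not change its digest."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return "allowed" if digest in allowed_sha256 else "blocked"
```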


Producing the whitelist would be conceptually simple. Microsoft would simply have to create a division that ingested all third party software, tested it, and validated it as non-malicious. DOMUS (The Department of Made Up Statistics) estimates the number of third-party applications for Windows at somewhere between 5 and 10 million, including shareware, freeware, open source, commercial applications, in-house developed applications, line of business applications, the kiosk applications that drive your ATM, your gas pump, your car, and probably a spacecraft or two. In order to avoid becoming an impediment to deployment, Microsoft would have to test all such software for malice, with an SLA of 24-48 hours, yet guarantee that software does not turn malicious after several weeks or months. It would also need to ensure that any updates do not introduce malicious functionality. In other words, to meet these requirements, Microsoft would need to do just two things: (a) develop a method of time travel, and (b) hire and train all of China to analyze software for malicious action. I’m sure the Trustworthy Computing division is working on both problems.


I am not arguing that reputation scoring does not have some promise, which is what Symantec’s Rob Pregnall was actually talking about, and which Munir turned into an indictment of Microsoft. However, reputation systems are not only fallible but also relatively easy to manipulate. Without consumers actually understanding what the reputation score means, and learning how to value it over the naked dancing pigs, it will never help. Again, it comes down to how we educate consumers on how to be safe online and why, instead of scaring them into buying more anti-malware software. I may be mistaken, but I was under the impression that the reason Freedom of the Press is a cherished human right is because the Press is there to educate the public. Why is the press, along with government and the IT Industry, not doing more to educate the public on how to tell real from fake?