Category Archives: Uncategorized

Steve Riley Lands On His Feet

In May, in one of the more inexplicable moves this year, Microsoft laid off my good friend Steve Riley, four days before he was to deliver half a dozen presentations at TechEd. Fortunately, it did not take Steve long to find a new gig. This Monday, he starts as the latest Evangelist & Strategist for Amazon Web Services!

I'm very very happy for Steve, and very excited about what he can do in that role. Web Services are where the future is, and Steve is extremely well suited to the role. Please join me in wishing him good luck!

Lock your USB Token

Recently, Lev Bolotin of Clevx gave me a production sample of a USB token with a keypad on it. It's a pretty neat idea for certain uses. My immediate thought went to BitLocker in Windows Vista. You can store the BitLocker key on a USB stick, but you cannot prevent anyone who gets their hands on the USB stick from stealing the key. Nor can you require a PIN and the USB stick to unlock your drive. With Lev's stick, however, you can put a PIN on the USB stick itself. Unless you enter the PIN on the device before sticking it into the computer the stick won't give up the BitLocker key. In other words, you finally get the option for both a USB stick and a PIN to unlock your BitLocker volumes. 

I also like IronKey as a safe and secure USB stick. IronKey also permits multiple volumes, something that Clevx's technology currently does not have. In other words, IronKey lets you have one encrypted volume and one unencrypted one, both on the same stick. However, IronKey requires software installed on your computer to access the encrypted volume. This precludes its use to provide a second factor for BitLocker because the BitLocker key has to be available prior to booting the operating system, and IronKey's software cannot run unless the operating system is running. If you put your BitLocker key on the IronKey it must be on the unencrypted partition.

Clevx's PIN technology is currently available from Corsair in the Flash Padlock product.

More on BitLocker is available in Byron Hynes's excellent TechNet Magazine article. I still run BitLocker on all my Vista computers.

Need a spare Windows box?

Have you ever found yourself in urgent need of another Windows box? Or, have you wanted to build a web application on Windows, but without having to buy servers? Or maybe you just want to have a network of Windows machines that you can test your new Server Isolation strategy on? You're in luck! Amazon yesterday launched its new Windows on EC2 service. Inside of five minutes you can be ready to log on to your very own Windows on EC2 instance and get started on all those projects!

EC2 is Amazon's Elastic Compute Cloud, a network of virtual servers where you pay only for what you use. Use it for two hours and you get charged for two hours. Use it for a month and you get charged only for a month. It's an eat-all-you-want server where you pay only for what you eat. You can even get it with SQL Server pre-installed.

As if having the ability to build your very own virtual network of Windows computers at minimal cost were not enough, there is even a security whitepaper on how to do it safely. Maybe you will even find some comfort in the familiar name involved in the project?

 

Revisiting the Immutable Laws

For many years I, and many others, have been referring to the immutable laws of security when trying to explain why something works, or does not work, a particular way. However, I've always wondered how immutable the laws really are. I finally sat down and went through them. The result is a three-piece article series in TechNet Magazine. The first installment just hit your favorite newsstand, or web browser, as the case may be. The second and third pieces will be in the November and December issues of TechNet Magazine.

Public Education in Washington State

This is a bit off topic for me, but it is an important thing to get out there nevertheless. I love living in Washington State. It may be snowing as I write this, but in general, I really like this state, the lifestyle, the people, and our wonderful natural environment. I've lived on both coasts of the US, twice, and in the middle, and in Europe, twice, and I like this place best of all.

There is, however, a significant downside to this state, one which has gotten worse in recent years: public education. Washington State, home to many companies needing highly educated talent, like Microsoft, Amazon.com, Boeing, Real Networks, F5 Technologies, Safeco Insurance, Washington Mutual, etc, has a public education crisis. Spending per student in this state ranks 42nd in the nation, just below Alabama! (Note, some studies have it ranking from 32nd to 46th, depending on the year and the methodology used).

The upshot of this is that our schools are in a crisis. At this very moment, the school board in the district where I live is just waiting for May 13, when they can finally acknowledge their decision to close one of the elementary schools in our town. This will result in shuffling 800 students around, away from their friends. My kids will be bused past two schools, including the one about three quarters of a mile from our house where they currently go, to a school over four miles away. And I moved here because of the school and because I did not want my kids to have to go through any more changes of school than absolutely necessary. In addition, this action will result in moving the Spanish dual language program away from the school where there are actually students that need it, to a school over a mile away from any public transportation. This may not be intuitively obvious, but many of the parents of the children who need dual language education have no cars at all, or one at best, and really rely on public transportation. All in all, they are shuffling 800 children away from their neighborhood schools and dispersing them throughout a 75 square mile area, away from their neighborhoods, their friends, and the teachers they have learned to love and trust. All of this because of the combined double-whammy of the state's complete failure in its responsibility to its children and all the various unfunded mandates that the federal government has imposed upon local schools.

The second-most ironic part of all? The affected area is serviced by state senators Eric Oemig, a member of the "Early Learning and K-12 Education Committee" and Rosemary McAuliffe, the chair of that same committee. If the two senators have failed/neglected to fix school funding problems in their own districts, then something is really rotten in Washington State. Well, maybe the irony there is matched by the fact that Governor Gregoire's second highest priority is education. Note the complete lack (save for the creation of a committee to study the problem) of any action on her part to improve general education funding in the past 18 months. I guess we should be happy that she at least invited "Happy Feet Fans" to trick or treat in the governor's mansion – clearly a worthy achievement in education.

So, what is the most ironic part? It is this paragraph, taken from the Washington State Constitution:
“It is the paramount duty of the state to make ample provision for the education of all children residing within its borders, without distinction or preference on account of race, color, caste or sex.”
Washington Constitution, article IX, section I

As the 2007 Citizen's Guide to Washington State K-12 Finance correctly points out: "This constitutional provision is unique to Washington. While other states have constitutional provisions related to education, no other state makes K-12 education the “paramount duty” of the state."

I'm starting to wonder whether the word "ample" has a special meaning to politicians?

In light of all this, I found this letter, which Nancy Hill, another parent in the district, just sent to USA Today, quite poignant. If you are considering a job offer from one of the companies I mentioned earlier, you may want to bargain for a supplement to cover private school tuition:

Washington State's Dirty Little Secret:  Public Schools

Considering a move to Washington State?  The state certainly looks appealing.  While Washington State is bucking national trends in regard to job creation and home values, we have one dirty little secret that many people want to keep buried.  If you are planning a move to the Seattle area, you will find that high paying job, your home probably will retain its value, but you better budget in about $25,000 per child for private education.

Consider this…  Mr. Gates found it easier to ask Congress to grant more international work visas than improve public education in his own state.  All of those employees roaming the corridors of Microsoft… good thing most of them received an education elsewhere and they should not expect Mr. Gates to hire their Washington State educated children.

Simply stated, Washington State school districts are too large and our state funding is antiquated.

Washington State ranks 46th in the nation in terms of class size. Another fun Washington State education fact: Per-pupil expenditures as a percentage of per capita income was only 21.8%, ranking the state 45th nationally. Washington has the 12th highest personal income per capita in the nation.
(Source: http://www.technology-alliance.com/pubspols/studies/benchmarking06.html.)

Your child's "Chance for Success" ranking in the state of Washington is 22nd.  (Source: Quality Counts 2007: From Cradle to Career, Editorial Projects in Education Research Center, 2007.)

So yes, Washington State can offer you a great job, a home that will retain its value, great air quality and recreation.  But please don't expect your child to receive a great public education in Washington State. It seems that our state government really doesn't care.

 

Listing all installed updates

While researching a problem the other day I needed to list all updates that were installed on a system and get some details about why they were there. Add/Remove Programs, a.k.a. Programs and Features, is probably the worst way to do that as it is quite inefficient to go through the updates in that way, and some do not seem to appear there at all.

A better way is to use wmic from a command prompt, as in:
wmic qfe list full /format:htable

That produces nicely formatted HTML output like this:

| Node | Caption | CSName | Description | FixComments | HotFixID | InstallDate | InstalledBy | InstalledOn | Name | ServicePackInEffect | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| HUGIN | http://support.microsoft.com | HUGIN | Software Update | | 933246 | | S-1-5-18 | 01c7ced4f18c9ed7 | | | |
| HUGIN | http://support.microsoft.com/?kbid=937954 | HUGIN | Update | | KB937954 | | S-1-5-21-2593503083-3831033232-2105785001-1138 | 01c832387702bf6a | | | |
| HUGIN | http://support.microsoft.com | HUGIN | Software Update | | 932926 | | S-1-5-18 | 01c7ced4f193c528 | | | |
| HUGIN | http://support.microsoft.com | HUGIN | Software Update | | 932925 | | S-1-5-18 | 01c7cecb71bfd1e7 | | | |
| HUGIN | http://support.microsoft.com/?kbid=905866 | HUGIN | Update | | KB905866 | | S-1-5-18 | 01c83d79580f63d6 | | | |
| HUGIN | http://support.microsoft.com/?kbid=925902 | HUGIN | Security Update | | KB925902 | | S-1-5-18 | 01c7ced4f1962743 | | | |

 

You can redirect the output into a file and then open it at will. However, I found two flaws in the output. First, run it on Vista and look at the Output column. It will contain URLs to the KB articles for the update, in some cases, but they are not active hyperlinks. On XP, the caption field does not even have this information, apparently because XP updates do not populate that field. Second, there are a bunch of unnecessary columns, and the information is inconsistent from OS to OS.

To address those issues I wrote the attached script. It does more or less the same thing, but it gives more compact output and formatted hyperlinks. Its output looks like this:

| Caption | Description | Hotfix ID | KB Link | Installed On | Service Pack in effect | Fix comments |
|---|---|---|---|---|---|---|
| http://support.microsoft.com | Software Update | 933246 | 933246 | 01c7ced4f18c9ed7 | | |
| http://support.microsoft.com/?kbid=937954 | Update | KB937954 | 937954 | 01c832387702bf6a | | |
| http://support.microsoft.com | Software Update | 932926 | 932926 | 01c7ced4f193c528 | | |
| http://support.microsoft.com | Software Update | 932925 | 932925 | 01c7cecb71bfd1e7 | | |
| http://support.microsoft.com/?kbid=905866 | Update | KB905866 | 905866 | 01c83d79580f63d6 | | |
| http://support.microsoft.com/?kbid=925902 | Security Update | KB925902 | 925902 | 01c7ced4f1962743 | | |

The Service Pack In Effect and the Fix Comments fields are still not populated, but that is because this screenshot was taken on Windows Vista. On XP they were populated. In addition, the script does its best to parse the Hotfix ID and make a clickable link out of it in the KB Link column. This gives you a direct link to where the script belongs. In addition, the script creates the output file automatically in the current working directory. This makes investigating the installed updates far easier. Hopefully someone else will find this helpful.

Two more notes are in order about this script. First, the Installed On date is in binary form on Windows Vista, which is why the output looks the way it does. On Windows XP that same field holds a string date and so is much more valuable. Second, a more powerful version of this script, written by scripting genius Ed Wilson, and designed for PowerShell, will ship on the CD for the Windows Server 2008 Security Resource Kit. The CD comes with a number of other scripts of his design, as well as some tools of my design, and is, of course, available for pre-order now.
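For auditing a saved copy of this output offline, the following added example (not the attached script and not the Resource Kit version) normalizes the Hotfix ID into a KB link, decodes the Vista Installed On value, and notes whether the installing account was LocalSystem. It assumes the Vista value is a hexadecimal FILETIME (100 ns ticks since 1601-01-01 UTC) and reuses the link format seen in the Caption column; the function names, the XP-style date string and the "File 1" ID are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# (HotFixID, InstalledBy, InstalledOn) copied from the Vista wmic rows above.
VISTA_ROWS = [
    ("933246", "S-1-5-18", "01c7ced4f18c9ed7"),
    ("KB937954", "S-1-5-21-2593503083-3831033232-2105785001-1138", "01c832387702bf6a"),
    ("KB925902", "S-1-5-18", "01c7ced4f1962743"),
]
# Constructed rows: an XP-style string date and an ID with no KB number in it.
CONSTRUCTED_ROWS = [("KB000000", "S-1-5-18", "11/14/2007"), ("File 1", "S-1-5-18", "")]

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCAL_SYSTEM_SID = "S-1-5-18"  # well-known SID of the LocalSystem account


def installed_on(value):
    """Decode a 16-hex-digit FILETIME; return any other string unchanged."""
    if re.fullmatch(r"[0-9a-fA-F]{16}", value):
        ticks = int(value, 16)  # 100 ns intervals since 1601-01-01 UTC
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return value  # e.g. the string date XP reports


def kb_link(hotfix_id):
    """Build a KB article link from '933246' or 'KB937954'; None if no number."""
    match = re.fullmatch(r"(?:KB)?(\d+)", hotfix_id.strip(), re.IGNORECASE)
    if match is None:
        return None
    return "http://support.microsoft.com/?kbid=" + match.group(1)


def summarize(rows):
    """One dict per update: link, readable install date, and who installed it."""
    report = []
    for hotfix_id, installed_by, raw_date in rows:
        when = installed_on(raw_date)
        if isinstance(when, datetime):
            when = when.date().isoformat()
        report.append({
            "kb_link": kb_link(hotfix_id),
            "installed_on": when,
            "by_local_system": installed_by == LOCAL_SYSTEM_SID,
        })
    return report


if __name__ == "__main__":
    for entry in summarize(VISTA_ROWS + CONSTRUCTED_ROWS):
        print(entry)
```

Updates whose `by_local_system` is false were installed under a user account rather than by the system itself, which is worth a second look when reviewing how a machine was patched.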

IDThieves.org and its ilk are unauthorized blog mirrors stealing intellectual property

Recently, a shady outfit that goes by a number of names, all of which have to do with ID Theft, has been stealing the content of my blog and mirroring it on their site as their own. They take the contents, verbatim, and list it as having been written by “SecuMania staff,” which I am not. I just wanted to make you aware that I have NOT authorized this theft of intellectual property, nor do I have anything whatsoever to do with any of their shady business practices or anything they advocate on their site. I am doing my best at cleaning up the trackbacks their site creates, but it is not entirely successful.

The unauthorized copies are shown on several different URLs, all of which are related. They also seem to scrape other content, which, presumably, they have no right to.

<site data removed upon request>

It is not clear whether the site is simply trying to boost Google rankings or whether they are trading in malware, but personally, I would treat anything they try to sell on that site as malware. Stay away from all these sites and don’t download or purchase anything from them.

Heh, the attached screenshot is funny.

IDTheftReview.com and its ilk are unauthorized blog mirrors stealing intellectual property

Recently, a shady outfit that goes by a number of names, all of which have to do with ID Theft, has been stealing the content of my blog and mirroring it on their site as their own. They take the contents, verbatim, and list it as having been written by "SecuMania staff," which I am not. I just wanted to make you aware that I have NOT authorized this theft of intellectual property, nor do I have anything whatsoever to do with any of their shady business practices or anything they advocate on their site. I am doing my best at cleaning up the trackbacks their site creates, but it is not entirely successful.

The unauthorized copies are shown on several different URLs, all of which are related. They also seem to scrape other content, which, presumably, they have no right to.

<site data removed upon request>

It is not clear whether the site is simply trying to boost Google rankings or whether they are trading in malware, but personally, I would treat anything they try to sell on that site as malware. Stay away from all these sites and don't download or purchase anything from them.

Heh, the attached screenshot is funny.

New blog mirror

This morning it was brought to my attention that certain overzealous network managers are blocking access to msinfluentials because it is a "personal site." I suppose that is true since my blog is the only thing there. To solve that, Susan did some quick configuration work and produced a mirror of my blog at http://msmvps.com/blogs/jesper/Default.aspx. If you are having a problem accessing it try the mirror. It has the same content, but is a more "professional" site so it should be allowed through in more places.