Steve Jobs’ head in a box

Apple’s latest product announcement – you can now buy Steve Jobs’ head in a box.

Here’s a picture of an unnamed Apple salesman demonstrating the lightness of Steve Jobs’ head in a box:

No, I told you to bring me the head of Alfredo Garcia - that's Steve Jobs!

Perhaps if any of you have heard about features of the Steve Jobs’ head in a box (presumably later to be called the “iHead”?), please list them in comments below:

Vista’s Secret Windows Firewall hole

First, the good news – it’s not a flaw in the operation of Windows Firewall on Windows Vista. It’s a design feature, it makes sense, and it fits in with the principle that the firewall should keep out unsolicited traffic. It’s not really a hole, but I thought I’d grab your attention.

The symptom first came up in a Usenet posting (thanks, Jesper, for bringing me in) about Vista and a third-party FTP client:

When I do a directory listing, and a PORT command is issued, and the
server attempts to connect, it works, but at the same time a dialogue
appears telling me it’s blocked, and I can keep blocking or unblock.
I choose keep blocking but it doesn’t actually block it once.

Here’s how it looks.

First, if you haven’t got a third-party FTP client let’s fake it, by copying Microsoft’s command-line FTP client from the Windows System32 directory to another directory:

C:\users\MyMe> copy %windir%\system32\ftp.exe
1 file(s) copied.

The FTP client will not display prompts to you, but that’s a minor issue – if it upsets you, try downloading a third-party client and trying it.

Anyway, here we go – let’s try the issue in question:

  • Type ftp

  • After you see the “220” greeting message, enter ftp as the user – press enter.

  • Now you’re prompted for a password – enter anything and press enter.

  • Once you’re logged on, enter dir – again, press enter.

  • You’ll see the directory listing succeed, but you’ll also see a warning that a connection is being blocked:


Wow – that’s freaky – at the same time you’re being told that the connection used for the file listing will be blocked, it allows the connection through!

What’s more, even if you specify Keep Blocking, and then go issue another dir command, that one succeeds.

Huh? And why on earth did you make me use a copy of FTP?

Let’s go look at the Windows Advanced Firewall Rules for Inbound, and see if this sheds any light:

[That means: click the Start button, type Firewall into the search box, and right-click on Windows Firewall with Advanced Security – select Run as Administrator and accept the elevation prompt from UAC. If you don’t have an elevation prompt, then you should really re-enable UAC. Now select Inbound Rules in the left-hand pane]

Me, I’ve got a few rules labeled File Transfer Program:


The first (and fourth) rule is set to block any listening ports opened by the File Transfer Program in C:\users\myme\ftp.exe, while the second and third seem to be allowing any listening ports created by the one in C:\windows\system32\ftp.exe.

Obviously, that’s why I asked you to copy ftp.exe to a new directory, so that any previous allowance by the firewall rules wouldn’t get in the way.

So what’s happening here? Is the “Allow” rule somehow overriding the “Block” rule, even though it’s not dealing with the same executable?

We can test that simply by deleting both sets of rules – go ahead and do that, I’ll wait for you.

Didn’t make a bit of difference, did it? It still allowed the traffic, then prompted you if you wanted to block it. Even if you selected to “Keep Blocking“, the next and subsequent transfers still worked, right?

Okay – let’s consult the Big Book of Knowledge (alright, what I can vaguely remember after mumbleteen years in the networking world). Some routers and firewalls use an Application Layer Gateway (ALG) to translate FTP commands, and open ports. Is that what’s going on here?

Let’s take a peek at the services on this machine (as an administrator, run services.msc):


Bingo – there it is, the Application Layer Gateway Service. And when you have Internet Connection Sharing running, that’s what translates IP addresses in FTP commands for you, and what opens up port mappings and holes in the NAT that ICS hosts.

Oh, but wait a moment – what’s that in the “Status” column?

That’s right, nothing. This service isn’t running.

Something must be happening to open this port up – it’s not just a case of “port left open”, nor is it an outbound port. Those ports are closed tight until the FTP client starts listening for incoming data connections, and then they’re opened up.

Here’s where I go into MVP-mode, and start searching in all the nooks and crannies of the web and whatever documentation it holds.

Net result – Windows Firewall in Windows Vista includes something called a “connection inspection engine”.

Sounds like something from “Schoolhouse Rock“.

No, seriously, there’s a “connection inspection engine” for FTP – if you connect to port 21, the firewall monitors your communications on that channel, looking for PORT commands. When it finds one, it opens up a hole in the firewall for the incoming data connection.

So why the scary dialog warning that something’s going to block traffic?

Probably because the dialog pops up whenever an application starts listening, whereas the connection inspection engine only opens a hole when it sees a PORT command. And an FTP client can’t actually give the PORT command until it’s started listening.

So, the process goes something like this:

  • Start the FTP client.

  • Connect to the FTP server on port 21, waking up the connection inspection engine.

  • Log on, then type dir

  • The FTP client knows that it needs to open a data connection.

  • To start the data connection, the FTP client binds to port 0, and starts listening.

  • The firewall says “Oh no, an unknown program has started listening – better warn them that they won’t get any traffic.”

  • The FTP client checks what port it actually got, and sends a matching PORT command.

  • The connection inspection engine says “PORT command? That’s my cue!” and opens a hole in the firewall to incoming data connections.
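That ordering (listen first, PORT second) is what makes the dialog misleading, so here is a small model of it, added as an example rather than code from this post or from Microsoft: it encodes and parses the RFC 959 PORT command, and a toy inspection engine that opens a one-shot inbound hole only when it sees a PORT on the control channel; the listen step uses a real loopback socket bound to port 0. The rule that the advertised address must match the client’s own address is an assumption of this model, not documented Vista behaviour.

```python
"""Model of active-mode FTP and a stateful FTP connection inspection engine.

Added example, not the post's or Microsoft's code. The client must bind and
listen (which is what triggers the "blocked" prompt) before it knows the port
to advertise in PORT (which is what the engine acts on).
"""
import re
import socket

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def build_port_command(ip: str, port: int) -> str:
    """Encode ip:port as RFC 959 'PORT h1,h2,h3,h4,p1,p2' (port = p1*256 + p2)."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("IPv4 address and port 1-65535 expected")
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)

def parse_port_command(line: str):
    """Return (ip, port) for a valid PORT line, otherwise None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

class FtpInspectionEngine:
    def __init__(self, client_ip: str):
        self.client_ip = client_ip
        self.holes = set()  # (ip, port) pairs allowed to accept one connection

    def observe(self, line: str) -> bool:
        """Feed one client->server control line. True if a hole was opened."""
        parsed = parse_port_command(line)
        if parsed is None or parsed[0] != self.client_ip:  # assumption: own address only
            return False
        self.holes.add(parsed)
        return True

    def inbound_allowed(self, dst_ip: str, dst_port: int) -> bool:
        """Would an inbound connection to dst_ip:dst_port be let through?"""
        if (dst_ip, dst_port) not in self.holes:
            return False
        self.holes.discard((dst_ip, dst_port))  # consumed by the data connection
        return True

def active_mode_sequence(client_ip: str = "127.0.0.1"):
    """Replay the post's sequence on a real loopback socket; return the events."""
    engine = FtpInspectionEngine(client_ip)
    data_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        data_sock.bind((client_ip, 0))  # port 0: the OS picks a free port
        data_sock.listen(1)  # the firewall's "blocked" prompt fires here
        port = data_sock.getsockname()[1]  # only now is the port known
        events = [("listen", engine.inbound_allowed(client_ip, port))]  # False: no PORT yet
        events.append(("port", engine.observe(build_port_command(client_ip, port))))  # True
        events.append(("data_syn", engine.inbound_allowed(client_ip, port)))  # True: hole used
        events.append(("retry_syn", engine.inbound_allowed(client_ip, port)))  # False: consumed
    finally:
        data_sock.close()
    return events
```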

Well, that’s easy, but what if I don’t ever want to do an FTP connection? How do I stop this from becoming a potential hacker tool?

Okay, apart from the obvious – that if a hacker could connect out to a server on port 21, nothing’s stopping that hacker from transferring data in – you might want to cripple this functionality.

No problem – just set the following DWORD registry value to 1:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DisableStatefulFTP

The default setting for this value on Windows Vista is 0. [It remains to be seen what value will be the default on Windows Server 2008]

How could Microsoft make this better?

  • I’d really like to see this documented. Just so that it’s not a surprise to anyone.

  • I’d like to know how many other connection inspection engines there are (at least one, judging from the DisableStatefulPPTP value – but I don’t know enough about PPTP to know how that affects operation).

  • I’d like to know if I can add my own connection inspection engine to the firewall.

  • Above all, I’d like to do away with the rather confusing and clumsy “We’re going to block your incoming … wait, what just happened?” dialog. If the connection inspection engine is monitoring a command channel, and the process that owns the socket for that command channel starts listening, perhaps we could wait a quarter of a second for a PORT command before calling this a blocked connection?

Finally, is this a vulnerability, a hole, or anything outside the correct operation of a firewall?

No, because the firewall is documented as blocking unsolicited incoming connections – and by any reasonable definition, the data connection requested by a PORT command is solicited.

MacBook Air debuts; iTunes Pesters Me Again

The big news from Apple this week was that they have a flatter laptop than anyone else (except Intel, who have a “Lorado” concept model that is much cooler, is demonstrated with Vista, and comes with an optional sleeve that has a Sideshow display). Conveniently for those road warriors that take to the air, the MacBook Air resolves the issue of how to carry your spare battery and comply with recent FAA rules – by having no user-replaceable battery. Special.

It also boosts the market for DVD decoders and CD rippers, by not having an on-board optical drive (there have been thinner laptops that had an optical drive). Good luck playing any game that requires you to “insert the original disk”.

Okay, enough bashing of the MacBook Air – it looks small, light and may be very useful for people who value that above all else.

As for my usual monthly complaint with Apple, I thought I had it beaten last month, after a visitor commented that I could simply tell Apple Software Update to “Ignore Selected Updates”, to make sure that when a new version of QuickTime comes out, I’m not bugged to install “iTunes + QuickTime” as well as Quicklime itself.


Oh dear, no such luck.

Apparently, what I told Apple Software Update to ignore was not so much “iTunes + QuickTime”, but “iTunes + QuickTime 7.5”.

I feel like the character in Monty Python who is repeatedly offered dishes containing various items – and Spam. “But I don’t like Spam!”

Rather than enticing me, seducing me, or deceiving me, into running iTunes, all that this behaviour has done is to make me abandon all hope, and simply give up on QuickTime and Apple Software Update as a bad job.

Next time there’s a movie file in QuickTime that I want to watch, I’ll contact whoever hosts it and let them know that I just can’t accept Apple’s absurd patching methodology, and that if they want me to view their content, they’ll just have to convert it to something more standard, like MPEG, that has viewers made by someone – pretty much anyone – other than Apple.

Waiting for Vista SP1?

In a previous article, I wrote about how to sound stupid by saying “let’s wait for Service Pack 1 before we deploy Windows Vista“.

Now here are a few ways to sound clever, by pointing to specific issues that will be fixed by Windows Vista SP1.

  • GPMC.MSC (the Group Policy Management Console) gets removed, and the Group Policy Editor will default to editing the local group policy only. Okay, that’s not really an advantage – but you will be able to download a newer group policy editor later.
  • Allows Remote Desktop Protocol (RDP) files to be signed. Complains when they aren’t (though this does cause a problem for Remote Web Workplace users in SBS land, because there’s no way to actually sign the RDP files!)
  • Improved cryptographic random number generator, leveraging the TPM if you have one on your computer. (Not sure there was that much wrong with the old one… but this one’s better, and more … cryptographicky)
  • BDE + TPM + USB + PIN – need I say more? Oh, okay then – for the truly security paranoid, you can use Bitlocker Drive Encryption with the Trusted Platform Module, and have it require a USB key and a PIN before the system will start.
  • Also with BitLocker, there is support for encryption of drives other than the main boot volume (which is the volume that has the system software on it, not the system drive, which is the one you boot from). Still can’t encrypt the system drive – because that would be just plain stupid.
  • Performance improvements – really, what’s not to like with an update that makes your computer go faster?
  • exFAT file system for flash memory storage – you probably haven’t exactly been drooling about this.
  • SSTP – allows VPN over HTTPS to Windows Server 2008 systems. Yeah, because if you’re holding off installing Vista until SP1 ships, you’ve got loads of those ready to use, right?

I don’t know – were any of those features worth waiting for? I know there’s performance and reliability improvements, but those are somewhat nebulous and indistinct.

My advice is still to test Vista as it shipped, test Vista with the Service Pack 1 Release Candidate – report bugs to Microsoft quickly, before they lock it down – and then test with Vista SP1 RTM when it ships… and stop letting vendors get away with saying that “all you need to do to run our software on Vista is to disable UAC, or make all users administrators” – that’s just plain bad.

What do I wish was in SP1?

  • Some provision for solving the EFS incompatibility between XP and Vista (maybe XP SP3 will help, I don’t know)
  • The ability for a standard user to back up his own files, including EFS encrypted files, so that a user can export encrypted data to removable physical media (like a CD-R). Too much data still travels unencrypted, and it might help to have the ability to put encrypted files on CD-Rs using only what comes with the OS.
  • A server administration toolkit that allows me to administer Windows versions 2000, 2003 and 2008 from Vista.
  • An ability to switch sound output devices on already-running applications. When my wife comes into the office, I want to stop using the built-in speakers and start using the Bluetooth headset, so that she can’t hear me playing Halo.

So, tell me, what are you waiting for?

Why you don’t run as root

[… or administrator, or whatever]

I like Roger Grimes, he’s a nice guy, and he generally makes me think about what he has to say. That’s a good thing, because otherwise he’d either be part of the same choir as me, or he’d be the sort of guy whose ideas I dismiss with a wave of the paw and a barely audible “Pah.”

Today, though, I think he’s missing something fundamental – and perhaps you are too.

He writes in the InfoWorld Security Adviser column that “UAC will not work”, on the simple basis that malware can still do all the things it wants to do without having to execute under a privileged account.

That’s true, and it always will be – the day that a computer can see my attempt to “delete the Johnson account, and forward that instruction to the following addresses”, and determine whether it’s malicious or appropriate, is the day when the computer can do the whole job for me, by simply choosing all possible actions and seeing which are malicious and which are appropriate.

However, what I can rely on, if the malware has been held out of privileged accounts, is the integrity of the system, and (unless they were prone to activating the same malware) the other users on that system. [By system, I may mean one machine or several networked together to perform a function.]

So while it’s true that the old cross-platform virus “forward this message to everyone in your address book, then delete all your data” is still going to function if the user stays out of administrator roles, at least the operation of the system can be restored, as well as whatever data has been backed up.

You don’t run as a restricted user to prevent viruses from happening – you run as a restricted user to prevent viruses from happening to the people and systems with whom you work. You run as a restricted user, so that when some system falls over, you can say “it couldn’t possibly have been me”. You run as a restricted user because if there is a bug in the program you run, its effects will be limited to only that portion of the OS and its data to which you are restricted.

Sure, least privilege is somewhat of an artificial construct – but the alternative is that users get more privileges than they need. That quickly boils down to “everyone can do anything”.

I’ve been on that kind of a network before, and when we found one guy’s stash of truly offensive porn (this wasn’t the occasional Rubens painting) on the server, we had no way of finding out who it was, let alone punishing them by firing them. The company I worked for was fortunate that whoever found it didn’t sue for fostering the creation of a hostile workplace.

So, no, UAC won’t stop malware – but then that’s not its purpose. It’s purely a beneficial, incidental, and temporary side-effect that it will stop much of today’s malware.

How broken is the banking system?

Jeremy Clarkson - we should all have his simple naivete and faith in the system

My kid and I love watching Top Gear – me, because it’s nice to see him interested in a very traditional British TV programme (in the US, you can find it on BBC America), and him, because he just loves cars – particularly high-performance ones.

So I have to admit to having a little chuckle as I find what’s been going on in the life of its host, Jeremy Clarkson.

Well, in the wake of the recent loss of 25 million child benefit case records by the UK Government’s HMRC (tax and customs) department… what, you didn’t hear about it?

Okay, I’ll admit, I didn’t report on it, because I figured the world and his wife had already heard all there was to hear on the story. Cut to the chase – someone at the HMRC received a call from someone at the NAO (National Audit Office), asking for some records. Rather than asking if they were supposed to be handing those records over, or if the NAO actually had any rights to receive the records, the “junior official” involved sent a couple of disks … in internal mail (which turned out not to be so internal, having been contracted out to a courier) to the NAO.

The NAO called back after a few days, asking where their data was.

The junior official sent another copy!

At this point, somebody told someone, and a big stink got raised that there was all this data out there – 25 million records, 7.5 million families, containing names, addresses, bank account numbers, national insurance numbers (NI numbers – that’s our equivalent of Social Security Numbers or SSNs).

Okay, so in the wake of all this, lad Jeremy decides he’s fed up of all the press coverage of the waste-of-time investigation into the whole loss of two miserable little CDs.

He declares, in one of the UK national newspapers (the one with semi-naked women on one of its inside pages), that it’s all a load of fuss over nothing – even goes so far as to call it a “palaver” (which is not, apparently, a knitted garment – that would be either a pullover, or a balaclava).

Mr C even goes so far as to publish his own bank account number. With sort code (aka bank routing number, to those of us in the USA).

“All you’ll be able to do with them is put money into my account. Not take it out. Honestly, I’ve never known such a palaver about nothing,”

See – I told you he called it a palaver.

Sadly, as the BBC (don’t they broadcast Top Gear, or something?) reports, “Clarkson stung after bank prank“. I guess we couldn’t predict that.

“I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account,”

After explaining to some disbelieving friends how this could have happened, I realised that not everyone has had the chance to run their own business, and see what a mess the banking system is. We all assume that the banks have our best interests at heart, and operate securely in ways that ensure we can’t lose a penny.

Not really, no. They work (mostly) on the basis that it’s cheaper to refund your money if you notice a problem and complain, than it would be to fix the problem in the first place.

Here’s a simple explanation of how “direct debit” (in the US, “automated payment”) works:

Most commonly you would complete a written Direct Debit Instruction, obtained from the organisation you wish to pay and return it to them for onward transmission to your bank. Some direct debits may be set up over the phone or via the Internet. In these cases the organisation must subsequently write to you confirming what has been agreed.

So, the receiving organisation claims to the bank that someone claiming to be the account holder requested them to withdraw money from the account.

Note “claims”, because there’s no proof at that stage.

It’s not even as workable as “you write to the bank requesting they allow a direct debit from your account” – the bank has no opportunity to interact with the customer except by sending them their next bank statement!

That’s broken – but then again, I’ve written before about how broken the credit card system for web purchases is. Again, the actual issuing bank, the one with whom you have a relationship, and who could validate your identity, is kept out of the transaction until it’s already finished.

What would be super is if a celebrity like Jerembly Clarkson would start a campaign to have the banks be required to all team up and do a properly secure set of protocols for credit card and payment authorisations. Then merchants like me wouldn’t whine about repeated charge-backs that we can’t actually refute, and people like him, ignorant about the truth of the banking industry’s inability to secure the very money they are entrusted with, wouldn’t go handing out money willy-nilly to random charities just to prove that his trust is woefully misplaced.

I just don’t think it’ll happen.

I hope there was only £500 in the account, and that Mr Clarkson has already closed that account, and opened one whose number he will keep secret, sharing only with the bank, the company that prints his cheques, everyone he ever pays by cheque… now there’s another broken system.

New Scientist chat-up lines

We used to joke that a friend of mine used New Scientist magazine as a dating tool. Quiet and shy, he’d be sitting alone in a group of people, but as soon as he pulled out his New Scientist magazine, he’d find himself surrounded, inexplicably, by women interested in the stories.

With the New Year, New Scientist has announced the results of a competition to produce the best chat-up lines in science.

My favourite is:

“Hi, I’m Bob – you must be Alice. You haven’t changed a bit.”

Short and sweet, it’s the best explanation of digital signatures I’ve seen in a while.