TechEd – Tales from the Crypto


Are you a ‘dual’?

Last month at Tech-Ed, I was discussing with someone from the Solution Accelerators team about how I wished that Microsoft would produce some administration documentation for developers, and/or developer documentation for administrators, so that the two groups would be able to talk the same language.

[As a f’rinstance, back in the days of Windows 2000 and before, if you were a developer writing code to log a user on to the system and run a process (say, for instance, in your spiffy little FTP server), you would face an error if your code wasn’t running in the context of an account with SE_TCB_NAME privilege.

But you couldn’t tell an administrator to enable the SE_TCB_NAME privilege on the application’s account, because he’d have no idea what you mean.

To an administrator, that privilege is called “Act as part of the operating system”. (The string the constant actually expands to, SeTcbPrivilege, is a third name for the same thing, and the one that whoami /priv prints.)]

“Well,” said my conversational partner, “That’s because you’re a jewel.”

“That’s awfully nice of you to say, you’re somewhat of a gem yourself.”

“No, not ‘jewel’, a ‘dual’ – you span the two worlds of IT Pros and Developers.”

He went on to explain that there are few duals, and that this was why there were few resources that address the disparity between what is developed, and what is administered.

A lot of the examples I came up with (e.g. the name LUA versus UAC) were rooted in the history of development – where Microsoft’s naming police have chosen a name that they felt was “catchier”, “more marketable”, or simply “not offensive to <some-group>”, as a replacement for an internal name. Changing the internal name in APIs that have already gone through beta testing is not generally possible, so the developer name stays as the old name, and the administrative interface is changed to present the new, marketing- and legal-friendly name or image.
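As an added example (not code from the original post), here is the translation a “dual” ends up doing by hand: take the developer-side privilege constant and ask the OS for the label the administrator sees in Local Security Policy, via LookupPrivilegeDisplayName. It goes a little beyond the one privilege in the text by tabulating a sample of four; the macro-to-string table is my own, and the script assumes Windows with PowerShell 2.0 or later.

```powershell
# Added example, not code from the original post: translate developer-side
# privilege constants into the labels an administrator sees in Local Security
# Policy, using LookupPrivilegeDisplayName.  Requires Windows; the four
# privileges in the table are a sample chosen for this example.

Add-Type -Namespace Win32 -Name Privilege -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool LookupPrivilegeDisplayNameW(
    string lpSystemName, string lpName, System.Text.StringBuilder lpDisplayName,
    ref uint cchDisplayName, out uint lpLanguageId);
'@

function Get-PrivilegeDisplayName {
    param([Parameter(Mandatory = $true)][string]$PrivilegeName)

    $buffer = New-Object System.Text.StringBuilder 512
    $length = [uint32]$buffer.Capacity     # in: buffer size, out: chars written
    $langId = [uint32]0
    $ok = [Win32.Privilege]::LookupPrivilegeDisplayNameW(
        $null, $PrivilegeName, $buffer, [ref]$length, [ref]$langId)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LookupPrivilegeDisplayName('$PrivilegeName') failed, Win32 error $err"
    }
    $buffer.ToString()
}

# SE_*_NAME is the macro a developer writes in C; it expands to the
# 'Se*Privilege' string the OS uses, which is also what 'whoami /priv' prints.
# This mapping is typed in here for the example.
$developerNames = @{
    'SE_TCB_NAME'         = 'SeTcbPrivilege'
    'SE_DEBUG_NAME'       = 'SeDebugPrivilege'
    'SE_BACKUP_NAME'      = 'SeBackupPrivilege'
    'SE_IMPERSONATE_NAME' = 'SeImpersonatePrivilege'
}

$developerNames.GetEnumerator() | Sort-Object Key | ForEach-Object {
    [pscustomobject]@{
        DeveloperMacro = $_.Key
        PrivilegeName  = $_.Value
        AdminLabel     = Get-PrivilegeDisplayName -PrivilegeName $_.Value
    }
} | Format-Table -AutoSize
```

The AdminLabel column is whatever the local system's language resources say, so on an English system SeTcbPrivilege comes back as the “Act as part of the operating system” string from the aside above; on a localised system you get the localised label, which is exactly the string your administrator will be searching for.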

Are you a dual? What are some of your challenges in communicating across the boundaries between two worlds?

Did you guess the Tech-Ed theme yet?

When I first arrived, I thought it was “finger painting”, because of the logo.

But now, after spending a week here, I realise that it’s “Weight Management”.

Interesting sessions are frequently posted on one, then the other, side of the building, with no way to go but down the stairs (or escalators, when they’re working), across the length of the main hall and expo floor, then back up the next set of stairs.

Finally, today’s lunch (the last lunch at Tech-Ed is always pretty poor food) ran out. Completely expired, with hundreds of starving techies waiting to eat.

Not a pretty sight.

When food finally did come, it was “fried vegetables in a bun”.

Now, granted, some of us might need to lose the weight…

[Let the flood of diet pill spam comments commence.]

Steve Riley at TechEd

Okay, so everyone attends Steve Riley’s sessions, and some of them cluster around him wherever he goes at TechEd (at the Spiderman ride at last night’s attendee party, I saw him enter the ride, and the “wait from this point” counter immediately ran up to 45 minutes).

But there’s a reason he’s popular – he speaks to his audience in a very enjoyable and informal manner, he rarely refers to notes or reads from his slides, and he has a lot of good stuff to say. Possibly he has this ability because he isn’t associated with a product group, and therefore doesn’t have to push the latest and greatest piece of software. Whatever the reason, he’s worth going to see.

I managed to catch one of Steve’s presentations, on “Making the Trade-Off: Be Secure or Get Work Done”. This was a great talk, although apparently a number of people have had issues with his discussion of “Security Theatre” at the airports, and in the war on terrorism (it always sounds like “war on tourism” when the President says it, and that does seem like a good description of airport security theatre).

If I had to pick on one complaint about Steve’s session, it would be that I wanted to see a little balance in the first section – while I take Steve’s point that we Security wonks need to talk to business types about the cost savings and/or benefits of implementing security, privacy, integrity and disaster recovery technologies, I think it’s important to re-state what may be obvious to some:

When you’re looking to hire security expertise, make sure that they don’t just want to save money, but they also want to save the world.

If you’re hiring as a security expert someone who only wants to save your company money, that person may be too interested in facilitating the business to consider the privacy of your customers’ data, or to spend an hour making a change that significantly increases security but would take far longer to quantify as a monetary saving. Even if you want to insist that every security change requires a financial report as to its benefits, a security guy who isn’t motivated much by security isn’t going to provide the valuable “devil’s advocate” point-of-view that allows you to truly assess the risk landscape in which you live.

Of course, as Steve’s point was originally supposed to underline, if your security guy cares only about saving the world, and nothing about saving money, you will constantly clash with him about issues where your data simply isn’t worth protecting – where the cost of an exploit or loss is less than the cost of protecting it.

[Is that a scary thought? Yes, it is, at first blush – that somewhere out there is your data, being held and protected by an organisation that says “this data is only worth this much to us, and because it would cost more to secure than to lose it, we don’t care to protect it”.

But don’t panic – there are plenty of safeguards. First of all, your data is generally stored alongside that of hundreds or thousands, maybe millions, of other people, so the cost of losing your data is really the cost of losing all of your cohorts’ data at once: lose one through a given method and you’ve lost them all. Most losses of customer data cost a company or organisation thousands to millions of dollars. Your data is generally safe.]

The bottom line is: when looking for, or training, security staff, try to find someone who wants to be a security superhero, but teach them how to enumerate the benefits of what they’re going to do. There are always plenty of financially beneficial, security-smart changes to be made, so asking him not to make security-smart changes that are financially expensive is a matter of prioritisation, rather than of stopping him from doing security.

Public, Home and Work networks

Here I am at TechEd, and I want to connect back home.

No problem – I can use a VPN, because I have one set up on my server back at home.

[Perhaps that’s not normal, but I’m a geek]

Now I want to browse my home network, partly because I want to see what’s on my Media Centre back at home.

Here’s what I get:

So, I want to turn on Network Discovery and File Sharing, yes?


Although all of the traffic I send to my home network, and everything it sends back, is encrypted inside the tunnel, the key thing to remember about turning on Network Discovery is that it is not scoped to the VPN. It lets you browse and discover the servers at home, but it equally lets you discover (and be discovered by) other machines on the local network, and it gives you no way to tell the two apart. Vista’s firewall applies a single profile to every active connection at once (the most restrictive one wins), so there is no way to ask for “discovery on the tunnel only”.

So, if I browse looking for servers at home, I may accidentally locate someone’s laptop down the hall from me, which happens to be running a server OS, or simply sharing out its files.

I think, though, that it would be handy to be able to turn on network discovery and file sharing over the VPN connection, rather than for all connections at the same time.
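Later versions of Windows do what the paragraph above asks for: from Windows 7 each connection carries its own network category, and from Windows 8 / Server 2012 the firewall is scriptable with the NetSecurity cmdlets. As an added example (not from the original post), here is the weak state the post describes next to the scoped one: classify the VPN adapter as Private, leave the conference Wi-Fi on Public, and enable discovery and sharing for the Private profile only. The interface alias ‘Home VPN’ is an assumption; the VPN must be connected and the prompt elevated.

```powershell
# Added example, not from the original post.  Windows 8 / Server 2012 and later
# give each connection its own network category and expose the firewall through
# the NetSecurity cmdlets, so discovery can be enabled for the VPN's profile
# only.  'Home VPN' is an assumed interface alias; run from an elevated prompt.

$vpnAlias = 'Home VPN'
$groups   = 'Network Discovery', 'File and Printer Sharing'

# The weak state the post describes: both rule groups enabled on every profile,
# conference Wi-Fi included.  Left as a comment so the two states can be compared.
#   Get-NetFirewallRule -DisplayGroup $groups | Set-NetFirewallRule -Profile Any -Enabled True

# Step 1: make the VPN link a Private network.  The Wi-Fi stays on Public.
Set-NetConnectionProfile -InterfaceAlias $vpnAlias -NetworkCategory Private

# Step 2: disable every discovery/sharing rule, then re-enable only those whose
# profile is Private (and not also Public or Any).
$rules = Get-NetFirewallRule -DisplayGroup $groups
$rules | Disable-NetFirewallRule
$rules | Where-Object {
    $p = "$($_.Profile)"
    $p -match 'Private' -and $p -notmatch 'Public|Any'
} | Enable-NetFirewallRule

# Step 3: verify.  Nothing in these groups should now be enabled on Public, and
# only the VPN should show as Private.
Get-NetFirewallRule -DisplayGroup $groups |
    Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile, Direction |
    Sort-Object DisplayName | Format-Table -AutoSize

Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
```

The disable-then-enable pattern is deliberate: the built-in groups ship separate rules per profile, and re-scoping all of them to Private with Set-NetFirewallRule would leave duplicate rules behind. The final two commands are the check to keep in a login script, because a VPN adapter that comes up with a fresh network name will be prompted for a category again and can silently land on Public or Private.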

Catch me at Tech-Ed

For those of you who want to catch me at Tech-Ed, if it’s only to let me know that real people (rather than spammers) read this blog, you can find me in the yellow section of the Technical Learning Center, in the Security sub-section, at the Solution Accelerators / Security and Compliance booth. I’ll be there when I’m not at breakout sessions – or, more precisely, I’ll be at breakout sessions when I’m not supposed to be at the booth!

NULL DACL Behaviour in Windows Vista


Subtitled: Don’t believe everything you hear at TechEd.

I was inspired by my “empty DACL” issue, and what I remembered of Jesper’s “Is That Application Really Secure?” talk from last June’s Microsoft Tech-Ed conference, to test whether my security issue was caused by a NULL or empty DACL.

Jesper had said in his talk that Vista changes the behaviour of NULL and empty DACLs – that NULL DACLs were changed to mean “no access”, from Windows XP’s behaviour of “full control to everyone”; and that empty DACLs are changed to mean “no access”, from XP’s “full control to owner; no access to everyone else”.

Note, however, what ICACLS, Vista’s replacement for CACLS and XCACLS, says about two files that I created and then assigned an empty DACL and a NULL DACL respectively:

C:\Users\test>icacls *.txt
empty.txt No permissions are set. All users have full control.
null.txt No permissions are set. All users have full control.
Successfully processed 2 files; Failed processing 0 files

As you can see, ICACLS says that both an empty DACL and a NULL DACL mean “everyone, full control”. Here’s what Explorer properties says about them each:



So, ICACLS disagrees with Explorer, and they both disagree with Jesper.

Although Jesper’s the most reliable source I know, he was of course talking about Beta software that was not yet tied down, so it’s entirely possible that what was true in the Beta version of Vista last June (or was planned to be true by release time) got changed before the product could actually make it to market.

The best thing to do, then, is to test.

Sure enough, I can write to the NULL DACL file from any account, and I can’t write to the empty DACL file from any account – including the owner of the file.

So, Explorer’s right, this time around. NULL DACL means “full access to anyone, including the guest”, and an empty DACL means “no access to anyone, including the owner”.

I discussed this with Jesper, who noted that he was passing on statements from other team members about functional changes that obviously didn’t make it in to the final cut for Vista – whether for time reasons, or because the changes were ruled inappropriate (maybe backwards compatibility got in the way?).

This demonstrates that you absolutely need to not only understand the documentation for the behaviour of various DACL settings, but that you also need to test, test, and test again on all the platforms you support.

NULL DACLs, then, are still a phenomenally bad idea: a NULL DACL is an explicit grant of full control to everyone, and Vista did not change that. An empty DACL is the opposite, no access to anyone, although the owner keeps the implicit READ_CONTROL and WRITE_DAC rights that let you repair the file. Either way, you just plain shouldn’t call SetNamedSecurityInfo if you don’t know what you’re doing!
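Since the moral is “test, on every platform you support”, here is the test itself as an added example (not the code behind the original post): it creates one file with a NULL DACL and one with an empty DACL through the same SetNamedSecurityInfo call the post warns about, prints what ICACLS claims about each, and then tries an actual write. The directory under %TEMP% and the file names are assumptions; it needs Windows with PowerShell 2.0 or later, and the NULL-DACL case should be re-run from a second, unprivileged account to confirm the “any account” part.

```powershell
# Added example (not from the original post): create two test files side by
# side, one with a NULL DACL and one with an empty DACL, using the same
# SetNamedSecurityInfo call the post warns about, then compare what icacls
# says with what actually happens on a write.  Requires Windows and the
# built-in icacls.exe; the test directory and file names are assumptions.

Add-Type -Namespace Win32 -Name NativeAcl -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint SetNamedSecurityInfoW(
    string pObjectName, int ObjectType, uint SecurityInfo,
    IntPtr psidOwner, IntPtr psidGroup, IntPtr pDacl, IntPtr pSacl);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool InitializeAcl(IntPtr pAcl, uint nAclLength, uint dwAclRevision);
'@

$SE_FILE_OBJECT                      = 1
$DACL_SECURITY_INFORMATION           = 0x00000004
$PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000   # keep inherited ACEs from being merged back in
$ACL_REVISION                        = 2
$ACL_HEADER_SIZE                     = 8            # sizeof(ACL): a header with zero ACEs

$dir = Join-Path $env:TEMP 'dacl-test'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$nullFile  = Join-Path $dir 'null.txt'
$emptyFile = Join-Path $dir 'empty.txt'
Set-Content -Path $nullFile, $emptyFile -Value 'test'

$flags = [uint32]($DACL_SECURITY_INFORMATION -bor $PROTECTED_DACL_SECURITY_INFORMATION)

# NULL DACL: ask for the DACL to be set, but supply no ACL at all.
$rc = [Win32.NativeAcl]::SetNamedSecurityInfoW($nullFile, $SE_FILE_OBJECT, $flags,
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
if ($rc -ne 0) { throw "SetNamedSecurityInfo(null DACL) failed: $rc" }

# Empty DACL: a valid, initialised ACL that contains zero ACEs.
$acl = [Runtime.InteropServices.Marshal]::AllocHGlobal($ACL_HEADER_SIZE)
try {
    if (-not [Win32.NativeAcl]::InitializeAcl($acl, $ACL_HEADER_SIZE, $ACL_REVISION)) {
        throw 'InitializeAcl failed'
    }
    $rc = [Win32.NativeAcl]::SetNamedSecurityInfoW($emptyFile, $SE_FILE_OBJECT, $flags,
            [IntPtr]::Zero, [IntPtr]::Zero, $acl, [IntPtr]::Zero)
    if ($rc -ne 0) { throw "SetNamedSecurityInfo(empty DACL) failed: $rc" }
} finally {
    [Runtime.InteropServices.Marshal]::FreeHGlobal($acl)
}

# What the tool says about each file...
icacls.exe $nullFile
icacls.exe $emptyFile

# ...versus what a real write attempt does.
function Test-Write([string]$Path) {
    try {
        [IO.File]::AppendAllText($Path, 'x')
        'writable'
    } catch {
        "denied ($($_.Exception.GetBaseException().GetType().Name))"
    }
}
"null.txt  : $(Test-Write $nullFile)"
"empty.txt : $(Test-Write $emptyFile)"

# Clean up.  The owner keeps implicit WRITE_DAC whatever the DACL says, so a
# reset to inherited permissions still works even on the empty-DACL file.
icacls.exe $nullFile /reset | Out-Null
icacls.exe $emptyFile /reset | Out-Null
Remove-Item $dir -Recurse -Force
```

The post’s own run of this test is the result to compare against: null.txt writable from every account, empty.txt denied to every account including its owner, while ICACLS reported “All users have full control” for both. The cleanup step is also the practical lesson of the empty-DACL case: you cannot write the file, but you can still rewrite its DACL.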

Ten reasons Dr J wants to go to Amazon.

10. Tired of working at a desk, wants to work at a door on breeze blocks instead.

9. Commute to Downtown Seattle is better than commute to London, New Zealand, Japan, Barcelona, Amazon Basin, Tsurinam, Atlantis, etc.

8. Tired of dealing with all those damn MVPs and their incessant fawning.

7. Feels the need to do security, rather than just travel the world talking about it.

6. Techies don’t appreciate being labeled “marketing”.

5. The Dr J fan-club is still smaller than Steve Riley’s.

4. After giving the same talk for the last three years, surely the industry has gotten the point by now, or is beyond help.

3. Wants to hack Amazon’s system to improve the sales of his books.

2. Microsoft is no place for a family man [but is Amazon really all that much better?]

1. Office closer to the water; water means scuba.

[Other friends of mine say “good luck” in their own ways:

Sandi “Spyware Sucks” Hardmeier

Susan “E-Bitz” Bradley

Joe “Joeware” Ware]

So, why do you think he left?

Few people in my TechEd group

I’m a little disappointed to see that the Tech-Ed group I created, “Ex-Initech Employees”, has only three members so far.

I’m sure that there are many people here who have, at one time or another, worked for Initech, the company featured in the movie “Office Space”.

It may not have been called Initech while you were there, but if you recognise the staff, the management, the policies, the consultants – join the group!

Tech-Ed fan clubs.

Steve Riley and Jesper Johansson each have fan clubs at the Tech-Ed communications page. I’d link, but you have to have a TechEd registration to see it. Steve’s fan club has 10 members, Jesper’s has 7 – but we actually count Steve at 9, because he has joined his own fan club.

Those of us who know Steve are unsurprised by this. 🙂

Jesper has an edge, though, since his photo is featured in the slide-show they’re presenting prior to the keynote.

Yes, I’m sad enough to be posting this live from TechEd!

More Tech-Ed news as we go along.