Uncategorized – Tales from the Crypto


Turning away from Micro$oft

Yesterday’s unexpected notice from Micro$oft that I am not being awarded MVP status this year has caused me to take stock of my situation.

Now that I’m no longer a paid shill of the Evil Empire, and they’ve taken away my free Compuserve account, I feel I can no longer use their products – mainly because I can no longer afford them if I can’t download them for free from MSDN and TechNet.

Security strengths – OR NOT!

Microsoft has been widely derided in the security community for many years, and despite having invented, expanded and documented several secure development processes, practices and tools, it seems they still can’t ship a copy of Flash with Internet Explorer that doesn’t contain rolling instances of buffer overflows.

Microsoft make a great deal out of their SDL tools – documentation and threat modeling guides – and yet they still haven’t produced a version that runs on Mac or Linux systems, unlike Mozilla, which has been able to create a multi-platform threat modeling tool called Seasponge. Granted, it only lets you draw rudimentary data-flow diagrams, and provides no assistance or analysis of its own, requiring you to think of and write up your own threats – but it’s better than nothing! Not better than a whiteboard, granted, but vastly better than nothing.

Active Directory is touted for its ability to provide central management by Group Policy Objects, but it simply isn’t able to scale nearly as well as the Open Source competition of Linux, which allows each desktop owner to manage their own security to a degree of granularity that allows for some fantastic incoherence (ahem, “innovation”) between neighbouring cubicles. This is, after all, the Year of Linux on the Desktop.

Unlike Windows, with its one standard for disk encryption, and its one standard for file encryption, Linux has any number to choose from, each with some great differences from all the others, and with the support of a thriving community to tell you their standard is the de-facto one, and why the others suck. You can spend almost as much bandwidth discussing which framework to use as you would save by not bothering to encrypt anything in the first place – which is, of course, what happens while you’re debating.

Something something OpenSSL.

Networking – notworking, more like!

IPv6 has been a part of Windows since Windows XP, and has been enabled by default for considerably longer. And yet so very few of Microsoft’s web properties are available with an IPv6 address, something I’ve bugged them about for the last several years. Okay, so www.microsoft.com, www.bing.com and ftp.microsoft.com all have recently-minted IPv6 addresses, but what about www.so.cl? Oh, OK.

Then there’s the Windows TCP SYN behaviour, where a SYN arriving at a busy socket was responded to by a RST, rather than the silence echoed by every other TCP stack, and which was covered up by Windows re-sending a SYN in response to a RST, where every other TCP stack reports a RST as a quick failure. I can’t tell you how many years I’ve begged Microsoft to change this behaviour. OK, so the last time I spoke to them on this issue, my son was eight, and now he’s driving, so perhaps they’ve worked some more on that since then. It is, after all, a vital issue to support correct connectivity.

It’s never a bag year any more

Finally, of course, the declining MVP swag quality has hit me hard, as I now have to buy my own laptop bag to replace the MVP ones that wore out and were never replaced, a result of Microsoft’s pandering to environmental interests by shipping a chunk of glass instead of a cool toy or bag each year.

My MVP toys were fun – a logo-stamped 1GB USB drive, a laser-pointer-pen-and-stylus which doesn’t work on capacitive touch screens, a digital photo frame – but never as much fun as those given to the MVPs in other Product Groups. The rumoured MVP compound in Florida available for weekend getaways always seemed to be booked.

No more Microsoft for me!

So, how do I get MacOS installed on this Surface Pro 3?

Lenovo experience

I have been a Lenovo customer for many years at home, in my home business and at work (until recently, when my employer switched to using Dells). I had switched to Dell for my last laptop, and was not impressed with the machine’s durability, power, or support policies. So with my most recent purchase, when the Dell started intermittently failing, I switched back to buying from Lenovo.

In June of 2013, I bought a Lenovo Thinkpad T530. Aside from some disappointment at not being able to get the same power and durability with a touch-screen, I settled down to enjoying my new laptop.

On Friday July 19, 2013, I started a two week vacation, and brought my laptop along so I could keep up with my home business’ emails, as well as keeping my phone synced and family entertained with videos. We started with a six-day drive, during which the laptop appeared to be working fine, except for on two occasions when I took the laptop out of my bag to find it warm and powered on. I am always fastidious about turning off or suspending my laptop before putting it into the bag, so I was surprised the first time this happened – and subsequently had my family witness me shutting down the laptop before putting it into the bag, only to find it had turned on again when we reached one of our destinations.

I researched this on the Internet briefly (I’m a Microsoft MVP, so if there’s information out there, I’m usually able to find it), but didn’t find anything of any consequence that suggested this was either a widely known problem or a significant issue. I resolved to call Lenovo tech support on my return.

We arrived at our destination hotel on Wednesday July 24, 2013. As is usual, I plugged in my laptop and used it to monitor my email, etc. Later that evening, I returned to my laptop to find that it had turned off. I tried to turn it on again, but while the power button and webcam light both flashed on, the laptop didn’t boot. Being too late to call technical support, and with the next two days fully scheduled with my family for a vacation, I was unable to call until the weekend.

On Saturday July 27th 2013, I called Lenovo technical support. Despite the IVR telling me that I was being connected to Atlanta Georgia, the accent of the person who answered the phone was definitely not a Georgia local. I’ve lived in a number of different parts of the world (I’m an immigrant to the US myself), and my job puts me in touch with many people who have strong accents, so I was hugely irritated to find that I could not understand the person to whom I was speaking, and that he could clearly not understand me. Despite this, I tried to explain my problem to him, and to ask for a cross-shipment of replacement components or a full system, into which I could swap my hard drive on my return home and be up and working immediately. This has been my experience with previous Lenovo support issues – that I can get my replacement sent to me, so that I am without my computer for as little time as possible.

The diagnostic approach taken by this technician was minimal, and basically consisted of checking that I had tried to boot my system on AC power as well as from the battery. He then spent some time telling me that I needed a new system board (I can replace most system boards), but that he wouldn’t ship one to me, I had to ship my entire system back to IBM. He also told me that if I didn’t like this, I could apply to become an IBM Business Partner and buy parts to replace them in my own system.

Disappointed, I asked to speak to a supervisor, and he assured me his supervisor was “on a break”. Could the supervisor call me back? “No, we are not allowed outgoing calls”. What about your supervisor’s supervisor? “He is also on a break”. Unless this guy sits right next to the break room and observes everyone going in and out, the speed of his response leads me to believe that either he has been told never to put calls through to a supervisor, or he avoids doing so in the belief that this will reflect negatively upon him.

Assuming that I had somehow got put through to “second string support” because I called on a Saturday, I asked the technician to escalate my case to a supervisor, which he said he would do. A thirty-five minute call of pure frustration culminated in the technician’s inability to understand me in the slightest as I realized he had completely butchered my name – I know the first name is a little unusual, but “Jones” is surely common enough that he can’t get it wrong. Sadly, no, he keeps calling me “Mr Johnses” despite my spelling my name and correcting him at least twice.

Monday came and went without a call from a supervisor.

On Tuesday July 30, 2013, I called again, and this time was able to understand the technician far better. I explained to him my problems with the first technician, and asked that they correct my name, and confirmed again that IBM will not cross-ship parts or system to allow me to resume operations immediately on my return home. A little over ten minutes later, still not happy with what is being offered, I agree that they can ship an empty box to my house, so that I can ship my system to IBM for investigation and repair / replacement, in “up to seven business days”. At several points during this phone call, I try to explain that this has not been my experience of IBM / Lenovo support in the past, but each time I try to raise my concerns, the technician interrupts me and will not let me finish what I am saying, leaving me feeling just as frustrated as with the first technician, even though I am at least able to understand this one.

I finally ask him to escalate me to a supervisor, which he agrees to do. He connects my call out to a system that assures me every thirty seconds or so that I will be dealt with shortly. Given that there is only silence between these sentences, I can’t be sure I haven’t been disconnected, so I put the phone on speaker, so my wife (a former tech lead at a support company) can hear how Lenovo’s systems stink, and after a few repetitions of a brief assurance that I will be answered shortly, the system finally tells me it is unable to complete the connection, and that I should dial “the 1-800 number”. Then it disconnects, leaving me with no idea of WHICH 1-800 number I should call to get reconnected, to escalate my issue, to get any kind of ability to register my concerns with Lenovo about the lousy quality of their support.

At this point, I have given up on Lenovo phone support, because it seems clear that it is as awful as Dell’s. Given that my laptop malfunctioned within two months of its purchase, I start to believe that I made a mistake returning to Lenovo, thinking that I would get better treatment and sturdier systems than I had when purchasing a cheaper system from Dell. This is why I reached out to @LenovoHelp, because I hoped someone at Lenovo still cared about the company’s reputation, and could do something to make this good.

To add insult to injury, when I finally returned home late on Thursday August 1, I find an empty box sitting outside my house. It is addressed to “ALAIN JOHNSES”. Since this is not my name, it means that I can’t request the laptop return be re-addressed to me at work, because my work will be unable to find me using that name. When the repaired system is returned to me, UPS will refuse to deliver it to an empty house, and I will have to schedule more time off work to go and pick it up. I hope they don’t ask for ID, because that won’t match, because that’s NOT MY NAME. Nonetheless, I shipped my laptop (minus the hard drive) on Friday August 2, so as to get it back soonest.

What do I want Lenovo to do to address this and make good on their failure to provide adequate service? It’s clearly too late to make this process happen quicker, that’s already failed completely. Here are some suggestions:

1. Ensure that phone technicians are comprehensible. The first technician had such a thick accent he should never have passed an interview for a phone job in English.

2. Train technicians on customer handling. You do not interrupt the customer, because that irritates the customer. You let the customer know what you can and can’t do for them, so they don’t have to fish around. You accept escalations to supervisors because that’s the only way to handle customers who want to talk about the quality of service they’ve received.

3. Cross-ship, even if you have to put the replacement items on the customer’s credit card until you receive the damaged item. I would have been happy to do this, as I have in the past. This was a distinguishing feature of Lenovo’s service in the past.

4. Make sure that if you offer weekend tech support, it is not staffed with the “second string”.

5. Systems used for escalating customer complaints must allow the customer to disconnect and call back, or be called back, at some later time. Twice I asked to be escalated, and in each case, but in different ways, I was denied the opportunity of speaking to a supervisor. Also, Lenovo was denied a chance of explaining their side, of making me less unhappy as a customer. Successful escalations are a good thing for the customer and the company, so technicians should be trained not to sidestep them by insisting that their supervisors are all “on break”.

Please make me believe that I made the right choice in switching back to Lenovo. Right now, I don’t feel happy with my purchase.

I cry every time I see a password prompt

Every company I’ve worked at, there’s been at least a couple of enterprise-wide sites that ask me to log on, and they prompt me for a user name and a password.

Clearly, if I’m connecting to an intranet site, what I need that server to do is to implement Kerberos to recognise me. That’s a great feature of modern web browsers, and it’s relatively easy to do in multiple web server frameworks. I’ll leave that as an exercise for the reader.

But that only works for internal sites, where the server and the client can each communicate to the Kerberos servers responsible for authenticating server and user. Maybe I’ll talk about that some other day.

Today, I talk about achieving SSO through Federated Identity. I’m going to start by talking about the theory.


What’s the benefit?

Simply put, security is improved dramatically, and administration and user effort is reduced.

Security benefits

No reuse of passwords – because even though we tell you not to use the same password across multiple sites, it’s well known that everyone does. With federation the remote site never receives or stores a password at all; it receives a signed assertion from your identity provider, so there is no password there to reuse, phish or leak.

The user experience

How does it appear to the user? Simple – as long as they are logged on to the corporate network, they browse to a remote site affiliated with the company, and after a couple of brief redirects, they’re automatically logged in to the remote site with credentials and access that matches who they are.

OK, that’s great – far better than having to use and remember a different password for those remote sites.
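The redirect flow described above, with the checks the remote site has to make before it trusts what the identity provider sent, as an added example that is not code from the original post. The identity provider and service provider names, the shared secret and the user are constructed assumptions, and the HMAC stands in for the certificate-based signature that SAML 2.0 or WS-Federation would put on the assertion.

```python
"""Federated single sign-on, end to end (added example, not the blog's code).

The corporate logon is the identity provider (IdP); the remote affiliated site
is the service provider (SP).  SAML 2.0 and WS-Federation sign assertions with
the IdP's X.509 key; to stay within the standard library this example uses an
HMAC over a shared federation secret instead.  Every name and URL below is a
constructed assumption.
"""
import base64
import hashlib
import hmac
import json
import secrets

IDP_ISSUER = "https://sso.corp.example"               # assumed IdP entity id
SP_AUDIENCE = "https://benefits.partner.example"      # assumed SP entity id
FEDERATION_SECRET = b"constructed-federation-secret"  # stands in for the IdP signing key


class FederationError(Exception):
    """Raised by the SP when an assertion must not be trusted."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(request: dict, subject: str, groups: list, now: int,
                        lifetime: int = 300) -> str:
    """IdP: the user is already logged on to the corporate network, so no password
    is asked for; issue a short-lived assertion addressed to the requesting SP only."""
    claims = {
        "iss": IDP_ISSUER,
        "aud": request["sp"],                  # only this SP may accept the assertion
        "sub": subject,
        "groups": groups,                      # SP maps these to its own access model
        "iat": now,
        "exp": now + lifetime,
        "jti": secrets.token_urlsafe(16),      # unique id so the SP can detect replay
        "in_response_to": request["request_id"],
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(FEDERATION_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


class ServiceProvider:
    """SP: redirect unauthenticated users to the IdP, then verify what comes back."""

    def __init__(self, audience: str, trusted_issuer: str, secret: bytes, skew: int = 60):
        self.audience, self.trusted_issuer, self.secret, self.skew = audience, trusted_issuer, secret, skew
        self.pending = {}       # request_id -> where to send the user afterwards
        self.seen_jti = set()   # replay cache (a shared store in a real deployment)

    def start_login(self, return_to: str) -> dict:
        """First redirect: the request the browser carries to the IdP."""
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = return_to
        return {"request_id": request_id, "sp": self.audience}

    def consume_assertion(self, token: str, now: int) -> dict:
        """Second redirect: verify the assertion, then create the local session."""
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except ValueError:
            raise FederationError("malformed assertion")
        # Verify the signature before reading a single claim.
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise FederationError("bad signature")
        claims = json.loads(body)
        if claims.get("iss") != self.trusted_issuer:
            raise FederationError("untrusted issuer")
        if claims.get("aud") != self.audience:
            raise FederationError("assertion addressed to a different site")
        if not (claims["iat"] - self.skew <= now <= claims["exp"] + self.skew):
            raise FederationError("assertion outside its validity window")
        if claims["jti"] in self.seen_jti:
            raise FederationError("assertion replayed")
        return_to = self.pending.pop(claims["in_response_to"], None)
        if return_to is None:
            raise FederationError("unsolicited assertion")
        self.seen_jti.add(claims["jti"])
        # The SP never saw a password; access comes from the IdP's claims.
        return {"user": claims["sub"], "roles": sorted(claims["groups"]), "return_to": return_to}


if __name__ == "__main__":
    sp = ServiceProvider(SP_AUDIENCE, IDP_ISSUER, FEDERATION_SECRET)
    req = sp.start_login("/my-benefits")
    token = idp_issue_assertion(req, "alun@corp.example", ["Employees", "HR"], now=1700000000)
    print(sp.consume_assertion(token, now=1700000005))
```

The two checks most often skipped in home-grown federation are the audience check and the replay cache: without them an assertion minted for one affiliated site can be presented to another, or the same assertion presented twice from a captured redirect.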

Where’s Jesper


Jesper used to blog all the time.

Jesper used to travel the world, speaking and spreading the news about computer security.

Jesper has a new blog, but it’s been a long time since he’s put anything there.

So, where’s Jesper now?

He’s stopped traveling the world, that much I know, because his kids were starting to ask “when that strange man was going to come visit”.

I just wish I could think of a good explanation for why he’s not blogging.

Now, it’s ever the security professional’s concern that he or she might inadvertently publish something that will let the unscrupulous attack the systems under their protection, or that will cause customers to lack confidence in the security of those systems.

But that’s part of the job, and if you can’t be trusted to have a little discretion, then you’re in the wrong field. It’s also worth pointing out that a key tenet of security theory is to assume that your attackers have complete specifications of your systems, so anything you reveal should not harm a well-designed system’s security (unless you’re going to post your p@55w0rd).

Or perhaps he has nothing to blog about – maybe there’s nothing of interest going on in security in his current position, or maybe it’s all so bad that his company can’t risk him talking about anything related to security in case it scares customers away. I’m pretty certain that’s not the truth, but it is an obvious conclusion that you’re going to draw when you have no information on which to proceed.

No, I just can’t see that there are any good reasons that he isn’t blogging… anyone got any better ideas?

Internet Explorer 7 flaw – slow news day

You know it’s a slow news day when a flaw like this makes the TV news. [Or when it makes the front page of a normally respectable security site like Secunia.]

Okay, so the first thing to note is that if you try this flaw on other browsers – Internet Explorer 6 or Firefox 2.0, for instance – what happens is that the popup appears on screen without an address bar. So, if this popup is going to persuade you on Internet Explorer 7 to click in a bad place, then it’s going to persuade you even more easily to click in a bad place on Internet Explorer 6 or Firefox 2.0.

The next thing to note is that it doesn’t work if your fonts are different widths from the default, for instance if you use a high-DPI font, or use larger fonts because of poor visibility, or just because you like them – the number of padding characters used has to match exactly with the width of the popup window.

Other reasons the flaw is next to useless:

  • If you enable Internet Explorer 7’s ability to open popups in another tab, the flaw is totally wasted.
  • If you click anywhere in the window (and I don’t suggest you do on any popup), the address is revealed.
  • If you click in the address bar, the address is revealed.
  • The flaw only works while the text in the address bar is fully selected – meaning that it’s highlighted, and looks different from every respectable popup (is there such a thing?). Again, you should be aware that any time something looks different from usual, it’s a warning flag at best, and probably something to be avoided.

Oh, and Internet Explorer 7 comes with a phishing filter – which I really suggest you accept – that prevents you from being lured to known phishing sites by popups such as these.

Really, there are so many down-sides to this flaw, from the perspective of a malicious person trying to actually exploit it, that it’s a wonder anyone bothered to spend time typing the web page up that demonstrates it.

In a way, this demonstrates Internet Explorer 7’s superiority over previous versions – if this really is the most newsworthy attack you can make, Internet Explorer 7 must be solid.

I’ll restate very simply the reasons that Internet Explorer 7 is worth an install:

  1. You are required to have a version of Internet Explorer on your Windows system – it’s a part of the OS.
  2. Every flaw that has been found in Internet Explorer 7 has been found in previous versions of Internet Explorer – and each one (of two) is minor and complex, so much so that despite widespread publicity for some considerable time, there are no known exploits in the wild.
  3. Internet Explorer 7 closes a huge number of avenues of attack that were present in Internet Explorer 6.

Put all that together, and it’s clear that installing Internet Explorer 7 will improve your security. Whether you use it is up to you.

Whether you use Internet Explorer, Firefox, or Opera, or some other browser, from a security standpoint, installing Internet Explorer 7 is a big win. Plus, it’s much easier and more fun to use.

Initial impressions on this month’s security updates

You can find this month's Microsoft Security Bulletin here.

Here's what it contains:


MS06-056 – Vulnerability in ASP.NET Could Allow Information Disclosure (922770) – If you do .NET 2.0 web site hosting, apply this. Moderate risk of information disclosure – nothing to get hugely excited about, but if your .NET development team don't understand the information being disclosed, find a better expert.


MS06-057 – Vulnerability in Windows Shell Could Allow Remote Code Execution (923191) – This is the WebViewFolderIcon ActiveX vulnerability. Since this patch fixes the vulnerability, don't forget that if you've applied any other mitigations (adding a restrictive ACL, modifying the file yourself, etc.), you will almost certainly want to undo them before applying this patch.

MS06-058 – Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163) – If you use Powerpoint, apply this patch.  Don't assume that the later "Office patch" in today's release will fix this problem.  According to the documentation as it stands currently, that is not the case.  This patch also applies to Powerpoint on the Apple Mac!

MS06-059 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164) – As with the Powerpoint patch, install this one if you use Excel.  And then install the Office patch as well. This patch applies even if you use Excel on the Apple Mac!

MS06-060 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554) – You get the picture, apply this patch if you use Word – even Word on the Mac! And then install the Office patch.

MS06-061 – Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191) – XML has been Microsoft's religion for the last several years. I can't begin to sum up the number of programs that are likely to have some tie-in to this.  Since it's a remote code execution vulnerability, I suggest you apply it everywhere.  That includes servers, because they may be using web services and XML in order to communicate.

MS06-062 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581) – If you run Office – even Office on the Mac! – apply this patch – and then go check that you applied all the other patches for various components of Office.  Better still, go use Microsoft Update, and just update all your Microsoft applications automatically.  [I don't think Microsoft Update applies to the Mac – you may have to download these by hand.]


MS06-063 – Vulnerability in Server Service Could Allow Denial of Service (923414) – Taking your computer offline by sending it a network packet – for servers, that's generally important to prevent, so unless you are blocking the usual ports (and can trust your internal users not to run random downloaded garbage), definitely install this on your servers at first opportunity. And don't forget that clients run the server service too, otherwise they wouldn't be able to share files across the network.


MS06-064 – Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819) – reading the article carefully shows that this is related to IPv6 only. Blocking all IPv6 traffic at the network would be a good mitigation if you are not using IPv6. You can also uninstall IPv6 by running the command "netsh interface ipv6 uninstall". This vulnerability essentially allows people who can 'ping' your box through IPv6 to occasionally disconnect some of your applications' connections. Most people today are not using IPv6, so this is really unlikely to cause anyone much bother. Install it or don't.


MS06-065 – Vulnerability In Windows Object Packager Could Allow Remote Code Execution (924496) – In my view, this one's a bit of a stretch. It'd require a user agreeing to a dialog box that didn't look quite right.

General recommendations:

Okay, so clearly, at home and my small business, I'm going to install all of these by automatic updates, and reboot the first chance I get.  It's been a long time since Microsoft has released a really cruddy update.

At my day job, where it "requires an Act of Congress" to reboot a server, I'm still going to recommend that all workstations install all of the critical vulnerabilities, plus MS06-063; the servers should install MS06-056, and if they're file servers, MS06-063.

And, of course, the usual recommendations stand:

  • Don't surf from the servers.
  • Don't run Office (and Outlook is part of Office!) on the servers.
  • Don't believe your Mac is immune.
  • Don't run as an administrator-level account. Ever. Unless you absolutely have to.

Patch Tuesday – Followed by Drafting Wednesday

So, we’re all well aware that the second Tuesday of every month is “Patch Tuesday”, right?

[If you’re not aware of this, please learn now that Microsoft releases security patches on the second Tuesday of every month, so that I.T. folks don’t have to scrabble and panic to schedule time for download, analysis, test and deployment at random intervals throughout the year.]

The afternoon of Patch Tuesday is rapidly turning into Drafting Wednesday.

“Patch Drafting” is the new industry-standard practice of releasing patches as soon after Microsoft’s patches as possible.

The theory behind it, as far as I can make out, is that if you publish your patches just after Microsoft, you’ll get less hostile coverage in the computer press, because they’ve already written that week’s “Scary Patches – Sky Is Falling” story, and can’t write another one for that week’s issue.

So, next Patch Tuesday – which will be October 10th 2006 – pay close attention that afternoon and the following day to see what patches are being issued by people who want to get them in “under the radar”.

Isn’t that exactly the opposite of what we want our patching processes to be?

Vulnerability in WFTPD

We all make mistakes, and I made a mistake in a piece of code buried deep within WFTPD.

[Actually, I’ve made several mistakes, and there are certain to be a few I’ve yet to find.]

As a result, some sociopath has been able to release an “exploit” – a program that can be run against the WFTPD server that allows it to be broken into.

[Actually, the sociopath is not the first person to discover the flaw – “appsec.ch” notified me last month, and I’ve been bringing the new code up to scratch and testing it every spare minute since then, as well as testing workarounds.]

There’s never a good time to have a public disclosure of a vulnerability in your software, but the timing of most public disclosure addicts is impeccable – Thanksgiving, Christmas, weekends, vacations, these are all the most likely times for posting exploits, because that way, they can be distributed to the largest number of bad hackers, at a time when the fewest users will be looking for fixes.

This time, the exploit has come out at a time when we are in a spat with our ISP, 1&1 – they have disabled our password-protected directory support, so we aren’t able to provide downloads of registered software right now.

The best you can hope for with a vulnerability is that there is a workaround, while such issues are resolved, new versions are tested and before the final software can be deployed.

Sure enough, we have a workaround here.

For WFTPD Server, you will need to edit the WFTPD.INI file. In the "[Server]" section, add a line that reads "GFPNMethod=0".

For WFTPD Pro Server, edit the registry under "HKEY_LOCAL_MACHINE\Software\Texas Imperial Software\WFTPDPro\Servers\<ServerName>" [replace "<ServerName>" with the name of the server you’re editing – you will have to do this for each server]. Add a DWORD value named "GFPNMethod" and set it (either decimal or hexadecimal) to 0.

Here’s the important part – restart WFTPD Server or the WFTPD Pro service (depending on whether you have WFTPD Server or WFTPD Pro Server). This is one of those rare settings that is read only when the server starts, from WFTPD.INI or from the registry respectively, so editing the setting alone does nothing until the restart.

The truly paranoid will want to restart the machine, just to be “safe”.
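The three steps above (INI edit for WFTPD Server, registry edit for each WFTPD Pro server, restart) as one script, added here as an example and not Texas Imperial Software's own code. The section name, value name, value and registry path are the ones given in the post; the WFTPD.INI location and the service name are assumptions you have to confirm on your own machine. The INI edit is done line by line rather than through configparser so that the other settings and any comments in WFTPD.INI survive untouched.

```python
"""Apply and verify the WFTPD GFPNMethod=0 workaround (added example, not
Texas Imperial Software's code).  Section, value name and registry path are
from the post; file location and service name are assumptions."""
import shutil
import subprocess

try:
    import winreg          # Windows only; the INI functions work anywhere
except ImportError:
    winreg = None

SECTION, KEY, VALUE = "Server", "GFPNMethod", "0"


def patch_ini_text(text: str) -> tuple:
    """Return (new_text, changed) with GFPNMethod=0 in [Server], editing in
    place so other settings and comments in WFTPD.INI survive."""
    lines = text.splitlines()
    header = next((i for i, line in enumerate(lines)
                   if line.strip().lower() == f"[{SECTION.lower()}]"), None)
    if header is None:                       # no [Server] section yet: append one
        if lines and lines[-1].strip():
            lines.append("")
        lines += [f"[{SECTION}]", f"{KEY}={VALUE}"]
        return "\n".join(lines) + "\n", True
    i = header + 1
    while i < len(lines) and not lines[i].lstrip().startswith("["):
        name, sep, current = lines[i].partition("=")
        if sep and name.strip().lower() == KEY.lower() and not name.lstrip().startswith(";"):
            if current.strip() == VALUE:
                return text, False           # already applied, nothing to write
            lines[i] = f"{KEY}={VALUE}"      # override whatever method was configured
            return "\n".join(lines) + "\n", True
        i += 1
    lines.insert(header + 1, f"{KEY}={VALUE}")
    return "\n".join(lines) + "\n", True


def gfpn_method_from_text(text: str):
    """Read back the effective GFPNMethod from [Server], or None if unset."""
    in_section, value = False, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].lower() == SECTION.lower()
        elif in_section and not stripped.startswith(";"):
            name, sep, current = stripped.partition("=")
            if sep and name.strip().lower() == KEY.lower():
                value = int(current.strip()) if current.strip().isdigit() else None
    return value


def apply_ini_workaround(path: str) -> bool:
    """WFTPD Server: edit WFTPD.INI on disk (path is an assumption), keeping a backup."""
    with open(path, encoding="latin-1") as fh:
        new_text, changed = patch_ini_text(fh.read())
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(new_text)
    return changed


def apply_registry_workaround(
        base=r"Software\Texas Imperial Software\WFTPDPro\Servers") -> list:
    """WFTPD Pro: set REG_DWORD GFPNMethod=0 under every server subkey.  If
    Python is 64-bit and WFTPD Pro is a 32-bit program, add
    winreg.KEY_WOW64_32KEY to both access masks so you edit the key it reads."""
    if winreg is None:
        raise RuntimeError("registry workaround applies only on Windows")
    servers_done = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as servers:
        for idx in range(winreg.QueryInfoKey(servers)[0]):
            name = winreg.EnumKey(servers, idx)
            with winreg.OpenKey(servers, name, 0, winreg.KEY_SET_VALUE) as srv:
                winreg.SetValueEx(srv, KEY, 0, winreg.REG_DWORD, int(VALUE))
            servers_done.append(name)
    return servers_done


def restart_service(name: str) -> None:
    """The setting is read only at start-up, so restart the service.  The
    service name is an assumption: confirm it with 'sc query' first."""
    subprocess.run(["net", "stop", name], check=False)
    subprocess.run(["net", "start", name], check=True)


if __name__ == "__main__":
    sample = "[Server]\nPort=21\nGFPNMethod=2\n\n[Logging]\nLevel=3\n"   # constructed
    patched, did_change = patch_ini_text(sample)
    print(did_change, gfpn_method_from_text(patched))
```

Run apply_ini_workaround or apply_registry_workaround from an administrator prompt, then restart_service; afterwards re-read the file with gfpn_method_from_text to confirm the value the server will load is 0.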

Once we get our ISP replaced, we’ll be shipping a new version, 3.24. In the meantime, please use the workaround listed above.

Here’s a better laptop theft story…

It’d be nice if the press handled this story a little better.

After all, it’s what we want – the stolen laptop had all its private data encrypted.

So why do I still get the impression that the authors are trying to push the angle of “sure, they say it’s encrypted, but really, what protection is that?”

I really want them to say “sure, the laptop may have data on it, but it’s all encrypted, so unless this was an inside job, that data is safe”.

If there’s no PR benefit to encrypting laptops, then we are relying on businesses to do the right thing simply because it’s right – and do we really trust business that much?

Supporting businesses that do the right thing, congratulating them for it, is the best way (short of patronising their outlets) to make sure they continue to do it.

Of course, since this is the Red Cross, perhaps what’s better is a donation of time and/or money.

[Since posting this, and similar content elsewhere, I’ve received a few messages that basically say “the laptop shouldn’t have had data on it in the first place”. I totally agree, but I’m pragmatic enough to realise that people will occasionally / frequently slip up on policy, requiring you to put extra measures in place. Given that the policy says “no data on laptops”, laptop encryption is still necessary.]

Neat little RunAs one-liners – ADHERE and ADFILE


Short for “Admin Here”, I’ve been enjoying this little one-line batch script:

@runas /u:%1 "cmd /k cd /d %cd%"

What’s it do?

First, it’s important to note that it takes a parameter, the username that you want to run as.

It’ll open up a new CMD window – a command prompt window – in the directory that you’re currently in. This prevents you from arriving in the C:\Windows\System32 directory every time you realise that you need an administrator account to run a few commands.


Short for “Admin File”, here’s the obvious next step:

@runas /u:%1 "cmd /c cd /d %cd% & start %2"

Takes two parameters, the first being the user you want to runas, and the second being the file you want to run / open.


[Of course, you may want to hard-code the admin user name into the batch file.  Be my guest]

[Update 7/7 – added the “/d” parameter, so you can “ADHERE” and “ADFILE” from directories on other drives.]