How Delegation Privileges Are Represented In Active Directory

One of the last areas where more tool support is needed is in monitoring the various attributes in Active Directory (AD). Recently I got curious about the delegation flags, and, more to the point, how to tell which accounts have been trusted for delegation. This could be of great import if, for instance, you have to produce reports of privileged accounts. KB 305144 gives a certain amount of detail about how delegation rights are presented in Active Directory. However, it is unclear from that article how to discover accounts trusted for full delegation, as opposed to those trusted only for constrained … Continue reading How Delegation Privileges Are Represented In Active Directory

Web Of Trust: RIP

It's official. I just received an e-mail from Thawte notifying me that, as of November 16, 2009, the most innovative and useful idea in PKI since its inception, the Web of Trust, will die. Thawte was founded 14 years ago by Mark Shuttleworth. The primary purpose was to get around the then-current U.S. export restrictions on cryptography. Shuttleworth also had an idea that drew from PGP: rather than force everyone who wanted an e-mail certificate to get verified by some central entity – and pay for the privilege – why not have them verified by a distributed verification system, similar … Continue reading Web Of Trust: RIP

Passwords are here to stay

At least for the short to medium term. That is the, quite obvious, conclusion drawn in a Newsweek article entitled "Building a Better Password."  The article goes inside the CyLab at Carnegie-Mellon University to understand how passwords may one day be replaced. It is interesting reading all around. The article is not without some "really?" moments though, such as this quote: The idea of passphrases isn't new. But no one has ever told you about it, because over the years, complexity—mandating a mix of letters, numbers, and punctuation that AT&T researcher William Cheswick derides as "eye-of-newt, witches'-brew password fascism"—somehow became … Continue reading Passwords are here to stay

And finally, standard user malware

Today I finally got wind of my first piece of true standard user malware. MS Antispyware 2008 has turned standard user. The version in question installs the binaries in c:\documents and settings\all users\application data\<something>, and makes itself resident by infecting HKCU\…\Run. Curiously, the legitimate anti-malware program (one of the top 3) failed to detect the infector. Obviously, this version is much easier to remove than the ones that require admin privileges. However, MS Antispyware is not about being hard to remove. It just needs to run until the user pays for the privilege, and more than likely, even as a … Continue reading And finally, standard user malware

Microsoft Poland Empowers White People

In an absolutely astonishing move Microsoft's Polish subsidiary decided to do some photoshopping on its Business Productivity Infrastructure page to tailor it to the Polish market. Here you can see the U.S. original. In one of the least sensitive moves this year, the Polish subsidiary decided that black people in Poland do not need to be empowered, so here you can see what its version of that page looked like for a few hours today. As you can see from the current version on the Polish site, someone with a bit more human sensitivity than a teaspoon, and an I.Q. … Continue reading Microsoft Poland Empowers White People

Is it ActiveX that is the problem?

Last week, an expert from Verizon, nee Cybertrust, posted a note about the Active Template Library (ATL) security vulnerability over on the Verizon Business Security Blog. For home users, the phone company now advises you to use a different browser, ostensibly because IE and ActiveX are inherently insecure. I felt that quite missed the point that (a) browsers are software, and (b) all software has vulnerabilities, and (c) extension technologies in browsers add functionality, which (d) is implemented in the form of software, and therefore (e) introduce additional vulnerabilities. Just because Internet Explorer's extension technology is called ActiveX does not … Continue reading Is it ActiveX that is the problem?

Warning: The software you are installing does not match your mental model

This morning I talked to my dad. After a few minutes of polite small talk, I heard the 10 little words I have come to dread: “I had some problems with my computer the other day.” The video card on his laptop had died. The screen was just black. He has a Dell Vostro, so he called Dell Technical Support. They sent a contractor technician out; with a motherboard. The technician, having no real qualifications other than the need for a job; and no real training other than how to fill out the repair paperwork, installed the motherboard. Three days … Continue reading Warning: The software you are installing does not match your mental model

Steve Riley Lands On His Feet

In May, in one of the more inexplicable moves this year, Microsoft laid off my good friend Steve Riley, four days before he was to deliver half a dozen presentations at TechEd. Fortunately, it did not take Steve long to find a new gig. This Monday, he starts as the latest Evangelist & Strategist for Amazon Web Services! I'm very very happy for Steve, and very excited about what he can do in that role. Web Services are where the future is, and Steve is extremely well suited to the role. Please join me in wishing him good luck!

A better, more reliable, work-around for the Microsoft Video Control Vulnerability

For the past few days I've been following the Microsoft Video Control Vulnerability with interest. Basically, it's another vulnerable ActiveX control that needs killbitted. Last night, Microsoft posted a work-around which involves using a Group Policy ADM template (ADM is the template format that was deprecated in Vista and Windows Server 2008). Unfortunately, the template tattoos the registry, which is not really recommended. I contemplated for a while writing a work-around for this issue, but then remembered that I actually did; almost three years ago. The workaround I wrote then, for another ActiveX vulnerability will not tattoo the registry, and … Continue reading A better, more reliable, work-around for the Microsoft Video Control Vulnerability

Are Identity Theft Services Worth The Cost?

The Consumer Federation of America just published a report on identity theft services entitled "Are Identity Theft Services Worth The Cost?" The conclusion is that many are not, and that regulation is needed in that industry. It is a very interesting read.