Wednesday, January 23, 2008

Lots of people are familiar with obtaining and installing SSL certificates for hosting secure web sites, but the area of code signing seems less cohesive. I've compiled the notes I have on the process in this blog post.

Yes, but who are you?

Reputable publishers of code signing certificates require some evidence that you are authorized with respect to the organization you wish to have named on your certificate. In my case, being able to produce the ASIC registration for my company was enough, YMMV.

This is subtle, but important.

  1. My company rego papers are the credentials a Root CA (e.g. Comodo, VeriSign, Thawte, USERTrust etc.) uses to decide to trust me.
  2. The user (implicitly) trusts the Root CA by using an OS with that CA's certificate installed.
  3. Ergo, the user (indirectly) trusts me.

Macro projects in Microsoft Excel/Word/Visio/Access/etc

Once you have obtained your certificate, you are able to sign Macro projects in Office document templates by choosing Tools -> Digital Signature.

Your newly purchased certificate will appear in the list, and saving the project signs your template. The difference is that the user is now asked to trust you (as verified by the CA) and your code, rather than being asked to enable all macros.

Software distributed as MSI packages

Signing MSI packages and CAB files is more visible than ever before in Windows Vista. This I think is a good thing; however, I do worry that, because there are a lot of unsigned installers out there, users may get the message that it's not that important.

Once you have got your certificate from a CA, the process couldn't be easier. There are a couple of ways to get signtool.exe; I usually have the Windows SDK on my machines, which ships with it. The command to sign ClassLibrary1.dll, for example, is (assuming you sign from a PFX file rather than the local cert store):

C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\signtool.exe sign /f My_Code_Signing_Cert.pfx /p L0ng5ecr3tp@ssw0rd /d name /du http://www.MyCompany.com /t http://timestamp.verisign.com/scripts/timestamp.dll ClassLibrary1.dll

The time stamping is important here because certificates expire. An external, countersigned time stamp records when the signature was made, so a verifier can confirm the assembly was signed while the certificate was valid, even after the certificate itself has expired.
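Added example, not code from the original post: a small Python parser for the PE Certificate Table, which is where signtool sign embeds the Authenticode blob, so a DLL or EXE can be triaged for whether it carries an embedded signature at all. It only reports the presence and type of each WIN_CERTIFICATE entry; checking the chain and the time stamp is still signtool verify's job, and it applies to PE images (EXE/DLL), not MSI packages. The PE bytes used for the demonstration are constructed in the block (build_constructed_pe) and hold a placeholder in place of real PKCS#7 SignedData.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory index of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds PKCS#7 SignedData (Authenticode)
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_entries(data):
    """List the WIN_CERTIFICATE entries in a PE file's Certificate Table.
    An empty list means the file carries no embedded Authenticode signature at all."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                    # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:                  # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    # For the security directory the first field is a raw file offset, not an RVA.
    table_off, table_size = struct.unpack_from(
        "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if table_off == 0 or table_size == 0:
        return []
    end = table_off + table_size
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    entries, pos = [], table_off
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % pos)
        entries.append({
            "offset": pos,
            "revision": revision,
            "type": cert_type,
            "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "blob_length": length - 8,    # bytes of PKCS#7 data (unverified here)
        })
        pos += (length + 7) & ~7          # entries are 8-byte aligned
    return entries


def build_constructed_pe(pkcs7_blob=None):
    """Constructed minimal PE32 image (no sections) for testing; optionally carries one
    WIN_CERTIFICATE whose body is the given bytes in place of real PKCS#7 SignedData."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386, 0 sections, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    table = b""
    if pkcs7_blob is not None:
        table = struct.pack("<IHH", 8 + len(pkcs7_blob),
                            WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7_blob
        table += b"\0" * (-len(table) % 8)           # pad to 8-byte boundary
        header_len = 64 + 4 + 20 + 224
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    signed = build_constructed_pe(b"CONSTRUCTED-PKCS7-PLACEHOLDER")
    print("signed image entries:", authenticode_entries(signed))
    print("unsigned image entries:", authenticode_entries(build_constructed_pe()))
```

To run it over a real file, pass the result of open(path, "rb").read() to authenticode_entries; a non-empty result still needs signtool verify /pa before the signature is trusted.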

.NET Assemblies

Technically, signing an assembly is not unlike signing an MSI. On one hand it is easier, because you can do the signing from inside Visual Studio's project properties.

On the other hand, there is the concept of delay signing, where the actual private key is not available to the developer on a day-to-day basis. This added security adds a layer of complexity that is frankly beyond the scope of this post. I will come back and dedicate a whole post to it some time :-)

Windows Logo Certification / WinQual

This is the only case I can think of where the vendor of the certificate matters. A certificate from VeriSign is required to prove your identity in the WinQual program, which is required for Windows Logo certification. VeriSign has special pricing on offer for members of the Windows Quality Online Services site. The $99 cert from VeriSign is required for WinQual membership, and is all you need if you already have a code signing certificate. The $399 cert is valid for both code signing and WinQual membership.

Wednesday, January 23, 2008 3:26:10 PM (AUS Eastern Standard Time, UTC+10:00)

Tuesday, November 20, 2007

I just saw these and thought they were worthy of linkage

Clinic 2806: Microsoft® Security Guidance Training for Developers.

Clinic 2807: Microsoft® Security Guidance Training for Developers II.

There is a good breadth of topics covered, and the price is right :-)

Tuesday, November 20, 2007 10:37:00 PM (AUS Eastern Standard Time, UTC+10:00)

Tuesday, November 06, 2007

I got this message again this morning and I am so sick of it!

Only 16 chars?  O RLY?  What if my dog's name is more than 16 chars long?

Further investigation of the JS source reveals that other error messages include:

Password can only contain letters and numbers

I am always talking to people about password policy, and no wonder people are confused. So much good guidance out there is buried under so much rubbish.

Compare this to the other user experience that is becoming more common:

Much better! There was a time when it would be appropriate to explain why the second case is better... but in this day and age it should be obvious. It is all about coercing people into choosing good passwords until passwords are made obsolete in the future.

Since version 1.0.60731.0 of the ASP.NET AJAX Control Toolkit there has been a quite good Password Strength control available for the ASP.NET platform. Everyone else (like my first, deliberately anonymous example) can just Google it! There are plenty of samples available.

One that I liked was at Gerd Riesselmann's blog, where he shares (GPL) a simple example suitable for learning how this is done.

What do you think?  Is there any excuse for giving poor password guidance in 2007?
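As an added illustration (not code from the post or from the control mentioned above), the 16-character, letters-and-numbers-only rule quoted above beside a corrected policy. The thresholds in modern_validate and the character-class pool sizes are assumptions, and the bits estimate treats every character as random, so dictionary words score higher than they deserve.

```python
import math
import re

# Rule set quoted in the post: at most 16 characters, letters and digits only.
LEGACY_MAX_LEN = 16
LEGACY_ALLOWED = re.compile(r"[A-Za-z0-9]+")


def legacy_validate(password):
    """Return (accepted, message) under the rules the post complains about."""
    if len(password) > LEGACY_MAX_LEN:
        return False, "Password cannot be longer than %d characters" % LEGACY_MAX_LEN
    if not LEGACY_ALLOWED.fullmatch(password):
        return False, "Password can only contain letters and numbers"
    return True, "OK"


# Character classes and the pool size each one contributes to a brute-force search space
# (assumed sizes; punctuation plus space counted as 33 printable ASCII symbols).
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
]


def estimate_bits(password):
    """Search-space estimate in bits: length * log2(pool of classes present).
    Assumes random characters, so it flatters dictionary words (assumption)."""
    pool = sum(size for pattern, size in CLASSES if pattern.search(password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def modern_validate(password, min_len=12, min_bits=60):
    """Corrected policy (thresholds are assumptions): no maximum length, any character
    allowed, and acceptance decided by length and estimated strength, not an allow-list.
    Returns (accepted, label, message)."""
    if len(password) < min_len:
        return False, "weak", ("Use at least %d characters; a passphrase of several words works well"
                               % min_len)
    bits = estimate_bits(password)
    if bits < min_bits:
        return False, "weak", "Add length or mix in more kinds of characters"
    label = "strong" if bits >= 80 else "fair"
    return True, label, "OK"


def compare(candidates):
    """Side-by-side verdicts of both rule sets for a list of candidate passwords."""
    return {p: {"legacy": legacy_validate(p)[0],
                "modern": modern_validate(p)[0],
                "bits": round(estimate_bits(p), 1)}
            for p in candidates}


if __name__ == "__main__":
    for pw, verdict in compare(["Tr0ub4dor", "correct horse battery staple", "p@ss"]).items():
        print(repr(pw), verdict)
```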

Tuesday, November 06, 2007 9:37:32 AM (AUS Eastern Standard Time, UTC+10:00)

Thursday, October 18, 2007

I have a ColorPlus monitor profiling Spyder by what was formerly marketed as Pantone and is now Datacolor, and I profile my monitors regularly.

Today was the first time I have tried to profile since I built my new dev workstation. It turns out the (circa 2004) ColorPlus Spyder that has served me well so far is now in the legacy bin. While it works great on Vista x32 with the XP driver, it has not had signed drivers released for Vista x64.

This led me to look at the latest news on loading unsigned drivers into Vista x64. Since I only need the thing to run for 5 minutes once every couple of months, I was hoping to find some BCDEdit trickery that would let me reboot into a non-standard config, generate an ICC profile and then boot back into "real" Windows. It seems that option was supported on Vista RC2 and removed for the RTM.

What has this to do with Linchpin Labs?

Further investigation turned up the case of Linchpin Labs (who have a Willoughby, NSW address as well as one in Ottawa, Canada). Linchpin released a widget called Atsiv that was itself signed and would let you load unsigned drivers through it.

Things got interesting when Microsoft categorized Atsiv as malware.

The Microsoft position on this is detailed in the Windows Vista Security blog, and Linchpin Labs' equally detailed response is on their site. It's unfortunate that Linchpin do not have a blog, because it would be interesting to contrast the comments on the MSDN blog with any they attract.

As for the comments it seems lots of folks think their obligation ends with complaining.  It may be fun to type crap on a message board, but my respect is reserved for the folks who put time into finding the solutions.

But what seems missing in the discussion, to me, is that (depending on how you count the numbers) between 40 and 60 million copies of Vista have been shipped in 19 languages to 70 countries. Only a slim slice of that huge number of users is the tech-savvy / tech-professional community who, generally speaking, keep technology and the internet working and profitable for the rest of the world. I think it is right that security decisions favour the great unwashed masses rather than the techno-elite, who should be able to look after themselves. A bit of perspective please, people.

If you get to the bottom of the Linchpin Labs announcement you find the following:

  Linchpin Labs would like to suggest that Microsoft spend less time using debatable policy as a security mechanism, and spend more time actually tightening its operating systems.

Wha?? Isn't that what this is all about? Driver Signing Policy is tightening the OS. Other examples of Vista security enhancements include:

  • Restricted Services (service hardening)
  • DEP and NX, including supporting hardware-based DEP 
  • User Account Control (UAC)
  • Windows Defender / Windows Firewall / Windows Security Center (techies:  think of the 98% of the world; they need hand holding, OK)
  • Network Access Protection (NAP) 
  • Bitlocker and EFS
  • ActiveX Opt-In, support for EV Certs and anti-phishing filter support in IE7
  • ...

...and probably others. Yeah, I'd call this tightening the OS.

Back to my ColorPlus Spyder...

So, looking at my options:

  • Get a Mac. Oh yes, would I love to get a Mac. hmmmm :) But desk space, power and brain cycles are at a premium at the moment. Also, being an entry-level product, the ColorPlus is Windows-only, so it would mean getting a new Spyder anyway.
  • Get a new Spyder. These are costly devices and not really top of my spend list right now. Maybe one day.
  • Abandon the DRM-infested evil Microsoft empire, like some of the commenters (e.g. "Joe" et al) on the Vista Security Blog suggest. Just try and have a 16-bit/channel colour-accurate workflow in Linux. I've been there (not recently, but as far as I can tell things haven't changed much) and it's not fun. Just go and spend a couple of weeks setting it up and let me know how you get on. Send me a postcard. Really.

Now for some real options:

  1. Email Datacolor and let them know that people are interested in Vista drivers.  Done.
  2. Install a copy of Vista x86, update to the latest vid drivers, calibrate the monitor, pinch the ICC profile, reboot into my "real" Vista x64.  It'll take 1hr tops.  I'll get to this on the weekend.

um, anyone want to buy a second-hand ColorPlus Spyder? One careful owner, still with original box...

Listening To: The Polyphonic Spree, The Fragile Army

Update:  My ColorPlus is no longer for sale :-)

It turns out that in the ColorVision Knowledge Base (under Support Centre) there is an article that says:

ColorPlus users can download Spyder2express software from the colorvision website's support section, and run that software with a ColorPlus serial number and a ColorPlus Spyder. The latest versions of Spyder2express are compatible with Vista32 and Vista64.

I can confirm this works. Spyder2express is a 120MB download, which is hefty since I only want the driver :-/ The ColorPlus is detected as a Spyder2 after installation and works as advertised.

...and would you believe there is a Mac version of ColorPlus 1.1 in the Knowledge Base that is not listed in the Support downloads. I'm happy to be wrong any time it works out for the best :)

Listening to: The Campfire Headphase, Boards of Canada

Thursday, October 18, 2007 10:09:42 PM (AUS Eastern Standard Time, UTC+10:00)

Friday, June 22, 2007

You can do this today, like in 10 minutes...

OpenSearch is a format for describing how your site is searched, and optionally for adding Search elements to other formats like RSS. 

Auto-discovery of OpenSearch description documents is done via a link in your HTML head like so:

<link rel="search" type="application/opensearchdescription+xml" title="My Site" href="http://www.mysite.com/open-search.xml" />

The OpenSearch XML document is interpreted by the browser to add extra search providers to its integrated search box, like so:

The contents of the file can be short or it can be long.  A bare bones example may be as simple as this:

<?xml version="1.0" encoding="UTF-8"?>
<!-- the xmlns is the OpenSearch 1.1 namespace; browsers expect it on the root element -->
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
   <ShortName>My Site</ShortName>
   <Description>Search My Site</Description>
   <Url type="text/html" template="http://www.mysite.com/search.aspx?terms={searchTerms}"/>
</OpenSearchDescription>

The spec gives another simple, and one much more detailed example document.  The IE blog also goes into some detail... but in true internet fashion, View Source is the quickest path to an example :-)

Security?

The bad news is that, in current browsers at the time of writing (IE 7.0.6000.16473, Firefox 2.0.0.4), the controls around what search template you can include seem quite lax; I had no problems setting the URL in the search template to a completely different site!

While it would be completely hilarious to poison someone's search bar as a prank with the following three facts...

  • IE stores the search settings here: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
  • Firefox stores them in the filesystem: C:\Documents and Settings\<winprofile>\Application Data\Mozilla\Firefox\Profiles\<mozprofile>\searchplugins
  • (sounds like google, not work safe)

I would ultimately like some control here. I can't see anything in Group Policy for enforcing/allowing/denying new search providers. I'd like to add one to all PCs for my internal SharePoint site, for example.
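An added check (not part of the original post) for the concern above: parse an OpenSearch description and flag any Url template whose scheme or host differs from the page the description was discovered on, which is the control the browsers named above did not enforce. The sample document is constructed here, www.mysite.com and unrelated.example are placeholders, and the function handles documents with and without the OpenSearch xmlns.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed description, modelled on the bare-bones example in the post, plus a second
# <Url> whose template points at an unrelated host (the lax case the post describes).
CONSTRUCTED_OSD = """<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
   <ShortName>My Site</ShortName>
   <Description>Search My Site</Description>
   <Url type="text/html" template="http://www.mysite.com/search.aspx?terms={searchTerms}"/>
   <Url type="application/x-suggestions+json"
        template="http://unrelated.example/suggest?q={searchTerms}"/>
</OpenSearchDescription>
"""


def _local(tag):
    """Strip the XML namespace so documents with and without xmlns parse the same way."""
    return tag.rsplit("}", 1)[-1]


def parse_opensearch(xml_text):
    """Return (ShortName, [(type, template), ...]) from a description document."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "OpenSearchDescription":
        raise ValueError("root element is %r, not OpenSearchDescription" % _local(root.tag))
    short_name = None
    urls = []
    for child in root:
        name = _local(child.tag)
        if name == "ShortName":
            short_name = (child.text or "").strip()
        elif name == "Url":
            urls.append((child.get("type", ""), child.get("template", "")))
    return short_name, urls


def foreign_templates(xml_text, discovered_from):
    """Findings for templates whose scheme or host differ from the page that advertised the
    description, and for templates that carry no {searchTerms} placeholder at all."""
    origin = urlsplit(discovered_from)
    origin_key = (origin.scheme.lower(), (origin.hostname or "").lower())
    _, urls = parse_opensearch(xml_text)
    findings = []
    for mime, template in urls:
        target = urlsplit(template)
        target_key = (target.scheme.lower(), (target.hostname or "").lower())
        if "{searchTerms}" not in template:
            findings.append((mime, template, "no {searchTerms} placeholder"))
        elif target_key != origin_key:
            findings.append((mime, template,
                             "points at %s, not %s" % (target_key[1] or "?", origin_key[1])))
    return findings


if __name__ == "__main__":
    name, urls = parse_opensearch(CONSTRUCTED_OSD)
    print("provider:", name, "templates:", len(urls))
    for finding in foreign_templates(CONSTRUCTED_OSD, "http://www.mysite.com/open-search.xml"):
        print("FLAG", finding)
```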

DasBlog

Tangentially, if you are looking for the file to edit to add a new link URL to a dasBlog site, it is:

\dasblogce\themes\*\homeTemplate.blogtemplate

Listening To:  Sonic Youth, Daydream Nation

Friday, June 22, 2007 5:11:55 PM (AUS Eastern Standard Time, UTC+10:00)

Wednesday, June 13, 2007

This is the second post on Group Policy for web developers. Part 1 was about managing the Local Intranet Zone for your AD network. This post is based on a similar scenario: specifically, issuing certificates from a local Certification Authority, like the Microsoft Certificate Services that ships in Windows Server 2003.

Modern browsers give you a prettier warning than they did last year when you view a site that does not chain back to a Trusted Root CA. This is still an important warning, and we don't want to condition people into just clicking yes every time they see it.

The first thing you will need to do (and like the last post, a certain degree of domain administrative Godness is required...) is get the CA's certificate from the CA.  Using Microsoft Certificate Services, you want to choose the option highlighted below:

This will prompt you to save the certificate file.  Do this, then delete it when you are done. 

Next we need to install the certificate onto our client machines. We will need a GPO. You may use the one from the previous example or make a new one. Again, the place in your AD to create this will vary. For smaller sites adding it at the top level is fine, but hands off the default policy.

Navigate to Security Settings -> Public Key Policies -> Trusted Root Certification Authorities, as in the screen below:

Right-click on the Trusted Root Certification Authorities container and choose Import. Here, browse for the cert file saved in step one and you are done!

Finally, here is some linkage to much more detail about Certificates in AD.

Wednesday, June 13, 2007 1:15:54 PM (AUS Eastern Standard Time, UTC+10:00)

Friday, June 08, 2007

Some sites that you may have on your internal network, such as the Virtual Server console, SharePoint, ASP.NET sites of your own creation, and so on, can require your AD credentials to log you on. Typically the browser will prompt you for them unless you add the site to the Local Intranet zone.

This quickly becomes cumbersome as the number of users grows.  Everyone will have to add the URL to their Local Intranet zone manually and that spells work.

Internet Explorer

All the IE zones, including Local Intranet, can be administered by Group Policy. Where in your AD you create your GPO will depend on the scale of your operation; for smaller sites a GPO at the domain level is not a bad choice. I'd caution against editing your default domain policy; consider creating a new GPO just under it.

Edit the GPO and browse to the Site To Zone Assignment List, inside the Internet Control Panel \ Security Page settings:

  

The UI will let you add IP addresses, FQDNs or http/https addresses, and the zone each will belong to.

One side effect of this to watch for is that users can now no longer change their zones via the IE settings.

FireFox

For Firefox, you are going to have to create/maintain an all.js in the %installdir%\defaults\pref\ directory.

This is just a plain text file that contains settings in Firefox's JavaScript preference format. For Integrated Authentication you will need to add the following line:

pref("network.negotiate-auth.trusted-uris", "comma-separated site list");

Listening To: Kruder and Dorfmeister, the K&D Sessions, part 1

Friday, June 08, 2007 11:19:27 AM (AUS Eastern Standard Time, UTC+10:00)

Tuesday, June 05, 2007

I was just surprised to work out that I have been on Windows Vista for about a year now. I joined the club with Beta 2, which was released in May '06. I also toyed with an earlier WinHEC Longhorn release, but not in any substantial way.

From day one I’ve had UAC on.

Unfortunately, one of the last guys to join the compatibility club was Visual Studio 2005, with the Vista Update patch.

But just tonight I found the rare case of an MSI from Microsoft that failed with a cryptic message if not run as Admin: The Composite UI Application Block.

So I've put together a little grab bag of Vista UAC links and tips that I'm calling Strategies for life with UAC:

  • First and foremost, know what has changed. I wasn't shocked when Buzz, which hasn't had a substantial update since who knows when, wouldn't run out of the box. The audio subsystem had a major overhaul in Vista. AppCompat came to the rescue here.
  • Launch a cmd.exe shell as an admin, then run msiexec, regedit, or whatever from there. This way you only have to elevate once at the start of your session.
  • Use Compatibility, part I. Choose XP SP2 from the Compatibility tab of the EXE's File Properties page. Raymond Chen referred to this as a Combo Meal of AppCompat settings. Various degrees of sleight of hand, he said.
  • Use Compatibility, part II. You can also launch the Compatibility wizard from the Use an older program with this version of Windows link inside the Programs group in Control Panel. This is the same set of options as on the Properties page, however the UI is more suited to trial and error for troublesome programs, and you have the option to submit your results to Microsoft.
  • Use Compatibility, part III. I am aware that there is an application compatibility toolkit available for ISVs, but I haven't had cause to look much further.
  • Use Virtualization. Grab VPC 2007 (freebie). I use VPC for application and installation testing with the Undo Disks feature, but it would be just as valid to run a VPC of XP or earlier if you had some app that would only run on a specific OS.

Just a note on virtualization: I have not been able to find an authoritative source on the question of: if I put Vista on my PC, is it legit to use my old OEM XP CAL in a VPC? The rumours around the web seem to settle on: a) depends on your license agreement, but I suspect it is an edge case and they are playing that card close to their chest.

If you can find an authoritative, public link on the above question, please post a comment and there will be a prize. You know I'm good for it, people!

A couple of extra resources:

Listening To:  Boards of Canada, Music has the right to children

META | Security | Vista
Tuesday, June 05, 2007 10:57:48 PM (AUS Eastern Standard Time, UTC+10:00)

Monday, March 19, 2007

Today's link propagation is for a page called: patterns & practices Security Checklists Index over at MSDN:

http://msdn2.microsoft.com/en-us/library/ms998392.aspx

This page describes itself as:

This page provides an index of patterns & practices Security Checklists organized by categories using multiple views.

It's slightly dated, but still current.  One for the bookmarks.

Does anyone have any other .NET checklists they can share?

Monday, March 19, 2007 12:24:20 PM (AUS Eastern Standard Time, UTC+10:00)

Thursday, January 25, 2007

It has been hard to ignore some of the rumblings about the government's Access Card program, designed to improve the process around health and social services.

Problem is, there is a database nerd inside me that can see the merits of unified identity for what must be hundreds of computer systems of varying vintages in misc government departments. The twitchy paranoid inside me detects that eerie National ID Card smell about them. So I'm torn.

I wouldn't like to give the impression I know enough about this program to give informed critique, but I'm keeping an eye on this one...

Thursday, January 25, 2007 8:31:52 AM (AUS Eastern Standard Time, UTC+10:00)

Wednesday, January 24, 2007

First saw these in the back of Protect Your Windows Network and had cause to search for them today.  Here's the Linkage:

10 Immutable Laws of Security

They now look slightly more dated than I remember them ;) So replace Password with Passphrase as appropriate, etc.; there is also some very good advice in there too...

Wednesday, January 24, 2007 11:06:13 AM (AUS Eastern Standard Time, UTC+10:00)

Tuesday, December 12, 2006

This is something I have noticed in a lot of the samples around plugin architecture (for example). The common theme is to reflect over the DLLs in a path and load the types that implement a certain interface. Fair enough so far. Once you have a collection of pointers to entry points you have plug-ins... but you also have an attack vector.

These examples need to flesh out the scenario of testing the plug-in for authenticity, imho.

My gut feeling is I want an X.509 cert in there somewhere as a pre-shared secret, but I don't quite have the full picture in my head just yet: should that tie in with strong-naming assemblies, or be a separate additional layer? Suggestions welcome :-)

Tuesday, December 12, 2006 8:24:19 AM (AUS Eastern Standard Time, UTC+10:00)

Tuesday, July 25, 2006
I don't know what it is, but today I got this in my junk mail:


Dear Sir/Madam,

We have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.


Yours faithfully,
Steven Allison


*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 283-4108



I'm insulted.  If you are going to prank me into running your spyware, please put some effort into it.  Not to mention the small matter of jurisdiction...

There's this thing called the Turing Test. In a nutshell, it asks whether a computer can be so clever that you don't realize it's a computer you are communicating with. The test must then assume some benchmark level of human intelligence. Could a drop in the benchmark of human intelligence be measured by how lame the lure has to be before someone bites?

And a quick post-script to any law enforcement agencies out there:  If you ever get so lazy that you start to question suspects by email...  *rolls eyes*

Tuesday, July 25, 2006 8:54:42 AM (AUS Eastern Standard Time, UTC+10:00)

Wednesday, July 19, 2006
I saw this post the other day on the IE team's blog while looking at some IE7 stuff...

I was unaware that the SV1 token gets added to your browser User Agent string after XP SP2.  I don't think in this case it matters if SP2 is more secure than RTM XP, I still don't want someone to know my patch level.  Call me paranoid...

As fortune would have it, fiddler has an answer!  Thanks :-)

Oh, with regard to IE7 - apart from all the user experience enhancements like tabs (thanks for coming to the party IE) etc the killer I reckon is in protected mode registry virtualization - I think we will see more of this in future!

Wednesday, July 19, 2006 4:31:03 PM (AUS Eastern Standard Time, UTC+10:00)

Tuesday, June 27, 2006
Lately I've been receiving spam that seems to have no payload. 

No links to knock-off phallic pharmaceuticals.
No promise of promiscuous foreign brides.
Nada!

They just have a dozen lines like:
oziuyebjrukdebrrpzewciungdjfapa 
So yes, they are successful in getting through my heuristic filters, but to what end?  What is in it for the spammer?

Tuesday, June 27, 2006 10:39:54 AM (AUS Eastern Standard Time, UTC+10:00)

Monday, June 19, 2006

Hypothetically...

Just say I have a folder full of images and Windows had generated a Thumbs.db in that folder, now I burn the whole folder (including the thumbs file) and give it to you.

What can you know about my PC (OS, hardware, anything) from the Thumbs.db file alone?

When I find out, I'll post the answer here, or feel free to leave a comment.
Monday, June 19, 2006 1:21:11 PM (AUS Eastern Standard Time, UTC+10:00)

Friday, June 16, 2006

A week since my last blog post!  Here's a quick summary.

  • My head has been spinning at work.  Hit a busy period and I can't seem to work fast enough.
  • Sydney is starting to get C-O-L-D cold!
  • Gates is leaving Microsoft (later rather than sooner), Scoble is leaving Microsoft (I've been on the web site for half an hour and I still don't know what PodTech do)... would the last one to leave Redmond please turn out the lights? :)
  • The continuous integration thing is moving along.  Draco.Net, NAnt and NUnit all rock. 
    • Here's the trick for testing database code:  have your test setup put a transaction on the wire and have your test cleanup roll back the transaction.
    • I know I have only read the doc 8 times this week, but I think I'm starting to understand the DI pattern.
  • Microsoft renamed InfoCard to now be CardSpace.  WTF?  Still no cards?  Infocard is still a good idea - identity management is still very important but please guys drop the "cards" thing.  Not everyone follows WinFX developments up to the minute and you're starting to confuse people.  And I still don't have a satisfactory answer as to why we are doing this over protocols like HTTP and SMTP.  Why not another rev of these protocols to natively include identity, encryption and authentication, and then build identity management frameworks on top of them?
  • Neofiles has been doing my head in with talk of transhumanist singularities, cognitive liberty, liberation biology and nano-biotech. For some reason I put my strongly skeptical BS-filter on hold for this show and I am starting to think about these things. I'm definitely not sold on some of these topics. Maybe I'm just short on sleep.

Friday, June 16, 2006 5:29:24 PM (AUS Eastern Standard Time, UTC+10:00)

Thursday, June 08, 2006

Been a while since the last security post, so while it's a blogging day...

I was catching up on the PaulDotCom Security Weekly podcast and, during a discussion about insecure protocols like Telnet "behind the firewall", I learned that RDP ("Terminal Services") is vulnerable to Man in the Middle (MITM) attacks. In fact they put RDP into the same group as Telnet!

I remember when I started allowing RDP into my home network I did some research into whether the encryption used by RDP is secure (which it is), but this vulnerability highlights that encryption alone is not enough: the session can be intercepted by means of ARP Poison Routing, including what you type at the login prompt.

Since RDP is a bit of a fact of life for me at the moment, applying some defense in depth is in order. Some layers we could add:
  1. Tunnel the RDP connection over SSH. I really like this one because it adds a layer of authentication to the session, not just encryption. This addresses the root cause of the problem: so long as the encryption remains in place, RDP does not care how the traffic gets there.
  2. Tunnel the RDP connection over SSH. Yeah, but this time it is to allow us to close port 3389, thereby not advertising the availability of RDP on the host.
  3. IP filtering & IPSec policy. In my case I already have this in place for my off-site connections, to only allow connections from known-good IP addresses. This is equally valid for behind-the-firewall sessions.
  4. Certificates. I'm a big fan of certificates as a factor in authentication. I'll blog one day about using them to encrypt SQL Server's on-wire protocol. TechNet has a how-to that shows you how to set this up with Windows Server 2003 SP1 & Windows XP.

Thursday, June 08, 2006 11:37:50 PM (AUS Eastern Standard Time, UTC+10:00)

Tuesday, May 23, 2006
I just got this message from Skype about a security update:



Apart from the stray non-printable control char after the question mark, this is pretty much the way security update notices should go out for consumer applications.

The security fix only works if people download and run the update, and if the message can't be read by the intended audience because it is deep in techno-babble your patch is all for zip.

It reminds me of way-back-when, comparing iptables on Linux 2.4 vs. IPF in OpenBSD 2.x. The one factor that made OpenBSD more secure for me in this case was that the rules were written in words in the config file rather than as parameters to iptables, making them less error prone and hence more secure. I believe both those tools are left to history now anyway...

Anyway, well done Skype :-)

(NB:  They also blog :-)

Tuesday, May 23, 2006 6:19:12 PM (AUS Eastern Standard Time, UTC+10:00)

Tuesday, May 09, 2006

Something more we can all do:  Sender Policy Framework.

http://www.openspf.org/index.html

also

http://www.ietf.org/rfc/rfc4408.txt


The gist of it is that the SPF record in DNS identifies all the hosts that are allowed to send mail for that domain. Mail claiming to come from a domain that publishes an SPF record should not be accepted if the originating host is not listed in that record.

Anything that reduces spam gets my vote!

You can check your domain for this and related details at DNS Report.
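As an added example (not code from the post), an evaluator for the SPF decision just described, covering the ip4, ip6, include, all and redirect= terms of RFC 4408. The TXT records are constructed in the block in place of DNS lookups (example.com, _spf.mailer.example and old.example are placeholders), and the a, mx, ptr and exists mechanisms, which need live DNS, are treated as unsupported and yield permerror.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (example data, not any real domain's record).
CONSTRUCTED_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "old.example": "v=spf1 redirect=example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10   # RFC 4408 limit on include/redirect chasing per check


def lookup_spf(domain, txt=CONSTRUCTED_TXT):
    """Return the domain's SPF record, or None when it publishes none."""
    record = txt.get(domain.lower())
    if record is None or record.split()[0].lower() != "v=spf1":
        return None
    return record


def check_spf(sender_ip, domain, txt=CONSTRUCTED_TXT, depth=0):
    """Evaluate sender_ip against domain's record; returns pass, fail, softfail,
    neutral, none or permerror. Only ip4/ip6/include/all/redirect= are supported here."""
    if depth > MAX_DNS_MECHANISMS:
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in record.split()[1:]:
        # Modifiers look like name=value (redirect=, exp=); mechanisms use name:arg.
        if "=" in term and ":" not in term.split("=", 1)[0]:
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # An IPv4 sender never matches an ip6 network and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
        elif name == "include":
            inner = check_spf(sender_ip, arg, txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):   # RFC 4408: include of a missing record is an error
                return "permerror"
            # fail/softfail/neutral inside an include simply does not match; keep going
        else:
            return "permerror"                   # a, mx, ptr, exists: unsupported offline (assumption)
    if redirect is not None:
        result = check_spf(sender_ip, redirect, txt, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"


def should_accept(result):
    """Policy from the post: reject mail whose originating host the domain's record forbids.
    softfail/neutral/none are accepted (and would normally be scored by the spam filter)."""
    return result != "fail"


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8:1::5", "203.0.113.7"):
        result = check_spf(ip, "example.com")
        print(ip, "->", result, "accept" if should_accept(result) else "reject")
```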

Tuesday, May 09, 2006 5:22:11 PM (AUS Eastern Standard Time, UTC+10:00)

Friday, April 28, 2006


I was listening to DNR last night, the guest was Kim Cameron and they were talking all about Identity.  The topic of the let me get my work done button came up.  This is the digital version of the boy who cried wolf story. 

When the user is bombarded with endless security dialogues that they don't understand they blur into one big let me get my work done button.

I thought I'd represent it graphically :)


Friday, April 28, 2006 9:51:32 AM (AUS Eastern Standard Time, UTC+10:00)
Attachment: 20060428-What-Non-technical-users-see.jpg (64.61 KB)

Wednesday, April 19, 2006
I've been a fan of Crypto-Gram for ages. Blogged about it too. Its author, Bruce Schneier, really knows his stuff. It's a welcome reminder each month that when dealing with information security (as everyone employed in tech really is) paranoia is a very healthy emotion.

He asked bloggers to help spread the word of a proposed contest on movie-plot terrorist threats. These are the kind where (in my words) someone has a maybe-valid/maybe-invalid idea about how a terrorist could go about their aims, then removes the doubt around their own stupidity by trying (often at great proposed expense) to mitigate the risk. Sigh.

I'll be tracking the Technorati results for this too :)

I have reprinted Mr Schneier verbatim from this month's Crypto-Gram below.


Movie-Plot Threat Contest



NOTE: If you have a blog, please spread the word.

For a while now, I have been writing about our penchant for "movie-plot threats": terrorist fears based on very specific attack scenarios.  Terrorists with crop dusters, terrorists exploding baby carriages in subways, terrorists filling school buses with explosives -- these are all movie-plot threats.  They're good for scaring people, but it's just silly to build national security policy around them.

But if we're going to worry about unlikely attacks, why can't they be exciting and innovative ones?  If Americans are going to be scared, shouldn't they be scared of things that are really scary?  "Blowing up the Super Bowl" is a movie plot to be sure, but it's not a very good movie.  Let's kick this up a notch.

It is in this spirit I announce the (possibly First) Movie-Plot Threat Contest.  Entrants are invited to submit the most unlikely, yet still plausible, terrorist attack scenarios they can come up with.

Your goal: cause terror.  Make the American people notice.  Inflict lasting damage on the U.S. economy.  Change the political landscape, or the culture.  The more grandiose the goal, the better.

Assume an attacker profile on the order of 9/11: 20 to 30 unskilled people, and about $500,000 with which to buy skills, equipment, etc.

Post your movie plots here on this blog.

Judging will be by me, swayed by popular acclaim in the blog comments section.  The prize will be an autographed copy of Beyond Fear.  And if I can swing it, a phone call with a real live movie producer.

Entries close at the end of the month -- April 30.

This is not an April Fool's joke, although it's in the spirit of the season.  The purpose of this contest is absurd humor, but I hope it also makes a point.  Terrorism is a real threat, but we're not any safer through security measures that require us to correctly guess what the terrorists are going to do next.

Good luck.

Post your entries, and read the others, here:

http://www.schneier.com/blog/archives/2006/04/announcing_movi.html

Movie-plot threats:
http://www.schneier.com/essay-087.html

http://www.time.com/time/nation/article/0,8599,175951,00.html
http://www.schneier.com/blog/archives/2005/10/exploding_baby.html
http://www.schneier.com/blog/archives/2006/02/school_bus_driv.html
http://www.imdb.com/title/tt0075765

There are hundreds of ideas here:
http://cockeyed.com/citizen/terror/plans/terrorwatch.html


Wednesday, April 19, 2006 2:22:56 PM (AUS Eastern Standard Time, UTC+10:00)

Tuesday, February 21, 2006

OK, this is my wishlist for a proximity security device for the Windows platform. There are a couple out there, but none that do all of what I want, are available locally and are affordable. Maybe no more than $100-150 initially and coming down with volume.

Backgrounder:  A proximity security device is just a gizmo that is aware of how close you are to your computer, and secures it when you're not around.

  • It has to work with Windows integrated security. This means not starting a new process that covers the screen and requires yet another local password store, nor something that starts the Windows screensaver. It has to lock Windows at the NT security layer. It should also be Group Policy aware, so your AD could stop your account being used on a machine that did not support the device.
  • You're going to need a dongle on your keyring, and some receiver in your pocket, but no USB! The system should not be able to be neutralized by ripping out the dongle while you're away from your desk. Also, USB leaves too much of the process visible to the driver stack.
  • It needs to be tamper evident.  So if a machine is rebooted while secured it needs to be noted somewhere in big red letters!
  • It needs to pause Windows Media Player/Winamp/Sonique/iTunes :)
  • You must only be able to log in to the machine again when the dongle is in proximity.
  • Maybe even some biometric on the keychain dongle so that it can only send back a signal when your fingerprint matches.
  • It would be nice if one keychain could lock multiple machines.
  • Lastly, and most importantly, it must automatically lock your machine when you move a certain distance from the machine with no questions asked.

Has anyone seen such a gizmo?  Or am I meant to keep dreaming :)
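As an added example (not from the post, and not any product's code), here is how the lock-at-the-security-layer and tamper-evidence items on the list above can be sketched in PowerShell: the workstation is locked through the Win32 LockWorkStation API rather than a screensaver, a marker file records that the lock was proximity-triggered, and a reboot while that marker exists is flagged from the System event log. The receiver hardware does not exist here, so Test-DonglePresent is a hypothetical placeholder that reads a constructed RSSI value from a file, and the ProxLock folder and file names are assumptions.

```powershell
# Added example, not the post's code. Hypothetical pieces: Test-DonglePresent (stands in for the
# receiver), the ProxLock folder and rssi.txt (constructed input). LockWorkStation and event 6005 are real.
Add-Type -Namespace Win32 -Name Session -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
'@

$StateDir = Join-Path $env:ProgramData 'ProxLock'
$Marker   = Join-Path $StateDir 'locked-by-proximity.flag'

function Test-DonglePresent {
    # Placeholder for the receiver query: treats the signed RSSI (dBm) in rssi.txt as the
    # token's signal strength. Anything below the threshold (or no reading) counts as "away".
    param([int]$ThresholdDbm = -70)
    $rssi = Get-Content -Path (Join-Path $StateDir 'rssi.txt') -ErrorAction SilentlyContinue
    return ($null -ne $rssi) -and ([int]$rssi -ge $ThresholdDbm)
}

function Lock-OnAbsence {
    # Lock at the Windows security layer (same path as Win+L), not via a screensaver or
    # a full-screen process, then persist when the lock happened.
    New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
    Set-Content -Path $Marker -Value (Get-Date -Format o)
    [Win32.Session]::LockWorkStation() | Out-Null
}

function Test-RebootWhileLocked {
    # Tamper evidence: the marker is only removed when the token returns, so a marker that
    # predates an Event Log service start (System log, ID 6005) means the box rebooted while secured.
    if (-not (Test-Path $Marker)) { return $false }
    $lockedAt = [datetime](Get-Content -Path $Marker)
    $boot = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005; StartTime = $lockedAt } `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    return [bool]$boot
}

# Run as the logged-on user (e.g. from a logon task). Report first, then start monitoring.
if (Test-RebootWhileLocked) {
    Write-Warning "MACHINE WAS REBOOTED WHILE LOCKED (locked at $(Get-Content -Path $Marker))"
}
Remove-Item -Path $Marker -ErrorAction SilentlyContinue
while ($true) {
    if (Test-DonglePresent) {
        Remove-Item -Path $Marker -ErrorAction SilentlyContinue   # token back in range
    } elseif (-not (Test-Path $Marker)) {
        Lock-OnAbsence                                            # token gone: lock once, no prompt
    }
    Start-Sleep -Seconds 5
}
```

The "only log in again when the dongle is present" item needs a credential provider, which this user-mode loop cannot enforce; it only covers locking, not unlocking.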
Tuesday, February 21, 2006 1:03:43 PM (AUS Eastern Standard Time, UTC+10:00)

Monday, February 20, 2006

OK, here's my monthly props for CryptoGram...

Bruce Schneier links to a story where some Russians use a 'dead drop' technique via anonymous email systems like Hotmail.

The idea is that two or more people share an email account and, instead of sending email messages to each other, they just save their message as a draft email for the next guy to read.

I like this as a specific case to illustrate the more general point about security based on "building higher walls" being bad, because it assumes that all entry points are known!

After Blog Mint: I've been thinking more about this... the key isn't that the message never went across the wire, because it did (from the PC to the Hotmail server); it's that it didn't leave Hotmail via SMTP, so the goal in sight is to avoid SMTP message detection and signal analysis based on SMTP traffic. Taking that as the general case leaves open a bunch of other scenarios, like storing secret data on mobile SIM cards for example. Just a thought...
Monday, February 20, 2006 3:56:46 PM (AUS Eastern Standard Time, UTC+10:00)

Wednesday, September 28, 2005

Firstly, the credits. This post would not have been possible without Jesper Johansson. Look at his notes on Anatomy Of A Hack. He's an authority on securing Windows networks, and has given me a lot to think about.

Prime among them is the problem that while running secure web applications on secure Windows servers has never been more possible, it's still too much of a black art.  I'm just scared that too many apps will be bumped up to run as administrative accounts because it's just too much hard work to get them to run.

Even following good quality (but slightly dated) patterns and practices guides like Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (2002, extra comma theirs) isn't the full story. You can still be forced to resort to tools like Filemon and Regmon to work out why your least-priv account cannot be started as an application pool.

This isn't meant to be a Windows is insecure rant, because they are 10-a-penny.  This is just meant to be a heads-up and link-fest.

Final link for the bandwidth-endowed.  You can watch a couple of sessions presented by Jesper at the Tech.Ed 2005 Australia site.

After Blog Mint:

I thought I'd post some more links to resources I can personally recommend:

Wednesday, September 28, 2005 9:16:10 AM (AUS Eastern Standard Time, UTC+10:00)