Security
Clue for Developers
Windows NT/2000/XP/2003 is a multi-user operating system. It is not DOS. Do not develop software as an administrator. It may be annoying, but you will become accustomed to working with least privileges.
12:09:03 PM
categories: Security
Interview with Bruce Schneier
Mark Frauenfelder at BoingBoing, who seconds my motion regarding the Department of Homeland Security, points to ITConversations' excellent interview with Bruce Schneier. He almost sounds like an economist in evaluating risks: Are we getting good value for our investment?
When the U.S. Government says that security against terrorism is worth curtailing individual civil liberties, it's because the cost of that decision is not borne by those making it.
10:43:19 AM
categories: Security
A Suggestion for Either Candidate
Now that John Kerry is the presumptive Democratic nominee for President, I'd like to reiterate my recommendation that Bruce Schneier be appointed to either of two positions in the new administration:
- National Security Advisor
- Director of Homeland Security
Of course, in the event of a Bush landslide in the States of Contention, I'd be more than happy if he'd do the same. We need someone in government who actually knows something about security.
11:52:18 AM
categories: Politics, Security
Trust, My Ass
As long as the paperwork all lines up, who the hell cares?
6:13:45 PM
categories: Identity, Security, System Administration
Verification
Our friends at Verisign like to use a trusted third-party source when verifying the identity of the contact information given in a certificate signing request. What this entails is that they call 411 and ask for the listed telephone number of the requesting company. They then call that number, and ask to speak with the person requesting the certificate, or ask for confirmation that the requestor is employed by said company.
You would think that the phone company would be easily verifiable. Turns out that they can't just call the operator to get in touch with someone on staff, nor are the affiliates' listed numbers answered by live people. How funny is that?
11:08:40 PM
categories: Identity, Security
Hah!
Netcraft reports on Microsoft's pathetic work-around for phishing. That's it: disable functionality because your application has issues with parsing a particular kind of URI.
Oh, wait, isn't this the same thing you did to work around hidden extensions in filenames?
2:01:04 PM
categories: Dear Microsoft, Security
Can I Get Some Help Here?
Gee, Microsoft, you could have made filtering network traffic just a little bit more usable. All you had to do was write a log file, or at least give us the option to log what you're doing.
So I'm applying their so-called IP filters to a host before we deploy it. And, unlike some idiots out there in InternetLand, I use a default DENY rule. So, I add one of those. Then I add the exceptions to the "naff off" rule. And then I apply the filter.
And that doesn't work, because now everything is denied. I suppose that's better than having everything allowed, but it's more than a little annoying. Now I have to leave my chair!
The rudimentary firewall in Windows 2000 applies the rules in a somewhat dynamic fashion. In other words, it's unpredictable. If you permit traffic first, and only then deny it, then things work. Maybe. Who knows? It doesn't log anything.
Update: There are a couple of tools that make the Windows 2000 IP Security Policy more transparent. Of course, neither of these is installed by default, and one must be acquired from the Resource Kit. netdiag, from the support tools provided on the Windows 2000 CD, can display the status of all networking components. The helpful thing here is that it appears to display the policy filters in the order in which they are applied. The following will spit verbose output for the IPsec test suite to NetDiag.log:
netdiag.exe /v /test:ipsec /l
The other tool is ipsecpol, part of the Resource Kit, but fortunately available for download. ipsecpol can be used to set policy from the command line. But the elite programmers at Microsoft wrote it only to set policy, not display it, so you'll want to read the instructions. Knowledge Base article 813878: How to Block Specific Network Protocols and Ports by Using IPsec contains examples.
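As an added illustration (not code from the original post), here is the default-deny-plus-exceptions policy described above, built with ipsecpol and then checked with netdiag so you can see what was actually applied. The policy and rule names, the admin workstation address and the permitted ports are made up; the ipsecpol switches follow the tool's usage text and the KB 813878 examples as I recall them, so check them against the article before trusting this on a box you can't walk over to.

```batch
@echo off
rem Added example, not code from the original post: build a default-deny
rem IPsec policy with explicit permit exceptions using ipsecpol.exe (Windows
rem 2000 Resource Kit), assign it, then dump the applied filters with netdiag.
rem Policy/rule names, the admin workstation address and the permitted ports
rem are constructed. Switches (recalled from the ipsecpol usage text and
rem KB 813878): -w REG writes to the local registry store, -p policy name,
rem -r rule name, -f filter, -n negotiation action, -x assign, -y unassign,
rem -o delete. Filter syntax: SOURCE=DEST[:PORT[:PROTOCOL]] where * is any
rem address, 0 is this host, "=" is one-way and "+" would be mirrored.

set POLICY=Host Lockdown

rem 1. Default deny: drop all inbound traffic to this host.
ipsecpol -w REG -p "%POLICY%" -r "Deny All Inbound" -f *=0 -n BLOCK

rem 2. Exceptions to the "naff off" rule: only the services this host offers.
ipsecpol -w REG -p "%POLICY%" -r "Permit HTTPS In" -f *=0:443:TCP -n PASS
ipsecpol -w REG -p "%POLICY%" -r "Permit SMTP In"  -f *=0:25:TCP  -n PASS

rem 3. Management access from one admin workstation (constructed address).
ipsecpol -w REG -p "%POLICY%" -r "Permit Admin RDP" -f 192.168.10.5=0:3389:TCP -n PASS

rem 4. Assign the policy so the IPsec driver actually enforces it.
ipsecpol -w REG -p "%POLICY%" -x

rem 5. netdiag is the only thing that shows which filters got applied and in
rem    what order; the verbose IPsec test output lands in NetDiag.log.
netdiag.exe /v /test:ipsec /l
type NetDiag.log

rem To back out if the host goes dark: unassign, then delete the policy.
rem   ipsecpol -w REG -p "%POLICY%" -y
rem   ipsecpol -w REG -p "%POLICY%" -o
```

If everything is still denied after step 4, NetDiag.log is the place to compare the filters you think you wrote with the ones the driver is holding.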
5:09:45 PM
categories: Dear Microsoft, Security, System Administration