Technological Musings

Imagine a world where you can login to your computer once and have full access to all of the functionality in your computer, plus seamless access to all of the web sites you visit on a daily basis. No more logging into each site individually, your computer's operating system takes care of that for you.

That world may be coming quicker than you realize. I was listening to a recent episode of the PaulDotCom security podcast today. In this episode, they interviewed Jason Fossen, a SANS Security Faculty Fellow and instructor for SEC 505: Securing Windows. During the conversation, Jason mentioned some of the changes coming to the next version of Microsoft's flagship operating system, Windows 8. What he described was, in a word, horrifying…

Not much information is out there about these changes yet, but it's possible to piece together some of it. Jason mentioned that Windows 8 will have a broker system for passwords. Basically, Windows will store all of the passwords necessary to access all of the various services you interact with. Think something along the lines of 1Password or LastPass. The main difference being, this happens in the background with minimal interaction with the user. In other words, you never have to explicitly login to anything beyond your local Windows workstation.

Initially, Microsoft won't have support for all of the various login systems out there. They seem to be focusing on their own service, Windows Live, and possibly Facebook. But the API is open, allowing third-parties to provide the necessary hooks to their own systems.

I've spent some time searching for more information and what I'm finding seems to indicate that what Jason was talking about is, in fact, the plan moving forward. TechRadar has a story about the Windows 8 Credential Vault, where website passwords are stored. The credential vault appears to be a direct competitor to 1Password and LastPass. As with other technologies that Microsoft has integrated in the past, this may be the death knell for password managers.

ReadWriteWeb has a story about the Windows Azure Access Control Service that is being used for Windows 8. Interestingly, this article seems to indicate that passwords won't be stored on the Windows 8 system itself, but in a centralized "cloud" system. A system called the Access Control Service, or ACS, will store all of the actual login information, and the Windows 8 Password Broker will obtain tokens that are used for logins. This allows users to access their data from different systems, including tablets and phones, and retain full access to all of their login information.

Microsoft is positioning Azure ACS as a complete claims-based identity system. In short, this allows ACS to become a one-stop shop for single sign-on. I log into Windows and immediately have access to all of my accounts across the Internet.

Sounds great, right? In one respect, it is. But if you think about it, you're making things REALLY easy for attackers. Now they can, with a single login and password, access every system you have access to. It doesn't matter that you've used different usernames and passwords for your bank accounts. It doesn't matter that you've used longer, more secure passwords for those sensitive sites. Once an attacker gains a foothold on your machine, it's game over.

Jason also mentioned another chilling detail. You'll be able to login to your local system using your Windows Live ID. So, apparently, if you forget your password for your local user, just login with your Windows Live ID. It's all tied together. According to the TechRadar story, "if you forget your Windows password you can reset it from another PC using your Windows Live ID, so you don't need to make a password restore USB stick any more." They go on to say the following :

You'll also have to prove your identity before you can 'trust' the PC you sync them to, by giving Windows Live a second email address or a mobile number it can text a security code to, so anyone who gets your Live ID password doesn't get all your other passwords too – Windows 8 will make you set that up the first time you use your Live ID on a PC.

You can always sign in to your Windows account, even if you can't get online – or if there's a problem with your Live ID – because Windows 8 remembers the last password you signed in with successfully (again, that's encrypted in the Password Vault).

With this additional tidbit of information, it would appear that an especially crafty attacker could even go as far as compromising your entire system, without actually touching your local machine. It may not be easy, but it looks like it'll be significantly easier than it was before.

Federated identity is an interesting concept. And it definitely has its place. But, I don't think tying everything together in this manner is a good move for security. Sure, you can use your Facebook ID (or Twitter, Google, OpenID, etc) already as a single login for many disparate sites. In fact, these companies are betting on you to do so. This ties all of your activity back to one central place where the data can be mined for useful and lucrative bits. And perhaps in the realm of a social network, that's what you want. But I think there's a limit to how wide a net you want to cast. But if what Jason says is true, Microsoft may be building the equivalent of the One Ring. ACS will store them all, ACS will verify them, ACS will authenticate them all, and to the ether supply them.

I was fortunate enough to obtain both a PlayStation 3 and an Xbox 360 recently. I've owned a Wii since it was launched back in 2006. The Wii was always relegated as a non-contender in the "next-gen" console wars. The Wuu has definitely held its own, however, effectively carving its own niche. Instead of concentrating on graphics and processor technology, they went in a completely different direction, creating a new way to play games with their innovative controller.

I have been a Playstation guy for a while. While I never owned the original Playstation, I did get the Playstation 2 on the day it was released. The PS2 was the clear winner in the previous generation of consoles, handily beating the Nintendo 64 and Dreamcast. Microsoft was late to the game with the original Xbox, which didn't seem to do very well. The Playstation 3 has been a powerhouse since it was released. It clearly has better graphics then any other system out there, and the processing power of the system is incredible. Games on this thing look incredible, but despite this, I don't think Sony is doing very well.

The Xbox 360 is a pretty decent machine, despite the red-ring issue they initially had. It doesn't have the power or graphical prowess of the PS3, but it does have a pretty strong backing. I'm not a hardcore Microsoft hater, but I'm not exactly a fan either. I've essentially moved on from Windows and I use either Linux or OS X now. Despite this, I've been drawn to the Xbox 360 for some time now. I had avoided purchasing one, but then, I had avoided purchasing a PS3 as well. Since getting both a PS3 and an Xbox 360, however, I've noticed that I'm drawn more towards the 360 and I've grown curious as to the reasoning behind this. I think I've finally identified it.

If you want your platform to do well, you need to build a community around it. Microsoft's Xbox team has done this, in spades. Marketing is one thing, and there is a massive marketing force behind the 360, but community can really make or break things. The PS3 has a little bit of a community, mostly centering around the PS blog. Nintendo's community is virtually nonexistent. But the 360 community is just huge and engaging. Major Nelson and his team do an incredible job promoting the 360 while keeping their content entertaining and diverse. The 360 itself encompasses a ton of community building with a stream of new content about new games, videos, and music.

I think Microsoft's Xbox team has clearly won this round of the console wars. The advent of the Kinect and the Move, round two is clearly on its way. The Kinect seems to be out to an early lead, however, with the Move being mostly ignored as a copy of the Wii motion controllers. Nintendo doesn't seem to have a play in this latest round, though one could argue they were first to market when they initially launched.

I enjoy playing all three consoles, but the Xbox clearly seems to be winning in my home. Microsoft is doing an incredible job thus far with the Xbox and I'm hoping they continue they way they're going.

April 1, 2009. The major media outlets are all over this one. Digital Armageddon. The end of computing as we know it. Again. But is it? Should we all just "Chill Out?"

So what happens April 1, 2009? Well, Conficker activates. Well, sort of. It activates the latest revision of its auto-update algorithm, switching the number of domains it can find updates on from 250 per day to 50,000 per day. Conficker, in its current form, isn't really malicious beyond techniques to prevent detection. In order to become malicious, it will need to download an update to the base code.

There are two methods by which Conficker will update its base code. The first method is to download the code via a connection to one of the 50,000 domains it generates. However, it does not scan all 50,000 domains at once. Instead, it creates a random list of 500 of the 50,000 generated domains and scans them for an update. If no update is found, Conficker sleeps for 24 hours and starts over by generating a new list of 50,000 domains, randomly picking 500, and contacting them for an update. The overall result of this is that it becomes nearly impossible to block all of the generated domains, increasing the likelyhood that an update will get through. On the flip side, this process appears that it would result in a very slow spread of updates. It can easily take days, weeks, or months for a single machine to finally stumble upon a live domain.

The second method is to download the code via a peer-to-peer connection between infected hosts. As I understand it, the peer-to-peer mechanism has been active since revision C of Conficker has been in the wild. This mechanism allows an update to spread from system to system in a very rapid manner. Additionally, based on how the peer-to-peer mechanism works, it appears that blocking it is difficult, at best.

So what is the risk here? Seriously, is my computer destined to become a molten heap of slag, a spam factory, or possibly a zombie soldier in a botnet attack against foreign governments? Is all hope lost? Oh my , are we all going to die!

For the love of all things digital, pull it together! It's not as bad as it looks! First off all, if you consistently update your machines and keep your anti-virus up to date, chances of you being infected are very low. If you don't keep up to date, then perhaps you should start. At any rate, fire up a web browser and search for a Conficker scanner. Most of the major anti-virus vendors have one. Make sure you're familiar with the company you're downloading the scanner from, though, a large number of scam sites have popped up since Conficker hit the mainstream media.

If you're a network admin, you have a bigger job. First, I'd recommend any windows machines you are responsible for are patched. Yes, that includes those machines on that private network that is oh-so impossible to get to. Conficker can spread via samba shares and USB keys as well. Next, try scanning your network for infections. There are a number of Conficker scanners out there now thanks to the Honeynet Project and Dan Kaminsky. I have personally used both the proof-of-concept python scanner, as well as the latest version of nmap.

If you're using nmap, the following command line works quite well and is incredibly fast :

nmap -sC --script=smb-check-vulns --script-args=safe=1 -p139,445 \
-d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 \
-oA conficker_scan

Finally, as a network admin, you should probably have some sort of Intrusion Detection System (IDS) in place. Snort is an open source IDS that works quite well and has a large community following. IDS signatures exist to detect all known variants of Conficker.

So calm down, take a deep breath, and don't worry. I find it extremely unlikely that April 1 will result in anything more than a blip in network activity. Instead, concentrate on detection and patching. Conficker isn't Skynet.... Yet.

My wife is a professional SEO consultant with her own business. I work with her on occasion, helping out with the server end of things. It's fun and challenging, and I think we work pretty well together.

So, the other day she comes to me with an odd question. Why is Google Analytics suddenly showing a high bounce rate for new keywords? Interesting problem, of course. One of the first things that popped into my mind was either a blackhat SEO or a rival of some sort. It sounds paranoid, but it does happen.

So I pulled the access logs and started pouring through them. Since the bounce rate came from a keyword search, it was easy enough to locate the offending entries. There were hundreds of log entries, all coming from the same 65.55.0.0/16 address space. A couple more seconds of digging showed that 65.55.0.0/16 was owned by Microsoft. Reverse DNS on some of the IPs revealed that these IPs were all part of the MSN web crawler. MSN apparently doesn't provide reverse DNS for all of their IPs. No matter, there were enough to prove that this was MSN. Here's an example from the log:

65.55.110.195 - - [24/Mar/2009:03:08:05 -0400] "GET /index.html HTTP/1.0" 200 58838 "http://search.live.com/results.aspx?q=keyword" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)"

So what in the world is going on here? Why are we getting pounded by hundreds upon hundreds of requests from the MSN crawler? And why is the MSN crawler reporting itself as Internet Explorer 6.0? The referrer URL showed the source of the request to be from a live.com search, but these being crawler addresses, I'm willing to bet this was programmed in rather than a result of an actual search. It doesn't really matter, though, because whatever it is, it's causing a high bounce rate and really screwing up the site statistics. The high bounce rate may be affecting the Google ranking as well.

Before we blocked these requests, though, we wanted to make sure this was unwanted behavior, so we started digging for info. One of the pages we came across described the same behavior we were seeing. As it turns out, this strange activity is intended. Live.com claims they do this to detect cloaking. Of course, it was quite easy to identify these IPs as coming from Microsoft, and determine (rather quickly) that they are sourcing from a search engine. It would be very simple to broaden any cloaking to include those IPs, making this crazy technique useless.

Microsoft claims they are continuing to tune their crawler to reduce the spam and make the keywords more relevant. The point is, though, that this seems to hurt more than it helps. As a result, many webmasters are blocking the referrer spam, at risk of having MSN blacklist the site. We have followed suit, deeming both MSN and Live.com to be irrelevant search engines.

Of course, if someone out there has a better idea of how to handle this, I'm listening...

Well, looks like the early information on Windows 7 might be wrong.  According to an interview with Steven Sinofsky, Senior Vice President of Windows and Windows Live Engineering at Microsoft, there are a few details you may have heard that may not be entirely true.  But then again, it seems that Mr Sinofsky did tap dance around a lot of the questions asked.

First and foremost, the new kernel.  There has been a lot of buzz about the new MinWin kernel, which many believe to be integral to the next release of Windows.  However, according to the interview, that may not be entirely true.  When asked about the MinWin kernel, Mr Sinofsky replied that they are building Windows 7 on top of the Windows Server 2008 and Windows Vista foundation.  There will be no new driver compatibility issues with the new release.  When asked specifically about the minimum kernel, he dodged the question, trying to focus on how Microsoft communicates, rather than new features of Windows.

So does this mean the MinWin kernel has been cut?  Well, not necessarily, but I do think it means that we won't see the MinWin kernel in the form it has been talked about.  That is, very lightweight, and very efficient.  In order to provide 100% backwards compatibility with Vista, they likely had to add a lot more to the kernel, moving it from a lightweight, back into the heavyweight category.  This blog post by Chris Flores, a director at Microsoft, seems to confirm this as well.

The release date has also been pushed back to the original 2010 date that was originally stated.  At a meeting before the Inter-American Development Bank, Bill Gates had stated that a new release of Windows would be ready sometime in the next year or so.  Mr Sinofsky stated firmly that Windows 7 would be released three years after Vista, putting it in the 2010 timeframe.

Yesterday evening, at the All Things Digital conference, a few more details leaked out.  It was stated again that Windows 7 would be released in late 2009.  Interestingly enough, it seems that Windows 7 has "inherited" a few features from it's chief competitor, Mac OSX.  According to the All Things Digital site, there's a Mac OS-X style dock, though I have not been able to find a screenshot showing it.  There are these "leaked" screenshots, though their authenticity (and possibly the information provided with them) is questionable at best.

The biggest feature change, at this point, appears to be the addition of multi-touch to the operating system.  According to Julie Larson-Green, Corporate Vice President of Windows Experience Program Management, multi-touch has been built throughout the OS.  So far it seems to support the basic feature-set that any iPhone or iPod Touch supports.  Touch is the future, according to Bill Gates.  He went on to say:

“We’re at an interesting junction.  In the next few years, the roles of speech, gesture, vision, ink, all of those will become huge. For the person at home and the person at work, that interaction will change dramatically.”

All in all, it looks like Windows 7 will just be more of the same.  With all of the problems they've encountered with Vista, I'll be surprised if Windows 7 becomes the big seller they're hoping for.  To be honest, I think they would have been better off re-designing everything from scratch with Vista, rather than trying to shovel in new features to an already bloated kernel.