It’s normal for Microsoft to transition their corporate environment to the latest and greatest software, especially as they transition towards RTM (release to manufacturing). However, it was quite interesting to hear that Microsoft is considering revoking local admin-rights during the Vista company-wide rollout.

We haven’t made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control — that is the feature in Vista — so that we can start moving in that direction … It is a tough balance and every company has to decide what is right for them,’ said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees.

Live by the sword, die by the sword. I find it shocking that in a large corporate environment the policy allows for most everyone to run Windows as a local admin. Though this easily explains why it is such a pain to work as a regular user; Microsoft hasn’t had to struggle through the process yet.

Take installing software in the typical corporate environment.

In UNIX:

1. User needs a particular application. Depending on company policy, the user may be able to install in their own home folder. If not, they could submit a request to support.
2. Support authorizes request, does a remote SSH connection to the users machine, installs the software (while the user is still working) and notifies user that the software was installed.
3. Software ties into centralized package management system so IT can keep tabs on security notifications, updates, etc and roll it (easily) into the centralized update mechanism.

In Windows:

1. The user needs software and does not have admin rights. The chances the user can install in their home folder is close to 0%. User requires IT to install.
2. IT receives the request and approves it. Perhaps IT gets lucky and the software is packaged as an MSI that can be installed via group policy. IT adds the install files to a network share and adjusts group policy. Tells user to restart or wait until next boot to get the update. Most likely the software cannot be installed via MSI (no auto-install MSI exists) and manual installation will happen.
3. IT contacts the user to tell them they will access their system remotely and to log out (no concurrent users in XP). User logs out and IT logs in remotely via RDP rendering the computer inaccessible for the user.
4. IT installs the software as administrator. IT logs out and notifies the user the software was installed.
5. A little while later, user contacts IT saying that the software does not run properly. Apparently the software needs to be run as admin first time to initiate some files in the program files folder. Admin repeats step 2 and 3 to finalize the software install. Unfortunately, the software refuses to run via RDP. IT has to either have local user login as a temporary admin to run the software or admin has to physically access the machine.
6. Admin decides to go to the machine to step through the install. Runs the software, logs in as the user account and it still is not operational. Admin then has to pull out regmon/filemon to determine the issues (as the regular user). Once done, admin has to re-acquire admin level rights (ie runas or admin shares) to make file permission changes/registry security changes.
7. After a debugging session, the software finally works as expected for the user (hopefully). Admin then writes down all the steps required in the event of a software upgrade, future install, etc.
8. Admin decides to notify software company so hopefully next version is fixed.. software company’s support is not interested and state “admin access required”.
9. There is no central management of the software, so admin has to manually check for updates (along with the myraid of other software). Perhaps in the spare time, the admin writes a script to assist in the installation.

I’m not jaded though – honest. Gah!!!

DD-WRT is maintained by BrainSlayer at dd-wrt.com. DD-WRT up to v22 was based on the Alchemy firmware from Sveasoft, which was based on the original Linksys firmware. Among other features not found in the original Linksys firmware, DD-WRT adds the Kai Console Gaming network daemon, Wireless Distribution System (WDS), RADIUS, Quality of Service (QoS) controls for bandwidth allocation, radio output power control (up to 251mW), and software support for a Secure Digital card hardware modification.

Check out the newest version.

Password Safe is a free and open source program that allows you to use a unique password for all your accounts, without actually having to remember all those username and password combinations. The program is a single binary/exe that requires no installation, which makes it highly portable and conveinent, and runs on all various flavors of Windows.

Starting Password Safe the first time results in a window prompting for the location of the password database you wish to open. As you have yet to create the database, simply clicking Create new database will allow you to, surprisingly, create your database file as well as assigning a Master Password that is necessary for authentication during day to day usage. Pick a strong and secure password, but do not forget it, as there will be no way to recover your password file without it. Hey, you wanted security right?

Adding a new username/password is simple and straightforward, even allowing for the creation of random ultra-secure passwords. You may wish to take advantage of this feature because Password Safe is able to fill in the login form inside your browser with a simple keyboard shortcut (CTRL+T). Not only will Password Safe remember your passwords, it also facilitates the ability to create strong passwords.

As our Internet lifetime continues to age, we are constantly challenged in remembering and maintaining all of our account information. Password Safe is an excellent tool whose value is only truly realized the more you use it.

It’s clear that Microsoft is attempting to instill safe practices to it’s userbase; you should not run Windows under the Administrator account. Fabulous idea, no one can argue that. However its current implementation is just a nightmare to work with and those of us that are already the “family tech guy” are in for a real treat in a year as Vista becomes more prevelant. The user/permission paradigm is just not a part of the average Windows user’s technology-trained mind. That’s probably the first hurdle in the security marathon. Secondly, many many applications in their current iterations fail miserably under UAP. One of Windows strengths is in its ability to run software from 10 years back – this just isn’t going to fly any longer.

I still have what may be misguided faith that Microsoft will polish this up, because, whether we all want to admit it, this is desperately needed.

Hamachi is a program that enables you to quickly configure a secure private network between computers over the traditionally insecure Internet. At it’s core, this slick solution allows you to access your computers remotely (over VNC or RDP), safe Windows File Sharing, play LAN games, or deploy inherently private Web or FTP servers. Essentially it allows people to build ad hoc local area networks, easily.

Installation of Hamachi is of standard fare.

1. Download the most recent version of the software (version 1.0.0.56 as of this writing).
2. Step through the installation process; accepting the default options is recommended. A reboot may be necessary afterwards, to finish off the installation process.
   
3. Once installed, launch Hamachi from the newly created shortcut. Here Hamachi will step you through the account creation process by requesting a nickname and creating the account on the Hamachi server. You will be presented with your own unique 5.X.X.X IP address upon completition.
   
   
4. After account creation and login, it is time to create your private network. Click “Create new network” and provide the requested information. The password chosen here should be highly secure as it is critical to Hamachi’s security model.
   
5. On a second computer, follow the installation process from above but instead of creating a new network, you want to “Join existing network” using the password created as authentication.

So how does this all work? From Hamachi’s website, the “peers utilize the help of a 3rd node called mediation server to locate each other and to boot strap the connection between themselves. The connection itself is direct and once it’s established no traffic flows through our servers.” Basically, the mediation server is what allows Hamachi to be a zero-configuration VPN by handling all the complications of NAT and Firewall traversal for you, behind the scenes. It is important to note that the Hamachi does not forward any traffic – it’s only purpose is to assist in establishing the direct point-to-point connection between the computers.

Is it the total panacea that every wifi user is looking for – that is, an easy to install/configure/maintain and most importantly secure VPN solution? Surprisingly for a free product, it is! There is one caveat, in order to truly emulate standard VPN functionality, Hamachi requires a computer to connect to; you must leave your home computer running in order for your hotspot laptop to bounce off of it, via Remote Desktop.

Give it a go, I highly recommend it.

Running Hamachi as a service in Linux:
http://forums.hamachi.cc/viewtopic.php?t=3421

Hamachi on Mac OSX Beta info:
http://forums.hamachi.cc/viewtopic.php?t=4260

[tags]VPN, Hamachi, Secure WiFi[/tags]

The files they are gone.
It seems McAfee ate them.
Go home from work now.

read more | digg story

I’m sure this is going to spread like wildfire across the Internets today, but let me take a minute to debunk this. As best I see, the website in question allows users to create their own UNIX-style accounts through a LDAP interface. From this remote access shell, the said hacker was able to use a vulnerability to escalate his privileges to root-level. Sure, its a succesful hack, but I’m not aware of any “secure” machines configured to allow users to create their own shell access. Furthermore, I do not believe SSH is even enabled by default on OS X (though to be fair, most admins will turn this on).

What’s the significance? It’s not that OS X isn’t hackable, or that this sysadmin gave far more remote access than is normal; no, it’s that no one operating system is more or less secure than another. Security is an ongoing project, completed one day, only to begin the next.

read more | digg story

What a waste of engineering. This is why all the effort behind HD movie disc protection is stupid. Not only are you going to have hackers salivating over the idea of dismantling the system just because its something new and interesting (and the fame that comes with it), but you’re also creating a huge inconvenience for people that actually want to buy your product!

Spending a little money to make some trivial protection to stop the most casual copying is the only thing worthwhile. These companies should put a fair price on their product and sell to the people that want it. Putting a premium price on BD-ROMs and slapping ridiculous protection on them is pointless. They should cost the same as DVDs and have only trivial protection. DVD protection is easy enough for grandma to bypass yet they still fly off the shelves.

I hope Sony/Toshiba/Movie studios wake up when the public decides they don’t want to pay for this crap.

* The password must contain at least one (1) UPPER CASE letter.
* The password must contain at least one (1) LOWER CASE letter.
* The password must contain at least one (1) numeric digit: (0,1,2,3,4,5,6,7,8,9).
* The password cannot contain any four (4) consecutive characters of your username
* The password must be at least eight (8) characters long.
* The password cannot be changed to any of your three (3) previous passwords.
* The minimum user-defined password life is one (1) day.
* The password cannot contain any dictionary word greater than or equal to four (4) characters.
* The password will expire annually.

…the requirements for a registration system I came across today. Yoi!