Saturday, 28 January 2006

Southpark1I've been a South Park fan ever since it came out. Who woulda' thunk these cartoons would become such a phenomenon. I laugh my ass off every time I watch it.

I have to say that at $1.99 an episode, it's a bit pricey - maybe buying the DVD sets online (you can find some good deals if you look) might work better for some people. But for the convenience factor, and in terms of iTunes store's expansion into the video content arena, this is cool.

South Park on the iTunes Music Store - click here to open in iTunes

Comedy Central and Apple just added South Park, Drawn Together (never really watched that one) and Best of Comedy Central Standup to the iTunes store.

Add/Read: Comments [1]
Humor | Random Stuff
Saturday, 28 January 2006 13:38:13 (Pacific Standard Time, UTC-08:00)
#  Trackback

Published just this month, an important whitepaper is now available that provides authoritative information about applying  the "don't run as admin" concept in the real world.

Should you care? Yes. Absolutely. Why? Because running as an administrator or high-privileged user opens the door to malicious software ruling your world by potentially damaging your computer and data, compromising confidential information, and harming your company's reputation and business relationships. Put simply, you should do it because it's now possible, because with Windows Vista it will be enabled in terrific ways that reduce the pain, and just because it makes obvious good sense.

Users will download and install software they're not supposed to. Policies don't solve technology problems. Rather they guide solutions to people problems. Users will take CDs they bought with a major record label on the sleeve and stick them in their CD-ROM drives, whether or not they are supposed to, and we've all learned recently that you cannot trust major record labels to product safe, appropriate software. Users will surf to web sites and (regardless of how much education and prevention you do, and how many times you tell them to never click on that stupid thing that says their computer might be infected) they'll click and download and even install software that wreaks havoc, logs keystrokes or any one of a thousand other bad things.

People and process changes and preventions are important - don't get me wrong. We need to educate and provide standards, and we still need to hold people accountable for behavior. But that does not remove from us the responsibility to make proper and correct technology decisions when it comes to operation and implementation security. Period.

People, process and technology - it's a combination of all three of these, in careful balance, that makes a true security ecosystem work.

But making changes like this is, honestly, something that most business and technology people avoid, because they're afraid they won't be able to operate that way. Or they're afraid someone will complain. Sorry guys, not a good enough reason, not anymore.

So... What's the problem we're trying to solve? From the paper:

"A significant factor that increases the risks from malicious software is the tendency to give users administrative rights on their client computers. When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, e-mail clients, and instant messaging programs, also have administrative rights. If these programs activate malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised Web site or by clicking a link in an e-mail message."

The approach into which the least-user model falls is a layered security, defense-in-depth style. We cannot rely solely upon one layer of security to solve all our malware problems, and the fact is this: If all computer users already ran with least-privileged accounts, the incidents of malware (spyware, adware, etc) would be significantly less. In the real world, we are stuck in a position of needing to make a change, but for the future we will do well to remember how taking the easier route early in a technology phase can come back to bite us later.

"A defense-in-depth strategy, with overlapping layers of security, is the best way to counter these threats, and the least-privileged user account (LUA) approach is an important part of that defensive strategy. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. This strategy also aims to limit the use of administrative credentials to administrators, and then only for administrative tasks.

"The LUA approach can significantly mitigate the risks from malicious software and accidental incorrect configuration. However, because the LUA approach requires organizations to plan, test, and support limited access configurations, this approach can generate significant costs and challenges. These costs can include redevelopment of custom programs, changes to operational procedures, and deployment of additional tools."

Small and large organizations (of all types) are faced with this problem. While it's not the end of the world, it's often not a trivial task to change to a least-privileged computing model if you're already deployed in a mode where all users are administrators. This is common in software companies and other place where people have liberal privileges in order to provide ultimate flexibility in their development and design world.

I should also note that in Windows Vista, the next version of Windows, there are significant improvements in the operating system that will make it completely feasible to apply a least-privilege user model to every single computer, while affording users the ability to install software and make appropriate configuration changes in a controlled and safer environment. In my opinion, any shop that deploys Vista when it's available and does not take advantage of this security capability is negligent (and there will be many companies where that will happen, just watch). Find out more about Windows Vista User Account Control (UAC) at the Microsoft Technet site pages that cover the subject, and be sure to read and subscribe to the UAC Team Blog.

I highly recommend this whitepaper. It cuts to the chase and explains things in a clear and concise way, while addressing real world concerns and providing links and references to third-party tools and information. If you run a network or a dev shop, or if you're in any way responsible for secure computing, this is a paper you need to get familiar with.

Description and summary of the whitepaper from the Microsoft download page:

This 100-level technical white paper provides information on the principle of least privilege and describes how to apply it to user accounts on Windows XP. The paper covers the following topics:

  • Risks associated with administrative privileges
  • Definition of the principle of least privilege
  • Definition of the least-privileged user account (LUA) approach
  • Benefits of the LUA approach
  • Risk, security, usability, and cost tradeoffs
  • Implementing the LUA approach
  • Future developments

This paper also describes at a high-level the issues that affect implementation of the LUA approach and provides useful links to other online resources that explain these concepts in more detail.

Add/Read: Comments [0]
IT Security | Safe Computing | Tech
Saturday, 28 January 2006 09:51:48 (Pacific Standard Time, UTC-08:00)
#  Trackback
 Thursday, 26 January 2006

Omar Shahine sent me a message inviting me to sign up for Live Contacts this evening. It's a service that ties together your Messenger address list, Hotmail/live mail contact lists, and MSN spaces profile info (all, of course, associated with your passport identity), and let's you subscribe to someone else's contact info. Once subscribed, any time someone on you Live Contacts list changes their contact info, it changes in your list. So, it's always connected and up to date.

Plus, you can choose how much of your personal and business contact info to share (granularly), and with whom to share it.

Start by logging into your Spaces profile (mine's here, not used much to date) and then you can share your contact info with others. Choose "Edit Profile" on your space page, and scroll down to the "Contact Information" section - that's where you can specify how and with whom to share your info. It'll always be up to date in other people's Messenger and Hotmail/Live Mail apps.

Add/Read: Comments [0]
Thursday, 26 January 2006 22:41:33 (Pacific Standard Time, UTC-08:00)
#  Trackback

Microsoft Security VP Mike Nash answers a stack of questions posed by Slashdot readers. The Q&A is pretty good. Nash provides substantial answers to some fairly pointed questions. One thing is clear, both in the answers and in my own experience: Security is hard - if in no other way, then from the standpoint of overcoming the many cultural and technical hurdles.

Nash covers a broad range of important topics and addressed many, many issues. Click on over to read, but here's a very brief couple of excerpts:

On code security and secure code review processes:

"Two or three years ago, we had a vulnerability in Windows Media Player where an attacker could send out a piece of media content with a malformed copyright field and because of a flaw in the code that parsed the copyright, the attacker could over run a buffer and run arbitrary code on the machine. So the question was, should the developer of the Windows Media Player have thought about that kind of attack and take steps to prevent it? Remember, we want the people writing the Media Player to make the world's best media player. The answer has to be YES! While you could have a tiger team work around the organization reviewing all of the code in every product that we ship, that doesn't scale. You could never have enough dedicated security expertise; if they made changes they might break something since they really couldn't understand the details of the code they are making more secure. This works for final reviews, but final review needs to be like the guard rails on the side of the road -- they are a great last resort, but we need better drivers! So we trained everyone. Key thing here is that we also learn new things over time (better tools, new threat vectors, and new scenarios) so the training has to be continuously updated."

And on the cultural challenges of prioritizing security:

"Culture is a huge issue as well. Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization."

If you're even tangentially involved in security for your organization, and especially if you're a technology company, this Q&A is definitely worth the read.

Add/Read: Comments [0]
IT Security | Safe Computing | Tech
Thursday, 26 January 2006 20:50:06 (Pacific Standard Time, UTC-08:00)
#  Trackback

I've received a number of requests for Windows Live Mail invitations recently, due to my recent post offering up Windows Live Messenger account invitations. I don't have any Live Mail invites, but I'd suggest you sign up here and see what happens. At least one person to whom I suggested this signed up today and received his invitation today, as well:

(Windows Live Mail is the new version of Hotmail, currently in beta test mode and available only by invitation, which you can sign up for at the above addresses)

Add/Read: Comments [6]
Thursday, 26 January 2006 18:04:04 (Pacific Standard Time, UTC-08:00)
#  Trackback

From Mark Harrison's weblog:

All Windows SharePoint Services customers are entitled to an extended free trial of Antigen for SharePoint. This trial version will be active through June 30, 2006.

To download, simply go to and fill out the form.

Antigen for SharePoint allows Windows SharePoint Services users to collaborate without the risk of uploading or downloading infected documents or inappropriate content.

The simple and honest fact is that many people who have deployed WSS or SPS don't run any anti-virus software on their SharePoint implementations - and that's a huge mistake. Running plain-ol' AV on the server's file system is exactly the wrong thing to do, because all the SharePoint files are stored in the database where regular AV software can't touch them. And besides that, running real-time AV scans of a SQL database file (which is constantly changing) is a supreme resource and performance killer if there ever was one.

I've worked with Sybari's Antigen products on both SharePoint and Exchange for several years. In my book, it's the best thing in AV-Land since sliced bread. So check it out.

Add/Read: Comments [0]
IT Security | SharePoint | Tech
Thursday, 26 January 2006 00:41:07 (Pacific Standard Time, UTC-08:00)
#  Trackback