Latest Posts

Latest Comments

Archive for February, 2007

When the Blue Screen of Death may be just that

By Fjodor on Feb. 26, 2007.

I will probably never be heard touting the security and reliability of Windows. Never have, can’t see it happening anytime soon. It would seem however, that the UK’s Royal Navy is more easily impressed.

Cue Windows 2000 for Warships… Am I the only one who remember the case of Windows 2000 and LAX not mixing well?

UAC (still) not a security boundary

By Fjodor on Feb. 26, 2007.

Once again, a UAC vulnerability has been found. And once again, MS fails to see it as a problem…

Speak up or shut up

By Fjodor on Feb. 26, 2007.

Known to most, Mr. Steve Ballmer has repeated ad nauseam his claims that Linux infringes on MS intellectual property. And contrasting his claims has been the utter reluctance to name even one case in which it is true.

Sometimes someone has to call “enough”, and thus has come forward this open letter, urging MS to either identify problem areas or stop spreading unfounded FUD.

I call it most welcome, however the outcome may be.

Microsoft “lost” evidence in Burst vs. Microsoft

By Fjodor on Feb. 17, 2007.

Remember the “Burst vs. Microsoft” case?

At some point in time, Microsoft were ordered to deliver copies of email correspondence relating to Burst, but told the court it would be infeasible. The order was none the less repeated, but before said emails were delivered, the case was settled. Robert X. Cringely covered the case, and he recently received an email from a contractor involved in backup procedures within Microsoft.

The following timeline seems to cover the problem of the email correspondence:

  • Microsoft is ordered to hand over the emails.
  • Microsoft informs the court that this would be infeasible
  • None the less, Microsoft instructs their contractors to gather backups from the specified period, and store them at a given location
  • The court repeats it’s orders
  • The backup contractors discover that the previously gathered tapes are “mysteriously missing”, and are held responsible by Microsoft
  • The case is settled out of court without Microsoft producing the emails

How very convenient, and how very sad.

Microsoft fighting for open standards?

By Fjodor on Feb. 16, 2007.

As may be known to you, proposals for open, XML-based document formats have been submitted to the ISO/IEC. Open Document Format (wikipedia article), ODF, meets the usual requirements for being an open standard, and on the outside, MS’ competing format Office Open XML (wikipedia article), OOXML, appears to do so as well.

ISO adoption of the OOXML format has been blocked by IBM, backing ODF, which has sparked this open letter from MS, stating among other things that

When ODF was under consideration, Microsoft made no effort to slow down the process because we recognized customers’ interest in the standardization of document formats.

While it is true that MS did not hinder the standardisation process, it certainly did not forgo chances to hinder the adoption of it by interested parties: Inside story: How Microsoft & Massachusetts played hardball over open standards, Computerworld.com.

Furthermore, while a proposed standard may be openly presented, that certainly does not mean that it is openly implementable, as this article shows.

I will let it suffice to ask, if a standard containing the tags “lineWrapLikeWord6”, “useWord2002TableStyleRules” or “useWord97LineBreakRules” conveys a sense of openness or interoperabilty, considering that the formats for Word 6, Word 97 and Word2002 are strictly closed.

MS’ answer to Rutkowska: UAC is not about security afterall

By Fjodor on Feb. 14, 2007.

Seems MS has an answer for Joanna Rutkowska (her blog entry), with regards to the situation described in my last post.

Contrary to all statements leading up to the Vista relase, she quotes Mark Russinovich of MS as writing that UAC is not “a security boundary”, and thus that:

Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs.

So, not only is the much hyped security measures not reagarded as security measures by MS, and thus their failing to provide security is a non-bug.

Now isn’t that lovely?

Category: Microsoft

1 Comment

Joanna Rutkowska on Vista security

By Fjodor on Feb. 14, 2007.

Rutkowska is trying out Vista. And as always, it seems to be a different world than what MS marketing would have us believe…

Quote from her blog:

One thing that I found particularly annoying though, is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges.
[…]
That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing e.g. to load kernel drivers!

Now how about that. She describes the XP option of customised privileges, enabling the user to assign only the strictly required privileges for installing software, and still disallowing e.g. loading kernel drivers. Seems neat, but, alas, a thing of the past.

Next, she finds that while Vista still does go through some work to protect itself, it seems a little more careless with actual user data. In other words, even processes running at the lowest “Integrety Level” might still read data from more privileged processes. As she puts it:

So, the statistics look better and everybody is generally happier. Including the competition, who now has access to stolen data 😉

She goes on to describe her ability for an “IL” process to send keyboard and mouse events to a shell running as Administrator. How very reassuring.

Go Vista!

Category: Microsoft

1 Comment

Vista and HD content? Not likely…

By Fjodor on Feb. 13, 2007.

This almost speaks for itself: A Cost Analysis of Windows Vista Content Protection. Therefore I shall restrain myself to this little nugget of totalitarian gold from MS’ specs and a comparison:

“It is recommended that a graphics manufacturer go beyond the strict letter of the specification and provide additional content-protection features, because this demonstrates their strong intent to protect premium content”

…which seems unscrupulously close to Sir Ian Kershaw’s concept of “working towards the Führer”, as explained by this http://goodreports.net book report on his “Hitler: Nemesis 1936-1945”:

“‘Working towards the Fuhrer.’ What this refers to is the way in which radical actions were often instigated from below, not as the result of express directives, but because they were felt to be in line with Hitler’s broadly defined aims.”

Now, I am not saying that the software business is comparable to the holocaust. Not by a long shot. However, it would seem that MS is trying, in the first, to reap the benefits of a mechanism, that was an instrumental factor in the radicalisation of the second.

Category: Microsoft

1 Comment

Vista and security practices

By Fjodor on Feb. 13, 2007.

Extremetech has tested 25 games on Vista, and though I am not a gamer, I thought I’d take look. It does have some interesting tidbits, considering normal security practices.

In the section about Battlefield 2, it is noted, that to connect to servers employing Punkbuster protection, you need to run the game with Administrator privileges, seeing this as being somewhat of a non-issue (“That little fix allowed me to jump on any server with Punkbuster enabled…”).
This procedure is referred to a number of times, either as not needed or as a normal procedure (“This is starting to look like a pretty common cure-all for Vista games compatibility issues.”, “…and only a handful needed just a minor tweak or two, like running the game as Administrator”). Now, how is that for security, running large, networked, closed-source, cracker-luring programs with full privileges on the system?

Another little thing, concerning Lord of the Rings: Battle for Middle Earth II, Rise of Legends, is seen as a feature. I am oblivious to the actual procedure of adding anything to the Windows Firewall, but even assuming a dialog window, many users would undoubtedly be compelled to just click on “Yes” and be done with it: “As it does with Windows XP, the game can add itself to the Windows Firewall exception list to make sure online play isn’t blocked.”. Now that just makes me feel warm and fuzzy all over…

And you thought they limited you with Vista?

By Fjodor on Feb. 13, 2007.

Modular operating systems are a good idea. Not a new idea, though. But wouldn’t it be wonderful, if you could distribute just the bare minimals (as in ability to boot and upgrade, nothing more), and have the user pay for every little extension like running more than a very few apps, connecting devices, browsing the web?

Now, it could almost be argued, that what was harder to code should cost more, but in the case of number of apps, it would actually be harder to limit the number than the opposite. Likewise, network must be present to download extensions, so it would be harder to code restrictions there too. And USB? Obviously, the user must at first startup be able to have keyboard and mouse. Including that functionality, but restricting all else is also harder.

So what’s the point? Why, testing the limits of user abuse comes to mind, but then again that limit seems nonexistant, since people actually want to use Vista.

Your money, that’s what.

Cue This patent application and Groklaw’s
take on it
.

© 2017 - Fjodor's thoughts
Designed by Shauryadeep Chaudhuri
Coded by XHTML Valid
Minor modifications by Fjodor

Powered by WordPress

FireStats icon Powered by FireStats