31 July 2007

Good Things Here...

Some folks get it...

http://blogs.technet.com/secguide/archive/2007/07/12/malware-removal-starter-kit.aspx

Using the Windows Preinstallation Environment (Windows PE) in combination with free anti-malware programs, the kit provides you with a low-cost, effective strategy and tool recommendations that you can use to vanquish malware attacks

...while some folks don't:

http://blogs.msdn.com/rflaming/archive/2006/09/20/763960.aspx

From a security perspective, when you get owned running under a Machine-wide account, game is over and you have to flatten the machine to get back to a secure state. 

By "it", I mean the defense-in-depth concept that the battle doesn't end when malware gets into your PC.  Machines get "owned" all the time; the majority of spam is carried by botnets running on such systems, and surveys have indicated a high percentage of PCs are running malware. 

If the only option for such systems is to "just" flatten and rebuild, many consumers will simply shrug and prefer to stay infected.  After all, they tolerate rootkits dropped from audio CDs, DoS (activation) payloads built into their OS, adverts from all over the place, etc. so why should they mind if a smidgen of bandwidth is used to DDoS unpopular entities such as the RIAA, or send out the same spam they get every day, either way?

The problem with "just wipe and rebuild" is not the pessimism that a cleaned PC will really be clean, but the optimism that a rebuilt PC will stay clean.  In reality, both approaches are complex battles that may be lost.

Security Guides Blog

The first link is from SecGuide, who may be the first Microsoft team to offer end users the tools they need to formally manage malware on infected PCs.  They may not be as far down that road as some Bart-based solutions, of which an example is shown in this slide show, but in-house Bart projects are usually too complex to be offered as an off-the-peg solution for end users to download and use.

The SecGuide approach is based on WinPE 2.0, which is now available for end users via the WAIK.  The process of integrating tools into WinPE, and building a WinPE boot disk, is pretty daunting, so I was wondering if combining David Lipman's Multi-AV tool with Bart PE would be easier?

In the big picture, we need to market the clean state against the accepted state of living with resident malware.  A non-destructive cleaning approach is a key element, and it's good to see parts of Microsoft getting this.

Windows Installer

The second link is from Setup Sense and Sensibility, which is a fascinating insight into the Windows Installer and how this has developed in Vista in particular.  The perspective appears to be 100% rooted in the concerns of corporate networking, and centered on per-user permissions and control.

The trouble is, this approach just doesn't fit the outside world of free users and the one or few PCs they use.  There's no "admin" to "do things for" the user; no tight white-list of permitted applications, and the user should have full and unfettered control over the PC.  A single PC may represent the user's entire infrastructure, so there's no "easy way out" of wiping and rebuilding desktop systems while data is safe on the server. 

Moreover, the same user will do multiple different things in the same logon session that should have differentiated rights.  Simply giving all processes the same rights just because they occur in the same logon session is next to useless, as even the most limited user account rights will allow the user's data to be edited, overwritten or trashed.

I've covered aspects of this issue many times, such as the adverse effect of flattening natural obstacles and the janitor account concept.  UAC is a step in the right direction, as for the first time it leverages the user's control over automated processes - the reason it is so "ugly" is because it is so at odds with the assumptions underlying NT's development, i.e. that automation would always be done by "proper" entities and that the user should be swept aside to facilitate such automation.

Timeless Blogging

Can you have your blog and web it too?  I'd say so, and am doing that - blogging so that content is navigable in ways more like a web site, as described here.  My tactics are:

  • Lists as the "top level"
  • Permalinks, labels and tags
  • Hover-tips to explain link destinations
  • Closure via post-terminating "home" links

Blogging is still dominated by the timeline concept, and this is particularly ironic when a post solicits feedback, only to tell you that "new comments are disabled", as in this case.  Bah!  So I'll feedback here...

Yes, I'd love to see the SecGuide blog post discussion topics for feedback, as well as their usual announcement posts.  They can use tags to separate such traffic for those who only want to read announcements, vs. those who want to contribute to discussions, and still have a mix of both for the rest of us interested in both types of posts.

I plan to do something similar on my blogs, so that in effect each blog can function as multiple sites.  Blog-based discussions may be more survivable and discoverable than web or news forums, as the blog (or web site) provides a persistent navigation tree to reach this material.

19 July 2007

Meta-Bug: UI Refresh That Doesn't

If you can read this post, you're lucky, because I think I've just edited this blog's framework into the ground!

The case was a meta-bug (i.e. a conceptual bug that underlies other bugs).  I was trying to add a poll to the blog, which was rejected due to some date format thing.  So; is "07/07/19" yy/mm/dd or mm/yy/dd?  Do my preferences for dd/mm/yy(yy) have any bearing on what the error report shows?  None of that is the bug, by the way; just bad error message design - in fact, it may be that the new Poll thing is just plain broken.

Here's the bug: If I try a different date that is also "wrong", will I be able to visually tell the difference between nothing happening when I click Save, and getting the exact same error message invisibly "refreshed" over the old one?  What happens if I ASSume that "nothing happened" and I machine-gun the dumb-ass Save button 100 times out of frustration?

Er... I wish the last question was rhetorical, heh.  I've just closed the browser window that has been "Saving..." my blog for the last unfeasibly large number of minutes.

So if you're looking at a blog layout that is currently less than fully-assed, with a dead poll that was "fished" before it was born, then you know why.

Bah!  User failure strikes again...

Malware - Is That All You Ever Think About?

Folks could be forgiven for asking:

Why do you care
About malware?

Malware is the bulk of a larger problem, which is vendor-pushed code.  Nothing overwhelms support resources the way widespread automatic insertion of bad code does.

For in-house system administrators, it's a major headache, but for a tech servicing multiple single-PC sites, it can be a disaster.  If you offer an SLA (Service Level Agreement) that is insufficiently escaped by weasel-wording and disclaimers, then one big outbreak can put you out of business... how do you "resolve within 48 hours" when you have 100 sites per tech needing urgent attention within the same hour?

So yes; just as someone interested in completing university studies may switch to soldiery when driven by the demands of self-preservation, so I have an interest in malware.  And just as a soldier has an interest in keeping his weapons in working order, I have an interest in maintenance OSs such as Bart and WinPE 2.0, as well as the politics that keep these tools out of the hands of those who need them most.

Sharp readers will have noticed my definition of the "larger problem" encompasses automatic OS and antivirus updates, various ad-hoc "update" facilities built into arbitrary programs, Google's "update everything" tool, and codecs "needed" to play arbitrary content. 

All of these break best-practice rules on code changes:

  • Do not allow others to change your code
  • Log all code changes
  • Ensure all changes are reversible
  • Ensure changes do not "kick away the ladder"
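The first three rules can be enforced mechanically on a single PC, even when the vendor's updater will not cooperate.  What follows is an added example, not code from the original post or from any of the tools it mentions: a small Python "change ledger" that takes a hashed baseline of an application tree, logs exactly which files an update added, removed or modified, and can revert the tree to the baseline copy.  The application directory, file names and the simulated "vendor update" in `demo()` are all constructed for illustration; the ladder rule (the fourth bullet) is not addressed here.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries don't bloat memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


class ChangeLedger:
    """Baseline, log and revert code changes in one directory tree.

    The baseline copy lives in a separate store directory so that an
    updater touching the application tree cannot also rewrite the record.
    """

    def __init__(self, root, store):
        self.root = Path(root)
        self.store = Path(store)
        self.store.mkdir(parents=True, exist_ok=True)
        self.baseline = None
        self.log = []  # one entry per recorded change set

    def baseline_now(self):
        """Hash every file and keep a full copy for later reversal."""
        self.baseline = snapshot(self.root)
        backup = self.store / "baseline"
        if backup.exists():
            shutil.rmtree(backup)
        shutil.copytree(self.root, backup)
        (self.store / "baseline.json").write_text(json.dumps(self.baseline))
        return self.baseline

    def diff(self):
        """Classify every difference between the tree now and the baseline."""
        current = snapshot(self.root)
        added = sorted(set(current) - set(self.baseline))
        removed = sorted(set(self.baseline) - set(current))
        modified = sorted(p for p in current
                          if p in self.baseline and current[p] != self.baseline[p])
        return {"added": added, "removed": removed, "modified": modified}

    def record(self, actor):
        """Rule 2: log who changed what, so nothing slips in unnoticed."""
        entry = {"actor": actor, **self.diff()}
        self.log.append(entry)
        return entry

    def revert(self):
        """Rule 3: put every file back as it was; returns True if fully restored."""
        backup = self.store / "baseline"
        d = self.diff()
        for rel in d["added"]:
            (self.root / rel).unlink()
        for rel in d["removed"] + d["modified"]:
            dst = self.root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup / rel, dst)
        return snapshot(self.root) == self.baseline


def demo():
    """Constructed scenario: a simulated update touches a tree; we log and roll back."""
    work = Path(tempfile.mkdtemp())
    app = work / "app"
    app.mkdir()
    (app / "core.dll").write_bytes(b"v1 core")        # constructed sample files
    (app / "config.ini").write_text("level=1\n")
    ledger = ChangeLedger(app, work / "ledger")
    ledger.baseline_now()
    # Simulated vendor push: replaces a binary, adds a helper, deletes the config.
    (app / "core.dll").write_bytes(b"v2 core")
    (app / "updater.exe").write_bytes(b"new helper")
    (app / "config.ini").unlink()
    entry = ledger.record("vendor-update")
    restored = ledger.revert()
    shutil.rmtree(work)
    return entry, restored


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields a log entry naming `core.dll` as modified, `updater.exe` as added and `config.ini` as removed, and `revert()` returns `True` once the tree's hashes again match the baseline.  On a real machine the baseline would be taken before accepting any "update" and the store kept somewhere the updater cannot write, such as a maintenance OS volume.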

In essence, the logic behind "code of the day" is broken:

  • When our code breaks, it can't be trusted
  • This happens too often to manage manually
  • So trust us to push more code whenever we see fit

Does not compute.  Yes, I see the need to patch OS and exposed surfaces as soon as possible, but I also see the need to reduce exposed surfaces made of code that is not trivial enough to be relied on as defect-free.

And no, I don't recommend Google's "update everything" tool.

16 July 2007

New Content From Here

I've just completed a wish list of around 30 things I'd like to see fixed, changed or created in Vista (and in some cases, retro-fitted to XP).

I also did a commented picture show of a typical Bart mOS session, stepping through verifying each safety level before reaching for the next, as outlined in this PC Crisis article.

I've always wanted to re-use blog posts as structured web pages, so as to combine the simple creation and consistent style of a blog site with the ongoing re-usability of a formal web site.  I find I can do that on the other blog by combining the "list" feature with jump-pad blog posts full of links.  I'm used to this structure from a closed mOS wiki I did a while back.

What this may mean is less (or perhaps different) content here, with links from here to there.  I like the lack of adverts on this site, but I can't see as easy a way to get it to do what I'd like done.

13 July 2007

Forthcoming Attractions

In the next week, I'll be low-profile in newsgroups (again) and doing Vista feedback and mOS issues that I will echo in my blogs. The mOS stuff will be here, while the Vista stuff I'll do over in the Vista Curve blog.

I expect there will be a lot of traffic, so suggest you peruse subject lines in the sidebar rather than desperately hitting the PageDown key :-)