October 2006 - Posts

Converting from AD time to Excel time

Here's a little formula that works to convert times and dates from Active Directory (or other LDAP servers) to Excel - really useful to use if you've exported a number of entries from Active Directory to an Excel spreadsheet or CSV, and want to see them as dates:

=(B1-94353120004495000)/864000000000

864000000000 is the number of 100-nanosecond intervals in a day (24 × 60 × 60 × 10,000,000), which is the unit Active Directory uses for its timestamps. It's possible that the offset value of 94353120004495000 is not going to be correct for your environment, so don't forget to test this - time zones may affect the accuracy of this value.
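As an added worked example (not from the original post), the same conversion in Python, deriving the offset from the two epochs (a FILETIME counts 100-nanosecond intervals from 1601-01-01 UTC; an Excel serial date counts days from 1899-12-30) rather than hard-coding it, and treating the 0 and maximum-int64 values AD uses for "never" as blanks. The function names, the CSV-row helper and the sample rows are constructed for this example; lastLogon is a real AD attribute.

```python
"""Convert Active Directory (Windows FILETIME) timestamps to Excel serial dates.

Example code added to illustrate the post's formula; it is not from the
original post. FILETIME = number of 100-nanosecond intervals since
1601-01-01 00:00 UTC. Excel serial = days since 1899-12-30 (valid for dates
after 1 March 1900). Both epochs are UTC-based, so the arithmetic itself is
time-zone independent; Excel simply displays the UTC instant.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

INTERVALS_PER_DAY = 24 * 60 * 60 * 10_000_000          # 864000000000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXCEL_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)

# FILETIME value of the Excel epoch: 109205 days after 1601-01-01.
EXCEL_EPOCH_AS_FILETIME = (EXCEL_EPOCH - FILETIME_EPOCH).days * INTERVALS_PER_DAY

# Offset used in the post's spreadsheet formula, kept here for comparison.
POST_OFFSET = 94353120004495000

# AD stores "never" / "not set" (e.g. in accountExpires) as 0 or the largest
# positive 64-bit integer; neither is a real date.
NEVER = {0, 0x7FFF_FFFF_FFFF_FFFF}


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Return the UTC datetime for a FILETIME, or None for AD's 'never' sentinels."""
    if ft in NEVER:
        return None
    # timedelta resolution is microseconds; drop the sub-microsecond digit.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_excel(ft: int) -> Optional[float]:
    """Return the Excel serial date (fractional days) for a FILETIME."""
    if ft in NEVER:
        return None
    return (ft - EXCEL_EPOCH_AS_FILETIME) / INTERVALS_PER_DAY


def excel_to_filetime(serial: float) -> int:
    """Inverse conversion, e.g. to build an LDAP filter from a spreadsheet date."""
    return int(round(serial * INTERVALS_PER_DAY)) + EXCEL_EPOCH_AS_FILETIME


def post_offset_error_seconds() -> float:
    """How far the post's hard-coded offset is from the exact epoch difference."""
    return (POST_OFFSET - EXCEL_EPOCH_AS_FILETIME) / 10_000_000


def convert_csv_column(rows, column):
    """Convert one FILETIME column of exported rows (list of dicts) in place.

    Values arrive as strings from a CSV export; blanks, non-numeric values
    and the 'never' sentinels become an empty cell.
    """
    for row in rows:
        raw = row.get(column, "").strip()
        if not raw.isdigit():
            row[column] = ""
            continue
        serial = filetime_to_excel(int(raw))
        row[column] = "" if serial is None else f"{serial:.6f}"
    return rows


if __name__ == "__main__":
    # Constructed sample: a logon at 2006-10-01 00:00 UTC and a 'never' value.
    sample = [
        {"sAMAccountName": "svc-example", "lastLogon": "128041344000000000"},
        {"sAMAccountName": "never-logged-on", "lastLogon": "9223372036854775807"},
    ]
    for r in convert_csv_column(sample, "lastLogon"):
        print(r)
    print("exact offset:", EXCEL_EPOCH_AS_FILETIME)
    print("post offset error (s):", post_offset_error_seconds())
```

The derived offset is 94353120000000000; the post's constant differs from it by 4,495,000 intervals, i.e. under half a second, which is invisible once Excel formats the cell as a date.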

Insufficient Resources to Complete API - part 3

In part 2 of this series, I promised to let you know how I'd been doing with my hotfix solution to this problem.

[History: After increasing my laptop's memory past 1GB, in Windows XP SP2, I find that the laptop will occasionally refuse to hibernate, with the cryptic message "Insufficient System Resources to Complete API". A Microsoft Knowledge Base article makes it clear that this is a known bug, and offers a hotfix. After going through the simple procedure of getting the hotfix sent to me, it's now even simpler, because the hotfix is available to anyone to download, without having to call Microsoft.]

I'm happy to say that this has been going really well. My laptop, with 1.5GB of memory, now hibernates wonderfully well all the time, and I no longer fear that I will be pulling a red-hot laptop out of my bag after I've closed the lid in a hurry.

I do still hit the problem that if I press the power button, then close the lid, it hibernates once, and then a second time immediately after I turn it back on. Not a big problem - certainly not as big a problem as running the laptop's processor and fans at full tilt inside a sealed laptop bag because it didn't hibernate.

Lessons for those watching:

  1. Always search the Knowledge Base - go to http://support.microsoft.com, and type in either the full error message, or select words that are liable to be unique in reference to your problems. If your first search produces too many, or too few, matches, simply choose a different set of search words. Imagine how you'd write up the article yourself, what key words you'd put in there.
  2. If there's a hotfix available, don't get irritated that you have to call someone on the telephone in order to get the hotfix. It's a ten-minute process, you don't have to give your credit card number, you just say you want the hotfix related to article number such-and-such, and they send you the password to use in downloading it.
  3. Revisit a previous problem after a couple of months - someone else may have reported and fixed it.

Changing passwords on a service

At work, I'm faced with an interesting task - we're trying to limit the number of people that know high-powered passwords.

[This is an ongoing goal - and we already have many processes in place that achieve this. You'll hear more about this in future.]

The latest investigation of reducing password knowledge centres around service accounts - particularly, one service account that is widespread, and has local administrative access. Not an account we want to have available to everyone, not even to everyone who manages the service!

The goal is, as with other high-powered accounts, to lock the password away, and only reveal it when it's needed to troubleshoot something. Of course, being a password, once you've revealed it to someone, you can't unreveal it.

So you have to change it. Once in the security database, and once on every service instance, so that the service can continue to log on.

But there are hundreds of instances of this service, so the administrators were baulking at the idea of having to enter the password in hundreds of locations.

I didn't like the idea either, but my suggestion was better than that of "set the password once on installation, and hope that nobody abuses their knowledge of the password". It had to be, because we don't allow that around here.

I'll be exploring what I did over the next few days, but here's my start, which may be adequate for many purposes:

C:\> for /f %a in (servers.txt) do sc \\%a config "service-name" password= "new-password"

Posted by Alun Jones | 2 comment(s)

Linux - unbreakable until when?

Not much of a claim... Man, if I were dumb enough to claim anything as "unbreakable", I'd probably want to claim that you have a little bit more than two months of unbreakability (and yes, that is an unretouched graphic from Oracle's site).

Cousin Jeff notes that Mary Ann Davidson, head honcho of Security at Oracle, previously remarked on the previous "Unbreakable" campaign "What idiot dreamed this up?"

I think it's the same "idiot" that came up with the original version of this campaign. Marketing geniuses, all of them.

Internet Explorer 7 flaw - slow news day

You know it's a slow news day when a flaw like this makes the TV news. [Or when it makes the front page of a normally respectable security site like Secunia.]

Okay, so the first thing to note is that if you try this flaw on other browsers - Internet Explorer 6 or Firefox 2.0, for instance - what happens is that the popup appears on screen without an address bar. So, if this popup is going to persuade you on Internet Explorer 7 to click in a bad place, then it's going to persuade you even more easily to click in a bad place on Internet Explorer 6 or Firefox 2.0.

The next thing to note is that it doesn't work if your fonts are different widths from the default, for instance if you use a high-DPI font, or use larger fonts because of poor visibility, or just because you like them - the number of padding characters used has to match exactly with the width of the popup window.

Other reasons the flaw is next to useless:

  • If you enable Internet Explorer 7's ability to open popups in another tab, the flaw is totally wasted.
  • If you click anywhere in the window (and I don't suggest you do on any popup), the address is revealed.
  • If you click in the address bar, the address is revealed.
  • The flaw only works while the text in the address bar is fully selected - meaning that it's highlighted, and looks different from every respectable popup (is there such a thing?). Again, you should be aware that any time something looks different from usual, it's a warning flag at best, and probably something to be avoided.

Oh, and Internet Explorer 7 comes with a phishing filter - which I really suggest you accept - that prevents you from being lured to known phishing sites by popups such as these.

Really, there are so many down-sides to this flaw, from the perspective of a malicious person trying to actually exploit it, that it's a wonder anyone bothered to spend time typing the web page up that demonstrates it.

In a way, this demonstrates Internet Explorer 7's superiority over previous versions - if this really is the most newsworthy attack you can make, Internet Explorer 7 must be solid.

I'll restate very simply the reasons that Internet Explorer 7 is worth an install:

  1. You are required to have a version of Internet Explorer on your Windows system - it's a part of the OS.
  2. Every flaw that has been found in Internet Explorer 7 has been found in previous versions of Internet Explorer - and each one (of two) is minor and complex, so much so that despite widespread publicity for some considerable time, there are no known exploits in the wild.
  3. Internet Explorer 7 closes a huge number of avenues of attack that were present in Internet Explorer 6.

Put all that together, and it's clear that installing Internet Explorer 7 will improve your security. Whether you use it is up to you.

Whether you use Internet Explorer, Firefox, or Opera, or some other browser, from a security standpoint, installing Internet Explorer 7 is a big win. Plus, it's much easier and more fun to use.


Cousin Jeff says it's going to be alright

I've been worried a little over the past several days that McAfee and Symantec are going to strong-arm Microsoft into weakening the protection on 64-bit Windows Vista, just because S&M can't figure out how to write software for the new operating system without using undocumented and unsupported functions that have gone away in Vista64.

Amusingly enough, Symantec's competitors, Sophos, respond to the assertion that the world will be forced to run Microsoft anti-virus software by announcing that Sophos' antivirus software will work quite happily on Windows Vista, and that Sophos isn't quite sure what all the fuss is about.

Symantec, by coincidence, have been exhibiting the sort of track-record that befits someone who wants a toe-hold in the kernel, by showing off a kernel-mode escalation of privilege vulnerability. Whoops. [McAfee is no stranger to buffer overflows, either - a Google search for McAfee, "Buffer Overflow" and Vulnerability leads to a couple of fun articles on the topic.]

But cousin Jeff puts my worries to rest, by noting that Jim Allchin, straight-shooter that he is, has declared that Microsoft won't be letting any vulpine-looking animals manage the security of this particular coop.  Not Microsoft OneCare, not Symantec, not McAfee, will be given the ability to patch into the kernel. Note that - not even Microsoft.

No, the Windows Kernel in 64-bit Vista will be written by the Windows Kernel team. Its purpose will be to act as an OS kernel, not as a lackey for whatever program can figure out how to subvert it. Symantec and McAfee can scan files for viruses the same way that Microsoft's security tools will, and the same way that Sophos' tools will, by hooking in to documented, standard, supported APIs.

I guess McAfee and Symantec will have to send their developers on a training course, to learn how to straighten up and fly right, rather than achieve all their goals by hacking around the OS.


How to be a security expert

There are two ways to be a security expert.

First, the bad way:

Publish articles saying "you should do things like I say, because I'm a security expert, and this is how you secure computers".

Then, the good way:

Answer questions that people throw at you with other questions. Here are some example questions you might try:

  • What's the risk you're trying to protect against?
  • Is the risk likely / realistic?
  • What's the benefit of protecting against the risk?
  • What damage could be caused if you don't protect against the risk? [Can the CEO go to jail? Maybe that's a risk worth taking!]
  • How many different ways can we protect against the risk?
  • What is the cost of protection?
  • What are the side-effects of protection? [Technically, side-effects are often 'costs', but can be benefits in themselves.]

There are further depths to which you can refine these questions - for instance, consider potential risks and damage in terms of compliance regulations and sanctions, business costs, public relations, technical effort, etc.

In the Information Security field, we often get so wound up in our own technological solutions that we lose sight of the problem we were trying to solve, or the magnitude of it.

I always thought Preston Gralla was an idiot

Right from the first moment he gave my software, WFTPD, a negative review whose contents indicated he was confusing it with a completely different piece of software, I knew Preston Gralla was an idiot.

Every so often, I forget about him, because he's at least a relatively inconsequential idiot. He's not Steve Gibson, whose legions of fans hang on his every word, no matter how hyperbolic, contrived, unoriginal (unoriginal, yet claimed to be "unique" and "brand new") or incorrect.

Then again, every so often, I am reminded.

Last time was his "6 Steps To Protect Your Wireless Network", which, as I pointed out in "Wireless Security", overlaps significantly with "The six dumbest ways to secure a wireless LAN".

Today's is "", in which he states (as the whole basis for his article):

In Internet Explorer 6, you are able to customize your toolbar by adding buttons, removing buttons, changing their appearance, and so on.

Don’t look for that feature in Internet Explorer 7. It’s not there any more.

Uh... yeah.

So, when you select "Tools", then "Toolbars", and finally "Customize...", what you are looking at is a mirage. The apparent ability to remove, add, move all those toolbar buttons around is completely absent.

Maybe Preston's confused because it's no longer on the View menu. A "Power User" who can't cope with the possibility that a feature has moved from one menu (which is now hidden) to a different one? That's like turning up your guitar amp, smacking your head against the strings, and calling it a "Power Chord". With power must come sophistication, or you're nothing more than an oafish brute.

In another part of his article, Preston says:

Internally, Microsoft has created a mythical typical user it calls “Abby” who knows very little about computers. It now targets the operating system and browser at this imaginary Abby, potentially leaving the rest of us out in the cold.

Clearly, Microsoft needs to create a new mythical user called "Preston". Abby could teach Preston a thing or two.

IE7 - the security update that isn't

First, the big news - IE7 is now available for direct download.

I cannot recommend this update strongly enough. Go and get it.

My wife's not into the security stuff as much as I am, so she recommends it purely on the basis that it's a far improved user experience over IE6.

Me, I see how much it adds to your security - how many attacks have been simply stopped (or, at the very least, prompted me) by the IE7 beta versions.

A lot of press statements have said that this will be pushed as a security update. That's not correct. It will be pushed as a high-priority update, but not as a security update.  That means it isn't going to wait for the second Tuesday of the month, and it doesn't have to be made available on the download pages at the same time as the automatic update is pushed out.

Download and test IE7 in your usual operations - if an app fails in IE7, you can spend some time getting it to work, or remove it and use IE6 again. While you do that, of course, you want to be pestering the vendor to get their app to work.

Your users who run with Automatic Updates enabled will be getting IE7 on November 1 (All Souls' Day, or the Dia de los Muertos), by the current schedule. So, update in advance to prepare for this.

Even though a number of vendors (hello, Intuit!) have stated that they will not support IE7, many of their applications just plain work anyway.

How Apple keeps the statistics favourable

Apple does its job to make sure that you'll see more viruses on Windows than on a Macintosh.

My favourite quote - "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it."

According to McAfee, this virus infects due to a user's insertion of a removable drive carrying the virus, and "the user agrees to the auto run prompt for execution of the worm".

Uh... so I guess that line should be "As you might imagine, we are upset at Windows for automatically running the software we approve it to run, and even more upset with ourselves for distributing it through shoddy practices and a lack of scanning or clean-room preparation of these devices."

At least Apple isn't asking for access to patch the Windows kernel.

Patch Drafting - last week's crop.

I posted towards the end of last month about "Patch Drafting", the practice of releasing your company's patch notices after Microsoft releases theirs, so that the news rags state "Hordes of patches required for Microsoft software", rather than "Hordes of patches required for your software".

This month's patch drafting included:

Adobe:

  • APSB06-15 - Macromedia Contribute Publishing Server local information disclosure
  • APSB06-16 - Breeze 5 Licensed Server Information Disclosure
  • APSB06-17 - ColdFusion MX 7 local privilege escalation

Novell:

  • TID-2974551 - BorderManager 3.8 POST SP4 Security Patch1

I don't think we can count Oracle, who will be releasing their quarterly update tomorrow. Mind you, the announcement that they'd be rating their bugs as to how serious they are, that came ... the day after Patch Tuesday.

Oh, and there's also a flurry of PHP-based application vulnerabilities, too - phpBB, miniBB, etc.

Of course, this is still all far less worrisome than the "security researchers" who wait until just after Patch Tuesday to publicly release their findings of unpatched vulnerabilities.


Microsoft opens up kernel API. Maybe.

In an article "Microsoft Now Decides to Accept Outside Security for Vista", the Washington Post says that Microsoft "did an about-face", "agreeing to make it easier for customers of its forthcoming Vista operating system to use outside security vendors, such as those who make popular antivirus and anti-spyware programs".

Okay, first, I have to disagree that it makes life easier for customers. Customers slip the CD into the drive, and press "OK" until the software is installed. Nothing Microsoft is doing in respect to this makes life any easier or harder for customers.

However, they may very well be making it easier for those security vendors to keep their old products hobbling into the new operating system without having to change their code.

Is that what you want? Is it really? You want a new operating system's security to be interrupted by old code using the old way of interfacing with the kernel?

Why not have new code that uses the new way of interfacing with the kernel? Mini-filters and other APIs allow anti-virus and other security-related programs to monitor and approve / reject all file activity on the fly, which they previously hacked into the kernel to achieve. I'd much rather see a documented API be used than a kernel hack.

[But then, I've always been a fan of using documented APIs - they are stable and reliable, and you can get support on them when they don't work the way you expect.]

Back to the story, then. Have Microsoft done a U-turn?

Hard to say, really, given that the words being used by everyone come from a transcript of a press conference with Microsoft's General Counsel (aka head lawyer), Brad Smith.

In that press conference, Brad says:

"We devised a new engineering approach that will create and extend new kernel level APIs so that PatchGuard will be retained, the security of the kernel will be protected, and yet security vendors will have an opportunity to meet their needs through these kernel level API extensions."

Hmm... that sounds awfully much like those already-existing APIs designed to interface with anti-virus and other security solutions.

So, the game play seems to be that Symantec and McAfee kick up a big stink, Microsoft says "there, there, everything's fine", and the newspapers notch it up as a victory for the anti-virus folks.

Okay, if that's the way you want to play it, fine. But really, if the antivirus vendors can start using documented APIs, we all win.

Given the number of times I've had to rescue a crashed machine from family members, only to discover that it's a combination of Norton (by Symantec) and some other component of Windows, I'm comfortable keeping those anti-virus vendors out of patching the kernel or calling it through undocumented (and therefore unmonitored) means.

On the machines that I've seen these programs installed, I've disabled so much functionality - and much of it described as unnecessary by the vendor themselves - that I wonder what benefit they really give my users, other than slowing their machines down and breaking the functioning of their software.

The most important national news item

Apparently, today, the most important news item around the country is that two guys accidentally crashed their vehicle into a building in New York two days ago, killing themselves, as well as setting the building on fire and causing a few injuries.

Normally, this would cause nothing more than a momentary pause in the overall news coverage, because people crash vehicles into buildings all the time (if you live on a street corner, you'll know what I mean).

This story is so huge for the simple reason that the vehicle was flying, not driving. Nothing else. No greater damage, no massive loss of life, just the fact that a flying vehicle is apparently scarier by orders of magnitude than one that rolls around on the ground.

So, now the questions come... should we ban air traffic through New York City? [Why, would you call for the banning of ground traffic, if someone caused the same damage in a car?]

Personally, I think that if this incident means anything, it is that we should start pulling aside anyone in an airplane line that looks like they might play baseball, and search them.


Way to "not remain silent", George!

"We won’t remain silent as Microsoft imposes unnecessary security risks," wrote George Samenuk, just days before resigning from McAfee, apparently because of a back-dated stock-options scandal that started in 1996, lasting through Samenuk's reign as CEO and into the recent appointment (last March) of Kevin Weiss as company President.

Speaking of Kevin Weiss, he has been fired from the company, apparently.

I'll confess I don't understand much about the SEC and the point of this investigation, but it seems like Weiss (who came up through Sales, not Finance) is taking the fall and allowing Samenuk to bow out somewhat more gracefully.  I know if I was in that kind of lofty position, I'd be happier to resign than to be publicly terminated - unless, of course, I could point to the termination as a bone-headed or political move that was obviously unrelated to my ability at performing the job, and more related to the timing of an investigation, and the need to put a head on a pike.

Maybe Microsoft should release Vista quickly, while their detractors in the security field are playing "Who's the Boss?"

Feedback loops and financial pressure

A comment to one of Jesper's blog posts reminds me that although money isn't the only motivator around, it's often the easiest one to use when predicting behaviour.

I am a huge believer in feedback loops.  If you can set up a situation such that good behaviour is automatically rewarded, and bad behaviour is automatically punished, you've got a self-policing situation - a feedback loop - where your desired behaviour is almost certain to occur.

On the contrary, if pain is not felt by the person or department causing that pain, the pain will continue.

Most workers in business will be able to point to a case where pain is being caused (by some other department), and where there is clearly no effort to cease the pain, because it's not being felt by the person causing it.

But it's equally true of companies themselves. When you choose to buy from a company, consider whether their business model - the way they make money - builds from solving your problems, or from continuing their existence.

I used to use Red Hat as the primary example here - they make close to no money on delivering their OS to you, and make all their money from selling support and consulting services.  It wouldn't take an MBA candidate to realise that they can make more money by concentrating more on their consulting, and less on developing a solid and complete product to begin with.

I'll say right now, I haven't seen any sign that Red Hat have deliberately kept their OS crappy to encourage more support calls, or that they've deliberately dumbed down features in order to sell high-priced add-on services. But the financial pressure - the weight of "where is our next buck coming from?" - is always going to push them in that direction. What pushes back? Their good natures.

This past week has reminded me that antivirus vendors - some of them, at least - are also firmly wedged into a position where their financial pressure pushes them to do things that are counter to their customers' wishes, relying on them being good people, rather than merely good businesses. Antivirus vendors benefit from the continued perception that the OS is insecure, and that you need to buy something new every month to make it secure again.

Is there a business model for an antivirus vendor that would have them working to help the world build more secure operating systems and applications?

Microsoft's man in Europe thinks BitLocker is something it isn't

I've discussed this before - BitLocker in Vista, by default, only offers to encrypt your laptop using a key it gets from the onboard TPM chip. This means that you can boot the laptop to a logon screen, and try to attack the system not only through the logon password, but also through all of the data ports, with no resistance from the encryption scheme.

According to Jean-Philippe Courtois, president of Microsoft International, however, "Even if your laptop is stolen, nobody will be able to use it because it will be fully encrypted".

That statement has a couple of problems:

1. It's not strictly true. As far as I can tell, I'll be able to use your laptop by reformatting it. That's not really a big deal, though - BitLocker is about protecting your data.

2. It's not even true if you assume he's talking about the data on the laptop, in BitLocker's default mode of operation. Encryption of data is only sensible if the keying material is not stored with the data.

In the interests of balance, I'm going to back off the alarmist nature a little here.

Most laptop thefts will be by technically inept opportunists, interested only in the value of the hardware itself. The laptop will then proceed through a chain of nefarious individuals who will simply format it and install some half-baked pirated copy of Windows on it before selling it on. Your data will probably not be used.

Probably.

On the other hand, of course, that data is probably more valuable to a smart and motivated thief. The same guys that have dabbled in identity theft and credit card fraud are going to be quite at home with pulling your information out of a laptop, using a tool they download from a web site somewhere.

Do you want to take that risk? Not if you were thinking of installing BitLocker.

Initial impressions on this month's security updates

You can find this month's Microsoft Security Bulletin here.

Here's what it contains:

Moderate:

MS06-056 - Vulnerability in ASP.NET Could Allow Information Disclosure (922770) - If you do .NET 2.0 web site hosting, apply this. Moderate risk of information disclosure - nothing to get hugely excited about, but if your .NET development team don't understand the information being disclosed, find a better expert.

Critical:

MS06-057 - Vulnerability in Windows Shell Could Allow Remote Code Execution (923191) - This is the WebViewFolderIcon ActiveX vulnerability. Since this patch fixes the vulnerability, don't forget that if you've taken any other mitigating factors (adding a restrictive ACL, modifying the file yourself, etc), you will almost certainly want to undo them before applying this patch.

MS06-058 - Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163) - If you use PowerPoint, apply this patch. Don't assume that the later "Office patch" in today's release will fix this problem. According to the documentation as it stands currently, that is not the case. This patch also applies to PowerPoint on the Apple Mac!

MS06-059 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164) - As with the PowerPoint patch, install this one if you use Excel. And then install the Office patch as well. This patch applies even if you use Excel on the Apple Mac!

MS06-060 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554) - You get the picture, apply this patch if you use Word - even Word on the Mac! And then install the Office patch.

MS06-061 - Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191) - XML has been Microsoft's religion for the last several years. I can't begin to sum up the number of programs that are likely to have some tie-in to this.  Since it's a remote code execution vulnerability, I suggest you apply it everywhere.  That includes servers, because they may be using web services and XML in order to communicate.

MS06-062 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581) - If you run Office - even Office on the Mac! - apply this patch - and then go check that you applied all the other patches for various components of Office.  Better still, go use Microsoft Update, and just update all your Microsoft applications automatically.  [I don't think Microsoft Update applies to the Mac - you may have to download these by hand.]

Important:

MS06-063 - Vulnerability in Server Service Could Allow Denial of Service (923414) - Taking your computer offline by sending it a network packet - for servers, that's generally more than important to prevent, so unless you are blocking the usual ports (and can trust your internal users not to run random downloaded garbage), definitely install this on your servers at first opportunity. And don't forget that clients run the server service, otherwise they wouldn't be able to share files across the network.

Low:

MS06-064 - IP Could Allow Denial of Service (922819) - reading the article carefully shows that this is related to IPv6 only.  Blocking all IPv6 traffic at the network would be a good mitigation if you are not using IPv6. You can also uninstall IPv6 by running the command "netsh interface ipv6 uninstall". This vulnerability essentially allows people who can 'ping' your box through IPv6 to occasionally disconnect some of your applications' connections. Most people today are not using IPv6, so this is really unlikely to cause anyone much bother. Install it or don't.

Moderate:

MS06-065 - Vulnerability In Windows Object Packager Could Allow Remote Code Execution (924496) - In my view, this one's a bit of a stretch. It'd require a user agreeing to a dialog box that didn't quite look remotely right.

General recommendations:

Okay, so clearly, at home and my small business, I'm going to install all of these by automatic updates, and reboot the first chance I get.  It's been a long time since Microsoft has released a really cruddy update.

At my day job, where it "requires an Act of Congress" to reboot a server, I'm still going to recommend that all workstations install all of the critical vulnerabilities, plus MS06-063; the servers should install MS06-056, and if they're file servers, MS06-063.

And, of course, the usual recommendations stand:

  • Don't surf from the servers.
  • Don't run Office (and Outlook is part of Office!) on the servers.
  • Don't believe your Mac is immune.
  • Don't run as an administrator-level account. Ever. Unless you absolutely have to.

McAfee wants to modify your kernel


Much press has been made lately about the complaints by McAfee and Symantec that they have been locked out of modifying the Windows Vista x64 kernel through the closure of undocumented back-doors that they used to use. (Sadly, none of what either company has said seems to carry any technical explanation with it, just rhetoric wailing that "customers' security will suffer".)

Jesper wrote about this on his blog, as did Sandi and Walter, as well as Stephen Toulouse - and there are many others out there with various perspectives. Rocky Heckman, for instance, or Microsoft's security head honcho, Ben Kingsley.

I think that this is more a reliability issue than a security issue (I see reliability as an important aspect of security).

Although it's got a security "face", in that you have to work hard to prevent attackers from modifying the kernel, it has a reliability "body" - the goal is, of course, to reduce the number of people with their fingers in the kernel, on the basis that many of them have no business there, or skill in that realm.

Given the buffer overflows and reliability issues caused by some of the security products from third-party vendors, it seems like a good idea to avoid having them tie in to the highest-privileged component on the system.  Symantec and McAfee are not OS kernel developers, they shouldn't be writing into the OS kernel.

Sure, we could say that about Microsoft, if we were to assume that Microsoft is the hive-minded Borg that the company is often portrayed to be. But let's step back a moment, and consider that the company is made up of application developers and kernel developers, among other distinctions that could be made.

Microsoft has made it clear that their own application developers will not be given undocumented hooks into the kernel - kernel development will be restricted to kernel developers.

Back when I was on the inside of Microsoft, I heard repeatedly that development was to be done using only published APIs. If I wanted to use another team's API that wasn't published, even if I could discover it by looking through source code, the only appropriate method was to request that the owners of that code publish it as an API, so that I could legitimately use it.

A recent example of this "only use the published APIs" approach is the WiFi Live Beta program that started up recently. You could spot that this was likely to be coming, because before it was announced, there was a release of WiFi Native APIs.

Symantec and McAfee have heard that they will be locked out from unauthorised modifications to the kernel for some months now (I know, because I've heard this for some months now, and I'm not in the inner circle of virus companies that gets more information than I do).

Why did they choose this time to start the PR blitz?

What else is going on right now that would cause this to be a worthwhile time to complain like this?

Biometrics fail to authenticate, once again

Steve Riley points to Mythbusters' successful attempts to breach biometric security - okay, so it's not really that the door lock failed to authenticate, it's that it failed to not authenticate.  Shocking in the extreme is that this test actually demonstrated that even a photocopied fingerprint can fool this "unbreakable" door lock.

I'll say it again (and again) - because biometrics are a public part of your persona (unless someone has invented a biometric based on the pattern of your haemorrhoids), they are only suitable for use as a claim of identity. They can / should never be used as a proof of identity. (Though it is an interesting thought that using them as such might get around the problem of password and data loss through death of the password owner.)

That's not to say that biometric door locks have no place - for a relatively low security use, or against unmotivated and unsophisticated attackers, for instance, they may serve a valid purpose. Use one to keep the kids out of the liquor cabinet - but don't use one to keep the feds out of your filing cabinet.