Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

I just read an interesting article - the January 2007 The Business of Software column in the Communications of the ACM - entitled Agile … and Offshore, by Phillip G. Armour (sorry, the text isn’t available for free, but I’ll summarize). No, this post has nothing to do with so-called Agile development.

Rather, my interest is this: the author reports on an interview he conducted with the CEO and CTO of Chicago-based Aginity, who make business intelligence dashboard applications. Their development team is split between their headquarters and a city in Ukraine. What’s cool is that they rely on a number of ("free") open-source tools, which they claim have only recently reached the level of maturity to make such an offshore approach feasible for a small and, okay … agile … company.

The list of tools cited:

The fact that Aginity seem to be targeting the Windows platform makes me wonder if Microsoft’s Visual Studio IDE was omitted from that list simply because it’s not open-source, or because they’re actually not using it. Playing around with the live demo dashboards linked from their webpage leads me to conclude that they’re almost certainly using VStudio, since the demos are ASP.NET based, and they appear to be both high-quality and quite complex. I don’t know the relative cost of VStudio licenses in Ukraine, but I can only guess that it must pay for itself if you’re doing this type of work. Hence, I theorize that they’d be screwed without it, perhaps even more so than in the absence of any of the tools above.

The point is that the list of tools above is collaboration-oriented, and that while this type of tool seems to have reached critical mass in terms of enterprise-readiness, the open-source IDEs (e.g. Eclipse; acknowledging, of course, that IBM has its own agenda) have not, at least when it comes to working with Microsoft’s current application technologies (e.g. ASP.NET, WinForms, etc), targeting Windows.

I suppose this is simply a reflection of the reality that VStudio will always have a built-in head-start when it comes to integrating with proprietary Microsoft technologies. That’s not to say that a 3rd party couldn’t pull it off, or that, for that matter, Microsoft’s technologies are the best solution for every mainstream business problem. Still, I find myself using VStudio almost constantly - wishing it were both better and cheaper. Healthier competition might accomplish both things.


I’m happy to announce that I’ve had a second article published with MSDN Magazine.  This one explains how to implement a Credential Provider for Vista.  Credential Provider is the new interactive authentication plug-in model for Windows, replacing the deprecated GINA interface.  Yes, that’s correct, your GINA won’t work on Vista.

As I explain in the article, though, CredProvs are pretty easy to write, and offer more flexibility than the GINA interface did.

As always, I welcome reader feedback and questions.  However, I’m considering disabling blog comments, because it gets overloaded with spam.  If that happens, I can be reached via my corporate contact page.


I’m happy to see that the NMap folks took my Vista fix - see their changelog and my previous post on the subject.  However, in running the latest NMap - 4.20 - on my Vista RC1 machine, the dependency error on npptools.dll is still there.

Drilling into this problem a bit:  the dependency is from WanPacket.dll, a component of WinPcap version 3.1, which is included by default with the NMap Windows installer.

link.exe /dump /imports WanPacket.dll
Microsoft (R) COFF/PE Dumper Version 8.00.50727.42
...

Section contains the following imports:

NPPTools.dll
...
4 CreateNPPInterface
12 GetNPPBlobTable
2E SetBoolInBlob
3 CreateBlob
5 DestroyBlob

From MSDN, those routines are part of the Netmon SDK.  But from Microsoft’s recent Netmon v3 release information, their capture, parser, and interface have been re-written.  And, significantly, Netmon 2.x is not compatible with Vista.  However, as I wrote previously, dropping the old npptools.dll from my XPSP2 machine onto Vista seems to allow NMap to run just fine. 

But there’s a better solution which indicates that this problem will soon be solved.  WinPcap version 4.0 Beta 3 is now available and no longer has the NPP dependency.  In fact, WanPacket.dll is no longer part of the distro.  So here’s what I did:

  1. Install NMap 4.20 (including WinPcap 3.1) on Vista
  2. Go to Control Panel -> Programs and Features (used to be Add/Remove Programs), select WinPcap, then Uninstall.
  3. Install WinPcap 4.0 Beta 3.

Everything seems to work at that point, and no need for npptools.dll.  Hopefully the NMap folks will pick up the new WinPcap distro soon and this will all be a distant memory …


We’ve been working on an interesting project lately, which has allowed us to research some of the more popular network-based security scanning tools on the market.  One of the things we’ve encountered during our research is a proliferation of lists of security tools.  Turns out that’s exactly what we were looking for!

I feel compelled to provide my own lists.  These do not reflect the opinion of any of my clients. 

The 2006 List of The Best Security Tools Lists
  1. Fyodor’s - unlike the other lists, this one appears to be based on feedback from a decent sampling of people who should know what they’re talking about.  On the other hand, it’s skewed toward open-source, gray-hat stuff.  Still, it gives the low-down on 100 different tools, which is cool.
  2. Darknet - well commented, although only discusses 15 tools.
  3. dmoz - just an alphabetical list:  boring. 
  4. My own list, which follows … :)

Before I provide my own Best Security Tools list, some additional comments: 

  • The following list reflects a considered compromise between the marketing prowess of the entities represented, correlated with a gut check on whether the average Fortune 1000 IT guy would be interested.  This, in turn, is balanced against perceived quality, which is partially based on the lists above. 
  • I’m only considering network-based vulnerability scanners.

The 2006 List of The Best Network-Based Vulnerability Scanning Tools
  1. Tenable/Nessus
  2. Metasploit
  3. Canvas
  4. Core Impact
  5. ISS
  6. Watchfire
  7. eEye
  8. Qualys

A colleague and I have been playing around with the new Provisioning API in Microsoft’s Certificate Lifecycle Manager (CLM) Beta 2 product.  So far, aside from a lack of documentation which I’m told will be forthcoming, the Provisioning API kicks major butt.  It’s going to allow customers and integrators to marry CLM’s powerful PKI deployment capabilities with other scenarios, such as OTP, that Microsoft doesn’t otherwise support.  Kudos to the dev team for pulling off this significant feature addition while under pressure to get CLM v1.0 out the door!

Anyway, what we learned is that Microsoft.Clm.Provision.dll is what’s known as a "2.0 assembly," meaning it was built against the version 2.0 CLR.  To find this information, we ran:

ildasm.exe Microsoft.Clm.Provision.dll

and clicked on the Manifest list item in the resulting window.  Listed dependencies include the following:

.assembly extern mscorlib
{
  .publickeytoken = (B7 7A 5C 56 19 34 E0 89 )                         // .z\V.4..
  .ver 2:0:0:0
}

.assembly extern System
{
  .publickeytoken = (B7 7A 5C 56 19 34 E0 89 )                         // .z\V.4..
  .ver 2:0:0:0
}

I believe this also implies that the assembly was built with the 2.0 (presumably C#) compiler.  The net result is that projects dependent on this assembly are not compatible with Visual Studio 2003 (aka Everett), into which the 1.1 CLR and C# compiler are integrated.  Hence, gotta upgrade to 2005 (aka Whidbey)!

I suppose it may be possible to point VS 2003 at the 2.0 compiler and CLR, but I have no idea how to do that, and it sounds very painful.  However, there’s a better option, which also happens to be free:  download the latest Visual C# Express Edition from MSDN and use that instead.  It works - we checked.
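
An added example (not from the original posts, and not NMap, WinPcap or Microsoft code): the two manual checks on this page, listing a DLL's imports as link.exe /dump /imports does in the NMap post and finding the CLR an assembly targets as done with ildasm in this one, as a single Python script. It reads the runtime version string stored in the assembly's metadata header (v2.0.50727 for a 2.0 assembly) rather than the .assembly extern entries ildasm shows; the function names are hypothetical.

```python
import struct
import sys

def _layout(data):
    """Return (16 data-directory RVAs, section table) for PE image bytes."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    dirs = opt + {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", data, opt)[0]]  # PE32 / PE32+
    ndirs = min(struct.unpack_from("<I", data, dirs - 4)[0], 16)
    rvas = [struct.unpack_from("<I", data, dirs + 8 * i)[0] for i in range(ndirs)]
    # Section header: 8-byte name, then VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<8x4I", data, opt + opt_size + 40 * i) for i in range(nsect)]
    return rvas + [0] * (16 - ndirs), sections

def _offset(sections, rva):
    for vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr      # RVA translated to a file offset
    raise ValueError("RVA 0x%x is outside every section" % rva)

def imported_dlls(data):
    """DLL names from the import directory (what link /dump /imports lists)."""
    rvas, sections = _layout(data)
    names, off = [], _offset(sections, rvas[1]) if rvas[1] else None
    # Import descriptors are 20 bytes each; an all-zero descriptor ends the table.
    while off is not None and any(struct.unpack_from("<5I", data, off)):
        start = _offset(sections, struct.unpack_from("<I", data, off + 12)[0])  # Name RVA
        names.append(data[start:data.index(b"\0", start)].decode("ascii"))
        off += 20
    return names

def clr_version(data):
    """Runtime version string from CLI metadata, or None for a native image."""
    rvas, sections = _layout(data)
    if not rvas[14]:                         # directory 14 = CLR header
        return None
    meta_rva, = struct.unpack_from("<I", data, _offset(sections, rvas[14]) + 8)
    root = _offset(sections, meta_rva)
    if data[root:root + 4] != b"BSJB":
        raise ValueError("bad metadata signature")
    length, = struct.unpack_from("<I", data, root + 12)
    return data[root + 16:root + 16 + length].split(b"\0")[0].decode("ascii")

if __name__ == "__main__":
    for image in (open(p, "rb").read() for p in sys.argv[1:]):
        print(imported_dlls(image), clr_version(image))
```

Pass one or more DLL or assembly paths on the command line; a native image prints None for the CLR version.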
