Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Apparently this happened back in April and I wasn’t paying attention. Anyway, the local (Seattle area) biometric software firm BioPassword is now called AdmitOne. I think the new name is pretty clever, especially given how crowded the security products space is.


Kleiner Perkins has made $100 million available to fund ideas targeting the iPhone. That strikes me as a pretty big bet, although I don’t know how much of it is yet committed, or how fast it’ll go.

Still, one of the listed focus areas is communication. And with the number of business users using, and switching to, the iPhone, security is a major consideration, and hence an opportunity.


I’ve had Scheme on the mind ever since I read this from a recent list of start-up technology ideas that I blogged about a few days ago:

“A web-based Excel/database hybrid … Don’t make it feel like a database … You want the database equivalent of a language that makes its easy to keep data in linked lists. (Which means you probably want to write it in one.)”

After I read that, I immediately thought to myself, “I think that guy is talking about Scheme!” Followed closely by, “Wow, does anyone actually embody that combination of talent and insanity?”

But it turns out that Paul Graham, who wrote that list, also wrote books on Lisp, and is therefore exactly the type of person to advocate such an approach. Pretty cool.


You already knew that if you have a good idea in any of these areas, you can probably get money. Still, that kind of list is always good for inspiration.


The best description currently appears to be here - http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html.

I originally learned about it here - http://www.securityfocus.com/columnists/477.

And, before finding the first link, checked out the CERT link (http://www.kb.cert.org/vuls/id/800113), which also has a better technical summary than the SecurityFocus article.


Academic malware

July 20, 2008

This is the kind of thing that you’d probably only be aware of if you work in the anti-virus software business. Anyway, turns out there’s a group in Europe that has created a test virus. It’s useful for checking whether your A/V software is installed correctly. Also useful if, like me, you need to run a demo that shows a piece of malware being quarantined.

http://www.eicar.org/anti_virus_test_file.htm


I just learned an important step when performing the following sequence: export Hyper-V virtual machines (VMs) from one machine, copy them (recursively) to another machine, and attempt to import them. Namely, you must include empty sub-directories when you copy the full export tree.

Here’s the error you’ll see if you don’t do that:


Failed to import the virtual machine from import directory … Error: the system cannot find the path specified. (0x80070003)

Here’s the command I should have used the first time around:


robocopy.exe z:\Export e:\HV *.* /s /E

But since I didn’t, I used this one to pick up the empty sub-dirs, but exclude all of the files (especially the giant ones) that I’d already copied:


robocopy.exe z:\Export e:\HV *.* /s /XO /E

Import note: if you’ve already attempted a failed import, and didn’t check the box for keeping the same machine ID, then the name of the VM’s .exp file on the local host will have been changed during the failed import (see the “Virtual Machines” subdir of the VM in question). So confusing! Thus, if you run a robocopy command such as the above, you’ll now have multiple .exp files for that machine. But here’s the trick: the one you should keep is the one that matches the new empty sub-dir that you just copied over. Delete the other one and re-try the import.
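An added PowerShell check for the two failure modes above (not from the original post): it compares the copied tree against the export source, reporting any directory, empty or otherwise, that did not make it across, and then flags stray .exp files whose base name has no matching sub-directory. The "Virtual Machines\<GUID>.exp beside a <GUID> directory" layout is assumed from the description above.

```powershell
# Added example, not from the original post. Verifies a copied Hyper-V export
# tree: (1) every source directory, including empty ones that robocopy /S
# skips, exists under the destination; (2) .exp files left behind by a failed
# import are identified by the absence of a sub-directory matching their name.
param(
    [string]$Source = 'z:\Export',   # export tree on the source host
    [string]$Dest   = 'e:\HV'        # where the tree was copied to
)
$srcRoot = $Source.TrimEnd('\')
$dstRoot = $Dest.TrimEnd('\')

# 1. Directories present under $Source but missing under $Dest.
$missing = Get-ChildItem -Path $srcRoot -Recurse |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $rel = $_.FullName.Substring($srcRoot.Length)   # e.g. \vm1\Virtual Machines\<GUID>
        if (-not (Test-Path -Path ($dstRoot + $rel) -PathType Container)) { $rel }
    }
if ($missing) {
    Write-Host "Directories missing from $dstRoot (re-run robocopy with /E):"
    $missing | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "All source directories are present under $dstRoot"
}

# 2. In each "Virtual Machines" folder, keep the .exp whose base name matches a
#    sub-directory; an .exp with no partner directory is the renamed leftover
#    from the failed import (assumed layout, see lead-in).
Get-ChildItem -Path $dstRoot -Recurse -Filter '*.exp' | ForEach-Object {
    $partner = Join-Path $_.DirectoryName $_.BaseName
    if (Test-Path -Path $partner -PathType Container) {
        Write-Host "keep   : $($_.FullName)"
    } else {
        Write-Host "orphan : $($_.FullName)  (no '$($_.BaseName)' sub-directory)"
    }
}
```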


I was doing some troubleshooting Friday of a System Center Configuration Manager 2007 SP1 deployment on Windows Server 2008. The SCCM (or ConfigMgr - whichever abbreviation you prefer) client is installed on a Vista machine in the lab for testing.

The first problem I observed was that a software package distribution was failing. I confirmed that the SCCM site server is configured as a Distribution Point, and that the package in question is deployed to that DP. But still no luck.

Analyzing the status messages on the ConfigMgr server, I saw most notably the following:


System: (my Vista machine)
Source: SMS Client
Component: Software Distribution
Type: Milestone
Severity: Error
Message ID: 10051
Description: The content for ... could not be located. This SMS client will no longer attempt to locate this content. Possible cause: The content source might not be available ...

But at this point, based on the success messages posted by the DP, I was pretty certain that the DP component itself, as well as the package in question, was configured correctly, at least on the server side.

Another couple of troublesome messages came from the client in %systemroot%\system32\ccm\logs\cas.log. First this one, dating back to the initial install of the ConfigMgr client: “Software Distribution Site Settings for the client are missing from WMI …”

And this one in execmgr.log in the same client directory: “Raising event … SoftDistErrorNoContent …”

An equally important observation about cas.log, which I suspected at the time but couldn’t confirm until now: the NetBIOS name of the DP server didn’t occur in the log until after the issue was fixed. That’s a telltale sign that the client knew the package existed, but couldn’t figure out how to download it.

It took me a while to get there, though. Some web searching led me to initially believe that the correct version of MSXML was missing from the Vista client, and I tried installing an older version, but, for future reference, I don’t think that was part of the problem.

Then another post reminded me that the ConfigMgr client had been unable to automatically detect its local site code (see %systemroot%\system32\ccm\smscfgrc.cpl | Advanced | Configure Settings). I thought, at the time, that was only because I’d forgotten to create the System Management node in Active Directory. But re-running the client auto-discover at this point revealed that was still broken! It hadn’t occurred to me until that point that these issues might be connected.

The answer came when I ran across posts, in various contexts, about setting site boundaries. Seems that can affect a lot of ConfigMgr functionality - to a confusing extent, actually, because even though the client may be hardcoded to a certain site, package distribution will still fail unless an explicit boundary mapping exists for the client in question.

Lab testing confirmed this. Check out Site Database | Site Management | (Site Name) | Site Settings | Boundaries in the Configuration Manager Console snap-in. I set a single boundary to include the virtual 10.0.0.x network in use by the test machines. Much to my delight, auto-discovery and the package download were fixed immediately.
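An added triage script (not from the original post) that turns the three log observations above into a check: the "Site Settings ... missing from WMI" line in cas.log, the SoftDistErrorNoContent event in execmgr.log, and the DP's NetBIOS name never appearing in cas.log. When all three hold, the script points at site boundaries rather than the DP. The DP name and the sample log lines are constructed for illustration.

```powershell
# Added example, not from the original post. Scans ConfigMgr client logs for the
# symptom pattern described in the post and reports whether site boundaries are
# the likely cause. Real cas.log/execmgr.log lines are CMTrace-style XML; the
# samples below are simplified, constructed text.
param(
    [string]$LogDir = "$env:SystemRoot\system32\ccm\logs",
    [string]$DPName = 'NORTHWINDDC'      # hypothetical DP NetBIOS name
)

function Test-ConfigMgrContentSymptoms {
    param([string[]]$CasLog, [string[]]$ExecMgrLog, [string]$DP)
    $r = @{}
    $r.SiteSettingsMissing = [bool]($CasLog     | Select-String -SimpleMatch 'Site Settings for the client are missing from WMI')
    $r.NoContentEvent      = [bool]($ExecMgrLog | Select-String -SimpleMatch 'SoftDistErrorNoContent')
    $r.DPNamedInCasLog     = [bool]($CasLog     | Select-String -SimpleMatch $DP)
    # Package known, DP never contacted, site settings absent: the client
    # cannot resolve its site, so check Site Settings | Boundaries first.
    $r.SuspectBoundaries = $r.SiteSettingsMissing -and $r.NoContentEvent -and (-not $r.DPNamedInCasLog)
    return $r
}

# Constructed sample lines reproducing the post's observations
$sampleCas  = @(
    'Software Distribution Site Settings for the client are missing from WMI ...',
    'Requesting content ... from 1 locations'
)
$sampleExec = @('Raising event: ... SoftDistErrorNoContent ...')
Write-Host 'Sample logs:'
Test-ConfigMgrContentSymptoms -CasLog $sampleCas -ExecMgrLog $sampleExec -DP $DPName | Format-Table -AutoSize

# Same check against the live client logs, when run on the client
if (Test-Path "$LogDir\cas.log") {
    $cas  = Get-Content "$LogDir\cas.log"
    $exec = Get-Content "$LogDir\execmgr.log" -ErrorAction SilentlyContinue
    Write-Host "Live logs in ${LogDir}:"
    Test-ConfigMgrContentSymptoms -CasLog $cas -ExecMgrLog $exec -DP $DPName | Format-Table -AutoSize
}
```

On the constructed sample, SuspectBoundaries comes out True; after the boundary fix the DP name shows up in cas.log and the flag clears.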


I referred to this in my TechEd post here. Various links to the interview are here.


Are you one of those people who, like me, thought that couldn’t be done? Well, read on, because it can!

What am I talking about? I wanted to create an IPsec policy that requires a health certificate. That is, require that the IPsec peer present a valid certificate which includes the System Health Authentication OID (used by NAP). Since that capability isn’t supported by the old IP Security Policies snap-in, I needed one of the new Connection Security Rules (that is, the new rule type included in the Vista and Server 2008 firewall).

But I also wanted that rule to be port-specific. While that capability is supported by the legacy IP Security snap-in, it’s not exposed by the Connection Security Rules GUI. Lame.

However, the underlying rules engine supports that combination, and the capabilities are exposed by the netsh.exe command-line. Cutting to the chase, here’s an example:


netsh.exe advfirewall consec add rule name=HRweb-Secure endpoint1=10.0.0.3 endpoint2=10.0.0.2 action=requireinrequireout port1=any port2=8000 protocol=tcp auth1=computercert auth1ca="DC=LOCAL, DC=NORTHWIND, CN=NORTHWIND-NORTHWINDDC-CA" auth1healthcert=yes

In summary, that command creates a new connection security rule with the following characteristics:

  1. The rule applies to traffic exchanged between two IPs, 10.0.0.3 and 10.0.0.2.
  2. Authentication is required on inbound and outbound traffic.
  3. The rule applies to traffic originating from any port, but only when destined for port 8000.
  4. Finally, both parties must present valid certificates issued by the specified CA, and the certs must contain the health OID.

As an aside, regarding the operating environment, the x.2 machine is a demo web server and x.3 is the client. But keep in mind that IPsec views them as peers.

Important caveat: that rule only gives you integrity, not privacy. That is, the resulting traffic is authenticated and has a cryptographic checksum, but it’s not encrypted. As I said, this is for a web server, and TLS is being used for encryption. Why bother with IPsec? The health OID! By requiring that, I’m ensured that any machine hitting the demo web site has been deemed compliant, based on the current network health policies.
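An added script (not from the original post) that creates the rule above, dumps what the firewall stored so the port and health-certificate settings can be checked, and then shows the variant to use if the IPsec layer itself must also encrypt, which addresses the integrity-only caveat. The qmsecmethods syntax is taken from the netsh advfirewall consec add rule help and is an assumption to verify on your build; the addresses and CA name are the post's demo values; "--%" (PowerShell 3+) hands the rest of each line to netsh verbatim.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.

# 1. The post's rule: peers 10.0.0.3/10.0.0.2, TCP to port 8000 only, auth
#    required both ways, certificate from the named CA with the health OID.
#    Traffic is authenticated and integrity-protected, but not encrypted.
netsh.exe --% advfirewall consec add rule name=HRweb-Secure endpoint1=10.0.0.3 endpoint2=10.0.0.2 action=requireinrequireout port1=any port2=8000 protocol=tcp auth1=computercert auth1ca="DC=LOCAL, DC=NORTHWIND, CN=NORTHWIND-NORTHWINDDC-CA" auth1healthcert=yes

# 2. Verify what was stored: the dump should list port 8000 for endpoint 2,
#    computer-certificate authentication and the health-certificate requirement.
netsh.exe --% advfirewall consec show rule name=HRweb-Secure

# 3. If TLS is not in the picture and confidentiality is needed at the IPsec
#    layer, replace the rule with one that requires ESP with AES-128
#    (SHA-1 integrity, rekey after 60 min or 100 MB). Assumed syntax, see lead-in.
netsh.exe --% advfirewall consec delete rule name=HRweb-Secure
netsh.exe --% advfirewall consec add rule name=HRweb-Secure endpoint1=10.0.0.3 endpoint2=10.0.0.2 action=requireinrequireout port1=any port2=8000 protocol=tcp auth1=computercert auth1ca="DC=LOCAL, DC=NORTHWIND, CN=NORTHWIND-NORTHWINDDC-CA" auth1healthcert=yes qmsecmethods=esp:sha1-aes128+60min+100000kb

# 4. Confirm the quick-mode security methods now show ESP with encryption.
netsh.exe --% advfirewall consec show rule name=HRweb-Secure
```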
