Back to normal in Colorado

But am I here? It’s kind of hard to tell
I do a good impression of myself
But what’s normal now anyhow?
from “Normal” by Porcupine Tree

Since the great weirdness last month things are getting pretty much back to normal in Colorado. The Balloon Boy’s parents have fessed up, but not before the Larimer County Sheriff posted an item to his blog attacking [the father], calling him “clever and manipulative” and comparing him to the Joker character from “Batman.” But sadly, if you were looking forward to the Balloon family reality show, that idea is a non-starter according to at least one New York-based production company.

“It’s just too poisonous,” said Irad Eyal, vice president of development at True Entertainment. “I don’t think anyone is going to want to meet with a man who shamed his family and children that way. In reality TV, there’s a definite line you don’t cross, and that’s tormenting children.”

I’m just going to leave that quote alone – as nothing I could possibly add would make it any more hilariously absurd than it already is. But I digress. Balloon Boy saga done.

The insurance companies that thought they could get away with denying coverage to healthy children are backpedaling and spinning their respective ways back to sanity. The Denver Post reports that the insurer changed its course on the chubby baby.

Rocky Mountain Health Plans announced Monday that it found a flaw in its underwriting system and now will provide coverage to healthy infants, regardless of their weight.

“As a small company we were able to act quickly and decisively,” said Rocky Mountain spokeswoman Kayla Arnesen. “We are really pleased we are going to be covering Alex and other healthy babies.”

A “flaw in its underwriting system”? Dude, I can’t make up stuff this good. But again I digress. And the Denver Post also reports that the insurance company changed its mind on the skinny tot as well.

The Golden Rule Insurance Co. said Wednesday that it has changed its mind on a 2-year-old from northern Colorado rejected for coverage because she’s so skinny.

The insurer announced the change after [the parents] brought their story to television stations.

Golden Rule said in a statement that it changed its mind on Aislin’s case after a routine appeals process.

“I won’t tell you we’ve never made a mistake, because we have. But our reviews process is open to all,” said company spokeswoman Ellen Laden.

And the mistake was that they thought they could get away with it? At least the reviews process is open to all.

Westword is close to hiring that medical-marijuana dispensary reviewer. Although apparently I’m not the only one who found it humorous. According to Westword, their hunt for a pot critic made international news and the talk-show circuit.

“A newspaper in Denver is planning to hire a critic to write reviews of all the medical marijuana clinics in the state,” Conan O’Brien joked on his show last week. “My one suggestion for the editors: Give the guy a deadline.”

Thanks, Conan: We have. Westword stopped accepting applications for our medical-marijuana dispensary reviewer in mid-October. Now if comics and reporters alike would just stay off the story for a while (Westword’s job opening has been the punchline on both NPR’s Wait Wait Don’t Tell Me and a BBC quiz show, and we just logged mentions in newspapers in Russia, Israel and China), we might be able to actually finish the hiring process. For the record, we’ve gone through the more than 250 formal applications we received, contacted a dozen semi-finalists, and hope to have our new critic in place within the week.

That’s right, then it’s back to the same old, same old. But seriously, wouldn’t this be the best job ever?

The Denver Broncos are behaving more like expected now, with a 6-3 record having lost the last 3 games straight, making it altogether possible (yea, even probable) that they might only win 6 games total this season. Hey, you can only push the Almighty so far.

And finally, the Windows 7 juggernaut continues unabated. Well, except that according to J. Nicholas Hoover at InformationWeek the U.S. Government isn’t jumping on the bandwagon until the Federal Desktop Core Configuration (FDCC) is finalized for Windows 7.

It may be another six months before agencies can move ahead with Windows 7 deployment because a government-mandated security standard hasn’t been finalized.

The Federal Desktop Core Configuration spells out 300 settings for Windows PCs and laptops, with a goal of making them less vulnerable to hackers and data breaches. FDCC settings exist for Windows XP and Windows Vista, but not yet for Windows 7.

“It will take until spring 2010, at least,” said Ken Page, Microsoft’s FDCC program manager, in a presentation today at Microsoft’s Washington, D.C., office. “This process does not happen fast.”

Oh and there was that little brouhaha over Microsoft snagging some open source code for use in a semi-proprietary licensed tool as reported by Mary Jo Foley at ZDNet. But they’ve fessed up and made it right now. Or at least made it GPL 2.

From a November 13 blog posting by Microsoft Open Source Community Manager Peter Galli:

“After looking at the code (within the USB tool) in question, we are now able to confirm this (inclusion of improperly licensed GPL v2 code) was indeed the case, although it was not intentional on our part. While we had contracted with a third party to create the tool, we share responsibility as we did not catch it as part of our code review process. We have furthermore conducted a review of other code provided through the Microsoft Store and this was the only incident of this sort we could find.”

Galli said Microsoft plans to make the source code and binaries for the Microsoft tool available the week of November 16 under the terms of the General Public License v2 “and are also taking measures to apply what we have learned from this experience for future code reviews we perform.”

So like I said, things are getting back to normal. At least as normal as things ever get.

Colorado Weirdness

Strange days have found us
Strange days have tracked us down
From “Strange Days” by the Doors

I spend most of my time in the People’s Republic of Boulder, so I’m pretty blasé about strange stuff. I mean, this is a place where a candidate for city council can file a campaign finance report with $14.37 to “Only Natural Pet Store” for dinner for his campaign manager, a cat named Sita. And nobody thinks twice about it. Needless to say, my Bizarro-meter is calibrated way higher than most. Nevertheless, events of this last week have pretty much pegged it.

First there was the whole Balloon Boy saga. As if a runaway helium-filled Mylar flying saucer thought to have a six-year-old stowaway aboard wasn’t bizarre enough, it turns out to be an elaborate hoax for purposes of snagging a reality TV show. Move over John and Kate plus Octomom. This totally raises (or lowers) the weird-stuff-fools-do-to-get-on-TV bar. Here is a timeline of this odd affair.
Oct 20:
FAA investigating Colo. balloon flight
Griego: A better image of parenthood
Hollywood acquaintances say balloon boy’s dad always wanted fame
Oct 19:
Balloon boy saga “absolutely … a hoax,” Larimer sheriff says
Sheriff admits misleading the media to win trust of balloon boy’s family
Oct 18:
Fort Collins parents face felony charges in “balloon boy” case
Balloon escapade a hoax police say
“Balloon boy” responders dealt with roller coaster of emotions
Experts say TV cameras alter family dynamics, like in “balloon boy” case
Sheriff expects charges to be filed against Colorado family in “balloon boy” case
Oct 17:
Charges pending in “balloon boy” saga
Balloon family has pushed for television spotlight
Sheriff has questions, says he believes family
Oct 16:
‘Balloon boy’ found safe at home
Oct 15:
Feared lost in balloon, boy found at home

Yep. It just keeps getting weirder and weirder. Culminating in what will no doubt be the most popular Halloween costume of 2009 and this YouTube spoof Real Men of Genius: Heene. Just think, all this took place in the normal part of Colorado.

And then there was this pair of stories about insurance company craziness. In the first, an infant was denied coverage due to a pre-existing condition: “obesity”. In the second, a two-year-old was denied coverage due to another pre-existing condition: “underweight”. Yeah, that’s what I thought too. I gotta tell ya, this doesn’t do a lot for the credibility of insurance companies in my mind. Although I have no problem believing that insurance prices will go up if the health care legislation currently being debated in Congress is passed. Or not. Whatever happens, I’m pretty sure that they’ll find a way to take more of our money and deliver less coverage.

And in the “Best Job Ever” category Westword, a Denver alternative newspaper posted an ad for a reviewer of the state’s marijuana dispensaries and their products. Hey, they don’t call it the Mile High city for nothing!

All this during the week that the Denver Broncos went 6-0 in a season where most of us thought they would be lucky to win 6 at all. If this isn’t concrete evidence of the existence of a God who watches over His Broncos, I don’t know what is.

Oh, I almost forgot. Microsoft released their long-awaited new OS, Windows 7, which was Amazon UK’s biggest pre-ordered product of all time, unseating the previous title holder, Harry Potter and the Deathly Hallows. Now if businesses will just follow the consumer herd, Microsoft will be golden. And I will totally need to re-calibrate my Bizarro-meter even higher.

Security For All First Birthday: Revisiting Forrester and NAP

By a fairly large margin the most popular and contentious post in the first year of Security For All [if you discount one entitled Prophecy for 2009 which got tons of hits I suspect by mistake due to the clever title] was the September 24, 2008 post entitled I so want to be a Forrester analyst wherein this report on the state of Network Access Control (NAC) by Forrester pegged the old BS-O-meter.

In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.

I responded with the following assertions.

Until all enterprises make the switch to Windows Server 2008, there is no real NAP install base.

As of now there is one, count ’em, one SHA/SHV set provided to the “near-ubiquitous Windows Server customer base”. And guess who provides it (hint – they build a well known OS). So if your endpoint policies require only the Microsoft Security Center stuff and all of your endpoints are Windows XP SP3 or Vista Business+ and your servers are Windows Server 2008, you are golden! Both of you.

There was feedback. Todd from Napera responded thusly.

Thanks for the mention of Napera Joe. I wanted to clarify a couple of points from your posting specific to Napera rather than the Forrester analysis per se.
A Napera deployment does not require Windows Server 2008. As stated clearly in the blog post you linked to – our solution is self contained – we licensed the NAP protocols directly from Microsoft and we speak directly to the NAP agent. This removes the requirement for customers to upgrade to Server 2008 to deploy NAP. In fact, we don’t require changes to any server infrastructure (DHCP, AD etc) to deploy NAP. Just last week a brand new user told me they were checking health on PCs within ten minutes of deploying Napera.
Also, NAP does not require Vista Business – just Vista.

There are several SHA/SHVs shipping today beyond the Microsoft WSHA in XP/Vista you mention. Microsoft Forefront Client Security, McAfee, Symantec, Blue Ridge and Avenda are some that come to mind.
Apple has yet to commit to releasing a TNC based agent for Mac. Our Napera health agent for Mac OS X has similar functionality to the Windows NAP agent, but isn’t based on NAP or TNC protocols per se. The Napera agent could easily be made TNC compatible if that option presents itself in the future, and provides a great solution in the interim.

There were several exchanges of ideas and the following conclusion was reached with respect to Napera’s product and Microsoft’s NAP.

The Napera solution doesn’t require NPS since that’s a component of Windows Server 2008. It is a third party NAP Network Policy Server (or TNC Policy Decision Point) that uses the MS enforcement mechanisms.

Additional information was provided by Joe Davies, Senior Program Manager of the NAP Team at Microsoft.

Just wanted you to know that there are seven additional SHA/SHVs that are available from third-party vendors and two additional SHA/SHVs that are available from Microsoft for System Center Configuration Manager and Forefront Client Security.

So what has changed in the state of NAC and NAP in the year following the infamous Forrester report? Well, for one thing no one (at least no one sane) proclaimed 2009 as the Year of NAC. Which was a good thing. But were we to give credence to the Forrester report we might expect that NAP or NAP-based solutions would be dominating the NAC market by now. Well, guess what didn’t happen. That’s not to say that NAP development has ceased. In fact there are now eight additional SHA/SHVs available from third-party vendors – including an offering from Korean UNETsystem that reportedly brings NAP to Linux and Mac OS X – and three additional SHA/SHVs available from Microsoft. As far as I can tell, the market penetration and predicted dominance failed to occur primarily because enterprises stayed away from Vista in droves. Partly because of the crippled economy but mostly because, well, Vista sucks. And actually useful NAC systems – yes, this includes NAP – are not trivial to design, deploy and maintain. Furthermore the adoption of Windows Server 2008 has been somewhat less successful than some had predicted. All of which conspires to make the analysis in the Forrester report even more amusing now than it was 12 months ago.
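To make the SHA/SHV pairing concrete, here is a simplified model of the NAP health-check exchange: client-side System Health Agents (SHAs) each emit a statement of health, server-side System Health Validators (SHVs) judge them one for one, and the policy server (NPS, or a third-party server such as Napera speaking to the same agent) turns the verdicts into an access decision. This is an added illustration, not Microsoft’s or Napera’s code; the claim fields, thresholds, the hypothetical “PATCH” agent and the fail-closed rule for an SHA with no matching SHV are all choices made for the example. It also shows the situation the post complains about: with only the Windows Security Center validator installed, a third-party agent’s claims cannot be evaluated at all.

```python
"""Simplified model of a NAP-style health check (added illustration, not Microsoft's
or Napera's code). Claims, thresholds and the fail-closed rule are constructed."""
from dataclasses import dataclass


@dataclass
class SoH:
    """Statement of health: what one SHA reports about the endpoint."""
    sha_id: str
    claims: dict


@dataclass
class SoHR:
    """Statement of health response: one SHV's verdict on one SoH."""
    sha_id: str
    compliant: bool
    remediation: str = ""


# --- client side: agents that inspect the endpoint and report -----------------

def wsha(endpoint: dict) -> SoH:
    """Windows Security Center style agent: firewall, antivirus, signature age."""
    return SoH("WSHA", {"firewall_on": endpoint["firewall_on"],
                        "av_on": endpoint["av_on"],
                        "av_signature_age_days": endpoint["av_signature_age_days"]})


def patch_sha(endpoint: dict) -> SoH:
    """Hypothetical third-party agent reporting missing critical patches."""
    return SoH("PATCH", {"missing_critical_patches": endpoint["missing_critical_patches"]})


def client_health(endpoint: dict, agents: list) -> list:
    """The NAP agent collects one SoH from every installed SHA."""
    return [agent(endpoint) for agent in agents]


# --- server side: one validator per agent, then the policy decision -----------

def wshv(soh: SoH) -> SoHR:
    problems = []
    if not soh.claims["firewall_on"]:
        problems.append("enable the host firewall")
    if not soh.claims["av_on"]:
        problems.append("enable antivirus")
    elif soh.claims["av_signature_age_days"] > 7:   # threshold chosen for the example
        problems.append("update antivirus signatures")
    return SoHR("WSHA", not problems, "; ".join(problems))


def patch_shv(soh: SoH) -> SoHR:
    missing = soh.claims["missing_critical_patches"]
    return SoHR("PATCH", missing == 0,
                f"install {missing} missing critical patch(es)" if missing else "")


class PolicyServer:
    """Policy decision point. It can only judge the SHAs it holds a matching SHV for;
    what to do with an unmatched SoH is a policy choice (fail closed by default)."""

    def __init__(self, validators: dict, fail_closed: bool = True):
        self.validators = dict(validators)   # sha_id -> validator function
        self.fail_closed = fail_closed

    def evaluate(self, sohs: list) -> list:
        responses = []
        for soh in sohs:
            validator = self.validators.get(soh.sha_id)
            if validator is None:
                responses.append(SoHR(soh.sha_id, not self.fail_closed,
                                      "no SHV for this SHA; claim not validated"))
            else:
                responses.append(validator(soh))
        return responses

    def decide(self, sohs: list) -> tuple:
        """('full', []) or ('restricted', [remediation, ...]) for the enforcement point."""
        failed = [r.remediation for r in self.evaluate(sohs) if not r.compliant]
        return ("full", []) if not failed else ("restricted", failed)


if __name__ == "__main__":
    laptop = {"firewall_on": True, "av_on": True, "av_signature_age_days": 30,
              "missing_critical_patches": 2}
    server = PolicyServer({"WSHA": wshv, "PATCH": patch_shv})
    print(server.decide(client_health(laptop, [wsha, patch_sha])))
```

Run with two validators, a stale endpoint gets a restricted verdict with both remediation strings; run with only the WSHA validator, the same endpoint is restricted for the wrong reason (its patch claim simply cannot be checked) unless the server is configured to ignore unmatched agents.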

The really significant change in the NAC landscape during the last year is actually systemic to the information security business – the move to security as a service and managed security services. Yep – information security is moving into the cloud. Since NAC is definitely one of the trickier services to move into said cloud, we’re only now beginning to see it happen. StillSecure acquired ProtectPoint and now offers managed security services based on several StillSecure products. It’s a safe bet that their Safe Access NAC product has got to be near the top of Alan’s “cloud it” list. Napera announced a beta program in July for a new online service, codenamed Cobalt, that “will give you an advanced look at your network and the state of every computer connected to a compatible switch.”

Oh yeah, and Microsoft announced a free consumer security offering codenamed Morro that directly competes with three of the eight third-party vendors who have those NAP SHA/SHVs. Wonder how that’s working out.

And I still so want to be a Forrester analyst.

Upgrading for better security?

We’ve heard an awful lot about how Windows 7 is way more secure than Windows XP and its earlier brethren. Actually, we heard that about Windows Vista too. Only very few people bothered to upgrade. The operative word here being “bothered”. But that’s another post. The fact is that Windows 7 is much better in any number of ways than Windows XP (and Vista – but again, another post). If you were thinking that an upgrade might be in order to improve the security posture on your Windows boxes, that’s not a bad idea. The deal is, though, that upgrading alone isn’t the answer. Kevin Beaver, a fellow CISSP, has written this piece for TechTarget about how you need to secure Windows XP before upgrading to Windows 7.

It’s not too early to be thinking about how you’re going to manage your existing Windows XP base and begin focusing on Windows 7 without creating unnecessary security gaps.

It often happens that legacy operating systems do not get the attention they deserve during upgrades and migrations. Inevitably, security suffers. When these holes are found in legacy Windows systems, the response is almost always that the box will soon be taken offline. Unfortunately, soon doesn’t cut it when it comes to someone maliciously exploiting the unplugged holes in these undermanaged systems. Even if you and your business are moving forward, your Windows XP systems are still going to be targets for attack — especially once Microsoft stops supporting it in 2014.

Windows XP may be going away in spirit, but its physical remains will linger on for some time. Don’t let Windows XP security management, or a lack thereof, rule your time now or in the future. Get a handle on these possible issues early and it will make a difference for your business.

In addition to the problem of laggards (sorry, there is no “No PC Left Behind” program), even the boxes that do get upgraded won’t be any more secure than they are right now if you have unnecessary – or necessary but insecure – ports open. Or if the users of these Windows XP boxes have long-lived, weak passwords because you aren’t enforcing your password policy – or you don’t even have a policy. The point is that Windows 7 is more secure than Windows XP only if you take steps to make it so. You can still do plenty of stupid things, or not do plenty of smart things, that can defeat all that swell new stuff in Windows 7, just like you can defeat the old stuff in Windows XP. So if your goal is to improve the security posture of your Windows endpoints, then start doing exactly that with the stuff you have right now. Before you upgrade. Who knows, maybe you won’t even need to upgrade.

Keeping those apps updated

On the heels of Microsoft’s last Security Intelligence Report there have been a number of articles like this one positing that applications rather than the OS (read Microsoft) are the primary culprits for software vulnerabilities.

Research by vulnerability specialist Secunia suggests that third-party applications are increasingly being used by malware writers in preference to using operating system attacks.

The Danish company said that data from its free Personal Software Inspector (PSI) tool showed that there were far more unpatched applications than operating systems among users. Furthermore, application patches were left open to abuse for far longer than operating system patches.

While I’m certainly not convinced that this lets OS vendors – and yes, this includes Apple as well as Microsoft – off the hook, it definitely points out a serious problem: how do you keep all of your software patched, not just the OS? The approach that pretty much all Windows users have grown to accept is to run the updater services that come with each package they install, in addition to the OS updater. There are significant problems with this approach. There are frequent clashes between the different vendors’ updater programs, not to mention that they consume system resources and are generally not terribly stable. As if these weren’t bad enough, the bottom line is that these updater programs – including OS updaters – only patch security problems as a side effect. Let’s be real here: the primary purpose of update programs is not to make the end user more secure – it’s to cover the vendor’s booty and to grab more booty from the end user by pushing new features, applications and services.

Back when I was building highly available UNIX software, a patch meant “the smallest change possible to fix a specific problem”. If you weren’t seeing that specific problem, then you didn’t install the patch. In addition, a patch NEVER, EVER introduced new functionality. Period. Now certainly this led to problems of its own, like an explosion of patches and extremely complex mechanisms for determining which patches should be applied, but it also led to systems that were stable and highly available. Systems that were not shut down or restarted for years. That is certainly not the case nowadays with personal computers. We’ve been convinced – mostly by OS vendors – that we should accept every update they choose to push to us. Without question. In fact the default (recommended) behavior in Windows Vista is to automatically install all updates that Microsoft deems “important”. Stuff like “Microsoft Genuine Advantage Validation Tool” (what user isn’t dying to have this on their machine?). Stuff that reboots your machine – automatically (hey – it’s Windows, we’re totally used to that). And application vendors can be even worse. Who hasn’t ended up with a copy of “Adobe Photoshop Album Starter” on their system with no idea what they would ever use it for? And don’t even get me started on Real. The point is that if what you want is to keep your personal computer secure without additional bloatware, crapware, superfluous features and the instability introduced by same, vendor provided update software will not get you there. Or even near there.

I’m a long time user and huge fan of Secunia PSI. I have it installed on all of my Windows machines because it actually addresses this problem of how to keep your applications and the OS patched. Without having to run multiple update services. Or even Microsoft Update. How does it perform this amazing feat? First off, Secunia is primarily a security research company. They make a living by finding and cataloging software vulnerabilities. They also sell a corporate version of their Software Inspector, but in general they have no financial stake in end users buying the latest, greatest versions of any particular software. The Secunia company jewels are the research and associated database of vulnerabilities that they can cross reference to specific updates that will fix those vulnerabilities. Essentially Secunia PSI works like this: it scans your system for software that it knows about (a real scan, not just a registry scan) and looks up those packages in the Secunia database, reporting on vulnerable software it finds. It works on a pull rather than push model (i.e. you pull down their database info, you don’t push your software inventory to them). So rather than having Adobe or Microsoft notify you to download an update just because there is one, PSI will only notify you if there is a known vulnerability in your software, and specifically which update will fix it. The best part is that it knows about all of the software installed on your system – not just the most recent version according to “Add Remove Programs”. A PSI scan of my wife’s laptop discovered three (count ’em – 3) different and vulnerable versions of Apple QuickTime. Apparently several programs had installed their own private version of QuickTime and never registered it. I’ve seen similar situations with Java and Flash.
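The two design points above, a real file scan rather than a registry lookup and a pull-model match against a locally downloaded advisory database, are easy to see in a toy scanner. The following is an added illustration in the spirit of that approach, not Secunia’s code: the file inventory, the “Add or Remove Programs” view, the product names, the version strings and the advisory database are all constructed for the example. It reproduces the QuickTime situation (several private copies of one player, only the newest registered) and also shows why versions have to be compared numerically, since as strings “7.10.0” sorts below “7.6.0”.

```python
"""Toy pull-model vulnerability scanner (added illustration, not Secunia's code).
All files, products, versions and advisories below are constructed for the example."""
import re
from dataclasses import dataclass

# Constructed "filesystem": binary path -> product/version stamp found inside it.
# Three private copies of the same player sit under other programs' folders.
SAMPLE_FILES = {
    r"C:\Program Files\MediaPlayer\player.exe": "MediaPlayer 7.5.5",
    r"C:\Program Files\PhotoApp\redist\player.exe": "MediaPlayer 7.1.3",
    r"C:\Program Files\GameStudio\bin\player.exe": "MediaPlayer 7.10.0",
    r"C:\Program Files\Editor\editor.exe": "TextEditor 2.4.0",
    r"C:\Windows\notepad.exe": "",          # nothing the scanner recognises
}

# Registry-style "Add or Remove Programs" view: one entry per product, whichever
# installer registered last. The two older player copies never registered.
ADD_REMOVE_PROGRAMS = {"MediaPlayer": "7.10.0", "TextEditor": "2.4.0"}

# Constructed advisory database, downloaded to the client (pull model): the client
# fetches this list and matches locally; its inventory never leaves the machine.
VULN_DB = [
    {"id": "ADV-0001", "product": "MediaPlayer", "fixed_in": "7.6.0"},
    {"id": "ADV-0002", "product": "TextEditor", "fixed_in": "2.3.0"},
]

VERSION_RE = re.compile(r"^([A-Za-z]+) (\d+(?:\.\d+)*)$")


@dataclass(frozen=True)
class Installed:
    product: str
    version: str
    location: str


def parse_version(text: str) -> tuple:
    """'7.10.0' -> (7, 10, 0), so numeric comparison puts 7.10.0 after 7.6.0."""
    return tuple(int(part) for part in text.split("."))


def inventory_from_files(files: dict) -> list:
    """Real scan: every recognisable binary counts, registered or not."""
    found = []
    for path, stamp in files.items():
        match = VERSION_RE.match(stamp)
        if match:
            found.append(Installed(match.group(1), match.group(2), path))
    return found


def inventory_from_registry(entries: dict) -> list:
    """Registry-only scan: sees just the one registered copy per product."""
    return [Installed(product, version, "registry") for product, version in entries.items()]


def find_vulnerable(inventory: list, db: list) -> list:
    """Cross-reference each installed copy against the advisory database and return
    (installed, advisory) pairs for copies older than the release that fixed it."""
    findings = []
    for item in inventory:
        for advisory in db:
            if (advisory["product"] == item.product
                    and parse_version(item.version) < parse_version(advisory["fixed_in"])):
                findings.append((item, advisory))
    return findings


if __name__ == "__main__":
    for item, advisory in find_vulnerable(inventory_from_files(SAMPLE_FILES), VULN_DB):
        print(f"{item.location}: {item.product} {item.version} is vulnerable "
              f"({advisory['id']}); update to {advisory['fixed_in']}")
    print("registry-only scan finds:",
          len(find_vulnerable(inventory_from_registry(ADD_REMOVE_PROGRAMS), VULN_DB)))
```

The registry-based inventory reports the system clean, because the only registered player copy is the patched one; the file scan turns up the two unregistered, vulnerable copies, each paired with the advisory and the release that fixes it.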

So now I run Secunia PSI on my Windows boxes – real and virtual – instead of a separate updater for every piece of software I own. Now if Secunia would only come out with a Mac version of PSI I’d be a happy camper. Or at least a marginally less snarky camper. So update your Windows systems intelligently. Don’t just be a stooge for the software vendors. Give Secunia PSI a shot. You’ll be glad you did. And your system will be much happier. And more secure.

Strange week for Microsoft

Last week was a strange week for Microsoft. In the news anyway. First we have this story in eWeek’s Microsoft Watch.

Today, April 8, a jury found that Microsoft infringed on Uniloc patents for product activation. Microsoft uses the technology to protect its software from theft. Who’s stealing from whom?

So Microsoft (allegedly) stole their product activation technology? Oh the irony!

And then there was this reminder in PC Authority about the impending “end of support” for Windows XP. Today.

Windows XP will pass another milestone on the road to retirement next week when Microsoft withdraws mainstream support for the operating system. While the company said that it will continue to provide free security fixes for XP until 2014, any future bugs found in the platform will not be fixed unless customers pay for additional support.

Mainstream support for XP will end on 14 April 2009, over seven years after the operating system originally shipped.

So not only does this put Microsoft in the bizarre position of no longer having mainstream support for its most widely used product (XP accounts for 63% of all internet connected computers compared to Vista at 24%), but how exactly does that square with this article in AppleInsider wherein it is revealed that Microsoft is going to allow HP to ship systems with XP installed instead of Windows 7 until April 30 2010?

The announcement hasn’t been made publicly, but AppleInsider can exclusively report that according to a source within Hewlett Packard, Microsoft has granted the PC giant an extension to its existing rights to continue selling the nearly eight year old Windows XP on the company’s business desktops, workstations, and notebooks in place of Windows 7 for another year.

Microsoft isn’t excited about the XP extension, as the internal communique provided by the source stated, “It’s important to remind customers that Microsoft are still planning to retire XP Pro Mainstream support on April 14th 2009 and will only provide OS security updates beyond that date unless the customer has an Extended Hotfix Support contract. MS Extended Support for XP Pro ends on April 8th 2014.”

Yeah, I’ll bet they’re not too excited. XP is truly worthy of the Security for All “Energizer Bunny” award.

Finally to cap it all there was this bit of blameshifting reported by the Register.

Microsoft has blamed common third-party desktop applications, rather than Windows, for the majority of security threats in a new report.

The latest edition of Microsoft’s Security Intelligence Report suggests that “nearly 90 percent of vulnerabilities disclosed in the second half of 2008 affected applications”. It reckons hackers have shifted their attention to applications in response to improved security of operating systems, including Windows. The overall number of security vulnerabilities went down, but the number of high-risk flaws rose by 4 per cent, according to Redmond’s security researchers.

Well, duh! As a bona fide, certified (and possibly certifiable – but I digress) Microsoft Developer – I have an MCSD – I can tell you exactly where we who build those insecure third party desktop applications learned how to do it. That’s right folks, go back to your old, say circa 2000 or so, MSDN documentation wherein you can find some of the best examples of how to build code that is incredibly vulnerable to injection attacks and buffer overflows. Those were the days. It’s taken me years to learn how to write more secure code, and in the meantime I’ve gotten plenty of practice fixing tons of inherited code. Much of which was copied directly from the original example code in MSDN. As you can imagine my employers have been somewhat reticent (more like violently opposed) to completely rewrite these applications, so like every other Windows developer, I’m stuck with fixing only the stuff I find in the course of updating the code. If it’s egregious enough.
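The injection-prone pattern that circulated in sample code of that era is a query assembled by string concatenation; the fix that inherited code needs is the parameterized form. Below is an added illustration of the two side by side, not taken from any MSDN sample: the table and rows are constructed for the example, and a small helper reports how each form copes with the same inputs. The point worth noticing for a maintainer is that the concatenated query breaks on a perfectly ordinary name containing an apostrophe, so the bug is visible in plain functional testing long before anyone thinks about security.

```python
"""A string-concatenated SQL query beside its parameterized replacement (added
illustration; schema and rows constructed, not from any vendor sample)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the caller's input becomes part of the SQL text, so a
    quote character in it changes the structure of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the driver passes the value separately from the statement;
    whatever the value contains, it is compared as data and never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def rows_or_error(lookup, conn: sqlite3.Connection, name: str):
    """Number of rows the lookup returns, or the exception class name if the
    statement failed to parse. Lets the two forms be compared on the same input."""
    try:
        return len(lookup(conn, name))
    except sqlite3.Error as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    for probe in ["alice", "o'brien"]:
        print(f"{probe!r}: concat -> {rows_or_error(lookup_concat, db, probe)}, "
              f"param -> {rows_or_error(lookup_param, db, probe)}")
```

For a normal name both forms return the same single row; for a name with an apostrophe the concatenated form raises a syntax error while the parameterized form simply returns no match, which is the behaviour a code review of inherited data-access code should be checking for.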

But I’m willing to put up with a little blame directed my way by the Redmond folks. As long as I can keep using Windows XP. While my inner ethicist ponders the morality of protecting a product with stolen technology. A strange week indeed.

Energizer Bunny OS

The coveted Security for All “Energizer Bunny” award goes to Microsoft Windows XP for its ability to just keep going and going… Yep, the rumors of XP’s impending demise, ostensibly to be replaced by the exciting new Windows Mojave er… Vista, are still somewhat premature. Undoubtedly to Microsoft’s chagrin. Check out this announcement as reported in InfoWorld.

Microsoft will provide hardware partners with media to let their customers downgrade from Windows Vista to Windows XP for six months longer than it originally planned, the company confirmed Friday.

The move comes even as Microsoft has just launched a $300 million marketing and advertising campaign to encourage people to buy Windows Vista. The company is also prepping Windows 7, the next client version of the OS, for release in the next 12 to 18 months.

Microsoft will give OS disks to OEMs and system builders so customers that purchase Windows Vista Ultimate and Business editions can downgrade to XP Professional if they so choose until July 31, 2009, Microsoft said through its public relations firm.

Previously, Microsoft planned to provide the XP recovery disks to partners until Jan. 31, 2009, although there is no deadline for downgrade rights, the company said. If a customer wants to downgrade from Vista to XP after the new deadline, they can contact Microsoft for a disk, the company said.

Competition with oneself issues aside, hats off to Windows XP for winning this prestigious award.