Steve Riley on Security : my book

Passgen tool from my book

Steve Riley — Mon, 29 Sep 2008 23:42:29 GMT

Way back in 2005, Jesper Johannson and I wrote Protect Your Windows Network. It’s still available, and although its product set is now somewhat dated (Windows XP and Server 2003), much of the practical advice about security policies, social engineering, security dependencies, and how to think about security remains relevant. That’s because we strove to write something more lasting than a simple configuration guide.

On the CD-ROM accompanying the book we included a tool called Passgen. In the book, we recommended that you maintain separate passwords on every local administrator and service account in your enterprise. This is, of course, almost impossible to manage without something to automate it for you. That’s what Passgen does. The tool generates unique passwords based on known input (an identifier and passphrase you define), sets those passwords remotely, and allows you to retrieve them later.

For a while Jesper maintained a web site for the book, running on a server in his house. His ISP changed policies and made it impractical to continue running the site. But because the tool is still so useful, I’ve put a copy in my SkyDrive—look in the “Passgen” folder.

Also, note that I’ve put a new section in the right-side column, “Resources for you.” Here’s where I’ll keep links to bits and pieces that many of you will find relevant and interesting.

Update. A few readers have informed me that the SHA-1 hash printed in the README.DOC doesn’t match the actual hash of passgen.exe. Jesper made a few changes and recompiled the tool. The correct hash is now:

fa19722348e9e0603f24c0ef9fc715010403bcfa

I’ve updated the README file with the new hash. Also, passgen.exe has a digital signature, and you can check its details if you’d like.

Tools in the proposed consumer security book

Steve Riley — Mon, 25 Jul 2005 19:39:00 GMT

Oh, I forgot to mention that we're planning some tools for the consumer book, too. The first will help you set yourself up as a least-privileged user. It would detect how you're running now, create an account for managing the system and running games and older application, and then change the privileges of all other accounts on the system.

The second tool is a web site password manager. Unlike similar tools, this one would generate all the passwords for you, making them as strong as possible (possibly using predefined character sets for common sites). Unless you specifically instruct it to, the tool never shows you the password; instead, it copies the password to the clipboard so that you can paste it into a field. The tool uses a master pass phrase or an automatically-generated key stored on a USB drive to generate passwords on the fly, so that it never needs to store actual passwords. There will be an option to export your password list so that, for shared sites, you can share passwords.

Idea for second book -- "Stay safe online: computer security at home"

Steve Riley — Mon, 25 Jul 2005 07:04:00 GMT

Jesper and I are planning a second book. We've noticed a distinct dearth of useful, actionable, and non-scare-mongering computer security resources for home users. A few of the books we've seen are hopelessly bad, really. Either they rapidly forget their audience and get way too technical, or they indulge in religous arguments, bashing Microsoft for no good reason. Why would that be interesting to the average non-technical home user?

We want to take a different approach. Here's a basic outline, which I'll fill in over the next couple weeks:

Introduction

Purpose and audience
Security basics
Understanding the tradeoff
Recognizing threats
Risk management

Ensure your computer is up to date
Protect against malware
Protect your users

Running with least privilege
How to use administrative privileges properly
Software that requires administrative privileges and good alternatives

Safe home networking
Surfing safely
Installing applications properly
All you need to know about passwords
Protecting your children online
How to spot snake oil
What if the worst happens?

Unlike other books, we have no illusions that home users are interested in managing their computers. All they want to do is use them! And our chapter on protecting children will have a decidedly different slant. We're generally opposed to spying on kids, thinking that it's better to build an environment of trust.

We're thinking that if we could get this book into places like Costco, Sams Club, Best Buy, Circuit City, and so on, it would sell pretty well. What do you think of our idea? Is there a market for this book? Would you recommend or buy it for your family, your friends, and your neighbors?

Bug in the book: Appendix C, hosts file

Steve Riley — Tue, 28 Jun 2005 19:49:00 GMT

Somehow this escaped our notice during the proof phase, but the hosts file that's printed in the book (and burned on the CD-ROM) is completely bogus. It actually blocks a number of very good sites that have anti-spyware software and even blocks MVPS.org, the place where you can get a real spyware/adware blocking hosts file.

So please ignore the file in the book, and our apologies to anyone we might have offended. Instead, get the regularly-updated spam and ad blocking hosts file from MVPS. You'll be happy you did!

New preorder site

Steve Riley — Tue, 12 Apr 2005 22:56:00 GMT

The publisher has posted their own pre-ordering page. Please go here:

www.awprofessional.com/title/0321336437

And if you enter the promotional code JJSR6437, you'll get a nice discount!

Ready for pre-ordering

Steve Riley — Mon, 21 Mar 2005 23:08:00 GMT

Friends, the book is now ready at Amazon for pre-ordering. Here's the link:

http://www.amazon.com/exec/obidos/ASIN/0321336437/protectyourwi-20

Thanks to everyone for all your interest!

The book is getting closer!

Steve Riley — Thu, 10 Mar 2005 22:25:00 GMT

For those of you who don't know, Jesper Johansson and I have been writing a book. It's called Protect Your Windows Network: From Perimeter to Data and is published by Addison-Wesley. We finished writing all the chapters a couple months ago; it's in copy-edit phase now and will hit the streets on 27 May. We'll be signing copies at TechEd US in June!

pre-order now: http://www.amazon.com/exec/obidos/ASIN/0321336437/protectyourwi-20

TechEd: http://www.microsoft.com/events/teched2005/default.mspx