Steve Riley on Security : the trade press

Must be a slow news day: reporter writes 100% crap

Steve Riley — Tue, 03 Oct 2006 21:12:00 GMT

Imagine my surprise to read that Microsoft is removing NAP from Windows Vista! Does this guy actually get paid money to write this drivel? The particular folks quoted in the article all have their own agendas, of course.

News flash: we aren't dropping NAP. It's in the product now, we're actually running it on part of our own corporate network. And soon you'll get to enjoy the benefits of NAP in your own environments, too.

Yes, everyone knows you're a dog

Steve Riley — Thu, 07 Sep 2006 18:17:00 GMT

Amazing how long the legs are on the AOL search debacle. Of course, we in the online community often beat such storeis to death, if only because they deserve it!

Recently Kim Cameron posted the search history of user 16006693, which flits "from politics, to retirement, to politics, to religion, to sex, quickly back to religion (repent!), to food, and finally to heartburn." Why is it interesting? Probably because each and every one of us can find a bit of ourselves in user 16006693 (well, OK, not all of us; I know I'm not anywhere close!).

Check it out; don't hurt yourself too much from laughing:

16006693 nak
16006693 nack
16006693 sharona
16006693 knack
16006693 knack downloads
16006693 oakrige boys
16006693 oakridge boys
16006693 oakridge boys downloads free
16006693 jokes about dick cheney
16006693 jokes about dick cheney but not george bush
16006693 dick cheney creep
16006693 dick cheney dickhead
16006693 rummy dickhead
16006693 where is iraq
16006693 where is lebenon
16006693 his bullets
16006693 his bullies
16006693 shiits
16006693 shee-ites
16006693 bush appruval
16006693 bush approvel
16006693 bush drops below
16006693 dead reporters
16006693 dead reporters fotos
16006693 dead reporters pix
16006693 disembowled reporters pix
16006693 disembowled new york times
16006693 love thine enemas
16006693 love thine enemies
16006693 bible quote of the day
16006693 insperation from bible
16006693 george bush great president
16006693 george w bush great president
16006693 dream on
16006693 oakridge boys lyrics dream on
16006693 how to run country
16006693 how to run country when not really inerested
16006693 people to run country for you
16006693 over work
16006693 overwork
16006693 stress
16006693 best place to retire
16006693 places like crawford but without cindy sheehan
16006693 crawford the town not cindy crawford
16006693 crawford tx
16006693 like crawford tx but not so hot
16006693 best places to retire not hot
16006693 best places to retire global warming
16006693 global warming mith
16006693 global warming myth
16006693 crawford hot
16006693 cindy crawford hot
16006693 rice hot
16006693 rice hot not recipes
16006693 rice naked
16006693 rice nude
16006693 bible quotes resisting temptation
16006693 oakridge boys i’ll be true to you
16006693 oakridge boys trying to love two women
16006693 rice and beans
16006693 tex mex
16006693 tex mex not music
16006693 tex mex takeout
16006693 tex mex takeout dc
16006693 heart burn
16006693 heartburn

Ah, the joys of speaking about pre-release software!

Steve Riley — Wed, 06 Sep 2006 12:26:00 GMT

Two weeks ago I delivered my Windows Vista System Integrity presentation at the TechEds in New Zealand (Auckland) and Australia (Sydney). It was largely the same as the presention at TechEds in America and India, but updated to reflect changes made in the product between the time I wrote the presentation and now.

Pre-release software is like that: it changes. And when you give presentations on beta software, you rely on the details you have to give the most accurate information possible. But there is, of course, no guarantee that functionality as explained in the presentation will exactly match what's delivered when the final product is released. And indeed, in my post on mandatory integrity control, I mentioned some changes.

Code integrity and signatures

The latest version of the presentation includes more details on code integrity and code signing. Previously I had described code integrity as applying to all binaries in the operating system; in fact, code integrity applies to the following:

All code loaded into a protected process
Modules implementing cryptographic functions
Modules loaded into the software licensing service

Kernel mode creates special cases that vary depending on the edition of Windows. For 64-bit:

All kernel mode code loaded anywhere at any time must be signed -- applies to drivers and non-drivers

For 32-bit, non-driver kernel mode code doesn't require a signature. For drivers, the allow/warn/block behavior of prior versions of Windows is gone. Windows Vista raises a warning if you attempt to install a driver without a signature (only if you're an administrator; standard users can't install unsigned drivers). Drivers with signatures install without prompts. Signatures can come in three forms:

Manufacturers can obtain WHQL signatures from Microsoft as part of the Windows logo program; this indicates a certain level of quality
Manufacturers can sign drivers themselves; this indicates authenticity but nothing about quality
IT departments can self-sign drivers; this allows organizations to silently deploy approved drivers, even if they otherwise lack signatures

For more information, read the whitepapers for 32-bit plug-and-play drivers and 64-bit kernel mode code.

Protected processes and high definition content

The Protected Media Path (PMP), part of the new Windows Media Foundation, contains two protected processes. PMP provides a more robust playback environment for high definition rights-protected content. Code integrity checks that all protected processes have valid certificates and that they haven't been revoked.

Based on some details provided to me, I stated that in only 32-bit Windows Vista, next generation high definition protected content will not play at all; 64-bit is the platform for playing back such content. Then I added some conjecture: the media companies wanted this because the risk of unsigned kernel mode code present in memory could thwart content protection.

Turns out that my information and my conjecture weren't correct. Windows will never decide not to play content. PMP itself isn't monitored by code integrity, but it does consume the output of a report generated by the operating system about unsigned code in memory. When you load next generation high definition protected content into a playback application, Windows reports the status of kernel mode drivers loaded into memory: the names of the drivers and whether each of those drivers is signed.

Based on that report, the playback application -- not Windows -- decides what to do: it will either play the content or raise an error and refuse to play. It's also possible for the content itself to indicate what to do, based on instructions contained within the content's embedded license.

Unfortuantely, my initial explanation sparked the interest of a journalist. Originally he was going to write that Microsoft has dropped support for BluRay and HD-DVD movies. I never said that, of course, although I can see how it's easy to leap to that conclusion. Even after I met with the journalist, to ensure he understood the details (as I knew them at the time), his article still generated some controversy: I got Slashdotted!

Keeping you informed

I guess that's the risk you take in a job like mine. It's a risk I'm willing to take, because I still believe I have the coolest job in the world: helping you learn everything you can about how to design and operate environments using Microsoft technology as safely and securely as possible.

Fortunately, mechanisms like this blog allow us to ensure that you, our customers, get the most up-to-date information we can give you. Now that I understand how PMP functions with respect to code integrity, I can let all of you know here, as well as ensure that future deliveries of the system integrity presentation will be as accurate as possible.

As always, I extend my sincere gratitute to everyone who takes time to attend my presentations. It means more to me than you'll ever know. I look forward to continuing to see familiar faces at events around the world, and also meeting new folks too. :)

What motivates a journalist?

Steve Riley — Thu, 19 Jan 2006 02:52:00 GMT

OK, I have to unload a burden here.

I often interact with the tech press in various places throughout the world. I've had wonderful, productive meetings with many fine journalists. New Zealand and Malaysia particularly stand out in my memory. However, a thing has happened today that, while not affecting my relationships with individual journalists, irritates me about tech reporting in general.

Take a look at this: "Windows Wi-Fi patch could be a long time in coming." It describes a "vulnerability" recently reported by a researcher at a security conference. c|net also wrote about this two days ago.

I'm disappointed at the seemingly superficial reporting here. Mark Loveless (the researcher) has discovered a way to confuse unsuspecting people simply by taking advantage of a feature in Windows. He has not discovered a vulnerability. There's no error in either code or the default configuration here.

Today's article implies that a bad guy can get access to any system he wants to. Thing is, the default configuration won't permit that. You have to run as local admin and deliberately misconfigure your wireless settings for a bad guy to connect to your computer -- and when you do this, Windows warns you multiple times about potential threats.

It saddens me that, rather than truly analyzing the researcher's report, the journalist simply chose to report "yet another vulnerability."