Companies and Products Archives

November 11, 2006

Windows Vista Security Guide

Last Wednesday, Microsoft published Windows Vista Security Guide, which provides recommendations to harden computers that use specific security baselines for the following two environments:

  1. Enterprise Client (EC)--client computers in this environment are located in a domain that uses Active Directory and only need to communicate with systems running Windows Server 2003--implementation of this security baseline is described in Chapter 1;
  2. Specialized Security--Limited Functionality (SSLF)--concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable--implementation of this security baseline is described in Chapter 5.
Also, three additional chapters provide recommendations to take advantage of new or enhanced security features:
  • Defend Against Malware--Chapter 2 includes information about how to most effectively use User Account Control (UAC), Windows Defender, Windows Firewall, Windows Security Center, Malicious Software Removal Tool, Software Restriction Policies, and Internet Explorer 7 security features (e.g., Protected Mode, ActiveX Opt-in, Cross-domain scripting attack protection, Security Status Bar, Phishing Filter, etc.);
  • Protect Sensitive Data--Chapter 3 focuses on encryption and access control technologies that help protect mobile computing environments from potential loss and theft: BitLocker Drive Encryption, Encrypting File System (EFS), Rights Management Services (RMS) and Device control;
  • Application Compatibility--Chapter 4 provides guidelines to preserve functionality of existing applications when using the new and enhanced security features of Windows Vista.
The complete guide can be downloaded along with the GPOAccelerator tool, which automatically creates all the Group Policy objects (GPOs) needed to apply this security guidance.

June 6, 2006

Errors in spreadsheets are pandemic

Just as Google releases Spreadsheets (a total non-event for serious Excel users), an interesting discussion surfaced on Slashdot.  The article links to an interesting paper by Raymond R. Panko at University of Hawai'i about what is known about spreadsheet errors.  The conclusion says:

"All in all, the research done to date in spreadsheet development presents a very disturbing picture.  Every study that has attempted to measure errors, without exception, has found them at rates that would be unacceptable in any organization.  These error rates, furthermore, are completely consistent with error rates found in other human activities.  With such high cell error rates, most large spreadsheets will have multiple errors, and even relatively small "scratch pad" spreadsheets will have a significant probability of error."

Also, the article links to the European Spreadsheet Risks Interest Group (EuSpRIG) and its collection of public reports of spreadsheet errors.

May 26, 2006

Implementing least privilege in Windows applications

As pointed out by the ISC's Handler's Diary, and further to the ZDNet article reporting that Microsoft considers taking admin rights from employees (link posted last Wednesday), Microsoft published Standard User Analyzer, a tool that "helps developers and IT professionals diagnose issues that would prevent a program from running properly without administrator privileges.  On Windows Vista, even administrators run most programs with standard user privileges by default, so it is important to ensure that your application does not have administrator access as a dependency.

Using the Standard User Analyzer to test your application can identify the following administrator dependencies and return the results in a graphical interface:

  • File access
  • Registry access
  • INI files
  • Token issues
  • Security privileges
  • Name space issues
  • Other issues"
Standard User Analyzer runs on Windows XP, Windows Vista and Windows Server 2003, and requires Microsoft Application Verifier, which "helps developers identify potential application compatibility, stability, and security issues."

May 17, 2006

Google releases AJAX framework

Yesterday, Google released its Web Toolkit (GWT):

"(...) a Java software development framework that makes writing AJAX applications easy.  With GWT, you can develop and debug AJAX applications in the Java language using the Java development tools of your choice.  When you deploy your application to production, the GWT compiler translates your Java application to browser-compliant JavaScript and HTML. (...)

Google Web Toolkit ships with a Java-to-JavaScript compiler and a special web browser that helps you debug your GWT applications. For details on how they work, check out the GWT product overview."

Update: running examples are available here (with source code).

Update 2006/6/6: an assortment of interesting links is available on the GWT blog.

April 25, 2006

Google Maps available for Continental Europe, at last!

As pointed out by André Pitié, Google Maps is now available for Western Continental Europe!  This is hot, as it was not online late last night.

In comparison to competing services, providing links in e-mails or web pages will be much easier. For instance, you could link to a street address (e.g. 1 rue de Rivoli in Paris) or to an itinerary (e.g. Downtown Paris to RMS in Reims).

Unfortunately, the level of detail varies from one country to another: querying Luxembourg street addresses is not supported yet (e.g. Place Guillaume). :-/

It should also be noted Google Earth content has been recently updated. Paris is now covered in much higher resolution than before: you could actually see the pedestrians in front of the Eiffel Tower! :-)

April 23, 2006

Making search engines' life easier with Sitemaps

Sitemaps allow you to inform search engines about your web site's URLs that are available for crawling.

Google developed its own Sitemap Protocol, which can be very easily generated from Movable Type using Cameron Bulock's template. This template adds the main index page, all individual archives as well as monthly and category archive links to a sitemap.

For other search engines, I found out that an SEO firm developed ROR, a search-engine-independent format, which can be used to generate sitemaps, but also product catalogues, etc. The format is described here. Several thousand web sites use it.

As I was not happy with the results of ROR's free sitemap generator, I thought I would adapt Cameron's Movable Type template to ROR format.


April 20, 2006

MS extends life of Visual Studio freebie

As reported by Computerworld, Microsoft said that: "an entry-level edition of its Visual Studio tools will remain free and available for use without restrictions for developers."  Microsoft also announced "it has worked with partners to create add-ons to Visual Studio Express to lure both young developers that are just learning how to code and hobbyist developers that code for fun at home."  (i.e. Lego and eBay).

RFID at Wal-Mart: "There will be no slowing down"

As reported by Computerworld and further to a previous post on the matter, Wal-Mart appointed Rollin Ford as its new CIO earlier this month. Ford used to be the company's executive vice president of logistics and supply chain.

A statement answered the open questions on his support of Wal-Mart's RFID Initiative and reaffirmed the company's commitment to the Electronic Product Code (EPC) standard.

April 19, 2006

Oracle releases a default password scanner

As reported by Computerworld, Oracle released a tool designed to find default passwords in its database software (among several other critical patches).

While default accounts have been locked down in current versions of the database, Oracle 10g databases that have been upgraded from Oracle 7, Oracle8i, or Oracle9i may include them.

The Oracle Default Password Scanner consists of a SQL script accessible to Oracle customers in MetaLink Note 361482.1.

It should be noted that Cain & Abel carries features to crack and extract Oracle passwords.

WSUS upgrade expected in 2007

As outlined in PatchAholic, a major upgrade of Windows Server Update Services (WSUS) is expected to be released in the first semester of 2007.  Improvements will include:
  • An MMC user interface replacing the current web-based UI,
  • Improved filtering and view customization features,
  • Simplified detection of required updates, and
  • Better targeting capabilities.

April 18, 2006

Freeware to mount ISO images under Windows

Nothing new here, but it took me a couple hours to remember where I found this before (Google kept giving me results for commercial software).

Bo Brantén published FileDisk, a virtual disk driver for Windows NT/2000/XP that uses one or more files to emulate physical disks. This works with CD images too. :-)

FileDisk is packaged with Gilles Vollant's nifty WinImage, which is shareware.

Also, I read that Microsoft published Virtual CD-ROM Control Panel to mount ISO image files as CD-ROM devices (the tool is unsupported, and I have not tested it).

April 14, 2006

Google Calendar

Ok, I just tried out Google's latest service: Calendar. As usual, the GUI rocks, but I was disappointed with the following:

  • You need a Google Account to answer invitations;
  • Invitations cannot be added to an Outlook 2003 calendar;
  • A map link is displayed even when the event's location is incompatible with Maps;
  • It is not interfaced with Gmail contacts;
  • It looks like you cannot hide the e-mail addresses of the other guests.

These annoyances prevent me from using the service for my alumni group events. :-/

Update 2006/4/25: Developments arose, and it looks like Google Calendar is heading fairly fast in the right direction:

  • You no longer need a Google Account to answer invitations;
  • Guests now have the ability to add invitations to their Outlook 2003 calendar, but their answers (Accept | Tentative | Decline) are not processed automatically--guests receive no warning their response has not been taken into account, and you end up with a useless e-mail in your Gmail inbox (a major drawback);
  • The map link is always displayed, but Google Maps coverage has just broadened significantly (where street addresses are not fully supported, the trick is to list the city only);
  • It looks like partial support has been implemented for Gmail contacts, as guests' e-mail addresses now auto-complete (still, it would be better if both services could be accessed from a single GUI);
  • Organizers can hide their guests' e-mail addresses, but guests who add comments disclose their e-mail address without any warning (a privacy issue).

April 5, 2006

Macs do Windows, too.

Computerworld published a neat FAQ on Apple's Boot Camp, which finally lets users run Windows XP natively on Intel-based Macs.

This free public beta will only be available for a limited time. Apple plans to include the final version in the next major release of Mac OS X.

April 3, 2006

MS makes Virtual Server R2 free

Just as I read about the VMware Server Beta 2 release in my inbox, I saw in Computerworld that Microsoft made Virtual Server R2 free:

"Virtual Server 2005 originally cost $999 and $499 for the Enterprise and Standard editions, respectively, when released in September 2004. Microsoft then released Virtual Server R2 at $199 and $99 for the Enterprise and Standard editions, respectively, in December.

Longtime virtualization market leader VMware Inc., which already had a free product called VMware Player, responded in February by making its GSX Server free. Meanwhile, Linux-based vendors such as XenSource Inc. and Virtual Iron Software Inc. are readying new or updated versions of their virtualization software.

With today’s change, Microsoft is eliminating the Standard edition and making its Enterprise edition available for download at no charge."

March 21, 2006

OpenBSD needs cash

As summed up at Undeadly, OpenBSD (free multi-platform 4.4BSD-based UNIX-like OS) has turned up a loss of approx. $40K USD over the past two years. If you use OpenBSD or OpenSSH, please consider making a donation here.

March 20, 2006

Blackberry best practices

This interesting article (in French) outlines best practices to protect Blackberry devices.

March 15, 2006

Zimmermann's approach to secure VoIP

As reported by many web sites, Philip Zimmermann has a new project: Zfone. This beta software allows encryption of SIP-based VoIP systems (e.g. Gizmo, Wengo, etc.), without the need for a PKI. In the future, Zimmermann expects the underlying protocol will be integrated into standalone secure VoIP clients.

Currently, binaries are available for Mac OS X and Linux. A Windows build should be released around mid-April.

Update 2006/5/23: they finally have a Windows XP version. :-)

IBM survey on cybercrime

As reported by Computerworld, by surveying 600 IT managers in the US, IBM found that the threat of cybercrime is now perceived as more real and more urgent than the risk of physical crime. Also, three quarters of the respondents believe threats to corporate security now come from inside their own organizations.

Wyse & VMware team up on 'virtualized PCs'

As reported by Computerworld, Wyse Technology and VMware announced they will work together to create virtualized PCs that can be hosted and managed on inexpensive Intel-based servers.

March 8, 2006

For Web-Mogul Wannabes

In today's European edition of the Wall Street Journal, Lee Gomes wrote an interesting column on Under the Radar's Why Web 2.0 Matters conference where start-ups presented their business plans to a panel of VCs and other judges.

"The advice came in the form of the sorts of probing questions (...) such as:

  1. Is what you are doing really a company or just a feature that will end up as part of some existing product?
  2. If you are trying to take on an incumbent player--Google, MySpace--do you do something 10 times better than they do?
  3. If you are developing something for the Web, what is to stop spammers from ruining everything you are trying to do?"

March 7, 2006

GDrive

As reported by Reuters, the existence of the previously rumored GDrive online storage service surfaced after a blogger discovered apparent notes in a presentation supposedly published in error on Google's site after its analyst presentation day last Thursday.

"With infinite storage, we can house all user files, including emails, web history, pictures, bookmarks, etc and make it accessible from anywhere (any device, any platform, etc)," the notes in the original Google presentation state.

Chief Executive Eric Schmidt in his presentation made a cryptic comment that one goal of Google was to "store 100 percent" of consumer information.

Skype dangers may be acceptable to businesses

Burton Group released a paper on Skype corporate usage three weeks ago, but my subscription does not include their Network & Telecom publications. Computerworld summarizes the findings: if the financial incentives and better integrated communications outweigh the risks inherent to proprietary P2P technologies, consider Skype as part of your overall communication strategy.

March 4, 2006

VMware's $100k Challenge

"Are you up for the challenge of creating the industry’s most innovative virtual appliance? VMware invites you to put your skills to the test, go head-to-head with your peers, and develop the best virtual appliance the industry has ever seen. Using open source or freely distributable components and/or your own code, create the most inventive and useful virtual appliance and win the $100,000 first prize! The Challenge is open to anyone worldwide and will be judged by a panel of industry experts with input from the community."

Intel Chip Set Free

OK, I just love Apple's latest TV ad (French version here).

You might have heard its soundtrack before in the closing scene of Heat. It's Moby's "God Moving Over the Face of the Waters".

March 3, 2006

Anti-XSS Library for .NET

Microsoft released an anti-cross site scripting library for its .NET Framework. It can be freely downloaded here.

March 2, 2006

RFID at Wal-Mart

Computerworld reports on a panel that took place at the RFID World conference where Wal-Mart gave feedback on one year of live RFID usage.

Wal-Mart claims a return on investment, even without extensive process changes (e.g. out-of-stock items that are RFID-tagged are replenished three times faster than before).

Zero to IPSec in 4 minutes

As reported by the OpenBSD Journal, a straightforward IPSec with OpenBSD How-to has been published by SecurityFocus.

This is useful as the official FAQ IPSec guidance became obsolete long ago.

March 1, 2006

Intel-based Mac mini

Yay! Apple's Intel-based Mac mini is out!

February 22, 2006

John the Ripper 1.7 is out

John the Ripper 1.7 has been out for nearly a month now (missed that).

As outlined in Solar Designer's announcement, JtR 1.7 became a lot faster (primarily at DES-based hashes), improves on the use of processor-specific instruction sets (e.g. MMX on x86), and adds an event logging framework and plenty of pre-configured make targets with optimal settings (including for OpenBSD).

February 20, 2006

A new live CD for OpenBSD users

Further to Anonym OS, OpenBSD Journal reports a new live OpenBSD CD has been released. Compared to a vanilla installation of OpenBSD, OliveBSD adds a sexier window manager and packs several graphical applications.

With live CDs and VMware offering free versions of its virtualization software, you can no longer complain that it is difficult to test new operating systems!

If you want to build your own live OpenBSD CD, have a look at this ONLamp article.

Google Desktop 3 may pose security risk, Gartner warns

As reported by Computerworld, Gartner warns the latest version of Google Desktop poses security risks, as Google's servers may store an index of the files contained on the workstation where it is installed.

The workaround is to install the enterprise version, which lets IT administrators decide which features should be enabled or not (using GPOs).

Likewise, an enterprise version exists for the latest version of Google Toolbar (still in beta), and lets IT admins deactivate sensitive functions (e.g. PageRank display or AutoFill).

February 18, 2006

Controlling local admin privileges

I discovered through word of mouth an interesting tool to control local administrator privileges: DesktopStandard's PolicyMaker Application Security. It allows your regular users to run a particular set of applications with admin permissions, or to downgrade your admin users' privileges when they carry out sensitive tasks, e.g. browsing the web or checking e-mail.

The product used to be called NeoExec--the technology is actually licensed from NeoValens, a company managed by Marco Peretti, SecureWave's "former" founder & CEO (another great publisher of Windows security software, which is based in Luxembourg too).

Update 2006/10/27: Another one bites the dust: DesktopStandard has been acquired by Microsoft. While most products will be integrated in Microsoft's GPMC or other products, PolicyMaker Application Security will be sold as Privilege Manager by BeyondTrust. I guess Microsoft left out PolicyMaker Application Security due to licensing issues (see above), and above all, because they already have a competing product in their portfolio: Protection Manager from Winternals Software.

About Companies and Products

This page contains an archive of all entries posted to never-ever-****-with-my.net in the Companies and Products category. They are listed from newest to oldest.
