Security Stories

If you tell enough stories, perhaps the moral will show up.

2013-06-23

"Edward Snowden"

I have been enjoying a lurid TV spy drama series called The Americans very much lately, so it's just possible that everything I have to say here is the result of too much stimulation and late night TV...

I think that the whole Edward Snowden business smells very ratty indeed. Apparently he's on his way to Venezuela now, where he will, if he is lucky, spend the whole of the rest of his life hoping for a presidential pardon. Perhaps he will be consoled by his distraught pole-dancing girlfriend, and the occasional visit from Glenn Greenwald. Or perhaps, and this is my expectation, on a day when the news is all elsewhere, he will disappear, and a few months later, someone looking like, but not too much like, him will walk into a well-remunerated, under-worked job at some sleepy agency of the US government.

Yes, I think this is an operation. I'm not certain, and I'm somewhat less certain that Snowden knows it, but it seems the most likely explanation. There are three factors to this:

  1. The ridiculous melodrama: The girlfriend; The anguished father; The extraordinary claims of access; The cogent, rather rehearsed, interviews and the round-the-world tour. Snowden makes Assange look small-time.
  2. The banality of the limited, studiously-vague, revelations. The internet is tapped. Of course it is. That is why we encrypt. Telephone metadata is passed on. That's horrible, but I can't claim to be surprised. Nothing to throw a career away over, except for one thing:
  3. The claim that GCHQ can read Blackberry handsets. This is a huge deal, if they're referring to users connected to a Blackberry Enterprise system. The BES lets security-conscious managers screw handsets down so tight that it's well-nigh impossible to get spyware on to them, and the telecoms operators don't have access to the keys of what is widely acknowledged to be a sound cryptosystem. Breaking that, reliably, is a massive success and yet it's thrown away as a minor point in one of the Guardian's articles.

The Blackberry thing is so huge that I can't help seeing it as the main motive. BES-managed Blackberries must have been a thorn in the side of communications spies for a long time. Breaking them means breaking the standard encryption algorithms, which can perhaps be done, on a huge scale, which probably can't, or alternatively, it means suborning the administrators of every government and diplomatic BES installation, which would be laborious and unreliable. It would be easier for everyone if diplomats and civil servants could be persuaded to just stop using them.

Now the thing is, if that was my job, if I wanted to get adversaries off their BBs onto something I could tap, I would probably start with exactly this revelation. It wouldn't be true, but once it reached enough security officers, by a means that persuaded them they weren't supposed to know it, they would soon be doing my job for me. A leak, with some colour to make it plausible, wrapped up in enough spurious content that the gem -- as my targets would see it -- has to be dug for, is exactly the way to go. Of course, there's nothing to stop other reasons being true too. We could well also be looking at an opinion-testing exercise, a realisation that the phone and Internet tapping was going to leak at some time, and this at least puts it under some kind of control, and there may be other motives as well. But the basic structure, a controlled leak and a discredit for Blackberry is the core, and that is what I think Snowden, whether he knows it or not, is up to.

2011-03-12

Coverage doesn't cover it; Why we need delinquency.


I don’t think “coverage” targets and metrics for update-led systems like AV and patching do the job. It’s just as important to measure the AGE of non-compliance: the Delinquency. I want the reporting packages that come with AV and patch products to offer that number, and I’m vexed - really quite upset just now - that they don’t.

The purpose and justification of compliance targets is to ensure that "enough" machines are current without wasting effort on too many fixes. In theory, “enough” means
  • In the machine population as a whole, on average an installed malware infects (much) less than one other machine, so outbreaks are stifled ("herd immunity"), and
  • The probability of any individual machine being compromised is acceptably small considering its sensitivity.
These factors could be measured and calculated, but in practice they aren’t. There are too many unknowns. In fact we adopt more or less arbitrary targets.

Almost uniformly, targets for anti-malware signature systems and patching are routinely measured and set in terms of coverage. What percentage of the population is “out of date” or not installed at all?

My view is that that suits the manufacturer’s model where installers and updating systems work reliably and easily, where the bulk of the effort lies in the initial setup and maintenance is mostly a matter of ensuring the new-builds all carry the agent. When that’s true, why not aspire to 100% and set a target of 97%? The real world is somewhat different.

Not so long ago, I faced a situation where a major vendor AV product was struggling to attain 80% coverage. The hardware was regular, the OS was XP, the builds were coming off a restricted set of images. We got plenty of high-quality support, but it was all about rectifying individual machines – try this, if that doesn’t work, try this. In that situation, the coverage metric was very unhelpful because it just doesn’t say what to do next, how to prioritise limited effort. Coverage can even be a negative guide if the support teams learn to focus on the easy wins, as the troublesome builds which may never have had a current scan will never be fixed. If you have a coverage target, it’s natural to fix the easy problems first – would you fix the AV on a dozen standard-build workstations, or that flaky build that runs that special system that nobody really understands? Are you going to reach out to the laptop users who never update? Or if you’re patching every server you have, except the domain controllers, the coverage looks fine, but the situation is dire…

The measure we want – and none of the reporting tools support it – is delinquency. Delinquency measures how long devices – servers, workstations – have been out of compliance. Admins faced with a delinquency target will be more motivated to fix the hard cases, or escalate them out of the system.

Delinquency is the percentage of machines which are out of compliance now and have not been in compliance before some cut-off time. If you scan compliance on Monday, then the machines that were first noticed the previous Monday or before are your one-week delinquents. Of those, the ones that first showed up the Monday before that are your (yes) two-week delinquents.

The timescales you use depend on how tightly you intend to ride rectification for that particular population. For example, for workstations, I would say that a target might be 10% of one-day delinquents, and zero% of one-weekers. I’m saying that we can accept quite a high percentage of non-compliant hosts, provided that we have confidence that all of them are getting fixed within the week – rebuilt or updated by hand if necessary.

Servers, naturally, are different. For servers, the route to live is six weeks long and we get one reboot window per month. Many rectification processes involve a reboot. That’s part of the reason why coverage targets fail harder for servers. But for delinquency, we can say that our target is zero% of six-week delinquents – everything has to be fixed in the first reboot cycle after it goes bad – and all of a sudden we are getting somewhere.

I’m not against coverage reporting. It’s good, and it tells a good story at management level. And coverage targets are necessary to control some very obvious ways to game delinquency! But delinquency allows you to manage:
  • It gives you a clear “next action” – pick the oldest – to prioritise your rectification effort, and
  • It’s compatible with a zero target – you just have to set the age of non-compliance to match your environment, available effort, and risk appetite

On the downside, auditors tend to panic or look blank when you describe it to them. More seriously, it requires a history, and I guess it’s that dependency which means that it seems to be impossible to get figures out of the reporting packages.
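As an added illustration of the metric described above (not the hand-built tool from the original post), the following Python works delinquency, coverage and the "pick the oldest" queue out of a constructed history of weekly compliance scans; the hosts, dates and results are all made up, and a host missing from a scan is treated as non-compliant, since there is no evidence of a current scan.

```python
"""Delinquency versus coverage from a compliance scan history (added example)."""
from datetime import date, timedelta

# Constructed sample history: weekly Monday scans, oldest first.
# Each scan maps host -> True (compliant) or False (non-compliant).
# A host absent from a scan (srv07 from 28 Feb) counts as non-compliant:
# "never had a current scan" is exactly the case coverage reports hide.
SCANS = [
    (date(2011, 2, 14), {"ws01": True, "ws02": False, "ws03": True,
                         "dc01": False, "srv07": False}),
    (date(2011, 2, 21), {"ws01": True, "ws02": True, "ws03": False,
                         "dc01": False, "srv07": False}),
    (date(2011, 2, 28), {"ws01": True, "ws02": False, "ws03": False,
                         "dc01": False}),
    (date(2011, 3, 7), {"ws01": True, "ws02": False, "ws03": True,
                        "dc01": False}),
]
# The full inventory the scans are measured against (constructed).
POPULATION = {"ws01", "ws02", "ws03", "dc01", "srv07"}


def first_noticed(scans, population):
    """Map each host that is non-compliant at the latest scan to the date its
    current unbroken run of non-compliance was first noticed.

    A compliant result ends the run, so a host that goes bad, gets fixed and
    goes bad again starts its clock afresh. Hosts compliant now are omitted.
    """
    since = {}
    for scan_date, results in sorted(scans, key=lambda s: s[0]):
        for host in population:
            if results.get(host, False):      # compliant this scan: run ends
                since.pop(host, None)
            else:                             # keep the earliest date of the run
                since.setdefault(host, scan_date)
    return since


def coverage(scans, population):
    """The usual metric: percentage of the population compliant at the latest scan."""
    _, latest = max(scans, key=lambda s: s[0])
    compliant = sum(1 for h in population if latest.get(h, False))
    return 100.0 * compliant / len(population)


def delinquency(scans, population, age_days):
    """Percentage of the population non-compliant now and first noticed at
    least age_days ago, so delinquency(..., 7) is the one-week delinquents.
    """
    latest_date = max(s[0] for s in scans)
    cutoff = timedelta(days=age_days)
    since = first_noticed(scans, population)
    delinquent = [h for h, d in since.items() if latest_date - d >= cutoff]
    return 100.0 * len(delinquent) / len(population)


def next_actions(scans, population):
    """The rectification queue: oldest non-compliance first, name breaks ties."""
    since = first_noticed(scans, population)
    return sorted(since, key=lambda h: (since[h], h))


def report(scans, population, ages_days=(0, 7, 14, 42)):
    """Delinquency at each age threshold, keyed by threshold in days."""
    return {a: delinquency(scans, population, a) for a in ages_days}


if __name__ == "__main__":
    print("coverage  %.0f%%" % coverage(SCANS, POPULATION))
    for age, pct in report(SCANS, POPULATION).items():
        print("%2d-day delinquents  %.0f%%" % (age, pct))
    print("fix next:", next_actions(SCANS, POPULATION))
```

On this sample, coverage says 40% and stays flat however the easy hosts are juggled, while delinquency shows that dc01 and srv07 have been out of compliance for three weeks and must be fixed first.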

And that’s why I’m ranting! I’ve just had to give up delinquency reporting as the hand-built tool I used became too hard to maintain with a change of platform. I’ve had to move back to checking coverage and keeping private little lists of troublemakers, and it feels like a real step backwards.

2010-10-03

We Are At War!

Possibly. The story has been running in the computer press for a fortnight or so -- google “Stuxnet Iran” but it’s gone mainstream with articles in the Economist this week.

A specific malware -- called Stuxnet by its original discoverers -- turns out to be:

  • Very sophisticated, robust and prolific, particularly well able to travel on USB memory sticks to infect systems kept off the Internet
  • Targeted rather specifically to attack WinCC, a notoriously insecure plant and process control system from Siemens
  • And, weirder, even at sites running WinCC, despite all that specificity, it doesn’t do any of the harm it is capable of. Except in Iran.
Because it seems that the Iranian nuclear fuel and reactor plants run WinCC. And when it’s activated in Iran -- the details of that aren’t clear -- it causes harm.

Cutting a long story short, the line offered to us is that Stuxnet was built by a well-resourced team to smash up the centrifuges at Natanz or even the reactors, by disabling the computers that manage them. The Americans are said to have form here. The Israelis have an obvious interest. And both nations have deep capabilities in development and experts in malware analysis.

I think this could very well be true. Stuxnet is really hard to explain on any other theory. It “wasted” a previously unknown Windows vulnerability on an esoteric target -- a weakness that could have made millions installing Zeus to collect banking passwords. The “waste” is just as gross when you consider the huge skill and work that’s gone into the code -- just to bugger up some plant for no obvious economic benefit.

So, Stuxnet is a weapon in an undeclared war against Iran. And that’s interesting because it’s a first look since Titan Rain at what modern information weapons look like. And what do they look like?

Well, unimpressive, mostly:

  • Slow. Stuxnet has been around for months, and if there was an effect at Natanz, it took a while.
  • Expensive. There’s a lot of effort in that code, no doubt, and a lot of investment in the test and development rig it first ran on, but the real cost is that as soon as it goes public it betrays the zero-day vulnerabilities it depends on for its unique spreading capabilities. Zero-days are wasting assets -- and the clock starts running the moment they’re used.
  • Weakly targeted. Stuxnet went global. It was designed to limit the harm in non-target sites, but it would be better from the security point of view if it had never got there. Global distribution tipped off every WinCC site, including the Iranians, to get smart.
  • Limited scale. You can’t do wave after wave of this sort of attack, as the victim will tighten up their patching and filtering, and at any time the supply of zero-days is limited.
  • Limited effect. The Iranians still have a nuclear programme.
  • And, finally, there’s no magic. No doubt Stuxnet is quality work, but it’s just a well made malware. Like all current malware, it’s a combination of understood techniques.

That last one seems crucial to me. If you do all the things that you should be doing to manage routine malware and zero-days: endpoint, removable media, gateways; then you’re also, and entirely for free, building yourself a bunker which will stifle many of the best efforts of the “cyber” warriors.

I’ve been meaning to write about the boondoggle called information war, but it will have to wait. All I’m going to say here is that I’ve felt for some time that even the idea of IW is unsound -- a hysterical reaction to the pathetic network security seen in the United States and the defence establishments of other countries. If Gary McKinnon can break into your systems by guessing telnet passwords, then, yes, probably you are at risk to rather broad attacks. But that has nothing to do with expanding warfare into the cyber domain and, frankly, everything to do with being a tosspot.

In the meantime, for the rest of us, the lesson of Stuxnet is that Information Warfare is, and remains, a matter for routine operational security.

2010-09-19

Nightmare

OK. Another good title would have been "Idiot." It's a lesson to me. The lessons for you are at the bottom.

It all seemed so reasonable. The screen on my phone was going mental and it had to go for repair. I don't know enough about Android to be sure I'd erased sensitive info and so instead I had to change passwords for every app I used: Facebook, Twitter, my Google account and my email too. Just good practice. The phone was going in on Monday, so that's what I did on Sunday night. I was quite proud of myself.

Now I'm not foolish. I know the risks. I wrote the new passwords down on a piece of paper, and tested them (Can you see where this is going? No, actually you can't. Read on.) My memory of that is very plain, though I was getting sicker minute by minute. I struggled back to town on the Monday, and spent the rest of the week pre-occupied with a really horrible cold.

Back in Kent on Friday night, I thought I'd try and catch up with a week's worth of Twitter timeline. Except I can't log on. Check the bit of paper. Try cAPS lOCK. Try spaces or a punctuation trick. Nope. Try Facebook -- straight in. OK, so it's a silly error, and all I need is a password reset. Off to my mail to pick it up -- can't log on. Arses. Nothing I can think of will get me in. I even have a cached Twitter logon, but it won't let me change my email without knowing the password. And that won't help me get my email password back.

This is the fundamental problem with free services. There's no escalation. And by this time I was getting seriously vexed. It didn't help my peace of mind that there's a spate of password "guessing" attacks against personal email accounts at the moment. Or that the help page for my email blandly told me that the reset would be sent to my secondary email when I didn't have one.

So it's a good thing that there's one thing I don't get free: domain hosting. I pay a very large fee to use the excellent EasyDNS. I don't go there often enough to remember my password, but they do have a recovery system, and they do have a telephone with actual people who could change the email address once I was able to prove identity. Once I could change the zone file for my domain I could haul my way back into my mail. Hurrah.

So, yes, what are the lessons?

  1. Obviously, you can't remember all your passwords. Duh!
  2. Writing them down ought to be good enough but it isn't. Empirically proven! (Idiot.)
  3. You need a plan. At the very least you need to be able to say routinely that all your password resets will come to some email account or other. Realistically that has to be your main account because the same address is used by most services for ordinary communication.
  4. You need a password on your main email account which is different from the password you use anywhere else. Why? Because if any other service has its user/password list stolen, the thieves'll be trying that password to get into your mail, and once they're in, they'll lock you out and steal your identity. A whole different nightmare, but quite common these days.
  5. You need another email account you can trust to receive resets on your main email. I have a good relationship with my employers so I'm using my work account. You might pick someone you can trust (but who doesn't have an engrossing interest in you -- that could go seriously wrong) and set up a mutual arrangement. Or Hotmail accounts seem pretty permanent these days.
  6. And finally, you need to CHECK the password recovery options every once in a while. This happened to me once before and the route back in was easy -- but it doesn't work any more. And when you have checked, you need to test.

2010-07-15

Latex as a Security Tool

I hope I don't disappoint you here.

After a couple of dirty (ooer) jobs over the weekend I felt moved to write about the benefit I've been getting from my big box of disposable gloves.

Five pounds gets a hundred latex gloves -- male sizes -- at Screwfix and at 5p each you can use them for almost anything (and as they really don't keep for long you do need to use them up.) Just over the last few days, I've protected my hands against grease, drain overflows and -- ahem -- biologically active matter. Barrier creams can work and are more comfortable, but the gloves give you a better grip for tools, you can wear gauntlets over them and they come off when you're finished.

And, Security? Well yes. A couple of years ago I spent a week in hospital with an infected finger joint that wasn't playing nicely with the antibiotics. It was pretty scary -- an unmanaged replicator would be a very 21st century way to die, and I never found out where it came from. The best guess was some tiny wound on the finger went septic and my hands do get a lot of abuse. Since then, out of fear, I've been trying to keep them clean and intact as far as possible. All hail cheap latex gloves.

Was that a disappointment? Well I'm sorry, and I will go so far to say you look pretty good in your black PVC LBD. But get yourself some gloves as well, for safety's sake.

2010-06-19

Barefoot Security Anti Malware

I do get asked for security advice, but not that often these days. Often, much more often, I want to tell people, to SAVE them. Yes.
So this is a worked-up version of an email I send out. It's how to keep control of your computer, your data and your passwords by preventing malware on your PC. I'm aiming at the ordinary PC/Windows user with occasional notes about Apple and Linux. It's in rough priority order, and it's mostly advice I follow myself (though it's not all of the paranoid steps I take.)
If you think I should have put AV software top of the list, you should remember that I am a security Expert. Yes, and I have business cards which say just that.

Keep your Thinking Cap Securely ON

Why on earth would you click on THAT?
If the answer is "because THOSE sites are the ones I chiefly love looking at" then you need to pay close attention to the rest of this list.
And if you say "because I'm human and I'm not 100% focussed 100% of the time" then you should read on too.

Backup your Files

Anything you care about should be on media which you don't leave plugged in. There are some nasty malware infections which are simplest to eradicate with a format and restore, so backups are essential. (And there's always fire, flood, technical failure and stupidity, if malware doesn't worry you!)
It's a big topic. You need to think about having a regular system that will show you if copies get lost or aren't taken, about testing your backups, satisfying any data protection obligations, encryption if you worry about people reading it, and keeping media out of the range of that fire/flood/whatever.
It's a shame that it's a top priority as it's none too easy. If you're in doubt about how to do this, I suggest you set up with a UK online backup service, test their software, check their prices and get value out of their support line!

Don't do PC Work as an Administrator

This is really just for Windows users as Mac and Linux set it up correctly anyway. Windows 7 and Vista are better, but you should still arrange to work as a non-admin.
In XP, go into the control panel and set up a new admin account. Then make your regular account into a limited user. Use the limited account for all browsing, email, word processing etc. Only use the admin account to install software, add new hardware, and set up users.
This simple trick stops a proportion of Windows malware, because malware programmers are lazy and assume you haven't taken this precaution -- as most people haven't. Even though attackers are wising up now, and plenty of password stealers and others will now install without admin, it's still an important precaution because it stops rootkits, and ensures that installed malware is easier to clean off.
The problem is that other programmers, especially games programmers, are just as lazy as malware authors, so their stuff won't work. Software which insists on admin privileges to run (rather than to install) should be rejected as unfit. If you're stuck with it, investigate "run as".

Apply Security Fixes

Ensure that all security updates apply automatically. Malware uses unpatched vulnerabilities to install. Vulnerabilities are sometimes being exploited even before they are fixed, so ignore people who say you should wait a few days -- it's too complicated, and the risk of you forgetting or being exploited in those few days is much greater than that of a bad patch.
In Windows take a moment to turn the software firewall on, as that setting is nearby.

Keep your Auxiliary Programs Up To Date

Make sure that all of the extra stuff you need for the full experience (Adobe Reader, Flash, Shockwave, Quicktime, Java) is up to date. Secunia Inspector is a good way to check.
Most modern attacks arrive through these products. If you use Office, Photoshop or whatever, make sure you get updates for that too.

Use a Less Common Browser

On Windows, don't use Internet Explorer (except for updates where it makes you do it.) On Mac, don't use Safari. Malware authors naturally target the common browsers.
On Windows, install and use the Google Chrome browser because it can update itself as a non-admin (unlike Firefox). If you must browse as an admin, install Firefox and learn to use it with NoScript.
Also in Windows, take the time to keep IE up to date. Even if you think you're not using it, you don't want old versions on your PC.

Use AV Software

On Windows, Microsoft Security Essentials is good enough -- free, unobtrusive and good quality -- if you avoid admin browsing and email. Check that it is updating automatically.
I confess I don't run AV myself, but it seems like a necessity for people who like to test animated cursors or other oddments.

Disable the Big Adobe Reader Mistakes

Adobe stuff needs special attention. There's just so much malware targeting it, and it's not easy to keep up with the updates. PDF used to be a handy document format, now it's a malware magnet. Reader X (10) is an improvement, but it's still a bore. You have to switch off the idiot features that Adobe added.
Start the Adobe Reader and pull down Edit/Preferences…
  • Select Trust Manager in the list and clear the checkbox marked "Allow opening of non-PDF file attachments with external applications"
  • Select JavaScript and clear the checkbox marked "Enable Acrobat JavaScript"
You need to repeat for every user account that uses Reader. There are equivalent settings in Acrobat if you use that -- you'll need to find them yourself.

So will these make you secure? Well, no; nothing will. But they will stop you from being a soft target. If you have secrets to keep, there's a whole other journey about understanding the settings on your accounts, encrypting data and the rest. But that is another post.

2010-04-10

Organisational Truth Lies in the Email Distribution Lists

Now this is a really good idea.

"All data access should be approved by the data owner"
That sounds so reasonable, it's easy for the auditor to say. But it's absolute murder in practice:

Most access is routine, and based on who you work for. Requiring an approval for this sort of access diverts effort and attention and provides no real control because if the facts are right, the access is approved unthinkingly.

I've been messing around with the idea that the official org chart from HR is a suitable proxy for this sort of approval. Essentially, I'm claiming that if the line is on the chart then the manager can't -- won't even be asked to -- decline access to his own team's area. And the same would go for project managers: if you're on the team, you're in the folder.

Now that's an OK sort of plan except for one detail: The org chart is wrong most or all of the time. Lots of temps are missing and there are important lines that never get on to paper. To be fair, the people who manage it never intended it to be a moment-to-moment authority, but that, unfortunately, is what I want.

I could actually live with that looseness -- "Good enough" is a lot better than most people's practice, and I think it would do. But we can go a little better, thanks to Kate.

This afternoon I was tidying some permissions, and I ran into trouble because the team group was wrong. And Kate, bless her white pate, told me to populate the group from the team mail list.

I can do something with this!

Because one thing that managers and their PAs care about is that the team or project distribution list is OK. It'll be updated when the structure changes, and everyone will be on it. If you work for two bosses you'll be on both lists. And, crucially, with Exchange, distribution lists can feature in access control -- you just have to turn on "security-enabled."

Do you see where I'm going? The distribution list structure, with its nesting, is a true org chart, kept up to date by people who care and understand what it means. And that means that it can be used for all your "because he works for me" approvals, without dealing with the constant stream of "oh that changed" errors.

Finally!

2010-04-07

It's OK -- It's Just Normal

Stupid article in Friday's Kent Messenger about a rapist on the transplant list. The editorial comment asked the question "Would you donate your heart to a Rapist?"

Well, the obvious answer is "No: I'm still using it," but it's still worth a look because it makes a rather wonderful example of the way normals think.

As far as I can tell, it's not a joke. We're not intended to say "No, and he shouldn't get blood transfusions either" or "No, and donor registration should allow you to opt out of patients with unpaid parking tickets as well." Or, and I particularly like this one, "No, and convicts should be denied medical attention generally."

Someone wrote this, someone subbed it and the editor put it on the front page of the Maidstone edition. None of them gave it the ten seconds thought required to see that there's no principle here, that even if the transplant immunologists didn't already have enough to worry about, there's no line, no criterion offered which will serve to guide donors or doctors.

There is a real story -- that some judges are much too prone to make stupid remarks -- and I'm hoping that it wasn't just cynicism that got it covered this way. I can't really object to journos who fail to take an idea to its limits to see where it goes. It is, after all, just normal. 

2010-02-22

Ballistic Brown

This story feels like it's being pushed by someone hostile. But I see it -- and trust it -- as far as any other dodgy authentication issue. It's only OK for a bullying hotline to trust your word about your identity if all they'll do is give advice.

Because otherwise it allows callers to build a slanderous paper trail.

The only reason I don't believe this actually is a long-planned operation to discredit the PM is that no-one could possibly have imagined that the woman would be daft enough to go public.

2010-02-14

Safety First

I don't believe the LHC will bring the universe to an end when they switch on the second beam and start getting relativistic collisions. The energies are simply too low.
But just for safety's sake, I'm testing the scheduled posting feature in Blogger. I had this story booked to go for Christmas morning 2008 when I figured they'll be running both beams by the end of December.
But they broke it and broke it again. The latest news I have (18/10/2009) is it'll be running early in the new year, so Valentine's Day is a safe bet.

2010-01-14

It's a Dirty Job

Diane gets sex spam and she doesn't like it. She's sent up an offensive example.

Now I don't know why the filth heads toward her mailbox, but a quick look at her quarantine shows that there's plenty of raw ... offers ... being blocked. A closer look at the one that got through reveals the reason. There's not a single dirty or ambiguous word, it's barely even English:

If you are disappointed in its second half, bold, come in. I can do for you is - what can not no girl! enter here (a link).
Where's the harm in that? Well, it's obvious. Obvious to me and obvious to Diane too. But utterly undetectable to the machine that's trying to keep solicitations out of her mailbox.

So I have to go down and tell the lady that her basic problem is her dirty, dirty mind.

2010-01-03

Unwired

Over the last few weekends -- say 20 hours work total -- I've laid over the first hedge I planted here -- about 50 yards of "native mix" with the hazel taken out and used elsewhere. It's gone well. I'll never be fast at that job -- I enjoy the looking much too well -- but it's a real eye opener to see how much easier it all goes when you don't have to spend time de-wiring. And it's interesting to see what other planting-time lessons there are to learn.

  • Rabbit guards are a must. The plants mostly survived, but I reckon they're a year or so back, and the ground-level damage makes them harder to split and bend over.
  • Ignore the supplier's sincere advice to plant these bare-rooted slips in a trench of tilled soil. Even six years on, the roots move when you strain the plants around the spiles. Slide them into the clay down the back of a spade and they'll be forced to set firm roots in the clay.
  • Another piece of gardening advice to avoid is to take the top of the slip off so that they bush out. A bush is useless -- you have to strip it all off when you lay. What you want is tall, spindly whips, so just leave them be.
  • Never plant blackthorn. Duh.
  • Don't plant briars with the rest of the hedge. Until it's laid over they just get in the way.
  • So the mix, if you don't fancy just hawthorn, would be five hawthorn, one spindle, one hazel and one fruiting tree depending on your taste -- mine would be beech. Then come back when you've laid it and put a dog briar in each of the gaps.

2009-12-13

Not Invented Here

This has got nothing to do with anything I know about, but it's got me cross so here goes.

My little Samsung music player is old now, but it does all I want. It loads up as though it was a USB stick. I can find the music I want navigating up and down the directory tree with folder and track names showing on the tiny four-line display. It plays .wma, .ogg and .mp3 files, and when I'm bored with my files, there's an FM radio.

I would have thought that this counted as some sort of baseline. iPods have a display for album art and video. Other players have integrated phones, or glossy appearance, or Bluetooth audio, or who-knows-what magic. But for a £40 player, I was happy.

One thing the Samsung doesn't have is the oomph to drive any sort of speaker without caning the battery. Nor should it, but it's a bit frustrating sometimes when your ears are tired of buds, that there's no way to fill the room with it.

This shouldn't be a problem these days. Quite a lot of music centres and boom boxes support "USB" which is a shorthand for digital music on popular media. Except they don't -- the support is rubbish. I looked at Cambridge One and the Yamaha desktop music player -- both about £300 -- and they were both really disappointing:

  • For a start, it's MP3 only. Compared with my Samsung, the hifi designers have vast resources of electrical power and size, so there's no excuse for limiting the playback decoders.
  • There's not much point in a remote if the buttons are hopelessly obscure. The navigation is hard.
  • And it's worse when the UI can't even display a directory listing. I've got 2GB of music on that thing and ignoring directory names is not going to help.
  • And in the 21st century, I reckon we're entitled to a decent screen, but what we're offered is a single line. I felt that I was fortunate under the circs to see the ID3 tags in an unsatisfactory fixed-rate marquee.
What's happened here is that someone has made the minimum possible hack to the code that plays MP3 CDs. The idea of picking up a few hints from the players made in a different division of the same firm just never occurs to anyone. All I want is something that can play the same files as a cheapo portable, and provides a simple user interface. Hard? Apparently so.

2009-11-21

What Goes into the W7 Workstation

First look into the Security Guide in the Windows 7 Security Compliance Management Toolkit. It's an interesting read and there's a lot of potential goodies. The takeaways for me are:

  • UAC looks good, but when you get down to it, there's less than you want. In particular you still need a really non-admin account for browsing and reading mail and it won't save ordinary users from cockups -- so they still can't be admins. Good. (Mark Russinovich says that the real purpose of UAC is to force developers to make their code work as non-admin. Better.)
  • The policy can all be pushed from group policy. The price of this is that W7 machines will need their own OU tree.
  • There are some sexy, seeeexy audit log options. A whole lot more to set.
  • There's an easier replacement for software restriction, but it relies on signed code.
  • Finer-grained control over devices means we might be able to have one less agent in the build
  • Still not sure about the malware tools. I can't see why I would object to the Malicious Software Removal Tool but the old rule about not mixing AV solutions may apply here. The native tools aren't enterprise capable, so they'll have to go.
  • This may be time for SUS. The solution we have is more capable, but since we only ever push MS hotfixes with it, I might just choose to save the licence fee.
  • They seem to have de-emphasised routine IPSEC since Vista, but I may have missed the crucial bit.
I need a W7 install to play with.