If you tell enough stories, perhaps the moral will show up.


Just for reference: this is the contents of the more mad son's Christmas list:
      December 25 2008 Thursday David's Christmas Presents
      Thomas the tank engine Percy and the Signal VHS
      Thomas the tank engine The Runaway VHS
      Thomas the tank engine Escape VHS
      Thomas the tank engine Thomas Gets Bumped Bumper Special VHS
      Thomas the tank engine Thomas's Christmas Party Bumper Special VHS
      Thomas the tank engine Rock n Roll VHS
      Thomas the tank engine Story and Song Collection VHS
      Thomas the tank engine Happy Holidays VHS
      Tots TV Bike Ride Bumper Special VHS
      Fun Song Factory 3 Party time at the Fun Song Factory VHS
      Fun Song Factory 2 VHS
      Tumble Tots Action Song Favourites [1996] VHS
      Tumble Tots The Action-Song Sing-A-Long VHS
      Tweenies Song Time Is Fab-A-Rooney [1999] VHS
      Maisy Maisy's ABC VHS
      Canon Digital Camcorder 35x and 1000x DVD Video
      Nikon Coolpix P50 Digital Camera 8.1 MP 3x optical zoom black (Upgrade with SD)
That's right. Fifteen videos (the "VHS" is not a misconception -- he wants tape cassettes) and two mid-range, top brand cameras.

We got him a Fuji S5700 which is cheap now and has quite a good video function (and is currently the best camera in the house), and Mrs U has had a trawl round the Maidstone charity shops for videos. We'll see how it goes.


Spam Counter - 2008 December 13: 634

Can't put this on the graph, but one month on from McColo it's still falling.....


Spam Counter - 2008 November: 852

This month's drop is the famous McColo effect. It'll be interesting to see how a whole month without McColo looks on 12/12.
The content seems the same as ever.
Two interesting papers about email-delivered nuisances: spam and phishing. Each offers methodologies which finally give realistic estimates for the return from penis spam and phishing. Both agree there's very little profit in it -- mugs and losers are, after all, a limited resource. Which is nice.


Chinese Hackers are Real, I Tell You...

... And they're planning to flood the world with cheap telephones.

Al sits close to the Head of IT -- a position that reflects his operational centrality, and the affection in which he is held. But he came to me with a puzzle about his Hotmail. It seemed that he'd managed to send himself, and all his contacts, an email advertising http://www.feixiangyu.com -- an electrical distributor.
Well, we looked at things like his spam folder, and whether it was just in fact a particularly artful non-delivery notice. But soon he had replies from his contacts congratulating him on his new business venture.....
Now the beauty of Hotmail is that it's easy to attribute. The X-Originating-IP header gives just that -- the IP address of the originating computer, which is the IP that Hotmail saw as the browser that "got" (GETed?) the send links. This one was and Sam Spade plumps that in the middle of the Middle Kingdom. The ISP is Chinanet, and the PoP is Zhengzhou -- capital of Henan, a respectful distance from the Yellow River -- seven million people in a few square miles, and at least one dodgy marketing guy.
On the whole, I'd rather be hacked by Chinese shopkeepers than the Russian Mafia -- you're less likely to have your bank account emptied. I told Al to change his passwords, check his bank statement, and run an online AV check on his home PC. I sure hope that shows something, otherwise I'm going to have to wonder whether it happened on his office machine, and that's something I just don't want....


Microclimate (2)

A nice strong frosty morning. When the train went into Sevenoaks tunnel, the double-glazed windows were clear, but when it came out, they were obscured by condensation -- on the outside.

I guess it takes a while for the roots of the North Downs to cool.


Solving the Wrong Problem (a different one)

Now, listen. Encryption is probably not the solution to your problem. We hear a lot about encryption these days and it seems to be widely imagined as the solution to a problem, or a reason why it's not a problem: "it was encrypted", "we'd better encrypt that". Keep an ear cocked for that sort of thinking, because it is the sound of someone making a mistake. Encryption doesn't solve any problem, not even access control problems. It replaces access control with a smaller, tougher issue: key management. Whether that helps at all depends on the situation. It's late and I'm tired so I'll cut through and state the facts. Encryption only helps when the key management problem can be solved, and the key management problem can only be solved in strictly binary situations. When you can cast the problem in the terms "everyone in this group gets full access without per-user auditing and no-one else gets anything", then maybe you could try encryption:

  • Access for a single person against the whole world -- keeping personal secrets
  • The same plan for a group small enough to maintain perfect mutual trust. Some of us feel that the maximum size for such a group is one.
  • Shared channel against the world: the VPN and encrypted device
It's Us (or rather Me) and Them. If you have any other problem, don't bother with encryption.


Voter Insecurity

It hardly matters, but on the whole, and despite even Sarah Palin, I somewhat prefer the idea of President McCain. The other guy is just so -- well -- young. As well as being a lifetime politician.

If McCain loses, well, that's just what the polls were saying. It's easy to accept unsurprising results.

But if he wins, I won't know what to think. The trouble I have is that I just don't believe in the integrity of the US voting system. Why do you need a machine to vote with? It seems as though the sole purpose is to create opportunities to bugger it up, with ballot layouts designed to fit around punch cards, more-or-less functional touch screens and the Dear knows what else.

It seems that some counties actually have voting machines where the votes only exist as totals on a CF card. That's OK for money: You can audit against the books of first entry. But ballot papers -- the petty cash slips of the political world -- are just missing from conventional PC based voting machines.

So I'm hoping for a landslide, because I don't think the USA needs another argument about who truly won.


The Angry Cyberwarrior

All over the world, we are told, war departments cosset their lists of unpublished vulnerabilities, kept in reserve to get into enemy systems. If that's true, there must have been more than one outburst of tantrums and glum looks when MS published MS08-067. It's a splendid vulnerability and one that would have saved a lot of social engineering and spying.

Now it's worthless.

Spam Counter - 2008 October: 1387

No real change. Penis pills and Russian ladies: Olga and TatianaG want to meet me?



I think this is the second or third time MS have published an out of cycle patch, and it may be the first proper Windows (as opposed to IE or Office) vulnerability to get this treatment.

It probably deserves it. When I read the notice, my heart sank. I remember staying up thirty-six hours in August 2003 dealing with Nachi/Welchia running through our systems because we didn't succeed in patching MS03-026. It didn't help that I was pissed as a fart for the first six hours or so -- having been hauled out of the pub at 10PM by an aggrieved network engineer watching our traffic heading through the roof -- and my boss had to hide me in the machine room trying to figure out what was going on, while she explained to her boss that she'd sent me home. What did help was that it used ping to explore the network, and it dropped nice clear signature files. That night I experienced the sheer beauty of Cisco VACLs (layer 2 filters) when I found we could use them to suppress ICMP, and that left the worm blind enough for us to clean up by hand, though I didn't dare turn it back on for a week, and we left the filter on the link to Group for years....
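The ICMP-suppressing VACL described above, written out as an added example in Catalyst IOS syntax. This is not the author's 2003 configuration; the VLAN range, the access-map name and the ACL names are assumptions for illustration.

```cisco
! Added example, not the author's own configuration. Catalyst IOS VACL
! syntax; the VLAN range (100-120) and the names are assumed here.
! Nachi/Welchia found its next victims with ICMP echo, so dropping ICMP
! inside the user VLANs leaves it blind while everything else still flows.
ip access-list extended NACHI-ICMP
 permit icmp any any
ip access-list extended EVERYTHING-ELSE
 permit ip any any
!
! In a VACL a "permit" in the matched ACL means "this entry applies";
! the entry's action then decides what happens to the packet.
vlan access-map NACHI-BLIND 10
 match ip address NACHI-ICMP
 action drop
vlan access-map NACHI-BLIND 20
 match ip address EVERYTHING-ELSE
 action forward
!
! VACLs are layer 2: they filter traffic bridged within the VLAN as well
! as traffic routed in and out of it, so a worm scanning its own subnet
! cannot get round them the way it gets round a router ACL.
vlan filter NACHI-BLIND vlan-list 100-120
!
! Check it took, and take it off again afterwards with
!   no vlan filter NACHI-BLIND vlan-list 100-120
show vlan filter
show vlan access-map NACHI-BLIND
```

Narrowing NACHI-ICMP to `permit icmp any any echo` and `echo-reply` would blind the worm while leaving path-MTU and unreachable messages alone; the broad form matches what the post describes.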

That vulnerability was in DCOM -- pretty important, but possibly fixable by switching off the service in the registry. This one is in SMB, and there's no switching that off. You may as well shut down. Oh, and modern malware wouldn't make the same mistakes as Nachi, or be so gentle to its hosts. So I was pretty uncompromising all Friday, and reading the increasingly nervy statements from MS, I really don't think I was too rough. We're inserting this patch as a special into the October/September patch cycle that was just starting its route to live on the Friday. We'll have to re-do all the test servers. I hope that's enough.

Real Financial Insecurity

Prostitute's postcard seen today in a phone box in King William Street:

  • A very conventional picture of a youngish woman in partial undress, and
  • A site: "London Bridge" -- in reality that would be far out in the Borough, but never mind...
All ordinary. But what struck me was the caption. It wasn't "Maid for Pleasure." It wasn't "New 19 YO Swedish." It wasn't even that perennial City favourite: "Fully Equipped Dungeon."

No. The caption was: "Kisses and Cuddles." If that isn't the clearest sign of financial calamity, I don't know what would be.

God bless her, though. It's wonderful to imagine that there's a living in snogging.


Consequences of Solving a Non-problem

Whatever was so wrong with marking X's in the boxes with a 3B pencil?
Or is the real problem that people are voting wrong?


The Current Status of the Pound

I'm writing this on 28/10 but I'm back-posting to the day it happened, right in the middle of the (first?) UK banking turmoil.
I had occasion to use the toilet in the headquarters of a big four bank. As I reached for the paper I noticed a little blemish on the white(ish) sheet. Being unsqueamish about this sort of thing, I gave it a little scratch and a shred of coloured paper came away on my finger nail. I pushed back my specs for a closer look and found a tiny fragment of a £10 Bank of England note -- barely a millimetre across, but the engraving and colour so fine as to be unmistakeable. That bank had been wiping their collective arses on thousands of pounds in fine rag paper -- and they never knew.
I do wonder whether it's co-incidence, or whether support from the BoE comes with an unpublished obligation to help them get rid of their pulp....


Boot (If You Can) and Nuke.

Endless problems trying to get DBAN to boot reliably off a USB stick for Desktop to erase a bunch of machines with.

The Windows installer never quite managed to make the stick bootable and there isn't an installer for Linux. Eventually I booted into linux and just dd'd the floppy disk image over the raw device (/dev/sdb rather than /dev/sdb1 -- though I'd previously made sdb1 bootable) -- there are no partitions on a floppy, and that seems to boot, but not very happily.

I'd have made a real floppy, but I can't believe that many of those machines would actually manage to read a whole FD without error. What they don't have is CD readers, and I don't know the general process to make an ISO bootable on a USB stick.


Spam Counter - 2008 September: 1355

Among the penis pills and the phishing we see hints of cheap clothes and dodgy diplomas. Are the times hardening? If so, Spam Will Adapt & Survive!


Free Health Food

One good reason to get home in daylight is that you can browse the hedges. It has been an amazing year for blackberries with whole sprays ripening at the same time. Even the fruit of the hawthorn are edible, though no tastier than they ever were.
Mrs U made hedgerow jam which allowed me to claim that I had spent the afternoon hawing in the hedges. Which is a very fine image.


The Truths of Astrology

I am sometimes praised, mostly by me, sometimes by him or her, but very rarely by Them. So, this afternoon when I was very deliciously, loudly and fulsomely praised by the lovely ladies on the admin desk, swiftly joined by the very gorgeous customer service head, apparently with no motive other than to publicise my wonderful personal qualities, I was a bit perplexed. In fact I couldn't restrain myself from wondering what their collective game was. (And I still don't know)

I got a glimpse through the mists, though, on the way home. My horoscope in the thelondonpaper which they won't have seen, is absolutely explicit. It looks like a good weekend -- at least as a test of newspaper horoscopy.

How? Well, it couldn't be more obviously about me, and I have got -- as it happens -- a fine project to throw myself into and a number of things that need to come together. There's even a defined timescale.

We shall see.

UPDATED: 22:34 Saturday -- I assembled a chicken coop with plenty of flair, and energetically picked fruit in the hedgerows, but nothing yet.

UPDATED 21:53 Monday -- Overall the weekend has passed off like many others -- on Sunday I mowed the lawn, cut wood, picked apples... So it looks like a clear loss for astrology -- it got the right guy, but gave the wrong advice. And yet. At 3AM today, I woke with a clear sensation of being outside in a lightning flash with the roar still echoing in my ears. I was so terrified that I would not have been surprised to find myself blind with a Voice asking "umacf24, umacf24 why do you persecute me?" As it was, I shook with terror as I made my way to the toilet and then shook with terror in bed until I fell asleep. I don't think it was real lightning -- I'm too far from the window for it to have that effect. But as a way to bring things together in a rather intriguing way, it totally sucked. So I call this a draw.


ActiveX is Satan's Execution Environment. From Hell.

I went live with a simple but rather marvellous little change -- all the groups which deliver bulk machine or account admin privilege have been dropped into the group that denies browsing on the proxies. That's a huge win -- a vital step forward now that so many legitimate sites have been perved up to push BadSrc exploits and the Dear knows what else. The admins have two accounts, and if they want to browse from their workstation, they have to make sure it's not a member of any of the privilege groups. We're not mandating how the support teams arrange accounts, we're not touching anyone's permissions -- we're just declining to accept the risk of admin browsing.

It's good. I trialled it on myself and -- for six months -- on the domain admins. I gave support six weeks notice and a pile of reminders. I engaged with anyone who asked for advice on the technicalities. (It mostly boils down to using runas and getting a second explorer instance.) I've written a page on the support wiki, and for those who can't handle my writing there's advice from Aaron Margosis. It seems there are no tasks that require admin privilege browsing. Everything should be good, and our vulnerability surface hugely reduced.

Except for ActiveX. One of the Desktop team's top-twenty calls is to install or update an ActiveX applet from an external web site. And there's no way round it -- you do need to browse and you do need to be an admin, because what you're doing is exactly what malware does -- it's just that you happen to trust the site.

There's no need for this. I don't see ActiveX giving any better user experience than JavaScript -- it's just bad design. But it has to work.

I'm not going back. But:

  • It's pretty plain that this can't be handled with Windows permissions. ActiveX is too broken. And anyway the philosophy of this change has been to leave Windows access alone. 
  • So we have to look at the other side. When we do this at the moment, why is it OK? It's because the admin, reassured by the user, trusts the site to be safe, and required for business.
Naturally the block imposed by the no-browsing group is right at the top of the proxy policy. So I'm going to go in with a rule immediately in front of the block. If the user is a desktop admin, and the site is in a static list of "Approved for ActiveX" then the browsing is allowed, and the blocking group won't get a chance to take effect. There's an extra step to get new sites into the list but I don't think that will be too much inconvenience, and like the rest of this change, it's the sort of control we should have had a long time ago.

We have to settle who will approve sites into this list, but that's easy: I will.

Next step: probably to enable fast user switching on the desktops, to make life easier all round.


Two Shiny Stories

So now we have the Google browser with a name that proves that the Septics do get irony. It's not chromy at all, but it does have two interesting stories:

  • It is possible to keep big secrets for a long time. I don't know how long it took to go from concept to (beta -- surprise) release, but it can't have been less than eighteen months and even though a Google browser is a juicy story, all the news services seem to have been taken by surprise. That's impressive. I'd like to know how they did it, and I wonder what other secrets they are keeping.
  • Now that Google is just as wicked as Microsoft there's lots of fuss about the browser's licence and its potential to phone information to Google (e.g. under the pretence of checking whether the site you are visiting is a phishing site). But the source is under a BSD licence so it ought to be possible for a forked "clean" version to appear on sourceforge any time. We'll see whether open source can still function without corporate support....


Spam Counter - 2008 August: 1,521

Penis pills and Paris Hilton (declared a national historic monument). Breaks a five month downward trend, alas.


Please Provide a Credit Card Number to Enroll for this Free Offer.

One fascinating comment on this Register story:

Good ol' Tiscali
By Anonymous Coward
In the days of dial up I once signed up with Tiscali as they were offering a free month's trial and being a student I needed to save as much money as possible. As they wanted card details that they were saying that they were only going to start debiting after my free month and I didn't want to risk forgetting to cancel, I entered 4111 1111 1111 1111 as the card number, which is a commonly used test number that validates using the card checking algorithm. This worked and allowed me to sign up for my free month.
Surprisingly (or not) my internet access continued into month 2 .....
Reminds me of the days when Mrs U was driven mad by La Redoute accepting orders with credit card numbers that didn't even pass the checksum test. Surely it won't work anywhere any more....
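A Luhn check of the kind that let the commenter's 4111 1111 1111 1111 through, as an added example that is not code from the post, the Register comment, or any merchant's system. It shows why the test number passes (it is Luhn-valid by design), why a typo fails, and the extra step a form needs: a blocklist of published test numbers and, beyond that, a real authorisation. The additional card numbers below are constructed for illustration.

```python
"""Luhn (mod 10) screening of a card number at sign-up.

Added example, not code from the post or the Register comment. The card
numbers used are constructed for illustration; 4111 1111 1111 1111 is the
published Visa test number the commenter mentions.
"""


def luhn_valid(number: str) -> bool:
    """True if the digits of `number` pass the Luhn checksum.

    Spaces and hyphens are ignored; any other non-digit fails. Working
    from the right, every second digit is doubled and, if the result
    exceeds 9, reduced by 9; the digit sum must be a multiple of 10.
    """
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Published test numbers: Luhn-valid, never issued, accepted by sandbox
# gateways. A form that only runs Luhn waves these through, which is
# exactly what the commenter relied on.
KNOWN_TEST_NUMBERS = {
    "4111111111111111",  # Visa test number, as in the comment
    "4242424242424242",  # another widely published Visa test number
    "5555555555554444",  # widely published MasterCard test number
}


def screen_card_number(number: str) -> str:
    """Classify a card number the way a sign-up form ought to.

    Returns one of:
      "reject-checksum"  fails Luhn (a typo, or garbage)
      "reject-test"      Luhn-valid but a published test number
      "authorise"        passes the local checks; only an authorisation
                         (or zero-value hold) with the acquirer shows it
                         is a live account that will actually be debited
    """
    digits = number.replace(" ", "").replace("-", "")
    if not luhn_valid(digits):
        return "reject-checksum"
    if digits in KNOWN_TEST_NUMBERS:
        return "reject-test"
    return "authorise"


if __name__ == "__main__":
    # constructed inputs: the test number, a one-digit typo of it, and a
    # Luhn-valid number that is not on the published-test list
    for n in ("4111 1111 1111 1111", "4111 1111 1111 1112", "4111 1111 1111 1129"):
        print(n, "->", screen_card_number(n))
```

The point of the third outcome is that "authorise" is not "accept": a number that passes Luhn and is not a known test number still tells the merchant nothing until the acquirer has answered.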


China Stole the Productivity Revolution

It's hardly possible to avoid writing about China today. Even if it has little to do with security. So I'm going to write about three-packs of knickers for EUR 3, or mobile phones for EUR 10.

Everyone can see that the Chinese cities are getting rich. There are still plenty of people living squalid lives with little money, but the gloss is there and, more to the point, there are more and more hard-working middle-class people. Today, it's the cities and the coasts, but if they can hold on to the currency, the banks and the economy, it'll be the whole country soon enough.

Now the point about hard-working middle-class people is that they don't stitch supermarket knickers or assemble disposable mobile phones. They're too expensive. So we have to ask, once the opulence has worked its way into China, where are our panties going to come from then? (and theirs too, of course.) Bangladesh/Nepal/Burma just doesn't have the slack to take up the produce of three hundred million pairs of willing hands. India is on its own way already, and Africa is disorganised and thinly populated.

I see the answer to this question taking us back to, ooh, 1978 -- the Year of the Micro. Back then, the unions were huge, offshore manufacturing was inconceivable and the promise of cheap micro-processors was in the robot factories that would provide a life of leisure and customised goods for all.

Well, it didn't work out that way. No. Hey! it's thirty years later -- 2008 -- the future in anybody's language -- and

  • If I want a suit, I can't walk into a shop and be measured up by a machine which will cut it, make it and post it to me.
  • Mrs U had to buy a Toyota instead of a Nissan because the seats are too long for her thighs and there's no opportunity to get it changed.
  • Children's toys are hand-assembled -- and that's not snap-together either. There are dozens of screws -- easy to design, simple to tool, but needing a lot of work to assemble.
How crap is that? What went wrong?

Offshore manufacturing is the answer. There's no point in tooling up with fancy kit if the competition can have it made by hand for less. For a huge range of goods, manufacturing has gone backwards these last thirty years -- those screws in the toys weren't there when I was young. The products are cheaper, more varied, generally better assembled but totally uncustomised and insusceptible to automation.

So my guess is this. When the supply of cheap labour dries up, we're finally going to get the automatic factory revolution. Only, it'll be thirty years better. It'll be led by the Chinese, because they're the ones with the problem and it's going to suit their convenience not ours. But I feel that I'm within five years of getting my machine-measured suit. It's going to be more expensive than the one stitched in a Fujian sweatshop. But at least it'll fit.


Time for Tubby Bye-Bye, Meestair Bond

Well, the NMAAJS Daughter has been on Club Penguin for a month or so, and she's been enrolled as a secret agent. You get a tool to move around the site more easily, a range of mission games, a secret tunnel from the sports shop to the surveillance HQ and some fine clothing options like a bow tie and a tuxedo. (Why on earth would a penguin -- the world's most sophisticated bird -- need a dinner jacket?)

But the real meat is in the handbook. You have to report mean penguins and the ones who use bad words, so some harried moderator in Tucson or wherever can review the log and decide on an appropriate action.

Little do they know that the NMAAJSD has essentially no chance of spotting bad language -- we were watching two potty-mouthed puffins F Uing and F U 2ing and she had no idea what it meant. And this is the child who, on her fifth birthday, addressed the author of her being in these terms: "Just fuck off, Daddy."

Still, you have to give them credit. They're at least trying to make it fun to be a snitch, and that puts them a little ahead of the Stasi.


Air Defence Chicken

Mrs U has persuaded the broody hen to hatch eight chicks -- four of our eggs and four (of six) from a Black Rock breeder (I keep wanting to say Northern Rock....) and the time has come to let them out for a little air in an improvised run of their own.

Magpies and kestrels are an obvious worry, but it seems that hen is ahead of us. Mrs U thought the hen was looking a little odd one day, as the chicks cheeped and pecked in the long grass around her. She was carrying her head strangely -- almost as if she was watching the sky. Which she was. There was a single black speck circling in the skies. And the air-defence chicken led her mixed brood indoors.


Spam Counter - 2008 July: 1,207

Nearly all penis pills, or visit and get pwned.


Naming Risks

Jerome Kerviel seems to be on the edge of getting a risk named after him. This is not the sort of distinction that will make his mummy proud, but it is a distinction nonetheless. About the only other named risk I can think of immortalises the otherwise obscure Herstatt Bank closed by regulators in 1974 before it had paid out on its forwards settling that day.
Kerviel's activities are set out in the Mission Green report, and if you were following the story at the time, it's interesting to see how wrong the initial spin was: He wasn't stealing passwords, he wasn't modifying control spreadsheets. He was exploiting his back office knowledge, but at a higher level: he knew how to use cancellations and corrections -- all the points where control can't be watertight because trading isn't -- to get his positions off the records, and he'd been doing it for some time. (It was only right at the end that he started to fake forwarded email -- nothing complicated, just editing a real forwarded email.) So this gives us a useful term: Kerviel risk is exploitable vulnerabilities -- uncompleted cycles of review and follow-up -- in a control system. A short name for a rather complicated concept, so maybe it'll stick.
Now this definition means that Kerviel's name is not correct for authentication-abused-to-approve-fraudulent-actions risk. But Jagmeet Channa has come along just in time to help us out. He stole a couple of passwords to approve his multi-million pound transfers to his accomplices in N. Africa and Manchester.
The problem is figuring out what risk we're naming here. Channa's not talking so we can't tell if it's:

  • Password stealing? -- he certainly did, but maybe that's not the point
  • Inserted Insider?
  • Coerced Insider?
  • Criminal Mastermind who recruited outside help?
I'm going with the authentication, for the present. Channa Role Risk.....
And what makes this a security story? Well, the investigation started by interviewing the colleagues whose passwords Channa used. Don't fancy being in an interview like that? Then guard your password.


The Visitor

If you care to watch out, the light evenings expose one of our regular visitors -- a barn owl cruises the paddocks a little after nine. It looks like a ghost, a big white bird flapping hard so as to fly slowly but totally silent. In the three years it's been coming, I've never seen it stoop but I suppose these summer visits must pay off.

In the winter, when I'm walking across the fields well before dawn, I hear owls calling in the dark, but I can't tell what sort, or whether they're hunting or socialising. Sometimes they sound like they have a warning for me.



Everyone raves about Fargo but I never saw it until last night. It is funny, and the premise of this very ordinary copper rolling up a complex, ugly situation almost without any difficulty is attractive.

For me, the best bit in the film is the shot where we see the William Macy character pull up in front of his father-in-law's body. By now, he's so depraved and so far out of his depth, that it takes him just a second to pop up the boot of his car....


Club Penguin Without Being Mad

Club Penguin is an MMORPG a bit like Second Life. Except that you can't use bad language. And your avatar is a Penguin. And it's owned by Disney. This is right up the Not-Mad-At-All-Just-Stubborn Daughter's street and for her ninth birthday treat she was subscribed.
So that's lovely except that the browser applet wouldn't connect.
Now by rights I ought to go off on a LUA rant here about the daftness of software for children that has to be admin to run. Except that CP is fine as an ordinary user and in fact I had an inkling what was wrong as soon as I saw the message.
So I went off searching and found this support page. Take a look at point four.

4. If none of these things work, you should call your Internet Service Provider (ISP). That is the company that you pay to connect to the Internet. They might be using a firewall that is blocking the ports that lead to Club Penguin. When you call them, tell them to open up these ports for TCP traffic, inbound and outbound: 3724, 6112, 6113, and 9875.
That's right, you have to open the ports, inbound and outbound without any limitation by address! "Sure I've got a hardware firewall, except that if you scan these ports you can reach a closed source server written by security numbskulls running on my daughter's PC..."
Long faces all round in the U household.
But it's actually OK. All it really seems to need is those ports open outbound, and it runs fine, with the NMAAJSD playing the mini games to her heart's content.
And that's the reply I expected to get when I opened the reply to my support enquiry. I'd asked for the server addresses so I could limit the inbound traffic. What I got was a different list of ports (843, 9875, 6112, 3724, 6113 and 9339) with no reference to my questions about direction or limitation. This is software that's intended to be safe for children.
Nice try Walt. But Mad Aggy's happy, and that's what matters.


ProxySG Appliance Event 3E0003

Here are some messages you don't want to see:

I don't know what Mal/Badsrc-[AC] are -- Sophos are vague -- but I don't want to see them on Citrix.com and the BBC. If this is a sign that the malware distributors are moving up from the loweapline.com and the nla.co.uk, we may possibly all be in big trouble.


Spam Counter - 2008 June: 1,379

A lot of clothes and watches. Somebody is running some excellent UK bank phishing -- caught one of our senior managers.


Auran Trainz 2006 without being an Administrator

It's not hard. As an admin:

  1. Install in the normal way. Get it working with the graphics settings etc. DirectX 9 works for me, and OpenGL doesn't.
  2. Run these commands as an admin:
    cd \Program Files\Auran
    cacls * /T /E /G Users:F
    (/E edits the existing ACLs instead of replacing them, so Administrators and SYSTEM keep their entries; without it, cacls /G throws the old ACL away. Full control for Users does mean any local user can overwrite the game's binaries, so on a shared machine consider granting it only on the directories the game writes to.)
  3. Run Regedit and navigate to HKLM\Software\Auran. Right-click on Auran and select Permissions.
  4. Select Users and check the box marked full control
Done! Any user can run and save settings.


Grepping the IE cache

I had to do an investigation the other week. I'm not an investigator and so naturally I screwed up. Here's what I learned.

Complaint was that some abusive hotmail-sent mail had arrived quoting the outside address of our firewall. After a bit of to-ing and fro-ing, I was allowed to see the headers, and that told me a good deal:

  • Hotmail does indeed quote an originating IP in the header. Who knew?

  • The earliest relay in a hotmail relay list is a name like bay99fd.bay99.hotmail.msn.com. Any hotmail user knows that the bay appears in the URL on the hotmail home page and throughout the user interface. And for any particular account, that bay number is fixed.

  • Timezones were going to be a problem. We were in local DST, the victim's mail infrastructure was in their DST and four hours behind, his MUA was working in another zone still and a lot of the Hotmail infrastructure is on Pacific time. Still, given headers, I could convert everything to UTC easily enough.

OK. Time to see if we can knock this out in a single step and get back to proper work. The log appliance has been gathering proxy logs all year. We're a pretty relaxed site and I've not been asked to report on usage of a named site before, so I have to code up a report with wildcards for client IP, domain-name and the page name. A bit of experimenting gives me a report of access to that Hotmail bay.

Now this is the first place a real investigator would have done it differently: First step should have been a summary report of all the users of the bay over the last three months. That might have been enough to get HR off my back. As it was, I spent a week dipping in and out of the proxy logs data to look at alternatives as the mails emerged from the complaining firm.

That initial set of headers fingered a single user. I could only see two users of the bay, and at the right time only one of them was active. And guess what? Within the two-minute precision of the log upload batch, he used pages on the bay called "compose" and "premail". A bit of experimenting with my own hotmail showed that that is the characteristic signature of sending Hotmail.

This is the second point I did the wrong thing. I've got a budget for investigations and I should have used it. For UKL 1,000 + expenses and VAT, Kroll Ontrack (it used to be Vogon) will send a midnight engineer to take a swearable image of a workstation hard disk, leaving you with a handy USB disk copy for your own investigation and the user none the wiser. I was focussed on our local, more rough and ready process, which was a bit too public for HR. It wasn't a total screw-up though. I'd only looked at proxy logs through a read only interface -- I knew enough not to touch the workstation, and so the purity of its evidential status was preserved, even though the Internet cache timeout was ebbing away.

Part of the delay was at the far end. HR can't and won't do anything on a complaint like this without the offending text, and the complainer was a bit coy. HR's reason is good: it might not be offensive in our context. Still, I thought it was a bit silly -- the headers showed that the hotmail address was obviously a real name, and not the name of our user, and he is, or was, a regulated person.

In the middle of that argument, I got a second set of headers for a much more recent mail. Same accounts, same bay, same user matches.

It all went a bit off course at that point. What I got next were not proper headers with that incriminating source IP and lovely times plainly referred to UTC. It was the nesting of headers in the body of a reply/forward dialogue, and the "on" times there are converted into the time of whoever received the mail. By that time, I was so focussed on matching the time to activity on the proxies that I set to work trying to infer the timezone of each recipient and reconstruct the offender's side of the dialogue. A proper investigator would have realised that this exercise was difficult enough to produce uncertain results, and insisted on headers or nothing. As it was, I made mistakes and spent a lot of time wondering how the original mail could have been sent when our target definitely was busy and wasn't on Hotmail. I went as far as trying to rope in the other user of the bay as an accomplice -- that didn't work either. Looking at the times again, I can see my mistake: it wasn't five PM but seven, and the mail was sent from home.

I'm not privy to the discussion that went on in the business. It's called reputational risk and I guess we were asking the board to trade a reputational compromise with a non-customer against possibly losing an expensively-hired fund manager and telling his customers that their money had been in the hands of a stupid person with weak morals. Glad I don't have to make that choice, but they did the right thing and I was told off to get the dirt.

The Kroll visit was simplicity itself, mainly because I didn't have to stay up all night -- the HR guy did that!

Lunchtime next day I got an urgent package with a 40GB USB hard disk which mounted first time on my non-build laptop. That was another mistake -- if I'd used a Linux laptop, or a regedit fix, I could have controlled the mount to be read only. It didn't really matter as the forensic copy is on Kroll's servers -- the supplied disk is just a playpen. The idea is that you hunt around any way you like, but any defence witnesses or advisers can still work with a guaranteed untouched copy.

This is important -- a lesson I learnt long ago. Never give in to the temptation to take a quick look at a workstation via the admin shares or however. Unless you are collecting them automatically, don't even look at the event logs. Right at the beginning of any question, figure out -- ask -- if there's any possibility that anyone will be held to account for what you uncover. Consider whether (for example) you could work from restores, or with a reporting tool. Tell your interlocutor that if it's possibly going to get as far as swearing evidence, you are less likely to be overturned if you work throughout with a trained investigator.

If you really have no choice, make sure you get a cryptographically secure hash of each and every file you access. Make it clear in your notes that you obtained the hash before looking at the file. Print the hash out, note the time it was obtained, sign it and date it. Make sure that the file you keep will generate the hash you print. That way you can swear that it was that way when you found it.

However. I had a scratch copy of a workstation disk and I could do what I liked. There are tools for this sort of thing and I ain't got aught of 'em. Not necessary at my level. You can download an excellent Windows grep from the FSF and anything else is overkill. Remember to put the GNUWin32\bin directory in the path.

With the disk mounted, you'll find the IE cache is at (name changed to incriminate the innocent)

\Documents and Settings\umacf24\Local Settings\Temporary Internet Files\Content.IE5

Make your way there in the command line and issue a carefully chosen grep:

grep -irl madeupname@hotmail.com *

will search for the address in all the cached files in that directory. That matters because hotmail puts the logged on account on every page, so you can see right away whether the user has actually been active on that account -- the one thing the proxy logs can't give you. Those options mean: -i, case insensitive; -l, list only the names of the matching files (the content isn't much use as text); and -r, recurse down the subdirectories.
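The two steps above -- hash every file before you look at it, then search the cache for the account name -- as an added example rather than anything from the original post (the author used GNU grep from the command line). It uses a constructed miniature of Content.IE5 in a temporary directory and the post's placeholder address; the file names and page contents are made up.

```python
# Added example: hash-first manifest, then the cached-page search the post
# does with "grep -irl". Constructed stand-in data; not the author's tooling.
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ACCOUNT = "madeupname@hotmail.com"  # placeholder address used in the post


def build_manifest(root, manifest_path):
    """Hash every file under root before any of it is examined for content.

    Writes "<sha256>  <relative path>" lines headed by the UTC time taken, so the
    printed, signed copy the post recommends can be reproduced from the kept files.
    Returns the list of (relative path, hex digest) pairs.
    """
    root = Path(root)
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            entries.append((p.relative_to(root).as_posix(),
                            hashlib.sha256(p.read_bytes()).hexdigest()))
    taken = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(manifest_path, "w", encoding="utf-8") as f:
        f.write(f"# sha256 manifest taken {taken}\n")
        for rel, digest in entries:
            f.write(f"{digest}  {rel}\n")
    return entries


def verify_manifest(root, manifest_path):
    """Recompute every hash; return the relative paths that no longer match
    (altered or missing). An empty list means the copy is as it was hashed."""
    root = Path(root)
    changed = []
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            if line.startswith("#"):
                continue
            digest, rel = line.rstrip("\n").split("  ", 1)
            p = root / rel
            if not p.is_file() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
                changed.append(rel)
    return changed


def find_account_pages(root, account):
    """Equivalent of `grep -irl account *` over the cache: files whose bytes
    contain the address in any case. Byte matching, because cached pages are
    not reliably clean text."""
    root = Path(root)
    needle = account.lower().encode()
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*")
                  if p.is_file() and needle in p.read_bytes().lower())


def demo():
    """Constructed miniature of Content.IE5: two cache folders, three pages.
    Returns the search hits, the clean verification result, and what
    verification reports after one page is deliberately altered."""
    case = Path(tempfile.mkdtemp(prefix="case_"))
    cache = case / "Content.IE5"
    pages = {  # made-up cache entries; the real names are mangled by IE
        "AB12CD34/compose[1].htm": b"<html>Signed in: MadeUpName@hotmail.com compose</html>",
        "AB12CD34/getmsg[1].htm": b"<html>Signed in: someone.else@hotmail.com</html>",
        "EF56GH78/premail[1].htm": b"<html>madeupname@HOTMAIL.COM premail</html>",
    }
    for rel, body in pages.items():
        path = cache / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    manifest = case / "manifest.txt"          # kept outside the hashed tree
    build_manifest(cache, manifest)           # hashes first ...
    hits = find_account_pages(cache, ACCOUNT)  # ... then look
    clean = verify_manifest(cache, manifest)
    (cache / "AB12CD34/getmsg[1].htm").write_bytes(b"edited")  # simulate a touched file
    tampered = verify_manifest(cache, manifest)
    return {"hits": hits, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```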

I was surprised to find that the IE cache went back a lot further than I expected. It looks as if the "retain for n days" setting only takes effect if space is tight -- this man's cache went back months.

Now the beauty of the IE cache compared to Firefox is that there's no complicated database format. The files cached are the files downloaded. Names are modified, and there's a directory structure to avoid having one huge folder, but the pages can be displayed in the browser. I have an account which doesn't have Internet access, so using that account, I just started IE and browsed to the appropriate files. It was one of my happier moments to see a hotmail folder listing -- looking a bit dodgy, admittedly -- listing times and subjects of the complained-of emails. Access to compose pages actually gave me content of mails which the complaining party had been reluctant to reveal. I gather that the colour prints of those pages were particularly unsettling when the confrontation occurred.

I can't write a story like this without a few lessons.

  • Serious investigation would have been overkill. We didn't need deleted files, we didn't need to search for concealed media or executable content. It was just those emails.

  • Think. Of course he was doing it from home.

  • Ask for what you need. I needed headers.

  • Don't be afraid to search a PC. I've bought an imaging machine so we can do our own. I could have got those unarguable Hotmail reconstructions much earlier and saved a lot of time.

  • You want to keep proxy logs for ever. The depth of context is invaluable when you need to do a lot of learning about what your users get up to.
  • Remember that users can't protect themselves. Using gmail over SSL would have made this offence effectively uninvestigatable without bugging his PC. But who knows that?

Good luck to you


Spam Counter - 2008 May: 1,701

Penis pills, with a sprinkling of fake watches.


Martian Geography

Not a security story, but the Americans have got their lander down on Mars. Is it just me, or do they have much more success with rocket-assisted soft landings than balloons and inflatables and parachutes etc... Anyway there's a photograph back and if I recall school geography, those are permafrost hexagons all the way to the horizon. They've found the water they came for.


Slave to the Rhythm

Slightly disconcerting moment this morning when I realised that I was striding across London Bridge precisely in time with Sophie Ellis Bextor on my music player.
How gay is that?
Still, I suppose I should be grateful -- it might have been Kylie.


Two Observations

  1. A sad little entry for change control at the meeting last week: ZWD the Zimbabwe dollar is now so close to worthless that the calculations overflow. Remove from the forex universe. No impact expected.
  2. The may is at its peak. The madder thorns are now iced with a continuous white crust. As quickly as it came it'll be gone....


Himmler Murder Memos in the NRO

This story in today's FT magazine is interesting in its own right, but it makes a good security story as well:

  1. Don't despise paper. Everyone quoted in the fake memos is dead, the empire they served is one with Nineveh and Tyre, and the record-keeping system was obviously not designed to detect this fraud, but the fakes can still be totally discredited. There is no shadow of a doubt that those notes are inauthentic, and the rest of the bundles they came from are real. What's the IT angle? Well, consider what you can prove with a signed page of printed hashes....
  2. The sideband rules. Laser printing on a document that purports to be twenty years older than xerography. Every suspect document having the file hole torn. These circumstances talk directly to the investigator.
  3. Listen to the language. The public school types who ran the war didn't talk like that and they certainly didn't write like that.
  4. Keep access records. One man only, ever, was recorded as accessing all those bundles....
  5. And of course, follow the motive. He wrote a sensational book...


Spam Counter - 2008 April: 2,123

Penis, pharmacy and watches, with a scattering of software and phishing. I was particularly encouraged by "She Will Squirt with Joy"...


Wasted Time

I spent some time going through the security morning checks with Internal Audit.

Report on event logs every morning, examined every morning, security incidents found in three years: none. Firewall traffic logs, examined ad-hoc over four elapsed years, security incidents found: one - an agobot infection on a bad build.

Hours wasted -- hundreds.

We're doing the wrong thing.

What's the right thing? There's too much novelty and too few admins in our network for IDS to be worthwhile. Just retain the logs but stop looking for trouble? The trick will be to do that, but keep looking responsible.


The woods are full of bluebells, and sunrise showers make elegantly decorated skies. Beech buds on the front hedge have just broken.



I still mull over the wasted capacity of the paddocks to grow woodchip and the shanty town to store it. But a woodchip boiler is a big investment and while I suspect the prices won't come down, the features ought to improve as they become more common.

I need a reason to start planting willow coppice now, so I'm running an experiment. Every year I cut down the mass of decorative dogwood that the previous owner liked to contrast with the birches. She may have been right -- she certainly demonstrated that cornus does well here. This year, instead of burning the switches, I've shredded them to get a cubic metre or so of brightly coloured woodchip. It's sitting in a basket made of old wire fireguards, drying off, I hope, in the woodshed. Provided they don't ferment, and they don't seem to be doing that, I'm going to try them in the woodburner to see how they do.

[3 May -- Yes they are fermenting. Arses.]

The most likely outcome, I suppose, is that they'll have failed to dry, or they'll suffocate the fire. But the next most likely is that I've got two hundred pounds of low-grade firewood essentially for free, and that's going to have me sticking in willow slips in the wet part of next winter....


Nationwide Token Delivery

Huge excitement when Mrs U received a smartcard reader for her Nationwide online banking. (OK -- I was excited, and that'll do for the purposes of this post.) It's cheap and nasty -- made in PRC -- and she doesn't have much money in that account , so it looks like an all-customers rollout. I hope it's the proper APACS EMV style job that'll work on any UK payment smartcard. It would be too depressing if they fucked this up with proprietary gimmicks.

I'm really impressed by the potential of the smartcard+disconnected reader combo. It really opens up potential to use the same token -- the card -- for authentication on the PCs (directly with attached USB card readers), authentication on the SSL VPN with untrusted clients (no drivers needed with a disconnected reader and an OTP app on the card), and a building pass with HID coils built into the card. When I'm back at work, I hope to have some integrators lined up to show me what they can do.


Safe vs Free

As vanity/personal sites go, Things of Interest is one of the best. There's a lot of interesting things -- simple but sometimes provocative and robustly logical. Presenting Arguably the most important question of the decade as a poll -- Would you rather be "Safe" or "Free"? is in that style.

As a man I wanted to select "Free", but as a father, I wanted "Safe". But really I knew that the poll was wrong. Here's a mockup of my version.

Which would you rather be: Safe [1] or Free?

[1] Please note that preferring safety to freedom will not make you safer. However the corresponding loss of freedom will be delivered promptly and reliably.

Mind you. It's probably too late for "Free", as well.


Microsoft Abandons AD Shock!

The Microsoft Dynamics CRM product is probably on the shortlist for every greenfield CRM implementation. It's on ours simply because we've slipped a couple of versions in our existing system.

It's no surprise. The system, developed entirely internally by Microsoft, is a showcase for the options available for .net applications: SQL, IIS, Async, Workflow and the rest. It's a modern architecture and I think it would be fair to say that this is how MS expect applications to be built now. Which means that it also contains a really good joke.

Remember Active Directory? I do, in fact I'm pretty sure it was going to be at the heart of the modern enterprise. What that means is a question for another time, what's clear for now is that Microsoft doesn't believe it any more. Dynamics CRM 4.0 barely touches the AD after the user has authenticated. All the access control, all of the organisational structure is built entirely in the application data structures. Domain groups? We've heard of them!

I asked whether this put the DBAs into an access control role we've tried to limit to the helpdesk. The answer was a peach: the data are very normal, but none the less too complicated to edit by hand. And the DBAs won't have the access anyway...

Goodbye AD. Goodbye ACLs. Goodbye integrated access control. I never really believed, but for a while I did hope.


Blue Flash

Here's a fine end to a long slog. I've just started a couple of weeks off and walking home on Friday, just as I crossed the river, I saw a flash of blue zipping along under the bridge a foot above the water.

I'd never seen a kingfisher before, but I have now.

Mind you -- just in case it all seems too springy -- it's snowing thickly today, and there's more promised.


Time Based Rant

My Blackberry 8800 is a handy little device. It's subscribed to a UK GSM network (the UK networks all have reliable GSM time) and it's a GPS receiver (of course GPS is all about time to the microsecond).

So why does the clock displayed on the front drift four or five seconds in a day?



Busy March

Why so many posts in March? Simple -- Mrs U is spending my bonus on builders and I'm sleeping next to the attic computer. Easy to post.


Spam Counter - 2008 March: 2,748

Replica Rolex, Gucci/Prada, penis drugs, gambling, diets and some rubbish phishing. That last is interesting as I've been seeing some very good quality spam directed at Google Adword customers.

Lust for Life in the Hedgerow

The willow benders I wove along the top of the lay are flowering in one last effort. They'll die as the wands dry out.

And Mrs U found a fine toad -- moist and warm -- waiting for insects to attack the lambs lettuce in the greenhouse.


Last Logon Time

I have discovered a fascinating little gobbet of truth about the Active Directory 2003 records of the time users last logged on. The summary is this:

  • The Last Logon attribute tells us nothing useful. It's the time the user last logged on to the domain controller the query was run on. So if you run the query on a DC that doesn't do much authentication, you'll wonder why no-one has been logging on lately. Ignore this attribute unless you are gathering records from all DCs and selecting the latest...
  • The Last Logon Timestamp is different. It's the time the user last logged on to any DC in the domain. Aha! Problem solved? Sort of -- because the attribute is replicated across the domain, you'll get the same answer, give or take replication time, regardless of the DC you query. The only little fly in the ointment, leaching dark fluids and tainted chitinaceous fragments into the smooth white emulsion, is that replication time. It's not a minute. Or an hour or a day or a week. It's a fortnight.

So the proper interpretation of this field is something like this:

  • Blank: If the user has ever logged on, they must have done it in the last 14 days. Or perhaps they never have.
  • Date: The user definitely logged on on that date, and may have logged on any time up to 14 days after.
In practical terms, that means your script purging not-used-lately or totally-unused accounts can't delete an account on the basis of a blank Last Logon Timestamp. If you want to delete accounts that have never been logged on, you'll have to find another way.
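The interpretation above, turned into a purge decision, as an added example that is not the author's script. It assumes the two attributes arrive as the raw LDAP integers (Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC, 0 for blank), takes the replication window to be the fortnight in the post, and the 90-day "unused" rule is made up for illustration.

```python
# Added example (not the author's): the post's reading of the two AD
# last-logon attributes turned into a bounded answer and a purge decision.
# Assumed: raw LDAP integer values (FILETIME, 0 = blank); 14-day replication
# window from the post; the 90-day rule is illustrative only.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
REPLICATION_LAG = timedelta(days=14)  # the fortnight from the post


def filetime_to_datetime(raw):
    """0 or None means the attribute is blank."""
    if not raw:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=raw // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_days_before(now, days):
    """Constructed sample value: a FILETIME 'days' days before 'now'."""
    return datetime_to_filetime(now - timedelta(days=days))


def sample_now():
    """Constructed 'today' so results are reproducible."""
    return datetime(2008, 3, 20, tzinfo=timezone.utc)


def latest_across_dcs(last_logon_by_dc):
    """lastLogon is unreplicated, so one DC's value says nothing on its own;
    only the maximum over every DC is the real last logon. Input: {dc: raw}."""
    times = [filetime_to_datetime(v) for v in last_logon_by_dc.values()]
    times = [t for t in times if t is not None]
    return max(times) if times else None


def interpret_timestamp(raw_ts, now):
    """Bounds on the true last logon from lastLogonTimestamp alone.

    Returns (earliest, latest, definite). Blank: never logged on, or logged on
    inside the replication window, so earliest is unknown and nothing is
    definite. A date: a definite logon then, and possibly any time up to 14
    days later (capped at now).
    """
    stamped = filetime_to_datetime(raw_ts)
    if stamped is None:
        return (None, now, False)
    return (stamped, min(stamped + REPLICATION_LAG, now), True)


def safe_to_purge(raw_ts, now, unused_for=timedelta(days=90)):
    """Purge only when even the latest possible logon is older than the rule.
    A blank timestamp never qualifies: it cannot be read as 'never used'."""
    earliest, latest, definite = interpret_timestamp(raw_ts, now)
    return definite and latest < now - unused_for


if __name__ == "__main__":
    now = sample_now()
    samples = {"blank": 0, "95 days ago": filetime_days_before(now, 95),
               "110 days ago": filetime_days_before(now, 110)}
    for label, raw in samples.items():
        print(label, interpret_timestamp(raw, now), "purge:", safe_to_purge(raw, now))
```

A stamp 95 days old is not purgeable under a 90-day rule, because the real last logon could be as recent as 81 days ago; only at 110 days is the latest possibility (96 days) safely past the line.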


Sir Arthur C. Clarke

His death is the important news today. Rumours about bank liquidity are secondary.


Spam's Back (If it was ever away)

Google Mail has a spam detector that works pretty well for my purposes. All the spam that comes in gets purged into a separate folder and there it is in the folder list on the left: "Spam -- 900 unread". Of course, it doesn't mount up for ever: Google purges everything older than thirty days.

What this gives is a rather sensitive spammeter. Changes in the number of messages in my spam folder ought to track the amount of spam on the internet in the last thirty days.

The news is bad. Before Christmas, the level had been declining gently, down to 900-odd. The last time I looked it was at 2,350.

The reason it's worse than doubled is pretty clear. All of the subtly dissected images from last year's stock pumps have gone -- everything now is a mildly suggestive subject and a penis-pill link. Easy to send, easy to multiply, and with a spoofed address it looks just like "Mail this story to a friend" traffic, so it's devilishly hard to spot.


Autistic Happiness

Ours is the first age where autistic children can be happy.

It's because we have Google and youtube. Google is good -- it searches, and if you've got a special interest a search engine is part of what you need.

Youtube goes a little further. For certain we have the train videos posted by all the sainted spotters who have made the more mad son contented, stimulated and entertained from a nice safe indoor seat. That's very good. We have the Thomas videos -- very naughty, very welcome -- which have come back into his life now he's starting to get a glimmering of relationships and consequences. It goes further than that.

This picture shows why. It's the logo you'll find in the front of a lot of Thomas tapes from the eighties and nineties. Others are Strand and VCi. So it's no surprise I grabbed it off a youtube post.

What is a surprise is that this isn't the opening frames of a pirate post. It's from VCI Backwards, one of dozens of posts composed from these publishers' logos. No content, just the logos and jingles, forward, backwards, foreign variants, compilations and the Dear knows what else.

And they're popular! VCI Backwards shows 31,000 viewings. My thesis is that the vast majority of those viewings are from ASD boys who have found whatever spark of interest lies in collection and comparison of these snippets.

Certainly Ravy D's a fan. He won't know to post fan art so I'm doing it for him: this is his interpretation -- perhaps tribute is a truer word -- of The Video Collection.

The original was created in Windows Paint as a 1.7MB BMP. This extract -- a 6KB GIF -- includes all the non-white content and was prepared in Irfanview.


Cider Outcomes

Well, the cider took. The mostly-Bramley fermented nicely to produce a splendid but very strong and tart drink by Christmas. The brew from the mostly-Spartan was slow to start and hasn't conditioned as well, and is indeed rather bland but just as strong and it softens the Bramley rather well. They're both still improving and drink very nicely in a fifty fifty blend in the glass.

Key point one seems to be that a pressure barrel is well worth the expense. Neither brew is as good after going flat in the fridge. And the second is that fining doesn't seem to make much difference -- it threw a lot of sediment but it was still cloudy. The unfined Bramley brew is probably the clearer of the two now.

The truly shocking thing is how much the supermarket bill has gone down after I started drinking homebrew. That decline in revenue is probably why Alastair had to put the booze tax up in the budget.


Terrorist Spies

I found out whether I believe in evil terrorists reconnoitring for their next target.

Rather to my surprise, it appears that I do.

At 06:50 I saw a clean-looking man in a hi-vis vest photographing an iconic tower, leaning back to get the upper parts in. After a few shots he hopped into a clean-looking, unmarked refuse lorry waiting at the curb and his mate drove him away. The photograph, the building just didn't hang together with the refuse lorry, and everything was really much too clean, so I noted the number of the lorry, and when I got to work, I wrote it all down.

I wasn't too happy with claiming that it was a terrorist planning exercise, though, so I tried it on a few people to see how it sounded. But I couldn't persuade myself it was even slightly normal and so I dropped it on the Met's reporting site.

Am I perhaps an hysterical old bat?


Messages from the Divine are Ever Clouded in Mystery

Last week I laid a fleece before the Lord. I washed the worst of the mud off my boots and determined that if they stayed clean, I could conclude that winter is over. That's important -- I look pretty eccentric commuting in boots -- I'd rather wear my regular shoes.

This week my boots are cleaner than ever. But the reason is that I've been wading through vast pools of standing water from the storms. The fleece is dry, but my shoes would be very wet indeed.

So what's the message? Simple: God is cleverer than me.


This Job is Weirding Me Right Up

I was sitting next to a man on the train and noticed that he was looking at porn photos on his telephone. I didn't think "Blimey, that's a bit much on the train!" I didn't think "I wonder if that's his missus." I didn't even think "Ooh gissa look!"

No. The first thing in my head was: "I hope that's not a work phone."



It's trying so hard. Hedging is over -- the first buds broke on the hawthorn three weeks ago, but they haven't done much since. The bees in the new hazel coppice are out looking for catkins in warm sun, but I daren't open them up for a look. I've tidied up the woodshed, but there's still a stream of logs going indoors.

All I can do is wait. I don't mind -- it's just so exciting.


Pick Any Two

There is the famous security story of the honest consultant offering a system to a client: He asks them to pick any two from

  • Cheap,
  • User-friendly, and
  • Secure
Reading the news today, I saw the latest idiot scheme to put every child on a secure government database, and I realised that it's the same thing.

"Secure Government Database?"

Pick any two.



Clear skies left yesterday afternoon much warmer than the morning. But this morning I was crackling through frost again -- except for a moment: as I crossed the river I felt a waft of heat and my glasses misted over.


The end of the World

I think there are currently two ways for mad scientists to destroy the world.

  1. The new accelerator at CERN has a sort of chance of creating quantum black holes, depending apparently on how tightly the insensible dimensions are rolled up. Good looking theory says that they should evaporate in a tiny gamma burst, but no-one can be sure how relativity works at that scale. If they don't evaporate, they will fall to the earth's core and then consume the whole planet. The first few atoms might take a while, but after that, they'll be unstoppable.
  2. Craig Venter's team expect to be loading their carefully written DNA into a cell this year. If they cock up and build a replicator, there's no easy telling what it'll manage.
In the past, the best bet was fusion bomb tests: could they ignite light elements in the planet's crust? Well, no, as it happened, and I guess we'll be all right with these two, too.


Be Careful What You Wish For

Five years ago, I was effectively unemployed, failing to keep on top of the household jobs, and wishing I was riding on the commuter trains going past.

This evening, long after I should have been back, I was sitting on a commuter train wishing I was at home.



I was cutting down the hedge in front of the house today. Quite heavy work, a little sawing through the beech trunks, but mostly figuring out how to use the loppers to undo the tangle and pull out the heavy brushings.

Every Sunday walker that came along the lane had the same piece of advice: "That's a heavy job -- you need a chainsaw."

Now I'm a power tool enthusiast -- in the right place -- and I know a professional hedger would automatically use a power saw. But why on earth would anyone imagine that a middle-aged, middle-grade bank operative with almost no training or experience would do better with a chainsaw than with the bowsaws I've been using since I was a child?


It's not easy running a website

I think I have this right: There are currently two large-scale ways in which you can have lost control of your website.

Either way, you won't know about it until the customers are complaining.


Secrecy Preserving Protocol

From the Metro 2008-1-15:

.... he claimed a mystery royal had warned that Princess Diana's intimate conversations might be bugged. In a bid to protect the person's identity, Mr Burrell insisted on writing the name on a piece of paper and passing it to the coroner. Lord Scott-Baker then revealed three members of the family not named -- the Queen, the Duke of Edinburgh and the Duchess of York....

Nice balance.


Pain Allergy

I didn't do any hedging today. Last Sunday I was tidying up a monster hawthorn stool and a branch whacked me in the head, leaving me with a dirty great big thorn stuck in my scalp.

It didn't infect, but my inability to remove it -- I couldn't see it -- resulted in a sequence of increasingly desperate requests for help as the lump went down and the splinter made itself increasingly uncomfortable. It ended in the Barts Minor Injuries unit with a nurse on each side of the couch each pressing hard on her side of the lump while one of them used a free hand to wield the forceps.

Some people would pay for that, but for me, before I go back, I'm getting one of these. In the mean time, I had a happy day trying out my new compressor.

Pollen Allergy (The Attack of the Online Florists)

I was talking at the helpdesk team meeting about safe browsing yesterday. I went round the table asking for guesses about the site category that caused the most virus blocks this week. All the usual categories came up: social networking, webmail, blogs and one wag offered the BBC. All good tries except the last, and all wrong.

The real answer was online florists.

Well, that was my route into saying that no site is really safe, (in fact it's a really good security story) and that's why I was going to have another review of their privilege, but I didn't really give it the thought it deserved.

Happily, Mary Landesman has. But I wish she had been able to figure out what was going on.

UPDATED 16/1/2008

It's being reported that all these sites were on Fasthosts when they had that mass site admin password reset in October (and then waited till December to enforce it). Looks as if the malware dropped at that time was left quiescent until last week which makes this a really good security story: Hackers are willing to wait, and there really is no logical end to the consequences of a root compromise.