If you tell enough stories, perhaps the moral will show up.

2007-04-06

New URL

The new URL makes much more sense. I doubt I've inconvenienced anyone, but if I have, I'm sorry, and thank you for finding your way here.

2007-04-03

Obligatory Tribute to Homer Simpson

Just back from three days in a caravan on the Isle of Grain. Literally three days -- I slept at home, commuting with Comedy Dave and the dog, neither of whom were really happy with the caravan concept.

The spookily-named Allhallows Camp is great for bike-mad boys, even if they are a bit iffy about brakes. And the more mad son is very iffy on the brakes -- or at least that's a much more palatable theory than accepting that he's played too much "The Simpsons Hit and Run". Of course, when he runs into an occupied, parked van, and then sidesteps the inevitable argument with the Homer collision soundbite from the game: "Ow! My neck!" you have to wonder.

2007-03-27

Desperate for a Wii

(This is my entry for "most puerile reference to a Nintendo gaming console 2007".)

Now that the less mad son's eagerly desired birthday present has arrived from a reputable supplier (gamestation) I feel that it won't be tempting fate to describe what happens when you try and order from some other suppliers.

About ten days ago, Mrs U was desperately looking for a Wii. It launched months ago -- how could it possibly be in short supply now? The LMS was on a promise but there were none to be found with a fixed delivery date anywhere in the UK. Until she came across a site that magically was promising a five day delivery. Just time! So she shopped, waved her credit card, and waited.

No confirmation email: that's odd. Five days later, no Wii: that's a nightmare. Check the bank account: £2,500 debited by a restaurant in Surrey. Oooh.

Now I'm not naming the site because it's just possible that the cause of the trouble is actually this. But I don't think so.

The point of this sad story is that Mrs U is a competent shopper and a competent security consumer. She declines to speak to the bank when they ring her up and ask her to confirm her identity. She knows what the padlock means. But as soon as she was a little bit needy, she was willing to deal with a site she'd never used before without doing the research that would have shown the slagging it got on Yahoo Answers; she was willing to ignore the absence of a phone number; and she clicked straight through the warning from the self-signed certificate on a "commerce" site hosted the Dear knows where. Education and common sense swept aside by need and the "experience" of good shopping outcomes in the past.

It's worse for the restaurant: they've accepted a bad card without a PIN, and that'll mean a monster chargeback straight off their margin. Grief all round.

Education is supposed to be the key security tool, but it seems to me that the only education that works is to screw up.

2007-03-26

Going to Work in the Dark Again

You don't have to work with audit logs to be a GMT bigot. But it helps.

2007-03-24

Limited User? Limited programmer if you ask me.

Less mad son's birthday and the Wii hasn't turned up, so I had to fall back on an old promise to install Steam and pay for a copy of Garry's Mod. Whatever that is.

What it is, is an easy install, together with -- in Steam -- the crappiest LUA (limited user account) bug ever. Obviously it needs to be installed as an admin, and equally obviously, after a deplorable spyware incident, the less mad son is not an admin. So I installed it myself, tested, and then we flipped over to his account to run it there. To cut a long story short, to run Steam as a non-admin all you have to do is make sure that BUILTIN\Users have read-write permission from the install directory (\Program Files\Steam) on down. That's a bit of a palaver on XP Home, as it's hard to get the security tab to show, and I ended up going nuclear with a copy of subinacl, but conceptually it's the simplest possible LUA bug: the installer doesn't bother to set the right permissions. (Be clear about what the workaround costs you, though: once Users can write under \Program Files\Steam, any user on the box can replace the binaries that every other user, admin included, will run from there. The fault is the installer's, and the workaround is a trade-off, not a fix.)

I'm not a bigot. Steam runs on Linux as well, so I can see that creating local application settings might not be the right thing to do. But I don't think it was too much to ask the testers to check that files shared among users were permissioned to BUILTIN\Users. Not to BUILTIN\Administrators.

In my opinion, programmers who test code using administrator accounts should never be admins again.

Still, at least Steam is free. Matlab costs £2-12K depending on what you buy, and our unfortunate application packager is going to have to spend days figuring out what part of the machine registry it's writing user settings to before I will sign it off for use in the firm. Slimy negligent gouging incompetents.

2007-02-24

Trees from Whips

The last thing I did before I was locked up was plant some fresh ash whips. I smeared off the lower buds, stuck them eight or ten inches in, wrapped rabbit guards round, and bundled in threes in the hope that one will grow. I've tried hazel in some hedges and they look like they're going to break out, so we'll see.

Hospital Protocols

I spent last week in hospital with an infected joint; I've had to find out about StickyKeys, and I'm using the mouse wrong-handed. I didn't feel ill, I just had to be around for regular surgery and IV penicillin, so there was a lot of time to kill with no desk, no computer, no Internet and one or two compromised hands (you can't read when your hands hurt and you haven't got a desk).

Better people than I am would have done something useful with all this time. I just wished it was finished. But I saw a lot of security protocols:

  • When you are prepped for a local anaesthetic, it's the same as for general: eight hours starvation. For why? So you can conveniently be put right under when it all goes tits.
  • Every single person who planned to do anything substantial at all asked me whether I was allergic to anything. Every time. I was the second longest term resident on the ward at the end, and the nurse who'd infused the same prescription all week still asked the same question every time.
  • Everybody asks your name and date of birth, and then checks the band on your wrist. Every time.
I got pretty sick of this and I was brewing up some smart answers. Until the porters turned up to collect the appendectomy next to me. He was starving and ready to go. They asked his name. Wrong guy. I love security protocols.

2007-02-11

Light Feet on the Drive

OK -- the scenario is that you really, really want to know what's on a Windows workstation hard drive -- you plan to look in the IE cache, system logs, registry, SAM, etc. You can't/won't be arsed to image it and work on the image and you are not going to take this rather urgent moment to learn about excellent Linux based tools. But you do want to take all reasonable precautions. (What's reasonable? I'm less sure than I was after reading this document. It's a normally reliable source, but the example scenario contains an eyepopping amount of work on a live system. Maybe evidence rules are different in the States. My approach is to kill the disk and only ever read from it.) Here's the plan.

  1. Prepare an investigation machine. You need a computer with Internet access where you can work privately. You also need a USB disk housing that will fit the disk in question. Maplin do an IDE/SATA for 3 1/2 inch disks, while 2 1/2 inch laptop disks still seem to be small format IDE and there are lots of housings for those. Since we really don't want to write to the evidence disk, run the Read Only registry file below, and test that you can't write to a scratch USB device. Load tweakui (Microsoft Powertoys) and make sure that you're not set to autoplay anywhere to reduce the risk of malwaring your investigation machine.
  2. Give the job a name. The Remedy number, "2007 02 Hotmail Complaint" -- whatever.
  3. Get a chain of custody log. The idea here is that you have a collection of evidence for the investigation, and as you collect each item, you sign it out and back in when you return it, so that you can swear to where anything was at any future tribunal.
  4. Get a log book. Or open a file, or something, anything where you can write everything down. Computer records are good here as you can paste in log entries and images. Finish each day with next steps so you don't forget, then print the day's record, and sign and date each page. Enter it into your evidence store.
  5. Pull the power on the workstation. Record make model and serial number. Remove the disk, and record the make, model and serial. Put this diskless carcass into your evidence store with a label that says "2007 02 Hotmail Complaint Exhibit A". You shouldn't need to boot it, but you never know. Anyway it's evidence.
  6. The disk is Exhibit B. Log it, and sign it out to yourself. Mount it in the USB housing. Check that you've run readonly.reg on your investigation machine. Plug it in and make sure it comes up on your investigation machine. Don't let it autoplay.
  7. Where you go now is up to you. Check the tools below to look at Windows file contents, and there are others to look at file times.
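Steps 3 and 4 above are really about being able to prove, later, where each exhibit was and who had it. Here is one way to keep that record so it enforces the discipline rather than just describing it. This is an added example, not the post's own script: each exhibit is either in the evidence store or out with one named person, and every entry carries a SHA-256 hash of the entry before it, so a printed, signed copy can be checked afterwards for altered or missing lines. The job name, exhibit labels, serial numbers and people's names are constructed for the demo.

```python
"""Hash-chained chain-of-custody log for a DIY investigation (added example)."""
import hashlib
import json
from datetime import datetime, timezone


class CustodyLog:
    def __init__(self, job: str):
        self.job = job
        self.entries = []   # one dict per event, each linked to the previous by hash
        self.holder = {}    # exhibit -> person who has it, or None when in the store

    def _append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"job": self.job, "seq": len(self.entries) + 1,
                 "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "prev": prev, **fields}
        # Hash the canonical JSON of everything except the hash field itself.
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def register(self, exhibit: str, description: str, serial: str = ""):
        if exhibit in self.holder:
            raise ValueError(f"{exhibit} already registered")
        self.holder[exhibit] = None              # starts life in the evidence store
        return self._append(action="register", exhibit=exhibit,
                            description=description, serial=serial)

    def sign_out(self, exhibit: str, who: str, purpose: str):
        if exhibit not in self.holder:
            raise KeyError(f"{exhibit} is not registered")
        if self.holder[exhibit] is not None:
            raise ValueError(f"{exhibit} is already out with {self.holder[exhibit]}")
        self.holder[exhibit] = who
        return self._append(action="out", exhibit=exhibit, who=who, purpose=purpose)

    def sign_in(self, exhibit: str, who: str):
        if self.holder.get(exhibit) is None:
            raise ValueError(f"{exhibit} is not signed out")
        if self.holder[exhibit] != who:
            raise ValueError(f"{exhibit} is out with {self.holder[exhibit]}, not {who}")
        self.holder[exhibit] = None
        return self._append(action="in", exhibit=exhibit, who=who)

    def where(self, exhibit: str) -> str:
        return self.holder[exhibit] or "evidence store"


def verify(entries) -> bool:
    """Re-walk the chain: sequence numbers, back-links and hashes must all agree."""
    prev = "0" * 64
    for n, e in enumerate(entries, 1):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != n or e["prev"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True


def tamper(entries, seq: int, field: str, value):
    """Copy of a log with one field altered, to show what verify() catches."""
    copy = [dict(e) for e in entries]
    copy[seq - 1][field] = value
    return copy


def demo() -> CustodyLog:
    # Constructed job; nothing here is real.
    log = CustodyLog("2007 02 Hotmail Complaint")
    log.register("Exhibit A", "Workstation carcass, disk removed", serial="WS-0001")
    log.register("Exhibit B", "3.5in IDE disk from Exhibit A", serial="HD-0002")
    log.sign_out("Exhibit B", "J. Investigator", "mount read-only on investigation machine")
    log.sign_in("Exhibit B", "J. Investigator")
    return log


if __name__ == "__main__":
    for e in demo().entries:
        print(e["seq"], e["when"], e["action"], e["exhibit"], e.get("who", ""), e["hash"][:12])
```

Print the entries at the end of each day, sign and date the pages, and the hash on the last line is what you compare against tomorrow's first "prev" value.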
Read Only.reg

Create a file called readonly.reg using Notepad. Save it on your desktop. The file contains just these lines:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001

Double-click on the file and confirm you do want to load the settings. Then test on a scratch USB stick: you should see a "Write Protect" error come up when you try to save something. To get back to read/write you need another file with that last dword set to 00000000. Bear in mind that this is a software block on USB mass-storage devices, enforced by the investigation machine's own driver; it is not a hardware write blocker, so test it every time, before the evidence disk goes anywhere near the machine.

Read Event Log Files

The log files you want will be in d:\windows\system32\config\ assuming d: is where your disk is. Sometimes you can load the .evt files from the subject disk into Event Viewer. I find that it always says they're corrupt though; usually that's because the machine was powered off rather than shut down, so the log header was never updated, and Event Viewer refuses to trust the file. The parser below doesn't care.

So I use ActiveState Perl, add the Parse::EventLog module and a few lines of code to list them out into an easy text format. Here's the code -- you'll want to tweak it.

use strict;
use warnings;
use Parse::EventLog;
$|=1;                         # unbuffered output, so you can watch a big log go past

# Path to the .Evt on the (read-only) evidence disk. Change the drive letter,
# and pick SecEvent, AppEvent or SysEvent as needed.
my $elogfn = 'd:\\windows\\system32\\config\\SecEvent.Evt';
print "Loading Event log: $elogfn ..";
my $elog = Parse::EventLog->new($elogfn);
print "..loaded\n";

# Event IDs to leave out: the noisy ones in an XP/2003 security log
# (560 object open, 576 special privileges assigned, 515 trusted logon
# process registered, 600 process assigned primary token). Tweak to taste.
my %skip = map { $_ => 1 } (560, 576, 515, 600);

# Start at the oldest record and walk forward; the hash is empty at end of log.
my %c = $elog->getOldestEvent();
while (%c)
{
  my $str = '';
  if ($c{Strings})
  {
      $str = join('|', @{$c{Strings}});   # the insertion strings are the interesting bit
      $str =~ s/\t/\\t/g;                  # keep one record per output line
      $str =~ s/  / /g;
  }
  my $evt  = $c{EventID};
  my $time = localtime($c{TimeGenerated}); # investigation machine's zone; use gmtime for GMT

  print "$time: $evt <$str>\n" unless $skip{$evt};
  %c = $elog->getNextEvent();
}

The good bit here, is that this will work from a Linux machine just as well as Windows.

Read Registry and SAM files

The most amazing thing I've learnt recently is that the SAM is in the same format as a registry hive. This means you can use this tool to print out the system registry and the SAM (from d:\windows\system32\config\) as well as user registry from ntuser.dat in the appropriate profile.

You should also be able to use Parse::Win32Registry though I haven't done that. It would work from Linux, too. There's scope for a useful script here, as the SAM is in a desperately unhelpful format.

2007-02-10

Investigate That!

When you have to investigate a PC, there's the ideal approach, and the actual approach.

The ideal approach calls in a firm of investigators -- I use Kroll Ontrack as the successors to Vogon. They send in an engineer to take forensically sound images, and retain them on their systems until they can schedule an investigation to answer some of the basic questions. Two weeks to get there, and then further rounds of questions and answers ending in a report. Meanwhile you have managers wanting answers.

So there's the actual, otherwise known as DIY. Everyone does this sometimes, so here's a few pointers to protect your arse.

1) Give Babylon Her Due.

If this is one of the cases where the police need to be called, then you must do that. You can't be ordered to conceal it by your boss -- your duty as a subject trumps your duty as an employee. Definitely talk it over with a sane advisor who's familiar with the situation, but if it's ugly then you have to give the cops the option. Don't go mental about this: for certain spyware breaches the Computer Misuse Act, but what are the chances of some random piece of spyware originating from someone subject to the Act?

2) Get it Cleared.

You need a pretty explicit memo from your source of arse covering (your boss, HR) saying that the answers are wanted tomorrow, there is definitely no intention to rely on your investigation in any sworn proceedings, and that your advice to go the ideal route is not wanted or not practical in this case.

3) Take Care Anyway.

When you're half way into a DIY investigation and you realise that you are going to have to complain about the behaviour of an employee, or call the police, you do not want a sinking feeling that you've trampled on the only copy of the evidence. The next post has basic tips for getting the data you need without booting the evidence disk or writing to it.

4) Keep it Locked Up.

One of the best reasons for working on images is that the record keeping to prove evidence is easy: you can keep the original locked away for long periods. If you're actually working on it, you have to sign it in and out, secure it when you leave your desk.... No fun, and not impressive when you have to swear to a long chain of ins and outs, but better than no records kept at all.

2007-02-05

Busy Weekend

OK. I finished pollarding the old willows by the pond. The take from that is going to be a lot of crappy firewood and a lot of waste, unless I can make faggots. The sanest use for the land we have would be to grow enough willow or poplar to fire a woodchip boiler -- as we burn oil at the moment that's twelve or sixteen hundred in savings from something that currently yields nothing.

The big winds last week blew out some of my dodgier hedgelaying, so I've put that back. And I've planted another twenty-five hazels on a rather tight spacing. When they're established I'm putting in ash behind them with a view to eventual firewood coppice.

And I put in seventy-five hornbeams for Mrs U's garden.

Just one magic point: if you've struggled as I have to put bare-root trees into heavy clay you need this spade or one like it. If you want to let the plants in down the back of the spade in the traditional way, and you're strong enough to open up the slits in the soil, the metal shaft means you can push as hard as you need without breaking the handle off, and if you do decide to dig a trench, it needn't be a wide one. You'll need metal-reinforced boots to use it though -- and be prepared to jump on it to get it into clay.

2007-02-04

Chickens

Just to note that Mrs U. got her chickens at last -- on the same day that this hit the news. Every day, I expect to come home and find she's been tarred and feathered by the neighbours.

2007-01-23

The .Net Developer's Guide to Windows Security

Just a quick note to big up Keith Brown and his book "The .Net Developer's Guide to Windows Security". Don't be foxed by the ".Net" bit -- it just means "Modern Windows". The whole text is online but it's well worth buying the book simply because it's broken down into five and ten minute chunks, so that a couple of months' toilet visits will have you knowing more than you want about every major topic in Windows Security.

It's not a management or policy text and knowing all of it is not obligatory, but this book has helped me deal with issues that ended up on me because apparently I know this stuff. I don't -- I stole it from Keith. Just as examples, check out How to Develop Code (and do other stuff) as a non-Admin or How to Store Secrets on a Machine

Serious, practical stuff.

2007-01-15

Reporting Permissions

I've been spending the quiet period after Christmas working on some scripts. For some time now I've felt the need for a report of permissions, hierarchically by directories in the DFS, and also per trustee. Reports like that would let me see a lot of things I want to see:

  • Permissions on users: no users should have direct permissions
  • Permissions on uncontrolled groups: if it's not a ROLE group it shouldn't deliver any access in the departmental filing
  • Everyone/all users permissions: almost never correct
  • I could run them on servers as part of the compliance checks
They would also remind me that there are things I want to address:
  • ACEs referring to deleted accounts and groups -- There's a handy subinacl option to remove this
  • "Domain Admin" permissions -- one of the techs here solved admin file access problems that way -- when what he needed was local administrator permissions
  • Permissions delivered by SID-historied groups that need to be dropped or replaced
A good thing all round. The only problem is that they are very hard to get. It seems like there would be tools to do this, but I can't find anything suitable. Only after spending days hunched over a hot interpreter have I found why: it's moderately difficult, and the semantics of the report are surprisingly tricky.
  • The simple approach doesn't work. If you build a hierarchy and read and report the ACL masks for each file and directory, the output is unusably difficult to understand. Even on one object there can be multiple ACEs for each trustee.
  • And there's just too much data. Even if people could understand the access options implied by mask bits and types, there are ten million objects on our file servers. No-one reads a ten-million-line report.
The approach I've come up with is pretty crude, but I'm hoping it's going to do something useful:
  1. Don't try and represent the subtleties of permissions. Boil everything down to (none) Read, Write and Deny in that increasing order of priority. For any given trustee, only even think of reporting the highest priority. Fancy stuff like "deny execute, allow read" just shows up as the single "highest" permission: in this case it's Deny. (Oh yes, at this level, Deny is a permission, regardless of DACL type flags and ACE masks)
  2. Don't distinguish between inherited access and directly granted. What matters for reporting is the actual access. When you come to rectify, you'll need to know how it got there, but the Windows tools are good for that.
  3. Do use the concept of inheritance to trim down the report. The only permissions you need to report are where something changes. If a trustee gets a permission in the root of a ten-thousand-directory, 300-thousand-file volume, and every file and directory inherits it or has had it applied, then your report for that trustee is one line, not a third of a million lines.
  4. Assemble your basic reports for each trustee -- it makes the purging much easier. If you want to report a single directory structure with entries for all trustees, you can mash that together later.
  5. I've found three levels of interest in files (when they need a report at all)
    • Leave them off entirely -- seems brutal but it cuts the run-times and you don't lose much
    • Report them as a single aggregated pseudo-name "[one or more files]" for each directory -- this effectively raises a warning if any file is more permissive than the settings on its directory
    • Report each individually following the same rules as for directories
  6. Expect to translate between the names you use to extract the permissions, and the names you report. Consider a DFS for example.
The down side of all this simplification is this: it's simple. That Everyone/Full permission that appears at the root and inherits all the way down is highly significant, but easy to miss. After all, it'll only be the one line. I think this means that we still need to apply automatic policy exception detection, but that is a project for the future.
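To make the rules above concrete, here is a small implementation of them. This is an added example, not the script the post describes, and it runs over a constructed directory tree rather than a real volume: each object carries the full list of ACEs present on it (inherited or direct, as NTFS materialises them), every ACE is boiled down to none < Read < Write < Deny by priority, a trustee's report lists only the places where the level differs from the parent directory, and files are either skipped, aggregated into the "[one or more files]" pseudo-name (reported with the highest-priority level found among the files when that differs from the directory's, which covers the "more permissive than its directory" case), or listed individually. The "ROLE-" naming convention, the share layout and all the trustees are assumptions for the demo; the policy check at the end is the simplest possible version of the exception detection the post leaves for the future.

```python
"""Crude per-trustee NTFS permission report, as sketched in the post (added example)."""
from dataclasses import dataclass, field

NONE, READ, WRITE, DENY = 0, 1, 2, 3               # increasing priority, not permissiveness
LEVEL_NAME = {NONE: "none", READ: "Read", WRITE: "Write", DENY: "Deny"}

# Access-mask bits that let a trustee change something: FILE_WRITE_DATA, FILE_APPEND_DATA,
# DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL. Anything else allowed is "Read".
WRITE_BITS = 0x0002 | 0x0004 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
GENERIC_READ, GENERIC_WRITE, GENERIC_ALL = 0x80000000, 0x40000000, 0x10000000


@dataclass
class Ace:
    trustee: str
    allow: bool      # False for an access-denied ACE
    mask: int


@dataclass
class Dir:
    name: str
    aces: list                                   # every ACE on the object, inherited or direct
    files: dict = field(default_factory=dict)    # filename -> list of Ace
    dirs: list = field(default_factory=list)


def ace_level(ace: Ace) -> int:
    if not ace.allow:
        return DENY
    return WRITE if ace.mask & WRITE_BITS else READ


def effective(aces) -> dict:
    """One level per trustee: the highest-priority ACE wins, subtleties ignored."""
    out = {}
    for ace in aces:
        out[ace.trustee] = max(out.get(ace.trustee, NONE), ace_level(ace))
    return out


def trustee_report(d: Dir, trustee: str, path="", parent=NONE, files="aggregate"):
    """[(path, level name)] listing only the places this trustee's level changes.
    files: "skip", "aggregate" (one pseudo-entry per directory) or "each"."""
    here = path + d.name + "\\"
    level = effective(d.aces).get(trustee, NONE)
    out = [(here, LEVEL_NAME[level])] if level != parent else []
    if files == "aggregate":
        worst = max((effective(a).get(trustee, NONE) for a in d.files.values()), default=level)
        if worst != level:
            out.append((here + "[one or more files]", LEVEL_NAME[worst]))
    elif files == "each":
        for fname, faces in d.files.items():
            flevel = effective(faces).get(trustee, NONE)
            if flevel != level:
                out.append((here + fname, LEVEL_NAME[flevel]))
    for sub in d.dirs:
        out.extend(trustee_report(sub, trustee, here, level, files))
    return out


def all_trustees(d: Dir) -> set:
    names = {a.trustee for a in d.aces}
    for faces in d.files.values():
        names |= {a.trustee for a in faces}
    for sub in d.dirs:
        names |= all_trustees(sub)
    return names


def full_report(d: Dir, files="aggregate") -> dict:
    """Per-trustee reports for the whole tree; mash together later if you want one listing."""
    return {t: trustee_report(d, t, files=files) for t in sorted(all_trustees(d))}


def policy_exceptions(report: dict, is_role=lambda t: t.startswith("ROLE-")) -> list:
    """Trustees that deliver access but aren't ROLE groups: users, Everyone, ad-hoc groups."""
    return [t for t, lines in report.items() if lines and not is_role(t)]


def sample_tree() -> Dir:
    """Constructed departmental share; not real data."""
    everyone_r = Ace("Everyone", True, GENERIC_READ)
    finance_all = Ace("ROLE-Finance", True, GENERIC_ALL)
    jsmith_w = Ace("jsmith", True, GENERIC_WRITE)          # direct user permission: not allowed
    payroll = Dir("Payroll", [Ace("Everyone", False, GENERIC_ALL), finance_all])
    finance = Dir("Finance", [everyone_r, finance_all, jsmith_w],
                  files={"budget.xls": [everyone_r, finance_all, jsmith_w]}, dirs=[payroll])
    public = Dir("Public", [everyone_r, finance_all],
                 files={"readme.txt": [Ace("Everyone", True, GENERIC_WRITE), finance_all]})
    return Dir("D:\\Dept", [everyone_r, finance_all], dirs=[finance, public])


if __name__ == "__main__":
    rep = full_report(sample_tree())
    for trustee, lines in rep.items():
        print(trustee)
        for path, level in lines:
            print(f"  {level:5} {path}")
    print("exceptions:", policy_exceptions(rep))
```

ROLE-Finance comes out as a single line for the whole tree, which is the point of the inheritance trimming; jsmith gets a "none" line under Payroll because something changed there, not because it is interesting in itself; and the one-line Everyone/Read at the root is exactly the easy-to-miss entry the paragraph above warns about, which is why the policy check reports the trustee rather than relying on anyone reading the line.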

2007-01-11

I saw the Comet!

Weather today is dreadful, wind and rain, but yesterday was totally clear and I saw comet McNaught.

17:10 in central Kent, bearing about SE, in the orange glow above the horizon. Tail subtending about 1/4 of the full moon, leaning slightly to the right and tighter toward the horizon. Could have been a cloud but it looked cometty to me. I've never seen a proper tail before.

As soon as I saw it I raced home to show the less mad son, but it had set by the time I got there.

2007-01-05

I Want a Video Server

There's a device I want to buy:

  • On the input side, composite video and sound -- at least four inputs capable of handling the feed from security cameras. Not digital, not USB -- just cheap cameras.
  • Processing: Support for video motion detection would be good.
  • And output: a stream server for live-ish video and automatic upload of motion-detecting images to a remote SFTP server. Email/text alerting driven off the motion detection makes it useful.
One of these in the attic with some strategically placed cameras would provide some worthwhile security.

It's essentially just the works from an IP camera -- it should be a few hundred pounds at Maplin. But it doesn't seem to exist. Bummer.