If you tell enough stories, perhaps the moral will show up.

2010-01-14

It's a Dirty Job

Diane gets sex spam and she doesn't like it. She's sent up an offensive example.

Now I don't know why the filth heads toward her mailbox, but a quick look at her quarantine shows that there's plenty of raw ... offers ... being blocked. A closer look at the one that got through reveals the reason. There's not a single dirty or ambiguous word, it's barely even English:

If you are disappointed in its second half, bold, come in. I can do for you is - what can not no girl! enter here (a link).
Where's the harm in that? Well, it's obvious. Obvious to me and obvious to Diane too. But utterly undetectable to the machine that's trying to keep solicitations out of her mailbox.

So I have to go down and tell the lady that her basic problem is her dirty, dirty mind.

2010-01-03

Unwired

Over the last few weekends -- say 20 hours work total -- I've laid over the first hedge I planted here -- about 50 yards of "native mix" with the hazel taken out and used elsewhere. It's gone well. I'll never be fast at that job -- I enjoy the looking much too well -- but it's a real eye opener to see how much easier it all goes when you don't have to spend time de-wiring. And it's interesting to see what other planting-time lessons there are to learn.

  • Rabbit guards are a must. The plants mostly survived, but I reckon they're a year or so back, and the ground-level damage makes them harder to split and bend over.
  • Ignore the supplier's sincere advice to plant these bare-rooted slips in a trench of tilled soil. Even six years on, the roots move when you strain the plants around the spiles. Slide them into the clay down the back of a spade and they'll be forced to set firm roots in the clay.
  • Another piece of gardening advice to avoid is to take the top of the slip off so that they bush out. A bush is useless -- you have to strip it all off when you lay. What you want is tall, spindly whips, so just leave them be.
  • Never plant blackthorn. Duh.
  • Don't plant briars with the rest of the hedge. Until it's laid over they just get in the way.
  • So the mix, if you don't fancy just hawthorn, would be five hawthorn, one spindle, one hazel and one fruiting tree depending on your taste -- mine would be beech. Then come back when you've laid it and put a dog briar in each of the gaps.

2009-12-13

Not Invented Here

This has got nothing to do with anything I know about, but it's got me cross so here goes.

My little Samsung music player is old now, but it does all I want. It loads up as though it was a USB stick. I can find the music I want navigating up and down the directory tree with folder and track names showing on the tiny four-line display. It plays .wma, .ogg and .mp3 files, and when I'm bored with my files, there's an FM radio.

I would have thought that this counted as some sort of baseline. iPods have a display for album art and video. Other players have integrated phones, or glossy appearance, or Bluetooth audio, or who-knows-what magic. But for a £40 player, I was happy.

One thing the Samsung doesn't have is the oomph to drive any sort of speaker without caning the battery. Nor should it, but it's a bit frustrating sometimes when your ears are tired of buds, that there's no way to fill the room with it.

This shouldn't be a problem these days. Quite a lot of music centres and boom boxes support "USB" which is a shorthand for digital music on popular media. Except they don't -- the support is rubbish. I looked at Cambridge One and the Yamaha desktop music player -- both about £300 -- and they were both really disappointing:

  • For a start, it's MP3 only. Compared with my Samsung, the hifi designers have vast resources of electrical power and size, so there's no excuse for limiting the playback decoders.
  • There's not much point in a remote if the buttons are hopelessly obscure. The navigation is hard.
  • And it's worse when the UI can't even display a directory listing. I've got 2GB of music on that thing and ignoring directory names is not going to help.
  • And in the 21st century, I reckon we're entitled to a decent screen, but what we're offered is a single line. I felt that I was fortunate under the circs to see the ID3 tags in an unsatisfactory fixed-rate marquee.

What's happened here is that someone has made the minimum possible hack to the code that plays MP3 CDs. The idea of picking up a few hints from the players made in a different division of the same firm just never occurs to anyone. All I want is something that can play the same files as a cheapo portable, and provides a simple user interface. Hard? Apparently so.

2009-11-21

What Goes into the W7 Workstation

First look into the Security Guide in the Windows 7 Security Compliance Management Toolkit. It's an interesting read and there's a lot of potential goodies. The takeaways for me are:

  • UAC looks good, but when you get down to it, there's less than you want. In particular you still need a really non-admin account for browsing and reading mail and it won't save ordinary users from cockups -- so they still can't be admins. Good. (Mark Russinovich says that the real purpose of UAC is to force developers to make their code work as non-admin. Better.)
  • The policy can all be pushed from group policy. The price of this is that W7 machines will need their own OU tree.
  • There are some sexy, seeeexy audit log options. A whole lot more to set.
  • There's an easier replacement for software restriction, but it relies on signed code.
  • Finer-grained control over devices means we might be able to have one less agent in the build.
  • Still not sure about the malware tools. I can't see why I would object to the Malicious Software Removal Tool but the old rule about not mixing AV solutions may apply here. The native tools aren't enterprise capable, so they'll have to go.
  • This may be time for SUS. The solution we have is more capable, but since we only ever push MS hotfixes with it, I might just choose to save the licence fee.
  • They seem to have de-emphasised routine IPSEC since Vista, but I may have missed the crucial bit.

I need a W7 install to play with.

2009-11-20

You know you're a security professional if ...

...you ask the designers what the operational meaning of a user group is.

2009-11-13

Performance problem? No, it's a security issue...

We block Internet browsing for accounts in admin groups. It's a malware control and I like it. But we hit a strange little problem with this using one particular app. It was fast to start with ordinary console accounts, but privileged accounts were really slow. It took a smart lad -- not me -- with a protocol analyser to spot that the startup sequence involved a certificate authentication, and the host certificate had a CRL access point at an Internet URL. The admin accounts couldn't reach this so they had to go through an agonising timeout. Problem solved!

2009-11-08

An Aid to Promptness

It has been scientifically proven (by letting my music player run down) that an exercise mix track with at least 50% Girls Aloud (and other Xenomania Trilbies) gets you to work ten minutes earlier.

PS. This only works if you walk to work. On the train? I can't help you.

2009-11-07

Google Dashboard

So now we have the Google dashboard www.google.com/dashboard -- everything Google knows about you in the one place. Well that would be jolly nice, but it's really everything Google knows about your Google account, which is a slightly different thing.

Because it misses all those unauthenticated search strings which are Google's actual meat and drink. And there are already complaints about this.

But I won't be complaining. Because unless you co-operate with Google cookies, what that would show is everything sought from your IP address, which if it's like any of mine is NATed. Do you want to see what everyone in the firm has sought? Do you want them to see your searches? I think not!

Convenience

I'll be hedgelaying along the road again this year, so appearance matters a little more. And at the same time I've pretty much run out of all the odd offcuts I've been using to hold it all together. Privet was good -- it grows into hard straight rods -- but it's all gone now.

I've asked all over but asking for "posts for hedgelaying" draws a blank -- you get offered fencing pales at eighteen shillings each. It's overkill and at two per yard it runs into expense.

It doesn't look like I'll ever find the canonical Hazel rods, so I'm falling back on plan B. I rang up one of the woodsmen in the Wealden Advertiser -- Brede Valley Fencing -- and asked him to make me the same pales used for cleft chestnut wire fencing, but five foot long and without the wire. He quoted me five shillings each and I bought four hundred which will keep me going for a while. They filled up the back of the Galaxy and I drove cautiously home, delighted by the smell of the fresh green wood.

Here they are in the shed. It's a weight off my mind. I feel I can set to work without worrying about running out.

Benders? No need -- I've got Willow wands coming out of my ears, and that certainly gets attention on the commuter train.

2009-11-06

The non-Build Build

From time to time we issue non-build laptops to people who want to use the SSL VPN but don't have a suitable personal machine. It's not a practice that gives me much pleasure, as the temptation will always be to assume that it's OK to put the firm's data on one of these. And it's not.

So I've been developing a little list: what we should do to a standard manufacturer's XP install so that it can be placed in the permanent, unmanaged care of a regular user. Here's what I have:

  • Truecrypt set up for the system partition. (If there's an I386 on d: or e:, leave that in clear.) Why encryption? 1) because I don't trust them not to put the firm's data on it, and 2) it's an immediate downer for a thief.
  • The MVPS hosts file. It doesn't auto update, but it's a good start.
  • Default browser: Chrome. It's not IE so it's under attackers' radar, and it does auto update even if you never run as admin.
  • Microsoft AV -- seems to have difficulty with non-admin updates, but better than nothing.
  • The default log in takes you to a non-admin account.
  • Default settings on the Windows firewall, and Windows update.

It's not much -- in particular you can't make Adobe and Java auto update on a non-admin machine, but it is better than nothing.

2009-11-01

2009-10-23

The Future Still Isn't Right, pt II

And another thing. Spectacles. I had my eyes tested today and my prescription has shifted again. Fair enough, and I've opted to head off into the world of varifocals with a pair of single vision driving specs, and what's called occupational lenses which shade from VDU at the top down to reading at the bottom. There are three grades of optical efficiency to choose from, optional high index plastic to reduce the weight, optional quarterwave coating for transparency, and an (optional) hardness treatment. With correction and astigmatism in the basic prescription, the Dear only knows how many possible variations on the basic format that is.

During the test, I could opt to have my retina photographed for reference (for a tenner, how could I not?) and a chance to compare it with the lovely optometrist's album of interesting eyeballs. And the whole thing was conducted at a time and place to suit me. It was the very model of the modern custom shopping experience.

But if choice is the aim, why, for the love of every holy thing, do they only make spectacle frames in two sizes: too small, and much too fucking small? Am I the only person in the world with a head like a watermelon? I think not. And on that topic why is the choice limited to what they have in the shop on that day? Is it so impossible to record the relative location of ears, pupils and nose, and cut lenses to suit a pair of frames out of a catalogue? I want glasses like Michael Douglas in Falling Down: I need nerd authority, but yet again I've settled for some boring black metal frames that are barely willing to exist.

How sad.

Protect identity with a face blur: Fail

This story is so abominably sad that there's really no need to read it. All I want to do is note that in some cases, a face blur can still give important clues to identity.

2009-10-17

Logparser

Recently I wrote about the enumerate command that I use. I was looking at it just now because I wanted to enumerate one particular check across the whole domain: I wanted to report on the events that show a user being enrolled into local Administrators on their workstation -- and irregular admins generally.

This is a big deal for me -- has been for a long time, it's a big deal for more and more sites, and it should be for everyone. Admin privilege is the difference between spyware installing in a profile (and even now, most of them don't attempt to do this) and installing dangerously and ineradicably as a rootkit. Admin privilege is what allows users to harm their builds with downloaded software or messing around with the branding or mapping. But alas, it's also the easy solution to a lot of problems, and desktop team members -- admins themselves -- are often tempted to pass it on to a user in trouble so they can get on to the next call.

The control for this is to find out when it happens and follow up very promptly, next day, with the admin concerned. But you need to know it's happened, and the only ways I know how to tell it's happened are a) a listing of the group membership on every machine -- which doesn't, crucially, tell you when it was done, or b) the 636 message in the event log. So it's the message we want, provided we can pick and decode the content out of the rather unhelpful format. To hold the desktop team to account, we want to look at the new messages each day, making a nice report of all the suspect events.

We already have a tool -- enumerate -- which will run a command against every machine. So now we need a command that will append relevant log events on to a report. "But" I hear you cry, "but what about your RSA Envision log SELM appliance? Isn't that ideally suited to this task?" Well yes, my dears, it certainly is, but you see, it's licenced per event source. I have enough licences for all the infrastructure and about half of production servers, but none at all for workstations. We need something at a better price point, like free.

Microsoft is a better source of free (as in beer) software than you might expect, and they have the tool for this job: Logparser; motto: "the world is your database." In outline, Logparser converts and presents logs of many sorts and some odder stuff like registry and filesystem contents as queryable lists. The queries can be simple or complex: I started with

SELECT
 Strings
FROM
 \\mypc\security
WHERE
 EventID=636
But you need to work a little harder to get a script parameterised enough to be enumerated across all domain members and produce a good outcome. The beauty of Logparser is that it's mature enough to deliver -- it really is a proper log analysis tool. I expected to write auxiliary scripts to break out the data, decode SIDs, accumulate the report as a CSV, and keep track of the last log read on each machine, but in fact all this can be done in Logparser script language or command line options.
-- admin.sql
-- Logparser query.
-- Accumulate events where a user has been made a member of admins or power users
-- You might want to enumerate this across the entire domain 
-- (omit domain controllers which have different messages)
-- Command would be like 
-- logparser 
--  -o:TSV -oSeparator:space -headers:OFF -fileMode:0 
--  -iCheckPoint:MYPC.lpc 
--  file:admin.sql?oFile=2009-10-18_AdminChanges+sMachine=MYPC
-- The checkpoint file is named for the machine, and output is appended to "today's" file.

SELECT 
-- Generating "hand" CSV rather than the CSV output type -- more flexible to do it in SELECT and USING
 
 -- the ms from the :ll aren't populated but it stops Excel dropping the seconds
 TO_STRING(TimeGenerated, '\"yyyy-MM-dd hh:mm:ss:ll\",') AS Date, 
 strcat(ComputerName,',') AS Computer,
 Resolve_SID (SID) AS Admin,
 Action,
 Resolve_SID (SIDUser) AS User,   
 Group

USING 
-- Do the token parsing in USING: break the bits we want out of the -|%{SID}|... tokens in Strings
 Extract_Token(Strings,1,'|') AS SUr,  -- User SID
 Extract_Token(Strings,2,'|') AS GroupN, -- (Localised for free -- more friendly)
 Extract_Token(Strings,3,'|') AS GroupD, 
 Extract_Token(Strings,4,'|') AS SGp,  -- the Group SID 
 
 SUBSTR(SUr,2,SUB(STRLEN(SUr), 3)) AS SIDUser,  -- break raw User SID out of the %{SID}
 
 CASE EventID WHEN 636 THEN 'enrolled' WHEN 637 THEN 'removed' END AS Action, -- Friendly EventIDs
 
 -- Output like "into BUILTIN\Administrators"
 STRCAT(
  STRCAT(
   CASE EventID WHEN 636 THEN 'into ' WHEN 637 THEN 'from ' END, 
   GroupD),
  STRCAT( '\\', GroupN)) AS Group
 
INTO
-- Need the -fileMode:0 (append) on the command line to avoid overwriting with each machine.
-- For a log for each machine then the command line above would let you use %Machine% in the name.
 %oFile%.csv 

FROM 
-- FROM the machine security log  --  This is -i:EVT. 
-- Don't use the SID resolve option, because you may want to limit to particular built-in groups,
-- and S-1-5-32-544 is easier than working out internationalised versions of "Administrators"
 \\%sMachine%\Security 

WHERE 
 ((EventID=636) or (EventID=637)) and       -- 636 enroll, 637 remove
 (SID<>'S-1-5-18') and           -- Ignore actions by local System
 (                -- Ignore boring groups
  ((SGp = '%{S-1-5-32-544}') or (SGp = '%{S-1-5-32-547}')) -- Only want Admins or P Users
 -- Optionally don't report Domain admin (check your SID) being made admin, because it happens in every log!
 -- and 
 -- (SIDUser <> 'S-1-5-21-4163168572-49618088-4072775208-512') 
 )
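The decode the script does in its USING and WHERE clauses, written out in Python so the token layout and the filters can be seen working on a couple of constructed records. This is an added example, not the post's admin.sql and not Logparser; the Event class, the sample records and their SIDs are all made up here.

```python
# Added example: the 636/637 "member added/removed" decode from admin.sql,
# applied to constructed Security-log records. Event is a stand-in for the
# fields the EVT input format gives Logparser; nothing here is real data.
import re
from dataclasses import dataclass

ADMINS = "S-1-5-32-544"        # BUILTIN\Administrators
POWER_USERS = "S-1-5-32-547"   # BUILTIN\Power Users
LOCAL_SYSTEM = "S-1-5-18"      # actions by local System are noise
INTERESTING = {ADMINS, POWER_USERS}
ACTION = {636: ("enrolled", "into"), 637: ("removed", "from")}
_SID_TOKEN = re.compile(r"^%\{(S-[0-9-]+)\}$")


@dataclass
class Event:
    time: str          # TimeGenerated
    computer: str      # ComputerName
    event_id: int      # EventID
    caller_sid: str    # the record's SID field: who made the change
    strings: str       # the '|'-joined Strings field


def strip_sid_token(token):
    """'%{S-1-5-32-544}' -> 'S-1-5-32-544' (what SUBSTR(s,2,STRLEN(s)-3) does)."""
    m = _SID_TOKEN.match(token)
    return m.group(1) if m else None


def decode(ev):
    """Report row for a group-membership change we care about, else None.
    Mirrors the script's WHERE: 636/637 only, not System, Admins/Power Users only."""
    if ev.event_id not in ACTION or ev.caller_sid == LOCAL_SYSTEM:
        return None
    tok = ev.strings.split("|")    # -|member SID|group|domain|group SID|...
    if len(tok) < 5:
        return None
    member_sid, group_sid = strip_sid_token(tok[1]), strip_sid_token(tok[4])
    if group_sid not in INTERESTING or member_sid is None:
        return None
    verb, prep = ACTION[ev.event_id]
    return {"date": ev.time, "computer": ev.computer, "admin": ev.caller_sid,
            "action": verb, "user": member_sid, "group": f"{prep} {tok[3]}\\{tok[2]}"}


def report(events):
    return [row for row in map(decode, events) if row]


# Constructed sample records in the token layout the post describes.
SAMPLE = [
    Event("2009-10-18 09:12:05", "MYPC", 636, "S-1-5-21-1-2-3-1105",
          "-|%{S-1-5-21-1-2-3-1140}|Administrators|Builtin|%{S-1-5-32-544}|helpdesk1|CORP|(0x0,0x3E7)|-"),
    Event("2009-10-18 09:12:06", "MYPC", 636, "S-1-5-18",   # System: ignored
          "-|%{S-1-5-21-1-2-3-512}|Administrators|Builtin|%{S-1-5-32-544}|SYSTEM|NT AUTHORITY|(0x0,0x3E7)|-"),
    Event("2009-10-18 10:30:00", "MYPC", 637, "S-1-5-21-1-2-3-1105",
          "-|%{S-1-5-21-1-2-3-1140}|Power Users|Builtin|%{S-1-5-32-547}|helpdesk1|CORP|(0x0,0x3E7)|-"),
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(",".join(row.values()))
```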

Remaining niggles are petty. Some machines have corrupt SELs: Logparser fails at the end of the log, so it never writes a checkpoint and the entire file is processed every time. But this can be fixed by saving and emptying the offending log. And I suppose it would be nice if it enumerated the domain itself, but that doesn't trouble me.

Apparently V3 is due out. I cannot wait.