There are a number of resources on the web that is worth mentioning and linking to:

• SecureVantage ACS Resource Kit http://www.securevantage.com/Products/ACSResourceKit.aspx
• Securevantage has also some very nice online training “Master Classes” http://www.securevantage.com/ACSTraining.aspx
• Old-ish Overview http://opsmgr2007.wikidot.com/system:audit-collection-services
• Old-ish post by kevin http://blogs.technet.com/kevinholman/archive/2008/03/07/acs-internals-part-1.aspx
• ACS Reports for Win2008 http://blogs.technet.com/momteam/archive/2009/05/08/acs-reports-for-windows-2008-and-windows-2008-r2.aspx
• ACS for Cross-Platform http://blogs.msdn.com/scxplat/archive/2009/12/17/cross-platform-audit-collection-services-released.aspx
• Jimmy Harper’s Custom ACS Reports http://blogs.technet.com/jimmyharper/archive/2009/12/10/some-custom-acs-reports.aspx

and, of course, many more, I cannot link them all.

As for myself, I have been playing with ACS since those early beta days (before I joined Microsoft and before going back to MOM, when I was working in Security), but I never really blogged about this piece.

Since I have been doing quite a lot of work around ACS lately, again, I thought it might be worth consolidating some thoughts about it, hence this post.

Anatomy of an “Online” Sizing Calculation

What I would like to explain here is the strategy and process I go thru when analyzing the data stored in a ACS database, in order to determine a filtering strategy: what to keep and what not to keep, by applying a filter on the ACS Collector.

So, the first thing I usually start with is using one of the many “ACS sizer” Excel spreadsheets around… which usually tell you that you need more space than it really is necessary… basically giving you a “worst case” scenario. I don’t know how some people can actually do this from a purely theoretical point of view, but I usually prefer a bottom up approach: I look at the actual data that the ACS is collecting without filters, and start from there for a better/more accurate sizing.

In the case of a new install this is easy – you just turn ACS on, set the retention to a few days (one or two weeks maximum), give the DB plenty of space to make sure it will make it, add all your forwarders… sit back and wait.

Then you come back 2 weeks later and start looking at the data that has been collected.

What/How much data are we collecting?

First of all, if we have not changed the default settings, the grooming and partitioning algorithm will create new partitioned tables every day. So my first step is to see how big each “partition” is.

But… what is a partition, anyway? A partition is a set of 4 tables joint together:

1. dtEvent_GUID
2. dtEventData_GUID
3. dtPrincipal_GUID
4. dtSTrings_GUID

where GUID is a new GUID every day, and of course the 4 tables that make up a daily partition will have the same GUID.

The dtPartition table contains a list of all partitions and their GUIDs, together with their start and closing time.

Just to get a rough estimate we can ignore the space used by the last three tables – which are usually very small – and only use the dtEvent_GUID table to get the number of events for that day, and use the stored procedure “sp_spaceused”  against that same table to get an overall idea of how much space that day is taking in the database.

By following this process, I come up with something like the following:

If you have just installed ACS and let it run without filters with your agents for a couple of weeks, you should get some numbers like those above for your “couple of weeks” of analysis. If you graph your numbers in Excel (both size and number of rows/events per day) you should get some similar lines that show a pattern or trend:

So, in my example above, we can clearly observe a “weekly” pattern (monday-to-friday being busier than the weekend) and we can see that – for that environment – the biggest partition is roughly 17GB. If we round this up to 20GB – and also considering the weekends are much quieter – we can forecast 20*7 = 140GB per week. This has an excess “buffer” which will let the system survive event storms, should they happen. We also always recommend having some free space to allow for re-indexing operations.

In fact, especially when collecting everything without filters, the daily size is a lot less predictable: imagine worms “trying out” administrator account’s passwords, and so on… those things can easily create event storms.

Anyway, in the example above, the customer would have liked to keep 6 MONTHS (180days) of data online, which would become 20*180 = 3600GB = THREE TERABYTE and a HALF! Therefore we need a filtering strategy – and badly – to reduce this size.

[edited on May 7th 2010 - if you want to automate the above analysis and produce a table and graphs like those just shown, you should look at my following post.]

Filtering Strategies

Ok, then we need to look at WHAT actually comprises that amount of events we are collecting without filters. As I wrote above, I usually run queries to get this type of information.

I will not get into HOW TO write a filter here – a collector’s filter is a WMI notification query and it is already described pretty well elsewhere how to configure it.

Here, instead, I want to walk thru the process and the queries I use to understand where the noise comes from and what could be filtered – and get an estimate of how much space we could be saving if filter one way or another.

Number of Events per User

–event count by User (with Percentages)
declare @total float
select @total = count(HeaderUser) from AdtServer.dvHeader
select count(HeaderUser),HeaderUser, cast(convert(float,(count(HeaderUser)) / (convert(float,@total)) * 100) as decimal(10,2))
from AdtServer.dvHeader
group by HeaderUser
order by count(HeaderUser) desc

In our example above, over the 14 days we were observing, we obtained percentages like the following ones:

Just by looking at this, it is pretty clear that filtering out events tracked by the accounts “SYSTEM”, “LOCAL SERVICE” and “ANONYMOUS”, we would save over 45% of the disk space!

Number of Events by EventID

Similarly, we can look at how different Event IDs have different weights on the total amount of events tracked in the database:

–event count by ID (with Percentages)
declare @total float
select @total = count(EventId) from AdtServer.dvHeader
select count(EventId),EventId, cast(convert(float,(count(EventId)) / (convert(float,@total)) * 100) as decimal(10,2))
from AdtServer.dvHeader
group by EventId
order by count(EventId) desc

We would get some similar information here:

Also, do not forget that ACS provides some report to do this type of analysis out of the box, even if for my experience they are generally slower – on large datasets – than the queries provided here. Also, a number of reports have been buggy over time, so I just prefer to run queries and be on the safe side.

Below an example of such report (even if run against a different environment – just in case you were wondering why the numbers were not the same ones ):

The numbers and percentages we got from the two queries above should already point us in the right direction about what we might want to adjust in either our auditing policy directly on Windows and/or decide if there is something we want to filter out at the collector level (here you should ask yourself the question: “if they aren’t worth collecting are they worth generating?” – but I digress).

Also, a permutation of the above two queries should let you see which user is generating the most “noise” in regards to some events and not other ones… for example:

–event distribution for a specific user (change the @user) – with percentages for the user and compared with the total #events in the DB
declare @user varchar(255)
set @user = 'SYSTEM'
declare @total float
select @total = count(Id) from AdtServer.dvHeader
declare @totalforuser float
select @totalforuser = count(Id) from AdtServer.dvHeader where HeaderUser = @user
select count(Id), EventID, cast(convert(float,(count(Id)) / convert(float,@totalforuser) * 100) as decimal(10,2)) as PercentageForUser, cast(convert(float,(count(Id)) / (convert(float,@total)) * 100) as decimal(10,2)) as PercentageTotal
from AdtServer.dvHeader
where HeaderUser = @user
group by EventID
order by count(Id) desc

The above is particularly important, as we might want to filter out a number of events for the SYSTEM account (i.e. logons that occur when starting and stopping services) but we might want to keep other events that are tracked by the SYSTEM account too, such as an administrator having wiped the Security Log clean – which might be something you want to keep:

of course the amount of EventIDs 517 over the total of events tracked by the SYSTEM account will not be as many, and we can still filter the other ones out.

Number of Events by EventID and by User

We could also combine the two approaches above – by EventID and by User:

select count(Id),HeaderUser, EventId

from AdtServer.dvHeader

group by HeaderUser, EventId

order by count(Id) desc

This will produce a table like the following one

which can be easily copied/pasted into Excel in order to produce a pivot Table:

Cluster EventLog Replication

One more aspect that is less widely known, but I think is worth showing, is the way that clusters behave when in ACS. I don’t mean all clusters… but if you keep the “eventlog replication” feature of clusters enabled (you should disable it also from a monitoring perspective, but I digress), each cluster node’s security eventlog will have events not just for itself, but for all other nodes as well.

Albeit I have not found a reliable way to filter out – other than disabling eventlog replication altogether.

Anyway, just to get an idea of how much this type of “duplicate” events weights on the total, I use the following query, that tells you how many events for each machine are tracked by another machine:

–to spot machines that are cluster nodes with eventlog repliation and write duplicate events (slow)

select Count(Id) as Total,replace(right(AgentMachine, (len(AgentMachine) – patindex('%\%',AgentMachine))),'$',") as ForwarderMachine, EventMachine

from AdtServer.dvHeader

–where ForwarderMachine <> EventMachine

group by EventMachine,replace(right(AgentMachine, (len(AgentMachine) – patindex('%\%',AgentMachine))),'$',")

order by ForwarderMachine,EventMachine

Those presented above are just some of the approaches I usually look into at first. Of course there are a number more. Here I am including the same queries already shown in action, plus a few more that can be useful in this process.

I have even considered building a page with all these queries – a bit like those that Kevin is collecting for OpsMgr (we actually wrote some of them together when building the OpsMgr Health Check)… shall I move the below queries on such a page? I though I’d list them here and give some background on how I normally use them, to start off with.

Some more Useful Queries

–top event ids
select count(EventId), EventId
from AdtServer.dvHeader
group by EventId
order by count(EventId) desc

–event count by ID (with Percentages)
declare @total float
select @total = count(EventId) from AdtServer.dvHeader
select count(EventId),EventId, cast(convert(float,(count(EventId)) / (convert(float,@total)) * 100) as decimal(10,2))
from AdtServer.dvHeader
group by EventId
order by count(EventId) desc

–which machines have ever written event 538
select distinct EventMachine, count(EventId) as total
from AdtServer.dvHeader
where EventID = 538
group by EventMachine

–machines
select * from dtMachine

–machines (more readable)
select replace(right(Description, (len(Description) – patindex('%\%',Description))),'$',")
from dtMachine

–events by machine
select count(EventMachine), EventMachine
from AdtServer.dvHeader
group by EventMachine

–rows where EventMachine field not available (typically events written by ACS itself for chekpointing)
select *
from AdtServer.dvHeader
where EventMachine = 'n/a'

–event count by day
select convert(varchar(20), CreationTime, 102) as Date, count(EventMachine) as total
from AdtServer.dvHeader
group by convert(varchar(20), CreationTime, 102)
order by convert(varchar(20), CreationTime, 102)

–event count by day and by machine
select convert(varchar(20), CreationTime, 102) as Date, EventMachine, count(EventMachine) as total
from AdtServer.dvHeader
group by EventMachine, convert(varchar(20), CreationTime, 102)
order by convert(varchar(20), CreationTime, 102)

–event count by machine and by date (distinuishes between AgentMachine and EventMachine
select convert(varchar(10),CreationTime,102),Count(Id),EventMachine,AgentMachine
from AdtServer.dvHeader
group by convert(varchar(10),CreationTime,102),EventMachine,AgentMachine
order by convert(varchar(10),CreationTime,102) desc ,EventMachine

–event count by User
select count(Id),HeaderUser
from AdtServer.dvHeader
group by HeaderUser
order by count(Id) desc

–event count by User (with Percentages)
declare @total float
select @total = count(HeaderUser) from AdtServer.dvHeader
select count(HeaderUser),HeaderUser, cast(convert(float,(count(HeaderUser)) / (convert(float,@total)) * 100) as decimal(10,2))
from AdtServer.dvHeader
group by HeaderUser
order by count(HeaderUser) desc

–event distribution for a specific user (change the @user) – with percentages for the user and compared with the total #events in the DB
declare @user varchar(255)
set @user = 'SYSTEM'
declare @total float
select @total = count(Id) from AdtServer.dvHeader
declare @totalforuser float
select @totalforuser = count(Id) from AdtServer.dvHeader where HeaderUser = @user
select count(Id), EventID, cast(convert(float,(count(Id)) / convert(float,@totalforuser) * 100) as decimal(10,2)) as PercentageForUser, cast(convert(float,(count(Id)) / (convert(float,@total)) * 100) as decimal(10,2)) as PercentageTotal
from AdtServer.dvHeader
where HeaderUser = @user
group by EventID
order by count(Id) desc

–to spot machines that write duplicate events (such as cluster nodes with eventlog replication enabled)
select Count(Id),EventMachine,AgentMachine
from AdtServer.dvHeader
group by EventMachine,AgentMachine
order by EventMachine

–to spot machines that are cluster nodes with eventlog repliation and write duplicate events (better but slower)
select Count(Id) as Total,replace(right(AgentMachine, (len(AgentMachine) – patindex('%\%',AgentMachine))),'$',") as ForwarderMachine, EventMachine
from AdtServer.dvHeader
–where ForwarderMachine <> EventMachine
group by EventMachine,replace(right(AgentMachine, (len(AgentMachine) – patindex('%\%',AgentMachine))),'$',")
order by ForwarderMachine,EventMachine

–which user and from which machine is target of elevation (network service doing "runas" is a 552 event)
select count(Id),EventMachine, TargetUser
from AdtServer.dvHeader
where HeaderUser = 'NETWORK SERVICE'
and EventID = 552
group by EventMachine, TargetUser
order by count(Id) desc

–by hour, minute and user
–(change the timestamp)… this query is useful to search which users are active in a given time period…
–helpful to spot "peaks" of activities such as password brute force attacks, or other activities limited in time.
select datepart(hour,CreationTime) as Hours, datepart(minute,CreationTime) as Minutes, HeaderUser, count(Id) as total
from AdtServer.dvHeader
where CreationTime < '2010-02-22T16:00:00.000'
and CreationTime > '2010-02-22T15:00:00.000'
group by datepart(hour,CreationTime), datepart(minute,CreationTime),HeaderUser
order by datepart(hour,CreationTime), datepart(minute,CreationTime),HeaderUser

One of the pictures I took in Pisa at the Hackmeeting has been published in June's issue of "Internet Magazine", a famous italian IT magazine.

The article talks about Internet Privacy and the "Piano R*" project by Autistici/Inventati.

This is the cover of the magazine:

I am seriously considering giving Asirra a try. It is an interesting project from Microsoft Research for an HIP (Human Interaction Proof) that uses info from petfinder.com to let users set apart pictures of dogs from those of cats. There is also a WordPress plugin, in the best and newest "we want to interoperate" fashion that we are finally getting at Microsoft (this has always been the way to go, IMHO, and BTW).

Anyway, what do you think ?

For this reason, I had to pull down the code of the small application I had previously released, which was "logging" into the mobile web application "pretending" to be a mobile browser and change your status. Big deal!!!

I am quite sure there are a lot of people writing "official" applications (that is using the "platform API" and so on) that are collecting A LOT of information about users who install their applications. They are being sent the info about the visitors by facebook, they are storing them, they might do whatever they please with (study it, sell it to spammers, to marketers, to making-money-assholes) and nobody will ever notice because it is on their servers and nobody can check that.

But a script that changes your status from remote – since this is not a functionality they CHOSE to expose in their API – then THAT is a big issue. Doh!
It's just plain ridiculous, but that's it.

Sure, the terms of service for app developers say a bit more in this regard:

[...]
4) Except as provided in Section 2.A.6 below, you may not continue to use, and must immediately remove from any Facebook Platform Application and any Data Repository in your possession or under your control, any Facebook Properties not explicitly identified as being storable indefinitely in the Facebook Platform Documentation within 24 hours after the time at which you obtained the data, or such other time as Facebook may specify to you from time to time;

5) You may store and use indefinitely any Facebook Properties that are explicitly identified as being storable indefinitely in the Facebook Platform Documentation; provided, however, that except as provided in Section 2.A.6 below, you may not continue to use, and must immediately remove from any Facebook Platform Application and any Data Repository in your possession or under your control, any such Facebook Properties: (a) if Facebook ceases to explicitly identify the same as being storable indefinitely in the Facebook Platform Documentation; (b) upon notice from Facebook (including if we notify you that a particular Facebook User has requested that their information be made inaccessible to that Facebook Platform Application); or (c) upon any termination of this Agreement or of your use of or participation in Facebook Platform;
[...]
You will not directly or indirectly sell, export, re-export, transfer, divert, or otherwise dispose of any Facebook Properties to any country (or national thereof) without obtaining any required prior authorizations from the appropriate government authorities;
[...]

Are we sure everybody is playing by these rules, when every facebook "application" really runs on the developer'server ? How do you know that they are really storing only what you want them to store, and deleting what you want them to delete ? Everybody knows how difficult it is to really "delete" digital content once it has come into existance… who knows how many copies of this database/social graph are floating around ?

Of course that is not an issue because people don't talk about it enough. But a script that changes your status – now, THAT is a very terrible thing.

I just don't get this "politically correctness". It must be me.

Oh, no… look! It's not only me!
I had read this post of Dare, but I problably had overlooked the last bit of it…. because he did point out this Hypocrisy going on:

[...]
Or (5) the information returned by FQL about a user contains no contact information (no email address, no IM screen names, no telephone numbers, no street address) so it is pretty useless as a way to utilize one’s friends list with applications besides Facebook since there is no way to cross-reference your friends using any personally identifiable association that would exist in another service.

When it comes to contact lists (i.e. the social graph), Facebook is a roach motel. Lots of information about user relationships goes in but there’s no way for users or applications to get it out easily. Whenever an application like FacebookSync comes along which helps users do this, it is quickly shut down for violating their Terms of Use. Hypocrisy? Indeed.
[...]

He then insists in a more recent post in calling things by their name:

[...]
I will point out that 9 times out of 10 when you hear geeks talking about social network portability or similar buzzwords they are really talking about sending people spam because someone they know joined some social networking site. I also wonder how many people realize that these fly-by-night social networking sites that they happily hand over their log-in credentials to so they can spam their friends also share the list of email addresses thus obtained with services that resell to spammers?
[...]
how do you prevent badly behaved applications like Quechup from taking control away from your users? At the end of the day your users might end up thinking you sold their email addresses to spammers when in truth it was the insecure practices of the people who they’d shared their email addresses with that got them in that mess. This is one of the few reasons I can understand why Facebook takes such a hypocritical approach.
[...]

Thanks, Dare, for mentioning Hypocrisy. Thanks for calling things by their name. I do understand their approach, I just don't agree with it.

I did pull my small application off the Internet because I have a family to mantain and I don't want to have legal troubles with Facebook. Sorry to all those that found it handy. No, I cannot even give that to you per email. It's gone. I am sorry. For the freedom of speech, especially, I am sorry.

I will change my status more often on Twitter.

I keep finding way too many software that claim to interact with Web 2.0 sites or services, and connect here or there…. still forgetting one basic simple rule, that is: letting people use a proxy.

Most programmers for some reasons just assume that since they are directly connected to the internet, everybody is. Which isn't always the case. Most companies have proxies and will only let you out to port 80 – by using their proxy.

…which in turn is one of the reasons why most applications now "talk" and tunnel whatever application protocol on top of HTTP… still a lot of softwares simply "forget" or don't care proving a simple checkbox "use proxy", which will translate in two or three extra lines of code… three lines which I personally usually include in my projects, when I am not even a *developer*!! (but that might explain why I *think* of it… I come from a security and networking background )

I thought of writing this post after having read this post by Saqib Ullah.

Anyway. I keep finding this thing over and over again. Both in simple, hobbyist, sample and/or in complex, big, expensive enterprise software. Last time I got pissed off about a piece of code missing this feature was some days ago when testing http://www.codeplex.com/FacebookToolkit. The previous time was during Windows Vista beta-testing (I had found a similar issue in beta2, and had it fixed for RC1.)

Actually, I am being polite saying it is "missing a feature". To be honest I think missing this "feature" would have to be considered a bug: every piece of software using HTTP *should* include the possibility to pass thorugh proxy (also, don't forget about  AUTHENTICATED proxies), or the purpose of using HTTP in the first place is defeated!!

Developers!!! You have to remember people ARE behind proxies !!!!!

PopFly lets you create mashups and even custom blocks, and I liked that too. But you have to use fancy-shiny Silverlight (which is very cool indeed, but probably not *always* necesary) and you can only create blocks using Javascript. Sure, as someone as already written, the meaning of AJAX is "javascript now works". I can understand (even if I don't know them for sure) the reasons behind certain choices. But I find it limiting. Maybe it is because I don't like Javascript. It must be it. 

Facebook, instead, empowers you to inject code into their social networking framework. Any code. In whatever language you like. They started it in PHP, but you can plug-in whatever you like: Java, Ruby, Perl…. you can even have your application running on your own server, still providing a seamless experience inside of facebook. This opens up to millions of possibilities, and I got fascinated by that.

At the same time, the paranoid part of myself has been thinking to the security implications of it. This open platform is cool, but it also sounds like a framework for cross-site-scripting (XSS) attacks. Sure, you can "report" an application made by a third party that does something weird… but who will really notice if all that happens under the hood is that your cookies get stolen (and someone accesses your bank account) ? Will you figure it out it has happenend because you wanted to see the "dancing pigs" loaded in your profile ? Or will you figure it out at all ?

This said, I set aside my fear for a while and I delved into coding. What I did learn in the last couple of years, having slowly moved away from security engagements, is to relax. When I was working costantly with security I was a lot more paranoid. Now I case much less, and I live a lot more.

So I developed a couple of quick and simple apps running from this very server into Facebook, and I started using thePHP5 library they provide, so to be able to follow the examples first and figure out how it was working.

Now I also want to take a look at the .NET library for facebook when I have time. It sounds cool.

I particularly enjoyed the following passage:

[...]
Antonio “s4tan” Parata (ap): Hi Rain Forest Puppy, many thanks for this interview. You are considered one of the fathers of web security and the inventor of the SQL injection attack. Anyway in the year 2003 you decided to publicly retire from the security field (to get more infos http://www.wiretrip.net/rfp/txt/evolution.txt). Can you briefly sum your decision?

Rain Forest Puppy (rfp): My decision to retire from the public eye was based on a lot of reasons; overall, the amount of resources & energy required to release and maintain advisories and tools was just getting to be too large. It wasn’t fun anymore–and why pursue a hobby if you’re not enjoying it?

Plus, the security industry was becoming commercialized. Advisories and exploits are now bought and sold; performing security research in the first place can land you in legal waters. The intellectual value of the security research performed has been reduced to a single severity rating, which…if not high enough…causes the entire research to be dismissed. I really enjoy security from the intellectual angle; to me, it’s all just a big mental challenge…a puzzle, if you will. So when the creativity and intellectual aspect of it started to fade away, I decided to go with it.
[...]

I do back up this point of view: "why pursue a hobby is you're not enjoying it ?".

Creativity and intellectual aspects of security do still interest me, just the market around changed. That's also part of why I started doing more System Management again – at least I have fun thiking and thinkering, integrating, scripting and composing….

[...] The intellectual value of the security research performed has been reduced to a single severity rating [...] I really enjoy security from the intellectual angle; to me, it’s all just a big mental challenge…a puzzle, if you will [...]

His point is expressed beautifully.

But he does not only talk about the Security community and market, he also has some interesting thoughts on open and closed source software:
 

ap: You are the author of the libwhisker library (http://www.wiretrip.net/rfp/lw.asp), widely used to create assessment perl scripts. What do you think about nowadays products related to web application assessment? What about some open source software (like parosproxy or nessus) changed to closed-source?

rfp: I have to choose my words carefully, because I very recently started working for a security software vendor.

Having had open source projects, I will say this: it is very hard to bootstrap a development community, and achieve the same level of polish, quality (as in QA), and implementation thoroughness as a commercial product. This isn’t necessarily because commercial software vendors are better coders; the dynamics are just different.

Open source coders are usually working on their own donated time. That means contributions are often catch-can and best-effort. Open source (when not sponsored by a commercial entity) are typically limited in resources (with time being the critical one).

[...]

All I care about is whether the tool works and/or gets the job done. I’ve spent so much wasted time trying to get a screwdriver to do a hammer’s job, and vice versa. I really don’t care if a tool is open source or commercial; I let the job dictate the tool, and not the other way around. Of course, there are certain artificial restrictions on this (like price limitations), but in general, I think there are some things that currently only exist in free & open source tools, and there are some things that currently only exist in commercial tools.

So use both wisely and get the best of both worlds.

[...]

Read the complete interview here: http://www.ush.it/2007/05/01/interview-with-rain-forest-puppy/

Digital Printouts.
I often find it funny to use the old reflex camera with films, but I mostly use it as if it was a digital one: I make many shots, some are good some are bad – I don't bother printing them, I just let it develop and I scan the pictures I like from the film (several ones are even posted here this way).
I have even been talking about this with fellow flickerer's: www.flickr.com/groups/romamor/discuss/72157600009019234/p…

On the opposite, it often happens that I want to print some photos made with the digital camera. So I take them to the shop on the Compact Flash, or more often on a USB pen drive.

Today, tough, something strange happened: the machine they use to print digital photos (some very big professional system for printing on photographic paper with a proprietary application which manages it) hanged while it was trying to load this one photo which was on the USB pendrive.

The guy at the shop got panicked: he said a week earlier a guy got the machine infected with a Virus through his USB pen, and he had to stop working for three days, spend a lot of money to get the system reinstalled…

I tried to tell him to close the application but he did not even get what I was talking about. He was saying that the system was not responsive… I was pretty sure the system WAS responsive, it was just the APPLICATION which was hanging, and since it looked like an NT-based system I tried to guide him through CTRL+ALT+DEL, to start "Task Manager", kill the application (this whole procedure took several minutes, and I had to show him which keys I was talking about as he was abel to find "ALT" but he had never hear of CTRL, left alone "DEL"). It was a Windows2000 Professional… so I wondered how did he logged in if he did not know that key combination….. I asked how did he get in when he started the machine…. "it opens automatically" he said. I see. I though it must be configured for autologon then. After killing the application he asked "how do I get out of this now??" "This" being Windows Explorer… I mean, the desktop. I pulled out my USB pendrive he was afraid of, I helped him reboot. He was nervous and he said it took much longer than normal to start up (I don't believe ONE word of it, it just took much less time than my laptop with Vista takes to start up… but he was worried and that makes one anxious and makes time flow slower). He was afraid and nervous that the "thing" could have been broken somehow by trying to load a JPEG…
NOTHING made him confident about me: I tried to reassure him I am an IT Professional, that I work for Microsoft (unfortunately I did not have my business cards with me today, that would have probably helped!), that I put my hands on much more complex and "missioncritical" systems, that I would not bring him any virus whatsoever and I am paranoid about computer security…
Nothing. Nothing worked to re-assure him that there wasn't anything to worry about my pen…

While the machine started I saw it doing AutoAdminLogon with Administrator… with a password of TWO characters.
Oh my god!
Then he wonders that he gets viruses from strangers. He runs as Administrator all the time!!!

But then I though and asked… "is there maybe a LIMIT on the SIZE of the file?". "Of course there is!".
Right.

Since the photo I wanted to print is actually a composition made of two photos pasted together, and each of the original was a 8 Megapixel photo, the resulting is a 16 Megapixel picture, a JPG file of roughly 8 megabytes in size. Well, this days it isn't much anyway. We nearly have cameras which produce files with that high resolution…
..but if THAT application has a limit… WHY on earth doesn't it CHECK for the bloody SIZE of the file BEFORE trying to load it ?

I mean, those are professional systems which – he said – cost around 150 THOUSAND of Euros… which they let run with an application which does NOT do any input checking/validation, runs the whole time as Administrator… while letting people bring in their own CD-ROMs, USB pens, flash memory cards….
and they expect it to be safe?

Now the guy was panicked and wouldn't let me plug my pen in the machine again.

Then he's keeping his shop closed in the afternoon since it is saturday, and I need that photo (and other ones) printed for tomorrow, because tomorrow it is my grandad's 91st birthday and I wanted to bring them printed for him and framed as a present!

Morale: I have to find another place to print them in the afternoon, in a rush, because some company sells print systems which are written like crap, which need to run as Administrator and won't do any input validation in their code. This is one of those situations where a design flaw matters.

Note: The blog above is written in italian, and it is addressed to italian IT Professionals having to deal with security.

In fact i consider GMail as being one of the best interface for reading mail that exist out there – I love "tagging" (oops: it's called "labelling" in their syntax), speed of search through messages (even tough Outlook 2007 is faster on indexed content, but still you have to buy it and install it on your PC)… I also especially love the way it shows THREADING… so that I moved pretty much EVERY mailing list I read on their account:

(ok, they could do better with the localized version of "Re:" in replies…. in Italian a lot of broken MUA's translate that into "R:" and that isn't understood by GMail and will make it think it is another thread…. but that's a minor issue, and also one that every MUA handling threading has – including "mutt" – the real problem is the broken MUAs sending the "R:" in the first place. But I digress too much….).

I also keep GMail continuosly opened in a browser during the day because a lot of informative mail and that sent by friends goes there. This to say that I do get a lot of their ads (that is – the point of having such an application, for them…). On the contrary, Windows Live Mail reduced its ads to show only one… not to annoy you too much.
But the ads in GMail were not *really* a problem (I don't read them anyway, I just plain IGNORE THEM).

But this week they REALLY pissed me off. They REALLY have. And here is the reason:
I have been using a script for MONTHS to backup my database (the one powering THIS blog) and send it "off-site" to my GMail mailbox. Pretty much something like a lot of other people do, described in various articles and blog posts. Then I was labelling them with a rule, so that I could access my backups easily in case I needed them.

Now I don't know if this violates their terms of use in any way… because I am not really using it as storage with those programs that circulated at one stage that had "reverse engineered" it. Those were bypassing the web interface altogether so people did use it as storage with a program without having to see their ads. That was the issue, I think. In my case, I am just sending MAILS to myself. One per day. I also delete the old ones every now and then, and they are not even huge in sized (attachments of 40 to 50KB so far!!)… anyway, I know a lot of people that store documents and all sort of stuff even in their corporate mailboxes in Outlook (then maybe index them with Windows Desktop Search of Google Desktop to find it back)… I was only doing the same with GMail. I don't see the big issue here….. they might think otherwise…. but from what happens I don't think that's the issue.

Anyway, now it's been three or four days that my backup mail gets rejected. My SMTP Server gets told:

host gmail-smtp-in.l.google.com[66.249.83.27] said:
550-5.7.1 Our system has detected an unusual amount of unsolicited
550-5.7.1 mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been
550-5.7.1 rejected. Please visit
550-5.7.1 http://www.google.com/mail/help/bulk_mail.html to review
550 5.7.1 our Bulk Email Senders Guidelines.

Now for fuck's sake. You know how much I hate SPAMMERS and what I would like to do with them. But I also know that it does happen to end up in RBLs and such sometimes. Fine. But GIVE ME a way to tell you that I am NOT one! If you go to the link above, all you find is a form where you can specify that mail that ended up in your "junk" folder actually wasn't spam. Yeah, right. In my case it does not even go into my "junk" folder! How am I supposed to give me the original header that arrived to THEM if I only have the one sent by my mailserver ? They just blacklisted my mail server's IP Address! As they say, I even have an SPF record, I always use the same address, etc….
So I tried to fill in the form, the day after I also tried to contact their abuse@google.com and abuse@gmail.com addresses.
Still nothing.
They even tell you (in the automated reply when you contact "abuse":
"[...] For privacy and security reasons, we may not reveal the final outcome of an abuse case to the person who reported it. [...]".
How great. How am I supposed to know if they even READ my complaint ?

You anti-spam people at GMail: "I am NOT a fucking spammer!!!!!". I 'haven't found a better way to tell ya this, you know, than writing it on my blog… this is just RIDICULOUS!

But to date my mails still get dropped. I'll probably have to send my backups somewhere else. At this point they pissed me off so much that I am also seriously considering getting back to use my own mailserver also for receiving and reading my mailing lists. Then I won't get ads there.
Afzetterij!
(I hope you have some dutch guy on board at Google, as "Google Translate" does not translate from/to dutch yet…. )

Edited on October, 8th - While GMail REJECTS those mails (it SAYS it is not accepting them), Hotmail simply DROPS them (that is: it does not even SAY it is not accepting them):

to=, relay=mx4.hotmail.com[65.54.245.104], delay=3, status=sent (250 <20061008061010.GA19807@muscetta.com> Queued mail for delivery)

This way you THINK it is going to be delivered, but it NEVER shows up in your inbox. I don't know who's behaving the worst…

At the end of September I'll have to go to England for work. Not being able anymore to carry a hand luggage, I think I will have to leave my camera home. I cannot afford to get that stolen or broken by sending it as luggage. I'll have finished paying that in 2008… you can imagine I am worried…

I am actually tempted to show up in this T-Shirt to be honest…

Yes it can be circumvented, BUT… there are seveal "but"s I can say; In fact, I have been presenting Windows 2003 R2 to several customers and I got asked this question several times, and I usually explain this in the following way:

first, it would be too heavy of a performance hit to get and check the real "nature" of a file, rather than just its file name.
Also: how would you technically do that ? Checking some headers in the file ? In this case you would need to mantain a database of known file types, keeping it up to date as new versions of that file format appear…
and then what about executables which have been passed through a "packer"
(one of those utility that effectively shrinks them while mantaining them executable) ?
What about encrypted files ? What about… ?? It just doesn't plain work. Just like many other signature-based detection mechanisms (Antivirus or IDS). Or at least, to KEEP working needs to be constantly updated (or be useless).

The file screening thing is not meant to be impossible to circumvent, rather is a way of saying to the user that he/she's not allowed to place that content there, to get notified about that, to get this information TRACKED somewhere possibly….
Of course this can be circumvented. But is not going to be very practicle, especially when your users are USERS and are restricted so that they can't associate new extention to be opened from within their media player as you are suggesting….

Moreover, file screeing is just ONE of many features of the component called "File Server Resource Manager" in Windows 2003 R2. Those features are meant to be used altogether: So, for example, while a user COULD circumvent the restriction and copy ".mp3" files by calling them ".xyz", but then with the useful reporting an admin would very easily spot them by looking at those directory that strangely contain a lot of ".xyz" files that happen to be roughly 5MB in size (all of them)…
In the same way by using the reporting feature you could see those huge ".doc" files are actually divx by looking at the "large files" report – how many pages would you have written to get that Word document up to 700MB ?? It can't be the usual letter Mary writes, it looks a lot more like the size of Encarta… something is then fishy about it.

You get what I mean ? It won't block the user ALL the times, but it will still drastically reduce the user abilty to waste our space, and if implemented with the proper controls and procedures and preocesses (think ITIL) in place, this can still be a valuable tool.

(I also posted this answer as a comment on the above-mentioned blog).

Only this time the sentence gets applied to Microsoft products, rather than to OSS…… Interesting

It was already more than three years ago and they are still fighting.
I can remember it well, the start of this Iraq war, because they attacked on the 20th of March – that is my bday.

The photo is of the huge demonstration that was held in Amsterdam. Actually it was kept in a lot of countries, and they were all huge.
Still they did not listen, they went further, and fought this war anyway, regarless of people's will. It's always time to remember.

I get this old memories, also to say that tomorrow it is "Festa della Repubblica" in Italy, and in Rome they want to carry on this idiotic military parade they have been doing for some years now.

But there's also a counter-demonstraion of people that dislike the military forces and that want PEACE.
Guess which demonstration will be more colourful and HAPPY ?

I'll try to get there tomorrow and take some photos too. But I am not sure I'll make it…. my kid has got a basket match first that he cares about. So I'll go there, and then I'll try to go to Rome, park *somehow* *somwehere* (it will be madhouse) and catch the "Peace-Parade" that will be already started of course…..

Coming to comment spam, I've been dealing quite a lot with the old 'b2' (WordPress's progenitor) at one stage, while I could not be asked to upgrade yet. At one stage I'd even coded my own unofficial fix for it to keep it going and mantain my sanity…

Then with WordPress I've enabled a CAPTCHA plugin which takes care of robots and only lets HUMANS place comments.

But now it's the turn of trackback spamming….
Sure, a lot of people have seen it AGES before me, simply because people DO read THEIR blog more than mine….
In a way, this might mean this is starting to be read – gosh! Who makes you read this ? Are you really THAT bored to get to read me?

Anyway, here's a couple of useful links proposing approaches to tackle comment and trackback spam. They might be useful to you too:
http://www.tamba2.org.uk/wordpress/spam/
http://photomatt.net/2005/01/05/trackback-spam/

Also now, I could get some of those plug-ins…. probably. For now I don't have time to test the plug-ins, so I've just hacked my own fix, see if it does. Probably I will have to 'touch' it again, as I might have broken the trackback feature altogether. Well, it will pretty much test itself. Spammers, where are you now ? I'm watching my logs, please try….

[edited: 20th May 2006 - Ok they did send trackbacks tonight and my fix did work ]

All in all, in this case, I tend to partially agree on some points but slightly disagree on others with Joel.

In fact, while I do acknowledge the need of "hardcore" developers to fix and build lower level things and mantain current code (and know WHAT they are doing), there are also many cases where coding in a high level language which abstracts complexity IS actually more efficient and cost effective, not having to reinvent the wheel every time.
So there are a lot of useful and nice programs written by people who DO KNOW what happens under the hood (as good in C as in Assembler), that for simplicity and flexibility run in sandboxes, high level languages, even interpreted ones! An example is Dave Aitel's CANVAS, written in Python. But that's just an example.

But I do agree with En3pY that I don't like Java myself, and I consider it being too "heavy", in general.
Solution on my side, tough, is that you don't need C or assembler to get cleaner, smaller, more efficient code, you just need better languages. An example of this is a situation I have been involved in some time ago: in that case a colleague (that works with a very large customer who has a very large exchange deployment) needed to do some performance testing of this Exchange system. He had done the testing from some Windows IMAP clients, but the customer also wanted to see the same performance values measured from a Linux box accessing the same exchange via the very same IMAP protocol.
So I wrote a nice and sweet Ruby script – and at the same time another colleague developer a similar application (in Java).
Result: 45 kilobytes of .JAR to do the same things I did in 20 lines of Ruby (20 lines – including comments!).

http://lists.immunitysec.com/pipermail/dailydave/2005-December/002747.html

Agree with him or not is up to you, obviously, but I would suggest giving it a read.

I guess it is the result of some HollyWood producer having heard the word "firewall" for the first time, and maybe being told that Dan Brown (who is mainstream these days…) had written Digital Fortress which talks of firewalls, gateways and encryption, and of bypassing the security gate…

They used to scare us with saying you should not use "pirated" software as it might contain malware… now it looks like legitimate, expensive stuff has that too… awesome….

Here Marcus says also that he does not agree with the approach of De-Perimeterisation (moving the firewall from a centralized position to each host).
I admire him and respect him a lot, but I see that he can't imagine a world wihout firewalls, being one of the fathers of the firewalling technology….
But that's provoking. I mean it's just a tease to say that we don't need firewall at all.
Firewall is still necessary, but it will slowly loose its centrality, that's more the point, IMHO.
Attacks will and DO happen more at the application level only, to the point where you pass THOROUGH a firewall anyway, with those ports that are open everywhere (HTTP anyone ?).
So we should harden the machine and protect them LIKE IF there was no firewall.

I do like the De-Perimeterisation instead, like Steve riley says in the "death of the DMZ" (Italian Article/Translation here – Original Speech here).
Sure, ONLY taking care of the data is not enough, and the problem of Transitive Trust he mentions makes sense.
But again, ask 100 to get 10. If you push it to the extreme limit (=no firewall at all) you maybe get people to HARDEN their machines finally.
Then if you got both (hardening AND firewalls)…. well, that's better.
I think at the end of the day what really counts is INCREASING the security measures TO THE HOST level…. so you don't *just* rely on a firewall like many corporations have been convinced to be able to do for years… while being wide open in the soft center with a crunchy shell….

I agree with the comments on Arian Evans. He is cool.
I've attended his talk at BlackHat Europe (http://www.itvc.net/blackhat05/dayII.asp#Arian%20Evans) and it was great fun!

http://www.itvc.net/blackhat05/

Since I had enjoyed the speech very much when I first listened to it, and I found myself in complete agreement with it, I started emailing the link above to some friends to notify them of its existance. Unfortunately italians are not famous for speaking and
understanding english very well… so I found out that many of them could not be bothered to listen to an entire speech
in english without having slides next to it… so they were asking me to "explain it".

Thus, I decided to write it down and translate it for those fellow (illiterate?) nationals. I have asked Steve permission to publish it, and since he agreed, you can now read it here: http://www.itvc.net/opinion/view.asp?id=290

What usually happens when a security bulletin comes out on "patching Tuesday" is that I spend most of the night studying it (I am in Europe, so with the time zone difference, by the time a Security Bulletin is out in America, here is already evening?), to be able to know ins and outs about the new issue/vuln/patch and to be able to explain this to my customers during the days that follow.

I have to admit that the last couple of rounds (GDI+ in September, and the 10 bulletins of October) I have been quite hectic to make it in time – with studying things myself before providing "expert advice" to someone else….

But ISA Vulnerability being patched doesn't mean I can sit down and rest: a variant of MyDoom Worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ai@mm.html) is currently exploiting machines vulnerable to the IFRAME (http://www.securityfocus.com/bid/11515) vulnerability of Internet Explorer.
If you haven't done it yet, install WinXP SP2 which is immune to this vulnerability!

I have been thinking what the right place to post this would have been, since it is a personal opinion about my work. Yes, because this isn't the only space I got now….. Haven?t I told you yet? I got a corporate Blog now!
Yes I started working for Microsoft lately. Yes it's true. Yes it's really me.
Yes I know, I have also been writing anti-Microsoft stuff in the past, sometimes.
Yes I can also use Linux, that's correct, and even do forensic analysis on it.

I am a person first, and a technology tamer second.
Tamer, for I am not really an enthusiast, like many other out there.
I don't particularly like gadgets. Not for myself. But it doesn?t mean I don?t use them ? I do, of course. But it is mainly because I like to understand how stuff works. I?ve always done, I always will; by understanding technology, we can let it behave as WE want – and not the other way around.
This has been, since my early days with a Commodore64 (and all the other machines that passed under my fingers) my drive: understanding WTF that machine is doing, and let it do what I want (you know ? sometimes machines would like to do what they want, but in that case I don't let them?).
Now this is challenging with every technology, and I don't see contraddictions in using them all.

I worked with Microsoft in several situations in the past.
I had been working for years with Microsoft products, I've got Microsoft certifications, and I have worked with Microsoft people on Microsoft projects many times in the past, before joining the corporation myself.

I have had a period of my life where I looked at the competition, too, I admit it, but I then realized I don't like them. I don't like their politics, while I might understand the technologies (from a technical standpoint, as stated before), since technologies are ?neutral? in themselves.

I am back with the old friends now. You?ll hear from me here, or there – it will depend on the subject, and on my mood when posting.

in this he makes some very interesting point as security is achieved through procedures and the mind of people; by those analysts watching at those security consoles, and not the consoles themselves.

[...] SIMS don't live up to the hype, because they're missing the essential ingredient that so many other computer security products lack: human intelligence.[...] The key to network security is people, not products. [...]

these are some interesting passages, and I also like very much this other one:

[...] SIMS require vigilance: [...] staffing requires [...] fulltime employees; [...] and [...] personnel with more specialized skills. Even if an organization could find the budget for all of these people, it would be very difficult to hire them in today's job market. And attacks against a single organization don't happen often enough to keep a team of this caliber engaged and interested.[...]

that is of the reasons I stopped being a 'security officer' lately, and I went back to what I've always liked most: working for a vendor.
Being on the *pure* defense side for long is not going to be appreciated by your very bosses – they might even find you're too expensive for you're giving them a very specialized service they don't even partially understand.
So let be it – when I go to this kind of companies and they are customers for me, they pay more for the same sort of job. And the job is less boring, for you study different situations, of different customers, different products in different environments. It keeps me busier and happier.
[...this thing kinda makes sense to me...]

You can find his announcement of the article on his BLOG http://blogs.msdn.com/michael_howard/archive/2004/10/19/244642.aspx
with link to the article itself.

I prefer to leave anonymus posting capabilities to my visitors, but I don't like helping spammers doing their crap.

linking to a number of sites, to increase their ranking.
it looks like they're having loads of fun.
I don't get the fun of it, tough.

I have read of people writing this sort of crap on wikis too, and I just don't get why people should be so lame to use a public faciliy to write their crap. Possibly is the same sort of people who writes on walls…..

The logs were reporting the posts happened from two IP addresses:
38.119.107.88 and 213.91.217.78.

I now cleared them. If they continue I will have to deactivate the possibility for people to answer/comment to posts…. which would be a pity.

[original text of the interview in english]

I've also interview Jeff Moss – and that's an interview that rocks

[original version of the interview in English]

They must have read the bottom of this !
Yes, they did, and then they wrote me this mail.

http://www.muscetta.org/gustavo.html

Guys, I am sincerely sorry.
The words used are misleading.
I strongly disagree with classist definitions.
But I put it there to link to what Lance told me that in our interview.

I mean: is true that in east europe there is alot of cracker's activity. That's a real information.
But is only PART of the information. Not all is coming from there.
As there is far more SPAM coming from the US for example, just to mention one!

SECOND INFORMATION (no need to blog twice):
I posted a paper about an evolution of the honeytoken concept: the 'honeytag'.
(link to text written in Italian)
http://www.itvc.net/opinion/view.asp?id=281

Is is notoriously a joke day, and I've seen many of them today.

That of NMRC (www.nmrc.org) was the best.
I mirrored it here

Also XS4ALL's helpdesk team instructions on how to connect a coffe machine in broadband weren't bad at all. Also mirrored this here.

At first it seemed it was something fantastic.

Now even the average user is starting to notice how dangerous it can be.
I am not going to write a lot of FUD.
I just want to think about which the issues are at the moment.

PCs and their use evolved with a speed that was untough of before.

But in the frenzy of giving the masses "easy to use" graphical interfaces, and functionalities to attract them and create the current addiction to substain the market itself, we forgot to teach the people.
We forgot to build in security other than features, we forgot to let people understand WHAT they were using, and how it worked.
And even how it could misused, so that we could PROTECT ourselves.

I used to be quite drastical in thinking that people should just not use personal computers… what do they need them for?
I just mean thje normal people, those who find it difficult even to operate them, let's keep troubleshooting aside!
I was of the idea that a computer should be user by someone who knows how to use it.
But my retro-thinking was obviously destined to fail, as the IT-revolution was spreading more and more and pcs were moved from the specialist's room to the lounges of the normal "average" people…
'Simple' Computing, GUIs, and a huge amount of features made it accessible to the masses.

The issue with vandals: bad crackers, defacers, virus writers, script kiddies….
The society does not tell our youth the truth.
Our modern society tells kids a 'double message': on one side it condemns these behaviours, one the other side it glorifies them.

Hackers are celebrated in movies.
Breaking things gets subliminally presented as being something COOL, something you have to do, if you want to be like your heroes on telly…

and then the guys who fall in the trap on the media and actually behave this way get busted, condemned, punished, and moreover we are creating more and more restrictive laws to block these things.

Not that you should follow everything you see, of course, but it becomes increasingly challenging and difficult for a parent to counterfight this messages of the media, of the society.

As a parent I am afraid.
How much strenght do we have as parents and educators, against the massive power the media have ?
How much influence do we manage to keep on our kids ?
How many parents ARE actually aware of these issues ? Some don't even know the full story themselves…

[Thanks for the image to the guy I stole it from (who actually found it around as well) - www.networkintrusion.co.uk]

So then we have to hear around abou these terrible criminals… well, there might be those as well. Certainly they are there. But there is also another phenomenon: kids loving the thrill of something illegal, for its own sake.
I don't know how much jail time is going to solve the issue, and how much should we rather watch at teaching values to our young men…
I see it as more of a social issue than – again – the media would like to let us believe….

The article up here really caught my attention.
It is sort of something I have been thinking for a while now.
We need to give more education to the end users, not to scare them with complicated matters.
The world of IT Security in particular, keeps a great distance between who's working in the field and who's not. Who is not working in ITSEC, the normal people that compose a huge percentage of Internet hosts… they just don't understand the matters enough.
Telling them to apply patches, to set up firewalls, to use antiviruses and to respect our known, consolidated best practices is not going to fix the situation. We use a language that is not immediately understandable, too technical, too detailed, lacking analogies, metaphores, etc.

We don't need to scare them.
The approach of scaring people to push them to protect themselves is not a good approach.
Because that's what we do. Or better, that's what the IT industry and the press mainly do.

And Beware: I don't mean only scaring them against the problems and the risks. That might even be acceptable.
What I am afraid of, is that we scare them about the solutions to the problem!
When they hear or read of a virus named with twenty different names, with several numbers to understand which is the right patch to put on… even the more determined "normal people" give up.
I still see people at my work coming to me asking for help with their home pcs, and I am dispensing floppies with removal tools and patches… and a couple of words of awareness.
Tools and patches are not enough on their own.We need to TALK to them.

People need reasons, as they tend to move aside from what they do not understand.
And computers are still not understood by the big masses.
They might be using them. This does not mean that they are actually feeling confident at all about them.
The PC revolution has allowed the computers to get out from datacenters and to populate the living rooms of the average families.
Well, most people just want to use this technology as an improved TV…. reading news, sending mails.
They don't necessarily want to be involved or just to bother listening to scary stories of hackers, unnumbered lists of security bulletins, or patches, or viruses.
Let's be serious for a moment: my mother finds a videorecorder still cumbersome to use, but she does sends emails and surfs the web. How is she supposed to understand the concepts of bugs, exploits, patches, and so on?
They normal users still keep a semplicistic approach to the problem, similar to that they would have for a car: "when it is broken I'll have someone fix it". They don't understand the consequences that this kind of technology can take with it. And we are just about to give this technology an extra boost of capillarity, pushing internet on mobile telephones and various devices…
IPv6 is designed to cover an immense address space, with the backing idea of providing each individual a large number of addresses for each devices.
Who is going to explain to that granny, tomorrow, that the thieves got into her house and deactivated the alarm of the house having gained elevated privileges with a buffer overflow on the old software (not patches) of the dish-washer, which is networked with the rest of the world?
People don't want to become insane running after their technology gadgets.
We, geeks, might do, but the rest of the world doesn't.
They just want to use technology that makes life easier, not more complicated.

We need to make "simple people" aware of the ever increasing importance of security, but I would rather be happy of doing that by showing them that it is not as complicated as we present it now. They have to get aware that with each one of us following best practices, we can keep the whole world in a better state. We are citizens of the Net, and we have to be "good neighboors" to the other inhabitants of cyberspace. When our security means not being a pending danger for th other IP addresses (think of a worm spreading…each one ontaged becomes – unwillingly – an attacker), maybe the message gets through.
It might evoke/awake that bit of love that people still have for each other.

But in order for this to be effective, we have to support our explanations, our "transmission of knowledge" with a simple language. And we have to support it with first line initiatives.
For example, there are different kinds of broadband providers: there are those whose commercial pushes the message "your pc is connected day and night! WOW!" without showing ANY possible negative side. Being on the internet day and night might be nice, but it does carry risks. And those risks don't get usually explained.
A loud "BRAVO !" goes to those which give them a personal firewall package as default part of their package, instead. Showing an effort to protect them.
It's kind of having all the cars being equipped with seat belts, which is what it happens today: everybody uses a car, still we are aware that it is risky.
Well, this risk is not "visible" to the standard, end computer user.
We need to show them the risk in clear terms, and provide them adequate protection out of the box.

We need to simplify their involvement, but making them aware that they ARE indeed involved.
They are involved in keeping the internet a better place for everybody.
To achieve this we have to help them grasp what happens.
With simple language. With examples.
With Solutions, but without high costs.

What can we gain? The Internet will be a better place.
What we risk if we don't? The Internet itself. The TRUST of people in the technology itself.

Who knows – as the article I quote at the begining says – if we might finally convince people not to open attachments….

…we all have read about Microsoft releasing a patch that gave some people trouble with RRAS Services.

I have instead being the lucky guy who's got another – similar – problem with it: on a machine with Microsoft Proxy Server 2.0 running into IIS3, the "Web Proxy" service would not start.
The "World Wide Web Publishing Service" starts, but from Internet service manager the "Web Proxy" module appears as Not Running.
I looked at the property of the WWW Service in Internet Service Manager, where the field "User" (for Anonymous Authentication) is indeed EMPTY, instead of containing the usual IUSR_SERVERNAME.
But, funny enough, the value with the correct user name IS in the registry (HKLM/System/CurrentControlSet/Services/W3SVC/Parameters ….). It's still IIS3, then it is in the registry, it does not have a metabase. But is DOES not get read !!
Uninstalling the patch, the service works again, and the user is correctly displayed.
I KNOW that the vulnerability is considered "Moderate" since no native service can expose it remotely.
On the other hand, on the very same machine a third-party SMTP Virus-Scanning product is also installed, which MIGHT make use of the "dangerous" API, and expose the flaw remotely…. very remote possibility, but still I like to have my systems patched…. maybe a maliciously crafted mail could trigger the vulnerability (?worst case scenario?), like in a bug of sendmail of some time ago…..

And this was the bad new.

The GOOD new is that Microsoft supplied me the hotfix they released for the RRAS issue, and it also fixes this problem.
I am one week late, but my system is patched.

Digression:
The hotfix in question is numbered Q825501 – I wonder how one is supposed to REMEBER all of these numbers… which relation does it have with the original "823803" ?… which again is referred to security bullettin MS03-029…

But OK, the issue was the fix, and the fix works. That's important.

It includes an interview with Lance Spitzner (translated in Italian).

The original (untraslated) text of the interview with Lance is instead to be found on http://www.muscetta.org/spitzner_interview.txt.

I would appreciate having feedback on that one. Just feel free to email mail about it.