Every year I write up one of these trip reports as well, but this time circumstances conspired against me. Several very serious customer issues arose while I was travelling, plus a serious illness of a family member back at home (guilt guilt guilt for leaving), really made it hard to get fully immersed into the Summit.
As usual, Microsoft did a tremendous job taking care of us, which (by proxy) is taking care of their customers.
I wore my Linux "tux" lapel pin right next to my MVP pin, and (as usual) was well received. The usual good-natured ribbing, but I have never even once gotten the slightest hint of real pushback.
The regional dinner on Monday was nice: the food was excellent, and I got to meet some of my MVP friends outside the security specialty that I knew online, but would never run into otherwise - it was a huge crowd. But, as Blake suggested, the emcee for the night was badly matched to the crowd, and it took about 30 seconds for me to realize it was not going to go well for us tonight - it was very painful. I addressed this threat with frequent trips to the bar to the point of overcompensation :-)
We managed to get a group photo (from the professional photographer there) of all the DSLR MVPs who were there, and at some point I'll figure out how to retrieve it and post.
Tuesday was a very rough day for me: horribly serious meltdowns at two customers, very poor wireless to be able to address it, and I was completely preoccupied all day - really just sick about it.
I did catch most of Bill's talk, and though he's an amazingly insightful guy, it was certainly more dry than the usual Steve Ballmer fare. Steve B is a fantastic speaker, and I missed having him speak.
There was a substantial Q&A session, and it's clear that a lot of MVPs think that question time == speech time. Last Summit I asked all the executives one simple question: "Are you an administrator on your own desktop", but Vista makes this question less interesting. Had I not been so preoccupied, I would have asked "What happened to 'spam problem solved in two years'?" Oh well.
In the afternoon I did catch parts of the Longhorn Server directions talk, and one on SQL Server, but I was in the throes of horrible meltdowns. It was an awful afternoon - Tuesday was mostly lost to me.
The Museum of Flight in the evening was really tremendous. It's at Boeing Field, and it's a huge place. I was commenting with somebody as I went in: "Too bad they don't have a Blackbird", and the reply was "They have two". You really can touch an SR-71. Wow!
A huge spread, all the MVPs were there, and even though I am not really a museum type, I found plenty to enjoy. I could certainly take a whole day going through this place.
The food was good (though not nearly as good as at the regional dinner), but the bars were all properly stocked. I still had my nightmares on my mind, so left a bit early and tried to attend to them back at my hotel.
Turns out I could not get wireless in my room and the Ethernet didn't work, so the only thing I could do was camp out in the hotel bar and get a weak wireless signal from somewhere else in the hotel. 10% packet loss makes Remote Desktop tunneled through SSH very painful.
By Wednesday, my nightmares were more under control so I was able to attend the sessions, and I managed to take good notes on a few of them.
I got interrupted a lot during the BitLocker (drive encryption) talk, and this really disappointed me because I wanted to really understand this with respect to the TPM (Trusted Platform Module).
I know that TPM is controversial, and I am sure that there are things it's used for that I'd not be happy with (lots of the DRM is probably that way), but the ability to well and truly encrypt a drive is both an important and a hard problem when you look at all the angles.
Hint: the consumer/home laptop is not the hardest problem, it's the enterprise where you really do need key recovery and the like. Sadly, I did not manage to take any notes on this.
Longhorn Server Security & NAP
This was a useful talk that mostly addressed NAP - Network Access Protection - which I have been interested in for the last coupla Summits. It addresses (among other things) the problem of the idiot sales VP bringing his infected laptop to work and hosing the corporate network: why attack the firewall when you can just send your malware in via diplomatic courier?
When the idiot VP connects up, he gets an IP address that gives access to a very limited set of resources (certainly not the whole network).
A System Health Agent on his laptop presents a Statement of Health: my A/V is this much up to date, scan last run on $DATE, patched up to this level, etc., and a server compares that with policy. If the system is "healthy" - as defined by the network admin - it's given access to the rest of the network.
If unhealthy, then the network access is widened slightly to allow access to a Quarantine Server - here it receives remediation services. Here's this patch, here's that A/V update, please try again.
The machine submits a new Statement of Health, and the process runs again.
The interesting question came up about access to the System Health Agent API: it's available only under NDA. The problem with asking a remote system "How healthy are you?" is that it's possible for it to lie, and it strikes most of us as plausible that malware may attempt to spoof the health checks.
In this respect, NAP is not a hard-core security boundary, but merely an attempt to make the problem better. I really like it.
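Added example (not part of the original write-up, and not Microsoft's code or the NDA-only System Health Agent API): the admission loop above as a small Python model. A Statement of Health is compared with policy, each failed check is remediated from a quarantine server, and the client resubmits until it is healthy or gives up. The three checks, the policy thresholds and the quarantine server's catalog are all constructed for the demo. Note that `evaluate` takes every field of the statement at face value, which is exactly the self-reporting limitation just discussed.

```python
from dataclasses import dataclass, replace
from datetime import date

# Constructed model of NAP's Statement-of-Health exchange. The class names and the
# three checks are this example's own simplification, not Microsoft's agent API.


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client *claims* about itself; nothing here is verified by the server."""
    av_signature_version: int   # A/V definition set the agent reports
    last_scan: date             # date of the last A/V scan it reports
    patch_level: int            # highest patch bundle it reports


@dataclass(frozen=True)
class HealthPolicy:
    """Set by the network admin: what 'healthy' means on this network."""
    min_av_signature_version: int
    max_scan_age_days: int
    min_patch_level: int


@dataclass(frozen=True)
class QuarantineServer:
    """What remediation can hand out (hypothetical catalog contents)."""
    av_signature_version: int
    patch_level: int


def evaluate(soh, policy, today):
    """Compare a Statement of Health with policy; an empty list means healthy."""
    failures = []
    if soh.av_signature_version < policy.min_av_signature_version:
        failures.append("av_signatures")
    if (today - soh.last_scan).days > policy.max_scan_age_days:
        failures.append("scan_age")
    if soh.patch_level < policy.min_patch_level:
        failures.append("patch_level")
    return failures


def remediate(soh, failures, server, today):
    """Apply what the quarantine server offers and return the updated statement."""
    fixed = soh
    if "av_signatures" in failures:
        fixed = replace(fixed, av_signature_version=max(fixed.av_signature_version,
                                                        server.av_signature_version))
    if "patch_level" in failures:
        fixed = replace(fixed, patch_level=max(fixed.patch_level, server.patch_level))
    if "scan_age" in failures:
        fixed = replace(fixed, last_scan=today)  # a scan is run on the spot
    return fixed


def admit(soh, policy, server, today, max_remediations=3):
    """Restricted address -> evaluate -> quarantine/remediate -> resubmit.

    Returns (access, submissions, final_soh); access is "full" or "quarantine".
    The client stays quarantined if remediation cannot bring it up to policy.
    """
    submissions = 0
    while True:
        submissions += 1
        failures = evaluate(soh, policy, today)
        if not failures:
            return "full", submissions, soh
        if submissions > max_remediations:
            return "quarantine", submissions, soh
        soh = remediate(soh, failures, server, today)


def demo():
    """Constructed scenario: the sales VP's stale laptop, with a current and a lagging quarantine server."""
    today = date(2007, 3, 14)
    policy = HealthPolicy(min_av_signature_version=1200, max_scan_age_days=7, min_patch_level=12)
    stale = StatementOfHealth(av_signature_version=1100, last_scan=date(2007, 2, 1), patch_level=10)
    current = QuarantineServer(av_signature_version=1205, patch_level=12)
    behind = QuarantineServer(av_signature_version=1205, patch_level=11)  # cannot supply patch 12
    return {
        "initial_failures": evaluate(stale, policy, today),
        "with_current_server": admit(stale, policy, current, today)[:2],
        "with_behind_server": admit(stale, policy, behind, today)[:2],
    }


if __name__ == "__main__":
    print(demo())
```

The lagging-server case is the one worth watching in a real deployment: a client that can never reach policy sits in quarantine forever, so the remediation catalog has to be kept at least as current as the policy it is meant to satisfy.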
We asked about dealing with unmanaged devices: you have an HP printer on the network that's obviously not capable of engaging in these health-check dialogs, and it wouldn't be so hard for a bad guy to unplug the printer and jack in a laptop with the same IP. How do you fix this? "It's a hard problem."
They deployed NAP full to the Microsoft campus, and found it went incredibly smoothly. I would not have expected this to go so well, so this is a good sign.
They talked about using IPSec for server and domain isolation, and though interesting, that's mainly so in an enterprise environment.
What I was really excited about, both in Vista and Longhorn Server, is VPN Routing Compartments. Essentially: each network interface and user session can have its own routing table, so when Dad is logged in with the VPN to work, the kids (logged in via their own accounts) do not have access to those VPN routes and can't infect the corporate server by whatever crap they are downloading.
This is in Vista now, and I love it. I'm curious to see how it's implemented (I've never heard of this kind of thing for Linux).
This was all part of the complete rewrite of the IP stack, and others have commented that this is going to open the door for a new round of bugs. This is probably true, in the sense that new code is less reliable code, but to accomplish what they wanted to do, a clean slate was probably necessary.
Windows CardSpace
I had never heard of this before, and was really intrigued. This is about the identity metasystem, and the oversimplified description is that it's vCards for websites.
You can have personal cards that you create, or managed cards issued by a business or organization, and they're all containers for personal information.
Example: you visit a website and wish to login. If the website supports CardSpaces, you click the proper button and your browser brings up a list of your cards - you can pick one to send, and it provides whatever information is included.
The request for a CardSpace includes a list of things it wants, and it can include both required and optional components. "Name" and "Email address" might be required, while "city, state, gender, date of birth" might be optional, and the selector only shows cards that satisfy the requirements.
Your personal card includes whatever you care to provide, but a company-issued card (which might include your employee number, signed by the issuer) may well be what's required to provide you access to company websites.
There are all kinds of provisions to give you complete control over which data you send, how this solves much of the phishing problem, and it addresses all kinds of other problems of secure identity provision.
I am doing it a disservice by describing it poorly: better to read about it yourself - example ref here:
http://msdn2.microsoft.com/en-us/library/aa480203.aspx
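Added example (my own construction, not from the original write-up and not the CardSpace wire format or API): the selection step described above in Python. A site's request names required and optional items, the selector offers only cards that hold every required item (and, for a company site, only cards from the demanded issuer), and the token built from the chosen card carries the required items plus whatever optional ones the user agrees to release. The card contents, the claim names and the issuer "ExampleCorp HR" are all made up for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of CardSpace card selection; names and data are this example's own.


@dataclass(frozen=True)
class Card:
    label: str
    issuer: str        # "self" for a personal card, otherwise the issuing organization
    claims: dict       # claim name -> value held in the card

    def satisfies(self, request):
        """Offered only if it holds every required claim and comes from the demanded issuer, if any."""
        if request.issuer is not None and self.issuer != request.issuer:
            return False
        return request.required.issubset(self.claims)


@dataclass(frozen=True)
class CardRequest:
    """What a site asks for when you click its CardSpace button."""
    required: frozenset
    optional: frozenset = frozenset()
    issuer: Optional[str] = None   # a company site may insist on its own managed cards


def matching_cards(wallet, request):
    """The selector shows only cards that can satisfy the request."""
    return [card for card in wallet if card.satisfies(request)]


def build_token(card, request, send_optional=frozenset()):
    """Release the required claims plus the optional ones the user opted into; nothing else leaves the card."""
    claims = {name: card.claims[name] for name in sorted(request.required)}
    for name in sorted(request.optional & send_optional):
        if name in card.claims:
            claims[name] = card.claims[name]
    return {"issuer": card.issuer, "claims": claims}


def demo():
    """Constructed wallet: two personal cards and one managed (employer-issued) card."""
    wallet = [
        Card("Personal - minimal", "self", {"name": "Steve"}),
        Card("Personal - full", "self",
             {"name": "Steve", "email": "steve@example.com", "city": "Anytown", "state": "ZZ"}),
        Card("ExampleCorp employee", "ExampleCorp HR",
             {"name": "Steve", "email": "steve@examplecorp.example", "employee_number": "E-12345"}),
    ]
    # A shopping site: name and e-mail are mandatory, the rest optional.
    shop = CardRequest(required=frozenset({"name", "email"}),
                       optional=frozenset({"city", "state", "gender", "date_of_birth"}))
    # The company intranet: must be an ExampleCorp HR card carrying an employee number.
    intranet = CardRequest(required=frozenset({"name", "employee_number"}), issuer="ExampleCorp HR")

    shop_choices = matching_cards(wallet, shop)
    # The user picks the first match and agrees to send city and date of birth (the card has no DOB).
    token = build_token(shop_choices[0], shop, send_optional=frozenset({"city", "date_of_birth"}))
    return {
        "shop_choices": [c.label for c in shop_choices],
        "shop_token_claims": token["claims"],
        "intranet_choices": [c.label for c in matching_cards(wallet, intranet)],
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the site never sees the card as a whole: the minimal card is not even offered for the shop, the full card gives up only name, e-mail and city, and the intranet request cannot be satisfied by anything the user typed in themselves.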
User Account Control
This was given by none other than Mark Russinovich, formerly of SysInternals and now of Microsoft. He used to be an MVP, so was well acquainted with us :-) He gave a great presentation.
Note: I have not used Vista yet and don't have any direct experience with UAC.
Most of the experiences with UAC are in those prompts, but it's really interesting to see what goes on under the hood - there is a lot of virtualization that makes it possible to run poorly-written software in a safe way on Vista.
Virtualization of the filesystem and the registry are two key parts: if an application is running in virtualized mode, then writes to key areas are put in a per-user area rather than attempting to modify system-wide data.
%ProgramFiles%
%AllUsersProfile%
%SystemRoot%
%SystemRoot%\system32
Attempts to write to these are redirected to %YourUser%\AppData\Local\VirtualStore\$PATH, and it's all transparent to you.
As a non-admin user, you could get to a command prompt and go to the C:\Windows directory, and attempt to create a file there. Let's see how it works on XP:
Start » Run » cmd:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\steve>cd \windows
C:\WINDOWS>echo hello > test.txt
Access is denied.
C:\WINDOWS>
This is as it should be.
But in a Vista executable that's running with virtualization, this succeeds, but (without our knowing it), the write is redirected to a private virtual store under your own user profile area.
If, in the C:\windows directory, you attempt to "dir *.txt", you'll see the file as if it really was in that directory.
The virtualization flag is settable in Task Manager, so he could toggle it on and off for the command window example - we could see the access-denied message when he disabled it.
Similar virtualization is for HKEY_LOCAL_MACHINE\Software and a few other obvious locations.
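Added example (a constructed Python model of my own, not the original write-up's code and not how Vista actually implements it in the kernel): the file-side of the virtualization described above, replaying the "echo hello > test.txt" session from the XP example. Writes under a protected root go to the user's VirtualStore, reads see the private copy first, a directory listing merges the two, and switching the flag off (the Task Manager toggle) gives the XP "Access is denied." instead. The protected roots are assumed expansions of %ProgramFiles%, %AllUsersProfile% and %SystemRoot%, and the user name "steve" is taken from the XP session.

```python
from pathlib import PureWindowsPath

# Constructed model of UAC file virtualization. The roots below are assumed
# expansions of %ProgramFiles%, %AllUsersProfile% and %SystemRoot%; the redirect
# target mirrors the %LocalAppData%\VirtualStore layout described above.
PROTECTED_ROOTS = [PureWindowsPath(p) for p in
                   (r"C:\Program Files", r"C:\ProgramData", r"C:\Windows")]


def virtual_store_path(user, path):
    """Where a write to `path` lands for `user`, or None if the path is not protected."""
    path = PureWindowsPath(path)
    for root in PROTECTED_ROOTS:
        if path == root or root in path.parents:        # comparisons are case-insensitive
            relative = path.relative_to(path.anchor)    # strip the drive: Windows\test.txt
            return PureWindowsPath(r"C:\Users") / user / r"AppData\Local\VirtualStore" / relative
    return None


class VirtualizedProcess:
    """A non-admin process's view of the disk, with or without the virtualization flag."""

    def __init__(self, user, disk, virtualization=True):
        self.user = user
        self.disk = disk              # PureWindowsPath -> content: the real, admin-only locations
        self.store = {}               # redirected PureWindowsPath -> content: the user's VirtualStore
        self.virtualization = virtualization

    def write(self, path, content):
        path = PureWindowsPath(path)
        redirect = virtual_store_path(self.user, path)
        if redirect is None:                  # not a protected location: ordinary write
            self.disk[path] = content
            return path
        if not self.virtualization:           # XP behaviour, or the flag switched off
            raise PermissionError("Access is denied.")
        self.store[redirect] = content        # transparent redirect
        return redirect

    def read(self, path):
        """The private copy shadows the real file, so the app sees its own write."""
        path = PureWindowsPath(path)
        redirect = virtual_store_path(self.user, path)
        if self.virtualization and redirect in self.store:
            return self.store[redirect]
        return self.disk[path]

    def listdir(self, directory):
        """'dir' merges the real directory with the matching VirtualStore directory."""
        directory = PureWindowsPath(directory)
        names = {p.name for p in self.disk if p.parent == directory}
        redirect = virtual_store_path(self.user, directory)
        if self.virtualization and redirect is not None:
            names |= {p.name for p in self.store if p.parent == redirect}
        return sorted(names, key=str.lower)


def demo():
    """Constructed scenario: user 'steve' writes test.txt into the Windows directory."""
    disk = {PureWindowsPath(r"C:\Windows\readme.txt"): "original"}   # constructed admin-owned file
    vista = VirtualizedProcess("steve", dict(disk), virtualization=True)
    wrote_to = vista.write(r"C:\Windows\test.txt", "hello")
    vista.write(r"C:\Windows\readme.txt", "edited")    # shadows the real file, does not alter it
    xp_like = VirtualizedProcess("steve", dict(disk), virtualization=False)
    try:
        xp_like.write(r"C:\Windows\test.txt", "hello")
        denied = None
    except PermissionError as err:
        denied = str(err)
    return {
        "redirected_to": str(wrote_to),
        "dir_windows": vista.listdir(r"C:\Windows"),
        "read_back": vista.read(r"C:\Windows\test.txt"),
        "readme_seen_by_app": vista.read(r"C:\Windows\readme.txt"),
        "readme_on_disk": vista.disk[PureWindowsPath(r"C:\Windows\readme.txt")],
        "without_virtualization": denied,
    }


if __name__ == "__main__":
    print(demo())
```

The shadowing case is the one that bites administrators: the application is convinced it edited a system file, but the real copy is untouched and every other user still sees the original, which is why a "fixed" config that mysteriously does not take effect is worth checking for in VirtualStore.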
I didn't get good notes for this, but they had a handful of other AppCompat-like settings for how to fake out an application that really insists on running as an admin - the one that comes to mind is lying to the app about whether the user is a member of the Administrators group or not.
This is necessary for that poorly-written application that checks for group membership rather than access to the actual resources involved, and this fooler mechanism helps get around it.
They also support the notion of process Integrity Levels, which limit how two processes can interact. A low-integrity process (like IE) is not allowed to do "stuff" to a higher integrity process: this includes things like write memory, send certain kinds of window messages, and other mechanisms of interprocess control.
This means that even if IE is compromised, it limits what the bad stuff can do. The whole notion of integrity levels is kinda complicated (but comes from classic security compartmentalization), and looks to be a really good effort.
Mark urged us not to turn off the UAC prompts: when you get Vista, you're going to do lots of knob-turning for the first few weeks, and this overemphasizes what the long-term experience will be like. Once it settles down, you'll get many fewer prompts, and it should be a lot more manageable.
Unfortunately, I haven't tried any of this yet, but considering that I run as non-admin on my own XP desktop (and have been for years), I'm confident I'll keep the UAC prompts when I finally dive in.
----
This marked the end of the day's sessions, so we headed off to the Microsoft Company Store for some booty, and then to the platform dinners that evening.
It was just the Security MVPs, and seemed kinda lightly attended by Microsoft people. The food (and white wine) ran out early, but I did get to two-step with CalamityJane - that's always a pleasure. She's such a sweetie.
----
Friday morning I was only able to attend one session, on Windows Defender, but it was entirely Q&A and I didn't keep any notes. The presenter was very good, and he touched on lots of issues of A/V comparisons and how the Microsoft anti-malware offerings didn't score so well.
He made the case that some of the comparisons weren't entirely fair, but others were and he said it was a big wakeup call for them. I bet :-)
At that point I hopped in a cab with dave to the airport and headed home.
Whew.