Cheap Hack
 
Showing 1-10 of 67 records
 

Life Is A Technology Museum

2008-07-05 20:13:08 by Editor in Cheap Hack
 
I went this morning with my family to the Museum of Natural History on Manhattan's Upper West Side. In the subway I noticed one of the machines that sells MetroCards (the fare cards for the NYC transit) rebooting. I wasn't able to get my cell phone camera going until it was in the boot-time banner. Turns out the machine was a bit of a museum piece itself. Before that I watched it in blue-screen mode and observed that it was running Windows NT 4.0 Workstation Service Pack 3. Wow, that's pretty old. There hasn't been any support at all for NT 4 since January 2005, and that was for Service Pack 6 I believe. To date the software, SP3 was released 8 years ago. Back to the MetroCard machine itself, there's some more detail on the screen: The banner is customized with "Metropolitan Transportation Authority" and it says, I think, "with CTS AVM". I did a little Googling and struck out on what that means. If any of you can help me out I'm curious. The moral of this story is an old one, how technology users can be incredibly conservative, or perhaps "thrifty" is the right word. I ought to follow up with the MTA to see if they plan to leave these systems as-is. Yeah, maybe "if it ain't broke don't fix it," but why did it reboot?
 
 
 

Tip: Does Your Server Really Need a Recycle Bin?

2008-07-02 08:54:44 by Editor in Cheap Hack
 
This is obvious when you think about it. What might you do, operating on the server itself, for which you need a recycle bin? In fact, for some, like Terminal Servers, you might need them, but not on others like a web server. In the meantime, it turns out to be a potential liability there. Thanks to The Elder Geek, by way of the SBS Diva blog (read this one for better details), for pointing this out. Susan, the SBS Diva, recently had a server compromise, and it turns out that the attackers used her web server's recycle bin as a video repository. Why? Because it's hidden. Removing the recycle bin won't stop someone from compromising your server, but it will take away one place they can hide once they get in there, so you might discover the breach sooner. And if you don't delete it, at least cut it down in size from the default 10% of space, which is far too big for a server, and probably for most client desktops.
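One way to check whether a server's recycle bin is holding more than it should, as an added example that is not part of the original post. The function name `Get-RecycleBinUsage`, the 100 MB threshold and the file-name heuristic are assumptions made for illustration; the folder names are `RECYCLER` on NTFS volumes of Windows 2000/XP/Server 2003 and `$Recycle.Bin` on Vista/Server 2008 and later.

```powershell
# Added example: report size and unusual contents of every per-user
# Recycle Bin folder. Run elevated so all per-SID subfolders are readable.
function Get-RecycleBinUsage {
    param(
        [string[]]$Roots,
        [int]$ThresholdMB = 100   # assumed alert threshold, tune per server
    )
    foreach ($root in $Roots) {
        foreach ($name in 'RECYCLER', '$Recycle.Bin') {
            $bin = Join-Path $root $name
            if (-not (Test-Path -LiteralPath $bin)) { continue }
            # One subfolder per user SID; -Force because they are hidden/system.
            $sidDirs = Get-ChildItem -LiteralPath $bin -Force -ErrorAction SilentlyContinue |
                       Where-Object { $_.PSIsContainer }
            foreach ($dir in $sidDirs) {
                $files = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                           Where-Object { -not $_.PSIsContainer })
                $bytes = 0
                foreach ($f in $files) { $bytes += $f.Length }
                # Heuristic (assumption): items deleted through the shell are
                # stored as $I*/$R* pairs (Vista+) or D<drive><n> entries plus
                # INFO2 (XP/2003). Other top-level names were probably written
                # into the folder directly and deserve a look.
                $odd = @(Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue |
                         Where-Object { $_.Name -notmatch '^(\$[IR].+|D[a-z]\d+(\..*)?|INFO2|desktop\.ini)$' })
                [pscustomobject]@{
                    Folder   = $dir.FullName
                    Files    = $files.Count
                    SizeMB   = [math]::Round($bytes / 1MB, 1)
                    OddNames = $odd.Count
                    Review   = (($bytes / 1MB) -gt $ThresholdMB) -or ($odd.Count -gt 0)
                }
            }
        }
    }
}

# Audit all fixed, ready drives on this machine.
$fixed = [System.IO.DriveInfo]::GetDrives() |
         Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
         ForEach-Object { $_.Name }
Get-RecycleBinUsage -Roots $fixed | Format-Table -AutoSize
```

Rows with `Review` set to True are the ones to inspect by hand; on a web server with no interactive users, any non-trivial size is worth explaining.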
 
 
 

Microsoft To Deliver Office Hotfixes in Scheduled Cumulative Updates

2008-07-01 17:34:40 by Editor in Cheap Hack
 
Microsoft has announced, in the Office Sustained Engineering blog, that they will be moving away from the current weekly schedule for the release of Office hotfixes. Instead, every 2 months a cumulative update will be released. The first such update will appear in August, 2008. The blog announcing the development does not go deeply into the reasons for the change, other than to say that "[t]he primary goal is to deliver high quality fixes in a predictable timeframe." It's also possible that, being more cumulative than individual hotfixes, the new updates will keep configurations more consistent, and therefore testing easier. On the other hand, the blog says that, even though the updates will come in a package with multiple updates, "...[c]ustomers accepting hotfixes will not be required to install anything more than they install today in order to take advantage of a cumulative update." So that sounds like you can pick and choose hotfixes to install from the package. Customers will also still be able to demand "Critical on-demand (COD) hotfixes." These are for emergencies only, and presumably they are rare. The new approach will not change the schedule or contents of public updates, including service packs and security updates.
 
 
 

Limitations in Scrawlr

2008-06-27 07:18:51 by Editor in Cheap Hack
 
One of the measures Microsoft recently took in reaction to a wave of SQL injection attacks was to point people to the crawling tool Scrawlr from HP. Now Mike Tracy of Matasano Security has a blog discussing some of the limitations in that tool and how to get around some of them. They refer to it as "... a cripple-ware SQL injection scanner" and don't seem to have a very high opinion of it, but also argue that it's not nothing, although there are better crawlers out there. Personally, I don't think Microsoft was overselling Scrawlr. If that was all they announced the other day then it would be worth ridiculing, but they also announced a source code analysis tool (probably the most effective of the three tools they announced) and a new beta of UrlScan to monitor for some SQL injection attacks live on the site. But they also made it clear that the real solution to SQL injection is to write your applications in a way that resists it, generally with parameterized queries instead of dynamic query building.
 
 
 

Feds Ready for IPv6 D-Day

2008-06-27 06:53:53 by Editor in Cheap Hack
 
In August 2005 the White House issued a policy "... directing all Federal government agencies to transition their network backbones to the next generation of the Internet Protocol Version 6 (IPv6), by June 30, 2008." That would be this Tuesday. The requirements in that directive were not especially difficult, and it appears that it will be met. Agencies are not required to move their traffic to IPv6 at this stage, just to demonstrate that they can properly handle IPv6 traffic on their backbones. So it's more an issue for routers than for servers, for example. There are no requirements in place for further adoption of IPv6. Such requirements and such adoption are inevitable for the next administration though, as the depletion of the IPv4 address pool is scheduled to happen on its watch.
 
 
 

Trend Micro Fed Up With WildList Testing

2008-06-09 14:45:29 by Editor in Cheap Hack
 
Since my recent column on the failures of the WildList and anti-malware certification there has been a small firestorm of commentary in the anti-malware community on the subject. In e-mail and security list discussions both pro- and con- arguments have been bandied about. For instance, Andreas Marx (who, it must be said, is a competitor of the WildList-based services) pointed to a presentation he and Frank Dessmann made at the Virus Bulletin 2007 conference called "The WildList is Dead, Long Live the WildList!". In it they show how small, poorly-chosen and out of date the malware sample in the WildList is. VB100 certification, which is a contract test performed by certain labs to verify detection of all items in the WildList, has been a marketing imperative for years. Now it turns out that Trend Micro, one of the largest companies in the business, is turning its back on the WildList and VB100 certification. I contacted Raimund Genes, CTO Anti-Malware at Trend Micro, and asked him to thank me for inspiring their new policy, but it turns out they have been thinking about it for a while. It's not just the problems in the content of the WildList, it's also the test procedures. WildList testing is performed off the Internet, on an isolated LAN. I actually did some of this testing many years ago and the systems doing the tests were completely offline. Back then (it must have been 1999 or 2000) it might have been defensible, but now products like Trend Micro's use online reputation services in order to avoid false positives and detect new threats, so there's no way you can do a good test offline anymore. The presumption, and it's a fair one, is that their customers will be online so you may as well take advantage of the fact. While there are good testing services available, there's nothing quite like the WildList for a benchmark. The results from thorough evaluation of anti-malware software are complex and difficult to evaluate, unlike a simple checkmark. 
This is a problem, because marketing matters and customers can't be expected to evaluate all the data.
 
 
 

June Patch Tuesday Advance Notification

2008-06-05 15:49:31 by Editor in Cheap Hack
 
On Tuesday, June 10, Microsoft will release 7 security bulletins, 3 of them critical, and security updates to address them. Microsoft's new advance notification bulletin format adds a very readable new view in the Affected Software section. For each operating system version you can see which bulletins are relevant and what the severity is. The bulletins now have English titles too.
The three critical bulletins:
  • The Bluetooth Bulletin: Affects XP SP2 and SP3, Vista and Vista SP1
  • The Internet Explorer Bulletin: Affects all Windows versions. Critical on IE6 and IE7 on Windows 2000, XP and Vista; Moderate on Windows Server 2003 and 2008.
  • The DirectX Bulletin: Critical on all versions of Windows and DirectX.
The other bulletins are entitled WINS, Active Directory, PGM (all ranked Important) and Kill Bit, ranked Moderate.
 
 
 

Windows Admin Goodies From Microsoft

2008-06-02 18:03:05 by Editor in Cheap Hack
 
Microsoft has released a couple of handy items for Windows administrators. Neither are really big deals, but conveniences. We all use Microsoft's Sysinternals tools, written by Mark Russinovich and Bryce Cogswell, but it's been a minor pain keeping up with all the updates they put out and installing them. Now, if you don't want to, you don't have to bother: You can get the tools live off the web and run them directly rather than going through the obfuscatory Microsoft Download Center and then having to unzip a file or run an installer. Go to the Sysinternals Live web page. You'll see a directory listing of the current files in the Sysinternals set. For instance, the current version of Process Explorer is http://live.sysinternals.com/procexp.exe. In IE you can choose to run directly from the browser, but you can also create shortcuts on the desktop or in the Start Menu system to these files, and every time you run that shortcut you'll be running the current version. You do need to go through some confirmations, agreeing to the license, etc. The second trick is the Elevation PowerToys for Windows Vista. These expand the Windows RunAs functionality to some popular 3rd party admin tools, like KiXtart and ActivePerl. Some examples combine it with the Elevate power tool to allow you to do RunAs for programs, like the MMC, which are often resistant to RunAs. There is also a PowerToy for running a CMD shell or PowerShell as the SYSTEM account.
 
 
 

Comodo Sells A Public VPN

2008-06-01 14:11:30 by Editor in Cheap Hack
 
Do you find yourself leery when on public WiFi networks? You should be. All manner of attacks are possible, especially if the WiFi hardware isn't as up-to-date as it should be. Comodo has the solution: A VPN service named TrustConnect. There are daily, monthly and annual contracts available. Enterprise customers may have their own VPNs, but when you're on personal business you still need to be secure. Your communications will be secure at least up to the point of Comodo, at which point they connect back out to the rest of the Internet, probably in the clear (unless, for example, it's an SSL site). So there's still some exposure there, but it's not likely to happen between Comodo and your surfing destination. Of course, VPNs aren't a cure-all, and a compromised PC connected to a VPN is still compromised, but it can be a powerful tool to protect assets at both ends of the connection.
 
 
 

The Other Certificate Lifecycle Management Companies

2008-05-31 16:53:11 by Editor in Cheap Hack
 
In my recent column on certificate lifecycle management I named three companies in the business (RSA, Microsoft and Venafi) and prodded other vendors to come forward and identify themselves. Only one has done so, confirming my suspicion that this is a small market. That vendor is Trustwave with their Certificate Lifecycle Manager, a fairly new product. It has discovery, analysis and management functions. Trustwave says it "...automates the entire SSL process and monitors deployed SSL certificates. Since its inception, we have more than 2,500 POS devices monitored by CLM."
 
 
 
 