Vista Still Not Vulnerable

While I have no professional need to do so, I monitor the Microsoft Technical Security Notifications. Specifically, I monitor the comprehensive feed that includes bulletins, revised bulletins, and advisories. Security is an interest of mine, and I have been trying to use secure practices ever since I received malware through a remote procedure call vulnerability in Windows XP during my freshman year. Something that has amazed me is that none of the security notifications since the Windows Vista release have applied to either Windows Vista or Office 2007. I believe there are two reasons for this. The first reason is that both products are significantly more secure than their predecessors, having been fully developed under Microsoft’s Security Development Lifecycle, part of its Trustworthy Computing Initiative. The second reason is that Windows Vista has not been widely deployed yet and is not yet generally available. This makes it a less promising target for malware writers. It also is not yet in the hands of many security researchers.

There have been some vulnerabilities reported in the popular news during the beta and release candidate stages of Windows Vista, but most of these reports were misinformed. One issue was reported in Windows PowerShell. This tool is not included in Windows Vista and never has been. Another issue is the so-called frankenbuild of Windows Vista. Unethical hackers took activation components from prerelease versions of Windows Vista and spliced them into the release version so that activation would pass. Microsoft released an update addressing this issue, and the product keys used would quit working for activation once the prereleases expired.

Professor Challenge

I have a challenge for teachers and professors of the world. In particular, this challenge is targeted toward teachers of advanced high school courses on up into higher education, but it can apply elsewhere. The challenge is to give a test, quiz, or assignment that you would give your students to your colleagues instead. If your colleagues are missing problems, then your test, quiz, or assignment is not at a reasonable difficulty. As another teacher or professor, your colleague should know the material better than you expect the students to know it.

The reason I am making this challenge is because there are cases when material appearing on assignments simply does not belong there. Examples include many proofs. In particular, I refer to proofs that do not appear in lecture and course material. Of those, I refer to those proofs that do not deviate in a patterned way from proofs that are shown. When these proofs were originally formulated, which is a feat you are asking your students to repeat when the desired proof meets the mentioned qualifications, it took much longer than a day. In some cases, you are asking students to repeat such an amazing feat in less than an hour. Does that seem right?

If you are a professor or teacher and you take this challenge, please let me know your results. Additionally, if you have a differing view on this issue, let me know. I am interested in education and have thought about being a teacher or professor someday, likely after a career in my chosen field.

You’re the One that I Want

I am usually not interested in reality television shows, but I am interested in musicals. For that reason, I gave Grease: You’re the One that I Want a try. This premiere episode was not particularly interesting, but I think things will get more interesting later in the season. Assuming I remember, I think the show merits watching the next episode. This show seems modeled after American Idol. There are three judges, but the decision is up to the US public. The primary difference I see is the prize. The prize in this show is a lead role in the new Grease production.

Dirty Jobs

One of the shows I enjoy watching is Dirty Jobs on the Discovery Channel. The host, Mike Rowe, travels around the country finding dirty jobs and does them. Watching the show, I have seen him inspect a sewer, stick body parts into body orifices to determine animal gender, literally squeeze the crap out of chicks and dogs, and a whole lot more. What amazes me is that people do those jobs. There is no question that many of the jobs come with great health risk. I don’t know if it is intended as a joke, but many of the guests say it is okay because it is organic. I’m sure that is not correct. Bacteria are all natural and organic, and they definitely are not a good thing for a person.

In spirit with one of the show’s slogans, here are my thanks to the men and women of the world that make civilized life possible. I definitely would not want to do most of those jobs.

Lunch

Lunch is a pretty awesome meal. Breakfast is usually eaten either on the run or at home. Dinner is usually eaten with the family. Lunch, however, happens with business partners, coworkers, friends, and more. During various lunches, I have had the opportunity to meet some pretty cool people. I have had lunch with Michael Howard, one of Microsoft’s security experts; Larry Osterman, one of the people behind how sound works in Windows; and Dave Massy, responsible for the user experience of Internet Explorer. Outside of Microsoft, I have had lunch with Ted Nelson, credited with inventing hypertext; Paul Kunz, the first Webmaster in America; and Robert Cailliau, one of the Web’s creators and popularizers. In the future, within the computer industry, I’d like to have lunch with Bill Gates, cofounder of Microsoft. I actually asked about meeting for lunch when I interned at Microsoft, but I was turned down. I would also like to have lunch with Blake Ross, one of the creators of Mozilla Firefox; Mitch Kapor, creator of Lotus; and Dean Kamen, inventor of the Segway human transporter. Reaching beyond computers and science, someday I would like to have lunch with Hugh Hefner, founder of Playboy; Chuck Norris, martial arts expert and actor; and Michael Jordan, athlete.

Lunch with some of these people may seem farfetched or unreasonable, but in all cases, I admire qualities in these people. Bill Gates is a shrewd businessman. Blake Ross is entrepreneurial. Mitch Kapor has an interest in computer history and open source software while being part of both. Dean Kamen has come up with some pretty cool inventions. The more farfetched lunch interests also have qualities I admire rather than just wanting a chance to meet a celebrity. Hugh Hefner seems to have found a way to have a fun-filled life and still get the bills paid. Chuck Norris not only has great martial arts skills, he founded Kick Drugs out of America. Michael Jordan showed that amazing accomplishments can be made with hard work.

I have had lunch with some amazing people already in my life. I can’t wait to see with whom I will have lunch next.

Digital Signatures for Small Projects

Digital signatures are a technology used in Windows to ensure both the integrity and the authenticity of data. Integrity ensures that the data has not been modified. Authenticity ensures that the data came from the source claimed. Usually this is done by creating a hash of the data and signing the hash with the signer’s private key using public key cryptography. The details of how exactly it works are irrelevant to this post. What is relevant is the public key cryptography concept. The way this works is that there are groups called root certificate providers. These are companies like Verisign, Thawte, and Geotrust. Those companies use their root certificate to issue certificates to other people. They authenticate the recipient of the certificate to varying degrees. Hypothetically, a root certificate provider could issue certificates to anybody that asks. In that case, its certificates would carry no authenticity guarantee, and you would not want that provider’s root certificate included in your software. This is where companies like Microsoft come in. Microsoft has a root certificate policy to which root certificate companies must adhere in order for their root certificate to be included in Windows. The chain of trust then is as follows. You trust your copy of Windows to be authentic through the physical certificate of authenticity, and now, with things like Windows Genuine Advantage, there are some digital assurances in place as well. As a result, you trust that Microsoft has included only root certificates that follow its reasonably defined root certificate policy.

Let’s say you download AOL Instant Messenger. The installer for it is digitally signed with a certificate for AOL. The AOL certificate is digitally signed using one of the root certificate providers. Consequently, you trust Microsoft, Microsoft trusts the root certificate providers, a root certificate provider trusts AOL, and AOL trusts the executable you received to be the one that it released. This chain of trust makes some cool things possible. Windows Live OneCare, for example, will automatically allow digitally signed programs through the firewall. This provides a level of convenience to OneCare users without sacrificing security. Because the software is digitally signed, there is a good chance it is legitimate. In the rare case that it is not legitimate, the antivirus and antispyware components can uniquely identify the digital signature without a false positive. The user remains secure with convenience, and AOL doesn’t have to deal with as many support cases regarding firewalls interfering with its instant messenger.

The problem is that the root certificate providers trusted by Microsoft charge money for a code signing certificate. These code signing certificates cost a few hundred dollars. This cost is reasonable for larger companies such as AOL, Google, and others. However, there are far more small scale software projects. Examples include Gaim, 7-zip, and more. In many cases, there is only one developer, or a single lead developer with occasional contributions from others if the project is open source. This leads me to a problem for which I have been trying to find a solution: are there any reasonably priced code signing options for these projects? I have talked to developers of these projects, and they realize the benefits of code signing, but the costs are out of their reach. What solutions are there?

Having worked with Linux systems, I know about PGP, but that is not how code signing is done in the Windows world. I am searching for a solution for developers of Windows freeware. Let me know if you know of a solution to this problem.
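To see the chain of trust described above on an actual file, here is an added PowerShell example (my own, not code from the original post): it reads the Authenticode signature of an installer with Get-AuthenticodeSignature and walks it from the signer’s certificate up to the root. The file path is a placeholder. A self-signed certificate, the only free option for the small projects discussed above, still gives an integrity check but comes back NotTrusted, because its chain never reaches a root in the Windows store.

```powershell
# Added example: inspect an Authenticode signature and walk its chain of trust.
# The path below is a placeholder; point it at any signed installer.
function Show-SignatureChain {
    param([string]$Path = 'C:\Downloads\Installer.exe')

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status sums up integrity and authenticity in one word:
    #   Valid        - hash matches and the chain ends at a root Windows trusts
    #   HashMismatch - file changed after it was signed (integrity failure)
    #   NotTrusted   - signed, but the chain does not reach a trusted root
    #                  (what you see with a self-signed or test certificate)
    #   NotSigned    - no signature present at all
    Write-Host "Signature status : $($sig.Status) ($($sig.StatusMessage))"
    if ($sig.Status -eq 'NotSigned') { return }

    $leaf = $sig.SignerCertificate
    Write-Host "Signer           : $($leaf.Subject)"
    Write-Host "Issuer           : $($leaf.Issuer)"
    Write-Host "Valid            : $($leaf.NotBefore) to $($leaf.NotAfter)"

    # A timestamp countersignature lets the signature stay valid after the
    # signing certificate itself expires.
    if ($sig.TimeStamperCertificate) {
        Write-Host "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
    }

    # Build the chain the post describes: signer -> issuing CA -> root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $reachedTrustedRoot = $chain.Build($leaf)

    $i = 0
    foreach ($element in $chain.ChainElements) {
        $cert   = $element.Certificate
        $label  = if ($cert.Subject -eq $cert.Issuer) { 'root' } else { 'link' }
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        Write-Host ("[{0}] {1} {2}  ({3})" -f $i, $label, $cert.Subject, $status)
        $i++
    }

    if (-not $reachedTrustedRoot) {
        # Typical for self-signed certificates: the top of the chain is the
        # signer's own certificate, which is in no trusted root store.
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "$($s.Status): $($s.StatusInformation.Trim())"
        }
    }
}

Show-SignatureChain
```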

Tools I Use

A friend of mine recently shared some of the tools she had discovered during 2006, and I have seen similar lists on other blogs. Here is my annotated list of my favorite products that I have come across in 2006.

I started using StumbleUpon toward the end of 2006. It is a browser extension available for at least Internet Explorer and Mozilla Firefox. The basic way it works is that you rate sites you visit. Based on these ratings, your interests, your friends, and other factors, it takes you to a new likely unknown Web document. I would make the analogy that StumbleUpon is to Web documents what Amazon.com is to books. If that is truly what it is intended to be, I would say its suggestion engine needs some work or it needs more users to give it a better corpus of data from which to make recommendations.

I am currently using Windows Vista. While not generally available until the end of January, it was released in 2006, and I have the release version through both an MSDN subscription and the gift for being a Windows Vista beta tester. If you have a sufficiently powerful computer, Windows Vista has a nice looking interface. At first glance, this interface may look like pure eye candy, but there is usefulness as well. Live previews of many things are rendered. When you hover over a taskbar button, you see the actual window in a live thumbnail. When you switch applications with either the traditional task switcher or the new Flip3D, you also see live previews of the windows. These are also not basic image thumbnails; they are live thumbnails. If there is a video playing in the regular window, it will be playing in the thumbnail. Windows Vista also has several improvements to security, from integration of Windows Defender to User Account Control. Unless you are into security, you likely won’t understand the significance of the improvements, so I won’t describe them in detail. Windows Vista also has desktop search features built in. Windows XP has an Indexing Service that served a similar role, and it is still available for backwards compatibility, but desktop search does a better job and has a more appropriate scope of indexing. The final item I like is that Windows Vista constantly improves. Even if you are not connected to the Internet, it will optimize how it uses memory based on how you use applications. It automatically defragments the hard drive on a schedule. It automatically learns your particular dictation and writing style with its speech and handwriting recognition capabilities. Beyond that, with an Internet connection, it will automatically optimize networking parameters for the actual connection. It can use online help, which may be more accurate than the help collection included. It can send crash reports to Microsoft for analysis and automatically tell you when a reported issue has a fix or more information.

I am also currently using Office 2007. In particular, I like the RSS and iCalendar integration in Outlook. I like the To Do bar in Outlook. I also like the account automatic configuration in Outlook. I also like the ribbon user interface. It is present in Word, Excel, PowerPoint, and portions of Outlook that use Word. It makes much more sense than the infinitely nested toolbars and menus in Office 2003 and earlier. Office 2007 also features live previews similar to Windows Vista. Office 2007 also finalizes the death of Clippy. Office Assistants, as I believe they were called, are no longer available in Office 2007.

Another product I started using was Windows Live OneCare. It is an all-in-one security product from Microsoft. It provides firewall, antivirus, antispyware, and more. It does cost money for a subscription, but a subscription covers three computers, so one subscription can cover your family. Generally, I have been fine using free security products and actually found them better than commercial products. However, I was introduced to OneCare as an internal beta tester when I interned at Microsoft. Recently, a particularly amazing capability that I haven’t seen in other security products became evident when I was using OneCare. There was a security vulnerability in Windows with how Windows Metafile images were processed. Before the fix was available for Windows, OneCare began to ensure that Windows Metafile images were not malformed. One that I encountered was malformed, and I was warned. OneCare has an extremely simple user interface with literally one care. As long as the program’s tray icon is green, you are okay.

That is my report of tools released during 2006 that I have enjoyed using. I am sure I will find new tools during 2007.

Finding Information

I seem to have some skills in finding information. Those skills generally involve using different information sources together. There are two primary cases of finding information I will share and one that is recent.

The first case occurred while I was an intern at Microsoft during the summer of 2005. One of the things I did throughout the summer was to contact various people and meet them for lunch. I started with some of the people who blog on MSDN. These included people like Larry Osterman and Gretchen Ledgard. Once I ran out of bloggers that I found notable out of all the blogs on MSDN, I started meeting people to whom those bloggers referred me. Eventually, those thinned out, and I still had about half a summer left. I tried going for the big fish and asked both Bill Gates and Steve Ballmer if they’d like to meet for lunch sometime. Expectedly, they declined but wished me luck in my internship. At one point, I started asking people I met on Microsoft’s shuttle system. Microsoft has the largest private transit system, or so their intranet site claimed. There are several events and seminars going on around Microsoft, so I found myself using the shuttle system frequently. One of those times, I met somebody who worked in my building. I met him for lunch one day. Another time, I met somebody on the shuttle. (This is where this story starts.) I found out that the person was new to Microsoft. I also found out that this person worked in human resources. I also knew by virtue of where the person got on the shuttle what building she was in. I got off the shuttle at my building, and I decided that this person might make an interesting person with whom to have lunch. There was a problem though. Despite the information I had gathered from talking to her, I did not have her name. I remembered that Microsoft has internal mailing lists for just about everything. There is a list for specific new employee orientations. There is a list for each building. There is a list for each department. On top of that, the members of each list could be downloaded as an Excel file. As I recall, I downloaded the list for each piece of information I had. I loaded the Excel files into Access. I wrote a SQL query joining all three tables on the person’s name. There were two hits, and only one was female. I e-mailed that person and explained how I came up with her name. I was successful in finding the person. She ended up not having time to meet for lunch, but that is irrelevant to the story of finding the information.

In my second case of finding information, I and several other friends had returned from a school break. One of the people in the group of friends was not back at school yet, and nobody knew her phone number. This person had a profile on Facebook, but the profile did not have her phone number either. However, it did have the person’s home address. Knowing that most people have entries in the phone book under one family member, I knew it was likely she would have a phone number in the phone book. However, the name alone would not go the whole way, because the entry was likely under a relative and there were several entries with that last name. There was only one entry, however, that matched the address found on Facebook. We had found the person’s phone number.

In the most recent case, there was a person I had corresponded with regarding his product during high school. Eventually, his company closed up shop and I fell out of contact with him. When I interned at Microsoft, I found out about Windows Live OneCare and began participating in the internal beta program. I started submitting feedback as any beta tester should. Then, one day, I received a phone call. I looked at the phone and it said "Schacher, John." That name was familiar. I hesitantly answered the phone, for I was not expecting a call and never enjoyed trying to handle a call intended for somebody else.

Hello.

Is this Brant Gurganus?

Yes.

Did you ever use a program called Bugtoaster?

Yes.

Well, I was one of that company’s founders.

The conversation went along those lines. I found out that John was working on the firewall portion of the OneCare product. He came across some feedback from me and recognized the name. This was really cool for me. When I was corresponding with John on occasion about Bugtoaster, he had mentioned that if I were ever in the area where Bugtoaster was located, I could probably get a job with them. This was important for me, because it confirmed that I had skills and traits that were valuable to existing professionals. It meant I should be able to find a summer job in the technology industry. One summer, I had worked at Kroger and found it extremely disappointing. I wanted to work with software. I started e-mailing Web development companies around Indianapolis, and Omega Design Studio responded. I had found a technology position without having any college yet. Anyhow, John Schacher became one of the other people with whom I had lunch during the summer. After my internship, I tried e-mailing him, but the e-mail bounced. It seemed he had left the company, and I had no contact information. Recently, I looked his name up in the phone book, and there seemed to be a John Schacher in the area still. I then looked his name up on LinkedIn. I found a John Schacher there that worked in the Seattle area. This John Schacher worked for Experticity. I tried contacting John on LinkedIn, but that costs money and I’m not going to upgrade my account just to send one message. I looked up the Experticity site. I found an e-mail address on the site. I wrote:

I am trying to contact a John Schacher that I believe may now work at Experticity. He previously worked at Microsoft, and he also ran a company called Bugtoaster. If this John Schacher works at Experticity, could you please forward this message to him so he may respond. Thank you.

I received a response today. I had found John Schacher again. I have now added him to my LinkedIn network, so hopefully, I will not end up with outdated contact information again.

Those are my three stories of finding information. Hopefully, they inspire you to come up with creative ways to find information you want.

Goals

There are certainly many times when people make goals. I like to make goals at times that coincide with the beginning or ending of an event or preferably a collection of events. I made a goal at the beginning of this school year to be off academic probation. I have succeeded in that goal. At the beginning of last summer, I made a goal to rekindle my interest in math, science, and computers. I succeeded in that goal.

It is now the year 2007. It is a new year. That is frequently a time for new goals or resolutions as they are frequently called. While there is no natural reasoning for a year to start or end when it does, the fact that other human events start and end at that time make it a reasonable time for goal setting as well. My goals for 2007 are to stop a few bad habits I have had since childhood, more consistently exercise, and more consistently write.

Many resolutions are broken because they are either not taken seriously or the right steps are not taken in attaining them. One of those right steps is to write down the goals. I will write the goals here so that they are not only written but publicly known. By making the goals publicly known, peer pressure can help me attain the goals.

My first goal to stop some personal bad habits cannot be described significantly because they are personal habits. I will say that one of my desires will more likely occur as a result of stopping one of the bad habits.

The second goal to exercise more is one of those lingering ones that is typical of resolutions for a new year; however, I already made good progress on it at the beginning of this school quarter. I was doing cardiovascular exercise in the mornings. It was a routine that worked pretty well. I woke up at 7AM. I went to breakfast, and I then waited at least a half hour. I then did the exercise in the SRC once I felt that breakfast had digested. I came back and took a shower. I then had some time to kill before lunch and my first class of the day. However, one of the courses I was taking decided to start meeting at the time I was running. I am a person for whom consistency helps regular events to happen. Because of the occasional meetings for that course, I had a hard time making myself exercise on the days I could. For this and other reasons, I have dropped that course, so I can renew my work on this goal.

My third goal is to more consistently write. The primary inspiration for this goal is the character of Atrus in the Myst computer game series. In addition to the game series, the authors of the game also wrote a series of three books, collectively The Myst Reader: The Book of Atrus, The Book of Ti’ana, and The Book of D’ni. From both the game series and the three books, it is evident that writing is central to the D’ni civilization. Specifically, nearly everybody kept journals of their day-to-day findings and reflections. Additionally, the D’ni had a form of writing known as the Art that allowed one to write a description for a world and that book would literally form a link to a world matching that which was described. That form of writing is not what I am after. The first, reflective, journaling form of writing is the kind I wish to master. For both the characters of Myst, particularly Atrus, and people in real life, writing forms a means of recording what you learn. The reflection aspects provide a means by which to improve one’s own life. Further, much of history is revealed first through written accounts.

From my own history, I wanted to try journaling for a while and I wanted to improve my typing skills. I had learned touch typing in school, but at heart, I was still a hunt-and-pecker. One summer, I made the goal to keep a journal, but I was only going to use the touch typing skills. I created a text file in Notepad and started the file with ".LOG." If you have ever read the help file for Notepad as any geek/nerd/tool like me has, you will know that putting that text at the start of the file will cause Notepad to append the date and time at the end of the file whenever you open it so that log typing may commence from that point. I credit that experience with providing most of my current typing skills. Additionally, I gained insight that combining goals can help them to be achieved. For that reason, not only will I write my goals for 2007 here, I plan to write about my progress with those goals and other thoughts with this blog.