I have no idea. It would seem to be reasonable use, but who knows with license terms, which change over time. Certainly, MS is supporting virtualization at the OS level and clearly expects customers to use it. I expect that the answer may differ between enterprise users and individuals. I have separate copies of Office 2000, Office 2003, and Office 2007 (I gave my daughter my Office 97 or 98, I don't remember). Thus, I have the necessary licenses as a user to play this game. I would expect small businesses to also have individual licenses. In the enterprise, I don't know how it would be handled. You wouldn't need many licenses to set up a converter on a terminal server for an organization.
I have been at MS just over 4 years (working in security the entire time). It is my observation that MS is very reluctant to break back compat. There is an app compat team that represents customer interests and tries to keep teams from breaking things. Yet we do it. We do do it for security. Microsoft has a standard that products should be safe by default. If a user wishes to use a dangerous feature or legacy capability, a means will typically be provided to do this, but the user / administrator making the change needs to have some appreciation of the choices they are making. An old format or protocol that is no longer appropriate for the security environment will eventually be turned off by default. This is for the good, if not the convenience of the user, who may not properly appreciate the associated security risks.
Thus the transition from XP SP1 to XP SP2 broke a number of things as default settings of the OS were changed to make the OS security more appropriate. Similarly, a number of defaults were changed and additional defense in depth measures were added in the XP to Vista transition, as the OS was hardened further.
If the Office team said that the default availability of these converters was removed because of security concerns, believe them. They would not have antagonized the user base for a lesser reason. Note that the security community has observed a great increase in sophisticated attacks against apps, and old legacy code and protocols are a primary target. Having these off by default is wise. Office is a particular target of attackers and the Office team is behaving responsibly in hardening their functionality and configuring the default status to be secure. Organizations and/or users that need to parse and/or convert such docs can do so and are provided the necessary tools to do so.
Agreed. I would not be surprised if analysis changed the number by a factor of 2 either way, but the result is all but certain to be far shorter than the current time period.
The intent of the paper was to get an approximation of optimal for society. That is why I provided the link, which can be followed to the full paper, which is quite interesting.
It was 70 years or so for a very long time. The politicians have been well bought by a very large interest group. I think that a 15 to 20 year period would be reasonable. The current one is truly unreasonable. I would add an additional factor - if the material in question is not made available, it loses its copyright status within a year. Thus if a book or work is out of print for a year, it enters the public domain.
Traditionally, copyright was for the life of the author + some reasonably large number. The optimal lifetime has been studied under economic maximization theory. The result was ~ 14 years, which is rather closer to the 20 year patent life time than the proposed 5 years. The link is:
http://arstechnica.com/news.ars/post/20070712-research-optimal-copyright-term-is-14-years.html
I am not on the Office security team, but I think that I understand the issues they are facing.
There are at least three obvious means for users to handle deprecated formats:
1. Make the registry changes indicated in the KB article. Given that there may be vulnerabilities in the legacy conversion routines, perform conversion in a separate non-administrative user account to prevent system compromise.
2. Keep a copy of your existing O12 or earlier Office software. Run it (probably in a VM so you can use it 10 years or more from now) to convert legacy formats to more recent formats.
3. Buy commercial format conversion software. I certainly used to do this a lot in the past, in a different company, when we were taking data from a wide variety of sources.
Many of the file formats listed are by third parties, not Microsoft. Intelligent deep fuzzing has become very good in the past year or two. Microsoft has and uses these fuzzers as well. It is reasonable to assume that the Office team looked at the handling of these old formats.
Maintaining support for legacy and legacy 3rd party formats gets expensive, particularly when you have to rewrite the parser and more expensive indeed if you have to try and reverse engineer the format itself because you have no documentation (after all, some of these formats were written by third parties who may no longer be extant). Such effort has to be evaluated in terms of value for the customer, as compared to writing new functionality.
Customers do have possible mitigations to address the issue. As a matter of configuration policy, you always keep a copy of your tools as well as your data, as the tools change over time as well. This is as true for documents as it is for source code and build environments. Customers who have legacy documents should either have the legacy tools that can open these documents or third party tools that can do so. Microsoft provides 2 means of handling the issue (1 and 2, above). It is more convenient to the user to have these natively supported, but at some point the customer value is better served by moving on and allowing those customers who still need the legacy support to implement the appropriate mitigations.
As I said in my first post, the ECC RNG is not on by default. CryptGenRandom is the default RNG. A study of the configuration settings and code, such as that done by a CC evaluation team, will definitely reveal that.
Just a note. The continued reliance upon MD5 is an issue in itself, given the advances in hash analysis over the past decade. At this point it would be wise to go with SHA-256, or if you really want to reduce the number of bits, the first or last 128 bits from a SHA-256 hash.
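The post's suggestion of keeping 128 bits of SHA-256 in place of MD5, worked through as an added example (not code from the poster or from Microsoft): a truncation helper that yields the same 32-character hex width as an MD5 digest, a constant-time verifier that understands both legacy and migrated records, and a migration step that refuses to re-hash data whose MD5 record no longer matches. The sample inputs and the "algo" record tag are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample inputs for the example (not from the original thread).
SAMPLES = {
    "abc": b"abc",
    "empty": b"",
}


def truncated_sha256_hex(data: bytes, bits: int = 128, side: str = "first") -> str:
    """Return `bits` bits of SHA-256(data) as lowercase hex.

    side="first" keeps the leading bits, side="last" the trailing bits,
    the two options the post mentions. 128 bits gives a 32-character hex
    string, the same width as an MD5 hex digest, so it fits storage fields
    that were sized for MD5.
    """
    if bits <= 0 or bits > 256 or bits % 8:
        raise ValueError("bits must be a positive multiple of 8, at most 256")
    digest = hashlib.sha256(data).digest()
    nbytes = bits // 8
    if side == "first":
        part = digest[:nbytes]
    elif side == "last":
        part = digest[-nbytes:]
    else:
        raise ValueError("side must be 'first' or 'last'")
    return part.hex()


def legacy_md5_hex(data: bytes) -> str:
    """MD5 hex digest, kept only to check old records and to show the width matches."""
    return hashlib.md5(data).hexdigest()


def verify(data: bytes, stored: str, algo: str = "sha256-128") -> bool:
    """Constant-time comparison of a stored digest against fresh data.

    `algo` tags how the stored value was produced (a constructed convention for
    this example), so one store can carry legacy MD5 entries alongside migrated
    truncated-SHA-256 entries during a transition.
    """
    if algo == "md5":
        computed = legacy_md5_hex(data)
    elif algo == "sha256-128":
        computed = truncated_sha256_hex(data, 128, "first")
    elif algo == "sha256":
        computed = hashlib.sha256(data).hexdigest()
    else:
        raise ValueError(f"unknown algorithm tag {algo!r}")
    return hmac.compare_digest(computed, stored.lower())


def migrate_entry(data: bytes, stored_md5: str) -> dict:
    """Re-hash data that still matches its MD5 record and return the new record.

    Refuses to migrate when the MD5 check fails, so a corrupted or tampered
    record is not silently blessed with a stronger-looking digest.
    """
    if not verify(data, stored_md5, "md5"):
        raise ValueError("stored MD5 does not match data; not migrating")
    return {"algo": "sha256-128", "digest": truncated_sha256_hex(data)}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, legacy_md5_hex(data), truncated_sha256_hex(data))
```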
Understood. One of the cryptographers who published the attack against the ECC RNG was a MS cryptographer. As I said, the default RNG is NOT the ECC RNG, which was included because various governments wanted it.
I try and provide a reasonably knowledgeable and balanced response to the frequently unreasonable claims and responses. Clearly I will not have any impact on the true believers, but with luck I will have some impact upon those willing to consider the issues. I joined MS 4 years ago and have worked in security the entire time, assisting the Vista security effort for the past few years and I have some involvement with the crypto efforts. By background, I was more of a BSD'er than anything before I joined MS, having started on "modern" systems on VAX Ultrix and moving on to OpenBSD based appliances.
In the early days, MS focused upon features more than security, as that is what the customers responded to. About the same as the current "Web 2.0", which is essentially untrustworthy by design.
Once security problems became a customer concern, MS moved on it. Indeed, MS is being subjected to considerable criticism in Vista and Server 2008 for overinvesting in security with respect to neat new features. There is always the feature / security tradeoff. You can configure your system for security, minimizing the attack surface at the cost of reduced functionality. Consumers want the neat features. I run in secure mode and accept the reduced functionality.
The Secure Development Lifecycle process that was introduced a few years ago has a cryptographic portion that requires crypto usage to conform to reasonable standards, which are adjusted in light of the current crypto state of the art. This has allowed the cryptographers to clean up usage of crypto in MS products.
That is not good enough. The attack can be in the compiler or other tools in the build environment. Such attacks have been demonstrated. That is why I mentioned the CC issue. The evaluation laboratories have access to the source, have competent security staff, and are "trusted" by both the customer and the manufacturer to accurately represent what they have found.
For all the talk about closed source, a rather large number of customers, including numerous governments, has read access to the Windows Source code. Don't assume that only MS employees examine it. The number is far broader than is generally supposed.
EAL is not about security features, it is about assurance levels. In the case of EAL4, the evaluators have access to the source code and design docs and they go through looking for issues and devising tests that the evaluation lab can use to ascertain that the code behaves as expected. The reason I mentioned CC is that the CC evaluation lab has source level access to the system, not that the CC evaluation raises the security functionality. Indeed, in general you will find that the evaluated configuration of a system typically has reduced functionality. This reduces the attack surface of the system as well as the cost and time of the evaluation.
Following such an approach, I am running Windows Server 2K8 on my notebook, running as a normal user, with IE7 in enhanced security mode (which among other things, disables javascript, plugins, and most downloading). It also does not have media player. Reduced attack surface and defense in depth buys you a lot.
Doing random number generation well is far harder than expected if you don't want to heavily load the system when the rng is hit heavily, as it can be on server.
I don't have to prove it. Not only that, but you wouldn't believe me even if the code was released - after all, how do you know that the code corresponds to the actual binary?
Look at the FIPS and CC documentation. Governments do use these systems in security critical environments, but they configure them very carefully. There is configuration data available on how to configure a system for security critical environments. Selecting your random number generator is one of the things you can do.
The staff working on this are noted cryptographers who do know what they are doing. I have been working with the cryptographers at Microsoft for some time and I have been working in crypto related areas for > 20 years.
Sorry to deflate the conspiracy theorists. Certain governmental customers wanted the ECC random number generator. MS provided it. This random number generator is not used by default. The default random number generator is CryptGenRandom, which was revised to deal with the issues that have been discussed with rather more sensationalism than was warranted.
Customers who want to use the ECC generator can choose to use it. This is rather like turning on FIPS mode.
As for backdoors, anybody who is paranoid about this issue will ignore or disbelieve me when I say that there is no backdoor that I am aware of. The Common Criteria evaluators look for such issues and submit issues for fixing if and when they find them. Other governments are not going to be willing to buy a system with an NSA backdoor. From a more practical demonstration point of view, if there was a backdoor, governments would not need to get warrants for inserting hardware keyloggers or custom malware on systems to access system information. Governments both in the US and elsewhere do this, which suggests that no backdoor is available.
I would not expect to see this in the aerospace transport market. Too expensive. The military and space arena is different. The military could use this for some purposes and the higher specific impulse associated with not having to carry your O2 would suggest that this could be used to replace the lower stage of a rocket, reducing the cost of lifting stuff. This would be useful in both civilian and military orbital lifting.
When you install 2K8 you are given 2 choices, server core (a headless server without any GUI, just a command shell) and the standard server. If you install server core, you can then use powershell to manage it. I have been working with and running Server 2K8 since Vista Beta 1. Standard server is minimal. Once you have it up and running, you then install the roles and features that you want. If there is some particular functionality that you don't care about, you can use SCW (server configuration wizard) to disable the appropriate service(s).
2K8 and its predecessor 2K3 are very stable and capable OS's with a very long supported lifetime. From an administrator's point of view, WU is far preferable to rebuilding OpenBSD when security patches come out, let alone the short supported lifetime of any given release. Some of the Linux distros have more reasonable support lifetimes, but the 7 to 10 years that Microsoft has is very nice.
Actually, I do do this. I have installed XP into a VPC and I use it to run apps that won't install in or run in Vista. I don't have many of them. I use DosBox to handle the old DOS exe's that are not well supported in VPC.
The software vendor community got lazy in the early days - run as administrator and everything just works. Install stuff across the system, including replacing system DLLs and modifying the Local Machine Registry settings. Of course, while you are making your app work, you have the potential of slamming everything else, including the system.
So with Vista, Microsoft has shipped its first client OS that actually will let users run well as normal users - without admin privileges. But the software assumes admin privileges. Hence the app compat hit. There was a lot of work done with deflection directories and deflection registry hives to allow ill-behaved software to think that it was modifying the system, but it doesn't catch everything. This app compat hit was unavoidable, as not only was legacy SW broken, but new software was still being written that assumed admin privileges on the part of the user.
I run my family members as normal users on Vista boxes. I am writing this as a normal user on my notebook which is running Server 08. It works. It was painful to run as a normal user on XP. You couldn't do it on 95/98/ME.
How many users on BSD or *nix boxes have their users running as root?
If you want to run a consumer version of 2k3 server, run 64 bit XP. The problem is in the driver availability and the fact that the vast majority of the apps are coded for 32 bit so you are using the WOW interface a lot, which slows stuff down.
I am writing this on a notebook running Server 2K8 RC1.
The Vista and Server 2K8 kernels are common and both are descended from 2K3 server. The optimizations and feature sets are different though.
Sidebar is not available on server and I don't remember aero being available either.
If I didn't already have my kids running on a Vista system, I would have no qualms taking advantage of this offer. I am already running them as normal users with parental controls and auditing enabled (and I do check the audit record). My wife and I run on another system, and there is nothing interesting in our use of that system as well - a little browsing, banking, Word, and solitaire. But I already have Vista on that as well. Both also have Office 12.
MS is clearly trying to get some detailed consumer usage data for system optimization and feature planning purposes. It is trying to get data on the use of the system by people who run Windows to make their user experience better. The tradeoff strikes me as reasonable for many users.
A very good suggestion. A few years ago I believed that doing so would be enough of a security guarantee. It will typically work well against naive threats, but as VM usage gets more widespread, attackers will start supplementing their attacks with VM penetrators to nail the host. The standard VM products do not make strong guarantees about confining hostile code in VMs.
The rich web is all well and good for those with nice screens and good vision. It does not do so well for those with highly constrained devices and/or bad vision. I would love it if companies pushing commerce web sites started having accessibility requirements.
If a user has bad vision, they can feed text into a text to speech converter. GUI into a speech converter doesn't work so well. There are an increasing number of older folks using the web, and expecting a large screen real estate is not appropriate - they may have large screens, but they may have increased the font size for readability.
As for me, I am paranoid. I don't believe in running script unless I have a good reason to trust the site in question. Thus by default, I have Java, Javascript, Flash, ActiveX, et al off. Thus, no rich web for me. Too bad.
Obviously the users have found some unknown way to copy and view material. Since they are enjoying the entertainment via an unknown channel, the industry would try to get their revenue stream by some other means that is not easily avoided, such as surcharges on writable discs, hard drives, and players. Don't laugh, it has been done elsewhere. Given the way that they buy politicians, I don't view it as impossible. Indeed, given the absurdities we are facing, a surcharge-based approach looks less and less idiotic. I never thought that I would say such a thing, but considering the stupidity and self-destructiveness of the industry, it may need to be considered.
No.
As for me, I don't buy their products at all.