RTFWP! You not only have to sign everything, but you must get a Publisher Identification Certificate (PIC) from Microsoft for any kernel driver. Creating your own cert for local testing might be possible, but faking a Microsoft-authenticated PIC seems like a much bigger challenge.
But reading through the paper, I don't see any particular restrictions on obtaining a PIC. It sounds like you just get your Verisign code signing cert and then do an automated process with Microsoft to get a PIC. So why couldn't one person buy a cert and then offer a (free) signing service for anyone's code? Obviously any sane corporation concerned about security wouldn't want to trust such a service, but the white paper doesn't seem to prohibit it.
Did I read the white paper wrong? It just said the driver had to be signed, not that it had to be WHQL. I don't think this particular requirement is being implemented for reliability reasons, but for accountability reasons. With a signed driver you know where it came from--that's it. No guarantee of quality or even security, but at least you know who to blame when the driver has problems.
Corporate America told Microsoft that they didn't like service packs because they required a lot of IT effort to roll out across the organization. As it stands, any true security patch needs to be installed ASAP, so anything in a service pack is probably something most IT departments would prefer to avoid unless it scratches their itch.
Microsoft has been listening to big companies; they created "patch Tuesday" as a way to reduce the pain for corporate IT departments. Think about it, why wouldn't MS release the patch ASAP for consumers? In fact, that would be better for MS debugging because it would be easier for MS to tell if a particular patch caused problems. As it is, they're all clumped together each month.
If nobody in particular is clamoring for an update, Microsoft will oblige them by not issuing one.
The blog is right that from a user perspective this is good because it makes the target page load faster and makes the tracking transparent. However, this gives the marketer or website even less control than they have now.
Today, ad or other link tracking is generally handled like this: The link target specifies a tracking page and passes in a magic word or number that specifies the campaign or other info (e.g., "go.php?id=123" or "click.asp?campaign=A1254S"). That page logs the click in some database and issues a redirect to the actual destination page. Sometimes the web server log acts as the "database" and the click stats are processed from the logs.
With this new scheme, the idea is supposed to be that the href target would be the actual destination and there would be no need for the time-consuming redirect. The separate ping attribute would take care of notifying the server similar to what happens today. But now the target page is out in the open for the client to see, and it is not essential to use the ping URL at all! Once users start blocking ping URLs, as they inevitably will, this transparency means that click stats will be very unreliable.
Since a lot of revenue depends on click numbers, this outcome is bad for commercial web sites. Therefore, very few money links will ever use this scheme and will instead stay with the tried-and-true redirect pages.
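Added example, not code from the comment above or from any tracking vendor: the two schemes described there, modelled as offline functions. The campaign table, the log entries and the Ping-From/Ping-To header names are assumptions made for this example. The redirect handler resolves the destination from an opaque id (as in "go.php?id=123") instead of accepting a URL in the query string, which is the detail that keeps a tracking redirector from doubling as an open redirect; simulate() then shows why the ping scheme undercounts as soon as some clients suppress the ping.

```python
"""Added example (not part of the original comment): the two click-tracking
schemes described above, modelled as offline functions. The campaign table,
log format and Ping-From/Ping-To header names are assumptions, not facts
from the page."""
from urllib.parse import parse_qs, urlparse

# Constructed campaign table: opaque id -> real destination. Resolving the
# destination from an id, instead of accepting a full URL in the query
# string, keeps the redirector from doubling as an open redirect.
CAMPAIGNS = {
    "123": "https://shop.example.com/deal",
    "A1254S": "https://partner.example.net/landing",
}


def _campaign_id(url):
    query = parse_qs(urlparse(url).query)
    ids = query.get("id") or query.get("campaign") or []
    return ids[0] if ids else None


def handle_redirect_click(request_url, log):
    """Legacy scheme (go.php?id=123): log the click, then 302 to the target.
    Returns (status, Location header)."""
    cid = _campaign_id(request_url)
    dest = CAMPAIGNS.get(cid)
    if dest is None:
        return 404, None   # unknown id: never redirect to a caller-chosen URL
    log.append({"campaign": cid, "dest": dest, "via": "redirect"})
    return 302, dest


def handle_ping(ping_url, headers, log):
    """ping-attribute scheme: the browser loads the href itself and POSTs a
    notification to the ping URL. The server only learns of the click if
    that second request arrives, which the client is free to suppress."""
    cid = _campaign_id(ping_url)
    if cid not in CAMPAIGNS:
        return 404
    log.append({"campaign": cid, "dest": headers.get("Ping-To"), "via": "ping"})
    return 204


def simulate(clicks):
    """clicks: list of (campaign id, client_blocks_ping). Returns the click
    count each scheme would report for the same set of real clicks."""
    log = []
    for cid, blocks_ping in clicks:
        # The redirect is the only route to the page, so it is always counted.
        handle_redirect_click(f"https://ads.example.org/go.php?id={cid}", log)
        if not blocks_ping:
            handle_ping(f"https://ads.example.org/ping?id={cid}",
                        {"Ping-From": "https://publisher.example/",
                         "Ping-To": CAMPAIGNS[cid]}, log)
    by_redirect = sum(1 for e in log if e["via"] == "redirect")
    by_ping = sum(1 for e in log if e["via"] == "ping")
    return by_redirect, by_ping


if __name__ == "__main__":
    # three real clicks, two of them from clients that block pings
    print(simulate([("123", False), ("123", True), ("A1254S", True)]))
```

Run it and the redirect scheme reports all three clicks while the ping scheme reports one, which is the whole objection in the comment above: the redirect is in the critical path, the ping is not.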
Actually, the best diagrams of the Prius drivetrain are here and a really cool animation is here.
From what I can gather the claim of patent infringement relates to the use of a planetary gearset for the drivetrain. However, the Solomon device used just electric motors whereas the Toyota uses two electric motors and a gas engine. Does that mean it doesn't infringe? Hey, I am not a patent lawyer.
Right, but as TFA says it's not the SetAbortProc API that's at issue here, that API came much later. We're talking about the Escape/SETABORTPROC record that can be put into a WMF. They are two different things.
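Added example, not code from the thread or from Microsoft: a scanner for the Escape/SETABORTPROC record mentioned above. The record layout is the WMF format (optional 22-byte placeable header, 18-byte standard header, then records of a 4-byte size in words plus a 2-byte function; META_ESCAPE is 0x0626 and its first parameter is the escape function, SETABORTPROC = 9). The scanner walks the record chain and, because a crafted file can corrupt size fields to throw off a walker, also does a size-independent byte search. The sample metafile is constructed here and carries no payload beyond four zero bytes.

```python
"""Added example (not from the original thread): a scanner for the
Escape/SETABORTPROC record discussed above. Record layouts are from the WMF
format; the sample metafile is constructed here and carries no payload."""
import struct

META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7
# Little-endian RecordFunction=META_ESCAPE followed by EscapeFunction=SETABORTPROC
ABORTPROC_PATTERN = b"\x26\x06\x09\x00"
# 22-byte placeable header with key set and the rest zeroed (constructed)
PLACEABLE_HEADER = struct.pack("<IH", PLACEABLE_KEY, 0) + b"\x00" * 16


def walk_records(data):
    """Yield (offset, size_in_bytes, function) for each record, trusting the
    declared sizes. Stops at META_EOF or at a size field that cannot be
    right; a crafted file can use exactly that to shake off a naive walker."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated metafile header")
    mt_type, header_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        raise ValueError("not a Windows metafile header")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size_words < 3 or off + size > len(data):
            return
        yield off, size, func
        if func == META_EOF:
            return
        off += size


def scan_wmf(data):
    """Offsets of records that set an abort procedure, found two ways: by
    walking the record chain and by a byte search that still fires when
    the chain has been corrupted."""
    hits = set()
    for off, size, func in walk_records(data):
        if func == META_ESCAPE and size >= 8:
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.add(off)
    pos = data.find(ABORTPROC_PATTERN)
    while pos != -1:
        if pos >= 4:
            hits.add(pos - 4)                      # pattern sits after the 4-byte size
        pos = data.find(ABORTPROC_PATTERN, pos + 1)
    return sorted(hits)


def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample_wmf(with_abortproc):
    """Constructed test input: a tiny metafile with one benign record and,
    optionally, a SETABORTPROC escape whose data is four zero bytes."""
    body = _record(META_SETMAPMODE, struct.pack("<H", 8))
    if with_abortproc:
        body += _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
    body += _record(META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 7, 0)
    return header + body


def with_bad_size(data, offset, size_words):
    """Copy of data whose record at `offset` claims a bogus size (desync test)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, offset, size_words)
    return bytes(buf)


if __name__ == "__main__":
    print(scan_wmf(build_sample_wmf(True)), scan_wmf(build_sample_wmf(False)))
```

Point the scanner at real files with scan_wmf(open(path, "rb").read()); an empty list means no SETABORTPROC escape was found by either method, a non-empty list is worth a look regardless of what the file extension says, since the vulnerable code path is selected by content, not by name.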
Yes, and send someone who knows what to do whether it's a drill or a real failure.
One place where I used to work, a drive in a RAID array failed. No problem, they sent the new kid to replace the drive--easy to tell, it was the one with the red light in the middle of the array. But being the anal-retentive organizer he was, he decided to MOVE THE OTHER DRIVES OVER so the new one would be at the end. That took the array offline of course and totally confused the controller once it did see the new drive. For more than a week they claimed the data loss was due to a "rare double-drive failure".
Oh, and of course they lost several days worth of data because the last two tape backups wouldn't restore and the heads hadn't been cleaned for six months, but you could have guessed that.
I think Microsoft has fallen down by focusing too much on corporate America.
Corps and individuals want different things from their apps, and they even want different apps in many cases. Corps want everything to be centrally installable, configurable, and controllable by their IT dept to conform to company policy. In the individual case, the only centrally controlled PCs are the 0wned ones hacked by some eastern European crime cartel.
Look at it through the lens of a corp-focused company, though, and there is an opportunity. Many individuals want their PCs to be managed by someone else, either to save the hassle or because they don't know what they're doing. What if Microsoft was the central manager? You'd have to feed them a LOT of data about what was going on in your PC, just like IT management. And you'd have to pay them a maintenance fee. Basically that's what is going on with Windows OneCare.
Hey, rework the APIs all you want, if you think that's what stands between developers and quality applications. If you're talking about the behind-the-APIs code, change all that too since it shouldn't affect developers or users. No matter what, though, all the old APIs have to stay there for compat reasons.
The changes to the user interface really grind my gears. No, not the transparency and cooler icons, I don't really care about those one way or another because I can turn them off. Vista has moved a lot of the common tasks around for reasons that make no sense. It's harder to find most system settings because they are several clicks deeper in the UI. Who does this benefit? It's not better for experts, who already had figured out the old locations whether they made sense or not. It's not better for Grandma, who *still* can't find or change any settings; now her brainy grandson can't help her either. It's not better for new users--are there any new Windows users anymore?
This is the original blog that revealed the SunnComm DRM installed despite the user declining the EULA. Whereas the XCP DRM could hide behind the EULA excuse, I don't see how SunnComm has any legal fig leaf here (though IANAL).
Supposedly there is about ten times more SunnComm DRM in the wild than XCP DRM, so maybe Sony felt they couldn't sacrifice holiday sales despite the legal exposure.
If there ever was an endorsement for web-based applications, this is it. When a bug is fixed in Windows or Linux, it stays active in the wild for months or years because many users don't update. With web apps the user basically gets an "update" each time they visit the site. If Google fixed the problem on December 1, the vulnerability could have been announced the same day without any kind of negative impact.
...for large companies. By that point in your life you've learned enough to know that big companies move slowly and make dumb decisions. By age 40, you've either moved into management to participate in the stupidity, or you've left for a small company or consultancy. At least that's the way it's been for me and my friends.
I love programming and will write code until I die. It's fun (in a perverse way) to come in to various companies, fix their WTF code and look like a hero.
The OP got it all screwy, and must not have read (or at least understood) the IEBlog entry that explains it pretty well.
Basically, they are removing the intranet zone for XP Home users because they don't believe it's needed, and having it creates another attack surface. You'll be able to get it back if you want; the first time you use what would be an intranet zone address, IE will show the yellow Information Bar and you can click to restore it.
Zone spoofing will still be possible by using Trusted Sites zone, although it will be harder since very few sites are in that zone. Software from a few companies like AOL add themselves to that zone without telling the user though, so it still could be possible.
180 is suing ZoneLabs for a very specific and narrow statement as far as I can tell. ZoneLabs says 180 is monitoring key and mouse info, 180 says it is not. The analysis linked from TFA explains that he found evidence of setting a windows hook. The question is, does Zango use that hook to collect mouse and key info, even for a short time, or are they using the hook for other purposes? What would those purposes be?
I just checked at my local stores this weekend, and results were mixed. Borders had already pulled all the affected CDs from the shelves. Target still had them on the shelves but had entered the UPC codes into their system as recalled based on an email they got on Wednesday night. I couldn't buy the CD because it was flagged.
Best Buy, on the other hand, was clueless that there was a recall. I handed the manager on duty a copy of the official press release from the Sony BMG web site and he reluctantly let me pull the titles I could quickly find (6 Switchfoot, 1 Neil Diamond, and 4 Van Zant) and put them in a basket so they could store them in the back room until the mothership sent word about what they should do.
So they have a massive shortage of the product before the holidays and are selling it at a loss? Methinks someone sold at the wrong price point. It should have started $50 higher and then dropped in January or February, or they could have done a $50 rebate with a tight deadline.
It's not about hotels, it's about houses. (Geez, sounds like Monopoly here.)
TiVo has access to a lot of user preferences information. Companies like Nielsen and Arbitron have made large businesses out of tracking consumer behavior, but TiVo's use of technology would make it much more accurate.
The problem is, the content providers only want accuracy if it benefits them. The old "journal" system for radio and TV habits reflected what the user liked but not what they necessarily watched. There was quite an uproar when Nielsen switched to an electronic system, precisely because it indicated a drop in viewership.
It is not hard to detect the Sony/XCP rootkit using a simple script. Even in its cloaked state, several telltale signs peek through. For example, it only hides keys that start with $sys$ and Windows requires a few keys where that string is not at the start of the key. One of these is LEGACY_$sys$drmserver. See the CA writeup for details on the keys and where to find them.
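Added example, not the commenter's script and not from the CA writeup: the telltale check described above, plus the classic cloaking probe. The driver hides names that begin with $sys$, so a visible name with $sys$ further in (LEGACY_$sys$drmserver) is exactly what leaks through, and a visible name that starts with $sys$ means XCP is present but its filter is not active (safe mode, driver stopped). The sample key list is constructed; on Windows, enumerate_enum_root() pulls the real LEGACY_* entries from HKLM\SYSTEM\CurrentControlSet\Enum\Root.

```python
"""Added example (not the commenter's script): the telltale check described
above, plus the classic cloaking probe. The sample key list is constructed
for this example; on Windows, enumerate_enum_root() pulls the real list."""
import os
import tempfile

CLOAK_PREFIX = "$sys$"   # XCP's driver filters names that begin with this


def classify_name(name):
    """'leak'      -> $sys$ appears later in the name (LEGACY_$sys$drmserver):
                      the filter does not catch it, so it shows even while cloaked
       'uncloaked' -> name starts with $sys$ yet is visible: XCP is present but
                      its filter driver is not active (safe mode, driver stopped)
       None        -> nothing to see"""
    pos = name.lower().find(CLOAK_PREFIX)
    if pos < 0:
        return None
    return "uncloaked" if pos == 0 else "leak"


def xcp_telltales(names):
    found = {}
    for n in names:
        verdict = classify_name(n)
        if verdict:
            found[n] = verdict
    return found


def cloak_test(directory=None):
    """Create a file whose name starts with $sys$ and see whether a listing
    still shows it. True means something is hiding $sys$ names."""
    created = directory is None
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, CLOAK_PREFIX + "probe.txt")
    with open(path, "w") as fh:
        fh.write("probe")
    try:
        return os.path.basename(path) not in os.listdir(directory)
    finally:
        os.remove(path)
        if created:
            os.rmdir(directory)


def enumerate_enum_root():
    """Windows only: subkeys of HKLM\\SYSTEM\\CurrentControlSet\\Enum\\Root,
    where the LEGACY_* entries for kernel drivers live. [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Enum\Root") as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:
                return names
            index += 1


# Constructed sample, standing in for a registry dump from an infected box.
SAMPLE_KEYS = ["LEGACY_ACPI", "LEGACY_$sys$DRMServer", "LEGACY_Cdrom", "$sys$DRMServer"]

if __name__ == "__main__":
    keys = enumerate_enum_root() or SAMPLE_KEYS
    print(xcp_telltales(keys), "cloak active:", cloak_test())
```

Both checks are deliberately cheap: they use ordinary directory listing and registry enumeration, which is the very view the rootkit filters, so a positive result from either one is a positive result from the rootkit's own behaviour rather than from a signature it could rename around.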
everphilski, have you actually checked that with the Sony CDs? Because it doesn't work.
The settings on the AutoPlay tab are for "Autoplay V2" which determines the action based on the content of the CD (mp3 files, image files, etc.). The Sony CDs use "Autoplay V1" which only requires a file named Autorun.exe in the root of the drive. Even if you turn off all the features on the Autoplay tab, it will not disable Autoplay V1.
There are several ways to disable the V1 variety, if you don't want to manually RegEdit just download TweakUI and you can turn it off that way. If you prefer the registry method, Google for DriveTypeAutoRun to disable them on a per-drive letter basis or services cdrom autorun to turn it off for all CD/DVD drives.
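Added example, not the commenter's instructions and not from TweakUI: a script that writes the .reg file for the registry route above. The value names are NoDriveTypeAutoRun (one bit per drive type; 0x20 is CD-ROM, 0xFF is every type) and NoDriveAutoRun (one bit per drive letter, A: being bit 0) under Policies\Explorer, and AutoRun under HKLM\SYSTEM\CurrentControlSet\Services\Cdrom, which switches the Autorun.inf-driven launch off for every CD/DVD device. Putting the policy values under HKCU rather than HKLM is an assumption made for this example.

```python
"""Added example (not the commenter's code): build a .reg file that turns off
Autorun V1 by the two registry routes mentioned above. The bit values and
the Services\\Cdrom\\AutoRun value are Windows facts; writing the policy
under HKCU rather than HKLM is an assumption for this example."""

# NoDriveTypeAutoRun: one bit per drive type; a set bit disables Autorun there.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,
    "fixed": 0x08,
    "remote": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "unrecognized": 0x80,
}

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
CDROM_SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom"


def drive_type_mask(types):
    mask = 0
    for t in types:
        mask |= DRIVE_TYPE_BITS[t]   # a typo raises KeyError instead of silently doing nothing
    return mask


def drive_letter_mask(letters):
    """NoDriveAutoRun: bit 0 is A:, bit 1 is B:, ... (the per-letter variant)."""
    mask = 0
    for ch in letters.upper():
        if not "A" <= ch <= "Z":
            raise ValueError(f"not a drive letter: {ch!r}")
        mask |= 1 << (ord(ch) - ord("A"))
    return mask


def build_autorun_reg(types=("cdrom",), letters="", disable_cdrom_service=False):
    """Return the text of a .reg file importable with regedit."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{POLICY_KEY}]",
        f'"NoDriveTypeAutoRun"=dword:{drive_type_mask(types):08x}',
    ]
    if letters:
        lines.append(f'"NoDriveAutoRun"=dword:{drive_letter_mask(letters):08x}')
    if disable_cdrom_service:
        # Kills Autorun for every CD/DVD device regardless of policy; needs a reboot.
        lines += ["", f"[{CDROM_SERVICE_KEY}]", '"AutoRun"=dword:00000000']
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # every drive type, plus D: and E: explicitly, plus the Cdrom service switch
    print(build_autorun_reg(types=DRIVE_TYPE_BITS, letters="DE", disable_cdrom_service=True))
```

The two policy values take effect at the next logon; the Cdrom service value needs a reboot. Setting the type mask to 0xFF is the safe default if you are not sure which kinds of media you care about.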
Agreed that the story headline isn't worthy of the facts. Still, if an EMI exec has a "belief" there's a good chance he and his cronies will try to twist enough arms to get what they want. At the moment they control most of the big acts, but that could change. Why couldn't Apple sign artists directly to iTunes exclusive contracts for example?
Listen to this interview with Steve Gordon, a music industry lawyer, and you'll find out a few gems. (It starts slowly, skip to about the middle of it.) In the interview he mentions that Apple is paying 70 of the 99 cents back to the music industry. Apple has to run iTunes and pay all the transaction costs out of the 20 cents they have left. They are lucky to break even on music sales. BUT...it drives sales of iPods, and the music industry covets that money. They feel that Jobs duped them in the deal.
Sure enough, the Red Herring article confirms this resentment: "We are selling our songs through iPod, but we don't have a share of iPod's revenue," he said. "We want to share in those revenue streams. We have to get out of the mindset that our content has promotional value only."
Does this sound reminiscent of the "Google should pay to use our pipes" argument we heard from SBC a month ago? The music distributors are in the same boat. They don't want to be commoditized or bypassed and they are coming up with all kinds of delusional ideas for bailing water out of their sinking ships.
The players here already have blood on their hands. Yahoo's Overture division is the primary source of revenue for Claria Corporation, one of the biggest offenders out there. TRUSTe makes big money to certify web sites and basically takes the company's word about their answers to a form.
It's not just about spying or offering an uninstall link. For example, the Ask Jeeves folks make a toolbar that is bundled with a cute little utility named Smiley Central that is heavily advertised on game and kids sites. When you install it, it reconfigures your search setup to funnel all searches to Ask Jeeves. It also tacks little advertisements for itself onto your outgoing emails. But remember, you agreed to all that in the EULA, or at least your 10-year-old must have. Sure it has an uninstall, although the average computer user doesn't even know Add/Remove Programs exists much less what should be removed.
The question is will it be complete and compile?
... uh, where did it go?
Yes, with gcc.
Don't they have to hide parts of Windows that are licensed from other companies?
Yes, take $sys$network.h
If you want to turn off USB drive access on XP, this command will do it:
sc config usbstor start= disabled
To turn them back on, use this:
sc config usbstor start= demand
Be sure to include the space after the equal sign. You can get sc.exe from the Windows 2000 Resource Kit as well.
http://support.microsoft.com/?kbid=166819
Read on, it says that the BCDEDIT option will be removed before final Vista code ships, perhaps as early as Vista RC1.
Unregister the dll that provides WMF viewing. Click Start, Run, and enter this:
REGSVR32 /U SHIMGVW.DLL
Sunbelt has more detail here.