
February 27th, 2007 by mb
OK, this issue started with an article by Symantec titled “An Example of Why UAC Prompts in Vista Can’t Always Be Trusted.”
After that, Thor (Hammer of God) posted his opinion on Bugtraq, which prompted a few other responses.
So I decided to look at the issue more closely and add my own opinion. The result is that this really is a hyped issue. What makes this issue FUD is that the Symantec posting implies this is a serious issue and never clarifies the actual risk. Then, many news sources picked it up without really understanding the issue at hand. What further hurts the credibility of the post is that Symantec is probably not completely objective on this issue, given their own future competing products.
Posted in Malware, Windows Security

February 25th, 2007 by mb
Recently a friend was complaining to me about the “screen flickering” that occurs whenever a User Account Control (UAC) prompt comes up in Vista, and he wanted to know how to turn it off—not UAC, just the dimming and flickering effects. He said he had already looked in the display settings and didn’t see anything there.
Posted in Hardening, Malware, NTFS, Uncategorized, Windows File Protection, Windows Security

February 19th, 2007 by mb
When I was a teenager in California there was a private oil pier near Rincon that we liked to jump off. It was great—you’d throw your surfboard off first so there was no backing out, because it was scary looking down at the dark green ocean so far below you. Once your board was in the water you had no choice but to follow it out into the emptiness below.
Posted in Hardening, Malware, Windows Security

February 17th, 2007 by mb
I thought I would add a bit more to my original post to clarify the problem. Half of the problem is the way Windows resolves an unquoted path that contains spaces, and the other half is software developers who don’t quote their paths in the Registry or when calling CreateProcess. No built-in Windows services have this problem, and the issue has been documented for over a decade.
Posted in Hardening, Malware

February 17th, 2007 by mb
A couple of years ago I mentioned in a SecurityFocus column that Windows has a problem when you put a file named “program.exe” in the system root directory. The problem is basically in how it deals with spaces in paths that don’t have quotes around them: when a program is launched through an unquoted path under C:\Program Files, Windows will try to run C:\Program.exe before it gets to the intended executable. Anyone with the permissions to create a file in the root directory could create a malicious program that could escalate their privileges. Here’s an excerpt from that article:
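The path-splitting rule behind the “program.exe” problem, written out as an added example (this is not code from the original post or from Microsoft; it is a pure string model of the documented CreateProcess behaviour that can be run offline against ImagePath values copied out of the Registry). The service names and paths in SAMPLE_IMAGE_PATHS are constructed for illustration, and the extension test in _has_extension is a simplification, marked as an assumption in the code.

```python
"""Added example: how Windows resolves an unquoted command line
(CreateProcess with lpApplicationName == NULL, which is also how a
service's ImagePath is launched) and where a "program.exe"-style file
would hijack it. Pure string logic, no Registry access, runs on any OS.
"""
from __future__ import annotations


def _has_extension(path: str) -> bool:
    # Assumption (simplification of the documented rule): the last path
    # component counts as already having an extension if it contains a dot.
    return "." in path.rsplit("\\", 1)[-1]


def _prefixes(cmd: str):
    """Yield the command line cut at each space, shortest first, longest last."""
    for i, ch in enumerate(cmd + " "):
        if ch == " ":
            prefix = cmd[:i]
            if prefix and not prefix.endswith(" "):   # skip runs of spaces
                yield prefix


def createprocess_search_order(command_line: str) -> list[str]:
    """Files CreateProcess tries, in order, for a command line.

    Documented behaviour: a quoted first token is used as-is; otherwise the
    string is split at every space and each prefix is tried, with ".exe"
    appended when the prefix has no extension, until one of them exists.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command line")
        return [cmd[1:end]]                     # quoted: exactly one candidate
    return [p if _has_extension(p) else p + ".exe" for p in _prefixes(cmd)]


def hijack_points(command_line: str) -> list[str]:
    """Candidates tried *before* the intended executable.

    Each is a file an attacker could plant to run code as whoever starts
    the process (LocalSystem for most services). An empty list means this
    command line is not exposed to the space-in-path problem.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return []                               # quoted paths are safe
    points = []
    for p in _prefixes(cmd):
        if _has_extension(p):
            break                               # reached the real executable
        points.append(p + ".exe")
    return points


def audit_image_paths(services: dict[str, str]) -> dict[str, list[str]]:
    """Map service name -> hijack locations, for every service whose
    ImagePath is unquoted and contains a space before the executable."""
    findings = {}
    for name, path in services.items():
        points = hijack_points(path)
        if points:
            findings[name] = points
    return findings


# Constructed sample ImagePath values (not taken from a real machine).
SAMPLE_IMAGE_PATHS = {
    "ExampleSvc": r"C:\Program Files\Example Vendor\Agent\agent.exe -service",
    "ExampleSvcQuoted": r'"C:\Program Files\Example Vendor\Agent\agent.exe" -service',
    "NoSpaceSvc": r"C:\Windows\System32\nospace.exe -k netsvcs",
}

if __name__ == "__main__":
    for svc, points in audit_image_paths(SAMPLE_IMAGE_PATHS).items():
        print(f"{svc}: an attacker who can create any of these files wins:")
        for pt in points:
            print("   ", pt)
```

To check a real host, paste the ImagePath values from HKLM\SYSTEM\CurrentControlSet\Services (or the output of `sc qc <service>`) into the dictionary. For each reported location the decisive follow-up is whether a low-privileged user can create a file there, which is exactly the question the post raises for the root of the system drive.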
Posted in Application Security, Hardening, Malware, Tools

February 15th, 2007 by mb
One thing that bothers me about many web sites out there is how I get to (or don’t get to) choose my account name. Sure, many web sites let you have any account name you want, but some web sites just want to use your e-mail address. While this is very convenient for low-security sites that you rarely visit, sometimes it just isn’t appropriate. What do you do, for example, when your e-mail address changes?
Posted in Application Security

February 15th, 2007 by mb
If you do any kind of .NET web development, it would be well worth your time to dig through Microsoft’s Patterns & Practices Security Wiki.
The Wiki is a good index of old articles and a launching point for new articles on secure web development. Even if you have a small web application, it doesn’t hurt to be part of the solution, not part of the problem.
Posted in Application Security

February 15th, 2007 by mb
Posted in Passwords

February 13th, 2007 by mb
There are many ways you can use digital certificates in Windows. The only problem is that it often involves either having your own CA, paying for certificates from a trusted CA or, the worst option, using self-signed certificates. Fortunately, there is another solution. CAcert.org provides free digital certificates for anyone who wants to set up an account. This frees you from having to bother with setting up a certificate server and of course it doesn’t cost you anything. One caveat: the CAcert root is not in the Windows trusted root store by default, so you still have to install it on every machine that should trust these certificates.
Posted in Cryptography, Windows Security

February 12th, 2007 by mb
I have always been annoyed with the huge number of files under the Windows directory, but I was very surprised when I looked at my Windows directory under Vista: 39,609 files and 7,411 folders!
Posted in Hardening, Windows File Protection, Windows Security

February 9th, 2007 by mb
I was playing around with the cool new Yahoo! Pipes site and built myself a feed on password topics. I’m sure I will be tweaking it some as I learn how to use Pipes, but I thought I’d pass my pipe around to others who are interested in passwords. You can view my password topics pipe here:
http://pipes.yahoo.com/pipes/iLQCZHG42xG0wG8iXqIxGw
You can also subscribe to the feed using RSS, JSON, e-mail or phone.
Posted in Passwords

February 7th, 2007 by mb
The release of Windows Vista seems to have brought on a tremendous amount of criticism. Of course, CNET has yet another article with an apparent anti-Microsoft agenda. The article criticizes the fact that Vista’s firewall does not block outgoing traffic by default. In other words, the author wants Vista to prompt you every time a program first accesses the Internet. This is actually kind of ironic considering that Apple’s latest TV ads criticize Vista for having too many security prompts.
Posted in Windows Security

February 6th, 2007 by mb
I got an e-mail earlier this week from a financial web site. The e-mail displayed the last 4 digits of my U.S. social security number. Presumably, they didn’t show the entire number for security reasons, but I wondered how secure it really is to show even the last 4 digits. Can someone easily guess my full SSN with just the last 4 digits?
Posted in Application Security, Privacy

February 5th, 2007 by mb
This absurd article at CNET claims that security experts don’t recommend buying Windows Vista for the security features. The article tries to cast doubt on the effectiveness of the new security features in Vista. But I disagree. I think security experts do recommend switching to Vista.
Posted in Windows Security

February 5th, 2007 by mb
If you have ever locked down a Windows 2003 or Vista machine you have probably run across the Application Experience Lookup Service, also known as Application Experience or AeLookupSvc. The documentation on this service is pretty vague and sometimes contradictory, so people often ask me whether they should keep this service enabled or disable it. I thought I would clarify exactly what this service does.
Posted in Hardening