Windows Vista Employee Timekeeping:

The first bad idea comes to light as a series of lawsuits against employers.  Their bad idea?  Tying in a time-keeping system for logging hourly employee hours into the startup and shutdown of an employee’s Windows Vista PC.  At first glance the idea sounds reasonable enough.  You identify how many hours an employee has worked by how many hours their computer has been on.  Simple and efficient.  Way better than some error-prone clock and paper stub system, right?

Well.

…Err…

Wrong.

Hence the lawsuits.  Now you’d think Microsoft might be to blame in this one, because everyone loves to blame Microsoft and it is Windows Vista.  And in a way Microsoft is to blame… just not legally.  The problem, you see, is that in some cases Windows Vista is taking over 15 minutes to start up or shut down.  And so employees on this computer-driven clock are sitting there for fifteen minutes at startup before being “clocked in” and likewise again at shutdown before being “clocked out”.  In these really bad cases, that’s a half of an hour a day that the employee is not being payed.  At five days a week that’s two and a half hours of unpayed time.  It adds up fast.  Even the employees who suffer less because they have faster PCs are still accumulating hours and hours of unpaid time over the course of their employment.  And obviously, to them, that stinks.

Clearly the idea of using the computer for timekeeping is in need of some adjustment.

US Army USB Sticks:

So you’re a soldier in the Army.  You don’t always have access to a nice handy network for delivering files.  So you have your handy-dandy military issued USB stick.  It’s a simple solution to data mobility.  Which is great.  Until some schmuck brings in a virus.  Uh oh!

Yeah.

The Agent-BTZ worm, a modification of the SillyFDC worm, has been thrashing the US Army so badly that until they get it nailed down, no one is allowed to use any portable media solution.  No USB sticks!

Once the infection is removed, military issued portable media will be allowed once more.  But all of those naughty naughty soldiers and civilian contractors will have to stop using their own personal devices.

It actually comes as a surprise that the US Army didn’t see this coming.  Or maybe they did but they had no solution.  It seems like Windows autorun feature would be the first hurdle to tackle.  In a high-security environment, it’s kind of bad to just automatically run executable code when you stick a device into a PC on a highly secured network.  Next would be a good idea to do the opposite: Run a security program to scan any device for viruses automatically when it’s plugged into such a computer.  (Or even on any CD/DVD/Blu Ray/etc.)  And then of course, obviously, control the use of non-issued media. There are always rules about such things, but never complete enforcement.

Because keyloggers and remote executables on highly sensitive military servers is “A Bad Thing”.

Apple MacBook DisplayPort:

So you bought a shiny new Apple MacBook, and you’re all happy.  You hook up your old monitor to it (or one you bought on discount, et cetera) using a DisplayPort to DVI or VGA connector and sit down to watch this great video you bought from iTunes to celebrate your new purchase.

Only to have your new computer tell you that you can’t play your protected content on your unprotected screen.

Doh!

Yeah.

Because Apple’s DisplayPort is basically an HDMI port, using a built in copy-protection system like HDMI’s High-bandwidth Digital Content Protection (HDCP).  Only, because it’s Apple, they made it proprietary and call it DisplayPort Content Protection (DPCP).  It’s basically the same thing.  Before it will play, the media player asks if the media displayer (the monitor or TV) can decode the encrypted signal it’s about to send to it.  If it can’t do so, it doesn’t play.  This keeps pirates from grabbing an unencrypted video mid-stream and recording it.

There’s just one problem.  Apple’s DisplayPort is basically new and basically unused, because it’s proprietary.  So there aren’t many monitors or TVs out there that support it, and certainly buying a new one is expensive.  And Apple, the micro-managing control monster that they are, don’t give you unprotected VGA or DVI ports on MacBooks.  So you can’t connect your monitor or TV up to your MacBook in a way that skips this annoying layer of DPCP copy protection.  You have to do it through the protected DisplayPort in some way.  Meaning, basically, you’re screwed.  So you either have to buy a brand new Apple monitor, or settle for watching the video on your little laptop screen.  (Is there even a TV that will support it?)

You see, this is where PCs have that awkward advantage.  Because PC manufacturers really don’t care.  They’re not there to control your ever move.  In fact, they’re quite “open”.  So even though your PC might have a similar (though much more widely used standard) HDCP copy protection over an HDMI cable connection, it will also have a DVI or VGA port (or even component, s-video, or composite video cable option) where it will let you connect up to any old TV or monitor and play your protected videos.

I don’t think Apple really appreciated the number of MacBook owners that would, you know, actually use iTunes?  Or Apple just didn’t appreciate the number of people that actually wanted to watch their videos on a screen larger than a laptop?

Hmm…

Either way, Apple is not exactly impressing customers with this.

And so long as Apple continues to ship notebooks with only a DisplayPort (no DVI or VGA port) Apple customers will continue to have this problem.

At least until some inspired hack builds a DisplayPort to DVI converter that uses the converter to respond back to the MacBook that all is secure instead of letting the monitor/TV do that.  But that would probably be illegal as it’d circumvent security measures.

You might have thought that with Microsoft’s “Patch Tuesday” fix of the seven year bug, things would be over.  And in a more perfect world, they would be.  Unfortunately we don’t seem to live in that more perfect world.

The problem is, according to sources like Metasploit, it ain’t over yet.

“The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim,” says Metasploit.  In fact, Metasploit goes on to say, “The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to.”

And since this is quite possible to do, it basically means that Microsoft’s “fix” ammounts to nothing for any dedicated attacks.

So what does Microsoft have to say about it?  Well, let’s take a gander over here, where Christopher Budd speaks.

Let’s see. “At a high level, the behavior that was discussed in the original SMBRelay attack is related to some of the basic behavior of the legacy NTLM protocol.“  Okay, congratulations on being able to throw acronyms around.  “When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications.“  Well … yeah.  Obviously fixing the problem would mean changes to every application that uses the faulty code.  It’s a lot of work.  Something that should have gotten on right away, instead of being put off.  But why do that when you can procrastinate?

“We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.“  So the workaround wasn’t actually feasible.  Microsoft’s own words here.  “As Mark notes in his post, implementing SMB signing is still an option and one that we ultimately recommend.“  Wait, so it’s not feasible, but it’s still the option that Microsoft recommends?  Even after releasing their “fix”?

“However, if you’re like me and remember the SMBRelay attack, you now have a protection option in case you can’t implement SMB signing: apply MS08-068.“  Oh, great.  The MS08-068 that according to Metasploit isn’t actually a fix at all because a hacker can work around it to still execute code remotely.

So let me get this straight.  Microsoft delays a fix to Windows for seven years because it would mean also fixing all of the affected networking clients.  Instead of just fixing it and fixing the clients too.  Their suggestion to people who are afraid of an attack by this route are to use an admittedly “infeasable” workaround.   And when, so much later, Microsoft finally patches the actual security hole, they don’t fully patch it, but just one approach to it.  So that hackers can still get around the patch.  So your options are use a patch that doesn’t work, or use an “infeasable” workaround? And that’s after seven years!

Yep.  That’s security, Microsoft style.

This was one of those things that when I first saw it happening, knew it was going to be trouble.  And sure enough, it went to court.

Now, I’m of two minds on this.

On the one hand, Microsoft clearly made their stupid Windows Vista Basic level far below what every other version of Windows Vista could run.  It was a clear and obvious ploy to put “Windows Vista Capable” logos onto machines far below actual Windows Vista capability.  And in all fairness, I think that Microsoft deserves some kind of slap on the wrist for that.

Was this done for Intel’s sake though?  I don’t know.  Really.  I’m glad I’m not the one who has to decide that.

I can see it.  Don’t get me wrong.  But I can also see a desperate Microsoft, willing to do anything to replace Windows XP.  And willing to do a lot to break into markets typically dominated by low costs, piracy, or a bit of both with a low-cost low-requirement version of Windows Vista.  Let no market go without a fight.

And so, by that very argument, I can almost see a legitimate market for Windows Vista Basic.

Almost.

But most certainly, Windows Vista Basic’s tie-in with the Windows Vista Capable logo branding machine was a very bad choice.  It created a lot of half-truths that ignorant consumers could find confusing.

And there’s the real rub.

What ignorant consumer spends so much money on a computer without even trying to research their purchase, and then has any right at all to complain when they foolishly spent their money?  Even the tiniest bit of research into the requirements for Windows Vista Basic and every other version of Windows Vista would have shed millions of watts of illumination.  (I know, watts isn’t technically the right term.  More like lumen, candel, lux, et cetera.)

So is Microsoft in the wrong for the confusing labeling?  Or is the consumer at fault for not even trying to understand something that was clearly documented?  I believe in protecting consumers.  I really do.  But somewhere you do have to draw a line.  At some point you do have to say, “Beyond this point, you the consumer were just not doing your own due diligence, and thus on your own head your foolishness be.”  I mean the phrase “caveat emptor” has survived so long for a reason.  Microsoft may have made a slightly confusing system, but it was far from obfuscated, so could one really call it misleading?

But deeper than this, is also the question, was Intel actually directly involved?  That, I find all that much harder to decide.  Because, as I already noted, there were legitimate reasons for Microsoft to create Windows Vista Basic.  It may have been bad form to call it Vista.  It certainly was ill advised to include this level of Windows Vista into the Windows Vista Capable program.  But even if Intel were in some way involved (and why woudln’t they be, being the largest PC CPU and motherboard chipset manufacturer by far in a PC operating system issue) are they really culpable in any of the damages?  Even the same system that gave Intel the(fair or unfair) “advantage” to labelling underpowered systems as Windows Vista Capable also gave companies like AMD and Via the same advantage.

So I’m glad that I’m not involved in the trial.  Because it’s certainly a mess.

I think it’s fair to say that Microsoft deserves at least some kind of slap on the wrist.  Possibly even more so.

Less sure though am I of Intel’s culpability in the debacle.

One thing is however certain in my mind, and that is that consumers should not get off without their own slap.  It really was not that confusing.  And it was clearly documented.  All that a consumer had to do was care enough to do five minutes worth of web surfing.  If that.  It was all right there, out in the open.  It would be like buying a car with a deisel engine and then complaining that it wouldn’t run on unleaded.  Or that it sometimes has problems starting in cold weather.  There’s still a certain level of onus upon the buyer.  There are plenty of misleading things going on every day.  This, in my opinion, barely qualifies.  The only difference is that this has a nice big target on it, Microsoft.  So I don’t think this is so much about the actual issue as it is about the cha-ching!

Microsoft Patch Tuesday, a day that everyone holds their breath in wonder.  Which bugs will be fixed today?  How will this affect out IT infrastructure?

Well, this one has a doozy!

A flaw in Server Message Block (SMB) has been fixed.  Yay!  But how long has this flaw really been known?  Well, Metasploit chalks it up to “Sir Dystic” at a hacking conference in 2001.  While elsewhere it is suggested that the original find is credited to “dildog” (AKA Christian Rioux of Veracode) even further back in 2000 at Defcon.

Either way, that’s an awfully long time to just sit on a critical security flaw.  Oh, sorry, Microsoft itself only labels the flaw as “important”.

I guess we should just be glad that it’s finally fixed.

It’s almost surprising really.  People actually want Windows 7, so much so that they’re already pirating it.  This is no mean trick since it’s pre-beta.  Yet it isn’t entirely unexpected, as news of the private beta hit Microsoft’s Professional Developers Conference.  All it takes is a single leak.

Well, a single leak, and someone who actually cares.

Apparently, people care.

Torrent sites such as Mininov, Pirate Bay, and Seedpeer are hosting the 32-bit and 64-bit versions of the Windows 7 pre-beta.  (Not that I support piracy.  I don’t.  But it’s interesting that the Windows 7 pre-beta is already being pirated.)  It’s almost like a wildfire.  People haven’t been this interested in a Microsoft OS since XP.  It almost makes me wonder if there wasn’t some intent there, somewhere.  But of course not.  Microsoft would never do anything so drastic to take people’s minds off of Vista…

Meanwhile, Microsoft says that the official open beta of Windows 7 will begin in early 2009.  Just in time for people to have gotten over that it won’t be there for the Christmas rush, but not so far away that people forget it entirely.  Good planning on Microsoft’s part.  The sooner that they can get people to forget the name “Vista”, the better.  But not before they’ve milked it for all they can, of course.  Nothing says sales like Christmas.  Let the replacement’s beta come after then.

Well, whatever games be afoot, let’s just hope that this time, when Microsoft releases Windows 7 for real and in full, that it’s actually tested and fixed.  I look forward to Microsoft’s next great OS … just so long as it actually works.