Okay so it's been a while since my last blog post - I've been stupid busy at work. I was out in Redmond for a couple of weeks hanging with my team and it's just been non-stop since I got back - but here's what's new.
- I got a new notebook and it freaking rocks. I had a Dell D600 and I had nothing but problems with it and Vista (all just driver related stuff - the OEMs it seems are busy making drivers for their latest hardware rock on Vista and the older stuff isn't feeling the love) . . . but I like Dell notebooks and I've had them for at least the last 5 years or so and I've never really had any hardware issues and their support web site is generally pretty good. Fortunately my team ordered the spiffy new Dell D820 and so far it has made all of my wildest dreams come true. 🙂 It's got the 2.33GHz (4MB cache!) Core 2 Duo CPU that supports hardware virtualization with 2GB of RAM and 80GB drives . . . Vista freaking loves it - and it loves Vista. It's got an nVidia chipset with 256MB of on-board video RAM so Aero is a rockin'. It's got a built-in TPM module which I'm going to try and get working with BitLocker today (hopefully - the only folks I know who've tried BitLocker had Toshibas with various incarnations of the TPM spec and they had issues until late into the Vista release). So far I've installed 64-bit Vista Ultimate and Office 2007 and various other apps (my LifeCam, Communicator, Messenger etc.). Why did I go with 64-bit Ultimate? For one - you get the system wide DEP setting that enables DEP for all processes unless they explicitly opt out of DEP . . . so this means everything is covered by DEP by default - not just stuff that opts in to DEP (like on the 32-bit SKUs). Next up - you get PatchGuard . . . yeah I know that Skape and Skywing have written papers twice now detailing various ways to bypass it - but we're committed to playing that game so we'll be fixing that real soon now - and I think it's good to have an 'enforcer' to make sure people aren't trying to hook stuff in the kernel they shouldn't be hooking - and you should be happy too because it will keep Vista more stable and stable Vista makes happy users.
And to be very clear - I'm really thankful we have folks like Skape and Skywing pen-testing that stuff for us and reporting what they find so that we can fix it before it becomes widely abused. 🙂 Speaking of security settings - I have to give props to Dell here - when I went into the BIOS to see what it defaulted to I noted that hardware NX was enabled by default and the hardware virtualization was *disabled* by default as was the TPM module. I enabled hardware virtualization as I'm running the 64-bit version of Virtual PC 2007 (beta) and it can rock like that. I enabled the TPM so I can use BitLocker with Vista. Oh and the coolest thing about the experience was that I got to try out 'Windows Easy Transfer' which admittedly I'd never used before. This is our new 'files and settings' transfer wizard thing. Since I had Vista on my old notebook and Vista on my new notebook - I went through the wizard on both machines, provided the old machine with the key to the new machine when prompted and it connected over the network and transferred all of my files and settings for me from my profile on the old machine to my profile on the new machine (including Outlook settings and my PSTs!!!). Nice. The only thing it didn't seem to transfer was my desktop background - but that's in a redirected folder that may not have been available or something.
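A quick way to see, from inside Windows, the DEP policy and TPM state discussed above. This is an added PowerShell example and not code from the original post; it assumes the WMI classes (Win32_OperatingSystem and Win32_Tpm) and bcdedit that ship with Vista, run from an elevated prompt.

```powershell
# Added example, not from the original post: report the DEP policy and TPM
# state the post describes, as the OS sees them rather than as the BIOS shows them.
# Assumes Windows Vista or later and an elevated PowerShell session.

# Win32_OperatingSystem exposes the boot-time DEP policy as a small integer.
$os = Get-WmiObject -Class Win32_OperatingSystem
$depPolicy = @{
    0 = 'AlwaysOff - DEP disabled for all processes'
    1 = 'AlwaysOn  - DEP enforced for all processes, no opt-out'
    2 = 'OptIn     - only processes that opt in (client default)'
    3 = 'OptOut    - all processes except those explicitly excluded'
}
"Hardware NX available : $($os.DataExecutionPrevention_Available)"
"DEP policy            : $($depPolicy[[int]$os.DataExecutionPrevention_SupportPolicy])"
"DEP for 32-bit apps   : $($os.DataExecutionPrevention_32BitApplications)"
"DEP for drivers       : $($os.DataExecutionPrevention_Drivers)"

# Win32_Tpm lives in its own namespace; if the BIOS has the TPM disabled
# (the Dell default the post mentions) the query returns nothing.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    'TPM: not visible to Windows (disabled in BIOS, absent, or no driver)'
} else {
    # Each method returns an object whose property of the same name holds the flag.
    "TPM enabled   : $($tpm.IsEnabled().IsEnabled)"
    "TPM activated : $($tpm.IsActivated().IsActivated)"
    "TPM owned     : $($tpm.IsOwned().IsOwned)"
}

# The boot-configuration view of the same DEP policy (needs elevation).
# An administrator who wants the opt-out behaviour the post describes
# would run:  bcdedit /set nx OptOut   (takes effect after a reboot)
bcdedit /enum '{current}' | Select-String -Pattern '^nx'
```

BitLocker will only offer TPM-based protection when both IsEnabled and IsActivated come back True; if the TPM shows as not visible, the BIOS setting the post mentions is the first thing to check.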
- Okay - enough about the hardware lust . . . here's a bit of a personal story (for a change). This weekend I took a road trip to Ohio to visit some family and see some snow (I miss snow). On the way we stopped at the Virginia welcome center to swap drivers . . . on the way to the restroom I walked by this beautiful Collie that seemed to be wandering the rest area with no collar or leash . . . on the way back out it was still wandering around just following random people and so I stopped to pet it and sure enough it had no collar or tags and it had burs and other assorted crap all throughout his long hair. Shortly after I started petting him my wife came up to me and then a bunch of other people all converged wanting to know if this was my dog. A few ladies said he'd been wandering around for at least 15-20 minutes that they'd been watching and waiting to see if he had an owner. I could tell from petting him that he was extremely thin for such a big dog - you could feel every bone in his body and I could also tell he was a very sweet dog - great personality - very laid back and relaxed. So I looked at the wife and we knew in an instant we were keeping the damned dog. Now I need another dog like I need a freaking hole drilled through my skull (I have 3, now 4, and 3 cats . . . and 2 horses) . . . so that should speak volumes about this dog. I also was travelling with my 3 small kids which is of course cause for concern when picking up hitchhiking dogs. We took 'big dog' (still no name yet) to the van, he jumped in and got in the back seat with my 6 year old and promptly went to sleep on his lap for the rest of the 6 hour drive to Ohio. We have since learned that he is at least 7-9 years old and is probably legally blind (he can see - but he runs into a lot of stuff and is terrified of wood floors and tile floors and steps) . . . the vet said that he doesn't have cataracts but that his lenses have 'hardened' (from being malnourished?).
He weighs 59lbs and he should weigh about 75lbs . . . needless to say he's weak but getting a little more active / alert each day and already I can tell he's probably one of the best dogs we will ever own . . . he's amazing around kids - my toddler can lay on him, play with him, hug him and he just lays there or licks him. He doesn't beg even though he's clearly emaciated . . . he doesn't bark or howl or chase the cats (probably because he can't see - heh) . . .
- Okay enough about 'Big Dog' (open to suggestions on names b.t.w.) . . . I won't be blogging much in the coming weeks because I have a ton of work to catch up on . . . and I have to start writing a chapter for an upcoming book (I'm contributing a chapter to Scambray's forthcoming Hacking Exposed book - my chapter will be on achieving Stealth on Windows and I'm collaborating with Lee Yan who is an Escalation Engineer on the PSS Security team and other folks). Suffice it to say this will not just be a summary of rootkits for Windows - I plan on integrating some personal experiences doing incident response and talking about the various real ways we've seen miscreants achieve stealth on Windows . . . sure some use rootkits - but there are sneaky ways to remain hidden even without rootkits. In addition to needing to write this chapter - I also have to work on a presentation for a conference I'm speaking at in Spain in June. The conference is the FIRST (www.first.org) annual general meeting and I'll be talking about performing incident response on Vista and what's different when compared to Windows XP. Should be interesting - I got to do a bit of IR the other day for an internal employee running Ultimate . . . he got owned by a Valentine's Day e-greeting card thing - I'll try and get a detailed blog write-up of that experience and what I found posted here shortly . . .