Before we get started, is there anyone here from China? China? Anyone? Anyone speak Chinese? I know there's a lot of you, but you may not understand the way I'm asking it. The reason I'm asking is because Seth and I wrote a book on Windows .NET Server security, and a translator from China just wrote to us and said that he's translated it to Chinese. And it's a pirated copy, so we encouraged him to... we said we'd put a link up for anyone that wants it. We'll forward you to him, and you can get a copy of this book in Chinese. Some of you, if you want a free copy, get the Chinese version, because you don't have to pay for it. And also this book is for sale at Loompanics. We're going to be out there. If you want us to sign your copy, you can read it and then sell it on eBay for a small profit right after that, so you won't lose any money. By the way, the Goon staff just told me that I had to give this software, this hardware, away up here. So we're going to ask a couple of questions of you guys when we're done, and whoever gets it right will get this ancient, decrepit equipment. We have no idea. He just said we're giving it away, but you're welcome to it. It's doubtful that it will run .NET Server, though, because .NET Server takes a very high footprint. And for just some bookkeeping items, if we could get the next slide, please. I'm Cyrus Peikari, and this is Seth Fogie. For those of you that want them, the slides are available online, and they're also on the conference CD. So you guys should not have to take any notes at all. You can just relax and enjoy. And there's also a paper that goes along with this talk, because we don't have enough time to go into everything. So we went into more detail in the paper, and that's also available on your conference CD. We encourage you guys to skim through that, or you can download it online, and we'll give you the URL again at the end. And we're also going to leave time for questions. We'll probably talk for about 40, 45 minutes.
And we're not going to be at the DallasCon table, because our table was, last time we checked, piled high with refuse. So it's not very usable, but we're going to be at the Loompanics table afterwards. Next slide. What is .NET Server? Well, first of all, how many people here use Linux? There's your hand, everybody? Okay. So you're here to find X-Files, probably. Who here uses... Who evangelizes open source? Exactly. Evangelize open source. Who uses NT? Okay. Who uses Windows 2000? A lot of people. Is there anyone using .NET Server yet? A few people. Well, then let me ask, does anyone here work for Microsoft? You don't have to raise your hand. That's not a smart thing to do here. Well, .NET Server is the next version of Windows 2000. It's the enterprise operating system that's going to go head to head against Linux. Before you laugh, we're going to go into some more about the architecture. But it's basically Windows 2002 or 2003, if you want to think of it that way. It's been re-engineered from the Windows 2000 code base. And it's actually been delayed several times, and this is significant for our purposes, because the latest word is that it's expected out mid-2003, although Microsoft recently retracted that in the last few days, and they said that it's probably going to be out at the end of this year or early 2003. And in fact, Release Candidate 1 is going to be out in a couple of weeks, from what we've heard. It's out now? Okay, better go get it. And most recently, Microsoft has been saying the delays are for security reasons. It almost seems like Microsoft's become a little skittish because of all the exploits that have been found in their software. They keep pushing it back and pushing it back. Ultimately, it's going to reach a point where, if it's in beta any longer, it's going to be obsolete before it's released. Next slide, please. We're going to just hit a very few of the points of .NET Server security.
We're going to talk about some of the architecture and some of the policies surrounding .NET Server, which we think are going to hurt Microsoft's perception of security even worse than it already is. We're going to talk about Windows Product Activation, the Kerberos implementation, Remote Desktop and Remote Assistance vulnerabilities, and wireless support. And again, the policies. Next slide. Well, WPA is Windows Product Activation, and it is the default anti-piracy scheme of .NET Server. This was actually first introduced in XP, and because of public outcry, Microsoft has been somewhat backing off from it. But it looks like they are going to ship it with .NET Server. Maybe they'll change their mind after our talk, but we doubt that. Can anyone think of... Does anyone... Well, first of all, let me explain what it is. WPA... Well, let's get into that later. But there are some serious privacy concerns with WPA, and a lot of these center around the BSA, or Business Software Alliance. Who knows what the BSA is? That's good. A lot of you will know after this talk what it is and will investigate it more. The BSA is kind of the hired anti-piracy enforcer of Microsoft. They also work for other large organizations such as Adobe and Symantec. What they do is they hunt down businesses that use pirated software and pressure them into paying a fine using various means. They're similar to the Canadian Alliance Against Software Theft, or CAAST. Next slide. Well, the way Windows Product Activation, or WPA, works is when you install the operating system on your machine, it takes a hash based on the specifications of your unique machine. So it's a fingerprint for your individual box. Based on that, you obtain from Microsoft an activation key that will only let it work on that operating system. Otherwise, the OS will expire in two weeks. It'll lock and you won't be able to use it.
It's been said that WPA phones home at intervals in the final release, but we haven't seen that yet, so we don't know for sure, but we'll have to watch it. One problem with this is that if you change out enough hardware, the operating system again will lock, and this could be your production server or your backup server. All of a sudden, you've got a locked operating system and you're stuck. You have to go through Microsoft, and if you read the paper that's on your conference CD or online, we describe one administrator's nightmare when he tried to get WPA activated on his system. Can anyone think of any other software that uses something like WPA? Does anyone? It's Windows Media. It takes a hash of your... AutoCAD. AutoCAD? I don't know. XPE? XPE, definitely. That's where it was introduced. Pardon? Yeah, Work. I don't know that one either. QuarkXPress takes a hash and records it as a hardware downloadable. So apparently Quark takes a hash and requires a hardware dongle, which is basically a hardware... almost like a key, except it's a protection algorithm in hardware that you have to buy, and it's usually very expensive. I believe that EI products actually do this also, but I've been too polite to reverse engineer them because they are our partners. But if anyone looks into that, let me know. Next. Some of the abuses of the Business Software Alliance: we've been talking about this for a couple of years now, but most people don't know about the BSA. The BSA are hired anti-piracy enforcers. They're supported financially by Microsoft to go chase you down. There have been complaints of heavy-handed tactics that they use, and I talk about these in the paper some more, but for one thing, they'll hit your city with a radio campaign trying to get your employees to report you for using unlicensed software. Based on that, they can get a warrant and raid you, and they do it all the time.
Or any kind of anonymous tip is enough for them to get a warrant. In Great Britain, it's been reported that they'll approach the company and say, we've put you on a list of violators or pirates on our website. If you want to get taken off, then you have to run our special software, which scans your network drives for any licenses that have expired. Now, a lot of you laugh at this, but companies actually do this. They're so scared by the whole BSA spectacle that they voluntarily submit and end up paying hundreds of thousands of dollars just so they don't get exposed or raided by the BSA. In fact, the acronym BSA sounds like a federal agency. It's a three-letter acronym, and they show up in your office in suits, usually with a police officer and a warrant, and you think it's a government agency. But the truth is you can just turn these guys away unless they've gotten to the step of getting a warrant. But most of the time, the companies will just roll over and say, okay, come in, audit us, give us a fine, we'll be happy to pay it, just don't report us, which is really silly, but it happens all the time. And in fact, the BSA themselves report that they've collected $75 million in this way so far. Now, if this kind of thing concerns you, the only site that I've seen that really gets into this is stay-legal.org. You should check it out. There used to be an anti-BSA.org, but I haven't seen that up for a while now. Next slide. This is Kerberos, and this was actually drawn by a friend of mine for a book. This is the three-headed dog that guards the entrance to Hades. It's also Cerberus in later mythology. Kerberos was designed at MIT in the 1980s under Project Athena. Now, this is a review for most of you, but for those that don't know Kerberos, I'll do a brief review. Project Athena tried to implement all three heads, which were authentication, authorization, and auditing.
And in fact, later implementations, including Microsoft's, eventually got all three heads working. And it's been thought up until recently that Kerberos was pretty unbreakable. Next slide. And just to review Kerberos authentication, if I can; I don't remember it myself. So if you're a client down at the bottom and you want to access a network resource, such as a server, you can't just go directly. First, you have to go through a key distribution center, or KDC, which is up in the upper left corner. The client first has to request from the KDC a ticket granting ticket. All domain controllers, by default, are KDCs. The KDC responds with a ticket granting service ticket. When the client presents his TGT back, and based upon that ticket granting service, the client can finally access the server up on the right. And if mutual authentication is specified, the client can ask the server also to authenticate back to it. Next slide. Well, many of you have seen this. This is Frank O'Dwyer's; he showed that there's a potential attack against Kerberos. This doesn't work if you've used PKI or smart cards. But in our paper, we review some of the well-known attacks that have already been described against PKI, and how to reverse engineer smart cards using hardware reverse engineering also. So I encourage you to look at that. But this method is: first you have to sniff a login session and capture that. Now, in Kerberos authentication, you use an encrypted timestamp and a cryptographic checksum using a key derived from the user's password. Next slide. Now, the timestamp that's used in the pre-authentication step, that first step, one and two, which we showed between the client and KDC, is ASCII encoded prior to encryption. And it looks like this. The timestamp looks like a year, month, day, hour, minutes, and seconds. And the RC4 key, we know, is derived from the user's password.
Now, that timestamp is important for brute force cracking, because O'Dwyer talks about how to theoretically build a point-and-click device password cracker that will work on this. Next slide. So how do you know with a brute force password cracker if you've got the right password? Well, because of this ASCII encoding, you can just decrypt, and if you see a string that looks like a timestamp, you're pretty sure that you've got the right password. So you don't have to go through the additional step each time of computing the processor-expensive embedded cryptographic checksum to make sure you got it. Because if you get something that looks like a timestamp, you're almost certainly right. Next slide. Now, Seth is going to talk a little bit about Remote Assistance. Has anyone used Remote Assistance yet? Yes, not too many. Before I do this, I want to give away one of these things, and I'm going to ask this question again, and whoever acknowledges their answer the loudest will get this Sun SPARCstation 10. Who works for Microsoft? Bill Gates! No, no. Who of you works for Microsoft? All right, you got it. We can't write. I got another... I don't know what this is. It's just a computer with no CPU. It doesn't even have a CD-ROM. It has a floppy. So I'll ask you all, and whoever again acknowledges the loudest or most distinctly will get this. Who here has pirated software? All right, you got it. Come on up. Whoever that was. Yeah, in a dumpster maybe. Are you a fed? And I have one final thing here. It's an Ameritech technician handbook. Who here works for Ameritech? Right here! All right. It's yours. I hope you didn't fly. All right. I'm going to talk about a couple of things. First is going to be Remote Assistance. If you haven't... How much did you give them to take that? All right. Many of you have heard of it, and some of you have used it.
If you haven't, Remote Assistance simply provides a way for novice users to get help from the technical gurus that work at their location. Or their friends, or their fathers, or their sons, or whoever. It allows assistance through voice chat, video at times. It only works with Windows XP and .NET. There are several security issues around Remote Assistance that I've found that aren't even that technical, but they're just kind of, I don't know, oversights. The beta 3 .NET Server relays its Remote Assistance request through Microsoft's website. Now, I haven't had a chance to get into RC1, but if you've used the XP version, which I'm sure those of you who have had to use Remote Assistance have probably used, it sends it direct, without Microsoft's intervention. This to me seems like a serious privacy issue, and I'm not sure why they did that. Firewalls? Is that why they did that? It's a reflector. Okay. Does Microsoft collect any information? Okay. Yeah, they would never, right. The BSA collects that. The password is optional, which to me also is another issue, because if anything, people take the path of least resistance, just like many of the physical properties of our universe. The cry for help can be heard by all, and we'll get into this. And there's also a potential 180-degree attack method that can be used. I thought about it when I was sitting in the DC Phone Home talk, that Remote Assistance can also be used that way. This is how Remote Assistance works. You open up your help screen, you click on the link at the top, and it opens up a Remote Assistance screen. From here you can either send a request through email, through a chat, or through just a file. In the XP version, it creates an XML file, which is all right, but that still has some problems. But in this version, when you send it... we'll get into that. But right here's where the password entry is. You can simply just uncheck that.
And you are pretty familiar, I hope, with security issues, but if you are in charge of a company's computer department, you'll know that people hate passwords, and the names they do use as passwords are lousy. All you have to do is uncheck that box. If you do uncheck that box, and then you send the email to the other person (I'm using email in this case), and if someone happened to be running a sniffer on the network, they would easily be able to capture this. You can't see this too clearly, but it is in our slides. The highlighted portion there is a hyperlink, which is the link that goes to Microsoft. With a little massaging, anybody can take that hyperlink, plug it into their browser, and pull up the same Remote Assistance connection screen. From there, you just simply click the button. I mean, script kiddies can handle this one. So now you're getting the Microsoft .NET connection screen, and up comes the little box: Hey, this person's coming to ask for help, I mean, coming to help you. Are you going to let him help you? Well, if you're a Joe Schmoe user, you're probably going to, because you sent the request in the first place. And now anybody can have whatever fun they want. They can... I mean, you name it, they could do it. Yeah, I'm Joe Schmoe. I'm your tech guy. Let me format your hard drive for you. So now anybody can reverse that... Yes. Yeah, well, yeah. This basically says, what do you do now? You social engineer to the point of wherever you want to go. You install a backdoor, trojan, virus, or you just have some fun with the person. Call them names. Again, this problem, as I see it, is threefold. The password is not required, and I understand helping the user out, making this world more user-friendly, but that doesn't seem like security-conscious behavior there. Again, it's an insecure method of transferring it. It didn't take me long to figure this out. Anybody could grab that off the wire, and maybe this isn't going to exist in the final version.
Maybe they'll switch back to XML, or maybe they'll do some further encryption or something like that, but at this point, that's what I have to go with. And again, Microsoft is in there for the firewall relay, but I don't know many people that are too excited about having Microsoft putting their foot in our lives. What if the password field is filled out? We want to answer that, because the password is not passed at all. When the password field is filled out, at what point will the attacker have been notified? The password is not sent at all. They have to call. They have to send it as well. If you send an email, you send the password in plain text anyway, so that kind of defeats that. Unless you're using PGP, but if you're using PGP, you're probably not asking for help. So, again, the problem is threefold. What can we do about this? Security policies, as unuseful as they are, and as everyone ignores them. I mean, it's a place to start. It covers you with your hand. End user training: if you do have people that like to use this feature, make sure that they call you at least, or do something to get you a password, and that they do use a password. Or you could just, you know, stick to VNC, pcAnywhere, or Back Orifice, for all that. Now, Remote Desktop. And I will say about Remote Desktop, I do like it. I use it. It's a very friendly piece of software. It just kind of concerns me because it allows a person full control of your computer. It's something worth bringing up, but not something worth getting all excited about. So, I'm just going to bring up on this slide... The purpose is basically, how many of you have used Remote Desktop before? So, I don't know, 30% maybe have used it. For those of you who don't know, it's just like pcAnywhere. It allows somebody remotely to get into your computer and to take it over. You have full control over it. Basically, it's an invisible interface to remotely operate a computer just like you were sitting there.
Again, it's basically a legitimate trojan, except that it works pretty well. Security issues: because it runs on a dedicated port, anybody can port scan for it, and you can easily detect that it's there. Once you detect that it's there, then you can move to the next step and you can try and brute force it. Because most people who own computers like to put strong passwords in, it might be a difficult thing. Not. So, you know, put one, two, three, four; put admin in there; put password. Eventually you're going to get it. All it takes is the right script to scan a bunch of computers and test for this. This does allow full access to the computer. Again, you're sitting right in front of it from a virtual location. So, unless the original user notices you logging in, which kicks them out, if it's at night, I mean, there's nothing stopping them from getting access to anything else that computer is connected to. It is disabled by default, which is good, and that's smart. But when you enable it, it typically enables itself for the administrator account if you're using an administrator account, which most people do. Now, one thing that is worth mentioning is that with iPAQs, you can get software to connect with your iPAQ. So somebody can just walk into your network and, you know, sit there with their iPAQ on your wireless network. You would think they're updating their tasks, and they're taking over your computer. Another thing, TSWeb, which is active scripting that downloads an applet to your computer and you run it there. It allows any computer, without having the desktop client software installed, to be able to connect up to the actual host from a desktop computer. It's a very nice thing to have if you are in the library or something and you want to connect to your home, but it's also a possible insecurity. Again, Remote Desktop is an excellent tool. I do say that because I do appreciate it. It is arguably free because it comes with the OS.
And there have been relatively few posts about vulnerabilities in it, most of which are denial of service. The next thing I want to talk about is wireless networking. .NET... I'm sure it's on time. Okay, wireless networking. .NET supports wireless networking. It has good support for WEP, and it comes with support for 802.11x. .NET wireless security issues. If you haven't... If you use .NET, to get connected to the DEF CON LAN, what do you have to do? Plug in your card. It automatically found it, it automatically connected to it, and automatically made your computer part of the network. And then you probably got scanned by 50 other hackers out there. I understand the point and I understand how that works, but to put such a susceptible technology in a server device seems to me a little scary to do. Because of war driving, well, we all know what that is, and for those of you that aren't here, you're probably out war driving in the contest right now, and you aren't here even to acknowledge that. WEP is crackable, and we know that. But I want to talk about WEP for a minute, because I note that a lot of people already know what WEP is, they know it's crackable, and they know that the tools exist and maybe even know how to use the tools. They don't really know how WEP is crackable. And because we're talking about a server here, I just want to talk about it twofold: one, to let you know about WEP and that people are interested in it, and another that... I forget the other. But there's another. And so WEP. WEP is the Wired Equivalent Privacy protocol or scheme. It defines security in the transmission of data. Encryption is based on a 5 or 13 character password. It uses the RC4 algorithm, which is a fairly common encryption in use. It is weakened by initialization vector collisions, and we'll get into this, and weak initialization vectors. It is crackable in two hours in the best of conditions, and that is usually the case.
It's typically a lot longer, and it can take several weeks on a home user network where they're only sending email across it. RC4, again, is an encryption type. It uses a symmetric key, which means it has one key, not like a public/private key, like PGP. It uses a streaming key, which means it has a different key for each packet of information, so you have a different password for each packet, which is a pretty strong method on the surface. Each packet is protected with a unique password. This is a general overview. I'm not going to go into it. You can look into the paper. The initialization vector is one of the most important parts of understanding why RC... why WEP is crackable. Its purpose is to create, again, a unique key, and it does this by combining a packet with an initialization vector value, which is three characters, and I kind of illustrate this here, where packet one had ABC, packet two had DEF, and so on. So WEP's key is 24-bit, or three characters. RC4, this is a general... where did my little pen go? This is the general way it works. You have the initialization vector value right here, combined with the password to create your secret key, fed into the key scheduling algorithm, which then creates a streaming key using a state array value, for those who are familiar with arrays. It then is merged with the data through an XOR calculation, and out comes the ciphertext. The first part, the key scheduling algorithm, is responsible for creating a random array. This array, with the current version of WEP, is zero through 255, and it scrambles the numbers. So you can have any sequence, like 255, next one could be 13, next one could be 12, next one could be 68. It creates it randomly to be used in the creation of the streaming key. And it uses the initialization vector plus the password to do this. The PRGA creates a streaming cipher key, and that again is XORed with the plaintext to create the ciphertext.
And it performs additional swapping, and the swapping is how you end up with the pseudo-random state array. This is the basic overall encryption scheme we showed just before, where the IV and the password are merged and passed on down to the encrypted text. This is the decryption. The initialization vector, and this is the biggest weakness, is sent in plaintext with the ciphertext. So any hacker, or anybody really with a sniffer, can easily grab the first three characters of the packet, and then they already know the initialization vector. So they have this; on the decryption side, this is merged with the password, which is shared previously between the user, the client, and the host. It gets fed back through here, back through the KSA, back through the PRGA, to recreate the original data by XORing it with the ciphertext, and then it goes through a CRC calculation, and if it's good, the data is accepted. Now the weakness, summarized: if you know any two XOR values, the third can be deduced. It's just basically a simple comparison. You'll understand what I mean if you know XOR. i, the first iteration of i; i is just a variable that holds a value. It's always equal to one for the first iteration of the PRGA, and the PRGA is just a continuous loop that loops through until there's no more data. Again, it creates a streaming key and merges that with the plaintext to create the ciphertext. The first byte of the plaintext is always a SNAP header. There are other ways that you can do this that increase the chances of cracking it faster, but using most tools that are out there, there's a 5% probability that the state array values between 0 and 3 will stay the same after the first four iterations of the KSA, and again this is explained in the paper.
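To make the WEP path just described concrete, here is an added Python model (not code from the talk or its paper) of RC4 with the 3-byte IV prepended to a 5-character shared key, the XOR with the payload plus CRC-32 check, and the IV sent in the clear, together with the two checks a wireless monitor would run over a capture: IV reuse and FMS-class weak IVs. The shared key, the frames and the SNAP header bytes are constructed sample data.

```python
# Added example: a small model of WEP as described in the talk, not the speakers' code.
# RC4 KSA and PRGA, a 3-byte IV prepended to a 5- or 13-byte shared key, XOR with
# payload plus CRC-32 ICV, and the IV sent in the clear. audit_frames() is the
# monitor side: it flags IV reuse and FMS-class weak IVs in a capture.
import struct
import zlib
from collections import defaultdict

# Every WEP data payload starts with an LLC/SNAP header; this is the IP one.
SNAP_IP = bytes.fromhex("aaaa030000000800")


def rc4_ksa(key):
    """Key-scheduling algorithm: scramble the 0..255 state array with the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(state, n):
    """Pseudo-random generation algorithm: n keystream bytes from a scheduled state."""
    s = state[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def _icv(data):
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(iv, key, plaintext):
    """Frame body = IV (clear) || RC4(IV || key) XOR (plaintext || ICV)."""
    body = plaintext + _icv(plaintext)
    keystream = rc4_prga(rc4_ksa(iv + key), len(body))
    return iv + bytes(p ^ k for p, k in zip(body, keystream))


def wep_decrypt(key, frame):
    """Decrypt with the IV read off the front; None when the CRC check fails."""
    iv, ciphertext = frame[:3], frame[3:]
    keystream = rc4_prga(rc4_ksa(iv + key), len(ciphertext))
    body = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if _icv(plaintext) == icv else None


def is_weak_iv(iv, key_len=5):
    """FMS 'resolved' IV shape (B+3, 0xFF, X): about 5% of these leak key byte B."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def audit_frames(frames, key_len=5):
    """Monitor view of a capture: IVs that repeated, and IVs that are FMS-weak."""
    counts = defaultdict(int)
    weak = []
    for frame in frames:
        iv = frame[:3]
        counts[iv] += 1
        if is_weak_iv(iv, key_len):
            weak.append(iv)
    reused = {iv: n for iv, n in counts.items() if n > 1}
    return reused, weak


def recover_prefix_from_iv_reuse(frame_a, frame_b, known_prefix_a):
    """Two frames under one IV share a keystream, so C_a XOR C_b = P_a XOR P_b:
    the known bytes of one plaintext (the SNAP header) expose the same bytes of
    the other without the key. This is the IV-collision weakness in one line."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, so different keystreams")
    n = len(known_prefix_a)
    return bytes(a ^ b ^ p for a, b, p in
                 zip(frame_a[3:3 + n], frame_b[3:3 + n], known_prefix_a))


# Constructed sample capture (not real traffic): 5-character key, one IV used
# twice, and one FMS-weak IV for key byte 0.
KEY = b"s3cr3"
PACKET_1 = SNAP_IP + b"GET / HTTP/1.0"
PACKET_2 = SNAP_IP + b"second frame body"
CAPTURE = [
    wep_encrypt(b"\x01\x02\x03", KEY, PACKET_1),
    wep_encrypt(b"\x01\x02\x03", KEY, PACKET_2),        # IV collision
    wep_encrypt(b"\x03\xff\x07", KEY, b"\xaa\xaa\x03"),  # weak IV (3, 255, X)
]

if __name__ == "__main__":
    reused, weak = audit_frames(CAPTURE)
    print("reused IVs:", {iv.hex(): n for iv, n in reused.items()})
    print("weak IVs:", [iv.hex() for iv in weak])
    print("leaked from collision:",
          recover_prefix_from_iv_reuse(CAPTURE[0], CAPTURE[1], PACKET_1[:12]))
```

With only 2^24 IVs, a busy access point repeats one within hours, so counting repeated and weak IVs in monitor mode is a practical early warning that a WEP network is exposed.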
The link, although you can't see it, probably, is up there to the paper, and that will be at the end of this slide show. Really quickly, these are the things that are important to know: they will assume values, and i is an index value; it just keeps track of how many times it goes through a loop, basically. These values right here indicate a weak key. This is the byte of the password that you're cracking. This indicates the weak key, and this could be any value, and when you're collecting data, tools such as WEPCrack or whatever collect all the data, as much as they can find, and then they start doing a statistical analysis on the data that's collected, and the one that comes up the most common is probably going to be your key. So it just collects the bytes, so it will collect 1 through 255 on this. The secret key, again, is a combination: here's your key, this is the key that we use in the example, this is an initialization vector; again, the secret key is the combination of those two. You'll see a modulus if you start studying the code; it's a modulus operator. If you're familiar with programming or you like mathematics, you'll understand what I mean by that. And again, you assume the state array value is swapping; there's a 5% chance when you're working with it. This is what I came up with to make things easier to keep track of, because you start getting a lot of values going on. This is my key array. If I was testing it, or if a program was testing it, or if you wanted to do a paper, if I was testing it I would have this set up, and then I list my original state array values with my original i and j values. This is the equation that's used to create this value, which is used in here to swap values right here. And again, I'm going to cover this real fast because we're running out of time; it's in the paper, please read it. When you come to loop 2, you go through the same equation process and the same swap. Loop 3, same thing. And now the important thing to note: it's all been key 0 which is used right here to key value; key 0, key 1, and key 2 are the only ones that have been used in here, which can be, again, sniffed off the wireless network. So anybody can do this; anybody can recreate the first 3 loops, and combine that with knowing that the first 3 loops don't know the state array values... and we combine that with the fact that the state array values in the KSA don't change 5% of the time, and you have a pretty big hole which we can work with to find the key. This would be KSA loop 4 if we did know the key. Now, if we're looking at it from a hacker's point of view, this is what it looks like. We don't know this part of the key, but we do know that XOR has kind of a weakness in which we can recreate the first byte of the PRGA, and you do this by combining our SNAP header, which we know exists, with the first byte of ciphertext to create a value; in this case it was 15. Now we can work our way back through the PRGA, and we end up with the S of 3 value being equal to 15 at KSA loop 3, or iteration 3, and now it's just a matter of going backwards and plugging it in and doing some simple calculations, and we can recreate that value right here. So now we know the first byte of our key, and you just basically continue this through the whole process. And again, this particular example is one that works; it is going to be recreated. I didn't want to take a chance, because there's only a 5% probability that I would get it right, so I found one that worked. Again, this is just an overview of wireless networking. Windows .NET supports it. WEP is crackable, so you have a possible penetration point where you can only rely on WEP for your security in your wireless network. So what to do: there are many other things you can bind with WEP to make it secure. And even WEP itself, it is a fallback point in which you can claim that you're not liable against people who hack; if someone actually breaks WEP, you know they were trying to get into your network. The only other option is don't use wireless networks. Next year, at this point, they're going to release a version that should take care of this problem and hopefully seal the hole. Again, the slides are available there, and I think we're back on you.
Now that we have your attention, Seth has written more about that, actually, in a book which will be coming out later this year on wireless security, and he talks about the default XP use of that and how it can get you into some bad legal trouble. I want to talk about policies. Many of you, or some of you, have in the past partnered with Microsoft for security. They used to have a Microsoft Security Partners Program, or MSPP, where they would let smaller security consulting groups, like many of you all, partner with them, and they would send you business and you would help them find vulnerabilities and things like that. Microsoft terminated this last November without any warning, and they rolled it into their Microsoft Gold Certified Partner for Security Solutions, or CPSS. The problem with this is it kind of shut out the smaller guy, the smaller security consulting group, which is a shame, because a lot of the best vulnerabilities are found by the small independent security groups. Now, if you want to be a Microsoft security partner, you have to have at least four MCSEs in your company, which very few smaller guys do. You also have to pay Microsoft now to be a member; in the United States it's currently $1,450 a year, which puts it out of the range of some small independents. You also have to inform Microsoft about your details, including what you're working on and who you're doing it for, which in our industry a lot of people don't want. If you're consulting for someone doing penetration testing, they don't want you to be telling other people that you're doing it. And now you have to sign a full disclosure, what I call a gag rule. I don't think Microsoft calls it that, but it basically says that if you want to work with us, you can't disclose your vulnerabilities publicly unless you follow our protocol, and that puts it out of the range of a lot of people.
I want to talk a little bit more about this gag rule. Next slide. Well, the gag rule, as we talked about: last November Microsoft formed a coalition with five security companies, and these were BindView, Foundstone, Guardent, @stake, and ISS. I'm sure there are several here, but you're not raising your hand. Not to bash them; I actually have very good friends that work for a lot of these companies, and they're really smart guys. But one thing that they had to do to get into this coalition is they had to agree to spare Microsoft from public embarrassment with vulnerability disclosures. So they had to sign a gag rule to be a member. But now, what's the problem with this? Why is such a policy bad for Microsoft, and why do we think that it can raise some negative security issues for Microsoft? Well, here's one example. A lot of you heard about ISS releasing a severe Apache vulnerability to Bugtraq last month, actually in June. How many people know about that? Everybody. Okay, that's all over the media. And the problem with this, and for those of you that do run Apache on Windows, does anyone do that? Am I the only one in the world who does that? It's actually pretty good if you have to use Windows in your environment. Apache is a good alternative to IIS, as a lot of other people are pointing out. The problem is that there are many distributions of Apache, especially on Windows; it's a binary install and it wasn't working, and ISS only gave one day, or less than a day, notice before they posted this vulnerability publicly. For those of us that stayed up past midnight trying to get this patch to work and didn't get any sleep, we're not going to forget it any time soon. So there's no grace period. And what's the problem? How can we possibly blame Microsoft for ISS's faux pas? How's that possible? Well, we can't directly blame them, but if we get the next slide, actually back one slide, down at the bottom, the problem with this is ISS signed this gag rule to be a partner of Microsoft. They said, we're going to spare you vulnerabilities for 30 days. At the same time, ISS turns around and attacks one of Microsoft's biggest competitors, in fact their biggest competitor in the server market, and that's Apache, with no grace period. So here they're favoring Microsoft with a gag rule on one hand, and turning around and hitting their competitor, violating that same gag rule, on the other hand. Is that illegal? No, but it does potentially raise some ethical concerns, and the question is, was there any pressure from Microsoft for them to do this, to exert anti-competitive pressure? Now, I'm certain the answer is no; there is no intentional anti-competitive pressure. But the fact that there is a relationship between ISS and Microsoft raises that issue of conflict of interest, because ISS is presumably gaining benefit from being a partner, such as free publicity or leads from Microsoft. They are benefiting from Microsoft, so to turn around and attack an open source competitor, that does raise some issues. So this is going to hurt Microsoft more than anything, indirectly, if they have a gag rule, which they probably shouldn't; that's very controversial to begin with. But if they do, they should ask their partners to make it apply equally to their open source competitors, to avoid raising such an issue. Next slide. Well, in this talk we've discussed some potential attacks against the architecture. I have to say that we haven't found any severe vulnerabilities in the implementation itself, and so overall, for those of you that did admit to working for Microsoft, you can pat yourselves on the back. Believe me, though, there will be exploits, and lots of them, but that's okay; they can be fixed. What you don't want to do if you're Microsoft is try to patch things by enforcing gag rules and other policies like that. If you have a vulnerability, the best thing probably is just to admit your mistake and give credit to the person.
who found it then fix it and go on the public is going to respect you a lot more in the long run than if you try to influence industry standards by creating RFCs against full disclosure which has happened so I think more than the architecture I think Microsoft policies should be overhauled next slide so are humble recommendations to Microsoft not that they will pay any attention but here is some suggestions for improvement go ahead and move to final release of the operating system because if you keep being scared to release it it's going to be obsolete it will already have been in beta for two years almost and it's actually makes you stronger to be tested it's nothing to be afraid of number two we would recommend immediately and totally removing the WPA because if you're Microsoft all of your hard work making this operating system is going to be flushed down the toilet because no self-respecting administrator is going to put up with this if you read about what we talked about if you read that comment in the paper that comes with this talk you're going to see what I'm talking about it's extremely humiliating the WPA concept and finally we would again change the gag rule and finally terminate association with the BSA or business software alliance the truth is that people who pirate Microsoft software if they do it commercially and it's a large pirating ring that's something different but to go after the honest companies or the honest small system administrator who's just doing his best job and may have one license somewhere expired and using heavy-handed tactics against such companies that's only going to hurt you in the long run and I think Microsoft's been lucky so far because people don't really know about the BSA too much yet but if there's one message we want you to take home after this talk is to read more about the BSA and to make your own informed decision next time again we'll be available to take questions for just a few minutes and then we'll be at the 
Loom Panics table if anyone wants to get their copy of our book signed so that they can sell it on eBay for a profit and here are the links thank you very much
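The WEP portion of the talk rests on the claim that the first few entries of the RC4 state array, fixed during the early KSA iterations, are left untouched by the remaining swaps about 5% of the time. The following Python simulation is an added check of that claim and is not code from the talk or its paper; it runs the standard RC4 key schedule on random 64-bit WEP-style keys (3 IV bytes plus 5 secret bytes, an assumed key length) and measures how often S[0], S[1] and S[3] survive from iteration 3 to the end. Function names are my own.

```python
import random


def rc4_ksa_trace(key: bytes, stop_after: int = 3):
    """Standard RC4 key-scheduling algorithm (KSA).

    Returns (snapshot, final): `snapshot` is a copy of S[0..stop_after]
    taken right after KSA iteration `stop_after` (i counts from 0),
    `final` is the full S after all 256 iterations.
    """
    s = list(range(256))
    j = 0
    snapshot = None
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if i == stop_after:
            snapshot = s[:stop_after + 1]
    return snapshot, s


def early_entries_survive(key: bytes, positions=(0, 1, 3)) -> bool:
    """True when every S[p] for p in `positions` is the same at the end of the
    KSA as it was right after iteration max(positions), i.e. no later swap
    landed on those cells (the "state array values don't change" case)."""
    snapshot, final = rc4_ksa_trace(key, stop_after=max(positions))
    return all(snapshot[p] == final[p] for p in positions)


def survival_rate(trials: int, key_len: int = 8, seed: int = 1) -> float:
    """Fraction of random keys (constructed with a seeded PRNG so the run is
    reproducible) for which S[0], S[1] and S[3] survive the rest of the KSA.
    Each of the 252 later swaps avoids the three cells with probability
    about 253/256, so the expected rate is roughly (253/256)**252 ~ 0.05."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(key_len))
        if early_entries_survive(key):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(f"survival rate over 4000 keys: {survival_rate(4000):.3f}")
```

The rate stays near 5% regardless of the secret key bytes, which is why the talk treats it as a structural property of RC4's key schedule rather than a weakness of any particular key.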