What is it doing partnering with Google? Well, I presume it is because the theme is “how to be safer on the Internet” which is something that I am sure the CAB cares about. However looking at the advertisement it would be easy to conclude that the CAB is somehow promoting Google+, the social networking site that Google hopes will rival Facebook. Intriguing.

The advertisement says:

To find out more about how to manage your information online, pick up a booklet from your local Citizens Advice Bureau or go to google.co.uk/goodtoknow

I wanted to see this booklet, so I looked into the Holborn CAB in London.

I have to say that the aforementioned booklet was not exactly strewn about. In fact, the woman on the desk wasn’t sure if they had any. She went and looked though, and came back with the web address. Perhaps I could go there? I said I was keen to see the booklet the CAB was handing out – did it exist? Eventually I was told that they did not have any, but that the head office in Pentonville Road might. So I went there.

The man at the desk was not sure, but went away for a moment, and came back with one in his hands.

Page one says this:

We have partnered with Citizens Advice to provide tips and advice. You can get free, confidential and impartial help about everything from finances to staying safe online from your local bureau in person, on the phone or online. For in depth information on all of the topics in this booklet and more, visit the Good to Know website.

I think this is a PR triumph for Google, but I reckon the CAB has been sold a pup. It is not that I have anything against Google; but I would go to Google for impartial advice about staying safe online in the same way that I would go to a ferry company for impartial advice on cheap flights.

There is little sign of impartiality in the booklet. Personally I would say that a booklet on “how to manage the information you share online” that does not mention Facebook is in chocolate teapot territory. This booklet achieves this though; in fact the only web site mentioned is … Google.

“Keep your Google Account extra safe,” it says. But how about not having a Google account? No account, no personal details to lose.

This is stealth advertising – except that I am not sure about the stealth.

A substantial portion of the booklet is devoted to explaining why Google having my data is really good for me. “How knowing you better makes your internet better,” it says.

There is no mention of the benefits of using an ad-blocker to avoid sending data to advertisers. Nor does it include advice on simply not putting data online at all, if it might embarrass you or compromise your safety.

The reason is that Google cannot possibly be impartial about managing online information. Google wants your data, as much of it as possible, in order to target advertising. It is as simple as that.

Which is why Google is an uncomfortable partner for the CAB. I think the CAB could do with some impartial advice.

Related posts:

1. Google’s privacy campaign, and three ways in which Google gets your data
2. A great day for Android at Google I/O; not convinced by Google TV
3. Is Google Gears safe?

The way this works is that you install the Parallels application and the create a new virtual machine, selecting a boot CD or image. Next, you have a dialog where you select whether or not you want an Express installation. It is checked by default. I left it checked and proceeded with the install.

The setup was delightfully smooth and I was soon running Windows on the Mac. I chose a “Like my PC” install so that Windows runs in a window. The alternative is to hide the virtual Windows desktop and simply to show Windows applications on the Mac desktop.

Everything seemed fine, but I was puzzled. Why was Windows not installing any updates? It turns out that the Express install disables this setting.

It also sets user account control to an insecure setting, where the approval dialog does not use the secure desktop.

The Parallels Express install also sets up an Administrator account with a blank password, so you log on automatically.

No anti-virus is installed, which is not surprising since Windows does not come with anti-virus software by default.

These choices make a remarkable difference to the user experience. Set up was a pleasure and I could get to work straight away, untroubled by prompts, updates or warnings.

Unfortunately Windows in this state is insecure, and I am surprised that Parallels sets this as the default. Disabling automatic updates is particularly dangerous, leaving users at the mercy of any security issues that have been discovered since the install CD was built.

In mitigation, the Parallels user guide advises that you set a password after installation – but who reads user guides?

If you uncheck the Express Install option, you get a normal Windows installation with Microsoft’s defaults.

These security settings are unlikely to matter if you do not connect your Windows virtual machine to the internet, or if you never use a web browser or other Internet-connected software such as email clients. If you do real work in Windows though, which might well include Windows Outlook since the Mac version is poor in comparison, then I suggest changing the settings so that Window updates properly, as well as installing anti-virus software such as the free Security Essentials.

Related posts:

1. Hands On with Microsoft Security Essentials – terrible name, but product looks good
2. Miguel de Icaza talks about Windows 8 and the failure of Linux on the desktop
3. Windows security and the UAC debate: Microsoft misses the point

This was puzzling me. She described how she went to the BBC iPlayer site, and it said she needed to install Flash.

She clicked the link and got to Adobe’s download site. She clicked Download now and got a page describing four steps to install, but nothing happened, no download.

She clicked Adobe’s troubleshooting guide, which took her through uninstalling Flash Player and then a manual download. All seemed to work but at the end of it, it was the same. Go to the BBC site, and be told to install Flash Player.

You can understand how computers, at times, can seem downright hostile to the long-suffering user.

What was the problem? I logged on with remote assistance. Somehow, IE9 had ActiveX Filtering enabled.

This is actually a great security feature. ActiveX is disabled on all sites by default. A little blue circle symbol appears at top right.

Click this symbol and you can turn off filtering for this site only.

Yes, great feature, once you are aware of it – but too subtle to be noticed by the average user browsing the web. From the user’s perspective, no amount of uninstalling and reinstalling of Flash Player would fix it, and the PC was about to be flung across the room in frustration.

The other problem is that the feature is too new and too little used to feature in most of the troubleshooting guides out there. It is not mentioned in Adobe’s page on troubleshooting Flash on Windows and in IE, for example.

How the setting got enabled in the first place is a mystery. Maybe a mis-click. It is unchecked by default, and you can see why.

Conclusions? I guess it shows that security without usability is ineffective; and that minimalist user interfaces can work against you if they in effect hide important information from the user.

Incidentally, this is why  I dislike the Windows 7 feature that hides notification icons by default. It is user-hostile and I advise disabling it by ticking Always shot all icons and notifications on the taskbar.

It may be more secure, but I would not consider enabling ActiveX Filtering for non-technical users.

Related posts:

1. Cross-platform concerns as Adobe abandons AIR for Linux
2. Adobe Flash vs Apple iPad: RIA in the balance
3. CNN Daily Top 10 spam email shows failure of user education

I look forward to trying it; but Internet Explorer 9’s Smart Filter was not keen.

What you cannot see from the screenshot is that the option to “Run anyway” is hidden by default. You have to click More Options; otherwise you just get the first two options, Don’t run, or Delete.

Note that this download is from an official Microsoft site, and has been downloaded, according to the stats on the page, nearly 6,500 times.

Developers can cope; but I think this sort of warning is extreme for a download from an official Microsoft site, whose main crime is being unknown, for some reason, to the SmartScreen database of approved executables.

Though maybe the Visual Studio team should have signed the installer.

The long term effect is that we learn to ignore the warnings. Which is a shame, because the next one might be real.

Update: How do other browsers handle this scenario? Here’s Google Chrome:

Mozilla Firefox – a prompt, not a warning:

same in Apple Safari:

Which is best? Well, IE9 wins kudos for being the only browser to point out that the package is unsigned; but loses it for its over-the-top reaction. Chrome has pitched the leverl of warning about right; Firefox and Safari are perhaps too soft, though let’s also allow for the fact that their filters may already have worked out that thousands had already downloaded this file without known incident so far.

The IE9 issue is mainly because the installer package is unsigned, which is probably an oversight that will be fixed soon.

Related posts:

1. Microsoft rolls out its browser choice update – but which is really the best?
2. Firefox segmentation fault on Asus Eee PC after update
3. Microsoft.com blank in Google Chrome browser history

In an interview at the European Identity Conference in Munich he discusses the state of play in identity management, but does not explain what interests me most: why he left. He was respected across the industry and to my mind was a tremendous asset to Microsoft; his presence went a long way to undoing the damage of Hailstorm, an abandoned project from 2001 which sought to place Microsoft at the centre of digital life and failed largely because of industry mistrust. He formulated laws of identity which express good identity practice, things like minimal disclosure, justifiable parties, and user control and consent.

Identity is a complex and to most people an unexciting topic; yet it has never been more important. It is a central issue around Google’s recently announced Chromebook, for example; yet we tend to be distracted by other issues, like hardware features or software quality, and to miss the identity implications. Vendors are careful never to spell these out, so we need individuals like Cameron who get it.

“Cloud is identity management,” he says in the interview.

Cameron stands by his laws of identity, which is says are still “essentially correct”. However, events like the recent Sony data loss show how little the wider industry respects them.

So what happened at Microsoft? Although he puts a brave face on it, I am sure he must have been disappointed by the failure of Cardspace, a user interface and infrastructure for identity management that was recently abandoned. It was not successful, he says, because “it was not adopted by the large players,” but what he does not say is that Microsoft itself could have done much more to support it.

That may have been a point of tension; or maybe there were other disagreements. Cameron does not talk down his former company though. “There are a lot of people there who share the ideas that I was expressing, and my hope is that those ideas will continue to be put in practice,” he says, though the carefully chosen words leave space for the possibility that another well-represented internal group do not share them. He adds though that products like SharePoint do have his ideas about claims-based identity management baked into them.

Leaving aside Microsoft, Cameron makes what seems to me an important point about advocacy. “We’re at the beginning of a tremendously complex and deep technological change,” he says, and is worried by the fact that with vendors chasing immediate advantage there may be “no advocates for user-centric, user in control experience.”

Fortunately for us, Cameron is not bowing out altogether. “How can I stop? It is so interesting,” he says.

Related posts:

1. Kim Cameron hacked, commenters make fools of themselves
2. Hands on with Google Cloud Connect: Microsoft docs in Google’s cloud
3. Bob Muglia leaving Microsoft, CEO Steve Ballmer searching for new cloud leadership

Sony has disclosed that:

Between April 17 and April 19 2011 an attacker gained access to “user account information”

The information includes:

name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

The information might include:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained

The remainder of the information is mainly generic advice on fraud prevention. Many comments to the blog post make the reasonable point: why were they not informed earlier?

How many users are on PSN? The number 75 million is widely reported. In January Sony claimed over 69 million PSN members.

It is easy to say that Sony should have operated a more secure system. Making a judgment on that is hard because there is a lot we do not know. Was this information encrypted? Sony says passwords were stolen, which may mean they were unencrypted though that is hard to believe; or that they were encrypted but likely to be easily decrypted, which is perhaps more likely. On the other hand the fact that encryption is not mentioned in the post tends to suggest that none of this information was encrypted.

The scale of the incident makes it remarkable but the fact of network intrusions and personal data being stolen is not surprising, and likely much more of this happens than is reported.

The state of internet security overall remains poor and what we see constantly is that security best practices are ignored. Convenience and the desire of marketers to grab as much personal data as possible constantly trumps security.

Here is Kim Cameron, Microsoft’s identity architect, writing in 2005:

We should build systems that employ identifying information on the basis that a breach is always possible. Such a breach represents a risk. To mitigate risk, it is best to acquire information only on a “need to know” basis, and to retain it only on a “need to retain” basis. By following these practices, we can ensure the least possible damage in the event of a breach.

…

The concept of “least identifying information” should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts. For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents “more identifying information” which should be avoided if it is not needed.

Cameron’s thoughtful and excellent “laws of identity” lack take-up within Microsoft as well as elsewhere; the CardSpace system that was built to support it was scrapped.

An example of the low priority of security around the web is the prevalence of “password security answers” as Sony describes them. This is additional information that allow you to recover an account if the password is forgotten, especially if the email address associated with the account is no longer in use. Contrary to the impression given by the forms that require the information, these questions and answers reduce your security in order to ease the burden on support. They break Cameron’s laws of identity by providing the third party with information that it does not need, such as mother’s maiden name, though of course you can provide fictional answers and in fact I recommend this.

Personally I am also one of those people who never tick the “save credit card details” box. I am happy to enter them every time, rather than hand them over to a system of unknown security. Some sites do not let you make purchases without saving credit card details; as I recall, Amazon is one of them, and Apple another. This means the consequences of security breaches at these companies are greater, though I imagine they also make more sales since the friction of the purchasing process is reduced.

I am not optimistic that internet security will improve in the near future, though I guess that major breaches like this one are a force for reform.

Update: In a new post Sony says that credit card data was encrypted but personal data was not. I am surprised if this included passwords; but the IT world is full of surprises.

Related posts:

1. Sony locks down the PS3 – removes Other OS support from all models
2. A tale of two stores, and a go with PlayStation Move
3. Sony’s Flash advantage for PlayStation 3 vs Xbox 360

Unfortunately this code may run when previewing a document in Outlook, which normally embeds Word, so it is potentially rather damaging.

Rachwald traces how the embedded trojan evades anti-virus, installs itself into the Windows system32 folder, and creates a remote shell application.

It does appear that the vulnerability was patched in November 2010. Still, it is interesting that the insecure code survived in Microsoft Office at least back to Office XP Server Pack 3 in 2004 and probably earlier.

I mention it partly because the analysis is a good read, and partly to highlight the fact that even RTF documents may not be safe.

Related posts:

1. Anti-virus failure leaves XP broken, DNS hijacked, user frustrated
2. Search for virus help highlights lack of authority in Google, Wikipedia
3. Anti-virus software continues to fail

The reason, it turned out, was the password policy set by Microsoft and outlined here:

To help maintain security, you must periodically change your password. When you change your password, be aware of the following:

• You cannot repeat your previous 24 passwords.
• You must change your password at least once every 90 days.

In addition:

Microsoft Online Services uses an account lockout policy to help protect the accounts of service administrators and end users. The user can try to sign in to the Administration Center or the Sign In application five times. After five failed attempts with an invalid user name or an incorrect password, users are locked out for 15 minutes. This condition cannot be manually reset.

In this case, Microsoft’s PC sign-in applications prompted the user to change his password. He did so. All seemed well, except that his mobile – in which email settings are deeply buried – did not know about the password change and made repeated attempts to collect email. Result: lock-out, and a horrible user experience.

According to this thread, Microsoft has been so besieged with requests to remove the expiration policy that it solved them at a stroke: by refusing them all.

I find this curious. First, it is doubtful whether frequent password changes really enhance security. Users in this case need new non-repeating passwords every 90 days, which means they are more likely to be written down. Remember, you cannot repeat your previous 24 passwords.

Second, it is odd that BPOS admins do not have the ability to disable password expiration policies in their online management tools.

It may seem a small issue, but for some it is a deal-breaker:

At this moment it is not possible to disable password expiration at all. I opened a ticket and technical support told me multiple times they won’t offer that option anymore… It’s disappointing since I lose customers who choose Google Apps over Microsoft Online just because of the password issue.

Apparently this may be fixed in the forthcoming Office 365.

Related posts:

1. Microsoft inadvertently shares BPOS offline address books with other customers
2. Notes from the field: migrating a small business to Microsoft BPOS
3. Store any type of file in Google Apps – in effect, GDrive

The solution? Well, white-listing, visiting only trusted web sites, not opening attachments, keeping your OS fully patched, and so on. None of them perfect.

Alternatively, a new model of computing. One of the attractions of locked-in platforms like Apple’s iPhone and iPad is that they are harder to infect. Google’s forthcoming Chrome OS is even better designed from a security perspective. I am surprised that this aspect of cloud+device computing does not get more attention.

Related posts:

1. Delphi developer virus exposes weakness in anti-virus defences
2. Sophos Windows 7 anti-virus test tells us nothing we don’t already know
3. Anti-virus failure leaves XP broken, DNS hijacked, user frustrated

Enough to say that VPN is not always the best approach to remote access. There’s also SharePoint of course; but there are snags with that as well – it is powerful, but complex to manage, and has annoyances like poor performance when there are a large number of documents in a single folder. In addition, Explorer integration in Windows XP does not always work properly; it seems better in Vista and Windows 7.

FTP on the other hand can simply publish an existing file share to remote users. FTP can be horribly insecure; it is a common reason for usernames and passwords to passed in plain text over the internet. Fortunately Microsoft now offers an FTP service for IIS 7.0 that can be configured to require SSL for both password exchange and data transmission. I would not consider it otherwise. Note that this is different from the FTP service that ships with the original Server 2008; if you don’t have 2008 R2 you need a separate download.

So how was the setup? Pretty frustrating at the time; though now that it is all working it does not seem so bad. The problem is the number of moving parts, including your network configuration and firewall, Active Directory, IIS, digital certificates, and Windows security.

FTP is problematic anyway, thanks to its use of multiple ports. Another point of confusion is that FTP over SSL (FTPS) is not the same thing as Secure FTP (SFTP); Microsoft offers an FTPS implementation. A third issue is that neither of Microsoft’s FTP clients, Internet Explorer or the FTP command-line client, support FTP over SSL, so you have to use a third-party client like FileZilla. I also discovered that you cannot (easily) run a FTPS client behind an ISA Server firewall, which explained why my early tests failed.

Documentation for the FTP server is reasonable, though you cannot find all the information you need in one place. I also found the configuration perplexing in places. Take this dialog for example:

The Data Channel Port Range is disabled with no indication why – the reason is that you set it for the entire IIS server, not for a specific site. But what is the “External IP Address of Firewall”? The wording suggests the public IP address; but the example suggests an internal, private address. I used the private address and it worked.

As for RemoteApp, it is a piece of magic that lets you remote the UI of a Windows application, so it runs on the server but appears to be running locally. It is essentially the same thing as remote desktop, but with the desktop part hidden so that you only see the window of the running app. One of the attractions is that it looks more secure, since you can give a semi-trusted remote user access to specified applications only, but this security is largely illusory because under the covers it is still a remote log-in and there are ways to escalate the access to a full desktop. Open a RemoteApp link on a Mac, for example, and you get the full desktop by default, though you can tweak it to show only the application, but with a blank desktop background:

Setup is laborious; there’s a step by step guide that covers it well, though note that Terminal Services is now called Remote Desktop Services. I set up TS Gateway, which tunnels the Terminal Server protocol through HTTPS, so you don’t have to open any additional ports in your firewall. I also set up TS Web Access, which lets users navigate to a web page and start apps from a list, rather than having to get hold of a .RDP configuration file or setup application.

If you must run a Windows application remotely, RemoteApp is a brilliant solution, though note that you need additional Client Access Licenses for these services. Nevertheless, it is a shame that despite the high level of complexity in the configuration of TS Gateway, involving a Connection Authorization Policy and a Resource Authorization Policy, there is no setting for “only allow users to run these applications, nothing else”. You have to do this separately through Software Restriction Policies – the document Terminal Services from A to Z from Cláudio Rodrigues at WTS.Labs has a good explanation.

I noticed that Rodrigues is not impressed with the complexity of setting up RemoteApp with TS Gateway and so on on Windows Server 2008 R2:

So years ago (2003/2004) we had all that sorted out: RDP over HTTPS, Published Applications, Resource Based Load Balancing and so on and no kidding, it would not take you more than 30 minutes to get all going. Simple and elegant design. More than that, I would say, smart design.

Today after going through all the stuff required to get RDS Web Access, RDS Gateway and RDS Session Broker up and running I am simply baffled. Stunned. This is for sure the epitome of bad design. I am still banging my head in the wall just thinking about how the setup of all this makes no sense and more than that, what a steep learning curve this will be for anyone that is now on Windows Server 2003 TS.

What amazes me the most is Microsoft had YEARS to watch what others did and learn with their mistakes and then come up with something clean. Smart. Unfortunately that was not the case … Again, I am not debating if the solution at the end works. It does. I am discussing how easy it is to setup, how smart the design is and so on. And in that respect, they simply failed to deliver. I am telling you that based on 15+ years of experience doing nothing else other than TS/RDS/Citrix deployments and starting companies focused on TS/RDS development. I may look stupid indeed but I know some shit about these things.

Simplicity and clean design are key elements on any good piece of software, what someone in Redmond seems to disagree.

My own experience was not that bad, though admittedly I did not look into load balancing for this small setup. I agree though: you have to do a lot of clicking to get this stuff up and running. I am reminded of the question I asked a few months back: Should IT administration be less annoying? I think it should, if only because complexity increases the risk of mistakes, or of taking shortcuts that undermine security.

Related posts:

1. How secure is Windows Vista?
2. Silverlight 5 unveiled: more power, more Windows
3. Windows gets thinner – a comeback for the thin client?