Programing

Generic Identity Device Specification Published

Ryan M. Hurst — Fri, 09 Apr 2010 17:21:34 GMT

In the PC ecosystem, when a new device (say mass storage) technology is introduced, commonly there is little standardization, vendors produce proprietary software stacks for interacting with that device, they have custom hardware interfaces for interacting with the device, custom software for managing those devices, etc.

As a device picks up in popularity common platform programing interfaces typically emerge, sometimes these are commercial in nature, other times they are standards based; in either case the goals of these interfaces are simple: abstract out the variety in the hardware ecosystem for the application developer allowing them to write software that can run on any machine regardless of which vendor manufactured a given device. These abstractions also commonly allow the sharing of devices so that multiple applications can use them at the same time.

The next phase in a devices maturity is normally the definition of a class interface for interacting with hardware, it’s this last phase that allows the “no driver needed” story that users like so much; we all reap the rewards of this with flash drives today, plug in the device and it just works (the same is true for display technologies like VGA).

These class drivers commonly cater to the lowest common denominator when it comes to functionality, but vendors are always able to add additional capabilities that are exposed when their drivers and custom software are present (again think about display technologies here as a good example).

There is one device in particular that has not entirely followed this flow that I wanted to talk about and that is Smart Cards; as a concept was they emerged in the 1970s, the first cards went into production in the late 70s. Here we are 40 years later and there is no clear “class driver” for these devices, that is not to say there have not been attempts, some even with success, but those that have had success have been closed system solutions, for example the PIV interfaces used within the US Federal Government.

In the commercial space however, no class specification that has been attempted really was viable, there are lots of reasons for this but I am cautiously optimistic that there is now a candidate.

One of the projects I was working on over the last few years was the specification of the Generic Identity Device Specification, this attempts to build on the success of the government based card specifications and extend it to commercial applications as well.

I had opportunities to work with some great folks on this effort, we all had the same goal make smart cards as reliable, cost effective and accessible as possible; I believe this work does just that.

This specification has now been released by Microsoft under the Microsoft Community Promise, that means it is available royalty free for anyone to adopt; this is a big win for our partners and above all the customers who will benefit the most from it.

So what does this mean for you? Well if you’re a customer looking to deploy smart cards you should seriously look for vendors who produce cards that are compliant with this specification, it means lower cost of deployment, makes it easier for you to multi-source cards and in the end it will likely reduce the overall cost of cards as volumes go up based on function of scale.

For a card manufacturer there are a number of benefits as well, it is possible to develop a GIDS card that is compatible with the PIV card-edge, this means you can develop a single card stock get it evaluated for FIPS (or whatever other standard) that can be sold into commercial or government applications (reducing cost) and these cards will have a great experience in Windows.

If you are a platform or operating system developer you now have a specification you can use as a baseline for testing card scenarios, a way to (hopefully) support a large number of “real” cards that will exist on the market (soon I hope), if this happens we can experience driver coverage numbers similar to other device classes.

For those of you not in this segment, this last point is super important, there is so much fragmentation in the market no solution has over a couple percent of card coverage in-box, if this specification gets adopted that number can start to look more like other device classes where the number is in the 90 percentile range.

In any event, I am pleased to see this out there, here’s hoping it gets adopted broadly…

Resources about the Windows Biometric Framework

Ryan M. Hurst — Thu, 15 Jan 2009 06:22:10 GMT

I will use this post to catalog public resources on the Windows Biometric Framework.

If you run across any that I miss please let me know, I should reliably catch the technical content ;)

TECHNICAL

Introduction to the Windows Biometric Framework (WBF)
New Windows Biometric Framework and Driver Model
Windows 7 Beta WDK
Windows 7 Developer Guide
API Documentation
Windows Biometric Framework API - (http://msdn.microsoft.com/en-us/library/dd401509(VS.85).aspx)
Driver Kit Documentation
New Windows Biometric Framework and Driver Model
Windows Biometric Code Signing Guide - (http://www.microsoft.com/whdc/device/biometric/WBF_CodeSign.mspx)
MSDN Documentation for WBF (http://msdn.microsoft.com/en-us/library/dd401509(VS.85).aspx)
Design Guidance for a Enrollment Application - (http://www.microsoft.com/whdc/device/biometric/FMA_Design.mspx)
Bio Approval Workflow - (http://www.jwsecure.com/files/Samples2009/Implementing_a_Biometric_Approval_Workflow.pdf)
A partial managed wrapper - (http://bioapprovalworkflow.codeplex.com/)

EDITORIAL

ArsTechnica - Deep inside the Windows 7 Public Beta
NeoWin - Bitlocker-To-Go and Biometric Improvements
CNET - 7 things you did not know about Windows 7
Windows Team Blog - Windows 7 Puts it’s Finger on Enhanced Biometric Support
WindowsSecurity.com Blog - http://www.windowsecurity.com/articles/Whats-new-security-front-Windows-7.html
www.net-security.org - Strong authentication with biometrics for Windows 7 - http://www.net-security.org/secworld.php?id=7358
Windows Team Blog - End-To-End Trust and Windows7 - http://windowsteamblog.com/blogs/windowssecurity/archive/2009/04/21/end-to-end-trust-and-windows-7.aspx
eWeek - Windows 7 Security Enhancements Summed Up - http://www.eweek.com/c/a/Security/Windows-7-Security-Enhancements-Summed-Up-358323/

Thinking outside-the-box, or loosing your privacy little by little

Ryan M. Hurst — Sun, 30 Nov 2008 07:31:04 GMT

I ran across a neat article on using Javascript and default CSS behaviors to infer what sites you frequent, this is not new, the earliest reference I could find of this was from 2006 but I bet this has been going on for much longer.

An example of analytics that can be applied to this data is that one follow is using your URL history to infer gender.

These are great examples of thinking outside the box and how privacy is an illusion (especially on the web).

How to tell if a volume is Bitlocker protected with TPM and PIN

Ryan M. Hurst — Wed, 12 Nov 2008 10:47:57 GMT

Today I was presented with a question, how can I tell if the OS volume is protected with Bitlocker a TPM and a PIN.

Since I could not sleep (its 2:30AM right now) I figured I would throw together a quick and dirty script that checks for that, it was pretty easy to do.

I started with the documentation for Win32_EncryptableVolume which I recall seeing previously in a unrelated mail at some point, from there I discovered the GetKeyProtectors method, I then did a search on Live for GetKeyProtectors and VBSCRIPT that was scoped to Microsoft.com domains.

This got me a handful of samples, I took one hacked it up and came up with this:

' --------------------------------------------------------------------------------
' Get configuration we will need
' --------------------------------------------------------------------------------
' Get the OS System Drive
set shell = WScript.CreateObject( "WScript.Shell" )
strDriveLetter = shell.ExpandEnvironmentStrings("%SystemDrive%")

' Target computer name
' Use "." to connect to the local computer
strComputerName = "."

' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------

strConnectionStr = "winmgmts:" _
                 & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                 & strComputerName _
                 & "\root\cimv2\Security\MicrosoftVolumeEncryption"
On Error Resume Next 'handle permission errors

Set objWMIService = GetObject(strConnectionStr)

If Err.Number <> 0 Then
     WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
     Wscript.Echo "Ensure that you are running with administrative privileges."
     WScript.Quit -1
End If

On Error GoTo 0

' --------------------------------------------------------------------------------
' Get a list of volumes that could be bitlocker protected.
' --------------------------------------------------------------------------------

strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)

If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next

' --------------------------------------------------------------------------------
' Now check if it was protected with a TPM and a PIN
' --------------------------------------------------------------------------------

nKeyProtectorTypeIn = 4 ' type associated with "TPM and Pin" protector

nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)

If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next

' --------------------------------------------------------------------------------
' Now return what we found.
' --------------------------------------------------------------------------------
On Error Resume Next 'handle unitialized array

If IsNull(aKeyProtectorIDs(0)) Then
    WScript.Echo "This volume is NOT TPM and PIN protected."
Else
    WScript.Echo "This volume IS TPM and PIN protected."
End If

From the time I decided to write the script, to the time I wrote it and tested it was about 15 to 20 minutes; the samples were great, the MSDN documentation was pretty decent too; all this without ever doing anything with Bitlocker before, WMI is great stuff.

I may never use this but if nothing else it was quick and fun to throw together, maybe it will help you.

How to do away with the Delete/Resume/Restart Page...

Ryan M. Hurst — Mon, 07 Jul 2008 00:57:13 GMT

I don't know about you but I just hate the Delete/Resume/Start page in Media Center; I would prefer that when the video is done that it just take you back to the page that invoked the play operation in the first place.

This isn't so hard to do, all you need to do is wait for MediaTransport.PropertyChanged to file and when PlayState goes into the "Stopped" state navigate back to whatever page you feel is appropriate.

A generic way to get this page out of Media Center would be to call HistoryOrientedPageSession.BackPage every time the playback goes from Playing to Stopped.

While I have not tried this myself, this appears fairly straight forward and is probably safe to do at any time (given the nature of this state transition).

How to determine what content a MCE Extender supports...

Ryan M. Hurst — Sun, 06 Jul 2008 22:12:20 GMT

So your a Media Center add-in and you want to determine if a file is a supported format for the playback device that is being used at any given time, here is what you do:

First things first you should detect if your on a Extender or not you should make sure the Capabilities.IsConsole is false.

At this point you know your on a extender, the next thing need to do is check to see that the file you are about to play is supported by the the Extender, to do that you can use DeviceInfo.ProtocolInfo (), this will either return null which means you can assume a base set of capabilities (documented on here) or return a string which can be parsed to find out what "Content Types" the Extender supports.

What is a "Content Type" you ask? its a string that gives you a basic idea of what sort of content your looking at (obvious eh?) for a mpeg file it will be "video/mpeg".

You can determine the "Content Type" for a given file extension by looking in the registry under "HKEY_CLASSES_ROOT\.{FileExtension}" where {FileExtension} is the extension of the file in question, the value of "Content Type" will have what you need.

Another useful thing to know is the "PercievedType" for a given file, its very similar to "Content Type" in purpose but the king thing to understand is that the Videos Library in MCE uses this to determine if a given file is a "Video" or not, as such if you were to build a Video library of sorts what you would likely want to do is:

Find all content that has a PercievedType of Video
Identity which of those files are supported by the device being used at the time by checking the ProtocolInfo method.
Either filter out or disable content that is not supported by the current playback device.

As I said this approach isn't perfect, it has a couple short comings:

You are not guaranteed that a device will return you a ProtocolInfo string so you have to special case that with the default content types called out in the ProtocolInfo documentation.
Content Type, while useful isn't enough to tell you for sure the content will play, for example bit rate and other encoding options can make content not playable.

With that being said this is a fairly reliably means for you to filter out the cruft that will cause users of your add-ins problems, and you should consider implementing it if you create a library view in your application.

Automate the mundane for sanity sake (part 4)

Ryan M. Hurst — Sun, 22 Jun 2008 23:23:26 GMT

A recent change in My Movies results in users having to have the rips be conformant with the DVD standards, specifically it now requires that the VOB, IFO, and BUP files are in a VIDEO_TS folder.

I threw together a very basic script that can take folders that are in the form of sourcedir\moviename\dvdfiles to sourcedir\moviename\video_ts\dvdfiles.

As always use this script at your own risk, I have only done limited testing, but it worked on the two folders I tried .

To use this copy the following script to foo.vbs, put it in the root of your movies folder, open a command prompt in that directory and type "cscript foo.vbs" and you should be good to go.

I recommend trying it on a small folder set before you run it on your whole collection to make sure you would be happy with the results.

Dim FileSystem, szMovieFolder
szMovieFolder = "C:\test"
Set FileSystem = CreateObject("Scripting.FileSystemObject")

Dim Folder, File, Files, oMovieFolder, szFolderName, iEndOfShortFileName, szDestPath
Set oMovieFolder = FileSystem.GetFolder(szMovieFolder)

Set Folders = oMovieFolder.SubFolders

For Each Folder in Folders

szFolderName = szMovieFolder & "\" & Folder.Name

If (FileSystem.FileExists(szFolderName & "\" & "VIDEO_TS.ifo")) = True Then

  ' Looks like we have a movie name folder that directly contains a VIDEO_TS.IFO

  szDestPath = szFolderName & "\" & "VIDEO_TS"

  If (FileSystem.FolderExists(szDestPath)) = False Then

   ' Looks like it also does not yet have a VIDEO_TS folder

   FileSystem.CreateFolder(szDestPath)

   ' Now it does!

   Set Files = Folder.Files

   For Each File In Files
    bMove = False

    ' If its a VOB, BUP, or IFO move it.
    If InStr(1, LCase(File.Name), ".vob") <> 0 Then bMove = True
    If InStr(1, LCase(File.Name), ".ifo") <> 0 Then bMove = True
    If InStr(1, LCase(File.Name), ".bup") <> 0 Then bMove = True

    if bMove = True then
     ' ok lets move file
     wscript.echo "Moving '" & File.Name & "' to '" & szDestPath & "'"
     File.Move(szDestPath & "\" & File.Name)

    end if
   Next

  End If
End If
Next

Good luck.

OK, I admit it, I am twisted...

Ryan M. Hurst — Sun, 23 Mar 2008 01:22:27 GMT

I was catching up on reading blogs and such and ran across this post from Bruce Schneier over at Wired titled "Inside the Twisted Mind of the Security Professional".

The premise of this so aptly titled post is that security professional's just think differently, and that this difference is a trait that might just be innate in certain individuals; I have to agree.

I got into electronics (including computers) as a child as a means to figure out how they worked, it started by taking them apart and putting them back together; though in many cases I ended up with extra parts most of the time they went back together just fine .

I quickly learned that this was mostly a mechanical exercise, and that no amount of assembly and re-assembly would really tech me how these things worked; so I started looking at the software.

The interest in software was really again trying to understand how these magnificent boxes worked, I recall looking at the files that made up programs trying to understand their role and ultimately realizing for me to really understand how things worked I had to be able to re-produce approximations of them and so I taught my-self to program (Basic, Pascal, C, and c64 and x86 assembly).

Once I mastered the basics I came back to looking at these programs, trying to understand them and utilizing the basic understanding of computer architecture and programming I had amassed, from there I started trying to see how I could bypass the copy protections on games; it's really this that got me into computer security.

Here there was this commercial software developed by a mass of professionals designed to prevent me, a punk kid from doing something and I was able to by-pass it; I recall how proud I was of myself at first but this quickly lapsed as I realized problems like this were impassable, I was 10.

My friend Josh and I started fumbling around on bulletin boards across the nation, It remember going into a chat room with Josh and some guy offered us a step-by-step guide of sorts to log in and control phone switches as a means to make free international calls; he had written this guide based on a manual he stolen out of the back of a telephone operators truck, the inside cover of the manual included the default password for this switch.

I remember this guy telling us how he went about it, and how amazed he was when he found that most of the switches out there were based on this same system and no one changed the default password; this guy was not much older than us, maybe 15 or 16 but again clearly pleased with how he was able to figure this all out.

For me this was the beginning of understanding social and computer networking, and the beginning of me seeing myself as a "hacker".

As a "hacker", I prided my myself in my common sense and the lack of common sense in others; every where I went I was looking for flaws, things that other people missed.

I remember when we moved to our new house, my mom called the power and phone companies to have our service transferred, I listened to her side of the phone call and she never had to give them any private information; I was amazed. Several months later some kid picked on me at school so I called the phone and power company to have their service disconnected, it worked.

This view on life has continued to this day, I have of course grown up and no longer use my insights for evil (at least intentionally) but I thank my lucky stars I see the world the way I do.

As for this view of life being innate in some, as I said. I believe it is; however I also believe it can be learned though I don't know if it can be taught. As a "hacker" when I watch movies I look for the mistakes, the things that were of such a small detail that they were missed by the production staff, when I got married I started to share these findings with my wife who was always surprised I noticed such things.

However at one point in our marriage she started finding these flaws before I did and when we discuss strategy on issues she also now finds angles I may have missed; she tells me that this is something she has learned from me, all I can say is I certainly didn't mean to teach it as now she can use it against me

RFC 5216 is published!

Ryan M. Hurst — Sat, 22 Mar 2008 19:33:05 GMT

Previously I mentioned I was working on an update to RFC 2716 that process is now complete, the RFC number for this new work is 5216.

This update was really about adding clarifying text address common implementation issues, better aligning the specification with its dependent RFCs (like RFC 4346, RFC 3280, etc), updating to specification to represent actual implementation practices to aid in interoperability and of course improving security guidance for implementers.

To be clear, no new capabilities were added to this RFC; despite that the document increased 35.9934% in size (from 50.2 KB to 71.7 KB); larger doesn't always mean better but in this case I think it does.

My Netflix is dead, long live My Netflix.

Ryan M. Hurst — Sun, 10 Feb 2008 22:50:24 GMT

Back in 2004 ended up getting a cold or flu of some sort that kept me from going into work for a day or so and I used that time to throw together a Media Center add-in called My Netflix; I have done a few minor updates over the years (http://unmitigatedrisk.com/archive/2007/08/25/119.aspx) but my work has become increasingly demanding and finding the time to give the project the TLC it deserves has been difficult at best.

As a result I am now officially announcing the death of My Netflix, I will no longer fix anything no mater how minor; if you have issues I released it under the MSFT permissive license and the source is still available (http://www.unmitigatedrisk.com/mce/mynetflixsource.zip) so you can go to town if you like.

With that being said, My Netflix has also been re-born (http://www.anpark.com/index.php/2008/02/10/new-vista-media-center-plugin-mynetflix-beta/); a kind soul (Anthony Park) has done a bunch of what I wanted to see done and re-wrote the add-in as a MCML application giving it experience more consistent with MCE plus he added support for Watch It now.

I have not been a Netflix subscriber for some time (they started rate limiting me, I think this is a dishonest practice) so I switched to Blockbuster (which has its own issues but that's another post) but from the screen shots Anthony has done a great job; in fact I think I will sign up for Netflix on one of the trials and play with it.

I can't say how excited I am to see this happen :)

Thanks Anthony!