Microsoft

Some of the things I worked on in Windows 7

Ryan M. Hurst — Wed, 21 Apr 2010 22:18:46 GMT

One of the things I love about working at Microsoft, and working in Windows, is your ability to influence so many areas.

This article at PC World discusses a number of areas (as you can imagine it's just a partial list) that I was able to directly influence or work on during the Windows 7 release, the mentioned ones include:

DNSSec
Extended Protection for Authentication,
Bitlocker To-Go
Better Cryptography
Direct Access

Pretty cool if you ask me!

Ryan

Generic Identity Device Specification Published

Ryan M. Hurst — Fri, 09 Apr 2010 17:21:34 GMT

In the PC ecosystem, when a new device (say mass storage) technology is introduced, commonly there is little standardization, vendors produce proprietary software stacks for interacting with that device, they have custom hardware interfaces for interacting with the device, custom software for managing those devices, etc.

As a device picks up in popularity common platform programing interfaces typically emerge, sometimes these are commercial in nature, other times they are standards based; in either case the goals of these interfaces are simple: abstract out the variety in the hardware ecosystem for the application developer allowing them to write software that can run on any machine regardless of which vendor manufactured a given device. These abstractions also commonly allow the sharing of devices so that multiple applications can use them at the same time.

The next phase in a devices maturity is normally the definition of a class interface for interacting with hardware, it’s this last phase that allows the “no driver needed” story that users like so much; we all reap the rewards of this with flash drives today, plug in the device and it just works (the same is true for display technologies like VGA).

These class drivers commonly cater to the lowest common denominator when it comes to functionality, but vendors are always able to add additional capabilities that are exposed when their drivers and custom software are present (again think about display technologies here as a good example).

There is one device in particular that has not entirely followed this flow that I wanted to talk about and that is Smart Cards; as a concept was they emerged in the 1970s, the first cards went into production in the late 70s. Here we are 40 years later and there is no clear “class driver” for these devices, that is not to say there have not been attempts, some even with success, but those that have had success have been closed system solutions, for example the PIV interfaces used within the US Federal Government.

In the commercial space however, no class specification that has been attempted really was viable, there are lots of reasons for this but I am cautiously optimistic that there is now a candidate.

One of the projects I was working on over the last few years was the specification of the Generic Identity Device Specification, this attempts to build on the success of the government based card specifications and extend it to commercial applications as well.

I had opportunities to work with some great folks on this effort, we all had the same goal make smart cards as reliable, cost effective and accessible as possible; I believe this work does just that.

This specification has now been released by Microsoft under the Microsoft Community Promise, that means it is available royalty free for anyone to adopt; this is a big win for our partners and above all the customers who will benefit the most from it.

So what does this mean for you? Well if you’re a customer looking to deploy smart cards you should seriously look for vendors who produce cards that are compliant with this specification, it means lower cost of deployment, makes it easier for you to multi-source cards and in the end it will likely reduce the overall cost of cards as volumes go up based on function of scale.

For a card manufacturer there are a number of benefits as well, it is possible to develop a GIDS card that is compatible with the PIV card-edge, this means you can develop a single card stock get it evaluated for FIPS (or whatever other standard) that can be sold into commercial or government applications (reducing cost) and these cards will have a great experience in Windows.

If you are a platform or operating system developer you now have a specification you can use as a baseline for testing card scenarios, a way to (hopefully) support a large number of “real” cards that will exist on the market (soon I hope), if this happens we can experience driver coverage numbers similar to other device classes.

For those of you not in this segment, this last point is super important, there is so much fragmentation in the market no solution has over a couple percent of card coverage in-box, if this specification gets adopted that number can start to look more like other device classes where the number is in the 90 percentile range.

In any event, I am pleased to see this out there, here’s hoping it gets adopted broadly…

iPhone 3.0, tethering and me….

Ryan M. Hurst — Sat, 20 Jun 2009 04:31:21 GMT

Like all good geeks as soon as a software update for one of my toys comes out I apply it, so when the 3.0 update for the iPhone came out I was right there.

I had hoped that it would resolve some issues I had been having with my phone, it did not, but Apple did replace the phone for me when I took it to them.

The problem is that when I had upgraded the phone (even before the hardware switch) my backup did not restore the applications I had on my phone, for the most part that was fine because they were still available; the thing is NetShare (a socks proxy to enable tethering with the phone) was not.

With that in mind I was left looking for an alternative, it’s not that I used it frequently but there have been times where that’s been supper useful.

Being a gadget hound I follow Engadget, they recently had a post about how to enable the native tethering support of iPhone 3.0; I followed the steps and viola, tethering showed up in the UI.

I paired the device with my Windows 7 machine and I saw a new device, but no driver was found; its HW ID was:

BTHENUM\{00000000-deca-fade-deca-deafdecacafe}_VID&000205ac_PID&1292.

Notice the strange service ID in the HW ID, (looks like someone needs to get a copy of GENGUID), in any event with some research on the web and some help from some folks I work with I discovered this is ID maps to something called “Wireless iAP” which is supposedly an Apple proprietary Bluetooth profile for a Wireless Internet Access Point.

The problem is that that there is no profile for this in Windows 7 and I have not been able to find a third-party profile I can load; I may get there, and if I do I will update this post but for now it looks like I may be out of luck.

I wonder why they did not use the standard profiles for this stuff, oh well.

[Update 6/22/09 11:00AM] I am a idiot, yes; turns out I did not have Tethering "ON" when I tried this; once I did that it worked just fine... 100% user error; just tried the connetion via speedtest.net and I was getting .60 down and .20 up.

This begs the question what is this "Wireless iAP" thing, its clearly not required for this scenario.

White Paper Published: Introduction to the Windows Biometric Framework

Ryan M. Hurst — Tue, 23 Dec 2008 18:39:41 GMT

We just recently published a new White Paper that provides a great Introduction to the Windows Biometric Framework.

The Lenovo X301 is way cool...

Ryan M. Hurst — Tue, 09 Dec 2008 05:12:05 GMT

Today my test lead let me snag one of the laptops we recently ordered for selfhost testing of some of our technologies.

My current laptop is a X61, only about a year old and its no slouch but boy this X301 is fast, and this screen its beautiful!

Its running a recent Windows 7 build and all I can say is WOW...

I am tempted to buy one for home use!

Did you know you can disable the use of USB storage devices in Windows?

Ryan M. Hurst — Thu, 13 Nov 2008 10:28:17 GMT

Well to be honest the only way to really stop the use of external storage devices is to whip out your epoxy and fill all the external ports on a machine.

Any policy that is locally enforced is a policy that can be bypassed by an attacker with local administrative privileges or physical access.

Plus if the definition of an attacker also includes the authorized user of the machine there are vectors that do not involve physical media that can *and will* be used (email, IM, web, etc.) to get the data off the machine.

With that being said it is actually possible disable the use of USB storage devices in Windows, I know a few companies who actually do this when paired with Extrusion Prevention Systems and/or Information Rights Management (IRM) systems (Its important to note such systems are best effort also, I suppose information does want to be free??).

The mechanism I am speaking about is documented in KB823732, it is supported as of XP SP2 and once is set the devices function as read-only devices only.

People should think carefully before deploying such a policy, there are plenty of legitimate reasons to use USB drives and doing this and settings like this don't differentiate by use case.

What I have been up to for the last year...

Ryan M. Hurst — Sat, 08 Nov 2008 00:47:16 GMT

A year ago I announced I took a new job back in Windows Security, I have not had much chance to blog since I took the new job but even if I did have the time I could not talk about the stuff I had been working on.

But times are a bit different now, a week ago was the Professional Developers Conference and this week was WinHEC; these were really the 1st events where Windows 7 became a public thing so now its safe for me to talk about what I have been up to.

As I said in a previous post my groups mission is to build platform technologies and solutions that enable secure password-less authentication into Windows, networks and the applications built on our platform.

To that end over the last year we have defined and delivered a platform for Biometric Devices in Windows, the "Windows Biometric Framework", this has been one of the best projects I have worked on at Microsoft.

Its just amazing that a year ago we had a whiteboard drawing and now we have a full platform and solutions built on that platform with support from great partners like Upek and Authentec (there are others too but I can't name them yet).

The cool bits of this project are in the platform, not in the user interface but the part people get to see is always a good place to start, in the "Hardware and Sound" control panel you now see a Biometric Devices control panel applet:

It exposes a set of common tasks related to Biometric devices, these of course include "Use your fingerprint to log on to Windows".

The control panel applet itself includes a list of Biometric Units that are registered on the machine, this machine (my Lenovo X61) has a Upek based Biometric Unit, you can see it bellow:

From this location you can "Remove your fingerprint data" if you do not feel comfortable with this data being persisted on the machine, or you can manage/enroll fingers.

Currently the platform only supports fingerprint readers, but its designed to support other concepts like facial recognition, vein recognition, geometry, iris and more.

In future versions of Windows, as these technologies become more common I hope to see it expanded to include native support for them as well.

So far the feedback has been great, the solution is the fastest we have tested and it allows for these solutions to co-exist, so you can buy a laptop with a built in fingerprint sensor from one manufacturer and a mouse with a sensor from another and they can both work on the same machine, unfortunately today that's not normally the the case.

There is lots more in store for Strong Authentication in Windows 7 also, I will try to write more about this and other features in this area in the future.

Back from Cartes, had a great time v2...

Ryan M. Hurst — Sat, 08 Nov 2008 00:47:06 GMT

Last year around this time I had the pleasure of heading to Paris for Cartes, it was a good trip and this year qualifies as the same.

I had a number of great partner meetings, saw a bunch of neat products, attended PC/SC and of course got to see Paris.

These trips take a lot out of you, very little time for sleep but a good time none-the less, I am glad to be home though.

RFC 5216 is published!

Ryan M. Hurst — Sat, 22 Mar 2008 19:33:05 GMT

Previously I mentioned I was working on an update to RFC 2716 that process is now complete, the RFC number for this new work is 5216.

This update was really about adding clarifying text address common implementation issues, better aligning the specification with its dependent RFCs (like RFC 4346, RFC 3280, etc), updating to specification to represent actual implementation practices to aid in interoperability and of course improving security guidance for implementers.

To be clear, no new capabilities were added to this RFC; despite that the document increased 35.9934% in size (from 50.2 KB to 71.7 KB); larger doesn't always mean better but in this case I think it does.

Book: The New School of Information Security

Ryan M. Hurst — Sun, 09 Mar 2008 22:35:17 GMT

OK, so I was not a reviewer or contributor to this new title but I do know the author and he is a bright guy, Adam Shostack is about to release his new book "The New School of Information Security"; when I first met Adam he was with Zero-Knowledge Systems as their Most Evil Genius, who could forget a title like that?

So whats the new book about? In Adam's own words its:

The New School is a systemic look at dysfunction within information security, and a look at some of the ways people are looking to make things better. We think there's an emerging way of approaching the world, which we call the New School.

This is a concept I know I beleive in, one I have discussed numerous times with folks over beer; with that being said I can't wait to get my copy to see what the Most Evil Genious thinks.