Digital Choke Daynotes

Daynotes	a daily journal of our activity	Send us email
Digital Choke	an action that is sometimes needed for your computer; also a short techno-story available here.

Sunday, June 15, 2003

Happy Father's Day! Although there are varying degrees of successful fathers, I think that those that try their best should be rewarded. I'm not saying that my fathering skills are perfect, but they have been successful overall. I am thankful for my experience as a father.

We slept in this morning, then Pam fixed me some french toast and orange juice for breakfast. Then it was off to church, and back again for some rest and relaxation. Then I fired up the new grill, and put on some steaks with a pepper rub. They were not bad for a first try on a gas grill, although they were done a bit more than they should have been. Well-done, in fact. More experimentation is in order.

I watched the first part of the Discovery Channel's "Walking with Cavemen", which was quite interesting. I had to make a few phone calls, and then the TV was pre-empted for a Hallmark channel special movie ("The King and Queen of Moonlight Bay"). I was out-voted by the two women. So I hooked up the laptop to the phone line and did some surfing.

Back to work tomorrow. A meeting with the boss to discuss the project plan, and the other usual stuff. I need to get started on a "Security for Users" plan, to help educate the masses (and to offset a bit of their grumpiness about the web filtering that was put in place by the direction of the big bosses). It should be an interesting week.

Monday, June 16, 2003

A lot of 'bloggers' spend most of their time just putting links on their pages, rather than what I term the "Daynotes style", which is what I think this is. If I see a personal site that has just a bunch of links in it, I am probably not going to visit that site again. I like the 'journaling' type of sites, which is why I write this.

So I don't really like to put a lot of links in these pages without at least an explanation of why I think you should go there. So you won't see a "this is interesting", "can you believe this", etc. type of linking on these pages. (Those links actually go to my "Digital Choke" fictional story; I figured that link is OK as an example.) I think that a lot of bloggers do that just to increase their rankings on Google or other ranking sites.

If I put a link in these pages, I'll tell you why. Which is a long way of introducing these links and information:

Here's something that should be interesting to virus haters (that should be everyone) and those that are using Microsoft Servers or creating application web pages.

Network Associated (McAfee/VirusScan etc) has rearranged their web site.

• This URL is for the location of the updates information http://www.networkassociates.com/us/downloads/updates/
  
• This is for the Knowledgebase area https://knowledgemap.nai.com/phpclient/homepage.aspx
  
• Virus Information Library is here (good place to look up info about a virus) http://www.networkassociates.com/us/security/vil.htm
  
• Newly discovered/recently updated virus info
  http://vil.nai.com/VIL/newly-discovered-viruses.asp
  
• Virus Hoaxes
  http://vil.nai.com/VIL/hoaxes.asp
  

I have found all the above links to be useful. Somewhere in the 'home users' area is some interesting maps and statistics about virus/worm infections. If you deal with viruses on a regular basis, or are interested in the subject (and how to protect yourself), you may want to add the above links to your bookmarks/favorites page.

Microsoft has released a paper (here: http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp ) containing information about ensuring your web applications are built with security in mind, and ensuring your web servers are more secure. Note that the above link is to their announcement page, a 5.8MB PDF file is here: http://microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9&displaylang=en , so plan accordingly.

I believe that MS is trying mightily to increase security of their products. There are still problems, but they are being addressed. In addition to these and other useful papers, witness the improved security of Windows 2003 Server, as reported by many publications and papers.

This is a long quote from the Microsoft announcement showing the topics covered in their new paper

Microsoft is pleased to announce the release of "Improving Web Application Security: Threats and Countermeasures"

This guide helps you build hack-resilient applications. A hack-resilient application is one that reduces the likelihood of a successful attack and mitigates the extent of damage if an attack occurs. A hack-resilient application resides on a secure host in a secure network and is developed using secure design and development guidelines.

Web application security must be addressed across the tiers and at multiple layers. A weakness in any tier or layer makes your application vulnerable to attack. Figure 1 shows the scope of the guide and the three-layered approach that it uses: securing the network, securing the host, and securing the application. It also shows the process called threat modeling, which provides a structure and rationale for the security process and allows you to evaluate security threats and identify appropriate countermeasures.

If you do not know your threats, how can you secure your system?

The guide is divided into five parts.

Part I, Introduction to Threats and Countermeasures This part identifies and illustrates the various threats facing the network, host, and application layers. By using the threat modeling process, you can identify the threats that are relevant to your application. This sets the stage for identifying effective countermeasures. This part includes:

Foreword by Mark Curphey
Foreword by Joel Scambray
Foreword by Erik Olson
Introduction
Solutions at a Glance
Fast track
Chapter 1, Web Application Security Fundamentals
Chapter 2, Threats and Countermeasures
Chapter 3, Threat Modeling

Part II, Designing Secure Web Applications
This part provides the guidance you need to design your Web applications securely. Even if you have an existing application, you should review this section and then revisit the concepts, principles, and techniques that you used during your application design. This part includes:

Chapter 4, Design Guidelines for Secure Web Applications
Chapter 5, Architecture and Design Review

Part III, Building Secure Web Applications
This part helps you to apply the secure design practices and principles covered in the previous part to create a solid and secure implementation. You'll learn defensive coding techniques th at make your code and application resilient to attack. Chapter 6 presents an overview of the .NET Framework security landscape so that you are aware of the numerous defensive options and tools that are at your disposal. Part III includes:

Chapter 6, .NET Security Fundamentals
Chapter 7, Building Secure Assemblies
Chapter 8, Code Access Security in Practice
Chapter 9, Using Code Access Security with ASP.NET
Chapter 10, Building Secure ASP.NET Pages and Controls
Chapter 11, Building Secure Serviced Components
Chapter 12, Building Secure Web Services
Chapter 13, Building Secure Remoted Components
Chapter 14, Building Secure Data Access

Part IV, Securing Your Network, Host and Application This part shows you how to apply security configuration settings to secure the interrelated network, host, and application levels. Rather than applying security randomly, you'll learn the reasons for the security recommendations. Part IV includes:

Chapter 15, Securing Your Network
Chapter 16, Securing Your Web Server
Chapter 17, Securing Your Application Server
Chapter 18, Securing Your Database Server
Chapter 19, Securing Your ASP.NET Application and Web Services
Chapter 20, Hosting Multiple ASP.NET Applications

Part V: Assessing Your Security
This part provides you with the tools you need to evaluate the success of your security efforts. It shows you how to evaluate your code and design and also how to review your deployed application, to identify potential vulnerabilities:

Chapter 21, Code Review
Chapter 22, Deployment Review

Finally, there are two extra sections, Checklists and and How-to Articles:

Checklist: Architecture and Design Review
Checklist: Security Review for Managed Code
Checklist: Securing ASP.NET
Checklist: Securing Enterprise Services
Checklist: Securing Web Services
Checklist: Securing Remoting
Checklist: Securing Data Access
Checklist: Securing Your Network
Checklist: Securing Your Web Server
Checklist: Securing Your Database Server
How To: Implement Patch Management
How To: Harden the TCP/IP Stack
How To: Secure Your Developer Workstation
How To: Use IPSec for Filtering Ports and Authentication
How To: Use IISLockdown.exe
How To: Use the Microsoft Baseline Security Analyzer
How To: Use URLScan
How To: Create a Custom Encryption Permission
How To: Use Code Access Security Policy to Constrain an
Assembly

This _patterns and practice_ guide is available at:

http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp

(note, this link may wrap in some email clients)

In the same neighborhood you might find other interesting 'white-paper' kinds of information about various security issues relating to Microsoft products.

A catch-up day at work today, nothing really exciting, although I suspect another major project from above is ready to descend on me. Not much I can say about it now, but I'll talk about it when I can.

Had a nice visit from the grandkids (and their family tonight). They stopped by to give me my Father's Day present (they were at his parent's yesterday; we share them occasionally). I got a two very useful books.

Then we went off to the local Coldstone Creamery (an ice cream place) for dessert. It was a warm day today (about 98 degrees, but not much humidity). We got there about 8:00pm, so it was starting to cool off. We sat outside the place and enjoyed the ice cream.

Then back home, where I installed the Virusscan and WinZip on my daughter's computer, and gathered the bar code labels for all the rebates. Then I sat down in the family room and did a bit of surfing while watching "Enemy of the State". It's one of my favorite movies. A lot of interesting things in there that may have become a bit more real. If you haven't seen it, it's recommended. Pay attention to the statements at the end. And then compare it to what has been happening to your personal freedoms (in the US and other places) after 9/11.

Tuesday, June 17, 2003

"There is nothing to see here." -- Zork I

Wednesday, June 18, 2003

I usually write these meandering thoughts around 10:00pm. Last night, I was too tired to do that. I have a tendancy to stay up later than I should, considering that I wake up a bit after 5:00am each morning. Sometimes it catches up with me, as it did last night.

I have gotten a lot accomplished the past two days. I am still organizing the garage. I picked up a workbench kit at Lowe's last Saturday, and Tuesday after work I started to put it together. It's four feet wide, made out of angle iron, with a work surface of that processed wood stuff. It comes with a little light and a power strip, and it only cost $88. I don't need a big fancy workbench area, so this one seemed like it would be very useful. So I got it put together Tuesday night.

Today was the luncheon hosted by the hospital volunteer guild. Stacy spent quite a bit of time there as part of her occupational training class at school. She was selected to recieve a $1000 scholarship, so we all went over to an area country club for the luncheon and presentation.

On the way home, we picked up Stacy's car. We had the shop check it out to ensure that it will be working OK while she is at school in Idaho. They replaced the timing and other belts. There was some additional work that needed to be done: plugs/wires/filters, rear brakes, and transmission filter/fluid change. Most of that work I can handle, a bit cheaper than the repair shop. The work that they did cost about $400, including some diagnostic work. The additional work would have been about $600.

So I got the car, paid the bill (they do good work there), and then stopped by the local auto parts store to load up on the rest of the parts needed. That came to about $160. That, plus several hours of work, will get that car in good shape for a couple of years of college. In fact, I may get one of Stacy's friends (who enjoys working on cars) to do all the grunt work. I figure that he will work a lot cheaper than the repair shop.

Once at home, I spent some time putting up an additional fluorescent light fixture in the garage. I also replaced a defective outlet plug in the kitchen. And then fired up the new barbeque for some ribs for dinner. Then a trip to the local Target for a few things. By the time we got home, it was about 830pm.

I spent a bit of time going through some work email, getting rid of the crud and looking for anything that I might need to know before I go back to work tomorrow. Should be interesting.

Thursday, June 19, 2003

Spent a bit of time on the anti-spam program. With the wide variety of email in a corporate setting, finding the right balance of blocking the bad stuff and letting the good stuff through is quite difficult. For instance, our company sends out many bid requests. The responses can be caught by a filter rule that uses a dictionary of shopping terms. But you need to have a filter for shopping/marketing spam, which is the great majority of spam mail. So how do you build rules that block and allow? It's quite difficult, and very time-consuming.

So I spent a bit of time trying to define a rule that will work in that situation. It looks like it should look for words that would be unique in a bid response, while not relying too heavily on a dictionary of shopping words.

On the way home, we stopped at Mel's Restaurant. You might remember Mel's from "American Graffiti". There are several of them here in California, and the food is pretty good. We met both of my daughters there, and the grandchildren. We had a nice visit, and a good dinner.

Then the women went off shopping while I headed home. I did a bit of puttering in the garage. I put up the second florescent light fixture in the garage, but didn't wire it yet. I'll probably get around to doing that Saturday. Then I spent some time reviewing some maps and brochures on Yellowstone National Park. Next week is the journey to Idaho to take Stacy to college in Rexburg, Idaho. After we help her get settled in her apartment just off campus, Pam and I will go a bit further up the road and spend a bit of time wandering around Yellowstone. We'll probably do a bit of light hiking, maybe a tour bus, and perhaps go on a trail ride (horses). Then we'll swing down to Salt Lake City (Utah) and have a short visit with my sister before heading home.

So, a bit of research with the materials we got from the touring club (AAA) was in order. This will be our second visit there; Pam and I spent a week camping there the summer after we got married. That was about 27 years ago, so I suspect that there might be a few changes. It should be a fun trip, though. Even with all the driving. Yellowstone is about 850 miles away from here.

I've started making a list of things to do before we go. We'll get some of our new neighbors to keep an eye on the place, and the security system will be turned on, of course. We might even get my cousin to do a bit of house-sitting, since they are between houses at the moment. So things will be well-protected while we are gone.

Friday, June 20, 2003

You may have heard about the big USDA conference that will be in town (Sacramento) next week. The conference is about ways to increase the food supply in third world countries. Among the topics will be biotechnology, which have gotten all the green guys worked up. So, besides the conference attendees, there are projected to be 8-10,000 protesters wandering around the city. There are some worries about the protestors doing another "WHO" thing like they did in Seattle.

So there will be some streets blocked off from traffic, downtown workers are being advised to bring their lunch rather than eating at the local sandwich place, telecommute if they can, etc. There is extra police and the "Chips" (California Highway Patrol) around the state capitol building, bus routes changing, and lots of security guards. It should be an interesting couple of days.

Especially since I work about 4 blocks from the conference location.

In the meantime, it looks like a big rearrangement of our mail system. We get, as you two regular readers know, lots of messages each day -- some of it actually related to official company business. So it is important to have a system that can handle the load, and not have single points of failure. The current design sometimes lets mail bypass the spam filter because of the load. And our anti-virus server is getting a bit old, so it is time for a redesign.

After work, we got home, changed, and headed over to the in-law's house where the trailer is. We put an ad in the paper for it today (1990 Prowler, 26 foot, good condition, $5000, in case anyone's interested; delivery extra for those of you that don't live around Sacramento), and got a few calls. One guy wanted to see it tonight, so we went over there to meet him after work. Hitch in the plans, though; his father-in-law had a stroke just before he was going to leave to see us. I told him to take care of his family, we could figure out something for this weekend.

Then a bit of shopping for some 'walkabout' shoes for Pam, and a stop at the Golden Arches for a hot fudge sundae. We drove by the local Barnes and Noble bookstore about 8:00pm, and there were already people lining up for the Harry Potter book. We decided we could wait until tomorrow to pick up a copy -- Stacy really enjoys those books; I think she has read each of them several times.

Tomorrow's plan is to get the rear brakes on the car fixed before we take off for the big trip. And some more cleaning up in the garage is in order. But now, as you can tell from the timestamp at the top of the page, it's time to post this before it becomes tomorrow.

Saturday, June 21, 2003

"There is nothing to see here." -- Zork I

Digital Choke Daynotes