Posted by: kurtsh | September 5, 2006

VIDEO: How Windows password crackers work

A lot of hoopla has been made over a video that was produced recently and placed on the Internet that describes how to crack Windows passwords, or more specifically, how to use L0phtcrack.  (If you haven’t seen the thing, I’ve posted it here.)

WHAT IS ALL OF THIS?
L0phtcrack originated as an old NT password cracking tool created by a couple of hackers who discovered that by brute force attacking the Security Account Management database (aka SAM) from a Windows NT kernel-based machine, a person can crack virtually any password in the local user database with enough time and enough CPU.  Early versions of the tool required that the end user either have physical access to the machine to copy the SAM database file off of it, or have security access to the SAM database over the network so that one could again copy the file, then run L0phtcrack on it on their own time on their own machine.  Newer versions I believe allowed a person to monitor the network traffic going back and forth between the machine and other servers, to take advantage of weaknesses in the NTLM authentication protocol to essentially do the same thing.

IT’S NO BIG DEAL.
In a nutshell, if folks never actually get their hands on your laptop or don’t have physical access to your desktop, you don’t really have much to worry about because you’re pretty much protected.  In order to do all of this, a person needs to physically boot up another operating system on your machine to copy off the SAM database file and that’s not something that they can normally do if they don’t have physical access to your workstation.

If the people you’re worried about DO have physical access to your workstation, there’s an old adage in the security industry:  Don’t do that.  Giving physical access to your PC to people you don’t trust is like giving them the codes to deactivate the security alarm on your home: after they’ve disabled the alarms, it’s just a matter of picking the lock on the front door.  There are really no commercially available operating systems out there that aren’t hackable through brute force techniques when people have physical access to the machine being hacked.  Not Macintosh.  Not Linux.  Not UNIX.

For the record, the vulnerability of data on mobile PCs like laptops has not gone unnoticed by Microsoft.  In the future, Windows Vista will be the first commercially available operating system to fully take advantage of next-generation security & encryption technology available on this coming generation of PCs & laptops.  The technology is called the Trusted Platform Module or TPM chip, which among other things enables people to securely encrypt all data on a laptop storage medium like the hard drive.  The bottom line is that even if the laptop is stolen, the data on the hard drive can’t be decrypted using simple brute force techniques.

TPM chips are only available on the latest workstations & laptops and the only Windows operating system that takes advantage of this technology is Windows Vista.

HOW TO PROTECT YOURSELF FROM PASSWORD HACKING
The net net, however, is that it’s relatively easy to "protect" oneself from these sorts of attacks.

  1. DON’T LET PEOPLE GET PHYSICAL ACCESS TO YOUR MACHINE
    It sounds lame but any computer physically accessible by people without specific "commercially available protective security software" and special configuration "hardening" is usually vulnerable to password cracking.   Examples of this "security software" include some rather expensive packages from PointSec or, for a much less expensive solution, try Windows Vista’s built-in Bitlocker Technology.  Examples of "hardening techniques" include removing all removable media drives & access points like USB ports, floppy drives, serial ports, CDROM drives, etc., and enabling a power-on password and a BIOS password.

    – The easiest solution is to simply use Windows Vista Business and leverage Bitlocker Drive Encryption Technology on your PC or laptop and encrypt everything securely based on your authentication.

    – If you use a desktop PC with Windows XP, keep the computer casing locked, the physical unit secured to a table (so that someone couldn’t walk off with it at night), set a power-on password and BIOS password to prevent people from "booting up from your CDROM, floppy drive, or USB port". (or simply remove the drives and ports from your machine if you don’t need them)  Additionally, use Windows XP Professional’s EFS file & directory encryption to encrypt the data in your My Documents folder to protect your personal information.

    – If you use a laptop PC with Windows XP, consider the same practices as a desktop user and consider implementing a 3rd party drive level encryption technology.  Be aware that these products often cost $500 or more and won’t really be as necessary when Windows Vista is released and available since Windows Vista will have the technology built into it.

    …and if you don’t have Windows XP Professional and have something else, you need to first upgrade before you do anything else because your version of Windows is either out of support or it’s going out of support, meaning no more security patches, no more stability fixes, and no more software being written for it.  i.e. you’ve got bigger problems.

  2. USE DOMAIN ACCOUNTS & PASSWORDS
    This stuff only works against user accounts that are stored locally on the machine.  If you are on a corporate network with Active Directory, L0phtcrack does nothing to hack your account… because your user credential password hash doesn’t exist on the local computer, but rather it exists on a network server. 
  3. USE SYSKEY 128-BIT SAM ENCRYPTION
    Syskey will encrypt the SAM database with 128-bit security making tools like L0phtcrack unusable.  Basically, just read this article for the how & the why:
    http://support.microsoft.com/kb/310105/en-us
  4. USE A 14 CHARACTER PASSWORD
    A 14-character password is encouraged as the most secure way of protecting your user account & good name.  Without getting into the details, "14" turns out to be the precise number of characters that are necessary to ensure that your password is relatively hard to hack, assuming that you also… (see #5)
  5. USE NON-ALPHANUMERIC CHARACTERS, UPPER CASE, LOWER CASE, and A NUMBER IN YOUR PASSWORD
    For example, "MyPa$swordIs9ood" would be an excellent example of a password that is 14 or more characters long, contains a non-alphanumeric character ($), contains both upper and lower case characters ("M", "w"), and contains a number (9).
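A checker for rules 4 and 5 above, as an added example that is not part of the original post. The function name, the printable-ASCII character pools and the search-space estimate are assumptions of this sketch; it reports which rules a candidate password misses and how many bits an exhaustive search over its character classes would have to cover.

```python
import math
import string

MIN_LENGTH = 14  # rule 4 on the page

# Character classes from rule 5, with the number of symbols each adds to a
# brute-force search. Printable ASCII only (an assumption of this sketch).
CLASSES = {
    "lower case": (string.ascii_lowercase, 26),
    "upper case": (string.ascii_uppercase, 26),
    "number": (string.digits, 10),
    "non-alphanumeric": (string.punctuation + " ", 33),
}


def check_password(password):
    """Return (missing_rules, search_space_bits) for one candidate password."""
    missing = []
    if len(password) < MIN_LENGTH:
        missing.append(f"at least {MIN_LENGTH} characters")
    pool = 0
    for name, (chars, size) in CLASSES.items():
        if any(c in chars for c in password):
            pool += size  # attacker must include this class in the search
        else:
            missing.append(name)
    # Exhaustive search over `pool` symbols at this length is pool ** length
    # candidates; report it as bits so different passwords are comparable.
    bits = len(password) * math.log2(pool) if pool else 0.0
    return missing, bits


if __name__ == "__main__":
    # Constructed samples; the first is the example password from the page.
    for candidate in ("MyPa$swordIs9ood", "password", "Sh0rt!"):
        missing, bits = check_password(candidate)
        status = "OK" if not missing else "missing: " + ", ".join(missing)
        print(f"{candidate!r:22} {bits:6.1f} bits  {status}")
```

The bit count is an upper bound against exhaustive search only; a password built from dictionary words falls to a wordlist attack much sooner than the figure suggests.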

 

The Messaging and Security Feature Pack for the Motorola Q with Verizon Wireless is now available!   

This is pretty cool.  The MSFP Update is a ROM update for the Motorola Q that enables a number of key technologies including:

– "Direct Push" – This basically enables the "immediate delivery of email" functionality that people are used to having on Blackberries with some key architectural differences.  The user experience is very similar to a Blackberry in that email arrives on a person’s device almost immediately after it arrives on the user’s Exchange Server.  The difference between the MotoQ’s direct push and a Blackberry is that it can immediately deliver attachments for reading on the device, it doesn’t require any annual payments for "RIM Blackberry services", and it doesn’t require that email be processed through a RIM datacenter.  Unlike Blackberry, which has your email sent to a RIM datacenter then transmitted to your device, under Windows Mobile MSFP, email flows straight from the Exchange Server to the device.

– "Certificate Authentication" – Another feature of Blackberries, this enables an IT department to only allow the usage of authorized mobile devices into their messaging infrastructure.  A certificate must be installed on the device in order for the backend messaging servers to recognize and work with it.  This ensures that rogue, insecure, and otherwise uncontrolled devices do not interact with the messaging infrastructure.

– "Remote Kill" – Oftentimes, IT wants to send a "special message" to a device to have it "wipe its memory" in the event the device is lost or stolen.  MSFP’s administrator tools make this possible and the new device update will recognize this.

For installation files and instructions, please see: http://direct.motorola.com/hellomoto/motosupport/source/SoftwareUpdateSummary.asp?country=&language=&web_page_name=SUPPORT&strCarrierId=Verizon&strPhone=Q&strCable=Mini%20USB%20Data%20Cable

Posted by: kurtsh | August 31, 2006

RELEASE: Halo 2 Soundtrack Volume 2

If you’re a real XBox fan… you must buy this album.  It’ll bring you to tears remembering some of the cooler parts of the game as the music returns you to critical juncture points in the saga.

The sweet sultry sounds of Halo 2’s Original Soundtrack… Volume 2:  Now available from Amazon.com.  Click here:  Halo 2 Original Soundtrack Volume 2

1. Prologue 2:35
2. Cairo Suite 9:42
3. Mombasa Suite 6:41
4. Unyielding 3:04
5. Mausoleum Suite 8:10
6. Unforgotten 2:09
7. Delta Halo Suite 11:26
8. Sacred Icon Suite 7:26
9. Reclaimer 3:03 featuring Steve Vai
10. High Charity Suite 8:27
11. Finale 3:10
12. Epilogue 3:49

Posted by: kurtsh | August 31, 2006

BETA: Windows Media Player 11 Beta 2 RTWed today

FOR THE CONSUMER
It seems that the concept of "sharing media content" is quickly becoming pervasive throughout all of our media products.

First, the initial device to be released under the Microsoft Zune brand is announced as providing the ability to share music between other Zune devices – either as "temporary copies" or as part of the ability to be a one-man "DJ/radio station broadcast for your friends".

Now Windows Media Player 11 will provide the out-of-the-box ability to be the hub of all your music, videos, movies, and photos… while other devices like Xbox360s, Windows Media Center PCs, Zune Players, and other devices connect to it to seamlessly access its content as if it were local. (It’s essentially subsuming the functionality of Windows Media Connect and building upon it.)

<taken from http://www.microsoft.com/windows/windowsmedia/play…>
The new Media Sharing feature of Windows Media Player 11 lets you enjoy the contents of your Windows Media Player library from anywhere in your home. If you have a home network (wired or wireless), you can use Windows Media Player 11 to stream the contents of your library to networked devices. For example, if you have an Xbox 360 or other digital media receiver (DMR), you can use Windows Media Player to stream music, pictures, and videos from your computer to that device. This even works with music that you’ve downloaded from PlaysForSure music stores and services.

And make no mistake:  It goes unmentioned but you can bet that Zune devices will work just fine with it.  This of course means that Windows Media protected content will seamlessly sync and be accessible between these devices.  Look for an update to come with the XBox360 this holiday season to provide richer sharing functionality between Windows Media Player 11 & Zune devices.

FOR THE BUSINESS
The new Media Player has several implications to the corporate customer. 

  1. PLAYER MANAGEMENT
    There’s obviously a new .ADM file for applying Active Directory tattooed Group Policy settings to systems with Windows Media Player 11.  While most of the original .ADM file settings should apply, there will be unmanaged components of the player unless you apply the new Group Policy template for WMP11, so remember this in your installation.  The new .ADM file can be found in the WMP11.EXE package in the 11 distribution executable.  (I’ve posted it so you can also download it at http://www.evilkoala.org/download/wmplayer.zip.)
  2. DEPLOYMENT PACKAGING
    The current player is a WinZIP recognizable executable so you can take it apart if you’d like.  It’s unfortunately NOT a .MSI, making distribution a little tougher (I’ve got a question out to the development group about this).  However, be aware that the distribution doesn’t have any formal deployment documentation yet.

THINGS TO REMEMBER
Windows Media Player 11 Beta 2 requires the following:

DOWNLOAD:  http://www.microsoft.com/windows/windowsmedia/play…

“Microsoft Office Project Server 2007 and Project Portfolio Server Deep Dive” One-Day Seminar
8:30 a.m. – 2:00 p.m., September 14, 2006
Irvine, CA

You are invited to attend a FREE 1-day “Deep Dive” seminar on Microsoft Office Project Server 2007 and Project Portfolio Server futures, presented by Microsoft Consulting Services. Attendees will receive a technical overview of Project Server 2007, and learn best practices for upgrading to and deploying Project Server 2007.
Planned Agenda:

  • 8:30 a.m. – 9:00 a.m. Registration and Breakfast
  • 9:00 a.m. – 12:00 p.m. Project Server 2007 Overview
    Presented by: Microsoft Consulting Services
  • 12:00 p.m. – 2:00 p.m. Lunch, followed by Project Portfolio Server 2007
    Presented by: Microsoft Consulting Services

Thursday, September 14, 2006
8:30 a.m. – 3:00 p.m.

To register:
http://msevents.microsoft.com/cui/eventdetail.aspx?culture=en-US&eventid=1032304785&x=9&y=12
Event ID: 1032304785

Location:
Microsoft Corporation, Irvine, CA
3 Park Plaza, Suite 1800
Irvine, California 92614
949.263.3000

Join us for an informative series on Microsoft® Project, September 13-14, 2006!

The 7 Habits of Highly Effective Project Managers using Microsoft Office Project
Perhaps you’ve heard about The 7 Habits of Highly Effective People–the best-selling business book of all time. Now you have the opportunity to implement the 7 Habits in your Project Management Process using a combination of the FranklinCovey 4 Step process and Microsoft Office Project 2003. http://www.pmpractice.com/msp_consulting/default.htm

 

Please join us for this 1/2-day seminar on September 13, 2006, in the Microsoft Irvine office, designed for Project Managers and other senior personnel who will be required to plan and manage, monitor or sponsor projects in their organizations and discover how the FranklinCovey process together with Microsoft Office Project can help ensure successful Project delivery. You’ll learn:

  • How to relate The 7 Habits of Highly Effective People framework to managing projects
  • How to develop a project scope document
  • How to plan a typical project using Microsoft Office Project
  • How to communicate and update your project plan during the implementation phase using Microsoft Project
  • How to close a project

Wednesday, September 13, 2006 8:30 a.m. – 11:30 a.m.
(Breakfast and registration at 8:30 a.m., session commences at 9:00 a.m.)

To register:
http://msevents.microsoft.com/cui/eventdetail.aspx?culture=en-US&eventid=1032304343&x=16&y=10
Or, go to http://www.microsoft.com/usa/events, and enter Event ID: 1032304343

Location:

Microsoft Corporation, Irvine, CA
3 Park Plaza, Suite 1800, Irvine, California 92614

949.263.3000

I hate the Internet sometimes.  Don’t get me wrong – it’s not like I don’t recognize how the Internet has helped to level the commercial & equality playing field.  However the Internet was the reason Comdex & shows like it went under.  The Internet has encouraged less face-to-face contact and more electronic contact.  And the Internet is the reason lame media companies jump the gun, publicize stories & quotes out of context, without verifying and checking their sources, then claim "they’re just informing the public".

Like this debacle with HD-DVD playback on 32-bit Windows Vista.  In the old days folks would hold off on publishing anything until they got a detailed explanation.  Instead, if someone burps on stage at some convention, it gets blogged about from a cellular phone in the audience. 

Here’s all you need to know:

1) Windows Vista will not ship from Microsoft with the modules necessary to playback HD-DVD content

WHY?  We aren’t putting it in because we don’t want to build the cost of the H.264 license (one of 3 codecs that high definition DVDs may need to playback video) into Windows Vista, being that this isn’t something that every Tom, Dick, and Harry wants to pay for.  If you don’t own a high definition DVD player on your PC, why the heck would you want to pay the extra $20 or whatever it costs for the ability to play it back?  (Keep in mind that Microsoft has to pay hard cash to some organization out there that owns the IP rights to H.264, for each and every copy of the H.264 codec that gets distributed.  If we shipped Windows Vista with HD-DVD playback, the cost of H.264 would either get put into the cost of the Windows OS at retail for everyone or we simply leave it out and we let people who need it buy it separately.)

…this is no different than today’s standard definition DVDs & the MPEG2 playback license.  We don’t ship Windows XP with the ability to play DVDs today out of the box because the MPEG2 codec is something like $9 a PC.  Does everyone want to be forced to pay an extra $9 in their Windows XP license, making the retail cost $108 per copy instead of $99 per copy of WinXP Home Edition?  There’s an awful lot of people out there that have no intention of ever playing a DVD on their PC… so why make them pay for it?

2) Windows Vista will require the installation of a 3rd party HD-DVD decoder to playback HD-DVDs

WHY? I don’t know what the cost is for the H.264 codec (which will undoubtedly be larger than the $9 for the MPEG2 codec) but I can tell you that the cost of our upcoming XBox360 HD-DVD drive that we’re shipping will include the cost of the H.264 codec license (that we’re licensing from ATI)… only because we know that XBox360 owners that buy the HD-DVD drive will specifically want to play back HD-DVD movies.  This is not so with Windows Vista desktop PCs – a person with an HD-DVD drive may only use it for data archival/backup.  Either way, we’re providing a choice to the consumer by not forcing everyone to pay for the license.

Again, this is no different than today’s standard definition DVDs:  We require the installation of a standard definition DVD decoder from Sonic, Intervideo, nVidia, or Cyberlink in order to playback movies.  These are all pay-for products that cost about $15.

One important caveat is that since it’s a 3rd party ISV (software developer) that has to create & publish these HD-DVD codecs/decoders for Windows Vista (32-bit), its availability to consumers is dependent on companies like Sonic, Intervideo, Cyberlink, & nVidia – not Microsoft.  

In other words, go bug them – not us.  We’re not the ones that make the H.264 codec for HD-DVDs. 

Version 1.2 of the "Currently Hearing" plugin for Windows Live Writer released.   This is a plugin for Windows Live Writer that will detect what you are listening to in either Windows Media Player or iTunes.

http://www.jtsquared.net/currently has the download and the currently updated information.  Drop the .DLL into your plug ins directory of Windows Live Writer.

Posted by: kurtsh | August 25, 2006

NEWS: Windows Live Writer… getting critical acclaim!

Wow.  Ziff Davis said something nice about us.  That’s a miracle in and of itself, but they didn’t just say nice things about our recent Beta of "Windows Live Writer" (the free blogging tool for Windows Live Spaces, TypePad, Blogger, Community Server and other blogging systems)…

…they called it the first Windows Live "killer app".  It’s that good a tool.  I should know – I’ve been using it religiously for the last few months to post to this blog before it was released to beta.  See for yourself.

Writer is Microsoft’s first Live killer app
"Live Writer’s most powerful features are hidden under the surface — and some of its most compelling are those that its creators neither expect nor intend…"
http://blogs.zdnet.com/SAAS/?p=199

Alexander Gounares has one of the most interesting jobs in the world. For the past two years he’s been Bill Gates’ technical assistant. Now he’s corporate vice president of corporate strategy. In this, Scoble’s last interview for Channel 9 (you will see earlier interviews of Scoble’s in the near future, but this was his last one behind the camera for C9..), Scoble and Alexander talk about everything from why Alexander elevates his monitor with reams of paper to what working with Bill Gates was like.

http://66.129.67.102/ShowPost.aspx?PostID=212743#212743
