Isn’t “Secure String” an oxymoron for .Net? So if we are thinking about securing some sensitive data in say C or C++ its relatively simple load it into a char array memory and encrypt it, wiping the memory out after the information has been loaded.

Now try that with .Net! From the Microsoft site:

“A String is called immutable because its value cannot be modified once it has been created.“

So how can you destroy one? Set it to empty? Well simply put you can’t . Once your string is not longer referenced, or worse yet your object containing the string its time for the Garbage Collector to come and do its work. The problem is if your object has been around long enough to get into Generation 1 or 2 then it is going to take a bit longer.

Hmmm so in translation if you keep a password, Credit Card, encryption key or some other sensitive text in memory as a string you cant destroy it (think memset for us oldies!). Only the GC can free the memory for you, and you are dependent on HOW it frees that memory. I personally don’t know for a fact if it memsets it to blank, or just dereferences the pointer. However I would be willing to bet it is the option that requires the least amount of work and that doesn’t bode well for controlling the exposure of our sensitive data.

Plainly that proverbially sucks!

Enter the “SecureString” class, from the MS site it says:

“Represents text that should be kept confidential. The text is encrypted for privacy when being used, and deleted from computer memory when no longer needed.”

Wow doesn’t that just sound like the ticket we need! Secure, Encryption, delete from memory – how fantastic! Uh oh keep reading the remarks:

“Your application can render the instance immutable and prevent further modification by invoking the MakeReadOnly method.

…

Use appropriate members of the System.Runtime.InteropServices..::.Marshal class, such as the SecureStringToBSTR method, to manipulate the value of a SecureString object.”

BSTR – oh I feel the COM headache coming back!

Actually its really not that bad, but its definitely not a straight swap for a System.String. See some example code below:

using System;
using System.Text;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security;

namespace CSharpHacker.Utilities
{
   /// <summary>
   /// Demo helper class for <see cref="SecureString"/>
   /// </summary>
   public class SensitiveDataHelper
   {
      private SecureString sensitiveData;

      /// <summary>
      /// Gets or sets the sensitive data class from helper
      /// </summary>
      /// <value>The sensitive data container.</value>
      public SecureString SensitiveData
      {
         get { return sensitiveData; }
         set { sensitiveData = value; }
      }

      /// <summary>
      /// UNSECURE: Converts the secured sensitive data into an unsecured string.
      /// </summary>
      /// <remarks>
      /// This is a dangerous function that converts secured information into
      /// unsecured data.
      /// </remarks>
      /// <returns>String representing the secured data</returns>
      public string SensitiveDataToString()
      {
         IntPtr ptr = Marshal.SecureStringToGlobalAllocUnicode(this.sensitiveData);
         try
         {
             // Unsecure managed string
             return Marshal.PtrToStringUni(ptr);
         }
         finally
         {
             Marshal.ZeroFreeGlobalAllocUnicode(ptr);
         }
      }

      /// <summary>
      /// UNSECURE: Base64s encodes a SHA512 has of the sensitive data
      /// </summary>
      /// <returns>SHA512 hash value</returns>
      public string Base64SensitiveDataHash()
      {
         IntPtr bstr = Marshal.SecureStringToBSTR(sensitiveData);
         try
         {
            // Pretend simple hash function that returns a string - this is fake just for readability!!
            string output = Marshal.PtrToStringBSTR(bstr);

            Marshal.FreeBSTR(bstr);

            SHA512 sha = new SHA512Managed();
            byte[] result = sha.ComputeHash(Encoding.UTF8.GetBytes(output));
            return Convert.ToBase64String(result);
         }
         finally
         {
            Marshal.ZeroFreeBSTR(bstr);
         }
      }

      /// <summary>
      /// Loads the sensitive data into a <see cref="SecureString"/>
      /// </summary>
      /// <param name="sensitiveInformation">The sensitive information to protect.</param>
      public void LoadSensitiveData(char[] sensitiveInformation)
      {
         try
         {
            using (SecureString securePassword = new SecureString())
            {
               foreach (char c in sensitiveInformation)
               {
                  securePassword.AppendChar(c);
               }
               securePassword.MakeReadOnly();
               this.sensitiveData = securePassword.Copy();
            }
         }
         finally
         {
            // discard the char array
            Array.Clear(sensitiveInformation, 0, sensitiveInformation.Length);
         }
      }

      /// <summary>
      /// Loads the sensitive data into a <see cref="SecureString"/>
      /// </summary>
      /// <param name="sensitiveInformation">The sensitive information to protect.</param>
      public void LoadSensitiveData(string sensitiveInformation)
      {
         char[] sensitive = new char[sensitiveInformation.Length];
         sensitiveInformation.CopyTo(0, sensitive, 0, sensitive.Length);

         LoadSensitiveData(sensitive);
      }

      /// <summary>
      /// Loads the sensitive data into a <see cref="SecureString"/>
      /// </summary>
      /// <param name="sensitiveInformation">The sensitive information to protect.</param>
      public void LoadSensitiveData(StringBuilder sensitiveInformation)
      {
         char[] sensitive = new char[sensitiveInformation.Length];
         sensitiveInformation.CopyTo(0, sensitive, 0, sensitive.Length);

         LoadSensitiveData(sensitive);
      }

      /// <summary>
      /// Creates the secure string from string.
      /// </summary>
      /// <param name="unprotectedSensitiveInformation">The unprotected sensitive information.</param>
      /// <returns></returns>
      public static SecureString CreateSecureStringFromString(string unprotectedSensitiveInformation)
      {
         char[] unprotectedSensitive = unprotectedSensitiveInformation.ToCharArray();
         SecureString secureInformation = new SecureString();
         try
         {
            foreach (char c in unprotectedSensitive)
            {
               secureInformation.AppendChar(c);
            }
            secureInformation.MakeReadOnly();
            return secureInformation;
         }
         finally
         {
            // discard the char array
            Array.Clear(unprotectedSensitive, 0, unprotectedSensitive.Length);
         }
      }
   }
}

A word of caution to the above code:

• SensitiveDataToString – is considered insecure as it returns a string of the encrypted data. The same data we are trying to encrypt! However it is a commonly requested function, and so there is the implementation.
• Base64SensitiveDataHash – is considered insecure as it currently uses a temporary string (:-( ), at this time I don’t have a way to converts a BSTR into a an array without going through a string first. One way would be to process it prior to being made ReadOnly, or alternatively someone can write a comment how to convert a C# BSTR into a byte array!

So even with all those disclaimers running a program that takes input will still a ‘leak information’ for the System.String. Specifically the tricky area is how do you get them into you program in the first place? Read them from a database, WinForm user input, or a web page? Kinda tricky ! If you search the web there are implementations of  secure login controls that build it up character by character, but certainly something to think about.

So how Secure is “SecureString”? The answer is “it depends”, but reasonably secure and a heck of a lot better than System.String. A while ago there was a big storm about tools that can connect to the process and decrypt your SecureStrings. The best rebuttal to this I’ve seen can be read about in [SecureString Redux]. I definitely recommend reading this.

Now I have to say I’ve been meaning to write this for some time now! Hopefully this helped raise awareness of the string leakage risks in the .Net language and ways to help minimize the string information leak scenario.

Potential enhancements to the helper class would be:

• Make the Hashing really secure, and allow a “HashAlgorithm” to be passed in
• Allow external encryption
• Allow secure serialization of data (via the encryption)

Gareth

• [OWASP Code Review]
• [How To: Perform a Security Code Review for Managed Code]
• [Phase 1: Conduct a Security Design Review]
• [Security Code Reviews]

Note as other are suggested, or I find others I’ll update the list.

Once a fighters weakness has been exposed there is really nothing you can do to unhide that weakness. You could have the best fighter in the world one day, then the weakness is exposed… You are in trouble!

Security is very much the same. You can perform all the scans, probes, fuzzes, code reviews and feel confident (well as confident anyone does in the security world!) that you are pretty well covered. One revelation a day later can completely invalidate your expectations, and you have to completely start over. Sometimes it is a slow build up, other times it is the equivalent of a bomb.

Bottom line is once a weakness has been exposed you need to:

• See if it can be simply covered
  • Fighter can learn to defend against take downs (or not get hit in the head )
  • Algorithm can be enhanced to extend its life DES==>3DES
• Relegate
  • Fighter acts as the ‘gatekeeper’ to the higher competition levels
  • Algorithms security clearance has been lowered, it cant be used in the more secure areas. Examples of this are theoretical discoveries that are likely to result in the actual weakness discover some time later.
• Retire
  • Fighter retires, becomes a commentator!
  • Algorithm depreciated as it is shown to be fundamentally insecure, now studied in university to show the weakness that designers need to be aware of. Think WEP!

If the weakness is known it is natural the opponent will attempt to get a competitive advantage using it. The longer the weakness is known the more adept the opposition will be at exploiting it.  This is true for both MMA & security!

Companies running a SDL are the equivalent to the fighters stable. It is their job to recognize the weaknesses and manage the processes and algorithms so any weaknesses are covered or retired before they become a major problem.

Gareth

For starters I recommend reading the article [http://en.wikipedia.org/wiki/Password_strength]. This is a good article covering the relative strengths of passwords, and gives a guide for determining the strength of a random password and a human derived password.

The major problem with passwords are that humans need to remember them, or they write them down. In an interesting technology twist historically you only used to have to worry about your co-workers having access/abusing your password because there was implicit physical security in place – you could only log on if you were physically in the office.  As such at that time your biggest threat was your co-workers, unfortunately the secondary defense of physical location has effectively been removed with the internet and VPN technology.  So now your threat count has increased from the people you work with to the entire world! Add to this these people are financially motivated and can directly target you – its a whole lot scarier out there now!

So before jumping into the implementations we need to go through well known things to avoid to help improve password strength:

• Avoid sequences – keyboard or alphabet based (abcd, qwert, 1234, !@#$% etc)
• Avoid dictionary words, especially common ones! Be aware that common misspellings are also used in dictionary based attacks – so unless your misspelling is VERY unusual then you can expect it to be in a dictionary!
• Avoid leet/1337 password substitution of words (eg P@ssw0rd, M1cr0$0ft, 0\/\/n3d). Again these are now all in dictionaries, so while it may be harder to brute force – they are pretty trivial for a dictionary attack. Of course it doesnt hurt to be 1337, but it just really doesn’t help defend a targeted attack.
• Avoid team names, socials, license names etc.

Things to avoid to minimize compromise exposure:

• Use different passwords for different online accounts
• Avoid using information about you that can be readily be found on the web as a password reset scheme. DOB, where you were born, school name etc.
• If any account needs the most rigorous password control it is your email account. Nearly every online system ties back to an email account. If you need to reset a password, it normally goes to your email address. If that is compromised then that is really the opening of Pandora’s box.

Alright, lets start with the weakest ‘safe’ approach – Information entropy:

• This strength calculation only holds true for ‘random’ passwords. No human (at least that I know) can really generate a random password on their own. The best approach that I’m aware of is to start up notepad and get your two year old to start smacking your keyboard. Then take this text and randomly change case of characters and inserting special characters. Unfortunately this is still weak because we have 2 hands and the keyboard is naturally divided into where your hands go. This generation is not as randomly distributed as people would think – nor would I recommend it! But at least you have a starting point, but then you have to write it down!
• [0-9] – 10 possible symbols per character – 3.32 bits of base2 log entropy
• [a-z] – 26 possible symbols per character- 4.7 bits of base2 log entropy
• [A-Z] – 26 possible symbols per character- 4.7 bits of base2 log entropy
• [A-Z, 0-9] – 36 possible symbols per character- 5.17 bits of base2 log entropy
• [A-Z,a-z] – 52 possible symbols per character- 5.7 bits of base2 log entropy
• [A-Z, a-z, 0-9] – 62 possible symbols per character- 5.95 bits of base2 log entropy
• [A-Z, a-z, 0-9, Special] – 94 possible symbols per character – 6.55 bits of base2 log entropy

So we can see that having a strong password using completely random information will be hard to generate on our own, yet this approach is what is what is most commonly used to in web applications to determine password strength. This is not strong enough because humans are naturally not random. Using this theory the following non-random passwords generate results that imply the passwords are strong:

• 12345678901234567890 – 20*3.32 => 66.4 bits of entropy
• !!!!!!!!!!!!!!!!!!!! – 10 * 6.55 => 65.5 bits of entropy
• !@#$%^&*() – 10 & 6.55 => 65.5 bits of entropy
• qwertyuiop[]qwertyuiop[] = 24 * 6.55 => 157.2 bits of entropy.

The more astute among us will see the last two passwords were generated by running your finger across the a keyboard line of on a US keyboard. To enter the 24 characters password took under 3 seconds. So if anyone saw someone entering a password like this at work or in a library – its pretty easy to duplicate. Plainly you can see that with human users they are going to opt for the easiest way to remember and enter a password – this will never be random!

So to help avoid our users from becoming victims we have to try to take away the ‘easy’ passage from them. We have to assume the password is not going to be mathematically random – so we need to start from a different position. We have to ensure we remove the human weaknesses that other ‘black hats’ are looking to exploit.

So going back to the beginning of the article we are going to create an interface to define a ‘password policy’ that provides us a way to help enforce a stronger passwords – or  at least allows systems to setup a common language for handling passwords.

   /// <summary>
   /// Interface for defining a password policy
   /// </summary>
   /// <remarks>
   /// This security policy determines whether passwords
   /// meet pre-determined complexity requirements.
   ///
   /// If this policy is enabled, passwords must meet the
   /// following minimum requirements:
   ///
   /// Not contain the user's account name or parts of the
   /// user's full name that exceed four consecutive
   /// characters.
   /// Be at least <see cref="MinimumPasswordLength"/>
   /// characters in length
   /// Contain characters from three of the following
   /// four categories:
   /// English uppercase characters (A through Z)
   /// English lowercase characters (a through z)
   /// Base 10 digits (0 through 9)
   /// Non-alphabetic characters (for example, !, $, #, %)
   ///
   /// Complexity requirements are enforced when passwords
   /// are changed or created.
   /// </remarks>
   public interface IPasswordPolicy : IPolicy
   {
      /// <summary>
      /// Indicates the minimum password strength index for
      /// this policy (see PasswordStrengthIndex)
      /// </summary>
      /// <remarks>
      /// This value is based of a calculation of
      /// information entropy after sequences
      /// and dictionary words have been
      /// removed.
      /// </remarks>
      /// <value>
      /// The minimum index of the password strength.
      /// </value>
      PasswordStrengthIndex MinimumPasswordStrengthIndex
      {
         get;
         set;
      }

      /// <summary>
      /// Gets or sets the minimum length of the password.
      /// </summary>
      /// <value>The minimum length of the password.</value>
      int MinimumPasswordLength
      {
         get;
         set;
      }

      /// <summary>
      /// Gets or sets the maximum length of the password.
      /// </summary>
      /// <value>The maximum length of the password.</value>
      int MaximumPasswordLength
      {
         get;
         set;
      }

      /// <summary>
      /// If policy requires mixed case
      /// </summary>
      /// <value>true if policy needs mixed case</value>
      bool RequireMixedCase
      {
         get;
         set;
      }

      /// <summary>
      /// If policy needs digits
      /// </summary>
      /// <value>true if policy needs digits.</value>
      bool RequireDigits
      {
         get;
         set;
      }

      /// <summary>
      /// If policy needs special characters
      /// </summary>
      /// <value>
      /// true if require special characters are needed
      /// </value>
      bool RequireSpecialCharacters
      {
         get;
         set;
      }

      /// <summary>
      /// Indicates if the username needs to be additionally
      /// supplied to verify the password complexity against
      /// </summary>
      /// <value>
      /// true require username to check password against
      /// </value>
      bool RequireUsernameToCheckPasswordAgainst
      {
         get;
         set;
      }

      /// <summary>
      /// Gets or sets the maximum count of characters
      /// in a sequence
      /// </summary>
      /// <value>The maximum count of characters
      /// in a sequence.</value>
      int MaximumCharacterSequenceCount
      {
         get;
         set;
      }

      /// <summary>
      /// The duration of the lockout in minutes.
      /// </summary>
      /// <remarks>
      /// This security setting determines the number of
      /// minutes a locked-out account remains locked
      /// out before automatically becoming unlocked.
      /// The available range is from 0 minutes through
      /// 99,999 minutes.
      /// If you set the account lockout duration to less
      /// than zero, the account will be locked out until an
      /// administrator explicitly unlocks it. If an account
      /// lockout threshold is defined, the account lockout
      /// duration must be greater than or equal to
      /// the reset time.
      /// </remarks>
      /// <value>The duration of the lockout.</value>
      int LockoutDuration
      {
         get;
         set;
      }

      /// <summary>
      /// Gets or sets the lockout threshold.
      /// </summary>
      /// <remarks>
      /// This security setting determines the number of
      /// failed logon attempts that causes a user
      /// account to be locked out. A locked-out
      /// account cannot be used until it is reset
      /// by an administrator or until the
      /// lockout duration for the account has expired. You
      /// can set a value between 0 and 999 failed
      /// logon attempts. If you set the value to 0,
      /// the account will never be locked out.
      /// </remarks>
      /// <value>The lockout threshold.</value>
      int LockoutThreshold
      {
         get;
         set;
      }

      /// <summary>
      /// Reset account lockout after X minutes
      /// </summary>
      /// <remarks>
      /// This security setting determines the number of
      /// minutes that must elapse after a failed logon
      /// attempt before the failed logon attempt
      /// counter is reset to 0 bad logon attempts.
      /// The available range is 1 minute to
      /// 99,999 minutes.
      /// </remarks>
      /// <value>The duration of the lockout.</value>
      int LockoutResetInMinutes
      {
         get;
         set;
      }
   }

You can see this password policy template extends the initial outline to not only provide guidance for the number of entropy bits, but allows for the policy to cover the lock out strategy in the case of incorrect password handling and password expiry approaches. If you look at the source code you will also see the options that are available, but for the sake of this article we are trying to keep on point

So on to the actual strength testing, this oddly is rather simple at the end of the day. We are going to use an Interface definition (IPassword) for the Password processor (makes testing & mocking easier) so we can actually have multiple implementations (think MEF!).  Now the actual implementation.

1. Check for sequences using various lookup tables to determine if any sequences exist. If a sequence length is detected, and is longer than allowed the password fails the policy. The tables include:
   • Alphabetic + numeric sequence
   • QWERTY US Keyboard
   • QWERTY UK Keyboard
   • AZERTY Keyboard
2. Perform simple DecodeEliteEncoding then perform a simple hardcoded dictionary match of well known super common passwords
3. If supplied (and if required) compare password elements to the user name

The end implementation is still fairly simple and it would be fairly easy to improve on this implementation.  The most obvious ones are to support a custom dictionary and add more custom keyboard sequences. Other extensions would be to store the passwords and become a real password token service. We can leave it up to the reader to provide an implementation of IPassword to call the Google password rating service rather than the above implementation:

https://www.google.com/accounts/RatePassword?Passwd=csharphacker

All good stuff! I hope this helps (and the source code) people provide a better approach to helping strengthen passwords.

[Download source code here]

The linked source code is liable to change over time so check back often. The source code uses the Microsoft testing framework and currently has 100% code coverage! Although I don’t think 100% is all that people think it is.

Finally the goal is to make everything a more secure place – and in reality the best approach is to use a strong memorable password in conjunction with a hardware token that changes every minute.

As always feedback is welcome!

Gareth

• VMware announces VMware vCloud Express, goes head to head with Amazon EC2
  • VMware today announced vCloud Express, a new class of service that will deliver on-demand, pay-as-you-go computing power as a service, much like Amazon Web Services’ Elastic Compute Cloud (EC2).
• A PCI-Compliant Cloud? Not at Amazon
  • Very interesting debate and conclusion regarding Amazon EC2 & PCI. Worth a read!
• Azure Reference Architecture Explored with Project Riviera
  • If you’ve been wanting to see how a multi-tenant architecture works with Windows Azure Platform, you’ll want to see Project Riviera. The project has been released on MSDN and includes source code. Interestingly the sample application is a loyalty application!
• Cloud Cartography & Side Channel Attacks
  • This is obviously dependent on the availability of a weakness in the hypervisor, but definitely an interesting concept none the less.

Security

• Microsoft Internet Information Server (IIS) FTP Server Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code
  • Any one running IIS 5, 5.1, or 6 and FTP – watch out!
• New version of WiKID authentication server
  • WiKID Systems announced version 3.4 of the WiKID Strong Authentication Server in Enterprise and Community Editions. New features include built-in support for the SAML Single Sign-On Service for Google Apps, a new self-registration process for Active Directory users and extended vendor-specific RADIUS attributes.
  • Pretty interesting stuff, not seen this before.

Hopefully my writers block has been solved and I’ll get back to writing some code

Gareth

Banned Crypto and the SDL – Read it , outlined some bullets below:

• Dont use MD4, MD5 and SHA-1, you should use SHA-256, SHA-384 or SHA-512
• Dont use DES, 3DES, you should use AES (in CBC mode)
• Dont use RC4, use RSA and Elliptical Curve.
• Only use the following random generators:
  • CryptGenRandom (Win32)
  • BCryptGenRandom (Win32)
  • System.Security.Cryptography.RNGCryptoServiceProvider (.Net)

Gareth

• AWS Start-Up Challenge For 2009 – Amazon has kicked off the third annual AWS Start-Up Challenge now.
  • Start-ups in the United States, the United Kingdom, Germany, and Israel are encouraged to apply for a chance to win $50,000 in cash, $50,000 in AWS credits, mentoring sessions from AWS technical experts, and AWS Premium Support Gold for one year.
• How to use a CTE in a view. If you dont know what a CTE is check it out here, definitely check out its recursive capabilities here.
• Microsoft Research “Gazelle” fires experimental salvo at Google.
• PCI DSS Legitimizes Conflicts of Interest
• Geneva identity grows up with rebranding roll on Active Directory Federation Services (ADFS), Windows Identity Foundation & Windows CardSpace.
• Managed Extensibility Framework (MEF) Preview 6: V1 Feature Complete Silverlight Support and Much More!
  • Not only is this the feature complete build for MEF V1.0 (which will ship with .NET Framework 4) but it also has the first drop of MEF for Silverlight!
• Google releases remote screen viewer NeatX.
  • “The good old X Window system can be used over the network, but it has issues with network latency and bandwidth. Neatx remedies some of these issues,” Google engineers wrote on the company’s open source blog.

Interestingly for me also is that while this concept applies to both Microsoft .Net runtimes and Mono they do behave differently, well they have different GC collection algorithms at any rate and there are implications for that. I may cover that as a separate topic in a later blog as well (more Blog promises… everyone tells me not to do that )

Gareth

• Amazon Adds CloudWatch Monitoring, Other Services
• Amazon to ‘Open Source’ their cloud API’s
  • This will be a very telling move if it gains acceptance. It will open up the way for a number of people to standardize to, but I am more than a little skeptical
• Credit Card Council Looks Into Cloud Security
  • You knew it had to be coming – and now it has!
• Bulk Loading/Export from Clouds
  • This shows how the systems are starting to mature. It has always been a fear how to get large data sets to and from cloud systems. Specifically I imagine there will be data analysis cloud applications that may end up processing terabytes (or more) of data. Getting that information there was a problem until now.
• Cloud Electronic Socket for $100
  • This is key, this moves backup from significant chunky machines (PC’s) to a small appliance no larger than an electrical adapter. Very nice, and I hope successful.
  • Socket appliance backs up to cloud storage
• Tibco enters the cloud space using Silver on Amazon
• Microsoft and Sun talk interoperability

The SDL blog http://blogs.msdn.com/sdl/archive/2009/05/28/a-note-on-the-recent-sdl-4-1-process-release.aspx highlighted this fact, and is really what pointed me to get the latest documentation. Below is an excerpt of the changes in the documentation:

Changes in This Version
Corrected typographical errors and added guidance regarding SDL security requirements and security recommendations. Additional requirements and recommendations for line-of-business (LOB) applications have been added.

• Phase Two: Design
  • Three new security requirements
• Phase Three: Implementation
  • Ten new security requirements
  • Twelve new security recommendations
• Phase Four: Verification
  • Four new security requirements
  • Two new security recommendations
• Phase Five: Release
  • One new security requirement
• Security Development Lifecycle for Line-of-Business Applications

So for those out there definitely check out the SDL blog and if you are following SDL make sure you get the latest revision of the documentation. Next time I’ll make sure I that dont miss the crown jewels!

Gareth

A pair of security researchers have ‘re-discovered’ a way to hack Vista (and presumably Windows 7)
http://www.blackhat.com/presentations/bh-europe-07/Kumar/Presentation/bh-eu-07-kumar-apr19.pdf
. They have released the concept prior to the Windows 7 launch to goad Microsoft into making some fixes.

I have to say this one definitely made me smile as Int13 was always my favorite interrupt, but I suspect most modern programmers don’t even know what it does – and even worst don’t know the Ralf Brown list (last updated last updated 29-Dec-02, which is way newer than I would have thought!).

Any way for us folks that know Int13 I suspect this ‘approach’ will make you smile – but it is definitely a blast from the past.

Gareth

So being the cheapskate that I am, I had already tried Dans Guardian a year or two ago in conjunction with IPCop. This worked reasonably well but caused me to have another PC warming up my Floridian office – which as most know we are not short of heat here in Florida!

So given I didn’t want to add another device I had a look around the net for other host based offerings, rather than network based. For the difference have a look at the Wikipedia Intrusion Prevention system page and search for ‘host based’ and ‘network’. These concepts also apply to the internet monitoring software as well.

So the first attempt was Microsoft Live Family Safety, since I couldn’t find much detailed information on this I had to just try it to see how effective it actually was. The install was smooth enough, but the downsides for me were:

• Each child/person needed a live ID to alter the allowed profiles
• It didn’t fare very well at all on YouTube (aka failed miserably).
• Very limited configuration options

The big immediate one was that it really only appeared to restrict sites rather than content, obviously an easier thing to implement but not that helpful when dealing with YouTube. So in its favor it was free, but the fact we had to create live id’s for the kids, and it really failed on the YouTube test we had to test the uninstall feature. Which it did very well!

So on to the next one, NetNanny. This one had good reviews on the net, so it seemed the next choice. In addition it had a trial version to allow us to check how effective it was before committing money. Well technically I wouldn’t commit money without knowing how effective it was, it would have just been scrubbed off the list – unless it was personally recommended to me.

So the trial was easy enough, supply a email address and get started. From the get-go it seemed nice and polished, and it successfully blocked the problematic YouTube. The features that it offered were significantly more configurable than the free Microsoft offering. Significantly these were:

• Name a child in configuration, without the need for a live ID
• Link Names to Windows logins (nice and handy for fast user switching)
• Name a child in configuration, without the need for a live ID
• Blocks by content, so passed the YouTube address.
• Extensive configuration options

So it passed all the immediate needs, in addition (which to be fair I think the MS one also allows for) was email notifications of alert behaviors. So if any blocking was performed I would get the email. So after trying a couple of test scenarios it really seemed to block what we needed to be blocked, without blanket cutting out YouTube – which is really a sledge hammer approach.

So now the programmer side in me was interested. Normally I only buy software that I consider to be valuable, and my valuable that means I couldn’t trivially write it my self (or there wasn’t an equivalent Open Source version). This software is definitely valuable – and there is a lot of potential in the software. For the programmers out there, it should be noted the software is subscription rather than buy and forget – but that actually seems a sensible model to follow for this type of software (similar to AV).

So while it was installed on the computers we didnt warn the kids… 9:30 the following morning we got the question “So have you got software on the PC to block sites?”. The email chain in my inbox showed exactly what was blocked and why, and again it did the job! In addition it even seems to lock in at a nice low level even blocking all network access until the user is signed in, so no sneaking stuff in and to be honest the NetNanny team have gone about nearly everything I would have attempted to do my self anyway – so the Buy vs Build in this case for me was a no-brainer. Firstly it did what the box said, secondarily it wasn’t excessively expensive – in fact it was pretty darn reasonable given the capabilities of the software. My congratulations to the NetNanny team. There are no doubt other software solutions/options out there and people are free to comment on their recommendations. However to be clear I dont want to be perceived as disrespecting any OSS solutions as I have the greatest respect for them. However in my case the key benefit was the fact it was a host based system rather than a remote firewall with content filtering, and most OSS solutions are device/Linux based rather than host. NetNanny did the job for a good no-nonsense price, and I can be fairly assured that they will succeed as a company as they have a excellent product offering.

So congratulations and thanks to all those out there helping parents protect the younger ones.

Gareth

Hopefully this helps anyone looking for help performing some semi-automated test.

Gareth