The Archives

Security, Technology
Need help: Removing old certificate revocation lists in Windows
July 9th, 2009 (8 months ago) by Jeff | Permalink | Dump Core
I have a bit of a quandary that’s got me effectively stuck on a task at my day job. Thus far, Google and every other resource I’ve searched have been little help. In the unlikely event somebody out there that reads this blog (or at least gets the update notices via RSS, Twitter, or the other various feeds) can help me, I’m going throw this out and hope it garners some feedback.

I’ll try to keep this as short as possible. Our production Web site, built in ASP.NET and C# and running in IIS on Windows Server 2003, recently added authentication via client certificates stored on users’ smart cards. We allow users to attach their smart card certificates to their existing account, then authenticate them by verifying their certificate, looking up the user account by that certificate’s fingerprint, and loading their profile. These certificates are signed by a trusted third-party certificate authority (CA) owned by the client and every morning we download the latest certificate revocation lists (CRLs) so we can reject certificates as they are revoked by the CA. My download process is working fine and dandy, so that’s not the problem; neither is the actual import process, as I know the command line options for Microsoft’s certutil command that will import the CRLs.

My problem stems from removing the old CRLs, which so far I haven’t been able to accomplish without going into the Microsoft Management Console and clicking through the GUI. We’ve had problems with the size of the certificate store, as the CRLs tend to be very large and we have to remove the old ones before the new ones can be imported. I’ve tried the few suggestions I’ve found online that haven’t seemed to work, such as a command-line switch for certutil that’s supposed to overwrite the old CRL with the new one (it just imports the new one and leaves the old one in place). We want to automate this process into a scheduled task, so it can run early in the morning when our users aren’t on the system and without human intervention.

Here are the tools available to me:
- As previously stated, certutil (part of Microsoft’s Certificate Services package);
- Windows PowerShell;
- Anything I can throw into a .NET assembly and build an executable out of (preferably C# code);
- Good old fashioned batch files.
I’ll tell you, I’m pretty frustrated and exhausted by this task. It’s not that I can’t do the research and figure it out for myself; I have done the research, and everything I’ve read applies to certificates and not CRLs, and they’re not exactly a direct swap in usage. I’d prefer not to provide much more detail than this for security reasons.

For the time being, I’ve been manually removing the old CRLs through MMC and then running a batch script to do the import every morning as my first task. That’s working fine for now, when I’m in the office every morning, but I’ll be taking some vacation time soon that will start to cause problems. I swear, if this was OpenSSL and Apache on Linux, I’d have this solved in a heartbeat (or at least an afternoon). If you have any suggestions, please feel to post a comment or shoot me a direct e-mail at the usual address.
Internet, Technology
set_bugs = 0;
February 10th, 2009 (1 year ago) by Jeff | Permalink | Dump Core

This week an couple errors were reported in the custom CMS application I built at work a couple years ago. I haven’t touched this code in at least a year, so it took me bit to swap some mental virtual memory and recall how everything worked. I’m not sure if these “bugs” were something new that had manifested themselves after a recent platform upgrade or design flaws that had been there since the beginning only to be recently noticed. None of that really matters for the sake of this post, however. Suffice it to say there were two problems, one of which was likely to be entirely my fault but relatively easy to fix with a little bit of C# hacking.

The other problem was a bit obscure. The application is built in ASP.NET 2.0 and written entirely in C#. It also makes use of Microsoft’s AJAX Toolkit for ASP.NET to “pretty up” some of the interface interactions. Unfortunately, one particular user began to experience problems with the system recently. Since she’s the project manager, needless to say the problem was escalated to top priority with little to no delay. To make things more difficult, the problem was especially cryptic. In true Microsoft fashion, the pop-up JavaScript error dialog offered little to no useful information:

Sys.WebForms.PageRequestManagerServerErrorException: An unknown error occurred while processing the request on the server. The status code returned from the server was: 500

Google, of course, is my friend and found no shortage of pages where this turned up. The odd thing was that none of the purported causes for the error were anything that I was using.

After much searching, I finally happened upon this site. It seems Ted Jardine hit the same problem I did. He had narrowed it down to something to do with the .NET session, which he wasn’t really using but I was using extensively. What I found most interesting was his solution:

So, based on one of the comments in one of the above posts, even though I’m not touching session on one of the problem pages, I tried a hack in one of the problem page’s Page_Load:

Session["FixAJAXSysBug"] = true;

And lo and behold, we’re good to go!

I followed the various links he provided—as well as Googling for “FixAJAXSysBug” itself—and found lots more anecdotal evidence to support its usefulness. I applied this “fix” to the common header of the application to make sure it took affect everywhere and, so far, all reports seem to indicate its success.

Needless to say, I was instantly reminded of this GPF strip from the crossover with Help Desk. I can’t remember now if that joke was my idea or Chris Wright’s. It doesn’t matter now, really… it audacity is as brilliant now as it was eight years ago. The idea of setting a simple Boolean flag to “turn off bugs” is something I will always find hilarious.

Now if only all Microsoft bugs were so easy to fix….
Personal, Software, Technology
Bill Gates now inhabits my dreams…
September 9th, 2008 (1 year, 6 months ago) by Jeff | Permalink | Dump Core

So I was listening to this week’s edition of TWiT, during which Leo Laporte and the usual band of miscreants psychoanalyze Microsoft’s new ad campaign featuring Bill Gates and Jerry Seinfeld. I had not seen the ad yet myself—apparently it debuted during an NFL opening game, and considering that I don’t watch professional sports and the overwhelming majority of my television watching now consists of shows containing magic backpacks and talking monkeys that wear red boots, it hadn’t come to my attention yet—so the discussion naturally raised my morbid curiosity. So I dug around a little on YouTube and found this. I must admit, it’s as surreal as I was led to believe. I won’t attempt to try and mine this thing for hidden meaning like Ryan Block did; the only comment I think I can really make about it is that it tells me absolutely nothing about Microsoft, Windows, or any other product they may have in the pipeline, and after watching it I am no more inclined to pick Microsoft options over the competition than I was before. I thought that was the point of advertising….

But that’s not the weirdest part. Last night, I dreamed about Bill Gates. Maybe it was exhaustion, maybe it was a prescription-drug fueled haze (I’m currently in the middle of my quarterly bout with bronchitis), but it was not something I was particularly expecting. There’s nothing really interesting to say about the dream, though. In what little I remember, Mr. Gates was there, tying his shoes. He wasn’t necessarily trying on new ones, nor was there any indication that the shoes were noticeably old. They were shiny, brown leather dress shoes, so they could have been either new or well maintained. Mr. Seinfeld was nowhere in sight. The setting was unclear; I can’t say that it was a shoe store, a men’s locker room, or any other recognizable setting. I know only that I was seated on a wooden bench which I believe was painted a dark green and that Bill Gates stood next to me, lifted one leg, and set the foot on the bench, then proceeded to tie his shoe laces. Then he left without saying a word and the dream moved on to wherever it went after that. I remember nothing else about the dream, and to my knowledge Mr. Gates appeared nowhere else within it.

I have no desire to do any research on what kind of Fruedian analysis can be drawn from watching a billionare-CEO-turned-philanthropist from one of the world’s largest and most reviled software companies tying his shoes next to me. I’d be afraid of what I’d find. So I’ll just say it was the prescription cough syrup working its magic and go back to talking to the pink elephant and the green roast beef sandwich on either side of me. It’s a conversation about world politics and an economy built entirely around edible golf balls will solve the world’s energy crisis. It’s very enlightening. Maybe, somehow, some way, we’ll figure out exactly what makes Windows “delicious” while we’re at it. Drug-enduced hysteria is about the only way I can think of in my current semi-lucid state to make an operating system taste delicious. It makes me begin to wonder, though… what would other OSes taste like? Would Mac OS be crunchy? Would Linux be spicy? Would my Treo’s PalmOS be light in calories? I certainly hope so… I am trying to lose weight….
Software, Technology
Vista first impressions
December 10th, 2007 (2 years, 3 months ago) by Jeff | Permalink | 7 Core Dumps

I had my first brush with Microsoft Windows Vista this weekend. Like most hard-core geeks who are skeptical of just about anything Microsoft, I’ve read all the hype and negative press and have thus avoided it like the plague. I recently bought a new tablet PC (which just arrived today, woohoo!) and made sure to “downgrade” it to Windows XP. But this weekend as I was performing a Good Samaritan deed I was inadvertently forced to directly interact with Microsoft’s latest and “greatest” OS. And while there’s probably nothing new in this post to anyone who’s used Vista already, I’m sad to report most of what I’d heard and feared are true.

First, a little background. This past week, my sister-in-law’s notebook died. Exactly what happened is still uncertain; we know for certain that the video subsystem is on the fritz, which likely means that something is up with the motherboard (since the video is on-board). The LCD occasionally looks like a black light lava lamp, if that makes any sense, although I was surprised to have it actually work off and on with any given reboot. Windows XP crashes on boot on the NVIDIA video driver, which might (or might not) be consistent with a video hardware problem. Throw into the mix the fact that the system spontaneously reboots or locks up after a indeterminable period of time, sometimes as long as several hours or as short as ten minutes. I pulled out ever trick and tool in my geek arsenal and haven’t been able to completely diagnose the problem, let alone fix it. So now the task has become one of data recovery, and with a creative combination of a Knoppix “live” CD, a USB flash drive, and a USB external hard drive this has gone off without much of a hitch.

Now we introduce the new machine. Like its predecessor, it’s an HP Pavilion “media center” notebook. I put “media center” in quotes because while the old machine actually ran Windows XP Media Center Edition, the new machine runs Vista Home Premium. Other than the OS, it’s obvious both machines are built for one thing: to be a portable home theater system. Both have massive widescreen LCDs, dual huge hard drives, several gigs of RAM, and the latest processors for their time. Needless to say, both machines are meant to be powerful multimedia workhorses and they have the muscle to prove it. Thus, there’s no reason to expect the new machine to be sluggish or slow.

And yet, it occasionally was. HP, like many manufacturers, loads its new machines with tons of useless garbage software. That said, I was surprised to see how little junk was really pre-installed on this thing. So the only thing I can think of that was really bogging it down was Vista itself. I can’t be 100% certain of this as I didn’t take the time to really investigate (most of my time was spent extracting data from the old machine), but there were plenty of times Vista seemed to drag and stutter, sometimes becoming unresponsive for a few seconds.

The culprit, I expect, is the new “Aero” interface. Sure, it looks pretty. I’ll give it that. Compared to XP’s default Crayola-inspired interface (which is one of the first settings I turn off on a new XP machine), it looks slick and modern. But it also seems bulky and bloated. The moment I turned it off and went back to the Windows 95-ish “classic” interface the machine become much more responsive and easier to use. While it was cute watching windows “pop” into existence (something that will probably smell suspiciously like copyright infringement to any Mac OS X user) and the translucent window borders are a nice aesthetic trick, the performance cost is pretty high and not really worth it.

Then there’s the security model. I’d like to applaud Microsoft for finally taking security seriously and making a concerted effort to be responsible with its market dominance by forcing users to be more secure. But boy howdy, is it a bear to work with. Apple has been running attack ads against Vista in their “PC vs. Mac” campaign where the nerdy PC character has to ask permission from a Secret Service inspired man-in-black for every single thing he does. I thought that was funny at the time, but I didn’t really realize how true it was. Having now been trained and used to doing things as an administrator in XP, it’s a real shock to be stopped at every other mouse click with a warning that what I’m about to do has serious security implications. It’s not just a pop-up box, either; the entire screen flashes, dimming everything else and forcing to acknowledge the pop-up before you can continue. Yes, I’m aware of the serious security implications; I’m stepping outside the box and doing advanced things outside what a normal user is likely to do. (For example, moving the contents of the old machine’s “Application Data” and “Local Settings” folders, normally hidden, to their new home.) But do you have to warn me every single blasted time? Really. What’s worse is that this extends beyond some of the obscure, funky guru work I’m currently doing. Simple configuration changes are challenged with the same severity as drastic, devastating, and potentially damaging attacks. Where 95/98 was blatantly promiscuous (or more properly naive) and XP (post SP2) was cautious, Vista is downright paranoid. I half expect it to call in the FBI and the National Guard every time I change my wireless SSID.

Maybe there’s someone out there who can help. If you have experience with Vista and you know how to turn these security pop-up off, just for my login, at least until I’m done doing arcane geek magic to finish restoring this machine, please let me know. I think I’d be done in a fraction of the time if I didn’t have to babysit these prompts all the time. Even if it’s a setting that lets me check a box that says “don’t show this again” so I only get it once per action will be a big help.

After all that complaining, let me mention one thing I did like about Vista: parental controls. As a parent who is faced with a future where my young son will be a few clicks away from all the porn and identity theft of the Internet, I’ve been looking hard at third-party (as well as home grown) filtering and monitoring solutions. Vista apparently has this built in. Unfortunately, I have no idea how effective it is. My guess is that workarounds to bypass it are now just a Google search away. But still, just like XP’s firewall is more of an afterthought than a real security measure, it’s got to be better than nothing, and it will probably be easier to train my non-tech-savvy sister-in-law in how to use it than to explain about proxies and packet filtering. Depending on how long this machine is in my possession, I might try to experiment and see just how effective these parental controls really are.

Again, nothing necessarily new here that you probably haven’t seen everywhere else, but I thought I’d share my experiences to anyone interested in listening. I’m leaning more and more toward ditching Microsoft completely and going with a completely FLOSS setup, and Vista is helping push me in that direction. Then again, I had huge reservations about XP when it came out, too, so who knows what the future will bring?