Grey Panthers Savannah (https://grey-panther.net) – posts tagged “microsoft”

The leaked Microsoft COFEE product
https://grey-panther.net/2009/11/the-leaked-microsoft-cofee-product.html – Mon, 09 Nov 2009

So, the Microsoft COFEE (Computer Online Forensic Evidence Extractor) tool was leaked. I took a quick look at it, and – as expected – there is nothing “magical”, “secret” or “backdoorish” about it (even though I love the picture which comes with the Gizmodo article, the text itself is complete and utter BS – COFEE isn’t a tool “that helps law enforcement grab data from password protected or encrypted sources” as the article claims).

So what is Microsoft COFEE?

  • it is a collection of information-gathering tools which are either built into Windows (e.g. net, arp, ipconfig) or can be freely downloaded from the Microsoft website (e.g. pslist)
  • it contains simple case-management software which helps users prepare the USB stick that needs to be inserted into the target computer, and manage the collected information
  • the software on the USB stick is executed either through the autorun mechanism or by launching it manually. There is no built-in functionality to bypass passwords or other protection mechanisms
  • it also contains a detailed analysis of the registry / filesystem fingerprint of each tool (this is important if the other party argues that running the tool caused modifications on the system which are pertinent to the case)
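The footprint analysis in the last bullet is something you can reproduce for any live-response tool: snapshot the areas a user-mode tool typically touches, run the tool, and diff. The script below is an added example, not something shipped with COFEE; the tool path, the snapshotted folders and the registry subtrees are assumptions to adjust for your own kit.

```powershell
# Added example (not part of COFEE): record the filesystem/registry footprint of a
# live-response tool so the changes it causes can be documented for the case file.
# Assumptions: the tool runs from a removable drive (E: here, hypothetical path) and
# the roots below are the areas user-mode tools most often touch; extend as needed.
param(
    [string]$Tool = 'E:\tools\pslist.exe',
    [string[]]$FsRoots = @("$env:SystemRoot\Prefetch", "$env:TEMP"),
    [string[]]$RegRoots = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist',
                            'HKLM:\SYSTEM\CurrentControlSet\Services')
)

function Get-FsSnapshot([string[]]$Roots) {
    # Path -> "lastWriteTicks|size": enough to spot new, modified and removed files
    $snap = @{}
    foreach ($r in $Roots) {
        Get-ChildItem -Path $r -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $snap[$_.FullName] = '{0}|{1}' -f $_.LastWriteTimeUtc.Ticks, $_.Length }
    }
    return $snap
}

function Get-RegSnapshot([string[]]$Roots) {
    # "Key\ValueName" -> value rendered as a string (byte arrays are joined)
    $snap = @{}
    foreach ($r in $Roots) {
        Get-ChildItem -Path $r -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $snap["$($key.Name)\$name"] = ($key.GetValue($name) -join ',')
            }
        }
    }
    return $snap
}

function Compare-Snapshot($Before, $After) {
    $changes = @(foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k))    { [pscustomobject]@{ Change = 'added';    Item = $k } }
        elseif ($Before[$k] -ne $After[$k])  { [pscustomobject]@{ Change = 'modified'; Item = $k } }
    })
    $changes += @(foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k))     { [pscustomobject]@{ Change = 'removed';  Item = $k } }
    })
    return $changes
}

$fsBefore  = Get-FsSnapshot  $FsRoots
$regBefore = Get-RegSnapshot $RegRoots
$started   = Get-Date

# Run the tool; its output goes into a timestamped file next to it on the removable drive
$outFile = Join-Path (Split-Path $Tool) ('{0}-{1:yyyyMMddHHmmss}.txt' -f (Split-Path $Tool -Leaf), $started)
& $Tool 2>&1 | Out-File -FilePath $outFile -Encoding utf8

$fsAfter  = Get-FsSnapshot  $FsRoots
$regAfter = Get-RegSnapshot $RegRoots

# The footprint is everything that differs between the two snapshots
$footprint = @(Compare-Snapshot $fsBefore $fsAfter) + @(Compare-Snapshot $regBefore $regAfter)
$footprint | Format-Table -AutoSize
$footprint | Export-Csv -Path ($outFile -replace '\.txt$', '-footprint.csv') -NoTypeInformation
```

The diff only covers what the snapshot roots include; a user-mode snapshot cannot see what a kernel-mode rootkit hides, which is the limitation the update below points out.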

Conclusion: there is no magical pixie dust here, move along! (In fact, it is quite similar to the winenum Metasploit script.)

PS/Update: regarding the “defense” against these tools: first of all, they all seem to be user-mode tools. This means that they probably have limited capability of detecting kernel-mode rootkits. Also – from what I’ve seen – they are all public tools, so there is a good chance that malware exists out there which “defends” itself against this software. Again, no magic.

Now before you conclude that this is utterly useless – if I were an IT forensicator :-p, I would prefer having this data to having no data at all. It will give you some basic idea of the system (or of the network, if run on every PC), which may enable you to come back with a very precise target in mind.

Picture taken from raddaqii’s photostream with permission.

One more thing…
https://grey-panther.net/2009/10/one-more-thing.html – Wed, 07 Oct 2009

So, since I started ranting about Microsoft, here is one more thing: you should never ever use Microsoft servers if you want to scale. The reason is simple: currently the best scaling method is horizontal (i.e. buy loads of cheap hardware and distribute the load between the machines). Using Microsoft server software would mean that for each server you would need to buy at least one license (or more, as in the case of MS Windows + MS SQL Server). This can easily cost you almost as much as (if not more than) the hardware itself.

As far as I’m aware, only Microsoft and hosting providers (which recoup the cost from their clients) are running MS servers in large numbers. This is supported by a quick check of the top ~5000 sites (as defined by Alexa) – less than 16% of them run IIS. To paraphrase Eminem:

Be smart, don’t be a retard! You take advice from someone who runs their front-end webserver tier on VMs, even though it makes no sense from a technology standpoint to do so?

PS. Yeah, there is the BizSpark program from MS for startups – but we have yet to see the first large-scale success emerge from it (BTW, one of my favorite sites – StackOverflow – runs Windows Server through the BizSpark program – and even they now use a Linux VM!).

Picture taken from mark sebastian’s photostream with permission.

My opinion about Microsoft, software piracy and everything
https://grey-panther.net/2009/10/my-opinion-about-microsoft-software-piracy-and-everything.html – Mon, 05 Oct 2009

This post is a response to a blog post on tudor g’s blog about software piracy issues in Romania, and as such it might not be of interest to you, dear international reader. If this is the case, feel free to skip this post.

Disclaimer: arguments are very emotional things. As much as we would like to think that they consist of logical statements and counter-statements, with the “best” arguments winning, in real life the acceptance or rejection of a given argument very much depends on the frame of reference of the individual. With this in mind, I believe that Tudor and I have very different frames of reference (him being a Microsoft employee and me being an open-source enthusiast), and as such I’m quite sure that nothing written by me here will change his mind (and conversely, nothing written by him will change my mind). Still, I think that this is a useful exercise to get things off my chest and to document arguments for more open-minded people 🙂

  1. His first argument is that installing and using pirated software is harder than legitimate software because of mechanisms like WGA – I don’t think that this argument holds water, since most people (the “average user”) can’t install an OS, regardless of whether it is pirated or legitimate. Just ask yourself the following question: how many of the non-technical people you know installed the OS on their computer themselves? I would bet you that the number is very, very close to 0.

    If the OS is installed by the “neighbor kid from the 2nd floor”, then this argument doesn’t hold. Even more, many geeks pride themselves on being able to perform complicated tasks, like disabling WGA, and as such, for them the existence of protection elements is a positive thing (a challenge to be solved).

    Finally, the inverse of the argument (that legitimate MS software is easier to use than pirated one) isn’t true either in my experience. I had numerous occasions where (completely legitimate, bought with the computer OEM) Windows failed to validate, a (again, completely legit, boxed version) Win 2k3 SBS suddenly refused to work because it needed to be a DC (and it told me after 3 months!), the Windows 7 beta deactivated itself periodically, VM’s deactivated themselves after moving from one machine to the other for purely technical reasons (even though the one-machine / one-owner / one-copy rule was always observed), etc.

  2. The second argument is that there is no peer pressure to pirate in Romania (that not “everybody is doing it”) – I would suggest he visit any campus in Romania and check out the (pirated) software which can be found on the network. And not only software, but music, movies, books, etc. Or go to repair shops and ask for MS Windows / MS Office to be preinstalled on the computer – the answer will almost always be positive. Even more, the next generation feels entitled to these freebies (and it isn’t something specific to Romania either, thanks to the abundance of the freemium business model on the Internet).

    In the long term (IMHO) fewer and fewer people will be willing to pay for things which they perceive as basic needs. The only options for old-style software companies (like Microsoft) are to include more and more technical measures to try to prevent this (even though the current measures already make MS Windows annoying to use) or to raise the level of punishment associated with piracy (which shouldn’t be possible in democratic countries because of public backlash).

  3. Piracy doesn’t help software companies by making their products better known – if this were true, why do you think that there are associations in people’s minds like Microsoft – Windows, Office – Microsoft, image editing – Photoshop, CD burning – Nero and so on? Most people use whatever is already installed on the computer to accomplish their jobs. This is why OEMs get big bucks from software companies to preinstall their products.

    I don’t buy the “starving programmer” argument either. The cost of copying software is minuscule. Which means that over 80% (this is of course a number pulled out of my rear, but I’m quite sure that the real number is somewhere in the ballpark) of each sale is pure profit. Which means that (a) a freemium-type model can easily be sustained and (b) even a few sales mean that the company makes a nice profit, and excessive focus on this part (i.e. “we are losing X billion USD to piracy” – which BTW is not true for at least two reasons – first because the method to determine the number of pirated copies is questionable and second, because it assumes that every person who “pirates” would buy the product if s/he didn’t have access to the pirated version) is pure greed – which, let us remember, is one of the seven deadly sins.

    Also, as a programmer, you don’t have to write commodity software. Let me tell you, there is very good money to be made from writing custom software for a small number of clients.

    A final point I would like to make regarding the relation of piracy to innovation: remember that all three “big” powers (USA, Russia and China) started out (and some still are) by rejecting patents to bootstrap their industry. Something worth thinking about…

  4. That people buy because somehow they are convinced that it is “the right thing”, not because of fear – I’m not seeing it. At least at the individual level I don’t know anybody who bought a single Microsoft product (including myself, I’m living off my MSDN AA licenses). At a company level the motivation (arguably) is mostly fear. They buy licenses for the same reason they pay taxes. Also (as I’ve already said at point 2), the willingness of people will only go down, not up.

  5. Software is not overpriced, especially when considering the income level of Romanians – this is IMHO the best example of the “pink sunglasses” Tudor is wearing and how his frame of reference distorts his perception. The average (net) income per month in Romania for 2008 was somewhere around 400 USD (this would mean 4800 USD per year for those of you who use this frame of reference). Given this figure, is it reasonable to expect that people give more than half of their monthly income (or even all of it, if we consider that a computer would need MS Windows + MS Office + AV) for software? May I venture a guess that (a) Tudor has at least five times the average net income and (b) he has free access to all of Microsoft’s software, and as such, he might not see the real situation? My challenge to Tudor would be: how much of the software he has right now on his personal machine did he pay for?

My conclusion is that software piracy is here to stay. Especially in poorer countries like ours. To give Microsoft its due: they do make really excellent software (not that they don’t make mistakes, like Vista – which is abysmal – I’m speaking from first-hand experience, having played with it on two “Vista certified” laptops and in VMs). Even so, their expectation is unrealistic at a minimum and even unethical. Also, as a developer, if you develop using a technology (OS, libraries, components, etc.) for which you don’t have the source code, you will hit “undebuggable” issues sooner or later.

PS. Vista is the new ME – just worse:

Update: fixed some typos and errors in expression – thank you to my dear readers.

Removing features is the best defense
https://grey-panther.net/2009/05/removing-features-is-the-best-defense.html – Mon, 11 May 2009

When I read the news that Microsoft is disabling Autorun for removable media other than CD/DVD in Windows 7 (and maybe HD-DVD/Blu-ray) I said: cool! This will slow down the spread of malware using this feature (over a very long timeframe of course, because Windows 7 isn’t even final yet – and far away from wide adoption).

Then again the evil voices in my head 😉 said: ok, maybe they eliminated the automatic way, but I should be able to find a one-click method which makes social engineering malware easy to deploy. My line of thinking was: make something run when the “Open folder” AutoPlay option is selected using the desktop.ini (also, the MSDN link) file. After toying around and not having too much success I came upon a KB article from MS which states:

To help prevent potentially unsafe content from running when you open a folder on your local computer or on your local area network, by default, Windows XP SP1, Windows Server 2003, Windows Vista, and Windows Server 2008 do not support HTML for Web view in Windows Explorer.

What can I say? Very cool. This again demonstrates the value of the agile practice “just add the features the customer is asking for, nothing more”. So, no cookie for me this time :-).
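For machines that predate the Windows 7 default, the same effect comes from the NoDriveTypeAutoRun Explorer policy, which is a bit mask of the drive types on which Autorun is suppressed. The script below is an added example, not from the post; it assumes an elevated session and uses the Win32 drive-type bit values for the mask.

```powershell
# Added example (not from the post): audit and enforce the Autorun policy on
# Windows versions older than 7. NoDriveTypeAutoRun is a bit mask; a set bit
# means "no Autorun for this drive type".
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Bit values follow the Win32 DRIVE_* drive-type constants
$DriveTypeBits = @{
    Unknown   = 0x01
    NoRootDir = 0x02
    Removable = 0x04   # USB sticks: the case discussed in the post
    Fixed     = 0x08
    Remote    = 0x10
    CDRom     = 0x20
    RamDisk   = 0x40
    Reserved  = 0x80
}

function Get-AutorunPolicy {
    # Returns the current mask and the drive types on which Autorun is still allowed.
    $item = Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    # No policy value means Windows falls back to its built-in default, which on
    # XP/Vista does not cover removable drives; report it as "nothing suppressed".
    $mask = if ($item) { [int]$item.NoDriveTypeAutoRun } else { 0 }
    $allowed = foreach ($t in ($DriveTypeBits.Keys | Sort-Object { $DriveTypeBits[$_] })) {
        if (($mask -band $DriveTypeBits[$t]) -eq 0) { $t }
    }
    [pscustomobject]@{
        Mask                  = ('0x{0:X2}' -f $mask)
        AutorunStillAllowedOn = @($allowed)
    }
}

function Set-AutorunPolicy {
    # Suppress Autorun on the given drive types. The default list leaves only CD/DVD
    # drives untouched, mirroring the Windows 7 behaviour described in the post.
    param([string[]]$Suppress = @('Unknown','NoRootDir','Removable','Fixed','Remote','RamDisk','Reserved'))
    $mask = 0
    foreach ($t in $Suppress) { $mask = $mask -bor $DriveTypeBits[$t] }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value $mask -Type DWord
    Get-AutorunPolicy
}

Get-AutorunPolicy   # weak state: typically shows Removable (and Fixed) still allowed
Set-AutorunPolicy   # hardened state: only CDRom remains
```

A mask of 0xFF suppresses Autorun everywhere, including CD/DVD, if you want to go further than the Windows 7 default.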

Picture taken from drumecho’s photostream with permission.

Spot the flaws in the Windows 7 UI
https://grey-panther.net/2009/02/spot-the-flaws-in-the-windows-7-ui.html – Thu, 19 Feb 2009

I’ve been playing around with the Windows 7 beta for a couple of days now, and it feels painful! Regardless of what Leo Laporte says, it is very much a beta. And even the recent beta releases of Ubuntu are better than this. Below you can see a screenshot in which I tried to exemplify as many bugs as possible:

Now here is my buglist (including things that are not visible from the picture):

  • The initial “one icon to represent everything” (running programs and programs which might be run) was confusing to me, so I tried to revert to a more classic method – however, as you can see from the picture, it is still very confusing: it seems to try to respect the original order of the icons, sticking IE and Explorer to the left and Media Player (which is not started) in the middle. The uneven spacing is very confusing.
  • Also, the new design manages to actually show less info at once and overflows very quickly.
  • For applications which have a single window, the popup that should help you select between the windows is blank (you can see the dark-gray rectangle in the screenshot – it was generated by hovering over the Metasploit button)
  • Hiding the notification area has two issues: first, it makes it harder to access icons which you do want to keep an eye on. Second, it will almost certainly be “hacked” by application vendors to make their icon always visible (this can currently be achieved by going to the “Customize…” option, so you can do the same programmatically), thus negating any benefit.
  • Explorer doesn’t have a “one level up” button any more, just a back button. Given that most of the windows are based on Explorer, or at least use the same metaphor, this is very annoying. For example, when configuring IIS, there is a discrepancy between the folders you see on the left (and the “address” shown) and your actual position. To put it another way: there are situations where there is no way to go “one step back”.
  • IE8 beta offers to download IE8 RC1, but on the page it takes me to there is no link for Windows 7!
  • After searching for something from the search box and clicking on a link from the result page, the search box is filled with the URL!

I have a theory (based on personal observations) about Microsoft shooting themselves in the foot (even though I’m not saying that it is a bad thing) with the recent UI changes (beginning with the Office 2007 ribbon): these UIs might make things easier for first-time users, however they force you to throw away all the things you have in “muscle memory”. This is annoying for power users (every time I have to use Office 2007 I have violent reactions) but it is outright catastrophic for less computer-savvy people who’ve learned “dances” like “go to the third menu and click the fifth element”. Another contributing factor (which might be specific to non-English speaking countries) is the large number of English Windows/MS Office installations combined with the fact that most people don’t speak English, so these kinds of memorizations are their only solution. All of these people are left out in the cold by these UI changes. Most people (from my experience) don’t learn by reading a book or a help file, they learn from other people. But with the latest release MS nullified all the expertise in the domain, making this kind of “folklore” almost impossible.

Update: here are two “bonus” videos – one showing a Mac OS X UI over the text of a Windows 7 presentation, and the second one convincing people that KDE is the new Windows 7. I got the second link from Jupiter Broadcasting.

You say features, I say (possible) vulnerabilities
https://grey-panther.net/2009/01/you-say-features-i-say-possible-vulnerabilities.html – Thu, 29 Jan 2009

I was listening to a recent MindOfRoot podcast (good podcast BTW if you are interested in IT-type topics) which included an interview with a Microsoftie about WS-MAN (sorry for not recalling the exact name of the person). If you don’t know (I didn’t), WS-MAN stands for (drum roll please): web services management. That’s right boys and girls, getting SOA in your switches and routers. I thought SOA was soo over – grin :). Getting (somewhat) serious, the value proposition makes almost no sense and is (IMHO) another example of Microsoft showing the Not Invented Here syndrome. Points:

  • He admits that we already have SNMP but criticizes it for being quirky. The example that he gives is that the method to reboot some equipment is to set uptime to zero. WS-MAN, he says (I really should look up this chap’s name, shouldn’t I?), will have “real methods”. Well, no standard has ever been implemented the same way by all vendors. Unless you have a single vendor (*cough* Microsoft *cough*) delivering all the software, there will be differences, just as there are differences in SNMP, and management software will have to adjust for them (just the way it does for SNMP today).
  • Another argument is “security”. He says that by using SSL (TLS) you just double-encrypt the data, since it is already encrypted, but then admits that passwords go in the clear unless you do use TLS. First of all, web services but no mention of WS-Security? Second of all, are you really telling me that vendors will put all that extra processing power in their equipment to support TLS? And if not (if this is an optional feature), we’re back to SNMP (cleartext passwords – cool). Also, given that less than 1% of the websites on the Internet correctly support SSL, what exactly makes you think that admins will configure this infrastructure correctly with server and client certificates? (BTW, they didn’t mention client certificates, but I really hope they support them.)
  • Another argument: it has the option to enumerate all the parameters! How is this substantially different from the SNMP MIBs?
  • Yet another argument: it will run through port 80 (ok, this definitely seems to indicate a cleartext protocol), so you won’t have problems passing through your corporate firewall / proxy. BTW, did I mention that this friggin’ thing will run over HTTP? (WS is defined for multiple transports – including email and FTP – but HTTP is the most popular one, which always gets associated with it.) So now you want to shove an HTTP server into the network equipment and just assume that it won’t have any vulnerabilities because the HTTP and XML standards are so simple – not! Getting back to the “bypassing the firewall” argument:
    • First of all – you are IT! WTF are you trying to do bypassing yourself? If your organization is f***’d up at that level that you can’t open ports for legitimate reasons, you have bigger problems. And if it isn’t a legitimate business reason, it is very good that they are blocking your ass!
    • Putting everything over the same port makes it very hard to categorize traffic. Of course this is not the first time MS has done that: open up file sharing and congratulations – now others can use DCOM, WMI, etc. on your system. Talk about a large attack surface and a complete disregard for the “one port – one service” principle!
    • Incidentally, you can use HTTP proxies to tunnel arbitrary TCP connections (if they are so configured) with the CONNECT method (this is how HTTPS through a proxy works if the proxy doesn’t MITM it).
  • And finally: another proclaimed advantage is its integration with PowerShell. Yes, PowerShell seems really cool, but wouldn’t it have been much simpler (and more compatible and more useful – because we have SNMP-capable hardware now) to just add SNMP capabilities to PowerShell? IMHO, it would.

So there you have it, another thing which isn’t needed. Looking forward to exploiting bugs and improperly configured services of this type in 5 years.

PS. Maybe Google will index these and we can Google hack switches and routers! 🙂

Microsoft – fail!
https://grey-panther.net/2009/01/microsoft-fail.html – Fri, 09 Jan 2009

I’m not talking about the fact that they restarted my computer overnight – again! – because of a “critical” update (as far as I can tell the “critical” update was Windows Media Player 11 – WTF?) or about the fact that some of their utilities give you useless error messages (like “X has occurred – type net helpmsg XXXX to get more information”, and executing the command only gives you back the original error message – WTF?)

No, I’m talking about the fact that to use WPA2, you need to install an update which is not included automatically by Windows Update. To make this a double fail, their “Live” search engine gives back as the first link a support article with no download link (!!!), while Google gives you a working patch (although a new version is available, the old version still works). Fail!

  • Direct download link for the old update (without the “Genuine Windows” BS): KB893357
  • Direct download link for the new update (again, without the “Genuine Windows” BS): KB893357

Update: this UserFriendly strip perfectly reflects the situation:

Microsoft .docx format – fail!
https://grey-panther.net/2008/12/microsoft-docx-format-fail.html – Tue, 02 Dec 2008

I was installing a WinXP + Office 2003 machine for an acquaintance and of course let Windows Update get it to the latest patch level. During this process the MS GDI+ detection tool popped up and said that the computer had software which may be affected by the GDI+ vulnerabilities (correct, since I had Office 2k3 installed). Then it offered me a link to a .docx file to read for further instructions 🙂 Very, very smart.

BTW, does somebody know where the “File Properties” menu is in Excel 2007??? I’m going back to my OpenOffice.org 3.0, however MS Office 2007 hijacked all my file extensions and I couldn’t find an easy way to reset them to OO (maybe I’ll just bite the bullet and uninstall/reinstall OO).

Will Morro continue to innovate?
https://grey-panther.net/2008/11/will-morro-continue-to-innovate.html – Wed, 26 Nov 2008

Rich Mogull thinks that Morro (the free AV from Microsoft) will lead to more innovation. However I think that the issue is not so clear-cut:

Morro will be forced to innovate like any AV vendor due to the external pressures of the extensive user base of existing AV solutions, changing threats/attacks, and continued pressure from third party AV.

The biggest problem with this argument is that MS, having brand recognition, can ignore tests to some degree, thus lessening the pressure on them. On the other hand, it will probably share intel (if not teams) with some related MS products (like the MSRT or Forefront), giving it the ability to react faster. In the end, security still doesn’t hurt Microsoft enough to stop them from repeating the “IE method” (killing off the competition and then ignoring the product).

F*** you Microsoft!
https://grey-panther.net/2008/11/f-you-microsoft.html – Fri, 21 Nov 2008

For deciding that your precious Windows Update is so important you have to restart my computer in the middle of the day, costing me two hours of work!
