joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

1/11/2010

Better Authentication…

by @ 7:56 pm. Filed under tech

“Better authentication methods can come along any day now… I’m ready…”

That is something I said this morning while working on my work laptop. We recently were required to add whole machine encryption which meant adding yet another password and remembering yet another ID/Password combination. When I loaded the encryption software two things irked me… The first was that I had yet another ID/Password combination to worry about and second that the local recovery mechanism was three silly questions most of which are based on information that can change[1]…

Now when I fire up my laptop for work I have to enter a whole disk encryption userid / password. It is my main corporate ID in UPN/email format but a whole other password that must be six numeric digits[2]. Then I get my main logon screen which is my main ID in SAM format (I could use UPN here if I chose as well), but with my password from the corporate forest. Then I get my desktop and Office Communicator fires up and for some reason, more times than not, it asks me to enter my password as well. So again I enter my corporate password. Then up comes MSN for when Office Communicator isn’t working (all too often unfortunately)… So I enter that entirely different userid and password. Then I fire up Outlook and get to enter passwords for the PST files (yes that is my choice). So now that is the first 2 minutes of the work day…

Now let’s say I need to connect to different customer environments… We have three different shared environments that I can connect to that house many of our customers. One uses my corporate userid name but not the corporate password. One uses a whole other userid (a second corporate userid since we went through a merger with another company) and password. And the last uses two factor auth so I have to enter my secondary corporate userid with a PIN I know and a passcode from an RSA Token. Now this is only for some accounts. Other accounts have their own IDs and passwords. So say I need to get into the account I spent most of last year on, I go to their Reverse Proxy Web Site and enter my main userid and password from their corporate directory, then to connect to a server I use one of my six Admin IDs I have for that environment. Next if I connect to another large customer that I have been handling various questions for a W2K8 migration I enter a userid with a smartcard (different from the RSA token) temporary password to get into the firewalled section that is set aside for that customer, and then another userid/password to get onto the Citrix system that allows me to work on that network. If I want to connect to their lab environment, even more userids and passwords… I happen to have yet another RSA token and set of userids to connect to another largish customer I used to work on as well. I have to actually label my RSA tokens by which company the token is for. That alone is a pain, how come I can’t at least use one token/smart card for all of the companies?

This doesn’t at all go into the stuff I have for my personal world… Access to Microsoft Source Code is another smart card/password. Microsoft Private News Groups. Hotmail email account. My joeware email accounts. Admin IDs for each of my test forests for playing with AD. Home Depot account, six or seven credit card accounts, eBay, Amazon, my website and blog, 401k, health insurance, stock benefits site, Craig’s List, Code Gear Developer Account so my IDE can log into Code Gear. Admin IDs for each of the PCs I have in my house, both servers, and clients. Voice mail for work phone, personal mobile phone. Key code lock on my front door to my house. Hmm what else, iTunes/App Store, all the various apps on the iPhone, etc etc etc yadda yadda yadda blah blah blah…

At this point I am getting confused just trying to maintain in my head which userid/password/token/smartcard combinations are used at which points; especially when you have one userid string blah@corp.com that is used in five different locations with five different passwords. I’m ready for authentication that just takes a look at me and says… well you look a little rough because you didn’t comb your hair this morning and are still wearing your pajamas but I recognize you as joe and will let you onto the system… And since I am actually looking at you, all of the other systems will trust that I know what I am talking about and allow you in too or I can just pass on the live video feed to them if they want to validate you… At this point the only thing I tend to have in common across multiple systems is the same answers to the recovery questions… While my userid/password isn’t likely to be consistent across systems, my mother’s maiden name probably is… It reminds me of something a good friend of mine at MSFT has said multiple times in my presence when talking about Identity… SK (for short) would say something like… You know, I don’t log into my 401k (I think it was 401k, maybe it was health benefits site or maybe it was both…) very much so I always forget my password and so then I always use the self password reset system for the web site which asks me questions[3]… Those questions might as well be my password.

Federation and Info Card is getting bigger and bigger but even if it took all my web based auth and put it into a single auth system I would still have too much to recall and deal with.

Anyway, no answers here for this issue… just venting.  Oh and I would like to see an end to the sub-zero degree Fahrenheit wind chill temperatures as well while I am at it. 🙂

   joe

 

 

[1] I.E. What is/was your favorite this or that or what was the date of this or that event. For example, I have never had a honeymoon but one of the questions was, when was the date for that? Now I would put none, but a year or two from now that could have a different answer and if I needed to recover I would have to recall when I filled out the recovery info… I am in the recovery console because I can’t even recall a password I use every day… I also hate when companies use things like favorite food or favorite movie or even favorite teacher, who says those things won’t change?

[2] Seriously… WTF. No more, no less than six numbers…

[3] Those questions are probably less secure than the password that isn’t being remembered…


Special Folder GUIDs

by @ 7:35 pm. Filed under tech

Wow, I got quite a few emails on the Special Folder GUIDs posts… Thanks to all who sent me the link… Keep it up!

Here are the links everyone was sending me

http://msdn.microsoft.com/en-us/library/ee330741(VS.85).aspx

http://news.cnet.com/8301-13860_3-10426627-56.html?part=rss&subj=news&tag=2547-1_3-0-20


Association…

by @ 7:29 pm. Filed under quotes

Choose your friends carefully. Association brings about assimilation. If you think your friends are stupid and crude, get new friends unless you want to be stupid and crude. Or to put it another way… Birds of a feather flock together.

   – Combination of quotes from Chris Rock, Patrice Dean & others


1/8/2010

And another special Folder GUID…

by @ 7:35 pm. Filed under tech

After seeing http://blog.joeware.net/2010/01/07/1860/ my good friend Deano reminded me that he had shown me something like this back last year for just Network Connections…

md c:\_special\nc.{7007ACC7-3202-11D1-AAD2-00805FC1270E}

Looks like…

image


Rudy Rudy Rudy… Sheesh.

by @ 7:00 pm. Filed under general

Is someone trying to gear up for the 2012 election already???

http://www.salon.com/politics/war_room/2010/01/08/giuliani

 

“In an interview on ABC’s "Good Morning America," Giuliani said, "What he [Obama] should be doing is following the right things that Bush did — one of the right things he did was treat this as a war on terror. We had no domestic attacks under Bush. We’ve had one under Obama.””

 

Huh? Come again? As my friend Gary Coleman would say…  Qué usted que habla de Willis?


1/7/2010

OOOOOOHHHHHHHhhhhh

by @ 8:47 pm. Filed under tech

http://www.wired.com/video/ces-2010-hands-on-with-transparent-display-of-the-future/60826805001


AdFind V01.41.00 and AdMod V01.12.00 Betas available

by @ 6:00 pm. Filed under tech

I have been exceedingly lax in updating AdMod this last year. I started working on it on and off after releasing AdFind V01.40.00 last year and while I have gotten much in, I haven’t gotten it released. In the meanwhile, I would hit little things that needed to be fixed in AdFind so I started tweaking that as well. Now I see we are in the new year and still no release and my testing of the existing functionality hasn’t been going fast either to make me comfortable to release as production so instead… I have gone the way of Google and am now offering a public beta of AdFind V01.41.00 and AdMod V01.12.00. You can find the beta versions at

http://www.joeware.net/downloads/beta/adfindmod_beta.zip

These have been stable in my testing but my testing has not been comprehensive. Obviously AdFind isn’t going to break anything, it can’t, it doesn’t write anything anywhere, however AdMod could go a little awry though again, I haven’t experienced that in a bit. If I had been experiencing it, it wouldn’t see the light of day. I am a bit picky like that, I can and will make mistakes and something will get released with a bad issue occasionally, but something will not get released with a bad issue when I am aware of it.

I am not going to go over all the changes in the code right here right now. My main concern is for people to play with the tools to see if they break anything that previously worked. There were some massive changes around CSV processing so definitely check that out.

If you look back through the blog postings from this last year, you will find a couple of examples of new features/switches in AdMod.

 

   joe


Windows Server 2008 R2 Feature Components Poster

by @ 6:00 pm. Filed under tech

http://download.microsoft.com/download/8/2/3/823871D1-819F-446D-ADD5-3049B78F020F/Windows_Server_2008_R2_Feature_Components.pdf


Control Panel Applet Aggregator

by @ 6:00 pm. Filed under tech

Mark Minasi has an interesting newsletter this month about a special folder that you can create to see all your CPL’s in one place. Very nice… You can read about it here –> http://www.minasi.com/newsletters/nws1001.htm

Basically I ran the following command

md c:\_special\cp.{ED7BA470-8E54-465E-825C-99712043E01C}

And then just pull the folder up in Explorer…

explorer c:\_special\cp.{ED7BA470-8E54-465E-825C-99712043E01C}

That will save a lot of time hunting around for stuff… I agree with Mark that I don’t see anything “hidden” there, but likely it is stuff that people weren’t aware of because you have to click on so much stuff to find things anymore if you are just browsing. The “search” mentality is growing and affecting design decisions… You know the mentality I am talking about… You can put stuff anywhere on your computer, it doesn’t matter where because you are just going to use Google Desktop to find it… As I heard today when discussing organization of data on computers… “I am utterly reliant on Google Desktop for it to be meaningful.”

Anyway, I can just imagine the discussions at MSFT…

Engineer: We should put this stuff in a central organized location.

Manager: Nah, throw it everywhere, it doesn’t matter.

Engineer: They won’t be able to find the stuff…

Manager: They will be using our search engine and can just type in what they are looking for and it will pop right up…

Engineer: What if they aren’t searching for something specific, but looking around.

Manager: No one would ever do that, do it the way I said, just throw things everywhere.

 

Unfortunately, this is the first Minasi newsletter I have seen in some time. I like looking at newsletters, especially techy based ones. But if I get an email and it requires me to chase after the info in a web site, I generally decline and delete the message. I am in email now, I want to stick there and get it done, if I go to a web browser who knows what will happen, I will probably get stuck on Google News or something. I recall way back when Mark used to send out actual newsletter emails, then he said he had to stop temporarily for some reason. Don’t recall what it was but he said don’t worry, I will go back to sending out newsletters again… Still waiting here… 🙂

Anyway it looks like this

image

 

Then if you are enumerating the items looking for something in particular, say color, you can still use the Windows Search stuff and type color in the search bar at the top and it will filter the list down for you like…

 

image 

 

   joe


Documentation Tool in Win7 Part Deux…

by @ 6:00 pm. Filed under tech

No new info here… Just revisiting my previous post about the recorder that lets you record what you are doing for documentation or debugging. I keep forgetting the command and so wanted to post here so I can find it easier without having to worry that the original poster’s post goes away…

So joe, when you can’t remember the command again… it is PSR.EXE

