Showing posts with label internet explorer. Show all posts

Monday, August 1, 2011

Switching Internet Explorer's NTLM Credentials

I was looking for a way to have Internet Explorer, launched within user1's Windows session, authenticate against NTLM sites and proxies with the credentials of user2.
Using Windows Credentials Editor does work but, as said, it's no production tool.
I also found that using the runas command was problematic because you either create a Windows profile or not:
  • If you do create a profile, that means a profile and corresponding home folder will be created, which might not be desirable.
  • If you do not create a profile, that means user2 cannot save parameters in IE and cannot receive domain policies, bookmarks and so on.
Eventually I found a very short, built-in way to do it:
C:\>runas /netonly /user:my_domain\user2 "C:\Program Files\Internet Explorer\iexplore.exe"

Entrez le mot de passe de my_domain\user2 :
Tentative de lancement de C:\Program Files\Internet Explorer\iexplore.exe en tant qu'utilisateur "my_domain\user2" ...
That runas /netonly command lets you run IE with user1 privileges, profile and bookmarks AND authenticates at remote NTLM sites and proxies as user2.

This command is especially convenient in situations where you want to do remote NTLM authentication as a given user but do not want to launch a full Windows session just for it.
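
The split identity described above can be checked in the Security log, where runas /netonly leaves a logon event 4624 with logon type 9 (NewCredentials): the local account stays user1 while the outbound network account is user2. The PowerShell below is an added example, not part of the original post; it assumes an elevated prompt, that logon success auditing is enabled, and a Windows version whose 4624 event carries the TargetOutbound* fields.

```powershell
# Added example: list recent "NewCredentials" logons (what runas /netonly creates).
# Assumptions: elevated prompt, "Audit Logon" success auditing enabled.
$filter = @{
    LogName   = 'Security'
    Id        = 4624                      # "An account was successfully logged on"
    StartTime = (Get-Date).AddHours(-1)   # look back one hour
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the <Data Name="..."> elements of the event into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # Logon type 9 = NewCredentials: same local token, different
        # credentials for outbound (network) authentication.
        if ($data['LogonType'] -eq '9') {
            [pscustomobject]@{
                Time            = $_.TimeCreated
                # Identity the process runs as locally (user1 in the post).
                LocalIdentity   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                # Identity presented to remote servers and proxies (user2 in the post).
                # Blank on Windows versions whose 4624 event lacks these fields.
                NetworkIdentity = '{0}\{1}' -f $data['TargetOutboundDomainName'], $data['TargetOutboundUserName']
                LogonProcess    = $data['LogonProcessName']
                CallerProcess   = $data['ProcessName']
            }
        }
    } |
    Format-Table -AutoSize
```

Because the supplied password is only used when a remote server asks for authentication, this event is logged even when the password typed at the runas prompt is wrong.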

Thursday, December 3, 2009

Shredding files mostly useless (review)

Bruce Schneier points out that filesystems sometimes get in the way of secure file deletion.

I blogged about that six months ago (second point in that post) after checking my understanding of the question with the developer of Inferno.

I have since heard similar stories quite a few times, either from software like filesystems or recovery systems or from hardware like Flash memory putting the content of a file in arbitrary locations. It seems to be a fairly well known fact among people who spent time on the matter.

To my mind, apart from shredding entire drives when the hardware is disposed of or goes from one user to another, companies should not waste time on shredding.

Of course, I guess Bruce Schneier would argue about encryption, rather than deletion :-)

Saturday, June 27, 2009

Microsoft's fallacious IE8 campaign

Is the market of browsers so opaque, obscure, for non-technical people, that Microsoft think they can fool them with a simple table?

To summarize the history of facts, Microsoft once had a monopoly in web browsers because the software shipped with their operating system, Windows, which is ubiquitous. They then rested on their laurels for a while (roughly from the end of the nineties to 2006) and lost a part of their market share to more secure, faster, more flexible browsers, such as Mozilla's Firefox. They finally reacted and released Internet Explorer 7 and Internet Explorer 8, fixing a lot, but, to many eyes, not climbing to the level of quality of their rivals.

And now, they try to get their market share back with a marketing campaign, with an awfully simplified and fallacious comparison table.

Now, let's return to normal. Below is their table, with my remarks or modifications in orange.

I do not comment on Chrome, because I have used it too little.

Table columns: Internet Explorer 8 | Firefox 3.0 | Google Chrome 2.0 | Comments

Security
  • Microsoft: Internet Explorer 8 takes the cake with better phishing and malware protection, as well as protection from emerging threats.
  • My remark: And so can anyone say. But with intimate relations between the operating system and the browser, Internet Explorer puts the system at a greater risk against malware.

Vulnerabilities
  • My remark: The time to fix vulnerabilities once they are public is the shortest in Firefox. Internet Explorer has got the worst record of critical vulnerabilities, sometimes not patched long after they are public.

Privacy
  • Microsoft: InPrivate Browsing and InPrivate Filtering help Internet Explorer 8 claim privacy victory.

Ease of Use
  • Microsoft: Features like Accelerators, Web Slices and Visual Search Suggestions make Internet Explorer 8 easiest to use.
  • My remark: Some might say it's a question of taste. I feel like Internet Explorer is rigid while Firefox is flexible.

Web Standards
  • Microsoft: Firefox and Chrome have more support for emerging standards like HTML5 and CSS3, but Internet Explorer 8 invested heavily in having world-class, consistent support for the entire CSS2.1 specification.
  • My remark: I don't deny Microsoft made big improvements, but almost any web developer still frowns at the very name of Internet Explorer. Yet, they did improve.

Developer Tools
  • Microsoft: Internet Explorer 8 has the most comprehensive developer tools built in, including HTML, CSS and JavaScript editing, but also JavaScript profiling; other browsers have developer tools available, but either require you to download them separately, or aren't as complete.
  • My remark: You could also argue that the simplicity of XUL, Firefox's development language, is one reason it's been such a success.

Reliability
  • Microsoft: Only Internet Explorer 8 has both tab isolation and crash recovery features; Firefox and Chrome have one or the other.
  • My remark: Only Internet Explorer crashes when too many pages are open at the same time.

Customizability
  • Microsoft: Sure, Firefox may win in sheer number of add-ons, but many of the customizations you'd want to download for Firefox are already a part of Internet Explorer 8 – right out of the box.
  • My remark: I have never found for Internet Explorer precisely the equivalent of what I use in Firefox.

Compatibility
  • Microsoft: Internet Explorer 8 is more compatible with more sites on the Internet than any other browser.
  • My remark: That's certainly true because of Microsoft's long record of purposeful incompatibility which, in the past, encouraged developers to not develop for other browsers. However, I do not know one of the sites that I use today that is not compatible with Firefox.

Manageability
  • Microsoft: Neither Firefox nor Chrome provide guidance or enterprise tools.
  • My remark: That's not true. With the tools provided by Frontmotion, you can achieve a similar manageability (for instance, centrally from an Active Directory server) and I would say you get a more precise customizability of what's managed.

Performance
  • Microsoft: Knowing the top speed of a car doesn't tell you how fast you can drive in rush hour. To actually see the difference in page loads between all three browsers, you need slow-motion video. This one’s also a tie.
  • My remark: Any recent benchmark shows Internet Explorer as the last of the last browsers in matters of speed.



I was not the only one to notice that :-)
Some comments are worth reading.

EDIT 06/29/2009:
They're going to some extremes for their marketing... in my native region, they advertise on pizza boxes, and also have a look at this one in the US:
http://www.browserforthebetter.com/index-htm.html#getie8:6qmoqjtZ9pH

EDIT 07/28/2009:
I have found some pictures of those IE pizza boxes here and here.

Monday, June 22, 2009

Geekonomics - Criticism of Chapter 6 on opensource software

Second of the series of articles inspired by David Rice's Geekonomics.

I am not totally satisfied with David Rice's take on opensource software in his Chapter 6: Open Source Software: Free, But at What Cost?

While he definitely has good points as a whole, and while I see his description of some of the hidden defects of opensource projects as accurate, I am sad that he forgets to mention really big companies taking part in opensource developments. Companies like IBM, Sun (now Oracle) or Apple all make some opensource developments, and you cannot say that they act as beginners or non-professionals in their development methodologies.

And I am also a little surprised to see that the author compares opensource development projects to an "idealized" proprietary development project. For instance, he says it is possible that a part of an opensource software will go unmaintained because of a lack of interested people and forgets to say that even in big proprietary developments, such things also happen, because of mediocre management or because of periods of deep stress.

I would say that Chapter 6 holds some good points but my conclusions would be:
  • Opensource software is not a radical change from proprietary software in the methodologies.
  • Opensource software is not radically more secure or of better quality than proprietary software by essence.
  • The "given enough eyeballs, all bugs are shallow" argument is valid, and opensource software with a high number of both users and developers actually gets an improvement in its quality and security.

Geekonomics - Reasons for the States NOT to fix software quality problems

First of the series of articles inspired by David Rice's Geekonomics.

As an introduction I would like to give two figures from the first chapters of the book.
  • An estimate of the US losses coming from software failures (both quality and security) at the scale of the whole country: $180 bn a year. (yes billion, not million)
  • Deaths occur from software failures. Multiple times per year, even if they are not numerous enough to make statistics [yet].

David Rice's point
In the beginning of the book, David Rice argues that software developers have no incentive to do better work. In chapter 5, Absolute Immunity: You Couldn't Sue Us Even If You Wanted To, David Rice shows that the US government is not doing anything against software failures. On the contrary, the US gov gives developers a free hand and no responsibility of any kind if they should get sued over damages resulting from the use of their software.

And he gives a short explanation that the US system waits for citizens to become plaintiffs and sue software developers before any public authority will react. He quotes the typical reaction that you would get if you tried to make a law about software quality, through Ronald Reagan's words:
Government is not the solution, government is the problem.

My point
I quite agree with the author on the observation. The US gov does nothing, or goes against any initiative geared towards better software. But I don't agree with the far too simple explanation he gives. I guess a $180 bn issue would get a law if there were no incentives for not making a law. And I can see three reasons a country like the US wouldn't want to improve software quality.

  1. "Don't worry, be crappy". This maxim by Guy Kawasaki summarizes well the way software companies get into the subject. They try to output something they can sell, whatever the quality. But this reasoning also goes for countries. Software is a global trade good, and a big software maker such as the US doesn't want to slow down the sales by making quality restrictions. If a law were passed, it would probably impact the economy of the country. Same goes for other developed countries.
    In the same train of thought, if a law were passed, maybe some development companies would offshore development.
  2. We are still in an early phase of software deployment. Though it is recognized that a big company now has to do better IT rather than more IT, it is still important for many countries, including the US, to do more IT, even at the cost of not doing it better. I mean, a country like the US gets a competitive advantage from doing more IT, getting more automated stuff in its services, agencies, its companies, etc. and would "competitively speaking" lose time by concentrating on the improvement of quality and security.
  3. As is long argued in the book, there is an underground market for security vulnerabilities. This market is the work of underground hackers, but if the underground does it, there are good reasons to believe that the "official" intelligence services do the same. If so, it is quite possible that intelligence services from the typical countries such as the US, France, Israel, Russia or China (which are coincidentally the biggest software developers) have a strong interest in keeping a high level of non-public, unpatched vulnerabilities. They want to know the vulnerabilities themselves, be able to penetrate a lot of places, especially for industrial eavesdropping, and they absolutely do not want software makers to patch the vulnerabilities.
All of these seem better explanations to me for the lack of reaction of developed countries against bad software quality and security.

Sunday, June 21, 2009

Articles about Geekonomics to come

Following the return of my copy of Geekonomics: The Real Cost of Insecure Software, by David Rice, I am in the process of writing a few articles about the ideas from the book.

Go read the book if you're interested in understanding the phenomena around and beneath software insecurity and bad quality.

Since I do not want to plunder the author's content by making a detailed summary or quoting the most interesting excerpts, I am selecting a few subjects and trying to explore them a little further than the book. Which will be very hard since I do not have all the investigation sources that Rice may have had, nor patience, skills and experience. In short: I will give some opinions from my understanding of matters in or around the book.

Sunday, March 22, 2009

Articles about Geekonomics - delay

I told some of my readers that I would write a series of articles on Geekonomics: The Real Cost of Insecure Software, by David Rice. This excellent book attacks the macroscopic questions of why software is so insecure and how to secure it.

I have lent this book and will be late (gosh, I am already late), till I get it back.