<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Is risk homeostasis real</title><description>Secuobs.com : 2009-01-09 12:58:54 - Security Bloggers Network - Is risk homeostasis real? There are studies that both confirm and deny its existence. Many of these studies are biased, but research that tries to eliminate the bias seems to indicate that risk homeostasis is real. Risk homeostasis is the</description><link>http://www.secuobs.com/revue/news/50130.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50130.shtml</guid></item>
<item><title>Microsoft’s January Patch Release Advance Notice</title><description>Secuobs.com : 2009-01-09 12:58:54 - Security Bloggers Network - In the first security bulletin for 2009, Microsoft are scheduled to release a single Critical Patch, according to the Advance Notification that was recently published. The patch to be issued next week is for a Remote Code Execution vulnerability that affects the core Windows system and is Critical for Windows 2000, XP, 2003, but Moderate for Vista and 2008.</description><link>http://www.secuobs.com/revue/news/50129.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50129.shtml</guid></item>
<item><title>Prison sentences for ATM hackers</title><description>Secuobs.com : 2009-01-09 12:54:57 - ZATAZ News - Four Romanians have just been given custodial prison sentences in Rennes for compromising bank cards via ATMs.</description><link>http://www.secuobs.com/revue/news/50128.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50128.shtml</guid></item>
<item><title>The DGA launches the new intranet for the naval air forces</title><description>Secuobs.com : 2009-01-09 12:54:57 - ZATAZ News - The Délégation générale pour l'armement is launching a 240 million programme to strengthen the intranet network fitted to the French Navy's surface ships, submarines and aircraft.</description><link>http://www.secuobs.com/revue/news/50127.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50127.shtml</guid></item>
<item><title>Wikipedia for adults</title><description>Secuobs.com : 2009-01-09 12:54:57 - ZATAZ News - Brazilian internet users have just put wikigata online, an encyclopedia for adults.</description><link>http://www.secuobs.com/revue/news/50126.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50126.shtml</guid></item>
<item><title>Nearly 40 million Americans affected by data loss</title><description>Secuobs.com : 2009-01-09 12:54:57 - ZATAZ News - More than 35 million Americans affected by the loss of their private information. 656 file losses recorded in 2008.</description><link>http://www.secuobs.com/revue/news/50125.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50125.shtml</guid></item>
<item><title>Criston and Citrix combine their know-how</title><description>Secuobs.com : 2009-01-09 12:53:30 - Global Security Mag Online - Criston and Citrix are pooling their expertise to offer their customers an integrated solution that lets them audit their Citrix environment and industrialize the management and securing of servers and thick clients. Users of Citrix environments will thus be able to manage and secure their configurations using the Precision technology published by Criston. Administrators will be able to manage and configure the applications running under Citrix and access various  - Products</description><link>http://www.secuobs.com/revue/news/50124.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50124.shtml</guid></item>
<item><title>Belize a new target for savvy hackers</title><description>Secuobs.com : 2009-01-09 11:56:51 - ISN InfoSec News Mailing List - InfoSec News: Belize a new target for savvy hackers: http://wwwreporterbz/indexphpoption=contentettask=viewetid=3281 By Lisbeth Ayuso, The Reporter, 09 January 2009. Hacking into email accounts is common in the United States, and while Belize has managed to stay out of harm’s way over the years, hackers</description><link>http://www.secuobs.com/revue/news/50123.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50123.shtml</guid></item>
<item><title>Secunia Weekly Summary - Issue: 2009-2</title><description>Secuobs.com : 2009-01-09 11:56:51 - ISN InfoSec News Mailing List - InfoSec News: Secunia Weekly Summary - Issue: 2009-2: The Secunia Weekly Advisory Summary 2009-01-01 - 2009-01-08. This week: 52 advisories </description><link>http://www.secuobs.com/revue/news/50122.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50122.shtml</guid></item>
<item><title>Probe led Fumo to boost security</title><description>Secuobs.com : 2009-01-09 11:56:51 - ISN InfoSec News Mailing List - InfoSec News: Probe led Fumo to boost security: http://wwwphillycom/inquirer/local/20090108_Probe_led_Fumo_to_boost_securityhtml By Emilie Lounsberry and Craig R. McCoy, Inquirer Staff Writers, Jan 8, 2009. As soon as the news broke that the FBI was investigating former State Sen. Vincent J. Fumo, his computer technicians stepped up security and became more vigilant about getting rid of his e-mails, one of the computer experts testified yesterday. Testifying under a grant of immunity from prosecution, Donald Wilson told the jury in Fumo's federal corruption trial that he and another computer technician, Leonard Luchko, also used sophisticated software programs to permanently wipe out any traces of deleted e-mails. Wilson said Fumo had already been concerned about computer security. When the Senate hired him in late 2001, Wilson said, he asked the senator what level of computer security was wanted. "His response was something pertaining to the federal government," Wilson said. Fumo wanted a level of security that was "on par with the federal government," or that could "keep out" the government. Wilson delivered his testimony as prosecutors moved to the final chapter of the indictment - allegations that Fumo obstructed the FBI inquiry by ordering his staff to destroy e-mail messages.</description><link>http://www.secuobs.com/revue/news/50121.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50121.shtml</guid></item>
<item><title>Minecode execs face prison terms for computer intrusion</title><description>Secuobs.com : 2009-01-09 11:56:51 - ISN InfoSec News Mailing List - InfoSec News: Minecode execs face prison terms for computer intrusion: http://seattlebizjournalscom/seattle/stories/2009/01/05/daily33html Puget Sound Business Journal, January 8, 2009. Two executives at Minecode LLC pleaded guilty Thursday in US District Court in Seattle to misdemeanor counts of computer intrusion and face prison terms </description><link>http://www.secuobs.com/revue/news/50120.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50120.shtml</guid></item>
<item><title>MeriTalk Cyber Comedy Study Asks What Did We Get for $27 Billion IT Security Investment</title><description>Secuobs.com : 2009-01-09 11:56:51 - ISN InfoSec News Mailing List - InfoSec News: MeriTalk "Cyber Comedy" Study Asks What Did We Get for $27 Billion IT Security Investment: http://wwwmeritalkcom/pdfs/MeriTalk_press_release_010809pdf Media Contact: Liz Vandendriessche, MeriTalk, 703 883-9000 ext 146, evan at meritalkcom. International CES, Las Vegas, January 8, 2009 - MeriTalk wwwmeritalkcom, a new online community at the crossroads of IT and</description><link>http://www.secuobs.com/revue/news/50119.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50119.shtml</guid></item>
<item><title>CFP: COLSEC 2009</title><description>Secuobs.com : 2009-01-09 11:56:51 - ISN InfoSec News Mailing List - InfoSec News: CFP: COLSEC 2009: Forwarded from: Patrice CLEMENTE. The 2009 International Symposium on Collaborative Technologies and Systems </description><link>http://www.secuobs.com/revue/news/50118.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50118.shtml</guid></item>
<item><title>Axiom Housing Association purchases SoloProtect to ensure safety of its outreach workers</title><description>Secuobs.com : 2009-01-09 11:50:25 - Security Park - Axiom Housing Association is a provider of a broad range of quality, affordable rented housing throughout Cambridgeshire and Lincolnshire, the Association caters for single people, families and the elderly as well as those who may have additional housing or support needs. Established in 1967 with the primary objective to 'build better communities', Axiom Housing Association, under its Support H more</description><link>http://www.secuobs.com/revue/news/50117.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50117.shtml</guid></item>
<item><title>Two-thirds of UK businesses do not manage their Internet security</title><description>Secuobs.com : 2009-01-09 11:50:25 - Security Park - According to new research by Network Box, nearly two-thirds of UK businesses do not look after their Internet security effectively. Just over 65 per cent of companies spend 'no time' managing their security systems (anti-virus, anti-spam, content filtering, VPN, intrusion detection and web usage and bandwidth policies). Nearly 15 per cent spend less than 30 minutes per week managing their IT secur more</description><link>http://www.secuobs.com/revue/news/50116.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50116.shtml</guid></item>
<item><title>Kaba turnstile systems installed at major arenas and sports stadiums in Greece</title><description>Secuobs.com : 2009-01-09 11:50:25 - Security Park - As part of a project to improve access security at the 22 most important arenas and sports stadiums in Greece, Kaba has won the order to install turnstile systems. Kaba beat international rivals to win this major CHF 2 million project, confirming its competitiveness as a worldwide provider of access systems for sports stadiums. Its track record includes more than 100 completed projects, includi more</description><link>http://www.secuobs.com/revue/news/50115.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50115.shtml</guid></item>
<item><title>Windows 7</title><description>Secuobs.com : 2009-01-09 11:48:50 - gHacks technology news - We have not written many articles about Windows 7 here at Ghacks in the past. This was mainly because of the fact that virtually any other website on the planet did post every tidbit of news that they could get their hands on. Today however is an important date as Microsoft will publish a public Windows 7</description><link>http://www.secuobs.com/revue/news/50114.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50114.shtml</guid></item>
<item><title>TJX TJ Maxx and Marshall’s Hacker Jailed For 30 Years</title><description>Secuobs.com : 2009-01-09 11:48:21 - Darknet  The Darkside - </description><link>http://www.secuobs.com/revue/news/50113.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50113.shtml</guid></item>
<item><title>XOOPS mydirname: PHP Code Injection Vulnerability</title><description>Secuobs.com : 2009-01-09 11:46:51 - Bulletins et Alertes de Sécurité SECURINFOS.INFO - athos has discovered a vulnerability in XOOPS that could be exploited by malicious people to compromise a vulnerable system.</description><link>http://www.secuobs.com/revue/news/50112.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50112.shtml</guid></item>
<item><title>Soholaunch Pro _SESSIONdocroot_path: File Inclusion</title><description>Secuobs.com : 2009-01-09 11:46:51 - Bulletins et Alertes de Sécurité SECURINFOS.INFO - Dedi Dwianto has reported a vulnerability in Soholaunch Pro that could be exploited by malicious people to compromise a vulnerable system.</description><link>http://www.secuobs.com/revue/news/50111.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50111.shtml</guid></item>
<item><title>CuteNews Cross-Site Scripting and PHP Code Execution Vulnerabilities</title><description>Secuobs.com : 2009-01-09 11:46:51 - Bulletins et Alertes de Sécurité SECURINFOS.INFO - athos has discovered some vulnerabilities in CuteNews that could be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to compromise a vulnerable system.</description><link>http://www.secuobs.com/revue/news/50110.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50110.shtml</guid></item>
<item><title>Warez + TGI = just bad luck</title><description>Secuobs.com : 2009-01-09 10:34:04 - ZATAZ News - The TGI of Bonneville was not hacked. Just a - problem - of IP addressing.</description><link>http://www.secuobs.com/revue/news/50109.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50109.shtml</guid></item>
<item><title>Israeli-Palestinian conflict could result in increased Internet hacking attacks</title><description>Secuobs.com : 2009-01-09 10:33:45 - Security Park - Companies with even the remotest connections to the Middle East have been warned to be on guard against a malware or similar cyber-attack as a result of the ongoing conflict between Israel and the Palestinians. "Our observations suggest that a large number of Web sites have been defaced by a variety of hacker groups from Iran, Lebanon, Morocco and Turkey, and the trend is accelerating," said Br more</description><link>http://www.secuobs.com/revue/news/50108.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50108.shtml</guid></item>
<item><title>BBC News: UK e-mail law 'attack on rights' Rules forcing internet companies to keep detail</title><description>Secuobs.com : 2009-01-09 10:33:33 - Rootsecure.net - BBC News: UK e-mail law 'attack on rights' "Rules forcing internet companies to keep details of every e-mail sent in the UK are a waste of money and an attack on civil liberties, critics say"</description><link>http://www.secuobs.com/revue/news/50107.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50107.shtml</guid></item>
<item><title>Electricpig: Boxee brings BBC iPlayer to Apple TV</title><description>Secuobs.com : 2009-01-09 10:33:33 - Rootsecure.net - Electricpig: Boxee brings BBC iPlayer to Apple TV</description><link>http://www.secuobs.com/revue/news/50106.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50106.shtml</guid></item>
<item><title>Heise Security: Xterm terminal emulator executes injected commands</title><description>Secuobs.com : 2009-01-09 10:33:33 - Rootsecure.net - Heise Security: Xterm terminal emulator executes injected commands</description><link>http://www.secuobs.com/revue/news/50105.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50105.shtml</guid></item>
<item><title>Perpetual Loop</title><description>Secuobs.com : 2009-01-09 09:43:50 - Security Bloggers Network - Sometimes the oddest things make you laugh. After a few hours of fire fighting tonight (I’ll get to that in a minute) I walked out of the office laughing my ass off. I had left a note for El Sidekick on the whiteboard with a message that included ”read your email”. I had sent several emails to our group and </description><link>http://www.secuobs.com/revue/news/50104.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50104.shtml</guid></item>
<item><title>Cowtown Computer Congress - The Underground Lab</title><description>Secuobs.com : 2009-01-09 09:43:50 - Security Bloggers Network - Jur1st at CCCKC announced some HUGE news at the meeting tonight: I am thrilled to announce that CCCKC has come to an agreement in principle to lease a 1400 square foot facility located deep within the limestone hills of Kansas City. Don’t be fooled by the above ground access…the lab lurks 85 feet below the surface of the earth. What started as a few guys kicking the idea around over some pints at the Flying Saucer has become one of the most inspiring and diverse groups of hackers, tinkerers, makers and enthusiasts in the country. There was a huge turnout for the huge news, too. At least 22 people captured in a craptastic panoramic photo by myself with the help of some other attendees. There's other news as well. The 2009 pricing structure was voted on, and there are hefty discounts for going all-in with a year-long membership. Some upcoming community, training, and fundraising events are also coming soon (as in this week). Keep an eye on the CCCKC Blog to stay in the loop. HiR Information Report is a proud member of the Security Bloggers Network. This content originally posted on HiR Information Report. Copyright © 2008, HiR</description><link>http://www.secuobs.com/revue/news/50103.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50103.shtml</guid></item>
<item><title>What Can You Do When Windows Hangs, Locks Up or Becomes Unresponsive</title><description>Secuobs.com : 2009-01-09 09:41:59 - Raymond.CC Blog - Everyone who has used a computer regularly has experienced it from time to time. What would you do if programs consume too much CPU or too much memory usage, or too many programs have been started and your computer has become unresponsive? The mouse cursor still moves but no programs are responding, you cannot </description><link>http://www.secuobs.com/revue/news/50102.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50102.shtml</guid></item>
<item><title>Grand Chamber hearing Scoppola v. Italy</title><description>Secuobs.com : 2009-01-09 09:39:27 - Actualités - The Court held a Grand Chamber hearing in the case of Scoppola v. Italy on Wednesday 7 January 2009. In this case, the applicant, who was sentenced to life imprisonment for killing his wife and injuring one of his children, claims to have been given a heavier sentence than the one provided for by law.</description><link>http://www.secuobs.com/revue/news/50101.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50101.shtml</guid></item>
<item><title>Computer World: MI5 - Internet phone services a risk to national security The danger with </title><description>Secuobs.com : 2009-01-09 09:38:49 - Rootsecure.net - Computer World: MI5 - Internet phone services a risk to national security "The danger with online calls, said spy chief Jonathan Evans, was that they do not result in telephone bills"</description><link>http://www.secuobs.com/revue/news/50100.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50100.shtml</guid></item>
<item><title>PC Pro: Sunday evening - the new web rush hour</title><description>Secuobs.com : 2009-01-09 09:38:49 - Rootsecure.net - PC Pro: Sunday evening - the new web rush hour</description><link>http://www.secuobs.com/revue/news/50099.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50099.shtml</guid></item>
<item><title>Netcraft: Widespread vulnerabilities found in programs which use OpenSSL Due to a common m</title><description>Secuobs.com : 2009-01-09 09:38:49 - Rootsecure.net - Netcraft: Widespread vulnerabilities found in programs which use OpenSSL "Due to a common mistake in checking return values from functions checking digital signatures"</description><link>http://www.secuobs.com/revue/news/50098.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50098.shtml</guid></item>
<item><title>Exotic Weaponeer vs Skeptic Supremo in DR Showdown</title><description>Secuobs.com : 2009-01-09 09:34:38 - Danger Room - Most of the time, it's all trolls and foamy mouths. But every so often, some rather interesting characters stop by Danger Room's comment boards. Take Nathan's item on Claiborne Pell, "The Senator Who Fought the 'ESP Gap'". First, we had</description><link>http://www.secuobs.com/revue/news/50097.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50097.shtml</guid></item>
<item><title>What is Old is New Again: Malicious New Year e-Card Spam</title><description>Secuobs.com : 2009-01-09 09:34:36 - TrendLabs  Malware Blog  by Trend Micro - This “new” threat could be an extension of the spamming and malware operation we also blogged about last December — the same social engineering technique and fake websites that look similar, and the same uniform payloads. New Years-themed e-cards are the bait — the following spammed messages inform recipients that someone has sent them a card </description><link>http://www.secuobs.com/revue/news/50096.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50096.shtml</guid></item>
<item><title>Police hacking</title><description>Secuobs.com : 2009-01-09 09:34:30 - SecuriTeam Blogs - Recent news that UK government approving Police hacking into suspected home computers has caused a bubble in the info-sec world. They can hack into private computers either by sending an e-mail containing a virus to the suspect’s computer or breaking into a residence to install a keystroke logger onto a machine or simply place a </description><link>http://www.secuobs.com/revue/news/50095.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50095.shtml</guid></item>
<item><title>New Trojan Attack Masquerades As CNN News Report On Gaza</title><description>Secuobs.com : 2009-01-09 08:41:53 - Security Bloggers Network - </description><link>http://www.secuobs.com/revue/news/50094.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50094.shtml</guid></item>
<item><title>Links for 2009-01-08 delicious</title><description>Secuobs.com : 2009-01-09 08:41:53 - Security Bloggers Network - * Devil's Advocate Security: High Tower customers, however, were not so well informed, and continue to remain largely in the dark about their disposition of the company. The High Tower website hasn't seen an update since November, and the company's pending release of their newest software version has not occurred. * brightflycom - SIEM Market Narrows with High Tower's Flameout: While they continued winning accolades and being a prominent fixture on the trade show and speaking circuits, the new team was unable to make good on the vision of a turnaround. High Tower abruptly closed its doors last week. Approximately 34 employees lost their jobs and the technology platform is currently up for sale. We are not sure at this time if the original NASA licensing deal is part of the sale. * There is No Money in Phishing But It Still Won't Go Away - ReadWriteWeb</description><link>http://www.secuobs.com/revue/news/50093.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50093.shtml</guid></item>
<item><title>Chamber judgment Mangouras v. Spain</title><description>Secuobs.com : 2009-01-09 08:36:06 - Actualités - In the case of Mangouras v. Spain, the Court found no violation of the Convention. The applicant was the captain of the ship Prestige, which spilled 70,000 tonnes of fuel oil into the Atlantic Ocean near the Spanish coast in November 2002, causing an ecological disaster. The application concerned the applicant's pre-trial detention for, among other things, an offence against natural resources and the environment.</description><link>http://www.secuobs.com/revue/news/50092.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50092.shtml</guid></item>
<item><title>FBIgov xssed</title><description>Secuobs.com : 2009-01-09 08:35:50 - XSSed syndication - Ok it is not the first time, but they had fixed them all. It will probably be the third or fourth time they try to address this damn cgi. Here is the XSS that Babaconda submitted to us (works only in Internet Explorer)</description><link>http://www.secuobs.com/revue/news/50091.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50091.shtml</guid></item>
<item><title>A visual tour of the NET Access Control service via Azure Services Management Console</title><description>Secuobs.com : 2009-01-09 07:36:14 - Security Bloggers Network -    Happy Western-new year Hope you enjoyed your holidays, and thatyou're back to work recharged et ready to authenticate/authorizeeverything in sight ;-I have a long piece I wrote back in December on my flights to Italy,but that's pretty long and somewhat philosophical: after the joys ofyesterday's announcements at CES have you seen Windows 7 yet That'ssimply amazing I decided to start the year with something lighterNamely: today I'd like to walk you though a visual tour of the NETAccess Control Service Remember the sample MMC from my team, which wereleased during PDC Every evangelist in the team contributed thepiece of functionality associated to everyone's focus area, and ofcourse I got the identity parts The MMC leverages the Access Controlservice management APIs for composing a single, comprehensive view ofyour solution settings: trusted issuers, claims transformation rules,claim types, expiration times and so on That view is designed toallow you to understand with a single glance what's going on with theservice: hence, it should be also a pretty useful tool for explaininghow the Access Control service works in the first place For checkingif the view really succeeds in presenting things in a clear way, I'llrefrain from adding all the silly sketches I usually draw in my postsand rely entirely on the MMC visualization which, after all, ismainly one of my silly sketches made parametric and rendered in prettyWPF Below we'll go though the experience of creating a NET servicessolution with the Azure portal, then we will switch to the MMC andwe'll use it to take a peek at the Access Control settings This timewe'll focus on the ServiceBus, and we'll use the Echo sample from theSDK for understanding the effects of the default settings For thetime being we will not change anything in the 
code or the settingsthemselves; in the next installments we'll be more playful ReadyLet's goSolution setup==============As you know by now, if you want to play with the NET services youneed to create a solution first Jenny has an excellent walkthroughfor creating a solution on her blog: I suggest you check it out if youwant detailed instructions Here I'll just show the screens where thesolution name shows up, so that it will give you some sense ofcontinuityLet's say that I successfully entered a new invitation code: firstthing, I need to figure out the name of a solution Remember, thatname must be unique: for our little example I'll pick something"VibroPlayground", hoping that nobody picked it up yetimageHey, the solution name is available Who would have thought hereit's being provisioned Note that a password has been generated forme, we'll see in a moment what is it forimageSuccess My solution is ready and is now listed in the My SOlutionsareaimageIf we click on the solution name, we'll end up in the management page:imageFrom here I can pull all the levers of my solution, for all theservices offered That's what we'd normally do, but in this post we'lluse the management APIs via our custom MMC instead The only thing wewant to do from the portal is change the solution password tosomething easier to remember Let's click on the solution credentialslinkimageWe land on a page from where we can manage the credentials associatedto our solution What does that mean, exactly Let's say that theaccess control service will issue you a token if you'll use thosecredentials What can you do with that token Well, for starters itallows you to call the management APIs for modifying you solutionsettings; second, you can use the same token for things such aspublishing services on the service bus and invoking the servicesthemselves We'll see the mechanics behind both later in the postOK; since I have a horrible memory, let's change the solution passwordto something I can actually 
remember:imageThat's it Normally at this point I would go back to the solution pageand start managing via portal but this time we'll use our MMCinsteadExamining our solution with the Azure Services Management Console=================================================================Let's minimize the browser and fire up our MMC What You didn'tdownload it yet You can get it from here: the install is verystraightforward, thanks to the mighty dependency checker which helpsyou to resolve all the software et setting dependencies, and of coursethere's the full source code for your viewing pleasureThe typical installation will end up generating a folder like thefollowing:imageGo ahead and double click on AzureServicesMMCmsc, you'll get thefollowing:imagePretty classic MMC, uh A tree view on the left, a main panel, and anaction pane on the right: everything is empty so farWhile the portal gives you access to all the solutions you associatedto your LiveID account, the console manages one project at a time Ifyou try to expand the Azure Services node on the tree view, theconsole will try to tie the view to one solution As a result, you'llbe prompted to enter the solution credentials namely, the passwordthat we changed earlierimageIf you are connected to the Internet and you typed in the rightcredentials, you'll get the following:imageThe tree on the left now shows all the services in your solution thatcan be managed with the console; the main pane is pretty much empty,which I believe is a bug in the current version; and on the right Ihave some actions like changing the current user Here I may drill inany service, but I'll go straight to expand the access control nodeimageHere there's a zoom of what the expanded tree looks like I have 3 subnodes: Solution, ServiceBus and Workflow We are getting to the meatof the service Every node represents a logical instance of a R-STS:the Solution will issue tokens for generic usage management API andfor when you want to use the Access 
Control for your own web site orservice; the ServiceBus will issue tokens to be used with the servicebus; and I am sure you can guess what the Workflow is for The MMCallows us to manage any of those, and in the next posts we'll likelydo so: for today we'll just take a look at the ServiceBusThe Access Control default settings for the Service Bus=======================================================Let's expand the ServiceBus node:imageThe loading may take some time, be patient Once it completes, you'llsee the following:imageThe URI you see below the ServiceBus node is a Scope It represents acollection of settings and rules which will apply to all the serviceswhose URI matches the scope URI itself By default we have just thisone scope, which ideally contains all others: any service you'llpublish on the ServiceBus in this solution will start withhttp://servicebus/VibroPlayground That means that until you don'tcreate sub scopes any message sent to your services will trigger therules defined here We'll stick with the default this time, since wepromised we won't change anything; we'll play with sub scopes in thenext postsOK, time to take a look to what constitutes a scope Let's click onthe subnode: you'll get the view belowimageYou'll see the "Loading" notification quite some time: don't worry, wecache everything so it takes long only the first time if you want tosee the MMC in action with cached settings check out this from ~45'on If you've been patient, you'll get to the view below netbookusers, the image is 750 pixel wide: you've got to maximize thebrowser/aggregator to see it allimageTHIS is the core of what IMHO you need to understand for working witha scope: it should be all here Let's describe the screen piece bypieceMain panel----------Those are all the settings which apply to the current scopeApplicationThe application area contains some generic settings:* URI: the URI of the relying party you are configuring, theapplication consumer of the token that the 
current instance of R-STS will issue a token for
* Certificate: this would be the certificate associated to your relying party. If you want the tokens issued by the current R-STS to be encrypted, uploading a certificate here will provide the necessary cryptographic material (read: PUBLIC key of the RP) to do so. As you can see, the default is no certificate
* Expiration: The intended expiration times of the tokens issued by this R-STS
* Permissions: This is very interesting: in this setting you can specify which identities have the right to modify this scope's settings. The default identities are the ServiceBus itself and the solution identity: in this case VibroPlayground, which happens to also be the identity we used for authenticating our management session

Rules view

This is the core of the core: a lot of thinking went in this one, so please let us know if this works or if you'd like to see some changes.

On the left area you have an Issuers area, which includes all the identity providers that our R-STS recognizes as legitimate sources of claims. In this particular instance we have just the system issuers, that is to say all the issuers that the Access Control service recognizes by default minus the current R-STS associated to the ServiceBus. The little pentagon in their icon represents the fact that they are STSes and they issue tokens: you may notice that every pentagon has a further icon to represent the specific issuer, for example the Live ID logo for the live.com one; the STS with empty pentagon represents the R-STS of the solution. This area would also show custom STSes if we had defined some: they would be of a different color for differentiating them at a glance from the system ones. Again, we'll see more of it next time.

In the center, in the azure (no pun intended) vertical band "Rules", we have the current R-STS, the issuer that will issue tokens for this scope following the rules defined here. As mentioned, for this scope this is the ServiceBus one.

The remaining graph represents the default rules
that the Access Control created for this scope. Let's interpret the view, from top to bottom:

* We have a rule which takes in input a single claim from the solution STS
  * it would appear that the rule should work as follows: if you get a token from the solution STS containing a claim "username", and the value of that claim is "VibroPlayground", then include in the output token a claim "Action" whose value is Send
* We have another rule, which again takes a single claim from the solution STS
  * the rule structure is the same as the one already described, only the output claim value changes: now for the same input as above we'll provide a claim "Action" containing the value "Listen"

The little "&amp;" in the chevron doesn't mean much if we have a single input claim condition, but it would apply if we'd have more than one.

If we right click on the last chevron and choose "Edit Rule", we'll get the following: [image]

From here we can change all the rule settings we want: however notice how all the information included in this "table" view is in fact available in the graphic view, though the control view is more handy for edits.

Now we know what claims will be issued by our ServiceBus R-STS, and under which conditions: but what is the effect of those claims? Well, for the ServiceBus the Action claim is very special. Remember the discussion about authorization claims some time ago? Here the .NET services own not only the STS part, but also the messaging infrastructure which routes calls and handles addresses; that means that not only can they be an authorization decision point (by codifying their decisions in form of claims in the tokens they issue), they can be an authorization enforcement point, by defining what a certain claim value means for the service and making it happen. For example: if you want to publish a service on the ServiceBus, you need to present a token issued by the ServiceBus STS which contains an instance of the claim Action with the value "Listen": which happens to be exactly the output of the 2nd rule.
Symmetrically, if you want to invoke a service on the ServiceBus you need to present a token issued by the ServiceBus STS which contains an Action claim with value "Send". So what's the translation in plain English of the two default rules below? With your solution credentials you can publish services and invoke them, which is exactly what you'd expect from the default. We'll put this theory to test toward the end of the post; and we'll play with rules and expand our service audience in the next posts.

Of course this view enjoys all the usual WPF goodness: you can zoom, pan, center and resize, the works. The only thing that is missing is support for drag and drop, but I'll tell you a secret: the WPF control there DOES support the creation of rules by simple drag and drop, it simply doesn't work when hosted under MMC. For the time being ;-)

Claim Types

The bottom area of the main pane is reserved to the recognized claim types. Here you see the default system claims for the ServiceBus scope: of course you can add custom ones, and other scope types (like solution) will have different default claims.

Actions
-------

When a scope is selected in the tree view, the Actions pane gets populated by various commands relative to the scope itself (like the Edit Scope Properties shown below as an example) or the lists it contains. Many of the commands here are also available by clicking directly on the visual elements in the main view. [image]

Echo, echo, cho, o
==================

That's it: we've touched pretty much on every default value and every aspect that can be pulled out via management API. To reinforce some of the concepts we encountered, let's take a quick look at the usual Echo sample from the SDK: [image]

The 2 projects here both connect to the ServiceBus, and they both use the solution credentials for obtaining the token necessary to do so. Below there's the authentication code for the client; the service code is similar. [image]

Let's run the two projects: [image]

As mentioned, we use the solution credentials for both. The
two projects want different things from the ServiceBus: the service wants to publish itself, while the client wants to invoke the service. From what we have seen of the rules above, do you think that the two processes have what it takes for succeeding in their intent? It's a big YES: the solution identity can both Listen and Send. In fact, the example works: [image]

Ahh, that clicks :-)

Next
====

Seeing is believing. I hope that this little tour helped you to reason about the Access Control service structure; I purposefully left out all the philosophy and tried to be as practical as possible, however if you read this you'll discover that all of the above is right on point. I also hope that the MMC will help you to further explore the potential of this great service. In future posts we'll play a bit harder, using the MMC for adding more identity providers, claim types and rules for enabling less trivial scenarios. If you have feedback you know what to do :-)</description><link>http://www.secuobs.com/revue/news/50090.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50090.shtml</guid></item>
<item><title>The Internet Never Forgets — your mistakes </title><description>Secuobs.com : 2009-01-09 07:36:14 - Security Bloggers Network - My apologies for this “phantom” posting… “Pro Dev: Who are We What is Our Role” While editing that posting, I published it way prematurely. Can you say miss-click? Now, I corrected this within minutes, but due to the magic of Google and Feedburner that fragment was whisked onto the net and perhaps will live forever… Now, you would think that The Internet Never Forgets — your mistakes </description><link>http://www.secuobs.com/revue/news/50089.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50089.shtml</guid></item>
<item><title>Let’s see if you figure this out…</title><description>Secuobs.com : 2009-01-09 07:36:14 - Security Bloggers Network -</description><link>http://www.secuobs.com/revue/news/50088.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50088.shtml</guid></item>
<item><title>Keeping information safe from digital spies</title><description>Secuobs.com : 2009-01-09 07:32:14 - Computer Security News - As a new year begins, people are increasingly dependent on digital technology, and cyber security becomes increasingly important as well.</description><link>http://www.secuobs.com/revue/news/50087.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50087.shtml</guid></item>
<item><title>Incorrect Tcpip.sys will cause TCP-Z to not work properly</title><description>Secuobs.com : 2009-01-09 06:44:49 - TCPZ, Best TCP IP Patch - Sometimes the file Tcpip.sys is incorrectly modified by another patch; this will cause TCP-Z to not start correctly. Suggestion: Restore the original file Tcpip.sys, restart the computer, then try TCP-Z again.</description><link>http://www.secuobs.com/revue/news/50086.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50086.shtml</guid></item>
<item><title>Feedback Time</title><description>Secuobs.com : 2009-01-09 06:44:46 - EvilFingers - "Be it shitty or be it nice, send your feedback for it would be wise" We respect your time and precious response to our work, without which we are blind men swimming across the English channel. We really fix our needs and requirements based on the interaction with you, our users. So, kindly email us at contactfingers @ gmail.com with any reports, advice, requirements or compliments, etc. Be it good or be it bad, do contact us. - EF</description><link>http://www.secuobs.com/revue/news/50085.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50085.shtml</guid></item>
<item><title>Crack the FBI Code</title><description>Secuobs.com : 2009-01-09 06:42:16 - Irvine Underground Organization - It’s always a blast to play with our best and brightest or at least what we wish to reveal http://www.fbi.gov/page2/dec08/code_122908.html here’s a tip for those that are not using flash like me see screenshot: “//headlines/code.swf” as in http://www.fbi.gov/headlines/code.swf … note that this is flash and could be full of goodies … solution posted here: http://www.root777.com/computer-security/solving-fbis-2008-code-cracking-challenge/ and if you want </description><link>http://www.secuobs.com/revue/news/50084.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50084.shtml</guid></item>
<item><title>Robot that shovels snow automatically</title><description>Secuobs.com : 2009-01-09 06:35:02 - Hack a Day - Those of you that live in snowier climates will drool over the I-Shovel, a battery powered robot that shovels the snow off your driveway, saving you countless hours of backbreaking labor over the course of a single winter. Its inventors claim that, despite its relatively underpowered motor, it keeps the driveway clear even in heavy </description><link>http://www.secuobs.com/revue/news/50083.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50083.shtml</guid></item>
<item><title>Scandal raises questions about Satyam's ability to retain US customers</title><description>Secuobs.com : 2009-01-09 06:34:16 - Latest from Computerworld - The disclosure that executives at Satyam Computer Services engaged in fraudulent accounting has potentially big implications for US companies that rely on the offshore outsourcing vendor.</description><link>http://www.secuobs.com/revue/news/50082.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50082.shtml</guid></item>
<item><title>New phishing targeted your google account</title><description>Secuobs.com : 2009-01-09 05:29:57 - Security Bloggers Network - This morning I received one message from “Gmail team” with the subject of “Make Your Own Website With Google For Free”. It’s really a phishing message to steal your Gmail account and password. The below is the message body: Make Your Own Website With Google For Free New Event In Google Make Your Own Website With </description><link>http://www.secuobs.com/revue/news/50081.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/50081.shtml</guid></item> </channel>
</rss>

