Following my recent post about the availability of the new Microsoft Card Module API and Base Smart Card Crypto Provider, I went digging for documentation about the pilot deployment of that technology.  I found a good whitepaper here.

I can't resist making a couple of comments about it, though :)  For one thing, the author includes a bit of a digression about digital certificates and attempts to make an analogy to drivers' licenses.  Apologies in advance that I include the whole paragraph for reference, but it's so ripe for commentary.

"Note: Digital certificates, similar to identification cards, are an
encrypted set of electronic authentication credentials that are used to
certify the online identities of individuals, organizations, and
computers.  Certificates are issued and certified by certification
authorities (CAs).  Like driver's licenses, digital certificates are
issued by CAs to provide proof for verifying the identity of online
entities.  However, instead of containing a photograph and the signature
of the owner of the certificate, a digital certificate contains
information that identifies the certificate's owner on the network and the
owner's public key, binding the two elements together.  Furthermore, a
certificate identifies the CA (called the issuer) that issued the
certificate, and this CA must be authorized within the enterprise, to
issue authentication certificates."

1.  Digital certificates are not generally encrypted.  In fact, Microsoft's PKI depends on the more-or-less 'public' nature of certificates, at least within the scope of a given enterprise.  For example, if I steal your smart card, I can read off the certificates and decipher all information included therein.  But unless I have obtained both your card and your PIN, I can't open up the metaphorical door for which the card and PIN are the key.  So encryption of the certificate won't buy you anything more than broken scenarios.

That said, some enterprises are pushing for inclusion of personally identifiable information (PII) or other more private data in their users' certificates.  Note that this still doesn't imply that the certificates are encrypted.  Still, the private data push is interesting, and it certainly places new and different burdens on the applications in which certificates have been used.  For example, digital certificates are sometimes used to bootstrap key agreement protocols.  How can two parties confidently exchange certificates over an untrusted link if the certificates contain PII?

2.  Back to the whitepaper ... I don't think the author intended to imply that drivers licenses are issued by Certification Authorities.  I would prefer to state that drivers licenses are issued by "Licensing Authorities" (e.g. the Department of Motor Vehicles).

3.  Contrary to the second-to-last sentence, certificates may in fact contain, or at least refer to, a photograph and/or signature of the owner.  See this RFC.

One final comment on the whitepaper brings me back to the original point:  the following snippet is a testament to the quality of the new smart card interface and CSP (which are indeed publicly available, contrary to what is stated later in the paper).

"The benefits the card management team derived from using a CSP developed
by Microsoft were that it was small, very secure, efficient, fast, very
reliable, and offered clear end-user error messaging.  In short, its
performance met all Microsoft IT requirements for its clients."

What is it and why is it relevant?  Well, the CardMod API is a new interface for exposing common smart card functionality.  It's by far the easiest way for an ISV/IHV to integrate support for their smart cards into Windows, particularly when targeting PKI scenarios.  It'll also be a sweet way for application writers to interface uniformly with different vendors' cards.

The header (i.e. cardmod.h) is available in the latest Vista CTP SDK download.  As of this post, the latest is February and can be found here.

Documentation for the new API is available online here (see "Smart Card Module Functions").

The premier client for the new API is the Base Smart Card Cryptographic Service Provider (CSP), which is also now available for download and deployment, from Windows Update (select Custom -> Software, Optional).  For the record, the CSP has been heavily tested - it's been rolled out since 2002 at Microsoft and is required for remote access to the corporate network. 

In summary, what used to be an extremely painful job - writing a monolithic smart card CSP to add support for your card in Windows - can now be accomplished by implementing this much simpler ("mini-driver-like") interface.  Anecdotally, we've seen CSPs take multiple man-years to develop, while we've heard of experienced smart card vendors completing a card module in one month!  And it worked the first time we tried it (ah, that was a good day)!!

My boss and I were discussing the types of projects that newbies might want to tackle on their own time, if they aspire to working on some of the components that our team (Windows Security) owns.  He first gave an example that was much more exciting than that though - video games - since that was his job in a former life. 

He said, to paraphrase, "everyone wants to work on video games, right?  Well what would you ask someone to do to prove him/herself before taking on real work?"  He gave the following list.

1.  Write Breakout.  There's an input loop.  I also infer (I have no background in games) that there would be some challenge in getting the rendering to run smoothly as well, even if it's just running in a window.

2.  Then write Asteroids.  Remember linear algebra?  Now you get to use it.

3.  Then render your face on a cube.  Maybe put it in the middle of a "hallway" perspective like Wolfenstein.

After he listed those, I thought, wow how cool!  I don't even want to work on games, but those sound like cool projects.  I'd even do #1 or #2 just for kicks.  It's actually kind of an interesting way to think about an established technology area - what are the smaller projects that someone should do in order to ramp up?  For security/crypto/smart cards:

1.  Hash and digitally sign some data.

2.  Ditto, but with a certificate.

3.  Ditto, but you have to enroll for the certificate (programmatically, of course), and using a smart card.  The end result should be a signed PKCS#7.

Etc. 

I've lately been digging into how NT user mode API calls, as well as system calls into the kernel, can be patched.  This began as idle curiosity about system integrity checks, but has evolved into full-blown awe about the detailed analyses of these subjects that are available out on the web.

Yes - some of the documentation was written by, and for, bad people such as rootkit writers.  But some of it was clearly not, and reading it has reminded me of few things.

1.  After many years of writing code for the OS, there are still lots of things I don't know about it.  That's nice and humbling.

2.  Picking a technical topic and trying to learn as much about it as possible via the web (can you say google-driven learning) is really fun and beneficial.

3.  As a corollary to #2, there's an amazing amount of 'free' info available online on arcane technical topics.

4.  I almost self-suppressed this post, since I hesitated to commit an act that might be viewed by others as contributing to the propagation of information frequently associated with nefarious purposes.  But then I remembered that, since the bad guys already know way more about this stuff than what I've referenced below, the best thing I can do is help the good guys learn.

So, anyway, here are some interesting links.

http://www.summitsoftconsulting.com/NtSystemCalls.htm

http://www.sysinternals.com/Information/NativeApi.html

http://www.internals.com/articles/apispy/apispy.htm

http://groups.google.com/group/microsoft.public.windbg/msg/dfe809e4eaf122d8

http://www.phrack.org/phrack/55/P55-05

I have to admit - I've really had an overall bad experience building this media center PC.  At some point a month or so ago, the thing just stopped booting.  Subsequent attempts to reinstall were not successful.  The main problem I had at that point was getting setup to find my SATA drive.  All the installation media that had worked previously - using XP Gold, XPSP1 slipstream, Media Center 2005 - combined with the BIOS configuration - basically a single-drive RAID, wouldn't work.  I was pissed.

So I went down to Fry's last weekend and bought some different gear.  First, I got a Seagate 160GB IDE disk - big, cheap, and guaranteed to not require a 3rd party driver :)  Next, I got an Antec Sonata case - it was on sale for around $100, includes a 450W power supply, and it really is quiet.  Much - much - quieter than the Lian-Li desktop case I got originally, and since it's a tower, it's a lot easier to work with.  Plus it's shiny black and looks good.  Finally, I picked up a Hauppage PVR-150, since that seems to be what everyone recommends.

The new stuff got me pretty far during the week.  But I still had major problems with the ATI All-in-Wonder.  As soon as I installed its drivers, the machine became sluggish for about 30 seconds and finally locked up - every time.  What a piece of crap!  The strangest thing is, there are people who's opinion I really trust that totally recommend that card.  Maybe the problem is that I'm running an amd64 (although still with 32-bit Windows).  That's my best guess.

So I took Friday afternoon off, determined to do whatever it was going to take to get this system working (I've spent countless hours on this thing by now, and I just needed to move on to bigger and better things in life, you know?), and went and picked up an nVidia GeForce 6200 at Best Buy.  Yes - it's a relatively older card, and I'm sure I overpaid for it, but you know what?  It worked the first time - no problems.

My experience since then has improved considerably!  The only pain, and this is always the case regardless, is downloading the latest drivers for everything and going through about 10 reboots.  After that, I plugged in my cable TV feed to the Hauppage to try my luck.  It detected the available channels and I was recording sappy daytime television in no time!

The next test was to try to configure the builtin digital audio output on the ASUS mobo.  I won't be using this box as my regular DVD player, but I was just curious if I could get the 5.1 to work.  About 2 hours later, I still was only getting stereo.  Then I learned - the nVidia software decoder that I was demoing doesn't output 5.1; it downgrades it to two channel.  I read that the latest WinDVD software decoder would allow the digital out to pass the full 5.1 signal, but I haven't tried that yet.  Since everything else is working at this point, maybe I never will!

One practical problem remains - my old house doesn't have grounded outlets, at least not where I need them, and I'm nervous about plugging in every single piece of my relatively new entertainment center gear into a single ungrounded outlet via adapters.  That's just asking for trouble.  So I need to install a grounded outlet before I setup this machine in that area, run it through the main receiver, and use the TV as the primary display.

What a mission!

Try this search in both http://search.msn.com and http://www.google.com:

who is the vice president of the usa?

Okay, I'll spoil it - MSN returns the (correct) current VP, right at the top, based on their builtin encyclopedia lookup feature.  Google, however, returns some link to Hubert Humphrey as its top link.  Pretty comical actually.  Frankly, I'm not sold on one engine vs the other at this point, but that's pretty lame.

I recently bought components to build my own media center PC.  The primary purpose is to be able to conveniently rip my CDs to mp3 and listen to them on my stereo.  The secondary purpose is to be a Personal Video Recorder, since we don't already have a TiVo or anything.  I've had some problems getting the PC up and running, though.  Here are the components I went with, along with comments about my experience so far.

• Asus K8V SE Deluxe mobo
• I read about this mobo in Computer Power User, or a similar mag, and it was rated favorably.  I think it's actually intended more as an over-clocking board for gamers, and over-clocking isn't my thing, but whatever.  This piece has been my most significant source of angst so far, though.  The problem is that it came with an old bios revision, which wasn't compatible with my processor, or possibly just not compat w/ 64-bit WinXP.  Suffice to say, I managed to get XP installed, but it wouldn't boot after that.  In booting to safe mode, it appeared that the last driver to load was ACPI-related, so I was pretty confident that a bios upgrade was in order at that point.  But the bios update failed, even after I tried the latest flash tool and image from the Asus website!  Now the board won't POST, and I'm waiting for a new bios chip from Asus.  The latter is costing me $40 in order to not have to wait two weeks for it to show up.  Not cool.  I fault both Asus and Directon.com for supplying me w/ gear that's out of date and not compatible.  How hard would it be for them to pop the latest bios into the board when they ship it to the customer?
• AMD64 2800+
• This proc is getting to be a bit slow these days clock-speed wise, but it's damn affordable and still pretty fast.
• 512 MB RAM
• I decided not to go with a gig in order to save $$ to spend on the other components.
• 80 GB SATA Seagate Barracuda HDD
• This is basic stuff at this point - SATA has apparently become the standard gear for performance PCs (as opposed to servers, for which SCSI still makes sense) since it's fast and it versatile in multi-drive configurations.  However, 64-bit XP couldn't find my drive during setup, by default.  This was really weird, because I built a similarly configured PC about six months ago and it worked just fine (see my earlier post).  Anyone have any idea what's up with this?  Anyway, it didn't occur to me to try installing a 3rd-party SATA driver during setup, so I instead configured it as a one-drive RAID "array" and installed the appropriate driver for that instead.  Interestingly, this mobo has two different RAID controllers present.  But this seems to be working, assuming I can get the bios fixed.  
• Antec Phantom 350W Fanless PSU
• I spent a bit extra on the PSU in order to make the machine as quiet as possible.  This thing is built like a big heat sink, which is expected.  The tradeoff is that I'm not using a tower case, so everything's packed pretty close together, and during my initial boot testing the components were getting pretty hot.  My gut feeling at this point is that I should have bought a fan-based PSU w/ a really quiet fan since that might have kept the overall PC cooler, but finding a quiet fan seems really hit or miss.
• Black Lian-Li Desktop PC-V800B case
• I think this case looks great, and it's solidly built, in accordance w/ Lian-Li's reputation.  The front of the unit reminds me of a power amp, so it should look right at home in a media center.  One hitch, the 3.5" drive bays require plastic rails that let the disk simply slide in.  I've been told that those are proprietary.  But the box didn't come with any!  As a result, the optical, floppy, and hard disks are stacked right on top of each other at the front of the case, since I can't use the separate bays off to the side without finding the darn brackets.  That's not helping air circulation, I'm guessing.
• ATI All-in-Wonder 9800 Pro, 128 MB, AGP8x video card
• I consider this to be the component I took the biggest risk with, for a couple of reasons.  First, it's an older model, which let me save some cash.  Second, the newest cards are PCI Express, which in some situations can apparently be much faster than AGP, although requires a supporting mobo, which the above does not.  Third, I read that if you really want to do television PVR, you should buy a separate Haupage TV tuner, which I wanted to avoid, again for cost reasons.  Finally, although I didn't learn this until afterward, my buddy Gus bought this until a year or so ago and had poor results w/ the ATI's driver quality.  I sincerely hope they've cleaned up their act since then, or else I'm going to feel really screwed on this purchase.

Anyway, I'll post on update once the new bios chip comes.  I'm still on the fence about whether to really try to use this new machine w/ 64-bit XP, or to chicken out and use 32-bit Windows MCE instead.  All of my drivers (except the printer ...) seem to be available on 64-bit, but it still might be too much of a hassle to not be using the built-in features of MCE.