Credential Providers cannot make an authentication decision. They only collect credentials. The approach I took in “Aucun” is that the Gina actually makes the authentication decision. That will not work under the new Credential provider architecture.

When I started looking to port my Gina to a Credential Provider, I first though of saving the initial credentials (when the first user logs on), then check any other user’s credential in my own Credential Provider, and if all is good, replay the initial credentials.

That bothered on many grounds :

• There will be a unlock event logged to the initial user, although that user never unlocked the workstation
• I don’t like saving passwords, even to encrypted memory
• That architecture didn’t look like something that would last

Looking deeper into the Credential Provider interface, I saw that there is one decision a Credential Provider can make. It can select what Authentication Package will honor the logon request (or unlock request, in my case). That takes place in my (your) ICredentialProviderCredential::GetSerialisation, by setting the ulAuthenticationPackage field of the CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure.

So I believe the right way of doing this is to have two components :

1. An authentication package that implements the unlock policy (any user can unlock, depending on group membership).
2. A credential provider that collects credentials (and while you’re at it, the session you want to unlock) and instruct winlogon to forward them the “unlock” authentication package.

That architecture fixes all three points above. And as a bonus, I can greatly simplify my existing Gina by merely collecting the credentials and forward them to the same authentication package. No need to hook dialog procedures and sending magic, reversed engineered constants to winlogon. In short, instead of making the Credential Provider look like a Gina, I make the Gina behave like a Credential Provider.

Authentication packages are the same under Vista and XP, that’s a good thing. But to debug them, you need the scary kernel remote debugging tools. You also need to reboot every time you mess up. But I have a working authentication package from CVS NT code source, and another called YPAuth (YP means yellow pages, the old name of NIS). None of them support the unlock scenario, though…

Stay tuned !

Here is an example. With a stock build of ocrad, I have tried to get the text from the same image, with one or two lines over the text.

$ ocrad -v banane.pbm processing file ‘banane.pbm’ file type is P4 file size is 175w x 66h number of text blocks = 1 BANANE	$ ocrad -v banane-1.pbm processing file ‘banane-1.pbm’ file type is P4 file size is 175w x 66h number of text blocks = 1 _ANE	$ ocrad -v banane-2.pbm processing file `banane-2.pbm’ file type is P4 file size is 175w x 66h number of text blocks = 1

The text goes from 100% to 0% percent recognition just by adding two lines ! The word BANANE, then _ANE and after that … nothing !

This CAPTCHA is by no means robust, and I stay convinced that all forms of CAPTCHA are to be avoided. This example just goes to show the effect of segmentation on optical character recognition (OCR).

After all, artificial intelligence is a field of expertise you can spend your life learning. Just like cryptography, it should not be done by amateurs. But unlike cryptography, an AI challenge has no key. Microsoft and Google‘s CAPTCHA have been broken. Your CAPTCHA will be broken too, it someones takes a shot at it. It is a matter of time, and there is a shorter way than brute force.

If you think you must put a CAPTCHA, start thinking about plan B right away… Using an image based CAPTCHA is not good either (post in French).

Je déteste les CAPTCHA. C’est comme de la mauvaise crypto.

Fondamentalement, le CAPTCHA ne fonctionne pas. La tâche d’analyse (le test de Turing) est complexe juste parce que personne ne s’est encore donné la peine d’écrire le code pour réussir. C’est aussi vrai pour la crypto classique, mais ces mathématiques sont soumises à des études formelles et continues. On sait à quoi s’en tenir : avec de la bonne crypto, on déplace le problème ailleurs (la gestion de clé, souvent). En intelligence artificielle, la segmentation est difficile, mais l’ordre de grandeur d’effort est à la portée des botnets actuels.

Trouver un éléphant ou un burger est faisable. Google ne trouve-t-il pas déjà les visages sur les photos ? La faiblesse de ce CAPTCHA, en particulier, c’est l’apprentissage (en supposant que l’implémentation est bonne). La mémoire d’un ordinateur est infinie. Il est possible d’avoir la base de données complète des images en relativement peu de temps. D’identifier ce qui s’y trouve et automatiser le tout. Bien sûr, il ne faut pas que l’image soit déjà dans l’index Google… Autre faiblesse, on sait toujours d’avance combien il y a de (chat-chien-burger-bébé-éléphant). Ça aide à prendre une décision automatisée.

Les attaques sur les CAPTCHA de Microsoft et Google a montré que l’analyse de CAPTCHA n’a pas un taux de succès de 100 %. Un petit pourcentage, multiplié par un bon botnet, ça fait beaucoup de captcha résolus!

On n’a qu’à ajouter de nouvelles images, non? Oui, mais combien coûtera toute cette mécanique, en développement mais surtout en entretien? Quel est le coût réel d’une utilisation abusive du service? Combien coutera l’analyse préalable des images, le classement en mots clés, etc.? On m’a demandé de compter 3 bébés, mais une image en contenait deux, faut-il filtrer ces images-là aussi?

Mais surtout, l’aspect économique de la sécurité est complètement évacué. Ce CAPTCHA est sur une page qui demande un numéro de carte de crédit, mais pas sur la page qui permet d’utiliser le service une seule fois, gratuitement. Et c’est sans compter qu’une ferme de Turing coute 8 $ pour 4000 CAPTCHA résolus. Combien coûte un client légitime dégoûté par toutes ces précautions?

Ce CAPTCHA est l’œuvre d’amateurs. Et j’ai même pas regardé l’implémentation des cookies, session, etc. En bref, implémenter correctement ce CAPTCHA par image coûte beaucoup trop cher.

Si j’étais forcé d’utiliser un CAPTCHA, j’utiliserais un simple encodage javascript des champs du formulaire, variable dans le temps, peut-être avec un hashcash en javascript aussi, et vraiment accolé au pied du mur, j’essaierais recaptcha. L’idée est de transformer tes utilisateurs en ta propre ferme de Turing. Pas fou!

The trick is to subtract 4 from the Capabilities in the registry. Not easy, but it can be done. The only thing is that it keeps coming back after every boot ! And it looks like the value cannot be edited under Vista. Here is how to fix it for good.

What has to be done (but doesn’t work)

Find the drive that shows up in the safely remove hardware icon in your registry. It will be somewhere under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\. My DVD drive was here :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomHL-DT-ST_DVDRAM_GMA4082Nj_______________PM01____

There is a numerical an alphanumerical key under that with a DWORD Capabilities value.

It is a bit field. The bit 0010 (4 in decimal) is the REMOVABLE bit. Clear it by subtracting 4 from the value you have. The value I had was 6, so now I am down to 2.

If you try to do that, you will get an access denied. That’s ok, we will get around that. For now, right click on the key name and copy it (the key named 5&3392c8c4&0&0.0.0 in my example).

Same idea, that works manually under Vista

You need to have the TCB privileged enabled to modify that registry key. Running regedit as an administrator (or elevated, if you have UAC) will not work. You can fix the value with this command line :

psexec -s reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomHL-DT-ST_DVDRAM_GMA4082Nj_______________PM01____\5&3392c8c4&0&0.0.0" /v Capabilities /t REG_DWORD /d 2 /f

You will have to replace the key name with what you found in your registry. Running psexec -r regedit might work, but who wants to do that every time the computer boots ?

Permanent fix

I hardly ever run as an administrator, so putting the above command in a script was out of the question. The solution was to create a Task using Windows Task Scheduler. I set it to run at startup, under the SYSTEM account. Don’t forget the /f (force) flag, or else the job will appear to hang, waiting a confirmation from you.

Create a new task. In the “General” tab, click Change User or Group and enter “SYSTEM” . Trigger on startup and enter the same command as above, but without psexec -s. Your task is running reg.exe, with everything right of that (in the command line, earlier) as optional arguments.

Good luck and HTH !

After a few lines in, I realized that I would be less work to order the tests in a way that would minimize the change to the configuration between any two tests. In other words, when a n+1 test case required a change to the registry, then the user group membership should not change, and vice-versa. That would also make it easy to investigate a failed test, because only one thing would change between any two tests.

Then it hit me.

Well actually, I had to stop and think for a while. Kind of like my mind restoring a dusty old tape archive… I remembered that mathematician Richard Hamming had a code for that. It’s a numbering scheme where only 1 bit changes between any two numbers. The number of bits that change is the Hamming distance between two numbers. Using four information bits to represent each possible use case, I came up with the following table. The first two rows (MSB, in blue) are user membership to a group, and the two last rows (LSB, in green) is the presence of that group in the registry. Ordering my tests that way gave me a constant Hamming distance of 1.

The only drawback to this is that all the typing I saved writing my test batch file, I wasted on this blog post !

I wrote a little batch file that will launch forrest in a new window when the “run” option is used, and in the same window when any other option is used. Here it is :

@echo off
if "%1"=="run" goto NEWWINDOW

call "%FORREST_HOME%\\bin\\forrest.bat" %*

goto END

:NEWWINDOW
start "Forrest" cmd /C "%FORREST_HOME%\\bin\\forrest.bat" %*

:END

You can also add a /T:2F switch to make the window white on green. I often have quite a few console windows running, separating them by color reminds me which one is which !

I had trouble finding the information. I went looking for the link again without any success. So I am posting it here, where I will always be able to find it !

Update 2008-01-25 : You must add this XML to the file $FORREST_HOME/main/webapp/jettyconf.xml

<Call name="addListener">
  <Arg>
    <New class="org.mortbay.http.SocketListener">      <!-- Add this next line -->
      <Set name="Host"><SystemProperty name="jetty.host" default="localhost"/></Set>
      <Set name="Port"><SystemProperty name="jetty.port" default="8888"/></Set>
      <Set name="MinThreads">5</Set>
      <Set name="MaxThreads">100</Set>
      <Set name="MaxIdleTimeMs">30000</Set>
      <Set name="LowResourcePersistTimeMs">5000</Set>
    </New>
  </Arg>
</Call>

You know its working when you see this in the Forrest window:

21:05:11.864 EVENT  Apache Cocoon 2.2.0-dev is up and ready.
21:05:11.864 EVENT  Started SocketListener on 127.0.0.1:8888
21:05:11.864 EVENT  Started org.mortbay.jetty.Server@df8f5e