This Windows batch file will parse Subversion’s svn up output and show you what files were modified, but also what files should be added.

It looks for C++, C, H, PHP, Python, Java and then some. You can easily add your own to the list.

To use simply call localfiles.bat from any versionned directory. Anything you add to the command line will be passed along to svn up. Try these variations :

• localfiles.bat -u to see potential update conflicts.
• localfiles.bat c:\the\path\to\my\project\sources works, you can run the command from anywhere
• localfiles.bat --ignore-externals or any other Subversion command you can think of

In the sample output (below) you will see

• New Source Files are source that were added (localy) but never comitted.
• Modified Source Files are source that are under source control and were modified locally.
• Unversioned Source Files are source that probably should be under source control.
• Each file is listed, with (no source file) if it looks ok.

$ localfiles.bat C:\Users\Guillaume\src\Projects\aucun.selfserve

Gathering data...

======================================
 New sourcefiles
======================================
(none found)

======================================
 Modified sourcefiles
======================================
M       C:\Users\Guillaume\src\Projects\aucun.selfserve\GINA\SecurityHelper.cpp
M       C:\Users\Guillaume\src\Projects\aucun.selfserve\GINA\loggedout_dlg.cpp
M       C:\Users\Guillaume\src\Projects\aucun.selfserve\common\Trace.c
M       C:\Users\Guillaume\src\Projects\aucun.selfserve\GINA\GinaHook.c

======================================
 Unversioned files
======================================
?       C:\Users\Guillaume\src\Projects\aucun.selfserve\GINA\StaticPrompt.cpp
?       C:\Users\Guillaume\src\Projects\aucun.selfserve\shellie\shellie_p.c
?       C:\Users\Guillaume\src\Projects\aucun.selfserve\shellie\dlldata.c
?       C:\Users\Guillaume\src\Projects\aucun.selfserve\shellie\shellie_i.c
?       C:\Users\Guillaume\src\Projects\aucun.selfserve\shellie\shellie.h

Here is the file. I gave it a txt extension, in case you are behing a paranoïac corporate proxy.

J’ai eu à changer ce mot de passe et j’ai bloqué longtemps sur le problème suivant. Et non, je n’ai pas essayé de contacter le support technique à ce sujet, des plans pour qu’ils me demandent de formatter mon PC.

En fait, c’est tout simple. Lorsque vous entrez votre mot de passe dans ce formulaire les majuscules sont converties en minuscules, tout simplement.:

Je me suis douté de quelque chose quand les mots de passe générés par Password Safe ne fonctionnais pas, mais les blasphèmes et insultes marchait tout le temps… Pas de majuscules !

Alors allez vous choisir un nouveau mot de passe SMTP, tout en minuscules. Nous savons tous qu’il n’a pas changé depuis 5 ans au moins !

Fortunately, I had set up LSASS to run under ntsd, which was connected to a remote Windbg.

To edit the registry of a remote machine running under a debugger :

1. Break into the debugger. This step will happen naturally in most snafu
2. Start a shell with the .! command
3. Fix the registry with the command line reg.exe tool. For example, to restore authentication packages type

   reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Authentication packages" /t REG_MULTI_SZ /d msv1_0

4. Type exit to quit the shell (hit Enter enough times to get back to Windbg’s prompt)

Then use the g command to resume execution.

As a side note : The windows subsystem is fully loaded before LSASS.exe starts, or at least there is enough of it to launch CMD.exe and REG.exe.

• Every time you type CTRL-ATL-DEL, a new LogonUI process is launched.
• LogonUI will try to load any registered Credential Providers COM objects.
• You can run any process on the secure desktop

With that knowledge, it is easy to set up a debugging session for your Credential Provider, right on your development machine. Before I continue, be aware that it might affect the stability of your computer temporarily, as the following illustration shows.

To debug your credential provider, you will need this :

• A CredentialProvider that can be loaded by LogonUI
• Microsoft’s Debugging Tools for Windows
• Microsoft’s psexec tool (of Sysinternals fame)

I guess you could also use Visual Studio instead, ymmv. If it works, please drop us a line in the comments.

To start debugging, here is what you have to do:

1. Start a command shell on the Secure Desktop with this command:
   

   psexec -dsx cmd.exe

2. Build a debug version of your Credential Provider and register it.
3. Type CTRL-ALT-DEL to switch to the secure desktop. That will also launch LogonUI.exe
4. Hit Alt-Tab to switch to the command prompt you started at step 1
5. Change to the directory where your source code is
6. Debug LogonUI.exe and set the source path at once, with this command :
   

   windbg –pn logonui.exe –srcpath %CD%

That’s it. You might not be very familiar with windbg, so here are a few tips to get you started:

• When you attached to LogonUI at step 6, the process is stopped. You can enter commands to set breakpoints before resuming it.
• Verify that your Credential Provider is loaded with the lm command. Look for a string like this one:

  000007fe`f5e80000 000007fe`f5e9b000   SampleCredentialProvider   (private pdb symbols)

• Just to be sure, verify that a specific symbol is loaded with this command (you should get an address):
  

  x SampleCredentialProvider!CSampleProvider::SetUsageScenario

• Set a breakpoint to the same location with this command:
  

  bu SampleCredentialProvider!CSampleProvider::SetUsageScenario

• Resume LogonUI with the g command.

You can now lock your workstation and try to unlock it. When LogonUI appears to freeze, ATL-TAB to the debugger. It should be waiting for you with the source file loaded, waiting for your instructions. Type g to resume. Complete the unlock procedure to end LogonUI.

To reattach to logon UI, you can quit windbg and launch it again, but it is easier to list the process with the .tlist command (LogonUI.exe will be the last in the list). Attach to it again with .attach 0n2331 (replace with your PID).

Happy debugging !

Image credits : http://www.123rf.com/photo_6015610_idiot-saws-branch.html

Microsoft new architecture is better, but the separation it enforces makes it hard to play tricks with the security policy. First, there are no shortcuts with Credential Providers. The documentation is formal :

CredentialProviders are not enforcement mechanisms. They are used to gather and serialize credentials. The Local Authority and Authentication Packages enforce security.

So we have to use an authentication package with the credential provider. Nothing that we didn’t see coming. I have played with authentication packages before, it just a matter of writing one.

Second, LogonUI will not kill another user’s session. I am able to get a credential provider tile on the unlock screen, logon with administrator credentials, but then I get this error message :

This computer is locked. Only the logged on user can unlock the computer.

Which makes some sense: why kill (or unlock) a user’s session if you can just start a new session next to it ? Unfortunatly, it does not help the most common use case my custom GINA users need to solve: many users need to access a single application running in a single session.

But I haven’t given up yet.

I tested on Windows 7 Ultimate 64bits, with or without fast user switching. If you ever able to unlock another user’s session, write a line in the comments. I would love to hear about it.

A custom Gina runs in Winlogon’s process. It runs under the SYSTEM account, in the TCB… In short it can do pretty much anything. But some things just can’t be done, no matter what rights you have.

Fortunately, there is an easy way to tell if a GINA can do what you need it to do, without having to write a single line of code.

The trick is to launch a cmd.exe shell (or whatever shell you prefer) on the Winlogon desktop. I used to work with EnumWinStaGui, but Microsoft’s own psexec (of Sysinternals fame) is easier to use.

To run a cmd shell on Winlogon desktop, do the following :

1. Logon with an account with administrator rights
2. Open a command prompt (elevated if you are on Vista or later)
3. Type this command :
   

   psexec –dsx cmd.exe

That’s it ! You will not see your shell, because it is running on the current desktop. To verify that it works, hit CTRL-ALT-DEL and your command prompt will be there. On Vista and later, it will be hidden under the full screen logon application (logonui.exe). Just ALT-TAB to it. That shell will keep running even if you log out, because it is not tied to the interactive session you used to start it. From that command line on the secure desktop, launch whatever command you need to confirm that what you want to do can be done.

For example, say you need to launch a process that will notify a web application just before the password is validated, maybe to start a timekeeping application. Can it be done ? Yes. On the command line running on the secure desktop, type this command :

start iexplore http://www.paralint.com/

It might not work. Maybe your proxy is not set up in the SYSTEM account ? Whatever the problem may be, you need to fix it. Writing a custom Gina is a waste of time if you can’t get past this step.

Tortoise SVN is a Explorer shell extension which calls a Windows executable, TortoiseProc.exe.

To use it from the command line, simply save this batch file somewhere in your path :

@echo off
start "" "C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe"  /command:%1 /path:"%2"

Then simply call like this :

tortoise log http://src.pararlint.com/aucun/trunk

or like this

tortoise commit .

Tested on Windows with 32 and 64 bits version.

Credential Providers cannot make an authentication decision. They only collect credentials. The approach I took in “Aucun” is that the Gina actually makes the authentication decision. That will not work under the new Credential provider architecture.

When I started looking to port my Gina to a Credential Provider, I first though of saving the initial credentials (when the first user logs on), then check any other user’s credential in my own Credential Provider, and if all is good, replay the initial credentials.

That bothered on many grounds :

• There will be a unlock event logged to the initial user, although that user never unlocked the workstation
• I don’t like saving passwords, even to encrypted memory
• That architecture didn’t look like something that would last

Looking deeper into the Credential Provider interface, I saw that there is one decision a Credential Provider can make. It can select what Authentication Package will honor the logon request (or unlock request, in my case). That takes place in my (your) ICredentialProviderCredential::GetSerialisation, by setting the ulAuthenticationPackage field of the CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure.

So I believe the right way of doing this is to have two components :

1. An authentication package that implements the unlock policy (any user can unlock, depending on group membership).
2. A credential provider that collects credentials (and while you’re at it, the session you want to unlock) and instruct winlogon to forward them the “unlock” authentication package.

That architecture fixes all three points above. And as a bonus, I can greatly simplify my existing Gina by merely collecting the credentials and forward them to the same authentication package. No need to hook dialog procedures and sending magic, reversed engineered constants to winlogon. In short, instead of making the Credential Provider look like a Gina, I make the Gina behave like a Credential Provider.

Authentication packages are the same under Vista and XP, that’s a good thing. But to debug them, you need the scary kernel remote debugging tools. You also need to reboot every time you mess up. But I have a working authentication package from CVS NT code source, and another called YPAuth (YP means yellow pages, the old name of NIS). None of them support the unlock scenario, though…

Stay tuned !

Here is an example. With a stock build of ocrad, I have tried to get the text from the same image, with one or two lines over the text.

$ ocrad -v banane.pbm processing file ‘banane.pbm’ file type is P4 file size is 175w x 66h number of text blocks = 1 BANANE	$ ocrad -v banane-1.pbm processing file ‘banane-1.pbm’ file type is P4 file size is 175w x 66h number of text blocks = 1 _ANE	$ ocrad -v banane-2.pbm processing file `banane-2.pbm’ file type is P4 file size is 175w x 66h number of text blocks = 1

The text goes from 100% to 0% percent recognition just by adding two lines ! The word BANANE, then _ANE and after that … nothing !

This CAPTCHA is by no means robust, and I stay convinced that all forms of CAPTCHA are to be avoided. This example just goes to show the effect of segmentation on optical character recognition (OCR).

After all, artificial intelligence is a field of expertise you can spend your life learning. Just like cryptography, it should not be done by amateurs. But unlike cryptography, an AI challenge has no key. Microsoft and Google‘s CAPTCHA have been broken. Your CAPTCHA will be broken too, it someones takes a shot at it. It is a matter of time, and there is a shorter way than brute force.

If you think you must put a CAPTCHA, start thinking about plan B right away… Using an image based CAPTCHA is not good either (post in French).

Je déteste les CAPTCHA. C’est comme de la mauvaise crypto.

Fondamentalement, le CAPTCHA ne fonctionne pas. La tâche d’analyse (le test de Turing) est complexe juste parce que personne ne s’est encore donné la peine d’écrire le code pour réussir. C’est aussi vrai pour la crypto classique, mais ces mathématiques sont soumises à des études formelles et continues. On sait à quoi s’en tenir : avec de la bonne crypto, on déplace le problème ailleurs (la gestion de clé, souvent). En intelligence artificielle, la segmentation est difficile, mais l’ordre de grandeur d’effort est à la portée des botnets actuels.

Trouver un éléphant ou un burger est faisable. Google ne trouve-t-il pas déjà les visages sur les photos ? La faiblesse de ce CAPTCHA, en particulier, c’est l’apprentissage (en supposant que l’implémentation est bonne). La mémoire d’un ordinateur est infinie. Il est possible d’avoir la base de données complète des images en relativement peu de temps. D’identifier ce qui s’y trouve et automatiser le tout. Bien sûr, il ne faut pas que l’image soit déjà dans l’index Google… Autre faiblesse, on sait toujours d’avance combien il y a de (chat-chien-burger-bébé-éléphant). Ça aide à prendre une décision automatisée.

Les attaques sur les CAPTCHA de Microsoft et Google a montré que l’analyse de CAPTCHA n’a pas un taux de succès de 100 %. Un petit pourcentage, multiplié par un bon botnet, ça fait beaucoup de captcha résolus!

On n’a qu’à ajouter de nouvelles images, non? Oui, mais combien coûtera toute cette mécanique, en développement mais surtout en entretien? Quel est le coût réel d’une utilisation abusive du service? Combien coutera l’analyse préalable des images, le classement en mots clés, etc.? On m’a demandé de compter 3 bébés, mais une image en contenait deux, faut-il filtrer ces images-là aussi?

Mais surtout, l’aspect économique de la sécurité est complètement évacué. Ce CAPTCHA est sur une page qui demande un numéro de carte de crédit, mais pas sur la page qui permet d’utiliser le service une seule fois, gratuitement. Et c’est sans compter qu’une ferme de Turing coute 8 $ pour 4000 CAPTCHA résolus. Combien coûte un client légitime dégoûté par toutes ces précautions?

Ce CAPTCHA est l’œuvre d’amateurs. Et j’ai même pas regardé l’implémentation des cookies, session, etc. En bref, implémenter correctement ce CAPTCHA par image coûte beaucoup trop cher.

Si j’étais forcé d’utiliser un CAPTCHA, j’utiliserais un simple encodage javascript des champs du formulaire, variable dans le temps, peut-être avec un hashcash en javascript aussi, et vraiment accolé au pied du mur, j’essaierais recaptcha. L’idée est de transformer tes utilisateurs en ta propre ferme de Turing. Pas fou!