We are still out there, somewhere…

It has been a while since our last post, but then we are both really busy getting our work done and studying for some certification and other stuff. I’d like to promise that we will publish cool stuff on a more regular basis, not sure if we can keep it though. What I DO promise is that I am going to try!

"One must have a good memory to be able to keep the promises that one makes" - F. Nietzsche

So, having said that, here is what has been going on that we have not been blogging about:

Windows 8 and Windows Server 2012 Release Previews are out!

Go, give it a try. And check out all the cool content over at Windows Server Blog and Building Windows 8. Really.

Windows Phone 8 has been announced.

I’m personally looking forward to that, I came to love my Windows Phone 7 and I think this is going to be even better. Read more on the Windows Phone Blog.

  • Device encryption: To help keep everything from documents to passwords safe, Windows Phone 8 includes built-in technology to encrypt the entire device, including the operating system and data files.
  • Better security: Windows Phone 8 supports the Unified Extensible Firmware Interface (UEFI) secure boot protocol and features improved app “sandboxing,” so the phone is better protected from malware with multiple layers of security.
  • Remote management: With Windows Phone 8, IT departments can manage apps and phones remotely, with tools similar to ones they now employ for Windows PCs.
  • Company Hub and apps: Companies can create their own Windows Phone 8 Hub for custom employee apps and other critical business info.

Microsoft Surface has been announced.

Hm, looks nice… but we will see.

Get more (well, not too much more) at surface.com

Moving away from MD5 and keys under 1024 bits.

Some efforts are being made to put more trust into the struggling SSL certificate business, and I guess it also gives us more security. Personally I think that education is the key point when it comes to “trust” and SSL and IT security in general. People should really be aware of what it means to just ignore certificate warnings…

It's up to us IT Pros to make (our) internal servers trustworthy and sort of train users to rely on SSL and watch out for it.

Let's get back to MD5. Recently there has been some media coverage of the so-called “Flame” malware, which used phony certificates to make a man-in-the-middle attack against Windows Update possible. Whoever created the malware used a flaw in Microsoft's Terminal Server Licensing certificate infrastructure to create a code signing certificate that chained up to Microsoft's Root CA. In essence this was possible because the TS Licensing certs used MD5 hashes, which are prone to collision attacks.

More information about Flame on: NakedSecurity; Remote Desktop Services Blog; Security Research & Defense; the Security Advisory can be found here.

Some days after that I (and other customers) received an email from RapidSSL stating that MD5 is to be abandoned by June 1; that is, all (RapidSSL) certificates that have been using the MD5 hashing scheme have been revoked. They also revoked any certificate using a key size under 1024 bits.

Microsoft is also going to release an update that blocks certificates with keys less than 1024 bits. More information on this on the Windows PKI Blog.
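
To see whether any certificates on your own servers would be affected, here is an added example (my illustration, not taken from any of the linked posts) that lists certificates signed with MD5 or carrying an RSA key under 1024 bits. The choice of stores and the output column names are assumptions; adjust them to your environment.

```powershell
# Added example: audit local machine certificate stores for the two weaknesses
# discussed above (MD5 signatures, RSA keys under 1024 bits).
# Assumption: these three stores are the ones worth checking; add others as needed.
$minRsaBits = 1024
$stores     = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'

$md5RsaOid  = '1.2.840.113549.1.1.4'   # md5WithRSAEncryption
$rsaKeyOid  = '1.2.840.113549.1.1.1'   # rsaEncryption

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store -ErrorAction SilentlyContinue) {
        $reasons = @()

        # Signature algorithm: match the OID, fall back to the friendly name (e.g. md5RSA).
        $sig = $cert.SignatureAlgorithm
        if ($sig.Value -eq $md5RsaOid -or $sig.FriendlyName -match 'md5') {
            $reasons += 'MD5 signature'
        }

        # The key size threshold applies to RSA public keys only.
        $keyBits = $null
        if ($cert.PublicKey.Oid.Value -eq $rsaKeyOid) {
            try   { $keyBits = $cert.PublicKey.Key.KeySize }
            catch { $reasons += 'RSA key could not be read' }
            if ($keyBits -and $keyBits -lt $minRsaBits) {
                $reasons += "RSA key is $keyBits bits"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                # Trust in a self-signed root does not rest on its own signature,
                # so an MD5 finding there matters less than on an issued certificate.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                Reasons    = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Store, NotAfter | Format-Table -AutoSize -Wrap
```

An empty result means nothing in those stores matched; certificates that do show up should be reissued with a stronger hash and a longer key.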

Exchange 15 rumors

Exchange 2010 had been available for little more than two years when Microsoft kicked off the “Office 15” technical preview (for a few select people) back in January 2012. Not much information has been published since then, although a beta is expected for “late summer”. Since the Exchange Conference happens to take place at the end of September, I suppose we will all know more by then.

 

That’s it for now. Have a nice weekend!

tom