Slashdot Mirror

I've been playing around with this a bit http://www.sandboxie.com/ even though it puts your browser in a sandbox, you can move anything you downloaded to it to your system. I'm not sure how well it works I've only just found it.

Run keygens under Sandboxie and you won't have to deal with that.

You can try http://www.sandboxie.com/

It doesn't even need to be a virtual XP+IE8. SandboxIE can already keep ActiveX controls within a sandboxed environment. If Microsoft built something like this into IE9 or Windows 8 (or whatever the next versions are called) they could easily keep ActiveX around, but sandbox it so it would be safe to use.

Or you could just use SandboxIE, which lets you run any program in its own little sandbox that can be tossed whenever you like. Easy to set up and use and 100% free. Why not give it a try?

You can always Sandboxie or a VM to run the game. Any rootkit included with the DRM will be isolated from the rest of your system (albeit still executed).

Not an ideal solution to DRM in the long run, as not everyone can set up a VM.

It is perfectly possible to run programs that aren't trusted. You just can't allow them to do certain things. This is the main principle of sandboxing, and a good operating system should sandbox every single application completly, unless someone with administrator privileges requests otherwise. And even such requests should only be exceptions to the sandboxing.

I am running every program I don't trust sandboxed with sandboxie. It isn't a perfect solution as it isn't as well integrated into the system as it could be. There is also the problem that I don't have a 64 bit upgrade path because Microsoft is preventing low level security programs from working on their x64 operating systems.

When I install a game I want to be able to say:

"By default you'll have access to the same things as any program and that is read access to executables/libraries and settings registered as public. I'll also grant special rights to access the internet, but because of that you won't be able to access my documents folder (even in read mode) because that would constitute a security risk."

Finally, a whitelist to authorize installation of well known libraries (DirectX, Java, etc.) would further reduce the burden of making hard security decisions.

This is why the security on most operating system suck currently. There is too much trust given to installers.

I do like the idea of sandboxie which redirects any disk (and registry) write access outside of the sandbox, preventing virus and malware (such as securom) from taking over the system. Unfortunally it doesn't function on Vista 64 because patchguard exists to prevent security systems or rootkits from installing.

The disadvantage with sandboxie is that it is a little rusty when it comes to the user interface part. I think an operating system built around a sandboxie like system, treating each application as its own sandbox, would be far better in that area. The advantage with using sandboxie is that it is faster and less memory consuming than running a full virtual environment.

It actually looks like you may even be able to run securom games in a sandbox under sandboxie as long as you give them access to the dvdrom pipes. Not sure how well it works with the latest version of securom though.

This is why the security on most operating system suck currently. There is too much trust given to installers.

I do like the idea of sandboxie which redirects any disk (and registry) write access outside of the sandbox, preventing virus and malware (such as securom) from taking over the system. Unfortunally it doesn't function on Vista 64 because patchguard exists to prevent security systems or rootkits from installing.

The disadvantage with sandboxie is that it is a little rusty when it comes to the user interface part. I think an operating system built around a sandboxie like system, treating each application as its own sandbox, would be far better in that area. The advantage with using sandboxie is that it is faster and less memory consuming than running a full virtual environment.

It actually looks like you may even be able to run securom games in a sandbox under sandboxie as long as you give them access to the dvdrom pipes. Not sure how well it works with the latest version of securom though.

Ummm....I wasn't preaching Noscript. I said I had to use Noscript to keep my customers from getting boned by the exploit o' the day. And I know it is a bandaid,which is why I made the suggestion about the penalty box. And as for getting boned by Noscript,I've personally never had it happen. Because I use whitelists and don't care if some site has some "whizz bang" JScript on it. If I really want to try it that bad I look at the page layout and see where it is coming from. If it is coming from some "202.156.xxx" I avoid it like the clap. If it isn't I run SandboxIE with Firefox to throw it into a temp sandbox. Although with all the exploits coming out lately I have been running the sandbox more and more just to be safe.

I agree with you 110% about needing to shore up JScript security. It just seems like folks are into this "web 2.0" buzz so hard that nothing will be done until some uber nasty hits the web that totally bones enough users that folks say enough and start looking for JScript blockers. Oh,and I do run Adblock Plus as well. No use wasting my bandwidth on some stupid "hit the monkey and win an iPod" ad. But I am old enough to remember when ActiveX got the same buzz that JScript has now,with everybody tripping over themselves to make websites that featured ActiveX goodies. And if JScript doesn't get locked down and soon,I'm betting it will end up being looked at in 5 years like ActiveX is now. That is,it sounded like a good idea at the time,but then the malware ruined it. But as always this is my 02c,YMMV

For me, I would find that to be a useful feature -- two browsers with two profiles, and as long as the two have distinct visual settings, you can have the best of both worlds.

Cheers

You may want to give my approach a go. I have Sandboxie installed and I run firefox sandboxed by default. To run it unsandboxed I have a batch that launches it, so I'm aware I'm doing something "unsafe". There is an option to allow the sandboxed browser to directly access your favorites, so even if you empty the sandbox whatever you bookmarked remains.

That alone should stop most attacks, but if you want to be even more paranoid you can also install SysInternals' tools. They come with a wonderful little tool called psexec that will allow you to launch any process as a limited user like this: psexec -ld firefox.exe The "-ld" switches mean '[l]imited' and '[d]ont wait for process to end'.

So the sandboxed firefox (and IE, for the work-related or other odd sites that demand it) also run as limited users. In fact you can use the windows START command in your sandboxed batch file to run them in high priority ( START "annoying mandatory title" /HIGH "psexec -ld c:\prog~1\mozilla\firefox.exe" ) and your browsing experience should be a blazingly fast and safe ;)

Here is a nice little freeware sandbox I use for bad ID10T Windows problems.Works well and is easy to use.Enjoy! P.S. It'll work on FF and anything else you want to sandbox,not just browsers.

You can also take provisions to have the code run in a secured environment. Have a look into the Windows Steady State if you want to maintain an immutable desktop that gets reset to an initial configuration chosen by you every time you restart the PC. That will prevent enterprising users like myself from fiddling with everything from windows themes and UI (I love Royale Noir!) up to installing all manner of unsanctioned programmes like Geany, Python, whathaveyou. Or run the OS on a virtual machine.

Or if that is too inflexible/cumbersome, have the most "dangerous" apps run sandboxed with something like Sandboxy http://www.sandboxie.com/

I realize this does nothing to insure that your programs are trustworthy, but you can at least keep an eye on those programs that you need to run but are unsure of, and minimize the damage they can do to your system. I particularly find running web browsers sandboxed most useful.

My laptop is worse than yours, core2 duo with 2GB and shared graphics, and I have none of the problems you are complaining about. I actually choose to use vista over XP a linux, both of which I have used on the laptop in the past.

1. I uninstalled Norton. I use Sandboxie, and highly recommend it.

2. My power management puts my laptop to sleep both if I leave it unattended for the set period of time, or if the battery gets to low. It's simple to control which icons are hidden or not using the notification area properties. My battery level, network connectivity, sound, etc are never hidden, while others like my camera assistant software are never visible.

3. My laptop steps down perfectly. You can even watch it do it in real time using the reliability and performance tool. Granted, if you put your laptop in high-performance mode, it won't step down, but that's only because that's what it is supposed to do. Try 'balanced.' my laptop has never shutdown due to overheating, unlike my friends laptop (running XP), which he has to constantly use in low-power mode, otherwise it will overheat and fail.

4. I use firefox the vast majority of the time, and I have never seen a message like this when using IE on the firefox-incompatible sites I visit.

5. I have never had problems connecting to a wireless network that is within range. I also find my wireless card is a couple of levels better than those of my friends, although I attribute this to the wireless card, rather than the OS; I can frequently connect to networks that they can't even see.

Sandboxie
Filemon

Perfect for stopping applications from doing such things (or with Filemon, logging it). While I'm definitely not an uneducated user when it comes to computers, those tools are excellent.

And to the earlier poster who said limit whitelists in Noscript: Why use whitelists at all? I mean,it only takes a couple of seconds to click allow and since on flash objects doing so allows you to see the URL,isn't it safer to just take the extra few seconds? I know there have been a few times in the past where I have gone to watch a flash on a site I trusted only to see the URL redirecting all over the web and passed. Sure enough in a day or two I would read about some massive hack hitting thousands of sites. I personally would rather take the time than be boned.But that is my 02c,YMMV

For different reasons from the article, I set up a similar situation for my somewhat (ok, quite) computer illiterate in-laws. One, "promiscuous" browser, firefox running in sandboxie, and a second, for doing anything which doesn't work from the first. (Firefox updates, etc.)

No, it doesn't protect against keyloggers, phishing, or anything else that is a "real" security threat, but my time cleaning out malware/trojans and other junk has gone drastically down. The fact that browsing/search history doesn't survive the session is an added bonus for them. (Though I didn't know about the auto clear in firefox, is that a new feature?)

Forget the delete cookies/history/temp files routine. Get Sandboxie.

Not just for browsers either.

I haven't used it myself, but saw a link to it recently (on /. I believe) and thought it might be interesting:

http://www.sandboxie.com/

http://www.sandboxie.com/

Consider sandboxing your browser. This has been out for a while:

http://www.sandboxie.com/

has anyone seen sandboxie ?
It is sort of virtualization of individual applications.

There already exist Windows software for virtualising applications; these are called sandboxing applications. Sandboxie is a great example. Sandboxie is gratis, but you are encouraged to register/pay. Only drawback with Sandboxie is that it isn't Open Source - although I seriously doubt that "SoftGrid" will be Open Source either...

In other words, I think we should Sandbox Everything.

Apparently, SE Linux is trying to do something like this, but OS vendors need to find a way to make this whole process seamless and easy, so that I can right click on an application, go to permissions, and say, "This program I will allow to read my home directory, but only write to its own directories; that one I will let write anywhere, but read only itself" and so on.
--
I use Sandboxie to surf the web, http://www.sandboxie.com/ which asks you what you want to save to your _real_ HD when closing up, I really like it that way, that way only stuff you really _want_ will get on your disk.

Yeah they fail on removing files. I ran browzar (silver addition) in sandboxie http://www.sandboxie.com/ and it left behind 34 files, 16 folders for a total 1.72mb of stuff that they claim shouldn't be there. You can view what was left behind here (zipped) http://rapidshare.de/files/31863264/Browzar_Stuff_ Left_Behind.zip When I ran browzar all I did was enter fast car in the search bar at the top right, after going through 4 pages or so called search results all I saw was 40 results of sponsors. Yeah sounds like adware to me. Then then went to google.ca and entered fast car, better. Oh well next :)

His working implementation is available at http://www.sandboxie.com/

Maybe he'd tell you in exchange for a redesign of his site.

Sandboxie works really, really good for this purpose. You can sandbox IE (or any other app for this purpose) and even if you get infected by spyware, as soon as you close IE, all is gone.

http://www.sandboxie.com/