Slashdot Mirror
Hack in the Box Meets Windows Vista
Strange_Brew writes "It appears Microsoft is really going all out to get Windows Vista secured before its release date in 2007. There's an article on PC World which talks about Microsoft's plan to give Asia's largest hackers conference an inside look at the new security features in Windows Vista this coming September." From the article: "The Hack In The Box conference will host two speakers from Microsoft. The first, Dave Tamasi, a lead security program manager at Microsoft, will give a presentation on security engineering in Vista. The talk will include a discussion about features suggested by hackers and other security conscious members of the computing community, in addition to security improvements made on Vista. The second speaker, Douglas MacIver, a penetration engineer at Microsoft, will review Vista's BitLocker Drive Encryption and the company's analysis of threats and attempts to penetrate the security feature."
...when companies "invent" some home brewn encryption and offer $100,000 or so to anyone who can crack it.
When noone does the company calls his product uncrackable. These events and claims are without credibility, security doesn't get manufactured this way.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
that this will only result in further delays, until MS have the product "satisfactory". Almost makes the $9 billion investment seem like a joke.
heck, I'm afraid of my dual booting XP just sharing a data partition on my Linux drive..
I myself think it's interesting that there are actually "penetration engineers" at Microsoft.
......
Makes sense, after all. I've always kinda felt like MS was giving it to us all up the
[/sarcasm]
I remember the days before the release of XP SP2 - it was announced to be a security update that will make Win XP the most secured OS out there. Since then who can count the number of patches, updates and vulnerabilities. I wonder if it will be different with Vista...
Omgili - Find out what people are saying.
This is probably true. On the other hand it has been claimed about every version of MS Windows since Windows NT 3.1. The bottom line is: will it be as secure (out of the box) as competing products such as Linux, BSD, Solaris and OSX? I personally doubt it. Microsoft has built itself into a box, through decisions taken years ago, from which it is hard for them to escape. I am trying to keep an open mind though.
One of the common myths is that Windows is just a victum of it's own success. The logic behind the myth is that if Mac or Linux where just as popular then the same exact problems would occur.
There is one major difference... Mac and Linux allow privileged processes to remove (and even replace) a file that still is in use. Vista continues to "protect" files that are in use from deletion.
I don't even know where to begin on that one...
Maybe HE is the one in charge of "screwing us over"..
Thank you for the deep insight in your security. You'll get our response after your release.
Yours,
Asia.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
...which is that they will find lots of holes that will compel Microsoft to delay even further!
You're as much of an idiot as "Strange Brew," who posted this.
Microsoft is being protective of ITS malware. It's ITS as a possessive form, you ignorant dullard.
Microsoft will never make Windows secure. They can only improve its software and make it harder for the hackers, but these things usually end up like at any other game - if there's a bigger challenge, there's also a bigger prize at stake and more competition.
Microsoft does have a good operating system in their hands and I'm sure Vista is going to take a huge leap ahead. However, history tells us that all attempts have been futile so far and I honestly think - no matter what you Linux geeks here say - that if Linux was on 95% of all PC:s, we'd see the same thing going on for Torvald's armada. If Microsoft was the small competitor, it would have been considered a clever runner-up with bold ambitions and virtually no viruses available, nor any known hacks. The biggest, baddest of all companies gets the most crap thrown at it. Simple as that.
Full Tilt
Yeah, because overwriting core OS files would be so much harder if the OS allowed it.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
I hadn't spotted that: I was too busy fuming over the "where as popular" error.
...it probably requires clarification.
The box they built themselves into - or rather that they had to build around themselves - isn't so much the box that is the security model in Windows. I have no doubt whatsoever that Microsoft is entirely capable of locking down the system so badly that nobody but the most powerful ueber-god of a SysAdmin can open it back up to a casual user, let alone out to the internet for hackers to 'crack'.
But therein lies the problem as well. Windows users are -not- ueber-gods of SysAdmins, and this shows in the decisions that they feel are forced to make. I can't spot it in all the Slashdot story summaries on Vista right now, but there have been at least two stories in which there was a reference to Microsoft dropping a security feature or loosening a security setting -because- major clients of theirs told them that things were 'just too complex'. And this is in an operating system that guides you through reasonably easy-to-read GUIs with hint balloons and help files up the wazoo. You can well imagine what happens if you'd sit them down behind a screen that just shows a prompt and a one-liner telling them that security settings can be changed by editing the text file "omfglolwtfbbq.conf"
So yes, they're in a box that is difficult to get out of - but that's mostly because their clients make the walls so damn slippery after plating the bricks with titanium and burned down all but one of the ladders, then stationed several million angry users alongside it, hissing and whining at them whenever they try and scale it.
They are, well and truly, damned if they do - and damned if they don't. But at least they realize that they are a little less damned in the first case.
I don't doubt that Vista is going to be the most secure Windows version ever. Anything else would not only be disappointing but a desaster. It would mean that Windows is getting even LESS secure as it moves through the years, that development caused the system to worsen instead of improve.
That Vista is going to be the most secure Windows Version ever is a given. I'd laugh at anyone who tries to sell it with this as the catchphrase. It's like saying "Oh, well, he's on time every day" when trying to say something nice about a coworker. If you say that, it tells me that he has no other redeeming features!
Let's talk about the question how it fares compared to other systems from other manufacturers.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Well it is a two part problem. Surely if windows wasn't as popular there wouldn't be so many viruses and hacks to it, and If Apple or Linux had that level of popularity they would have more viruses and hacks. But I would contend the Apple and Linux flaws will be less far reaching and more relegated to local spots. It is not just file locking that is the problem. It is a whole slew of problems eg.
....\
Many applications require Administrator rights to install, and some require Administration rights to run even though they shouldn't really need it. This forces administrators and home users to setup accounts with very wide permissions which are damn close to Administration rights.
Interpreted languages in apps. In order to provide the most possible flexibility to they tools a lot of them come with striped down VB. But it is good enough to write to a file and make a binary file with some coaxing.
Overactive warnings. If people see these warnings enough time they will ignore them.
Must beat the benchmarks at all costs attitude. Making sure their products run faster then their competitors may punch little holes in the dam. But sometimes a little hole is all it needs.
Novices a false since of security. With marketing like this is are most secure OS yet. With firewall turned on by default. People think they are 100% protected and do stupid things. Heck I am a Mac user and I don't trust OS X security. I still take persuasions and make sure nothing is running that shouldn't be.
Open the driver doors. 3rd party drivers was the biggest mistake in security terms, buy a crappy computer with crappy parts and get crappy drivers installed may also give you crappy security because of hacks in the drivers.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I don't know if it's the best idea in the world to go to a hacker conference and brag about how secure your new OS is. That may come off sounding like a challenge to the attendees.
This announcement followed shortly by a conference in which Asian hackers give Microsoft a look at the new hacked Vista. Good job everyone! Why not just hand them a DVD master of Pirates of the Carribean 2, and a stack of blanks, and say, "this DVD is copy-proof." Sure it is.
stuff |
>>Since then who can count the number of patches, updates and vulnerabilities.
. aspx ) Thats an average of 3.5 a month... Now Linux, on the other hand, we all know thats rock-solid. I mean, a quick browse over to LinuxSecurity.com proves it -- only 16 patches! Oh, that was in July of 2006 alone? Uh, well, maybe that was a bad month. I mean, if you average it since January... oh, erm, over 1000 patches over that interval. Well, uh, that counts as one patch per distribution, and clearly thats not entirely fair to Linux... Lets break down that number:
>>
85 patches in the last two years (200 and change if you count all MS applications, including the ones not bundled with XP). (Shockingly, computers can indeed count that high: http://www.microsoft.com/technet/security/current
Distro | Security Advisories Since January 2006
Debian (between 190 and 200)
Gentoo 101
Redhat 69
PXswodniW 25
Now, I know I've got incoming replies that say "Well, patch/vulnerability counts don't matter for diddly, Linux is more secure than Windows". I actually tend to agree with both of these statements... but its sort of curious that Slashdot has this attitude that patches for one system are an admission of weakness but patches for another system show how a million eyes make bugs shallow.
Help poke pirates in the eyepatch, arr.
1. the money that can be made by selling the secrets to bad guys.
2. MS hatred goes deep in the hacking community...a lot of "hackers" would love to see vista hackable out of the box to hurt MS.
Windos security problems were seldom rooted in theoretical shortcomings, but in what we call the "real world". You know, the one where people are too lazy to create a second, non-admin account. Where IT staff is too busy to bother with the full feature set of Active Directory, and where developers are too careless and still write software that doesn't work unless you run it as admin.
There's a 95% probability that Vista will fall into the same traps, and will be just about as insecure as any other windos because of these problems and because Outlook still executes binaries sent by mail, and users can still be tricked by calling your virus.exe virus.jpg.exe and providing the proper icon.
(the other 5% are that Vista doesn't ship at all)
Assorted stuff I do sometimes: Lemuria.org
Sure, whatever system is the dominant one is the primary target for hacks, trojans, exploits and whatnot. I'm convinced that there is a lot in store on Linux, if people would spend their time searching for overflows, exploits or other weaknesses. Hell, it's even easier in Linux. Grab the Source, have a blast!
Yes, it simply "does not pay" to dig into Linux insecurities. What for? First of all, there are very few "clueless" users. Linux still has the "geek system" halo, users that consider themselves "normal users" without any ambitions to run servers or who just want to browse the web and write the odd letter or two won't even go near it.
And they tend to be the prime targets for spammers, trojan injectors and other malware. The clueless, gullible people.
But let's assume, just for a moment, Linux was the dominant system. Let's say it had a nice, clean user interface that lets even the most inapt monkey set it up and use it. Then we would, of course, start to see a lot of Linux based malware.
In Linux, though, you can actually implement a complete, useful and enforceable security model. You can use every kind of software that you might need without compromising the security of the whole system. Something that is by its very design impossible with current versions of Windows. In short, it is not necessary to give the average user administrator privileges, something that is simply a necessity in Windows with a fair lot of programs.
I guess, was Linux the dominant system, the blame would shift. From the system, as it is now, to the clueless user who dared to go online as root.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Obviously, the hackers would have to sign a non-disclosure agreement with MS before being allowed a quick glance at Vista's innards. So, what would this result in? Some kid getting sued when the he first hacks Vista (which will happen on Vista's release day minus a fortnight or so). That's not novel you say? It is, because he'll not only get sued for the usual bunch of crap, but also for violating the non-disclosure agreement, because MS will have the lawyers to cover that.
And if that doesn't happen, how's this: Vista gets hacked and MS blames the hackers by saying something like: 'hey, we let you look at it, you didn't see it, then how could we have?'.
Just another stick to beat around with, this is, nothing more, nothing less.
Or is this like bring manure to a fly farm?
"Interesting, the flies seem to be eating it!"
After the flies are done, however, its still just a pile of crap!!
As a rule, I never trust dark brown ketchup.
I've been a Windows user ever since. But the announcements of MS regarding Vista made me shiver (e.g. not running properly on my recently bought Fujitsu Siemens T4010 tablet-pc convertible)...
After installing Vista Beta 2 (MS Virtual Server 2005 RC2 on a dual Xeon with 16GB RAM, providing 6 GB of RAM to the vm and still running slow thanks to aero) I decided to double my efforts on Linux and switch to a decent distribution.
I wonder how they have to slim the whole "Vista-look" in order to have an OS which doesn't look like a media-center pc oder a Super Nintendo. Especially regarding the upcoming Vista "Server" I doubt that I ever could be happy with that.
Goodbye Bill, hello Linus...
great idea microsoft...tell all your security secrets to the asian hackers 4 MONTHS BEFORE you release vista.
Remember this is Microsoft. Talking about security is as good as being secure. It reminds me of their stance on interoperability.
Besides, pitching Vista as more secure may lead to some more sales.
Oh, I dunno...maybe because Windows get patched *after* 20% of the users get hammered by _bug_of_the_month_. Remind me again why most of those *nix patches come out.
Why go fast when you can go anywhere? O|||||||O
Patch count means nothing. You'd need to have to examine patch content, what was patched (core OS? default install? other software?) Debian, for example, contains what, 20,000 packages? That's a little more than your windos install CD contains, even if you install everything from minesweeper to paint.
Also, MS has moved to regular patch cycles and every patch is actually a container with many patches inside, which you don't see unless you check the details.
So in short: You simply can not compare these numbers, because the methods and contents are too different to make any comparison meaningful. Maybe comparing with OSX would work better.
Assorted stuff I do sometimes: Lemuria.org
I also feel I should point out that I am concerned just how complacent Linux and Mac people are about the security of their systems. There must be some holes in those systems, maybe not many, but if the community starts to get lax about these things, then a hole may not be closed before a major break.
If this were really happening, what would you think?
Now that's a title to have on your business card when you swap phone numbers with a hot woman ...
To err is human. To forgive is good system design.
Yup, Core OS files like Windows Movie Maker (protected in Windows XP [my old copy anyway] by the don't-let-the-OS-files-get-fucked-up filter- if you delete it, it comes back! if you replace it, your change is negated and it comes back! fuck you if you don't want it!).
Or maybe that zip file I downloaded a week ago that got bugged and I'm never going to be able to delete.
"Quoting yourself is stupid." -Me
Who had that smart idea to make the webbrowser the local file manipulation tool, and why is he still alive?
That guy died last year.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
No OS is ever 'truly secure'. You get to a middle ground, where you can do most of the stuff you want to, without making it too easy to break into. Thing is, all this exploit/patch cycles are just putting out the fires you get by living next to a volcano. The real problem with Windows is that it started from a single user 'integrated' environment. Unix had the luxury of being pretty much multi-user from day one. So the design model reflects things like concurrent access, and has the security foundation that are just vital for that to happen. Unix is fairly modular kernel shell GUI application. And when you have that sort of thing, you end up with something that's _fairly_ easy to keep straight, and you keep things that need to 'do stuff' in their sandbox. Windows is getting better, but I still get the impression that that's more because it's covered in sticky plasters sealing up the holes.
While it is true that architecture has a great deal to do with security and that architecture still poses a problem for Microsoft, it is also still true that over 80% of security problems are a direct result of bad coding practices dealing with input data. Stuff that we learned how to do 30 years ago is still the bane of our existence. (Ref. CERT ).
"If all the American people want is security, let them live in prisons." Eisenhower
The talk will include a discussion about features suggested by hackers
Now we know how all of those "features" got added.
Wouldn't it be smarter for Microsoft to assume Vista *will* be hacked at some point, and base their security around how the system reacts to said hacking, than to assume it won't? I mean, with enough time, anything can be hacked, so it is more of a factor of how long/how much effort it will take & what the hacker can do to the hackee's machine. Is there any real reason to let anything coming in from the internet have any sort of direct access whatsoever to a person's machine? And why would you, by default, let any program access the internet/download random crap? For that matter, perhaps giving the user the ability to add keys to ANY PART of the registry with nothing but a double-click isn't such a good idea. Mod me down if you must, but as a person who has removed (or attempted to remove) hundreds of easily-preventable adware/spyware/virus infections, I do have reasons to vent...
I think after Vista Microsoft needs to seriously revamp their existing code. Forget backward compatibility. They could include virtualization technology to allow users to run most legacy applications and offer an easy to use dual boot wizard like Apple provides for those instances where virtualization won't cut it. The Windows code base has been to big and bloated for quite some time and attempting to maintain backward compatibility, while a noble goal, is the primary culprit preventing serious innovation. Would Windows lose some market share in the short term? Probably but IMHO it's necessary in order to really move the product forward. From a users perspective there weren't that many compelling reasons to upgrade from Windows 2000 to Windows XP and it would seem as though there are even fewer compelling reasons to move from XP to Vista. The added security features will probably help the uninformed casual user maintain a more secure system but let's face it, most advanced users don't have virus, spyware or malware problems because we run the software and do the preventative maintenance necessary to prevent them and anyone who thinks Vista will be so secure as to not require additional software and preventative maintenance is crazy. The support for legacy applications practically guarantees that there will continue to be all kinds of security issues. All of the coolest features promised at the beginning of the Vista development cycle have been removed. We're left with a hodge podge of various things that, while interesting for Windows users, have been available in OS X and other operating systems for quite some time and those other operating systems don't have the inherent security issues and other baggage that Windows has. In short, I don't see much of a reason to upgrade to Vista. In fact, I don't ever plan on upgrading to Vista unless a game comes out that I want to play that requires it. After buying a Mac Mini in December and absolutely loving it and with Apple's switch to Intel and the subsequent release of Bootcamp and Parallels Desktop for Mac, I'm making the switch.
Notepad is just as bad. It took me a long time to completely replace that with another text editor.
:(){
Windows is, and will likely remain, in the unenviable position of having to design their systems to be both secure AND clueless-customer-friendly. And, if that wasn't problematic enough, add to that the fact that every hacker and his brother is targeting them because of their nearly ubiquitous market share.
-Eric
SJW: Someone who has run out of real oppression, and has to fake it.
...considered a double-edged sword, so to speak, for Microsoft? If they release portions of the inner workings to hackers, then what is stopping the hackers from finding a 'hole in the wall' or potential exploit and NOT telling Microsoft about it?
I'm sure Microsoft already has thought of that scenerio, but still, do you think that would be possible?
...he says he wants his assessment back.
My best friend is fairly computer literate. He surfs the web, uses Oracle at work (not an admin, uses the business products), whatever. He still wants to be able to download and run anything he wants to. He wants to be able to watch any video he pulls off Limewire. He wants to be able to rip and burn DVDs without having to think about it. He does NOT want to use a command line interface. This is the story common to the average joe home user. He doesn't have a firewall at home and he's connected directly to the internet via broadband. Yes, he gets spyware. Business users don't really care because they have administrators who do nothing but sit around all day making sure bad things don't happen. They have security policies on the PC, they have firewalls, they have e-mail filters, etc. The fact of the matter is that Admins typically do an okay job. The number of infected PCs per capita in the business world is very good compared to the personal PC world (based purely on personal experience). As an admin, you might think new security features or a complete overhaul of the security design in $operatingSystem will make your life easier. The odds are good your CIO who got hired because he is friends with the CEO doesn't really care. All he cares about is that $company took him out for a round of golf in Tahiti and he can communicate with other big business and government (i.e. Office products). Other than that, you're out of luck. Cheers
Check out my lame java blog at www.javachopshop.com
You can get Windows Vista for free at Jack In The Box? Microsoft must be desperate if they the need the market share that badly.
As a mid-line computer user, about every four years I surveyed the "Trinity" of OS's.
1994:
Mac: - In use
Microsoft: Dos (Respect it, but 'too old to learn a dinosaur'.
Windows 3.1: "You've GOT to be kidding me"
Linux: "Did that even exist then?"
1998:
Microsoft: - In Use. "My friend gave me a FREE Win98 Box."
Mac: - "Sorry, but companies are using Windows"
Linux: - "Did I know about that then?"
2002:
Microsoft: - Windows 2000 in use. "XP has an ugly new patch coming up."
Mac: - "OS 10 looks stable, but everything is in funny places."
Linux: - "Keeping my eyes on it, waiting for MS to screw up"
2006:
Microsoft: - "Win XP is the standard, and now they're cheap too. $600 Comps!"
Mac: - "Did they hire Dr. Dolittle? And stuff is still in funny places".
Linux: - "Since Vista will be unusable, time to buy a practice Linux Box."
So I'll probably buy a couple more cheap XP boxes just to have floating around, in anticipation of the day when OEMs will begin flooding the world with PreBuilt Vista beasts. On a Parallel track, I think reports are that Linux is finally addressing the glitches at the user experience level, so it's time to practice.
--TaoPhoenix
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Actually, I'd imagine that the most secure windows ever was DOS+3.11 running a Netware client. Sure the machine had no local security to speak of, but the era of pervasive remote exploits (ports open by default, Ping of Death, ActiveX, Internet Exploder, email worms, etc) all began with Win95. They've been trying to put the genie back in the bottle ever since.
As if Windows wasn't secure before... but now MS is having a conference to teach hackers how to get in?
Since it's inevitable, I guess it's nice to save them so much time figuring it out themselves.
my $.02: The problem with windows security is primarily one of legacy support. In the beginning noone even slighly cared about security, because computers were such a small part of the overall 'picture'. Of course, times changed and we all grew more dependant on these machines. An operating system is really only as valuable as it's application base. From the start, inter-processes communication was flawed lacking any authentication method, kernel / userland seperation was virtually nonexistant, and multi-user support was severally lacking; to name just a few problems. In almost all cases these issues persisted right up till XP when microsoft started to take security seriously with SP2. Microsoft just like the rest of us is new to the whole OS design thing. We've all thought of ways we can do things differently to make a more secure / better OS, and microsoft is right there with the rest of us; learning as we go. Remember all the broken legacy apps when NT4.0 came out? Hell, the only reason I still have a windows box in my home is because of the vast library of applications available to me. Now if they go changing the underlying fundamentals of how their OS works, they are going to break their greatest strength. What needs to be done is to find a way to write binaries that are more platform independant, let the application support for this grow for a few years, and then break away from the mold and implement a version of windows that incorporates everything we've learned over the last 20 years or so. Just my $.02
*skips over "penetration engineer" in favor of something new...*
MacIver is one of their engineers? No wonder Windows is so buggy! The security system is made up of chewing gum, a bit of tin foil, and the innards of a pen! But at least it can beat Chuck Norris's sorry ass. *wonders is MacIver has a mullet, too...*
While what you say is true, who needs a hole to exploit a machine? All you need is to convince a user to run your malware and you're away.
If they have root access, they can hose the whole system. If they don't have root access (or refuse to supply the credentials), they can still hose their own user account. Either way, if you're looking to add another PC to your zombie botnet, the difference is immaterial, especially on single-user machines.
Even if there were absolutely no remotely exploitable holes, there will always be enough naive and incautious users to provide a rich hunting ground for malware.
It's official. Most of you are morons.
"I still take persuasions..." I assume you meant precautions? I'm not sure how to take a persuasion...
On that note, you're definitely right about Windows users not taking precautions, but the problem is that that isn't going to change. Most Windows users don't know enough to know what precautions to take. I have enough trouble getting my grandfather to remember how to get on the internet. I'd rather have to clean his computer on a regular basis than try to explain to him how to avoid viruses and malware, and even if I tried, it wouldn't work anyways. Same thing with my little sister. I've tried to explain how bad an idea clicking everything in sight is, but she continues to do it.
As to the drivers, I don't think it's as big a problem as you think. Yeah, they're likely full of security holes, but no driver is prevalent enough to warrant a widespread attack. It's similar to how Windows is the most exploited OS largely due to its popularity. If someone created a virus that used a specific driver's security hole, they wouldn't be able to infect very many people, so it's not going to happen. This becomes even more true with lower-quality products, since a single low-quality product is usually not that widespread.
Remember kids, tin foil doesn't work, so use LeadHat.
Design is what is wrong with 99.999% of all software. No one ever spends the time, effort, and money to make sure that their system is designed correctly. Rarely do they update the initial requirements during development, or test the system against the requirements. This is why MS has failed before. They keep throwing money at the problem and never addressing the process that is really the problem. I can tell just by looking at the MSDN documentation that MS has no clue how a good majority of their software works. Definitions of object properties are pathetic. You can have a property called "htmlid" and the definition is the ID of the html... ?!? really... but what does it DO? Further investigation of Visual Studio Team System shows that the process is nothing more than a few high level diagrams. When you work at that level you miss the details... that is where the problem exists. An OS is so massive that the details are crucial. MS created the beast and they are responsible for taming it. Can you imagine the cost to MS of actually developing Vista the correct way... it would take YEARS and hundreds of billions of dollars... The interative process of refining the requirements the correct way would have cost them twice what they are claming Vista has already cost them. MS made themselves the industry leader and they should be responsible for maintaining their position appropriately. Instead we will get yet another half complete OS, with hundreds of updates every year, and never ending reports of defects. We will suffer and MS will continue to control the OS market. I would even go so far as to say if MS was a responsible company and did their job we would see far less defects in every other application that depends on Windows. I have found errors in the Windows IIS server through a .NET app. The developers swore it was their application but I persisted and we found the error was MS's fault. MS release a patch after months of investigation.
I wonder how often a defect fix is just a workaround of a bug that MS created in the first place?
0) receive pre-release Vista to look for holes 1) identify 3 or 4 holes in Vista 2) report 1 or 2 of them to microsoft 3) ??? = exploit remaining, unreported flaws 4) Profit!
Why, oh why, didn't I take the Blue Pill?
... Ken Lay anytime now.
When I worked in tech support, I would have conversations like this on a REGULAR basis:
Me: Okay, turn the computer off and back on again
Them: Which button is that?
Me: The one you use to turn your computer on.
Them: Okay (hits the monitor power button instead)
I'm not joking, that was a TYPICAL conversation.
-Eric
SJW: Someone who has run out of real oppression, and has to fake it.
What if it's impossible for highly secure operating systems to gain mass market adoption?
This can only be random speculation because there is an army of other variables, an army led by marketing budgets, but can you imagine corporate America ever standardizing on OpenBSD or Adamantix? OS X has a good record but it's not in the same category as those two.
In fact a really secure OS wouldn't allow running arbitrary untrusted software. Good luck selling that.
I'm no OS master, but it seems to me that the root of all Window's virus problems stems from COM and DCOM. (OLE Automation, ActiveX...whatever you want to call it..) IIRC, you could install a DCOM component on some machine on your network, connect to it from some other machine via straight-up tcp/ip and you could pretty much do whatever you wanted with the machine running the DCOM component. I mean, you could have the DCOM component do whatever you wanted it to do...delete files...format stuff..whatever you could do with any other Windows program. All it has to do is just sit there waiting for a connection and a command from your "master" application to start it's nasty-not-niceness. Just the IDEA that you could install an ActiveX control(when you get down to it, is just a small application that just needs a container), which has full access to your machine, just by visiting a website or opening an e-mail just seems incredibly stupid to me.
.... We all know that if your job title is penetration engineer your name is MacGyver
Yeah, because overwriting core OS files would be so much harder if the OS allowed it.
The point the parent was making is that it is very hard to delete malware on a live Windows system because you cannot delete a file that is in use. That is why you often have to boot to safe mode to get rid of spyware etc.. This is not the same as Windows File Protection which he didn't mention at all.
So in the context of the above, I am finding it rather difficult to ascertain exactly what fucking point you were trying to make with that meaningless one line comment. Was the parent talking about the difficulty of overwriting core OS files? No, he was not. Why are you? Please start you own thread if you want to discuss a different subject, then we can all ignore it more easily.
Also try and quote what you are replying to. It makes it easier to quickly dismiss posts as wrong and confused.
"a penetration engineer" i wish i had that job title...
(yes i know i suck at spelling fell free to correct my grammar and/or spellin i dont care, im still not going to change
Of course, the biggest hole in any system (IT or otherwise) is the humans.
And which users do you aim for, the 10% or the 90%? (I dont know the exact figures). Of course you go for the latter, with the greater number of Windows users you have more chance of getting a hit. Thus my point that the disparity in the number of breaks of Windows vs OSX/Linux/etc is partly due to its greater prevalence.
If this were really happening, what would you think?
Sad how you completely missed the point.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Agree with you there --I am a KDE fan (Kubuntu 6.06 currently), but from the start, I thought that Konqueror tried to be everything: web browser, file manager, image browser, basically the Swiss Army knife of KDE. Which is great --I think Konqi has its place-- but just as you wouldn't use the Swiss Army knife for your daily screwdriver / can-opener needs, I had no interest in using Konqi for web browsing or file managing. Firefox has enough mindshare that I use it, with its myriad extensions (if I need something fast, I use elinks), and for file managing I use Krusader (like Norton Commander).
One thing Konqi is good for: the kparts. So, if I need to "fish://" something from another computer, or access "media://" or "system://", Konqi is great for that. Don't get me wrong --I'm glad we have Konqi. But I would rather use specialized tools for specific purposes.
By the way, for Krusader, I use v1.7, not the buggy v1.6 that comes with Kubuntu. If you want it: apt-get remove Krusader, download the actual deb package for v1.7 from the Krusader site and force its installation, rename the executable from krusader to something else (like "krusader-1.7"), and then apt-get remove krusader (it won't touch your renamed executable) and then reinstall the buggy v1.6 version, or else apt-get refuses to work while it knows you've got the unsupported v1.7 on your system.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
His date: What do you do for a living?
Douglas: I'm a penetration engineer.
I can only imagine two results from a response like that, one is a drink in the face, the other is a long night.
Guess I'll see it first in Vegas at Blackhat. Those darn Asia hackers are a step behind on this one.
Though microsoft is buildin vista from scratch.. they can't make it SECURE for ever.. it's just a matter of time.. b4 some1 cracks it.. they r jus tryin 2 do it.. n they can't make it bcoz.. 1)vista is not a open source project like openbsd..which is d securest os u will ever see.. they r just hiring ppl 2 code 4 it.. ppl bounded by limitations n deadlines ..
2)given a choice btw user friendliness n security.. they will go for d former.. bcoz. that's y windows is more popular then linux.. u don't need man pages to run it..
3)they r making it simple for users.. n complicated inside.. while these two things don't match .. sooner or later problems will come..
4)wid integration of .net technologies and clr built into the box..
we r yet 2 see how it goes .. will it make it more secure or vulnerable..
let's see wat happens in d conference..
A non-admin user has never been able to add keys in any part of the registry. For that matter, as admin, there is also the oddity of for example CurrentControlSet\ENUM, which you've to tweak to get into.
However, I think it's important to recognize that while security in depth is a good thing, it is important to shield at the very entry point as well. Take IE again, as an example. It's nice if an exploit can't install a rootkit or modify your home directory, but if an exploit would even be able to read all your cookies, web cache and favorites, that might be bad enough. This latter option will still happen, as these are perfectly valid operations for a web browser, even if you've a kind of sandbox shielding it from the rest of the system. We can protect system integrity by depth, but protecting user data is much harder, and just about as important in many settings.
I guess M$ has found the new way to get independent reviewers, that too from the hacking community to review their product for FREE. I guess M$ should pay those public.