Slashdot Mirror
Microsoft Research Builds 'BrowserShield'
SteelyBen writes "Researchers at Microsoft have completed work on a prototype framework called BrowserShield that promises to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages. The BrowserShield project, an outgrowth of the company's 'Shield' initiative, could one day even become Microsoft's answer to zero-day browser exploits such as the WMF (Windows Metafile) attack that spread like wildfire in December 2005."
More complexity on top of bloated and horribly obscure software. That'll help security, really.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
... Will just get a new name: zero-day browser-sheild exploits.
Sigs are for the weak.
Unfortunately, I wrote it directly into my program without giving it another name, since I didn't realize I could sell the security separate from the program.
Innovation at its finest I suppose.
How will this even help? Will the browser shield require signatures and/or heuristics like virus scanners, and thus get outdated? If manpower needs to be invested in this technology, wouldn't the same manpower be better invested in solving the problem, rather than patching it?
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
... so their answer to poorly written software that is security-hole ridden is to layer more software written by the same people on top of it? Wouldn't it be easier to just write good software in the first place then actually fix, in a timely manner, anything that crops up? I'm failing to see how more bloat is going to help.
Jeremy Logan's Website.
I think they're just branding the "Disable ActiveX" checkbox.
Wow, Microsoft has "invented" privoxy!
So, instead of removing Internet Explorers ability to run code, they add another layer to filter out the code to prevent IE from running it. Does this mean that IE - like Windows - has become so complicated that noone dares remove the offending code, so all development will be addition of more "features"?
I'd rather insert my browser into a tinfoil condom, which would be more effective.
This seems to be some way to turn script (just Javascript?) into something else - safer javascript? HTML? Can't tell from the article.
If it is, then what features of the scripting is it removing to make the script safer? And if these are not important why not turn them off in the browser?
Maybe I'm being dumb, but I just don't get it.
ccalam - acoustic versions of new songs.
This just gets on my nerves. They must of spent ages planning and coding this not to mention funding.. Why the hell didn't thy put these resources into IE7 instead? Screw this "We'll protect you from the exploits", make it to the exploits are oh.. I don't know.. FIXED
I like muppets.
Protection against 0 day exploit's with signatures or another similar way that rewrites the page making it safe looks great and, in my opinion, is what is needed in the browser's world.
There is no safe browser: one can be safest than other but, anyway, there is no safe browser so a method to protect from 0days prior to patch's release is IMHO a very, very, very good idea.
What is this like a condom for your web browser? Come on, I have heard about practicing safe surfing but this is ridiculous.
Sounds like M$ has just "invented" a limited-functionality locked-in version of the marvellous Proxomitron. An application I truly wouldn't be without. Scrubs HTML nasties right out of the box, and also allows you to see a web page the way you want to see it. It runs with any browser, not just Internet Exploiter. And it's the right price, too.
It goes without saying that I didn't read the article, but it sounds like they remove the bad stuff and then show the page anyway. Why? Why not just show a page that says, "These f***ing scumbags just tried to f*** up your computer. Quit going there, and punch them in the mouth if you meet them. In the mean time, find a less dangerous source of porn."
of roles. Is Slashdot saying they should instead build this pro-active defence mechanism directly into IE? Sounds to me like this lets them work on IE as a renderer of *ML's, with another layer or adjunct which can evolve and change to meet the problem of malicious code. Rather than having IE trying to be clever, and becoming bulkier and harder to manage, a separate team is beavering away on the Shield. I still hate IE. Like Firefox. etc. etc. M$.
Researchers at Microsoft have completed work on a prototype framework called BrowserShield that promises to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages.
What happens when you mix this with Digital Restrictions Management that goes down to the hardware level? What I'm getting at is, what if it's not malicious code that is being replaced by a "safe equivalent", but perhaps a controversial story on a news website, or an important email between governments?
In the future, he who controls the computers controls the world. Digital Restrictions Management will one day give just a few computer companies control over every internet-connected computer in the world.
Some people will respond to this with "ahh.. I'll just use a firewall". Those people do not realise that firewalls will contain DRM, too.
Lord knows, It'd be hard for the Internet to be less secure than it is today. It'd be kind of dumb to reject any remotely plausible idea for making things better just because it came from Microsoft.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
They never, ever have believed in, and have only on a few occasions under very great pressure given in to, *removing* software (Clippy?); they just keep on adding instead. They must have missed that one important rule that everyone in a creative profession must once discover; 'writing is scratching', or 'prepare to throw one away' as it's called in software-land. If MS were a person, he'd be declared anally retentive; some many layers of compatibility, so many stick-on solutions that are supposed to work from below. Please guys - this is a seductive, but wrong approach - think again.
Religion is what happens when nature strikes and groupthink goes wrong.
Reduce, reuse, cycle
*cough cough* http://www.safer-networking.org/en/spybotsd/index. html *cough cough*
Now I can run IE 3.0.2 again without fear of catching something bad...
Now I can download cracks and keygens for MS products without fear!
Extreme Programming - Redundant Array of Inexpensive Developers
In the begining, it was Z80. Then, when 386 arrived, you needed an antivirus. When Internet came along, an antivirus was not enough, you need a firewall too. a few years later, pop-up blocker. Now, there is this thing called BrowserShield. I wonder what's next?...
In Soviet Russia, Browser protects SELF!
And props to the anon. who said to disable ActiveX. Amen to that!
Steve
There goes MS again. Let me guess: it will show a big ass shiny shield with a really cool animated graphic and ask "Are you sure you want to execute this malicious code?" and when the user clicks the Ok button it will ask once more just to be sure.
Personally I'm very affraid about MS sniffing my code. Experience shows that it will let tons of lines of malicious code pass, while locking down many good codes out there.
When those people will learn to stop trying to do magic tricks and be serious? A solution to browser flaws already exists and it's not magical at all, but technical: it's called "patch".
Er Galvão Abbott - IT Consultant and Developer
Hi ...
Firefox (untweaked) can easily take more mem than WinXP Pro+20 services combined ...
Just a quik reminder that the most popular alternative is no better ...
My Starcraft 2 Blog
WTF? This is the kind of approach that would be used on someone else's propriatary legacy software, or on some piece of hardware to keep it working without altering the thing itself. What are m$ saying? 'Our browser code is such a POS that we don't know how it works anymore'? 'We lost the source code ages ago and we cannot be bothered doing the job right'? 'We have so much market share that we really don't give a crap anymore, pass the crack pipe and the stock options'?
They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
Instead of fixing the real problem, they create another code-layer ontop.
Reminds me of those comedy-scenes, where people try to set a shaky table straight by shortening one leg - and then shortening it to much, resulting in three legs that are too long, then cutting these...until all the legs are cut to zero.
No wonder so little of MS-Research ends-up in products - but in this light, it might not be bad after all.
Windows 2000 - from the guys who brought us edlin
UNSAFE HTML: REPLACE WITH:
k s">I am a Communist. Please mail me if you love Osama bin Laden --- I certainly do!</a>
<a href="*.apple.com*"*>*</a> <a href="mailto:/webmaster?Subject=Your%20Site%20Suc
<body*>*Linux*</body> <body>This page cannot be displayed due to faulty programming in the server's OS.</body>
<embed src="*.[^w][^m][^av]"*></embed> <b><u><i><blink>This page contains content created using a pirated version of Windows Media Player. Contact the police.</blink></i></u></b>
*Nothing to see here, please move along*
liqbase
I think it's just an effort to modularize code, but they need a new commercial name to get people excited. It's easier to write an parser + validator than to write parser + validator + render + javascript interpreter in one bunch. If they're nice, they would even offer outputting validated HTML code for non-IE browsers to use. IANAMP (I am not a Microsoft programmer), and IANHW (I am not Helen Wang) but I think that's the idea of this framework.
About inspecting the script for malicious run-time behavior, I don't think that's going to fly far (think halting problem).
I once had a signature.
I wonder how this fit in with USA's ABC strategy against HIV/AIDS?
Microsoft: DON'T SURF!!! If you must, use IE. And buy this shiny new product.
OSS crowd: Join the fun! Take a firefox.
I once had a signature.
That's like putting a Robin Reliant into a huge metal box to make it as safe as a Volvo. Or something. More coffee...
So instead of this dangerous page which will try to install malware we'll get a cleaned-up and safe version
I'm sure glad MS is out to make the interweb a better place for everyone.
The research group tested BrowserShield against eight IE patches released in 2005 and found that BrowserShield--when used in tandem with standard anti-virus and HTTP filtering--would have provided the same protection as the software patches in every case, Wang wrote in a research paper.
I'm afraid without more information this sounds too much like magic. "Vulnerability-driven filtering should prevent all exploits (of a flaw) and should not disrupt any exploit free pages."
How is the technology filtering, what is it filtering, and how will it differentiate exploit free from exploit-ridden pages? If it can simply detect them why not just block them?
Microsoft Research has produced amazing technologies in the past and most of their current research is also very promising, in the area of GUI design, security, algorithms and so on. I just hope they are in tune with what Microsoft is already doing in Vista to avoid redundant layers of technology.
Also there's always the danger of Microsoft slapping a technology on IE for pure PR reasons ("haha Firefox has no filter!").
But I believe we have a case of poorly written article here. It's not uncommon that reporters simply have no idea what they are covering and coming up with wrong conclusions on what fundamentaly the shield is.
I'd say wait for the opinion to "mature" a bit on this technology.
I remember sometime back I saw a webpage that had an animated gif of a cartoon figure urinating on a Microsoft logo. The person who ran it had posted replies from Microsoft lawyers demanding he remove it. Perhaps now they can.
Time flies like an arrow. Fruit flies like a banana.
So they are trying to build a machine that can decide whether arbitrary code is malicious or not - I highly doubt that this is possible in respect to Rice's Theorem. It basically says that every aspect of an complex system cannot be decided. A well known example is the halting problem: You cannot decide whether a turing machine (or an algorithm running on it) will ever come to a stop, or is going to loop forever. And since binding processing time via infinite loops could be considered malicious behaviour, and most script languages are turing complete, an automaton will never be able to decide if a specific piece of code will harm your system. It is possible that certain aspects of a program (opening files in strange places, writing to files that should not be written to) raise suspicion, and certain chracteristics of code might also leed to detection similiar to the work virus scanners do - but I still prefer the good ol' evil bit.
Life is just nature's way of keeping meat fresh.
s///gs
Mod down people who tell people how to mod in their sigs
This sort of thing is already in anti-virus software. I use Avast! (free edition) and it has a "Web Shield" module (sounds a look like "Browser Shield", doesn't it?) that transparently proxies web traffic. When it finds anything nasty it pops up dialog box asking you if you want to download/access it anyway or "abort connection".
While this is all well and fine, would it be too much for Microsoft to just patch their bugs?
It's not exactly rocket surgery.
Mod down people who tell people how to mod in their sigs
This is nothing more than a stop-gap measure. Sooner or later they'll need to patch this one too. Then that'd be great imagine a patch that needs a patch. Heck, wouldn't be the first for MS. -- KISS (Keep it Simple Stupid)
for webpages made by Frontpage.
Don't fight for your country, if your country does not fight for you.
Do note, this is from Microsoft Research and not a core developement team working on the browser. There will always be bugs in software, just like virus can exist on any OS (though some may have more than others). MSR has been renowned for coming up with interesting solutions for interesting problems. I mean Firefox, Opera, Safari, and any other browser out there has been hit with exploits before. I mean every update of Firefox I download has multiple security updates. I'm not saying a perfect browser can't exist, but the road to get there requires both time and effort, espeically while trying to add new features to keep up to date to be able to compete with other browsers.
Just like how AV software isn't the solution to viruses, it's done quite well in protecting many systems. I personally don't understand exactly how this browsershield works, but from what I can grasp, it seems to be an additional check before loading the page into the browser and removing any malicious code. How it detects the malicious code is not clear, but having seen interesting research come out of MSR, I have my faith in these guys to have come up with an interesting solution.
HD Trailers
"Dahling, it is better to look good than to feel good.
And let me tell you something, dahling: you look BrowserShield-ous."
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
1. create product with security leaks
2. receive complaints
3. do not solve security leaks but instead, build a wall around them
4. go to sleep and forget about 1.
*sigh* So they are STILL trying to put bandaids on their old, insecure, highly-patched (and therefore low quality) software rather than ditching insecure communications protocols and writing a simpler browser that is secure from the gound up.
Yep - Microsoft is all in favor of security - so long as it maintains backward compatibility and they don't have to throw anything away.
English -- gotta love it! / The engineers refuse to refuse the rocket until the refuse is removed from the launch pad.
No, that's why we need a Free Software substitute for Windows (*) and every proprietary app.
(*) For me, those are there: I use kubuntu for almost all my computing needs.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Could they be targeting AJAX pages and the like that do not submit to the "MS" standard of AJAX. I wonder if Google Maps will still function properly with this 'security feature.'
There are no loopholes. It's either legal or it's not.
I know we all love to hate MS but this is a good idea.
First off, I have seen first hand some of MSResearch fairs and they is a lot of great stuff coming out of them. Anything that comes out of those labs is worth at least some thought before you dismiss it.
That aside, stripping nasties using a simple system before they reach a more complex system isn't really a bad idea. All of our mail servers have some sort of filter that does this (granted, more for dumb users). IIS 5 did this using a tool that was later built into IIS 6. Hell, firewalls aren't a much different idea. Most of us already run some sort of proxy software to block popups, scripts, or ads. All MS is proposing here is the equivalent of proximity or similar proxy software.
Do we just hate this idea b/c MS is doing it?
Well, I thought anti-virus software vendors already failed at similar effort. Every new virus out there first disables all known anti-virus software.
It all boils down to question: how could you tell malicious content from good one??? You would have to resort to signatures. That wouldn't help against 0day exploits in no way, since on that day 0 most signatures are not yet updated.
From the article it sounds more like standard corporate firewall functionality: "block all what looks like HTTP redirect, since that can IE exploit", "block all .exe attachments since that might be Outlook exploit", "block .wmf since that might be IE/Outlook exploit", etc. Nothing new.
Buhahaha! Very funny!! They at Redmond take Windows security very very seriously - they have put best PR people on it!!!
Good luck at identifying that "harmful code," darling!
P.S. And for that "rewrites HTML pages" bit be sure to have M$' lawyers ready. Few content providers would like idea that their pages may be rewritten by the software monopolist.
P.P.S. Would M$ ever learn? How long they intend to have that "ActiveX" crap enabled in their browsers by default?? How many sacrifices they intended to make???
P.P.P.S. On related news from Germany, my employer (about 150 desktops) 1.5 year ago has banned M$IE. Firefox and Opera must be used to access inter/intranets.
All hope abandon ye who enter here.
Surf from inside a Virtual PC.
The more you regulate a company, the worse its products become.
MOre opportunities to exploit a Microshaft product! Excellent
Did anyone else notice this?
Browser Shield
All this from the same people that brought you a spam-free hotmail inbox!!!!!! Buy now and rejoice that, soon, the only web pages you'll see in the course of your day are the ones specifically designed to get through the filter, while the useful pages that commit some innocent foul are rejected at the door.
Jester
Warning: This sig may be legally binding in England.
Rewrite: http:///Vista-Ultimate_i64%5Bcracked%5D.torrent with http://www.microsoft.com/purchase/
Why not? http://malfy.org/
No, hold on, not a MS-bashing comment, please read on.
It's not that MS is "inapt" or that they can't get their act together, it's simply that computers are computers, people are people and the mix of those is by its very nature unreliable and insecure. No matter how good you make it, there will always be tiny cracks in the security, be it for technical shortcomings or flaws in human nature that can be manipulated by social engineering.
Now, MS is the biggest manufacturer of operating systems. This shield will, invariably, also be present on every PC running their OS. So the first thing you have to defeat, as the attacker, is this shield. Can't get past it, don't bother continuing trying to defeat other security software that may or may not be present. This shield WILL be present!
So every attacker out there WILL have to come up with a cracking scheme. No matter what the cost, no matter how long it takes. It HAS to be cracked.
Thus security from MS cannot be relied on. Not because it is insecure in any way. But because every piece of malware HAS to come with some procedure to circumvent MS security. It will invariably have countermeasures in its arsenal.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Microsoft Research? I didn't know they had an R&D team... oh wait. You must mean they aquired a new startup, right?
I think dotslash is broken. Both EI and raope render your website and browser names weirdly.
Proof by very large bribes. QED.
They have just embedded Lynx in IE, just in case the later would provide too wide an access to the OS.
It's good news: we now know that Lynx compiles on Win32 and runs as nobody.
I am not Remy Mouton, unfortunately: http://remy.mouton.free.fr/art/
Just fix the fscking browser and your problems will be SOLVED Microsoft. Adding bullshit on the top won't help things. It will just add more complexity for when things go wrong.
Gorkman
Correct me if I am wrong, but won't this break AJAX, and well pretty much any page that uses heavy Javascript. The article talks of replacing client side Javascript with the HTML it would generate. This would suggest that Javscript would no longer be executed on the client. No more onchange/onclick events.
meh
And the MicroSoft implementation seems to be a limited sub-set. It won't even block ads.
.. paranoid crackpot leftover from the days of Amiga.
First of all: prototype framework? Is now really the time to put out the press release? Granted, they've advanced past the conceptualized foundation stage, but it sounds to me like there's more work.
Second, and maybe I'm exposing my ignorance, but aren't these "read junk and output clean" programs variations on Turing's Halting Problem and inherently faulty or potential DOS vectors?
This may be another chorus of the op-had-to-add-something-blues, but I understood that the WMF problem was that the spec allowed for a call-back to any helper program. How can any filter protect against design flaws?
We, of course, as users, have a different concept of safe than others, including Microsoft and many governments. I saw another poster quote the article as suggesting an unsafe web site gets rewritten for presentation. With the build-up to XP, Microsoft was touting intelligent links which would enable Windows/IE to insert sponsored links on unlinked content. There was some worry that this would be used to hijack ads and replace them with ones where Microsoft got the money. With this new approach, one can see the extor, er, advertising revenue possibilities. Much like AOL e-mail and "spammers" a little payment and we'll make sure our user-base can see your page.
What about the political arena, would Microsoft make a deal with a government, in order to gain market share in a controlled economy, which allows that government to adapt these tools to ensure that the browser does not propagate any unsafe ideas, content, or interpretation of events? Maybe it won't be Microsoft's "choice" as legislation is passed which requires this technology on all browsers within the jurisidction and further requires that the api and upload mechanism be in the hands of a governmental agency, for the sake of discussion let's call it the Ministry of Truth.
The worst part is, M$ is counting on & exploiting the ignorance of the average PC user for a buck - again. Most folks will think this is a good idea.
How about once it is in the form of hardware soldered to your motherboard? How about once they get some law passed where you need that chip to access the net, no correct handshake from the module, no access?
No that hasn't happened yet but you can smell it coming now. And they'll pass those sorts of laws based on protecting the childrens and not aiding the tarrists and defeating the e-vile pirates an stuff like that.
Ya, you can stockpile mobos now, but that still won't let you on the net later. Might take them several years, but they won't stop trying, and they have the cash to buy laws.
Ever get that message "Ensure your anti-virus software is switched off during the instalation, certain products are known to cause problems".
So, now will we get "MS browser shield is known to cause problems with this web application"?
This tells me that you haven't the first clue about software development. You're demanding that Microsoft "fix all the vulnerabilies in IE" before implementing a "wall". You're extremely naive if you think that MS can just "fix all vulnerabilities in IE" before the vulnerabilities are even discovered. Browsers are so complex these days (too complex, really), that it's foolhardy to expect "perfect" code. Look at Firefox and its myriad of recent security updates. MS fixes flaws as they come up, just as Mozilla does.
The point of "building a wall" is that it's nearly impossible to create "perfect" code. The "wall" provides protection against the bugs that are inevitably in the browser. There's nothing stupid about this concept, and you're only taking the stand you are because it's Microsoft that's doing this. If MS does implement this wall in the future, they'll still fix any flaw that allows exploits to occur in spite of the wall. They'll still fix flaws as they come up, just as they do today, but hopefully such a wall would result in fewer flaws coming up in the first place. Now, it's possible that the wall will "cover up" hidden flaws such that they are never discovered and therefore never fixed. You know what? GOOD!!
Microsoft is already doing things like this in Vista, where IE7 runs in a low-rights mode such that it has no access to any files or directories except the cache, unless OK'ed by a "broker", which is invoked if the user does File-SaveAs or some such. The idea here is that the "broker" code is extremely small, and so is unlikely to have hidden flaws. Malware might find a hole in IE7, but would then have to find a flaw in the "broker" in order to infect the system. You, being naive as you are, would have Microsoft eliminate the broker, run IE7 at the same privilege level as the user, and just "fix all flaws in IE", right?
(BTW, remember the story about MS inviting FF devs to Redmond give some advice on getting FF to run on Vista? One of the things that the FF devs said they were interested in was running FF in the low rights mode, just as IE will (the low rights mode is an API available to apps besides IE). (See beltzner's post in the usenet thread Groups.google.com: mozilla.dev.planning: Firefox and Thnderbird on Vista, where he talks about getting FF to run in "the new application security mode" (as well as taking advantage of other Vista features). So, the FF devs are idiots too, right? They should ignore Vista's "app security mode" and just "fix all flaws" in FF, right?)
You also don't have a clue regarding how easy it is to use tricks in languages (like Javascript) to get malware to execute. I took a class on this, and you'd be surprised to see what looks like perfectly safe Javascript or SQL script actually be malware. So, what's wrong with providing a little protection?
Who knows, maybe in the future, IE will be written in managed code, run in low-rights mode, and have a "BrowserShield". Good.
-- "I never gave these stories much credence." - HAL 9000
This is the wrong way to fix "the problem". The "problem" is a browser is allowed to do some malicious behavior. The fix should be "never allow the browser to do this behavior" but they offer "scanner to catch the behvaior" instead? This has been tried before with miserable results. There are millions (if not billions) of permutations on the bad behavior so forgive me if I don't have a lot of confidence any scanner can figure it out.
An old coworker characterized Microsoft design philosophy and their fixes like an alluminum finish boat with a leak where they consistently fix "the wrong problem":
- These boats might leak, so lets add inflatable pontoons
- The pontoons make the boat too heavy to movie with the original motor so add two larger motors
- The motors now eat too much fuel so add more fuel tanks
- The fuel tanks are too large for the boat so weld on another boat and put the fuel tanks there
By the end you end up with something that doesn't look like a boat wanted or needed or can actually use very well as a boat. The wrong fix was adding pontoons to keep the boat afloat. They just automatically assumed "leak = sinking" where this might not be the case at all. The hole in the boat might be small enough that it would never sink to begin with.
At the heart, this is the folley that Microsoft tries where they ignore the inherent design of web browsing: Web browsers by design accept a lot of questionable material from questionable sources. A scanner seems to fly in the face of this where Microsoft seems to claim that *some* questionable material from a question source isn't actually bad. What could this possibly be?
no text I say
My turnips listen for the soft cry of your love
A lot of privacy/security products (proxies/plugins/extensions/etc) had or could had problems in a moment or another with that kind of sites advanced functionality, but in this case how much will be bugs and how much intended "feature" for the ones that built it?
From other point of view, they are shielding a problem in a product of them, maybe really solving the problem without breaking functionality is a bit hard, so the easy option could be having an optional shield so the user can choose between having broken functionality or broken security (i.e. for internal lans or very trusted sites). But still, they will be the referees of the sites you go in without troubles (i.e. all microsoft owned sites), and the sites where if have some advanced functionality, you get a warning, or will not be able to access, or will have to search on how to enable it, or just drop all your protection.
Not the cause...
Task Mangler
There is one, it's called ipCop, ipcop.org, it does a great job of protecting windows machines. I set one up at a non-profit that only had Win95 & 98 machines and it stopped their problems.
I have noticed that more machines I work on these days have been broken by Windows Updates rather than other malicious code. I don't work on as many machines these days as I used to but do find this to be suprising trend (3 of the last 3).
Anyone else noticing this phenomenon?
How can you test code to see if it's malicious without running it first? It's like trying to determine whether or not a program will halt...
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
The page you are looking for is currently unavailable. The Web_
site might be experiencing technical difficulties, or you may need
to adjust your browser settings.
_________________________________________________
Please try the following:
- Click the Refresh button, or try again later.
- If you typed the page address in the Address bar, make sure that it is spelled correctly.
- Click the Back button to try another link.
Cannot find server or DNS ErrorInternet Explorer
mod me funny
firefox + noscript.
Since most of Microsoft's bugs come from using C, it is time to switch to an altenative. Cyclone is the perfect candidate: compatible with C, yet safe.
The Cyclone programming language can be found here:
http://cyclone.thelanguage.org/
You can read more details in the MSR article. The paper (to appear at OSDI) is here: http://research.microsoft.com/research/shield/pape rs/bshield.pdf
It will be interesting exercise in introspection if slashdot were to carry out this experiment -
Post some of the MSFT items as Google items and some of the Google items as MSFT items and see how the slashdotters react to it. I am not willing to conjecture anything as my hypothesis but one or more of the following might get answered (not definitively) -
1. Slashdotters mostly hate MSFT no matter what it does
2. Slashdotters mostly love GOOG no matter what it does
3. Slashdotters are unbiased and evalute every action purely and solely on the merits of that action.
4. Slashdotters are just another bunch of sleaze bag. They are vain, abusive and idle heads.
5. Slashdotters are the moral gatekeepers of the tech/corporate world and are above any pettiness.
Anyone at the slashdot willing to do this, do it silently and pleeeease think through the experiment design so that you get something informative out of it.
cheers
Kaspersky Anti-Virus already does this without proxies, it intercepts network traffic directly.
...That malware writers will start writing fun stuff to trick or otherwise use the "filter" for their own devices. On a very simple level...how about code within code? So you take a script that does something evil and split it up by inserting whole older known scripts and dumping them in the middle. The "filter" then yanks all the older malware while unknowingly "stiching" the code they really wanted to execute back together to hit the client.
Knowing microsoft though, the "filter" probably has some sort of execution capability and someone will find a way to use the filter to take control of your system. Simple is safer boys and girls. Try to remember that.
No, we hate it because it's stupid, and futile, and more a PR stunt than a real solution.
The problem isn't with the idea of filtering. That's essentially the idea behind virus scanners, spam scanners, firewall rules, and whatnot. The problem is thinking it's going to make the browser more secure. Of course it's not!
It cannot detect new exploits, assuming those exploits are truly new. It can protect against a certain subset of existing problems, and that's it. If it does much more, it's going to break more things than it fixes.
Why is this?
Because computers are dangerous. Their danger lies in them being 100% information processors. That's what they do. They are generic, powerful, information processors. There is no way of knowing beforehand what kinds of information you are going to process, or how it's going to be processed.
Exploits take advantage of the generic nature of computers. They take advantage of the ignorance of the people using computers. They take advantage of the incompleteness of our understanding of computers (that is, design flaws, implementation flaws, etc).
No amount of layering is going to stop an exploit. All the new layer does is create a new point of exploitation. The more complex a system, the less-well understood it is by the people who designed and built it, and the more likely it is to contain exploitable flaws. Adding a new layer in the mix increases complexity.
That is the problem. And that is the reason people around these parts don't take Microsoft seriously. It's not
Make it as complex as it needs to be, and no more.
Or:
Keep it simple, (sucker|stupid|shithead).
And worse, Microsoft has to make their software complex. It's job security. As long as they dominate the desktop distribution channels, they can call the shots. If their system was simple, someone else would be able to interoperate with it, or clone it (like the Wine project). That would be deadly for Microsoft, as it would endanger their control. So they are forced into complexity.
What's the way to make sure you aren't fired? Make sure you are irreplaceable, that nobody else can do your job. That's job security, and that's how you make sure you aren't fired. Oh, or do good work without causing trouble, but that isn't nearly as sure-fire.
Anyway, sorry for the long rant. It's just that Microsoft has tried very hard to get security right, and they can't. The problem isn't with Microsoft or their engineers, per se. The problem is that Microsoft has built an operating system with the Rube Goldberg design school. Kludges like this "Shield" initiative are add-ons that make the OS more complex, not less, creating more holes, not fewer.
It's not just past history. (How many times has Microsoft taken security seriously? I've lost count.) It's not cynicism. It's engineering fact. This is a bad idea to start with, to fix a problem that shouldn't be there in the first place. Not only will it not help, it'll make the problem worse.
Microsoft is to software what Budweiser is to beer.
Why not just hide the system from users ?
Administrator > sees c:\ and all directories.
User > sees just c:\Users\ then user directories.
e.g. c:\Applications, c:\Docs, etc.
that way the OS is hidden and protected from users.
1. The filter WILL be able to tell apart good data from bad. Just like the spam filters in Hotmail.
2. 0-day browser exploits are possible, but 0-day security software exploits aren't.
3. Microsoft will be kind enough not to use this for censorship.
Just my first thoughts.
Please correct me if I got my facts wrong.
They're pursuing yet another grand idea instead of spending the same effort on something less sexy, like finding and fixing buffer overruns. Static code analysis (which they use) can't catch them all, particularly in a system with tons of dependencies all over the place.
...with a page that just says: -
..etc.
"M$ the EVIL, OSS GOOD"
"M$ the EVIL, APPLE GOOD"
"M$ the EVIL, GOOGLE GOOD"
"M$ the EVIL, Linux r0x0rz u M$ sux0rz"
I mean, that's about the level of debate we have here.
No objective thinking. Just juvenile tribalism.
No - I'm not new around here. Perhaps I've finally realized I've been here to damn long.
Next they will come up with BrowserShield Defender to protect the shield, then BrowserShield Defender Shield to protect the Defender, etc. Soon IE will be so heavily fortified that no malware can get through. Why didn't anyone think of this before?
"View this page in Firefox tab"?
My life is one big siesta in which I'm dreaming I wished my life was one big siesta.
This looks really, really dumb. What a shame they're expending effort on it. I'm glad it ain't my money.
If you wanna secure a web browser, here's what to do:
- First, get rid of the whole idea of web browsers deliberately executing code from a web page. ActiveX was Microsoft's dumbest inventions ever (I mean, really, it wins first place on the list of MS atrocities). Internet clients should never execute remote code on purpose -- that's insecure by design. If the code didn't come from
/usr/bin or c:\windows, then you probably don't need to run it.
- Accept that maybe someone will find a way to get remote code to run anyway, such as maybe through a buffer overflow or something. So, account for that, by running the web browser in a sandbox where it doesn't have access to jack shit -- if hostile code runs, it can't do anything. All Microsoft's customers have 386s-or-better now and are running the NT kernel instead of MSDOS, so this should be totally doable.
- Get rid of the possibility of buffer overflows. Either use a safer language, or start looking really hard at the code like the OpenBSD guys do.
There. Was that so hard? Ok, maybe not trivial, but Microsoft can probably afford to hire an extra employee or two.As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Internet condom:
1) Slow and bulky (check)
2) False feeling of security (check)
Oops it broke now I'm going to have screaming twin core processors everywhere.
Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
Or you could use Privoxy, which does the same thing, but is open source and cross-platform. I still use Proxomitron because I have a lot of filters written for it that specifically affect ads on the sites that I use. Also, Privoxy's GUI is a bit harder to use.
Centralization breaks the internet.
Clippy was fun, I would see dozens of people just clicking the animate option on clippy to see all that he (it?) does. I forget in which version ('97 I think) clippy would tap the screen after a while seeing if you were there.
Picture this: it's 2AM you are woken up by this *tap* *tap* *tap* sound. It's not the door, it's not the window and it is coming from where your computer is. Turn on the monitor and there is Clippy tapping the screen asking if you want to save the document(s) that is (are) open.
**I left the computer on, the CRT off with the speakers turned up a bit.
In the time it takes to create a browsershield signature, perhaps they could fix the vulnerability.
This would probably help for dealing with unpatched vulnerabilities in third party activex controls, which Microsoft can't update themselves. They're not exploited that often though, because only a few are really popular. And it takes less work to test a new signature than a new build, and less bandwidth to distribute.
and build BrowserShield on top of it.
Microsoft's solution is a combination of hardware and software. Here is a photo of the main hardware component of the top secret browser shield.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Is this supposed to be Microsoft "innovating" again? I've been using the HTTP proxy filter Proxomitron for years to do exactly what this describes... among many other HTTP things like blocking ads, managing cookies, protecting my privacy, and even reworking Web pages to suit my weird tastes. Privoxy does virtually the same thing, and I gather there are yet others. Both of these are "free", though Proxomitron isn't yet open source (the family of the deceased author may yet open-source it).
If Microsoft really wants to "help", perhaps it should contribute to enhancing Privoxy or acquire rights to Proxomitron and then fully open-source and enhance it, rather than reinventing a proprietary solution that promises marginal utility and guaranteed lock-in and vendor dependency (if "vendor" is a strong enough word to describe Microsoft).