Security Threats 3 Levels Beyond Kernel Rootkits

GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

o.k.

[amnezick]

i was gonna write something about [o]ver[k]ill but I'm not in the mood anymore. 3 VMs??? ahahahahahahahhahahahha ROFL ahahahahhahahahah (sorry, I can't help it) .. ahahahahahhahahaha

* burn karma, burn *

Re:o.k.

[NotBornYesterday]

Come back later when you're coherent.

When 4 cores and several gigs of ram are available in inexpensive off-the-shelf systems, and VM software is freely available and easier to deploy, paranoid levels of security become more and more practical.

Re:o.k.

and VM software is freely available and easier to deploy, paranoid levels of security become more and more practical.

It's only free if your time's worth nothing.

Just saying. There's always some trade-off, and while it may be worthwhile, the mere fact that you don't have to pay doesn't automatically mean it is.

Re:o.k.

[amnezick]

I guess it's true that what you don't know can't hurt you.
It's like being a cop and having a teen daughter. Knowing all the dangers out there you can't just let her go to this one party, can't you? I guess that's why she's so paranoid about it.
Whenever I see overprotective/overkill I don't even try to understand why. I just know that there are some people who live their lives in fear and there's us who don't mind going to the bank, paying bills the old way, you know ... socializing. I see the Internet as just another way of communication. nothing more

Re:o.k.

[NotBornYesterday]

Time is only one half of the equation. What are your privacy and security worth?

Re:o.k.

When 4 cores and several gigs of ram are available in inexpensive off-the-shelf systems,

Back in April my company purchased some new Dell Vostro 420 desktops, quad-core, 4 GB ram, for under $600. I'd call that inexpensive. They're even cheaper today.

and VM software is freely available

Excellent free VM software (both ESXi and VMware Server) is available from VMware. Even the paid products from VMware aren't that expensive.

Many other VM platforms from other vendors are also free.

Come back later when you're coherent.

Pot, kettle.

Re:o.k.

Pot, kettle.

WTF? You clearly don't understand the parent's post. He's saying that stuff is cheap and readily available, so it's okay to be a little more paranoid/security-conscious. You then go on to prove his point that this stuff is cheap, then tell him he's not making any sense?!?

Re:o.k.

You failed to understand what the GP was saying. He wasn't trying to describe some far-off future where multiple VM's are practical, he was intentionally describing present-day technology.

Re:o.k.

[Repossessed]

Not to mention the cost of 3 OSes. And I'm not sure if MS can enforce this, but right now you have to buy the more expensive version of Vista according to the license agreement.

Re:o.k.

If only somebody would make a free OS! Well, I guess we can always dream.

Re:o.k.

[NotBornYesterday]

I'd call that inexpensive. They're even cheaper today ... Excellent free VM software ... are also free.

That was my point. Was I too subtle?

Re:o.k.

[NotBornYesterday]

I guess it's true that what you don't know can't hurt you.

I'm not sure I agree with that one. Plenty of stuff has bitten me in the ass regardless of whether I knew anything about it.

It's like being a cop and having a teen daughter. Knowing all the dangers out there you can't just let her go to this one party, can't you?

You can't shelter your kids forever; you have to build stronger, better kids and trust they can deal with the world when it is time ( Believe me, I know - I'm there right now).

In the same way, putting thought and care into building a robust, secure computer system pays dividends when it has to deal with the real world.

I guess that's why she's so paranoid about it.

She sounds like a contractor I knew who completely overbuilt his house just because he could. Paranoid? Not really. Just building the best house he reasonably could.

Whenever I see overprotective/overkill ... there are some people who live their lives in fear

What might be overkill in the hands of experts today might well be standard issue tomorrow, and no more difficult to use than personal AV and firewall apps today.

I see the Internet as just another way of communication. nothing more

Fair enough. But it sure isn't free of danger, and thinking otherwise won't change things.

Re:o.k.

[Starayo]

I guess it's true that what you don't know can't hurt you.

Okay, so, you're walking through your house, right? And you think, "I know, I think I'll make some pancakes", so you go to the kitchen. But what you don't know is there's an ANGRY GRIZZLY BEAR in your cupboard next to the flour.

Re:o.k.

[rudy_wayne]

It's only free if your time's worth nothing.

Most of your time IS worth nothing. But people are too arrogant to admit it.

Re:o.k.

Dude, I heard about this cool new thing this guy in Finland made. Lyniux.. Leenicks, I believe it's called. You should check it out!

Re:o.k.

[Runaway1956]

You're serious, right? Let's assume that I have one copy of WinXP - or, Win7, legally licensed. I install a *nix as my primary OS, create a VM using VirtualBox, and I'm legal, so far, right? Get the VM all updated, then clone it 99 times. Suddenly, I'm illegal, right? But, all 99 machines are being used INSIDE of ONE BOX!!! I use one machine to browse the darknet, another machine to do torrenting, another to do my banking, one for general browsing, and one just to test malware on. The rest I may or may not ever fire up for some reason that I haven't thought of yet.

So, how much should I mail to Microsoft for all of my VM's?

Say, can I bum a dollar?

Re:o.k.

[Ilgaz]

Make sure you never hang around with AIX or even worse, z/OS people.

The numbers you would hear would kill you because of excessive laughing or amazement. Yes, those numbers are really thousands, not tens.

Re:o.k.

I hurd about something too, but that wasn't it.

Re:o.k.

[JordanL]

Wait... was she saying she's running a virtual machine inside a virtual machine inside a virtual machine?

Because that's ridiculously overkill.

Re:o.k.

there are always tasks that benefit from ever increasing cpu capability. squandering it on useless VM in those cases is stupid.

Re:o.k.

[gd2shoe]

Apparently too subtle for an AC. Most of us followed what you said.

Re:o.k.

Sweeeet!

Re:o.k.

Most of your time IS worth nothing. But people are too arrogant to admit it.

Hey! If I'm not screwing with security, I can spend my time reading and posting on slashd... oh.

A touch, a touch, I do confess.

Re:o.k.

Okay so at my school we have faculty advisers that are assigned to students according to their last names. The faculty advisers help students with scheduling conflicts, general questions, help with internships/employment, etc. My adviser is named Jess Depew and she's pretty hot. I don't have a picture that could do her justice at the moment. She's like 25 and she's only been at the school a few years. Anyway, I have been looking into getting an internship at a TV station or something over the summer, and the school helps coordinate these things with an internship database that's maintained by the advisers. You log on with your school ID and password and you can browse internships and stuff. I was having trouble logging on to mine so I went to go see Ms. Depew. That's where all the trouble started.

Firstly, I walked into office like 15 minutes early like an idiot and she's in the middle of lunch. So I awkwardly make stupid stall talk until she's finished.

"Oh, hey, what are you eating?"
"Salmon. I love it. I eat it practically everyday."
"Just salmon? That's pretty weird." Why the hell did I say this?
"Oh, well, I don't know. I try to eat healthy, natural foods...you know, like wild berries and honey and stuff."
"Yeah, I like food too." *facepalm*

Man, I was so nervous. Anyway, we finally begin squaring my stuff away. She looks up what I registered with in the beginning of the year. This is when the crap really hit the fan. This is how the conversation went:

"Okay, your account name is [my name] and your password is ...'depewissexy'..."

Oh damn. I completely forgot that I put that as my password in the beginning of the year. What the hell was I thinking? It was probably the longest 20 seconds of my life before I finally got my balls together to stand up and leave. Just as I walk out the door she says,

"In the future, you might want to bear in mind what kind of things you want keep to yourself."

I was so freaking embarrassed I wanted to kill myself right then and there. I wanted to run the hell out of there and never, ever see her again. But something about what she just said kept me standing in her doorway. I decided to man up and apologize. I turned to her, looked her straight in the eyes, and swallowed my pride. And then, it hit me like a train full of bricks.

She was eating Salmon.

She tries to eat all healthy, natural foods, like wild berries and honey.

She told me that I might want to bear in mind what kind of things I want to keep to myself.

Ms. Depew was a bear disguised as a human.

Immediately, the bear saw that I had seen through its charade. It roared loudly and took a menacing swipe at me. I deftly avoided its claw and sprinted out of the office. The bear was soon in chase, crashing through the walls of the office as if they were made of paper. I jumped over the receptionist desk and ran out the back entrance. The bear followed, tossing the secretary aside like a rag doll. The bear began to pursue me through the street traffic. While I fought my way through the maze of vehicles, the bear simply careened its massive force through anything standing in its way. Cars veered off the road to escape the onslaught of grizzly force that was barreling down the road. The bear was gaining fast. I had no other option but to make my way into the nearest building: a preschool. I burst through the door, startling the children from their naps. Immediately, the bear slammed through the wall, crushing a child beneath his massive paws and burying several other children in sheet rock and debris. I maneuvered my way through the chaos towards the back exit. The pre-schoolers were little more than a screaming annoyance for the bear. Its massive paws cut swaths through the sea of toddlers with each swipe. I used the precious time these children had afforded for me to make my escape into the playground. I scrambled up a ladder to a fort-like structure. My goal was to walk across the monkey bars then jump to a tree which I could climb

Re:o.k.

[Ethanol-fueled]

Yeah, go through all the trouble to abstract and obfuscate your computer operations only to have the NSA suck up and decode all of your internet traffic through their fiber splices at your ISP. Computer privacy and security no longer exist, just get used to it.

Re:o.k.

[value_added]

I install a *nix as my primary OS, create a VM using VirtualBox

Virtualbox doesn't run on "*nix", so the simplicity of your example is misleading. Windows, Linux, Macintosh and OpenSolaris are the only supported operating systems. The guest OS support is similarly limited.

If you meant Linux, I'd suggest you say "Linux" or possibly "some flavour of Linux".

Re:o.k.

I install a *nix as my primary OS, create a VM using VirtualBox, and I'm legal, so far, right? Get the VM all updated, then clone it 99 times. Suddenly, I'm illegal, right?

too lazy to sign in, and come back to find this !@#$ing post.

Unless you live in a jurisdiction where the courts won't enforce EULA's, you made a contract to agree to the EULA when you paid for, installed, and ran windows for the first time. That EULA specifies how you can use the software.

0: if you didn't pay for Windows, it's illegal to install it AT ALL.
1: If you bought a copy of windows and install it on hardware it was designed to run on, it's 100% legal. Any part of the EULA that seems to not allow this is you not understanding it.
2: If you install Linux, and run one instance of VirutalBox, and EMULATE hardware Windows was designed to run on, it's legal unless your EULA prohibits virtualization. At least one edition of XP Home did that. Check the acutal version you're using. But you're still "installing one copy on one machine", just with some lower-level software beneath it.
3: If you install Linux, and run multiple instances of VirtualBox, you MAY be illegal. Again, check your EULA. Does it mention virtualization? Are you allowed to install it on one machine, or run in on one machine? Hell, your EULA might let you run a million copies with up to ten thousand users.

"Is this legal" is a far less important issue than "is this in keeping with the EULA you agreed to?" The law doesn't give two shits if I run one copy of windows or a million, so long as I have Microsoft's permission. And that permission is embodied in the EULA. Go read it. And if you don't understand it, and actually care about the answer, go ask a lawyer.

Re:o.k.

[metacell]

No, I think she meant she ran three virtual machines directly under the host OS. And not all at the same time; the "safest" one she only fired up for bank errands and the like.

Re:o.k.

[korean.ian]

Thanks, I needed a good laugh before sleep.
M. Knight Shamalamalamamam couldn't write a better twist.

Re:o.k.

But what you don't know is there's an ANGRY GRIZZLY BEAR in your cupboard next to the flour.

Still, the AGB can't kill you until he's tapped you on the shoulder.

Ignorance is bliss.

Re:o.k.

That's what I was getting at (I'm the above AC) - there's always some trade-off.

I'm not saying that this approach, or any approach at all, is worthless because it requires you to invest time. I'm just saying that the time required is one factor you'll have to, well, factor into your decision.

What your privacy and security are worth is another good question, actually - although probably more intended as a soundbite than anything else ("of course they're worth everything!"), it's a question you should be asking yourself. There IS a point where investing more time, or money, or effort, or anything in order to squeeze out yet more privacy or security isn't worth it anymore.

Where that point actually is depends.

Re:o.k.

But you are only 'running' one copy at a time (assuming single core switching for simplicity)? :-)

And please don't bother responding to this MS dudes/dudettes, I know there is a clause buried somewhere in the license terms that probably covers every possible legal angle on this, while asserting that the OS isn't guaranteed to perform any useful purpose at all.

Re:o.k.

[vivaelamor]

Virtualbox doesn't run on "*nix", so the simplicity of your example is misleading. Windows, Linux, Macintosh and OpenSolaris are the only supported operating systems. The guest OS support is similarly limited.

Hang on, suddenly MacOSX, linux and OpenSolaris are not *nix?

MacOSX is registered Unix 03, OpenSolaris is based on System V Unix and Linux is a non registered Unix clone. Which of those don't you consider *nix? The ones without nix on the end (which leaves Linux) or the ones that aren't Unix (which at least leaves MacOSX)?

You could also throw FreeBSD into the mix which is similar to Linux in that it conforms to many of the same standards without being registered as Unix, there is an experimental version of VirtualBox available for FreeBSD.

Re:o.k.

[TheGothicGuardian]

Offer to share your pancakes?

Re:o.k.

[tepples]

If only somebody would make a free OS!

I think you meant "if only somebody would make and promote hardware designed to work with a free OS".

Re:o.k.

the OS isn't guaranteed to perform any useful purpose at all

Which is why I neither read nor care about what the EULA says.

The product sold to me is guaranteed to do exactly nothing. Really. Nothing. So I reciprocate in kind and do nothing of what the EULA may pretend to require of me in return. Simple and completely fair.

Re:o.k.

[NotBornYesterday]

You're right. Of course, another factor is whether what you are doing is what you really like doing, whether it interests you. I love tinkering with computer hardware and software. Are extra levels of security vital to me? No more than anyone else. However, I can implement them more easily than the average Joe, so the time tax is less, and I (mostly) have fun doing it.

I love brewing my own beer. Is it worth my time? If I add up the dollars and cents saved (ingredients vs. buying beer) and subtract (what i could earn working * time), probably not. If I try to amortize the money I have spent on my brewing gear over the amount of beer I produce, forget it, it's a money-losing proposition. On the other hand, I love doing it, and I can brew some damn good beer.

I guess some things are their own reward.

Re:o.k.

[NotBornYesterday]

+1 Awesome

Re:o.k.

As long as you don't open the cupboard you don't know it's there, and it wont hurt you.

Once you open the cupboard, you know it's there and *IT WILL* hurt you!

Sheeh! Never heard of logic?!

Re:o.k.

[ZvlvLord]

A Grizzly Bear? Next to the flour? Hhhm, I doubt that. The plank could never hold the weight of the bear, especially if we consider that the plank *already* has at the very least a few items on it.
Simple physics my dear Woosh, sorry my dear Watson.

Re:o.k.

[Starayo]

The plank is frozen in fear.

Re:o.k.

[Capt+James+McCarthy]

It's only free if your time's worth nothing.

Most of your time IS worth nothing. But people are too arrogant to admit it.

My time is highly valuable. To me that is. I could care less if it's valuable to you or anyone else. I don't feel that is arrogance. If I don't value my own time, how can I appreciate/value other folks time? Or who would value my time if I don't value it myself first?

Re:o.k.

[muckracer]

> go through all the trouble to abstract and obfuscate your computer operations
> only to have the NSA suck up and decode all of your internet traffic through
> their fiber splices at your ISP. Computer privacy and security no longer exist,
> just get used to it.

You could 'just get used to' using encryption, dear friend, instead of depressing yourself with that defeatist attitude.

Speaking of the NSA...I very much missed any questions/answers pertaining to SELinux. Would have loved to hear her take on it.

Re:o.k.

[rgviza]

Who the **** cares? Nobody knows but you and Slashdot. Oh, wait a minute...

But seriously, this is like asking how much you should pay the RIAA because you burned your mp3 collection to DVDs and gave a copy to your girlfriend (after stripping out the serial numbers amazon puts in the comments, of course)

If a tree falls in the forest and nobody is around to hear it hit the ground, does it make a sound?

-Viz

Re:o.k.

[Runaway1956]

"If a tree falls in the forest and nobody is around to hear it hit the ground, does it make a sound?"

Scientifically speaking, a transmitter, a medium, and a receiver are necessary for sound to exist. If no human is around to hear the sound, does NOT mean that there is no sound. My cattle heard the tree fall, and they were all extremely jumpy at morning milking. So, of COURSE there was a sound!!

The question regarding EULA's and licenses regarding virtual machines is a question that will be answered sooner, or later. The answers may be different for home users and for enterprise, but the question is legitimate. And, no one even needs to guess what MS will want those answers to be - "WE WANT PAID!"

I've already said that I'm not going to pay them. Many people will. What's right?

Re:o.k.

WTF? Why was the password stored in plaintext?!

Re:o.k.

[jonadab]

> was she saying she's running a virtual machine
> inside a virtual machine inside a virtual machine?

No. She was saying she runs three different virtual machines, for three different purposes, but all three of them are run inside the same host system. Presumably she doesn't usually run all three at once, so on recent high-end hardware the performance should be reasonable.

I wouldn't want to try it on my five-year-old single-core workstation, but she's a security researcher, so she can afford new hardware every couple of years.

huh?

[vux984]

I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization.

This seems a touch... idiotic. I could see how it could offer more. AND I don't see how it could offer less.

For what its worth, I don't use an A/V product either.

And Like her, I also have a "pretty reasonable setup" and a dose of "common sense". But I'm still balancing the increased responsiveness and hassle-free experience vs the extra security. Its a trade-off that's worth it to me, but I recognize that it is still a trade-off.

Re:huh?

I've never understood why banks have locks on both the doors to the vaults and on the safes.

Re:huh?

I use an A/V product for two reasons:

First, it is a last line of defense. Sometimes the AV program is updated and can catch threats before a browser or browser add-ons are patched.

Second, I use one that is certified by ICSA and other known independant labs for pure CYA issues. Its a lot easier to excuse something by saying that "oops, it got by the antivirus program that is properly updated daily" versus "I don't run AV". CYA 101, and I'm so used to it in work environments, I practice it at home on Windows boxes.

Re:huh?

[JustOK]

And the building itself.

Re:huh?

[benjamindees]

Think of it this way. Antivirus software is like the Marginot Line. It will keep out most invaders. But the really threatening ones will simply drive around it and disable it from the inside.

Her setup is more like a fortress filled with cruise missiles that can be launched with lots of advanced warning of attack.

Both have costs. One is more effective than the other. So, saying that something expensive and incomplete like the Marginot Line provides increased security may be technically true, but it's kind of a moot point.

Re:huh?

well, I don't know whether she uses A/V products or three virtual machines, but, man oh man.. she's hot.

Re:huh?

Of course, if she really thinks that her computer and her data is THAT valuable, she's pretty stupid to begin with.

A better analogy would be bikes. (Yes, bikes, not cars. Sorry.) Imagine you've got a bike that cost, I don't know, a thousand bucks, and you want to leave it somewhere. So you chain it to a lamp post with a decent lock.

Will that provide you with perfect security? Of course not. A bunch of dedicated criminals could come in with an angle grinder, saw through the lamp post, put your precious bike on a truck and drive away. And they might well get away with it, both literally and figuratively speaking.

What's more, this is an attack where no lock, no matter how good or expensive, will help you.

But most people won't worry about that: the vast majority of bike thieves aren't professionals like that. Using a decent lock to secure your bike on a lamp post will, in your words, "keep out most invaders".

And that's enough. Yes, the "really threatening ones" will not care. The "really threatening ones" also won't care about this person's security setup - SHE thinks it's secure, of course, but security is like cryptosystems; everyone can design something that THEY can't break, but that doesn't mean it can't be broken by other, smarter people.

Myself, I couldn't break it, because I'm probably not smarter than she is, but I'm wiser because I realize that it's not actually a moot point at all. (Oh, and BTW, I'm not the GP AC; I just wandered in.)

Re:huh?

[Bigjeff5]

Poor Belgium, nobody ever thinks they are a threat, do they?

Re:huh?

[Geshem]

How is this insightful? Joanna knows something you don't: A/V only protects you against trivial exploits and rootkits. Anything slightly sophisticated, and your A/V is useless. Joanna assumes that if something manages to get passed her security "perimeter", an A/V certainly isn't going to stop it. (what such things might be? Well, CPU exploits, rootkits which VM your OS, etc.)

Re:huh?

"I could see how it could offer more. AND I don't see how it could offer less."

If I remember correctly, Symantec and other anti-virus programs have managed to have serious bugs leading to infected systems.

Here's one reference:
http://www.theregister.co.uk/2005/12/22/symantec_archive_bug/

Then there's the problem of "consumer" anti-virus programs (eg. Mcaffee), that seem more interested in nagging you for a credit card number for a subscription than in looking for any viruses.

About a year ago I got some sort of virus through an exploit in a recent version of firefox (from accidentally browsing to a malicious site). It immediately caused a browser crash, followed by popups. Symantec was able to detect something in a scan of all the files on disk (it didn't catch anything at the time), but not clean it. About the only good I can see an anti-virus doing is potentially alerting you to a problem. Cleanup generally means reinstalling from scratch.

Re:huh?

[vux984]

Joanna knows something you don't: A/V only protects you against trivial exploits and rootkits.

Except I do know that.

Joanna assumes that if something manages to get passed her security "perimeter", an A/V certainly isn't going to stop it.

And how does running different tasks in color coded VMs protect you? All it does is mean when she's surfing for porn in "Red" and gets infected, her banking info in "Green" is safe. She's still infected though, and has to clean out Red. And all her porn passwords have been compromised.

And if her bank's dns is hijacked or there is an mitm attack, Green can be infected too.

A/V might have helped it might not have. Depending on how fresh the particular attack was.

Well...

[afabbro]

She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

And in the article:

I totally don't care about a compromise of my "Red" machine--in fact I revert it to a known snapshot every week or so. I care much more about my "Yellow" machine. For example, I use NoScript in a browser I have there to only allow scripting from the few sites that I really want to visit (few online shops, blogger, etc). Sure, somebody might do a man-in-the-middle (MITM) attack against a plaintext HTTP connection that is whitelisted by NoScript and inject some malicious drive-by exploit, but then again, Yellow machine is only semi-sensitive and there would not be a big tragedy if somebody stole the information from it. Finally, the "Green" machine should be allowed to do only HTTPS connections to only my banking site.

And as long as your bank is never hacked and serving up malware, that probably works well...

Re:Well...

[Deanalator]

That's what the noscript is for. It does more than just blocking javascript these days.

Re:Well...

[Sponge+Bath]

If you have already set noscript to allow your bank's site (required for most banks), and that site has been hacked, how does that protect you?

Re:Well...

[maxume]

NoScript is a ninja warrior.

Re:Well...

[ceoyoyo]

And as long as you don't care that your "Red" machine spends most of it's time as a zombie sending out spam.

Re:Well...

[mlts]

This is something I'm wondering. Perhaps the best thing would be for the "Red" machine to be completely rolled back when done using, and have a virtual share mapped for any data that is worth saving.

Re:Well...

[Jeff+DeMaagd]

The problem I have with noscript is that it causes more work than it saves. If I have to manually set clearances for nearly every site I visit just so the site works properly, then it's probably just too much work, there has to be a better way.

Re:Well...

[Zerth]

That's what I've got on my setup now.

After upgrading to a multi-core system where each had more processor and memory than my previous computer and noticing that 1 core was idle unless I was doing something CPU intensive, I virtualized my old machine and saved a snapshot just after bootup and opening a browser.

Then I started using that in seamless mode instead of a browser. Every time I close it, not only is the browser history/cache/etc wiped, every possible change to the entire system is wiped.

It doesn't run AV because that system just doesn't matter anymore. Instead of restarting my browser, I'm effectively wiping & re-installing whenever it feels laggy or "off".

Perhaps it is a false sense of security, but as long as it is firewalled from the rest of the network and there isn't a "Neo" virus that can "escape the simulation", I feel safer than browsing on the host system with all the AV/noscript utilities running.

Re:Well...

That's why I switched to Chrome, which has all the resources of Google behind it to prevent you from visiting comprimised sites in the first place. Before, I was very loyal to Firefox and wrestled with NoScript all the time - it got to be awful - too much of a hastle. Now with these latest attacks on FF, I am so glad I use Chrome. Also, it boots in the blink of an eye, where Firefox takes a few seconds.

Re:Well...

[Tenebrousedge]

You can whitelist, you can blacklist, you can disable JS entirely, or you can live with not having that layer of security.

I suspect you need to actually use noscript and dig through the options before making that pronouncement. You can, for example, have all scripting from the top-level site be allowed by default. I don't recommend that for your porn browsing, but it should work on most other sites.

In terms of having a relatively secure JS-enabled browsing experience, NoScript is about as good as you can get; there's probably not going to be a 'better way' there. There are plenty of ways to be secure on the internet, though.

I've spent approximately 300 seconds to date fiddling with NoScript. I've spent more time than I care to remember cleaning viruses off of computers and reinstalling OS's. In point of fact, I'm doing that right now. I'm getting to the point of thinking that on a Windows machine, using the internet only in a virtual machine is a reasonable option. As is I use linux, and feel extraordinarily thankful to have that option. If you wanted to be completely nuts about it, you could run firefox in a vm in a chroot jail on OpenBSD on a non-x86 processor, building all components from scratch, etc etc. It's just up to you what you want to sacrifice for security. Myself, I don't think that a few minutes of configuration spread over a period of months-to-years is all that big of a deal. But hey, it's your call.

Re:Well...

[bill_kress]

I was thinking something along this line--it would be nice to have a file system where all modifications were stored on a second partition on the hard disk and the primary partition was read-only (Preferably physically through a switch), including the boot sector.

On ever boot, the data in the "writable" partition is destroyed before the first write/read ever takes place.

A specific command could copy changes over in order to update the writable partition. This would be done during the shutdown process and a list of all changes could be reviewed before flipping the switch to make your drive writable.

For normal usage, such a system would be easy to use, the only difficulty would be when you wanted it updated, and even then it's not too bad. It is somewhat vulnerable when doing a "Save state" operation to a very specific targeted attack, but even this could be mitigated.

(For instance, you could have to go through a full reboot and boot off the protected partition and have IT display the changes before actually copying them over to the protected drive. I think that would make it 100% secure if you knew how to review the change list properly)

Anti-virus would also be pretty easily replaced by code that just analyzes the change list before you are able to update your main partition.

I suppose there could even be a third partition that you could never run code off that could store cookies and stuff like that if you don't want to always lose your browser history. Might add a little hole for scripting, but still pretty close to 100% safe.

Re:Well...

[mr+exploiter]

If you are so paranoid that you worry about what would your happen to YOUR computer after your BANK was hacked, you should sell your computers and go live to a cabin in the woods.

Re:Well...

[bjourne]

Why do you believe most banks sites requires javascript?

Re:Well...

[lagfest]

Already exists for windows: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

And it's free.

Re:Well...

Some time ago I tried to find a bank in UK which would not be flash-based. Either I wasn't careful or most of them is flash-based.

Re:Well...

One small glitch.

If you do get exploited, and the exploit steals your passwords, and you shut down your vm, you would never know your passwords were compromised.

Like her, I never ran AV either (all the way back to the bbs days) I did run some AV on my bbs, but it wasn't as taxing on the system back then. I am behind a firewall, with rules and cidr bans.

Still, I might have used some trials to track down bad stuff occasionaly and then uninstall. e.g. reporting, and then I go in and delete it myself.

But recently in 2009, I got hit by virut.ce. The ball game has just been raised a level.

Should we now have squid reg exp's to block iframes? I do now.

After buying new hard drives, rebuilding (actually this is going to take months, to fully get back to where I was before) and cloning (already doing that now, we are not going backwards from stupid mistakes) them.

I now have kasper, it's already detected an attempted virut.ce download and stopped it. Why Kasper? No reason, other than I used to use it back in the bbs days. The download was supposed to be a clean site, legit file.

Anyway, not running an AV ever is flawed.

By running AV..
Granted you'll need to shut it off to burn a disk, or render media. But if your not at least trying to detect things while online, your in for a big nasty suprise, I don't care how much of an security expert you call yourself. And how many vm's and proxies you hide behind.

The other thing is people only have a certain amount of money and resources, while I can go out and spend on drives and crap I use, not everyone can just fly out and buy a matching pair of drives.

Yet again a backup and AV doesn't solve the compromised password problem. When you get hit, even if you can re-clone your drive, or reboot your VM, you still only have a small window of time to get your ass out there and change all your passwords. Although your system might be back up, your accounts are just waiting to be destroyed. It's a major annoyance, and not everyone out there is capable of booting a LIVE disk either. A windows user might not know how to set up the network on a LIVE linux disk.

This is where my strategy currently is.

You literally can't trust usb drives cause they can infect your system. Although CERT says how to turn off autoinsert . it's just a registry entry, if you can delete it like CERT tell's you to, it also can be maliciously re-created by a true virus.

So storing passwords on a thumb drive is not cool.

So I thought about ssh/sftp. Means you have to have a network connection. While this is good between two clean machines, it's a problem when one is infected.

If you just leave your VM to be the same, then when you restart the VM the passwords will be the same.

I am starting to think the only way to really be safe is to have them written down in a paper book, which is then stored in a safe. The problem with this for me currently is I have some passwords that are high ascii and can't be normally typed.

So what do we do write them on an obscured file, perhaps named something which won't draw attention. .gif, .jpg I freaking don't know. I don't like password managers either cause they depend on java or are not multi-platform.

While most of this rant is on protecting windows boxes, one also has to look at your linux boxes and any other OS..

Frankly security for my boxes is becoming such a bloody pain in the ass, it's cutting into getting real work done. While you might laugh, ask yourself are you producing anything? Do you produce tv? Do you manage websites for yourself and others? -- Or do you just read shit, talk shit, play games and do email? Your box is fucking nothing compared to the shit I have to deal with. I could format your box from scratch in no time. My production box takes about three months to load. That's LOADING shit on for three months, and working out bugs, compatibility, and security. Deciding to format is no sma

Re:Well...

[Z34107]

You're looking for the Enhanced Write Filter. It redirects all writes to RAM, meaning your changes are lost when you reboot. (Or you can have a shutdown script that commits changes to disk if you want.)

It's part of the XP Embedded SDK, so it's designed for things like letting you run XP from a ROM chip or from a CD-ROM. I use it on my netbook because having all writes trapped in memory makes it's cheap, slow SSD seem ridiculously fast.

Re:Well...

I looked at XPe and that functionality. However, I don't think Microsoft intended for it to directly protect against malware, but more to be able to redirect writes to a better space for embedded devices. I'm almost certain that a malware author who gets a copy of XPe or WinFLP could disable the redirects, or at least write directly the changes wanted directly to the system volume.

Utilities like DeepFreeze are better at preventing malware from writing, but because both DeepFreeze and the malware will have the same access permissions, its a matter of who has the more clever programming to ensure the other program isn't able to do its function.

Ideally, the best way to enforce changes get dropped after a reboot is a hardware card like HDD Sheriff (although the current offering doesn't seem to support any Windows version newer than XP). After that, is a hardened hypervisor that can rollback to a known clean snapshot.

Re:Well...

[mlts]

The only place where using VMs for projects might not work well are applications (including games) which require Direct X and high performance. VMWare Workstation has some experimental support for DX9, but if one wants to play a game, probably their best bet would be a second drive with an OS that isn't used for anything other than gaming.

Re:Well...

[drsmithy]

A specific command could copy changes over in order to update the writable partition. This would be done during the shutdown process and a list of all changes could be reviewed before flipping the switch to make your drive writable.

People will happily run said command to infect themselves when offered some porn.

The problem with defeating malware isn't the technology, it's the people.

Re:Well...

If you are saving data, wouldn't it be best not to use the least secure VM to do so?

Re:Well...

Tried using an disk imaging program? It won't help with the passwords but should get you up and running a lot faster with less loss of data.

Re:Well...

Heresy! Microsoft is incapable of doing anything intelligent.

Re:Well...

I've been doing that since v1.3.0 of VMWare Workstation. Create a browsing machine, configure it, once configured set a snapshot and RAR it up (password protected if really paranoid), and put it on a stick/CD-DVD (if hardcore paranoid). Close machine after every session and never, ever, allow an update to the snapshot. You can even have it scripted to cross network restore if you want.

Now, for any files, tuck them into a heavily targeted folder with multiple scanners to give it the treatment before opening the airlock doors ;-). You could even have multiple levels of this if you want.

VMWW is useful here with it's shared folder, especially if you craft your ACL's well. It's a game, Game it well.

Re:Well...

I just use Safari. Never has been a security issue with this browser, and in all likelihood never will. Apple does a great job in making products where the end user never has to worry about security at all other than keeping automatic updates on.

Re:Well...

Very well known websites can be compromised. It need not be the actual web server, it can be an ad rotator that serves up javascript to try to exploit a browser hole, a hole in an add-on, or something along those lines.

So, having a VM just for banking is a good idea for two reasons. If the bank's website gets compromised, it won't affect anything else.

Re:Well...

[Deanalator]

I don't allow my bank with noscript. I don't just white list every site I go to, I only enable scripts if things are epicly broken, like ajax heavy sites.

My point though was beyond javascript whitelists. Even if you have "allow scripts globally" enabled (bad idea) noscript will still block most attempts at xss, heapspray, plugin abuse, and sketchy redirection etc. In short, noscript is a ninja warrior.

Re:Well...

I was thinking of having a machine that runs Linux and some type of A/V scanner in that. I've used McAfee for years (mainly for making sure word documents in and out were clean as opposed to catching other types".

The VM could just be an ISO image of a Linux boot CD that mounts the virtual drive, does a scan, then can be easily shut down once the virtual disk is unmounted.

The problem though is that malware would have to be far-fetched to jump through all these hoops, but with all the time, money, and resources available to black hats these days, it can be done.

Re:Well...

[Nikker]

After using NoScript for a couple months I found an easier way to calibrate it. First go to a bunch of commercial sites and set sites like Alexa and thelike to untrusted. I use it to blockost sites since most have a static fail over. Makes my browsing much faster and keeps an extra bit of security on my side.

Re:Well...

[vivaelamor]

She didn't say she doesn't have some sort of firewall. Stopping infected machines communicating isn't a job of antivirus programs and a properly configured firewall is far more effective at stopping your data getting out than any antivirus.

Re:Well...

[salesgeek]

Yes. Some even require Flash, too. Why? There are large numbers of executives that are smarter than you at banks.

Re:Well...

it's not free!

it's just gratis...

Re:Well...

[tepples]

I've spent approximately 300 seconds to date fiddling with NoScript. [...] As is I use linux, and feel extraordinarily thankful to have that option.

How many seconds did you spend fiddling with Linux to get your hardware to work?

Re:Well...

You need to elaborate. Really.

Re:Well...

[Tenebrousedge]

I bought it with linux preinstalled, so none. Sorry :(

Re:Well...

[tepples]

I bought it with linux preinstalled

How many seconds did you spend calling various computer shops in your home town to find one that would sell you a PC with Linux preinstalled?

Re:Well...

[Tenebrousedge]

None, someone else found it for me at Best Buy. I am not aware that they spent any time or effort looking for it either, they just happened across it. It's been my first experience with linux; based on that experience, I have been recommending it to a few acquaintances. Mostly those people who have had problems with viruses in the past.

I think we're done with this line of questioning; it does not seem to be headed to any useful conclusion.

Re:Well...

[oliderid]

On my laptop? mmmh I think around 4 hours. 1 hours of installation. 3 hours for a wifi bug. It's dual boot, KDE for daily work and a Vista installation when I need it (mostly checking web sites I'm working on). Frankly it was worth my time. I don't need any AV, most attacks are aimed at windows not linux. So life is cool...The only thing I can be concerned about is pishering...But well I'm a web developer, I'm supposed to know those things :-). Should it be the solution for the average user? No (see 3 hours for the wifi bug). Should it be the solution for a technical guy like me? Yes.

Re:Well...

[improfane]

It kind of makes sense doesn't it?

An attacker has it easy if he doesn't have to reverse engineer or run a Flash (swf) file used to add to security maybe. (Keylogger evasion and the like)

(Not that I support Flash anywhere for anything necessary, it's just another layer of security through obscurity)

Mod parent up if this is what he meant.

Re:Well...

[Tweenk]

And for Linux as well:
http://aufs.sourceforge.net/

Re:Well...

[Bigjeff5]

That's why the OP uses three VM's with varying degrees of security.

One VM has very low security, effectively nothing beyond basic security (i.e. less than an anti-virus). This is ONLY used for stuff she could give a rat's ass about - her examples for the types of things she would not do on this VM were things like online shopping or banking. Nothing with personal information or anything else she might not want compromised. She starts with a fresh image every week.

The second VM is a well secured system and is meant for doing things that are not absolutely critical, but are still sensitive and need protecting. She would not NOT do general web browsing on this machine, that is what the other is for. She would also not use it for banking, as it is not secure enough. It would be for things like shopping, giving out personal information over the web to trusted sites, etc.

The third VM is locked down like fort knox. Instead of using the "block X" methodology for securing the system, it uses the "Block everything except X". For example, all incoming and outgoing ports would be blocked except 443, for https traffic. All external hosts would be blocked except for her banking site or a very small number of similarly secured and sensitive websites. Basically, this system would be setup so securely that it would be practically unuseable except for what it is specifically intended to use.

So, Noscript would only be on the second or third VM's (blacklist on second, whitelist on third), neither of which you would use for generic browsing, and you should have no trouble at all.

She also addresses the shortcomings of her system, and that she is not completely satisfied with it because, theoretically at least, there is no reason an attack on one of the VMs should not make it to the host machine. In practice that doesn't seem to be the case, probably because there aren't many, if any, attacks in the wild geared toward hitting the host machine running a VM directly. It also probably helps that her host machine is OSx, and her VMs are Windows, making her a very small target.

Re:Well...

[ekhben]

I think you meant to say, "with all the resources that Google is going to commit to outpacing malware sites behind it." Or, in other words, bugger all, really. You're just as vulnerable with Chrome as you are with, say, Safari (let's just assume all browsers are equally exploitable, which seems more or less true by critical vulnerability count :-).

NoScript hasn't been much hassle for me. Some video sites are a pain, but most of the time the content they host is of so little worth to me that I'd rather close the tab than fuck about with the permissions in any case, and avoid one little bit of procrastination in my day.

Wups, posting on slashdot doesn't require JS. Better go do some work. By which I mean read more stories.

Re:Well...

[ekhben]

My setup is simpler: no AV, Windows set to proxy via 127.0.0.1 (no IE-using software to fuck my system over ala Windows Media Player and "codec" downloads), and, the key ingredient: I don't do much with it. I play games, I browse sites related to those games, and avoid all other uses of the web. It's a console with more buttons and user-serviceable parts.

If I have any viruses, they're so silent as to not affect the running of the machine. Four years with no reinstalls so far, and no degradation in performance.

(If you're browsing porn, googling for boobies is akin to googling for "rootkit infect me please").

Re:Well...

[bill_kress]

I wasn't really talking about this as a tool for the general public, I was saying that if I had that, I'd feel that I could make myself safe--as is I don't feel there is any way to be sure of any platform out there (with the possible exception of a system protected by a complete tripwire setup)

Re:Well...

[Deanalator]

Actually, if you aren't going to any super malicious websites, having noscript installed, and enabling scripts globally will actually still give you a significant amount of protection.

Re:Well...

[jonadab]

> And as long as your bank is never hacked

If your bank is hacked, your financial information is already compromised ipso facto, so the setup on your desktop computer is irrelevant at that point.

Re:Well...

[jonadab]

> it would be nice to have a file system where all modifications were stored on
> a second partition on the hard disk and the primary partition was read-only

It's called unionfs. The major LiveCD systems all use it with a ramdisk for the read-write portion by default, but it would work just as well with two partitions on a hard disk, or a DVD and a partition on a hard disk, or whatever.

> On ever boot, the data in the "writable" partition is destroyed

Well, a ramdisk pretty much has this property automatically, but I suppose it could be retrofitted onto another kind of setup.

> A specific command could copy changes over in order to update the writable
> partition. This would be done during the shutdown process and a list of
> all changes could be reviewed before flipping the switch to make your drive
> writable.

Hmmm. Well, if your read-only partition is a DVD, you could master a new DVD whenever you want to update it. That keeps your "physically read-only" criterion and yet still allows periodic updating.

Re:Well...

[jonadab]

Actually, I'm pretty sure SteadyState stores everything on the one partition. What the other poster describes is closer to unionfs.

Why?

[rysiek]

"...interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages)"

Why oh why did they split Joanna into 9 pages?! Thats so cruel!

Also, First Post

Re:Why?

Very long legs.

Re:Why?

[Hurricane78]

Best. Centerfold. Ever?

Re:Why?

[A+Friendly+Troll]

Why oh why did they split Joanna into 9 pages?! Thats so cruel!

They were unsure if Joanna Rutkowska was really Jan Rutkowski (which indeed seems to be the case).

Re:Why?

[Tynin]

Learn to love the Firefox add-on, Autopager. No more 9 page articles, just a nicely (generally) formatted single page.

Re:Why?

[Hurricane78]

Guyyys! Don't see a joke when you fall over it? ^^

I recommend some of those funny glasses and a week of "silliest-of" Monty Pythons therapy.

Three Separate Virtual Machines

There's careful, there's paranoid, and there's three separate virtual machines.

Re:Three Separate Virtual Machines

[VulpesFoxnik]

All of which have kernel modules to allow host systems to run them faster. Virtual hardware has such an overhead, but the day of the Virtual machine virus is going to come sooner or later.

Re:Three Separate Virtual Machines

[mysidia]

What happens when one of those kernel modules contains a security bug, that allows a malicious virtual machine driver to run arbitrary code on the host OS?

Or a security exploit is found that defeats the security of hardware-assisted virtualization.

Re:Three Separate Virtual Machines

And I'm behind seven proxies!

Re:Three Separate Virtual Machines

Some folks are more paranoid than others. I'm a geek and have a few machines at home. One of them has swappable hard drives, and I have different hard drives to boot off of depending on what I'm doing (could do it in VMs, but gaming in VMs sucks, etc).

The beyond paranoid bit? I have an old laptop I use as a bump-in-the-line OpenBSD machine with no IP address or other services running, watching/filtering traffic coming in and out of the LAN. If one of my machines gets nailed and it's virus scanner (if it's running one) doesn't catch it, I'll likely see the suspicious activity sometime on the sentinel.

Re:Three Separate Virtual Machines

[blueg3]

All of which have kernel modules to allow host systems to run them faster. Virtual hardware has such an overhead, but the day of the Virtual machine virus is going to come sooner or later.

That really depends on her setup. Virtualized or paravirtualized hardware has an overhead. Hardware virtualization has substantially less. If I had to guess, Joanna is using Xen (most of her research uses Xen, at least). Linux on Xen can be either paravirt or hardware virtualization; Windows on Xen is only the latter, I think.

Also, I'm sure the day of the virtual machine virus will come -- after all, she wrote one of the first!

Re:Three Separate Virtual Machines

and you thought your anti virus consumed lots of system resources!

security is ...

[eatvegetables]

Security is: 386 dx 40 (my first computer), BSD kernel, and Lynx non-graphical web browser. Only down side.... ascii-art porn (sigh).

Re:security is ...

[jra]

mplayer -vo aa

Re:security is ...

[Nethead]

The porn would still suck on his Herc card.

You don't use A/V? Are you insane?

If you run a recent, patched version of Linux or OS X, fine. But if you run a win32 or win64 variant, you shouldn't make the choice to place all of us at risk by running around without antivirus. It's irresponsible, and selfish.

Re:You don't use A/V? Are you insane?

[mysidia]

It's fine if you apply all security patches, utilize good firewall hardware, don't surf the web or run random untrusted executables on said win32 or win64 box.

Or if you run said web surfing inside a robust sandbox.

Re:You don't use A/V? Are you insane?

[Manip]

What is it you think Anti-Virus does?

Most people that run patched systems without clicking anything too silly rarely see an AV popup. Those that run a version of Flash that is two months old and are still using Adobe Reader 7 will be just as owned as if they had not been running AV at all.

AV is fine, and I myself run it, but if I ever see a detection that isn't a false-positive or bull, then that system is getting formatted within 24 hrs.

PS - Her Virtual environment might not even have a writeable virtual disk, and thus any nasties that get on-board are cleared each time she power cycles.

Re:You don't use A/V? Are you insane?

[ledow]

Sorry, what a load of crap.

If my AV program does the primary job that it's designed to do, it will alert me to the fact that I've been infected. That's it. Does something about that seem totally WRONG to you? It's like saying that if the military does its primary job, they will tell us we've been invaded. Er, what's the point of that?

AV *DOES NOT* stop anything, even with all the fancy-schmancy product titles that they want to use (RootkitHunter, AVToGo, Detect&Cleanse, etc.)... it merely detects the presence of a hostile element.

Now, in my experience in IT support of Windows system (covering critical public-sector networks), 99.9% of virus infections are discovered because *WE*, the users and/or technician's notice the AV fail or something that's slipped past the AV (usually by the speed-hit on the computer concerned or the fact that it's dropped off the logs). If AV can detect something, it's ALREADY on the computer. It's *after* the event. Too late. Game over. Pointless.

Now some parts of some AV packages are actually "ANTI" virus, in that they stop them happening in the first place. These products can be variously placed into the categories of: firewalls, pre-access scanners, permission-removers. Everything else that they do is ABSOLUTE bunkum.

My own personal laptop... no AV. Hell, though, I have a firewall, a web browser that doesn't execute attachments and locked-down access to EVERYTHING on it. Why do I need a taskbar icon scanning EVERYTHING that EVER gets accessed on that computer 24 hours a day and can only pop up a box (possibly, most of the time the AV just dies with any half-decent virus infection) to say "You have a virus"? Everything past that point is worthless - "clean" shouldn't even be an OPTION, nor should "Delete" or "Quarantine" because in my own personal experiments, I've see it fail at a consistently high rate on machines with known virus infections, even with the latest signatures / program versions.

Keep your computer up to date.
Stop things executing.
Check occasionally or when suspicions arise.

On a network, sure AV is good to prevent dumb users not capable of following policy. At the network edge, essential (nobody gets a mail in my workplace without it having gone through SOMETHING to scan it or at least strip all attachments). On my own IT equipment? What a waste of time.

Re:You don't use A/V? Are you insane?

[ledow]

P.S. Never "caught" a virus in fifteen years of computing, but found one once on a cover-CD for a magazine back in the DOS days. Networks I run don't get hit with virus outbreaks (and we're usually waiting for a week or two after Patch Tuesday's before we update and have a high Internet usage with completely unskilled users, on Windows XP and Server 2003 and an IT budget so low you couldn't buy floppy disks in one place!) - we get the odd virus on *personal*, standalone machines that have been taken home and brought into the network.

Re:You don't use A/V? Are you insane?

[fuzzyfuzzyfungus]

"Most of the time the AV just dies with any half-decent virus infection"

This is true. It is also a valuable feature.

Not for the poor bastards at home, of course, it'll just make their descent into pop-up misery and a new computer from best buy even faster. Pretty much any centrally managed AV setup, though, makes it pretty easy to check whether or not AV is running on a given client. If you have a client where the AV won't stay up, you have excellent reasons to suspect that the OS is 0wn3d. You can then inspect further, or just pave and reimage, depending.

Malware's habit of shoving an ice pick into the AV's neck at first opportunity is bad for nontechy home users; but it arguably makes that malware easier to detect in serious setups(if the AV can't detect the malware, which is likely, its blood demise will be obvious enough to draw attention).

Re:You don't use A/V? Are you insane?

[maeka]

PS - Her Virtual environment might not even have a writeable virtual disk, and thus any nasties that get on-board are cleared each time she power cycles.

If that were the case she would have no need to roll-it-back every week or so.

Re:You don't use A/V? Are you insane?

[maxume]

What are the vectors for these nasties that you are talking about?

I wonder because the only exploit I have ever watched try to run is some js launched pdfs, I was using a reader that was not vulnerable to the exploit, so nothing happened.

Re:You don't use A/V? Are you insane?

[Ilgaz]

A good AV will detect unknown threats and zero day attacks even before you read about them. If combined with a good firewall, they will detect any form of data leakage, at least in unencyripted form which is the most common.

There is amazing level of virtualisation, heuristics on commercial products like Kaspersky to the point of actually having a virtual machine in them and transparently launching suspicious application in that locked down machine before granting it some kind of "gray" level unless it changes.

There is also white list concept. Known products from known companies are scanned lightly and watched for things they shouldn't be doing. So, it is not like "every file scanned". File is scanned in different degrees.

Windows is so popular and known by black hats so "I don't run as admin" or "signed apps only" isn't enough anymore.

Re:You don't use A/V? Are you insane?

[tkinnun0]

A good AV will detect unknown threats and zero day attacks even before you read about them.

Really, how does that work if the malware has been tested to work against the AV before it being released into the wild?

Re:You don't use A/V? Are you insane?

[salesgeek]

Sorry, what a load of crap.

Thank you for telling it like it is.

The Hurd

[John+Hasler]

> The problem is, however, that all current popular OSes, like Vista, Mac OS X, or even
> Linux, do not provide a decent isolation to its applications. This is primarily a result
> of all those systems using big monolithic kernels that consists of hundreds of
> third-party drivers that operate at the same privilege level as the rest of the kernel.

Sounds like she wants the Hurd.

Re:The Hurd

[argent]

Microkernels that provide security boundaries between drivers have tended to have unacceptable levels of context switching in the kernel, so once you get past the theoretical stage and you're trying to push the performance to the point where you can compete with monolithic kernels... you're going to get rid of those boundaries.

Microkernels should be seen as a design model for a kernel, an abstraction of the traditional real-time kernel to a broader application area. You shouldn't demand or expect a microkernel to have actual separate processes for each component any more than you should or would demand a TCP/IP stack actually implement separate code layers and call gates for each level of the network stack.

Re:The Hurd

[John+Hasler]

> Microkernels that provide security boundaries between drivers have tended to have
> unacceptable levels of context switching in the kernel, so once you get past the
> theoretical stage and you're trying to push the performance to the point where you
> can compete with monolithic kernels... you're going to get rid of those boundaries.

Yet you use virtualization.

Re:The Hurd

[MikeBabcock]

Blah blah blah, theoretically and all that.

There's no benefit to a micro-kernel in these so-called ring -1 attacks. None.

Feel free to read the debate, or the previous Slashdot discussions or consider Linus' previous famous quote: Microkernels are like masturbation, it feels good but it doesn't accomplish anything.

My partner,

My partner, who is a totally non-tech person, also uses a similar setup on her Mac, and she finds it usable. So, I guess it's not as geeky as it might sound.

Re:My partner,

Your point?

Re:My partner,

His point is the interviewee is admiting to being gay.

Re:My partner,

"Joanna" is a tranny.

Re:My partner,

Are you a blithering feces-chomper, or do you just masturbate to the thought of impersonating one?

I have to agree it is idiotic

[Sycraft-fu]

It is idiotic for three reasons:

1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded form the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.

3) Defense in depth is ALWAYS a good idea. In the real, physical, world you have to accept that no security is unbreakable. Anything you can make another person can unmake or circumvent. Thus security does not come from having one impassable layer, it comes from having multiple layer of different kinds. Should one layer be bypassed, security over all is not compromised. Well, a virus scanner on the system is another layer. Should be the only layer, but it helps.

Personally, I've never been impressed with her as a security researcher. She seems to be rather paranoid, and living in a theoretical world. In part this is because for all the chatter about Blue Pill, I haven't seen it made practical. Oh sure you can talk about an undetectable super rootkit on paper but does it actually work in the real world? VMWare doesn't think it would, and they do know more than a bit about virtualization.

I'm not saying this isn't an interesting line of academic research, but I'm getting tired of the "OMG I can own any system and not be detected!" doomsaying. No, really, not the case it seems.

Re:I have to agree it is idiotic

Is she nice looking ?

I wonder how many layers of condom I would need to approach her...

Re:I have to agree it is idiotic

[Talchas]

It might be idiotic if A/V programs didn't totally ruin system usability for on-line protection. And if you just run random scans, or scans of known-downloaded things, you'll still lose against any sort of automated attack (which is where anyone reasonably computer savvy might get attacked through).

Re:I have to agree it is idiotic

[Sycraft-fu]

If your AV software screws over your system, then get a better one. NOD32 is exceedingly fast and thus low impact on system resources. Also, with any good one, like NOD, you can configure what it scans so you don't have to scan everything if you don't want to.

Re:I have to agree it is idiotic

:-(
http://www.rutkowska.yoyo.pl/

Re:I have to agree it is idiotic

[PNutts]

The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

Absolutely agree. It's nice that she has a throwaway image because it isn't possible to proect herself from her definition of the critical threats, but those aren't the threats I'm necessarily worried about. My A/V keeps (among other things) the script kiddies out who do things that pi$$ me off and cause me to react. The bad guys/girls can have anything on my system which is why they probably won't bother with me. I'm wondering how much crap her system spews the day before she decides (la la la) to reimage. That's the stuff that's going after me.

Re:I have to agree it is idiotic

But... but but you could already be infected with a BluePill! And you WOULDN'T EVEN KNOW! HA! Where's your "not practical in the real world" now?

Re:I have to agree it is idiotic

OK, browsing the internet, I found green, yellow and red condoms. Do you think that should please her?

Of course I will put them on in this order:

1) red
2) yellow
3) green

P.S. I just had a look at a few pictures of her. She is not bad looking according to my taste, I find she looks a little bit like the girl on the 24 TV series.

Re:I have to agree it is idiotic

[EdIII]

I'm wondering how much crap her system spews the day before she decides (la la la) to reimage.

That bothered me too. My VM does not commit any changes when I close it down, which I do at least twice a day.

ALSO, running everything through a proxy helps too.

Re:I have to agree it is idiotic

Well, I'm not that surprised.

Re:I have to agree it is idiotic

[Colonel+Korn]

It is idiotic for three reasons:

1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

Having cleared out nastily infected computers of colleagues for a few years, I had the opportunity to look at the logs of the (symantec I believe) antivirus programs that had failed to block the offending malware. Based on the number of "yay, I blocked such and such virus" entries per infected computer, I'd say that AV programs stop about 1/4 of real, active malware. 25% 99.99%.

Re:I have to agree it is idiotic

[blueg3]

Actually, depending on your virus scanner, it stops about 50-90% of attacks out there. Joanna's setup is almost certainly more effective.

Re:I have to agree it is idiotic

[bryxal]

Mark me as another vote for Nod32. I bought it a month or so ago and I must say well worth it. Beats the pants off all the "free" ones (AVG and the like) and don't get me started on Norton and compagny.

Re:I have to agree it is idiotic

No, it's not idiotic, it's the correct approach.

Here's why: If there are any circumstances at any point in time where antivirus could have made a difference, then you've already lost and should reimage immediately, the machine is compromised. Executing code implies a trust relationship; you trust the vendor, distributor and medium over which it was transferred (or can verify it wasn't tampered with). If you or your users are known to be incapable of making these decisions and rely on antivirus, then you should be prevented from making them using noexec or whitelisting or whatever facilities your operating system provides.

But beyond this, antivirus isn't just useless, it's worse than useless as it dramatically increases your attack surface.

Re:I have to agree it is idiotic

[blueg3]

2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded form the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it. Even if the program would set itself up on a level below what the scanner could detect, the scanner can notice it as it is coming in before it can execute and do that.

This is the malware arms race. The first entity to hit the system and know the second entity's tricks wins. Malware can completely gut antivirus. In theory, it can completely and undetectably emasculate it. (In reality, it doesn't.) Antivirus programs can detect malware and stop them -- provided they know what to look for. Knowing what to look for is harder than it sounds. You can use signature scanning to find really trivial attacks, or very fancy signature scanning to find less-trivial but still enumerated attacks. Only behavioral controls will stop novel attacks, and you need to know what behaviors to stop. Simply stopping anything that might possibly be used to get control the system will leave you with a nonfunctioning system.

Bear in mind that there's anywhere from a few days to a week, at least, before an antivirus database incorporates a new malware signature. If the malware can disable the antivirus (or its update), what's the risk in a one-week window?

Re:I have to agree it is idiotic

Exactly. Although you have to design it from the attackers perspective (Red Team it). I use a multilayer defense structure here with tight-fast routines watching the most common vectors while global/realtime scanners, which operate more slowly, are targeted at the other vectors, but deployed in depth. All in all, I'm seeing a 3-4% processor utilization and that's without running everything through a virtual IDS/IPS/firewall appliance on another machine. That, and other measures, is reserved for when the Chinese or North Koreans are coming. LOL!

That's on top of rational user practices applied especially to myself, {Excepting the idiotic idea of trying to operate Windows with restricted user access.} For a period of over fifteen years I was responsible for maintaining the sanctity of the downloads in more than a few fora over on Compu$erve. I saw a lot of infected files both in uploads and from various sites, downloads, and channels. Infections two and both of those were on the Amiga. Never on my PC's. Given that one way I use to disinfect machines (hard drives) is via a PC test bed here, keeping all of my machines infection free is very important, but not critical as restoration from an image is a piece of cake.

We each have our own approaches to the problem of infowar/infocrime. One thought though. If we all used the same techniques, wouldn't that set us up for a larger fall?

Re:I have to agree it is idiotic

[tkinnun0]

Guess what, the vast majority of attacks exploit old, publicly disclosed vulnerabilities. Keeping your software up-to-date protects against those better than relying on A/V, because your A/V might not detect a new variant of an old exploit.

When it comes to 0-day exploits, they have been tested and confirmed to work against A/V, so you're just as vulnerable, even more so, if your A/V itself has vulnerabilities.

Re:I have to agree it is idiotic

[salesgeek]

As such, a virus scanner running in the OS is perfectly capable of dealing with them.
Antivirus works after code has been sent to the computer or while it's sent using a limited set of known methods. For many exploits, code runs before antivirus gets a crack at stopping it. That's why Symantec's David Hall said "If you are relying solely on antivirus ... you are not getting the protection you need.". The issue is that antivirus gives a user a very false sense of security because it works good enough most of the time.

A virus scanner in the OS can stop that. It can scan the program coming in, before it has a chance to run, and block it.
Not so much. Sure, if it's a file download that the virus scanner knows about (that's an issue right there). Not at all if it's a browser, OS or network stack exploit. And that is how many modern threats are moving - and increasingly so - and it's probably because antivirus works good enough to require a little more unconventional attack.

Regardless, I've got to agree that for non security experts, virus scanners are something you should have. For security experts, I'm not sure they provide all that much value.

Re:I have to agree it is idiotic

[drinkypoo]

AVG is the new Avast! is the new AVP. Each of these has become stupid pathetic bloatware you would never want on your system.

The new GUI freebie is Avira. It pops up an annoying screen every day to try to get you to buy it, guaranteeing that I never, ever, will. But it's found viruses in my stash of no-CD checks* and whatnot that no other scanner I've run has managed to find.

* I recently bought Simcity 4 and Black & White 2 so that I could play them on my laptop, and the vibrating optical drive is not a feature in my book, so I needed some patches. CD checks are fucking evil.

Re:I have to agree it is idiotic

[vux984]

Actually, depending on your virus scanner, it stops about 50-90% of attacks out there. Joanna's setup is almost certainly more effective.

More effective than it would be if she took her existing setup and installed antivirus into it?

I think not.

Re:I have to agree it is idiotic

Welcome to Computer Science, where the guys are guys and the girls are guys.

Re:I have to agree it is idiotic

[kill-1]

The AV companies are paid to include cracks, no-CD patches etc. in their virus databases, even if they're not trojans or anything.

Re:I have to agree it is idiotic

[ioshhdflwuegfh]

It is idiotic for three reasons:

1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

Your desire to reason about idiocy is really touching! Now, let's first admit to yourself that you pulled that 99.99% out of your ass. Then, this figure is useless if that 0.01% of viruses, that are not coming out of your ass, steal the sensitive data. What she says is many things:

1) that the whole idea of AV scanners is just the wrong way to go. AV software lags behind virus writers, her techniques are already patching up very serious holes for the potential viruses of tomorrow.
2) She goes for 100% security of your important data, which is the exact opposite of what AV software does, and which you, in all your burning desire, claim to be impossible.

2) Even in the case of low level root kits, they still have to get to your system in the first place. That in general means they have to get downloaded form the net or transferred from a CD or flash drive. Guess what? A virus scanner in the OS can stop that.[...]

Guess what? If your system is on the net and you're protected by the latest AV software, plus some decent standard measures of protection, you could get nasty virus.

[...] I haven't seen [BluPill] made practical. Oh sure you can talk about an undetectable super rootkit on paper but does it actually work in the real world? VMWare doesn't think it would, and they do know more than a bit about virtualization.

I'm not saying this isn't an interesting line of academic research, but I'm getting tired of the "OMG I can own any system and not be detected!" doomsaying.

Here is one practical question for you & VMWare: how do you know that your computer is not already run by the BluePill? "No, really, not the case it seems" does not seem to be an answer to this. Ergo, you are an idiot.

Re:I have to agree it is idiotic

[Magic5Ball]

You may wish to re-read the part of the interview where she explains how running additional programs--such as AV containing exploitable flaws not found in the absence of the operating system--in the same context as the viruses and the kernel results at best in a draw in the long term (the usual two-sided arms race to find/exploit/patch), but a potential short term win for malware in terms of data loss and reliability. Since a new malware works on the scale of minutes to hours, whereas the countermeasures respond on the timescale of hours to days, AV programs running in the same ring as everything else, including the malware, will almost always be in the lagging defensive position.

As a well learned expert who implements security solutions regularly, I'm sure you recall various incidents where AV products have detected legitimate OS/AV/etc components as the result of bad automatic signature updates, and how the resolutions required lowering the security of the overall system at least temporarily. Also, you must already be familiar with the human factors of security, wherein our perception of risk strongly influences our behaviour with respect to risky activities, especially when safety devices are perceived to provide greater mitigation than they actually do.

Re:I have to agree it is idiotic

[drinkypoo]

It wasn't the oldest or the newest cracks. The cracks I'm using right now (almost literally; I quit Simcity 4 less than two minutes ago) certainly weren't identified.

My understanding of the false positives in no-CD checks is that they are UPX false positives. Avira defaults to not go off on every packed executable. It found actual viruses in the no-CD check patches it removed. One of them was one I downloaded which was a current version, and one wasn't. The perils of removing protection...

Re:I have to agree it is idiotic

[prometheus123abc]

1) The vast majority of attacks out there are simple programs that install in the OS. They are not some uber VM root kits or the like. As such, a virus scanner running in the OS is perfectly capable of dealing with them. So no, it doesn't give you 100% defense but I bet it stops 99.99% of the attacks out there and that is worth something.

...Personally, I've never been impressed with her as a security researcher. She seems to be rather paranoid, and living in a theoretical world...

Where are you getting this 99.9% figure? Virus detectors most certainly don't prevent 99.9% of attacks. Have you ever used windows? I will admit, most malware is detectable by antivirus, but the job of a security researcher is to pay attention to ALL malware. It is easy to get a virus through a detector if you write your own code. Even if the malware is detected, certain circumstances can allow it to pass as a valid service, and the user will allow it. Security researchers are paid to pay attention to possible future threats and make recommendations to immunize our current systems BEFORE they are damaged. Even if we could stop the vast majority, it still pays to make provisions for a possible catastrophic failure in the event something does get through. Just look at what happened with conficker.

Re:I have to agree it is idiotic

[kill-1]

My understanding of the false positives in no-CD checks is that they are UPX false positives.

But that wouldn't explain all the different signatures like TrojanSpy/12345 that Avira and others assign to these executables. It also happened to me that a crack that has never been identified as a threat suddenly (after a virus database update) got flagged for some reason.

To me, this looks like the AV companies deliberately add those programs to their databases. Presumably because they are paid by software vendors.

Re:I have to agree it is idiotic

[drinkypoo]

But that wouldn't explain all the different signatures like TrojanSpy/12345 that Avira and others assign to these executables. It also happened to me that a crack that has never been identified as a threat suddenly (after a virus database update) got flagged for some reason.

To me, this looks like the AV companies deliberately add those programs to their databases. Presumably because they are paid by software vendors.

To me, this looks like the AV companies are doing their job, and updating definition files when viruses and trojans are found. I'd like to see some evidence otherwise before making or believing wild jerkoff accusations.

Re:I have to agree it is idiotic

[kill-1]

Well, there are some cracks I and many people I know have used on a lot of computers and that have never installed trojans or anything. Suddenly, Avira complains about it.

And how can you explain that AV software assigns some random virus names like TrojanSpy/123 without any further information?

Re:I have to agree it is idiotic

[drinkypoo]

Well, there are some cracks I and many people I know have used on a lot of computers and that have never installed trojans or anything. Suddenly, Avira complains about it.

How do you know they have never installed trojans or anything?

And how can you explain that AV software assigns some random virus names like TrojanSpy/123 without any further information?

I explained it already. If you want to offer an alternate explanation, you're going to have to provide some supporting evidence. Otherwise, the explanation that they are simply doing their jobs will suffice. The names for viruses and trojans are invented by the AV companies (usually loosely based on the name of the offending program, but not always) and if you don't know that, you're not qualified to participate in this discussion; if you were, you wouldn't be asking this question.

Re:I have to agree it is idiotic

[kill-1]

Maybe the AV companies don't get paid by software vendors. But they admit that they don't fix false positives in non-malicious keygens, because it's "illegal software".

See here for example: http://forum.avira.com/wbb/index.php?page=Thread&threadid=27517

Re:I have to agree it is idiotic

[drinkypoo]

Maybe the AV companies don't get paid by software vendors. But they admit that they don't fix false positives in non-malicious keygens, because it's "illegal software".

If you want to ignore a hit, you are free to do so. You're even prompted.

Most false positives are UPX detection, which again is off by default in Avira. So really, while Avira won't go out of their way to fix such a false detection (if you want it fixed, find or create a test case which is similar to the crack in question, and complain about it!) they're [probably] not going out of their way to create them, either.

Better solution: read only media

[jeffliott]

Use read-only media. The read-only media should have a physical write-enable switch, like an SD card or USB key, so you can do updates from a clean boot. Then disable writing and boot. For more info: Read only linux

Re:Better solution: read only media

[Enleth]

Been there, done that, works great.

A few years ago, I set up a bunch of thin clients for general browsing, chatting and homework at a school dorm - they were (were, as I have no idea if they're still in use, but they were absolutely maintenance-free, so I guess they should be) running Linux, with the kernel and boot config (generated on the fly) loaded from a read-only TFTP server and / mounted from a read-only NFS share. On each boot, the init scripts would finish generating a machine-specific configuration in /etc/ and mount a few ramfses on top of some directories using unionfs to give an illusion of a read-write filesystem. Then, upon login (LDAP authentication), the user's directory would be mounted from an individual password-protected Samba share (accessible from the users' personal computers as well), with the noexec attrubite of course. /tmp/ and /var/ were also noexec. Upgrades to the client system were performed at the server, by chrooting into the exported root directory.

Such a configuration is absolutely invulnerable to users, rootkits, viruses and any other riffraff known for breaking things in computers. Even in the unlikely event that someone gained root privileges on a client, they would actually gain nothing and even that nothing would vanish after a reboot.

Re:Better solution: read only media

[ccr]

And what about those BIOS/EFI[1] firmware-based hypervisor rootkits? If someone is able to gain root access in a given system that is somehow "vulnerable" in such way that a permanent EFI (or similar) rootkit can installed, then you'll be fucked even with the read-only media and all.

Speaking of which, I don't understand why manufacturers are so eagerly adding all this new intelligence into the firmware. What do we need it for anyway? IMO it would be so much simpler from security perspective, if the OS would be at the bottom of it all. Added complexity adds new possibilities for exploitation.

[1] http://en.wikipedia.org/wiki/Extensible_Firmware_Interface

Re:Better solution: read only media

You forget to set noexec on /dev/shm/ :P

Re:Better solution: read only media

[Enleth]

The clients were iMacs G3 - some argue that security by obscurity is a bad thing that should not be relied upon, but in this case, running Linux on PowerPC-based hardware with OpenFirmware puts the whole setup in the "WTF is this?" area from the perspective of a majority of the rootkit authors.

Stop Tom's Hardware

What is it with all these articles showing up from Tom's Hardware of late?

Its getting absurd and they are of pretty bad quality.

And they're written like an advert.

Not cheap

[benjamindees]

I have some experience with this sort of thing. Not a difficult setup, but it requires some knowledge and effort to maintain. So the cost is rather high, and hardware requirements somewhat steep. So you need a competent administrator with adequate resources.

The benefit, of course, is that it ends up being much more secure than antivirus software. Useful for when you make a living suing powerful organizations with the means to retaliate against you, while still being able to download porn on the corporate network.

Physical security is still important, though. Depending on who it is that's motivated to break into your systems, and their ability and willingness to simply "disappear" you or your employees when hacking attempts fail. I'd say it's not a setup for the faint of heart.

This is simple?

[westlake]

She runs three separate virtual machines designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

Three operating systems to maintain. Three browsers. Three filing systems? Three PDF viewers?

Where does it end?

To me, the Zero Day exploit suggests that a random choice of OS, web browser and file viewer would make more sense.

But the whole idea seems overly complex and dangerously fragile.

Re:This is simple?

[maxume]

If you aren't worried about locally maintaining a bunch of state in each VM (say you are paranoid about cookies and use something like delicious for bookmarks), you only need to maintain one VM (call it 'white' or something, it is essentially blank), and then when you do updates, you create three copies.

So then the paranoid nonsense lets you keep your browsing behavior separate, without a huge amount of overhead, and the three separate VMs help with security between updates.

Re:This is simple?

[Bill+Dog]

If you can forego keeping any state in a VM, why have more than one? Just redefine "switching to another colored VM" as "reverting this same one to its (most up-to-date) clean snapshot".

Re:This is simple?

[maxume]

Sure. I guess there is still a small difference between not maintaining state and not being concerned about losing state once in a while (it might be more convenient to maintain the state for a week at a time than to lose it everyday or whatnot).

Re:This is simple?

[ekhben]

Or, you just maintain the "high trust" VM and reset the other two from that one whenever you want a fresh state in them?

(Might be problematic if you store sensitive data in the VM, but I'm sure there's ways around that, eg, store sensitive data on an external drive you *unplug* when it's not needed).

im am da neo

[CHRONOSS2008]

you will take the red pill now

The nut behind the wheel.

[westlake]

Useful for when you make a living suing powerful organizations with the means to retaliate against you, while still being able to download porn on the corporate network.

I don't want this guy on the same planet as my corporate network.

Tnks for share

Tnks for share

Porno
Sikis
http://www.bedava-ligtv.com
Spiele Spielen
Bundesliga
American Poker
porno izle

in all do respect

I'd root her box ;)

Re:in all do respect

I'd root her box ;)

I'd be careful. She doesn't use AV.

Re:in all do respect

I'd root her box ;)

Your interested in helping research possible backdoor attacks I'm guessing.

Re:in all do respect

[MrPhilby]

^^^butthead and beavis type snigger^^^

An interesting and secure laptop setup?

[mlts]

This idea of using VMs could make for some interesting security on laptops that have TPM chips:

First, the laptop would be secured with BitLocker. This would provide two things, first, hardware and MBR tamper detection. Someone messes with the laptop while its not attended, it won't boot and ask for the recovery key. Second, BitLocker is transparant once it boots. No need to worry about an additional passphrase (though the recovery key should be kept someplace secure).

The main OS here is mainly used just as an enlighted host for the other VMs. Using Hyper-V or VMWare Workstation, one can then run several VMs, perhaps based around a similar starting OS and cloned. This way, one can have VMs focusing on tasks (document writing, browsing the naughty sites, payroll, etc.) With wise use of snapshots and isolation, if one of the VMs gets compromised, its just a click away from being rolled back to a clean state.

The only issue is getting data between the VMs, say from the payroll VM to the VM with the mail program. However, one can make a virtual hard disk that can be connected and disconnected from machines, perhaps being hooked up to a third, non Windows VM to check for tainted autorun.inf files and other stuff before it gets shuttled to a more security sensitive VM.

This is a lot of work, but compartmentalization and the ability to dump all changes in a filesystem to a known good point will go a long way in security.

Is it true...

[wampus]

Just because you're paranoid doesn't mean they aren't out to get you.

huh?

Since i got absolutely sick of Norton back in 05 i have not used an a/v program, and guess what? nothing but freedom. and i surf alot and download alot. dont do stupid sh1t and you wont need an a/v prog, that includes porn and torrent sites

Women in computer security

[thetoadwarrior]

I know this is a bit sexist and yes women can do whatever men can do (in IT) but it's rare to see a woman that does this sort of thing. I'd tap pay to tap someone like Joanna Rutkowska.

Re:Women in computer security

[BitHive]

I'm sure your boner means a lot to all the women in I.T.

Re:Women in computer security

[tabrisnet]

I can't remember where I read this (probably on /.), but there was some speculation that Jan Rutkowska used to be Johann Rutkowska or something similar.

Of course, I guess if they really are a girl, there's not much reason to care.

Re:Women in computer security

Yeah, it's speculation but there's some pretty good circumstantial evidence that one Joanna Rutkowska used to be Jan Rutkowski.

If she were Brazilian or Thai, I'd probably find it kinda hot.

Why does DEP come disabled in Win 7?

[Ilgaz]

I understand the DEP (data execution prevention) enabled processors weren't common back in Windows XP days but what is the deal with Windows 7 even 64bit version? Why wouldn't MS enable it by default as it is said to prevent very serious attacks on CPU level, without slowing down the system at all?

While there are no real viruses on OS X yet, I try to prepare machines for "no AV needed even while viruses exist" configuration just like you with couple of extra admin prompts, that is all but I don't follow Windows scene too much.

After enabling DEP, I even gamed on Windows 7 64bit (game is even running under win2k compatibility) and I haven't seen anything bad happen. I remember some stupid HP driver on another machine crashed because of DEP but that was all, the error message was really informative too.

So, do they disable it to make couple of badly written software owners happy while 99% would benefit from it?

BTW, this is what DEP is
http://en.wikipedia.org/wiki/Data_execution_prevention

Re:Why does DEP come disabled in Win 7?

It's only disabled for 32-bit software. 64-bit software always runs with full DEP.

The reason is that there's still TONS of poorly written 32-bit software out there that rely on DEP being off.

That said, I agree that they should still turn it on by default and let the informative error message sort out the mess.

I would love to fcuk Joanna Rutkowska

She's hot and she's a geek. Girls like her are rare.

Re:I would love to fcuk Joanna Rutkowska

She's also a man, baby!

http://www.rutkowska.yoyo.pl/

Re:I would love to fcuk Joanna Rutkowska

[Proudrooster]

I've been using this setup for quite a while and it seems to work pretty well for me. My partner, who is a totally non-tech person, also uses a similar setup on her Mac, and she finds it usable. So, I guess it's not as geeky as it might sound.

Very strange... why would someone become transgendered and then turn lesbian? Wouldn't it be easier just to stay male in the first case? Maybe s/he is going for a high level of personal security through gender virtualization.

Re:I would love to fcuk Joanna Rutkowska

http://encyclopediadramatica.com/Joanna_Rutkowska

Interesting with pictures nsfw :)

Re:I would love to fcuk Joanna Rutkowska

Because gender identity and sexual orientation work pretty much independently. Trust me, there are *lots* of geeky lesbian trans women out there.

Re:I would love to fcuk Joanna Rutkowska

So much for that old trope that geeks respect ability most of all, amirite?

Re:I would love to fcuk Joanna Rutkowska

[mikechant]

Very strange... why would someone become transgendered and then turn lesbian?

You don't 'become' trans-gendered. Current medical opinion is that it's a brain structure thing you're born with.
And you wouldn't 'turn' lesbian either, typically you would be born with the tendency to be oriented towards men/women/both.
Gender identity (whether you 'feel' that you are male or female) and sexual orientation (whether you are attracted to men or women or both) are separate issues. It's not a question of 'what is easier', it's a fundamental identity issue.

Re:I would love to fcuk Joanna Rutkowska

[oliderid]

I have worked with one of them working for a quite large French IT company. She was 1.95m tall. Probably the most incredible programmers I have never worked with. A real math genius. Frankly the first day is weird, you basically see a basket ball player dressed as a woman...And then slowly you get used to it. She was a real pro and we were glad to have her in the team. That's their life and they can do whatever they want with it, not my problem.

It would help if you read what I posted

[argent]

There's no benefit to a micro-kernel in these so-called ring -1 attacks. None.

You know, the really odd thing is that that's what I just said. Microkernels are not about security, they're about internal kernel API design. That's why Hurd and Mach suck, they're taking the API design guidelines and treating them as kernel architecture.

I do? o_O

[argent]

Yet you use virtualization.

I use virtualization where it's useful. I don't run my desktop under it, I don't use it where performance is critical. I use FreeBSD jails instead of virtual machines on my colo because they've got less overhead.

Security researchers must be responsible

[Ilgaz]

So, a person who can do mad things like ring -1 and knows about -2 -3 attacks who also happens to be a professional security researcher doesn't use AV and "doesn't see need for it."

This is the most irresponsible thing I have ever heard. Does average user have knowledge of system internals like she does? Does average user can stand the torture of 3 virtual machines? Could average user get rid of "run as admin" even on upcoming Windows 7, especially if he/she is a gamer?

This is more like a Medical Doctor bragging about how he never used any pills or went to a doctor and "doesn't see need for it".

She should browse some average user troubleshooting forums and see the junk non technical people are being victim of. No, they really don't know the privilege levels or CPU rings.

Re:Security researchers must be responsible

It's not irresponsible at all. You could compare it to military firearms often being single action instead of the double action more common in civilian models. Professionals don't need the safety measures others have, because they've often devised superior processes to mitigate the risks. Normal users are too dense, lazy, or whatever to follow better processes, so they *need* the crap that is antivirus.

For her, antivirus is virtually pointless--there is no reason for her to use AV. Just because end users are too stupid to go without it is irrelevant. She isn't giving advice to users in this context--if people happen to take away that *they* too should go without a/v--well...that's true if they're competent. And if not--it's their own damned fault.

Can't stand the "torture" of 3 VMs (you're doing it wrong)--then I guess you want the insecurity of so-called antivirus. Good luck with that. I've been virus free save something somebody handcrafted to backdoor me for over a decade (and no a/v ever would've detected that one).

Re:Security researchers must be responsible

[ZvlvLord]

Okay, exactly WHICH PART of ////// Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization."/////

did you NOT understand? Did you read that passage? I never got the idea she was pushing it for others. She was talking about HER setup. Your reaction is, well a little bit over-over-over-reactionary....

Re:Security researchers must be responsible

Actually, it makes a certain kind of sense.

No matter what you do, you're screwed. Period. Full stop.

About the best thing you can do anymore is decide what assets you're willing to lose, back up your data to cold storage in a timely manner, and be ready to rebuild or restore a system if and when you get popped.

Paranoid and delusional

[DigitAl56K]

Running three separate VMs is not only a sign of paranoia but also a delusion that as a person functioning in todays world you can realistically have so much control over information that with enough effort you can control your own security in all regards, or even that you can control it to the extent necessary to protect yourself from common threats.

Put aside for a moment that she's a security researcher and that probably invites more attacks than the rest of us face. There are a number of flaws readily apparent with this approach to security:

1 - Knowledge is power, and you just told the world critical elements of your defenses. There's a reason banks don't disclose such things. It doesn't make your system any less secure, but it raises the bar for attackers.

2 - You maintain your own VMs. In your mind nobody is better equipped to protect your systems than you are. In reality if you made a security blooper on one system you probably replicated it on all three VMs, if not the host also.

3 - I guess you assume that if you're running an app in the VM and someone decides to attack a vulnerability in your network stack that it won't actually the host system, and since the VM leverages the network stack of the host system that's not necessarily true.

4 - You may secure connections between entities like your bank by allowing only HTTPS through a browser in the VM. Reality is that in the last year major payment processors have been breached resulting in millions of people's card details being stolen. RBS WorldPay and Heartland Data Systems are two known breaches, there is one other yet unidentified from what I have read.

5 - As others have pointed out, anti-virus *will* protect you against nearly all *common* attacks. Today's anti-virus products even scan mail and http traffic for threats before your applications can process the data themselves (usually not in free versions of the AV apps). To say it adds no value at all is sending a very bad message to the majority of readers who would like to think they're better equipped to handle their own security than they really are.

The reality is that you can very easily do many simple things to help protect yourself. Install all your application updates promptly, be careful where you download software from, don't run attachments from spam e-mail, don't follow links sent to you in email without checking where they really go first, be careful where you enter your card details, run AV software, etc. etc.

However, beyond a certain point you have to spend exponentially more effort, beyond what the majority of people would consider reasonable, for very small gains in security. Chances are that you will still suffer fraud etc. during your lifetime, and it will be due to some vector completely beyond your control.

No, I didn't RTFA. 9 pages? gtfo.

Re:Paranoid and delusional

Theoretically, three layers of VM could be much more secure than an ordinary system. As you point out, there are many practical issues that need to be sorted out. Sorting out the details and justifying the complication is the kind of work a researcher is supposed to be doing. In case her solution turns out to be demonstrably better and practically usable, thanks to the miracle of software it can be duplicated with relatively little effort for millions of users who need that kind of security.

Re:Paranoid and delusional

[Weedhopper]

Well, if you're going to be paranoid, may as well be delusional. I don't think it'd be nearly as much fun to be one without the other.

Re:Paranoid and delusional

[ioshhdflwuegfh]

1 - Knowledge is power, and you just told the world critical elements of your defenses. There's a reason banks don't disclose such things. It doesn't make your system any less secure, but it raises the bar for attackers.

Now that you have been empowered by the knowledge of her defenses, please enlighten us oh mighty Forest how would you get through?

Re:Paranoid and delusional

[Magic5Ball]

Containment and context: There are different threats on the local machine and on the network. For the pros, this is another way to implement the different colored phones/terminals idea.

For the masses, an AV icon in the systray is fast becoming an analogue to the security theater at modern airports: The indicator of apparent security has become much more psychologically important than the actual state of security. But unlike modern airports which know that they will become compromised regardless of deploying all practical security measures and have other tools to deal with the breech, regular PC users are not aware that their AV will likely fail and also lack any contingency plans to address the failure.

Since the current structural power relations are such that there will always be more particular bugs and classes of vulnerabilities to exploit than resources to detect the bugs, and since there will always be many more ways to exploit bugs than there are bugs, and since the commercial AV vendors can only respond to particular malwares once they've been implemented, malware will always have the first strike advantage. Costs/benefits also favour the malware offers taken together, since a one time attack can gain thousands of nodes in the span of hours and be discarded, while AV vendors have to distribute protection to every one of millions of nodes to protect against each new attack while forever maintaining defenses against every previous attack. Unless some of the cloud AV solutions gain traction commercially and change the relationship between detection, bugs and malware, the AV faction will always be in the less favourable position in devoting almost all AV resources to addressing the symptoms of unsafe computing practices (infection), rather than causes, which are socially rooted (education and trust).

So I would view keeping an ever growing population of users in ignorance about how to properly use and secure their computers and data while devoting exponentially increasing resources to fixing the symptoms to be a less preferable long-term strategy than abandoning the current AV paradigm and putting those resources toward operator education about how to understand and interact with various information sources. It shouldn't take more than a generation to socially indoctrinate the idea of thinking before clicking, just as the Mr. Yuk campaign has curtailed the widespread ingestion of household chemicals by children in the 1980s. Admittedly, computers as a class of technologies have yet to develop the ease of use a bleach bottle or manuscripts which have integral affordances against harmful misuse, but that shouldn't be much of a challenge if the industry is as advanced as it makes itself out to be.

Re:Paranoid and delusional

[Bigjeff5]

"Sir, I'm afraid you've gone mad with power."

"Of course I have! Have you ever tried going mad without power? It's boring, nobody listens to you!"

Re:Paranoid and delusional

[jonadab]

You should have read the whole thing. You don't get a clear picture of exactly how delusional she really is until page 4 or 5.

DDoS attack on hospital

[uzytkownik]

1. I always thought that bigger risk for hospital is an random virus then DDoS attack. I did heard about normal virus attacking hospital - nobody has planned so just someone opened one attachment too far or something like that - but I did not about DDoS attack. Since what would he want to achive? 2. Unfortunatly we live in the world in which there are people beliving they will get 10% for transfer of money from one country to another (usually those countries for some reason don't have good reputation). And usually having AV, not opening attachments unless expected etc. helps avoiding most of the attacks for normal people - nobody will try to DDoS them. Different matter is with companies etc. They need to be secure. I was considered paranoid whenI advised having password and not using admin account for others. 3. Yes - for most people the discovery of the next bug in IE/Fx/Opera/... does matter. I'm not interested much if there is theoretical possibility that software is safe. I'm interested in the security here and now. Numbers of bugs discovered is not the best measurement - much better is time-to-patch - but still it is important in practice. Similary - a single shifts in prices are not important for theoretical economist - but for consumers and producers they are much more important [although thay may posses much less knoledge about origin of shift etc.]. 4. Monolithic kernel does not necessary implies 3rd part drivers. OpenBSD have monolithic kernel and AFAIR does not support loading modules after boot. Linux have most of the drivers included and is perfectly operative without loading modules. There are resons why to use them but they are optional.

Re:DDoS attack on hospital

[cpghost]

I always thought that bigger risk for hospital is an random virus then DDoS attack.

Actually, the bigger risk for a hospital would be a lethal biological virus... that is immune to blue pills.

Re:DDoS attack on hospital

[uzytkownik]

I always thought that bigger risk for hospital is an random virus then DDoS attack.

Actually, the bigger risk for a hospital would be a lethal biological virus... that is immune to blue pills.

Are you familliar with the current policies of pharmacology corporations? I'm not a doctor/pharmacologist but pills tends to be in all colors - whites, blues, orange... Some lethal biological virus may not be immune to some blue pills (although there may be policy to not produce blue pills for fighting lethal biological viruses) - and hospitals have specialists who know how to use them.

wrong color codes

[Rsriram]

Color codes for the three machines should be Red, Green and Blue. This will improve security against the bluepill attack. See bluepills cannot attack "blue" machines!

Three Levels And Beyond

[not_hylas(+)]

She now realizes that Ken Thompson's paper:

"Reflections on Trusting Trust"

http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

- is the basis of ANY hardware firmware or re-flashing of hardware.

I can't wait for next month and hopefully the bombshell we've been waiting for.
Brilliant Joanna indeed.

Re:Three Levels And Beyond

[WinterSolstice]

I was waiting for someone to mention that :)

I loved that paper. When I learned to write compilers in school they gave us this paper and a lecture on it. We then had an exercise on building our own hidden codes.

Since then, I have learned the value of paranoia. I learned in that class (and have applied since) the concept that just because something *looks* secure doesn't mean that it is. It may just mean you're not looking at it properly.

Re:Three Levels And Beyond

[u38cg]

Someone somewhere (I stumbled across his website by accident) actually went and built a basic compiler in assembly from scratch and used it to bootstrap a compiler that could compile GCC; he also used a FPGA he'd designed himself to do it on. His compiled GCC and GNU stock GCC both output an identical GCC when compiling itself, so he concluded that the NSA is not in our programs, compiling our code. Now I just need to find the darned page again.

Re:Three Levels And Beyond

[Fuzzzy]

My guess for Ring -3 is some kind of microcode manipulation inside the CPU. Probably persistent too.

stupid!

She is simply retarded, sure someone COULD bust in my front door and kill me, but that would require a work and fighting me- Someone could use some ultra complex low level hardware hack...... but why?
There is no such thing as a secure system, never will be- as for her VM's- retarded, simply retarded. Someone could still attack her root machine, hell did she ever consider that once those packets leave her box they are insecure?
There are few people I trust in the mental masturbation of information security, most are just plain stupid like this woman- she needs to just go back to the kitchen and make me a sandwich.

Re:stupid!

You're obnoxious.

>Someone could use some ultra complex low level hardware hack...... but why?
She said virtualization attacks are not economically viable for attackers right now. She's doing research, dumbass.

>did she ever consider that once those packets leave her box they are insecure?
Yes, she said for private things she only used SSL. So without a little more explanation I'm not going to accept that SSL packets are insecure once they leave the client.

I'm suspicious

[QuoteMstr]

Mark me as another vote for Nod32. I bought it a month or so ago and I must say well worth it. Beats the pants off all the "free" ones (AVG and the like)

How do you know Nod is actually doing what it claims? It's easy to boost performance by lying about tests. On the other hand, lying is not an option for free scanners.

Re:I'm suspicious

[bryxal]

by "free" I meant free as in beer. the reference to AVG and the like was meant to make that a bit more clear. My apologies if it wasn't. This is of course based on my experiences, YMMV.

Re:I'm suspicious

[Sycraft-fu]

Third party testing, that's how. VB100 would be a big one, but there are others. Various companies test virus scanners and see how they do. That is, in fact, the only way to know how well they work. Having the code open does nothing. You can look at the source and it doesn't tell you how well the thing actually works against threats.

Indeed the only OSS AV software I've aware of, CalmAV, does a pathetic job. The reason may be in part due to the way it is written but more because it doesn't have a good database of signatures. That is what really makes or breaks a detection program. There is no way to write heuristics to find everything. This is not only because there are no universally "bad" actions to look for but also because if you look for only certain behavior, the virus writers will write to avoid that. So the real way detection is done is via signatures. Viruses are analyzed and a database of them is updated on a daily basis (sometimes more often).

ClamAV just doesn't have a good, up to date database and thus misses a lot. NOD32 does, and thus misses little if anything. That the code is open doesn't mean a damn thing. Open or closed, you have to actually test it in an operating environment to see how it works and the answer is NOD32 works well, Clam does not.

Re:I'm suspicious

[Mashiara]

Just a few notes:

1. F-Secures Orion engine is fully heuristics based (file analysis), it uses signatures only fix false positives, consistently getting great scores from VB.
2. They also now have an engine (called ExploitShield) that uses heuristics (and signatures) to prevent programs (that in themselves might be good) from doing bad things, see for example http://www.f-secure.com/weblog/archives/00001727.html (using heuristics to block the FF 3.5 JS exploit)

Full disclosure: I used to work for F-Secure (partner, ie 3rd tier, support for AV and crypto; we escalated to R&D) until 2001.

Re:I'm suspicious

[ioshhdflwuegfh]

Third party testing, that's how. VB100 would be a big one, [...]

In reality, VB100 claims:

A VB100 award means that a product has passed our tests, no more and no less.

We're talking about a Pole

Yeah, it's speculation but there's some pretty good circumstantial evidence that one Joanna Rutkowska used to be Jan Rutkowski.

If she were Brazilian or Thai, I'd probably find it kinda hot.

Yeah, we're talking about a Pole.

Ummm, you pooooorrrr baby

I've been a Microsoft partner for quite a while and my problem was never a lack of licenses. Been accumulating like crazy year after year and it ain't just M$. They don't even cost that much, more than a few heavy lifters were tossed in my direction for free. User and Server Apps included. You have to do some research but it ain't that hard, unless your a Apple/Linux/whatever fan-boy and wouldn't be caught dead on a M$ site! Your call. Me, I need to use & test everything 'ause I never know what else I'll encounter out there in the REAL world. Come to fix a office machine, end up reconfiguring Exchange server in the deal for much, much more. Works for me.

She forgot the sentries, though

So maybe her setup isn't as good as she thinks.

DEP is overrated

While DEP is nice, it cannot prevent all exploits from buffer overflows. Google for return-to-libc, it's even in the wikipedia article you linked. Thus, if DEP was enabled by default exploit authors would switch to return-to-libc against Win7 instead of using "classical" exploits. Same as AV: It keeps the stupid attackers out, but the good ones will circumvent it.

Immutable VM for Browsing

Well, I have a similar setup.

I use no AV at all, instead I do all my browsing (except a few trusted sites) inside an immutable virtual machine. I.e. the machine resets itself to a previously saved snapshot every time it is restarted.

Besides I reload an image of my (host) system partition every other month or so. Been doing this for years and have yet to catch any kind of malware!

Regards

Do we need immune systems?

Not running a/v is like saying "I don't waste energy producing antibodies because they don't know about every bug out there". Instead what we do in biological security is ADD protection to augment our natural defenses with disinfectants etc.

Yes, you can live perfectly healthy without an immune system, you just have to confine yourself to a bubble to avoid any exposure. The same applies to IT. There are applications where a/v adds nothing, but only when those machines are completely issolated from any possible exposure.

The alternative view is to treat machines (virtual or otherwise) as disposable, a "use once and throw away" approach. Mix that with any persistance and the exposure increases too.

So, a security expert who can't see what av can add? Doesn't inspire me with much confidence in their connection to the real world. Perhaps they have lost sight of the majority threat/risk landscape out there through a myopic view on theoretical risks.

A bug doesn't have to be undetectable

[192939495969798999]

Bugs don't have to be undetectable, they just have to be a pain in the ass to remove, very difficult to stop up-front, and quick/easy to deploy their mischief. If those criteria are met, then with a zero-day exploit (these are published all the time), the bug could potentially hit maybe 20% of computers on the Internet successfully (Assume 80/20 rule for got the patch in time, etc.). How many more millions of machines do you need to infect and run your program on than 20% of the Internet?

And run GCC's output how?

[tepples]

A few years ago, I set up a bunch of thin clients for general browsing, chatting and homework at a school dorm [...] upon login (LDAP authentication), the user's directory would be mounted from an individual password-protected Samba share (accessible from the users' personal computers as well), with the noexec attrubite of course.

In an environment where everything writable is noexec, how do engineering and computer science students run programming exercises that they have compiled? Or is it a Dijkstra-style "if you compile your assignments, you get an F" course?

Re:And run GCC's output how?

[Enleth]

By "homework" I meant "writing essays and/or searching for sources in the web", not writing programs - for that, a dedicated (no chatting, no social networking sites, no essay writing) computer room was available in another building, with compilers and all, managed by someone else (that is, it was actually managed, mine was "set and forget").

Re:And run GCC's output how?

[tepples]

By "homework" I meant "writing essays and/or searching for sources in the web", not writing programs - for that, a dedicated (no chatting, no social networking sites, no essay writing) computer room was available in another building

Which would appear to require a lot of running back and forth between buildings when writing both a program and an essay about the program (that is, its design document or its manual).

Re:And run GCC's output how?

[Enleth]

Do you always take things literally and assume that all the people are deaf, dumb, rule-following monkeys? Sure, many are, but for any sensible person documenting a program is an integral part of the process of writing it, and it certainly was allowed in the second computer room. Writing essays about the French Revolution, molecular chemistry and the culture of the Soviet Russia wasn't - see the difference?

Re:And run GCC's output how?

[tepples]

Do you always take things literally and assume that all the people are deaf, dumb, rule-following monkeys?

If the tools for writing manuals are on the development workstations, and there's no rule against using them for a reasonable purpose (that is, writing manuals), then I see no problem. But I've run into enough "deaf, dumb, rule-following monkeys" in education to know that rulemaking should take into account the denial of service tactic commonly called work-to-rule.

Re:And run GCC's output how?

[jonadab]

> In an environment where everything writable is noexec, how do engineering
> and computer science students run programming exercises that they have compiled?

For that they use the real computer lab, in the computer science building (which is maintained by the computer science department), rather than the thin-client lab that the humanities students use to update their MySpace accounts (which is maintained by the campus IT people). HTH.HAND.

Modern microkernels are actually blazing fast!

Oh, how wrong this is.

You should look into the L4 microkernel project some time, and its follow-ups (e.g. Pistachio, Fiasco)

In a nutshell: The reason most "microkernels" have bad performance is that they are not anywhere near "micro" enough.

Minor problem

[Runaway1956]

I just don't give a damn about any stupid EULA. I have read them in the past, and disagree with half of what is printed in them. "Accepting" the EULA is a coercive exercise. Basically, it says "If you don't like ANYTHING we tell you, then you can't use our software." Bullshit. Complete and utter bullshit. I take almost all the same liberties with Microsoft and other proprietary software that I take with open source software - decompile, reverse engineer, change code, etc. The ONLY thing that I don't do with proprietary, is to redistribute. What I do INHOUSE is my business.

The day that Microsoft sits down with a panel of consumers who represent business, government, the nerd community, and average users, and hammer out a REASONABLE EULA, then I'll pay attention to the EULA again. The best "for instance" is the changing hardware deal. If I buy a Compaq, and the mainboard dies a week after the warranty dies, I insist that I have the right to replace the mainboard and any peripheral hardware, and to reinstall Windows - FOR FREE.

Corporate coercion of consumers may or may not be legal - but I will never respect it, or abide by it.

I think you're agreeing with me.

[argent]

The reason most "microkernels" have bad performance is that they are not anywhere near "micro" enough.

Indeed, and one of the ways they achieve this is by NOT performing context switches between different security domains for every message. For example, the L3 and L4 family kernels delegate security domain management to user-space programs, and L4Ka supports message passing operations entirely in user space... with no kernel intervention.

This is bringing the design back to the real-time operating systems that inspired the whole Microkernel concept.

I do "running naked", for 6++ months now... apk

"For what its worth, I don't use an A/V product either. And Like her, I also have a "pretty reasonable setup" and a dose of "common sense". But I'm still balancing the increased responsiveness and hassle-free experience vs the extra security. Its a trade-off that's worth it to me, but I recognize that it is still a trade-off." - by vux984 (928602) on Saturday July 18, @06:32PM (#28743977)

I recommend running one to folks in this guide for Windows users:

----

HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):

http://www.tcmagazine.com/forums/index.php?s=f95071c12d0fc4e3d6b3c8b08dd8c05d&showtopic=2662

----

And people that've applied it have seen results like this (going on 2++ yrs. testimonial below, & no malware/trojan/virus/spyware/keylogger/worm infestations, period):

----

http://www.xtremepccentral.com/forums/showthread.php?s=97c1e368dad75689a8da7df5a0e97418&t=28430&page=3 [xtremepccentral.com]

"Its 2009 - still trouble free!

I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008.

Great stuff!

My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads.

APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA user @ xtremepccentral.com

----

Thus?

I say it's DOABLE to have results like that above, 100% uptime for YEARS to DECADES, + YES, on WINDOWS too... &, without AV & AS, but also, any virtualization layers (as they all lend to "performance-hits"), because I have the same here myself (along with many others)... AND, here??

I am going on a decade++ solid here now in fact, of safe 100% 'uninterrupted by online maladies' uptime, by doing the above.

HOWEVER:

Yes, even though I recommend the "layered security" of antivirus &/or antispyware programs for MOST users, just to be safe(r) online?

WELL, per my subject-line above?

Yes - I have been doing what I have seen as "running naked" (meaning w/out antivirus or antispyware programs running resident ALL THE TIME in say, your tooltray + their possible background services as well), & I have seen no problems...

Simply just by practicing what is in my guide above (going on more than a decade of safe surfing thru 3 machines now, never had a problem)

APK

P.S.=> Much of it IS, "common-sense", much of it is not - &, I'd still recommend folks run RESIDENT scanners for AntiVirus &/or AntiSpyware products in combination (say, NOD32 AV + SpyBot S&D AntiSpyware's teatimer product) for THEM to be safer...

However, here? I am not running either resident, & I'm saving CPU time, RAM, & other various forms of I/O as well by NOT keeping them running resident "all the time, 24x7", & I only use them as periodic manual scanners (say, on Sunday a.m. every week)...

100% safe & stable Windows uptime? It's doable, IF you know what you're doing - a LOT of safe computing simply boils down to that, just like it would safe driving... apk

Ahem

[thethibs]

a web browser that doesn't execute attachments

Do you actually own a computer?

Link to full text

Here is a link to the full text (I hope it works!) http://www.tomshardware.com/review_print.php?p1=2356

Javascript usage IS 1 "behavioral mod", HOSTS too

"Only behavioral controls will stop novel attacks, and you need to know what behaviors to stop. Simply stopping anything that might possibly be used to get control the system will leave you with a nonfunctioning system." - by blueg3 (192743) on Sunday July 19, @12:13AM (#28745469)

Agreed, 110%, & especially per my subject-line above (in regards to javascript mostly, but, also other things & practices to do OR avoid + more) - curb the use of it, most of the things affecting folks' machines adversely is avoided, especially in today's HEAVILY "online world"... most of the attack causes/root vectors (whatever) I see reported deal in javascript delivery mechanisms (more than malicious binaries downloaded & run)...

I recommend watching it with unlimimted, indiscriminate usage of javascript on "every site under the sun", @ least unprotected by something like NoScript (or just turning it off for MOST sites & leaving exceptions for sites that ABSOLUTELY DEMAND javascript for full/proper function only)...

And, as Ozymandias said in the film "The Watchmen"?

"So I resolved to apply antiquities teachings (usage of custom malicious site &/or adbanner blocking HOSTS files) to the world today, & so began my conquest: Conquest, NOT OF MEN, but, of the evils that beset them - Fossil Fuels (antivirus resident), Oil (antispyware resident), Nuclear Power (VM for security layers), are like a drug, & YOU GENTLEMEN, are the pushers..." - Adrian Veidt (Ozymandias), THE WATCHMEN

And since HOSTS files ARE "from antiquity" in computing? They work for that "behavioral modification", too, because of a simple principal: "You can't get burned, if you can't go into the kitchen"... & that goes for limiting indiscriminate javascript usage (NOScript + AdBlock for MOZILLA/FireFox products, & Opera's native "by site" preferences are perfect here in fact, but there's more for 'layered security', like filtering .PAC files + custom cascading stylesheets & more as well in that guide)

Those are 2 "novel techniques" that actually WORK, & for MOST folks, with 12 other things, in this guide for Windows users' security online:

----

HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):

http://www.tcmagazine.com/forums/index.php?s=f95071c12d0fc4e3d6b3c8b08dd8c05d&showtopic=2662

----

And people that've applied it have seen results like this (going on 2++ yrs. testimonial below, & no malware/trojan/virus/spyware/keylogger/worm infestations, period):

----

http://www.xtremepccentral.com/forums/showthread.php?s=97c1e368dad75689a8da7df5a0e97418&t=28430&page=3 [xtremepccentral.com]

"Its 2009 - still trouble free!

I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRON

Re:Javascript usage IS 1 "behavioral mod", HOSTS t

[atraintocry]

Wait, what are you trying to sell me?

Dear editors...

[atraintocry]

Don't put the word "browser" in the summary of an article that isn't really about them. Knowledge of a web browser represents the bare minimum level of expertise necessary to comment on /. and as such the inclusion of that word in the summary greatly increases the signal-to-noise ratio.

Your pal,
The guy who wanted to read informative comments about VM exploits rather than NoScript

Not selling a thing - giving away, FREE... apk

"Wait, what are you trying to sell me?" - by atraintocry (1183485) on Sunday July 19, @05:25PM (#28750313)

See subject-line 1st, & go back to -> http://it.slashdot.org/comments.pl?sid=1307407&threshold=1&commentsort=0&mode=thread&cid=28749341 & that guide will get you to up to a 99++/100 on CIS Tool, if you pursue its points enough...

Plus, doing the rest the guide, above & beyond CIS Tool only, and its points for security of a Windows NT-based OS of modern ancestry (2000 & beyond), only some of which I noted in that url above now?

It'll give a user years, to DECADES, of stable FAR safer online internet & local to system uptime on a Windows NT-based OS such as 2000/XP/Server 2003 (Vista too, to an extent), that's all... no sale - no charge - no ca$h -> Free...

APK

P.S.=> And, it works... apk

AV is overrated

[metrix007]

Honestly.

AV is decent, and is useful is you have a large network to maintain, or users who don't know what they are doing.

If you know what you are doing, keep your OS patched and locked down, use a secure browser, keep up maintenance like looking out for odd files/processes etc, then AV is not going to add any additional protection. IN fact, the presence of AV, since it generally has to run as Administrator, adds an unnecessary attack vector. There are very few, if any scenarios where the security of a machine will be increased by the presence of an AV if the machine is well maintained and locked down and the user knows what they are doing. There are plenty of situations where having an AV could lead to a DoS, shell or false sense of security.

There is nothing wrong with a security researcher not using AV and using a more secure approach,especially given the nature of her work and the sensitive information she deals with.

Oblig. bad analogy complaint.

[PMBjornerud]

Her setup is more like a fortress filled with cruise missiles that can be launched with lots of advanced warning of attack.

And atom bombs! And ninjas! In a whiny white fortress on a mountaintop. Totally sweet!

Sir, you seem to have gone a bit over top with your war-analogies, somehow implying that virtual machines can cause a digital equivalent of "cruise missile" damage to attackers. At best, such a setup would render attacks useless.

May I suggest a car analogy?:

A dirty old car you drive in the nasty neighborhoods (not really caring if it is destroyed) as well as a fancy Mercedes to drive to the places you know for certain nothing bad will happen to the car.

Re:Oblig. bad analogy complaint.

[benjamindees]

I realize it wasn't obvious, but the part you don't care about having destroyed is all the peasant farmland between the border and your fortress. The cruise missiles are there so you can destroy it yourself if you need to. And yes the point of this setup is that you can completely wipe out the compromised virtual machines as necessary.