Shouldn't Microsoft just Authenticode-sign the small executable files, like they do install .exe files, .MSIs, and .cab files? This way, all an AV utility has to do is check to see if the executable is signed by MS's signature key, and then it is proven to be known and good, barring rootkits?
I know some businesses that run McAfee on Linux, Solaris, and AIX. Not because the boxes will likely get the next Trojan from the net, but because of contracts saying that all machines will have some sort of antivirus present. Even if all the McAfee does is run a scan down the filesystem every couple of nights, it fulfills the letter of the contracts given.
So, don't expect to be free of antivirus software even if you jump platforms.
I have talked with people who used to run an ad "service" company. To them, the customers are the people who pay for the ads. The people who go to the Web pages are not considered customers at all, but visitors/useful idiots at best, leeches and pirates at worst.
From that point on, I realized that the only way to reduce the more intrusive ads is to block them, or find another site that considers the people browsing as assets, not necessary evils.
My take: Text ads, fine. Basic graphic ads, OK.
Ads that pop up crap when moving over text, Flash crap which wiggles around the screen like someone projectile vomited over my shoulder and onto my monitor, pages which take more than 30 seconds to load because some adfarm just doesn't have the pipes to deal with the traffic, or even the annoying "punch the monkey" crap: no.
Google learned this lesson back when every other search provider was doing banner ads, and this is one reason why Google has leapfrogged ahead of the pack and stayed ahead so long. Text ads are fine. Ads which require 5-megabyte .swf files are just plain unacceptable.
Every HDD out there, as part of the ATA standard, supports a secure erase command. The utility HDDErase is one such tool which tells a drive to erase itself. And since this is done at the drive level, it is a lot faster than a dd if=/dev/zero of=/dev/sdwhatever because there is no data having to be moved through the drive's I/O channels, the drive head is just writing the zeroes itself. Some drives AES-256 all the contents automatically, and a secure wipe tells the drive just to drop the existing key it uses for encrypting/decrypting data, and generate another one. This is a lot faster because once the old key is erased and a new key is put in, the remaining data on the disk is useless.
Another method is to do a file encryption method similar to how Windows Mobile post 6.0 stores encrypted files on a memory card: Generate a random 256-bit key for every item going on the HDD. Store the key to every file in the copier RAM (unless there is a reason to have persistent storage, then store it on some non-volatile memory that is easily erased.) Then when done with the copy and the data on disk isn't needed, drop the key from RAM (perhaps overwrite it in RAM a few times), and delete from the disk's filesystem. Since the encryption key only persists in volatile RAM for the lifetime of using the file, this method makes it almost impossible to recover data, unless someone is attacking the copier while it is live and in use (in which case there are even bigger problems.)
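Both comments above describe the same idea, crypto-erase: a self-encrypting drive drops its key on secure erase, and the copier scheme drops a per-file key from RAM. The following Go program is an added illustration, not code from the commenter or from any product mentioned; it assumes a map standing in for the filesystem and AES-256-GCM as the per-file cipher. Shredding only wipes the in-memory key and deliberately leaves the ciphertext on "disk" so you can see that the blob is useless afterwards.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Copier keeps one random 256-bit key per stored document in volatile memory
// only. Ciphertext lives on the "disk" (a constructed map standing in for the
// filesystem). Shredding a document means wiping its key; the blob on disk
// then cannot be recovered, whether or not it is also deleted.
type Copier struct {
	keys map[string][]byte // per-document keys, RAM only
	disk map[string][]byte // nonce || ciphertext, "persistent"
}

func NewCopier() *Copier {
	return &Copier{keys: map[string][]byte{}, disk: map[string][]byte{}}
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts plaintext under a fresh per-document AES-256-GCM key.
// The document name is bound as associated data so a blob cannot be
// silently renamed to another document.
func (c *Copier) Store(name string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	c.keys[name] = key
	c.disk[name] = aead.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Load decrypts a document; it fails once the key has been shredded.
func (c *Copier) Load(name string) ([]byte, error) {
	key, ok := c.keys[name]
	if !ok {
		return nil, errors.New("key unavailable: document shredded or never stored")
	}
	blob, ok := c.disk[name]
	if !ok {
		return nil, errors.New("no such document on disk")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("corrupt blob")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// Shred overwrites the in-memory key and forgets it. The on-disk blob is
// left in place on purpose to show it is worthless without the key; a real
// copier would also unlink it.
func (c *Copier) Shred(name string) {
	if key, ok := c.keys[name]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(c.keys, name)
	}
}

// DiskBytes returns the raw blob still sitting on disk, for inspection.
func (c *Copier) DiskBytes(name string) []byte { return c.disk[name] }

func main() {
	c := NewCopier()
	// Constructed sample document.
	_ = c.Store("scan-0001.pdf", []byte("constructed sample: patient intake form"))
	pt, _ := c.Load("scan-0001.pdf")
	fmt.Printf("before shred: %q\n", pt)
	c.Shred("scan-0001.pdf")
	_, err := c.Load("scan-0001.pdf")
	fmt.Println("after shred:", err)
	fmt.Println("blob still on disk, bytes:", len(c.DiskBytes("scan-0001.pdf")))
}
```

The zeroing loop in Shred is best effort: Go's runtime may have copied the key elsewhere, which is the same caveat the comment raises about overwriting the key in RAM a few times. The property that matters is that nothing persistent ever held the key.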
That is interesting, but how does a user know if the port is part of some update versus a program that got compromised by a code injection, and is dropping stuff off at a compromised machine?
Ideally, programs should have a manifest that is included with their installation or updates. On installation, they prompt the user where they are going to be talking to (either IP address or hostnames), and if a program attempts to get out of those boundaries, the OS puts the kibosh on it. Of course, an update with an updated manifest list (even something like any host/any port) would fix this. Android does this quite well, although it isn't as granular as I wish it would be.
I have seen people consider their firewall a bulletproof way to keep the baddies out... well, until the next Web browser exploit shows this isn't a workable strategy.
In reality, a decent-sized company needs not just an external firewall, but in addition, a router separating the DMZ from the internal network, an IDS to detect incoming and outgoing packets, find the source if there is a known exploit and shut it down, a content filter (to keep Joe Sixpack in Receiving from ogling at boobs, then Jane Nubile from HR sees it and promptly files a sexual harassment lawsuit), NAC devices (to enforce presence of antivirus utilities likely forced per agreements), equipment to log packets (ACTA will force all ISPs and carriers to log *every* packet across their network for 7 years. Not headers. Entire packets).
Even with all this network functionality, this doesn't mean the hosts are secure. They need some protection just in case there was an open wireless segment. So, if a Windows system admin is smart, they would have policies pushed out to all the Windows 7 boxes with rulesets for the inbound/outbound communication, such as no port 25 out unless it is to a dedicated machine, blocking unneeded ports to internal machines, and so on. By having this configured on the boxes themselves, a compromised process wanting to phone home would have to get admin rights on the box and turn off the firewall to do its dirty deeds.
Of course, the more complex the configurations to keep items secure, the more problems arise, especially with app troubleshooting. So having a tangled web of allow/deny ACLs on machines may result in some unexpected interactions.
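The two comments above describe two layers of egress control: a per-program manifest of permitted destinations (the "kibosh" the OS puts on anything else) and host-wide rulesets such as "no port 25 out unless it is to a dedicated machine". The Go program below is an added example, not code from the commenter or from any OS; the program names, the manifests, the mail relay address 192.0.2.10 and the other addresses are constructed (documentation ranges). Host rules are checked first, then the manifest, and anything not explicitly allowed is denied. It also flags the caveat in the first comment: a manifest update to "any host/any port" silently defeats the check, so such manifests are worth auditing.

```go
package main

import (
	"fmt"
	"net"
)

// Dest is a connection a program is about to make.
type Dest struct {
	IP   net.IP
	Port int
}

// Rule is one manifest entry: a destination network (nil = any) and port (0 = any).
type Rule struct {
	Network *net.IPNet
	Port    int
}

// Manifest is what a program declared at install/update time.
type Manifest struct {
	Program string
	Allowed []Rule
}

// HostRule is a host-wide constraint: traffic to Port is blocked unless the
// destination lies in Only (nil = blocked to everyone).
type HostRule struct {
	Port int
	Only *net.IPNet
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func (r Rule) matches(d Dest) bool {
	if r.Port != 0 && r.Port != d.Port {
		return false
	}
	if r.Network != nil && !r.Network.Contains(d.IP) {
		return false
	}
	return true
}

// IsBlanket reports whether a manifest contains an any-host/any-port entry,
// which makes the per-program check meaningless and should be reviewed.
func IsBlanket(m Manifest) bool {
	for _, r := range m.Allowed {
		if r.Network == nil && r.Port == 0 {
			return true
		}
	}
	return false
}

// Decide evaluates host-wide rules first, then the program's manifest.
// Default is deny, with a reason suitable for a log line.
func Decide(host []HostRule, m Manifest, d Dest) (bool, string) {
	for _, h := range host {
		if h.Port == d.Port && (h.Only == nil || !h.Only.Contains(d.IP)) {
			return false, fmt.Sprintf("host policy: port %d blocked outbound to %s", d.Port, d.IP)
		}
	}
	for _, r := range m.Allowed {
		if r.matches(d) {
			return true, "manifest match"
		}
	}
	return false, fmt.Sprintf("%s has no manifest entry for %s:%d", m.Program, d.IP, d.Port)
}

func main() {
	// Constructed policy: SMTP only to the dedicated relay 192.0.2.10.
	hostRules := []HostRule{{Port: 25, Only: mustCIDR("192.0.2.10/32")}}
	updater := Manifest{Program: "updater", Allowed: []Rule{{Network: mustCIDR("203.0.113.0/24"), Port: 443}}}
	mail := Manifest{Program: "mailclient", Allowed: []Rule{{Network: mustCIDR("192.0.2.10/32"), Port: 25}}}

	cases := []struct {
		m Manifest
		d Dest
	}{
		{updater, Dest{net.ParseIP("203.0.113.5"), 443}}, // declared update server
		{updater, Dest{net.ParseIP("198.51.100.7"), 443}}, // undeclared host: denied
		{mail, Dest{net.ParseIP("192.0.2.10"), 25}},       // relay: allowed
		{mail, Dest{net.ParseIP("198.51.100.7"), 25}},     // direct SMTP out: host policy denies
	}
	for _, c := range cases {
		ok, why := Decide(hostRules, c.m, c.d)
		fmt.Printf("%-10s -> %s:%d  allow=%-5t %s\n", c.m.Program, c.d.IP, c.d.Port, ok, why)
	}
	fmt.Println("updater manifest is blanket any/any:", IsBlanket(updater))
}
```

The ordering matters for the "unexpected interactions" the second comment warns about: because host rules win, a manifest that legitimately lists a destination on port 25 is still refused unless that destination is the relay, which is exactly the kind of allow/deny tangle that shows up during app troubleshooting.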
Two ways:
The first is if you are using a VMware solution. They used to have an ISO image which would save a boot volume to a remote share, as a VMware image ready to boot up in Server or Workstation.
The second is booting some image or backup utility that uses bootable media. Then save the HDD image to a file. In the VM program, boot the ISO image of the backup utility, restore it to the VM boot disk image.
Both of these work well.
Activation is handled two ways offline:
1: One calls Microsoft and gives an install ID (which changes each install). The person on the other end gives a response key, and this should activate the machine.
2: Corporations using Vista Enterprise, Vista Business, or Windows 7 Enterprise use KMS servers (5 servers or 25 clients minimum.) These allow machines to activate without ever touching the external Internet.
That is odd. I install my Windows 7 boxes not connected to the network in any way until I make sure the firewall has the "Block all incoming connections" checkbox on. I've never had a problem with it having to get to the network during the install process.
What app developers need to do is just what the parent has done. Just stick with Google's app store, and don't try to peddle their apps on other markets. This way, customers always come to one place, rather than check one store and not others.
Oh, and even though I've not seen the contracts the other stores have in place, I'm sure the terms are a lot worse than Google's. I'm sure a lot of them require a certain threshold before someone gets paid, lots of fees and gotchas, and maybe even a requirement of exclusivity, where any apps put in their store can't be put anywhere else.
For the sake of the Android platform, just say no to that. If there need to be specialty app stores (say an app store which caters to people looking for utilities for rooted phones, or an app store which caters to pornographic apps), that is understandable. However, stores which completely overlap market segments are pointless at best, and seriously damage the Android ecosystem at the worst.
Having multiple stores is what nearly killed Windows Mobile until 6.5. The fact that users had to dig around and search for apps, find a website to download the .cab or .exe file, then install it manually made impulse buying of stuff (a big source of cash) impossible.
The nice thing about one app store is that if one wants an app, they can search for it and find it in one place. This also makes it easier to handle funding and selling of apps.
Having multiple app stores just means it is harder to find what one wants. Is the app on one cellular carrier's store and nowhere else? Is it on the generic Android app store? This also means that an app maker has to deal with multiple stores and their ways of handling purchases and returns.
The other shoe may drop soon. Already some Android devices lock out "sideloading" of non-Market apps. Other devices are rumored to lock out both sideloading and access to the phone via ADB, both in an effort to prevent people from rooting the device, and as a way to limit options.
So, I can see some cellphone providers (not naming names) locking out all app stores and ADB on their devices, then only allowing apps to be downloaded from their store... and of course the apps are not going to be free.
Exactly. If you want non-mainstream websites, you pay $1 per KB. Mainstream sites or sites which pay the ISP people can access for "free". Great way to violate antitrust laws, IMHO.
I'm just waiting for the next shoe to drop and ISPs to charge website owners. If they want people to even *reach* their site and not a competitor's (so people who type in www.foo.com get shunted to www.bar.com), the website would have to pay a certain amount. Then more amounts for less throttling.
Then comes paying per site. If a customer wants to visit bing.com, they will have to pay the ISP for a "site connection fee".
Then come a lot of other fees, not to mention more intrusive inspection of communication. Someone logging onto their bank? Whups, that's a financial institutional access fee of $3 per time.
F2P doesn't work sometimes. SOE tried this with Free Realms, but had to scale it back a bit because nobody was buying anything, and they were losing money.
I'm of a different take. If the big guys don't like the PC industry due to "piracy", don't let the door hit them on the way out.
PC gaming is a big market. If the big guys who make another sequel leave, then indies will step in and start making titles people want to play, with little to no DRM.
Look at Bioware. They have been immensely successful even with little to no DRM. After a later patch removed the disk checks, NWN1 still sold quite well for several years. Dragon Age is doing extremely well with just basic CD-ROM protection (no constant Internet connections, no activation, etc.)
Yes, piracy sucks, but it is a fact of life. The best thing to do is have some multiplayer access which requires unique CD keys, and just leave the client side alone. This way, serious players will always have legal copies. The pirates will have their copies no matter what, so might as well not annoy the real players.
Some phones have that as a feature. For example, my CLIQ has the ability to have the Motoblur software locate it, and optionally trigger a remote wipe.
There are also security programs which have similar functionality. I think WaveSecure might have this option.
Depends on application. For stuff that isn't as easy to run in parallel, you are correct. For a server that does virtual machines, having 12 cores may help things, because the OS and overhead of the virtual machines can be load balanced more effectively.
Even without someone posting slanderous FB profiles, I have had a large number of HR people ask me in job interviews about my Twitter/FB/MySpace accounts. In the past, when I told them that I didn't have one, I got looked at like I was completely insane. One interview actually got ended when the interviewer told me that I was a fossil and too behind the times to be part of their company because I didn't have accounts.
So I created some dummy accounts. These days, I do use FB because it is a good tool for events, but I don't bother with any other social networking site.
Even better, set your defaults so only a particular group can see what you put on your wall and other things. Then add all your friends (true friends) to that group. This way, if you add someone to friends as a diplomatic move (some workplaces require being added to friends/followers as a condition of employment), by default they do not see your posts. Same with organization fan pages that one joins.
Perhaps have Web server certs trusted by multiple CAs, so you might have a level of trust above that. This way, if a website had a cert validated by a CA in the US, Israel, Germany, Russia, and China, one of those CAs might get compromised, but it would take a pretty big international agreement to compromise all of them and generate a bogus cert.
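The quorum idea in the comment above (a certificate that several independent CAs have all vouched for, so that one compromised CA cannot mint an accepted certificate alone) can be shown in a few dozen lines. The Go program below is an added example, not the commenter's code and not how X.509 chains actually work today: the "certificate" is just a subject name plus the server's public key, each CA signs that same blob with an Ed25519 key, and the trust store accepts the certificate only when at least Quorum distinct trusted CAs have valid signatures on it. The CA names and the subject www.example.com are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// CA is one certification authority with its own signing key.
type CA struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCA(name string) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{Name: name, Pub: pub, priv: priv}, nil
}

// Cert is a simplified multi-signed certificate: the to-be-signed data plus
// one signature per CA that vouched for it.
type Cert struct {
	Subject string
	Key     ed25519.PublicKey
	Sigs    map[string][]byte // CA name -> signature over tbs()
}

// tbs is the to-be-signed encoding: length-prefixed subject, then the key,
// so that moving bytes between the two fields changes the signed message.
func (c *Cert) tbs() []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, uint32(len(c.Subject)))
	b = append(b, c.Subject...)
	return append(b, c.Key...)
}

// Sign adds this CA's signature to the certificate.
func (ca *CA) Sign(c *Cert) {
	if c.Sigs == nil {
		c.Sigs = map[string][]byte{}
	}
	c.Sigs[ca.Name] = ed25519.Sign(ca.priv, c.tbs())
}

// TrustStore holds the public keys of trusted CAs and the required quorum.
type TrustStore struct {
	CAs    map[string]ed25519.PublicKey
	Quorum int
}

// Verify counts valid signatures from distinct trusted CAs and reports
// whether the quorum is met. Signatures from unknown CAs do not count.
func (ts TrustStore) Verify(c *Cert) (int, bool) {
	msg := c.tbs()
	valid := 0
	for name, sig := range c.Sigs {
		if pub, ok := ts.CAs[name]; ok && ed25519.Verify(pub, msg, sig) {
			valid++
		}
	}
	return valid, valid >= ts.Quorum
}

func main() {
	// Constructed: five CAs in different jurisdictions, accept with any three.
	store := TrustStore{CAs: map[string]ed25519.PublicKey{}, Quorum: 3}
	var cas []*CA
	for _, n := range []string{"CA-US", "CA-IL", "CA-DE", "CA-RU", "CA-CN"} {
		ca, err := NewCA(n)
		if err != nil {
			panic(err)
		}
		cas = append(cas, ca)
		store.CAs[n] = ca.Pub
	}

	serverPub, _, _ := ed25519.GenerateKey(rand.Reader)
	legit := &Cert{Subject: "www.example.com", Key: serverPub}
	for _, ca := range cas {
		ca.Sign(legit)
	}
	n, ok := store.Verify(legit)
	fmt.Printf("legit cert: %d valid CA signatures, accepted=%t\n", n, ok)

	// One compromised CA issues a cert for the same name with a different key.
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader)
	bogus := &Cert{Subject: "www.example.com", Key: attackerPub}
	cas[3].Sign(bogus)
	n, ok = store.Verify(bogus)
	fmt.Printf("bogus cert: %d valid CA signatures, accepted=%t\n", n, ok)
}
```

The counting is over distinct CA names in the trust store, so the same CA signing twice, or an untrusted CA adding a signature, does not move the count; that is what makes the quorum an "international agreement" requirement rather than a single point of failure.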
Never underestimate the bandwidth of a playing card box full of 32 GB microSD cards.
Even with IPSec, I'd still use SSL because it does encryption on a higher level, and in some cases, is controlled by app versus app. It also allows for client certificates, so I can lock out a host of problems by having a critical external-facing Web server only allow for authentication via a cert on a smart card. Of course, more sophisticated malware can run a MITM attack by compromising the browser and changing text in flight before it leaves the client machine, but that isn't what SSL is designed to protect against.
IPSec can work keys on the machine layer, but I like packing my own parachute on a higher layer with SSL or SSH.
You can always physically armor your CA server. One client of mine has a Windows machine which is permanently offline (it was activated via phone so it has never touched the Internet directly.) This machine uses BitLocker with a passphrase to encrypt the volumes, and has inside it a USB card with an Aladdin eToken on an internal port. For signing stuff, the client inserts a USB flash drive or an SD card, signs it with the commercial version of PGP, or the signcode.exe utility that is used for Authenticode signing, pulls the drive/card out, and copies the signed files back onto the network.
This way, if someone tries to boot the server from other OS media, they need the recovery key to decrypt the OS, and upon booting back to the OS, it will hang until someone provides the TPM its PIN (which will show that the machine was rebooted.) If someone takes the smart card out of the machine, they have 15 guesses to figure out a 32-64 character passphrase. After that, the eToken will erase itself.
No, this is not as secure as a dedicated HSM, but for what the client wanted, it provided enough security, and was a lot less expensive.
Of course an intruder can always use a rubber hose attack against people who have the ability to sign programs and documents, but what this setup gives the client is the ability to have the critical keys protected from some script kiddie who manages to crack into the corporate LAN, as their first threat of concern. The second threat is someone trying to physically steal/compromise a machine while nobody is around.