Slashdot Mirror


User: argent

argent's activity in the archive.

Stories: 0
Comments: 12,456

Comments · 12,456

  1. Re:Not market share... on Foundations of Mac OS X Leopard Security · · Score: 1

    Disinfectant had definitions for like 20 viruses and half of them were Hypercard-related not MacOS.

    When was this? I'm talking about the '80s, when all you needed to do to infect a Mac was to slot a floppy.

    After Apple stopped using autorun the number of new viruses dropped significantly, and the switch to the Power PC stopped pretty much all the old ones from working. I've looked at the list you're talking about, and all the viruses are post-1992. It's not even listing the ones from the '80s.

    The Amiga is also a good example, it was an even smaller market than the Mac. By the "market share" logic it should have had fewer viruses, not more.

    Looking the other way, the PC virus explosion happened after 1997. What happened in 1997? A sudden huge increase in market share for Windows? No, the introduction of Internet Explorer and ActiveX, and all the viruses piggybacking on email worms.

    Market share isn't entirely irrelevant, no, but it's secondary to system design.

  2. I don't think you are missing anything. on Safari "Carpet Bomb" Attack Still a Risk · · Score: 2, Insightful

    He says that the attack he has found can be made without the carpet bomb...

    Just as the attack on IE can.

    Apple fixing the download-without-prompt attack won't do anything to fix the underlying problem, that just having a file sitting around in the default download directory on Windows can lead to code execution.

    I suspect that the Firefox problem is similar.

  3. PS... on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 1

    For example, if you hit WIN+R and type "CMD", the desktop is your default working directory.

    Wrong. It's your profile, the parent directory of your desktop.

    And virtually no GUI applications on Windows EVER change their current working directory.

    No one should give a rat's ass what the working directory of any application is

    True. The current working directory should not be in the search path for applications or DLLs.

    Namely, you should not be storing .EXE or .DLL files on your desktop for any reason

    Wrong. That is depending on not having dangerous stuff in your current working directory. If the downloads were to %PROFILE%\Downloads then you'd be in trouble if you ran a program from that directory.

    Again, and UNIX developers figured this one out back before Microsoft shipped copy #1 of MS-DOS, the current directory should not be in any executable search path.

  4. What do you think "social engineering" means? on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 1

    Like I said before, there is no social engineering required *AT ALL*. Just pick a common application name and odds are they already have it installed and it *WILL* be clicked.

    What do you think social engineering *means*?

    You CAN learn not to be social engineered.

    It's a LOT harder to learn when it's OK to approve one of Windows' myriad stupid "security theatre" dialogs.

    In the decade that I was a Windows network admin, I would ROUTINELY have people who came by and say "peter, I clicked on the wrong button again and I think I have a virus". That again is critical.

    I've also had people say they'd been tricked into running a program (from the desktop in some cases, back when there was less paranoia about downloads) but only one person was ever caught that way twice.

    Clicking "OK" when the computer pops up "Internet Explorer wants to detonate your monitor"? You bet. That's a passive response to a dialog they've been trained to approve. Running a program, even when it was disguised as a document or another kind of icon (because the kind of attack you're talking about is NOT new)? That's a lot harder to depend on.

    Almost everyone CAN learn not to be social-engineered, once you eliminate that reflex reaction.

  5. Re:Amazed at the hubris in these comments on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 1

    Whose idea was it to download to the desktop anyway?
    Firefox? ...
    Firefox hasn't been around that long. Netscape/Mosaic? Mosaic certainly didn't used to do that, because on the OS it was first written for there usually WASN'T a desktop back then... and Netscape used a download manager...

  6. Social engineering automatic execution. on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 1

    Just pick some program or two that are likely to be installed on any user's computer (iTunes, Firefox?), and download .exe files with those names to the desktop. *BOOM*, next time someone wants to run iTunes or Firefox, if they click that exe by accident instead of their shortcut (how would they know any different?), they're toast.

    This is called a "social engineering attack".

    You don't need Safari to do this. People have been "phished" by this kind of attack as long as there have been desktop operating systems.

    The thing is, you can learn not to be social engineered.

    If you can stick a file some place the *operating system* trusts it, however, even if the user gets asked "is it OK for me to download obscurecrap.dll", you're home free. And it's a LOT easier to social-engineer people to approve a dialog than to get them to click on the wrong icon... particularly when more people will notice a second iTunes icon on the desktop than give "obscurecrap" a second glance.

    Social engineering attacks are FAR less dangerous than automatic execution ones.

    But while I think about it... that business of hiding the file type, Microsoft? How about you don't do that, OK? It makes phishing easier. Oh, you too Apple, I'm looking at you as well.

    Oh, and Microsoft, what kind of fucked up idea was it to make the desktop the default download location in the first place? That didn't used to be standard, I used to find that stuff in a "downloads" folder, but everyone copies you even when you're doing something really stupid like that.

  7. Re:Yes, the flaw is in IE. on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 1

    What, you mean if I kill some service Windows will stop beabling at me about "do you really want to run this program you just downloaded"? Do tell!

  8. What are Microsoft's other products? on Bill Gates Reveals Secret of Microsoft's Success · · Score: 1

    Microsoft has two products, really, so I guess they're not a "one product wonder"... but Windows and Office are what Microsoft is built around, and they have routinely crippled their own products to keep them from even potentially competing with Windows.

    Ask anyone who had one of the pre-Pocket-PC Windows-CE-based clamshells and tablets, a whole product line that was knocked down in favor of the Windows NT based "Tablet PC". Microsoft wouldn't have to fight Linux on the EeePC if they hadn't pulled that boner, because it would be competing against cheaper and yet more profitable micro-laptops running CE.

    Meanwhile the Pocket PC had less capable software than the "Palmsize PC" CE-based handhelds, because people were talking about using THOSE as notebook replacements. The Pocket PC is much more clearly a tethered adjunct to the notebook or desktop, not a potential rival.

  9. Not market share... on Foundations of Mac OS X Leopard Security · · Score: 1

    it's just not a very useful platform to write viruses for since they have such a tiny market share.

    Back in the '80s Macs had a tiny market share, but were a major virus breeding ground. Why? BIG surface area exposed to attack: auto-execution of floppies, resource forks, CDEVs and INITs, etc etc etc...

    Now it's Windows that's hanging on to things like auto-execute, and letting random websites download and execute code if the user responds to "Internet Explorer wants to gibberish incomprehensible stuff here, open or panic?" dialogs the wrong way, and depending on firewalls to close access to essential services rather than using local sockets or named pipes, and having the default execution path for the browser go through the download directory...

    Turn the tides in market share and you'd be back in the '80s, and you'd still have a huge viral load on Windows because Windows basically hangs around in the bad part of town asking viruses if they'd like a good time.

  10. 3 decades, to be precise... on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 1

    We had regular warnings about not adding "." to $PATH when I was at Berkeley... in 1978.

  11. Re:Did Microsoft fix the vulnerability in IE? on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 1

    Imagine if Netscape won the browser wars and you installed Windows Media Player which later on, in the middle of the night, downloaded and installed IE for you.

    Except that iTunes didn't "in the middle of the night, download and install Safari".

    However Microsoft did force IE into Windows, using techniques that created many inherent security flaws that we are still battling 11 years later, this being one of them.

    Apple can do anything, and few will complain.

    When Apple fucks up, I'll be the first to complain. See An Open Letter to Apple (2004) and six subsequent articles pointing out that 'open "Safe" files after downloading' is a daft idea. It took them three years to figure that one out, and by the way if you are using Safari on OSX OR Windows, make sure that option is turned OFF.

    THAT is a security vulnerability that Apple is responsible for.

    IE executing files on the desktop if they happen to have the "right" name is all Microsoft's baby.

  12. Re:Yes, the flaw is in IE. on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 1

    Will that also override the application search path going through the current directory?

  13. The IE flaw is a threat even without Safari. on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 2, Interesting

    By themselves they aren't that big of a threat

    Um, yes, the IE flaw *is* that big of a threat. There is no circumstance where it should EVER be acceptable for a downloaded file, whether with permissions or not (who other than a geek is going to worry about downloading a file called "somethingobscure.dll"?), to be AUTOMATICALLY executed just because of the name it's given.

    I hope Microsoft fixes it bloody quick.

  14. The actual vulnerability is in IE. on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 3, Interesting

    The actual vulnerability is that Safari downloaded files without the user's permission.

    Asking for permission before doing something that may potentially lead to a security exploit is no protection at all. Seriously. In the eight years between the time Microsoft introduced the browser-desktop merge, and the time I quit being a system admin and went back to programming, I had many many cases where some user (and these weren't dumb users, these were engineers and programmers with PhDs and patents to their name) would come to me and say "Peter, I just clicked the wrong button again, and I think I have a virus". That "again" is important. That means that they have the "Windows pops up stupid dialogs all the time so I have to approve this one" reflex burned into their cortex.

    A user is not going to realize that a web page asking to download "someobscuregibberish.dll" is attacking them.

    Stupid permission dialogs are no protection.

    The actual vulnerability is twofold:

    1. The path goes through the current directory by default, and it goes through the current directory first.

    This is something that UNIX used to do, and it was widely recognized as a BAD idea by 1980. MS-DOS wasn't even out yet, let alone Windows.

    2. The default download directory is the default directory of any program, let alone a program that is run virtually every time you log in.

    This one is, well, beyond stupid. This is like having the mailslot in your front door connect to your safe deposit box. The directory that is MOST likely to contain malicious code is the one that you're MOST likely to be running code from on any given day.

    Trying to make this a Windows issue smacks of fanboyism.

    Name one other operating system or application where downloading files to the default download folder would cause them to be run, under any normal circumstances. The whole idea is completely insane.

  15. Re:Yes, the flaw is in IE. on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 2, Funny

    You can make a real shortcut, set the working directory to whatever you want, or even launch IE from its own program directory from a command prompt, and it will still consider the desktop to be the current directory.

    Whiskey Tango Foxtrot?

    Every time I think I'm being too hard on Microsoft, that I'm just being a cynical old fart, I come across something like this.

    Holy Mother of Turing, what were they thinking of?

  16. Yes, the flaw is in IE. on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 4, Informative

    Microsoft's library path ALWAYS goes through the current directory. For some obscure reason that IE icon on the Desktop, the one that isn't a shortcut but is actually something special Microsoft added back in 1997 to make it harder to remove IE, runs IE on the Desktop instead of in the IE install directory, the way it would if it was a shortcut.

    It's all a side effect of Microsoft's shenanigans when they tried to use browser-desktop integration to make an end-run around their agreement with the US DoJ. That they've convinced people that the big news is a bug in Safari that makes it slightly easier to take advantage of this problem is, well, bizarre.

    And now you know the rest of the story.

  17. Re:Still not legacy free on Via Debuts Mini-ITX 2.0 · · Score: 1

    Why does it have to be legacy free?

    It doesn't. I just thought the subject line was ironic.

  18. Re:Still not legacy free on Via Debuts Mini-ITX 2.0 · · Score: 1

    You want to eliminate the legacy mouse and keyboard ports, but you want to keep the legacy serial port?

    No, really, I'm all in favor of both these innovations, I just wonder about the subject line...

  19. In other news... on Microsoft Spokesman Says ODF "Clearly Won" Standard War · · Score: 5, Funny

    Ice-capades grand opening in hell marred by dive-bombing pigs.

  20. Did Microsoft fix the vulnerability in IE? on Apple Fixes Safari "Carpet Bomb" Windows Vulnerability · · Score: 2, Insightful

    Did Microsoft fix the vulnerability caused by Internet Explorer running with its current directory set to the Desktop and its library search path going through the Desktop? Because until they do that, the actual vulnerability in Windows that Safari made slightly easier to exploit still exists.

  21. Re:Strange. on 1 In 3 Sysadmins Snoop On Colleagues · · Score: 1

    Generally asking them what the business case was, and if they don't have one that's often enough, because it's usually a matter of casual curiosity. Depending on what the situation was, you may be able to ask if they thought it was worth being a test case in the courts if someone (oh, no, not me) discovered them violating people's reasonable expectations of privacy without a business case for it (sure, you can probably make a case that there's no expectation of privacy in the workplace, but do you want to have to? I know *I* don't)...

    Now if they were looking for something like a good copy of source code that had been missed by the nightly backups, that's a different matter, but that's not snooping, casual or otherwise.

  22. Re:Security Theatre, nobody is immune... on Mac OS X Root Escalation Through AppleScript · · Score: 1

    My experience is that once people are in the habit of approving security theatre dialogs, it doesn't matter what the dialog looks like. They just go ahead and approve them all.

    Now if I was writing a trojan that was going to piggyback on the execution of a privileged program, I wouldn't even bother bringing up my own dialog... I'd use Mach injection to modify a program that's already raising its privilege, and change what it runs on the other side of the privilege boundary. Now if I was going to attack someone who was smart enough to remember to lock his keychain and preferences when he's not using them, I'd take advantage of the race condition I alluded to in a previous message.

    Back to my original point, many messages back, compared to the kind of security theatre that makes remote execution attacks possible, like the Safari/LaunchServices one, this one is minor. Because if you're in a position to perform a privilege elevation attack on a desktop OS you've pretty much already got all the rights you need to completely bone the owner, just by getting local user privileges.

    And getting back to "Security Theatre, nobody is immune...", my point was that it's not just Microsoft that's guilty of security theatre, Apple, Mozilla, AT&T, UCB, you name it, they've all done it.

    8 years is a lot of training to undo.

    It's 11 years last month for Microsoft's remote execution design flaw, the one that they've been trying to solve with security theatre for, well, 11 years. Apple's remote execution security theatre only lasted three.

    I'm not saying that Apple's innocent here, just that requiring the guy sitting at the desk to occasionally verify that they're not someone who just walked up to an unwatched keyboard isn't an inherently bad idea... the way asking "should I do something really really stupid" is.

  23. Re:Security Theatre, nobody is immune... on Mac OS X Root Escalation Through AppleScript · · Score: 1

    I don't agree that "most" of the places that dialog pops up are unrelated to Installer.app.

    Most of the places that dialog pops up for me are to unlock Preferences and to unlock my keychain, or to run an application with elevated privilege, or to authenticate Finder to copy a file to (for example) another user account.

    Perhaps if I was installing lots of applications all the time I'd have a different experience.

    The reason Apple is culpable is that they have made it easy to create installers, but only installers that require you to type your admin password.

    Indubitably, but compared to the Safari/LaunchServices Security Theatre this is a peccadillo. Also... I find quite a lot of installers happily run to completion without ever asking me for my password. Are they just emulating Apple's installer, or what?

  24. Re:You're missing the big problem... on New FISA Bill Would Grant Telcoms Immunity; Vote Is Tomorrow · · Score: 1

    Not all companies and institutions that were forced to comply with these and other illegal orders were "Good Germans" about it. There are avenues for challenging these kinds of orders in the courts, even while complying.

    Unethical? If they were little municipal libraries with limited resources and experience with the court system, rather than large profitable companies with a permanent legal staff, I would be inclined to agree with you... but when it's the little municipal libraries that found the time, money, and backbone to go through the courts, while the big profitable companies stood enthusiastically by the government, I don't think that word means what you think it means.

  25. Upgrade the OS! on Revitalizing an Aging Notebook On the Cheap · · Score: 1