Slashdot Mirror


User: Alex_Ionescu

Alex_Ionescu's activity in the archive.

Stories
0
Comments
83

Comments · 83

  1. Sorry, SecureBoot is implemented in the very firmware you can own when WP is busted... so Windows will happily believe all is good. That's the point of these types of vulnerabilities.

    The TPM point would be valid if you actually manually configured which PCRs will cause BitLocker and remote attestation to fail. By default the firmware ones are NOT set up this way. Even if they were, if the attacker knew the expected measurements (from the original firmware), TPM has no signing on measurements and therefore you could fake the old numbers by self measuring.
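An added example to make the two points in that comment concrete (written for this page, not the commenter's code): PCR values are hash chains the TPM extends with whatever digest it is handed, so firmware that owns the flash can replay the genuine event log and reproduce the sealed values exactly, and a PCR selection that leaves out the firmware PCRs never looks at them in the first place. Every image, event log and PCR selection below is constructed, and the "default-style" selection of PCR 7 and 11 is an assumption for the demo.

```python
# Added example, not from the original comment: a model of TPM PCR extension
# showing why unsigned measurements cannot distinguish firmware that really
# booted the expected code from compromised firmware that replays the expected
# digests, and why a PCR selection that omits the firmware PCRs never notices
# either. Every image, event log and PCR selection here is constructed.
import hashlib

PCR_BYTES = 32  # SHA-256 bank

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR[i] = H(PCR[i] || digest); the TPM does not check what the digest is."""
    return hashlib.sha256(pcr + digest).digest()

def replay(events):
    """Final PCR values produced by a sequence of (pcr_index, digest) extend events."""
    pcrs = {i: b"\x00" * PCR_BYTES for i in range(24)}
    for idx, digest in events:
        pcrs[idx] = extend(pcrs[idx], digest)
    return pcrs

def measure(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()

# Constructed boot components.
GENUINE_FW  = b"vendor firmware 1.0"
TAMPERED_FW = b"vendor firmware 1.0 + implant"   # what an attacker with flash write ships
BOOT_MGR    = b"bootmgfw.efi"
SB_STATE    = b"SecureBoot=1;db;dbx;KEK;PK"      # Secure Boot policy, PCR7 on UEFI

def honest_events(firmware: bytes):
    """Firmware that measures itself and the next stages truthfully."""
    return [(0, measure(firmware)),   # firmware code
            (4, measure(BOOT_MGR)),   # boot manager
            (7, measure(SB_STATE)),   # Secure Boot configuration
            (11, measure(b"BitLocker-VMK-access-gate"))]

def replayed_events(original_log):
    """Compromised firmware extends the digests from the genuine event log verbatim."""
    return list(original_log)

def policy_digest(pcrs, selection):
    """Digest over the selected PCRs; sealing binds the key to this value."""
    h = hashlib.sha256()
    for i in selection:
        h.update(pcrs[i])
    return h.digest()

def unseal_allowed(sealed_policy, pcrs_now, selection) -> bool:
    return policy_digest(pcrs_now, selection) == sealed_policy

def demo():
    # Assumed PCR selections: "firmware-bound" includes PCR0/4; "default-style"
    # is PCR7+11 only (assumption for the demo; check the real selection on a
    # box with `manage-bde -protectors -get C:`).
    FW_BOUND, DEFAULT_STYLE = [0, 4, 7, 11], [7, 11]
    genuine_log = honest_events(GENUINE_FW)
    sealed = replay(genuine_log)
    fw_policy = policy_digest(sealed, FW_BOUND)
    default_policy = policy_digest(sealed, DEFAULT_STYLE)

    tampered_honest = replay(honest_events(TAMPERED_FW))     # implant measures itself
    tampered_replay = replay(replayed_events(genuine_log))   # implant replays the old log

    return {
        "fw_bound_detects_honest_implant": not unseal_allowed(fw_policy, tampered_honest, FW_BOUND),
        "fw_bound_fooled_by_replay": unseal_allowed(fw_policy, tampered_replay, FW_BOUND),
        "default_blind_to_implant": unseal_allowed(default_policy, tampered_honest, DEFAULT_STYLE),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The only thing that breaks the replay is something the firmware cannot forge: a measurement taken by hardware before the writable firmware runs (a static or dynamic root of trust that extends PCR0 from ROM), or a quote signed by the TPM over a log the verifier can check against known-good firmware hashes. Without one of those, the PCR values are only as trustworthy as the code that extended them.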

  2. Re:USB, people ... USB on Palm Ignores USB-IF Warning, Restores iTunes Sync · · Score: 1

    Please read the letter USB-IF wrote to Palm -- they *expressly* stated that usage of the VID/PID in this manner is a supported and expected function of the USB standard. They are using their VID/PID exactly in the way it was intended.

  3. Re:Include the antidote ! on FDA Considers Banning Acetaminophen-Based Pain Killers · · Score: 1

    Erm, Acetaminophen is not a "Brand name", it is called a "Common name" or "Generic name". And guess what, so is Paracetamol, the European "Common name". A "brand name" is Parocet or Tylenol.

    So I guess Europeans have a little bit more trouble differentiating brand names from common names, or were you just trying to get everyone to switch over to the European way of naming things?

    The drug name is "N-(4-hydroxyphenyl)acetamide", FYI.

  4. More on the Shim Database... on MS Suggests Using Shims For XP-To-Win7 Transition · · Score: 1

    A bit of a shameless plug, but if you'd like more information on these "shims", I've started a series of articles on the technology (still hoping to complete it shortly) on my blog at http://www.alex-ionescu.com/?p=39. FYI, there's over 8000 of them in Windows today, and each time you launch an app, these checks are made.

  5. Re:Page fault madness on Hands-On With Windows 7's New Features · · Score: 2, Informative

    That should've been "6.999 million".

    Also, to clarify, a soft page fault is when a page is migrated from the standby list to the working set -- which is several orders of magnitude less expensive than a hard fault. Except for some TLB issues, there's no significant performance issue, and no disk access in any case.

  6. Re:Page fault madness on Hands-On With Windows 7's New Features · · Score: 4, Informative

    You need to understand the difference between a "soft page fault" and a "hard page fault". The numbers you're looking at are a combination of both -- I would guess maybe 1000 hard faults, and 6.999 soft faults.

    So you're looking at completely the wrong number (page reads/sec is a better number, subtracting that from I/O reads/sec).

    If you want more information, I suggest you read up on the Memory Management chapter in Windows Internals.

  7. Exaggeration on Post-Quake, China Cuts Access to Entertainment Web Sites · · Score: 1

    I'm in Shanghai this month and just heard the air raid siren for 3 minutes while in Old Shanghai... it was quite touching to see everyone stop whatever they were doing.

    As for Internet access... I think this is sensationalist BS. I'm on slashdot.org, people.com, youtube.com, cnn.com and wikipedia.org right now without any problems. Nobody's cutting access, they're just asking for a period of mourning and respect for the dead.

    How is this different from our reaction to Pearl Harbor and/or September 11?

  8. Lies and FUD... on Coding Around UAC's Security Limitations · · Score: 1, Informative

    I'm sorry, but Microsoft does NOT sell UAC as a "security framework" or a "security model" or even a security boundary, as the article claims. It's a convenience tool that makes it easier for you to run applications as standard user, that's IT. Anyone that claims UAC has ANYTHING to do with security has absolutely no clue what they're talking about -- and I challenge you to show me Microsoft documentation that speaks of UAC as a security boundary.

    From TFA: "Microsoft can claim that Vista blocks system-modification tools from running at startup;" -- again, I'm sorry, but Microsoft does not make this claim. The steps that the developers of this product (admittedly a good one) took are perfectly in line with what I'd expect a system of this nature to do: run as a service. That's *exactly* what services are supposed to be: administrative-level daemons that must launch on startup and are independent of the user account (or always require high privileges). Microsoft does not block applications requiring admin access from starting up for SECURITY -- it's done because otherwise, your computer would be stuck on the secure desktop waiting for authorization, and anyone possibly depending on the application (and anyone else also requiring elevation -- AFAIK, the AppInfo service can only request one elevation at a time) would also be frozen.

    I don't see what the big deal is. I run OS X on my desktop and I see plenty of similar applications running as services, in fact, I'm pretty sure Apple's guidelines also don't allow for applications that require root access to prompt for credentials during the startup process. It's just bad user experience.

  9. Re:Of course... on Microsoft Designed UAC to Annoy Users · · Score: 1

    You just contradicted yourself there.

    " if you're logged in as administrator that you don't have to provide a password " => True, so no UAC prompts if you're logged on as admin.

    "with UAC, even root has to sudo." => False, as you've just said, if you're root (Administrator), there's no UAC.

  10. Re:This looks like something vendors could fix. on .ANI Vulnerability Patch Breaks Applications · · Score: 1

    Because Win32k.SYS (The Win32 GUI Subsystem) expects user32.dll to remain at the same base address. So while most other DLLs can be relocated, user32.dll can't, since all the pointers that win32k.sys uses would become invalid. A solution would be for user32.dll to report itself to Win32k.sys for every new GUI process, but this would considerably slow things down, and require callback tables and validation to be per-process instead of per-system.

    Also, they're "hardcoded" because it's faster when the system doesn't have to relocate them; in all other cases except for kernel32, user32, gdi32 and ntdll, they can be relocated (unless the file was built with /FIXED).
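An added check that follows from the /FIXED remark above (example code written for this page, not the commenter's): whether the loader can move an image at all is decided by two header fields, the IMAGE_FILE_RELOCS_STRIPPED characteristic that /FIXED sets and the base relocation data directory, while DYNAMIC_BASE only says whether the image asks to be moved. The stub images in demo() are header-only and constructed in memory; the base addresses are illustrative.

```python
# Added example, not from the original comment: read the PE header fields that
# decide whether the loader can relocate an image at all (relocations present
# and not stripped by /FIXED) and whether it asks for ASLR (DYNAMIC_BASE).
# The images in demo() are header-only stubs constructed in memory, not real DLLs.
import struct

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # set by /FIXED
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by /DYNAMICBASE
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
BASE_RELOC_DIR = 5                              # IMAGE_DIRECTORY_ENTRY_BASERELOC

def relocation_info(image: bytes) -> dict:
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symtab, _nsyms, _opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]
    reloc_size = 0
    if ndirs > BASE_RELOC_DIR:
        _rva, reloc_size = struct.unpack_from("<II", image, dirs_off + 8 * BASE_RELOC_DIR)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": image_base,
        "relocs_stripped": stripped,
        "has_reloc_dir": reloc_size != 0,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # Without a .reloc directory the loader cannot move the image; if the
        # preferred base is already taken the load fails instead of being fixed up.
        "relocatable": reloc_size != 0 and not stripped,
    }

def build_image(image_base, *, relocs_stripped, dynamic_base, reloc_size, pe32plus=False) -> bytes:
    """Construct a header-only PE stub (no sections or code) for the demo."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    ndirs = 16
    if pe32plus:
        opt = bytearray(112 + 8 * ndirs)
        struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
        struct.pack_into("<Q", opt, 24, image_base)
        struct.pack_into("<I", opt, 108, ndirs)
        dirs_off, machine = 112, 0x8664
    else:
        opt = bytearray(96 + 8 * ndirs)
        struct.pack_into("<H", opt, 0, PE32_MAGIC)
        struct.pack_into("<I", opt, 28, image_base)
        struct.pack_into("<I", opt, 92, ndirs)
        dirs_off, machine = 96, 0x14C
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    struct.pack_into("<II", opt, dirs_off + 8 * BASE_RELOC_DIR, 0x3000 if reloc_size else 0, reloc_size)
    characteristics = IMAGE_FILE_DLL | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)

def demo():
    # Illustrative bases only: a /FIXED 32-bit DLL versus a 64-bit ASLR-enabled one.
    fixed = build_image(0x10000000, relocs_stripped=True, dynamic_base=False, reloc_size=0)
    aslr = build_image(0x180000000, relocs_stripped=False, dynamic_base=True,
                       reloc_size=0x400, pe32plus=True)
    return relocation_info(fixed), relocation_info(aslr)

if __name__ == "__main__":
    for name, info in zip(("fixed", "aslr"), demo()):
        print(name, info)
```

To inspect a real file, pass `open(path, "rb").read()` to relocation_info. A system DLL that the kernel or other processes expect at one address can still carry a full .reloc section; what this check tells you is whether the loader *could* move it, not whether anything else on the system would survive that.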

  11. Re:Error in slides from Ionescu's talk on ReactOS Revealed · · Score: 1

    Thanks, originally Vista was going to have full MAC, not just Biba. I guess I never noticed that it changed for RTM. I will update the slides (at least my copy). Thanks!

  12. Re:Misleading story on Vista DRM Cracked by Security Researcher · · Score: 2, Insightful

    What decent programmer hasn't hooked the windows kernel to bend it to their needs?

    "Programmers" like that are anything but decent if they release such code in the market. They're the ones responsible for 90% of the BSODs we see and the system instability that plagued NT due to crappy drivers. They're the reason I think Patchguard is a good idea, in some ways.

    Note that I have nothing against people who experimented with the kernel and used hooking for learning and experimenting, just don't ship out a product like that.

  13. Re:Misleading story on Vista DRM Cracked by Security Researcher · · Score: 4, Informative

    I have an NDA with Microsoft already. But this was done through independent research which isn't covered.

  14. Re:Misleading story on Vista DRM Cracked by Security Researcher · · Score: 5, Informative

    You haven't tested this. I could care less if your driver is loaded.

    Not using a driver, RTFM.

    Microsoft knows that 3rd party driver certificates are going to be stolen/compromised. Microsoft hasn't even provided a method to reject unsigned drivers yet (per MSDN it will be in Vista SP1).

    Which is why this isn't using a stolen/3rd party driver or unsigned driver, nor actually loading a driver.

    Did you happen to hook one of the kernel functions PatchGuard is monitoring? Try to patch CI.DLL and see what happens. You can disable driver signing. You cannot disable PatchGuard.

    There's about a dozen ways to disable PatchGuard, and I was able to patch CI.DLL, disable PatchGuard, as well as turn off code signing. I don't want to sound condescending, but you don't seem to know what you're talking about, or you're being deliberately misleading with your PatchGuard comment.

    I'm not saying that you can't bypass Microsoft's DRM restrictions. I just don't think you have and the burden of proof is on you.

    I'm not going to commit legal suicide by proving it. The point of my blog entry was never to say I broke DRM, but that I've found a way which can break it, which people are free to explore on their own.

  15. Re:He didn't "Break" PatchGuard on Vista DRM Cracked by Security Researcher · · Score: 5, Informative

    Administrators can turn PatchGuard off at boot time. He didn't break it.

    There's no way to turn PatchGuard off, only Driver Signing, which watermarks your desktop and disables PMP. Ways to break Patchguard 2.0 were published recently by "Skywing" on uninformed.org

  16. Re:Misleading story on Vista DRM Cracked by Security Researcher · · Score: 5, Interesting

    1). It doesn't work out of the Box.

    Yes, it requires a reboot, which is why it's only useful for bypassing DRM, not for open source apps (which will have to bother the user to reboot).

    2). It uses a method provided by Microsoft.

    Erm, no, PMP is provided by Microsoft. This method bypasses it.

    3). It hasn't been tested.

    It works fine, the actual PMP-disabling code hasn't been tested because I don't want to touch that. But my code ran in kernel-mode, which means it's possible. Read up a bit on computer architecture and you'll see that as long as you have access to the kernel, you're God on the machine (Apart from hypervisor machines and/or additional hardware -- which PMP doesn't currently employ).

    4). Author is more afraid of the DMCA than of violating Microsoft's EULA terms.

    Author is a student and doesn't want to be sued out of existence because this method could be used to "circumvent a technological measure primarily destined for copyright protection".

  17. Re:Not the only one to come to this conclusion... on Blue Pill Myth Debunked · · Score: 1

    Not to mention the fact that the pagefile exploit:
    1) Won't work on some systems, by design (like mine)
    2) Has a high risk of damaging your data, due to the complete lack of multi-thread race considerations.

  18. Re:can you pay FRIENDS? on Google Launches PayPal Rival · · Score: 1

    You should try out Paypal Mobile.
    We do the same thing, but now I just take out my phone, press a couple of buttons, and they have the money instantly.
    Also works at some stores...

  19. Re:Why so expensive? on We Don't Need No Stinkin' Broadband · · Score: 1

    Yeah, but even then, at what speeds? When I hear Americans talking about "Broadband" (and reading some of the comments here), I see "256/64" or "768/128" and one or two 1.5Mbit comments. For 60$ CAN I get 10Mbit downstream and 1Mbit upstream, with no bandwidth usage limit. That's about 50$ US, which seems to get you 1MBit on DSL (which, in my experience, implies PPPoE and other such c*ap). And when you said basic cable, was that analog? I pay 30-35$ for about 200 digital channels... Add 20$ for VoIP with 5 services (call waiting, caller id, etc). About 120$/month for ultra high speed internet, more digital channels than I can watch in a whole year, and a great phone line. All on one bill, through one single cable.

  20. Re:`Ballmer` not `Balmer` on Balmer Vows to Kill Google · · Score: 1

    And it's Lucovsky not "Lucovosky".

  21. Re:Sold through managed obsoletion on Blu-Ray to Include New Copy Protection · · Score: 1

    Considering the cost of a Dual-Layer DVD-RW + CD-RW Combo Drive (70$ or lower), which burns a CD in 3-4 minutes or over 8GB of data in 20 minutes, thus allowing you to backup more frequently and with more ease, your new purchase not only increases your productivity by a large margin, but it might save you days worth of work in case of a disk crash. After 5 years of not having upgraded your burner, I think the 70$ was worth it.
    Also, a firmware upgrade would've probably fixed your burner to deal with 700MB CDs. There aren't really supposed to be any technical differences. My 2x CD-R on my 90MHz laptop burnt on them fine, years ago.

    It's DRM, by the way, not DMR ;)

  22. Re:i wonder if on Microsoft Plans Hypervisor for Longhorn · · Score: 2, Informative

    Microsoft has had builds of Windows for the following platforms since the first NT beta:
    -Alpha
    -PPC
    -MIPS
    -x86
    IA64 support started a *very* long time ago, and x86-64 basically took the shortest time (you only basically need to recompile using a good optimizer, and change some code to take advantage of some new features... the big problem is changing the ASM code in the kernel/hal, but there isn't much of that).

    MIPS/Alpha/PPC support was officially cut during the Win2K beta, but Microsoft has been keeping private copies mostly because Cutler liked it that way, and also because it ensures what you're doing is still portable. In fact, the first version of NT that was booted and tested was not the i386 port, since MS wanted to make sure that the system was portable enough so that it would work on the least-targeted platform first (and boy it did).

    MS does not however have a G5 build of Windows, since there are too many Big Endian issues and it isn't worth it for them anymore.

  23. Re:From a Canadian: Dear Canada, Fuck Off on Canadians May Face 25% Download Tariff · · Score: 1

    You only pay 20% income tax and you're complaining? Wow... I didn't even know that it went that low.

    My dad pays 55-60% of his gross revenue in income taxes. And the sales tax totals up to 15.56%. So out of 1$, you get to keep 25 cents.

  24. Re:In Canada... on FCC Rules Telcos Need Not Provide Naked DSL · · Score: 1

    Well, in Quebec (the province right above New England, in Canada :P), we have non-Bell (the monopoly) public phones, and Bell DSL service over non-Bell phone service, and vice-versa. We can even have cell phones that keep our residential number.

    All these are due to *Federal* laws (afaik) which prohibited the local carrier from not allowing competing DSL products, and which prohibited the local carrier from being the sole owner of public phones...

  25. Re:I own a few websites and I love open source on Firefox Users Bad For Advertisers · · Score: 1

    Alright, next time you take a bathroom break during TV advertising, make sure you turn yourself in.

    And if you read the newspaper tomorrow morning and you don't see the little tiny ad on the left side, I guess you're also committing theft because your eyes have inadvertently blocked the ad.

    If you're on the highway, and you fail to see "Sponsored by: ", you should again turn yourself in...after all, you're driving on someone's share of the highway and your eyes have just blocked/ignored the advertisement.

    I'm sorry, but who on Earth thinks that advertisers have a RIGHT to have their ads seen by people? Advertisement is a GAMBLE, not a God-given right.