They have VMplayer and now it allows you to create new VMs not just use appliances without jumping through hoops. It works well but no snapshots I don't think, you can obviously copy a VM manually. Workstation is good though if working with ESX as I swear you need an array of tools to get stuff to convert on it. Yeah I know about the standalone converter...
Or run a Windows VM and VNC to it to run Vsphere....
Would be nice to know if the OP wants a desktop or server sized solution to play with. If just desktop there's plenty of options....
What software are you using to virtualize? VMware or other? I like the idea of a VM for specific software packages, Virtualbox would work well for that or VMplayer...
I've been using VMware at work for quickie testing. Seems to work well for this and the licensed copy allows snapshots which are very nice. I understand from developers doing work for us that they run into issues with VMware workstation when they script things to happen with the VMs. VMware player works okay for home use as Workstation is a bit pricey.
Virtual box, for me at home and some at work, works great! I don't know anyone exercising the API so I can't comment on that but for home use this rocks and is free!
Above that comes ESX which is also free with advanced functions disabled. This isn't something you run on a desktop but I've recently set it up to consolidate multiple other servers and this works terrific for a 24x7 system doing many mundane things like storage. This gives you experience with VT-d and all sorts of other goodies like figuring out how to do graceful shutdowns from a UPS signal etc. Fun stuff for sure and a good system to "graduate" to in my experience.
Not played with Xen, sorry....
Isn't it also possible to have issues from handling lead? All in all it's not something I intend to play with like mercury when I was a kid. That stuff was a blast, thankfully I didn't play with it very much as I found out later it's plenty toxic via contact. Times, they seem to have changed a bit :-O
Wow I wish I hadn't posted so I could mod this - VERY good point!
I've played with magnets since I was a small child and received a book at a book fair that contained one taped to the inside - in 1st grade. Over the years I collected quite a few of them and that includes a ton of these ball magnets that everyone is ranting about, I have about 100 of them hanging in my cube a foot from me now. Number of magnets ingested? ZERO
Or maybe someplace like Dealextreme?
http://dx.com/s/magnets
I'm sure there's no lead in them! ;-) I have a few sets from these guys in the office - lots of fun!
Meh, he gave enough detail on how their sandbox couldn't handle specific processor instructions and would bypass files that had them to be pretty effective against the AV I'd say. I think there was also a specific number of instructions the sandbox would run before passing the file too but I might be thinking of another AV.
I'll grant that he didn't give a script that one could just copy and paste but I think he gave plenty of information to a pretty interested audience that could act on it back in August! If nothing he described their crypto well enough for someone to duplicate his work if inclined and pointed out many areas that were weak. The paper just documents and supports his claims is what I'd say. Even when he spoke he admitted that Sophos was working to fix things already. Sophos wasn't squeaky clean, don't get me wrong, but this is so long after the fact that I'd pretty much forgotten about it so to me it comes across as his wanting to make a second splash with the research is all...
Oh yeah, I asked the guy after his talk if he was going to research any other AV products - his response was that no he wasn't. I wish he would or that perhaps someone else would. I'm pretty sure Sophos isn't the high bar in AV but I'm betting that there may be some others with some pretty crappy behavior out there that haven't been highlighted. Why not give them a shot too? Wasn't clear why these guys were such a target although he did mention their being used in various hardware products as an AV engine as part of the reason.
This was the subject of a talk given at Black Hat (or was it DEFCON?) in August out in 'Vegas. Why it's news now suddenly is a mystery to me. The guy did thoroughly hack the product to include reversing its signature encryption (homebrew crypto?!) and figuring out that some features simply didn't work. However at the time of the talk he also told the audience that he had been working with the company and that they had changed some things and would be switching to standard crypto. I'd still agree the company comes across as slimy since some of their claims were pure crap (some signatures apparently obviously machine generated despite claims they didn't do that etc.) but now months later to post this like it's news? Really? Maybe he should have had this paper ready to roll right after the talk?
http://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Ormandy
It might have helped had he bothered to defend himself, since he didn't the judge defaulted to the maximum penalty. This does seem to teach others not to purchase from this company but to get it elsewhere instead.
Been through some storms so I've added some munchies, bought some water, charged a spare car batt for a friend's sump pump and to charge phones, and I cleared the gutters out. I also chatted with my neighbors, we're prepped to help each other out if needed. Pissed I skipped installing the generator I considered last month, betting I'll need it...
Yuck it up but 8 inches or more of rain will fuck things up pretty good. Oh, I RainX'd my car windshield too :-)
Think of an idea, a software package, a new widget. Now, you willing to play roulette and try to build it without first making really sure that someone isn't going to sue you? Or will you first pay lawyers to research patents? And incorporate to cover your ass? How much will you spend before you even begin to do anything with your idea? Unless you REALLY love this thing are you even going to bother? Look at the huge mountain of hassle and money in front of the pursuit of any idea, is it any wonder that so few really seem to pursue their ideas? Most of us have lives we'd like to remain somewhat sane...
You seem to be assuming that the root for both key paths will be the same, somehow I doubt a key used to sign apps for a remote desktop application of any flavor is going to be allowed to sign bootloaders. It also seems you do not understand exactly how the other key came about, someone didn't just steal a Private key laying around. It's not "a" key but "THE" key that's required.
You might also want to figure out that Microsoft is NOT the signing authority for the key being used here. The Microsoft key is being used only because it's a widely distributed key and Microsoft has apparently agreed to allow its use for others but if they refuse it's possible to have the CA sign another root. Unfortunately that Public key would be far less likely to be as ubiquitous as the Microsoft key. As it stands right now I see no reason why Microsoft wouldn't allow the signing with this key, it has protections built in to prevent malicious usage.
There will be no myriad of CA signing with the Private key to be hacked, Microsoft will have their Public key distributed far and wide in hardware. They will retain the ability to sign their code and the Root will apparently be able to sign other approved code that will leverage the same Public key. This way Linux kernels COULD be signed and use this key embedded in hardware if desired. Some distro are apparently looking to go that way. However kernels change and are sometimes custom so this shim was created and will be signed by this group to sidestep the hassle. They are getting signed by a key given to them that descends from the Microsoft key. I would bet that a revocation process does exist but I doubt it's a very smooth one.
Note that Verisign not Microsoft gets the fees from this process, they are the CA handling this.
Your thread of probability - it grows thin....
I doubt it, chances are they are using a different signing key for that platform - a good idea though!
When booting a Microsoft OS it's not just the boot loader that's signed. You might want to spend a little time researching the secure boot process...
Fully agree! Linux binaries can already be signed, some distro are doing it, so why not allow users to add a key and sign their own? Why not sign a great deal of the boot process while we're at it ala Microsoft? We now have the hardware support it seems...
Actually, if Linux could offer the users the ability to sign their own kernels and other boot pieces, then put the key into the BIOS it would provide greater security for Linux as well! Obviously the user would have to manage their signing key properly and kernel updates would be a hassle but the added security provided could be just as useful. Why not take advantage of this??
Pretty sure Microsoft has said that they expect there to be a BIOS option to turn it off. I expect it will be harder to find one that doesn't allow it to be turned off than one that will. I certainly wouldn't buy anything that didn't allow it to be deactivated!
Yeah it does, and no I don't expect an option to skip the check else they would never sign it and revoke the key as has already been done in the driver world. If you've got a server or Myth box I would expect you to uncheck the option that requires secure boot and not sweat any of this as it wouldn't help you anyway since it's currently only a Microsoft option.
Not exactly, it was signed with a weak key produced by one of their remote desktop solutions that allowed licensing of components. Microsoft has since revoked those keys and bumped up the minimum allowed key size to stop this in the future. This was NOT a case of someone stealing a Microsoft key left in the parking lot.....
Did you miss the part about a present user test? It means someone will be presented a message and asked to approve before boot proceeds. Sounds like a good way to go to me however it will certainly screw up a server reboot lol.
http://www.trailcampro.com/
Game Cameras brought up a TON of hits. Not hard to find something to meet this at all it seems...