Macs aren't safe from injecting code into an existing process. Trojans can do the exact same thing on Mac OS X as on Windows. See the vm_write() Mach API call.
FF11's lack of a windowed mode and crashing when another program takes over is a security feature. It's harder to use hack programs when you can't see their UI. Square bans people for using hacks that let you play the game in windowed mode.
KMODE_EXCEPTION_NOT_HANDLED means that an exception occurred in kernel code that did not have an encompassing __try block. In other words, it's an exception that the system did not expect.
Almost always, it's caused by a driver programmer that did not know what they were doing when they wrote the driver. Even if the exception occurs somewhere in ntkrnlmp.exe, it's usually some dumb driver's fault. Bugchecks caused entirely by Microsoft code are uncommon.
If I owned a Mac, I'd want to see that information. It makes sense to disable it by default, but people like Slashdotters do want to see it.
By the way, you don't see this in Windows XP or Vista. XP and Vista reboot immediately on a bugcheck by default then display "The system has recovered from a serious error" when they come back up, with no technical details unless you ask for them. Getting a blue screen when the kernel bugchecks requires going to a menu 99% of users don't know exists.
The only reason educational software sells at all is because parents look at the alternatives and think that the educational games are somehow better. Children don't typically want to learn. Buying a game isn't going to change that. Educational games are boring.
Those who played Carmen Sandiego or the ripoff Mario is Missing aren't going to remember anything from it. I suppose the nerds like me will, but that's about it.
Different way: edit a pornographic adult picture to look like a child, like by cutting and pasting innocent child pictures onto a legal pornographic picture. Of course, it's not as simple as cutting and pasting, but you get the idea.
As sick as these people are, I don't see why we should throw them in jail for that...
It's not Microsoft that says that Vista 32 can't play HD movies, it's Hollywood's copy protection consortium. Vista 64 requires all drivers to be signed, so all that needs to happen is to disallow software decoding unless your operating system is Vista 64, which they have said is what will happen.
XP users can use hardware decoding, but that requires a copy protection-compliant video card and monitor.
Here's another "feature": forced driver signing. Only corporations of a particular size are allowed to pay the VeriSign tax and be allowed to make drivers for Vista 64, and there is no way to turn it off. No longer are administrators owners of their machines.
It would be even more impressive if Nintendo were promising two original, non-sequel, non-license, and actually entertaining games to ship with the Wii.
Don't get me wrong though: I want Twilight Princess and Mario 256. Some of the best games have been sequels. SNES had A Link to the Past, PS1 had Nocturne in the Moonlight and Final Fantasy 7, DC had Marvel vs. Capcom 2. Even World of Warcraft is from the franchise.
I really think it's a bad idea to place encryption into hardware, such as WEP/WPA/WPA2 into wireless cards. It should be the operating system's responsibility.
A big reason that WPA2 is not taking over the market yet is because wireless cards do WEP encryption in firmware, and you can't upgrade them. A regular user cannot spend the time researching to find the exact firmware update needed for their particular wireless card. Compare with putting encryption into the operating system, where you could get WPA2 support the next second Tuesday.
Something that really turns me off about Macs is that they only have 1 mouse button. The Mighty Mouse has 1.5 mouse buttons, unless you count the side squeeze. Apple has yet to release a 2-button mouse. Sure, on a desktop machine, you can just buy any PC mouse you like, but not on a laptop's built-in trackpad.
I tried to play World of Warcraft at my friend's house, a Mac owner, and couldn't. She had a Mighty Mouse, and I couldn't play WoW because I walk using the mouse - which you do by holding both the left and right buttons.
On this post, there are many people who say that cdrtools doesn't use proper hardware abstractions, and its use of SCSI is outdated. While it is definitely true that SCSI unit ID's are user unfriendly and don't reflect modern hardware, the use of SCSI itself is justified.
The MMC standard (multimedia command set) for optical media is based on SCSI. The MMC takes a subset of SCSI's command set and extends it. All modern readers and burners use MMC.
The MMC is meant to be hardware-neutral. The command set is independent of the type of bus with which the device is attached. Each type of bus has a method over which such SCSI commands are sent. SCSI uses itself, IDE uses ATAPI, and I have no idea what USB drives use. ATAPI in particular is an escape sequence to encapsulate these SCSI commands inside ATA commands.
Once this is set up, the user-mode burning programs use some mechanism to send SCSI commands to the drive. These SCSI commands get encapsulated as necessary by the kernel drivers. A burning program only needs to know the SCSI commands and does not need to worry about the particular bus.
In Windows, you do this by opening the devnode for the drive (\Device\CdRom0). You then send IOCTL_SCSI_PASS_THROUGH ioctls to execute the commands. For IDE devices, the IDE driver will convert these into ATA commands using ATAPI.
I heard that ide-scsi in the Linux kernel is not enabled by default anymore, which seems like a bad idea.
1. Why should we have to ask VeriSign permission to develop applications for our own computers? You know, there do exist drivers for legitimate purposes you know. I know of a driver that grants user mode direct access to administrator-chosen I/O ports. It's designed for when the OS's parallel/serial port drivers are not sufficient. This doesn't break security, and in fact its authors were very careful about that. They wrote it as open-source, so why should they have to pay VeriSign $500 for people to be able to use it? This isn't Xbox 360.
2. There are many free development tools. Vista costs money, but most people will already have paid for it.
3a. It does not prevent rootkits. NtCreateFile on \Device\Harddisk0\Partition0, NtWriteFile 512 bytes, NtShutdownSystem to reboot. Rootkit ahoy.
3b. PatchGuard, which is not related to forced driver signing, makes the "wannabe" rootkits much harder. PatchGuard can be cracked, but not robustly, because your crack will only work until the next second Tuesday.
3c. It does NOT protect against bad copy protections. In fact, it makes them stronger. SafeDisc will have a signed driver, but an anonymous cracker cannot.
4. I think the Windows NT kernel is the best general-purpose operating system kernel there is. I think Linux, especially the kernel, is a pile of crap. That's why I like the ReactOS project even though they'll be sued by Microsoft the day they become useful.
...Spear of Destiny? Anyone remember that in Spear of Destiny?
id, who apparently was forced into copy protection by their retail publisher FormGen to put in copy protection, had some fun by putting in a bunch of back doors into the game.
Humans have been doing genetic engineering for many thousands of years. 15,000 years ago, humans started genetically engineering wolves. In those years of genetic engineering, they made a Chihuahua and Shih-Tzu from wolves. Later, humans started genetically engineering grasses, and the result was eventually civilization.
Does the fact that DNA can now be manipulated directly really make a difference as to what we're doing? In both cases, we are artificially selecting genes.
Also, keep in mind that genetic engineering of humans will eventually become necessary. Medical technology is allowing people with severe genetic defects to live and reproduce that would have died without it. Eventually this will result in a polluted gene pool. Considering the only ways to stop this are removing medical technology, eugenics, and genetic engineering, which one would you rather have?
I warned about the true purpose of the Vista 64 driver signing on my weblog in June. I got a lot of crap from people saying that I'm paranoid, and that I'm against security features in Vista. I even tried to post a Slashdot story about it (rejected of course). The problem is that I'm a nobody.
At Black Hat on August 3, Joanna Rutkowska announced her exploit to get around Vista 64 driver signing. I had come up with the same idea in June (see link above), although it's obvious that she had the idea long before me. I was insensed, however, that Joanna would give such a clear announcement to the world about how this works, and go as far as proclaiming her support for the "feature". I wanted to wait for Vista's release to really give a demonstration of the trick, because I wanted to do anything that would undermine Microsoft's imposition of driver signing.
I knew that this "feature" had little to do with rootkits, even though Microsoft had promoted it as such. It simply does not prevent rootkits. Rootkits are somewhat uncommon - the day-to-day trojans are almost all user-mode crap that adds itself to Run in the registry. Driver signing does nothing against them. Also, Administrator user-mode programs are allowed raw disk access, so what really stops a rootkit from overwriting the MBR and rebooting the system? They could ever cause a bugcheck to make it look like Windows crashed 3 hours after you ran the trojan.
I was hoping that a set of exploits would be made prior to Vista's released, then released one at a time on every second Wednesday of the month so as to cause maximum credibility damage to Microsoft. These would not be rootkits, just ways of getting a custom driver to run. I'd even try to make it difficult to use a real rootkit with it. I'm against viruses and rootkits, and have never made such a thing myself, but this isn't a virus issue.
Another thing that Microsoft has disclosed is that in future Windows versions (NT 6.1?), it will not be possible to run unsigned programs as Administrator anymore, even in user mode. The "elevation" system would be there still, but only signed programs could request it. I thought of a social attack against this system. I had planned to tell Microsoft because I believe in the user/Administrator separation, but now I'm not going to. I will not help a system that's against my morals.
Signature checks should be applied by the computer owner, not Microsoft. A PC is not an Xbox 360.
It would be interesting to see what changes in the new version by binary-comparing all the files. Having a recall instead of a day-one patch sounds like it's something interesting. =)
Melissa
You *can* distinguish technology from magic
on
Computer Voodoo?
·
· Score: 1
Magic violates the first and/or second law of thermodynamics. Technology does not.
Even if you got ahold of an alien spacecraft from an advanced civilization, you would be able to identify its energy source and heat vent.
Even if Microsoft wanted to, Linux is not possible on the Xbox 360, at least without a new version of the hardware.
On the 360, the page table is managed by a hypervisor etched into ROM inside the CPU. A page is never marked as executable unless it has passed an RSA signature check. The kernel does not have the authority to mark a page as executable.
Sure, you could get the Linux kernel running, but how would you get bash, gcc, perl, ls, cp,....... working without also signing them?
Microsoft's FAQ talks about C# only. Gee, what a surprise. I think this means that the dynamic recompiler is inside the hypervisor, since it can't be anywhere else. You can bet that all programs will have to be verifiable. Otherwise, exploits ahoy.
GIMPS looks for Mersenne primes. This is clearly an exact integer operation. However, for speed, they use Fast Fourier Transforms to do the big squaring operation with floating point. Obviously, they need an exact result.
The trick is to carefully calculate exactly how much error each operation can generate. It is possible to know exactly how many bits of your result contain valid information. If you need more accuracy, you can split it into multiple operations. As long as the final accumulated error in their result is less than.5, you have the integer answer they need. Note that it's basically impossible to do this without using assembly language, because the order of operations and subexpression elimination definitely matter.
Another interesting problem occurs with floating point results. You cannot expect the complete answer to be exactly identical on all machines. Even on the same machine, compiler settings affect the answer: x87 differs significantly from SSE. If you are doing something that needs bitwise identical results on all machines, you need to either implement it with integer math, or do what GIMPS does and do error tracking.
There was a instruction to reboot the Pentium regardless of CPL? The only instruction I'd remember like that is "lock cmpxchg8b eax" (or any other normal register). That instruction caused the CPU to lock up due to an incorrect implementation of the "invalid opcode" exception. This was called the "f00f bug" because its bytes were F0 0F C7 C8.
Multiplication can be defined entirely in terms of + and &, a subset of your "addition, multiplication by constants, and logic operations". Consider this function:
uint32_t multiply(uint32_t left, uint32_t right) {
uint32_t result = 0;
uint32_t mask = 1;
for (unsigned i = 0; i < 32; i++)
{
uint32_t rightmask = right & mask;
uint32_t leftmask = 0;
for (unsigned j = 0; j < 32; j++)
{
leftmask = leftmask + leftmask;
leftmask = leftmask + rightmask;
}
leftmask = leftmask & left;
result = result + leftmask;
mask = mask + mask;
left = left + left;
}
return result; }
The "for" loops can be completely unrolled because they only use constants and are never used by the code inside. The entire function then uses only the constants 0 and 1, and consists solely of the instructions "mov" (immediate and register-register), "add", "and", and "ret". Actually, on x86-32, you'd run out of registers, but it'd work exactly like this for x86-64.
If you did that, the Soulbound system would interfere. If you could not loot someone's Soulbound items, your system is meaningless: you'd get a Major Mana Potion at best. Players would put things they care about in the bank.
If you could loot someone's Soulbound items, then you could go to Gurubashi Arena to move Soulbound items between characters, so they wouldn't really be Soulbound anymore.
Slashdot Mirror
Macs aren't safe from injecting code into an existing process. Trojans can do the exact same thing on Mac OS X as on Windows. See the vm_write() Mach API call.
Same applies to Linux's ptrace().
Melissa
FF11's lack of a windowed mode and crashing when another program takes over is a security feature. It's harder to use hack programs when you can't see their UI. Square bans people for using hacks that let you play the game in windowed mode.
Melissa
Just what we need for Room 101. Somehow I think you wouldn't need victim-specific tortures anymore.
Melissa
KMODE_EXCEPTION_NOT_HANDLED means that an exception occurred in kernel code that did not have an encompassing __try block. In other words, it's an exception that the system did not expect.
Almost always, it's caused by a driver programmer that did not know what they were doing when they wrote the driver. Even if the exception occurs somewhere in ntkrnlmp.exe, it's usually some dumb driver's fault. Bugchecks caused entirely by Microsoft code are uncommon.
If I owned a Mac, I'd want to see that information. It makes sense to disable it by default, but people like Slashdotters do want to see it.
By the way, you don't see this in Windows XP or Vista. XP and Vista reboot immediately on a bugcheck by default then display "The system has recovered from a serious error" when they come back up, with no technical details unless you ask for them. Getting a blue screen when the kernel bugchecks requires going to a menu 99% of users don't know exists.
Melissa
The only reason educational software sells at all is because parents look at the alternatives and think that the educational games are somehow better. Children don't typically want to learn. Buying a game isn't going to change that. Educational games are boring.
Those who played Carmen Sandiego or the ripoff Mario is Missing aren't going to remember anything from it. I suppose the nerds like me will, but that's about it.
Melissa
Different way: edit a pornographic adult picture to look like a child, like by cutting and pasting innocent child pictures onto a legal pornographic picture. Of course, it's not as simple as cutting and pasting, but you get the idea.
As sick as these people are, I don't see why we should throw them in jail for that...
Melissa
It's not Microsoft that says that Vista 32 can't play HD movies, it's Hollywood's copy protection consortium. Vista 64 requires all drivers to be signed, so all that needs to happen is to disallow software decoding unless your operating system is Vista 64, which they have said is what will happen.
XP users can use hardware decoding, but that requires a copy protection-compliant video card and monitor.
Melissa
Here's another "feature": forced driver signing. Only corporations of a particular size are allowed to pay the VeriSign tax and be allowed to make drivers for Vista 64, and there is no way to turn it off. No longer are administrators owners of their machines.
Melissa
It would be even more impressive if Nintendo were promising two original, non-sequel, non-license, and actually entertaining games to ship with the Wii.
Don't get me wrong though: I want Twilight Princess and Mario 256. Some of the best games have been sequels. SNES had A Link to the Past, PS1 had Nocturne in the Moonlight and Final Fantasy 7, DC had Marvel vs. Capcom 2. Even World of Warcraft is from the franchise.
I really think it's a bad idea to place encryption into hardware, such as WEP/WPA/WPA2 into wireless cards. It should be the operating system's responsibility.
A big reason that WPA2 is not taking over the market yet is because wireless cards do WEP encryption in firmware, and you can't upgrade them. A regular user cannot spend the time researching to find the exact firmware update needed for their particular wireless card. Compare with putting encryption into the operating system, where you could get WPA2 support the next second Tuesday.
Melissa
Something that really turns me off about Macs is that they only have 1 mouse button. The Mighty Mouse has 1.5 mouse buttons, unless you count the side squeeze. Apple has yet to release a 2-button mouse. Sure, on a desktop machine, you can just buy any PC mouse you like, but not on a laptop's built-in trackpad.
I tried to play World of Warcraft at my friend's house, a Mac owner, and couldn't. She had a Mighty Mouse, and I couldn't play WoW because I walk using the mouse - which you do by holding both the left and right buttons.
Melissa
On this post, there are many people who say that cdrtools doesn't use proper hardware abstractions, and its use of SCSI is outdated. While it is definitely true that SCSI unit ID's are user unfriendly and don't reflect modern hardware, the use of SCSI itself is justified.
The MMC standard (multimedia command set) for optical media is based on SCSI. The MMC takes a subset of SCSI's command set and extends it. All modern readers and burners use MMC.
The MMC is meant to be hardware-neutral. The command set is independent of the type of bus with which the device is attached. Each type of bus has a method over which such SCSI commands are sent. SCSI uses itself, IDE uses ATAPI, and I have no idea what USB drives use. ATAPI in particular is an escape sequence to encapsulate these SCSI commands inside ATA commands.
Once this is set up, the user-mode burning programs use some mechanism to send SCSI commands to the drive. These SCSI commands get encapsulated as necessary by the kernel drivers. A burning program only needs to know the SCSI commands and does not need to worry about the particular bus.
In Windows, you do this by opening the devnode for the drive (\Device\CdRom0). You then send IOCTL_SCSI_PASS_THROUGH ioctls to execute the commands. For IDE devices, the IDE driver will convert these into ATA commands using ATAPI.
I heard that ide-scsi in the Linux kernel is not enabled by default anymore, which seems like a bad idea.
Melissa
1. Why should we have to ask VeriSign permission to develop applications for our own computers? You know, there do exist drivers for legitimate purposes you know. I know of a driver that grants user mode direct access to administrator-chosen I/O ports. It's designed for when the OS's parallel/serial port drivers are not sufficient. This doesn't break security, and in fact its authors were very careful about that. They wrote it as open-source, so why should they have to pay VeriSign $500 for people to be able to use it? This isn't Xbox 360.
2. There are many free development tools. Vista costs money, but most people will already have paid for it.
3a. It does not prevent rootkits. NtCreateFile on \Device\Harddisk0\Partition0, NtWriteFile 512 bytes, NtShutdownSystem to reboot. Rootkit ahoy.
3b. PatchGuard, which is not related to forced driver signing, makes the "wannabe" rootkits much harder. PatchGuard can be cracked, but not robustly, because your crack will only work until the next second Tuesday.
3c. It does NOT protect against bad copy protections. In fact, it makes them stronger. SafeDisc will have a signed driver, but an anonymous cracker cannot.
4. I think the Windows NT kernel is the best general-purpose operating system kernel there is. I think Linux, especially the kernel, is a pile of crap. That's why I like the ReactOS project even though they'll be sued by Microsoft the day they become useful.
Melissa
...Spear of Destiny? Anyone remember that in Spear of Destiny?
id, who apparently was forced into copy protection by their retail publisher FormGen to put in copy protection, had some fun by putting in a bunch of back doors into the game.
*gets indicted under 17 USC 1205 for saying this*
Melissa
Humans have been doing genetic engineering for many thousands of years. 15,000 years ago, humans started genetically engineering wolves. In those years of genetic engineering, they made a Chihuahua and Shih-Tzu from wolves. Later, humans started genetically engineering grasses, and the result was eventually civilization.
Does the fact that DNA can now be manipulated directly really make a difference as to what we're doing? In both cases, we are artificially selecting genes.
Also, keep in mind that genetic engineering of humans will eventually become necessary. Medical technology is allowing people with severe genetic defects to live and reproduce that would have died without it. Eventually this will result in a polluted gene pool. Considering the only ways to stop this are removing medical technology, eugenics, and genetic engineering, which one would you rather have?
Melissa
I warned about the true purpose of the Vista 64 driver signing on my weblog in June. I got a lot of crap from people saying that I'm paranoid, and that I'm against security features in Vista. I even tried to post a Slashdot story about it (rejected of course). The problem is that I'm a nobody.
At Black Hat on August 3, Joanna Rutkowska announced her exploit to get around Vista 64 driver signing. I had come up with the same idea in June (see link above), although it's obvious that she had the idea long before me. I was insensed, however, that Joanna would give such a clear announcement to the world about how this works, and go as far as proclaiming her support for the "feature". I wanted to wait for Vista's release to really give a demonstration of the trick, because I wanted to do anything that would undermine Microsoft's imposition of driver signing.
I knew that this "feature" had little to do with rootkits, even though Microsoft had promoted it as such. It simply does not prevent rootkits. Rootkits are somewhat uncommon - the day-to-day trojans are almost all user-mode crap that adds itself to Run in the registry. Driver signing does nothing against them. Also, Administrator user-mode programs are allowed raw disk access, so what really stops a rootkit from overwriting the MBR and rebooting the system? They could ever cause a bugcheck to make it look like Windows crashed 3 hours after you ran the trojan.
I was hoping that a set of exploits would be made prior to Vista's released, then released one at a time on every second Wednesday of the month so as to cause maximum credibility damage to Microsoft. These would not be rootkits, just ways of getting a custom driver to run. I'd even try to make it difficult to use a real rootkit with it. I'm against viruses and rootkits, and have never made such a thing myself, but this isn't a virus issue.
Another thing that Microsoft has disclosed is that in future Windows versions (NT 6.1?), it will not be possible to run unsigned programs as Administrator anymore, even in user mode. The "elevation" system would be there still, but only signed programs could request it. I thought of a social attack against this system. I had planned to tell Microsoft because I believe in the user/Administrator separation, but now I'm not going to. I will not help a system that's against my morals.
Signature checks should be applied by the computer owner, not Microsoft. A PC is not an Xbox 360.
Melissa
The NT kernel is called ntoskrnl.exe, or ntkrnlmp.exe on multiprocessor/multicore systems. Both get named ntoskrnl.exe upon installation.
Melissa
It would be interesting to see what changes in the new version by binary-comparing all the files. Having a recall instead of a day-one patch sounds like it's something interesting. =)
Melissa
Magic violates the first and/or second law of thermodynamics. Technology does not.
Even if you got ahold of an alien spacecraft from an advanced civilization, you would be able to identify its energy source and heat vent.
Melissa
Even if Microsoft wanted to, Linux is not possible on the Xbox 360, at least without a new version of the hardware.
....... working without also signing them?
On the 360, the page table is managed by a hypervisor etched into ROM inside the CPU. A page is never marked as executable unless it has passed an RSA signature check. The kernel does not have the authority to mark a page as executable.
Sure, you could get the Linux kernel running, but how would you get bash, gcc, perl, ls, cp,
Microsoft's FAQ talks about C# only. Gee, what a surprise. I think this means that the dynamic recompiler is inside the hypervisor, since it can't be anywhere else. You can bet that all programs will have to be verifiable. Otherwise, exploits ahoy.
Melissa
GIMPS looks for Mersenne primes. This is clearly an exact integer operation. However, for speed, they use Fast Fourier Transforms to do the big squaring operation with floating point. Obviously, they need an exact result.
.5, you have the integer answer they need. Note that it's basically impossible to do this without using assembly language, because the order of operations and subexpression elimination definitely matter.
The trick is to carefully calculate exactly how much error each operation can generate. It is possible to know exactly how many bits of your result contain valid information. If you need more accuracy, you can split it into multiple operations. As long as the final accumulated error in their result is less than
Another interesting problem occurs with floating point results. You cannot expect the complete answer to be exactly identical on all machines. Even on the same machine, compiler settings affect the answer: x87 differs significantly from SSE. If you are doing something that needs bitwise identical results on all machines, you need to either implement it with integer math, or do what GIMPS does and do error tracking.
Melissa
All members of a group of zero members are equal as well. =)
Melissa
There was a instruction to reboot the Pentium regardless of CPL? The only instruction I'd remember like that is "lock cmpxchg8b eax" (or any other normal register). That instruction caused the CPU to lock up due to an incorrect implementation of the "invalid opcode" exception. This was called the "f00f bug" because its bytes were F0 0F C7 C8.
Melissa
Multiplication can be defined entirely in terms of + and &, a subset of your "addition, multiplication by constants, and logic operations". Consider this function:
uint32_t multiply(uint32_t left, uint32_t right)
{
uint32_t result = 0;
uint32_t mask = 1;
for (unsigned i = 0; i < 32; i++)
{
uint32_t rightmask = right & mask;
uint32_t leftmask = 0;
for (unsigned j = 0; j < 32; j++)
{
leftmask = leftmask + leftmask;
leftmask = leftmask + rightmask;
}
leftmask = leftmask & left;
result = result + leftmask;
mask = mask + mask;
left = left + left;
}
return result;
}
The "for" loops can be completely unrolled because they only use constants and are never used by the code inside. The entire function then uses only the constants 0 and 1, and consists solely of the instructions "mov" (immediate and register-register), "add", "and", and "ret". Actually, on x86-32, you'd run out of registers, but it'd work exactly like this for x86-64.
If you did that, the Soulbound system would interfere. If you could not loot someone's Soulbound items, your system is meaningless: you'd get a Major Mana Potion at best. Players would put things they care about in the bank.
If you could loot someone's Soulbound items, then you could go to Gurubashi Arena to move Soulbound items between characters, so they wouldn't really be Soulbound anymore.
Melissa