You fire up a debugger on a production server in a bank without explicit permission from security, they'll be escorting you out of the building in a hurry.
You're either a kick-ass troll, or you've got some serious inferiority-complex issues. (So do I, from time to time, so I understand and won't hold it against you.) [Or just bitter and angry about reality, something a lot of us here will understand with the current conditions in our world.]
Sorry I didn't fully explain my point of view. You seem to be of the opinion that the .lnk vulnerability is the main focus of the summary. I fully agree with you on that - the summary really makes it sound like that is the core of the issue.
The point I was trying to make was from a slightly different point of view looking at the evidence that they already knew of the vulnerability, but had taken reasonable steps to mitigate the risk with the signed driver requirement. Can a certificate trust system ever be fully trusted? No, it's only as strong as its weakest link.
If you want to really impress me, then come up with a better (real world) solution than the signed requirement solution, and doesn't involve just disabling autorun functionality. [As much as we could argue that point, the decision was not made by us, so unless you're a captain of industry in disguise, then regardless the outcome of our discussion, there's not much we can do about it against the convenience factor that it provides, as long as the trust chain is not compromised.]
As far as Linux/Windows - I was a Systems Engineer/Systems Architect/Network Architect/Break/Fix technician supporting both Windows and Linux production servers for some big-ass companies over ten years ago. I've compiled my own kernel many times. So I'll take you on in either arena. Do I know all? Far from it. My chops are down a bit since I switched my career over to software development seven years ago [Have been coding since I was a kid, so made sense to do what I originally loved]. But I can still hold my own. :)
And oh yah, I DNRTFA, was purely referring to the summary. Was that bad? Should I have done that? ;)
Dear sirs,
Please send me 40 megabytes of ink.
Thank you
The "autorun" functionality is both a blessing and a curse, and has been for quite some time. It is not the direct point, although I agree the headline sure tries to make it seem like that's the issue.
Autorun can be, and has been, bitterly debated for a long long time. As an experienced geek, I myself find it quite moronic. However, they also have to support the run-of-the-mill crowd, the non-technical types, where autorun makes sense in a lot of scenarios, as well as the issues that come with it.
However, in this case, they took ample time to complete their "due diligence" and the "requiring signed drivers" solution is a very reasonable way of mitigating the risks.
If autorun was REQUIRED to install virii, works, bad drivers, etc, then I'd be 100% opposed to it. But they've done the best they can, and probably the best anyone's going to come up with to fully minimize the risk by requiring signed drivers. But there's many other ways to get a clueless user to do one of many things that could have the same effect. If there's a will, there's a way.
But, I guess you'd like to throw the baby out with the bathwater entirely, and just get rid of autorun forever. While that's a clear logical choice to a heads-down geek, in the real world it's an acceptable risk to make driver installation painless for the vast jungle of technomorons out there who just want to plug some shiny toy into their computer and it just works. [And that's unfortunately the lion's share of people who buy shiny gadgets to plug into their computer.]
I think Microsoft is right on this issue. This problem is truly not theirs, except for the amount it negatively affects them. (Which they can do little except attempt spin control on the issue.)
They designed their driver verification process intelligently: By implementing the requirement of the drivers being signed by an appropriate third-party certificate registrar (VeriSign in this case), thus leaving the issue of managing the business of encryption keys to the established so-called "experts".
Part of the process of obtaining a trusted VeriSign cert such as the device driver key involves the company desiring a high-trust certificate of this nature signing and complying with a detailed set of procedures describing the physical/organizational processes for how to handle and store the signed keys in a very secure and documented "chain of trust".
In the case where the security chain was broken by a (previously) trusted third party, in this case we'll probably find that RealTek is the cause of the issue by not properly following the chain of trust requirements, or how else would a rogue employee be able to sign his malicious driver?
<CoolStoryBro
A decade ago, I was a systems engineer for the internet banking division of a large bank that owned a bunch of other regional banks, and I was a "primary key custodian" (A defined role in the chain of trust requirements), so I was the one who would handle the technical details as far as getting the cert created and installing it on the web banking servers. (Just SSL certs rather than driver signing certs, but at the core they're the exact same thing.)
The amount of procedural rigmarole for handling the certs was complex, and well thought-out. I would create our private key in front of a few handpicked suits from corporate and data security who would observe me as I created our unsigned private key, then I would look away while one of the security people entered a complex password that I was not allowed to know, then I would get the cert signed by VeriSign which would require the security guy to re-enter the password that I did not know, then we would get the certs back, print out several copies, seal them in an envelope, all of us would sign it and take it to a safety deposit box. The security guys were not allowed to have a copy of the unsigned private key, and I was not allowed to know the password to the VeriSign-signed (VeriSigned?) key.
[And it's been 10 years since I worked there, and the certs were only one-year certs (renewed each year going through the same type of process), so don't come try to hold me hostage for any info about the bank, my info expired 9 years ago! :) ]
</CoolStoryBro
So it looks like RealTek may have dropped the ball on their cert handling procedures. Maybe VeriSign was lacking in their process auditing as well. Who knows? (I don't)
But to blame this one on Microsoft is asinine, how were they supposed to do anything different?
I suppose Microsoft could release a Windows update that revokes trust for any cert signed by VeriSign, but that would be devastating to online commerce as VeriSign has a near monopoly on the certificate registry market, so encryption would suddenly stop working on nearly all online businesses overnight. // But the bright side: All those sites would still work in the morning on Linux, giving it a huge boost! :) /// But on the dark side: All those sites would still work in the morning on Macs as well, giving the idiocracy movement a huge boost as well. :(
Why not BNSF? Or BMFH? Or BOFH? Or Infected Mushroom?
$(self) = "Self-taught software architect/coder with no certs"; // Shove it up your ass.
Oh yah, that question is fucking retarded. If I got thrown such a shitty requirement during an interview I would stand up, smile, thank you for the interview and walk to my car saying "Wow, don't wanna work there if they are that anal."
That's a cryptic question. Sixty seconds? Are you fucking kidding me. I'd take longer just grokking your question. Sure, the question is answerable, but you're going to lose a lot of people who actually try to fully grasp an issue before designing a solution. A professional programmer does NOT slop out stuff in 60 seconds. Only the wannabes would do that.
Any place that throws out bullshit little trick questions usually turns out to be a bullshit little place to work.
Tell that to JFK. // Oh wait, you can't
There is? Where are the roots? Are the shoots still below the surface or what? (Or do you mean the Tea Partiers?)
Does that mean that they'll have orange-colored fibers and call them red?
At this point I'd be far more concerned about the negative publicity from all the people who are thinking your company is obsolete and cannot keep up with technology.
Does that mean "American Copyright Terrorist Agreement"??
Is that dark.net or darknets.com? I can't figure out how to get there...
Haven't ever played the game, but the weekly episode concept sounds intriguing enough to make me think about trying it out.
A good idea seems rarer and rarer these days.
They have to pay for the bandwidth and infrastructure to deliver the so-called "pirated" songs, so they are already covering it.
The copyright group is just a sad attempt at milking money off others. Oh the stupidity!
What'd the Droid guys do, have koolaid with the book of Jobs?
// Sorry everyone, this is a reply to sznupi regarding a question he asked me in a different discussion that is now closed to comments.
The book that starts off about cell phones falling from the sky is "Singularity Sky" by Charles Stross (Who actually hangs out here from time to time.) A very interesting book, I've re-read it a couple of times since I first got it.
OK, buddy, prove that it don't... ;)
Yep, caught it immediately, but thanks!
Above the Arctic Circle? Try above the Mason-Dixon line...
Probly Stevie's cancer coming back, this time in his brain.
Think Apple will survive the mediocrity once the smug one is no longer with us?
I think it'll tick along in obscurity for a few years, then get bought out by Microsoft.
Oh...... There's not?
/ That's just what they want you to think. // [Don't believe 'em]
I have Viking relatives in Batavia, but I don't know any of their names. Dammit!
What is the deal with those slothful people? Are they planning to make their business obsolete? I thought I'd see 64 bit Flash long before we saw 64 bit Windows hit the 50% mark.
If I was a stockholder, I'd be pissed and selling.