So where does this place public disclosure advocates? Are people going to demand that makers of affected software have a 24/7 programming staff ready to plug leaks just so weaknesses can be disclosed immediately?
IMHO, this makes little or no difference. How many of the viruses and trojans in recent years have been created before a patch was available? Not Blaster or Sasser. I'm sure there are some in this category, but I can't think of any.
Once a patch is released, most businesses will do their own testing before rolling it out into production. This will often take several days. It's not unheard of for a patch to break something, and they don't want that "something" to be one of their mission critical servers or apps. Even if the exploit and patch were released at the same time, it would still take days for many organizations to roll out the patch.
Before you decide that full disclosure is a bad thing, you should ask yourself if you're really better off not knowing about vulnerabilities in the software you're using. What incentive would the makers of this software have to find and fix the vulnerabilities in a timely manner if no one ever put pressure on them? How much testing would they do if no one else did their own vulnerability testing after the software was available?
How many of the "bad guys" do you suppose already know about vulnerabilities long before they're disclosed? If someone is actively exploiting an undisclosed vulnerability, do you think they would create a trojan and get the vendor's attention? The vulnerability that Blaster exploited was introduced in NT4 back in 1996. How many people exploited this vulnerability before it was disclosed? We have no way of knowing.
I understand why record companies wouldn't want some internet radio station playing Britney Spears (makes it easy to pirate), but why do they care about artists they don't try to promote to traditional radio? What does a record company lose if an internet radio station is playing Elliot Smith and Ben Folds?
I fully expect the RIAA to go after internet radio with a vengeance when it becomes more popular. When the day comes that we can have a wireless internet connection virtually anywhere (think cellphones), then it will be feasible for the masses to listen to internet radio stations in all of the places that we currently listen to traditional radio. "Backdoor payola" becomes irrelevant when there are suddenly thousands of radio stations covering all of the markets. I think something like this scares the hell out of the RIAA, and when this day comes, I expect them to go after internet radio just like they're going after the P2P networks.
The major labels are trying to ensure that they don't become irrelevant. If a band is going to "hit it big," then they need a million dollar marketing budget, and odds are that they'll have to sign a contract with a major label to get it. If an independent artist can get mainstream exposure through the internet, then why would this artist sign a major label recording contract that gives the label most of their profits from record sales?
The internet has the potential to really screw up the major labels' current business model of "sink several million into marketing a handful of artists." IMHO, this is the real reason why the RIAA is going after the P2P networks. The RIAA does not want independent artists to get mainstream exposure.
Second, justifying a bad behavior of a company (or person) using another bad behavior of another given a hypothetical situation is stupid.
Who is justifying anything? Did I ever say that Microsoft's behavior was excusable? Did I ever state that the behavior of corporate america in general was excusable? NO.
The parent stated "I give it a couple more years before most of the real press will have decided that yes MS is a clearly corrupt company." I think it's already blatantly obvious that Microsoft is a "clearly corrupt company" and has been for some time. This even applies to members of the press.
...do you think we won't oppose Apple and IBM? We may be a fan now...
Sorry to disappoint you, but I've never really been much of an Apple fan. And as for IBM, I worked in their Provo, UT office for about 18 months during the 90's, and they're not any different from the others I mentioned, but that's not a surprise to most slashdotters.
Also, you ignore that not all companies are bad. Some do have good and ethical owners, CEO, board members, and shareholders.
Care to name any? You're the one who does not want to talk about hypotheticals. Oh, and be sure to state why.
While I won't completely dismiss the possibility, I don't see how this can be true for a large company with lots of shareholders to answer to. In over ten years that I've been a part of corporate america, I've never worked anywhere that I did not perceive upper management as being completely corrupt. Idealism is great and everything, but it won't feed my family.
Have you also thought that maybe the best solution is not giving anyone a 90% marketshare?
Did you actually read any of my post aside from the bold part? We agree on this. But perhaps you are just a not-so-clever troll, and I'm a fool for responding. Either that or you're too young, naive, and inexperienced to know how things are in the real world.
I would think that the big four labels signing onto a P2P network of any sort would be huge news, but I guess even in the techie world we just don't care.
Personally, I don't care. I'm fed up with the same old crap-for-music that the majors have been spewing out for years.
Thanks to the internet and services like Shoutcast and Live365, it's pretty easy for someone like me to check out bands that don't have million dollar marketing budgets. IMHO, this is what is hurting the major labels. I can only think of two major label bands that I ever listen to anymore, and with the RIAA's recent actions I'm sure as hell not giving the majors any of my money. I prefer to spend my money supporting independent artists and artists on smaller labels.
I think the message is pretty clear: the record industry needs to start pushing a wider variety of music. Unfortunately for them this does not fit very well into their current business model of pumping millions of dollars into a few artists that supposedly have mass appeal. It seems they would rather sue their customers than update their business model to fit the marketplace.
I give it a couple more years before most of the real press will have decided that yes MS is a clearly corrupt company. This will cast suspicion on all their dealings.
Are you insinuating that Microsoft is the only "clearly corrupt" major corporation in the US, or that they are merely one of a few? After all, we know that the IBMs, AT&Ts, Worldcoms, Enrons, and all the other major corporations would never do anything unethical just to make a buck.
Seriously, I'm no Microsoft fanboy (just look at my posting history), but you can't tell me that any other major corporation would be any less evil given Microsoft's marketshare. The guys who run these companies got to where they are because they are aggressive businessmen, and in most cases somewhat less than ethical.
I think that all the 15 mins of music with 30 mins of commercials really puts off a lot of traditional radio listeners these days.
IMHO, the commercials are only a small part of the problem. I listen to internet radio all the time, in large part because I can't stomach the crap-for-music that is played on traditional radio these days. All of the best music seems to come from lesser known and/or independent artists, and you will never hear these artists on traditional radio.
But a common pickpocket can take your smart card, and if you don't realize right away (or can't report it quickly enough) you won't get it deactivated in time to prevent compromise.
A typical smart card will require a password or biometric to unlock it. Therefore, a "common pickpocket" would also need to either guess your password or cut off your finger. Most smart cards will also lock you out after 3-5 bad password attempts.
That's nothing. I had to use a smartcard to get into my place of work in 1987! The damn things have been around for years. They're a solution in search of a problem.
Smart cards are not the same as proximity cards. Prox cards are very simple devices that are constantly broadcasting an ID number. With the right software, anyone can wave a prox card in front of a card reader and see which number the card is broadcasting.
Smart cards actually contain a microprocessor, and typically store an X.509 certificate and private key, which can be used for authentication and encryption. In order to retrieve data from the smart card, you need to provide some form of authentication, such as a biometric or password.
Almost every company that I've worked for has used prox cards for building access, but I've never heard of anyplace using smart cards for this purpose. Unless you also had to provide a password to get into the building, you probably were not using a smart card.
But WP's demise started before Windows became ubiquitous and long before Word ever got a market foothold -- it began when WPCorp ceased offering free tech support to one and all, back in early 1994.
Actually, it started before that. WordPerfect 6.0 was released sometime around late '93/early '94, and this was supposed to be the big full-featured Windows release. At the time I was the guy who ran the high-volume laser printers that printed the license numbers on individual license certificates during graveyard shift. In preparation for 6.0, we pre-printed a ton of 6.0 license certificates - something in the neighborhood of three or four pallets' worth, as I recall. A few months later all of these pallets except one were shredded because the orders were not coming in. A short while later, 25% of the company was laid off.
IMHO, the decision to get rid of the free tech support was a good thing, and should have been made a lot sooner. WP was seriously mis-managed in the early 90's, and tech support was just one example. At the time, 25% of the employees in the company were in tech support! I don't know what this was costing the company, but it had to be one hell of a lot of money.
The difference between getting a copy of the SAM database and installing a keystroke logger is huge. Namely, I can copy your SAM database without changing a single thing on your system.
Agreed, perhaps that was a bad example. The point I was trying to make was that if you can get a copy of the SAM, does it really matter if the LM hashes are there or not? Either way an attacker is likely to do an offline attack on the SAM to find passwords for use on other systems. Does it really make that big of a difference if the attacker has to spend more time cracking the MD4 hashes because the LM hashes are not there?
In the ten or so years that I've worked in this industry, I've yet to work anywhere that requires password changes more frequently than ninety days. That should be plenty of time to crack an MD4 hash...
You CAN disable the storage of LMv1 hashes but that does not remove any existing hashes from the SAM, you would also need to force LMv2 authentication and even then someone who could steal the SAM file could get the plaintext.
I think in most cases simply turning off LM authentication altogether is sufficient. Sure, if someone could steal the SAM file, then they would get the existing hashes. However, if an attacker can get this kind of access to your system, then you have bigger problems. With this kind of access they could, for instance, install a keyboard logger to retrieve the passwords. If the passwords are that important to an attacker, then the attacker would likely just take his time cracking the NT hashes offline, should the LM hashes not be available.
IMHO the real risk here is someone sniffing the hashes off of the network.
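To put some numbers behind the two comments above about cracking the SAM offline, here is an added example (not code from the thread or from any poster) that computes NT hashes and runs a dictionary attack against a pwdump-style dump. The NT hash is MD4 over the UTF-16LE password, and MD4 is implemented in pure Python because OpenSSL 3 ships it only as a legacy algorithm. The usernames, RIDs, dump lines and wordlist are all constructed; the only real values are the public MD4/NT test vectors and the well-known LM field that dumpers report when no LM hash is stored.

```python
"""NT hash computation and offline dictionary attack on a SAM dump (added example)."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(v: int, s: int) -> int:
    return ((v << s) | (v >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (no OpenSSL legacy provider needed)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                            # round 1: F = (x & y) | (~x & z)
            f = (bb & cc) | (~bb & dd)
            aa = _rotl((aa + f + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            aa, bb, cc, dd = dd, aa, bb, cc
        for i in range(16):                            # round 2: G = majority(x, y, z)
            g = (bb & cc) | (bb & dd) | (cc & dd)
            k = 4 * (i % 4) + i // 4
            aa = _rotl((aa + g + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            aa, bb, cc, dd = dd, aa, bb, cc
        for i in range(16):                            # round 3: H = x ^ y ^ z
            h = bb ^ cc ^ dd
            aa = _rotl((aa + h + x[r3_order[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            aa, bb, cc, dd = dd, aa, bb, cc
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE encoding of the password, hex encoded."""
    return md4(password.encode("utf-16-le")).hex()


# LM field a dumper reports when no LM hash is stored (it is the LM hash of "").
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Constructed pwdump-style lines (user:rid:lm_hash:nt_hash:::), not real accounts.
SAM_DUMP = [
    "svc_backup:1001:" + NO_LM_HASH + ":8846f7eaee8fb117ad06bdd830b7586c:::",
    "jdoe:1002:" + NO_LM_HASH + ":" + nt_hash("Winter2004!") + ":::",
    "admin2:1003:" + NO_LM_HASH + ":" + nt_hash("c0rrecth0rseb4tterystaple") + ":::",
]
WORDLIST = ["123456", "password", "letmein", "Winter2004!", "qwerty"]  # constructed


def crack_dump(dump_lines, wordlist):
    """Return {user: password} for every account whose NT hash matches a wordlist entry.
    Each candidate is hashed once and looked up against all accounts, which is how an
    attacker works a stolen SAM offline; the LM column is never needed."""
    by_hash = {}
    for line in dump_lines:
        user, _rid, _lm, nt, *_ = line.split(":")
        by_hash.setdefault(nt.lower(), []).append(user)
    found = {}
    for word in wordlist:
        for user in by_hash.get(nt_hash(word), []):
            found[user] = word
    return found


def worst_case_candidates(max_len: int = 14) -> dict:
    """Brute-force work for passwords up to max_len chars: LM upper-cases the password and
    splits it into two independent 7-char halves (about 69 usable symbols each), while NT
    keeps the whole case-sensitive string over 95 printable ASCII symbols."""
    lm_half = sum(69 ** n for n in range(1, 8))
    return {"lm": 2 * lm_half, "nt": sum(95 ** n for n in range(1, max_len + 1))}


if __name__ == "__main__":
    print(crack_dump(SAM_DUMP, WORDLIST))
    work = worst_case_candidates()
    print(f"NT keyspace is about {work['nt'] / work['lm']:.1e}x the LM keyspace")
```

The dictionary run recovers the weak passwords whether or not an LM hash is present, which is the point made above; the keyspace figures show what the missing LM hash actually costs a brute-force attacker, and why a 90-day rotation window only helps once the password is outside any realistic wordlist.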
Microsoft's enormous mistake was to drop IE for the Mac.
IMHO their biggest mistake was not fixing vulnerabilities in IE in a timely manner. I don't recall hearing much about the marketshare for alternative browsers increasing until after the latest round of IE security problems in the past few months. Since many folks have been hit with Blaster and Sasser, the masses seem to take security updates more seriously. There have been plenty of IE vulnerabilities in the past, but they never seemed to get as much press as they have lately.
Go have a look at the securityfocus.com archives. There are lots of posts about IE vulnerabilities, several of which Microsoft just flat-out refused to patch, probably because some manager at Microsoft did not think the problems were serious enough, and didn't want to "pony up" the resources. The entire company has paid for those decisions.
There was a guy at pivx.com that used to maintain a list of unpatched IE bugs, but the page seems to have disappeared. It's been quite some time since I looked at the list, but in some cases issues went unpatched for *YEARS*! Now, how exactly can Microsoft claim to take security seriously?
A quick google search turned up this page of still unpatched IE vulnerabilities. The list is still quite long.
But when you ask, "would I hire someone who creates/uses something annoying and not that special; requiring a moderate level of programming skill if at all; that relies on the user to activate it or a major security flaw in the OS?" Absolutely not.
Exactly. I've read through a number of these comments, and you're the only one who seems to realize that there really isn't anything to indicate that this guy is much more than a script kiddie.
He exploited a flaw that someone else found, and almost certainly did so by modifying a proof-of-concept exploit that someone else coded. That does not automatically make him a great hacker.
First, you need a hardware device and an interface to the system--which makes them no less "klunky" than the SecurIDs the OP was complaining about.
You bring up a good point. I've been reading these comments thinking, "What's wrong with a smart card that has a certificate w/private key?" The problem is that the user would have to install the hardware, and these are AOL users we're talking about.
IMHO, a system where the server sent some random data to be signed with the private key (which you should _not_ be able to extract from the card) would be even better. Use this in conjunction with a mutually authenticated SSL connection, and you eliminate man-in-the-middle attacks. (Sure, SecurID makes an MITM attack harder since you have, by default, a three-minute window in which the one-time password can be used, but an MITM attack is still possible.)
Do you force the user to do something at the hardware device for each use of a client certificate? (Good luck getting that adopted, and good luck teaching the user to distinguish "good" requests from "bad" requests.) Or do you authenticate once per session, which once again leaves you open to attacks if you have a compromised workstation?
I don't see how using a one-time password solves this problem. With a one-time password, they would have to re-enter their password each time an authentication is required. If this is what they want, it would not be hard to find a smart card implementation that would do it. I've seen smart card implementations that behave both ways.
As I see it, SecurID was chosen for the following reasons:
1. No hardware to install (as you pointed out)
2. Less risk. AOL was already using SecurID internally, so it would have been easier to roll out more SecurID tokens than some other technology that they had never deployed.
3. The hardware was probably cheap. (Yes, this is pure speculation on my part.) I realize that SecurID tokens generally cost $60 or more for the average Joe, but this is AOL we're talking about. RSA is almost certainly giving AOL a large discount for this exposure to the mainstream marketplace. If AOL is successful with this rollout, then lots of other businesses (banks and stock brokerage houses come to mind) are bound to end up rolling out SecurID tokens as well.
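The exchange above turns on one design point: a one-time password is valid for anyone who presents it during the window, while a challenge signed by the card can be bound to the authenticated channel. The added example below (not code from the thread, from AOL or from RSA) models both and runs the man-in-the-middle against each. Two stand-ins are used so it runs on the standard library alone: the token is an HMAC-SHA1 time-step code in the style of RFC 4226/6238, not RSA's SecurID algorithm, and the card's private-key signature is an HMAC over (nonce || channel id), where `channel_id` stands in for the binding a mutually authenticated SSL session provides. Seeds, keys and session identifiers are constructed.

```python
"""OTP relay versus channel-bound challenge-response (added example, stand-in primitives)."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60
WINDOW_STEPS = 3   # the post's "three-minute window", modelled as +/- 3 steps


def otp_code(seed: bytes, now: int) -> str:
    """Six-digit code for the time step containing `now` (HOTP-style dynamic truncation)."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    off = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class OtpServer:
    """Accepts a code for any step inside the window; nothing ties it to who sent it."""
    def __init__(self, seed: bytes):
        self.seed = seed

    def verify(self, code: str, now: int) -> bool:
        for delta in range(-WINDOW_STEPS, WINDOW_STEPS + 1):
            if hmac.compare_digest(otp_code(self.seed, now + delta * STEP_SECONDS), code):
                return True
        return False


def card_sign(card_key: bytes, nonce: bytes, channel_id: bytes) -> bytes:
    """Stand-in for the card signing (nonce || channel binding) with its non-exportable key."""
    return hmac.new(card_key, nonce + channel_id, hashlib.sha256).digest()


class CardServer:
    """Issues a fresh nonce per session and checks the response against the same channel."""
    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.pending = {}                       # nonce -> channel that requested it

    def challenge(self, channel_id: bytes) -> bytes:
        nonce = os.urandom(16)
        self.pending[nonce] = channel_id
        return nonce

    def verify(self, nonce: bytes, response: bytes, channel_id: bytes) -> bool:
        issued_to = self.pending.pop(nonce, None)   # single use: a nonce cannot be replayed
        if issued_to is None or issued_to != channel_id:
            return False
        return hmac.compare_digest(card_sign(self.card_key, nonce, channel_id), response)


def _channel(label: bytes) -> bytes:
    """Constructed stand-in for a TLS session's binding value."""
    return hashlib.sha256(label).digest()


def otp_relay_attack(seed: bytes, now: int, delay: int) -> bool:
    """Victim types the code into the attacker's page; attacker forwards it `delay`
    seconds later. Returns True if the real server lets the attacker in."""
    server = OtpServer(seed)
    code_from_victim = otp_code(seed, now)
    return server.verify(code_from_victim, now + delay)


def card_relay_attack(card_key: bytes) -> bool:
    """Attacker opens a session to the server, relays its nonce to the victim's card, and
    forwards the response. The card signed over the victim<->attacker channel, not the
    attacker<->server one, so the server rejects it."""
    server = CardServer(card_key)
    attacker_channel = _channel(b"attacker<->server session")
    victim_channel = _channel(b"victim<->attacker session")
    nonce = server.challenge(attacker_channel)
    response = card_sign(card_key, nonce, victim_channel)
    return server.verify(nonce, response, attacker_channel)


def card_legit_login(card_key: bytes) -> bool:
    """Baseline: the real user on a single end-to-end channel is accepted."""
    server = CardServer(card_key)
    channel = _channel(b"victim<->server session")
    nonce = server.challenge(channel)
    return server.verify(nonce, card_sign(card_key, nonce, channel), channel)


if __name__ == "__main__":
    seed, key, now = b"constructed-token-seed", b"constructed-card-key", 1_100_000_000
    print("OTP relayed after 90s accepted:", otp_relay_attack(seed, now, 90))
    print("OTP relayed after 10min accepted:", otp_relay_attack(seed, now, 600))
    print("card login accepted:", card_legit_login(key), "| card relay accepted:", card_relay_attack(key))
```

The OTP relay succeeds as long as the attacker forwards the code inside the window, which is the residual risk the post concedes; the card response fails because it covers a channel value the attacker cannot reproduce, which is what "use this in conjunction with a mutually authenticated SSL connection" buys you in practice.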
The posters who said that diversification could/will kill Google may be on to something. Does anybody buy anything using froogle? Is Gmail (several months in beta and still crap) ready for prime time? Has Google Answers taken over the world? Etc...
I wish they would get all their people focused on fixing up some of the really cool stuff they *might* make but already announced -- but that hasn't yet lived up to its promise -- rather than getting the rumor machine going on ever more tenuous potential expansions of the Google brand.
This is typical Eric Schmidt. When he was the Novell CEO, the development of new ideas was strongly encouraged. The result was lots of new products which all solved problems in their own way, and didn't necessarily work well together. When Schmidt finally "resigned," the company had three different proxy-cache products (iChain, BorderManager, Volera) alone!
Eric Schmidt is a technologist. He was successful as CTO at Sun, back in the 90's when Sun was doing well. But what did he do for Novell, and what exactly has he done for Google? While he seems to understand technology and the culture that drives it, I don't see what he has done for any of these companies that is so revolutionary.
It's probably more effective than preaching to the converted, i.e. the average home user who isn't even aware of the concept of an Operating System, or even that Windows is not 'part of the computer'.
There are plenty of sysadmins reading slashdot...
But it's not generally the sysadmins who make purchasing decisions, it's the executives. I'm going out on a limb here, but I'm guessing that there are not a lot of CXO types who read slashdot.
I just used this on my own box with the VNC Inject and I was given a very nice screen shot of the target box's desktop...
Ok, so I have not actually tried this tool, I'm just speculating based on what I know about Windows. I recently finished writing a Windows app that includes a service which does IPC with another process running on the user's desktop, and a third component that displays a window on the Winlogon desktop when the workstation is locked. All of this had to work in remote Citrix/Terminal services sessions, too. By the time I had finished with the design, I had come to understand this functionality in Windows better than I ever cared to.
Your comments piqued my curiosity, so I went back and looked at the webpage. The "VNC Server DLL Injection" section on this page sheds some light on things. Here is an excerpt:
If there is no interactive user logged into the system or the screen has been locked, the command shell can be used to launch explorer.exe anyways. This can result in some very confused users when the logon screen also has a start menu. If the interactive desktop is changed, either through someone logging into the system or locking the screen, the VNC server will disconnect the client.
This supports my earlier statements. Perhaps I did not make it perfectly clear, but I was referring specifically to cases where the system was in a locked state, or a not logged-in state.
Now, whether or not VNC can interact with a desktop that is not active (i.e., the user's desktop when the workstation is locked) is another question. I would have thought this was possible if the VNC server was one of the processes on this desktop, hence my comments about exploiting something in the user's "session" (desktop would have been a more correct term). Perhaps VNC won't do this. If it won't, then it seems to me that this should be possible with some tweaks to VNC. In my experience, processes running on the user's desktop will still process messages, display windows, etc. even when the workstation is locked.
There was something in MSDN about writing a Pass-Thru GINA as MS called it. GINA basically provides all the Workstation Locked and Login and Ctrl+Alt+Del dialog boxes.
Yep, this is another approach. I didn't mention this one because it requires a reboot.
Perhaps the payload could be used to catch login keystrokes, but I doubt Windows makes it possible to receive keystroke events during a login/unlock-workstation screen. If doing so is possible, it's a huge security flaw in Windows.
While I've not tried it, I'm certain that this is possible, and IMHO it's not a security flaw. In order to do this your code would have to be running as the System account, which means that you've already compromised the machine and can do pretty much whatever you want. (For example, you could snag all of the password hashes and do an offline dictionary attack on them.) VNC was running as the System account in the example screenshot on the website, so they obviously exploited some security flaw of this nature when they created the example. This is exactly the same type of flaw that Sasser, Blaster, and company exploited.
If you manage to compromise a service running as the System account, then you could log keystrokes by starting a new process on the Winlogon desktop (the desktop which is visible when logging in and when the workstation is locked) which would then hook fields on the login dialog.
Another approach is to use the CreateRemoteThread API to start a new thread in the Winlogon process which would hook the fields on the login dialog.
Yet another approach would be install your own keyboard driver like this utility does.
I'm sure there are lots of other methods that I'm leaving out.
Re:Works when the machine is locked too (on "Point, Click, Root.", Score: 5, Interesting)
The cool thing about the VNC payload is that it works if the machine is not logged in, or if the screen is locked.
So does anything else that exploits a service running as LocalSystem. As long as the service is running, it does not matter whether the workstation is locked or not logged in.
I assume you're saying this because you saw the screen shot linked in the summary. Notice that it says "System" at the top of the start menu. This is not the user's desktop, and you won't get to see the user's running apps. You'll have to exploit something running in the user's session to do that.
This won't let you do anything that you could not already have done by installing, say, netcat with the same exploit.
At least with oldschool lockers, you would get a big fat key with a number on it, so you knew what was yours.
My thoughts exactly. I read the article, but I still don't understand the reasoning behind this. From the article:
...decided that the usual public lockers would be problematic because people often lose the keys. And that seemed to become even more likely now that tourists have to empty their pockets for a metal detector
Seems to me that someone is a lot more likely to forget their locker number than lose a key. If these were the oldschool "keyed" lockers, then they could charge a fee for lost keys, which would pay for the cost of a new key and the inconvenience of having to open someone's locker for them. This would also provide visitors with some additional incentive to keep track of their keys. With this biometric system, it seems to me that people would be forgetting the numbers all the time and have to get a staff member to deal with it. Not to mention that the biometric system must have been expensive. Perhaps I missed it, but I did not see the cost of this system in the article.
Sure, you could do something like identify returning users from their fingerprint, then display the locker number when their fingerprint is verified. (The article did not mention if they are already doing anything like this.) But the problem with this approach is that no matter how big and conspicuous you make the locker number in the display, there will still be plenty of users who never notice it. And it seems to me that the users who forget their locker numbers are also the most likely to not notice the locker number in the display.
Also from the article:
However, prints are being run through terrorist watch lists in the biggest deployment of biometrics yet -- the federal government's new system for tracking foreign travelers.
(Dons tin-foil hat) Perhaps this type of application is the real reason for the biometric lockers.
This article has a more realistic perspective on things. If Sun were going to buy SuSe, they would have done it before Novell bought them. After all, Schwartz himself said that Novell's products are "far less interesting" than Suse. Why pay the extra money for a bunch of Novell products that they don't want?
And since the first thing developers do when they get their new PC is complain that they have to have admin rights, they never find out that their install routines don't work if they aren't admin.
And this is an excuse for not testing their apps as a non-admin?
I specifically was looking for one of the biggest problems with Windows -- Administrator authority is too easily doled out (by default, every home user is also an administrator.) This is exacerbated by the fact that so many Windows applications require the user to have Administrator authority.
Application developers deserve just as much blame for this as Microsoft. It's a catch-22: practically everyone who uses Windows logs on as Administrator, so making sure non-administrative users can run your app is generally not a requirement.
To make matters worse, Windows allows developers to store global variables in a shared memory segment, which IIRC is located in the dataseg of a given .exe or .dll. This provides an easy way to do IPC. IIRC, usage of shared memory segments is the reason that Office 97 and other apps require write(!) access to the System32 directory. Of course when I've seen shared memory segments mentioned in the MSDN documentation, I've never seen any mention of the security implications.
Re:Where is Progressive Rock? (on "IT's Musical Habits", Score: 2, Informative)
This station plays some killer Progressive Metal, and some prog-rock. Stuff like Everygrey, After Forever, Spiral Architect, Power of Omens, Ice Age, Sonata Arctica, and of course Dream Theater and Fates Warning. (What can I say? I'm a developer and us developers like the heavier stuff, right?)
Once a patch is released, most businesses will do their own testing before rolling it out into production. This will often take several days. It's not unheard of for a patch to break something, and they don't want that "something" to be one of their mission critical servers or apps. Even if the exploit and patch were released at the same time, it would still take days for many organizations to roll out the patch.
Before you decide that full disclosure is a bad thing, you should ask yourself if you're really better off not knowing about vulnerabilities in the software you're using. What incentive would the makers of this software have to find and fix the vulnerabilites in a timely manner if no one ever put pressure on them? How much testing would they do if no one else did their own vulnerability testing after the software was available?
How many of the "bad guys" do you suppose already know about vulnerabilies long before they're disclosed? If someone is actively exploiting an undisclosed vulnerability, do you think they would create a trojan and get the vendor's attention? The vulnerability that Blaster exploited was introduced in NT4 back in 1996. How many people exploited this vulnerability before it was disclosed? We have no way of knowing.
The major labels are trying to ensure that they don't become irrevelant. If a band is going to "hit it big," then they need a million dollar marketing budget, and odds are that they'll have to sign a contract with a major label to get it. If an independent artist can get mainstream exposure through the internet, then why would this artist sign a major label recording contract that gives the label most of their profits from record sales?
The internet has the potential to really screw up the major labels' current business model of "sink several million into marketing a handful of artists." IMHO, this is the real reason why the RIAA is going after the P2P networks. The RIAA does not want independent artists to get mainstream exposure.
The parent stated "I give it a couple more years before most of the real press will have decided that yes MS is a clearly corrupt company." I think it's already blatantly obvious that Microsoft is a "clearly corrupt company" and has been for some time. This even applies to members of the press.
Sorry to disappoint you, but I've never really been much of an Apple fan. And as for IBM, I worked in their Provo, UT office for about 18 months during the 90's, and they're not any different from the others I mentioned, but that's not a surprise to most slashdotters.
Care to name any? You're the one who does not want to talk about hypotheticals. Oh, and be sure to state why.
While I won't completely dismiss the possibility, I don't see how this can be true for a large company with lots of shareholders to answer to. In over ten years that I've been a part of corporate america, I've never worked anywhere that I did not perceive upper management as being completely corrupt. Idealism is great and everything, but it won't feed my family.
Did you actually read any of my post aside from the bold part? We agree on this. But perhaps you are just a not-so-clever troll, and I'm a fool for responding. Either that or you're to young, naive, and inexperienced to know how things are in the real world.
Thanks to the internet and services like Shoutcast and Live365, it's pretty easy for someone like me to check out bands that don't have million dollar marketeting budgets. IMHO, this is what is hurting the major labels. I can only think of two major label bands that I ever listen to anymore, and with the RIAA's recent actions I'm sure as hell not giving the majors any of my money. I prefer to spend my money supporting independent artists and artists on smaller labels.
I think the message is pretty clear: the record industry needs to start pushing a wider varity of music. Unfortunately for them this does not fit very well into their current business model of pumping millions of dollars into a few artists that supposedly have mass appeal. It seems they would rather sue their customers than update their business model to fit the marketplace.
Seriously, I'm no Microsoft fanboy (just look at my posting history), but you can't tell me that any other major corporation would be any less evil given Microsoft's marketshare. The guys who run these companies got to where they are because they are aggressive businessmen, and in most cases somewhat less than ethical.
Smart carts actually contain a microprocessor, and typically store an X.509 certificate and private key, which can be used for authentication and encryption. In order to retrieve data from the smart card, you need to provide some form of authentication, such as a biometric or password.
Almost every company that I've worked for has used prox cards for building access, but I've never heard of anyplace using smart cards for this purpose. Unless you also had to provide a password to get into the building, you probably were not using a smart card.
IMHO, the decision to get rid of the free tech support was a good thing, and should have been made a lot sooner. WP was seriously mis-managed in the early 90's, and tech support was just one example. At the time, 25% of the employees in the company were in tech support! I don't know what this was costing the company, but it had to be one hell of a lot of money.
In the ten or so years that I've worked in this industry, I've yet to work anywhere that requires password changes more frequently than ninety days. That should be plenty of time to crack an MD4 hash...
IMHO the real risk here is someone sniffing the hashes off of the network.
Go have a look at the securityfocus.com archives. There are lots of posts about IE vulnerabilities, several of which Microsoft just flat-out refused to patch, probably because some manager at Microsoft did not think the problems were serious enough, and didn't want to "pony up" the resources. The entire company has paid for those decisions.
There was a guy at pivx.com that used to maintain a list of unpatched IE bugs, but the page seems to have disappeared. It's been quite some time since I looked at the list, but in some cases issues went unpatched for *YEARS*! Now, how exactly can Microsoft claim to take security seriously?
A quick google search turned up this page of still unpatched IE vulnerabilities. The list is still quite long.
He exploited a flaw that someone else found, and almost certainly did so by modifying a proof-of-concept exploit that someone else coded. That does not automatically make him a great hacker.
IMHO, a system where the server sent some random data to be signed with the private key (which you should _not_ be able to extract from the card) would be even better. Use this in conjunction with a mutually authenticated SSL connection, and you eliminate man-in-the-middle attacks. (Sure, SecurID makes an MITM attack harder since you have, by default, a three-minute window in which the one-time password can be used, but an MITM attack is still possible.)
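As an added example (not part of the original posts), here is the difference between the two schemes discussed above and in the earlier smart card comment: a time-window one-time password is a bearer value that a man-in-the-middle can relay within the window, whereas a server-chosen random challenge signed with the card's non-extractable key, bound to the identity of the server the client is actually connected to (which is what the mutually authenticated SSL connection provides), cannot be relayed or replayed. Assumptions: the card's RSA signature is stood in for by an HMAC keyed with a secret only the card side holds, because the standard library has no RSA; the 180-second window, host names and key bytes are made up for the demo.

```python
"""Added example: time-window OTP relay versus a signed, channel-bound
challenge. HMAC stands in for the card's signature (assumption)."""
import hashlib
import hmac
import secrets

WINDOW = 180  # seconds a code stays valid: the three-minute window from the post


def otp_code(seed: bytes, now: int) -> str:
    """Time-window OTP: token and server both derive the code from the
    shared seed and the current window number."""
    window = (now // WINDOW).to_bytes(8, "big")
    return hmac.new(seed, window, hashlib.sha256).hexdigest()[:6]


def otp_server_accepts(seed: bytes, code: str, now: int) -> bool:
    return hmac.compare_digest(code, otp_code(seed, now))


def card_sign(card_key: bytes, challenge: bytes, peer_id: bytes) -> bytes:
    """Stand-in for the card signing the challenge together with the identity
    of the server it is actually talking to (what mutual TLS pins down)."""
    return hmac.new(card_key, challenge + b"|" + peer_id, hashlib.sha256).digest()


class CardServer:
    def __init__(self, card_key: bytes, server_id: bytes):
        self.card_key = card_key
        self.server_id = server_id
        self.pending = set()   # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)   # fresh random data, never reused
        self.pending.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.pending:      # unknown or already consumed
            return False
        self.pending.discard(challenge)        # single use: a replay fails
        expected = card_sign(self.card_key, challenge, self.server_id)
        return hmac.compare_digest(response, expected)


def mitm_against_otp(seed: bytes, now: int, delay: int = 60) -> bool:
    """Attacker's fake login page collects the user's current code and
    relays it to the real server `delay` seconds later."""
    code_from_user = otp_code(seed, now)
    return otp_server_accepts(seed, code_from_user, now + delay)


def mitm_against_card(card_key: bytes) -> bool:
    """Same relay against the challenge scheme: the attacker forwards the real
    server's challenge, but the user's card signs it bound to the peer it sees."""
    real = CardServer(card_key, b"login.aol.example")      # made-up host
    c = real.challenge()
    relayed = card_sign(card_key, c, b"login.evil.example")  # made-up host
    return real.verify(c, relayed)


def honest_login_then_replay(card_key: bytes):
    """Legitimate login succeeds once; replaying the captured response fails."""
    real = CardServer(card_key, b"login.aol.example")
    c = real.challenge()
    r = card_sign(card_key, c, b"login.aol.example")
    return real.verify(c, r), real.verify(c, r)


if __name__ == "__main__":
    print("OTP relayed inside the window accepted:", mitm_against_otp(b"seed", 1_000_000))
    print("signed challenge relayed via attacker accepted:", mitm_against_card(b"card-key"))
    print("honest login, then replay:", honest_login_then_replay(b"card-key"))
```

The OTP check has no way to tell who typed the code or where, so anything that reaches the server inside the window is accepted. The challenge scheme fails the relay for two independent reasons: the challenge is consumed on first use, and the signed data names the server the client actually reached, which for a phished user is the attacker.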
I don't see how using a one-time password solves this problem. With a one-time password, they would have to re-enter their password each time an authentication is required. If this is what they want, it would not be hard to find a smart card implementation that would do it. I've seen smart card implementations that behave both ways.
As I see it, SecurID was chosen for the following reasons:
1. No hardware to install (as you pointed out)
2. Less risk. AOL was already using SecurID internally, so it would have been easier to roll out more SecurID tokens than some other technology that they had never deployed.
3. The hardware was probably cheap. (Yes, this is pure speculation on my part.) I realize that SecurID tokens generally cost $60 or more for the average Joe, but this is AOL we're talking about. RSA is almost certainly giving AOL a large discount for this exposure to the mainstream marketplace. If AOL is successful with this rollout, then lots of other businesses (banks and stock brokerage houses come to mind) are bound to end up rolling out SecurID tokens as well.
Eric Schmidt is a technologist. He was successful as CTO at Sun, back in the 90's when Sun was doing well. But what did he do for Novell, and what exactly has he done for Google? While he seems to understand technology and the culture that drives it, I don't see what he has done for any of these companies that is so revolutionary.
Your comments piqued my curiosity, so I went back and looked at the webpage. The "VNC Server DLL Injection" section on this page sheds some light on things. Here is an excerpt:
If there is no interactive user logged into the system or the screen has been locked, the command shell can be used to launch explorer.exe anyways. This can result in some very confused users when the logon screen also has a start menu. If the interactive desktop is changed, either through someone logging into the system or locking the screen, the VNC server will disconnect the client.
This supports my earlier statements. Perhaps I did not make it perfectly clear, but I was referring specifically to cases where the system was in a locked state, or a not logged-in state.
Now, whether or not VNC can interact with a desktop that is not active (i.e., the user's desktop when the workstation is locked) is another question. I would have thought this was possible if the VNC server was one of the processes on this desktop, hence my comments about exploiting something in the user's "session" (desktop would have been a more correct term). Perhaps VNC won't do this. If it won't, then it seems to me that this should be possible with some tweaks to VNC. In my experience, processes running on the user's desktop will still process messages, display windows, etc. even when the workstation is locked.
If you manage to compromise a service running as the System account, then you could log keystrokes by starting a new process on the Winlogon desktop (the desktop which is visible when logging in and when the workstation is locked) which would then hook fields on the login dialog.
Another approach is to use the CreateRemoteThread API to start a new thread in the Winlogon process which would hook the fields on the login dialog.
Yet another approach would be to install your own keyboard driver like this utility does.
I'm sure there are lots of other methods that I'm leaving out.
I assume you're saying this because you saw the screen shot linked in the summary. Notice that it says "System" at the top of the start menu. This is not the user's desktop, and you won't get to see the user's running apps. You'll have to exploit something running in the user's session to do that.
This won't let you do anything that you could not already have done by installing, say, netcat with the same exploit.
Seems to me that someone is a lot more likely to forget their locker number than lose a key. If these were the oldschool "keyed" lockers, then they could charge a fee for lost keys, which would pay for the cost of a new key and the inconvenience of having to open someone's locker for them. This would also provide visitors with some additional incentive to keep track of their keys. With this biometric system, it seems to me that people would be forgetting the numbers all the time and have to get a staff member to deal with it. Not to mention that the biometric system must have been expensive. Perhaps I missed it, but I did not see the cost of this system in the article.
Sure, you could do something like identify returning users from their fingerprint, then display the locker number when their fingerprint is verified. (The article did not mention if they are already doing anything like this.) But the problem with this approach is that no matter how big and conspicuous you make the locker number in the display, there will still be plenty of users who never notice it. And it seems to me that the users who forget their locker numbers are also the most likely to not notice the locker number in the display.
Also from the article:
(Dons tin-foil hat) Perhaps this type of application is the real reason for the biometric lockers.
To make matters worse, Windows allows developers to store global variables in a shared memory segment, which IIRC is located in the dataseg of a given
Right here.
This station plays some killer Progressive Metal, and some prog-rock. Stuff like Everygrey, After Forever, Spiral Architect, Power of Omens, Ice Age, Sonata Arctica, and of course Dream Theater and Fates Warning. (What can I say? I'm a developer and we developers like the heavier stuff, right?)