OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
I'm not saying it isn't possible, but depending where on the protocol stack the USB port is intercepted, it might still be vulnerable.
Possible, yes.
You also introduce the risk of vulnerabilities in your antivirus software (which is probably closed-source)
Yes, there is a risk when you run any software.
and the risk of breaking things if you deploy a bad update
As with any software, you risk breakages when you deploy an update. Of course, in the case of anti-virus software, you're at risk of downtime if it's a bad update, much like OS updates. However, in some cases, the risk may be reduced, when the software does not require refactoring of major code on short notice.
(why would an OS update require testing, but an antivirus update not?).
I never said don't do testing (unless there is some massive risk that would qualify downtime being acceptable over vulnerability). I noted repeatedly that the time it takes to produce a software change would take more time than updating definitions in general circumstances.
Antivirus really seems like a technical solution to a non-technical problem: unresponsive software vendors.
It doesn't seem that Google is better at it, considering the speed (the time that passed after the exploit was known) of when an update was made available for CVE-2014-1705, CVE-2014-1706, CVE-2014-1707, CVE-2014-1708, CVE-2014-1710 and CVE-2014-1711 (which were exploited on ChromeOS).
Your antivirus software is capable of intercepting and preventing buffer overflow attacks coming in via the USB port?
Yes. In this specific scenario, if this would have been a Windows issue, I would have managed through my software/security management panel and Lumension; while on Linux it's through my software/security management panel and system black and white lists (ie: udev rules).
You keep coming back to Java, but Java is not a component of ChromeOS.
I didn't say it was.
In the same way, the fact that Oracle can't figure out how to do security updates
I see no evidence of that being the case. Oracle use automatic updates, sane patching policies (breaking changes go into the next 'major' version of Java etc).
is just one of the reasons why ChromeOS doesn't support Java at all.
That's quite the assumption there; the goals I have heard with Chromebooks involve promoting cloud and HTML5 local applications. I don't see how Java fits into that vision on a Chromebook to begin with.
I'm looking for evidence that an actual component of ChromeOS can't be updated as quickly as a virus definition.
Eh, I'm not that knowledgeable on ChromeOS itself, but there is one component it uses that I am fairly familiar with... I can deploy a heuristic filter for CVE-2013-1860 in roughly 15 minutes with some fairly simple pattern matching through a text file and my software/security management console. It doesn't require a reboot or interaction from users, nor does it interrupt the user.
Compare this to the time it takes to figure out the code changes for CVE-2013-1860, compile a debug build of the kernel, pass it to the build server for a non-debug build, sign it and patch systems, with the vulnerability only fixed after a reboot. Pretty certain that the minimum there is at least a few hours.
The evidence here is the fact that I can write a text file with a few lines to prevent the attack from working as opposed to changing code (possibly even doing major re-factoring) that requires recompilation of the kernel.
This is going to be the case for the majority of exploits out there where existing adequate support for 'definitions' that could counter this can be used.
By update I was speaking of definition updates. Without them, the software can't detect a new form of virus.
I wasn't, because the difference between a software patch and a definition update is the time it takes to produce them.
So, either the virus is using a known mechanism/payload/etc or not.
True, the focus of detection has shifted to looking at payloads rather than mechanisms now, because payloads are harder to make different.
If it is, then the OS will be patched against it, and the virus won't be able to install a rootkit/etc.
If it is, then it has a low reputation and will be blocked with the right security settings anyway (admittedly, I have that type of functionality turned off on my machines because I develop software too, anti-virus software putting my compiled applications into quarantine or deleting is annoying).
What makes you think that a heuristic scanner will be able to discover a virus, but the OS vendor won't be able to patch the vulnerability that allowed it in?
They were unable to patch their software fast enough to close all the zero days. I was able to define rules in anti-virus to block unauthorized issues in Java however.
You claim the time required to update a definition vs patch a vulnerability is significantly different, but I don't really see any evidence supporting this.
I just gave you some.
I'm sure your systems are completely vulnerable to a comet impact that destroys all life on earth, and that is because the risk of that happening is low compared to the effort required to mitigate it.
I generally work off using requirements, ie: Must be protected against cyber threats, physical access requirements against an armed person, isolated networks etc.
I also suggest new requirements to add to those and raise risks around certain implementations.
Besides, what is your alternative?
I would need a set of requirements to work with first and some time to research the options. Something that I don't really want to do for this conversation.
I'm not aware of any other OS that provides the same kind of security/etc for anywhere near the same cost as ChromeOS.
I don't really deal with things on a consumer level, but, it wouldn't be unlikely to get a good deal with certain PC vendors for getting X amount of units for a fairly cheap price. So, money is not exactly a thing I worry too much about in my current line of work.
The last virus-related issue we had at work was a few years ago when McAfee deployed a definition update that quarantined a critical system file - half the company was down for a few days while everybody brought their PCs in for servicing.
McAfee isn't that great of a piece of anti-virus software. If you visit http://www.av-comparatives.org... you will find that it's often near the bottom when it comes to comparisons (even a few years ago). So, it doesn't surprise me you ran into problems with a piece of software that does not really excel in good quality.
It does have one of the better enterprise management control panels however, but I don't think this makes up for its poor (or lack of) heuristic scanner, and it depends almost entirely on a cloud connection for doing that sort of analysis.
Something like that would be virtually impossible on ChromeOS since the whole OS image is device-specific and updated as a unit, so if one doesn't boot none of them will (so only an idiot would miss it in testing).
Sure, but only until the underlying vulnerability gets patched. Your antivirus wouldn't do anything about it until it is updated either.
Anti-virus software does not usually require software updates to catch identified viruses, it's usually just updating a definition/heuristic file.
How can a heuristic handle a virus using a new infection mechanism?
I'll use a consumer product that you're likely more familiar with in my example rather than enterprise software I use.
Avast has a heuristic built in for files that have no reputation: it runs these files inside a sandbox and observes their behaviour. If the program in question starts doing dodgy things like delivering typical infection payloads, Avast will close the sandbox and block the file from being run on the actual system.
In the case of worms, Avast also passively monitors applications generally, and when it detects a typical payload that worms use (such as trying to install a system rootkit and a bunch of startup entries) it will intercept the system API calls that are being used to perform this and prevent that from happening.
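The sandbox-and-intercept heuristic described in the two comments above, together with the "few lines in a text file" definition update mentioned earlier in the thread, as an added Python example that is not Avast's code or anything posted in this thread. The rule-file format, event names, weights and the three traces are constructed assumptions; the point it shows is that a behavioural rule is data a defender can push without recompiling or rebooting.

```python
"""Toy behavioural heuristic: score a sandboxed program's observed API calls
against rules loaded from a plain-text definition file.

Constructed example. The rule syntax, event names and weights are assumptions,
not any vendor's format.
"""
from dataclasses import dataclass
import re

BLOCK_THRESHOLD = 60  # constructed: a score at or above this means "block"

# Constructed rule file, assumed format "<weight> <regex>". Each regex is matched
# against one "API_NAME argument" line per observed call. Editing this text is
# the whole "definition update"; nothing is recompiled and nothing reboots.
RULES_TEXT = r"""
# weight  pattern
40 ^RegSetValue .*\\CurrentVersion\\Run\\
50 ^CreateService .*
30 ^CopyFile .*\\(System32|Windows)\\[^\\]+\.exe$
30 ^WriteFile .*\.sys$
20 ^SetWindowsHookEx WH_KEYBOARD
"""


@dataclass(frozen=True)
class Rule:
    weight: int
    pattern: re.Pattern


def load_rules(text):
    """Parse the rule file; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        weight, _, pattern = line.partition(" ")
        if not weight.isdigit() or not pattern.strip():
            raise ValueError(f"rule line {lineno}: expected '<weight> <regex>'")
        rules.append(Rule(int(weight), re.compile(pattern.strip())))
    return rules


def score_trace(events, rules):
    """Score a trace of (api_name, argument) pairs as a sandbox might record them.
    Each rule counts once, however many calls trigger it."""
    hits = {}
    for api, arg in events:
        line = f"{api} {arg}"
        for rule in rules:
            if rule.pattern.pattern not in hits and rule.pattern.search(line):
                hits[rule.pattern.pattern] = rule.weight
    return sum(hits.values()), sorted(hits)


def verdict(events, rules, threshold=BLOCK_THRESHOLD):
    score, matched = score_trace(events, rules)
    return ("block" if score >= threshold else "allow"), score, matched


# Constructed trace of a worm-like sample: copies itself into System32, adds a
# Run key, drops a driver, registers a service and hooks the keyboard.
WORM_TRACE = [
    ("CreateFile", r"C:\Users\alice\Downloads\invoice.exe"),
    ("CopyFile", r"C:\Windows\System32\svchosts.exe"),
    ("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"),
    ("WriteFile", r"C:\Windows\System32\drivers\hide.sys"),
    ("CreateService", "hide"),
    ("SetWindowsHookEx", "WH_KEYBOARD_LL"),
]
# Constructed trace of a benign program: touches only its own data, no persistence.
BENIGN_TRACE = [
    ("CreateFile", r"C:\Users\alice\AppData\Local\Notes\notes.db"),
    ("WriteFile", r"C:\Users\alice\AppData\Local\Notes\notes.db"),
    ("RegSetValue", r"HKCU\Software\Notes\WindowSize"),
]
# Constructed trace using a mechanism the base rules do not cover (injecting into
# another process); only the keyboard hook scores, so it is allowed.
INJECT_TRACE = [
    ("OpenProcess", "explorer.exe"),
    ("WriteProcessMemory", "explorer.exe"),
    ("CreateRemoteThread", "explorer.exe"),
    ("SetWindowsHookEx", "WH_KEYBOARD_LL"),
]
# One added line is the "definition update" for that gap (constructed).
HOTFIX_RULE = "50 ^CreateRemoteThread .*\n"

if __name__ == "__main__":
    base = load_rules(RULES_TEXT)
    for name, trace in (("worm", WORM_TRACE), ("benign", BENIGN_TRACE), ("inject", INJECT_TRACE)):
        print(name, verdict(trace, base))
    print("inject after hotfix", verdict(INJECT_TRACE, load_rules(RULES_TEXT + HOTFIX_RULE)))
```

The trade-off the thread argues about is visible in the last two calls: the hotfix rule changes the verdict in seconds, but it is only a heuristic over observed behaviour, not a fix for whatever let the sample run in the first place.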
They only protect against viruses using known mechanisms, but which have a signature not in the database.
Indeed.
How many Chrome exploits have you mitigated against using antivirus alone, and for how long?
Chrome, being unauthorized software on some systems I manage, is blocked on multiple levels. Chrome (and by extension, its exploits too) has been blocked ever since it came into existence. Said management is done through system software policies that are reinforced by anti-virus solutions and passive proxy filters.
Avast Reputation services is an example: a low reputation will prevent the code from being executed entirely.
Patching exploits is what keeps new infections out.
Sure, but until that happens, you're vulnerable; the time it takes to patch something versus adding a signature or a heuristic definition is significantly different.
However, if I had to pick and choose I'd pick secure-boot and frequent updates over an antivirus.
The original argument was that one replaces the other, which is what I disagree with. They both have different practical uses.
ChromeOS installations suffering viruses are unheard of
I don't deal in security around historical infections, I deal in the possibility of how a system can be compromised and then mitigating that risk as fast as possible and then through better means later if possible.
If the device were using secure boot, the device would refuse to boot at next reboot.
You misunderstand, it did not change the Windows system on the flash device. The system when it booted was always clean and got infected after boot; rebooting it would restart with a clean Windows install again.
An antivirus provides no protection against an unknown virus using a new infection mechanism.
Actually, it does. Modern anti-virus software still has heuristics that will kick in and many use 'community' based data to help determine the risk of a binary. This sort of filtering is available without the need to update software.
Anytime there is a known exploit it is patched to prevent the virus from being installed in the first place
Then you may be surprised to learn that producing patches for software takes longer than simply adding a few heuristic patterns or scripted rules to block it. There have been a few instances where I have pushed rules through firewalls and various anti-virus blocklist schemas to block problematic issues while vendors were still trying to resolve them (the last one I dealt with involved Java vulnerabilities, where Oracle spent a lot of time making patches while I simply blocked its use on untrusted sites with a few rules supplied to the URL filters in anti-virus control panels).
I do get the objection that secure boot only kicks in at boot, but I think when you consider how antivirus and ChromeOS updates work in practice, the latter actually provides more security.
No, you don't get my argument at all. I was booting systems that were 'fresh' installs every time the systems started and they would get infected practically immediately after boot. Secureboot doesn't help outside of exploits that would virtualize your entire operating system instance in order to hide itself. When you have an exploit that lets you run remote code on the system, you're running remote code. Maybe not on boot if there are code signing checks all the way, but that won't matter when it gets exploited on next boot.
In other words, you can still run malicious userland regardless if it got onto the system which is why a reactive Intrusion Detection System such as Anti-Virus software is extremely helpful.
The OS is read-only and uses secure-boot. If something does manage to install itself there
There was a time I had imaged Windows XP systems that booted from a read-only flash device; this didn't stop those Windows XP systems from getting infected with a worm that sat on top of the famous Blaster worm. Its payload was a key logger reporting back to its controller (it was a problematic situation as I had no control of the network these were connected to).
So, think of it like having the antivirus built-in.
My quick fix (outside of being unable to update the OS due to some software conflicts) was to install anti-virus software that automatically updated itself to combat such worms. I think your line of thinking is wrong.
What does an anti-virus do which a Chromebook isn't already doing?
Combat worms, viruses etc. in real time as opposed to just on boot.
No, the European Union prevented Greece from resolving their situation by detaching from the Euro currency so they could have their own and devalue their currency (like Iceland did recently). Now Iceland is thriving again, Greece is not.
When Greece attempted to do so, they removed the democratically elected leader and replaced him with a puppet. The country that brought democracy to the world...
Note: I don't live in the USA. I quickly scanned the article, without trying I found faults with it.
Cash is a 100% anonymous and untraceable payments technology.
Except it isn't: serial IDs on money get recorded and its contact with banks is recorded for fraud and deprecation purposes. If it was 100% anonymous and untraceable, that wouldn't happen.
Though hard to imagine, cash operates with no consumer protection at all. If your ‘bills’ are stolen or lost, they are gone forever.
Except I have insurance if my physical money gets stolen or lost. So, I do have consumer protection?
Moreover, there appears to be no authentication mechanism associated with cash payments or transfers, let alone one that matches modern security standards.
The prevalent news source in the UK for most citizens is the Daily Mail (which likely wouldn't discuss these issues, because it's nowhere near sensationalist enough), not the BBC. The BBC doesn't have even close to as much influence. A lot of people don't even give a crap about the news the BBC reports.
Every time I have been through Customs and Immigration in the UK I have witnessed (or been subjected to) the agents there acting in a very demeaning manner towards travelers. To me it is SOP for the UK, to the point that I think the equivalent people in the US actually seem nicer.
I don't know... I've been to the U.S. Had to fill in a form on the flight saying I am not a terrorist, spy etc. Then get fingerprinted, picture taken and asked if I am there for business or pleasure, then asked trick questions.
Compare this to the UK where they don't even sit behind equipment that fingerprints or photographs you and they just want to see your passport.
I travel weekly between countries due to my current consultancy work. In my limited experience, the border guards really aren't there waiting for you in arrivals for European or Commonwealth countries.
I've been stopped at the border and hassled by a dim border guard. He was clearly trying to catch me in a lie and asked a question about somewhere I was living. He didn't like my (correct) answer and insisted I must be wrong, repeatedly.
I've never had personal details questioned by UK border control.
What the hell are you supposed to say to an obnoxious border guard who won't accept the legal, legitimate truth as an answer?
As a form of protest and understanding that Slashdot isn't what it used to be.
We could go back to dupes, terrible HTML formatting with broken threading, page loading issues, very bad and biased summaries, various live updates being performed on the website because the developer felt like working on the actual site to develop in real time.... But personally, I don't really want to.
feels like eons ago but I've been around since around 2001 and seen it get better and then worse and worse.
Reflecting on my above comment, Slashdot feels better from a site administration point of view. Comment wise, I don't find myself debating with people as much anymore; but I don't know if that's just a personal issue of my own or just that other users on this site are no longer that interesting to discuss things with.
Slashdot is becoming like Wired. Very biased, late with every article posted
You must be new here... I remember incredibly bad bias many years back, but nobody decent would trust their summaries to begin with.
In fact Slashdot is probably the worst because it has piss-poor editors that don't edit summaries or titles properly and misguide you to RTFA. I don't think DICE understands its audience.
Seriously, I don't think you know Slashdot's past that well or you're viewing it through rose tinted glasses.
Zontar The Mindless has no accusation, just facts.
I can verify this, APK posts off topic content about hosts files.
Do you see yourself adopting the Nabu and if not, why?
From Wikipedia:
I fail to see Anonymous' point.
You kind of have missed a bigger problem. Windows source code has been leaked multiple times, including Windows XP's.
Nobody knows how to compile it, it doesn't simply compile with compilers that Visual Studio comes with either.
A recent example is Oracle's recent struggle with Java vulnerabilities: https://blogs.oracle.com/secur...
Note: I am not the grandparent.
Not true, see BE and Virgin.
He's pledged far more actually.
http://www.dailymail.co.uk/new...
I don't think I've ever heard of a 'world currency' suffer from a well known exploit in the Bitcoin protocol.
If I make this broader, I don't think I've ever heard of a 'world currency' suffer from a well known exploit in computers.
Like the RFID chips in my notes?
I'm British.
I wouldn't know, I have yet to encounter it.
I personally like the beta, I think it needs some improvements; but leaving? What is there to leave over?
WillAffleckUW, and now your planet will be destroyed; good going.
I personally like the beta.
You deny that distributions have been providing free upgrades and updates to their releases?