394 posts • joined 20 Apr 2006
And people wondered why I rolled my own
This is why.
It's still early.
Seven months. Of course the early users are going to spend more of their time in the desktop.
And who needs "classic shell" when one can put a toolbar on their desktop taskbar that points to %allusersprofile%\Start Menu? (OK, %allusersprofile%\Microsoft\Windows\Start Menu then.) No extra software needed.
Aww, privacy not eroding fast enough for you?
"old institutions, like the law" weren't keeping up with the pace of [s/war/tech].
I wonder how many dictators shared this sentiment.
And talk about selling one's eyeballs to advertisers.
So this is the "Digital Pearl Harbor" Jesse Hirsh was raving about?
So the destructive power of Conficker resulted in almost $250k (wild guess US$ value) in loss.
Jesse Hirsh of the CBC asked if Conficker was a "digital Pearl Harbor." I've read guesses as to the damage, of...
...four U.S. Navy battleships (two of which were raised and returned to service late in the war) and damaged four more. The Japanese also sank or damaged three cruisers, three destroyers, and one minelayer, destroyed 188 aircraft, and caused personnel losses of 2,402 killed and 1,282 wounded.
A single US frigate would cost about US$63 million today. I'm too disgusted to do the math.
And it took three years for the Germans to come up with that cost amount?
I called it an April Fool's joke in 2009 and got downvoted for it. I was also downvoted for daring to complain about idiots cheapening the memory of Pearl Harbor, September 11th, Armageddon, and a few others with the preface of "cyber."
On a lighter note, haven't the Germans heard of Sysprep? Ghost? Imagex? System Center? Give me that money and I could transform their IT department. Anyone over there hiring?
This is why he's mister "I hate everything."
Adobe's products are a security nightmare.
I've said it before, and I'll say it again: Stop complaining about the weather and start doing something about it.
Why blame MSIEXEC for Java exploits?
Disable windows installer service so s**t can't be installed willy-nilly by users who don't know any better
Great, yet another pundit who thinks they can maintain Windows better than Windows can. Do you even know what the Windows Installer (MSIEXEC) service is? It's not Windows Update. You disable Windows Installer, then you can't install anything made by anyone, anywhere. That includes built-in components.
And what the hell does MSIEXEC have to do with Java exploits? MS abandoned their Java implementation yonks ago, and modern Java runs in user-space exclusively.
If you want to stop users from installing stuff willy-nilly, do this.
Hey Apex: Make this product instead
Apex will automatically stop applications from performing sensitive operations while in an unknown application state.
If I could somehow sell a product that does this safeguarding for you... Hey Apex: Would you work on a product that does this instead of wasting CPU time analyzing running processes? I'd buy it, promote it, prostrate myself extolling its virtues, if only you'd produce it.
No thanks, we're good here.
Binned the "legacy" web apps or made sure they worked in Intranet Zone.
We've had multi-threading since 1995 and this is the progress we've made?
some of the performance increases have been blunted by a lack of applications that have been coded to really get the most of multicore systems.
Twenty years and we don't know how to write an application that uses threads? Even Quake II was multi-threaded. If an app uses multiple threads it's supposed to use multiple cores transparently.
Here, devs: read. Specifically, always treating threads like they're running on different cores even if they're not.
Privilege escalation is a larger target now
Previously labeled "important" because the average user used to run with escalated (admin) privileges anyway, these should become "critical" as we finally can run as non-admins without badly designed applications getting in the way, and this will become the way to hack Windows without social engineering.
If I can only get parents not to cave in to kids screaming for Mommy's password... sometimes I feel like a doctor trying to tell their patient to stop smoking.
Sucks to be in your family then.
A applies. B, well, that's not my fault.
Where were you the past thirteen years?
If they split the OS into admin space and user space and denied write access to anything in admin unless logged in as admin, then windows would be a fook sight more secure.
Windows has had this since NT 3.1, but didn't really support "non-NT" applications until Windows 2000. UAC on Vista took this further. Don't blame MS for people not using it, or vendors not respecting it.
I'll believe that when Apple stops selling the Macintosh.
Let's see Apple take the first step by discontinuing the Macintosh, and sell iDevices exclusively.
I'm pretty sure MacArthur thought this in 1950, and look at what happened
Oh sure, that Nork army unleashed would do a great deal of damage, would make a hell of a mess of Seoul and such places. But it wouldn't actually win, it would be beaten back and that would be the end of the State.
This might be one of those "classic Leftie / Rightie style" oft-repeated "truths," but if North Korea is as weak as the commentards here say, why did MacArthur have his ass handed to him by Truman shortly after the Incheon landing in 1950?
(Disclaimer: Not a military expert. Learning from history, though.)
OK let's try this again: It's Intel hardware though
I also tried Windows 8 Pro, but despite installing all of Intel’s driver updates, I was still unable to get a realistic score out of Futuremark’s PCMark 7. Windows 8 itself refused to give me an Experience Rating, bailing out on the video part of its tests.
So 8 wouldn't give a rating without a supported video driver, then. This is Intel we're talking about, so this will get sorted in a hurry. Does the 7 driver work in a pinch?
Wouldn't be the first time with driver problems. Intel's latest Win7 HD driver (March 2013) introduced mouse pointer lag on an HP Elite 6200 desktop PC. Had to revert to their December 2012 driver to undo it. Other commentards would blame IE10 for that.
You need some Win8 consulting then?
The bottom line: I can’t recommend installing Windows 8, and a long list of Windows Update failures, not just on the NUC but on other Windows 8 machines I’ve tried, including Lenovo’s otherwise gorgeous ThinkPad X1 Carbon, makes me even less likely to do so.
I must be the only Windows 8 user on the entire internet that isn't having problems running the thing. Heck, I can run it on a VM on an HP Microserver. Would you like some consulting?
Then SANS needs to stop cheapening Armageddon. And Pearl Harbor. And September 11th.
Catch phrases that invoke disgust:
No one died due to any event reported using these catch phrases. Real people died in the real events. That is my problem: Cheapening the memory of real life events that killed real people.
If they want to stop disgusting me, SANS needs to stop using them.
Just the link makes me cringe in disgust: "The great DDoS Cybergeddon of 2013." We're still here, aren't we? No one was hurt, right? Maybe spam increased for a few nanoseconds while Spamhaus was unreachable for a short time? Do I need to warm up my snow blower to deal with the deluge of junk e-mail?
Seeing as I'm posting this to a Europe-connected network that was supposedly strongly impacted by this, I'd say this was a storm in a teapot. But SANS has a history of sensationalizing internet events. They want to be the weather.com of cyberspace and it's embarrassing.
Here's a workaround on Windows Server
This was unexpected; thanks for coming forward. It made me brave enough to come forward with a similar workaround I did on my Windows Server setup.
I publish a small handful of domains on that HP Microserver I bragged about a few weeks ago. One of those domains is an Active Directory domain as well as a publicly visible domain, and they handle internet e-mail and other internet things, so the domain controllers and dependent servers need to do recursive queries on the DCs running DNS, as well as host the DNS zones that make AD possible.
Windows doesn't have an IP access list saying who can do recursive queries and who cannot. But nothing stops you from copying the zones to another non-DC DNS server and disabling recursion on that.
I already have a reverse proxy server for various things; I just added DNS to it and port-forwarded DNS connections to it instead of to one of the DCs. Then I set up secondary copies of all my zones on it, and disabled recursion. I now have an edge DNS server that doesn't allow recursive queries and still acts authoritatively for my zones. I can still permit zone transfers from it to authorized servers outside as well, and do notifications of zone changes.
Sure, this is, 'duh, captain obvious' stuff for some. Who would have thought DNS would be used as a DDoS vector though? If Trevor, "I hate Windows/Java/Flash/PDF/QT/TheWorld," Pott can come forward with this, so can I.
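The edge-server setup described in the post above, as an added example that is not the poster's own script: it uses the DnsServer PowerShell module (Windows Server 2012 or later) plus dnscmd for the one step that module does not cover cleanly. The host names, zone names and addresses are assumptions; the router port-forward of UDP/TCP 53 to the edge box is done outside this script.

```powershell
# Added example, not from the original post. Assumed names and addresses throughout.
#Requires -Modules DnsServer

$edge   = 'edge.example.net'                          # reverse-proxy box that will face the internet
$edgeIp = '192.0.2.53'                                # its internal address
$dcs    = @('192.0.2.10', '192.0.2.11')               # DCs holding the AD-integrated primary zones
$zones  = @('example.net', '2.0.192.in-addr.arpa')    # zones to publish at the edge
$xferTo = '198.51.100.53'                             # external secondary allowed to pull from the edge

# 1. Disable recursion on the edge server. In DNS Manager this is the
#    "Disable recursion (also disables forwarders)" checkbox: the server keeps
#    answering authoritatively for zones it hosts but refuses to resolve anything
#    else, so it cannot be used as an open resolver in a reflection/amplification attack.
Invoke-Command -ComputerName $edge -ScriptBlock { Set-DnsServerRecursion -Enable $false }

foreach ($z in $zones) {
    # 2. On the DC, allow transfers only to the edge and notify it when the zone changes.
    Set-DnsServerPrimaryZone -ComputerName $dcs[0] -Name $z `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $edgeIp `
        -Notify NotifyServers -NotifyServers $edgeIp

    # 3. On the edge, create a secondary copy of the zone that pulls from the DCs.
    Add-DnsServerSecondaryZone -ComputerName $edge -Name $z -ZoneFile "$z.dns" -MasterServers $dcs

    # 4. From the edge, permit zone transfers (and send notifies) only to the trusted
    #    external secondary. dnscmd is used here because it sets this on secondary zones
    #    with one call: /securelist restricts AXFR/IXFR, /notifylist restricts NOTIFY.
    & dnscmd $edge /ZoneResetSecondaries $z /securelist $xferTo /notifylist $xferTo | Out-Null
}

# 5. Verify from inside: the edge must answer for its own zones but not for the world.
$own = Resolve-DnsName -Name "www.$($zones[0])" -Server $edge -DnsOnly -ErrorAction SilentlyContinue
$ext = Resolve-DnsName -Name 'www.iana.org'     -Server $edge -DnsOnly -ErrorAction SilentlyContinue
if (-not $own) { Write-Warning "$edge is not answering for $($zones[0]); check the transfer" }
if ($ext)      { Write-Warning "$edge still answers recursive queries; recursion is NOT off" }
else           { "OK: $edge is authoritative-only" }
```

Repeat the step-5 check from an external address once the port-forward is in place; a query for a name you do not host should come back with no answer (REFUSED or SERVFAIL, depending on the client), and `Get-DnsServerRecursion -ComputerName $edge` should report `Enable : False`.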
1024x768 was a minimum for MS Store apps since launch
This rule change was for OEMs, not for the OS, PCs upgraded with it, or for applications using the new UI.
I hit the vertical limit when trying to find a resolution to record my Windows 8 Safeguarding series: at 1280x720 the UI would run, but apps designed for it would not, telling me the res was too low. Desktop was still OK. 1280x768 worked though, as did the oddball 1262x768 I ended up filming the series in.
Say what you want about the UI but don't say it's in alpha. The OS still hasn't crashed on me and it works as they designed it. Maybe not how you would design it. Of course, I don't run it on garbage hardware.
I was waiting for this...
Actually, the sheer irony here is that Internet Explorer has had TLS 1.2 support since IE8
...actually, IE depends on the crypto suite of the host OS. On XP, only TLS 1.0 and previous SSL versions are supported. To do TLS 1.1 and 1.2 in IE, you need Vista, 7 or 8, or corresponding server version.
And there are too many banking sites that don't have TLS 1.1 or 1.2 support in their servers. I can't cite any one bank out of good conscience, but I can say that Symantec doesn't enable it on their [s/Messagelabs/Symantec.Cloud] pages. I had to argue with a support droid about that. (ugh, you know I used to like Messagelabs).
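A way to check the server side of the complaint above, added here as an example and not part of the original post: open one handshake per protocol version with .NET's SslStream and record which ones the server accepts. The host name is an assumption. Because the client's own Schannel build limits what it can offer (the XP point above), run it from Windows 7 or later, and read a failure as "one end or the other refused it" rather than as proof about the server alone.

```powershell
# Added example, not from the original post. Works in Windows PowerShell on .NET Framework.
function Test-TlsVersions {
    param([string]$HostName, [int]$Port = 443)
    foreach ($v in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $result = [pscustomobject]@{ Host = $HostName; Protocol = $v; Supported = $false; Detail = '' }
        $client = $null; $ssl = $null
        try {
            $proto  = [System.Security.Authentication.SslProtocols]$v
            $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            # Accept any certificate: this probes protocol support, not server identity.
            $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
            # Offer exactly one protocol version; the server either negotiates it or aborts.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $result.Supported = $true
            $result.Detail = "$($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        } catch {
            # Either the server rejected the version or the local Schannel has it disabled;
            # the message usually says which ("The client and server cannot communicate..."
            # vs. a local "requested function is not supported").
            $result.Detail = $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl)    { $ssl.Dispose() }
            if ($client) { $client.Close() }
        }
        $result
    }
}

# Assumed host; substitute the site you are arguing with support about.
Test-TlsVersions -HostName 'www.example.com' | Format-Table -AutoSize
```

If TLS 1.2 shows as unsupported from a Windows 7 client, confirm the client side first: the enabled protocols live under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<version>\Client`, and on Windows 7 TLS 1.1/1.2 are off by default for Schannel applications other than IE until enabled there.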
[s/Windows adware has/Greedy advertisers have] been a problem for years.
Low hanging fruit, easy target, cheap shot. Un-called for.
By the way, Mac users, easy way to protect yourself against greedy advertisers: Don't download stuff willy-nilly from the internet, and don't use an admin account for your daily work.
Looks like I need to crack the message of keeping malicious software at bay
A running theme I'm seeing in the feedback is that I need to make sure other defences (outbound firewall especially, but also turning off UPnP) are working in case malicious software somehow runs on a PC.
My problem is I'm trying to prevent malicious software from running in the first place.
At the risk of sounding like I'm from space, if I can stop unwanted software from running in the first place, I don't have to worry about unwanted software communicating outbound, or requesting open ports from UPnP routers, or using raw sockets, or taking over my display and trying to extort me for money, and so on.
It sounds deceptively simple, and perhaps that's what's confusing the mainstream computer user.
My target was more the, "You can't secure Windows no matter what," crowd, to show it can be done, but up to the SRP stuff this is all noob-capable. I think. I ramble on in spots, so I might tear this all down, write some monologues and do it properly.
About the firewall. Just like raw sockets, UPnP and outbound connections in general, my aim is to keep unwanted software at bay. If I can't keep unwanted software off, the firewall is the least of my worries.
In that example I deliberately installed Oovoo with the intent of connecting to its network through the internet. Having a firewall ask me if I want to let this thing connect outbound when I know it's an internet instant messaging application is redundant, at least in my opinion. It was the inbound connection that caught me off guard.
WFAS does let you change the default for outbound connections, so it's like the behaviour you're describing. Maybe I'll touch on that in an advanced video.
WD on Windows 8 is just another after-the-fact virus product. I treat all such products as security blankets; make the user feel good. The before-the-fact stuff takes care of the real security.
The running theme, again, is keeping unwanted software at bay. If I can do that, I don't need to worry about UPnP-capable apps, outbound connection-capable apps, or apps that use raw sockets. Because they will be apps that I chose to use.
This is good feedback; thanks for all of this. If I could do the geek and the pint icons I'd have them both up.
British sophomoric humour aside...
...I made some adjustments per recommendations right now, and will make further refinements.
Bold statement, perhaps: "Better security than you can buy." After twenty years of after-the-fact garbage from the leading computer security firms, I believe it's correct, though. I take the approach of stopping the bad software before the fact and then it can't turn off the firewall or signature-based virus detection.
Win8 Safeguarding series critiques wanted
I know... this is throwing myself at the wolves here. I figure along with the chewing up I'm about to get, some useful criticism will come up and I can improve on this series.
Think what you want about Windows 8, but people are going to deal with it. So I tossed together a video series on safeguarding home desktop PCs running it, all about using what's included and nothing added. Please take a look, and consider offering some feedback I can use.
Does Origin rely on root / administrator / system for anything?
One thing I noticed about Steam was that its client and attached games run completely in user-space on Windows. Even if I believe it is a bad idea to make a folder in Program Files user-writeable, at least any Steam exploits would be limited to the Steam environment and not leak out to the host OS, provided the user only runs it in user-space. A user can defeat any exploit with CTRL-ALT-DEL and logging off.
By comparison, does Origin work in kernel-space (using drivers) or otherwise require admin or kernel level access to run? I don't run any Origin games and from what I'm reading here I don't want to, either.
Even Java, for all of the hate Oracle's received this year, stays in user-space.
"[s/When/If] the ports open again..."
The article mentions blocking L2TP and PPTP VPN ports (and more specifically protocols) but what about TOR restricted to ports 80 and 443 - does that still work?
Application filtering for HTTP and HTTPS exists, as does transparent proxying. If a US business can do it, you can bet Iran is doing it, and very likely with software authored in the US despite export controls.
They keep saying that...
A great Redmond plan to get Linux on the desktop?
Then it hasn't worked in twelve years. Wasn't the Windows 95 Start Menu the first thing that was supposed to make people move to Linux? Or was that product activation on XP? UAC on Vista? The Start Screen on 8?
I'm still waiting.
Non-admin accounts, Software Restriction Policies, etc etc etc etc
McRAT ensures its persistence by writing a copy of itself as a DLL and making registry modifications
Lather, rinse, repeat.
Including fifteen different building codes? Hostile contractors?
Open source DIY domicile project to 'do for building what Linux did for software
(OK, perfectly fine article if not for this secondary headline. Venting spleen in 3... 2... 1...)
So now I'll have to choose which distro of house I want before I can build it, there will be inter-distro feuding over building codes, and crowdsourced contractors consisting of a mix of maybe friendly and mostly hostile geeks, each deriding each other's designs.
"No one builds a wall with studs sixteen inches on-centre anymore."
The paranoid ones will use "NSA House" like they use NSA Linux, only to later speculate about gaping holes in the walls. There might not be any holes, and it might be the strongest house you could build, but who would trust it?
Who am I kidding? If Microsoft made a house, people would complain about the door locks. Come to think of it, my wife would complain about the door locks and not use them, and then she'd wonder why the TV was stolen.
McAfee rewrites history?
Signature-based malware identification has been around since the dawn of the computer security industry
Stiller's Integrity Master, a profile-based virus detector, existed before John McAfee sold a cheap and lazy media on Virusscan:
I love it! I have been a fan of integrity checking (IC) ever since my first big software conflict trashed small parts of a few files of the 2,000 + files on my disk in … 1986
(Sadly, that article is only on Google's cache now.)
"Classic leftie style?"
Classic leftie style[...] It's really rather frightening how often that a lie or inaccuracy is repeated a few times and then becomes effectively an incontrovertible fact.
Like, say, "Obama is a muslim?" That's not exactly "leftie style" yet it is incontrovertible fact among certain sects of non-lefties.
Where's the foot-in-mouth icon?
I guess the JPEG GDI+ exploit was so last decade...
This is a bit of a twist on normal exploitation simply because the malicious code is actually inside of an image, something that hasn’t really been done before.
Set the WABAC machine for 2004, Fred: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution.
We really do have short memories in this industry.
The even like / dislike count suggests there's some truth and some exaggeration to this
It's nice to know I wasn't the only one scared away from Linux by hostile technical support.
Now you just need the nice ones to get on the cases of the not-so-nice ones and make them stop biting the n00bs.
Complain about the weather...
...or do something about it.
Seems like a sensible approach. Or is BlueGreen asking for too much in this place?
There's vigilance, and there's paranoia
And this: "...that you know of..." is paranoia. Lovely technique to sell security products. Not so lovely a technique to do actual security.
Understanding how Windows really works goes a long way to preventing exploits. I've said many times before that there's better security built into modern versions of Windows than any security product you can buy for it. Even a non-security product can prevent malware before so-called security products can; in that case, it was Microsoft Word, which could stop Word macro viruses before anti-virus products could.
Give the fellow credit for doing something pro-active. If you really are trying to sell something, it's better than blasting them for not using the popular security-blanket-of-the-day.
Re: Speaking of drive-by download prevention...
You're going about it the wrong way though, deny everything and then just allow program files. That blocks off removable media and network shares as well without having to specify every single path under the sun.
Fair enough; this is why the example also sets the SRP policy to affect non-admins only. An admin could still install software from CD or USB devices. The shortcut file type (.lnk) is specified in the default SRP policy and the example instructs you to remove that particular one, or yes, personal shortcuts do stop working.
It's not my example and I want to flesh it out into a comprehensive how-to guide, but tossing it out there should get some brains thinking. I also want to run it against my software library to see what doesn't work, and then replace the broken garbage.
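The deny-everything SRP policy discussed in this exchange, written out as an added example (not the example the poster is referring to, and not from the original page): default level Disallowed, two path rules that unrestrict the Windows and Program Files trees, enforcement limited to non-administrators, and LNK dropped from the designated file types so shortcuts keep working. It writes the same registry layout that the Local Security Policy editor (secpol.msc) produces for a local SRP; the rule GUIDs are generated on the spot and carry no meaning. Run it elevated, then reboot or `gpupdate /force`.

```powershell
# Added example, not the original poster's. Local (non-domain) Software Restriction Policy.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $safer -Force | Out-Null

# DefaultLevel 0 = Disallowed (0x40000 = Unrestricted). Everything not matched by an
# Unrestricted rule below is blocked: removable media, Downloads, %TEMP%, network shares.
Set-ItemProperty -Path $safer -Name DefaultLevel        -Value 0 -Type DWord
# PolicyScope 1 = all users except local administrators (0 = everyone, admins included),
# so an admin can still install from CD or USB; standard users cannot run from there.
Set-ItemProperty -Path $safer -Name PolicyScope         -Value 1 -Type DWord
# TransparentEnabled 1 = all software files except libraries (DLLs); 2 also checks DLLs
# and breaks far more software.
Set-ItemProperty -Path $safer -Name TransparentEnabled  -Value 1 -Type DWord
Set-ItemProperty -Path $safer -Name AuthenticodeEnabled -Value 0 -Type DWord

# Designated file types. This is the stock list with LNK deliberately left out so that
# Start Menu and desktop shortcuts (which live in user-writable locations) still launch.
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
         'ISP','JS','JSE','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR',
         'SHS','URL','VB','VBS','WSC','WSF','WSH'
Set-ItemProperty -Path $safer -Name ExecutableTypes -Value $types -Type MultiString

function Add-SaferPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Rules live under <level>\Paths\{guid}; 262144 (0x40000) = Unrestricted, 0 = Disallowed.
    $key = Join-Path $safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

# The two "additional rules" secpol.msc creates by default. They reference registry values
# rather than literal paths so they follow a non-standard install location.
Add-SaferPathRule -Level 262144 -Description 'Windows' `
    -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
Add-SaferPathRule -Level 262144 -Description 'Program Files' `
    -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit programs on 64-bit Windows live in a separate tree that also needs unrestricting.
    Add-SaferPathRule -Level 262144 -Description 'Program Files (x86)' `
        -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'
}
```

Two caveats a practitioner will hit straight away. First, anything that unpacks and runs from the user profile (per-user installers, some updaters, portable apps) is exactly what this blocks, which is the point of the "run it against my software library" step above; expect to move or replace those. Second, the Windows tree contains user-writable directories (for example under %SystemRoot%\Temp and the spooler directories), so a stricter policy adds Disallowed rules for those, since a more specific path rule wins over a less specific one.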