
Comments


Anyone Can Buy Google Glass April 15

Ash-Fox Re:No thanks (167 comments)

I'm often an early adopter of technology, but I'm not interested in this type of product until it's far more unobtrusive and obvious.

Do you see yourself adopting the Nabu and if not, why?

about a week ago

Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

Ash-Fox Re:on purpose or not, couldn't happen if... (445 comments)

C++ has bounds-checked containers.

And yet, this problem still happened.

From Wikipedia:

OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.

I fail to see Anonymous' point.

about two weeks ago

Should Microsoft Be Required To Extend Support For Windows XP?

Ash-Fox Re:Either it is valuable to MS or not... (650 comments)

You kind of missed a bigger problem. Windows source code has been leaked multiple times, including Windows XP's.

Nobody knows how to compile it; it doesn't simply compile with the compilers that Visual Studio comes with either.

about two weeks ago

London Council Dumping Windows For Chromebooks To Save £400,000

Ash-Fox Re:Biggest saving is... (193 comments)

I'm not saying it isn't possible, but depending where on the protocol stack the USB port is intercepted, it might still be vulnerable.

Possible, yes.

You also introduce the risk of vulnerabilities in your antivirus software (which is probably closed-source)

Yes, there is a risk when you run any software.

and the risk of breaking things if you deploy a bad update

As with any software, you risk breakages when you deploy an update. Of course, in the case of anti-virus software, you're at risk of downtime if it's a bad update, much like OS updates. However, in some cases, the risk may be reduced, when the software does not require refactoring of major code on short notice.

(why would an OS update require testing, but an antivirus update not?).

I never said don't do testing (unless there is some massive risk that would qualify downtime being acceptable over vulnerability). I noted repeatedly that the time it takes to produce a software change would take more time than updating definitions in general circumstances.

Antivirus really seems like a technical solution to a non-technical problem: unresponsive software vendors.

It doesn't seem that Google is better at it, considering the speed (the time that passed after the exploit was known) of when an update was made available for CVE-2014-1705, CVE-2014-1706, CVE-2014-1707, CVE-2014-1708, CVE-2014-1710 and CVE-2014-1711 (which were exploited on ChromeOS).

about two weeks ago

London Council Dumping Windows For Chromebooks To Save £400,000

Ash-Fox Re:Biggest saving is... (193 comments)

Your antivirus software is capable of intercepting and preventing buffer overflow attacks coming in via the USB port?

Yes. In this specific scenario, if this had been a Windows issue, I would have managed it through my software/security management panel and Lumension; while on Linux it's through my software/security management panel and system black and white lists (i.e. udev rules).

about two weeks ago

London Council Dumping Windows For Chromebooks To Save £400,000

Ash-Fox Re:Biggest saving is... (193 comments)

You keep coming back to Java, but Java is not a component of ChromeOS.

I didn't say it was.

In the same way, the fact that Oracle can't figure out how to do security updates

I see no evidence of that being the case. Oracle use automatic updates, sane patching policies (breaking changes go into the next 'major' version of Java etc).

is just one of the reasons why ChromeOS doesn't support Java at all.

That's quite the assumption there; the goals I have heard with Chromebooks involve promoting the cloud and HTML5 local applications. I don't see how Java fits into that vision on a Chromebook to begin with.

I'm looking for evidence that an actual component of ChromeOS can't be updated as quickly as a virus definition.

Eh, I'm not that knowledgeable on ChromeOS itself, but there is one component it uses that I am fairly familiar with... I can deploy a heuristic filter for CVE-2013-1860 in roughly 15 minutes with some fairly simple pattern matching through a text file and my software/security management console. It doesn't require a reboot or interaction from users, nor does it interrupt the user.

Compare this to the time it takes to figure out the code changes for CVE-2013-1860, compile a debug build of the kernel, pass it to the build server for a non-debug build, sign it and patch systems, with the vulnerability only fixed after a reboot. Pretty certain that the minimum there is at least a few hours.

The evidence here is the fact that I can write a text file with a few lines to prevent the attack from working as opposed to changing code (possibly even doing major refactoring) that requires recompilation of the kernel.

This is going to be the case for the majority of exploits out there where existing adequate support for 'definitions' that could counter this can be used.

about two weeks ago
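The post above and the earlier one in this thread both describe pushing a short text file of device rules instead of waiting for a kernel patch, and the earlier post names udev rules as the Linux mechanism. The page does not show the rules themselves, so what follows is an added example, not the commenter's or Slashdot's code, of one plausible shape for such a definition: a udev allowlist built on the kernel's USB authorization attributes (`authorized_default` on root hubs, `authorized` on devices). The rules path and the vendor:product IDs are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the Slashdot post or its author): render a udev
# rules file that default-denies new USB devices and authorizes an allowlist.
# Assumes the kernel USB authorization interface (authorized_default on root
# hubs usbN, authorized on devices) and the rules path below (constructed).

RULES_FILE="/etc/udev/rules.d/90-usb-allowlist.rules"   # assumed path

# Accept only a 4-digit lowercase hexadecimal USB ID, as sysfs reports
# idVendor/idProduct, so a typo never becomes a rule that silently matches nothing.
is_usb_id() {
    case "$1" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Default-deny: each root hub (kernel name usbN) leaves newly attached devices
# unauthorized, so the kernel binds no driver until a later rule allows them.
usb_default_deny_rule() {
    printf '%s\n' 'ACTION=="add", SUBSYSTEM=="usb", KERNEL=="usb[0-9]*", ATTR{authorized_default}="0"'
}

# One allow rule for a vendor/product pair; fails (no output) on malformed IDs.
usb_allow_rule() {
    is_usb_id "$1" && is_usb_id "$2" || return 1
    printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ATTR{authorized}="1"\n' "$1" "$2"
}

# Render the whole file from "vendor:product" arguments; stops at the first bad ID.
usb_allowlist_rules() {
    usb_default_deny_rule
    for pair in "$@"; do
        vendor=${pair%%:*}
        product=${pair#*:}
        usb_allow_rule "$vendor" "$product" || return 1
    done
}

# Number of allow rules rendered, handy for checking a deployment before reload.
usb_allowlist_count() {
    usb_allowlist_rules "$@" | grep -c 'ATTR{authorized}="1"'
}

# Usage with constructed sample IDs: write the file, then reload udev rules.
#   usb_allowlist_rules 046d:c52b 0781:5583 > "$RULES_FILE" && udevadm control --reload-rules
```

Devices that are already plugged in when the rules load keep their current state; the default-deny only affects devices enumerated afterwards, which is the same "no reboot, no user interaction" property the post is describing.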

London Council Dumping Windows For Chromebooks To Save £400,000

Ash-Fox Re:Biggest saving is... (193 comments)

By update I was speaking of definition updates. Without them, the software can't detect a new form of virus.

I wasn't, because the difference between a software patch and a definition update is the time it takes to produce them.

So, either the virus is using a known mechanism/payload/etc or not.

True, the focus on detection has shifted to looking at payloads rather than mechanisms now, because payloads are harder to make different.

If it is, then the OS will be patched against it, and the virus won't be able to install a rootkit/etc.

If it is, then it has a low reputation and will be blocked with the right security settings anyway (admittedly, I have that type of functionality turned off on my machines because I develop software too; anti-virus software putting my compiled applications into quarantine or deleting them is annoying).

What makes you think that a heuristic scanner will be able to discover a virus, but the OS vendor won't be able to patch the vulnerability that allowed it in?

A recent example is Oracle's recent struggle with Java vulnerabilities: https://blogs.oracle.com/secur...

They were unable to patch their software fast enough to close all the zero days. I was able to define rules in anti-virus to block unauthorized issues in Java however.

You claim the time required to update a definition vs patch a vulnerability is significantly different, but I don't really see any evidence supporting this.

I just gave you some.

I'm sure your systems are completely vulnerable to a comet impact that destroys all life on earth, and that is because the risk of that happening is low compared to the effort required to mitigate it.

I generally work off requirements, i.e. must be protected against cyber threats, physical access requirements against an armed person, isolated networks etc.

I also suggest new requirements to add to those and raise risks around certain implementations.

Besides, what is your alternative?

I would need a set of requirements to work with first and some time to research the options. Something that I don't really want to do for this conversation.

I'm not aware of any other OS that provides the same kind of security/etc for anywhere near the same cost as ChromeOS.

I don't really deal with things on a consumer level, but, it wouldn't be unlikely to get a good deal with certain PC vendors for getting X amount of units for a fairly cheap price. So, money is not exactly a thing I worry too much about in my current line of work.

The last virus-related issue we had at work was a few years ago when McAfee deployed a definition update that quarantined a critical system file - half the company was down for a few days while everybody brought their PCs in for servicing.

McAfee isn't that great of a piece of anti-virus software. If you visit http://www.av-comparatives.org... you will find that it's often near the bottom when it comes to comparisons (even a few years ago). So, it doesn't surprise me you ran into problems with a piece of software that does not really excel in good quality.

It does have one of the better enterprise management control panels, however, but I don't think this makes up for its poor (or lack of) heuristic scanner, and it depends almost entirely on a cloud connection for doing that sort of analysis.

Something like that would be virtually impossible on ChromeOS since the whole OS image is device-specific and updated as a unit, so if one doesn't boot none of them will (so only an idiot would miss it in testing).

I could network boot systems and reimage them in the office. Laptops, on the other hand, don't have network boot enabled for sane reasons, but getting them to use network booting is possible for the user fairly trivially. However, they also have recovery partitions, so they could also just be restored to a 'known' working copy of the system.

ChromeOS makes a lot of sense for smaller companies where the overhead of professional workstation management just doesn't make sense.

I don't know, I'd need to see the requirements, do research and do an assessment before I'd come to that conclusion.

It could work for larger companies, but they're almost never able to ditch client-side software.

There is the risk that when ditching client-side software, you grow dependent on a server and have to be ready to offer some sort of support recovery mechanism for downtime. That's expensive for small companies and large companies alike. Assessing the risks of using cloud services is often harder, especially with companies like Google, which provide very little notification about changes being made to Google Docs. Not to mention the controls you're given for management often do not let you control when a large upgrade (i.e. changing UI, new features, possible breakages/changes of old features) rolls out to you; if this happens at a critical time this could affect your business operation.

about two weeks ago

London Council Dumping Windows For Chromebooks To Save £400,000

Ash-Fox Re:Biggest saving is... (193 comments)

Sure, but only until the underlying vulnerability gets patched. Your antivirus wouldn't do anything about it until it is updated either.

Anti-virus software does not usually require software updates to catch identified viruses, it's usually just updating a definition/heuristic file.

How can a heuristic handle a virus using a new infection mechanism?

I'll use a consumer product that you're likely more familiar with in my example rather than enterprise software I use.

Avast has a heuristic built in for files that have no reputation: it runs these files inside a sandbox and observes their behaviour. If the program in question starts doing dodgy things like delivering typical infection payloads, Avast will close the sandbox and block the file from being run on the actual system.

In the case of worms, Avast also passively monitors applications generally, and when it detects a typical payload that worms use (such as trying to install a system rootkit and a bunch of startup entries) it will intercept the system API calls that are being used to perform this and prevent that from happening.

They only protect against viruses using known mechanisms, but which have a signature not in the database.

Indeed.

How many Chrome exploits have you mitigated against using antivirus alone, and for how long?

Chrome, being unauthorized software on some systems I manage, is blocked on multiple levels. Chrome (and by extension, its exploits too) has been blocked ever since it came into existence. Said management is done through system software policies that are reinforced by anti-virus solutions and passive proxy filters.

Avast reputation services are an example: a low reputation will result in the code not being executed at all.

Patching exploits is what keeps new infections out.

Sure, but until that happens, you're vulnerable; the time it takes to patch something versus adding a signature or a heuristic definition is significantly different.

However, if I had to pick and choose I'd pick secure-boot and frequent updates over an antivirus.

The original argument was that one replaces the other, which is what I disagree with. They both have different practical uses.

ChromeOS installations suffering viruses are unheard of

I don't deal in security around historical infections, I deal in the possibility of how a system can be compromised and then mitigating that risk as fast as possible and then through better means later if possible.

about two weeks ago
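The post above describes a behavioural heuristic: rather than matching a file signature, the anti-virus watches what a program does in a sandbox and blocks it when the observed actions add up to a typical worm payload (a rootkit install plus startup entries). As an added example, not code from the post, from Avast or from Slashdot, here is a toy scorer of that kind over a constructed trace of observed API calls. The event format, the indicator list, the weights and the block threshold are all constructed for this illustration.

```python
"""Added example (not from the Slashdot post or any vendor): score a sandbox
trace of observed API calls against behavioural indicators of a worm payload.
Event shapes, weights and the threshold are constructed for illustration."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    api: str      # observed call, e.g. "RegSetValue", "CreateService", "connect", "CopyFile"
    target: str   # the argument that matters: registry path, file path, service type or host:port


# Behavioural indicators. Each is a predicate over one event plus a weight;
# a single benign-looking indicator (e.g. one outbound connection) never blocks.
def _is_run_key(e: Event) -> bool:
    return e.api == "RegSetValue" and "\\CurrentVersion\\Run" in e.target


def _is_startup_folder(e: Event) -> bool:
    return e.api == "CopyFile" and "\\Start Menu\\Programs\\Startup\\" in e.target


def _is_kernel_driver(e: Event) -> bool:
    return e.api == "CreateService" and e.target == "SERVICE_KERNEL_DRIVER"


def _is_system_dir_drop(e: Event) -> bool:
    return e.api == "CopyFile" and e.target.lower().startswith("c:\\windows\\system32\\")


def _is_outbound(e: Event) -> bool:
    return e.api == "connect"


INDICATORS = [
    ("persistence:run_key", _is_run_key, 2),
    ("persistence:startup_folder", _is_startup_folder, 2),
    ("rootkit:kernel_driver", _is_kernel_driver, 4),
    ("drop:system_dir", _is_system_dir_drop, 2),
    ("network:outbound", _is_outbound, 1),
]

BLOCK_THRESHOLD = 5  # constructed: persistence alone (2) or a download alone (1) passes


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)  # indicator names in the order first seen

    @property
    def block(self) -> bool:
        return self.score >= BLOCK_THRESHOLD


def score_trace(trace):
    """Each indicator counts once however often it fires, so a chatty but
    legitimate installer is not penalised for repeating one benign step."""
    seen = {}
    for e in trace:
        for name, pred, weight in INDICATORS:
            if name not in seen and pred(e):
                seen[name] = weight
    return Verdict(score=sum(seen.values()), hits=list(seen))


# Constructed sample traces: a worm-like dropper and an ordinary updater.
WORM_TRACE = [
    Event("CopyFile", r"C:\Windows\System32\dropper.exe"),
    Event("CreateService", "SERVICE_KERNEL_DRIVER"),
    Event("RegSetValue", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dropper"),
    Event("connect", "203.0.113.10:4444"),
]
UPDATER_TRACE = [
    Event("connect", "updates.example.net:443"),
    Event("CopyFile", r"C:\Program Files\Example\app.exe"),
]

if __name__ == "__main__":
    for name, trace in (("worm", WORM_TRACE), ("updater", UPDATER_TRACE)):
        v = score_trace(trace)
        print(f"{name}: score={v.score} block={v.block} hits={v.hits}")
```

The point of the weighting is the one the post makes: the verdict comes from the combination of actions, not from knowing the binary in advance, so a new sample that reuses a known payload pattern is caught without a definition update.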

London Council Dumping Windows For Chromebooks To Save £400,000

Ash-Fox Re:Biggest saving is... (193 comments)

If the device were using secure boot, the device would refuse to boot at next reboot.

You misunderstand, it did not change the Windows system on the flash device. The system when it booted was always clean and got infected after boot; rebooting it would restart with a clean Windows install again.

An antivirus provides no protection against an unknown virus using a new infection mechanism.

Actually, it does. Modern anti-virus software still has heuristics that will kick in and many use 'community' based data to help determine the risk of a binary. This sort of filtering is available without the need to update software.

Anytime there is a known exploit it is patched to prevent the virus from being installed in the first place

Then you may be surprised to learn that producing patches for software takes longer than simply adding a few heuristic patterns or scripted rules to block it. There have been a few instances where I have pushed rules through firewalls and various anti-virus blocklist schemas to block problematic issues while vendors were still trying to resolve them (the last one I dealt with involved Java vulnerabilities, where Oracle spent a lot of time making patches while I simply blocked its use on untrusted sites with a few rules supplied to the URL filters in anti-virus control panels).

I do get the objection that secure boot only kicks in at boot, but I think when you consider how antivirus and ChromeOS updates work in practice, the latter actually provides more security.

No, you don't get my argument at all. I was booting systems that were 'fresh' installs every time the systems started and they would get infected practically immediately after boot. Secure boot doesn't help outside of exploits that would virtualize your entire operating system instance in order to hide itself. When you have an exploit that lets you run remote code on the system, you're running remote code. Maybe not on boot if there are code signing checks all the way, but that won't matter when it gets exploited on next boot.

In other words, you can still run malicious userland regardless if it got onto the system which is why a reactive Intrusion Detection System such as Anti-Virus software is extremely helpful.

about two weeks ago

London Council Dumping Windows For Chromebooks To Save £400,000

Ash-Fox Re:Biggest saving is... (193 comments)

Note: I am not the grand parent.

The OS is read-only and uses secure-boot. If something does manage to install itself there

There was a time I had imaged Windows XP systems that booted from a read-only flash device; this didn't stop those Windows XP systems from getting infected with a worm that sat on top of the famous Blaster worm. Its payload was a key logger reporting back to its controller (it was a problematic situation as I had no control of the network these were connected to).

So, think of it like having the antivirus built-in.

My quick fix (outside of being unable to update the OS due to some software conflicts) was to install anti-virus software that automatically updated itself to combat such worms. I think your line of thinking is wrong.

What does an anti-virus do which a Chromebook isn't already doing?

Combat worms, viruses etc. in real time as opposed to just on boot.

about two weeks ago

European Parliament Votes For Net Neutrality, Forbids Mobile Roaming Costs

Ash-Fox Re:Well, that does it (148 comments)

Greece did it to themselves.

No, the European Union prevented Greece from resolving their situation by detaching from the Euro currency so they could have their own and devalue their currency (like Iceland did recently). Now Iceland is thriving again, Greece is not.

When Greece attempted to do so, they removed the democratically elected leader and replaced him with a puppet. The country that brought democracy to the world...

about two weeks ago

European Parliament Votes For Net Neutrality, Forbids Mobile Roaming Costs

Ash-Fox Re:Good, I guess (148 comments)

everyone else uses BT wholesale services

Not true, see BE and Virgin.

about two weeks ago

Mt. Gox Knew It Was Selling Phantom Bitcoin 2 Weeks Before Collapse

Ash-Fox Re:Bitcoin (263 comments)

Regulations and backing have worked so well in the past... Nothing like this has EVER happened to any world currencies..

I don't think I've ever heard of a 'world currency' suffering from a well-known exploit in the Bitcoin protocol.

If I make this broader, I don't think I've ever heard of a 'world currency' suffering from a well-known exploit in computers.

about a month ago

WV Senator Calls For Ban On All Unregulated Cryptocurrencies

Ash-Fox Re:Bizarre Shadowy Paper-Based Payment System (240 comments)

Note: I don't live in the USA.
I quickly scanned the article, without trying I found faults with it.

Cash is a 100% anonymous and untraceable payments technology.

Except it isn't; serial IDs on money get recorded and its contact with banks is recorded for fraud and deprecation purposes. If it was 100% anonymous and untraceable, that wouldn't happen.

Though hard to imagine, cash operates with no consumer protection at all. If your ‘bills’ are stolen or lost, they are gone forever.

Except I have insurance if my physical money gets stolen or lost. So, I do have consumer protection?

Moreover, there appears to be no authentication mechanism associated with cash payments or transfers, let alone one that matches modern security standards.

Like the RFID chips in my notes?

about 2 months ago

Edward Snowden's Lawyer Claims Harassment From Heathrow Border Agent

Ash-Fox Re:When I watched films about the Nazis... (261 comments)

The prevalent news source in the UK for most citizens is the Daily Mail (which likely wouldn't discuss these issues, because it's nowhere near sensationalist enough), not the BBC. The BBC doesn't have even close to as much influence. A lot of people don't even give a crap about the news the BBC reports.

about 2 months ago

Edward Snowden's Lawyer Claims Harassment From Heathrow Border Agent

Ash-Fox Re:The agent barked the questions at Radack (261 comments)

Every time I have been through Customs and Immigration in the UK I have witnessed (or been subjected to) the agents there acting in a very demeaning manner towards travelers. To me it is SOP for the UK, to the point that I think the equivalent people in the US actually seem nicer.

I don't know... I've been to the U.S. I had to fill in a form on the flight saying I am not a terrorist, spy etc., then get fingerprinted, have my picture taken and be asked if I am there for business or pleasure, then asked trick questions.

Compare this to the UK where they don't even sit behind equipment that fingerprints or photographs you and they just want to see your passport.

about 2 months ago

Edward Snowden's Lawyer Claims Harassment From Heathrow Border Agent

Ash-Fox Re:The UK border staff are wildly incompetent. (261 comments)

I'm British.

I travel weekly between countries due to my current consultancy work. In my limited experience, the border guards really aren't there waiting for you in arrivals for European or Commonwealth countries.

I've been stopped at the border and hassled by a dim border guard. He was clearly trying to catch me in a lie and asked a question about somewhere I was living. He didn't like my (correct) answer and insisted I must be wrong, repeatedly.

I've never had personal details questioned by UK border control.

What the hell are you supposed to say to an obnoxious border guard who won't accept the legal, legitimate truth as an answer?

I wouldn't know, I have yet to encounter it.

about 2 months ago

Submissions

Ash-Fox hasn't submitted any stories.

Journals

Ash-Fox has no journal entries.
