
Comment: Re:on purpose or not, couldn't happen if... (Score 1) 445

by Ash-Fox (#46722753) Attached to: Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

C++ has bounds-checked containers.

And yet, this problem still happened.

From Wikipedia:

OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.

I fail to see Anonymous' point.

Comment: Re:Biggest saving is... (Score 1) 193

I'm not saying it isn't possible, but depending where on the protocol stack the USB port is intercepted, it might still be vulnerable.

Possible, yes.

You also introduce the risk of vulnerabilities in your antivirus software (which is probably closed-source)

Yes, there is a risk when you run any software.

and the risk of breaking things if you deploy a bad update

As with any software, you risk breakages when you deploy an update. Of course, in the case of anti-virus software, you're at risk of downtime if it's a bad update, much like OS updates. However, in some cases, the risk may be reduced, when the software does not require refactoring of major code on short notice.

(why would an OS update require testing, but an antivirus update not?).

I never said don't do testing (unless there is some massive risk that would qualify downtime being acceptable over vulnerability). I noted repeatedly that the time it takes to produce a software change would take more time than updating definitions in general circumstances.

Antivirus really seems like a technical solution to a non-technical problem: unresponsive software vendors.

It doesn't seem that Google is better at it, considering the speed (the time that passed after the exploit was known) of when an update was made available for CVE-2014-1705, CVE-2014-1706, CVE-2014-1707, CVE-2014-1708, CVE-2014-1710 and CVE-2014-1711 (which were exploited on ChromeOS).

Comment: Re:Biggest saving is... (Score 1) 193

Your antivirus software is capable of intercepting and preventing buffer overflow attacks coming in via the USB port?

Yes. In this specific scenario, if this would have been a Windows issue, I would have managed through my software/security management panel and Lumension; while on Linux it's through my software/security management panel and system black and white lists (ie: udev rules).
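The udev black/white list approach mentioned above, as an added example that is not from the post: a default-deny rules file (assumed path, constructed vendor/product IDs) that keeps hubs and listed devices authorized and uses the kernel's per-device authorized attribute to deauthorize anything else that is plugged in.

```udev
# Assumed path: /etc/udev/rules.d/10-usb-allowlist.rules (added example, not from the post)
# Policy: every USB device attached after this file is loaded is deauthorized
# unless it is a hub or is explicitly allowlisted below. Deauthorized devices
# stay enumerated but no driver binds to them, so their interfaces are never
# exposed to the kernel's class drivers.

# Only act on whole devices, not on their interfaces (which lack idVendor/idProduct).
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}!="usb_device", GOTO="usb_allowlist_end"

# Keep root hubs and built-in hubs usable (USB device class 09 = hub).
ACTION=="add", SUBSYSTEM=="usb", ATTR{bDeviceClass}=="09", GOTO="usb_allowlist_end"

# Allowlist: one rule per approved device. IDs below are constructed placeholders;
# replace them with the values from `lsusb` for the devices you approve.
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1234", ATTR{idProduct}=="5678", GOTO="usb_allowlist_end"
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1234", ATTR{idProduct}=="9abc", GOTO="usb_allowlist_end"

# Default deny: flip the device's authorized attribute to 0 and log the event
# so the block shows up in syslog for the person managing the fleet.
ACTION=="add", SUBSYSTEM=="usb", ATTR{authorized}=="1", ATTR{authorized}="0", \
    RUN+="/usr/bin/logger -t usb-policy blocked unlisted usb device $attr{idVendor}:$attr{idProduct} at %p"

LABEL="usb_allowlist_end"
```

Reload with `udevadm control --reload-rules` and test on a non-production machine first: because the rules also run during coldplug, an unlisted keyboard or mouse will be deauthorized at boot unless its IDs are added to the allowlist.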

Comment: Re:Biggest saving is... (Score 1) 193

by Ash-Fox (#46673209) Attached to: London Council Dumping Windows For Chromebooks To Save £400,000

You keep coming back to Java, but Java is not a component of ChromeOS.

I didn't say it was.

In the same way, the fact that Oracle can't figure out how to do security updates

I see no evidence of that being the case. Oracle use automatic updates, sane patching policies (breaking changes go into the next 'major' version of Java etc).

is just one of the reasons why ChromeOS doesn't support Java at all.

That's quite the assumption there; the goals I have heard with Chromebooks involve promoting cloud, HTML5 local applications. I don't see how Java fits into that vision on a Chromebook to begin with.

I'm looking for evidence that an actual component of ChromeOS can't be updated as quickly as a virus definition.

Eh, I'm not that knowledgeable on ChromeOS itself, but there is one component it uses that I am fairly familiar with... I can deploy a heuristic filter for CVE-2013-1860 in roughly 15 minutes with some fairly simple pattern matching through a text file and my software/security management console. It doesn't require a reboot or interaction from users, nor does it interrupt the user.

Compare this to the time it takes to figure out the code changes for CVE-2013-1860, compile a debug build of the kernel, pass it to the build server for a non-debug build, sign it and patch systems, with the vulnerability only fixed after a reboot. Pretty certain that the minimum there is at least a few hours.

The evidence here is the fact that I can write a text file with a few lines to prevent the attack from working as opposed to changing code (possibly even doing major re-factoring) that requires recompilation of the kernel.

This is going to be the case for the majority of exploits out there where existing adequate support for 'definitions' that could counter this can be used.

Comment: Re:Biggest saving is... (Score 1) 193

by Ash-Fox (#46668291) Attached to: London Council Dumping Windows For Chromebooks To Save £400,000

By update I was speaking of definition updates. Without them, the software can't detect a new form of virus.

I wasn't, because the difference between a software patch and a definition update is the time it takes to produce them.

So, either the virus is using a known mechanism/payload/etc or not.

True, focus on detecting has shifted to looking at payloads rather than mechanisms now, because payloads are harder to make different.

If it is, then the OS will be patched against it, and the virus won't be able to install a rootkit/etc.

If it is, then it has a low reputation and will be blocked with the right security settings anyway (admittedly, I have that type of functionality turned off on my machines because I develop software too; anti-virus software putting my compiled applications into quarantine or deleting them is annoying).

What makes you think that a heuristic scanner will be able to discover a virus, but the OS vendor won't be able to patch the vulnerability that allowed it in?

A recent example is Oracle's recent struggle with Java vulnerabilities:

They were unable to patch their software fast enough to close all the zero days. I was able to define rules in anti-virus to block unauthorized issues in Java however.

You claim the time required to update a definition vs patch a vulnerability is significantly different, but I don't really see any evidence supporting this.

I just gave you some.

I'm sure your systems are completely vulnerable to a comet impact that destroys all life on earth, and that is because the risk of that happening is low compared to the effort required to mitigate it.

I generally work off using requirements, ie: Must be protected against cyber threats, physical access requirements against an armed person, isolated networks etc.

I also suggest new requirements to add to those and raise risks around certain implementations.

Besides, what is your alternative?

I would need a set of requirements to work with first and some time to research the options. Something that I don't really want to do for this conversation.

I'm not aware of any other OS that provides the same kind of security/etc for anywhere near the same cost as ChromeOS.

I don't really deal with things on a consumer level, but, it wouldn't be unlikely to get a good deal with certain PC vendors for getting X amount of units for a fairly cheap price. So, money is not exactly a thing I worry too much about in my current line of work.

The last virus-related issue we had at work was a few years ago when McAfee deployed a definition update that quarantined a critical system file - half the company was down for a few days while everybody brought their PCs in for servicing.

McAfee isn't that great of a piece of anti-virus software. If you visit you will find that it's often near the bottom when it comes to comparisons (even a few years ago). So, it doesn't surprise me you ran into problems with a piece of software that does not really excel in good quality.

It does have one of the better enterprise management control panels however, but I don't think this makes up for its poor (or lack of) heuristic scanner, and it depends almost entirely on cloud connection for doing that sort of analysis.

Something like that would be virtually impossible on ChromeOS since the whole OS image is device-specific and updated as a unit, so if one doesn't boot none of them will (so only an idiot would miss it in testing).

I could network boot systems and reimage them in the office. Laptops on the other hand don't have network boot enabled for sane reasons, but getting them to use network booting is possible for the user fairly trivially. However, they also have recovery partitions, so they could also just be restored to a 'known' working copy of the system.

ChromeOS makes a lot of sense for smaller companies where the overhead of professional workstation management just doesn't make sense.

I don't know, I'd need to see the requirements, do research and do an assessment before I'd come to that conclusion.

It could work for larger companies, but they're almost never able to ditch client-side software.

There is the risk that when ditching client-side software, you grow dependent on a server and have to be ready to offer some sort of support recovery mechanism for downtime. That's expensive for small companies and large companies alike. Assessing the risks of using cloud services is often harder, especially with companies like Google where they provide very little notification about changes being made on Google docs. Not to mention the controls you're given for management often do not let you control when a large upgrade (ie: changing UI, new features, possible breakages/changes of old features) rolls out to you; if this happens at a critical time this could affect your business operation.

Comment: Re:Biggest saving is... (Score 1) 193

Sure, but only until the underlying vulnerability gets patched. Your antivirus wouldn't do anything about it until it is updated either.

Anti-virus software does not usually require software updates to catch identified viruses, it's usually just updating a definition/heuristic file.

How can a heuristic handle a virus using a new infection mechanism?

I'll use a consumer product that you're likely more familiar with in my example rather than enterprise software I use.

Avast has a heuristic built in for files that have no reputation; it runs these files inside a sandbox and observes their behaviour. If the program in question starts doing dodgy things like delivering typical infection payloads, Avast will close the sandbox and block the file from being run on the actual system.

In the case of worms, Avast also passively monitors applications generally and, when it detects a typical payload that worms use (such as trying to install a system rootkit and a bunch of startup entries), will intercept the system API calls that are being used to perform this and prevent that from happening.

They only protect against viruses using known mechanisms, but which have a signature not in the database.

How many Chrome exploits have you mitigated against using antivirus alone, and for how long?

Chrome being unauthorized software on some systems I manage is blocked on multiple levels. Chrome (and by extension, its exploits too) have been blocked ever since it came into existence. Said management is done through system software policies that are reinforced by anti-virus solutions and passive proxy filters.

Avast Reputation services is an example; a low reputation will prevent the code from being executed entirely.

Patching exploits is what keeps new infections out.

Sure, but until that happens, you're vulnerable; the time it takes to patch something versus adding a signature or a heuristic definition is significantly different.

However, if I had to pick and choose I'd pick secure-boot and frequent updates over an antivirus.

The original argument was that one replaces the other, which is what I disagree with. They both have different practical uses.

ChromeOS installations suffering viruses are unheard of

I don't deal in security around historical infections, I deal in the possibility of how a system can be compromised and then mitigating that risk as fast as possible and then through better means later if possible.

Comment: Re:Biggest saving is... (Score 1) 193

If the device were using secure boot, the device would refuse to boot at next reboot.

You misunderstand, it did not change the windows system on the flash device. The system when it booted was always clean and got infected after boot; rebooting it would restart with a clean windows install again.

An antivirus provides no protection against an unknown virus using a new infection mechanism.

Actually, it does. Modern anti-virus software still has heuristics that will kick in and many use 'community' based data to help determine the risk of a binary. This sort of filtering is available without the need to update software.

Anytime there is a known exploit it is patched to prevent the virus from being installed in the first place

Then you may be surprised to learn that producing patches for software takes longer than simply adding a few heuristic patterns or scripted rules to block it. There have been a few instances where I have pushed rules through firewalls and various anti-virus blocklist schemas to block problematic issues while vendors were still trying to resolve them (the last one I dealt with involved Java vulnerabilities, where Oracle spent a lot of time making patches while I simply blocked its use on untrusted sites with a few rules supplied to the URL filters in anti-virus control panels).

I do get the objection that secure boot only kicks in at boot, but I think when you consider how antivirus and ChromeOS updates work in practice, the latter actually provides more security.

No, you don't get my argument at all. I was booting systems that were 'fresh' installs every time the systems started and they would get infected practically immediately after boot. Secureboot doesn't help outside of exploits that would virtualize your entire operating system instance in order to hide itself. When you have an exploit that lets you run remote code on the system, you're running remote code. Maybe not on boot if there are code signing checks all the way, but that won't matter when it gets exploited on next boot.

In other words, you can still run malicious userland regardless if it got onto the system which is why a reactive Intrusion Detection System such as Anti-Virus software is extremely helpful.

Comment: Re:Biggest saving is... (Score 1) 193

Note: I am not the grandparent.

The OS is read-only and uses secure-boot. If something does manage to install itself there

There was a time I had imaged Windows XP systems that booted from a read-only flash device; this didn't stop those Windows XP systems from getting infected with a worm that sat on top of the famous Blaster worm. Its payload was a key logger reporting back to its controller (was a problematic situation as I had no control of the network these were connected to).

So, think of it like having the antivirus built-in.

My quick fix (outside of being unable to update the OS due to some software conflicts) was to install anti-virus software that automatically updated itself to combat such worms. I think your line of thinking is wrong.

What does an anti-virus do which a Chromebook isn't already doing?

Combat worms, viruses etc. in real time as opposed to just on boot.

Comment: Re:Well, that does it (Score 1) 148

Greece did it to themselves.

No, the European Union prevented Greece from resolving their situation by detaching from the Euro currency so they could have their own and devalue their currency (like Iceland did recently). Now Iceland is thriving again, Greece is not.

When Greece attempted to do so, they removed the democratically elected leader and replaced him with a puppet. The country that brought democracy to the world...
