JMH
Emeritus, Contributor
- Apr 2, 2012
- 7,197
Linux Foundation unveils a workaround for Win 8 Secure Boot
- Thread starter JMH
- Start date
AceInfinity
Emeritus, Contributor
And who doubted this when I mentioned someone coming out with a way to achieve this here? I remember it being someone on this forum haha :lol: (Can't find the thread or remember the exact discussion about this though)
A good example though of why you can't take things for granted though with technology. "Unbreakable security" or any of the like, in regards to phrases or statements others make about a specific product, always proves to be false after a while. You just need to give it time :)
This is why I trust in my own brain more than I do in relying on any program or OS to keep things secure FOR me. It's the best way to stay secure, just a little common sense and diligence.
edit: "building a binary which has the Fedora key embedded, and then getting that binary signed by Microsoft" --- Annnd again, Microsoft takes a hit for their Digital Signature's flaw... :shame2: Needs to be fixed.
~Ace
A good example though of why you can't take things for granted though with technology. "Unbreakable security" or any of the like, in regards to phrases or statements others make about a specific product, always proves to be false after a while. You just need to give it time :)
This is why I trust in my own brain more than I do in relying on any program or OS to keep things secure FOR me. It's the best way to stay secure, just a little common sense and diligence.
edit: "building a binary which has the Fedora key embedded, and then getting that binary signed by Microsoft" --- Annnd again, Microsoft takes a hit for their Digital Signature's flaw... :shame2: Needs to be fixed.
~Ace
Last edited:
Actually, the signature files come from VeriSign, so that wouldn't be a Microsoft problem. And no, nothing is unbreakable, but with UEFI signed/secure boot plus Windows 8's measured secure boot plus decent security software built into the hardware itself (available soon from Intel, apparently) that Windows 8 is capable of using, it does make security of the OS that much better. While the open source community is usually up in arms about something Microsoft is doing for security, this one at least really does make the host OS boot path and runtime that much more secure. Tinfoil hat wearers will always decry somehow that Microsoft is trying to lock them out, but in this case it can be turned off (or for $99, you can get your own osloader key so that you too can build and boot your OS in a more secure manner on UEFI). This is much ado about nothing.... ok, it's much ado about $99 
.
.
AceInfinity
Emeritus, Contributor
A signature that came from VeriSign, but digital signatures in general by Microsoft implementation will still be insecure regardless of where they come from, so I'd disagree. In my opinion it is a Microsoft issue at hand here. Not to mention for the tests and examples they've requested by me, I WAS able to modify a signature digitally signed by them, for MSE itself... Their own installer for Microsoft Security Essentials, and the program/application itself after installation. So this is not a VeriSign issue if that's what you're saying.
Perhaps, and I don't disagree, but keep in mind that Malware and technicalities increase everyday as well. So in the end, how much better than before? (in relative comparison between Bad vs. good back then and now?)
You give me the name of any Microsoft signed file, for even Windows 8 RTM, and i'll still show you that it's not entirely secure. Although hopefully they are still aware of this since my last encounter with them in regards to this, and they'll be working on it to fix it. I don't feel like bugging them anymore than I have to about this though, because I did initially show them how it was flawed, with the exact steps taken to show this security flaw.
I believe "Flame" also used the flaws in signatures to their advantage. So it is out there, these hackers are almost mocking Microsoft for the fact that this flaw exists, and i'd like to see Microsoft retaliate from it. There's a couple others even after "Flame" I was reading about last week. Same thing with Digital Signatures. Including people modifying Adobe signatures to place within their bad files.
What's worse is for how easy it is to do... And i'm not a super computer. I've just been heavily influenced and inspired by Mark Russinovich's speeches and content that computer security was something i've been looking into for a while now.
:beerchug2:
Last edited:
In all reality if someone has unrestricted access to your computer there is no amount of protection that can keep you safe...
This is why you lock your doors and businesses have security features in place... The software itself will never be enough.
This is why you lock your doors and businesses have security features in place... The software itself will never be enough.
AceInfinity
Emeritus, Contributor
I'd agree to some extent. That is true though :) It all depends on how the AV in autotime will determine what kind of suspicious activity is deemed as malicious though as well. It's not just reading instructions within a file at scantime, but any kind of network activity or local remote activity on your filesystem itself as well or services, etc...
Lots of AV's today monitor activity in this way, because a first barrier won't do it all the time. However, if AV's now start relying on trusted digital signatures to determine which files to exclude from any kind of protection, we're done. With the current vulnerabilities in Digital Signatures in general at this point in time.
So my thought is this: What do we use Digital Signatures for until they fix them? Nothing to speed up the performance for a filesystem scan from some protection program you have on your PC, because it doesn't guarantee that the file is not malicious. And vice versa with even checking for digital signatures in the shell properties dialog either, because it's still not 100% reliable at this time. And when will we know when they are not reliable? I'd expect Microsoft to (hopefully) release information about this. But even then, I wouldn't expect it to be bulletproof because nothing is in my opinion.
I'll give you a real world example. Mark Russinovich talking about finding malicious code execution from malware found in predator drone applications by the military. Cyber war in the future or what? :thumbsup2:
Note: Ever seen the movie "War Games"?
(For something that's supposed to be highly secure, how secure can we tell it to be? If this is what others who aren't supposed to have access to something, have access to?)
Lots of AV's today monitor activity in this way, because a first barrier won't do it all the time. However, if AV's now start relying on trusted digital signatures to determine which files to exclude from any kind of protection, we're done. With the current vulnerabilities in Digital Signatures in general at this point in time.
So my thought is this: What do we use Digital Signatures for until they fix them? Nothing to speed up the performance for a filesystem scan from some protection program you have on your PC, because it doesn't guarantee that the file is not malicious. And vice versa with even checking for digital signatures in the shell properties dialog either, because it's still not 100% reliable at this time. And when will we know when they are not reliable? I'd expect Microsoft to (hopefully) release information about this. But even then, I wouldn't expect it to be bulletproof because nothing is in my opinion.
I'll give you a real world example. Mark Russinovich talking about finding malicious code execution from malware found in predator drone applications by the military. Cyber war in the future or what? :thumbsup2:
Note: Ever seen the movie "War Games"?
(For something that's supposed to be highly secure, how secure can we tell it to be? If this is what others who aren't supposed to have access to something, have access to?)
Last edited:
I also agree that nothing will ever be bullet proof...
Even if digital signing were to be perfected you will still have to trust that the file is safe...
For example it is not uncommon for companies to release software that is not truly safe...
Just to name a recent few, multiple FF bugs, flash, skype recently had a huge flaw,chrome,java...
You can never trust something completely nor will you ever be able to.
Even if you have the best security manned 24/7 the possibilities of an inside job still exist
Just a never ending battle :banghead:
No side will ever give up you just learn to live with it.
My favorite is when the user themselves are the issues... For example soldiers updating there facebook statuses with global positioning while under cover :banghead:
Even if digital signing were to be perfected you will still have to trust that the file is safe...
For example it is not uncommon for companies to release software that is not truly safe...
Just to name a recent few, multiple FF bugs, flash, skype recently had a huge flaw,chrome,java...
You can never trust something completely nor will you ever be able to.
Even if you have the best security manned 24/7 the possibilities of an inside job still exist
Just a never ending battle :banghead:
No side will ever give up you just learn to live with it.
I remember listening to his presentation about that :lolg:
My favorite is when the user themselves are the issues... For example soldiers updating there facebook statuses with global positioning while under cover :banghead:
Last edited:
AceInfinity
Emeritus, Contributor
"Even if digital signing were to be perfected you will still have to trust that the file is safe..." -- Unless!!... You've got some experience in reverse engineering (for information retrieval only) about how the file operates on your filesystem. If you notice some odd instructions; writing to another process memory, any AV references, any hooks on system information and queries, when the file is maybe just something like Photoshop or some Image viewer app you downloaded off the net. Then you've got some serious issues, and the file probably shouldn't be trusted, regardless of what the Digital Signature says.
"For example it is not uncommon for companies to release software that is not truly safe..." -- Nope, and you'll get that a lot with lots of the smaller companies. Larger companies like Apple, Adobe, Microsoft, etc... Will usually sign their stuff though.
"My favorite is when the user themselves are the issues... For example soldiers updating there facebook statuses with global positioning while under cover :banghead:" -- Haha, yes :) I read an article about that as well here posted by JMH. Just goes to show you that people do develop strategies, for the socially unaware people using a computer, or even to do with things that 'trick' your system itself, if they can't trick YOU. You can have Antiviruses, but you still have to keep your brain in high alert regardless. That's my rule with computer security.
It should be more widely known, but I know lots of even my family members that think an Antivirus is the best thing ever, and depending on whether it's even free or paid, determines how good it'll do for protecting your system. Otherwise if it can't protect it for you, then nothing can. Which is all a bunch of false information I believe (for the most part).
Has Sysnative Forums helped you? Please consider donating to help us support the site!