lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri Aug 19 05:26:17 2005
From: measl at mfn.org (J.A. Terranson)
Subject: [MISC] When people ask for security holes as
	features (fwd)


Too good not to share!

-- 
Yours,

J.A. Terranson
sysadmin@....org
0xBD4A95BF


I like the idea of belief in drug-prohibition as a religion in that it is
a strongly held belief based on grossly insufficient evidence and
bolstered by faith born of intuitions flowing from the very beliefs they
are intended to support.

don zweig, M.D.


---------- Forwarded message ----------
Date: Thu, 18 Aug 2005 19:37:37 +1200
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: cryptography@...zdowd.com
Subject: When people ask for security holes as features

Raymond Chen's blog has an interesting look at companies trying to bypass
Windows XP's checks that a driver has been WHQL-certified:

  My favorite stunt was related to my by a colleague who was installing a
  video card driver whose setup program displayed a dialog that read, roughly,
  "After clicking OK, do not touch your keyboard or mouse while we prepare
  your system." After you click OK, the setup program proceeds to move the
  mouse programmatically all over the screen, opening the Display control
  panel, clicking on the Advanced button, clicking through various other
  configuration dialogs, a flurry of activity for what seems like a half a
  minute. When faced with a setup program that does this, your natural
  reaction is to scream, "Aaaiiiiigh!"

There are many more examples (in followup comments and links) of vendors
cheating in the certification and install process:

  my new Dell laptop came with an usigned bluetooth driver whose setup
  automatically clicks on the Continue button of the dialogs while installing
  the driver

  the driver for a USB memory key [...] would install and auto-push the button
  on that warning dialog. XP SP2 added a new check for kernel memory pool
  corruption and guess what? This driver would blue-screen every time the
  memory key was plugged in.

  I work on a wifi product that sometimes is bundled with wifi cards. When
  packaged like that our installer also installs the wifi card dirver. Guess
  what. The suits are all upset about the "unsigned driver" warning, and they
  are sure that a programmer more clever than me could make them go away. Of
  course actually getting the drivers certified is too expensive. Excuse me
  while I get back to work on my TPS report.

  I still remember one of Linksys's Wireless B PCMCIA cards. I went to install
  the driver, the instructions actually said something to the tune of "Ignore
  this warning box, it doesn't mean anything important. Continue clicking OK
  on every screen until the driver finishes installing." Hell I could have put
  a box in that said "Click here to format your hard drive" and I'm sure some
  end users would have clicked OK. Cisco is a huge company, surely the WHQL
  payment isn't much to them.

  At a company I used to work for they had found away around that dialog box.
  They would silently launch the System Properties / Driver Signing Options
  dialog, send windows messages to select "Ignore" and then click ok,
  effectively turning off the dialog box (BTW, the code to re-enable the
  setting was commented out, so the installer made your machine less secure
  forever -- great stuff coming from a security company).

More details at http://blogs.msdn.com/oldnewthing/archive/2005/08/16/452141.aspx.
The best suggestion is that the warning be changed to:

  Warning! Your hardware manufacturer hasn't bothered to test this driver!

  Do you feel lucky?

  [Yes] [No]

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@...zdowd.com

Powered by blists - more mailing lists