September 10, 2006 at 6:30 pm
It Won't Work
I've seen this article in a few places, about Microsoft Research Building a Browsershield and I don't think it will work. Not that it's a good idea, but we get into this same problem over and over with security solutions that are devised by programmers and touted as the next great thing to solve our woes.
Let me give you an example of why I don't think this will work. Did anyone think 4 years ago that cross-site scripting would be a problem? I mean, you code a page to go grab something from another page and then display it to your user. But somehow the "bad guys" figured out a way to use it against us.
I remember even more years ago when everyone embedded links in their emails so people could easily follow them. Then we had "fake" emails posing as banks, merchants, etc. with email links that "appeared" to go to a real site. Now we can't trust those links anymore.
Rewriting code in a browser to "make it safe" is a worthy goal. And it will raise the bar for hackers and some of them won't be able to continue to attack us. But any scheme that a company comes up with will get circumvented. Every type of "sandbox" we've developed has been compromised, and more quickly as we add features and capabilities to the sandbox.
I'd like to see more secure browsing. And I hope IE gets there. I've set Firefox as the default, mainly because of my kids, but also because so many attacks have come through the advanced capabilities of IE. But also because it's hard to tell sometimes what issues may actually occur from downloading a web page. I just hope we don't start seeing all kinds of web pages breaking from legitimate sites because the dynamic, rich content we've come to enjoy stops working.
I know my week without ESPN, while they "broke" Firefox with a scripting update, was no fun at all. Without a daily paper, I felt a little lost following the end of the baseball season.
Steve Jones
PS - It's the 5 year anniversary of the 9/11 attacks in the US. If you feel so inclined, take a moment to remember those that are no longer with us.
September 11, 2006 at 2:02 am
And popups.
For one of our (web) applications it's used to present a login screen.
So you have to keep telling people to allow popups for the application.
Another thing "broken" by abuse.
September 11, 2006 at 4:05 am
I agree with you, Steve.
This is just another move in an endless confrontation between programmers and hackers. The only thing we can do is keep up with the latest security, evade attacks and be prepared for the worst case.
Latest security: All updates, all new virus information for our anti-virus, all new things for our anti-spyware programs, new firewalls etc. It's best when they're from different companies.
Evade attacks: I use Opera instead of IE. Just safer.
Be prepared for the worst case: BACKUPS!!!
September 11, 2006 at 6:31 am
I don't mean to offend, but I'm going to take this a slightly different direction...
Hackers are to corporate IT what Terrorists were to 9/11. Without any thought for the people they hurt, even thinking themselves as justified and fighting a righteous war, the Hackers and Terrorists continue to create havoc.
Until we treat Hackers the same way we treat Terrorists, the problem will continue. This means some talented people will be killed or sentenced to long jail terms. Other countries will have to write laws and pursue the Hackers along with the Americans.
Until we have the political will to declare war on Hackers, billions will be wasted trying to keep them at bay.
September 11, 2006 at 8:11 am
The BrowserShield framework actually does work very well for removing social engineering attacks. If the code is never seen by the user, they can't be tricked into clicking, right? If we start removing threats at the gateway and not letting them reach our internal networks, then we don't need to worry about educating users against the threats (which is really the only way to be 100% safe). If every user on my network had the knowledge of Kevin Mitnick, my network would never be compromised.
Joshua Perry
http://www.greenarrow.net
September 11, 2006 at 12:02 pm
I look at it as help and also something to hurt you. I think it will help grandma from her machine being turned into a bot, maybe.
I also see it being a crutch. If it would have defeated all of the updates from 05 prior to patches, then I can see some network admins not applying patches because BrowserShield will take care of it. I think MS will also take longer to get out patches. As tough as it already is for the security community to get them to issue patches out of cycle for 0-day vulns, I see this as being their ability to say, "Use BrowserShield, it will keep you safe" until we get around to issuing the patch during our monthly cycle.
September 11, 2006 at 4:23 pm
There is never time to do it right but always time to do it again.
It's time to go back to the basics - edit your parameters (API arguments) for:
If this set of programming 101 rules from the 70's had been followed, my guess is that 80-90% of the 'flaws' present today would not exist!
Regards
Rudy Komacsar
Senior Database Administrator
"Ave Caesar! - Morituri te salutamus."