Comment Feed for Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch (Going Deep on Channel 9)

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

nvictor — Mon, 02 Mar 2009 02:44:23 GMT

Great talk!

Man I also like that green shirt, mind if I ask what it is?

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

dandare934 — Thu, 15 Jan 2009 11:55:49 GMT

Excellent video. Now I know where Ross went after Friends!

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

blad3runn69 — Fri, 03 Oct 2008 09:59:49 GMT

this man is a genius, and a very eloquent speaker. I could sit on the porch & drink that shiraz? on the desk (hehe :P) & listen & learn all night. Thank you for sharing your wisdom. Standing on the shoulders of giants.

how to securing the bad cluster and sector?

ahmed_baluch2001 — Thu, 20 Dec 2007 11:25:03 GMT

i want how to securing cluster and bad sector in hard drive?becuse the bad cluster and bad sector very cover the hard drive free space and do'nt read in there secter and cluster:):O

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

jinx4848 — Wed, 17 Oct 2007 02:18:00 GMT

With regard to ~19:00 of the video and the discussion about the *Setup|Install*.exe heuristic:

Didn't Mark miss an important point about the finding?

The claim was that any file with setup or install in it would automatically be given admin privileges which is a security risk, and Mark's rebuttal is that it's not a security risk because "99.9%" of those files are indeed installers.

But the problem isn't with the executables that *are* installers, they never had security issues to worry about in the first place. The problem is with executables that are *not* installers and pose as one to get free admin rights. Is there anything else guarding an application from exploiting that? If not, then how is that a secure heuristic? I'm confused as to how Mark missed that, and I hope it's because it's something that I missed in my understanding of the issue.

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

BratKid — Sat, 15 Sep 2007 04:41:40 GMT

Wow,great and good for you.:)

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

SoakinItIn — Thu, 12 Jul 2007 04:08:27 GMT

Great interview. More of why Mark is a fill-the-room-to-capacity draw at TechEd and other events... Regarding " made a rude comment about Apple relating to their ads which target Vista UAC in a Matrix kind of way and felt it appropriate to remove it" -- bushleague. If you can't not do that, bail out. Apple kicks MS (I need to watch my language) in a lot of areas and smarmy doesn't cut it as a "come back". Quality products DO make a great comeback. Make more of those. Hire more quality people like Mark. That's a key!!! And quit worrying about when MS "loses" to a competitor. Go get better, don't whine about it...

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

nkav_au — Wed, 06 Jun 2007 05:48:06 GMT

Can anyone else make out the names of books on Mark's bookshelf. The one on the far right is the O'Reilly Active Directory book.

Great interview! More Mark on channel9!

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

Jim Carr — Mon, 30 Apr 2007 23:41:37 GMT

mark is king of hte kernal

List of books

vedala — Tue, 17 Apr 2007 03:29:22 GMT

Mark, please, could you give us the list of books sitting behind you?
I could figure out only few.

Cheers.

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

frick123 — Fri, 13 Apr 2007 07:31:12 GMT

I had a really good read on this, very detail,
and very useful information.Thanks.

Hot iPhone Converter
http://www.iphoneconverter.com

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

jawz101 — Sat, 07 Apr 2007 21:57:33 GMT

mbluett, in response to ASLR randomization:
http://www.symantec.com/avcenter/reference/Security_Implications_of_Windows_Vista.pdf

The results of this analysis show that at least one aspect of ASLR’s implementation did not perform as expected. Symantec found that one of the randomized components was not randomized consistently, resulting in a reduced degree of randomness in the layout of an application’s memory. While ASLR continues to be effective, this reduction does increase the likelihood that an attacker can guess the correct address to target.
Microsoft has confirmed Symantec’s research findings and resolved the issue highlighted. These
shortcomings are due to be addressed in Windows Vista SP1.

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

mbluett — Fri, 06 Apr 2007 19:42:16 GMT

With regard to a virus and the ASLR mechanism: Wouldn't it be possible for a virus to try each of the 256 locations looking for the function address it requires?

Also, with regard to the UAC, many users of Vista will not understand what the UAC message is actually attempting to convey and in some cases they will just click Continue. Do you have any words of wisdom as to how to instruct these people how to handle the UAC events given this lack of understanding?

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

Lofote — Tue, 03 Apr 2007 12:47:05 GMT

Quote:
I totally understand why you guys didn't use the name of the idiot company (sony) that tried to rootkit everybody, but that was really when I got into reading Mark's blog

Oh my god, there are still people out there, who can't see the difference between "Sony" and "Sony BMG"? I mean, you do realize there are a few more letters behind that first word, even capitalized??

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

pdhot — Thu, 29 Mar 2007 23:21:25 GMT

Mark Russinovich might be the best mind at Microsoft. Clear spoken, he makes even the most complicated topics somewhat understandable to the rest of us. I would give up my next child to spend some time with him (that's a figure of speach).

PsTools, Filemon, and Regmon not only simplified my life, but gave some insight into what my network was really all about.

We need more of this guy on channel 9, he is the great communicator of the IT world!!!

Thanks for having him.

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

AJenbo — Tue, 27 Mar 2007 15:09:39 GMT

I think apple forgot that they to promt for admin access an has all the system settings littred with theas little lock icons you have to lock and unlock when they made that add where they make fun of UAC, atleast in windows you don't have to type in you username and password to change settings.

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

karnokd — Tue, 27 Mar 2007 05:18:53 GMT

The UAC is indeed a big leap forward. But I understand 'her' issues as well. Apart from the user experience clicking many times on 'Do you accept...' dialog boxes, I would feel much safer when running an installer there were much finer grained acceptance rules. For example: extra warning if installer wants to add a service or kernel mode component - not just a complete or none elevation.

Anyway, thanks for the SysInternals!

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

William Stacey — Tue, 27 Mar 2007 01:24:47 GMT

Mark Russinovich wrote:

Passwords are still required to logon user accounts. While its technically possible to create a session that represents a user without using their password, there would be many serious limitations that make that approach problematic. For example, a user's protected storage area, including their EFS keys, can only be unlocked with their password. In addition, Kerberos network authentication requires the password and so none of the user's network resources would be accessible.

Thanks for the nice feedback, everyone. Glad you enjoyed the interview

Thanks for the info Mark, that helps. Hope to see more and nice work on the 3 technet articles! Cheers.

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

Mark Russinovich — Mon, 26 Mar 2007 04:31:23 GMT

Passwords are still required to logon user accounts. While its technically possible to create a session that represents a user without using their password, there would be many serious limitations that make that approach problematic. For example, a user's protected storage area, including their EFS keys, can only be unlocked with their password. In addition, Kerberos network authentication requires the password and so none of the user's network resources would be accessible.

Thanks for the nice feedback, everyone. Glad you enjoyed the interview :D

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

William Stacey — Sun, 25 Mar 2007 23:31:15 GMT

Thanks Mark and Charles. In vista context, is there any changes/improvements/apis for Services that need to impersonate users (i.e. job scheduler, etc)? Or you still need to use LogonUser api with a stored/encrypted password? It would seem, if your admin, you should be able to impersonate a user without a password (and maybe just a audit entry to show you did). Or maybe even a policy to allow admin impersonate right only from a service or something. tia

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

Charles — Sun, 25 Mar 2007 23:18:45 GMT

unforgiver wrote:
I think this is good video. But the question is - why there is a cut at minute 31? Does he said too much there? Can we see "directors cut" version of this video? Second question is: If debugger knows where the exes and dlls reside what is the problem to take the debugger, see what it is doing and use the same techniques to mess around with the system?

As I said above, I made a stupid comment about Apple and I did not want to release it to the public. It has nothing to do with the interview and its removal does not impact content quality.

The next time the debugger runs (assuming a reboot happens beforehand), the dlls and exe it was attached to will not be located in the same memory locations. That's the point of the defense mechanism. If a hacker is on your machine running a debugger, then she probably won't be on your machine running a debugger...

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

unforgiver — Sun, 25 Mar 2007 22:49:48 GMT

I think this is good video. But the question is - why there is a cut at minute 31? Does he said too much there? Can we see "directors cut" version of this video? Second question is: If debugger knows where the exes and dlls reside what is the problem to take the debugger, see what it is doing and use the same techniques to mess around with the system?

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

RichardRudek — Sat, 24 Mar 2007 23:38:25 GMT

Yeah, the first edit-point does break the thought, so here's a filler for you... :)

I wrote a short (colourful) article (many years ago) that talked about being aware about unexpected behaviours, which I think is relevant to this topic of UAC spoofing. The article I wrote was specifically about floppy-based virus infections, and how, through the dicipline of keeping the write-protect tabs in place at all times (yes, 5.25" floppies), I was able to detect suspicious behaviours, like the floppy being accessed at (repeatedly) inappropriate times.

By familarising myself with what were expected behaviours, awareness of any unexpected ones [1] would trigger an investigation, checking for viruses, etc.

So in the case of UAC spoofing (without the Secure Attention Sequence - Ctrl-Alt-Del), if you see more than one elevation request, be suspicious !

Do I think that's a sustainable practice, having to train users into what are expected and unexpected behaviours ? No, but until UAC is nailed down and "hardened", so that it does become a (first-class) security boundary, then you are stuck with having to re-live (some of) the past... :)

[1] Because one of the aims of a virus (at that time) was to spread itself via floppies, a virus would repeatedly attempt to write itself to the floppy until it finally succeeded. In some cases, however, the virus would continue to (regularly) check, even though it had successfuly written itself (infected) a floppy. Given that the floppy drives were quite noisy, it wasn't difficult to notice.

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

Stephan van Stekelenburg — Sat, 24 Mar 2007 17:03:16 GMT

Really great interview, Mark is really great too :D

Thanks for the video [H]

Re: Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

Christian Liensberger — Sat, 24 Mar 2007 14:17:53 GMT

This was a great interview :)