Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

The Discussion

• 

  Great interview! Mark, you're my hero!

• 

  Great interview so far (still watching). Any reason it was cut at around 31:02?

• 

  Yes. I made a few edits in this video. I know it's rare for me to do this, but in this case I had to.
  
  C
  
  EDIT: I am a terrible editor. Jeez... I'm not sure why I made the first chop where I did. Oh well. So it goes.

• 

  Good interview. Vista internals , system calls and UAC explained well.
  Awsome.
  

• 

  After watching the whole thing, I have to agree with the other comments that this is a fantastic video. Mark explains everything crystal clear. I really liked the explanation of the different user roles.

• 

  I remember now. At 31-something in the interview I made a rude comment about Apple relating to their ads which target Vista UAC in a Matrix kind of way and felt it appropriate to remove it.
  
  Mark's lessons on Vista's fundamental security model was much more interesting.
  
  
  C

• 

  Charles,
  
  Just my 2 cents worth.
  
  One of the best interviews you have done.
  
  Good work.
  
  

• 

  Good interview.
  
  Mark described alot of complicated stuff in human language.

• 

  Charles wrote:

  Mark's lessons on Vista's fundamental security model was much more interesting.

  
  
  Indeed.
  
  However, you made my head spin trying to think about how a system could by architected that would do away with the admin/standard user concept. It's a very easy thing to say, but practically turns computer science on it's head.
  
  I totally understand why you guys didn't use the name of the idiot company that tried to rootkit everybody, but that was really when I got into reading Mark's blog. He's a good writer, and it was like reading some sort of techno-thriller mystery.

• 

  Great interview Mark. Like everyone here I owe you a huge dept of thanks. Sys Internal tools have been invaluable over the years in helping me both with my personal software development and at my work. The Windows world would be much the poorer without you!

• 

  Pls pls pls do more interviews with Mark.

• 

  This was a great interview

• 

  Really great interview, Mark is really great too

  Thanks for the video

• 

  Yeah, the first edit-point does break the thought, so here's a filler for you...
  
  I wrote a short (colourful) article (many years ago) that talked about being aware about unexpected behaviours, which I think is relevant to this topic of UAC spoofing. The article I wrote was specifically about floppy-based virus infections, and how, through the dicipline of keeping the write-protect tabs in place at all times (yes, 5.25" floppies), I was able to detect suspicious behaviours, like the floppy being accessed at (repeatedly) inappropriate times.
  
  By familarising myself with what were expected behaviours, awareness of any unexpected ones [1] would trigger an investigation, checking for viruses, etc.
  
  So in the case of UAC spoofing (without the Secure Attention Sequence - Ctrl-Alt-Del), if you see more than one elevation request, be suspicious !
  
  
  Do I think that's a sustainable practice, having to train users into what are expected and unexpected behaviours ?  No, but until UAC is nailed down and "hardened", so that it does become a (first-class) security boundary, then you are stuck with having to re-live (some of) the past...
  
  
  
  [1] Because one of the aims of a virus (at that time) was to spread itself via floppies, a virus would repeatedly attempt to write itself to the floppy until it finally succeeded. In some cases, however, the virus would continue to (regularly) check, even though it had successfuly written itself (infected) a floppy. Given that the floppy drives were quite noisy, it wasn't difficult to notice.
  
  

• 

  I think this is good video. But the question is - why there is a cut at minute 31? Does he said too much there? Can we see "directors cut" version of this video? Second question is: If debugger knows where the exes and dlls reside what is the problem to take the debugger, see what it is doing and use the same techniques to mess around with the system?

• 

  unforgiver wrote:

  I think this is good video. But the question is - why there is a cut at minute 31? Does he said too much there? Can we see "directors cut" version of this video? Second question is: If debugger knows where the exes and dlls reside what is the problem to take the debugger, see what it is doing and use the same techniques to mess around with the system?

  
  
  As I said above, I made a stupid comment about Apple and I did not want to release it to the public. It has nothing to do with the interview and its removal does not impact content quality.
  
  The next time the debugger runs (assuming a reboot happens beforehand), the dlls and exe it was attached to will not be located in the same memory locations. That's the point of the defense mechanism. If a hacker is on your machine running a debugger, then she probably won't be on your machine running a debugger...
  

• 

  Thanks Mark and Charles.  In vista context, is there any changes/improvements/apis for Services that need to impersonate users (i.e. job scheduler, etc)?  Or you still need to use LogonUser api with a stored/encrypted password?  It would seem, if your admin, you should be able to impersonate a user without a password (and maybe just a audit entry to show you did).  Or maybe even a policy to allow admin impersonate right only from a service or something.  tia

• 

  Passwords are still required to logon user accounts. While its technically possible to create a session that represents a user without using their password, there would be many serious limitations that make that approach problematic. For example, a user's protected storage area, including their EFS keys, can only be unlocked with their password. In addition, Kerberos network authentication requires the password and so none of the user's network resources would be accessible.
  
  Thanks for the nice feedback, everyone. Glad you enjoyed the interview

• 

  Mark Russinovich wrote:

  

  Passwords are still required to logon user accounts. While its technically possible to create a session that represents a user without using their password, there would be many serious limitations that make that approach problematic. For example, a user's protected storage area, including their EFS keys, can only be unlocked with their password. In addition, Kerberos network authentication requires the password and so none of the user's network resources would be accessible.
  
  Thanks for the nice feedback, everyone. Glad you enjoyed the interview

  
  
  Thanks for the info Mark, that helps.  Hope to see more and nice work on the 3 technet articles!  Cheers.

• 

  The UAC is indeed a big leap forward. But I understand 'her' issues as well. Apart from the user experience clicking many times on 'Do you accept...' dialog boxes, I would feel much safer when running an installer there were much finer grained acceptance rules. For example: extra warning if installer wants to add a service or kernel mode component - not just a complete or none elevation.
  
  Anyway, thanks for the SysInternals!

• 

  I think apple forgot that they to promt for admin access an has all the system settings littred with theas little lock icons you have to lock and unlock when they made that add where they make fun of UAC, atleast in windows you don't have to type in you username and password to change settings.

• 

  Mark Russinovich might be the best mind at Microsoft.  Clear spoken, he makes even the most complicated topics somewhat understandable to the rest of us.  I would give up my next child to spend some time with him (that's a figure of speach).
  
  PsTools, Filemon, and Regmon not only simplified my life, but gave some insight into what my network was really all about.   
  
  We need more of this guy on channel 9, he is the great communicator of the IT world!!!
  
  Thanks for having him.

• 

  Quote:
  I totally understand why you guys didn't use the name of the idiot company (sony) that tried to rootkit everybody, but that was really when I got into reading Mark's blog
  
  Oh my god, there are still people out there, who can't see the difference between "Sony" and "Sony BMG"? I mean, you do realize there are a few more letters behind that first word, even capitalized??

• 

  With regard to a virus and the ASLR mechanism:  Wouldn't it be possible for a virus to try each of the 256 locations looking for the function address it requires?
  
  Also, with regard to the UAC, many users of Vista will not understand what the UAC message is actually attempting to convey and in some cases they will just click Continue. Do you have any words of wisdom as to how to instruct these people how to handle the UAC events given this lack of understanding?
  

• 

  Comment removed at user's request.

• 

  I had a really good read on this, very detail,
  and very useful information.Thanks.

  Hot iPhone Converter
  http://www.iphoneconverter.com

• 

  Mark, please, could you give us the list of books sitting behind you?
  I could figure out only few.
  
  Cheers.

• 

  mark is king of hte kernal

• 

  Can anyone else make out the names of books on Mark's bookshelf. The one on the far right is the O'Reilly Active Directory book.
  
  Great interview! More Mark on channel9!
  

• 

  Great interview. More of why Mark is a fill-the-room-to-capacity draw at TechEd and other events... Regarding " made a rude comment about Apple relating to their ads which target Vista UAC in a Matrix kind of way and felt it appropriate to remove it" -- bushleague. If you can't not do that, bail out. Apple kicks MS (I need to watch my language) in a lot of areas and smarmy doesn't cut it as a "come back". Quality products DO make a great comeback. Make more of those. Hire more quality people like Mark. That's a key!!! And quit worrying about when MS "loses" to a competitor. Go get better, don't whine about it...

• 

  With regard to ~19:00 of the video and the discussion about the *Setup|Install*.exe heuristic:

  Didn't Mark miss an important point about the finding?
  
  The claim was that any file with setup or install in it would automatically be given admin privileges which is a security risk, and Mark's rebuttal is that it's not a security risk because "99.9%" of those files are indeed installers.

  But the problem isn't with the executables that *are* installers, they never had security issues to worry about in the first place. The problem is with executables that are *not* installers and pose as one to get free admin rights. Is there anything else guarding an application from exploiting that? If not, then how is that a secure heuristic? I'm confused as to how Mark missed that, and I hope it's because it's something that I missed in my understanding of the issue.

• 

  i want how to securing cluster and bad sector in hard drive?becuse the bad cluster and bad sector very cover the hard drive free space and do'nt read in there secter and cluster:):O

• 

  this man is a genius, and a very eloquent speaker. I could sit on the porch & drink that shiraz? on the desk (hehe ) & listen & learn all night. Thank you for sharing your wisdom. Standing on the shoulders of giants.

• 

  Excellent video.  Now I know where Ross went after Friends!

• 

  Great talk!

  
  

  Man I also like that green shirt, mind if I ask what it is?

• 

  What an interview it was!

  I second the positive comments here about the great video, and Mark Russinovich is awesome indeed.

• 

  娘子convert to iphone我convert to iphone欠convert to iphone你convert to iphone太多convert to iphone的溪边河口