R2 (MVM, Long Beach, CA; joined 2000-09-18) | reply to Daemon, Re: WMP Adware: A Case Study in Deception
I think we can dismiss the anonymous posts about "porn" as jokesters -- or people who clearly don't grasp the issue.
I suspect ryri's point about the Restricted sites zone is valid. I don't have time to test this, but WHAT IS the zone that these are run in at present? Is it the Internet zone? (I certainly hope so.) In which case a Restricted Internet zone again comes to the rescue. Or, heaven forbid, is this run in the Local Machine (My Computer) zone?
eburger68 (MVM; joined 2001-04-28) | reply to R2:
My understanding is that the hosted instance of IE used for license acquisition behaves like any other default IE window, which means that it should be classed as the Internet zone.
Eric L. Howes
EGeezer (Premium; joined 2002-08-04) | reply to eburger68, WMP and certificates "sold" as security
In view of Microsoft's marketing of "security" certificates as a tool to protect users, the language in the original post screenshots (especially #1 and #4) implies to a user that Microsoft says they need to install this malware and that it is "certified" by Thawte. The implications by MS could lead to actionable damages to users who trust MS based on their promulgations in the message text and public positions.
Anyone smell a lawsuit coming on?
See "M$'s Peter Torr Attacks Firefox Security" and linked articles by an MS developer for background on the marketing strategy and implications for security.
EDIT - Mozillazine only went back to 12/22, here's the blog itself »blogs.msdn.com/ptorr/archive/200···511.aspx and a link to an EWeek article at »blog.ziffdavis.com/seltzer/archi···183.aspx EG
(PLEASE, no IE vs. FF replies. Start a new thread if you feel compelled.) -- N-X-211 ====== N-328KF
R2 (MVM, Long Beach, CA; joined 2000-09-18) | I noticed the same thing. However, where exactly does Thawte's role end?
I believe they are only supposed to authenticate that the publisher is who they say they are, but I don't think they have the responsibility to verify that everything Ultra Web Host and iDownload do is 'desirable' for all users.
One major fallacy of the "Certificate Security Model" is that a routine user is going to know which companies they are to trust and which ones not to trust. The dialog box warns you that "Caution: Company X asserts that this content is safe", but there is no way for an average user to know whether Company X is reliable or not. Furthermore, when the Control is disguised with a name such as "Required: Media Player Update", I am sure many users would bother to read all the fine print...
I do not consider myself a routine user. But, if you search the archives here you will find that I also make stupid, hasty mistakes. When trying to quickly view song lyrics on the infamous Lyrics.com site, in my haste I must have clicked something that led to an onslaught of ActiveX Controls being installed. If I was not in a hurry, it would never have happened -- but my haste cost me about three hours of clean-up work. Certainly a user anxious to view a 'cool' media file in WMP might easily be hasty enough to dismiss these "authenticated" downloads just to get to the video...
Thanks, Eric. I assume the same thing, but one never knows...
EGeezer (Premium; joined 2002-08-04) | We are in complete agreement - thanks for your expansion of the subject!
The value of certificates as a means of protection has been promoted beyond its technical verification function and marketed to imply that, if a source has a valid Thawte, Verisign, etc. certificate, the vendor and/or the vendor's product is trustworthy, when no such verification has taken place. Anyone with the money can buy a cert.
The level of expectation needs to be set, and this marketing of certificates at their present level of function needs to be changed to reflect reality.
I've been in discussions where certifications are proposed based on financial stability, ISO standards, BBB standards and so on. However, agreement on how to certify and how to implement is far from real progress. -- N-X-211 ====== N-328KF
dave (MVM, not in ohio; joined 2000-05-04) | reply to R2
said by R2: One major fallacy of the "Certificate Security Model" is that a routine user is going to know which companies they are to trust and which ones not to trust.
I agree, but how else are you going to do it?
At base, I only install things from sources I trust, or that have been vouched for by people I trust.
There is no other way to determine whether a piece of software is 'desirable' or not, and this applies whether or not there's a certificate system in place. At some point, I have to decide whether I want to trust 'Screw-U Software' enough to install something that comes from them.
R2 (MVM, Long Beach, CA; joined 2000-09-18) | reply to dave
said by dave: I agree, but how else are you going to do it?
Well, now that you ask... 
Ideally one or more third-parties would have to be used to determine the "reliability" of the source.
For example, on various sites where items can be purchased on-line each vendor is rated -- one-to-five stars, for example. You may have no qualms about buying something from a vendor rated 5-star, but you may think twice if the vendor is rated at only 1-star.
If there were one or more non-partisan groups rating the reliability of the various ActiveX sources, then Certificate Security might be useful. The above image is a sort of a joke -- it is not likely that MS would actually list the ratings in the Security Warning dialog box. However, there is a plausible way to make something like that occur.
Much in the same way that we have definition lists for Restricted sites or evil CLSID's, there could be lists of ActiveX providers. Bad or good providers could be placed on a list and this list could be installed on your computer. MS could have the Security Warning box then query this list and display the results in the Warning box. This would identify the provider as either "Reliable", "Unreliable", or "Unlisted". (I don't really think a -10 to +10 scale is necessary!).
This would give credibility to the Certificate Security Model -- because it would form a complete circle. Thawte authenticates that the provider is who it says it is, and your reference list confirms that the provider has been judged to be "reliable" by a source that you trust.
Without this last step I don't see how the Certificate Security Model is useful...
SnowyOne (Premium, Kailua, HI; joined 2003-04-05) | Wouldn't a well maintained, trusted hosts file do the same thing as a strict Certificate Security Model? -- Houoli Makahiki Hou
R2 (MVM, Long Beach, CA; joined 2000-09-18) | I would think not. A Hosts file only controls the Name Resolution process. So it could block you from going to a bad site, but it would not prevent a site that was not yet listed from downloading an evil ActiveX control.
That is part of redundancy. You cannot rely solely on a Hosts file to block everything evil, as new sites may appear every day, or even every hour.
SnowyOne (Premium, Kailua, HI; joined 2003-04-05) | idownload.com is listed in hpguru's hosts file. It's better than a kick in the head. -- Houoli Makahiki Hou
dave (MVM, not in ohio; joined 2000-05-04) | reply to eburger68, Re: WMP Adware: A Case Study in Deception
A hosts file does absolutely nothing to reassure me that the file I'm copying from downloads-r-us.com, ostensibly created by Reliable Software Inc., was in fact created by Reliable Software Inc.
That reassurance requires cryptography.
(OK, it really only tells me that the file was created by someone who knows Reliable Software Inc's private key.)
Steve (Consultant, Yorba Linda, CA; joined 2001-03-10) | reply to dave, Re: WMP and certificates "sold" as security
said by dave: At some point, I have to decide whether I want to trust 'Screw-U Software' enough to install something that comes from them
... which is influenced, in part, by the prospects of seeing Anna Kournikova naked
SnowyOne (Premium, Kailua, HI; joined 2003-04-05) | reply to dave, Re: WMP Adware: A Case Study in Deception
Reassurances, that's the part I was missing. If a reliable software rating (softwarecop) service were to manifest itself, a dozen rogue software rating services would pop up overnight. The antispyware market is testament to that.
EDIT: You can be reasonably assured that anything offered up by idownloads.com is crap. -- Houoli Makahiki Hou
dave (MVM, not in ohio; joined 2000-05-04) | reply to eburger68
I think, overall, we're confusing two things here:
1. Was this software really produced by who it claims to be produced by?
2. Is this software safe?
Certificates only deal with (1), but people are somehow expecting them to deal with (2) as well.
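The split dave draws here, and the "Reliable / Unreliable / Unlisted" list R2 proposed a few posts up, can be written out as working code. What follows is an added example, not code from this thread, from Microsoft or from any CA: Ed25519 stands in for the RSA keys behind a real Authenticode certificate, a plain map named CertDirectory stands in for the CA-issued certificate that binds a publisher name to a public key, and the publisher names and payload strings are constructed from the thread's own examples. Evaluate first asks question (1), whether the bytes were signed by the key bound to the claimed name, and only then consults the local reputation list for question (2).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Publisher is a code-signing identity. Ed25519 stands in for the RSA key
// behind a real Authenticode certificate (an assumption of this example).
type Publisher struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey // anyone holding this can sign as Name
}

// NewPublisher generates a fresh key pair for the named publisher.
func NewPublisher(name string) *Publisher {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // random source failure; nothing sensible to do here
	}
	return &Publisher{Name: name, Pub: pub, priv: priv}
}

// Sign produces the signature that ships alongside the control.
func (p *Publisher) Sign(control []byte) []byte {
	return ed25519.Sign(p.priv, control)
}

// CertDirectory models what the CA (Thawte, VeriSign) vouches for: the
// binding of a publisher name to a public key. It says nothing about safety.
type CertDirectory map[string]ed25519.PublicKey

// Reputation is the local, user-chosen judgement of a publisher: the
// "Reliable / Unreliable / Unlisted" list proposed in the thread.
type Reputation int

const (
	Unlisted Reputation = iota // zero value: not on the list
	Reliable
	Unreliable
)

func (r Reputation) String() string {
	return []string{"Unlisted", "Reliable", "Unreliable"}[r]
}

// ReputationList is keyed by the publisher name the certificate asserts.
type ReputationList map[string]Reputation

// Verdict keeps the two questions apart: Authentic answers "signed by the
// key the CA bound to ClaimedName?"; Rep and Action answer "do I trust them?".
type Verdict struct {
	ClaimedName string
	Authentic   bool
	Rep         Reputation
	Action      string // "block", "install" or "ask"
}

// Evaluate is the decision a smarter Security Warning dialog would make.
func Evaluate(certs CertDirectory, list ReputationList, claimedName string, control, sig []byte) Verdict {
	v := Verdict{ClaimedName: claimedName, Action: "block"}
	pub, ok := certs[claimedName]
	if !ok || !ed25519.Verify(pub, control, sig) {
		// Forged, tampered with, or signed by a key the CA never bound to
		// this name. Detecting that is all the certificate can do for us.
		return v
	}
	v.Authentic = true
	v.Rep = list[claimedName]
	switch v.Rep {
	case Reliable:
		v.Action = "install"
	case Unreliable:
		v.Action = "block"
	default:
		v.Action = "ask" // authentic but unknown: the user still has to decide
	}
	return v
}

func main() {
	reliable := NewPublisher("Reliable Software Inc.")
	screwU := NewPublisher("Screw-U Software")
	certs := CertDirectory{reliable.Name: reliable.Pub, screwU.Name: screwU.Pub}
	list := ReputationList{reliable.Name: Reliable, screwU.Name: Unreliable}
	update := []byte("constructed payload: genuine codec update")
	adware := []byte("constructed payload: 'Required: Media Player Update' adware")
	tampered := append([]byte(nil), update...)
	tampered[0] ^= 0xff // one flipped byte breaks the signature

	fmt.Printf("%+v\n", Evaluate(certs, list, reliable.Name, update, reliable.Sign(update)))
	fmt.Printf("%+v\n", Evaluate(certs, list, screwU.Name, adware, screwU.Sign(adware))) // valid signature, still blocked
	fmt.Printf("%+v\n", Evaluate(certs, list, reliable.Name, tampered, reliable.Sign(update)))
	fmt.Printf("%+v\n", Evaluate(certs, list, reliable.Name, adware, screwU.Sign(adware))) // forged: wrong private key
}
```

The second call is the one the thread is about: Screw-U Software's adware carries a perfectly valid signature under a perfectly valid identity binding, and nothing in the verification step changes because the content is hostile. Only the reputation list, which the user picks for themselves just as they pick a hosts file or IE-SpyAd, turns that into "block". The third and fourth calls show the part the certificate does do: a modified control, or one signed with the wrong private key, fails before reputation is ever consulted.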
R2 (MVM, Long Beach, CA; joined 2000-09-18) | I don't think WE are confusing these things -- but I suspect society in general is confusing these. In addition, the situation is further obfuscated by terminology that certainly does not make it easy for the average user to sort these out. Is this intentional or only poor planning?
I think a viable Security model should deal with BOTH of them, but that is not what we are offered. I recognize that, I just don't accept that.
Steve (Consultant, Yorba Linda, CA; joined 2001-03-10) | reply to dave
said by dave: Certificates only deal with (1), but people are somehow expecting them to deal with (2) as well.
When you see that traditional ActiveX download dialog box, all the certificate stuff says that it really and truly was produced by the company it claims to be (Microsoft, Adobe, Screw-U Software), and that company claims that it's safe.
The wording then says that you should install it only if you trust the company to make that assertion.
I trust Microsoft, Adobe, and dave to make "it's safe" assertions, but I wouldn't trust - say - Gator.
It is hard to imagine a technological approach that will obviate the need to use your friggin' head.
Steve -- Stephen J. Friedl, Unix Wizard, Microsoft Security MVP, Tustin, California USA
R2 (MVM, Long Beach, CA; joined 2000-09-18) | reply to SnowyOne
said by SnowyOne: a dozen rogue software rating services would pop up overnight.
Agreed. But you have the ability to choose which "Anti-Crapware" program or "Crapware Definition List" you want to use. For example, you may choose hpguru's list because you know him from what he posts here. You may choose Eric's IE-SpyAd list because of his posts here.
Granted, some people will be duped by bogus list makers. We cannot prevent every bad thing from happening...
Steve (Consultant, Yorba Linda, CA; joined 2001-03-10) | reply to R2
said by R2: But you have the ability to choose which "Anti-Crapware" program or "Crapware Definition List" you want to use.
The free market works for "reputations" as effectively as it does for "ideas" and "prices".
Steve -- Stephen J. Friedl, Unix Wizard, Microsoft Security MVP, Tustin, California USA
R2 (MVM, Long Beach, CA; joined 2000-09-18) | reply to Steve
said by Steve: It is hard to imagine a technological approach that will obviate the need to use your friggin' head.
Ah... but that is EXACTLY what we need. That is why we have SpywareBlaster, AdAware, etc. Users cannot be expected to ACTUALLY use their head. Haven't we learned that already?
Wow, your last post is even more cynical than mine!
SnowyOne (Premium, Kailua, HI; joined 2003-04-05) | reply to R2
said by R2: That is why we have SpywareBlaster, AdAware, etc. Users cannot be expected to ACTUALLY use their head. Haven't we learned that already?
Yes, but statements like "Thawte guarantees the software has not been tampered with and is therefore safe to install/download." made by companies that should know better sure don't help. -- Houoli Makahiki Hou