Friday, January 11, 2008

one more time

and this one comes via my dad... he thought i'd surely have known about this, but i'd never heard a thing about it...

the app

pretty simple concept. let your apps read from disk, but only let them write to a sandbox. obviously not an extrusion prevention solution, but it is a really simple concept that seems like it could prevent a lot of badness... kinda chroot jail-ish imo...

anyway, just another cool idea to be a potential solution to some problems. but as per my last post, it is kinda laughable how this essentially just attempts to impose proper perms to tmp dirs on windows browsers. following that reasoning, just quit windows and run *nix where the browser can read the /tmp dir chmoded out at 777, and virtually nothing else.

and this also suffers from the same problems as many other security products. yea, i can build a *nix server w/ buffer overflow protections, and a hardened kernel, and other general hardening. and i can put it out on inet running services and feel pretty confident that i'll probably see any attempted attack on the machine if i watch my logs and am careful about configuration in general. but the fact that i can do that doesn't really help 99% of machines out there. this app might have potential, but 99% of ppl out there will never hear of it. i mean, i still have to tell people what no-script is. all of these patch-like solutions and add-ons need a better distribution method so the risk mitigation can reach the masses...
