Saturday, December 22, 2007

XMAS: working with 20% of overflow ... ... ... ... ... ...

I know, it's Xmas. I should stop working and stay with my family or.. something like that. Well I really wanna stopping but I'm still working on 3 different papers, the deadlines are at the end of January and February . It seems reasonable stop blogging just for some days but actually I don't now If I'll withstand to write some news on my blog. Anyway , tomorrow I wanna point out  a very interesting post by Ann in her blog. Here you can find the original post  (MSI Script vs Windows Security), where Ann describes how :

1) Change the value of windows system registry values:
2) Run a low-level system tool:


Running some script (see the original post) during installation phase it's possible get higher permissions. The main problem seems in msiexec, which gets elevated priviledges during installation phase.

If you try to do this explicitly as a regular user (or without elevated privs on Vista), Windows will politely tell you that you can't. But if you execute the following MSI script during an installation (running the installation as a regular user), msiexec gets elevated priviledges, and can do whatever you want. Here's an example silently disabling UAC during an installation by launching regedit from cmd. (This is run in Wise via 'Execute Program from Destination', Working directory: SystemFolder):

Another interesting project that I've seen during the past days is PhisTank.It's a website where dedicated volunteers submit URLs from suspected phishing websites and vote on whether the submissions are valid. The idea behind PhishTank is to bring together the expertise and enthusiasm of people across the Internet to fight phishing attacks. The more people participate, the larger the crowd, the more robust it should be against errors and perhaps even manipulation by attackers.
I'm interested on this project for several reasons but one of the most important reason that carried me through this project has been reading this paper by University of Cambridge. Tyler Moore and Richard Clayton describe why and how this (great) service is vulnerable. I was amazing during the reading because it's impossible understanding how a pretty-important conference like Financial Crypto may public this kind of (easy and not innovative) work. Maybe my though on Financial Crypto is wrong.

4 comments:

Tyler Moore said...

I'm sorry that you found the paper 'not innovative', though I'm actually quite pleased that you found the attacks I described as 'easy'. That's part of the point: PhishTank is vulnerable to manipulation due the structure of its existing users' participation.

Using the 'wisdom of crowds' is fine whenever you're classifying galaxies, because there's no strong motivation for anyone to manipulate the outcome. However, PhishTank could well be targeted by phishermen, as they have already launched DoS attacks against other vigilate sites like CastleCops.

Finally, in future, if you're going to lift three sentences from my writing ("a website where dedicated volunteers submit URLs from suspected phishing websites and vote on whether the submissions are valid. The idea behind PhishTank is to bring together the expertise and enthusiasm of people across the Internet to fight phishing attacks. The more people participate, the larger the crowd, the more robust it should be against errors and perhaps even manipulation by attackers"), please quote the source instead. This might be mistaken for plagiarism otherwise.

Marco Ramilli said...

thank you so much Taylor for your comment. You are
right on most of the points. I like this kind of critics, they often help me growing up. I'll be glad to continue the conversation offline and to exchange some ideas on your work. Really thanks.

Marco Ramilli said...

sorry again, Tyler... My phone dictionary didnt know your right name :(

Tyler Moore said...

Hi Marco,
My email is Tyler.Moore AT NOSPAM .cl.cam.ac.uk

Merry Christmas,
Tyler