Google Chrome vs. FX+NS; integral sandboxing vs. 3rd-party

[Hungry Man]

Agreed. It's not the CA system, it's that *Comodo itself* was breached by a hacker in a foreign country who was able to log in as a privileged Comodo exec with the authority to issue certs. That's not confidence-inspiring, especially for a company in the business of firewalls and overall security.

Happens a lot. I mean, it's definitely not making me feel confident but I don't think it matters much.

I wasn't referring to the write.exe program. (nice to meet someone who remembers that!) I knew you meant MS Word. But I think you typo'd by saying you could tell Word not to READ from s32, where probably you meant, tell it not to WRITE to s32. Which is why I said i thought that Word *must* have READ permissions to s32, as some of the libraries it calls are in s32. Clearer?

Could be read or write. It might break Word, it was purely an example. I could say to block read/write to the downloads folder - the point is that you can add the most meaningless restriction to any program and it's still a sandbox.

[Tom T.]

... I could say to block read/write to the downloads folder - the point is that you can add the most meaningless restriction to any program and it's still a sandbox.

I'd call that a simple permissions restriction, and not a sandbox in any sense of the word, but no point in quibbling over semantics, eh?

(I have the Remote Desktop Protocol -- RDP service -- disabled, but I wouldn't say that I sandboxed RDP, or that the machine was sandboxed against RDP attacks. I just disabled the dang service, that's all. )

[Hungry Man]

Permission restrictions are definitely sandboxes =p before virtualization etc that's all sandboxes were. SELinux is a good example of this. Essentially a jail. Or Chrome, which uses MIAC - a sandbox.

[Tom T.]

http://en.wikipedia.org/wiki/Sandbox_%2 ... ecurity%29

In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites.....

The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.

I think this thread has about outlived its usefulness, as it's down to semantics. It's been interesting, but time to let it go -- unless there's any more actual, new material or ideas that haven't been discussed already. Any objection?

btw, if you want more interesting reading, go to http://www.schneier.com, and search for "Clive Robinson"+castle ....... and "NickP+jail".

[Hungry Man]

Alrighty.

[Tom T.]

This Just In:

Forbes - Best Read: Brand'ts Top 5 Malware Threats in 2012

If you’re not running Firefox with NoScript installed, you need to do so right now. As far as I can tell, it’s the only surefire method of preventing an accidental infection of a Windows PC by exploit-kitted Web pages.

Res ipsa loquitur.

[Tom T.]

Apparently, only NoScript can prevent SVG scriptless keylogger attack, and has been doing so even before the attack was revealed.

Users of other (non-NS-supporing) browsers, beware.

[Thrawn]

Who said anything about obfuscated Javascript? I'm talking about obfuscated developer.
I merely visited the ScriptNo web site, looked at some of the FAQ, etc., and found that one about his anonymity.

Looks like the author of ScriptNo is no longer anonymous. And he discussed the reasons for the lack of personal info on Wilders Security. He sounds like he's doing his best.

I still think that ScriptNo should be renamed, and probably needs more disclaimers, and I'm holding out for the real NoScript before I seriously consider Chromium migration. But it's true that the developer deserves more credit for his effort. Who knows, maybe getting momentum behind something like ScriptNo is the only way Google will end up supporting NoScript fully.