BlueHat IL 2023 - David Weston

BlueHat IL 2023 - David Weston - Default Security

Рет қаралды 41,170

Жыл бұрын

The journey towards default security
This talk will take the audience through the evolution of Windows security and provide insight into the latest advances. This will include a technical overview of the some of the recent capabilities in the Windows 11 OS as well as hardware. Finally the audience will also get a view of future changes in Windows that will have a large impact in preventing attacks and the exploitation of vulnerabilities.

Пікірлер: 59

@ckingpro Жыл бұрын

For App Signing, making code certificates easier to obtain would be nice (especially for open-source software). Requiring $250+ a year for code signing certificate makes it less likely for open source software developers to actually use code signing. Also, if code signing takes off significantly, it could be combined with the Web's way of Certificate Transparency. This ensures we have transparency (in the sense no apps are secretly signed). It can also be combined with CRLite so Smart App Control could be done mostly offline.

@HotCakeX Жыл бұрын

250$ a year to guarantee the safety of your software that is going to be used by hundreds, thousands, millions of people, is nothing. If you can't afford that and provide that security then either don't develop or start charging for what you make. the solutions are obvious.

@ckingpro Жыл бұрын

@@HotCakeX Or … and just hear me out, software is already manually verified to *not* be malware if it gets through winget and if you think $250 a year minimum (with some going 300+ (hence I put it 250+ and $250/year is in some countries only) is cheap? Oh and if you want to offer a macOS version, that is another $99/year to get a certificate for macOS. This is not including different currency exchange prices as the prices I listed are US dollars

@HotCakeX Жыл бұрын

@@ckingpro Winget doesn't verify the developer the same way a Certificate Authority does. Winget only verifies hashes. also, nobody said software developing and releasing it to people in the world is supposed to be cheap. it's just a corrupt ideology that open source developers and linux community invented.

@ckingpro Жыл бұрын

@@HotCakeX you are moving goalposts again. You claimed it makes your app safer when winget already verifies your app is safe. Also “corrupt ideology” … just wow.

@keyboard_g Жыл бұрын

@@HotCakeX 🤡

@jEyLaBsCEO Жыл бұрын

Get well Dia

@keyboard_g Жыл бұрын

It would be a great sign to get all these things, and not have ads in the start menu, file explorer, and system settings screens.

@mavrc Жыл бұрын

It is somewhat disconcerting. These things could be a significant step forward for security, but what they feel more like is a company trying to push more of their business toward walled gardens and ad revenue. In other words, meet the new MS, same as the old MS.

@ssokolow Жыл бұрын

@@mavrc To be honest, that's a big reason I daily-drive Linux for my home PC, despite all the cool things in Windows I'd love to get my programmer-y hands on. I have a very low tolerance for this sort of power imbalance. It's *MY* computer and it will do as I say. Maybe some day, once regulations (probably originating in the EU) catch up , similar to how the EU recently passed regulations which should force Apple to allow side-loading and user-replaceable batteries on iDevices. (To give some context for that aspect of my personality, I switched to Linux in response to Windows XP activation, and there was actually a period when I ripped out the update notifier on Lubuntu Linux and replaced it with a minimal hand-rolled one because someone removed the ability to disable the once-a-day "please reboot to apply a pending kernel update" pop-ups. I'm also only just now making plans to upgrade off a pre-UEFI machine.)

@BinarySplit Жыл бұрын

Great to see Microsoft finally starting to innovate again after a 16 year snooze. Thank you, this is legitimately exciting. Now grow some dignity and remove those damned ads from the start menu, please.

@monad_tcp Жыл бұрын

What, they tried a lot of things , windows devs are just too stubborn. This new way of doing security perhaps might work. It wouldn't be possible without the investment in infrastructure like containers and virtualization on Windows .

@JudahHimango Жыл бұрын

Great talk, David!

@MrBrouilles Жыл бұрын

MSIX is good. But code signing is the problem for small project or Open Source one. Too expensive.

@HotCakeX Жыл бұрын

open source developers have been too lazy and cheap, getting away with bad software and vulnerabilities. Companies that provide code signing certificate must validate each developer and that costs money. Nothing is too expensive when it comes to the security of people using a software on their personal computers and work environments.

@ckingpro Жыл бұрын

@@HotCakeX “open source developers… getting away with bad software and [vulnerabilities]” just wow

@MrBrouilles Жыл бұрын

@@HotCakeX I don't use code signing anymore because it's just a scam. Organized by Microsoft and its partners to charge companies or independent developers. If Microsoft really liked developers and its customers, it wouldn't force devs to use the Microsoft Store which is the only way to have a cheap code signing.

@HotCakeX Жыл бұрын

@@MrBrouilles Lol you have no idea what you are talking about. just stop embarrassing yourself any more.

@MatLanders Жыл бұрын

@@HotCakeX Except for poor people.

@jcfawerd Жыл бұрын

Get well, Dia

@Tadokolov Жыл бұрын

About Win32 isolation, does it mean I can isolate any executable without any code change? Like restricting file access for a suspicious installer downloaded from web? If so, then this is the Docker-like lightweight Windows app sandbox I've dreaming for years!

@ckingpro Жыл бұрын

Could your use case be handled by the Windows Sandbox?

@keyboard_g Жыл бұрын

@@ckingpro Windows Sandbox is a great tool, but too cumbersome to have a fresh blank every time. Lighter weight, ready to go with isolation seems like the next logical step.

@ckingpro Жыл бұрын

@@keyboard_g interesting idea! I see what the original poster meant better now

@Neme112 4 ай бұрын

Yes, but it's only for developers to isolate their apps, not for consumers to be able to isolate any app they download, and the developers have to run the app without isolation first.

@gsuberland Жыл бұрын

I assume the James he was referring to at 2:08 is James Forshaw? :D

@BeyondImaginationzz Жыл бұрын

can pluton firmware updated from Linux too ?

@0xeb- Жыл бұрын

Great speaking skills David. Nice presentation. Arak is my favorite ;)

@gsuberland Жыл бұрын

I honestly don't see the app isolation side of this taking off for general applications, and Notepad++ is a perfect example of why. The required file access for NP++ is unbounded - it should be able to open every single file on the system, wherever it is. If you set up the policy to say "by default it can access Documents, but you can grant it access to anything else on an individual basis", all you're doing is adding busywork for the user in exchange for no practical security benefit, because anyone who does use NP++ is going to grant that access, and if you install the app but don't use it then there's no security impact in the first place. This isn't even a technical user thing - people are going to want to open text files from USB drives and other non-C:\ fixed drives. If you don't allow additional resources to be granted access, you're basically asking the user to copy the file into the documents path, edit it, then copy it back. A more permissive policy that allows access to everything except system directories, program files, etc. might be alright, but that still adds friction and it's not the only problem with this approach. The prospect of "oh just get your users to return ETLs" is pie-in-the-sky thinking. I laughed when it was mentioned. Nobody is going to do that! It's funny that selinux policies were mentioned earlier on, because it has exactly the same problem. On top of that, nobody wants to debug why their app crashes in an obscure code path where it accesses some random registry key that wasn't spotted by the capability profiler, and nobody wants to debug this when the app supports 3rd party plugins. Sandboxing off other resources like COM, object namespaces, etc. is cool, because that's much less of a chore to manage, but prescriptive registry and file access policies are just too much of a maintenance hassle. If this ends up being mandatory for MSIX deployment, 99% of apps are not going to use it, and it'll suffer the same fate as UWP. There's some great stuff in here but the app isolation just seems like the same stuff Microsoft tried before but with a new name, new tooling, and the same practical usability problems. I'm willing to be proven wrong but I strongly suspect that this isn't going to meet the "don't annoy the user" and "make it easy for devs" goals that were espoused at the start of the talk.

@acuteaura Жыл бұрын

Notepad++ is the ideal app for file/folder picker portals instead of unbounded filesystem access though.

@dustojnikhummer Жыл бұрын

@@acuteaura Assuming you work with notepad++ by going to it and using the File -> Open dialog, instead of going to the file in your file manager and Open With -> Notepad++

@Neme112 4 ай бұрын

Ideally, this would work like it does in UWP, where the app doesn't have access to arbitrary files, but if the user opens the file via a file picker in the app, or if the user opens the app by clicking on that file, then access to that file is granted.

@seltmitchell2965 Жыл бұрын

Well, better late than never I guess.

@ClaytonWhite-db9sc Жыл бұрын

✌️ "Promo SM"

@guai9632 Жыл бұрын

nice try, ms, but no. return 10's sane design

@trignite Жыл бұрын

Literally peoples only issue with 11 design is a couple tiny things "I can't move the task bar" they are very likely to change this but you can use an app to do so. "I don't like the new context menu" - Then change it back. The main reason people dont like the new one is just because new software doesn't support it yet. Give it time, its actually a LOT cleaner and less cluttered. Other than that.. pretty much everything else is better. The settings has more things that dont require old control panel. File explorer and notepad now has tabs. New Terminal (which is incredible) is actually default now, not the shit-tier command prompt and powershell that didn't change for like 20 years. Blutooth is actually quick-accessible now via taskbar, instead of opening a whole window. Security is better. CPU Scheduler for alderlake and raptorlake is better. There's so many more things I can say but.. stop being a sheep and try 11. I thought I would hate it from everyone saying it was bad. But i moved over a few months ago and actually love it. It's a lot faster too.

@guai9632 Жыл бұрын

@@trignite nope. installed and used it for about an hour. count about 10 things they worsen and only one improvement. not a great score. fuck this shit. it's 8 and their stupid decision to fix what's never been broken all over again

@DrewWalton Жыл бұрын

@@trignite agree with all of this, I think Windows 11, while it has its own issues, is massively underrated.

@voicevy3210 Жыл бұрын

lot of dalvikvm politics

@wissenschaftler400 Жыл бұрын

Why are you pronouncing Latin phrases with English pronunciation?

@Digidan5 Жыл бұрын

damn.... time to switch back to linux then i guess :^)

@obvinpro Жыл бұрын

bye

@HotCakeX Жыл бұрын

bye

@xspager Жыл бұрын

Cool. Also free Palestine!

@avibenavraham Жыл бұрын

It’s been free since 1948

@RCD_K Жыл бұрын

Free palestine

@coolbugfacts1234 Жыл бұрын

@@avibenavraham if you define "free" as being under military apartheid rule and legally discriminated against

@avibenavraham Жыл бұрын

@@coolbugfacts1234 Jordan is under military occupation and apartheid? Wow, I had no idea

@Borgilian Жыл бұрын

@@avibenavraham Are you parasites still shooting palestinian children just for throwing rocks at your tanks? Or forcefully sterilizing blacks who don't want to get kicked out of the land you stole? Are you still throwing radioactive materials from planes on top of palestinians in order to track their movements?

@floweringmind Жыл бұрын

ZorinOS is looking like a better option everyday that passes.

@karimmirak2158 Жыл бұрын

Free phalestine falasine Palestine 🇵🇸

@JohnDoe-pn7jx Жыл бұрын

monkey said "cool"

@yooanto9465 Жыл бұрын

you will never stop the hackers ever Microsoft knows that. MS add useless stuff and create more bugs on every new update. Did you even listen to customers? we are tired of your useless stuff / simple OS like windows 7 is more functional than windows 10 and 11.