Saturday, January 16, 2010


It’s interesting how many people don’t realize what are the priorities in computer security... There are many fields to secure: server security, web applications security, network security, and finally desktop security. Over the last years I met SO many people that always expressed surprise why I would like to focus on desktop systems security? They usually argue that today, as everybody knows, it is the Network that is what computing is all about and that we should focus on securing infrastructure, and forget about the desktops, which are always to be insecure. The network is the computer, as somebody said.

What those people forget about, is that it is always the desktop that ultimately gets access to all the user’s secretes -- all the passwords, all the keys, all the corporate documents, all the nude holiday pictures, all the secret love letters, all the credit card numbers, and many more.

However secure were all the services (remote servers and network protocols) that we use, if our desktop gets compromised it’s all lost. The recent incident with Google is just yet another example of that. Our desktop systems are the most crucial piece of the whole puzzle.

It’s funny how many people think that by using some thin client solution on their desktops they can solve the problem. Of course they cannot! Just the fact that your OS executes on a server, rather then on your hardware, doesn’t make it any less prone to all the attacks that were otherwise possible when the software executed on your system.

The attempts to secure desktops have been failing for so many years. While recently there is some attempt to minimize likelihood of remote attacks via Web browsers (or generally to focus on application security), this is still just the tip of the iceberg -- there are so many other attack avenue that none of the popular OSes even tries to address, that I consider myself a brave person (not to say stupid) that I actually use my laptop everyday and keep some sensitive information on it ;)

Ok, so that’s a nice piece of complaining you say, but what are we, at ITL, gonna do about it? Well, we just gonna sit and patiently wait for better OSes to appear some day... Oh, hell, we won’t!

Happy New Year :)

<please ignore>
9933 F096 8820 0E23 1AF4 078D 8BDB D97D BDEA 9E9D


Tom Chiverton said...

And you're posting random hex digits why ?

Joanna Rutkowska said...

The "random hex digits" is a proof-of-concept exploit that targets a vulnerability in the reader's brain related to processing of the "<please ignore>" tags. Included is a simple "connect back" shellcode that, when executed, causes the victim to connect to the server and post a comment. Use it at your own risk or patch your brain.

thornmaker said...

damnit... my brain is vulnerable too. where can we get the patch? :)

Meguxx said...

what do you think about cloud computing? Whether it is necessary to create some new security system with new concepts? for example - . this is "games on demand" service. but what if it wiil be not games. what if it will be bussines applications or service that replaced home computer? it use only network. all calculating made by servers. all what you will send to server its signals from mouse or keyboard. with this situation what we should think? all problems with vulnerabilities lie down on shoulders of servers system administrators? do you think this concept of safe clouds can will be created or not?

p.s. sorry for my english

Joanna Rutkowska said...

@meguxx: Could computing doesn't really change anything -- you still need to trust your desktop (or smartphone, or whatever terminal you're using). At the very least the attacker that compromised the terminal has full access to all the input (mouse/keyboard) and output (graphics) and can not only sniff it, but also manipulate at will.

And, BTW, cloud computing means that you're sharing your private data with others (=the service provider). So, no more private love letters, no more private naked holiday pictures, etc. Think twice before taking the blue pill ;)

Unknown said...

I totaly agree with you. If your desktop is not secure there is no security at all. At the same time, even if you would realy have a secure desktop, if the rest is insecure the benifits are marginal.

I don't belive cloud computing will bring any benifits for securing your data. Like joanna said, you have to trust the service provider. Even worse after you trust the service provider you have to belive that the admins working there have the knowledge to secure their servers, have enough money to build secure systems and last but not least have enough time to take care of their system.

July 30, 2010