Newsgroup: povray.off-topic
Subject: Re: Speedy thing goes in...
From: Invisible
Date: 7 Jun 2011 04:23:40
Message: <4dede00c$1@news.povray.org>
On 06/06/2011 09:02 PM, Darren New wrote:
> On 6/6/2011 11:22, Orchid XP v8 wrote:
>> ...which the on-demand scanner is *still* going to detect...
>
> Again, the on-demand scanner is the worst possible way, efficiency-wise,
> to detect such things. Where "efficient" means "minimal impact to actual
> users." It should be a last resort, not a primary mechanism.

You have a point. Scanning a file after each time it's modified would 
seem the best approach, but I'm not aware of any product that does this yet.

>> Heheh. These are the people who thought "hey, let's make it so that every
>> home user has full admin rights by default". Yes, I'm sure they know a
>> thing or two about security. ;-)
>
> I'm sure they do. And I'm sure every programmer in Microsoft *wanted* to
> not make that the default. That business cases mean you lessen security
> doesn't mean the security team doesn't know how to do security.

OK, how about this:

This is the company that produced a web server where you can completely 
defeat all access controls and fetch files you don't have permission to 
fetch just by using backslashes in the URL rather than forward slashes.

This works because:

1. The server neglects to check for invalid characters in the URL (such 
as backslashes).

2. The server uses a list to determine file access rather than 
properties of the files themselves (e.g., FS-level file security).

3. The server blacklists files that you can't access rather than 
whitelists files that you can access, causing it to fail-open rather 
than fail-closed.

4. Because the restricted URLs have forward slashes and the user typed 
an equivalent path with backslashes, a textual match routine returns no 
matches, and the URL is allowed. (This also means that any /other/ way 
to generate a semantically equivalent but textually distinct URL would 
/also/ bypass all security.)

Yes, /clearly/ MS knows how to design systems that are fundamentally secure.

>>>> That's a valid argument for a file server. But even in that case,
>>>> you (or somebody else) still has to *access* the file.
>>>
>>> But the other person might not have a virus scanner.
>>
>> If the file is on a file server, then each time you try to access it,
>> the AV product on the server will perform an on-demand scan.
>
> Sorry? What file server?

If the file exists on another PC and that PC has an on-demand virus 
scanner, then whatever way you access that file, it's going to trigger 
that PC to perform an on-demand scan. So I'm not seeing how a file on a 
PC with an AV product can pose a threat to other systems.
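The fail-open design described above (a textual denylist matched against the raw URL) beside a fail-closed alternative that canonicalizes the path and allows only known prefixes, as an added example that is not part of the original post or of any real server. The denied file, the allowed prefixes and the request paths are constructed for illustration.

```python
from urllib.parse import unquote
import posixpath

# Constructed example values; none come from the original post.
DENIED = {"/admin/config.txt"}               # textual denylist (fails open)
ALLOWED_PREFIXES = ("/docs/", "/images/")    # canonical allowlist (fails closed)

def naive_denylist_check(url_path: str) -> bool:
    """Allowed unless the raw string is listed. Any equivalent spelling
    (backslashes, dot segments, percent-encoding) is not in the list and
    is therefore served."""
    return url_path not in DENIED

def canonicalize(url_path: str) -> str:
    """Reduce a request path to one canonical spelling, or reject it.
    Decodes %XX once, refuses characters a URL path should never carry
    (so double-encoding and backslashes are errors, not repaired), then
    collapses '.', '..' and repeated slashes."""
    decoded = unquote(url_path)
    if "\\" in decoded or "\0" in decoded or "%" in decoded:
        raise ValueError("invalid character in request path")
    # Anchor at a single leading '/' (two would be preserved by normpath);
    # normpath on an absolute path also discards any leading '..'.
    return posixpath.normpath("/" + decoded.lstrip("/"))

def allowlist_check(url_path: str) -> bool:
    """Fail closed: serve only canonical paths under an allowed prefix;
    anything that cannot be canonicalized is refused."""
    try:
        canonical = canonicalize(url_path)
    except ValueError:
        return False
    return canonical.startswith(ALLOWED_PREFIXES)

if __name__ == "__main__":
    for req in ["/admin/config.txt", "\\admin\\config.txt",
                "/docs/../admin/config.txt", "/%61dmin/config.txt",
                "/docs/readme.txt"]:
        print(f"{req!r:30} denylist={naive_denylist_check(req)!s:5} "
              f"allowlist={allowlist_check(req)}")
```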
