ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Miscellaneous Tech News

    News
    83
    7.4k
    2.6m
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JaredBuschJ
      JaredBusch @scottalanmiller
      last edited by

      @scottalanmiller said in Miscellaneous Tech News:

      @obsolesce said in Miscellaneous Tech News:

      @scottalanmiller said in Miscellaneous Tech News:

      Razor and Asus Windows 10 security bypass...

      https://www.pcgamer.com/razer-windows-10-security-flaw-admin/

      Well I suppose it's, as it's always been, important to lock your device if you walk away so someone can't sneak over to your chair and "wreak all kinds of havoc" on your computer if you aren't already a local admin lol.

      So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?

      All these employees just sitting at locked computers, not allowed to use them.

      That is 100% not what he said.

      1 Reply Last reply Reply Quote 0
      • DustinB3403D
        DustinB3403 @scottalanmiller
        last edited by

        @scottalanmiller said in Miscellaneous Tech News:

        Razor and Asus Windows 10 security bypass...

        https://www.pcgamer.com/razer-windows-10-security-flaw-admin/

        This 100% sounds more like an issue for Windows rather than the hardware manufacturers.

        Maybe I'm not considering something, but the article even provides examples of other non Razor devices being able to exploit this process.

        scottalanmillerS ObsolesceO 2 Replies Last reply Reply Quote 0
        • DustinB3403D
          DustinB3403 @scottalanmiller
          last edited by

          @scottalanmiller said in Miscellaneous Tech News:

          @obsolesce said in Miscellaneous Tech News:

          @scottalanmiller said in Miscellaneous Tech News:

          Razor and Asus Windows 10 security bypass...

          https://www.pcgamer.com/razer-windows-10-security-flaw-admin/

          Well I suppose it's, as it's always been, important to lock your device if you walk away so someone can't sneak over to your chair and "wreak all kinds of havoc" on your computer if you aren't already a local admin lol.

          So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?

          All these employees just sitting at locked computers, not allowed to use them.

          A locked computer screen wouldn't prevent this elevation from occurring.

          JaredBuschJ 1 Reply Last reply Reply Quote -3
          • JaredBuschJ
            JaredBusch @DustinB3403
            last edited by

            @dustinb3403 said in Miscellaneous Tech News:

            @scottalanmiller said in Miscellaneous Tech News:

            @obsolesce said in Miscellaneous Tech News:

            @scottalanmiller said in Miscellaneous Tech News:

            Razor and Asus Windows 10 security bypass...

            https://www.pcgamer.com/razer-windows-10-security-flaw-admin/

            Well I suppose it's, as it's always been, important to lock your device if you walk away so someone can't sneak over to your chair and "wreak all kinds of havoc" on your computer if you aren't already a local admin lol.

            So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?

            All these employees just sitting at locked computers, not allowed to use them.

            A locked computer screen wouldn't prevent this elevation from occurring.

            f1ab795f-b3ef-40f1-9881-e8ba76011d64-image.png

            DustinB3403D 1 Reply Last reply Reply Quote 0
            • DustinB3403D
              DustinB3403
              last edited by

              Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.

              Plugging an device in while locked will still have the same issue, no matter what.

              JaredBuschJ 1 Reply Last reply Reply Quote 0
              • DustinB3403D
                DustinB3403 @JaredBusch
                last edited by

                @jaredbusch http://www.quotemaster.org/images/2f/2fca2d1cae811ceeb7e317f2afab8aad.jpg

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Obsolesce
                  last edited by

                  @obsolesce said in Miscellaneous Tech News:

                  @scottalanmiller said in Miscellaneous Tech News:

                  So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?

                  Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.

                  That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.

                  ObsolesceO 1 Reply Last reply Reply Quote -1
                  • JaredBuschJ
                    JaredBusch @DustinB3403
                    last edited by

                    @dustinb3403 said in Miscellaneous Tech News:

                    Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.

                    Plugging an device in while locked will still have the same issue, no matter what.

                    The issue also clearly involves interaction with the GUI.

                    DustinB3403D 1 Reply Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller @DustinB3403
                      last edited by

                      @dustinb3403 said in Miscellaneous Tech News:

                      This 100% sounds more like an issue for Windows rather than the hardware manufacturers.

                      Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?

                      Ultimately, yes, MS is definitely the one at fault here.

                      ObsolesceO 1 Reply Last reply Reply Quote 0
                      • DustinB3403D
                        DustinB3403 @JaredBusch
                        last edited by

                        @jaredbusch said in Miscellaneous Tech News:

                        @dustinb3403 said in Miscellaneous Tech News:

                        Why the downvote on that @JaredBusch? The issue is clearly how windows supports the elevation and allows a user to select anything outside of the intended purpose.

                        Plugging an device in while locked will still have the same issue, no matter what.

                        The issue also clearly involves interaction with the GUI.

                        Sure, but the issue will still exist no matter what, regardless of the GUI the system is still vulnerable to being owned.

                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                        • ObsolesceO
                          Obsolesce @scottalanmiller
                          last edited by

                          @scottalanmiller said in Miscellaneous Tech News:

                          @obsolesce said in Miscellaneous Tech News:

                          @scottalanmiller said in Miscellaneous Tech News:

                          So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?

                          Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.

                          That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.

                          Local admin rights isn't just about trusting the user. Simply not giving a user local admin rights doesn't magically keep the user from screwing up the computer for themself or the company.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Obsolesce
                            last edited by

                            @obsolesce said in Miscellaneous Tech News:

                            @scottalanmiller said in Miscellaneous Tech News:

                            @obsolesce said in Miscellaneous Tech News:

                            @scottalanmiller said in Miscellaneous Tech News:

                            So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?

                            Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.

                            That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.

                            Local admin rights isn't just about trusting the user. Simply not giving a user local admin rights doesn't magically keep the user from screwing up the computer for themself or the company.

                            Sure. But "not a panacea" is never an argument for something.

                            1 Reply Last reply Reply Quote 0
                            • ObsolesceO
                              Obsolesce @scottalanmiller
                              last edited by Obsolesce

                              @scottalanmiller said in Miscellaneous Tech News:

                              @dustinb3403 said in Miscellaneous Tech News:

                              This 100% sounds more like an issue for Windows rather than the hardware manufacturers.

                              Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?

                              Ultimately, yes, MS is definitely the one at fault here.

                              It's up to the installer to dictate how things are done. It would be a horrible idea to be able to install device drivers without local admin privilege's. The software installer needs to run as System.

                              The problem is that the installer (made by razer) opens up a folder select window as System. That doesn't need to happen, however, it does need to happen if you want to be able to SEE or choose a folder to install to that isn't accessible to standard user.

                              scottalanmillerS 2 Replies Last reply Reply Quote 0
                              • ObsolesceO
                                Obsolesce
                                last edited by

                                For example, you can install a web browser such as Google Chrome without admin privs. But it doesn't open up a folder select window as System either.

                                Not a total comparison because it's not installing drivers, but still makes my point.

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • ObsolesceO
                                  Obsolesce @DustinB3403
                                  last edited by

                                  @dustinb3403 said in Miscellaneous Tech News:

                                  This 100% sounds more like an issue for Windows rather than the hardware manufacturers.

                                  Also, Razer reached out to confirm the bug and will fix it. Not a Windows issue.

                                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @Obsolesce
                                    last edited by

                                    @obsolesce said in Miscellaneous Tech News:

                                    @scottalanmiller said in Miscellaneous Tech News:

                                    @dustinb3403 said in Miscellaneous Tech News:

                                    This 100% sounds more like an issue for Windows rather than the hardware manufacturers.

                                    Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?

                                    Ultimately, yes, MS is definitely the one at fault here.

                                    It's up to the installer to dictate how things are done. It would be a horrible idea to be able to install device drivers without local admin privilege's. The software installer needs to run as System.

                                    The problem is that the installer (made by razer) opens up a folder select window as System. That doesn't need to happen, however, it does need to happen if you want to be able to SEE or choose a folder to install to that isn't accessible to standard user.

                                    That's a problem. No other OS does that. Other OSes, like Ubuntu, Fedora, etc. verify any drivers that are automated in this way. They don't blinding allow any vendor to create an ID and automate the installation of just anything.

                                    The problem is not from Razor, it's that there is a gaping hole in Microsoft's security strategy that allows any vendor to put code inline for automatic deployment by Microsoft as part of the OS, without security checks.

                                    1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Obsolesce
                                      last edited by

                                      @obsolesce said in Miscellaneous Tech News:

                                      The problem is that the installer (made by razer)

                                      Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razor can patch a hole. But a hole that also exists for other major vendors, like Asus.

                                      That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.

                                      ObsolesceO 1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Obsolesce
                                        last edited by

                                        @obsolesce said in Miscellaneous Tech News:

                                        For example, you can install a web browser such as Google Chrome without admin privs. But it doesn't open up a folder select window as System either.

                                        Not a total comparison because it's not installing drivers, but still makes my point.

                                        It makes MY point. It doesn't go through Microsoft's installation system, and doesn't have the flaw. It in no way supports your point.

                                        1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @Obsolesce
                                          last edited by

                                          @obsolesce said in Miscellaneous Tech News:

                                          @dustinb3403 said in Miscellaneous Tech News:

                                          This 100% sounds more like an issue for Windows rather than the hardware manufacturers.

                                          Also, Razer reached out to confirm the bug and will fix it. Not a Windows issue.

                                          How the heck does Razer being willing to bandaid Microsoft's problem suggest it is not an MS issue? I'm confused. Does this fix the issue with Asus and other drivers? Does it close the security hole?

                                          No, it does not, At all.

                                          1 Reply Last reply Reply Quote 0
                                          • ObsolesceO
                                            Obsolesce @scottalanmiller
                                            last edited by Obsolesce

                                            @scottalanmiller said in Miscellaneous Tech News:

                                            @obsolesce said in Miscellaneous Tech News:

                                            The problem is that the installer (made by razer)

                                            Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razor can patch a hole. But a hole that also exists for other major vendors, like Asus.

                                            That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.

                                            I agree with you here. It's nice and all that you don't have to dick around with things when you plug them into your computer and that they "just work". But on the other hand, MS should have caught that flaw. I agree it's their fault in the end because of that.

                                            But I disagree with others that the issue itself is caused by Windows. It's an issue in the Razer installer, but MS is responsible for the problem in the end.

                                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 15
                                            • 16
                                            • 17
                                            • 18
                                            • 19
                                            • 372
                                            • 373
                                            • 17 / 373
                                            • First post
                                              Last post