    Miscellaneous Tech News

    7.4k Posts 83 Posters 3.8m Views
    • DustinB3403D
      DustinB3403 @JaredBusch
      last edited by

      @jaredbusch said in Miscellaneous Tech News:

      @dustinb3403 said in Miscellaneous Tech News:

      Why the downvote on that @JaredBusch? The issue is clearly how Windows supports the elevation and allows a user to select anything outside of the intended purpose.

      Plugging a device in while locked will still have the same issue, no matter what.

      The issue also clearly involves interaction with the GUI.

      Sure, but the issue will still exist no matter what, regardless of the GUI the system is still vulnerable to being owned.

      JaredBuschJ 1 Reply Last reply Reply Quote 0
      • ObsolesceO
        Obsolesce @scottalanmiller
        last edited by

        @scottalanmiller said in Miscellaneous Tech News:

        @obsolesce said in Miscellaneous Tech News:

        @scottalanmiller said in Miscellaneous Tech News:

        So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?

        Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.

        That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.

        Local admin rights isn't just about trusting the user. Simply not giving a user local admin rights doesn't magically keep the user from screwing up the computer for themself or the company.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @Obsolesce
          last edited by

          @obsolesce said in Miscellaneous Tech News:

          @scottalanmiller said in Miscellaneous Tech News:

          @obsolesce said in Miscellaneous Tech News:

          @scottalanmiller said in Miscellaneous Tech News:

          So you are saying that all companies should keep their computers locked and only allow IT staff to use the computers and the entire idea of non-admin users should be abandoned?

          Nope, I'm saying that policies should be in place to lock screens and users should be trained to lock their computers when walking away so nobody other than the device's assigned user can wreak havoc on the device.

          That's a start. But assumes that all users can be trusted, which if we trusted them, they'd all have local admin rights.

          Local admin rights isn't just about trusting the user. Simply not giving a user local admin rights doesn't magically keep the user from screwing up the computer for themself or the company.

          Sure. But "not a panacea" is never an argument for something.

          1 Reply Last reply Reply Quote 0
          • ObsolesceO
            Obsolesce @scottalanmiller
            last edited by Obsolesce

            @scottalanmiller said in Miscellaneous Tech News:

            @dustinb3403 said in Miscellaneous Tech News:

            This 100% sounds more like an issue for Windows rather than the hardware manufacturers.

            Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?

            Ultimately, yes, MS is definitely the one at fault here.

            It's up to the installer to dictate how things are done. It would be a horrible idea to be able to install device drivers without local admin privileges. The software installer needs to run as System.

            The problem is that the installer (made by Razer) opens up a folder select window as System. That doesn't need to happen, however, it does need to happen if you want to be able to SEE or choose a folder to install to that isn't accessible to a standard user.

            scottalanmillerS 2 Replies Last reply Reply Quote 0
            • ObsolesceO
              Obsolesce
              last edited by

              For example, you can install a web browser such as Google Chrome without admin privs. But it doesn't open up a folder select window as System either.

              Not a total comparison because it's not installing drivers, but still makes my point.

              scottalanmillerS 1 Reply Last reply Reply Quote 0
              • ObsolesceO
                Obsolesce @DustinB3403
                last edited by

                @dustinb3403 said in Miscellaneous Tech News:

                This 100% sounds more like an issue for Windows rather than the hardware manufacturers.

                Also, Razer reached out to confirm the bug and will fix it. Not a Windows issue.

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Obsolesce
                  last edited by

                  @obsolesce said in Miscellaneous Tech News:

                  @scottalanmiller said in Miscellaneous Tech News:

                  @dustinb3403 said in Miscellaneous Tech News:

                  This 100% sounds more like an issue for Windows rather than the hardware manufacturers.

                  Agreed, it means that Microsoft is automating the installation of unapproved, untested, unsecure software as part of the OS process. Sure, a third party has the flaw, but where is the code review before Microsoft makes it install as part of the OS' pre-approved software list?

                  Ultimately, yes, MS is definitely the one at fault here.

                  It's up to the installer to dictate how things are done. It would be a horrible idea to be able to install device drivers without local admin privileges. The software installer needs to run as System.

                  The problem is that the installer (made by Razer) opens up a folder select window as System. That doesn't need to happen, however, it does need to happen if you want to be able to SEE or choose a folder to install to that isn't accessible to a standard user.

                  That's a problem. No other OS does that. Other OSes, like Ubuntu, Fedora, etc. verify any drivers that are automated in this way. They don't blindly allow any vendor to create an ID and automate the installation of just anything.

                  The problem is not from Razer, it's that there is a gaping hole in Microsoft's security strategy that allows any vendor to put code inline for automatic deployment by Microsoft as part of the OS, without security checks.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Obsolesce
                    last edited by

                    @obsolesce said in Miscellaneous Tech News:

                    The problem is that the installer (made by Razer)

                    Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razer can patch a hole. But a hole that also exists for other major vendors, like Asus.

                    That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.

                    ObsolesceO 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Obsolesce
                      last edited by

                      @obsolesce said in Miscellaneous Tech News:

                      For example, you can install a web browser such as Google Chrome without admin privs. But it doesn't open up a folder select window as System either.

                      Not a total comparison because it's not installing drivers, but still makes my point.

                      It makes MY point. It doesn't go through Microsoft's installation system, and doesn't have the flaw. It in no way supports your point.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Obsolesce
                        last edited by

                        @obsolesce said in Miscellaneous Tech News:

                        @dustinb3403 said in Miscellaneous Tech News:

                        This 100% sounds more like an issue for Windows rather than the hardware manufacturers.

                        Also, Razer reached out to confirm the bug and will fix it. Not a Windows issue.

                        How the heck does Razer being willing to bandaid Microsoft's problem suggest it is not an MS issue? I'm confused. Does this fix the issue with Asus and other drivers? Does it close the security hole?

                        No, it does not. At all.

                        1 Reply Last reply Reply Quote 0
                        • ObsolesceO
                          Obsolesce @scottalanmiller
                          last edited by Obsolesce

                          @scottalanmiller said in Miscellaneous Tech News:

                          @obsolesce said in Miscellaneous Tech News:

                          The problem is that the installer (made by Razer)

                          Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razer can patch a hole. But a hole that also exists for other major vendors, like Asus.

                          That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.

                          I agree with you here. It's nice and all that you don't have to dick around with things when you plug them into your computer and that they "just work". But on the other hand, MS should have caught that flaw. I agree it's their fault in the end because of that.

                          But I disagree with others that the issue itself is caused by Windows. It's an issue in the Razer installer, but MS is responsible for the problem in the end.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Obsolesce
                            last edited by

                            @obsolesce said in Miscellaneous Tech News:

                            @scottalanmiller said in Miscellaneous Tech News:

                            @obsolesce said in Miscellaneous Tech News:

                            The problem is that the installer (made by Razer)

                            Made by, but not provided by. It's being provided by Microsoft, and trusted to run by Microsoft. Who made it originally isn't really relevant in a "who is at fault" question. Sure, right this moment, Razer can patch a hole. But a hole that also exists for other major vendors, like Asus.

                            That it is already multiple vendors in exactly the same way drives home how much this is a flaw in the OS, not in the drivers. The drivers are not what is giving admin rights to non-admin users.

                            I agree with you here. It's nice and all that you don't have to dick around with things when you plug them into your computer and that they "just work". But on the other hand, MS should have caught that flaw. I agree it's their fault in the end because of that.

                            But I disagree with others that the issue itself is caused by Windows. It's an issue in the Razer installer, but MS is responsible for the problem in the end.

                            Exactly. I'm not saying that Razer shouldn't fix their stuff TOO. However, Razer should never have to worry about the situation as if the OS was working properly, their driver (nor any software) should have to worry about presenting a dialogue as an admin, to a non-admin user. Razer isn't the one creating the escalation. They are trusting that the OS is checking if it is an admin before executing the installer.

                            If you were the developer and wrote this software, you'd be like "how the hell am I supposed to write an admin protection system when the operating system is giving my program admin rights without verifying the user is the admin and agreed to it.... that's not my responsibility, I can only go to the OS for that!"

                            In this case, it's an installer (not a driver) with the issue. And likely not even an installer that Razer is making, but one that they are buying (just guessing.) Because it's a standard thing. And I bet 99% of installers have this issue, because it's an agreement between apps and the OS that the OS will not give this permission in this way, ever.

                            Imagine if you wrote a video game and the OS escalated to admin without you requesting it once in a while. You'd be pretty shocked that your software which was trusting the OS, was suddenly blamed for admin rights you didn't create or allow.

                            It's a weird situation, and one that other OSes get around by not having this kind of installation process as a normal thing. DNF / YUM / APT all avoid this by having a standard (and open source) installer that everyone shares. And never is a third party app installer ever automated by the OS.

                            Microsoft chooses not to include an installer in that way AND chooses to allow third party installers AND to allow unverified closed source ones, to run as admin automatically. It's a pretty massive shortcoming that isn't really excusable since the late 1990s.

                            1 Reply Last reply Reply Quote 0
                            • JaredBuschJ
                              JaredBusch @DustinB3403
                              last edited by JaredBusch

                              @dustinb3403 said in Miscellaneous Tech News:

                              @jaredbusch said in Miscellaneous Tech News:

                              @dustinb3403 said in Miscellaneous Tech News:

                              Why the downvote on that @JaredBusch? The issue is clearly how Windows supports the elevation and allows a user to select anything outside of the intended purpose.

                              Plugging a device in while locked will still have the same issue, no matter what.

                              The issue also clearly involves interaction with the GUI.

                              Sure, but the issue will still exist no matter what, regardless of the GUI the system is still vulnerable to being owned.

                              No, this issue, specifically requires that a user be logged in to the GUI in order to be able to exploit it.

                              Other than Mr. Microsoft ( @Obsolesce ), no one is trying to say MS doesn't have a shit ass flaw that needs fixed. But the flaw 100% requires the GUI.

                              ObsolesceO 1 Reply Last reply Reply Quote 0
                              • ObsolesceO
                                Obsolesce @JaredBusch
                                last edited by

                                @jaredbusch said in Miscellaneous Tech News:

                                Other than Mr. Microsoft ( @Obsolesce )

                                I acknowledged the flaw in their process.

                                1 Reply Last reply Reply Quote 2
                                • stacksofplatesS
                                  stacksofplates
                                  last edited by

                                  https://www.the-sun.com/tech/3525714/microsoft-power-apps-exposed-data-leaks/

                                  Kind of click-baity title but Power Apps automatically makes a database public when you enable an API to interact with the database.

                                  DustinB3403D 1 Reply Last reply Reply Quote 0
                                  • DustinB3403D
                                    DustinB3403 @stacksofplates
                                    last edited by

                                    @stacksofplates said in Miscellaneous Tech News:

                                    https://www.the-sun.com/tech/3525714/microsoft-power-apps-exposed-data-leaks/

                                    Kind of click-baity title but Power Apps automatically makes a database public when you enable an API to interact with the database.

                                    At what point do we hold people (Microsoft) criminally liable who design and implement these systems with such poor security practices, by default the database was public when using an API....

                                    Um my 3 year old would know better than to use that as a default setting.

                                    1 Reply Last reply Reply Quote 1
                                    • mlnewsM
                                      mlnews
                                      last edited by

                                      Google Pay team reportedly in major upheaval after botched app revamp

                                      "Dozens of employees and executives have left" the struggling payments division.
                                      Google Pay is apparently just as much a disaster internally as the app transition has been externally. That's the big takeaway from a recent Business Insider article detailing an exodus of executives from Google's payment division, lower-than-expected app adoption, and employees frustrated with the slow movement of the division. Business Insider spoke with ex-employees and learned that "dozens of employees and executives have left" the Google Payments team in recent months, including "at least seven leaders on the team with roles of director or vice president." The most prominent departure, of payments chief Caesar Sengupta, kicked off the exodus in April, and now employees are worried about another reorganization and even slower progress. Many rank-and-file team members have reportedly departed, too, with the story saying, "One former employee estimated that half the people working on the business-development team for Google Pay—a group of about 40 people—have left the company in recent months."

                                      1 Reply Last reply Reply Quote 0
                                      • black3dynamiteB
                                        black3dynamite
                                        last edited by

                                        https://www.omgubuntu.co.uk/2021/08/gnome-41-features-and-changes

                                        1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller
                                          last edited by

                                          As expected, another vendor hardware installer exposed critical Windows 10 bug...

                                          https://www.bleepingcomputer.com/news/security/steelseries-bug-gives-windows-10-admin-rights-by-plugging-in-a-device/

                                          1 Reply Last reply Reply Quote 1
                                          • mlnewsM
                                            mlnews
                                            last edited by

                                            Need to get root on a Windows box? Plug in a Razer gaming mouse

                                            Razer's automatically downloaded installer exposes a SYSTEM shell to any user.
                                            This weekend, security researcher jonhat disclosed a long-standing security bug in the Synapse software associated with Razer gaming mice. During software installation, the wizard produces a clickable link to the location where the software will be installed. Clicking that link opens a File Explorer window to the proposed location—but that File Explorer spawns with SYSTEM process ID, not with the user's. By itself, this vulnerability in Razer Synapse sounds like a minor issue—after all, in order to launch a software installer with SYSTEM privileges, a user would normally need to have Administrator privileges themselves. Unfortunately, Synapse is a part of the Windows Catalog—which means that an unprivileged user can just plug in a Razer mouse, and Windows Update will cheerfully download and run the exploitable installer automatically.

                                            DustinB3403D 1 Reply Last reply Reply Quote 0
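
A detection-side view of the behaviour the article above describes (File Explorer spawning as SYSTEM on a logged-in user's desktop), as an added example that is not part of the original post or of any vendor's tooling. Field names follow Sysmon process-creation events (Event ID 1); the sample events, the `VendorInstaller.exe` name, the paths and the short GUIDs are constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any platform

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Programs that hand whoever sits at the desktop a file browser or a prompt.
INTERACTIVE_IMAGES = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}


def _event(guid, parent, image, user, session):
    """Build a simplified process-creation record (constructed sample data)."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "User": user, "TerminalSessionId": session}


# Constructed events: a SYSTEM service starts an installer on the user's
# desktop (session 1), and the installer opens File Explorer as SYSTEM.
SAMPLE_EVENTS = [
    _event("A1", "A0", r"C:\Windows\System32\svchost.exe", SYSTEM_USER, 0),
    _event("A2", "A1", r"C:\Windows\Temp\VendorInstaller.exe", SYSTEM_USER, 1),
    _event("A3", "A2", r"C:\Windows\explorer.exe", SYSTEM_USER, 1),
    # Normal desktop shell owned by the logged-in user: must not alert.
    _event("B1", "B0", r"C:\Windows\explorer.exe", r"CORP\alice", 1),
    # SYSTEM prompt in session 0 (service context, no desktop): must not alert.
    _event("C1", "A1", r"C:\Windows\System32\cmd.exe", SYSTEM_USER, 0),
]


def image_name(event):
    return basename(event["Image"]).lower()


def lineage(event, by_guid):
    """Walk parent links as far as the log allows; oldest ancestor first."""
    chain, seen = [], set()
    while event is not None and event["ProcessGuid"] not in seen:
        seen.add(event["ProcessGuid"])  # guards against a looping log
        chain.append(image_name(event))
        event = by_guid.get(event["ParentProcessGuid"])
    return chain[::-1]


def find_system_desktop_processes(events):
    """Flag interactive programs running as SYSTEM outside session 0."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if (e["User"].upper() == SYSTEM_USER
                and e["TerminalSessionId"] != 0
                and image_name(e) in INTERACTIVE_IMAGES):
            hits.append({"ProcessGuid": e["ProcessGuid"],
                         "Image": e["Image"],
                         "Session": e["TerminalSessionId"],
                         "Lineage": lineage(e, by_guid)})
    return hits


if __name__ == "__main__":
    for hit in find_system_desktop_processes(SAMPLE_EVENTS):
        print(f"ALERT session {hit['Session']}: {' -> '.join(hit['Lineage'])}")
```

The lineage in the alert is what lets an analyst tell an installer-spawned SYSTEM window apart from other causes, since the rule itself keys only on user, session and image name.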