Re: [OpenAFS] What you need to know about Windows 10
On Jul 29, 2015, at 9:10 AM, Jeffrey Altman wrote:

> On 7/29/2015 3:12 AM, Antoine Verheijen wrote:
>> Putting my security hat on: certified drivers does not provide ANY
>> additional degree of security whatsoever. It merely states that the
>> certifier has blessed it using whatever criteria they use (in many
>> cases, simply financial payment).
>>
>> What guarantee(s) is the certifier prepared to live up to via their
>> certification? If none, why is it required?
>
> Certification provides quality control. Microsoft's signing of the
> kernel drivers does not involve any payment. Microsoft is willing to
> sign any drivers that have passed the required quality control checks
> which include test suites, static analysis, and feature/capability lists.

I'll accept this point at face value, in particular as I have no direct experience with Microsoft in this regard. Furthermore, I realize in hindsight that this is not the venue to discuss an issue of this sort as it does not relate in any meaningful way to AFS, the real subject of this mailing list, and I should never have made my initial comments in this discussion list. I apologize for having done so.

> The only additional security benefit of Microsoft signing the drivers as
> opposed to permitting vendors to use issued cross signing certificates
> is that a vendor can no longer be hacked and have their signing key be
> used without their knowledge to sign unapproved binaries without a paper
> trail.

This is a totally valid point, one which I had not considered, and which most certainly does provide increased security (albeit perhaps not of the sort I had in mind), clearly contradicting my initial assertion. :-)

> Jeffrey Altman

Once again, apologies for the inappropriate content. I'll try to be more considerate. :-)

Bye for now.

Antoine Verheijen
Phone: (780) 462-9696

___
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] What you need to know about Windows 10
On 7/29/2015 3:12 AM, Antoine Verheijen wrote:

> Putting my security hat on: certified drivers does not provide ANY
> additional degree of security whatsoever. It merely states that the
> certifier has blessed it using whatever criteria they use (in many
> cases, simply financial payment).
>
> What guarantee(s) is the certifier prepared to live up to via their
> certification? If none, why is it required?

Certification provides quality control. Microsoft's signing of the kernel drivers does not involve any payment. Microsoft is willing to sign any drivers that have passed the required quality control checks which include test suites, static analysis, and feature/capability lists.

The only additional security benefit of Microsoft signing the drivers as opposed to permitting vendors to use issued cross signing certificates is that a vendor can no longer be hacked and have their signing key be used without their knowledge to sign unapproved binaries without a paper trail.

Jeffrey Altman
Re: [OpenAFS] What you need to know about Windows 10
On Wed, Jul 29, 2015 at 9:56 AM, Brandon Allbery wrote:

> On Wed, 2015-07-29 at 01:12 -0600, Antoine Verheijen wrote:
> > What guarantee(s) is the certifier prepared to live up to via their
> > certification? If none, why is it required?
>
> It is a point... Apple is apparently willing to let anyone request a
> kext signing certificate,

I gather the requests are vetted even if the kexts are not directly so

-- D
Re: [OpenAFS] What you need to know about Windows 10
On Wed, 2015-07-29 at 01:12 -0600, Antoine Verheijen wrote:

> What guarantee(s) is the certifier prepared to live up to via their
> certification? If none, why is it required?

It is a point... Apple is apparently willing to let anyone request a kext signing certificate, whereas Microsoft requires you to submit the extension to them for signing and presumably validate it in some way.

--
brandon s allbery kf8nh
sine nomine associates
unix openafs kerberos infrastructure xmonad
http://sinenomine.net
Re: [OpenAFS] What you need to know about Windows 10
Putting my security hat on: certified drivers does not provide ANY additional degree of security whatsoever. It merely states that the certifier has blessed it using whatever criteria they use (in many cases, simply financial payment).

What guarantee(s) is the certifier prepared to live up to via their certification? If none, why is it required?

Just my thoughts. Thanks for listening. :-)

Antoine Verheijen
Phone: (780) 462-9696

On Jul 29, 2015, at 12:48 AM, Gary Buhrmaster wrote:

> On Wed, Jul 29, 2015 at 12:28 AM, Jeffrey Altman wrote:
>
>> Tomorrow(*)
>
> Thanks for the update/reminder. And thanks for your
> willingness to build "one last time" for Windows 10.
> It really is "above and beyond" what anyone has any
> right to expect.
>
> Personally, I have no idea if Windows 10 will be
> everything MS wants it to be(**), but (putting my security
> hat on) moving to certified drivers is the right way
> forward, regardless of how it impacts some projects
> (and those projects need to "step up their game").
>
> Thanks.
>
> Gary(***)
>
> (*) The right statement to many on Wednesday really should be:
> "and then, and then, do the smart thing, let someone else try first"
>
> (**) "It's tough to make predictions, especially about the future"
>
> (***) Can't find a quote to steal over my sig.
Re: [OpenAFS] What you need to know about Windows 10
On Wed, Jul 29, 2015 at 12:28 AM, Jeffrey Altman wrote:

> Tomorrow(*)

Thanks for the update/reminder. And thanks for your willingness to build "one last time" for Windows 10. It really is "above and beyond" what anyone has any right to expect.

Personally, I have no idea if Windows 10 will be everything MS wants it to be(**), but (putting my security hat on) moving to certified drivers is the right way forward, regardless of how it impacts some projects (and those projects need to "step up their game").

Thanks.

Gary(***)

(*) The right statement to many on Wednesday really should be:
"and then, and then, do the smart thing, let someone else try first"

(**) "It's tough to make predictions, especially about the future"

(***) Can't find a quote to steal over my sig.
[OpenAFS] What you need to know about Windows 10
Tomorrow is Wednesday July 29 and the day that Microsoft is going to release Windows 10 to approximately 5 million users that have either been a part of the Windows Insider program or pre-registered for a free upgrade. Windows 10 will be made available to volume license customers on August 1. Some vendors such as Dell and Lenovo will begin shipping pre-loaded systems tomorrow and stores such as Best Buy have been encouraged to upgrade current stock to Windows 10 before they let the machines out the door. The USB Flash Disk images will be shipping on August 30.

There will not be a build of OpenAFS 1.7 targeted at Windows 10 available on the release day. I am hoping to produce what will be my last "OpenAFS" branded client with support for Windows 10 by the start of the AFS and Kerberos Best Practices Workshop on August 17th. After that I will only be releasing AuriStor branded clients and I will explain why at the end of this letter.

First, what do I know about the existing 1.7.32 build and Windows 10.

1. The 1.7.32 build does work (for the most part) on Windows 10 but

   1a. the installation will be damaged during an upgrade from Windows 7 or Windows 8.1 to Windows 10. In particular, the network provider registration will be lost. End users should be encouraged to run "Repair" on the OpenAFS components after the installation is complete.

   1b. there are some changes to the method by which the afs redirector is accessed that can under some circumstances result in a BSOD.

2. The infamous Explorer Shell caching bug that resulted in reports that there are 0 bytes free when copying files to \\AFS has been fixed in Windows 10.

3. As a result of the Explorer Shell bug being fixed the AFS redirector needs to be modified to undo the hack that disabled the reporting of read only volume state.

4. There is another known bug in shell32.dll that has not been fixed that can result in a deadlock if a UNC path such as \\afs\share-does-not-exist\ is entered into the explorer shell or into a file open/save dialog box. I have a workaround to implement in OpenAFS but it is not ready.

5. There are known bugs in the AFS redirector or service that can

   5a. prevent failover to alternative .readonly volume sites

   5b. result in access to the wrong file object if two or more objects exist with names that differ only by case in the same directory

6. The Netbios interface that the afsd_service relies on for the SMB server interface has been removed in Windows 10. As a result the AFS SMB interface must be permanently disabled when running on Windows 10.

7. Windows 10 supports UNC hardening for secure access to roaming profiles and network based executables and configuration files. Microsoft best practice states that UNC hardening should be turned on. UNC hardening protects against man in the middle attacks that can result in execution of untrusted code or the loading of untrusted user registry hives by the system. OpenAFS does not support UNC hardening and it must remain disabled.

By the workshop I plan to have an OpenAFS based installer to distribute. This installer will not be signed by Microsoft but by the older cross-signing certificate method.

By the workshop I also hope to demo the first AuriStor based client which will:

1. support UNC hardening
2. support IPv6 connectivity
3. include a new kernel driver to process ICMP messages for faster failover and detection of IPv6 Path MTU sizes.
4. be compiled with Visual Studio 2015
5. be signed by Microsoft

This client will be the client that I am going to submit to Microsoft for certification testing. It is my hope that certification approvals will be issued by October 16th which is expected to be the day that production quality previews of Server 2016 will be released. As I have mentioned previously, only drivers that were signed by Microsoft and include a certification attribute in the signature can be loaded on forthcoming Windows Server releases.

Support for Server Nano will not be completed by October. I am hoping that can be completed by Spring 2016.

Jeffrey Altman
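Added example, not part of the original message or of OpenAFS: an audit of Windows "Hardened UNC Paths" policy entries, flagging those that would apply to a \\afs path, which item 7 above says must remain unhardened for the OpenAFS client. The function names, the sample policy and the cell name example.org are constructed, and the pattern matching is a simplified assumption about how the policy matches paths.

```python
# Added example: constructed policy data and simplified matching (assumptions).
# On Windows the policy values are stored under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
OPTION_NAMES = ("RequireMutualAuthentication", "RequireIntegrity", "RequirePrivacy")

def parse_options(value):
    """Return the options set to 1 in a comma-separated policy value."""
    enabled = set()
    for part in value.split(","):
        name, _, flag = part.partition("=")
        for known in OPTION_NAMES:
            if name.strip().lower() == known.lower() and flag.strip() == "1":
                enabled.add(known)
    return enabled

def split_unc(path):
    """Return (server, share) of a UNC path or pattern, lower-cased."""
    if not path.startswith("\\\\"):
        raise ValueError("not a UNC path: %r" % path)
    parts = path[2:].split("\\")
    return parts[0].lower(), (parts[1].lower() if len(parts) > 1 else "")

def pattern_matches(pattern, unc_path):
    # Supports \\server\share, \\*\share and \\server\* patterns.
    p_server, p_share = split_unc(pattern)
    server, share = split_unc(unc_path)
    if p_server == "*" and p_share in ("", "*"):
        return False  # all-wildcard patterns are treated as unsupported here
    return p_server in ("*", server) and p_share in ("*", share)

def hardening_conflicts(hardened_paths, unc_path):
    """List (pattern, enabled options) for each entry that hardens unc_path."""
    hits = []
    for pattern, value in hardened_paths.items():
        enabled = parse_options(value)
        if enabled and pattern_matches(pattern, unc_path):
            hits.append((pattern, sorted(enabled)))
    return sorted(hits)

# Constructed sample policy: value name is the pattern, data is the option list.
SAMPLE_POLICY = {
    r"\\*\NETLOGON": "RequireMutualAuthentication=1, RequireIntegrity=1",
    r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
    r"\\afs\*": "RequireMutualAuthentication=1",
    r"\\fileserver\profiles": "RequireIntegrity=0",
}

if __name__ == "__main__":
    for path in (r"\\afs\example.org\user", r"\\afs\netlogon\x"):
        print(path, hardening_conflicts(SAMPLE_POLICY, path))
```

An empty result for every \\afs path in use means no hardening entry covers AFS; wildcard-server entries such as \\*\NETLOGON still match an AFS cell that happens to carry that share name.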
