
Thread: Vista - drivers signing

  1. #1
    Registered User
    Join Date
    Oct 2003
    Location
    Bulgaria
    Posts
    16

    Vista - drivers signing

    http://www.eweek.com/article2/0,1759,1914966,00.asp

  2. #2
    I for one am never going to use this OS even if this "feature" gets cracked... since when did Microsoft say what I can and cannot run on my machine?!?!

    M$ has been quite dictatorial recently, it seems. All the while, they concentrate on superfluous features of their software and leave the *real* issues until after they release it...
    Last edited by LLXX; February 7th, 2006 at 23:56.

  3. #3
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,126
    Blog Entries
    5
    I don't know that it's all that popular with professional driver writers either. There's a debate about it on NTDEV as well as 'official' blogs,

    http://blogs.msdn.com/craigrow/archive/2006/01/26/517922.aspx

  4. #4
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    LLXX, I recommend in the future you do some research before believing online magazine articles.

    The eWeek article is extremely misleading. Vista users will be able to run unsigned drivers by attaching a kernel debugger or by booting with F8. See http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/x64KMSigning.doc for details.

  5. #5
    ...but that still entails quite a hassle. I know that any software restriction can be overcome with RCE, but the point is that Microsoft is trying to gain more control over our machines. In the future, they might require that *all* software be signed, not just drivers, with the same reasoning. I'm sure if that happened, everyone except the most mindless lusers would have something to say. This is just the beginning, the beginning of a downward progress...

  6. #6
    Quote Originally Posted by disavowed
    LLXX, I recommend in the future you do some research before believing online magazine articles.

    The eWeek article is extremely misleading. Vista users will be able to run unsigned drivers by attaching a kernel debugger or by booting with F8. See http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/x64KMSigning.doc for details.
    But Microsoft has been consistently trying to lock out the small company/hobbyist crowd.

    http://www.boingboing.net/2006/01/30/msft_our_drm_licensi.html


    The bombshell was Amir's explanation of the reason that his employer charges fees to license its DRM. According to Amir, the fee is not intended to recoup the expenses Microsoft incurred in developing their DRM, or to turn a profit.

    The intention is to reduce the number of licensors to a manageable level, to lock out "hobbyists" and other entities that Microsoft doesn't want to have to trouble itself with.
    That is Amir Majidimehr, Corporate VP of the Windows Digital Media Division, which oversees licensing and deployment of Microsoft's DRM.

  7. #7
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by LLXX
    Microsoft is trying to gain more control over our machines
    How does this give Microsoft any more control over your machine? It doesn't allow Microsoft to do anything new that they couldn't do before.

  8. #8
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815
    Personally I think M$ requiring signed drivers is a positive thing..it will banish those evil protectors that try to own the O.S., as well as any ring0 virii that may be in our future....(well, it would only banish protectors that could not afford to pass driver signing - but patchguard will kill Themida, etc...) - Also preventing rootkits (If one does write a rootkit, we could easily track them down henceforth)

    So many M$ haters out there always moan about M$'s unsecurity. I think this is definitely a positive step forward. (The haters want it both ways - they want security, but yet they still want to hate M$)

    DAMNIT don't people get it? Windows is everywhere, and most users do not have computer knowledge, so these hacking bastards take advantage of them. So since we (I) can't track down each and every spammer or rootkit developer and give them a swift kick in the groin, then we must make win more secure, period. Crimony, one may not like m$, but I can guarantee that your financial information is sitting on a m$ o.s. based server somewhere. This is real life we are talking about. The modern day phishers and spammers have realized it. Everyone else needs to as well.


    -nt20
    Last edited by nikolatesla20; February 9th, 2006 at 16:05.

  9. #9
    ...but Sony's rootkit was signed, no? Who signed it?

    Honestly, I think they should simply put a serious "this thing might take control of all your PC, INTERNET and DATA, are you sure?" out of 'windows' control -so that intercepting it would not be feasible- whenever something unverified is trying to gather ring0 access, yeah, something cool like BSODs

    How many users would answer "yes, I accept the risk"?? I had friends that blocked internet this way, just because the big Kerio warnings popped out...
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  10. #10
    This is not really about security.
    Driver signing is not security.

    Imho, this is all about DRM.
    This document clearly states my opinion:
    http://www.microsoft.com/whdc/device/stream/output_protect.mspx

    Btw, very interesting protection mechanisms described in the doc.

    Regards,
    Opc0de

  11. #11
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by Maximus
    ...but Sony's rootkit was signed, no?
    I don't know whether or not Sony's "rootkit" was signed. However, if it was signed, then it would be trivial to determine who wrote it (in this case, Sony). The same can't be said for truly malicious rootkits. Requiring a path of non-repudiation via signing is a huge step forward in hindering the authoring and distribution of malicious rootkits.

    Quote Originally Posted by Maximus
    Honestly, I think they should simply put a serious "this thing might take control of all your PC, INTERNET and DATA, are you sure?" out of 'windows' control -so that intercepting it would not be feasible- whenever something unverified is trying to gather ring0 access, yeah, something cool like BSODs

    How many users would answer "yes, I accept the risk"?? I had friends that blocked internet this way, just because the big Kerio warnings popped out...
    I hope this is not a serious suggestion.
    1. If Windows displayed that prompt, then it couldn't be out of Windows's control.
    2. Even if it could be out of Windows's control, users will always click "Yes" because they want to make $0.005 for clicking on banners or they want to see flying pink elephants.

    By taking security decisions out of the hands of the common user, social engineering attacks are greatly hindered.

  12. #12
    Quote Originally Posted by Opcode
    This is not really about security.
    Driver signing is not security.

    Imho, this is all about DRM.
    This document clearly states my opinion:
    http://www.microsoft.com/whdc/device/stream/output_protect.mspx

    Btw, very interesting protection mechanisms described in the doc.

    Regards,
    Opc0de
    Yes. It is DRM, which is all about preventing you from doing what you want with your hardware and software, while giving software and hardware companies more control over what your machine can and cannot do. Just like Trusted Computing, in a way.

  13. #13
    Quote Originally Posted by disavowed
    Requiring a path of non-repudiation via signing is a huge step forward in hindering the authoring and distribution of malicious rootkits.
    This is true, but the problem remains: why should I pay $$ for signing drivers and each update/upgrade at m$? They started this 'policy' when they initially marketed the 'designed 4 win95 app' logo in the nineties, and still go on on such line.

    It would just be a tax (well, another one) on small developers (do you think they'll sign for free every patch/upgrade and so on? Not even ATI signs all its drivers...)


    Quote Originally Posted by disavowed
    I hope this is not a serious suggestion.
    Yes and No

    Quote Originally Posted by disavowed
    1. If Windows displayed that prompt, then it couldn't be out of Windows's control.
    2. Even if it could be out of Windows's control, users will always click "Yes" because they want to make $0.005 for clicking on banners or they want to see flying pink elephants.
    1. Out of 'Windows', not out of Windows. You can check kb and mouse far before they fall down in the messaging pump.
    2. Nothing is fool-proof. But as I said, I know many users really worried of security, often discouraged when they discover they need to install and use 5-6 products to gather a minimal security level. ...You would only save ppl capable of using the brain when a big red mark appears

    Quote Originally Posted by disavowed
    By taking security decisions out of the hands of the common user, social engineering attacks are greatly hindered.
    This is ethically a very controversial point. Let's start FAR. Aristotheles (whatever this is written in english) in his analysis of Politics said that a nation should not take care of the citizens as if they were idiot children. Still, 2'500 years after, I perfectly agree (ok, I made it short, or the post would be 10 pages long).
    Who is M$ for choosing in my name what is good and what is not for me? Windows is an M$ property, no doubt in it, but it is also an OS. And m$ 'should' guarantee my rights of having the OS work for my software, and not 'taking' over my control of the PC like sony's DRM.
    M$ choices affect a very large number of ppl in all the world, so m$ is not (at least ethically) free to do whatever it wants.

    Whereas requiring the signing of everything good that run at r0 is a good thing for ~reducing~ and block the malware creators, it will not make it at (nearly) zero cost -ready to bet it.

    The reason, again, is ethic and is tied to the willingness of m$ to impose what it thinks right for it to billion users, in the name of 'security' without really giving ppl a true choice, just an 'order'.

    The reasoning you exposed is wrong -in my opinion- because the choice is not taken by many ppl like ANSI, but by a very restricted group of ppl which probably follows DRM rules, not surely 'what is better for end-user'. If it was, winhome should not possess full socket implementation, a basic firewall should have been implemented since win95 days at least etc etc.

    So, whereas I agree in principle that certain choices should be removed from endless discussions and removed from socials, I still think that they should not be superimposed by a bunch of programmers that have the duty of preventing DRM breaks -at least they should be engineered in a more serious fashion.

    I perfectly understand that this is impossible due to the fact m$ is a private company. Still, a company with a billion of users should have 'limits' for its heavy social impact.

    Regards,
    Maximus
    Last edited by Maximus; February 10th, 2006 at 08:02.

  14. #14
    : Code Injector : nikolatesla20's Avatar
    Join Date
    Apr 2002
    Location
    :ether:
    Posts
    815
    Quote Originally Posted by Maximus
    This is true, but the problem remains: why should I pay $$ for signing drivers and each update/upgrade at m$? They started this 'policy' when they initially marketed the 'designed 4 win95 app' logo in the nineties, and still go on on such line.

    I
    Regards,
    Maximus

    You don't have to pay to have them signed. As the article states M$ will give out the PID for free to use for signing, all the developer has to pay for is the Verisign license for the digital signature.

    -nt20

  15. #15
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by Maximus
    why should I pay $$ for signing drivers and each update/upgrade at m$?
    nikolatesla answered the drivers part. As for the update part, Microsoft doesn't charge people for updates.

    Quote Originally Posted by Maximus
    It would just be a tax (well, another one) on small developers
    Small developers aren't manufacturing hardware en masse, though. This is not aimed at small developers.

    Quote Originally Posted by Maximus
    (do you think they'll sign for free every patch/upgrade and so on? Not even ATI signs all its drivers...)
    ATI is not a small developer. I would rather install a signed ATI driver than an unsigned one.

    Quote Originally Posted by Maximus
    I know many users really worried of security, often discouraged when they discover they need to install and use 5-6 products to gather a minimal security level.
    5-6 products?! I see the need for antivirus software, and perhaps firewall software if they're not behind a router, but they shouldn't need anything else if they follow safe habits.

    Quote Originally Posted by Maximus
    Who is M$ for choosing in my name what is good and what is not for me?
    Microsoft is not choosing for you. You're not the average user. Microsoft is choosing what's best for the average user, and tries to give everyone else options to change the defaults (related to the 80/20 rule).

    Quote Originally Posted by Maximus
    And m$ 'should' guarantee my rights of having the OS work for my software
    What if your software is malware? Why should Microsoft guarantee that your malware will work?

    Quote Originally Posted by Maximus
    The reason, again, is ethic and is tied to the willingness of m$ to impose what it thinks right for it to billion users, in the name of 'security' without really giving ppl a true choice, just an 'order'.
    I still don't see why you keep saying that people don't have a choice. People will still be able to install unsigned drivers if they want to.

    Quote Originally Posted by Maximus
    a bunch of programmers that have the duty of preventing DRM breaks
    Again, this has nothing to do with DRM. This is to make it more difficult to write and spread malware.
