XMAS: working with 20% of overflow ... ... ... ... ... ...

I know, it’s Xmas. I should stop working and stay with my family or.. something like that. Well I really wanna stopping but I’m still working on 3 different papers, the deadlines are at the end of January and February . It seems reasonable stop blogging just for some days but actually I don’t now If I’ll withstand to write some news on my blog. Anyway , tomorrow I wanna point out  a very interesting post by Ann in her blog. Here you can find the original post  (MSI Script vs Windows Security), where Ann describes how :

1) Change the value of windows system registry values:
2) Run a low-level system tool:

Running some script (see the original post) during installation phase it’s possible get higher permissions. The main problem seems in msiexec, which gets elevated priviledges during installation phase.

If you try to do this explicitly as a regular user (or without elevated privs on Vista), Windows will politely tell you that you can’t. But if you execute the following MSI script during an installation (running the installation as a regular user), msiexec gets elevated priviledges, and can do whatever you want. Here’s an example silently disabling UAC during an installation by launching regedit from cmd. (This is run in Wise via ‘Execute Program from Destination’, Working directory: SystemFolder):

Another interesting project that I’ve seen during the past days is PhisTank.It’s a website where dedicated volunteers submit URLs from suspected phishing websites and vote on whether the submissions are valid. The idea behind PhishTank is to bring together the expertise and enthusiasm of people across the Internet to fight phishing attacks. The more people participate, the larger the crowd, the more robust it should be against errors and perhaps even manipulation by attackers.
I’m interested on this project for several reasons but one of the most important reason that carried me through this project has been reading this paper by University of Cambridge. Tyler Moore and Richard Clayton describe why and how this (great) service is vulnerable. I was amazing during the reading because it’s impossible understanding how a pretty-important conference like Financial Crypto may public this kind of (easy and not innovative) work. Maybe my though on Financial Crypto is wrong.