I know, it’s Xmas. I should stop working and stay with my family or.. something like that. Well I really wanna stopping but I’m still working on 3 different papers, the deadlines are at the end of January and February . It seems reasonable stop blogging just for some days but actually I don’t now If I’ll withstand to write some news on my blog. Anyway , tomorrow I wanna point out a very interesting post by Ann in her blog. Here you can find the original post (MSI Script vs Windows Security), where Ann describes how :
2) Run a low-level system tool:
If you try to do this explicitly as a regular user (or without elevated privs on Vista), Windows will politely tell you that you can’t. But if you execute the following MSI script during an installation (running the installation as a regular user), msiexec gets elevated priviledges, and can do whatever you want. Here’s an example silently disabling UAC during an installation by launching regedit from cmd. (This is run in Wise via ‘Execute Program from Destination’, Working directory: SystemFolder):
Another interesting project that I’ve seen during the past days is PhisTank.It’s a website where dedicated volunteers submit URLs from suspected phishing websites and vote on whether the submissions are valid. The idea behind PhishTank is to bring together the expertise and enthusiasm of people across the Internet to fight phishing attacks. The more people participate, the larger the crowd, the more robust it should be against errors and perhaps even manipulation by attackers.
I’m interested on this project for several reasons but one of the most important reason that carried me through this project has been reading this paper by University of Cambridge. Tyler Moore and Richard Clayton describe why and how this (great) service is vulnerable. I was amazing during the reading because it’s impossible understanding how a pretty-important conference like Financial Crypto may public this kind of (easy and not innovative) work. Maybe my though on Financial Crypto is wrong.
Hi Marco,My email is Tyler.Moore AT NOSPAM .cl.cam.ac.ukMerry Christmas,Tyler
sorry again, Tyler… My phone dictionary didnt know your right name 🙁
thank you so much Taylor for your comment. You are right on most of the points. I like this kind of critics, they often help me growing up. I’ll be glad to continue the conversation offline and to exchange some ideas on your work. Really thanks.
I’m sorry that you found the paper ‘not innovative’, though I’m actually quite pleased that you found the attacks I described as ‘easy’. That’s part of the point: PhishTank is vulnerable to manipulation due the structure of its existing users’ participation.Using the ‘wisdom of crowds’ is fine whenever you’re < HREF="http://www.galaxyzoo.org/" REL="nofollow">classifying galaxies<>, because there’s no strong motivation for anyone to manipulate the outcome. However, PhishTank could well be targeted by phishermen, as they have already < HREF="http://www.pcworld.com/businesscenter/article/137084/" REL="nofollow">launched DoS attacks<> against other vigilate sites like CastleCops.Finally, in future, if you’re going to lift three sentences from my writing (“a website where dedicated volunteers submit URLs from suspected phishing websites and vote on whether the submissions are valid. The idea behind PhishTank is to bring together the expertise and enthusiasm of people across the Internet to fight phishing attacks. The more people participate, the larger the crowd, the more robust it should be against errors and perhaps even manipulation by attackers”), please < HREF="http://www.lightbluetouchpaper.org/2007/12/21/how-effective-is-the-wisdom-of-crowds-as-a-security-mechanism/" REL="nofollow">quote the source<> instead. This might be mistaken for plagiarism otherwise.