Big security risk with global sharing

Discussion in 'Parallels Desktop for Mac' started by goron, Jan 24, 2007.

  1. drval

    drval Pro

    Messages:
    490
    I'm pleased with what I see so far and it certainly isn't mediocre. It's definitely cutting edge and working directly towards a next general release with some really important usability features "for the rest of us". And you can disable the feature you don't like -- I still don't really see why this presents such a problem for you, esp since you complained of my being a "net nanny" in prior posts. Apparently you want to be a "program nanny" for some reason. I don't; instead I want to continue using a wonderful program and facilitate the continued development and stability of it. But, then again, I've been using Windows for a number of years now and know how to handle the security issues so I have a different perspective than yours.

    FWIW I certainly appreciate your expertise and continued offers to support the Parallels effort -- as I appreciate the efforts of everyone on this forum. And I think it's best for us to work together, collegially, with some modicum of respect or at least acceptance.
     
  2. dkp

    dkp Forum Maven

    Messages:
    1,367
    Then perhaps you can have some sensitivity as to why I don't see why you cannot accept the safer customer-enabled global share. You can as easily enable what I would prefer be off by default as it is the more secure out of the box choice.

    But surely you must recognize the blackhats are winning the war of spambots and Windows drones. This is happening because a significant part of the user base does not care, or does not know how to make and keep their systems secure. This is not an imagined problem and any little thing we can do to make the Internet community safer for users of all skill levels the better.

    Something you said in another thread is sadly floating up as true - the Parallels product is not a data center class product, but rather more appropriate for the non-professional home user. That was not the impression I got last May when I became involved with Parallels. My problem is I don't want something that is adequate - I am a professional and I expect more of my tools, and now I find that even the developers are in your camp. This has been a most discouraging day.

    Then perhaps you can resist the urge to post snarky comments, and apologize for your droning, condescending, preachy comments to those of us who don't agree with you in this and other threads.
     
  3. Souken C.Ingram

    Souken C.Ingram Member

    Messages:
    28
    I simply cannot resist any longer...
    [​IMG]
    You may now proceed to bash me for the above image.
     
  4. dkp

    dkp Forum Maven

    Messages:
    1,367
  5. drval

    drval Pro

    Messages:
    490
    That is a really great image! Where did you get it -- do you have the URL? I'd love to use it in some other contexts.
     
  6. Souken C.Ingram

    Souken C.Ingram Member

    Messages:
    28
    Google image search is your friend ;) Results for "flamewar"

    Monty Python will be funny until the end of time.
     
  7. drval

    drval Pro

    Messages:
    490

    Nice, thanks for the URL.

    And now for something completely different....
     
  8. Fredric

    Fredric Member

    Messages:
    27
    No it isn't.
     
  9. dkp

    dkp Forum Maven

    Messages:
    1,367
  10. djsmmcp

    djsmmcp Bit poster

    Messages:
    3
    Deleting system files thru VM? DO NOT WANT.

    I love me some Parallels Desktop for my Mac, but I was alarmed to discover the "side effects" of global sharing. I'm less concerned about a virus or malware doing damage - I run AV and Anti-Spyware regularly in my VM and just am careful about what I execute. I'm more worried about....me!

    From within Windows, I was able to permanently delete files that I placed intentionally in my Home folder (I don't run as an admin in OS X), in my shared folder, and in my admin user folder. I'm clumsy. I could very easily accidentally delete something that I actually needed, or even an entire folder.

    Furthermore, because of the way Windows handles deleted files on shares, the files were gone forever. No recycle bin, no trash, no confirmation dialogue. (I don't run "System Restore" on my Windows VM to get them back. Should anyone really need to run that on a VM?)

    I won't join in any criticism of the Parallels team; I'll leave it to others to judge if they are doing their best to help prevent or alert users to the risk of significant problems as a result of these Mac directories being delete-able from within Windows. I just know I was alarmed to discover the implications of leaving global sharing enabled, and now that I do know, I have immediately disabled it.

    I'd have done so from day one of the install of the 3150 RC2 beta if I'd understood the risk of deletion of my Mac folders thru the VM. I suspect most users would not realize this risk any sooner than I did, but obviously I can't prove that.

    Thanks. Now back to your regularly scheduled....

    [​IMG]
     
  11. drval

    drval Pro

    Messages:
    490
    I believe that one can be equally, if not more, dangerous using unix commands within the Mac environment.
     
  12. dkp

    dkp Forum Maven

    Messages:
    1,367
    It proved more difficult than I imagined to have a rational, meaningful discussion of the problem, but you clearly got the message and acted based on your own requirements and that's all that matters. I'll bet you wish Parallels would have described the problem a bit better in their documentation rather than discovering it in a thread such as this or by good luck from your own investigations of the product.

    Cute picture :)
     
  13. Souken C.Ingram

    Souken C.Ingram Member

    Messages:
    28
    A lot of this comes down to philosophy and intent. If you want to use Windows on your Mac, global sharing should not be enabled. If you want to use Windows software on your Mac, then it probably should be enabled. I suppose the Parallels team believes the majority of users intend to do the latter.

    Either way, I'm glad to see we can all take a joke. To this day I still dare not argue Windows vs Mac vs Linux vs UNIX, unless a client demands it, of course.
     
  14. dkp

    dkp Forum Maven

    Messages:
    1,367
    Not to belabor the point, but Parallels also has a responsibility to customers and users who are not yet customers to provide some background on a feature that opens up a secured door like this. People shouldn't have to find out by serendipitous happenstance that their Mac is overexposed.
     
  15. drscience

    drscience Member

    Messages:
    30
    Precisely right. Not to mention the damage you can do with a sledge hammer, sulfuric acid or by operating your MacBook in the shower.
     
  16. cetuma

    cetuma Member

    Messages:
    40
    Huzzah!

    Bootcamp partition loads and sudo both require me to enter an admin password. I can cause far more damage with that password with a: sudo rm -rf / than anything windows can do.
     
  17. cetuma

    cetuma Member

    Messages:
    40
    If I want to use Windows on my Mac, I boot into the bootcamp partition and have video acceleration and all kinds of other windows goodies. 93.7% of the time (+/- 6.3%) I want to have windows software running in OSX. For this Parallels implemented what I wanted perfectly.
     
  18. dkp

    dkp Forum Maven

    Messages:
    1,367
    Windows viruses will have read/write access to your entire Mac hard drive, and all remote mounts you have attached to your Mac. These viruses can delete your entire home directory there, or copy parts of it or any readable part of your hard drive to a remote location on the internet. They can quietly steal your VMs and you won't know it has happened. They will run just fine at their new home. The viruses can read and exploit your email, read all your documents and share them with the world. None of this is terribly hard to do once the virus has invaded your Windows system. It is as bad as if you'd gotten a Mac virus. All you need to know is your Mac is not well protected from Windows viruses that allow running arbitrary code in Windows.

    Not everyone knows this is possible.
     
  19. cetuma

    cetuma Member

    Messages:
    40
    Actually, windows viruses would only have read/write access to directories my account has read/write access to. That is far from my entire Mac hard drive and remote mounts I have attached to my Mac. Many of the remote mounts are read only mounts - especially many of the remote windows mounts.

    Yes, the viruses can delete my entire home directory. This involves two critical components however. One is that I am stupid enough to not realize in this day and age how much security software must be loaded on a windows system that has a network connection. The second would be that I would allow the windows system access to the internet to get infected. The second is sometimes true, since within BootCamp, I do allow internet access. That still means I would have to get infected first. There are more than enough IPS devices, both network and host based that protect against 0-day attacks. Network based ones operate through anomalies in network and/or protocol traffic, while the host based systems operate through anomalies to standard system operation.

    The reason there are so many zombies and spambots out there are people still don't even have enough of a basic clue to realize they need to run security software on their system, and/or they trust in windows security.

    Granted, I've been in infosec for about 12 years now, but I've been using AV products for almost 20 years now. Between stores, magazines, and preloaded software, anybody not running protection on their machines deserves what they get. I do believe that application and OS vendors should do everything within their power to prevent memory leaks and buffer overflows, I don't however believe they should cripple a product just to benefit a few ignorant people.

    People gain a basic understanding of the threats while driving before they connect their car to the world through roads, why should it be any different before connecting their computer to the world? Or should we just put a governor on each car for speed that users have to take off the car in order to use it to its full potential? I'd rather a system that is maxed for performance with the capabilities for security.

    Realistically, even someone in pure Windows, using BootCamp to boot into Windows is still vulnerable to their Mac side being attacked. That partition still exists. Heck, I imagine it would be quite easy to configure a worm to zero out a partition so it is fully unrecoverable.

    Yes, I agree that the implication should be known of a setting, but I think it absurd that fear should win out over functionality.
     
  20. dkp

    dkp Forum Maven

    Messages:
    1,367
    The Global Share provides access to the top level of the Mac hard disk. Read-only mounts can and probably do contain data that can be harvested. Your call, I'm just the messenger.
     
