The Washington Post says Parallels is bad...

Discussion in 'Parallels Desktop for Mac' started by scottmcdaniel, Feb 10, 2007.

  1. JollyRoger

    Developers are anything but security experts... I will ask you the same question again.

    What qualifies you as a SECURITY expert, specifically what qualifies you as an expert in malware/viruses and current threats and vectors of attack?

    Without such credentials I am sorry to say you are anything but an expert on the topics you are attempting to discuss.

    And let's be 100% clear on this subject. This is not about zealotry, this is not about OS preference. This is about someone attempting to pass themselves off as a security expert. If you have the credentials then absolutely discuss the topic as a subject matter expert. If you don't, please refrain from misleading people based on your own limited experience and opinion. And please don't take this as a personal attack, it isn't. I am just sick and tired of people acting like they know what they are talking about. If you are the expert you try and come off as then by all means I am sorry. If you are not then please state your "opinions" as they are.
     
  2. JollyRoger
    Let me clarify for others..

    This is a SECURITY ISSUE, not a development issue.

    It is just a matter of time before Proof of concept code pops up. Then what?
     
  3. drval
    Then we deal with what arises when it arises -- like the attacks that will eventually come to Mac as it gains market share and profile. Yes, the quality and nature of the attacks will undoubtedly be different, but they will emerge over time. I haven't characterized myself as a security expert -- and you haven't given any specific qualifications that are meaningful/relevant for you, so I don't know if I'd fulfill those or not. I've described myself, my experience and my role in the world of computing, including that the applications I've developed and those with which I interact require transmission of confidential information. I do understand the relevant issues at least a little bit. If you have a different view, then present it as a different view.

    I provide remote desktop-based maintenance services in real time and am aware of the security issues with Windows. As a user, developer and maintainer of such systems I know that ease of interoperability is a high priority for Windows users. In this sense -- and FWIW -- I'd say that MS was right about tight integration of the working environment. Most users don't want to have to "figure out" how to interface a different browser to a special media player so that... They just want the overall system to work.

    Yes, Mac does this as well -- this isn't a "Windows is better" or "Mac is better" debate, at least not as far as I'm concerned.

    BTW there was at least one other poster who also characterized this particular disagreement as a difference in perspective. I do hope that you're NOT saying there's only one true way and faith?
     
  4. Resuna
    Then there will be a brief flurry of flamage on Slashdot, and Parallels will either change the default or follow Microsoft's and Apple's lead and put in some half-baked patch to try and make an inherently insecure operation secure. Nobody will bother turning the demo into a live exploit, Parallels fanboys will trumpet how secure Parallels is, Apple's fanboys will trumpet about how secure Parallels is thanks to Mac OS X, and I'll add another entry to my blog about how a problem is being papered over.

    What, me cynical?
     
  5. drval
    And has anyone here discussed the role that Shared Networking could play in this, along with "due diligence" concern for removable media being mounted, and the same concerns about attachments and such that Windows users already know?
     
  6. Resuna
    You don't need to make people "figure out how to interface a different browser to a special media player" to have a secure environment.

    You can write a media player for a sandboxed environment, or write a plugin that can be installed externally by the user, depending on whether a sandboxed media player is adequate or not. Most sites these days do both at the same time: they use a sandboxed media player that runs in a sandboxed environment provided by a plugin they download and install. And somehow people manage to download and install Flash Player and use it without difficulty.

    Meanwhile, less than one percent of websites out there actually require ActiveX to operate.

    Which means that all the viruses and worms and spyware that have used Microsoft's inherently unfixably insecure ActiveX-HTML combination have been suffered in vain, because Microsoft was wrong about sandboxes being inherently too slow, and they were wrong about plugins being inherently too hard.
     
  7. JollyRoger
    MOAB anyone?

    I don't need to share my credentials, I'm not the one spouting off as if I were an expert. I am simply trying to question your expertise. And since you are not able to provide any credentials (not even a CISSP number) I doubt you are qualified to make a proper risk assessment on this matter.

    I have not made a comment on Mac/Windows. Different tools in the toolbox.

    My questioning has been about your qualifications as an expert in this subject matter based on your constant posting and attempts to pass your opinion off as fact.

    My worry is that other people who are not well versed in infosec and current attack vectors will be misled into a false sense of security. As for "no one will make an exploit for a beta product", don't kid yourself. I have seen attacks in the wild for ActiveX controls that have a much smaller market penetration than Parallels on Mac.
     
  8. Resuna
    I've been a system administrator and security guy for 20 years, I've been fighting a rearguard action against Internet Explorer for 10, and I've had to put up with a bloody professional software developer whining at me about how HE should be an exception to my rule about not using Outlook while I was cleaning his computer because he'd gotten a virus through Outlook. So I don't believe that "Windows users already know".
     
  9. drval
    I haven't said -- or implied -- that "no one will make an exploit for a beta product". And the point I was making about interoperability was not even essentially about ActiveX, and certainly not ActiveX-HTML in webpages.

    Perhaps you missed my post about how to really ensure security by not connecting to the internet, not using removable media, keeping your system completely isolated? As soon as you begin to work backwards from THAT POINT, the question of "what is reasonable risk" begins to emerge. And that question will be answered differently by different users in different environments.

    I don't see ANYONE saying there is no risk in using Parallels, specifically in using it with GFS enabled. The question is what is reasonable risk and how do we continue to assess that ongoingly as the environment shifts, along with changing requirements and "wish lists" from users.

    Do you really think that people don't know there's a potential problem with GFS?

    So I'll say it again. I'm comfortable with the current implementation as a beta product -- work in progress -- and look forward to the ultimate GA. I think GFS is a great tool, as long as one keeps in mind the inherent problems of Windows environments. Perhaps this isn't an issue with Unix or other OSs at this time because such functionality isn't implemented -- I don't know because I'm using Parallels in that way and haven't even begun to evaluate that. I also won't yet deploy systems with Parallels. It's just too early in the release process. But then again I also won't be deploying any Vista-based solution for a while either.

    I'm more comfortable than you are (apparently). Can that be a difference in perspective or not?
     
  10. JollyRoger
    I care not about people's preference for risk, I do however care about ignorance being pawned off as expertise. Everyone has their own pools of ignorance to draw from, but a wise man knows where those pools lie and walks around them without getting his shoes soaked.
     
  11. jtenenb
    Not to step into the middle of this "conversation", but can someone lay out the actual benefits of having the global share on, aside from drag-and-drop functionality which apparently still works with it turned off? Can we list the pros and cons maybe?

    -J
     
  12. drval
    I understand about walking around the pools and the real way to make certain to avoid ALL of "the pools" is to not connect to a network and not allow in removable media. Absent doing that, IMO the rest is calculated risk, based on assessment of what is required, what is desired, what is likely, what can be avoided, minimized or recouped.

    So I'll ask again (in a short form) since you didn't respond directly to it:

    I'm more comfortable than you are (apparently). Can that be a difference in perspective or not?
     
  13. drval
    Yes, I'd really like to see that, esp. with a response from Parallels about what role is played by GFS actually being enabled or not. Someone else had mentioned that they had received a reply from Parallels concerning or relating to this. I'd really like to have that information.

    I'm also interested in the relative contribution of Shared Networking vs other networking modes and would really like that to be directly addressed as well.
     
  14. JollyRoger
    Most likely it is a difference in perspective given our different backgrounds.
     
  15. drval
    Yes, that is usually the source of almost every difference in perspective. It's also IMO a fundamental reason for us all to maintain as much civility as possible, esp when sharing our different perspectives and different backgrounds.
     
  16. chrisj303
    No, most users probably don't. I didn't have a clue about its potential problems until I read about it on these forums. I would have much rather found out about it via Parallels documentation, at which point (if it was defaulted to OFF) I could have made an informed decision on whether or not to utilize it.
    Sadly this is not the case.
     
  17. drval
    I think you're pointing out what WAS the case and, in that specific regard, I think it's also really important to remember that this is still beta/RC code. Documentation is frequently not very well done and certainly not complete in beta/RC code.

    It seems to me that, with titles like "Washington Post says Parallels is bad..." and "Big security risk with Global Sharing" that the word is definitely getting out there during this process. FWIW I never load on beta/RC code without thoroughly reading the available postings/documentation/whatever and still then not in any "mission critical" way.

    Perhaps that's something that I learned by working for so long in the Windows world but I think it just makes sense.
     
  18. Resuna
    Regardless, it should default to "off" and have a warning in the preferences where you turn it on, like the one Camino uses for their equivalent to Safari's "Open Safe Files After Downloading" option.
     
  19. drval
    And perhaps networking should default to "Shared Networking" with a dialogue and warning that pops up if you try to change that...
     
  20. Resuna
    Yes
    No. Approval dialogs provide a false sense of security, and train people to approve them. Look at what Camino does for their "auto-open" files option. (see attachment)
     
    Last edited: Feb 12, 2007