The Photiot

Archive for October 2010

Make Your XP Desktop Look Like Windows 7 [Featured Desktop]: "
If you've considered dual booting Windows 7 with XP or Vista but all you really want is some Windows 7 eye candy, reader Dato' Fazly's Windows 7-like XP desktop might be right up your alley.
The desktop consists of the Vistart skin (from deviantART), then employs a tutorial from AskVG for installing a custom SevenVG Refresh Theme. At the time of this writing, the AskVG link was broken, so you may want to try the Google Cache version if you're not having any luck.
If you're living the Vista life, check out the previously mentioned Windows 7 theme for a Vista desktop.





"

Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code): "
This is dedicated to every ignorant “tech journalist” who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 (beta) to make it “less annoying” inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction. For the security conscious, a workaround is also provided at the end. First and foremost, I want to clear up two things.


First, I was originally going to blackmail Microsoft for a large ransom for the details of this flaw, but in these uncertain economic times, their ransom fund has probably been cut back so I’m just going to share this for free.


Secondly, the reason I’m blogging about this flaw is not because of its security implications - it is blatantly simple to fix - but Microsoft’s apparent ignorance towards the matter on their official Windows 7 beta feedback channel by noting the issue as “by design” and hinting it won’t be fixed in the retail version. A security-minded ‘whistleblower’ came forth to ask me if I could publicize this issue to maybe persuade them to change their mind. And that’s what I’m doing.


Now for a bit of background information on the changes to UAC in Windows 7. By default, Windows 7’s UAC setting is set to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. How it distinguishes between a (third party) program and Windows settings is with a security certificate. The applications/applets which manage Windows settings are signed with a special Microsoft Windows 7 certificate. As such, control panel items are signed with this certificate so they don’t prompt UAC if you change any system settings.


The Achilles’ heel of this system is that changing UAC is also considered a “change to Windows settings”, which, coupled with the new default UAC security level, means you would not be prompted if it is changed. Even to disable UAC entirely.


Of course it’s not a security vulnerability if you have to coerce the user into disabling UAC themselves (although sweet candy is exceptionally persuasive), so I had to think “bad thoughts” to come up with a way to disable UAC without the user’s interaction. The solution was trivial: you could complete the whole process with just keyboard shortcuts, so why not make an application that emulates a sequence of keyboard inputs?


With the help of my developer side-kick Rafael Rivera, we came up with a fully functional proof-of-concept in VBScript (would be just as easy in C++ EXE) to do that - emulate a few keyboard inputs - without prompting UAC. You can download and try it out for yourself here, but bear in mind it actually does disable UAC.


We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc.


This is the part where one would usually demand a large sum of money but since I’m feeling generous, there is a simple fix to this problem Microsoft can implement without sacrificing any of the benefits the new UAC model provides, and that is to force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state. This is not a fool-proof solution (users can still inadvertently click “yes”) but a simple one I would encourage Microsoft to implement seeing how they’re on a tight deadline to ship this.


Having UAC on at the policy as it is currently implemented in Windows 7 is as good as not having it on at all.


Until Microsoft decides to fix this, if they do at all, beta users of Windows 7 can also apply a simple fix. Changing the UAC policy to “Always Notify” will force Windows 7 to notify you even if UAC settings change. Annoying, but safe.


Update: I must credit Aubrey from WindowsConnected.com for also touching on this issue briefly today.


Update 2: Microsoft has officially responded to my concerns and continues to insist the functionality is “by design”, dismisses the security concerns and again leans towards not addressing the issue for the final release of Windows 7.


Update 3: A reader has kindly asked me to highlight a particular condition for this to work: the user must be in the “Administrative” user group, and not in the “Standard” user group where they will be prompted for an administrative password. In defense of the seriousness of the issue, the Vista and Windows 7 default user group is “Administrative” and I’m sure that’s what most home users are running.


Update 4: Microsoft’s Jon DeVaan has posted a response on the official Windows 7 blog with an extensive look at the UAC system in Windows 7 and their decision on the default security policy. In conclusion, they continue to stand by their decision and do not indicate they will change the default UAC policy.
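
To check which UAC level a machine is actually running, and whether the “Always Notify” workaround from the post above has been applied, the following added example (not part of the original post and not the author's code) classifies the UAC policy registry values. The registry value names are the standard Windows ones; the host names and sample values are constructed for illustration, and missing values are assumed to take the stock Windows 7 defaults.

```python
import sys

# UAC policy values live under this HKLM key as REG_DWORDs.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Defaults assumed when a value is absent (the stock Windows 7 configuration).
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

def read_uac_policy():
    """Read the live UAC values from the registry (Windows only)."""
    import winreg
    policy = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in DEFAULTS:
            try:
                policy[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # absent value: classify_uac() falls back to DEFAULTS
    return policy

def classify_uac(policy):
    """Return (level, findings) for a dict of UAC registry values."""
    p = {**DEFAULTS, **policy}
    consent = p["ConsentPromptBehaviorAdmin"]
    if p["EnableLUA"] == 0 or consent == 0:
        return "disabled", ["administrators elevate with no prompt at all"]
    findings = []
    if consent == 5:
        level = "default"
        findings.append("Windows-signed binaries elevate silently, so a change "
                        "to the UAC level itself raises no prompt")
    else:
        level = "always-notify"  # 1-4: every elevation request prompts
    # 1 and 2 always use the secure desktop; 3-5 depend on the separate switch.
    if consent in (3, 4, 5) and p["PromptOnSecureDesktop"] == 0:
        findings.append("prompt is not shown on the secure desktop")
    return level, findings

# Constructed sample exports (hypothetical host names), not data from the post.
SAMPLES = {
    "ws-default": {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1},
    "ws-hardened": {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1},
    "ws-tampered": {"EnableLUA": 0},
}

if __name__ == "__main__":
    hosts = dict(SAMPLES)
    if sys.platform == "win32":
        hosts["this-machine"] = read_uac_policy()
    for host, policy in hosts.items():
        print(host, *classify_uac(policy))
```

A machine that reports `default` one day and `disabled` the next, with no administrator having changed it, is the condition the post describes and is worth alerting on.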





"

Simplifying the social web with XAuth: "
Have you ever seen a webpage with a collection of buttons for sharing or logging in like the ones below?

Screenshot of buttons taken at Pocket Link
Not all of these buttons are equally relevant, but because there is currently no convenient way to share your preferred services publicly, this approach has become extremely popular, even though the complexity of this interface may actually inhibit sharing!
On the desktop, this problem was solved long ago with what is called the “system registry”. When you install a new application, you are asked whether you want the new application to handle certain kinds of files, like photos. So, for example, if you install a new app and set the new application to be the default “handler” for photos, when you double click a photo next time, it’ll automatically open in your new application.
Until today, that kind of registry didn’t exist for the web, but thanks to a new collaboration between Meebo and several parties including Google, an initial launch of a service that acts as a registry for the web can be found at xauth.org.
Let me explain how XAuth works in simple terms: when you sign in to your Google account, Google will notify xauth.org that a user has signed in to a Google account and is maintaining an active session. Throughout this process, Google never shares any of your personal information with xauth.org — only that you have signed into some Google account (Google doesn’t even share which Google account you signed in to). This information is stored locally in your browser, and never on XAuth's servers; XAuth only acts as an intermediary that facilitates sharing this information with third parties that ask for it.
This is similar to installing a new desktop application which registers itself in the system registry. Because the registry is the central place where this information exists, any application that needs this information to function can ask the registry for the list of applications that perform certain functions. Similarly, any site that you visit can ask for the list of your active sessions from xauth.org, and customize its interface according to your preferences.
Now, there are two important differences between xauth.org and the system registry:
  • First, when you sign out of your Google account, Google will notify xauth.org that your session has ended. Any site that asks xauth.org for the list of active sessions from that point forward will no longer see Google listed.
  • Second, you can control which sites show up on xauth.org, and are therefore available to the sites that you visit. In fact, on xauth.org, you can choose to delete or block service entries, or disable XAuth altogether.
We think that XAuth can simplify and improve the social web, while keeping your private information safe. This is just one of many steps that Google is taking, along with others in the industry, to make the social web easier and more personalized.
Posted by Chris Messina, Social Web Team
"
Source:
Simplifying the social web with XAuth