Security Now podcast unintentionally misleading listeners

RedBonnet
Posts: 13
Joined: Tue Dec 08, 2015 2:56 pm

Security Now podcast unintentionally misleading listeners

Post by RedBonnet » Fri Mar 18, 2016 2:38 pm

This may not be the right forum for this message; if so I apologize.

"Security Now" is one of the influential computer security podcasts in the country. Over the last few months, it may have given its listeners an inaccurate impression of how well Sandboxie can protect users. If you care, consider sending the host a message on Twitter (@SGgrc).

Episode 520 (August 11 2015): Discussed the Firefox PDF Viewer exploit that would exfiltrate user data from the infected machine. The podcast's host Steve Gibson made the point that a major weakness of Sandboxie is that it does not protect user data against this type of flaw: He said "obviously, if you had some evil script that was exfiltrating files on your system, Sandboxie doesn't solve the problem." To read what was said, open the show's transcript and search for "sandboxie"

Episode 522 (August 25 2015): Steve Gibson makes allusion in passing that SB can be configured to protect from unauthorized reads (transcript).

Episode 549 (March 1 2016): A podcast listener sent in the comment "it was revealed [in an earlier episode] that running a browser inside Sandboxie was not a viable alternative since it doesn't prevent the browser from reading potentially sensitive data from your disk and then sending it out to the Internet." The host Steve Gibson doesn't refute the core claim, so the impression remains that Sandboxie cannot protect against data theft (transcript)

I don't think Mr Gibson and his many listeners realize that SB can be configured to prevent access to sensitive folders. My guess is that most SB users don't know that either. Have you considered blocking access from the sandboxed browser to the Documents folder by default? Or at least presenting that as a binary choice during setup instead of burying that capability in settings? Most people place their private docs in that folder, and I don't think most add-ons access it by default. The Sandboxie notification window would open to let the user know when the browser was blocked from accessing the folder with an option to (temporarily or permanently) lift the restriction. The downside is that this will open a new class of issues for you from having to deal with frustrated users who don't realize the implications of blocking access.

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Security Now podcast unintentionally misleading listener

Post by Craig@Invincea » Fri Mar 18, 2016 3:00 pm

I've sent Mr. Gibson various emails since that first comment was made back in Aug that @Bo had pointed out.

I have had no response from Mr. Gibson, even though I had spoken with him in late July to provide him with an updated SBIE activation code. He had the old activation key.

He said he was reviewing SBIE again.

When I pointed out exactly what you have mentioned in earlier podcasts, I received no response. I also reached out to Leo and TWiT.

Yes, we have considered the options, but forcing the blocks would not go over well we would think in the community. We would leave it up to the user to configure SBIE. But, we can certainly do better about making that "how to" info easier and more readily available.

We are looking at easier ways to configure SBIE...visually in the GUI..icon-based shortcuts in SBIE Control that would give quick access instead of drilling down through menus, which can be maddening and very inefficient. It worked for a long time, but that's a tired and somewhat confusing approach. This probably will happen. Curt and I have talked about this a lot lately.

As for protecting private docs in the Documents or My Documents folder, yep. Totally doable in SBIE. Plus, there are many other 3rd-party options that can do that and offer many more options than simply "denying/hiding" access from a browser/program to that folder in conjunction with SBIE.
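
Added example (not part of the thread and not Invincea's code): a small auditor for Sandboxie.ini that lists which sandboxes still let a given program read a given folder. It assumes Sandboxie's documented `ClosedFilePath` setting and `%Personal%` (Documents) variable, neither of which is named in the posts above; the sample configuration and box names are constructed.

```python
# Constructed sample; a real Sandboxie.ini is often UTF-16 and repeats keys,
# which is why configparser is not used here.
SAMPLE_INI = """\
[GlobalSettings]
[DefaultBox]
Enabled=y
[BrowserBox]
Enabled=y
ClosedFilePath=firefox.exe,%Personal%
ClosedFilePath=C:\\Finance\\*
[MailBox]
Enabled=y
ClosedFilePath=!thunderbird.exe,%Personal%
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}, preserving repeated keys."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def rule_applies(value, program, folder):
    """Simplified prefix match of one ClosedFilePath value: [program,]path."""
    prog, sep, path = value.partition(",")
    if not sep:                       # no program prefix: rule covers all programs
        prog, path = "", value
    prog = prog.strip().lower()
    path = path.strip().lower().rstrip("*").rstrip("\\")
    if prog.startswith("!"):          # "!name" means every program except name
        prog_ok = prog[1:] != program.lower()
    else:
        prog_ok = prog in ("", program.lower())
    return prog_ok and folder.lower().startswith(path)

def unprotected_boxes(text, program, folder):
    """Sandboxes in which `program` can still read `folder`."""
    exposed = []
    for name, settings in parse_sections(text).items():
        if name == "GlobalSettings" or name.startswith("UserSettings_"):
            continue                  # not sandbox sections
        rules = [v for k, v in settings if k == "closedfilepath"]
        if not any(rule_applies(v, program, folder) for v in rules):
            exposed.append(name)
    return exposed

if __name__ == "__main__":
    print(unprotected_boxes(SAMPLE_INI, "firefox.exe", "%Personal%"))
```

On the constructed sample, only the default box leaves Documents readable to the browser, which is the out-of-the-box situation the thread is debating.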

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Security Now podcast unintentionally misleading listener

Post by Craig@Invincea » Fri Mar 18, 2016 3:08 pm

I've reached out to Mr. Gibson again via his private email. Via TWiT and GRC... I've also reached out to him via his Twitter account using @SandboxieHelp

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Re: Security Now podcast unintentionally misleading listener

Post by bo.elam » Fri Mar 18, 2016 3:56 pm

RedBonnet, I think it's probably best to leave My Documents as is. Otherwise, many first-time users probably would uninstall Sandboxie as soon as they try to upload something out of My Documents with the browser's File Explorer. When they get blocked, they won't know what's going on and will think Sandboxie blocks too much and won't allow them to use their computer in a convenient manner.

It's totally the opposite, but I think it's best to leave default settings as they are. The default settings are, in my opinion, well balanced regarding security and convenience. Because of the way the default settings sandbox is designed, anybody can start using Sandboxie right away even without knowing anything about SBIE. People can learn Sandboxie as they go. A more restricted default sandbox would make Sandboxie harder to learn, I think. :)

Bo

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Security Now podcast unintentionally misleading listener

Post by Craig@Invincea » Fri Mar 18, 2016 4:01 pm

Agreed. But we need to make the "how do I..." information much easier to access. By a new/updated webpage, etc.

I think leaving the settings the way they are...is fine...giving a better, quicker way to access those can also be good, without changing the "classic" stuff that everyone is used to. You know how well that whole "ribbon" thing with MS years ago went over.... people were lost. :)

gizmo77
Posts: 107
Joined: Wed Sep 03, 2014 11:48 am

Re: Security Now podcast unintentionally misleading listener

Post by gizmo77 » Fri Mar 18, 2016 5:23 pm

I have been listening/watching Steve for a number of years. As an old Electronics Guy, dipped into the world of computering, I have learned one helluva lot from Steve. Further, I've run 'paid for' Sandboxie since the day I heard Steve interview Ronen on how S/B got created, etc. I've done a lot of testing, using Sandboxie as my *SOLE* Vicious-Ware protection; never ONCE has anything ever gotten out of my Main Sandbox...unless invited. I run Drop Rights, and I only remember twice having something 'want to run' in my 'Box...and I HAVE done some bottom-fishing, looking for trouble. I'm not 'programming savvy', but from what I DO understand, Vicious-Ware as defined by the contents of this thread *cannot* run in the 'Box, period. {I don't mind being corrected}. I know from long ago listening, Steve's preferred method was to run the browser No Scripting By Default, and I did that for a long time, pre-Ronen.

My absolute suspicion is that Steve has not had time to know the program as well as *WE* do, and considering the many, many topics and projects he is involved with, I'm prone to cut him a little slack. Nobody knows everything, even ME! [HI or :lol: ..depending on your background. You gotta take Mean-Pills to not like the Little Guy, although I think his bread and butter SPINRITE is as dated as a four barrel carb on your basic Chevy V-8. That said, I have been watching the S/N podcasts less lately as a LOT of it is over my head, and, frankly, as an Old Defense Kind of Guy, his tunnel vision, 'blinders on' view of End to End encryption chafes me a lot. Wonder what UNIFORM he wore in his twenties...or is he just a Secrecy over Defense parasite.

Learn what you can from GRC, 'SC' the rest, use Sandboxie... and have a beer.... or a few? :wink:

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Security Now podcast unintentionally misleading listener

Post by Craig@Invincea » Fri Mar 18, 2016 11:19 pm

When Steve emailed me in August, he actually thought I was Ronen. I guess he missed the Invincea memo and Ronen's island purchase. He admitted he hadn't used SBIE in a long while; that was evident by his ancient activation key.

I offered him assistance, etc. but I never heard any further response. He's very knowledgeable. But, I agree, I don't think he had time or felt the need to explore SBIE a little deeper.

I'll send Leo some Sandboxie gear for him and Steve to reconsider their thoughts on SBIE.

gizmo77
Posts: 107
Joined: Wed Sep 03, 2014 11:48 am

Re: Security Now podcast unintentionally misleading listener

Post by gizmo77 » Sat Mar 19, 2016 9:42 am

Concur. Good idea to send 'em info. It always amazes me how few people know of Sandboxie...or even what 'virtual machine' means. I think the 'Man on the Street' culture has been so powerful in promoting REACTIONARY A/V stuff, he cannot get past it. My nephew, who picks up his share of Vicious-Ware, called it a 'Real Leap of Faith' to rely on Sandboxie, even though I showed him and showed him!

Giz

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Security Now podcast unintentionally misleading listener

Post by Craig@Invincea » Sat Mar 19, 2016 5:38 pm

Agreed. You should see the messages I get at the support email.

I'm going to ditch Sandboxie and just use....X

I think people are so conditioned to AV scanning, updates, virus def files, that they are either scared or not informed that sandboxing is the safest option. You're not basing your data on an AV update, heuristics, etc. that'll never be zero day.

gizmo77
Posts: 107
Joined: Wed Sep 03, 2014 11:48 am

Re: Security Now podcast unintentionally misleading listener

Post by gizmo77 » Sat Mar 19, 2016 6:52 pm

:D :D :D It is a *CRAZY* world, Craig !!!

Curt@invincea
Sandboxie Lead Developer
Posts: 1638
Joined: Fri Jan 17, 2014 5:21 pm

Re: Security Now podcast unintentionally misleading listener

Post by Curt@invincea » Sat Mar 19, 2016 11:50 pm

We've corrected him several times on this issue. It's not like he had to go digging for the correct information.

gizmo77
Posts: 107
Joined: Wed Sep 03, 2014 11:48 am

Re: Security Now podcast unintentionally misleading listener

Post by gizmo77 » Wed Mar 23, 2016 3:42 pm

Listening this morning to Security Now 552, a small portion of a rather long podcast addressed Virtual Machine stuff as THE ONLY way to combat a crypto-ransom disease that is apparently common in the wild now, using ads on web-pages for the infection vector. Amongst the VM names considered was Sandboxie. There was something [over my head] regarding Sandboxie blocking only ONE 'port', leaving a b-zillion OPEN, but I wouldn't pretend to know what that means! [if anything]

BUT........... Steve *did* include Tzur's Magic in the tool kit to prevent infection by subject ransom-ware.

Just FYI

Giz

RooJ
Posts: 82
Joined: Sun Dec 21, 2014 2:47 pm

Re: Security Now podcast unintentionally misleading listener

Post by RooJ » Fri Mar 25, 2016 2:49 pm

gizmo77 wrote: Listening this morning to Security Now 552, a small portion of a rather long podcast addressed Virtual Machine stuff as THE ONLY way to combat a crypto-ransom disease that is apparently common in the wild now, using ads on web-pages for the infection vector. Amongst the VM names considered was Sandboxie. There was something [over my head] regarding Sandboxie blocking only ONE 'port', leaving a b-zillion OPEN, but I wouldn't pretend to know what that means!

Steve was comparing Sandboxie's API blocking to port blocking in old firewalls. His point was that Sandboxie blocks known bad APIs (such as those that could allow an application to write data outside of the sandbox) but due to the amount of Windows APIs there's always a chance one will be missed that allows an escape. This has happened previously with CreateHardLink and NtGetNextProcess APIs, I believe, so it's certainly a valid point and reinforces the idea that security should be layered.

I agree, though, it's a shame Steve didn't fully explore the capabilities of Sandboxie before he made some of his previous points about malware reading sensitive files.

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Security Now podcast unintentionally misleading listener

Post by Craig@Invincea » Fri Mar 25, 2016 2:53 pm

As for the known bad APIs...yep..we do block what we determine, or find out, is "bad."

Unfortunately, the sheer number of them makes that almost impossible to block or even have the manpower to investigate every single one.

We had a Bounty out for such a thing at the end of last year; they didn't discover anything new. But, there will always be a chance...no matter what you do. If you're online, there is a chance.

I think his idea of Utopia is nice, but just not feasible at the moment, at least not without having a really miserable online experience.

gizmo77
Posts: 107
Joined: Wed Sep 03, 2014 11:48 am

Re: Security Now podcast unintentionally misleading listener

Post by gizmo77 » Fri Mar 25, 2016 4:13 pm

:) ....Guarantee you, *I* don't care.....I was just encouraged to HEAR 'Sandboxie', in the survival kit; wanted to share, for the benefit of any......
