I am a geek. Love to learn. Love computers. Used to love pc security (ok, I still do deep down). Its been, maybe 4 or 5 years now without any 3rd party apps other than SBIE and chrome (and MBAM is installed, but never run it). My security was based soley on OS mechanisms. I run as admin on win7 (and xp before that), all the time. A couple years ago I stopped using any security. No SRP, no UAC, no ACLs, absolutely naked except for chrome and my pfsense router and only used SBIE if I was going somewhere I thought was "nefarious". (and I should note, I only do banking etc on a dedicated machine) My world did not end. My pc did not die. I know what to look for, and monitor it all the time. For me, its more about what I know and what I do (or don't do) that makes the difference. I've proved that to myself. And while I don't need anyones approval, and I know with certainty that it can be done, I am never going to convince others to do it, nor should I. That would be pointless unless they had my experience and did things in the same way. I can certainly appreciate others opinions and input. I love that in fact. But, and really, I mean, BUT, there is no definitive right or wrong, best or worse form of "computer security", because it will never truly be secure. We all hedge our bets as it were, based on what we are comfortable with, based on what we think we know, and often times based on what has a user interface that we can understand. If your security setup works, great. If not, thankfully there are threads similar to this one that can give you some ideas. But this thread seems to be more like an argument than a discussion. Funny thing is, its not a topic one can ever win in an argument
Totally agree. If you want to run Chrome sandboxed then do it. If you want to run it without then by all means do it. That way,we all will all be happy for ever more. Peace over and out. As I said pages ago we all seem to agree to disagree.
Not everybody uses Sandboxie the same way but this is how I handle files in general. When I download something and recover it out of the browser sandbox, I don't stop running that file sandboxed just because it has been recovered. I keep running that file sandboxed until the day it gets deleted. Thats how I use Sandboxie. Its really simple and it works. All done automatically with very little thinking required. If a file its going to run in my computer, that file its going to run sandboxed. The only time that I run something out of a sandbox is when I install something. And I never do. My computers are pretty much static. Nothing changes. Bo
I never assume anything about any file that gets written in my computers. I found the simple and efficient way of handling files is to run all files and programs that run in my computers untrusted under Sandboxie, all the time. Works really nice. I donr even have to think about it. I click on a PDF file, it runs sandboxed. I click on a DOC document, it runs sandboxed, etc. Bo
That's good approach. Never trust anything... If I don't trust anything I similarly run it inside VM.
Sandboxie motto is "Trust no program" , that means something to me, I believe running all or most programs and files in the computer under Sandboxie is what Tzuk had in mind when he created the motto. Bo
Reverse here zero third party, just Windows internals (GPO+UAC+SRP+ACL+WFW) and Chrome (sandbox using windows internals)
I'm not sure what you mean with this, this whole forum is mostly made up of different point of views and opinions. About AppContainer, it's meant to keep Metro Apps running sandboxed, it's not really geared to other "normal" apps, only IE is making use of it at the moment. I also think it's spiraling out of control. But the main question was, does it make sense to run SBIE on top of Chrome? I already gave numerous of reasons why it does. And I also explained why "added attack surface" is hardly relevant at the moment.
Wrong. It's an IL on it's own. It's compulsory for Metro apps but desktop apps can utilize it too. 2 sides to the story. There are others who already gave reasons why it does not make sense to run SBIE on top & why the attack surface is relevant.
Chrome on Win8 uses AppContainer. IMO, more apps should utilize AppContainer. Here's a good explanation: http://blog.nextxpert.com/2013/01/31/demystifying-appcontainers-in-windows-8-part-i/ http://blog.nextxpert.com/2013/02/18/internet-explorers-special-way-handling-appcontainers/
I never said that it wasn't, I just said that it was mainly invented to sandbox Metro Apps. Yes exactly, and people should decide for themselves which of those arguments makes more sense. There is no reason to get emotional about this.
Nope it wasn't. It was invented for any app developer who cares to utilize it. It's just that Metro Apps are made compulsory to do so. 1. Once again, you are diverting the thread and making it personal. If anyone is emotional, it's the Sandboxie fanboys over here including 1 in particular who claims about "brainstorming" but insist on proving himself right despite countless of time others (& me) having said that it's a matter of trade-off & people seeing risks differently. How about you look back through a few pages behind and see whose words really smell of personal attacks...not just at me but also at HM, GJ and the likes. No wonder they bailed out. I wanted to bail out myself but thought "hey, here's a chance at posting 1 more time just to get the facts right" but hey, nope somebody has to make it personal once again... If I am emotional, it is because I am annoyed by the fact any reasoning made so far cannot go through the minds of people who tightly cling onto beliefs. How do anyone expect a fruitful discussion when 1 party keeps dismissing any facts made as "hypothesis", "it's just theory" or simply "most people don't care"? Seriously?
Do you have any more info about this, sounds interesting. And why didn't Chrome make use of it? And what about other apps, will we see this more in the future? This is exactly what I mean, you're getting emotional again. Just look at the length and the "tone" of your post, who are you kidding? I already explained that none of these posts were meant as personal attacks. And I never said I was right or wrong, I just gave several reasons why I believe that this "added attack surface" talk hardly makes any sense, I'm sure you don't want me to repeat it all again. Besides, seems like you completely missed the point of those posts. It looks like you're the one who can't deal with the fact, that there's 2 side of the story. But I might be wrong.
https://www.chromium.org/developers/design-documents/sandbox As for other apps, ISVs are usually slow to adopt changes like these. Just take a look at how long it takes for developers to adopt things like DEP and ASLR. Changing to a sandbox model would require some rewriting of their programs so I'm not expecting much change there. If anything, Microsoft is pushing for Universal Apps...because it's easier to start anew. Can we have a normal discussion without making this about me or you? Anyone can read through both of our posts & decide who is missing the point.
That's what I said a few posts back. I do wonder why M$ decided to implement AppContainer in Windows 8. I still have a feeling it might be because of the Metro environment. EDIT: I found this, for the ones who are interested: http://recxltd.blogspot.nl/2012/03/windows-8-app-container-security-notes.html
I'm a firm believer in "less is more" but at the same time I understand that there is not a single program to rule them all. If I had my way, there would be a super app that combined all my security products but I'm not holding my breath there. So rather than settle for 'bits and pieces' of security, I've come up with a group of programs that help protect me on many fronts. Every program added is a potential path for a targeted attack (larger surface area) but I've yet to encounter any such attacks or read about any such exploits for my products. Could it happen? Sure! It's a worthy argument, it's just not one I feel is worth opening many other (actually) targeted paths for or settling for subpar protection. I don't use chrome myself, but if I did, it'd be inside sandboxie like all my other internet facing apps.
This a bit fun to me as a read. Linux fanboys who don't have Sandboxie and then us windows users. It is a never ending thing and i so much hate hackers. They want access to what is most popular, sigh.
What is funnier is seeing the "windows vs linux" card being played here. The discussion on Chrome & Linux was a side-topic on how sandboxing works. Btw, it's such a disappointment to see the use of the word "hackers" in such a context because it disgraces the white-hat community.
Noth funny in here. We are able to see that mask as your avatar. White hat mentions are not ok coming from you!
Interesting discussion. FWIW i believe anyone new to chrome browser in particular reading this will be under the impression that chrome without sandboxie is somehow weak protection.
I had to run Chrome in Windows 8 compatibility mode for the context menu to appear. It didn't seem to work, so I checked HKEY_CURRENT_USER\Software\Google\Chrome\Metro Turns out it is on, but I can't seem to see any difference except that History and recent tabs are combined. *Nevermind, it was a Chrome update that changed the menus. I still don't seem to have Metro Mode. More: http://www.tenforums.com/browsers-e...-not-launch-when-windows-8-mode-selected.html *Aha!: https://code.google.com/p/chromium/issues/detail?id=470227
Yes, sadly someone not familiar with browser or computer security could get this impression when reading this thread...
