bigmuscle

I notice you completely ignored most of my post..

What about adobe products, stardock products, IE, and ms smartscreen?

How about the regular holes and exploits found in products most regular users are practically forced to use all the time? i.e. flash, adobe reader, java?

Also where does it says I have infections? Now you're insinuating I have issues too?

Edited by Kelsenellenelvian


I notice you completely ignored most of my post..

What about adobe products, stardock products, IE, and ms smartscreen?

How about the regular holes and exploits found in products most regular users are practically forced to use all the time? i.e. flash, adobe reader, java?

Also where does it says I have infections? Now you're insinuating I have issues too?

I was referring to them all as a group. They are all addressed the same way, as the same types of behaviors are audited on a per-occurrence basis. That applies to Adobe, Stardock, IE and SmartScreen. All of the MS products that are inherently insecure by design can be disabled through group policy, which as I understand is the best practice; I've not had any issues following that approach. Flash Player should be sandboxed in an out-of-process context and Java not installed if at all possible, otherwise it would also need to be sandboxed as its own is not sufficient.

I assumed you were asking about the problems they caused because you were having those issues. If that's not correct I'm not sure how I can help as there's nothing to fix. In any case I don't want to clutter up the thread with things unrelated to Aero Glass more than I already have, so I'm happy to answer any questions over PM or in another thread to sort out those concerns. I do find there is a big benefit to performance and stability when they are addressed, so more than happy to help.


To aphelion posts in general:

First and foremost for anyone is to never use programs of this genre on a mission critical machine.

If your account is admin, then you can pretty much do what you want with files. If there are other accounts on the machine, you can restrict them by policy so that changes cannot be done.

Security on a machine is fairly straightforward. Use good encrypted passwords, good security software with good rules, and be vigilant as no software is 100% protection. You can go as far as bitlocking also.

I am also assuming you are not worrying about outside hacking, as there are easier ways to take control of a machine than mucking around with the DWM routines.

For the most part, I imagine we are all adults here and are free to make our own choices as to what we want on our machines.

You quote about security, especially about the watermark. Security for whom, and from whom? If your machine is secure, you are the only one to take advantage of possible openings. It is caveat emptor - let the buyer beware. This is true for tangible or intangible products. Let people make up their own minds on what they want or do not want.

As to charging to remove the watermark, this is getting old. Bigmuscle developed this and has the right to ask for donations for his time spent.

The reason for AeroGlass is simple. It enhances the theming of one's machine using metro or other third party themes, some of which are also not free and they ask to be paid for their efforts and few complain.

All of which comes down to an analogy...IE has a security flaw. It is on the 6 o'clock news. Now people have a risk from hackers who probably did not know about it until it was aired through the media. The proper thing to do is bring it up with the developer discreetly and not plaster it for everyone to see.

Thanks for listening.

Edited by Wolfshadow

Everything you said is absolutely true and I agree with it, except for the very last sentence, where you somehow have an entirely incorrect impression.

The security community uniformly disagrees with "security by obscurity" (I'm sick of that term too), which is what you describe as "discreetly reporting". It was mentioned before as "usually in software development this is done in private" as though that's even remotely true.

Find me one reputable source that says it results in more effective fixes and I'll throw away everything I know from personal and professional experience, and tell them that they're wrong too.

Here's one of the thousands that disagrees, it's the same link I just posted about security by design. It's the first hit on google but I can't justify spending more time than that. It does seem like a good place to start if you believe that. And if you are in infosec then those sources are referenced there as well: http://en.wikipedia.org/wiki/Full_disclosure_(computer_security)

Caveat emptor does not apply for security matters. Neither does this outdated idea. The only thing it helps is someone's feelings, if they haven't actualized themselves to that extent. That's not a primary concern.

Edit: nicer

Edited by aphelion

The consensus is clear from the first paragraph and matches up with my experience dealing with anyone who actually cares about, practices, or works in security related specialties. I let it go before but let's not propagate this falsehood unnecessarily.


I don't run Glass at work but that's because I'm not done analyzing it yet. I do run StartIsBack and that took a lot more work to get secure. It's a huge security nightmare and it doesn't help that it's all given the gold stamp of approval by a "trusted" root certificate authority.

Which kind of brings me back full circle to the very first screenshot I posted. Just because it's possible within the framework, and it hasn't yet been recognized as an attack vector or for whatever reason doesn't raise alarms, does that make it okay? Here's something I cooked up trying to figure out how it jumped out of my sandbox in 10 ms. Turns out this is all it takes.

[screenshot: kbaugBh.png]

Do you trust me with that level of access? That's more than RSA and Verisign trust themselves. And it is perfectly slipstreamed into any installation right into the system store, no warning or notice to the end user as they have a new trusted friend with EVERY policy available to override, including Microsoft's own certificate revocation list that's designed to prevent an abuse like this even if it's ever caught. There have been fewer revoked certs than I can count on two hands and the last one IIRC was years ago.

So am I good to then start using this for “all purpose” access? That refers to encrypting data, confirming its authenticity, and decrypting any of it on demand using my private key.

Data and purposes are checkboxes: server authentication, code signing, secure email, internet and system security (SSL and encrypted files). Even issuing and verifying other certificates. Do you still believe caveat emptor still applies here, well within established security protocols?

That's exactly like the cert StartIsBack uses, except that one is from a strangely similarly named company in Israel. They might have a PO Box, they might not, or there may not be a they at all. Doesn't matter since apparently Windows trusts me just the same, so I don't need them either.

I agree with what you said first about common sense, and would say let's stick with that. Analogies like the one you made can only hurt the message which is in all other respects perfectly agreeable.

Edited by aphelion
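The post above describes a third-party installer dropping a root certificate into the machine store with no purpose restrictions. As an added example (not code from the thread or from either product), the following audits the LocalMachine Trusted Root store from a defender's side: it flags roots outside a constructed allow-list or roots whose private key sits on this machine, and shows each root's EKU extension, where no extension means "all purposes". The allow-list patterns are assumptions; replace them with your own baseline and run elevated.

```powershell
# Added example: audit Cert:\LocalMachine\Root for roots worth a second look.
# $KnownRootPatterns is a constructed allow-list, not an authoritative one.
$KnownRootPatterns = @('Microsoft', 'DigiCert', 'GlobalSign', 'VeriSign', 'Baltimore')

function Get-SuspiciousRoots {
    param([string[]]$Allow = $KnownRootPatterns)
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
        # OID 2.5.29.37 is the Extended Key Usage extension; .NET exposes it as
        # X509EnhancedKeyUsageExtension, so .EnhancedKeyUsages is available.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuText = if ($ekuExt) {
            ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
        } else {
            '<no EKU extension: valid for all purposes>'
        }
        $known = @($Allow | Where-Object { $cert.Subject -like "*$_*" }).Count -gt 0
        # A root whose private key is present locally can mint certificates for
        # any of its purposes, which is exactly the access the post describes.
        if ((-not $known) -or $cert.HasPrivateKey) {
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotBefore     = $cert.NotBefore
                HasPrivateKey = $cert.HasPrivateKey
                EKU           = $ekuText
            }
        }
    }
}

# Newest additions first: a recently added root is the usual sign of an installer.
Get-SuspiciousRoots | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Windows can additionally narrow or widen a stored certificate's purposes through the store-level "Certificate Purposes" property, which this check of the EKU extension does not see, so treat the EKU column as the certificate's own claim, not the store's final word.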

This used to be such a good forum, until it was hijacked by trolls.

Lots of bliss all over should you wish to seek it.

Afraid this has turned into a thread "where people go to know".

That is the title of the forum, isn't it?


First and foremost for anyone is to never use programs of this genre on a mission critical machine.

This is a good point. It is also a reason why I discourage beginners from using this tool and even the guide specifies that this software is intended for advanced users only. I also many times specified that this software uses memory patching and hooking which can be very dangerous (and it is one of the reasons why I don't provide this software for regular buying). An advanced user should be aware of any possible security risks when installing such kind of software and if his priority is the security and he worries that some dark power could replace DWMGlass.dll with some malicious code, he surely won't install it in the shared directory but he rather selects some place protected e.g. by UAC (or by any other technology). But if someone sees in Process Explorer that the message box is displayed through the CSRSS.EXE process, has no knowledge about session isolation and starts making scenes then he is a bit paranoid.

EDIT: when I officially release version 1.2.2, I will create a clean topic for it and ask moderators to close this one. I hope we will keep the new topic cleaner than this one.

Edited by bigmuscle

Sure. I appreciate you taking the time to answer those questions I had, however roundabout the answers. Will certainly try to stay away from that anyway given the answers turn out to take a while. But would need equal effort from you to not trivialize by focusing on one typo like such, where 20 times saying hijack and once saying hook extrapolates out to no understanding of basic OS principles; I'm sure you can see there is nothing productive to come from that. Would be like me saying it's not MessageBox the issue but MessageW used for inter-window communications you're misrepresenting as a dialog box function. It's just endless and I type it when I see clear need but would rather not.

Looking forward to future versions. Anything else I may wrap up in a day or two since I think I did not import the right symbols into IDA or there is something else missing for the moment. In any case as that wraps and if anything appears to be confirmed on my end I will try PM first now that I know that is a preference. There are many month old tickets, with the mentions not to email that it's easy to mistake that to mean no PMs as I did, but perfectly normal to use given it's the same thing on a forum. And the fewer distractions the better.

Edit for typos on iPad. Noticed now it's session instead of process isolation. I'm sure that was a mistake since no way you missed command launch instructions, where session isolation is worked around. That would be deliberate and I'm sure it wasn't. Also process isolation is a subset of integrity level if you want to add those so the DLL can't be replaced by a batch file.

Edited by aphelion

System integrity would be good since it gets that protection in memory, but on disk zero protection, not even admin. I trust you are following up on that now even without acknowledging or saying anything. Hate repeating since ILs are easy to set but not on other people's systems, and impossible to know what you saw or didn't. Sometimes it's 1 line, other times very specific, but for the important fixes, nothing.


So I guess the only thing to do is wait and see. Without a fix it would be up to others to do based on some guide I'd have to write for what was left unseen. What a bigger waste of time than this post that would be. I can see why you think I hate Glass even though I clearly don't, it's because of the frustration of documenting and screenshots for no idea if it went to anything good. I guess it's your style, that's a personal choice.


I for one am glad someone with a deep knowledge of security is looking at the software and providing thoughtful feedback here. That some folks view the input as an attack on Aero Glass for Win 8.1 or trolling seems a mystery to me. There's nothing wrong with questioning how things work. It had also occurred to me that the product should ultimately add things like code signatures and some measure of self-protection.

As far as not using the software on mission critical machines, well, that may make sense, but it depends on the definition of "mission critical". For serious / business use, if it increases productivity and it's reliable (i.e. introduces an acceptably low level of additional risk), why not? People buy commercial software with who knows what in it all the time. Some of us HAVE tested this software quite thoroughly. From a reliability perspective Big Muscle seems to be a more detail-conscious and talented software designer than most or all of the folks at Microsoft these days. Are those saying it should be restricted just to frivolous use implying they believe there's unacceptable additional risk of failure or embedded malware?

-Noel

Edited by NoelC

I ran into the "Your DWM is incompatible" error which kept making the screen flash black and eventually log me out, to which it would keep reappearing and repeatedly log me out. I managed to uninstall it before the error logged me out, but now every time I log in, my window frames are completely see-through.

Are there some remnants of AeroGlass doing this? The folder is completely gone. I just want this to stop happening and return to solid windows.

[screenshot: jdkm3fn.jpg]

Edited by McKay91

McKay91: if Aero Glass is really uninstalled, it means no DWMGlass.dll is loaded into DWM, then this problem is not caused by Aero Glass. The most probable reason is that you applied some 3rd party tweak during the Aero Glass period which results in this behaviour after AG was uninstalled.


That some folks view the input as an attack on Aero Glass for Win 8.1 or trolling seems a mystery to me. There's nothing wrong with questioning how things work.

I already explained why I think this and it's especially the form of presenting it here. Sure, there is nothing wrong with questioning but it is wrong to state that Aero Glass behaves badly although it does not behave in that way at all. And... as in the past, doesn't it look bad when a user installs the debug version and then complains that it displays debug messages? It does to me and it is the same in this situation: the user installs the software into the user folder and then complains that it gets "on disk zero protection not even admin" and he can simply replace the DLL with one batch file, because the file is protected in the same way as any file on the desktop.

Edited by bigmuscle
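The two posts above disagree over whether the on-disk DWMGlass.dll is protected, with the answer hinging on where it was installed and who owns it. As an added example (not code from the thread or from Aero Glass), the following reports whether a given DLL can be overwritten by a standard, non-elevated user: it looks for Allow ACEs granting write or delete to broad groups or to a specific user account, whether the owner is an ordinary user (who can rewrite the DACL), any explicit integrity label, and the Authenticode signature status. The DLL path is an assumption; point it at your own install.

```powershell
# Added example: can a standard user replace this DLL on disk?
# $DllPath is an assumed location, not the project's documented path.
$DllPath = 'C:\AeroGlass\DWMGlass.dll'

function Test-DllReplaceable {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Rights that let a caller overwrite, truncate or delete-and-replace the file.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, WriteData, AppendData'
    # Well-known SIDs: Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE.
    $broadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')
    # S-1-5-21-...-<RID>=1000 is a specific local or domain user account (not a builtin).
    $userSidPattern = '^S-1-5-21-.+-\d{4,}$'
    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or untranslatable SID; skip it
        $grantsWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
        if ($grantsWrite -and (($broadSids -contains $sid) -or ($sid -match $userSidPattern))) {
            $ace.IdentityReference.Value
        }
    }
    # An ordinary user who owns the file can grant themselves write regardless of ACEs.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $ownerIsUser = $ownerSid -match $userSidPattern
    # icacls prints a Mandatory Label line only when an explicit integrity level is set;
    # files in user folders normally carry none (implicit Medium).
    $label = (& icacls $Path | Select-String -SimpleMatch 'Mandatory Label') -join ''
    [pscustomobject]@{
        Path           = $Path
        Owner          = $acl.Owner
        OwnerIsUser    = $ownerIsUser
        WritableBy     = @($writers)
        IntegrityLabel = if ($label) { $label.Trim() } else { '<none explicit: Medium by default>' }
        Signature      = (Get-AuthenticodeSignature -FilePath $Path).Status
        Replaceable    = $ownerIsUser -or (@($writers).Count -gt 0)
    }
}

Test-DllReplaceable -Path $DllPath | Format-List
```

The check covers the file's own DACL only; write access to the parent directory also allows a swap, so run the same function against the directory when evaluating an install location.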

This topic is now closed to further replies.