Live Mesh - Good or Bad Idea?
I huge part of what we do is to spot trends and have a look at them before it is too late. Today I would like to talk about Live Mesh, a technology you are probably not very familiar with but it is a brand new thing and it will hit the streets in the next couple of months. Therefore, it is a good candidate for abuse from attackers, bot masters and other friendly
inhabitants of the Undernet.
The idea is very simple. Live Mesh is a Microsoft technology that will allow you to synchronize all your private data across every single device, i.e. you create a mesh network. This means that if I update a document on one computer, that change will be reflected across all other participants in the same mesh network. Sounds good and interesting but the more you read about it the worser taste it leaves in your mount. Let’s see why:
- It is based on Microsoft Live ID. This means that if someone hacks into your WebMail they essentially hack into your network as well. Cross-site Scripting attacks does not look that harmless now, do they? That messages is intended for all haters.
- It works form the browser using SilverLight. This means that everything is accessible via the reach GUI environment of .NET. Sweet! Files, documents, etc.
- It uses HTTP enhanced RDP to provide remote desktop connectivity. As the video on Channel 10 suggest,
It bypasses the firewall!
Now this is interesting. I wonder how my RDP shell injection attack will work here.
So now, at the age where Web technologies merge with the desktop, we have some serious security consequences to think about. I’ve been talking about this for ages and I am glad to see that my predictions are coming so right.
GNUCITIZEN is one of the most influential organizations of its kind, reaching thousands of users every day and having a strong relationship with numerous printed and web-based media outlets. Part of our mission is to let others succeed the same way GNUCITIZEN did. Therefore, if you have a research or an interesting information you would like to share, 
comments
“HTTP enhanced RDP to provide remote desktop connectivity”
Just so we’re sure here, you mean HTTP and not HTTPS? Oh boy, the fun is just about to start with this new ‘tool’.
details are yet to emerge but just see the video and make up your own mind :)
I love how enthusiastic they are about this. “This looks to me like remote desktop, and indeed it is, but you are saying that the differences here is that I don’t have to traverse any firewalls, or do any crazy things with the connection, and I can actually launch just from Internet Explorer?” Security implications aside suppose Shadow Copy and its related functions are disabled on the user’s operating system. What happens when a file becomes corrupted, and replaces the existing document across each back-up?
Joel Spolsky of Joel on Software wrote about this the other day, blasting the idea of Live Mesh because it was a waste of resources, doesn’t actually solve a need that customers want solved, and never took off from its previous incarnation, Hailstorm.
Good read.
http://www.joelonsoftware.com/.....05/01.html
I see where Microsoft is heading and they are not the only one. Check Mozilla’s Weave (it synchronizes your browser extensions :) so that they are available on every computer you sit) and I think Apple had .MAC or something which is like remote access, I am sure that they will try to one-up Microsoft in this field.
“taste it lives in your mount” shouldn’t it be “taste it leaves in your mouth” ??
nice one! :)