If you're admin, you might have to install a driver to scrape all memory. So... one hoop to jump through :)
Caveat: you're still trapped in your hypervisor partition. Enclaves (e.g. SGX) are also protected from admin/root snooping. IIRC, this is the same as on Linux.
Asylo is not tied to EPID; the framework aims to abstract away any unique behavior specific to TEE implementations, and provide a common backend interface that developers can code against. The goal is to allow developers to easily migrate their apps between backends with little to no source-code changes.
Specifically for attestation purposes, Asylo defines the EnclaveAssertionGenerator[1] and EnclaveAssertionVerifier[2] interfaces; these will need technology-specific implementations.
In this initial release we only support a simulated backend, for experimental development. We'll continue looking into specific TEE technologies going forward.
Your password hash is not sent over the wire. What is sent over the wire is the NTLMv2 response message. This, simplified, is: HMAC_MD5(Hash | challenge). If you want the gory details, check out MS-NLMP.
That said, a dictionary-attackable password + attacker with fast GPUs can still brute-forcing the HMAC, then attack the password hash (MD4). It's a bit harder than just banging on a simple hash, though not terrifically difficult.
The only common exceptions for smart pointer usage should be for interfacing with an awkward C library or the OS, in which case you'd typically be using specific memory allocation functions, not new/delete.
I've seen Microsoft employees across the web have to point this out a dozen times.
"The New Microsoft" seems to be making better decisions overall, but it apparently didn't learn anything from the early-2000s ".net branding clusterfuck" which conflated their runtime platform, development tools, consumer-facing single-sign-on, and a few dozen other things in the mind of the public.
Perhaps out of hope but more likely Stockholm syndrome, over the last decade I seem to have got stuck in a cycle of: Blind love and hope for a new product of theirs, utter disappointment at the resulting clusterfuck after a week, hatred, switch to something else, miss it, go crawling back.
Only just broken out of this loop but to be honest it knackered my productivity badly over the years.
Ultimately I'm a sucker I suspect but the revelation that FreeBSD hadn't actually poked me in the eye once in the last decade had turned my hand finally. That and ruby.
Yes I got tangled in DNA, ATL etc as well. Nothing but regret.
This is the burden of having firstlast@popular.com email address.
Once, my wife had someone setup some sort of financial account with her email (CC, IIRC). They didn't verify the address!
My wife called and tried to do the right thing, but the people on the phone just didn't understand the concept that the email address was wrong. It simply wouldn't compute for them. Since my wife had the email address, she /must/ have been the account holder. Right?
Me too. I'm particularly noticing in my case, since I get lots of people in India using my eponymous gmail address, that Indian banks, mobile carriers, and ISPs are terrible at every facet of this experience. Lots of spam, no unsubscribe opportunities, sending passwords in plain text in email, all mails are embedded images only with no text.
You don't think there is a material difference between Microsoft changing Windows to a closed platform and Apple creating a closed platform from scratch?
In the case of the latter it is well known and can be planned around. In the case of the former you have fully invested and then suddenly the game changes.
It won't happen though. The minute that Apple closed off the Mac, with the Mac App Store being the only software source, the minute that idea might have a little credence.
The Mac App Store is not (yet) the only software source, though that restriction is available as an opt-in setting in System Preferences.
Applications from outside the App Store run just fine, as long as they're signed with a developer certificate. The certificate presumably costs $99/year, but you don't need Apple to approve your application.
Furthermore, you don't technically need the certificate. The deafest are protective but the system will happily launch unsigned apps if you right click them.
Caveat: you're still trapped in your hypervisor partition. Enclaves (e.g. SGX) are also protected from admin/root snooping. IIRC, this is the same as on Linux.