Whistler MAY Refuse To Run All Unsigned Code UPDATED

Carnage4Life writes: "This ZDNet article describes how Microsoft's next generation consumer OS, condenamed Whistler, will begin a tradition started by Windows 2000 where programs that have not been digitally signed by Microsoft certified signature are flagged. Currently Windows 2000 merely issues a warning when an uncertified/unsigned device driver is used, the Microsoft vision is to expand this to include all executable programs. On the surface, this may seem like a good idea until one realizes that this means that it is conceivable that all executables that expect to run on Windows will have to be Microsoft certified or risk being flagged or even worse refused to run on future Microsoft OSes. As the ZDNet article speculates, this will put even more power over Windows software developers in the hands of Microsoft. " This story has been turning up a bit over the last few days - while I'm not one to buy into conspiracy theories, this whole thing seems like a plan that originally had good intentions, but the potentials for foul play are pretty easy to think up.Well, I've finally got X running again and can update this story - I should have been more clear that this is /not/ set in stone, but a potential path.

Re:but ...

[TheCarp]

> If I see a control that was authored by
> Macromedia or Microsoft, I feel safe in running
> it, because I know that neither one of these
> companies is likely to insert malicious
> code into their systems.

So you never download shareware or code written by anyone but a huge company and run it?

Now... signing JUST means that the person who wrote it has access to a key that was given to them (or rather signed) by verisign.

If you have it check for signatures...does it stop before EVERY peice of code and tell you who signed it and ask "do you trust them?"

My understanding was that if code is signed, it is executed with no question, regardless of who signed it (as long as the key has a valid verigign signature)

So anyone who is capable of getting a key with a valid verisign signature can have code executed.
That makes it kind of pointless I think. Unless of course it is really hard and only biog companies can get them...in that case maybe it has a point.

Of course...since I don't usually run much software thats written by big companies...I don't know.

-Steve
-Steve

What about 3rd party certificates?

[gfecyk]

The Register ran a similar article citing this was another attempt at M$ to control the world, blah blah blah...

What I told them as I'll tell you now, is nothing stops a third party from becoming their own certificate authority and signing their own applications. Signed apps are nothing new - ever right-click on the .exe for a Windows NT/2000 service pack? This uses the same Crypto API that IE uses for SSL and S/MIME, and permits users to install new certificate authorities.

What this means for the office that develops their own in-house software is they can sign their own apps if they have OpenSSL or another SSL toolkit to make the CA cert. No doubt the tools for signing Win32 apps come with the latest Platform SDK. You don't need to pay Veri$ign or anyone else, but having your cert signed by a well known CA helps.

What this means for software houses like Corel is they can sign their own apps with their own cert, and their users can choose to trust them (or not) by importing their CA Cert into their system. Even Open Source houses can maintain their own certs and perhaps use a central CA operated by, say, Souce Forge. Again, having your cert signed by a well known CA helps but isn't necessary.

Re:What about 3rd party certificates?

[Ektanoor]

If the certifying authority is not bound to one entity then everything is ok! Yes, let's not forget that users should keep the right to revoke Whistler's control. However if this means one house - Verisign that is Bad Move. First because the house is private. Second because it is commercial. Third because it is only one.

Not having a state or non-governemntal institution here is potential step for trouble as we don't have a counterweight for possible abuses.

Being commercial means that you buy and sell things. And some people may think it would be a good thing to sell some stuff on the side. Or Verisign may go bankrupt and we get some cold shower over the whole system. Or it can be bought by M$ and farewell independence...

It is only one house. In case of financial crisis, takeovers, corruptions, theft and earthquakes in their basement, we will have trouble.

Re:Wooaahhhh!!! Relax

[IntlHarvester]

Where this could present a problem is for shareware/PD/free software apps in the enterprise, where IS is more likely to enforce the signed app rule

And this is where Microsoft's concept falls on it's face -- because there is no self-signing or apparent way for a System Admin to indicate that an app is trusted. Outside of the political issues surrounding signed code, talking the SA's rignt to blow his leg off makes for a very inflexible system.

I already have this problem with a USB printer driver that won't load for unprivliged users because it's not signed. But I know it's an authentic driver right from Lexmark, just not one that has had MS's unholy certification pee sprinked on it.

You also see this move with the System File Protection feature, which is neat, but can't be disabled per-file by the admin. So, now it's impossible to remove Notepad.exe or the Comic Sans font without jumping through hoops.
--

Another example of insecure security for Redmond

[faye]

This seems to be yet another example of a useless security feature from MS.

Why useless? Well I admit that in principal it would be great to stop people running only "authorised" programs on any of the PCs I maintain , the problem is with the definition of authorised. Many of the programs we use are written "in-house" and are not going to get authorised, we teach programming so the students code is not going to get authorised, we knock together small scripts to help us automate a task which we may do once or twice and are not going to get authorised.

All this authorisation will cost money - so if I want to use any of my own tools, or anything useful that somebody else has written that hasn't been authorised I've got to switch the setting off. And of course it's a global setting so that's it off for all programs. The result is a security feature that adds to the illusion of security without adding to the substance.

If only MS had put just a little bit more thought into it and made it on a per program basis and allowed the sysadmin/root to "authorise" programs for their machines it would have been *very* useful. Of course the cynic in me says that that way they wouldn't have as much control....

TTFN

Faye

Re:Wait a minute...

[Signal+11]

Refresh my memory as to why a free software vendor can't get a signature? Why are you such an asshole as to feel that MS is going to exclude free software people? Does it say this anywhere? NO. You fucken zealots really make me sick sometimes.

Thanks, Cunt!

Re:Relaxation would indeed be good

[Delphis]

Typical slashfuck hype isn't it? .. I remember when (misty-fade-in) slashdot used to offer good and useful news and there was less 'spin' on everything... Or maybe I'm just hallucinating.

I'm sure VA / Andover won't let a proper story get in the way of a good sensationalistic piece now. You can bet that the slashbots are well brow-beaten into believing that too.

--

excellent idea

[aozilla]

I've been wondering for a long time why Microsoft hasn't done this before. This is a great way to stop email virii such as iloveyou right in their tracks. Sysadmins of major corporations can turn it on, probably on the domain server so it can't be turned off, and can rest assured that they won't pay the millions in damage for their employees stupidity. This is *more* power for those employees, as sysadmins don't have to resort to tactics such as disallowing all attachments, or all attachments of certain types.

Attachments don't kill people, people kill people.

Re:but ...

[Foogle]

Well that's hardly relavent, since you don't have to show your source code or even it's compiled results to Microsoft, or VeriSign. You just have to apply the digital signature that's been issued to you.

But don't let me stop you from drawing ridiculous analogies to prove a stupid point.

Armadillos in a thunderstorm

[Graymalkin]

It always amuses me to see the non-newbie Linux zealots get their panties in an uproar if there is ever any news about Microsoft. Yes Whistler has an option to only let certified applications be run by users or user groups. Big fucking deal. If you're a serious Unix admin you spend hours configuring your system so foreign binaries don't get executed on your box and fuck everything up. Certificates are the next logical step in system security. Say I have a bunch of Whistler workstations and I write a cool VB script to automate some tasks and keep the systems in top shape even when I'm not in the office. Wait a second, it's a bad idea to allow VB scripts to run on your system because of malicious code. Solution, sign MY script with a signature (anything I can import, not just VeriSign) and allow it to run unfettered because it is signed by me. When you write a shell script do you not make sure it runs with an SUID but can't be executed by unprivilaged users? Oh yeah huh. Microsoft with Whistler is going to start integration of the .NET concept, security is going to be an enormous concern in this area. NextBestThing.exe fires up and uses some ActiveX components somewhere on the internet if there is no handshaking and authorization going on in this transaction you've just opened a huge security hole in your system and network. The EJB 1.0 spec has a problem of this sort that crops up. It supports authorization as you can have a user have access to a certain set of objects but beyond that it is up to the developer how to impliment more security. If I was planning to start offering applications that resided or executed remotely I would want some proof they were the real shebang. I'd actually like to see a good certificate implimentation on Linux, especially in a professional environment where you need real reliability and authorization, not just strong crypto on your pr0n and mp3s.

social engineering

The real danger in this is what it will do to public perception. For example, if one thinks back to the Caldera (DRDOS) lawsuit, this talked about, among other things, the use of a section
of code in windows which was used to create the public impression that DR-DOS (or any non MS-DOS) was defective.

By using signing and making this the default behavior, MS can accomplish much the same goal without having the same legal risks. The
question then is what impression does it create
in the public's mind when they are told everything they might run which hasn't been "approved" must
be considered suspect and automatically excluded
by default.

If a user can sign for and self "certify" applications at thier own discretion when encountering unsigned images, it it not
nessisarly a bad feature. But if it pops up with a highly negative warning and refuses to run, then
I think it's a brilliant piece of propoganda and
social engineering, and one that could have very
negative consequences for the marketplace for
third party (non MS certified) software, and a
wonderful oppertunity for certificate authorities, or even better yet (from MS point of view), if
one must get a certificate from microsoft itself
before one can sign apps. Certainly it's a ca's wet dream come true.

Useful, surely?

[slim]

Surely this is a useful feature. I'm assuming tools will be available to sign your own code.

I can envisage wanting to create a self-signed root CA certificate for myself, and signing anything I compile, such that nobody can sneak in with a trojan and replace my lovingly created binaries.

Freeware distributors could equally sign their binaries with certificates from their own Certificate Authority to reassure users that the version they have is kosher.
--

This isn't what I submitted

[Carnage4Life]

Y'know, this kind of crap doesn't help the Geek Community At Large overcome the image of being a bunch of fanatical morons

Hemos took a lot of liberty with my submission including changing the title as well as cutting of some technical analysis at the end of my submission.

Basically the gist of my submission was that Microsoft is taking a heavyhanded and incorrect approach to attempting to solve the problems with Outlook viruses and the like. Specifically, instead of coming up with some Draconian all-or-nothing security policy why not introduce more granular access levels to Whistler?

For example, I currently run ZoneAlarm and it prompts whenever a program I haven't given permission tries to access the Internet (in fact I found a Trojan this way). ZoneAlarm has three permission settings Always Deny, Always Allow, and Always Ask. I wouldn't mind seeing such functionality moved to the OS and made even more granular so that programs have very explicit permissions as to what they can do (similar to java.policy files). Outlook should not be able to tweak the registry nor delete files (via the ILOVEYOU virus) regardless of whether it is signed by Microsoft or not.

Basically I am proposing something similar to Access Control Lists for executables on the OS, after all, there already is a central repository of information (the registry) so adding that data shouldn't be too hard.

Second Law of Blissful Ignorance

Re:This isn't what I submitted

[American+AC+in+Paris]

[posted by Carnage4Life, author of article submission:]
Hemos took a lot of liberty with my submission including changing the title as well as cutting of some technical analysis at the end of my submission.

Then I feel doubly sorry for you, as you're pretty clearly approaching this issue from a rational standpoint. I thought that this might be the case, and thus was careful to avoid pointing fingers at you the author, but rather at the /. editorial staff.

Having said that, a granular permissions model would be a decidedly better approach to this kind of problem than the all-or-nothing model Whistler will evidently implement. Sadly, this message was nowhere to be found in what finally got posted under your name. I'd be raising holy hell if I were you.

Knowing that this wasn't your intent in the first place makes me feel even angrier at /. than I did before. It's one thing to post zealous articles by zealous authors; it's another thing entirely to edit zealotry into them. Absolutely shameful.

$ man reality

Re:This isn't what I submitted

[pen]

This is already how every Unix out there works, and how NT supposedly works.

--

Re:This isn't what I submitted

[Ektanoor]

Frankly, slashdot staff is known for some yellowish view on submissions. And many people have talked about this. However, in this case I do not think that you people are seeing the whole picture. You blame the /. for overweighting the whistleblower stuff. I think that they are doing not enough here. Yes /. should be blamed to chenge the submission in such a way. But please stick in this fault and not in M$'s plans.

Frankly I am a damn anti-M$. And have reasons for such. 15 years people. Seeing some inside stories and a lot of outside ones. And I have always been too swift on public. On private I say Hell of them. But now I'll try to hold up some lines.

Does M$ needs to check their soft? YES! THANKS GOD THEY START TO REALISE IT!!! And certification is a good process to allow such things.

However Microsoft is on its own again. Yes, it gives power to some Versign to process certifications. But why is this needed. Why do we need another company to check certifications. Why not to give chances for users. Ranging from something similar to MD5/PGP checksums and over a database where one may get more detailed information about the characteristics of the package? If you are a good admin then you'll need exactly this last one option. You will surely want to see what was tampered and how. Only having this information, then you will be able to take measures necessary to protect your network and the potential victims of the exploit (specially if there was planned, objective, intentional and criminal intent).
Now M$ does everything for the lazy admin. "Oh it does not pass certification... BANG!" And the happy lazy admin waits until someone circumvents this and gets him on the hot seat. That what will happen if such scheme will be used. So "thanx but no thanx".
On the other side. You people seem to ignore a factor. Microsoft gives always cheese on a mousetrap. So do you think that, if you pay for freedom, M$ will keep these terms? You have to certify everything. So, in a possible future, someone may restrict the certification process and you're TRAPPED. You don't go anywhere. Much the same way we all have to pay for a M$ tax (my institution paid no less than $3500 once) you may be forced to accept such things as "you're soft didn't pass certification". And frankly, can you tell me that this will not happen from start? Verisign is an organisation that only issues certificates. It has no test labs, network control systems, staff with a good knowledge of software. Yes, they may issue certificates based only in the assurance that they may track the developer. But, in this virtual world, what is an address or a surname? Buy a mobile for $50, get a Verisign number addressed to Dock 3 Amsterdam, place it on the name of Ivan Ivanovich Ivanov and create havoc on the net. I hardly believe that Verisign will get over this without the help of our dear M$.

Besides. Who is M$ to forbid me the right to install a virus? Yes, I WANNA INSTALL IT! I wanna see how it acts and rips off the data on my HDD. I wanna see the how's and when's of it. Because no one knows about it and I have mission critical workstations that need to be protected. You may say that I am talking some nonsense. But when I don't know the original infector and I catch the virus on other program then it will be possible that this certification stuff will hang on my neck. I want the right to turn it off and I don't need M$ to think for me. Specially when millions of dollars or top-critical information is in question.

Ok people you're right that /. gets too yellow sometimes. Flame them at will. But don't start telling me about "oh poor M$". Specially on this stuff. I know the viper too well to know that they will not stop here.

but ...

[Gricey]

does it have to sign each of it's 65553 bugs?

Re:but ...

[Foogle]

Well I was talking about ActiveX controls, not applications. ActiveX controls being more dangerous because they're embeddable in websites.

However you make a good argument about signing. Will Windows simply run an application with *any* signature. If so, how is that useful?

I see it as being more useful than the situation we have right now. If someone wants to get a signature from VeriSign, they need to submit contact information and (I'm not sure about this) probably a marginal fee. Now, this signature requirement doesn't stop malicious code from being executed on anyone's system, but it does add some accountability.

How many trojan-authors are willing to pay a fee to sign their apps? It's possible that they can do it, but they'll have to be willing to have their trojan discovered and their signature black-listed. And if their payment required some form of ID (even a credit-card), it would be much easier to trace the author.

I'm not saying it's a great solution. It's not a great solution. But it's better than nothing, which is what we have now. Besides, if you don't like it, you can just shut it off.

Re:but ...

[Enahs]

The certificates are controlled by VeriSign.

Re:but ...

[Foogle]

First of all: if you could lophtcrack the admin password on a P90 in under an hour, then the admin password *had* to be a dictionary word, or a very simple derivative of one.

Second: Given the same password, a brute-force cracking system would've been able to do the exact same thing under Linux, BSD, etc. It simply doesn't matter *how* the password is encrypted when you're dealing with brute force.

Now, on top of all of this, Microsoft doesn't write the software that signs applications. VeriSign does. It uses the same cryptographic principles that make SSH and SSL usable and secure.

Re:but ...

[Foogle]

Now that's funny. Reverse engineer the signing process? If you think you can "reverse engineer" a cryptographically secure system, I'd love to see it done.

Re:but ...

[Stephen+Samuel]

No big problem with having to register all code with Microsoft (possibly even having to show them your source) -- It's kinda like needing internal passports to travel between states... This would have make things a good deal more difficult for the Oklahoma Bombers....

Then we can add fingerprinting all children in Junior High. Makes tracking rapists and killers that much easier.

Then there's this "innocent until proven guilty" bullshit.... I mean do you know how many guilty murderers have gone free because of this? Why not have the accused prove their innocence?
.....

The road to a dictatorship is paved with good explanations.
`ø,,ø`ø,,ø!

Re:but ...

[Foogle]

Yes, case sensitity does increase your keyspace, but so do longer passwords and larger character sets. The method used to encrypt/hash those passwords is still relatively irrelevant, as long as it's cryptographically secure, which NT's system is.

And, we may agree to disagree here, but I am fairly familiar with lophtcrack and, although it is a very efficient system, it's not supernatural. To go through every alphanumeric combination of an NT password, on a Pentium 90, would still take a really long time. A month maybe? The bottom line is that on NT or Unix systems, a well-chosen password could take months or years to brute force, depending on the speed of the machine.

As for the idea being silly -- I disagree. Look at ActiveX controls right now. They're almost all signed, and it's works very well in alerting users to potentially dangerous or untrusted code. If I see a control that was authored by Macromedia or Microsoft, I feel safe in running it, because I know that neither one of these companies is likely to insert malicious code into their systems. However, if I see an ActiveX control that *isn't* signed, I won't run it. Why? Because it would easily delete all the system files on my machine without me being able to stop it.

The same is true for any application, and I see no reason not to extend the idea to other realms.

Re:You miss the point....

[Saurentine]

A lot of people I know (the ones who don't know computers anyway) don't even read the error messages that pop up. I can't count the times that someone as said "It's not working, there was an error." And every time, when I ask what it said, they responded very defensively that they didn't read it.

Well, it's no wonder because everyone's been conditioned to think of Windows error messages as something only a senior Windows programmer working at MS would understand, and no one ever found useful. I can't count the number of times I've seen "Error in FOOBAR.DLL at 0E132:12592" or the like, or called Microsoft (back when they actually pretended to support their products) and told them the exact error message ony to be told "reboot the system, it'll go away".

With Windows error messages, the faster you can dismiss them, the faster you can reboot the farging machine and get back to work. These messages have been so very useless for so very long that no one ever believes that they could offer any useful information anymore.

Crazy

[OzJimbob]

This is just crazy - MS seem to be doing everything POSSIBLE to piss off consumers! I can see a big crash ahead....

Re:Crazy

[ichimunki]

I'm not sure I see where and how the article explains that MS itself will do any sort of certification. All it says is that they are building an option to prevent execution of unsigned code. The biggest problem I can see is MS requiring that certificates (which are different from certification) be purchased from them. Even if the certificates come from a 3rd party like Verisign, this is still additional expense for shareware developers. And if it relies on patented or non-Free algorithms to be applied, then it starts to take Free software out of the picture. However, simply having the option to not execute unsigned binaries is hardly a terrible thing. Security paranoid sysadmins should like this, since it means that all binaries come from a "trusted" source. How easily the ability to trojan a binary that appears trusted remains to be seen. But this option doesn't really sound like much more than the current (hihgly manual) option in Linux to download signed source code, use checksums, then compile, so that the odds of a trojaned binary are pretty much reduced to an impossibility.

I doubt Microsoft does the signing

[donutello]

It's probably licensed out to an external agency to manage.

At least this is how Windows logo certification is handled. Microsoft determined the criteria that had to be satisfied in order to obtain the logo certification and it is managed by an external company. Microsoft products have to work just as hard and comply just as much as any other ones in order to obtain certification.

I seriously doubt this will be any different.

Re:Wooaahhhh!!! Relax

[1010011010]

Until, of course, they sell "developer" versions of Windows, and the regular version run only signed programs. This would kill the shareware market for Windows, though, not to mention free software for Windows.

________________________________________

I hope this is true

[Tet]

I really hope this happens. If Windows refuses to run anything but authorised code, then it'll hasten the end of Windows as a viable platform, and the world's computers might just switch to more reliable alternatives that little bit quicker. Given that Bill Gates has always been a fierce defender of unregulated development (and it's about the only area where I agree with him), I doubt this will ever happen, but it's possible. I suspect they won't take it any further than flagging unsigned code as potentially dangerous, and letting the users decide whether or not to run it.

Re:I hope this is true

[GeZ117]

>I suspect they won't take it any further than flagging unsigned code as potentially dangerous
Considering the amount of bugs in common bloatware like Office, I don't think signed code will be less dangerous. Except if they don't sign their own products.
Oh, dangerousness refer to viral risks, not bugs ? Well, I hope they won't sign Outlook nor its Express version. Melissa or ILoveYou, you remember ?

Re:Digital signatures cost a fat wad of bills.

[Foogle]

The target system does not require all code to be signed; It's an option. As for the GPL issue, I am hardly a legal expert, but I don't see how the GPL would be interpereted this way, as the signature is not related to the code, or its execution, in any way (other than its authorization).

Having said that, you could be correct. It's entirely possible that MS is creating a scenario where EVERY developer has to have their own signature. However, this isn't any more relevant to the free software community than it is to the closed-source community. To compile *anything*, closed or open, you'd have to have a signature.

Re:Will never be mandatory

[Foogle]

You'd never have to pay *every* time you compile. You'd pay for your signature once, and then apply it to every new executable you create. It's a one-time deal (unless it's subscription based, but that's still not unreasonable).

Re:Remember the history...correctly

[freeBill]

MS-DOS 1.0 was licensed from SCP and was out long before CP/M-86

I don't believe I (or anyone else) has claimed that MS-DOS 1.0 (or PC-DOS 1.0) was copied from CP/M-86 or any version of CP/M intended for processors made by Intel. The matter that was litigated (and settled by Microsoft in DRI's favor) was whether earlier versions of CP/M were used in developing that version which was licensed from SCP.

The case was settled when it became clear that Microsoft had the evidence which could have either cleared them of this charge or proved they did it. Since it became clear to the judge they were not going to allow that evidence to be seen by the court or its representatives under circumstances designed to protect their proprietary interests, he had ordered they reveal what they had described as their "crown jewels" to the court. Then they told him they couldn't find those "crown jewels." When it became clear they had lost credibility with the court (first claiming the source code to PC-DOS 1.0 was very valuable, then claiming they lost it), they decided to settle.

I apologize to anyone who objects to my conclusion from this evidence that MS probably stole the CP/M code. But my point was not that they did so, rather that they didn't do so until they had tried to help DRI get a good contract first.

I was trying to point out that the history of Microsoft shows that, even when they seem to be operating honorably in the beginning, their ethics have been known to slip. Thus, IT managers who wish to assume their eventual use of a given technology will be honest simply because they are currently not doing anything unethical with it may find themselves being hurt by that assumption.

AC is welcome to make that assumption, ignore the history, and take "The Road Ahead" to the Microsoft-prescribed future.

Word for Windows, Word for OS/2, WordPerfect for Windows and WordPerfect for OS/2 were all out years before Windows 95. (Microsoft and IBM split in the Windows 3.0 timeframe - five years before Win95)

The accusations of a head-fake by MS with some of the developers with whom they had long partnerships were made roughly one or two years after the release of OS2. Microsoft encouraged their partners to support OS2 while they were planning their own response to it.

Obviously, they could not maintain this dishonesty once they had announced Win95 (which happened long before its release). Traditionally, those who have defended Microsoft on this issue have argued not that it didn't happen, but that the owners of WordPerfect were naive in believing them. In other words, that MS's tactics were simply tough tactics which should be expected in the rough-and-tumble world of business. I've never heard anyone argue it didn't happen. (Or, stranger still, that it didn't happen when it did.)

Once again, I'm merely trying to point out that the relationship between MS and the developers with which it eventually began competing unfairly was entirely ethical and honest for a long time before anyone started claiming dishonest tactics. Indeed, I would argue the fundamental honesty of that set of relationships was largely responsible for the PC boom and the innovation of that period. I would also argue that the destruction of that fundamental honesty is responsible for the lack of innovation since the Internet browser was introduced (the last killer app, in my opinion).

About the only reality in the Netscape story is that there was a company called Netscape.

And that minor inconvenience of an anti-trust consent agreement and a subsequent anti-trust decision, not to mention Bill's testimony in court which serves as a virtual signed admission of guilt.

But don't let any of those facts get in the way of your decision to trust Microsoft. Trust them. Embrace them. Those of us who pay attention to the history know who will be screwed next.

And it's not gonna be us.

Drivers already support Signing - it's a failure

[jbridges]

Anyone already running Win2000 is familiar with the "Signed Drivers" problem.

Win2000 supports signed drivers, guess what? Have I ever see a signed driver from anyone besides Microsoft?

As far as I can remember... Nope!

So everytime I install a driver I get a nasty warning of unknown danger from Microsoft. Make that warning an error/abort, and then you have Whistler.

Would hardware people take all this more seriously if they HAD to have their drivers signed? Nahhh, they will just tell you to turn the requires signing feature off!

Re:A few points on cost, practical application.

[Foogle]

Yeah, right. You also showed that you really don't understand the concept of signing an executable. It's not something that Microsoft does for individual EXEs, DLLs, etc. It's a cryptographically secure signature that get's written to new applications by their authors. The signature is registered with an authority (think VeriSign, not Microsoft) and then it's okay to run.

Your "malicious" DLL would have to be signed too, in order to be run under this scheme. The certification is in no way meant as an indicator of a program's relative maliciousness. It's just a method of verifying who authored it, for accountability purposes.

It is workable. Not everyone will want to keep this feature enabled, but I can think of tons of companies who will eat it up.

Conspiracy theory?

[finkployd]

Since we have seen Microsoft again and again engage in this kind of action, do we really have to refer to it as a conspiracy theory? How about business as usual.

Finkployd

Microsoft is ass-covering, not controlling

[sethg]

Whether or not this code-signing requirement is turned on by default, the majority of Whistler users will probably turn it off, because the majority of Whistler users will have at least one piece of unsigned code that they want to run (perhaps Emacs, perhaps a shareware game, perhaps a legacy program, perhaps some tool that's used within their companies).

But when a virus spreads through millions of Whistler machines, Microsoft can just blame the users for letting their machines run unsigned code.
--

Re:Relaxation would indeed be good

[vees]

I did the same thing yesterday, with similar results. I was surprised when it finally made it to the front page today. I figured someone had already posted it before me. My title was "Whistler may block unsigned code."

--

Rotten Apple

[Trinition]

Didn't Apple used to make all software and hardware be certfieied by them before it could me sold as a product for the Macintosh? Isn't that bottleneck part of what made Apple rot? Could this be a blessing in disguise?

Linux zealots spread anti-MS FUD shock horror

[steve.m]

Code can be signed by anyone - the point is you can configure the OS to only run signed code.

Then it becomes a case of who do YOU, the user trust - just because code is signed, doesn't mean it won't do anything naughty (like trash your disk). It just means you're trusting someone not to.

Unix could benifit from this - when you 'su -' to do that 'make install' how many of you read the Makefile to see what it's gonna do first?

Re:Will never be mandatory

[Foogle]

That's right it is tied to the executable. The 'signing' process is the combination of the executable and the digital-signature. However, my point still stands -- you can use the same signature on multiple files; you don't have to pay for new ones every time you release.

Re:Digital signatures cost a fat wad of bills.

[Foogle]

Okay, I can imagine that scenario. In that situation, Joe Free Software Hacker would have to apply for his own signature before he could release software that would be run on that company's systems.

Or Joe Free Software Hacker could opt to release the software unsigned, and then the IT department at said company could sign it themselves, authorizing it for use in the department. It's not complicated, it's just less anonymous than the process is now. Besides, it's not like there's never been a platform that you've had to pay to develop on before. Think consoles, anyway.

Re:Old Hardware/Software/Drivers

[shippo]

They've already done this. I had a perfectly valid souncard, but I had to junk it when one version of DirectX appeared, because the drivers hadn't been updated. The card worked fine, but wouldn't run this version of DirectX. Unfortunatly the card was on a non-standard daughterboard and couldn't be removed without a hacksaw.

Re:That means...

[Foogle]

Oh, for Christ's sake! Make sure you understand how secure-signing works before you post anything about the subject.

"They" don't get a say in what is and is not a valid application. It doesn't work that way. A developer gets a signature and it is cryptographically written to their executables. It's just a simple method of authenticating *who* wrote/distributed the application. The process has nothing to do with whether the application is "ok" in anyone's view.

Re:Anti-MS FUD

[cheekymonkey_68]

Any particular reason why Slashdot is always running rampant with Anti-MS FUD

Slashdot is an openly 'nix and open source biased site, most people here simply don't like Micro$oft for personal and/or ethical reasons.

Remember the opinions on /. posting are of slashdot readers and do not necessarily represent the views of the slashdot team.

From an IT point of view:

[ErichTheRed]

For those who work in IT (networks and delivery, not coding) think about the mindset of your average boss:

• We use Windows because it's the most common desktop platform in existence.
• We use Office because it works well with Windows, it's universal and the staff likes it.
• Microsoft just came out with a new version of Windows that the marketing guys say is Better! Cheaper! Faster! More Stable!!!
• They also say it'll only run with programs they've tested.
• Oh, wait, we only use Windows, SQL Server, Exchange, SMS, Office, and IIS.
• Plus, we won't have Jane Secretary running the buggy Thanksgiving screensaver on all the PCs in her office.
• No problems here. Order 1,000 licenses.

What I'm trying to point out is that MS is catering to business again. IT people loved the dumb-terminal days because user control was real easy. Now they have to worry about staff trashing their PCs with software they got from friends and losing their productivity while the helpdesk reimages their PC.

The circle is closing for MS with regards to enterprise computing. Not only do they have people convinced that Windows is the only OS available, now they are designing the product to give them even more control. Scary.

Re:From an IT point of view:

[Shotgun]

There's a one point you missed:

- Our line-of-business in-house apps aren't signed and won't run on this new OS.

ie, for most large companies, the most important apps are those that are designed in-house to meet specific business needs. These apps are usually the ones that run the company.

So, most companies use VBA, why can't MS just have VBA runtime signed and then all VBA apps will work. Well, then the whole system is useless, (see LOVE virus).

This move would do nothing but tighten MS' hold on the SOHO market, the one that Whistler is aimed at and the one that MS fears losing to Linux. The feature is not aimed at Enterprise class organizations. Win200 is reserved for that. Expect to see this implemented, and expect to see open-source take a punch in the nose because of it.

Re:From an IT point of view:

[MousePotato]

Great points. One of the firms I worked at took the dumb terminal days and revisited them to an extreme: mandatory/roaming profiles. All the machines were locked down real tight(ok as tight as winbloze allows) and then we set up roaming profiles. Thanksgiving screen saver? No problem. Just be sure to set it every time you log in and you can have it. Amazing how fast that trains employees not to mess with that stuff. It all worked great with the exception of the one user pref that we would have to unlock the profile for and let them set on day one: mouse speed and click/double click settings. From an IT point of view this is a dream state. From an end luser point of view this has to be one of the worst things your boss can do to you. I remember hearing employees moan to each other 'I have a name! I am not a number! I am a free man!' and other classic Dilbertarian / Orwelian type movie quotes. Various emails to the IT deptartment begging for this wallpapar to be set, that shortcut to be placed and this usser profile for launch on Autocad that all had to be replied with the 'This modification to your user account does not meet office standards and cannot be completed without you supervisor's approval.' Which btw, had an equally amazing effect on not hearing from that user again on that issue.

Re:From an IT point of view:

[MousePotato]

The boss had zero tolerance for win95 and 98. The machines were all NT workstations and all of the profiles were stored on one of the servers. Lots of other things were locked out from users too. No command prompt. No Run option on the start menu (was a hack i hadn't seen before). No Floppies. CD's had to be placed in a cd server. The IT director was brilliant in his execution of the 'office standard' there.

Microsoft shoots its own foot?

[Trinition]

Suppose this "certification" grows to be a way to certify that a program won't crash when you run it. Does this mean Microsoft's own products won't be able to run on Whistler?

What of the even greater paradox that Whistler will probably crash, so wouldn't be certified, so you couldn't even run Whistler in the first place?

However, somehow I doubt Microsoft would take it to that meaningful level. Instead, it will be a way for them to get more revenue, assert control, and get a listing of all Windows developers.

MPAA/RIAA/DVDCCA will love this!

[snookums]

With an OS that refuses to use unsigned drivers, it will be a lot harder to make dummy sound and video drivers that write their output to a file.
Say goodbye to taking future-proof backups of proprietary-format data.

Please

[Fervent]

This is strictly pro-Slashdot FUD. Signed drivers are the second best thing that's come to my box recently (Windows 2000 being first). You don't know how good it feels to take a look at a video card driver, see that it's not signed and say "hey, do I really want to support this? It probably won't run."

Re:Please

[Fervent]

Conspiracy theorists, take note.

This already exists - in a fashion.

[shippo]

Under IE a feature like this already exists for downloaded executables, where a warning is displayed in an attempt is made to run an executable downloaded directly, with the option to automatically trust all code signed by a particular certificate. Entities other than Microsoft can sign their own code. The purpose of this is to prevent trojans being installed. However it is easy to revoke.

The plans for whistler appear to be to extend this further.

It will never work

[uradu]

It would be a developer's worst nightmare. Each time you whip out a quick utility--on a good week that could be dozens for me--you need to go through the signing process. Also, enterprises and shops that write their own software and distribute it internally are going to get sick REALLY quickly of the extra cycle involved.

If you simply add a signing capability to the compiler or IDE, and it signs the executable automatically when you hit RUN, what's the point? The signature is meaningless, it doesn't signify squat regarding the safety of the code. If, on the other hand, the signature has to be applied by QA after at least some testing, they'll get sick really quickly of signing every little piece of shit code churned out by anybody--they simply won't have time to do it, and/or the developers will eventually quit in disgust.

A few points on cost, practical application.

[seizer]

I have absolutely no idea how many win32 x86 executables there are out there, but I'm fairly sure that there are far more than Microsoft could ever certify, even if they only tried to certify newly released ones, let alone try certifying the old ones - and I think I'm correct in that Whistler will still run good ole x86 code.

So, far too much to certify. Without charging, anyway.

So, only allow executables to run if they've been certified AND the author has paid for that certification? Doesn't sound likely! Even if there WAS a paid scheme, there would be far too many executables for MS to certify on its own. It would have to outsource the certification to an external company.

So, what happens when this company certifies code which turns out to crash in an interesting way causing huge damage to someone? Someone's very very liable, because MS even said that it'd work safely. I don't see themselves setting up a legal tripfall like that.

And what about what is classed as an executable? Just EXE and COM files? Just Win32 EXE files? What happens, say, if someone certifies winword.exe as safe, and then I come along and insert some malicious DLL file which is then loaded (uncertified, but with full "privileges")? Oh, so they'll have to certify those too.

I'm sorry, but in the 2 minutes in which I've brainstormed (incompletely) I think I've noticed something.

It's completely unworkable. What a surprise.



--Remove SPAM from my address to mail me

Re:Wooaahhhh!!! Relax

[Dannon]

Not just a burden on the 'small guys', but also on major developers.

I remember a long wait for Win2000 SoundBlaster Live! drivers... not because further development was necessary, but because Creative had, for the first time, bothered to submit their drivers to Microsoft for a thorough inspection and 'certification', so that a certain warning wouldn't pop up during the install.

And while Creative was waiting for the MS guys to send the drivers back with a 'stamp of approval', the PR guys had no way to answer the 'when will we have working drivers' question other than 'any day now'. Definitely not what any customer wants to hear.
---

Leaked notes from MS Committee for Win Future Dev

[dkh2]

Names obfuscated to protect the "innocent."

[bill] :: The Win2K launch has been a raging success. What items do we have to discuss for future development.

[steve] :: Well, we've had very strong feedback regarding the unsigned driver warning in 2K. We'd like to expand that for Whistler.

[bill] :: Tell me more.

[steve] :: We'd like to require that all apps be signed and certified by a special team of Application SSigning Speciallists, or ASSes before they are permitted to run on Whister.

[bill] :: What's the up side for us?

[steve] :: Through effective marketing to the open source community we can get them to submit their code for certification. This will undoubtedly provide us insights into how to fix things in our own system. Additionally we can charge for this service and eliminate the drain from our evil tactics fund.

[bill] :: I think we should run this by legal. Jim, what's legal's take on this.

[jim] :: We're on board for now. Now that things in Florida are starting to look like Dubya will win we can divert some of our team from the anti-trust case to preparing the spin for this. We should be able to cut our potential detractors off at the knees.

[bill] :: Great! To prepare for this, we need to send all of our coders through that advanced firearms training course. We don't want anybody to miss their foot when release time comes.

Code commentary is like sex.
If it's good, it's VERY good.

How will it be implemented?

[segmond]

Is it going to be checksum like? If so, what makes them think it can't be cracked? I mean, how long did it take to figure out the checksum for dreamcast, n64, psx? what if the code modifies itself? say for example, shareware programmers? what if my program has it's own checksum, and whistler is using another checksum, how will they both co exist? will this only be limited to dll, exe? what if an authorized signed code tries to run an unsigned code or depends on one? Is the opensource community going to sign their codes? Mmm, many questions...

A few questions

[macdaddy]

If there is an option to turn this BS "feature" off, what's the default setting?

If I create an installer for common Internet applications for the faculty/staff/students at my University, do I have to send it to M$ for approval?

"We're sorry. You didn't include IE in your installer. We've included it for you, made sure it always installs no matter what the user specifies because we know they'll always want to install it even if they didn't say so, set it's default homepage to www.microsoft.com and search page to our MSN site because they are the best and soon to be the standard, signed up the user (and everyone in their address book) for MSN because it's really where they want to go tomorrow, and removed Netscape because we don't approve of their code. Thank you."

If I update that installer each semester, do I have to send it back to M$ for approval?

What is M$ going to charge me to approve my app?

How can they actually audit my app without me sending them my actual code, part of my IP?

Can I make them sign an NDA so that my code and I are protected from M$ stealing ideas and code?

Am I forced to sign a M$ NDA that says they can do whatever they want with my code?

Re:Wait a minute...

[f5426]

> According to the article, this is an option that can be turned on or off - so in the appropriate setting, this is actually a very useful feature

So it will be turned on in corporate environments. And there, you could only run software signed by Microsoft.

I find this scary as hell. It won't be anymore secure (because you won't have all the scripts, excel macros, etc, etc, signed). But it will be more difficult to run free softweare.

Cheers,

--fred

Re:Wooaahhhh!!! Relax

[morzel]

Where this could present a problem is for shareware/PD/free software apps in the enterprise, where IS is more likely to enforce the signed app rule.

If that would be true, Melissa, ILOVEYOU,... wouldn't have caused the havoc they wreaked.

Okay... I'll do the stupid things first, then you shy people follow.

Re:So who get's to sign apps and how much $$$?

[gimgol]

So is the signature merely a means of tracing back to the developer or is it a system of software certification?

Tracing back to the developer. See this article for details on how this technology is going to work in the Windows Scripting Host.

Re:Possibly sane

[MidnightLog]

Hmmm. I'm not so sure that this is going to help sys-admins. I agree that people installing random, unapproved stuff on their PC's can be a problem, but how do you define unapproved. There are several commercial packages that, when installed on certain PC's in our environment, will cause problems. These packages will undoubtably be digitally signed in the future (if they aren't already). This "feature" of Whistler won't stop people from installing those packages. It also won't stop people from installing commercial software that they brought from home. It will, however, stop people from installing most free/shareware. Whether or not this is a good thing is up to you to decide. I don't think it is.

I am not a sys-admin, so please have patience. Aren't there already MS-approved ways of controlling software installation?

One final point, what happens when someone wants to run some older (legacy) software which isn't certified? Is it going to be handled the same way, or is there going to be a "backdoor" for currently existing software or some kind of "opt-out" list?

Re:Possibly sane

[el_chicano]

As a former sysadmin/support person for several big companies, I can tell you that people installing random, unapproved stuff on their PC's is a major source of support calls.

Two words: diskless workstations...
--
You think being a MIB is all voodoo mind control? You should see the paperwork!

Even so, this could be a problem

[nehril]

While I agree that there will always have to be an option to shut off code verification, the problem lies in what the default settings for whistler will be.

If MS decides that code signing will be on by default, and that to disable it you have to go through a convoluted series of clicks and/or registry hacks, there may be a problem. We could find that suddenly "unsigned" applications will cause scary looking error messages to be popped up on, say, your grandmother's screen. What will most people think when an error dialog pops up warning them that this application may be a virus and could damage the computer? 90% of home users will instead look for apps that don't display any error messages on install.

This could be a situation similar to the "Designed for Windows 95/98/2000" logo process, which Microsoft uses to gain leverage over software developers. The logo program has had a lot of success among users who might otherwise mistakenly buy a Playstation CD or Nintendo cartridge for their PC (that's most users folks). Except that now it's not just a graphic on your packaging.

My bet is that code signing will be necessary to get the "Designed for Windows 200x" logo, and that developers who don't follow the party line will be at a serious disadvantage in the marketplace. MS may be moving towards a console-esque software scheme (xbox, anyone?), where they get money for every "certified" application sold. And even if some hacker found some way around the signing process, a legitimate software company probably couldn't use it due to DMCA "anticircumvention".

So the question is not whether it will be optional, but will it be on by default, and who gets to sign the code?

Useless even when turned on...

[kris]

Of course, such an option to run only signed code is completely useless even when it is turned on in any Microsoft operating system. Remember we are talking a system here where any document can also be an application. That is, you can write a Microsoft word document that does a complete Linux install in VBA macros, including formatting the hard disk.

Unless turning on this option also disabled the WSH, all macro capabilities in all programming languages and certain other options (such as being able to call RUNDLL), turning on this option will NOT prevent the next Melissa and will NOT increase your systems security.


© Copyright 2000 Kristian Köhntopp

Re:Wooaahhhh!!! Relax

[GooberToo]

If an application has been signed as being an official certified application, does that, in the consumer mind, open the door for a libel mind set? In other words, if this certified and signed application hoses my data, doesn't that mean that Microsoft, or whom ever signed it, should pay for the restoration of my data? What about pain and suffering? After all, I had to tell my boss that the report that would of won us a $1,000,000 contract is now destroyed by this application. If not, why do I care that it's signed. Surely since it is signed and certified, this gives me as a consumer some additional recourse?

I'm not saying that there is or is not merit to such a claim, but doesn't it create the possibility of such an end-user mind share?

Greg

Remember the history...

[freeBill]

...of Microsoft's cheating:

First, they compete honestly. Then, when they lose that fight, they cheat.

They didn't start out to steal CPM from DRI. First, they recommended IBM buy the operating system from DRI. Then, when they saw their language-compiler deal with Big Blue going up in smoke, they stole the OS, repackaged it, and sold it to IBM.

They didn't start out to screw over developers for their OSes. First, they gave them free rein. Then, they competed outside a "Chinese wall." Then, when they were still losing, they told WordPerfect et al that they were committing to OS2 while secretly planning Win95, which was closely integrated with Office.

They didn't start out to squash Netscape. First, they helped them develop Navigator. Then, they decided to compete with them honestly with IE, promising not to breach their "Chinese wall." Then, when they failed to win with Explorer, they decided to cheat by bundling. Finally, when they were forced to stop bundling because it is illegal, they decided to cheat by calling it "integration."

So, don't be fooled because they seem to be implementing this in an entirely fair and honest fashion at first. They probably are being fair, and they probably intend to avoid cheating. But, when it looks like they may be in trouble with some competitor who is beating them in the future, do not be surprised if they panic and cheat.

They do it so consistently one could almost call it their business model. But that would probably be unfair to them because it implies intentionality from the start.

My prediction: They will be scrupulously honest about this in the beginning and maybe even offer their users some some modicum of security derived from it. Then some killer app will come along and be certified after the code is submitted to them. Then they will decide to compete directly in the space created by the new killer app all the while promising not to use any clues derived from the code they certified. Finally, when they fail to compete in the new market, they will leverage the code submitted to them for all manner of dirty tricks, from finding out about new features before release to stealing code and re-designing APIs to break their competitor's code.

Solution (not)

[RPoet]

Port WINE to Windows, get Microsoft to sign it, and voila, you can run "all" windows applications ;)

--

Wooaahhhh!!! Relax

[91degrees]

Whistler will have the option to only run signed applications. You can turn this off. If people find that they need to run older software, then they WILL turn it off. Since developers need to be able to run unsigned applications (you can't get a certificate for each incremental compile), this will have to always be an option.

Re:Wooaahhhh!!! Relax

[gargle]

The problem is that consumers will _expect_ "professional" applications to be signed. Which, as the article points out, will be a real burden on shareware programmers and small developers.

Re:Wooaahhhh!!! Relax

[Weezul]

Your not necissarily correct. Microsoft could just sell a seperate developer version of windows with the option, but all the normal windows versions would require the person to run signed applications.

Re:Wooaahhhh!!! Relax

[Zigg]

Honestly, I doubt that consumer-grade users will ever come to that expectation. I mean, come on, these are the people who shut off their worm and virus warnings so that they can run e-mailed exectuable greeting cards or animations.

Where this could present a problem is for shareware/PD/free software apps in the enterprise, where IS is more likely to enforce the signed app rule.

Re:Wooaahhhh!!! Relax

[zorgon]

Yep. You got it bra. Who says M$ can't learn from Sun? Remember when Solaris stopped coming with the development package and compilers? Of course, all that did was make Gnu dominant, but with this signed programs trick M$ obviates the third-party compiler issue. Wow.

Dear Microsoft

You may remember that earlier in this year, we faced each other in a court of law of the United States Of America. You may further recall that you, as a corporation, were found guilty of abusing your market power to efectivly create a monopolistic business for yourself.

Now, we understand that a day is a long time in the age of the Internet, but we really think you would have remembered something as big as this. Therefore we are sending you this email to remind you of the legal ruling against you.

This action has been prompted by your blatently stupid plane to enforce a digital signiture on all software that wishes to run on your latest operating system version (Codenamed Whistler, we believe) This is clearly a move to block further compitition in the applications market, and will obviously allow you to extort money from hard working, but low income, shareware and freeware software authors. If you would like, we can take you to court again and prove it. We'd probably win you know.

We find this action perplexing in light of your confirmed monopolistic status. Therfore, we have acelerated plans to bust your ass down. Please be advised that as of 1st January 2001, Microsoft will be broken up into itty bitty little peices, and sold off to the lowest bidder. Mr William Henry Gates III will be required to attend a special three hour, live showing, of "The Jerry Springer" show, to publically apoligise for being such a pleb.

We look forward to your prompt response on this matter, and wish you a nice day.

Yours,

Department of Justice (US)

Re:Possibly sane

[NineNine]

That IS a good idea. As a former sysadmin/support person for several big companies, I can tell you that people installing random, unapproved stuff on their PC's is a major source of support calls. This should make W2K be an even better choice for corporate desktops. This is yet another feature that shows that MS is thinking about enterprise implementation on the desktop. You do NOT want people to be able to install any old RPM on their desktop in a networked environment. That's a BIG "no-no".

Wait a minute...

[TopShelf]

According to the article, this is an option that can be turned on or off - so in the appropriate setting, this is actually a very useful feature. Far be it from me, however, to let the facts get in the way of a sensational headline...

Re:Wait a minute...

[ca1v1n]

Free software vendor? Last I checked, anyone can be a free software vendor. That's the beauty of the system. Requiring apps to be signed cuts off the ability for people to do work as a labor of love, which is how some of our best free software was created and is still maintained.

This has to be optional

[TommyW]

Because if it's not optional, then the end-user (rather than end-luser) can't run software they've written themselves. Well, not without registering with Microsoft anyway. Which isn't going to happen.

And once the option's been turned off, you'll be able to run anything. I presume.

So it's got advantages for businesses, as they'll be able to ensure that their desktop machines don't get infected with screensavers, whilst home users will probably disable it at the first opportunity.

I hope...
--
Too stupid to live.

Re:Relaxation would indeed be good

[Dannon]

from the turn-on-red-alerts dept.

Says it all, doesn't it?

An unfortunate truth: Even in the best of news media, sensationalism always wins out over objective, balanced, and reasonable reporting. Clue to MSNBC and other news networks: 'Too close to call' ain't exactly 'breaking news' any more!

---

Re:Possibly sane

[bockman]

It will be sane if it will allow anyone to handle the signature approvals. so that a corporate IT department set-up its desktop so that it can run only software with their (of IT department) signature. This would allow IT departments to deploy more secure installation ( if that is possible with M$oft software) without having to depend from M$oft.

/PARANOIA ON
For the sake of conspiration theories let's think of a different scnario : when the first virus/worm/trojan of Whistler will appear, a dialogue like this will take place:
User:"Help, help. This virus just f*ked up my data!"
M$oft: "oh, but you turned out this very important security feature!!!!! It is **your** fault, then !!!"
User:"But I just wanted to run FooSoft SuperBestSoftware 1.2"
M$soft:"Ah, but FooSoft does not comply with our security policy and it's not certified. Why don't you run M$oft UseOnlyMe application. It does the same thing, but better. And it's more secure. You'll have to pay every time you run it, but security has no price in this virus-ridden world."
/PARANOIA OFF

How long 'till it gets hacked?

[Alioth]

How secure is the signature anyway?

We know how long it took until DeCSS showed up, and the DVD security was broken. How long until signatures are broken?

Anti-MS FUD

[Fervent]

Any particular reason why Slashdot is always running rampant with Anti-MS FUD? It's like, every single article that the dot posts about Bill ("Bill Gates gives to 14 children's charities") is plagued by responses basically saying, to different degrees of intelligence, "M$ $ucks!".

Re:Anti-MS FUD

[Stephen+Samuel]

If this were a startup or a company with a more positive history things would be different. As it is, you'll just have to adapt.

If this were a startup or a company which had a better history (i.e. wasn't used to acting like a monopoly), we wouldn't even dream of them being able to get away with the the kind of control-freak bull that this threat seems to entail.

"Do exactly as we say, and nobody will get hurt. &nbsp Just remember: It's for your own good."
`ø,,ø`ø,,ø!

I totally quit reading the Register.

[Jeff+DeMaagd]

Sometimes they actually get something right, but usually every story had some unjustified amount of skew in it.

There was a time when Slashdot used the Register as news a lot, like at least a story every week. I think the "editors" here finally wised up. Now to take ZDNet off should be our next task.

Re:I totally quit reading the Register.

[Paul+Komarek]

The Reg is proud of its skew! And any intelligent reader should be able to identify it--it's usually humorous. Obviously you're an intelligent reader. Why does this put so many people off?

And I don't care about protecting readers who can't detect the skew. For those interested, The Reg is skewed against everything--they don't like anyone.

-Paul

Re:I totally quit reading the Register.

[Jeff+DeMaagd]

Oops you are right! The whole site seemed to be the stereotypical trash rag. I know the use lots of unnamed insiders which is a good thing and a bad thing.

Oh well. It's not funny enough to make it worth my time, and rarely has useful or interesting enough news either, and unless I keep up it's hard enough to tell fact from fiction, so I don't read it anymore, besides "unannounced" news can change many times before it makes a real product, if ever.

Re:Possibly sane, but scores points for other OS

[ackthpt]

Ok, if it's optional then it's not so insidious. If they take that optional away and become sole arbeiter of good code it'll be the best thing they've ever done to promote Apple, Un*xes and Linux.

Nearly a laughable concept from a company well known, by now, for the security gaps in their own applications which pose perhaps the single most damning threat to business and personal users.

--

Re:Possibly sane

[Happy+Monkey]

It also says that you have the option to send it to them for testing so they can approve it and stuff.

Can someone sue MS for having lots of copies of unlicensed software then?
___

Isn't that ironic...

[Amokscience]

RANT:

You know, Slashdot feels more and more like Windows 9x. I 'have' to use it (or find even less suitable alternatives) but it makes me feel angrier, dirtier, and less prodcutive the longer I use it.

Not only that, they're obviously a bunch of irresponsible. hypocrites. Talk about FUD FUD FUD FUD FUD FUD. Dear lord, someone hand these clowns a cluestick.

...and for my opinion on the signed apps: I've for it, as long as I can turn it off and have different restriction levels. It's an excellent way to protect against virii and trojans.

Easy of Use vs Security

[dirk]

Maybe I'm in the minority here, but I can't see how this is a bad thing. When ILOVEYOU and MELISSA were running rampant, everyone screamed about how MS set everything on low security by default, and no one would change it. Now they decide to set security higher by default (which would avoid a lot of the problems) and now people are screaming about that. There is no perfect way to set security by default. The only way to have real security is to set it yourself. If people take what MS is giving them as security settings, that is their choice. If low default is bad, and high default is bad, what is good?

if you can

[dalinian]

Yeah, it can be turned off. Just like macro execution in MS Word. ;-)

Re:if you can

[Zigg]

Point well taken. However, seeing as how Whistler will be almost totally useless for the majority of users without the capability to turn this off, I doubt it'll be hard to have it shut off. Besides, Microsoft's history when it comes to implementing security options is to leave the less-secure option on by default. I doubt this will be getting in anyone's way.

Re:Break it before it breaks you

[Foogle]

Microsoft doesn't handle the certification; they have no say in the process, and there are no standards to say what sorts of applications can be signed or not. The bottom line is that a signature just adds accountability, not certification of usefulness.

Relaxation would indeed be good

[Zigg]

God, no kidding. What amazes me is that when this cropped up a couple weeks ago on The Register, I submitted an article about this being an option... it was refused in the space of an hour.

Apparently refusing to read the entire article and making the headline as sensational as possible is a formula for success when you're looking to get a Slashdot headline.

Re:Relaxation would indeed be good

[Ektanoor]

Well twice I saw this same thing. What amused me was that the submission about Plex86 was late a day, it was refused, and next day they published it.
Besides the situation with this article is quite bad as it is a typical example of yellow journalistics that people have been highly fearing. This way /. will loose every single drop of respect. Frankly, if it wasn't the fact that we readers make 80% of it, I would have quit reading long ago. The headers are sometimes irritating and stupid. Some comments and headers about M$ are on the same level as M$ FUD itself. And published submissions have been degrading highly. First they are coming terribly late, haven't you noted? Second they sometimes forget/delay some critical launches, events. Mandrake was nearly forgotten and only came out when people where already firing Hell for days, about an american distribution chain launching a pre-release as 7.2. And third, their selectivity seems to show that /. keeps living in the end of 90's and does not want to move further. In a day they seem to get 100-300 sumissions. And, published, we see only the same number as before 5-10 a day. It would be curious to think that all 90-290 are dupes, spam, trolls, anti-linux FUD, mass-media junk and co.

And sincerly. I believe Rob is getting no better than Bill. Keeping to rule of the game only in his own and his command is what M$ does and not the OSS/GNU/Free Software community. Open the house Rob, you will not loose but win. If you do it smartly, of course...

Re:Possibly sane

[devapoj]

One might say that it is optional, and perhaps even desirable in a secure, corporate environment. But that is beside the point. The point is that anyone who wants their software signed will have to bear all to microsoft and thereby allow microsoft's engineers in the process of "certifying" it, pilfer any good ideas that package might contain.

No doubt the empire will encourage businesses that such a move will be a "good thing", and any competitor that effectively does not show their source code to microsoft will be shown the back door by corporations that have taken the bait. Sounds anti-competitive to me.

It's retarded BUT...

[jcostom]

There's a way to turn the behavior off...

I saw it described on one of the beta newsgroups, but don't recall the exact sequence to do it. I think it's an incredibly stupid default.
--

Whose butt did they pull this story from?

[AFCArchvile]

Only drivers are digitally signed right now. I can go ahead and download stuff from Freshmeat that's in the alpha stage and run it nag-free. The whole reason for digitally signed drivers is to prevent from having shoddy drivers run on a mission-critical system. The biggest problem with this is either Microsoft's refusal to digitally sign drivers, or the companies' sheer laziness.

If the digital signing process is carried over to applications, though, then it would mean the end of Win32 application development as we know it, which is why Microsoft will most likely never implement such a draconian system.

There, I said it; the article is all FUD spread around by the Linux zealots.

"Relax, this won't hurt a bit."

[twitter]

Don't worry, Windows productivity will always shine. Older applications, aslo known as unsigned or unapproved and insecure, may crash newer versions of Windows because we broke the old code. To protect you from such crashes, we have put this new feature in that you will have to disable to find out your favorite piece of software no longer works. This will force you to buy one of our newer offerings, so you can be more productive than ever. Ah yes, see how good our subscription service looks? You will alwasy be (paying for) using new software when you trust MS.

The easiest option to turn off is Windows.

Re:ok.. none of you have got it right yet

[Vinster]

> hehe.. uh oh... unsigned shorts range from 0 to 65535.. sorry
Actually a quick scan of eBay will show unsigned shorts going for much less than that.
I doubt even signed shorts would go that high! Maybe if they were signed and game-worn by Michael Jordan or someone like that. But 65535 sure seems high.

Re:Possibly sane

[powerlord]

Okay, lets say its 'optional'.

Whats the default setting going to be?

How many people are going to go looking to disable it, or are going to be alarmed when they suddenly see a big dialog box with a red stop sign that say s "WARNING! The system attempted to run a program with questionable authentication!" or some such error message?

Given MS's track record this smacks of future bullying potential.

Re:You miss the point....

[Zigg]

I'd bet (without any substantive data to correlate my bet) turning the thing off is as simple as checking a "Don't bother me about this lame-o signed app stuff" box, at least on a machine that hasn't been tightly configured by a competent administrator. The difference is that Microsoft's record on security settings diverges depending on the nature of the setting:

1. If the default setting is for more security, give a checkbox to the user to allow him to opt to stop being bothered by the security setting when the security setting causes an interruption in the flow of execution.
2. If the default setting is for less security, require the user to dig through the aforementioned mess of dialogs in order to turn the higher-security setting on.

Again, all bets are off if the machine has a policy configured by an IT control freak. Also, I might add that this attitude is not exclusive to Microsoft -- I think it was first pioneered by Netscape (i.e. Navigator's "do you want to run this?" dialog that could be bypassed vs. having to dig through preferences to turn the cookies off).

Remember, IE was once optional too.

[jabber01]

Remember, IE was once optional too.

The REAL jabber has the /. user id: 13196

MIcrosoft endorsement?

[onion2k]

So, does this means that its up to Microsoft who can write software that will be signed? What if they decide that Netscape is a profits^h^h^h^h^h^hsecurity risk and don't let them have a signature? Or, more comically, what if the post-breakup Microsoft OS division don't let the post-breakup Microsoft Office division have a certificate? Surely having the OS creator certify the applications is a conflict of interest. It'd be better to have a third party validate stuff. Right?

Re:It's an OPTION, guys!

[Golias]

The problem with this "option" is that if you are selling or distributing software you might be forced to assume that a certain percentage of your customers will have it turned on, which means that you have no choice but to send a fat wad of bills to Verisign (just like getting SSL certification on your web forms), and subject yourself to whatever anal probed MS insists on performing.

I think developers have plenty of reason to be uneasy about this news.

Why do we need the US?

[Ektanoor]

Well look at this GREAT future! Yes, this is an extrapolation of this certification stuff. But think well. Technically someone may lead things to such extreme...

1) Certifying things like patents. So why do we need courts, suits and such stuff? Courts will only deal with hackers, crackers and bad boys who use pirated/cracked soft.

2) Certifying application packages. Somehow this is a consequence of the first. No more need for these patent battles, wild concurrency that creates consumer confusion. No need for DOJ probes, FTC certifications. Everything is in the system itself.

3) Certifying computers. How many poor users suffer from this mess of hardware configurations that don't go well with soft. Let's certify them. And even no WTO's will be needed. Why to give certifications to the bad boys on the other side of the Ocean?

4) Certifying docs. Isn't this great? Amazon's will be assured that it is selling you its book and you are not reading some pirated copy. And no Phracks, hack mailists, underground chats like Slashdot. Consequently no need for FBI's and similar stuff.

So, in the end, why do we need the US? Frankly I don't see any need on it except to support a huge army that will fight rough states which refuse to accept the new rules. Specially Russia, EU, China and several others.

So let's certify the Constitution (after changing "We, the People..." for "You, the users..." and removing some subversive stuff) and publish it as the EULA of the New Age. How great this Marvellous New World!!!!

That's not what the article says at all!

[drivers]

Here is a quote from the article:
Developers may purchase the cryptographic certificates used to create such a signature from Verisign Inc.--Microsoft has no say in determining who may receive such certificates or what software may be signed.

It kind of says it all doesn't it? It never says Microsoft has a final say over who can write apps for it (although it does raise some issues, not the ones everyone is going on about here...)

(It's not like it was that long of an article.)

THis is an *option*,

[mindstrm]

And, regardles of how much anti-ms sentiment there is, a GOOD option. Linux should *also* have something along these lines. Think of the security that is made possible.

And it's an *OPTION*. Microsoft would NEVER get away with making this mandatory. Not in the US, not in the UK. They would be SLAUGHTERED in court (or by every developer out there first)

Also, who says you can't use *other* keys? I assume this follows standard PKI? WHo says you can't give other CA certs who can be used to validate an executable, and then your IT Dept. can also 'authorize' apps, while preventing useless employees from running things that aren't certified?

Re:THis is an *option*,

[Ektanoor]

Linux has several systems to verify the integrity of an archive/package/program (ex. PGP/MD5 signatures). I should note that it possesses also several systems that checkup the integrity of files installed (ex. Tripwire). What Linux may not have, is a mechanism doing these checks at run time. Probably this would be a useful option in some cases, but not all as this causes some overload that may be uncessary/undesirable.

On what concerns the lack of a Verisign or similar certification system. On Linux this is not a good option as the dynamics of development are much higher and variable. This specially concerns cases when people work in such projects like distros. I don't wanna say that we don't need Verisign-like certifications at all. But it is not as universal as in Windows, where development is more enclosed.

Nope.

[Fist+Prost]

Think about it, you're a third party S/W vendor, and you WANT your code to be blessed by MS, right? Who's going to sue the benevolent giant for making sure their apps are going to work?

What's really funny is that they say this as if the TPSV hasn't already sent their program to MS to get it approved and obviously failed, or else why would the *user* be sending it to them? Other than legacy/abandonware apps there shouldn't be any NEED for users to be sending programs to MS to test (not that it won't happen of course). Sounds like just another way to force the IT types to move over to an MS-Only shop.

Fist Prost

"We're talking about a planet of helpdesks."

So who get's to sign apps and how much $$$?

[Performer+Guy]

So is the signature merely a means of tracing back to the developer or is it a system of software certification?

If it's the latter who get's to sign applications and how much will it cost?

I assume that big developers like ADOBE will have to jump on board here, so will they have to send software to Microsoft to be signed (like WHQL or in this case WSQL), or will they be added to a database of default trusted signatories in the Operating System?

The devil's in the details, this could be a reasonable scheme or it could be evil incarnate. Does anyone have any more detailed information?

Possibly sane

[b0z]

From what I read on the article, it means that you have the *option* to set up the OS to warn you if you are trying to use an application that is unsigned by Micro$oft. It also says that you have the option to send it to them for testing so they can approve it and stuff. I think that is fine, so long as this ability is an option. It sounds like a decent security feature to me for a closed system. I know it goes completely against the open source ideals, but for M$ to improve their security this is one way to do it. If you are running a machine at work running Win2k or Whistler (when it comes out) that could be good to have this option enabled because you only want to run a few applications and services that your company approves, and you don't want people installing software that could potentially cause a problem on your system or network. Also, you can leave it disabled on your PC at home (if you want to run one of these crappy OS's) and install whatever you want. I don't really see a downside to this, if someone doesn't want to use this option but wants the OS, they simply turn it off. If this were mandatory, It would be crazy.

Re:Possibly sane

[NumberSyx]

You do NOT want people to be able to install any old RPM on their desktop in a networked environment. That's a BIG "no-no".

Linux doesn't have this problem to begin with, if you are setting up a desktop system for someone and you don't want them to install software, you simply do not give them the root password. They can still download, install and run software, but only in thier home directory and only with thier own user permissions. Which means; no formating the hard drive, deleting or altering system files and few if any virus.

Jesus died for sombodies sins, but not mine.

Re:Possibly sane

[TheAncientHacker]

Or we could go back to dumb terminals and mainframes. Or maybe submitting jobs to the MIS department's staff (wearing lab coats in their glass rooms) on punch cards after getting three levels of management approval and a six-month MIS review to see if it is really needed.

You guys just don't get what Personal Computers are about, do you?

Re:Possibly sane

[Sethb]

Why is it that Microsoft code is "assumed" (and you know what that means) to be BETTER than 3rd party code? I can't think of ANY app I've ever bought that was buggier than the first Windows `98, or the original Office 2000. Office 2000 was so annoying it made me switch to Star Office on my `Doze machine...

The point of having Microsoft certified apps isn't that Microsoft's code is better than another vendor's. The point is making sure that the vendors conform to Microsoft's way of doing things. There's one HUGE reason to do this, and it's all about .dll files. Microsoft certified apps won't write their .dll files into places they shouldn't, like the system folders. This is a huge problem on some Windows systems, depending on your particular mix of applications. Having an app be Microsoft Certified gives you at least some assurance that it won't hose your computer due to sloppiness on the part of the vendor.
---

Re:Possibly sane

[Sethb]

Linux doesn't have this problem to begin with, if you are setting up a desktop system for someone and you don't want them to install software, you simply do not give them the root password. They can still download, install and run software, but only in thier home directory and only with thier own user permissions. Which means; no formating the hard drive, deleting or altering system files and few if any virus.

You can do the same thing on an NT/Win2K/Whistler system, you just don't give the user "Administrator" or "Power User" rights. The problems come in when some appliations require that the user have that level of rights to be able to function. I've had problems with Adobe PageMaker and ImageReady not working with just plain "user" rights. So, as a SysAdmin, you wind up giving some people higher rights than you'd like to because they have tools they need to use that weren't properly tested by the vendor. But, you've opened the door up to them installing all sorts of crap on their system.

I personally hate After Dark the most, it's the fastest way to screw up your Windows machine...
---

poor assumptions, bad analogy

[twitter]

No, you say, I'm a hardcore free-software supporter. Sure. You may be the hardest of the hard-core, but will even you continue to use a truly free, non-proprietary internet when the only people on it are you and RMS? How will it feel, being the Amish of the next century? As the world around you embraces Windows 20xx and its wonderful billg-approved code, you'll be stuck in your horse and buggy, refusing to use them newfangled zippers because you think they're the tool of the devil.

C'mon, you know you'll want to send email to all your friends, and check out the cool new holographic websites (that 2-D stuff is so 2000). All you have to do is install the new version of Windows. No, you might not be able to compile your own programs, or upload websites which the Nonobscenity Certification Board fails to approve, but isn't that a small price to pay?

That's a nice look down a dark alley, but I'll bet that you are wrong.

You assume that people are stupid and enjoy being screwed. You also assume that MS will continue to be the harbiger of new cool stuff. Not so. MS has never been inovative and never will be. Expect new things to continue to come from free software. Expect more people to become sick of MS, banner adds and other anoyances.

The more MS breaks, the less useful it becomes. The less useful it is, the fewer people will use it. The less people use it, the less it will be relavent.

General purpose machines will always be able to connect to each other. The net routes around damage.

The problem with using Verisign and signed apps...

[w3woody]

is that a number of viruses that have been spread around the 'net were VBA macros. The problem I see with this is that if Microsoft requires a "software developer" to purchase a Verisign signature to sign all applications, this is going to have to extend to guys who hack together Excel spreadsheets or embed simple VBA macros into Word to sum rows in a table.

I'm wondering how pissed off some random accountant is going to get when he can no longer share his Excel spreadsheets with others in the office.

Further, when you put digital signatures in the way of a virus hackers, I wonder how long it will take before someone figures out how to hack a Microsoft Windows list of root certificates. By hacking the root certificates to include another root certifier beyond Verisign, you can easily circumvent signature security by generating your own key signatures. That's because the whole key signature system relies on a handful of trusted root certificates that come preinstalled on a Windows machine, and if you can add your own "trusted" root certificate, then it's a slam dunk to sign every bit of virus code that you wish to send out.

Re:This could be a good idea

[zCyl]

Definitely! Reading the headline, I was hoping someone had voiced this view. Personally, I prefer to stay lightyears from most Microsoft products, but this is definitely a positive step forward for Microsoft users, under one condition... That condition being that Microsoft opens up the ability for system administrators to declare other authenticating agents besides Microsoft as authorized binary signers. I wouldn't want Microsoft to be the only agent who can authorize what software I run on my system, but if I can declare, say, Microsoft, Symantec, CERN, etc, then maybe I have a wonderful useful system that can protect or immunize against unwanted viruses and downloaded trojans that pretend to be real software.

Little developers can't afford the cost...

[Cerlyn]

... right now, anyway. Check out http://www.verisign.com/developer/index.html I believe each of those certificates are $400.00 US *per year*.

Duh... think about it.

[Bad_CRC]

they put the default option as programs they don't approve won't run... BUT, they give you an option to turn that off, knowing 90% of consumers run everything at the default settings, thereby causing any program not certified by them to be instantly useless.

They will probably start out with a "third" party (which they will own) verifying software, then after a while, switch it back to themselves.

Want to get rid of netscape? no problem, no need to refuse to disclose the critical api's they need, just don't sign off on their program. boom. Netscape is instantly out of business.

this should scare the hell out of everyone.

________

Break it before it breaks you

[HiyaPower]

Given the M$ attitude toward competing products, what do you think the chances are that it will "permit" a competing office suite? How about something that competes with Windows Media Player. Divx anyone? This is analogous to a car manufacturer demanding that you get their prior approval to buy from a gas station. If I develop my own code do I have to go to unka Bill and say "Pretty please Mr. Gates, let me run it huh??" It is time that M$ was broken up into little pieces before they sink the software industry. Whats big and grey, eats peanuts and is in your living room? Yeah, that's right its an elephant, now talk about it.

Re:It's an OPTION, guys!

[Golias]

Yes, but it is NOT an option to turn it off on your CUSTOMERS' SYSTEMS. If you sell software to Whistler users, you will have to assume that SOME of them WILL have it turned ON, which means you are FORCED TO BUY a certificate, unless you want those customers frightened off my nasty MS error messages saying that your software is not trustworthy.

Nice racket, if you can get in on it.

Reaction to Java

[AT]

This is totally another reaction to Java. Now that MS has come up with .NET, lifting and proprieterizing the Java network service architecture, it needs to address the security issues that were designed into the core of Java. Namely, the idea of sandboxes, trusted code, and code signers.

This is an unavoidable step, a key building block needed to compete with Java as a network service provider platform. It's highly doubtful this will have any impact at all on user targeted applications.

it's about kernel space software, not userland's

[Otis_INF]

When I code a win32 app under windows2000 using vc++, and I execute it, I don't get a warning nor is it flagged as 'perhaps bad'. These 'flags' and errorreporting is only done when you want to install a piece of software that runs in kernelspace (f.e. a driver, or a subsystem layer). Because it's important that that kind of software is stable, secure and robust, it needs testing, plus it should follow the guidelines set by the OS manufacturer. Well, that's exactly what the signing program does: MS testlabs test the stuff for stability/robustness/security (no jokes please, the tests are very thourough) and also for usage of the win32 api and the os features like the Windows Installer. If you want to get your software signed/certified, it also has to follow rules like it has to work with policies/multiple profiles for more than 1 user etc.

Why is this important? -> the user doesn't know any better. He just purchases/downloads a piece of software and expects it to run. If it's signed/certified, he CAN BE SURE it's tested to bring what it should and that it should work on the OS PROPERLY.

Signing of software and especially kernelspace software is very important: it brings reliability to the softwareworld. Userland software should also follow the guidelines set by MS (check the MSDN for more details) so the USER of the software gets what he expects.
--

What will dumb user think

[smartin]

Sure someone with a clue will know how to turn the feature off, but what will your dad think when he runs non-M$ sanctioned programs and it pops up warnings to the effect that they are dangerous and may trash his computer. Many people are going to be tricked into only buying M$ products because of this. Yet another subtle way that the evil empire is using it's monopoly position push all competition out of the market.

Different types of certs

[Zigg]

Which brings up an interesting point -- is it just executables that are signed? When it comes down to security risks, scripting files and macros are *much* worse. Will Microsoft perhaps get a clue and only allow signed Word macros to do things outside of the document scope?

This could be a good idea

[hey!]

The details of this are just speculation, but if users and admin could control who they extend trust to, and their is provision for third party certificate authorities, this would be a very good thing indeed.

Lotus Notes has worked this way for a decade, and has provided all the programmability of Outlook (albeit with a poor UI) with much less virus vulnerability. It is unconscionable that any executable code gets run out of e-mail without a signature when the technology to do this has existed and been proven years before Outlook even existed. In addition if every DLL and exe were cryptographically checked when it was loaded, there might be a bit of a performance hit but it would be worth it in many environments.

I think it would great if Microsoft considered any drivers signed by them as equivalent to "original equipment" -- in other words no more blaming third party drivers for BSODs.

Of course we don't know what the details are yet, but there's no reason to engage in FUD. It could be a very good thing or a very bad thing.

Re:Widespread Paranoia about this feature....

[brianvan]

I boast about 85 hours uptime only because I don't expect it out of Win9x code - long term stability and constant uptime is NOT supposed to be a feature of the OS I use, so it's a bonus that I see that somewhat. Besides, soon after I posted, I needed a reboot. (My DSL software/driver likes to stop working sometimes, and even though it doesn't really crash on me, I need the reboot to reconnect the DSL connection) That's irony for you.

How do I know that applications cause errors and not Windows itself? Well, first of all, Windows itself CAN cause errors. But you just have to apply a little common sense when assigning blame. If an application crashes randomly, if something like that usually doesn't happen with that particular application, and if the occurrence of such crashes among different applications is far greater than the occurence of crashes in particular programs, then you can say that the OS is flaky. However, if the same 2 or 3 programs crash all the time, and other programs that you use a lot do not crash often, and if you don't have those kind of crashes among most or all the programs you run, then I'd say that those 2 or 3 programs are suspect.

The rest of your post is an anti-corporate rant. MS is no better or worse than any other big corporation out there, and in general they do good thing for consumers at the expense of their freedom. I could start talking like Patrick Henry here, but let's face it... we're talking about PC's, not food or education. Besides, I don't want to think about a company bad-ass enough to bring down MS, as that possibility is just too scary...

3rd party signing and MS viewing source code

[jesterzog]

It's already been established that it's going to be an option to turn this on. Hopefully Microsoft will let others create their own signatures and any IT department with any intelligence will be able to sign whatever software they want to use, as well as trust whatever other organisation they want.

For the Microsoft signing part of it, I'm wondering what they'll need before they put their name on someone's software. Will they need to view the source code to make sure it's not malicious?

===

Re:3rd party signing and MS viewing source code

[Ektanoor]

This is one of the potential dangers. (Note that I refer to POTENTIAL dangers)
If you are producing closed source programs and M$ asks for your code to certify it, then this will give an unileral competitive advantage to M$. They can reuse your code, hijack/steal it, or block its distribution due to something they didn't like on it. Note the "reuse your code" does not forcefully means that they will steal it from you. That's why I refer to hijack/steal. They may offer you a million dollars bargain for it. But in the market, your code could cost 2-3-10 times more. However the fact that only M$ sees it will give them the power to offer a "get or die" contract.

Besides do not think that stealing/hijacking code means Microsoft Corp. It means something worse. It means all what is M$ is made of. The potential of such situation may create a "inner bazaar" where code is trafficked by M$ employees, departments and other organisms. This would look too similar to Soviet Union, where some valuable items where confiscated to be traded among commissars, Central Committee people and party workers. The point here is that creating such a form of restricted "overlook" will forcefully lead to such.

Interesting to note that the only way to overcome the degree of this danger would be to open the software. Then, such situation would be less critical.

Yowza.

[American+AC+in+Paris]

..."Whistler To Refuse To Run All Unsigned Code"? Oh, come on, Slashdot. -10, ÜberTroll.

Y'know, this kind of crap doesn't help the Geek Community At Large overcome the image of being a bunch of fanatical morons. Every time I think that Slashdot just might be making the transition into mature, thoughtful news reporting, this kind of rubbish appears on the front page. It's an OPTION. you can turn it OFF. I don't recall seeing healines of "Linux Installs Insecure By Default" because several distros automatically installed and configured an insecure WU-FTP...

When am I going to be able to read Slashdot without feeling like I'm listening to a bunch of pre-teen 133t k1dd13z taking shots at The Man on #haX0rzC3ntRa1?

$ man reality

Re:Get it right.

[radja]

even if it is an option... it will make a user think twice about installing something that isn't M$ certified.. I know (and probably you too) that software is never guaranteed to work.

it could put people off...and you can bet M$ considered this...even if it is not the first goal.

//rdj

Peer Pressure and Lawrence Lessig

[jamiemccarthy]

If you don't understand why this is important, go read Code and Other Laws of Cyberspace, by Lawrence Lessig. The future he fears is one where freedom and anonymity on the net are erased because general-purpose computing devices will no longer be able to connect.

The only freedom we have exists because we can connect Turing devices to the net. Once we are forced to use hardware or software that can perform only "approved" functions, any freedoms we have are in the hands of the people who approve those functions. You will only be anonymous if Bill Gates wants to allow anonymity. You will only have free speech if Bill Gates prefers it. Even your intellectual property rights will be mediated through Bill Gates' software.

Here's how the net ends -- not with a bang but an upgrade. The government won't put a gun to your head and make you give up your civil rights online. Instead, Microsoft and other vendors will come out with new features that you've just got to have. Well, maybe not you, but when every other person on the internet blindly upgrades, you will find yourself longing for them.

That's the dark flipside of the law of network efficiency. A network's value is proporational to the square of the number of people on it. And as the rest of the net flees to a Microsoft-only, proprietary operating system, using proprietary protocols, with none of your code allowed, you will discover that the remaining free network's value to you is being square-rooted.

No, you say, I'm a hardcore free-software supporter. Sure. You may be the hardest of the hard-core, but will even you continue to use a truly free, non-proprietary internet when the only people on it are you and RMS? How will it feel, being the Amish of the next century? As the world around you embraces Windows 20xx and its wonderful billg-approved code, you'll be stuck in your horse and buggy, refusing to use them newfangled zippers because you think they're the tool of the devil.

C'mon, you know you'll want to send email to all your friends, and check out the cool new holographic websites (that 2-D stuff is so 2000). All you have to do is install the new version of Windows. No, you might not be able to compile your own programs, or upload websites which the Nonobscenity Certification Board fails to approve, but isn't that a small price to pay?

Jamie McCarthy

Widespread Paranoia about this feature....

[brianvan]

I'm gonna be the 90th person to say this, but the feature is an option... it's kind of like the ActiveX settings under Internet Explorer, where you can run only certified applets... it's simply an option and/or a dialog box to confirm if you want to run a program that isn't certified.

On one hand, perhaps MS should not make itself the lone entity in charge of certification. It IS a bit of a power position (just like the MPAA has a lot of power to wield when it comes to movie ratings... they can let mass violence and gratuitous sex by with an R rating, but Clerks got an NC-17) and perhaps they'd be doing a better service to the world by forming a certification committee composed of members from other high profile tech companies. This may have already been planned... and it's nothing new in the tech industry, either.

But, on the other hand... rarely do I run anything that comes with the OS and experience a crash. I use Win98SE with Internet Explorer on a very regular basis, and right now I'm on 85 hours uptime - not an unusual occurance, and certainly not bad for a consumer OS. I also run a lot of programs from other software companies and hardware makers (drivers), and in general they never crash either. Basically, if I want Windows to crash, I know what to do - start playing lots of Java games in IE, start 30 applications at once, or install lots of iffy beta-test software. That, in the past, has caused me endless pain with Windows. AND Linux. (Well, I only ran Red Had 6.0 a couple of times, I can't help that Netscape locked up the whole system 15 minutes after installing the OS) Essentially, it's a lot of bad programming on the part of non-Microsoft companies that causes Windows to crash. With the bad rap that people give their OS for all its crashing, they can't help but sit back and take it... unless they can tell people what to run that won't crash, which would save them some face in the long run. I also believe that perhaps this is a great way for them to increase the stability of the OS for the everyday user... that is, the user that chooses to run certified programs only. Otherwise, you're on your own...

Another thing... maybe it's a move to reduce/filter tech support calls better? With 90% of the consumer OS market, can you blame them for wanting to do that?

Digital signatures cost a fat wad of bills.

[yerricde]

sign the [compiled Apache] executable with a digital signature that has been assigned to them by VeriSign.

But it's different for GPL programs. The GNU GPL requires that all the tools necessary to rebuild the application be distributed and redistributable (except for compilers and other parts of the OS). This would include a private key, if the target system is one that requires all code to be signed. And VeriSign's monopoly on giving out Authenticode keys means that anyone who wants to build the application must pony up USD $400.

So how do free software authors create apps now?

[yerricde]

What they show you is that a program has an author and that author is registered with VeriSign.

Registering with VeriSign, the Authenticode certificate monopoly holder, currently costs USD $400. Most individual free software developers cannot afford to create apps that will run on systems whose policy has been set to run only signed code. (This is why there are no Free drivers for Win2K devices.)

Re:What's the point then?

[Foogle]

You don't understand the concepts behind signing. It has nothing to do with the compiler. The compiler doesn't sign the executable (although, in theory, this functionality could be added to a compiler).

You can digitally sign any sort of file. It's like adding your PGP signature to an email. It doesn't certify that the contents of your email are particularly interesting, or truthful. What it does is mathematically certify that you are the only person who could've produced the email (provided your signature hasn't been compromised, which would be your own fault).

So here's how it goes: Say I'm a Win32 developer, and I have an application called FooSpaz. I finish a release version of this application, and it's ready for distribution to the unwashed masses. Before I start the factory burning it to the CDs, I digitally sign the executables (and probably the installation program as well), certifying that they haven't been altered by any third-parties.

The signature I write has been given to me by VeriSign, and I am the only one who can sign files with it, because no one else has my key, cerrtainly not my compiler or microsoft.

What you need to keep in mind is that these signatures do not, in any way, indicate that a program is trustworthy. That's not their intention. What they show you is that a program has an author and that author is registered with VeriSign. If the application happens to be malicious, you'll know who produced it. However, this is not a certification process, by any means.

You miss the point....

[Carnage4Life]

Whistler will have the option to only run signed applications. You can turn this off.

The average user does not tweak defaults, especially when the menu options are as hidden as they are in Microsoft products. After all there has been an option to turn of scripting support in Outlook for several years yet Melissa and ILOVEYOU theoretically caused billions of dollars in damage because people do not change the default settings.

Anyway, how many non-computer savvy people are going to run an executable if Windows pops up a suitably scary error message up? After all Microsoft effectively killed Dr DOS with phony error messages. If Microsoft decides to implement this policy it is very conceivable that all the major software houses will get Windows Certified(TM) thus pressurizing smaller shops to do the same. Where does this then leave independent developers?

Second Law of Blissful Ignorance

Not quite

[alanjstr]

If you read the articles about it, they are considering it as an option. One of the security features that you can turn on and off would be installation of signed programs. As the article mentions, as soon as you have one little program that isn't signed that is critical, you'll turn it off and never use it again. Think of all the in-house developed programs out there.

The other issue is who certifies it. If its M$, then it would be considered a monopoly control (especially over competitors). Drivers are one thing, applications are another.

Certification? on what bsis?

[Cmdr.+Marille]

Well I guess this a interesting move by Microsoft and actually could turn out to be either bad or good for customers.
The point is: On what basis will MS certifiy apps, drivers ?
Does anybody know how the system works with drivers for Windows 2000?
I know that MS is certainly not going do certify for free, I think that is obvious but what does the MS certification really mean beside that fact that the publisher of the certified software has transferred a certain amount of money over to MS?
I mean it's relatively(very relative in fact) easy to certify drivers up to a certain extend, but apps?
If MS signs some program does that mean that they certify that it will work flawless(which seems somewhat impossible with all the Interactions in a system).
If i submit my program for certification does that mean I have to submit sourcecode?
This could turn out to be a measure by Microsoft to gain higher stabilty and industry respect for their platform but it might as well become a way of assuring total control over the platform which might piss a lot of developers of
I would certainly like to have some insight from someone who was or is in the process of getting a driver certified for Windows 2000.

So where does a fellow get MS-DOS?

[yerricde]

Does Microsoft still sell MS-DOS? No. For desktop systems, Microsoft is pushing Windows 2000 Professional Bloatware Edition. For embedded systems, Microsoft is pushing Windows CE. You can still, however, get a DOS-compatible operating system from other publishers. For example, GPL'd FreeDOS is very popular among comp.os.msdos.programmer regulars.

Re:It's an OPTION, guys!

[Golias]

If you sell software and want it installed on the maximum number of machines possible, buy a certificate.

This is my whole point. In the world you envision, every time somebody tries to sell a new program, MS and Verisign get a taste of the action... risk free! They get paid even if your program makes no profit, even though they did nothing to help develop it. All they would be doing is extorting money out of you by threatening to frighten away your prospective customers if you don't buy their protection^H^H^H^H^H^H^H^H^H^Hcertificate. It's what the feds used to call racketeering.

How SFP works

[Huusker]

Windows System File Protection (SFP) is enforced by SFC.DLL, which is run by a thread in WINLOGON.EXE. It monitors for any file changes in the Windows directory. When it spots a change, it rescans the file by calling SfpVerifyFile() in SFC.DLL.

SfpVerifyFile() computes the 160-bit SHA digital signature hash of the file data and compares it to the signature in the corresponding catalog (.CAT) file. Note that the signature is not stored in the file itself.

The .CAT files are located under \WINNT\SYSTEM32\CATROOT. They are heavily armored with RSA PK and obfuscation of the data format. The catalog is modified by calling InstallCatalog() in SETUPAPI.DLL

The Office division of Microsoft doesn't use SFP, so files like WINWORD.EXE and EXCEL.EXE are not protected. Neither are macro files like NORMAL.DOT. If history is any guide, the Office division will run off and invent their own separate way of doing it.

Whistler/Office/.NET tech support line

[Chris+Johnson]

"Are you running any software which produces a warning dialog?"

...

"Well, we apologize, but we cannot support 'hacked' systems. In these cases our recommendation is to reinstall the system and all Office/.NET files, and don't install the untrusted software. If you've done this and are still experiencing problems you may qualify for tech support, but we can't take responsibility for 'hacked' systems, okay?"

It's that simple. On the one hand- this makes perfect sense. Windows is _plagued_ with horrible little shareware programs and random junk and AOL and who knows what else- it _is_ absurd to try and support some Windows system in which some idiot has installed a really old version of AOL from some random old CD or floppy. On the other hand, this is the mother of all network effects- a really strong argument for freezing out _all_ other software developers, essentially delivering on that long forgotten promise of Microsoft: "We think 100% penetration is a good marketshare". It is downright justifiable to take this attitude as Windows is easily rendered useless by screwed up software (so's MacOS, FYI). At the same time- this turns the situation at a stroke from a market into a command economy with MS the sole supplier- if you can't get support unless you abandon all untrusted code, a surprising number of people will do just that, particularly in controlled situations such as workplaces, or the large number of people who are _not_ busily checking out all the new games or whatever. Aunt Fannie, who only reads email and uses Word, is square in the crosshairs of this new development, and there are a lot of people like that out there.

Nothing more than a warning dialog and loss of 'support' need ever happen. Think of it as a combination cutting of support for 'renegade' users who run untrusted code- and keeping in line 'good' users who want normal, expected support from the vendor.

Re:That means...

[Foogle]

A decent question. Let's take Apache for example, because they produce a Win32 version of their program.

Before the Apache group puts a new (compiled) version of their program online, for people to download, they would sign the executable with a digital signature that has been assigned to them by VeriSign. This signature would guarantee that the application was released by Apache, and not altered by any third parties.

Now, if you were to download the source and compile it yourself, there would be no such signature. And there shouldn't be one either, because Apache can't verify that you haven't altered the source. It's not guaranteed to be the same executable anymore. However, you're perfectly capable of putting *your* signature on the Apache application, after you've compiled it. That would certify that the application hasn't been altered by anyone, after it was altered (compiled) by you.

Optional, still a serious problem

[Vulpine]

Even if this is an option, it still poses a problem to anyone producing scripts on a small scale. Example: Let's say I am an ISP, and I write a small script to configure a end-user's computer with the Internet. Obviously, I'm not going to spend the time & money to get it 'certified' by Microsoft, but my newbie end users will call endlessly because either: a) they don't want to run 'uncertified' code or b) they are afraid to because Papa Microsoft tells them it's bad. Remember, these are the people that click on those 'Your Internet Feed is Not Optimized!' banner ads, thinking they are real Windows errors.

The other problem is that Microsoft is doing this as a direct result of their own sloppy code writing -- the article states that it is at least partially in response to Melissa/I Love You viruses, which only work because of crappy code & programming on their own products (Outlook, et al). Rather than fixing those security holes, they are adding this nifty new 'feature.'

Change for VB Course Syllabus

[blogan]

In addition to learning about dialog boxes, If statements, and for loops, people taking courses in VB will now get to learn how to have Hello World signed by Microsoft.

Think about it. Microsoft can't deny any program from being denied, no matter how small it is. The courts would have a field day with it. "What? You refused to allow this program to properly run? And you say you program is the start of an Office competitor, that right now just says 'Hello World'?"

This is the other half of subscription

[gelfling]

This is simply and only a lock on what code you can run and when. This is simply giving subscription type control for ANY chunk of code to the OS. So it's not just drivers. Even for a moment if it were just drivers consider this. Compaq now can have a certified version of the OS that only runs on their hardware and only supports the hardware that they want to sell you. Same for Dell or IBM or anyone else. So if you want a sexy new liquid helium cooled plutonioum powered 9 dimensional video adapter and Brand "Z" wants you to buy only their crappy ol' model then you are S.O.L. Now let's expand that. Say there is a hardware company - let's call it HP for example and now let's say that they buy a management consulting company - let's say its called PriceWaterhouseCoopers, and let's assume that this management consulting company makes most of their money selling Siebel software to Fortune 500 companies. Ummmm . . . . d'ya think that there is a possibility that those HP units will only be able to run a flavor of Siebel that was installed by PWC. d'ya think that the DMCA has ANYTHING to do with this? ? ? ? ? Can you imagine a time when software vendors can use the OS to prohibit running an application that was restored from another media like an uncertified backup or a gold CD used internally for common build distribution? ? ? Can you imagine a day when SMS becomes an application subscription licence management system and its the only game in town? ?