Slashdot Mirror


Whistler MAY Refuse To Run All Unsigned Code UPDATED

Carnage4Life writes: "This ZDNet article describes how Microsoft's next generation consumer OS, codenamed Whistler, will begin a tradition started by Windows 2000 where programs that have not been digitally signed by a Microsoft certified signature are flagged. Currently Windows 2000 merely issues a warning when an uncertified/unsigned device driver is used; the Microsoft vision is to expand this to include all executable programs. On the surface, this may seem like a good idea until one realizes that this means that it is conceivable that all executables that expect to run on Windows will have to be Microsoft certified or risk being flagged or even worse refused to run on future Microsoft OSes. As the ZDNet article speculates, this will put even more power over Windows software developers in the hands of Microsoft." This story has been turning up a bit over the last few days - while I'm not one to buy into conspiracy theories, this whole thing seems like a plan that originally had good intentions, but the potentials for foul play are pretty easy to think up. Well, I've finally got X running again and can update this story - I should have been more clear that this is /not/ set in stone, but a potential path.

38 of 437 comments

  1. Re:Wooaahhhh!!! Relax by IntlHarvester · · Score: 4

    Where this could present a problem is for shareware/PD/free software apps in the enterprise, where IS is more likely to enforce the signed app rule

    And this is where Microsoft's concept falls on its face -- because there is no self-signing or apparent way for a System Admin to indicate that an app is trusted. Outside of the political issues surrounding signed code, taking the SA's right to blow his leg off makes for a very inflexible system.

    I already have this problem with a USB printer driver that won't load for unprivileged users because it's not signed. But I know it's an authentic driver right from Lexmark, just not one that has had MS's unholy certification pee sprinkled on it.

    You also see this move with the System File Protection feature, which is neat, but can't be disabled per-file by the admin. So, now it's impossible to remove Notepad.exe or the Comic Sans font without jumping through hoops.
    --

    --
    Business. Numbers. Money. People. Computer World.
  2. Another example of insecure security for Redmond by faye · · Score: 4

    This seems to be yet another example of a useless security feature from MS.

    Why useless? Well I admit that in principle it would be great to stop people running only "authorised" programs on any of the PCs I maintain, the problem is with the definition of authorised. Many of the programs we use are written "in-house" and are not going to get authorised, we teach programming so the students' code is not going to get authorised, we knock together small scripts to help us automate a task which we may do once or twice and are not going to get authorised.

    All this authorisation will cost money - so if I want to use any of my own tools, or anything useful that somebody else has written that hasn't been authorised I've got to switch the setting off. And of course it's a global setting so that's it off for all programs. The result is a security feature that adds to the illusion of security without adding to the substance.

    If only MS had put just a little bit more thought into it and made it on a per program basis and allowed the sysadmin/root to "authorise" programs for their machines it would have been *very* useful. Of course the cynic in me says that that way they wouldn't have as much control....

    TTFN

    Faye

  3. This isn't what I submitted by Carnage4Life · · Score: 5

    Y'know, this kind of crap doesn't help the Geek Community At Large overcome the image of being a bunch of fanatical morons

    Hemos took a lot of liberty with my submission including changing the title as well as cutting off some technical analysis at the end of my submission.

    Basically the gist of my submission was that Microsoft is taking a heavy-handed and incorrect approach to attempting to solve the problems with Outlook viruses and the like. Specifically, instead of coming up with some Draconian all-or-nothing security policy why not introduce more granular access levels to Whistler?

    For example, I currently run ZoneAlarm and it prompts whenever a program I haven't given permission tries to access the Internet (in fact I found a Trojan this way). ZoneAlarm has three permission settings: Always Deny, Always Allow, and Always Ask. I wouldn't mind seeing such functionality moved to the OS and made even more granular so that programs have very explicit permissions as to what they can do (similar to java.policy files). Outlook should not be able to tweak the registry nor delete files (via the ILOVEYOU virus) regardless of whether it is signed by Microsoft or not.

    Basically I am proposing something similar to Access Control Lists for executables on the OS, after all, there already is a central repository of information (the registry) so adding that data shouldn't be too hard.

    Second Law of Blissful Ignorance
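
The per-program permission model proposed in the comment above, sketched as an added example (not part of any poster's comment, and not how Whistler or ZoneAlarm work): the policy format, the capability names and the functions `parse_policy` and `decide` are hypothetical. Rules are keyed on the executable's SHA-256 so a modified binary does not inherit them, and a signature only selects the default for programs the admin has not listed.

```python
import hashlib

DECISIONS = ("allow", "deny", "ask")
CAPABILITIES = ("network", "registry_write", "file_delete", "file_write")


def digest(image: bytes) -> str:
    """Identify a program by the SHA-256 of its bytes, not by its file name."""
    return hashlib.sha256(image).hexdigest()


def parse_policy(text: str) -> dict:
    """Parse the hypothetical policy format used in this example."""
    policy = {"programs": {}, "defaults": {"signed": "ask", "unsigned": "ask"}}
    current = None  # rules of the most recent `program` line
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "program" and len(words) == 2:
            key = words[1].lower()
            if len(key) != 64 or set(key) - set("0123456789abcdef"):
                raise ValueError(f"line {lineno}: expected a SHA-256 hex digest")
            current = policy["programs"].setdefault(key, {})
        elif (words[0] == "default" and len(words) == 3
              and words[1] in policy["defaults"] and words[2] in DECISIONS):
            policy["defaults"][words[1]] = words[2]
        elif words[0] in DECISIONS and len(words) == 2 and words[1] in CAPABILITIES:
            if current is None:
                raise ValueError(f"line {lineno}: rule appears before any program line")
            # If a capability is listed twice, an explicit deny always wins.
            if current.get(words[1]) != "deny":
                current[words[1]] = words[0]
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw.strip()!r}")
    return policy


def decide(policy: dict, image: bytes, capability: str, signed: bool) -> str:
    """Return 'allow', 'deny' or 'ask' for one program requesting one capability."""
    if capability not in CAPABILITIES:
        raise ValueError(f"unknown capability {capability!r}")
    rules = policy["programs"].get(digest(image))
    if rules is not None:
        # Known program: its own rules decide, whether or not it is signed.
        # A capability the admin did not list is denied (least privilege).
        return rules.get(capability, "deny")
    # Unknown program: the signature only selects which default applies.
    return policy["defaults"]["signed" if signed else "unsigned"]


# Constructed stand-ins for executable images (not real binaries).
MAIL_CLIENT = b"constructed image of a signed mail client"
GREETING_CARD = b"constructed image of an e-mailed greeting card"

POLICY = parse_policy(f"""
# constructed sample policy
default signed   ask
default unsigned deny

program {digest(MAIL_CLIENT)}
    allow network
    deny  registry_write
    deny  file_delete
""")

if __name__ == "__main__":
    for cap in CAPABILITIES:
        print("mail client (signed)", cap, "->",
              decide(POLICY, MAIL_CLIENT, cap, signed=True))
    print("greeting card (unsigned) network ->",
          decide(POLICY, GREETING_CARD, "network", signed=False))
    print("patched mail client network ->",
          decide(POLICY, MAIL_CLIENT + b"\x00", "network", signed=False))
```
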

    1. Re:This isn't what I submitted by American+AC+in+Paris · · Score: 5

      [posted by Carnage4Life, author of article submission:]
      Hemos took a lot of liberty with my submission including changing the title as well as cutting off some technical analysis at the end of my submission.

      Then I feel doubly sorry for you, as you're pretty clearly approaching this issue from a rational standpoint. I thought that this might be the case, and thus was careful to avoid pointing fingers at you the author, but rather at the /. editorial staff.

      Having said that, a granular permissions model would be a decidedly better approach to this kind of problem than the all-or-nothing model Whistler will evidently implement. Sadly, this message was nowhere to be found in what finally got posted under your name. I'd be raising holy hell if I were you.

      Knowing that this wasn't your intent in the first place makes me feel even angrier at /. than I did before. It's one thing to post zealous articles by zealous authors; it's another thing entirely to edit zealotry into them. Absolutely shameful.

      $ man reality

      --

      Obliteracy: Words with explosions

    2. Re:This isn't what I submitted by Ektanoor · · Score: 4

      Frankly, slashdot staff is known for some yellowish view on submissions. And many people have talked about this. However, in this case I do not think that you people are seeing the whole picture. You blame the /. for overweighting the whistleblower stuff. I think that they are doing not enough here. Yes /. should be blamed to change the submission in such a way. But please stick in this fault and not in M$'s plans.

      Frankly I am a damn anti-M$. And have reasons for such. 15 years people. Seeing some inside stories and a lot of outside ones. And I have always been too swift on public. On private I say Hell of them. But now I'll try to hold up some lines.

      Does M$ needs to check their soft? YES! THANKS GOD THEY START TO REALISE IT!!! And certification is a good process to allow such things.

      However Microsoft is on its own again. Yes, it gives power to some Verisign to process certifications. But why is this needed. Why do we need another company to check certifications. Why not to give chances for users. Ranging from something similar to MD5/PGP checksums and over a database where one may get more detailed information about the characteristics of the package? If you are a good admin then you'll need exactly this last one option. You will surely want to see what was tampered and how. Only having this information, then you will be able to take measures necessary to protect your network and the potential victims of the exploit (specially if there was planned, objective, intentional and criminal intent).
      Now M$ does everything for the lazy admin. "Oh it does not pass certification... BANG!" And the happy lazy admin waits until someone circumvents this and gets him on the hot seat. That what will happen if such scheme will be used. So "thanx but no thanx".
      On the other side. You people seem to ignore a factor. Microsoft gives always cheese on a mousetrap. So do you think that, if you pay for freedom, M$ will keep these terms? You have to certify everything. So, in a possible future, someone may restrict the certification process and you're TRAPPED. You don't go anywhere. Much the same way we all have to pay for a M$ tax (my institution paid no less than $3500 once) you may be forced to accept such things as "your soft didn't pass certification". And frankly, can you tell me that this will not happen from start? Verisign is an organisation that only issues certificates. It has no test labs, network control systems, staff with a good knowledge of software. Yes, they may issue certificates based only in the assurance that they may track the developer. But, in this virtual world, what is an address or a surname? Buy a mobile for $50, get a Verisign number addressed to Dock 3 Amsterdam, place it on the name of Ivan Ivanovich Ivanov and create havoc on the net. I hardly believe that Verisign will get over this without the help of our dear M$.

      Besides. Who is M$ to forbid me the right to install a virus? Yes, I WANNA INSTALL IT! I wanna see how it acts and rips off the data on my HDD. I wanna see the how's and when's of it. Because no one knows about it and I have mission critical workstations that need to be protected. You may say that I am talking some nonsense. But when I don't know the original infector and I catch the virus on other program then it will be possible that this certification stuff will hang on my neck. I want the right to turn it off and I don't need M$ to think for me. Specially when millions of dollars or top-critical information is in question.

      Ok people you're right that /. gets too yellow sometimes. Flame them at will. But don't start telling me about "oh poor M$". Specially on this stuff. I know the viper too well to know that they will not stop here.

  4. but ... by Gricey · · Score: 4

    does it have to sign each of its 65553 bugs?

    --
    Sticking feathers up your butt does not make you a chicken.
    1. Re:but ... by Foogle · · Score: 3
      First of all: if you could lophtcrack the admin password on a P90 in under an hour, then the admin password *had* to be a dictionary word, or a very simple derivative of one.

      Second: Given the same password, a brute-force cracking system would've been able to do the exact same thing under Linux, BSD, etc. It simply doesn't matter *how* the password is encrypted when you're dealing with brute force.

      Now, on top of all of this, Microsoft doesn't write the software that signs applications. VeriSign does. It uses the same cryptographic principles that make SSH and SSL usable and secure.

  5. Re:Wooaahhhh!!! Relax by 1010011010 · · Score: 3

    Until, of course, they sell "developer" versions of Windows, and the regular version runs only signed programs. This would kill the shareware market for Windows, though, not to mention free software for Windows.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  6. I hope this is true by Tet · · Score: 4

    I really hope this happens. If Windows refuses to run anything but authorised code, then it'll hasten the end of Windows as a viable platform, and the world's computers might just switch to more reliable alternatives that little bit quicker. Given that Bill Gates has always been a fierce defender of unregulated development (and it's about the only area where I agree with him), I doubt this will ever happen, but it's possible. I suspect they won't take it any further than flagging unsigned code as potentially dangerous, and letting the users decide whether or not to run it.

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
    1. Re:I hope this is true by GeZ117 · · Score: 3

      >I suspect they won't take it any further than flagging unsigned code as potentially dangerous
      Considering the amount of bugs in common bloatware like Office, I don't think signed code will be less dangerous. Except if they don't sign their own products.
      Oh, dangerousness refers to viral risks, not bugs? Well, I hope they won't sign Outlook nor its Express version. Melissa or ILoveYou, you remember?

      --
      sigmentation fault
  7. Re:Crazy by ichimunki · · Score: 3

    I'm not sure I see where and how the article explains that MS itself will do any sort of certification. All it says is that they are building an option to prevent execution of unsigned code. The biggest problem I can see is MS requiring that certificates (which are different from certification) be purchased from them. Even if the certificates come from a 3rd party like Verisign, this is still additional expense for shareware developers. And if it relies on patented or non-Free algorithms to be applied, then it starts to take Free software out of the picture. However, simply having the option to not execute unsigned binaries is hardly a terrible thing. Security paranoid sysadmins should like this, since it means that all binaries come from a "trusted" source. How easily the ability to trojan a binary that appears trusted remains to be seen. But this option doesn't really sound like much more than the current (highly manual) option in Linux to download signed source code, use checksums, then compile, so that the odds of a trojaned binary are pretty much reduced to an impossibility.

    --
    I do not have a signature
  8. Re:Relaxation would indeed be good by vees · · Score: 4

    I did the same thing yesterday, with similar results. I was surprised when it finally made it to the front page today. I figured someone had already posted it before me. My title was "Whistler may block unsigned code."

    --

  9. Re:That means... by Foogle · · Score: 4
    Oh, for Christ's sake! Make sure you understand how secure-signing works before you post anything about the subject.

    "They" don't get a say in what is and is not a valid application. It doesn't work that way. A developer gets a signature and it is cryptographically written to their executables. It's just a simple method of authenticating *who* wrote/distributed the application. The process has nothing to do with whether the application is "ok" in anyone's view.

  10. From an IT point of view: by ErichTheRed · · Score: 4

    For those who work in IT (networks and delivery, not coding) think about the mindset of your average boss:

    • We use Windows because it's the most common desktop platform in existence.
    • We use Office because it works well with Windows, it's universal and the staff likes it.
    • Microsoft just came out with a new version of Windows that the marketing guys say is Better! Cheaper! Faster! More Stable!!!
    • They also say it'll only run with programs they've tested.
    • Oh, wait, we only use Windows, SQL Server, Exchange, SMS, Office, and IIS.
    • Plus, we won't have Jane Secretary running the buggy Thanksgiving screensaver on all the PCs in her office.
    • No problems here. Order 1,000 licenses.

    What I'm trying to point out is that MS is catering to business again. IT people loved the dumb-terminal days because user control was real easy. Now they have to worry about staff trashing their PCs with software they got from friends and losing their productivity while the helpdesk reimages their PC.

    The circle is closing for MS with regards to enterprise computing. Not only do they have people convinced that Windows is the only OS available, now they are designing the product to give them even more control. Scary.

  11. MPAA/RIAA/DVDCCA will love this! by snookums · · Score: 3

    With an OS that refuses to use unsigned drivers, it will be a lot harder to make dummy sound and video drivers that write their output to a file.
    Say goodbye to taking future-proof backups of proprietary-format data.

    --
    Be careful. People in masks cannot be trusted.
  12. Please by Fervent · · Score: 4

    This is strictly pro-Slashdot FUD. Signed drivers are the second best thing that's come to my box recently (Windows 2000 being first). You don't know how good it feels to take a look at a video card driver, see that it's not signed and say "hey, do I really want to support this? It probably won't run."

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  13. Re:Wooaahhhh!!! Relax by Dannon · · Score: 3

    Not just a burden on the 'small guys', but also on major developers.

    I remember a long wait for Win2000 SoundBlaster Live! drivers... not because further development was necessary, but because Creative had, for the first time, bothered to submit their drivers to Microsoft for a thorough inspection and 'certification', so that a certain warning wouldn't pop up during the install.

    And while Creative was waiting for the MS guys to send the drivers back with a 'stamp of approval', the PR guys had no way to answer the 'when will we have working drivers' question other than 'any day now'. Definitely not what any customer wants to hear.
    ---

    --
    Good judgment comes from experience.
    Experience comes from bad judgment.
  14. Leaked notes from MS Committee for Win Future Dev by dkh2 · · Score: 5
    Names obfuscated to protect the "innocent."

    [bill] :: The Win2K launch has been a raging success. What items do we have to discuss for future development.

    [steve] :: Well, we've had very strong feedback regarding the unsigned driver warning in 2K. We'd like to expand that for Whistler.

    [bill] :: Tell me more.

    [steve] :: We'd like to require that all apps be signed and certified by a special team of Application SSigning Specialists, or ASSes before they are permitted to run on Whistler.

    [bill] :: What's the up side for us?

    [steve] :: Through effective marketing to the open source community we can get them to submit their code for certification. This will undoubtedly provide us insights into how to fix things in our own system. Additionally we can charge for this service and eliminate the drain from our evil tactics fund.

    [bill] :: I think we should run this by legal. Jim, what's legal's take on this.

    [jim] :: We're on board for now. Now that things in Florida are starting to look like Dubya will win we can divert some of our team from the anti-trust case to preparing the spin for this. We should be able to cut our potential detractors off at the knees.

    [bill] :: Great! To prepare for this, we need to send all of our coders through that advanced firearms training course. We don't want anybody to miss their foot when release time comes.

    Code commentary is like sex.
    If it's good, it's VERY good.

    --
    My office has been taken over by iPod people.
  15. Remember the history... by freeBill · · Score: 3

    ...of Microsoft's cheating:

    First, they compete honestly. Then, when they lose that fight, they cheat.

    They didn't start out to steal CPM from DRI. First, they recommended IBM buy the operating system from DRI. Then, when they saw their language-compiler deal with Big Blue going up in smoke, they stole the OS, repackaged it, and sold it to IBM.

    They didn't start out to screw over developers for their OSes. First, they gave them free rein. Then, they competed outside a "Chinese wall." Then, when they were still losing, they told WordPerfect et al that they were committing to OS2 while secretly planning Win95, which was closely integrated with Office.

    They didn't start out to squash Netscape. First, they helped them develop Navigator. Then, they decided to compete with them honestly with IE, promising not to breach their "Chinese wall." Then, when they failed to win with Explorer, they decided to cheat by bundling. Finally, when they were forced to stop bundling because it is illegal, they decided to cheat by calling it "integration."

    So, don't be fooled because they seem to be implementing this in an entirely fair and honest fashion at first. They probably are being fair, and they probably intend to avoid cheating. But, when it looks like they may be in trouble with some competitor who is beating them in the future, do not be surprised if they panic and cheat.

    They do it so consistently one could almost call it their business model. But that would probably be unfair to them because it implies intentionality from the start.

    My prediction: They will be scrupulously honest about this in the beginning and maybe even offer their users some modicum of security derived from it. Then some killer app will come along and be certified after the code is submitted to them. Then they will decide to compete directly in the space created by the new killer app all the while promising not to use any clues derived from the code they certified. Finally, when they fail to compete in the new market, they will leverage the code submitted to them for all manner of dirty tricks, from finding out about new features before release to stealing code and re-designing APIs to break their competitor's code.

    --
    Eternal vigilance only works if you look in every direction.
  16. Wooaahhhh!!! Relax by 91degrees · · Score: 5

    Whistler will have the option to only run signed applications. You can turn this off. If people find that they need to run older software, then they WILL turn it off. Since developers need to be able to run unsigned applications (you can't get a certificate for each incremental compile), this will have to always be an option.

    1. Re:Wooaahhhh!!! Relax by gargle · · Score: 3

      The problem is that consumers will _expect_ "professional" applications to be signed. Which, as the article points out, will be a real burden on shareware programmers and small developers.

    2. Re:Wooaahhhh!!! Relax by Zigg · · Score: 5

      Honestly, I doubt that consumer-grade users will ever come to that expectation. I mean, come on, these are the people who shut off their worm and virus warnings so that they can run e-mailed executable greeting cards or animations.

      Where this could present a problem is for shareware/PD/free software apps in the enterprise, where IS is more likely to enforce the signed app rule.

  17. Wait a minute... by TopShelf · · Score: 3

    According to the article, this is an option that can be turned on or off - so in the appropriate setting, this is actually a very useful feature. Far be it from me, however, to let the facts get in the way of a sensational headline...

    --
    Stop by my site where I write about ERP systems & more
  18. Re:Relaxation would indeed be good by Dannon · · Score: 3

    from the turn-on-red-alerts dept.

    Says it all, doesn't it?

    An unfortunate truth: Even in the best of news media, sensationalism always wins out over objective, balanced, and reasonable reporting. Clue to MSNBC and other news networks: 'Too close to call' ain't exactly 'breaking news' any more!

    ---

    --
    Good judgment comes from experience.
    Experience comes from bad judgment.
  19. Relaxation would indeed be good by Zigg · · Score: 5

    God, no kidding. What amazes me is that when this cropped up a couple weeks ago on The Register, I submitted an article about this being an option... it was refused in the space of an hour.

    Apparently refusing to read the entire article and making the headline as sensational as possible is a formula for success when you're looking to get a Slashdot headline.

  20. Re:Possibly sane by devapoj · · Score: 3

    One might say that it is optional, and perhaps even desirable in a secure, corporate environment. But that is beside the point. The point is that anyone who wants their software signed will have to bare all to microsoft and thereby allow microsoft's engineers in the process of "certifying" it, pilfer any good ideas that package might contain.

    No doubt the empire will encourage businesses that such a move will be a "good thing", and any competitor that effectively does not show their source code to microsoft will be shown the back door by corporations that have taken the bait. Sounds anti-competitive to me.

    --

    Karma makes sense. It makes a lot more sense if you add reincarnation.

  21. Re:It's an OPTION, guys! by Golias · · Score: 3
    The problem with this "option" is that if you are selling or distributing software you might be forced to assume that a certain percentage of your customers will have it turned on, which means that you have no choice but to send a fat wad of bills to Verisign (just like getting SSL certification on your web forms), and subject yourself to whatever anal probe MS insists on performing.

    I think developers have plenty of reason to be uneasy about this news.

    --

    Information wants to be anthropomorphized.

  22. Possibly sane by b0z · · Score: 5

    From what I read on the article, it means that you have the *option* to set up the OS to warn you if you are trying to use an application that is unsigned by Micro$oft. It also says that you have the option to send it to them for testing so they can approve it and stuff. I think that is fine, so long as this ability is an option. It sounds like a decent security feature to me for a closed system. I know it goes completely against the open source ideals, but for M$ to improve their security this is one way to do it. If you are running a machine at work running Win2k or Whistler (when it comes out) that could be good to have this option enabled because you only want to run a few applications and services that your company approves, and you don't want people installing software that could potentially cause a problem on your system or network. Also, you can leave it disabled on your PC at home (if you want to run one of these crappy OS's) and install whatever you want. I don't really see a downside to this, if someone doesn't want to use this option but wants the OS, they simply turn it off. If this were mandatory, it would be crazy.

    --
    Mas vale cholo, que mal acompañado.
    1. Re:Possibly sane by Sethb · · Score: 3

      Linux doesn't have this problem to begin with, if you are setting up a desktop system for someone and you don't want them to install software, you simply do not give them the root password. They can still download, install and run software, but only in their home directory and only with their own user permissions. Which means; no formatting the hard drive, deleting or altering system files and few if any viruses.

      You can do the same thing on an NT/Win2K/Whistler system, you just don't give the user "Administrator" or "Power User" rights. The problems come in when some applications require that the user have that level of rights to be able to function. I've had problems with Adobe PageMaker and ImageReady not working with just plain "user" rights. So, as a SysAdmin, you wind up giving some people higher rights than you'd like to because they have tools they need to use that weren't properly tested by the vendor. But, you've opened the door up to them installing all sorts of crap on their system.

      I personally hate After Dark the most, it's the fastest way to screw up your Windows machine...
      ---

      --
      When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
  23. Re:THis is an *option*, by Ektanoor · · Score: 3

    Linux has several systems to verify the integrity of an archive/package/program (ex. PGP/MD5 signatures). I should note that it possesses also several systems that checkup the integrity of files installed (ex. Tripwire). What Linux may not have, is a mechanism doing these checks at run time. Probably this would be a useful option in some cases, but not all as this causes some overload that may be unnecessary/undesirable.

    On what concerns the lack of a Verisign or similar certification system. On Linux this is not a good option as the dynamics of development are much higher and variable. This specially concerns cases when people work in such projects like distros. I don't wanna say that we don't need Verisign-like certifications at all. But it is not as universal as in Windows, where development is more enclosed.

  24. Different types of certs by Zigg · · Score: 4

    Which brings up an interesting point -- is it just executables that are signed? When it comes down to security risks, scripting files and macros are *much* worse. Will Microsoft perhaps get a clue and only allow signed Word macros to do things outside of the document scope?

  25. This could be a good idea by hey! · · Score: 3

    The details of this are just speculation, but if users and admin could control who they extend trust to, and there is provision for third party certificate authorities, this would be a very good thing indeed.

    Lotus Notes has worked this way for a decade, and has provided all the programmability of Outlook (albeit with a poor UI) with much less virus vulnerability. It is unconscionable that any executable code gets run out of e-mail without a signature when the technology to do this has existed and been proven years before Outlook even existed. In addition if every DLL and exe were cryptographically checked when it was loaded, there might be a bit of a performance hit but it would be worth it in many environments.

    I think it would be great if Microsoft considered any drivers signed by them as equivalent to "original equipment" -- in other words no more blaming third party drivers for BSODs.

    Of course we don't know what the details are yet, but there's no reason to engage in FUD. It could be a very good thing or a very bad thing.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  26. Yowza. by American+AC+in+Paris · · Score: 5
    ..."Whistler To Refuse To Run All Unsigned Code"? Oh, come on, Slashdot. -10, ÜberTroll.

    Y'know, this kind of crap doesn't help the Geek Community At Large overcome the image of being a bunch of fanatical morons. Every time I think that Slashdot just might be making the transition into mature, thoughtful news reporting, this kind of rubbish appears on the front page. It's an OPTION. You can turn it OFF. I don't recall seeing headlines of "Linux Installs Insecure By Default" because several distros automatically installed and configured an insecure WU-FTP...

    When am I going to be able to read Slashdot without feeling like I'm listening to a bunch of pre-teen 133t k1dd13z taking shots at The Man on #haX0rzC3ntRa1?

    $ man reality

    --

    Obliteracy: Words with explosions

  27. Peer Pressure and Lawrence Lessig by jamiemccarthy · · Score: 5
    If you don't understand why this is important, go read Code and Other Laws of Cyberspace, by Lawrence Lessig. The future he fears is one where freedom and anonymity on the net are erased because general-purpose computing devices will no longer be able to connect.

    The only freedom we have exists because we can connect Turing devices to the net. Once we are forced to use hardware or software that can perform only "approved" functions, any freedoms we have are in the hands of the people who approve those functions. You will only be anonymous if Bill Gates wants to allow anonymity. You will only have free speech if Bill Gates prefers it. Even your intellectual property rights will be mediated through Bill Gates' software.

    Here's how the net ends -- not with a bang but an upgrade. The government won't put a gun to your head and make you give up your civil rights online. Instead, Microsoft and other vendors will come out with new features that you've just got to have. Well, maybe not you, but when every other person on the internet blindly upgrades, you will find yourself longing for them.

    That's the dark flipside of the law of network efficiency. A network's value is proportional to the square of the number of people on it. And as the rest of the net flees to a Microsoft-only, proprietary operating system, using proprietary protocols, with none of your code allowed, you will discover that the remaining free network's value to you is being square-rooted.

    No, you say, I'm a hardcore free-software supporter. Sure. You may be the hardest of the hard-core, but will even you continue to use a truly free, non-proprietary internet when the only people on it are you and RMS? How will it feel, being the Amish of the next century? As the world around you embraces Windows 20xx and its wonderful billg-approved code, you'll be stuck in your horse and buggy, refusing to use them newfangled zippers because you think they're the tool of the devil.

    C'mon, you know you'll want to send email to all your friends, and check out the cool new holographic websites (that 2-D stuff is so 2000). All you have to do is install the new version of Windows. No, you might not be able to compile your own programs, or upload websites which the Nonobscenity Certification Board fails to approve, but isn't that a small price to pay?

    Jamie McCarthy

    --

    Jamie McCarthy
    jamie.mccarthy.vg

  28. Digital signatures cost a fat wad of bills. by yerricde · · Score: 3

    sign the [compiled Apache] executable with a digital signature that has been assigned to them by VeriSign.

    But it's different for GPL programs. The GNU GPL requires that all the tools necessary to rebuild the application be distributed and redistributable (except for compilers and other parts of the OS). This would include a private key, if the target system is one that requires all code to be signed. And VeriSign's monopoly on giving out Authenticode keys means that anyone who wants to build the application must pony up USD $400.

    --
    Will I retire or break 10K?
  29. You miss the point.... by Carnage4Life · · Score: 5

    Whistler will have the option to only run signed applications. You can turn this off.

    The average user does not tweak defaults, especially when the menu options are as hidden as they are in Microsoft products. After all, there has been an option to turn off scripting support in Outlook for several years, yet Melissa and ILOVEYOU theoretically caused billions of dollars in damage because people do not change the default settings.

    Anyway, how many non-computer savvy people are going to run an executable if Windows pops up a suitably scary error message? After all, Microsoft effectively killed Dr DOS with phony error messages. If Microsoft decides to implement this policy it is very conceivable that all the major software houses will get Windows Certified(TM), thus pressurizing smaller shops to do the same. Where does this then leave independent developers?

    Second Law of Blissful Ignorance

  30. How SFP works by Huusker · · Score: 4

    Windows System File Protection (SFP) is enforced by SFC.DLL, which is run by a thread in WINLOGON.EXE. It monitors for any file changes in the Windows directory. When it spots a change, it rescans the file by calling SfpVerifyFile() in SFC.DLL.

    SfpVerifyFile() computes the 160-bit SHA digital signature hash of the file data and compares it to the signature in the corresponding catalog (.CAT) file. Note that the signature is not stored in the file itself.

    The .CAT files are located under \WINNT\SYSTEM32\CATROOT. They are heavily armored with RSA PK and obfuscation of the data format. The catalog is modified by calling InstallCatalog() in SETUPAPI.DLL.

    The Office division of Microsoft doesn't use SFP, so files like WINWORD.EXE and EXCEL.EXE are not protected. Neither are macro files like NORMAL.DOT. If history is any guide, the Office division will run off and invent their own separate way of doing it.
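
The detached-catalog check described in the comment above, as an added example that is not part of the original post and is not Windows code: a simplified Python model in which file digests live in a separate catalog and the catalog is authenticated before any digest in it is trusted. The JSON catalog layout, the function names, the sample file names and the use of HMAC in place of the catalog's public-key signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key; HMAC stands in for the catalog's public-key signature.
CATALOG_KEY = b"constructed-demo-key"

def sha1_file(path):
    """Hex SHA-1 digest of a file's contents."""
    return hashlib.sha1(Path(path).read_bytes()).hexdigest()

def seal(body):  # authentication tag over the serialized catalog
    return hmac.new(CATALOG_KEY, body, hashlib.sha256).hexdigest()

def build_catalog(root):
    """Hash every file under root into a detached, sealed catalog."""
    entries = {p.relative_to(root).as_posix(): sha1_file(p)
               for p in Path(root).rglob("*") if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"body": body, "seal": seal(body)}

def verify_file(root, relpath, catalog):
    """Return 'ok', 'modified', 'uncataloged' or 'bad-catalog'."""
    if not hmac.compare_digest(seal(catalog["body"]), catalog["seal"]):
        return "bad-catalog"  # never trust digests from an altered catalog
    entries = json.loads(catalog["body"])
    if relpath not in entries:
        return "uncataloged"
    actual = sha1_file(Path(root) / relpath)
    return "ok" if hmac.compare_digest(actual, entries[relpath]) else "modified"

def demo():
    """Run the checks on constructed files and return each status."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "sample.dll"
        target.write_bytes(b"constructed original contents")
        catalog = build_catalog(root)
        results = {"clean": verify_file(root, "sample.dll", catalog)}
        target.write_bytes(b"constructed replaced contents")
        results["replaced"] = verify_file(root, "sample.dll", catalog)
        results["new"] = verify_file(root, "added.dll", catalog)
        forged = json.dumps({"sample.dll": sha1_file(target)}).encode()
        results["forged"] = verify_file(
            root, "sample.dll", {"body": forged, "seal": catalog["seal"]})
        return results

if __name__ == "__main__":
    print(demo())
```

The "forged" case rewrites the catalog digest to match the replaced file; because the seal no longer matches the catalog body, the check fails before the digest is ever compared.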

  31. Whistler/Office/.NET tech support line by Chris+Johnson · · Score: 3
    "Are you running any software which produces a warning dialog?"

    ...

    "Well, we apologize, but we cannot support 'hacked' systems. In these cases our recommendation is to reinstall the system and all Office/.NET files, and don't install the untrusted software. If you've done this and are still experiencing problems you may qualify for tech support, but we can't take responsibility for 'hacked' systems, okay?"


    It's that simple. On the one hand- this makes perfect sense. Windows is _plagued_ with horrible little shareware programs and random junk and AOL and who knows what else- it _is_ absurd to try and support some Windows system in which some idiot has installed a really old version of AOL from some random old CD or floppy. On the other hand, this is the mother of all network effects- a really strong argument for freezing out _all_ other software developers, essentially delivering on that long forgotten promise of Microsoft: "We think 100% penetration is a good marketshare". It is downright justifiable to take this attitude as Windows is easily rendered useless by screwed up software (so's MacOS, FYI). At the same time- this turns the situation at a stroke from a market into a command economy with MS the sole supplier- if you can't get support unless you abandon all untrusted code, a surprising number of people will do just that, particularly in controlled situations such as workplaces, or the large number of people who are _not_ busily checking out all the new games or whatever. Aunt Fannie, who only reads email and uses Word, is square in the crosshairs of this new development, and there are a lot of people like that out there.

    Nothing more than a warning dialog and loss of 'support' need ever happen. Think of it as a combination cutting of support for 'renegade' users who run untrusted code- and keeping in line 'good' users who want normal, expected support from the vendor.