Slashdot Mirror


Vista Firewall to be Crippled

UltimaGuy writes "The firewall in Windows Vista will, by default, have half its protection turned off because that is what enterprise customers have requested, according to the software giant. The firewall will be set to only block incoming traffic even though it will be capable of blocking outgoing traffic. Microsoft also claims that configuring the Vista firewall to block outgoing connections from rogue applications and malware will require a varying degree of technical knowledge, depending on each user's security requirements."

5 of 365 comments

  1. Re:Half So? by BVis · Score: 0, Flamebait
    Probably not. The firewall only added value if it ever correctly stopped a program from gaining access.
    Value was added, but the ignorance and/or stupidity and/or laziness of the home user negated it.
    I am willing to bet good money that in 90% of typical homes, the users accept everything. Or they deny one thing once which they should have accepted, which breaks some functionality. They then "learn the lesson" and accept everything from then on, including whatever malware they may have.
    That's not ZoneAlarm's fault, part of its basic functionality is to prompt the user to see if it's ok to allow the traffic. The fact that the user is an ignorant moron is no reason to remove a layer of protection. MS's enterprise customers have requested this because upper management is tired of the prompts to allow traffic, and doesn't understand (or care) about why they're there.

    Microsoft claims to be committed to increased IT security; this proves that to be a lie. After all, fixing machines is far more lucrative than putting out an OS that doesn't break in the first place. For example:

    "Microsoft support, may I have your case or credit card number" "Hey! Your system allowed spyware to steal all my IP!" "May I have your credit card number please" "Don't you support this OS?" "Yes, may I have your credit card number please."
    --
    Never underestimate the power of stupid people in large groups.
  2. Re:Half So? by BVis · Score: 0, Flamebait
    Who's the more moronic, the moron, or the moron who knows the first one is a moron, but depends on him for security decisions anyway?
    It's a stupid situation all around, but like it or not, the morons with the CxO job titles make these decisions and the IT folks are stuck with trying to make it work. You could argue that the IT folks are morons for allowing the situation to continue, but for some reason they're not stupid enough to lose their jobs by trying to override the boss.
    Prompts to ask whether certain traffic should be allowed or not are idiotic if the person you are asking doesn't know. Most users don't know, care, want to know, or wish to have to care what a UDP port is.
    Exactly my point. It's not OK for them not to know. They've been given the tools to educate themselves or be educated, and they've chosen not to take advantage of those situations.

    The point I was trying to make was that the solution to the problem is definitely not removing a security feature because people are stupid. The solution involves people becoming less stupid.

    Needless to say, the problem will not improve anytime soon.
    --
    Never underestimate the power of stupid people in large groups.
  3. Re:ZoneAlarm fails horribly GUI-wise by BVis · Score: 0, Flamebait
    The user cares and understands why ZoneAlarm is there: he does not want his system infected. The problem is that the user does not know the internal workings of their applications or OS, and thus is not in the position to really judge which connections are good and which are bad.
    Whose fault is that? More importantly, how do we fix it? I don't have a definitive answer to that, but I know that it DEFINITELY does not involve lowering security to accommodate the ignorant.
    This is where ZoneAlarm errs: the user should not HAVE to know which IP addresses and port numbers are bad. Heck, as a techie, even I don't even want to have to know -- I have more interesting things to do. There are obviously patterns which allow us to judge roughly which connections to block. But ZoneAlarm should detect those patterns (heck, maybe even by querying a zonealarm.com server or your-techie-nephew.com for info), and tell the user what he DOES want to know: the probability the connection is dangerous.
    Let's start by encouraging the great unwashed to actually READ the damn popup before they click OK, and try to get it through their skull that "not program you use = no clicky OK." Not really all that advanced a concept.
    It also wouldn't hurt if applications could inform the user and ask for a retry if the firewall blocks the connection. The firewall should then of course also support that in a user-friendly way, instead of browsing through a zillion settings.
    Correct me if I'm wrong, as I haven't actually used the product (my experience is mostly with the XP SP2 firewall), but isn't that exactly what it does? The popup basically means "This traffic from this application is new, I've blocked it for now, is it OK to unblock it?"
    The firewall should then of course also support that in a user-friendly way, instead of browsing through a zillion settings.
    Uh, I don't think "Yes" or "No" qualifies as a zillion settings :)
    --
    Never underestimate the power of stupid people in large groups.
  4. Re:Half So? by BVis · Score: 0, Flamebait

    And if you have the technical knowledge to turn on that functionality, then IMHO you're not who we're talking about here. We're talking about accommodating people who just blindly click "OK" on any popup... is that really behavior that should be rewarded?

    --
    Never underestimate the power of stupid people in large groups.
  5. Re:Half So? by BVis · Score: 0, Flamebait

    When it comes to maintaining security on their computers, which is what we're talking about, yes, yes, yes, yes, and yes.

    Becoming a brain surgeon and learning some basic rules about firewalls (#1 being READ THE FUCKING POPUP) are very different things.

    --
    Never underestimate the power of stupid people in large groups.