Slashdot Mirror

← Back to Stories (view on slashdot.org)

More Headaches from Vista Security

Posted by ryuzaki0 on from the bottle-of-pain-medication-shipped-with-every-sale dept.

Michael Cooney writes to tell us Windows Vista may have some serious headaches in store for corporate users with third-party authentication systems like VPNs. From the article: "ISVs say rewriting their code for the new architecture will produce headaches that will extend to their customers that have deployed strong authentication such as biometrics or tokens, enterprise single sign-on and a number of other systems integrated with the Windows authentication architecture."

24 of 240 comments (clear)

  1. At this point... by inertialmatrix · · Score: 1, Insightful

    I have the feeling that at this point the managers in Redmond care less about security and more about actually _shipping_ the product.

    Maybe even sometime this year.

    1. Re:At this point... by From+A+Far+Away+Land · · Score: 4, Insightful

      Vista Security - I sincerely hope that's not going to become another famous oxymoron like previous Windows releases. Remember how XP was the most secure operating system ever until a LAN flaw was found, then later Blaster made XP SP1 default security pointless?

      If Vista's default installation isn't cracked wide open by a worm in the first 90 days, then it will be a victory for Microsoft.

      --
      Oh You POS
    2. Re:At this point... by Anonymous Coward · · Score: 2, Insightful

      Oh please! If you even knew anything about the GINA or writing software, you'd have a different opinion. Novell, Cisco, and everybody else with a security shingle to hang out there wants to put in their custom GINA. This actually hurts security, because if Microsoft has to do a security fix there, it breaks all these custom GINAs, which delays those precious little patches.

      Of course, if you knew anything about building software, you'd know that adding custom code to any COTS product is equivalent to single vendor lock-in, and you feel it when the security pressure is on.

  2. Win-Win by foundme · · Score: 2, Insightful

    What are these ISVs whinging about? This is almost the perfect opportunity to convince their clients that it is time for another upgrade. But wait, that's not all, as mentioned in the article, the upgrade also requires extensive testing, so it's doubly good news.

    Programming wise, I guess this would teach these ISVs a lesson that, if they want to develop custom code, they should probably have a more flexible architecture to accommodate any OS changes, or even make it compatible across different OSs.

    I don't think Bridgestone can ask Ferrari to slow its F1 cars down because Bridgestone tyres cannot perform at high speed.

    --
    Please stop entering code 2,2,7,6,6,4
    1. Re:Win-Win by IdleTime · · Score: 2, Insightful
      I don't think Bridgestone can ask Ferrari to slow its F1 cars down because Bridgestone tyres cannot perform at high speed.
      Indinapolis 2005 F1 GP - Need I say more?
      --
      If you mod me down, I *will* introduce you to my sister!
    2. Re:Win-Win by Grishnakh · · Score: 4, Insightful

      You're missing some important points where the analogy completely fails:

      1. Ferraris are built extremely robust, so you can crash at 150+mph and walk away with a few scratches (google for the Enzo which crashed recently in California). I wouldn't call Windows "robust".

      2. Ferraris are extremely attractive machines. Windows looks like it was designed by Fisher-Price.

  3. Good! by Southpaw018 · · Score: 5, Insightful

    Wasn't it just a couple weeks ago we were lamenting "what could have been"?
    Microsoft capitulates and disables large chunks of Vista security by default in order to appease corporate customers. People are up in arms.
    Microsoft rewrites architecture to make things more secure. People are up in arms.

    Me, I'm with the "Good!" crowd. Make things more difficult for me when I transition. It'll make things easier later on.

    --
    ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
    1. Re:Good! by Unnngh! · · Score: 2, Insightful
      I don't see the conflict here. Microsoft wrote a large amount of code for their new OS without, apparently, any high regard for security. The code-test-debug model does not work very well for building security into software products. It needs to be designed to be secure from the ground up. MS has had plenty of time to see this coming, but their reduction in functionality for security purposes screams that this was not how many of the shiny new Vista features were designed. I'm sure it was code-test-debug all the way and you just can't catch everything like that. You can't catch *everything* anyway, but debugging "insecure" code to make it "secure" will just be a rerun of the last four years.

      Is it crazy to expect secure, functional, feature-rich applications from vendors?

  4. goodbye SecurID, VPNs, etc. by yagu · · Score: 1, Insightful

    A couple of interesting paragraphs in the article:

    The good news for users is that those same observers say Vista, which is being touted for its security features, will eventually deliver a more secure and flexible authentication architecture than exists today in Windows.
    The issue over the Vista authentication architecture began to emerge last week when RSA CEO Art Coviello lamented in a press interview the fact that Vista is not providing native support initially for RSA's SecureID for Windows. RSA refused to comment further, but the company will have to rewrite its GINA code using the Credential Provider model. Microsoft also refused comment on Coviello's remarks. A company spokesman says the strategic direction now is Smart Cards, which Microsoft is supporting natively in Vista.

    Concerning "good news for users", I doubt it. Nothing good has come of Microsoft's perception of "what is good" for users, from the crippled layering of a multi-user paradigm on top of what started out as a single user design (NT/XP over Windows/DOS) to their constant and misguided attempts to create intuitive GUIs (dancing paperclips, self-altering menus with chevrons anyone?). Security is typically hard, and Microsoft will screw this up too.

    As for the second paragraphs, could Microsoft again be forcing the hands of third party vendors? Seems they could (indeed, it almost seems likely) wiggle their way into the security market and start charging for different mechanisms of security. Of course that can only happen after they've provided it "free" long enough to get rid of pesky competitors like SecurID (GREAT product, btw) and VPN providers.

    I'll fight Microsoft's practices til forever, but I must admit, I'm glad I'm near retirement as far as having to deal with this crap anymore.

    1. Re:goodbye SecurID, VPNs, etc. by throx · · Score: 3, Insightful
      crippled layering of a multi-user paradigm on top of what started out as a single user design (NT/XP over Windows/DOS)

      Oh, please! Learn your OS history. NT/XP never sat on top of DOS, Win3.x or Win9x. The original NT design was actually supposed to support multiuser UI sessions out of the box (hence the entire UI being designed around a client/server RPC model) but it didn't end up that way for any number of performance and time-to-market constraints.

      The Vista design could best be described as a multiuser kernel that got hacked up to service a single user GUI that looked a lot like the existing single user product that was on the market, which was then moved into the kernel to improve performance, which then got a multiuser terminal layer hacked over the top (using the multiuser not-GUI-part-of-the-kernel that was already there), which then got morphed into "Fast User Switching".

      The multiuser UI in Windows XP/Vista is most definitely a hack, but it's got nothing to do with Win3.x or DOS.

      As for the original context - (yawn). OS upgrades change APIs. MS has been working on security so their security APIs are going to change. If you tie yourself to MS, then you get to do some work to use their new APIs. Nothing to see here - move along.
      --

      Fear: When you see B8 00 4C CD 21 and know what it means

  5. Backwards Compatibility by TwentyLeaguesUnderLa · · Score: 2, Insightful

    IANSE (I am not a software engineer), but this might not be a "feature" not a "bug".

    It's expected that migrating to a new architecture would require, well, rewriting of existing code that worked with the old OS. Wouldn't there be more cause to worry if Vista supported all of the OLD authentication mechanisms as well as its own ones, since maintaining backwards compatibility seems like it could introduce unnecessary security holes?

  6. While you're at it... by BrynM · · Score: 3, Insightful
    From TFA
    During migrations, users will have key security infrastructures that straddle two different authentication environments, one for Vista and one for earlier versions of Windows, until migrations are complete... In addition, users with any homegrown authentication mechanisms linked to Windows will have to rewrite their code from the ground up... That task will be painful in part because ISVs say Vista's new authentication architecture is incomplete in the beta released in February.
    Why wait for headaches when you could just start porting your authentication systems to any platform except Windows right now? Then, while everyone else is going throught the "dual Win32 backdoor^^^^^^^^authentication" period hell, you can just laugh and say "I did that over a year ago and I won't have to do it again becuase I moved away from MS Products completely".
    --
    US Democracy:The best person for the job (among These pre-selected choices...)
    1. Re:While you're at it... by deacon · · Score: 3, Insightful

      Maybe it's time to look at some new applications. People did that when they moved from expensive VAXs (that worked) to cheap PCs that were rolling on the floor laughably crippled by comparison, just to save the bucks. People are moving now away from windows, to a free OS, which not only works, has a ton of free apps, and saves even more bucks. The only thing that is constant is change.

  7. Man, C-DILLA is going to be a beast too... by Penguinisto · · Score: 2, Insightful
    Dontcha mean "Service Pack 4"?

    Meanwhile, I hope the 3D Studio Max users are prepared for the impending headaches (same w/ anyone else that uses all kinds of software-based tokens and registration schemes like C-DILLA, if it's even in use anymore).

    I wonder if dongles will come back?

    On the upside? Umm, there's probably no upside.

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  8. The Cult by the+eric+conspiracy · · Score: 1, Insightful

    If you are going to drink Bill's Kool-Aid, you shouldn't be surprised if there are undesirable side effects.

  9. Not unexpected at all. by Kelson · · Score: 3, Insightful

    Yep. Any time you're interfacing with the OS at that low a level, you have to consider that new versions of the OS might be different under the hood.

    I used to run PCAnywhere on a Windows NT 4 server. We had to dance around on one foot while swinging a chicken around our heads, singing voodoo chants backwards to upgrade the OS and PCAnywhere at the same time, all so that we could get PCAnywhere to (a) work and (b) not crash the server on boot once we upgraded it to Windows 2000.

  10. Fortunately, there is a solution by Dachannien · · Score: 4, Insightful

    Here's a great idea:

    Don't upgrade. You don't need Vista anyway.

  11. Re:Lame... by mabhatter654 · · Score: 4, Insightful
    When you're talking about RSA, you're talking about ISVs expected to have "0-day" compatibility. IT people will want to buy a windows vista box for dev purposes then find out they can't authenticate to their network for months because there's no plugin available.

    There's 3 problems here.. all Microsoft's.
    first, this is not enough notice for heavy duty security testing. Things like log in script changes should have been final with the first beta. Trivial changes would be OK, but at this point nobody should have to expect sweeping API changes. ID security products expect to have long term testing completed by the time Vista is on the shelf... that's not a starting point for testing key security features.
    Why didn't Microsoft work with providers to solidify the API first, then maybe tweak it if necessary? Apple gives Devs a 3 - 6 month start for stuff like this at WWDC with the new features... why can't MS? I understand this is a huge change.. all the more reason to DOCuMENT it up front!!!
    Lastly, if security is so important, why are they still mucking about with login changes 6 months before release?! Authenticating to networks is the core of security! cutting out the key providers of enterprise level stuff is just embarassing. All the more reason to look for MS on the way out soon.

  12. Re:Windows Bites by x0n · · Score: 2, Insightful

    > I mean, come on, it's hardly news that *EVERY* Windows breaks random stuff.

    And that's hardly news considering it tries to be backwards compatible all the way back to at least DOS 2.1; Can you imagine how hard it must be to NOT break more stuff, seriously?

    The fact that people have to rewrite core drivers etc to support this model is a sign that Microsoft is finally putting security ahead of compatibility. This is a Good Thing.

    - Oisin

    --

    PGP KeyId: 0x08D63965
  13. Re:Lame... by colinrichardday · · Score: 2, Insightful

    Hasn't Microsoft announced that Vista will be available for business users in November?

    http://www.helpwithwindows.com/WindowsVista/vista- availability.html

    from link:

    In a press conference call last Tuesday, Microsoft's Platforms & Services Division co-president Jim Allchin announced that Windows Vista will be available to business in November 2006 and broad consumer availability in January 2007.

  14. There's something very ironic about this by notaprguy · · Score: 3, Insightful

    Love 'em or hate 'em, Microsoft's historic strength was that they made it very easy (many would say TOO easy) to write software for Windows. Because Windows' genesis was in the pre Internet days, they designed it in a way that made it powerful for developers but insecure. Now that they're finally GETTING IT and making Windows Vista more secure, the people who have been writing software for Windows are going to have to do a little more work to make their stuff work. This is probably all for the best but it may open up opportunities for other platforms during the transition to secure Windows.

  15. More Overkill by Beefslaya · · Score: 2, Insightful

    XP was invariably a block of swiss cheese...Their answer was Service Pack 2 that made everyone feel like a Grad Students in Kindergarten. Firewall this, Firewall that, AHH your virus scanner is out of date!! Let us patch our holey weak assed code for you.

    Again, Microsoft because of their past transgessions will undoubtably fill this new OS with tons of weak assed apps to create a false sense of security.

    Hey Microsoft, do us Sys Admins a favor. Stop what you are doing...because it's not what we want. Just look at the *nixes, and how their OS is structured. THAT's how you do security. And don't release another form of Windows until you get it right. I won't buy it. My company can't afford it, and I don't need the hassle.

  16. Vista the scapegoat for the next 3 years... by Ingolfke · · Score: 2, Insightful

    Yes, these vendors are stating a fact. A new security system will mean a rewrite of the code that was dependant on the old system. That's to be expected. But what they're really doing here is starting the opening salvo in their justification for new versions of their software that they'll foist on the enterprise customers and no doubt make a nice profit. They'll reduce features and blame it on rewriting for Vista. Their will be bugs... and every one of them is going to be, as much as is possible, blamed on Vista. Vista's a scapegoat that the vendors are going to use to shift blame and scrutiny away from themselves and their products.

  17. Don't rule out smart cards by CCNV · · Score: 3, Insightful

    Windows may be breaking things for RSA Tokens that are expensive and expire in three years, but they are adding in much native support for smart cards that are much cheaper than RSA Tokens and do not expire in three years. US Department of Defense, US Federal Govt and big corporations like HP and Sun have adopted Smart Cards. I am not a MS fan, but re-architecting their login and vpn for native smart card support does not seem a bad idea. We should at least look into the economics of smart cards, they may save IT money in the long run.