Slashdot Mirror

← Back to Stories (view on slashdot.org)

More Headaches from Vista Security

Posted by ryuzaki0 on from the bottle-of-pain-medication-shipped-with-every-sale dept.

Michael Cooney writes to tell us Windows Vista may have some serious headaches in store for corporate users with third-party authentication systems like VPNs. From the article: "ISVs say rewriting their code for the new architecture will produce headaches that will extend to their customers that have deployed strong authentication such as biometrics or tokens, enterprise single sign-on and a number of other systems integrated with the Windows authentication architecture."

11 of 240 comments (clear)

  1. Good! by Southpaw018 · · Score: 5, Insightful

    Wasn't it just a couple weeks ago we were lamenting "what could have been"?
    Microsoft capitulates and disables large chunks of Vista security by default in order to appease corporate customers. People are up in arms.
    Microsoft rewrites architecture to make things more secure. People are up in arms.

    Me, I'm with the "Good!" crowd. Make things more difficult for me when I transition. It'll make things easier later on.

    --
    ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
  2. Re:At this point... by From+A+Far+Away+Land · · Score: 4, Insightful

    Vista Security - I sincerely hope that's not going to become another famous oxymoron like previous Windows releases. Remember how XP was the most secure operating system ever until a LAN flaw was found, then later Blaster made XP SP1 default security pointless?

    If Vista's default installation isn't cracked wide open by a worm in the first 90 days, then it will be a victory for Microsoft.

    --
    Oh You POS
  3. While you're at it... by BrynM · · Score: 3, Insightful
    From TFA
    During migrations, users will have key security infrastructures that straddle two different authentication environments, one for Vista and one for earlier versions of Windows, until migrations are complete... In addition, users with any homegrown authentication mechanisms linked to Windows will have to rewrite their code from the ground up... That task will be painful in part because ISVs say Vista's new authentication architecture is incomplete in the beta released in February.
    Why wait for headaches when you could just start porting your authentication systems to any platform except Windows right now? Then, while everyone else is going throught the "dual Win32 backdoor^^^^^^^^authentication" period hell, you can just laugh and say "I did that over a year ago and I won't have to do it again becuase I moved away from MS Products completely".
    --
    US Democracy:The best person for the job (among These pre-selected choices...)
    1. Re:While you're at it... by deacon · · Score: 3, Insightful

      Maybe it's time to look at some new applications. People did that when they moved from expensive VAXs (that worked) to cheap PCs that were rolling on the floor laughably crippled by comparison, just to save the bucks. People are moving now away from windows, to a free OS, which not only works, has a ton of free apps, and saves even more bucks. The only thing that is constant is change.

  4. Not unexpected at all. by Kelson · · Score: 3, Insightful

    Yep. Any time you're interfacing with the OS at that low a level, you have to consider that new versions of the OS might be different under the hood.

    I used to run PCAnywhere on a Windows NT 4 server. We had to dance around on one foot while swinging a chicken around our heads, singing voodoo chants backwards to upgrade the OS and PCAnywhere at the same time, all so that we could get PCAnywhere to (a) work and (b) not crash the server on boot once we upgraded it to Windows 2000.

  5. Fortunately, there is a solution by Dachannien · · Score: 4, Insightful

    Here's a great idea:

    Don't upgrade. You don't need Vista anyway.

  6. Re:Lame... by mabhatter654 · · Score: 4, Insightful
    When you're talking about RSA, you're talking about ISVs expected to have "0-day" compatibility. IT people will want to buy a windows vista box for dev purposes then find out they can't authenticate to their network for months because there's no plugin available.

    There's 3 problems here.. all Microsoft's.
    first, this is not enough notice for heavy duty security testing. Things like log in script changes should have been final with the first beta. Trivial changes would be OK, but at this point nobody should have to expect sweeping API changes. ID security products expect to have long term testing completed by the time Vista is on the shelf... that's not a starting point for testing key security features.
    Why didn't Microsoft work with providers to solidify the API first, then maybe tweak it if necessary? Apple gives Devs a 3 - 6 month start for stuff like this at WWDC with the new features... why can't MS? I understand this is a huge change.. all the more reason to DOCuMENT it up front!!!
    Lastly, if security is so important, why are they still mucking about with login changes 6 months before release?! Authenticating to networks is the core of security! cutting out the key providers of enterprise level stuff is just embarassing. All the more reason to look for MS on the way out soon.

  7. Re:goodbye SecurID, VPNs, etc. by throx · · Score: 3, Insightful
    crippled layering of a multi-user paradigm on top of what started out as a single user design (NT/XP over Windows/DOS)

    Oh, please! Learn your OS history. NT/XP never sat on top of DOS, Win3.x or Win9x. The original NT design was actually supposed to support multiuser UI sessions out of the box (hence the entire UI being designed around a client/server RPC model) but it didn't end up that way for any number of performance and time-to-market constraints.

    The Vista design could best be described as a multiuser kernel that got hacked up to service a single user GUI that looked a lot like the existing single user product that was on the market, which was then moved into the kernel to improve performance, which then got a multiuser terminal layer hacked over the top (using the multiuser not-GUI-part-of-the-kernel that was already there), which then got morphed into "Fast User Switching".

    The multiuser UI in Windows XP/Vista is most definitely a hack, but it's got nothing to do with Win3.x or DOS.

    As for the original context - (yawn). OS upgrades change APIs. MS has been working on security so their security APIs are going to change. If you tie yourself to MS, then you get to do some work to use their new APIs. Nothing to see here - move along.
    --

    Fear: When you see B8 00 4C CD 21 and know what it means

  8. Re:Win-Win by Grishnakh · · Score: 4, Insightful

    You're missing some important points where the analogy completely fails:

    1. Ferraris are built extremely robust, so you can crash at 150+mph and walk away with a few scratches (google for the Enzo which crashed recently in California). I wouldn't call Windows "robust".

    2. Ferraris are extremely attractive machines. Windows looks like it was designed by Fisher-Price.

  9. There's something very ironic about this by notaprguy · · Score: 3, Insightful

    Love 'em or hate 'em, Microsoft's historic strength was that they made it very easy (many would say TOO easy) to write software for Windows. Because Windows' genesis was in the pre Internet days, they designed it in a way that made it powerful for developers but insecure. Now that they're finally GETTING IT and making Windows Vista more secure, the people who have been writing software for Windows are going to have to do a little more work to make their stuff work. This is probably all for the best but it may open up opportunities for other platforms during the transition to secure Windows.

  10. Don't rule out smart cards by CCNV · · Score: 3, Insightful

    Windows may be breaking things for RSA Tokens that are expensive and expire in three years, but they are adding in much native support for smart cards that are much cheaper than RSA Tokens and do not expire in three years. US Department of Defense, US Federal Govt and big corporations like HP and Sun have adopted Smart Cards. I am not a MS fan, but re-architecting their login and vpn for native smart card support does not seem a bad idea. We should at least look into the economics of smart cards, they may save IT money in the long run.