Slashdot Mirror
More Headaches from Vista Security
Michael Cooney writes to tell us Windows Vista may have some serious headaches in store for corporate users with third-party authentication systems like VPNs. From the article: "ISVs say rewriting their code for the new architecture will produce headaches that will extend to their customers that have deployed strong authentication such as biometrics or tokens, enterprise single sign-on and a number of other systems integrated with the Windows authentication architecture."
What are these ISVs whinging about? This is almost the perfect opportunity to convince their clients that it is time for another upgrade. But wait, that's not all, as mentioned in the article, the upgrade also requires extensive testing, so it's doubly good news.
Programming wise, I guess this would teach these ISVs a lesson that, if they want to develop custom code, they should probably have a more flexible architecture to accommodate any OS changes, or even make it compatible across different OSs.
I don't think Bridgestone can ask Ferrari to slow its F1 cars down because Bridgestone tyres cannot perform at high speed.
Please stop entering code 2,2,7,6,6,4
Hasta la Vista security.
$sig$
Wasn't it just a couple weeks ago we were lamenting "what could have been"?
Microsoft capitulates and disables large chunks of Vista security by default in order to appease corporate customers. People are up in arms.
Microsoft rewrites architecture to make things more secure. People are up in arms.
Me, I'm with the "Good!" crowd. Make things more difficult for me when I transition. It'll make things easier later on.
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
As expected the summary on /. is just trying to be inflammatory. The real gist of the article is as follows: Vista will require some programs to be re-written, espcially ones that interfaced closely with the old operating system. Thus many authentication systems will need to be updated. It's not really unexpected or unheard of for new APIs to break old programs. So if you want to bitch about how Vista is going to make you rewrite your code go ahead (I know I am not looking forward to it), but don't pretend it is a security problem.
Philosophy.
From what I can tell, TFA is saying that because much of Windows has been rewritten (including logon and authentication), it is going to be a pita to adapt existing software. No frigging kidding. Doesn't this happen with every major update? If so, why is Slashdot even reporting this? It is something that is normal.
Basically, what's this is all about is that the way to alter the login process in Windows, all the way back to NT 3.1, has been a custom "GINA", that replaced part of the Ctrl-Alt-Del login process. Naturally, a lengthy biometric process migth be fine if you do it once a day, but it will both need new software and possibly some thought to work well with a LUA approach, where you need to repeat your credentials more frequently for specific operations. This is basically no different from using sudo or doing admin operations in MacOS X. It's also no different from that you can't use a custom GINA to run a specific app as admin in current Windows versions.
IANSE (I am not a software engineer), but this might not be a "feature" not a "bug".
It's expected that migrating to a new architecture would require, well, rewriting of existing code that worked with the old OS. Wouldn't there be more cause to worry if Vista supported all of the OLD authentication mechanisms as well as its own ones, since maintaining backwards compatibility seems like it could introduce unnecessary security holes?
The more interesting question (imho) is why Microsoft abandoning GINA since "the company had started talking about it at its Professional Developers Conference last September."
This ain't a Microsoft problem. When Linus decided to change the driver model in the kernel, many hardware vendors had to rewrite their drivers. When Solaris 2.5 came out, all those SunOS 4.3 drivers became obsolete. Of course, if documentation of the upcoming Vista security model was hard to come by then these vendors would have a real beef, but no-one is saying that this is the case.
Vista Security - I sincerely hope that's not going to become another famous oxymoron like previous Windows releases. Remember how XP was the most secure operating system ever until a LAN flaw was found, then later Blaster made XP SP1 default security pointless?
If Vista's default installation isn't cracked wide open by a worm in the first 90 days, then it will be a victory for Microsoft.
Oh You POS
On the one hand I'm feeling that this sort of doomsaying article is merely an excuse for the producers of authentication systems to ramp up their prices in a "but this is an whole new version .. no upgrades possible .. you'll need to relicense!" scam.
.. no major differences are likely between the beta and the final. If MSFT are releasing beta software than isn't complete then why are they calling it a beta instead of an alpha or preview?
.. I hope that VA release a version instead .. they could integrate it into sourceforge or something. *chuckle*
On the other hand it's true than the winlogon stuff in Vista Beta isn't entirely complete, and consequently I have to wonder what Microsoft mean by 'beta'? When I (and lots of other people) release a beta it's basically feature-complete and API-locked, but isn't entirely tested
As for MS GINA being dropped
http://twitter.com/onion2k
US Democracy:The best person for the job (among These pre-selected choices...)
Microsoft is leveraging its flagship operating system to corner the market on aspirin...
Meanwhile, I hope the 3D Studio Max users are prepared for the impending headaches (same w/ anyone else that uses all kinds of software-based tokens and registration schemes like C-DILLA, if it's even in use anymore).
I wonder if dongles will come back?
On the upside? Umm, there's probably no upside.
Quo usque tandem abutere, Nimbus, patientia nostra?
Dont use windows use Linux problem solved
In other news, random Slashdot user creeves1982 blurts out the usual Slashdot banality about Linux.
It's not so simple and you know it. You can use Linux. I can use Linux, but many MANY people can't use anything but Windows, because they're not computer-oriented, have been trained with Windows-XX and Word/Excel-YY and wouldn't conceive anything else exists, must less be able to use it.
That's how the world is. Microsoft is still the biggest OS and software vendor in the world despite its many shortcomings and its outrageous economic practices because the Windows userbase is massively reluctant to change. The real challenge is to make Linux truly as user-friendly as Windows, and to get users to discover it and get used to it. Simply saying "use linux problem solved" is childish.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Yeah, cause Linux never has low level compatibility updates between releases. Give me a break. Linux is not a cure all. For example, figuring out whether a program is being compiled on an SMP aware Linux system requires looking in a different directory for a specific include file, depending on whether the kernel is 2.2, 2.4 or 2.6. And of course, for certain distros it will be in a completely different location (and if you give the wrong include directory, there is an identically named file in /usr/include which will be snapped up and used, even though it gives no SMP info, so it's hard to tell you failed). Other aspects of the Linux API change in subtle but annoying ways that will break older code that relied on specific behaviors.
Of course, most programs don't need to know whether it is being compiled on an SMP enabled Linux system. Similarly, most people don't need to know much about the low level Windows API. But when programs are written that rely on it, major updates tend to cause breaks. Don't blame Microsoft for that. Be thankful they are trying to make the API more robust. Hell of a lot better than releasing "Windows XP: Vista Edition with nifty keen graphics" and no actual under the hood improvements.
Corporation (in voice of Smithers): But if you do that, then no 3rd party software will work, and we will be forced to use MS.
Bill (in voice of Mr. Burns): excellent./p?
It puts the lotion on it's skin, or else it gets the hose again.
I have the feeling that at this point the managers in Redmond care less about security and more about actually _shipping_ the product.
;-)
To maintain backwards compatability with other Windows versions, of course...
Vista is also making life very hard for invasive spyware makers like Blizzard (Warden) and NCSoft (GameGuard)...
About damn time.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
Yep. Any time you're interfacing with the OS at that low a level, you have to consider that new versions of the OS might be different under the hood.
I used to run PCAnywhere on a Windows NT 4 server. We had to dance around on one foot while swinging a chicken around our heads, singing voodoo chants backwards to upgrade the OS and PCAnywhere at the same time, all so that we could get PCAnywhere to (a) work and (b) not crash the server on boot once we upgraded it to Windows 2000.
Here's a great idea:
Don't upgrade. You don't need Vista anyway.
There's 3 problems here.. all Microsoft's.
first, this is not enough notice for heavy duty security testing. Things like log in script changes should have been final with the first beta. Trivial changes would be OK, but at this point nobody should have to expect sweeping API changes. ID security products expect to have long term testing completed by the time Vista is on the shelf... that's not a starting point for testing key security features.
Why didn't Microsoft work with providers to solidify the API first, then maybe tweak it if necessary? Apple gives Devs a 3 - 6 month start for stuff like this at WWDC with the new features... why can't MS? I understand this is a huge change.. all the more reason to DOCuMENT it up front!!!
Lastly, if security is so important, why are they still mucking about with login changes 6 months before release?! Authenticating to networks is the core of security! cutting out the key providers of enterprise level stuff is just embarassing. All the more reason to look for MS on the way out soon.
TWO years!
And we have had an API for more than one year - to create CredMan plugins.
And the architecture is "better" - more PAM-like.
Now you won't break SecureID with a service pack.
And this is a problem, how again?
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
The way "Windows authentication architecture" is extended in XP is very limiting - essentially you write DLL (so called GINA) that replaces part of XP log-in system and this DLL is responsible for retrieval of users credentials for Windows. However it was possible to have only single GINA installed at the same time, so if you wanted to have two security products installed - you were in trouble.
Now Vista will support new architecture for security providers with possibility of multiple providers registered at the same time. A definite improvement for users.
In fact the new architecture is not THAT different from the previous one, so the entire article is moot. Then again, it's SlashDot...
Slashdot - free anti-Microsoft propaganda 24/7
Oh, please! Learn your OS history. NT/XP never sat on top of DOS, Win3.x or Win9x. The original NT design was actually supposed to support multiuser UI sessions out of the box (hence the entire UI being designed around a client/server RPC model) but it didn't end up that way for any number of performance and time-to-market constraints.
The Vista design could best be described as a multiuser kernel that got hacked up to service a single user GUI that looked a lot like the existing single user product that was on the market, which was then moved into the kernel to improve performance, which then got a multiuser terminal layer hacked over the top (using the multiuser not-GUI-part-of-the-kernel that was already there), which then got morphed into "Fast User Switching".
The multiuser UI in Windows XP/Vista is most definitely a hack, but it's got nothing to do with Win3.x or DOS.
As for the original context - (yawn). OS upgrades change APIs. MS has been working on security so their security APIs are going to change. If you tie yourself to MS, then you get to do some work to use their new APIs. Nothing to see here - move along.
Fear: When you see B8 00 4C CD 21 and know what it means
Multiple GINA programs is fairly straightforward.
A single registry value holds what GINA to execute. If the registry value is blank, it executes MSGINA (the Microsoft default).
If you replace the GINA with a 3rd-party program (VPN, Wireless, Encryption, et cetera), then the 3rd-party is responsible for either (a) completely handling the logon, or (b) passing control to MSGINA when it is finished executing.
As a rule, this happens by your 3rd-party GINA keeping a value of its own (in the registry or INI) of what the previous GINA was. That way, if you install a new GINA, when it finishes executing, it calls whatever GINA *used* to be in the default registry location.
First you have MSGINA.
You install ENCRYPT-GINA.
ENCRYPT-GINA executes and calls MSGINA.
Then you install VPN-GINA.
VPN-GINA sees ENCRYPT-GINA as the GINA to execute when complete.
VPN-GINA executes and calls ENCRYPT-GINA
ENCRYPT-GINA keps its own value for what to call next and calls MSGINA.
Add all the GINAs you want.
It's true that *some* GINAs don't play nicely, or won't always execute if a certain GINA has executed before it (or comes after it) - but for the most part it works.
The only REAL problem is when a GINA is stupid enough to place itself incorrectly in the chain -- which can leave a machine executing GINAs in a loop...and Windows is smart enough to restore MSGINA when that happens anyway.
Are you for real?
This is true of user level applications, but certainly not for system level ones. The stuff in Unix is hideously incompatible across incarnations - try parsing
RSA writes driver level code (to keep their proprietary algorithms sekrut) and hooks it to the Windows GUI logon process - that's something that changes between desktop managers on Unix, let alone versions or even incarnations! There may be pseudo-stable APIs there but there's an awful lot of redundancy and it's not exactly a clean landscape (xdm, kdm, gdm, whateverdm etc.)
Now, I'm not remotely suggesting Windows is any better than Unix in this regard, but the only thing it really does have going for it is there's a lot fewer "versions" out there. Like Unix, the core APIs are very stable. It's the fringe and special purpose stuff you have to worry about.
Note also that the same thing happens to Unix from time to time: shadow passwords broke a bunch of stuff, MD5 hashes broke more stuff, pam broke a whole different set of stuff, etc.
Fear: When you see B8 00 4C CD 21 and know what it means
"Vista Security - I sincerely hope that's not going to become another famous oxymoron like previous Windows releases."
Hey, you hit on another oxymoron (at least with regards to Vista) - "Windows release".
Duck and cover, duck and cover...
#DeleteChrome
> I mean, come on, it's hardly news that *EVERY* Windows breaks random stuff.
And that's hardly news considering it tries to be backwards compatible all the way back to at least DOS 2.1; Can you imagine how hard it must be to NOT break more stuff, seriously?
The fact that people have to rewrite core drivers etc to support this model is a sign that Microsoft is finally putting security ahead of compatibility. This is a Good Thing.
- Oisin
PGP KeyId: 0x08D63965
Never said it (they) did. Actually if you look at your direct quote from my post, I used the term "paradigm". So, in that context, let me expand a bit: the paradigm was very much an assumption, one machine/computer, one user, hence the bizarre logical drives, all accessible to all levels by all users (by default at least -- yes, that's now changing, welcome to century 21).
As for intent, I was on the original NT Beta support team at Microsoft (there were 16 of us), and after walking in the door, I immediately began asking for information on setting up my machine with a multi-user configuration. The team treated me like I was some sort of nut case -- they emphasized multi-user meant multiple users could access services on one machine (file services, not new in NT though, etc.), not multiple users logged onto one machine.
They were barely comfortable with the notion of more than one user ever using one machine, even one user at a time!
As for all of this being a hack, you are absolutely right. I would actually probably be less adversarial with Microsoft if they were more candid about things like this, but to read their literature, they concede nothing, ever. (For example, the initial security access levels "rings" in the NT kernel were elegantly designed and promptly trampled to allow performance by granting direct video hardware access to non-privileged code -- go figure.)
I joined Microsoft in 1992 excited about being a part of what I thought was a sea change in their OS direction. I left shortly after when behind closed doors I discovered it was a facade designed to show Microsoft was ready to play on the same court with the big boys (namely, Unix). Unfortunately, they weren't. Unfortunately, they got away with it. Unfortunately, even today, they don't stand up to hardened Unix systems (they're closer than ever, but still not there).
It's not "a good thing" when they change how database connection pooling works.
It used to be recommended practice to stick the db connection in the session object at session.start.
Option Pack 4 changed this behaviour. But it didn't show up until the websites you had already deployed started to get "un-reproducable" errors. The unpooled connections hung around for 30 mins after the last request for that session. Once the site got enough traffic it started killing the application. Could be 6 months, could be a year. Took a while to work that one out, much to the annoyance of my customers, and at my expense "you wrote it, it must be a bug in your code, bug fixes are covered in our agreement". Getting off the MSDN treadmill was glorious.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Hasn't Microsoft announced that Vista will be available for business users in November?
- availability.html
http://www.helpwithwindows.com/WindowsVista/vista
from link:
In a press conference call last Tuesday, Microsoft's Platforms & Services Division co-president Jim Allchin announced that Windows Vista will be available to business in November 2006 and broad consumer availability in January 2007.
Oh please! If you even knew anything about the GINA or writing software, you'd have a different opinion. Novell, Cisco, and everybody else with a security shingle to hang out there wants to put in their custom GINA. This actually hurts security, because if Microsoft has to do a security fix there, it breaks all these custom GINAs, which delays those precious little patches.
Of course, if you knew anything about building software, you'd know that adding custom code to any COTS product is equivalent to single vendor lock-in, and you feel it when the security pressure is on.
Love 'em or hate 'em, Microsoft's historic strength was that they made it very easy (many would say TOO easy) to write software for Windows. Because Windows' genesis was in the pre Internet days, they designed it in a way that made it powerful for developers but insecure. Now that they're finally GETTING IT and making Windows Vista more secure, the people who have been writing software for Windows are going to have to do a little more work to make their stuff work. This is probably all for the best but it may open up opportunities for other platforms during the transition to secure Windows.
Everything about Vista is going to be a big headache. From the initial sale, think of the sales clerk trying to explain the differences between 6 or 7 versions, with minimal actual differences and major price differences. Add DRM, the usual raft of bugs, and even worse security problems than ever... it's going to be ugly folks. All white box stores need to stock up on XP or start the shift to Linux for all customers. Train them now and end this stupidity.
It still seems like Me revisited.
Professional Politicians are not the solution, they ARE the problem.
90 days? that's a tad optimistic.
I seem to recall someone had written a prototype virus within 24 hours of the first beta being released, which caused Microsoft to drop the advanced scripting they had planned.
I'd try and find a reference but I really can't be arsed. Vista won't be out until next year and by all accounts it's going to suck just as badly as any previous version of windows. Dapper Drake will be out next month and it's going to rock! I've been running it since flight4, it was awesome even back then and it just keeps getting better.
455fe10422ca29c4933f95052b792ab2
XP was invariably a block of swiss cheese...Their answer was Service Pack 2 that made everyone feel like a Grad Students in Kindergarten. Firewall this, Firewall that, AHH your virus scanner is out of date!! Let us patch our holey weak assed code for you.
Again, Microsoft because of their past transgessions will undoubtably fill this new OS with tons of weak assed apps to create a false sense of security.
Hey Microsoft, do us Sys Admins a favor. Stop what you are doing...because it's not what we want. Just look at the *nixes, and how their OS is structured. THAT's how you do security. And don't release another form of Windows until you get it right. I won't buy it. My company can't afford it, and I don't need the hassle.
Yes, these vendors are stating a fact. A new security system will mean a rewrite of the code that was dependant on the old system. That's to be expected. But what they're really doing here is starting the opening salvo in their justification for new versions of their software that they'll foist on the enterprise customers and no doubt make a nice profit. They'll reduce features and blame it on rewriting for Vista. Their will be bugs... and every one of them is going to be, as much as is possible, blamed on Vista. Vista's a scapegoat that the vendors are going to use to shift blame and scrutiny away from themselves and their products.
Aaah! You're talking about the new Vista Augmented GINA. Nice acronym.
Less Secure we Complain More Secure we Complain?
Can we just pick a side..
Do we hate Vista because it will be more secure and that is causing Third party applicaiton problems?
Or do we hate Vista because it is not secure enough?
Or do we hate Vista becuase it is more secure but prompts for passwords when doing Root level activities and that will confuse people?
We have to pick a story, we can't be on the opposite side of the fence as each story is released.
Maybe we should just hate Vista just to hate Vista but at least stop contradicting ourselves?
Windows may be breaking things for RSA Tokens that are expensive and expire in three years, but they are adding in much native support for smart cards that are much cheaper than RSA Tokens and do not expire in three years. US Department of Defense, US Federal Govt and big corporations like HP and Sun have adopted Smart Cards. I am not a MS fan, but re-architecting their login and vpn for native smart card support does not seem a bad idea. We should at least look into the economics of smart cards, they may save IT money in the long run.
because much of Windows has been rewritten, it is going to be a pita to adapt existing software. No frigging kidding. Doesn't this happen with every major update?
No, it doesn't. Microsoft's track-record for backwards compatibility is among the best in the industry. Sorry, but while their software has many flaws, there are some things they do very well, and not breaking things in upgrades is one of them.
Compare the upgrade from Windows 98 to Windows XP with the comparable upgrade from OS 9 to OS X. You can run practically any bit of Windows 98 software in Windows XP. You can't run any OS 9 software in OS X without buying a separate copy of OS 9 and using emulation, and people on Mactels can't run any OS 9 software in OS X period.
I find it amusing that nobody ever complains about this, but if they find one single piece of Windows 98 software that doesn't work properly in XP, it's all OMG MICROSOFT IS TEH SUXOR!!!!!11. Can you say "double standards"?
Never mind running Win98 software under XP. If you get hold of a copy of Windows 1.0 you can run the applications that came with that under Windows XP. The only quirk is that the app windows open at the smallest possible window size, because Windows 1.0 didn't support overlapping windows and so the apps didn't actually choose a size for themselves.
Microsoft's devotion to backwards-compatibility is astounding. It's just a shame that their architecture has to suffer because of it.