Slashdot Mirror
More Headaches from Vista Security
Michael Cooney writes to tell us Windows Vista may have some serious headaches in store for corporate users with third-party authentication systems like VPNs. From the article: "ISVs say rewriting their code for the new architecture will produce headaches that will extend to their customers that have deployed strong authentication such as biometrics or tokens, enterprise single sign-on and a number of other systems integrated with the Windows authentication architecture."
Hasta la Vista security.
$sig$
Wasn't it just a couple weeks ago we were lamenting "what could have been"?
Microsoft capitulates and disables large chunks of Vista security by default in order to appease corporate customers. People are up in arms.
Microsoft rewrites architecture to make things more secure. People are up in arms.
Me, I'm with the "Good!" crowd. Make things more difficult for me when I transition. It'll make things easier later on.
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
Wait a minute! Did you just compare Windows Vista with Ferrari?
As expected the summary on /. is just trying to be inflammatory. The real gist of the article is as follows: Vista will require some programs to be re-written, espcially ones that interfaced closely with the old operating system. Thus many authentication systems will need to be updated. It's not really unexpected or unheard of for new APIs to break old programs. So if you want to bitch about how Vista is going to make you rewrite your code go ahead (I know I am not looking forward to it), but don't pretend it is a security problem.
Philosophy.
The more interesting question (imho) is why Microsoft abandoning GINA since "the company had started talking about it at its Professional Developers Conference last September."
This ain't a Microsoft problem. When Linus decided to change the driver model in the kernel, many hardware vendors had to rewrite their drivers. When Solaris 2.5 came out, all those SunOS 4.3 drivers became obsolete. Of course, if documentation of the upcoming Vista security model was hard to come by then these vendors would have a real beef, but no-one is saying that this is the case.
Vista Security - I sincerely hope that's not going to become another famous oxymoron like previous Windows releases. Remember how XP was the most secure operating system ever until a LAN flaw was found, then later Blaster made XP SP1 default security pointless?
If Vista's default installation isn't cracked wide open by a worm in the first 90 days, then it will be a victory for Microsoft.
Oh You POS
Wait a minute! Did you just compare Windows Vista with Ferrari?
It's expensive to own, expensive to fix, and makes you curse like an italian.
Your point is ???
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
Here's a great idea:
Don't upgrade. You don't need Vista anyway.
There's 3 problems here.. all Microsoft's.
first, this is not enough notice for heavy duty security testing. Things like log in script changes should have been final with the first beta. Trivial changes would be OK, but at this point nobody should have to expect sweeping API changes. ID security products expect to have long term testing completed by the time Vista is on the shelf... that's not a starting point for testing key security features.
Why didn't Microsoft work with providers to solidify the API first, then maybe tweak it if necessary? Apple gives Devs a 3 - 6 month start for stuff like this at WWDC with the new features... why can't MS? I understand this is a huge change.. all the more reason to DOCuMENT it up front!!!
Lastly, if security is so important, why are they still mucking about with login changes 6 months before release?! Authenticating to networks is the core of security! cutting out the key providers of enterprise level stuff is just embarassing. All the more reason to look for MS on the way out soon.
Sadly the DRM functions in Vista is more about making the lives of intrusive spyware easier, not harder. This is because Vista has support for drivers untouchable by the users. Microsoft calls it security, i call it rootkits built into the OS. Blizzard and the rest of the pinheads will be using Microsofts DRM to make your computer a real VIP party for everyone byt yourself.
HTTP/1.1 400
The way "Windows authentication architecture" is extended in XP is very limiting - essentially you write DLL (so called GINA) that replaces part of XP log-in system and this DLL is responsible for retrieval of users credentials for Windows. However it was possible to have only single GINA installed at the same time, so if you wanted to have two security products installed - you were in trouble.
Now Vista will support new architecture for security providers with possibility of multiple providers registered at the same time. A definite improvement for users.
In fact the new architecture is not THAT different from the previous one, so the entire article is moot. Then again, it's SlashDot...
Slashdot - free anti-Microsoft propaganda 24/7
You're missing some important points where the analogy completely fails:
1. Ferraris are built extremely robust, so you can crash at 150+mph and walk away with a few scratches (google for the Enzo which crashed recently in California). I wouldn't call Windows "robust".
2. Ferraris are extremely attractive machines. Windows looks like it was designed by Fisher-Price.
Never said it (they) did. Actually if you look at your direct quote from my post, I used the term "paradigm". So, in that context, let me expand a bit: the paradigm was very much an assumption, one machine/computer, one user, hence the bizarre logical drives, all accessible to all levels by all users (by default at least -- yes, that's now changing, welcome to century 21).
As for intent, I was on the original NT Beta support team at Microsoft (there were 16 of us), and after walking in the door, I immediately began asking for information on setting up my machine with a multi-user configuration. The team treated me like I was some sort of nut case -- they emphasized multi-user meant multiple users could access services on one machine (file services, not new in NT though, etc.), not multiple users logged onto one machine.
They were barely comfortable with the notion of more than one user ever using one machine, even one user at a time!
As for all of this being a hack, you are absolutely right. I would actually probably be less adversarial with Microsoft if they were more candid about things like this, but to read their literature, they concede nothing, ever. (For example, the initial security access levels "rings" in the NT kernel were elegantly designed and promptly trampled to allow performance by granting direct video hardware access to non-privileged code -- go figure.)
I joined Microsoft in 1992 excited about being a part of what I thought was a sea change in their OS direction. I left shortly after when behind closed doors I discovered it was a facade designed to show Microsoft was ready to play on the same court with the big boys (namely, Unix). Unfortunately, they weren't. Unfortunately, they got away with it. Unfortunately, even today, they don't stand up to hardened Unix systems (they're closer than ever, but still not there).
It's not "a good thing" when they change how database connection pooling works.
It used to be recommended practice to stick the db connection in the session object at session.start.
Option Pack 4 changed this behaviour. But it didn't show up until the websites you had already deployed started to get "un-reproducable" errors. The unpooled connections hung around for 30 mins after the last request for that session. Once the site got enough traffic it started killing the application. Could be 6 months, could be a year. Took a while to work that one out, much to the annoyance of my customers, and at my expense "you wrote it, it must be a bug in your code, bug fixes are covered in our agreement". Getting off the MSDN treadmill was glorious.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter