Windows Vista - Not So Bad?

Shantyman writes "ZDNet has a counterpoint to the negative impressions of Vista's Beta 2 going around. Entitled Vista Beta 2, up close and personal, Ed Bott writes: 'I've spent the last three months running beta versions of Windows Vista on the PCs I use for everyday work. February and March were exasperating. April's release was noticeably better, and the Beta 2 preview - Build 5381, released to testers in early May - has been running flawlessly on my notebook for nearly three weeks.'"

Microsoft eating their own dogfood?

[yagu]

From the very first paragraph of the article:

Up in Redmond, Microsoft developers proudly talk of dogfooding the software they write. Running beta software is the only way to learn what works and what doesn't. A copy of Windows Vista running on a test machine in the corner isn't likely to get a serious workout. To find the pain points -- another popular Microsoft expression -- you have to run that beta code on the machine you use every day.

Wasn't there a slashdot reference to an article in the last week where Microsoft "was considering" removing admin access from their employees? That doesn't sound like "eating their own dogfood". As long as they're all running Windows with the highest access levels (admin), they're potentially missing serious security problems.

Since Lowest User Access (LUA) is a huge issue around tightening Windows security, running Vista within Microsoft means little around testing security. And, unless they're shipping Vista with defaults of non-admin user accounts, the beta testing world isn't likely to bang on that code hard enough.

It's not clear from the article, nor do I know enough about the Vista beta (not about to try it on any of my machines...) whether the LUA concept is in play. Any beta testers out there care to weigh in?

Does "not too bad" count as a good reason?

[pla]

April's release was noticeably better, and the Beta 2 preview - Build 5381, released to testers in early May - has been running flawlessly on my notebook for nearly three weeks.

I haven't tried b2 yet, but from my experience with b1, I didn't so much have a problem with "stability" as the fact that it had nothing new that I wanted.

Not to say it doesn't have PLENTY of new ways to waste CPU and memory, as well as DRM-to-the-core, but I can't really say I consider those a reason to upgrade.


Rearranging the clicky-widgets doesn't make it "new", and taking away the user's rights on their own machine doesn't make it "improved". Making it harder to pirate doesn't make it "secure". Throwing in an SQL server turned on by default might make it "biger", but not in a good way.

Vista works

Me and some of my coworkers have been running vista build 5308 and I just installed build 5381 on those machines and they have been running very well. The install was improved and the interface is running a lot smoother and the new ati beta drivers are working good too. It's also running directx 10 now compared to 9L in the last build. We also have Office 2007 Beta 2 running on it and that too is working very well, We have both machines on a 2003 active directory network with exchange. The UAC does get annoying when it keeps asking you if your sure you want to do things, but a quick skim through the local security policy solved that :-) All in all I'd say Beta 2 has improved greatly over the past few releases. The memory usage at least is way down. It was using about 750mbs on our machines. I am upset that an Athlon X2 4200, with 4 gigs of ddr-400, a sata2 80 gig drive, and an atix1300 with 265mb on the card only gets a 3 out of 5 on the stupid rating system. Especially when everything works smooth, including the 3d page flip. I do feel that the "minimum requirements" that microsoft posted are of course a joke but that's nothing new.

Re:My problem

[|/|/|||]

Exactly. When I saw the "not so bad" headline, I assumed that the story was that Vista's intrusive DRM/Trusted computing "features" had been dropped. Those are the things that make Vista "bad". I'll take an OS that crashes over an OS that supervises how I use my data.

Sorry Microsoft, but I'll never buy (or even *use*) that kind of crap.

Re:They haven't fixed the real security problems.

[argent]

I have been involved in computer security longer than Microsoft has been shipping an OS with any security at all. That includes Xenix. I've been watching this train wreck called the Microsoft HTML control for a decade now, and every time I point out how horrible it is some Microsoft apologist comes up and tells me I'm trolling, and that Micrsoft has got it right this time.

So far they have never been correct.

If you had bothered to read almost anything about Vista from the last year, you'd know that they are much bigger on the non-admin roles.

Windows maze of interlocking privileges means that this doesn't matter. There's so many ways to boost privilieges that almost any combination of non-frustrating privileges is going to end up equivalent to root.

The first time I used WIndows NT, I tried out several obvious attacks on the privilege model, and succeeded more often than I failed. I was even able to boost Power User to Local System, which actually has more privileges than Administrator.

If you had done some more reading (say, some of the comments posted earlier on this story), you'd see that even if you are running as administrator you still don't have full root priviledges, and have to confirm certain changes.

"You have to cofirm certain changes" says absolutely nothing about the privileges you have.

Nothing.

Confirmation and approval dialogs are almost worthless from a security standpoint. They operate at the application level, and the component that generates them has to have the privileges they're allegedly protecting, since Windows doesn't use UNIX's far more flexible and secure "setuid" mechanism. This means that not only do they they provide little protection for accidents by users, they provide NO protection from exploit code.

None.

Zip.

Layered security is wonderful.

Unfortunately, Microsoft has yet to implement it.

One of the principles of layered security s that you design each layer as if it had to perform the whole of the security protection, then you implement the next layer *anyway*, and you design it under the assumption that the first layer will provide no protection.

Microsoft designs each layer so that it's only as secure as they feel convenient, in the naive belief that the other layers will be used and will cover for them.

Other operating systems allow you to bind services to unique ports and interfaces, so that local firewalls are an additional layer of security. Microsoft needs firewalls to prevent people from attacking insecure local services because they have no other way to limit them to listening only at localhost.

Other browsers treat untrusted documents as untrusted, and assume that if their security fails the whole system is broken. Microsoft has the browser trust the HTML control to do the job, and doesn't give the HTML control enough information to do the job, and rather than GET RID OF the whole pile of ActiveX and "Security Zones" and "trusted sites" they're now pushing people to use "we got it right this time in .NET, honest".

If I were to tell you exactly what I thought of this approach to "layered security" I'd be banned from slashdot for abusive language.

Troll, forsooth, for nothing less than the simple truth.