Hack in the Box Meets Windows Vista
Strange_Brew writes "It appears Microsoft is really going all out to get Windows Vista secured before its release date in 2007. There's an article on PC World which talks about Microsoft's plan to give Asia's largest hackers conference an inside look at the new security features in Windows Vista this coming September." From the article: "The Hack In The Box conference will host two speakers from Microsoft. The first, Dave Tamasi, a lead security program manager at Microsoft, will give a presentation on security engineering in Vista. The talk will include a discussion about features suggested by hackers and other security conscious members of the computing community, in addition to security improvements made on Vista. The second speaker, Douglas MacIver, a penetration engineer at Microsoft, will review Vista's BitLocker Drive Encryption and the company's analysis of threats and attempts to penetrate the security feature."
I remember the days before the release of XP SP2 - it was announced to be a security update that would make Win XP the most secure OS out there. Since then, who can count the number of patches, updates and vulnerabilities? I wonder if it will be different with Vista...
...when companies "invent" some home-brewed encryption
You do realize BitLocker isn't about some "home-brewed" encryption algorithm, right? It uses standard encryption algorithms (256-bit AES, for example). The "invent" part here is how this standard encryption is used: from hardware, boot process, drive access, etc. Here is a good place to start for a basic overview.
offer $100,000 or so to anyone who can crack it
Didn't see that in the articles.
When no one does, the company calls its product uncrackable. These events and claims are without credibility; security doesn't get manufactured this way.
True. If ANY company says ANY product is uncrackable, they are full of it and/or marketing is having too much of a say in their message. However, again, I'm not seeing any claims like that in any of the links. Am I missing something?
"reality has a well-known liberal bias" - Stephen Colbert
Specifically, my issue is with the "It appears Microsoft is really going all out to get Windows Vista secured before its release date in 2007." sentence, and that somehow presenting a system for security experts would make it more secure, as a direct causality.
Security is not a product, it is a process. If one chain in the link fails, the whole chain fails. And MS can continue to give presentations about their system and abstract design concepts, and if security experts spot weaknesses in the design they can tell MS all about it, but it's throwing peas at a wall. They never listened, and I see no reason why they would listen. This is just a cheap PR stunt to reassure some less in-the-know folk. That is why I compared the situation to the example in my original post. It has nothing to do with encryption. Encryption isn't the issue. Design, security principles and how MS responds to security issues are.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
I think you are under the false assumption that all the mainstream OS's out there (Windows, OS X, and *nix) are all equally flawed with regards to security, and it's just that whoever happens to be on top has all their flaws exposed to the world. Such a position assumes that, just by creating a polished and fully-featured OS, it is inherently unstable or insecure.
I for one am sick of this argument, because it simply isn't true. It IS possible for the primary OS publisher out there - be it Microsoft or someone else - to release a secure OS for the masses. While being top dog does expose you to the most flak, it doesn't a priori prevent you from doing a good job in the first place.