Hack in the Box Meets Windows Vista
Strange_Brew writes "It appears Microsoft is really going all out to get Windows Vista secured before its release date in 2007. There's an article on PC World which talks about Microsoft's plan to give Asia's largest hackers conference an inside look at the new security features in Windows Vista this coming September." From the article: "The Hack In The Box conference will host two speakers from Microsoft. The first, Dave Tamasi, a lead security program manager at Microsoft, will give a presentation on security engineering in Vista. The talk will include a discussion about features suggested by hackers and other security conscious members of the computing community, in addition to security improvements made on Vista. The second speaker, Douglas MacIver, a penetration engineer at Microsoft, will review Vista's BitLocker Drive Encryption and the company's analysis of threats and attempts to penetrate the security feature."
...when companies "invent" some home-brewed encryption and offer $100,000 or so to anyone who can crack it.
When no one does, the company calls its product uncrackable. These events and claims are without credibility; security doesn't get manufactured this way.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
I myself think it's interesting that there are actually "penetration engineers" at Microsoft.
......
Makes sense, after all. I've always kinda felt like MS was giving it to us all up the
[/sarcasm]
I remember the days before the release of XP SP2 - it was announced to be a security update that will make Win XP the most secured OS out there. Since then who can count the number of patches, updates and vulnerabilities? I wonder if it will be different with Vista...
Omgili - Find out what people are saying.
I don't think that this and the announcement about the Jan release are coincidental. Maybe they realize what is at stake. I don't use Windows and I certainly don't like M$, but I can't really find any reason why this or any further delays are bad. They may not indicate anything, but I think you really have to wait for the dust to settle before making a judgement. Perhaps we are seeing the dawn of a new era at Microsoft. Maybe one where they understand that Monopoly=Responsibility.
OR
not
This is probably true. On the other hand it has been claimed about every version of MS Windows since Windows NT 3.1. The bottom line is: will it be as secure (out of the box) as competing products such as Linux, BSD, Solaris and OSX? I personally doubt it. Microsoft has built itself into a box, through decisions taken years ago, from which it is hard for them to escape. I am trying to keep an open mind though.
One of the common myths is that Windows is just a victim of its own success. The logic behind the myth is that if Mac or Linux were just as popular then the same exact problems would occur.
There is one major difference... Mac and Linux allow privileged processes to remove (and even replace) a file that still is in use. Vista continues to "protect" files that are in use from deletion.
Thank you for the deep insight in your security. You'll get our response after your release.
Yours,
Asia.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
...it probably requires clarification.
The box they built themselves into - or rather that they had to build around themselves - isn't so much the box that is the security model in Windows. I have no doubt whatsoever that Microsoft is entirely capable of locking down the system so badly that nobody but the most powerful ueber-god of a SysAdmin can open it back up to a casual user, let alone out to the internet for hackers to 'crack'.
But therein lies the problem as well. Windows users are -not- ueber-gods of SysAdmins, and this shows in the decisions that they feel they are forced to make. I can't spot it in all the Slashdot story summaries on Vista right now, but there have been at least two stories in which there was a reference to Microsoft dropping a security feature or loosening a security setting -because- major clients of theirs told them that things were 'just too complex'. And this is in an operating system that guides you through reasonably easy-to-read GUIs with hint balloons and help files up the wazoo. You can well imagine what happens if you'd sit them down behind a screen that just shows a prompt and a one-liner telling them that security settings can be changed by editing the text file "omfglolwtfbbq.conf".
So yes, they're in a box that is difficult to get out of - but that's mostly because their clients make the walls so damn slippery after plating the bricks with titanium and burned down all but one of the ladders, then stationed several million angry users alongside it, hissing and whining at them whenever they try and scale it.
They are, well and truly, damned if they do - and damned if they don't. But at least they realize that they are a little less damned in the first case.
So MS delays Vista in order to fix security problems. Erm isn't this good? I'm assuming, of course, that no self-respecting slashdot reader has much intention of actually running Vista themselves, and that the less time you guys spend fixing your parents' Vista-crippled PC the better...
I don't know if it's the best idea in the world to go to a hacker conference and brag about how secure your new OS is. That may come off sounding like a challenge to the attendees.
This announcement followed shortly by a conference in which Asian hackers give Microsoft a look at the new hacked Vista. Good job everyone! Why not just hand them a DVD master of Pirates of the Caribbean 2, and a stack of blanks, and say, "this DVD is copy-proof." Sure it is.
1. the money that can be made by selling the secrets to bad guys.
2. MS hatred goes deep in the hacking community...a lot of "hackers" would love to see vista hackable out of the box to hurt MS.
Windos security problems were seldom rooted in theoretical shortcomings, but in what we call the "real world". You know, the one where people are too lazy to create a second, non-admin account. Where IT staff is too busy to bother with the full feature set of Active Directory, and where developers are too careless and still write software that doesn't work unless you run it as admin.
There's a 95% probability that Vista will fall into the same traps, and will be just about as insecure as any other windos because of these problems and because Outlook still executes binaries sent by mail, and users can still be tricked by calling your virus.exe virus.jpg.exe and providing the proper icon.
(the other 5% are that Vista doesn't ship at all)
Assorted stuff I do sometimes: Lemuria.org
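A defensive check for the `virus.jpg.exe` naming trick mentioned in the comment above, as an added example that is not part of the original thread: it flags attachment names where an executable extension follows a harmless-looking one. The extension sets, function names and all sample names other than `virus.jpg.exe` are assumptions made for illustration.

```python
import ntpath

# Extensions Windows will run or hand to a script host (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions users expect to be harmless documents or media (the decoy part).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt", ".mp3"}


def split_extensions(filename):
    """Return (stem, [ext1, ext2, ...]) with lower-cased extensions, in order."""
    # Windows drops trailing dots and spaces when it opens a file, so
    # normalise the name the same way before looking at its extensions.
    name = ntpath.basename(filename).rstrip(" .")
    exts = []
    while True:
        name, ext = ntpath.splitext(name)
        if not ext:
            break
        exts.insert(0, ext.lower())
    return name, exts


def is_disguised_executable(filename):
    """True when an executable extension directly follows a decoy extension."""
    _, exts = split_extensions(filename)
    return (len(exts) >= 2
            and exts[-1] in EXECUTABLE_EXTS
            and exts[-2] in DECOY_EXTS)


def triage(filenames):
    """Return the attachment names that should be quarantined, in input order."""
    return [name for name in filenames if is_disguised_executable(name)]


# Constructed sample names; only the first one appears in the thread.
SAMPLE = ["virus.jpg.exe", "Holiday.JPG.SCR", "invoice.pdf.exe.", "setup.exe",
          "report.final.pdf", "archive.tar.gz", r"C:\mail\tmp\photo.png.cmd"]

if __name__ == "__main__":
    for name in triage(SAMPLE):
        print("quarantine:", name)
```

A plain `setup.exe` is deliberately not flagged here; whether to block executables outright is a separate mail-gateway policy decision.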
Sure, whatever system is the dominant one is the primary target for hacks, trojans, exploits and whatnot. I'm convinced that there is a lot in store on Linux, if people would spend their time searching for overflows, exploits or other weaknesses. Hell, it's even easier in Linux. Grab the Source, have a blast!
Yes, it simply "does not pay" to dig into Linux insecurities. What for? First of all, there are very few "clueless" users. Linux still has the "geek system" halo, users that consider themselves "normal users" without any ambitions to run servers or who just want to browse the web and write the odd letter or two won't even go near it.
And they tend to be the prime targets for spammers, trojan injectors and other malware. The clueless, gullible people.
But let's assume, just for a moment, Linux was the dominant system. Let's say it had a nice, clean user interface that lets even the most inapt monkey set it up and use it. Then we would, of course, start to see a lot of Linux based malware.
In Linux, though, you can actually implement a complete, useful and enforceable security model. You can use every kind of software that you might need without compromising the security of the whole system. Something that is by its very design impossible with current versions of Windows. In short, it is not necessary to give the average user administrator privileges, something that is simply a necessity in Windows with a fair lot of programs.
I guess, was Linux the dominant system, the blame would shift. From the system, as it is now, to the clueless user who dared to go online as root.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Patch count means nothing. You'd need to examine patch content, what was patched (core OS? default install? other software?). Debian, for example, contains what, 20,000 packages? That's a little more than your windos install CD contains, even if you install everything from minesweeper to paint.
Also, MS has moved to regular patch cycles and every patch is actually a container with many patches inside, which you don't see unless you check the details.
So in short: You simply can not compare these numbers, because the methods and contents are too different to make any comparison meaningful. Maybe comparing with OSX would work better.
Assorted stuff I do sometimes: Lemuria.org
Um. Start at the bottom, and work your way up?
No OS is ever 'truly secure'. You get to a middle ground, where you can do most of the stuff you want to, without making it too easy to break into. Thing is, all these exploit/patch cycles are just putting out the fires you get by living next to a volcano. The real problem with Windows is that it started from a single user 'integrated' environment. Unix had the luxury of being pretty much multi-user from day one. So the design model reflects things like concurrent access, and has the security foundations that are just vital for that to happen. Unix is fairly modular: kernel, shell, GUI, application. And when you have that sort of thing, you end up with something that's _fairly_ easy to keep straight, and you keep things that need to 'do stuff' in their sandbox. Windows is getting better, but I still get the impression that that's more because it's covered in sticky plasters sealing up the holes.
While it is true that architecture has a great deal to do with security and that architecture still poses a problem for Microsoft, it is also still true that over 80% of security problems are a direct result of bad coding practices dealing with input data. Stuff that we learned how to do 30 years ago is still the bane of our existence. (Ref. CERT).
"If all the American people want is security, let them live in prisons." Eisenhower
I think after Vista Microsoft needs to seriously revamp their existing code. Forget backward compatibility. They could include virtualization technology to allow users to run most legacy applications and offer an easy to use dual boot wizard like Apple provides for those instances where virtualization won't cut it. The Windows code base has been too big and bloated for quite some time and attempting to maintain backward compatibility, while a noble goal, is the primary culprit preventing serious innovation. Would Windows lose some market share in the short term? Probably but IMHO it's necessary in order to really move the product forward. From a user's perspective there weren't that many compelling reasons to upgrade from Windows 2000 to Windows XP and it would seem as though there are even fewer compelling reasons to move from XP to Vista. The added security features will probably help the uninformed casual user maintain a more secure system but let's face it, most advanced users don't have virus, spyware or malware problems because we run the software and do the preventative maintenance necessary to prevent them and anyone who thinks Vista will be so secure as to not require additional software and preventative maintenance is crazy. The support for legacy applications practically guarantees that there will continue to be all kinds of security issues. All of the coolest features promised at the beginning of the Vista development cycle have been removed. We're left with a hodge podge of various things that, while interesting for Windows users, have been available in OS X and other operating systems for quite some time and those other operating systems don't have the inherent security issues and other baggage that Windows has. In short, I don't see much of a reason to upgrade to Vista. In fact, I don't ever plan on upgrading to Vista unless a game comes out that I want to play that requires it.
After buying a Mac Mini in December and absolutely loving it and with Apple's switch to Intel and the subsequent release of Bootcamp and Parallels Desktop for Mac, I'm making the switch.
I think you are under the false assumption that all the mainstream OS's out there (Windows, OS X, and *nix) are all equally flawed with regards to security, and it's just that whoever happens to be on top has all their flaws exposed to the world. Such a position assumes that, just by creating a polished and fully-featured OS, it is inherently unstable or insecure.
I for one am sick of this argument, because it simply isn't true. It IS possible for the primary OS publisher out there - be it Microsoft or someone else - to release a secure OS for the masses. While being top dog does expose you to the most flak, it doesn't a priori prevent you from doing a good job in the first place.
my $.02: The problem with windows security is primarily one of legacy support. In the beginning no one even slightly cared about security, because computers were such a small part of the overall 'picture'. Of course, times changed and we all grew more dependent on these machines. An operating system is really only as valuable as its application base. From the start, inter-process communication was flawed, lacking any authentication method, kernel / userland separation was virtually nonexistent, and multi-user support was severely lacking; to name just a few problems. In almost all cases these issues persisted right up till XP when microsoft started to take security seriously with SP2. Microsoft just like the rest of us is new to the whole OS design thing. We've all thought of ways we can do things differently to make a more secure / better OS, and microsoft is right there with the rest of us; learning as we go. Remember all the broken legacy apps when NT4.0 came out? Hell, the only reason I still have a windows box in my home is because of the vast library of applications available to me. Now if they go changing the underlying fundamentals of how their OS works, they are going to break their greatest strength. What needs to be done is to find a way to write binaries that are more platform independent, let the application support for this grow for a few years, and then break away from the mold and implement a version of windows that incorporates everything we've learned over the last 20 years or so. Just my $.02
While what you say is true, who needs a hole to exploit a machine? All you need is to convince a user to run your malware and you're away.
If they have root access, they can hose the whole system. If they don't have root access (or refuse to supply the credentials), they can still hose their own user account. Either way, if you're looking to add another PC to your zombie botnet, the difference is immaterial, especially on single-user machines.
Even if there were absolutely no remotely exploitable holes, there will always be enough naive and incautious users to provide a rich hunting ground for malware.
It's official. Most of you are morons.
Design is what is wrong with 99.999% of all software. No one ever spends the time, effort, and money to make sure that their system is designed correctly. Rarely do they update the initial requirements during development, or test the system against the requirements. This is why MS has failed before. They keep throwing money at the problem and never addressing the process that is really the problem. I can tell just by looking at the MSDN documentation that MS has no clue how a good majority of their software works. Definitions of object properties are pathetic. You can have a property called "htmlid" and the definition is the ID of the html... ?!? really... but what does it DO? Further investigation of Visual Studio Team System shows that the process is nothing more than a few high level diagrams. When you work at that level you miss the details... that is where the problem exists. An OS is so massive that the details are crucial. MS created the beast and they are responsible for taming it. Can you imagine the cost to MS of actually developing Vista the correct way... it would take YEARS and hundreds of billions of dollars... The iterative process of refining the requirements the correct way would have cost them twice what they are claiming Vista has already cost them. MS made themselves the industry leader and they should be responsible for maintaining their position appropriately. Instead we will get yet another half complete OS, with hundreds of updates every year, and never ending reports of defects. We will suffer and MS will continue to control the OS market. I would even go so far as to say if MS was a responsible company and did their job we would see far less defects in every other application that depends on Windows. I have found errors in the Windows IIS server through a .NET app. The developers swore it was their application but I persisted and we found the error was MS's fault. MS released a patch after months of investigation.
I wonder how often a defect fix is just a workaround of a bug that MS created in the first place?
0) receive pre-release Vista to look for holes
1) identify 3 or 4 holes in Vista
2) report 1 or 2 of them to microsoft
3) ??? = exploit remaining, unreported flaws
4) Profit!
Why, oh why, didn't I take the Blue Pill?
I'm no OS master, but it seems to me that the root of all Windows' virus problems stems from COM and DCOM. (OLE Automation, ActiveX...whatever you want to call it..) IIRC, you could install a DCOM component on some machine on your network, connect to it from some other machine via straight-up tcp/ip and you could pretty much do whatever you wanted with the machine running the DCOM component. I mean, you could have the DCOM component do whatever you wanted it to do...delete files...format stuff..whatever you could do with any other Windows program. All it has to do is just sit there waiting for a connection and a command from your "master" application to start its nasty-not-niceness. Just the IDEA that you could install an ActiveX control (when you get down to it, is just a small application that just needs a container), which has full access to your machine, just by visiting a website or opening an e-mail just seems incredibly stupid to me.