Slashdot Mirror


Hack in the Box Meets Windows Vista

Strange_Brew writes "It appears Microsoft is really going all out to get Windows Vista secured before its release date in 2007. There's an article on PC World which talks about Microsoft's plan to give Asia's largest hackers conference an inside look at the new security features in Windows Vista this coming September." From the article: "The Hack In The Box conference will host two speakers from Microsoft. The first, Dave Tamasi, a lead security program manager at Microsoft, will give a presentation on security engineering in Vista. The talk will include a discussion about features suggested by hackers and other security conscious members of the computing community, in addition to security improvements made on Vista. The second speaker, Douglas MacIver, a penetration engineer at Microsoft, will review Vista's BitLocker Drive Encryption and the company's analysis of threats and attempts to penetrate the security feature."

17 of 159 comments

  1. Microsoft job listings by RMB2 · · Score: 5, Funny

    I myself think it's interesting that there are actually "penetration engineers" at Microsoft.

    Makes sense, after all. I've always kinda felt like MS was giving it to us all up the ......

    --
    [/sarcasm]
    1. Re:Microsoft job listings by Moqui · · Score: 5, Funny

      If not a job, at least the business card to hand out at bars. How's that for a great start to a conversation?

    2. Re:Microsoft job listings by RsG · · Score: 4, Funny
      If not a job, at least the business card to hand out at bars. How's that for a great start to a conversation?
      It sounds like a good way to get slapped. "Hi, I'm a certified penetration engineer *SMACK* ow!"

      Mind you, if you're into that sort of thing, it might be cheaper than paying a dominatrix...
      --
      Erotic is when you use a feather. Exotic is when you use the whole chicken.
  2. The never ending story by rangeva · · Score: 5, Insightful

    I remember the days before the release of XP SP2 - it was announced to be a security update that would make Win XP the most secured OS out there. Since then, who can count the number of patches, updates and vulnerabilities? I wonder if it will be different with Vista...

    1. Re:The never ending story by Vo0k · · Score: 4, Insightful
      will make Win XP the most secured OS out there


      If I hang 2000 padlocks on most of the 2200 doors of my house, it will be the most secured in the whole neighbourhood. Not more secure than the guy across the street, with a front and back door, one good-quality lock in each, and good windows of break-proof glass.

      Windows is too big to be secured whole; it has too many dependencies on insecure behaviours of programs, and the security too often stands in the way of usability and as such will often be disabled or neglected. If you need to type the admin password 50 times a day to perform quite simple (though potentially remotely risky) tasks, you will type it in the 51st time when a trojan asks you to do so.
      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    2. Re:The never ending story by Opportunist · · Score: 4, Informative

      Most of all, every piece of crap program is tied into the kernel, or needs kernel-level privileges. Can anyone give a reasonable clue why of all things a web browser, something that by its very nature deals with insecure content of the worst kind, needs kernel-level permissions?

      I mean, aside from being able to claim that you can't remove it from your system...

      Who had that smart idea to make the web browser the local file manipulation tool, and why is he still alive? Why are (other) kernel-level programs responsible for dealing with DNS and other network-related issues? The whole system is flawed. Not because the code is buggy, but because the design has serious flaws that break it. Not at a code level, but at the level of the underlying design work.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:The never ending story by cnettel · · Score: 4, Insightful
      Please enlighten me how the web browser has kernel level permissions in Windows NT-based systems. It was certainly not a VXD in Win9x (defining only VXD code as kernel might be problematic, but the real problem is that 9x had no well-defined central kernel). I know that IIS does have a kernel part these days (but not back when it was even less secure), to shorten roundtrips for cached requests or something, but that's the server side, not the browser. I actually think Sun tried to advertise a similar addition when Solaris 10 was released.

      Regarding DNS, I'm not sure what you actually mean here. The DNS client and DNS server are services, but they are not in kernel. A Windows service does not mean it's in kernel mode. Winsock itself has some kernel thunking, and as name resolution is generally done through Winsock, that might be what you mean.

    4. Re:The never ending story by James_Duncan8181 · · Score: 5, Informative

      The browser and the file manager are only visually the same in that they inhabit the same window. They are different kparts. Do you understand what this means? They are separate components, with potentially different rights. Unless you think that the fact that you can use Gecko in Konqueror with the kmozilla kpart means that the Mozilla Foundation also makes a file browser.

      (Disclaimer: I use GNOME. I am also not a big fan of Konq. If you're someone who talks about technical issues but clearly doesn't bother to have an informed opinion, please go and drown yourself.)

      --
      "To any truly impartial person, it would be obvious that I am right."
  3. Re:I have a feeling... by instantkamera · · Score: 4, Interesting

    I don't think that this and the announcement about the Jan release are coincidental. Maybe they realize what is at stake. I don't use Windows and I certainly don't like M$, but I can't really find any reason why this or any further delays are bad. They may not indicate anything, but I think you really have to wait for the dust to settle before making a judgement. Perhaps we are seeing the dawn of a new era at Microsoft. Maybe one where they understand that Monopoly=Responsibility.

    OR
    not

  4. Vista still "protective" of keeping its malware by Anonymous Coward · · Score: 5, Interesting

    One of the common myths is that Windows is just a victim of its own success. The logic behind the myth is that if Mac or Linux were just as popular then the same exact problems would occur.

    There is one major difference... Mac and Linux allow privileged processes to remove (and even replace) a file that is still in use. Vista continues to "protect" files that are in use from deletion.

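    The "remove and replace a file that is still in use" behaviour the comment above attributes to Mac and Linux can be shown directly. The following is an added example, not code from the thread or from Microsoft; it creates its own file in a temporary directory (constructed data, hypothetical name `inuse.bin`), keeps a descriptor open the way a running program would, unlinks and replaces the file, and reports what the open descriptor and the path each see afterwards. The unlink and link-count behaviour is POSIX semantics and holds on Linux and macOS; on Windows the delete of an open file would normally fail with a sharing violation, which is the point the comment is making.

```python
# Added example (not from the Slashdot thread or any Microsoft code).
# Demonstrates POSIX "file in use" semantics: an open file can be unlinked
# and replaced, and the open descriptor keeps seeing the old content.
# All paths and data are constructed in a temp directory; the assertions
# about unlink and nlink hold on Linux/macOS, not Windows.
import os
import tempfile


def replace_while_open(old_data: bytes, new_data: bytes) -> dict:
    """Create a file, keep it open (as a running program would), delete it,
    write a replacement at the same path, and report what each vantage
    point observes."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "inuse.bin")  # hypothetical file name
    with open(path, "wb") as f:
        f.write(old_data)

    fd = os.open(path, os.O_RDONLY)          # the "in use" handle
    old_inode = os.fstat(fd).st_ino

    os.unlink(path)                          # allowed on POSIX despite the open fd
    path_exists_after_unlink = os.path.exists(path)
    old_nlink_after_unlink = os.fstat(fd).st_nlink   # 0: no directory entry left

    with open(path, "wb") as f:              # "replace": new file, same name
        f.write(new_data)
    new_inode = os.stat(path).st_ino

    old_content_via_fd = os.read(fd, len(old_data))  # old bytes still reachable
    os.close(fd)                             # only now is the old inode freed

    with open(path, "rb") as f:
        new_content_via_path = f.read()

    os.unlink(path)
    os.rmdir(workdir)
    return {
        "path_exists_after_unlink": path_exists_after_unlink,
        "old_nlink_after_unlink": old_nlink_after_unlink,
        "old_content_via_fd": old_content_via_fd,
        "new_content_via_path": new_content_via_path,
        "inode_changed": old_inode != new_inode,
    }


if __name__ == "__main__":
    for key, value in replace_while_open(b"OLD", b"NEWNEW").items():
        print(f"{key}: {value!r}")
```

    Two practical consequences follow from this behaviour. It is what lets a package manager or an administrator replace a library or binary underneath a running process without stopping it, and it is also why, on Linux, a malicious process can delete its own executable after starting and keep running; incident responders look for the "(deleted)" suffix on `/proc/<pid>/exe` and in `/proc/<pid>/maps` for exactly that reason. Windows' refusal to delete an open file is an inconvenience for updaters and for malware removal alike, not a security boundary.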
  5. Dear Microsoft, by Opportunist · · Score: 4, Funny

    Thank you for the deep insight in your security. You'll get our response after your release.

    Yours,
    Asia.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Re:Reminds me of home made encryptions by CaymanIslandCarpedie · · Score: 4, Insightful

    ...when companies "invent" some home brewn encryption

    You do realize BitLocker isn't about some "home brewn" encryption algorithm right? It uses standard encryption algorithms (256 bit AES for example). The "invent" part here is how this standard encryption is used. From hardware, boot process, drive access, etc. Here is a good place to start for a basic overview.

    offer $100,000 or so to anyone who can crack it

    Didn't see that in the articles.

    When no one does the company calls his product uncrackable. These events and claims are without credibility, security doesn't get manufactured this way.

    True. If ANY company says ANY product is uncrackable, they are full of it and/or marketing is having too much of a say in their message. However, again I'm not seeing any claims like that in any of the links. Am I missing something?

    --
    "reality has a well-known liberal bias" - Steven Colbert
  7. That box you speak of... by Animaether · · Score: 4, Interesting

    ...it probably requires clarification.

    The box they built themselves into - or rather that they had to build around themselves - isn't so much the box that is the security model in Windows. I have no doubt whatsoever that Microsoft is entirely capable of locking down the system so badly that nobody but the most powerful ueber-god of a SysAdmin can open it back up to a casual user, let alone out to the internet for hackers to 'crack'.

    But therein lies the problem as well. Windows users are -not- ueber-gods of SysAdmins, and this shows in the decisions that they feel they are forced to make. I can't spot it in all the Slashdot story summaries on Vista right now, but there have been at least two stories in which there was a reference to Microsoft dropping a security feature or loosening a security setting -because- major clients of theirs told them that things were 'just too complex'. And this is in an operating system that guides you through reasonably easy-to-read GUIs with hint balloons and help files up the wazoo. You can well imagine what happens if you'd sit them down behind a screen that just shows a prompt and a one-liner telling them that security settings can be changed by editing the text file "omfglolwtfbbq.conf".

    So yes, they're in a box that is difficult to get out of - but that's mostly because their clients make the walls so damn slippery after plating the bricks with titanium and burned down all but one of the ladders, then stationed several million angry users alongside it, hissing and whining at them whenever they try and scale it.

    They are, well and truly, damned if they do - and damned if they don't. But at least they realize that they are a little less damned in the first case.

  8. This just in: Asian hackers give M$ a look... by 192939495969798999 · · Score: 4, Funny

    This announcement followed shortly by a conference in which Asian hackers give Microsoft a look at the new hacked Vista. Good job everyone! Why not just hand them a DVD master of Pirates of the Caribbean 2, and a stack of blanks, and say, "this DVD is copy-proof." Sure it is.

    --
    stuff |
  9. Re:Reminds me of home made encryptions by A+beautiful+mind · · Score: 4, Insightful
    Am I missing something?
    Yes, you are. I didn't say Microsoft acts like this, but rather what their behaviour reminds me of.

    Specifically, my issue is with the "It appears Microsoft is really going all out to get Windows Vista secured before its release date in 2007." sentence, and that somehow presenting a system to security experts would make it more secure, as a direct causality.

    Security is not a product, it is a process. If one chain in the link fails, the whole chain fails. And MS can continue to give presentations about their system and abstract design concepts, and if security experts spot weaknesses in the design they can tell all about it to MS, but it's throwing peas at a wall. They never listened, and I see no reason why they would listen. This is just a cheap PR stunt to reassure some less in-the-know folk. That is why I compared the situation to the example in my original post. It has nothing to do with encryption. Encryption isn't the issue. Design, security principles and how MS responds to security issues are.
    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  10. Re:No good by necro81 · · Score: 5, Insightful

    I think you are under the false assumption that all the mainstream OS's out there (Windows, OS X, and *nix) are all equally flawed with regards to security, and it's just that whoever happens to be on top has all their flaws exposed to the world. Such a position assumes that, just by creating a polished and fully-featured OS, it is inherently unstable or insecure.

    I for one am sick of this argument, because it simply isn't true. It IS possible for the primary OS publisher out there - be it Microsoft or someone else - to release a secure OS for the masses. While being top dog does expose you to the most flak, it doesn't a priori prevent you from doing a good job in the first place.

  11. MS Business Practices by E++99 · · Score: 4, Funny
    ...Douglas MacIver, a penetration engineer at Microsoft...
    They seriously need to stop letting people make up their own job titles.