Slashdot Mirror
Windows Vista still Rife with Insecure Code
osxpetition writes "As noted in a News.com article, Symantec researchers have been testing the latest Microsoft Windows Vista build (Beta 2), and have found that the code is 'complete with new corner cases and defects' in the networking component. Symantec describes how Microsoft scrapped the old networking stack code from Windows XP in favour of newer, rewritten code. 'Microsoft has removed a large body of tried and tested code and replaced it with freshly written code.' Since January 2002, Microsoft has put a stronger emphasis on protecting PCs by attempting to implement stable, secure code into Windows XP and their new operating system. This latest report from Symantec brings attention to Microsoft's trustworthy computing campaign, and shows how it will be a long way before it is ready for the mainstream."
It is still beta, right?
The opposite of progress is congress
They figured out that the old network stack was starting to get too secure and not something they could live with! Not wanting to break the trend of security problems they went ahead and rewrote the code from scratch
have a solution that will "protect" you.
I would like to know If the so-called shatter attack still works in Vista. If it does, no amount of privilege limitation can help you.
Global warming is a cube.
Windows still buggy? What's next, "Sun has risen again this morning"?
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
Symantec products wil lsecure it right up! How convenient!
Marketing deadlines always trumps everything else, except for OpenBSD and maybe Linux kernels. Curiously, both have dominant but benevolent personalities in charge......
Lets all remember that this is still Beta code. It's not suppossed to be perfect. If it was perfect it would be released now.
This may not be a bad thing.
I am much happier with well laid out, structured and simple code that has X rate of defects than well polished over the years, old, cruddy and complex with X rate of defects because with the former:
Fixes will be faster.
Fixes will be easier/cheaper.
Fixes will be possible!
Bug fixes will have less chance of introducing new bugs.
Given time we can then be sure that we will end up with... err well polished over the years, old, cruddy and complex. But it probably won't be as bad as if the process never happened in the first place.
Think of the Children; Sleep with your Sister
So they're saying that beta software still has bugs in it?
I don't think its particuarly fair to be making these public accusations at this time. I'm sure the developers appreciate the testing, but an article to CNET seems a little too much
On the one hand, you can see thier point. The XP code has become more mature and has all the latest fixes and is more or less stable, as Windows goes. On the other hand, the hackers and crackers have a pretty good bead on it and are capable of exploiting it more easily than they would a new and unknown body of code. There will be the inevitable bugs in the new code, but you have to admit, Micrososft has a lot of experience now at finding and fixing exploits. I figure the breaking in period for Vista won't be quite as long as it was for XP.
GetOuttaMySpace - The Anti-Social Network
How dare they! Just when I know all the exploits in the old code, they make me go and have to discover all new bugs in their new code. Being a hacker is hard some days...
If this signature is witty enough, maybe somebody will like me.
I believe its better to have a long term security with the new stack rather than keep patching decades old code, and now that MS and Symantec are at loggerheads, statements like these will be common.
As part of Microsoft's new anti-virus system they will replace old bugs with new bugs to keep one step ahead of hackers. Genius!
Note that if this were about linux, it would read: "Symantec claims Linux Still Rife with Insecure Code"
Since this is a Microsoft product, it reads "Windows Vista Still Rife with Insecure Code"
I guess many Linux advocates still believe anything they read on the subject of Microsoft criticisms.
I have been using Vista (Build 5381), and I've personally seen the effects of their new networking internals - in my opinion they have got a long way to go. I wish anyone who attempts to use this version on a machine with the Intel Pro Wireless 2200bg lots of luck... I've had an easier time using this card w/Linux (no surprises there).
I'm not fat, just big boned...
Occasionally when programmers leave a company that were in charge of projects like this its easier to rewrite the code instead of having a new set of programmers wade through years of hack and slash patches. Hopefully they will hire some that knows tcp/ip stacks well enough to write some decent code that doesn't have some of the most basic vulnerabilities.
OK, so Symantec makes money selling products that patch up problems with Windows OSes. Microsoft trying to put them out of a job. I'm not saying Vista is really achieving this goal, but what sort of report did you expect from Symantec? "Wow, this Vista really makes our products unnecssary"!
FUD. At least they learned Microsoft's greatest marketing strategy.
-Ryan C.
What if the Hokey Pokey really is what it's all about?
Isn't it to Semantecs best interest to generate demand for their product by creating uncertainty when it comes to OS security. They did this to linux too...
Granted Microsoft may be using new code, but that doesn't necessarily mean it's more insecure than the current network stack.
Let's see what the non-beta software looks like, and see what a independent lab reports.
Bill
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
Since January 2002, Microsoft has put a stronger emphasis on protecting PCs by attempting to implement stable, secure code into Windows XP and their new operating system. This latest report from Symantec brings attention to Microsoft's trustworthy computing campaign, and shows how it will be a long way before it is ready for the mainstream.
This reminds me of the secret language I've read/a> supervisors have when discussing sub-par employees.
So, Symantec, let's see the vulnerabilities you claim to have found.
Oh, you have none? It was just fearmongering to scare people into buying your products? I'm shocked, I tell you. Shocked!
This would be half as funny if Symantec products didn't open more holes than they close.
I had never heard of such a thing before (actually, initially I thought you were just punning on Windows + 'shattering', har har).
It would seem that Vista allegedly fixes the design flaw that allows for the attack, by not running system services in the same session as the user. At least, that seems to be what the Wikipedia article on the topic is suggesting.
The key to shatter attacks is that Windows allows processes running in the same session to pass messages between each other, the result of which is that via code injection, any process can escalate up to the level of the highest process also running in its session. MS is quoted in the article as saying "[This is not] a flaw in Windows. In reality, the flaw lies in the specific, highly privileged service. By design, all services within the interactive desktop are peers, and can levy requests upon each other. As a result, all services in the interactive desktop effectively have privileges commensurate with the most highly privileged service there." (Which is amusingly doublespeak-ish; they're saying "this isn't a design flaw, we designed it that way!")
This blog post by a member of the IE7 team would confirm that they've at least tried to address this in Vista (but of course that's what you'd expect them to say). It says: "User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages."
Yet another nice legacy "feature" from the single-user-OS days.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I'd bet that every single country in which Microsoft has a devlopment team has at least one back-door programmed into their code -- perhaps more in countries where they have more than one security agency that don't share info with each other.
...they also tend to have the best networking stacks I ever worked with.
When are Symantec going to start protecting users against that?
I'm thinking Symantec is feeling the heat from Windows defender. Once people have that, a large number of people will probably be too unconcerned or too lazy to bother installing a different virus program. Symantec cannot be trusted for a neutral veiw (NPOV comes to mind).
Before you die, you see DoubleRing...
Vista in 2008 anyone?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
"Friedrichs noted that in the Linux networking stack, vulnerabilities and stability issues continue to surface well over five years after it was first released."
And about vista's new stack "This may provide for a more stable networking stack in the long term, but stability will suffer in the short term."
I think the report overall is positive for Vista. ANYONE who expects a new OS to come out bug free is a fool. Unfortunately, on CNET as on Slashdot, a positive microsoft article isn't news, thus the SPIN.
slashdot troll = you make a compelling argument I do not like the implications of.
'complete with new corner cases and defects'.
I think Symantec misspelled coroner.
How does an article about how a new network stack could come with unknown security flaws and the fact that most security flaws that have been found in the beta builds have been fixed - as is to be expected - turn into "ZOMG M$ Winblows still rife with unsecure Hax!!" I'm not a Microsoft fan by any stretch and the world would possibly be a better place without them, but for Pete's sake stop acting like children. The article is "Symantec sees an Achilles' heel in Vista," so at least use that as the slashdot title. If the same article was written about a new network stack for Apple's new OS, the slashdot title would certainly not be spinned as much. Actually, it probably would, but the other way. Maybe I didn't read the article well enough, but it just seems that the summary isn't talking about the same article.
As I say this, I have to admit that I am primarily a Windows user and find XP to be the first version of Windows that is entirely usable and not entirely frustrating; I have been a big fan since I first used it.
But even so, I find that Windows Networking never works. I have a file/print server runner Server 2003 which does work very well, but XP is a different story. I am a perfectly capable advanced user, and I can never get two different computers running XP on the same router to share printers or files, with less than an hour of work/directionless mucking about/rebooting. Same shit always used to happen with Win98, but XP does other things so much better that I had great hopes for networking. No luck.
It's tried and tested, and lousy. So I'm excited to hear that it will be replaced with something completely new, because for the first time in years, I have hopes that it might work.
We all know that from Windows NT up, they used the BSD TCP/IP stack. And it's usually not the TCP stack that is vulnerable, it's the next layer up that doesn't/can't handle what TCP brings in. So why did they throw it out and re-write it? It was one of the only pieces that made Windows semi-stable on a network and made it server-worthy. It was also pointed out that the MS implementation of the TCP/IP stack was the slowest stack around in the late 90's (I don't know about now). OS/2, Linux and even DOS had a faster TCP/IP stack back then.
Custom electronics and digital signage for your business: www.evcircuits.com
I program professionaly and I've looked over some BSD & Linux code and quite frankly it is lot more involved than what I do. So I guess I shouldn't complain but jumping Jesus H. Christ if the BSD guys can do it with the resources they have, how is it that a company the size of Microsoft can't make this work?
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Well, the funny part is that, with TCPA and DRM built core-deep into Vista, we can only hope for insecure code...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
- Improved graphics (more complete icon set, fancier installation and login graphics, nicer titlebar look on non-3D capable systems)
- More stability in general (some blue screen bugs I've reported have gone away with later versions)
- More gadgets in the sidebar
- A bit faster for file copies, file searches work a lot better -- file searching wasn't working at all at one point
So... I'm still skeptical of their early 2007 predicted time frame, but it's definitely been getting more polished over the months....scientists discovered that beta code contains bugs!
Oh man! I can't even begin to think of a joke worthy of that setup...
I'll bet the code got re-written from scratch because it's more fun and sexy to write new code than to fix problems in old code - and this time, dammit, it'll get written right!
(I can't take credit for the thought. JWZ says it somewhere on his site, though I don't have the time to find it.)
"Live as if you'll die tomorrow." Ridiculous. You could die later today.
"Symantec describes how Microsoft scrapped the old networking stack code from Windows XP in favour of newer, rewritten code."
Yeah, I imagine it really irked them, having to include that mention of BSD in their credits. Networking code written in-house by Microsoft Software Engineers should be WAY more secure.
Hmm... I wonder if anyone over there, even for a moment, talked about "extending" TCP/IP? Or maybe IPv6-MS?
I kid, I kid...
#DeleteChrome
Ok, I run a network in education, but I can imagine Network Mangers banging their heads into walls already. I think I've got my network locked down enough to cover most of the bases, but seriously, can anyone really say they are looking forward to rolling out Vista across an entire network? I understand network / computer security companies have a vested interest in showing there is a need for their product, but they are not the only ones suggesting Vista is going to be a nightmare.
They aren't trying to pay employees and maintain stock prices ....
Have you not been paying attention to MS's product releases and their "increased security" which never amounts to any code being ANY more secure in any way shape or form.
That isnt bias, that is a reality.
It is history that creates expectations.
Apple does not have an extremely consistent pattern of making poorly secured products. People would be interest and expecting a high quality securely coded system from them. They have earned a good repuation. Microsoft has routinely released bug infested crap, there is no other way to put it. When they finally made some gains in the security dept (and not even that much of a gain in all honesty) they put in a new bunch of new code into an important section of the OS. Gee, is it that hard to realize that this could cause some problems.
The phrase "more better" is acceptable English. suck it grammar Nazis
This is news how? Was anybody suprised?
I don't remember where I read it but it suprise suprise costs more to develop new code than trying to maintain old code even though it may be in a horrible condition. The same seems to go for bugs and security holes.
Windows Vista still Rife with Insecure Code
See what happens when you constantly tease it? Now it's got an inferiority complex. You people should be ashamed.
Has anyone else noticed that Vista is stripping away some of the old keyboard shortcuts? Maybe it's just a beta thing, but I've noticed, for example... you used to be able to hit CTRL-ALT-DEL and then "T" for Task Manager. Now it seems you have to add at least an extra ALT (ALT-T) to get it. Also tabbing within Explorer windows is bringing up the menus for me instead of tabbing through panes. Especially for people that suffer from RSI--i.e. the mouse is best avoided--this is a real pain.
people should understand the ramifications of a virgin network stack
By the time the average person gets a shot at this network stack it will about as "virgin" as Madonna!
BTW, saw her in concert live in Chicago... kick some major ass she does!
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
...representatives of the US automotive insurance industry announced today that after careful analysis of 2007 model year vehicles that every last one of them could run into something and get damaged.
Joel has addressed this technique long ago, and far away: http://www.joelonsoftware.com/articles/fog00000000 69.html
Rediculous: A word indicating the writer is ridiculously ignorant.
The old stuff had so many holes we stopped counting. Based on BSD stuff that had been around since the early '90s, Microsoft had to change the stacks.
The new provider modules are a step ahead of what they'd been using. This is what Symantec is mad about: being left out of the anti-virus and spyware game. Look to see that Microsoft also purchased Win/Sysinternals today to see what else motivates Symantec. Their cash cow, a flea-bitten operating system-- might just work for a change.
But I doubt it.
---- Teach Peace. It's Cheaper Than War.
Otherwise there'd be no incentive to upgrade to the version that comes after, would there?
Once I was a four stone apology. Now I am two separate gorillas.
Am I the first to say, I thought Slashdot was about news?
COMPETENT:
Is still able to get work done EVEN if supervisor helps.
Emphasis on correction.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
They've been too busy with cool stuff.
This just in: Windows XP STILL rife with insecure code...
noobcake or noobmuffin? It is the same price...
Just look at the number of security defects between IIS 5/5.1 -> 6.0 after Microsoft essentially re-wrote IIS.
Microsoft has improved the reliability/security of their products with every iteration NT -> 2000 -> XP -> 2003 and there is nothing to suggest that trend won't continue with Vista.
any un-supported beta software crashes alot.. ohh wait, thats because its beta software, not ment for general use, as it says when you use it...
portfolio
Marketing deadlines always trumps everything else, except for OpenBSD and maybe Linux kernels. Curiously, both have dominant but benevolent personalities in charge......
Also, both of them lack marketing departments.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I doubt anyone was suprised, but some are probably surprised. As you may be now about your spelling. :)
Microsoft has put a signifigant amount of work into creating USER/GDI messaging passing barriers between the new Vista integrity levels. This feature is called UIPI and mostly works in the betas.
BTW, almost no Microsoft written applications are still vulnerable to shatter attacks on XP. This is mostly an issue that still hits ISVs because they don't understand the problem.
This isn't Beta code, this is a public beta, the current name for what was originally called "Gamma". Aka, the stuff right before release.
This isn't a problem if the problem you find is a minor thing where if you click on a button it crashes only if you have a ATI card that was made in June 2005.
This is a problem if the majority of code, that has been rewritten from near scratch has major flaws that would take another full rewrite to get rid of (or years of critical updates). Vista is supposed to be the reinvention of Microsoft security, however this isn't secure. This isn't a "we're still adding features" problem this is a critical flaw at the core of the system.
sky still blue... grass still green... more at 11...
Hey, you're not supposed to mod people "troll" when you don't agree with what they say. It means they don't agree with what they say. And anyone who actually has experience maintaining windows knows that it's not worth a flying fuck until at LEAST the first service pack, usually the second. It was true of NT4, Win2k, and XP. Why shouldn't it be true of Vista?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
1. Fuck CNet and News.com
2. Fuck Symantec
3. ROFLMFAO @ Microsoft for rewriting Windows as Vista and STILL not getting it right...
It should be very easy to build a networking stack for Windows (or any other OS) that is bullet-proof, compact and fast, because it's not a particularly complex piece of logic. There are lots of rules, sure, but each rule within itself is very simple. That makes it possible to test each decsion-making component directly and individually, along with the rule that component applies. Because you know what a well-formed packet looks like - that is defined by the applicable RFC(s) - you can also do comprehensive bottom-up integrated testing.
Add in one of the multitude of profiling packages that will work with kernel-level code, and it should be child's play to make the code not only correct but damn fast.
Could Microsoft do this? Of course they could. They might act the part, but that doesn't make them idiots. In general, anyway. How long it would take and how much manpower it would take depends on how correct they'd want the code. If you want to guarantee fewer than N errors per M lines of code, you can do it, but halving N will more than double the effort required. Can you guarantee no errors at all? Yes. The networking stack is simple enough that you can prove it complete, sufficient and correct. It would cost Microsoft far less to prove their network stack totally bug-free than they're owing the EU in fines. Personally, I feel that producing better code would have been a wiser investment, but that's their decision to make.
could Linux developers do this? Again, sure. There are many tools for profiling and analyzing the Linux networking stack, and suitable test harnesses shouldn't be that hard to write. If kernel hackers had more of a liking for testing, Linux networking bugs should be all but extinct within a year. As things stand, the cleanup is OK but not enough to seriously endanger the bug population. I would like to see a concerted effort to clean up the code rigorously, but I do recognize that much of the code is "good enough" for most developers to be more interested in expanding the capabilities than polishing the code to perfection.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
"I'm shocked, shocked to find that gambling is going on in here!"
/. all would be well in the world.
Funny how a post questioning the tone of the article as being slightly biased gets modded down. I'm sure if the tables were turned and I was asking about the harsh tone of a Linux article on
Ah Slashdot, how I love you.
There are a myriad companies that Microsoft has bought, then put to good use. Some were then thrown off a cliff (like McAfee does/did with Network General and OilChange) while others made them smarter. They need the brains. And they need a new authentication methodology, a new networking stack, and a new registry protection mechanism not made of tissue paper. That doesn't mean they'll get it. So many people have blown up Vista (yes, I know it's not RC+ yet) that Microsoft must be rattled to their very core (yes, Bill-- you, you crummy half-assed programmer) before they'll believe their customers. It's a classic case of Sales Department Rules (Ballmer) and everything else drools. Hit the sales department in the wallet, and things change. Look for a big change from Microsoft soon when they report that XP sales are down and that Windows 2003 server's recent sales peak has now hit the skids, and the X360's are costing a fortune. Mark these words.
---- Teach Peace. It's Cheaper Than War.
Microsoft will never work out the bugs in order to meet the deadline. We may never see Windows Vista unless it is released with the bugs.
What are the odds of the following things happening before Windows Vista is released?
ReActOS 1.0 is released.
Windows XP SP3 is released.
IBM releases the OS/2 source code to open source.
Duke Nuke'em Forever is released.
The Linux based Indrema game console is released.
Enron comes back from the dead.
SCO makes OpenLinux their main OS and drops the Linux lawsuits.
Mac OSX takes over marketshare from Windows and gains 80% of the market.
George W. Bush pulls US troops out of Iraq and Afghanistan and signs a peace treaty with the middle-east, and cuts military spending to pay for more welfare programs, and lets the UN police nation states while the USA sits out of foreign policy.
Jesus returns, resserects John and George for a Beatles Reunion Tour.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Bias. Not hard to spot. You just have to look.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
TFA says "For maintenance purposes and to improve performance and stability, the company is building much of Vista's networking technology from the ground up."
IS building? Not "HAS built?" Months before ship they are not just mopping up, they are still in the process of designing the network stack?
I realize this is reading a lot into the verb tense chosen by a reporter... and maybe it's reporter so clueless that he doesn't understand what's meant by "performing a build..." but that is still astonishing language to me.
"How to Do Nothing," kids activities, back in print!
Its true, this is the more idiotic place to read news in. A lot of the GREAT linux news, and when a company that is in the verge to going bankrupcy cause of vista says that the OS is insecure, the news get its place here...
LOL
Who would've guessed it. Sendmail, anyone?
Universe still full of atoms ...
I think they mean "tried, tested, exploited, patched, exploited again, patched again, broken, fixed, obfuscated, exploited and patched yet again".
How is this news? Seriously. Yes, they dumped their "tried and tested code", but judging from the amount of updates I get each month for windows I wouldn't think that their "tried and tested code" is any better than anything they've written since.
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
Do I recall a long time ago that McAfee came out saying that because linux was open-source, it was less secure, hence they saw a "need" for commercial McAfee antivirus programs for linux "real soon"? This was before the .com bust, but I'm not sure I've seen a McAfee Antivirus: Linux edition yet. Not to say that Vista will be as secure as linux, just pointing out the relative "value" of such statements from antivirus companies.
"To help transition to the new protocol and for peer-to-peer networking features, Microsoft has functionality called IPv6 tunneling in Vista. This functionality could expose PCs that otherwise would be invisible behind a firewall, Symantec said."
Once again, Microsoft creates vulnerabilities in its operating system by adding new functionality that the majority of the world is not asking for.
Don't get me wrong, I think rebuilding the code is necessary in a big program like Windows from time to time. It allows for a cleaner, more comprehensible design. But adding features that most people -- users and managers alike -- neither expect nor want, is a recipe for trouble.
While it might not be a good practice, many people secure their Windows computer by hiding it behind a NAT router and hardware firewall, without an anti-virus or software firewall. If a standard feature in Vista allows hackers to get around this protection, I can see security problems becoming worse, not better.
I'm not even going to consider Vista until at least SP1 comes out. I might even wait until SP2 if things look really messy!
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
Getting off-track seems to be the proposed penultimate goal of most.
Here are the critical points of the article, for those lacking the ability to distinguish:
1)"Vista's networking technology will be less stable, at least in the short run."
Whoa, short run, imagine that. The intelligence to scrap an outdated stack-based system in order to produce an -ultimately- more stable networking system on Windows. Unbelievable.
2)"'We expect many of our results to be invalidated by changes made prior to its public release,' the researchers wrote."
See point number one; research the terminology "short run".
C'mon guys. Stop pussy-footing around with the ball when you have already lost it.
Lets see, I'm going to care what a company that makes Norton Disk Damager says? I can't remember the last time I saw the symantic suite of applications actually fix anything. It always generates problems, not fixes them.
I always loved how their crash protection app could actually make applications crash back on Win95/98.
Some Microsoft software is unstable, all of Symantic's is. (though, hey, ghost enterprise actually does work properly sometimes.)
Secure code from microsoft is a long ways away from being ready for the mainstream. "User Friendly" implementation of Linux is a long ways away from the desktop. Sounds like a lose lose situation....
No one is talking about graphics, stability, gadgets in the sidebar, file copies etc... We are talking about security here, or Vista's lack of it.
I'm STILL Getting uncouth behavior from netflix (i know they had a class aciton lawsuit they lost over the same once before)... namely, I watch a lot of SERIES... anime, scifi, etc... and they have, a good 9 times out of 10, send the following volue 2 or more days before the preceeding one... i.e., the first to arrive is volume 2... then acouple days later, volume 1... then 4 and 3... etc. Even though the processing station for returns is just an hour down the road, sometimes they register recv'd the next day, sometimes it takes then 2-3 days, which is rediculous. I like the service, but I don't think they learned their lesson from the last time they got caught screwing with deliveries in an attempt to make you keep discs longer and expand their profit margin.
Gimme 5 minutes
Not counting boot time and I'll have your computers doing whatever you want them to do.
Who will guard the guards?
Well, maybe you should take a read about the Win32 shatter attack and get back with us.
"Sufferin' succotash."
Here's a link to the paper:
n se/whitepapers.jsp
http://www.symantec.com/enterprise/security_respo
42 pages, by Tim Newsham and Jim Hoagland
but, it seems to me that security is one of the most, if not the most important parts of running a network. The way that I understand networking is that if it is not secured properly, it is only a matter of time before a major crash, or the software and/or hardware conflict with each other and lead to endless problems with one or the other, as opposed to a crash. Or am I missing something?
Surely Microsoft's constant supply of security woes is a major factor that keeps Symantec in business? You'd think they'd shut-up until after the final OS is released, and then plug their own security product range.
:-)
Then again, Symantec products are just as buggy, so maybe the title should read "People in glasshouses...."
Interesting how when code is in Windows, it is unsecure. As soon as they throw it out, it is "tried and tested". Maybe they should throw out all of Vista and our security problems will be solved!
Of course it should be noted that Symantec have a vested interest in reporting Vista to be unsecure.
Blessed are the 1337, for they shall pwn the earth.
That new Vista networking stack better handle The Internet tubes better than XP's!l _video=71653&ml_collection=&ml_gateway=&ml_comedia n=none&ml_context=show
http://www.comedycentral/motherload/index.jhtml?m
So, point me to the place in the article which says something is still rife with insecure code?
Well, of course, there'll be securite holes in Vista too, like most other OS's, but I'm not sure that's what the article means? It seems someone somewhere have come to the conclusion that there are still major problems with it and I just, darned as much as I try, can't find the place in the article.
It seems to me Symantec only speculates, as Vista will have a new network stack?
But then, Symantec themselves say:
So, which is it, and is the article just spun like this on Slashdot because it's Slashdot?
Beware: In C++, your friends can see your privates!
Definition of virgin network stack:
;-)
* See Slashdot
vista -
1. a view, esp through a narrow avenue of trees, buildings, etc , or such a pasage or avenue itself.
2. a comprehensive mental view of a distant time or a lengthy series of events.
VISTA -
acronym for Volunteers in Service to America; an organisation of volunteers established by the Federal government to assist the poor.
Source - The Collins English Dictionary (1986)
My hyperlinks aren't worth the paper they're printed on.
Are corner cases worse than edge cases?
(*) Hint: not you, and sorry about the dangling preposition.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Fighter of Spyware, Guardian of Viruses, Defender of Evi.... well uh.... hmmm...
Windows is a severely buggy, insecure platform. Please tell me something I don't know.
http://sohilsblog.blogspot.com
It will be a long, long time before any release of Microsoft Windows is ready for the mainstream. Its still an untidy hack of mangled code, put together by children and monkeys with little or no hope of ever being able to co-operate to produce a useful piece of software. Sure, a lot of computers have Microsoft Windows installed, but it is by no means "ready"; it just happens to be there. I have people who have been using Microsoft Windows for a number of years, and still can't get to grips with it. Before it is ready, as well as making it more stable and secure, they also have to make it easier to use.
Note: I'm not talking about a rules engine or expert system shell - which would be painfully slow and very hard to follow, but a complete writing out of the rules in such a way that one code block can only be entered by exactly one path through the decisions.
So what you do is you start with something that is valid but slow, then optimize it without changing the overall logic. This is considered "good programming" practice anyway, as optimizing too early can lead to sub-optimal code because you hide what may be become better possibilities. (It's slow because we've not considered the sequence of decisions, we've not considered early break-outs and we've not considered the frequency of differing cases. However, because it's flattened, it'll be faster than most of the procedural code out there. The biggest problem is that it would, well, be big. Very big.)
Now we get onto malformed packets, optional parts, and the like. Yes, this does make things a lot more complicated. The optional parts less so, as those can still be represented by a well-defined set of decisions. It's the malformed packets, packets that are not strictly inside the specification but should be allowed anyway, that are the problem. You can't apply if/then logic if you don't know what the 'if' should be, or necessarily which 'then' is the most applicable. The best I can see here is to split into four types of malformed packet. The first needs to be done early, the other three should be treated as rogue optimizations.
The example with e-mail is well-taken. Yes, there are MANY ways to write the same e-mail address, if you include ! notation, multiple levels of @, comments, etc. Again, the overall complexity is provably very high, but the individual rules for handling each case encountered are all relatively simple, particularly if the complexity is caused by nesting, as you don't need to worry about anything at a layer deeper than you need to parse to deliver the mail. Parsing the address to find what you need, though, is (overall) a complex task that requires a fair amount of processing.
With packet validation, again the point that processing needs to be blazingly fast is well-taken. It does need to be blazingly fast. 100 MB/s cards are the standard, with gigabit moving into the mainstream and ten gigabit on the fringes. Any stack that chokes on the standard isn't going to be of much use to anyone, and ideally you'd want it to run fine on the standard-to-be. Validation is expensive, so you want to apply as little as you can, but many errors downstream are likely to be at least as expensive as the validation that would have prevented them.
Assuming we are applying the method of validate early/optimize late, then once we have validated the code, we would want to optimize it as much as possible. Now, code size isn't that important here - smaller code is generally more structured and will therefore often run slower. We're wanting here to make it run as fast as possible. The first thing to do is to decide if we're going to have to allow certain malformed paths. If we're allowing A and A' to have identical results then A can be optmized out entirely. You only need the test if the paths for A and A' differ.
You also want to reorder the decisions. If A' is a common case that MUST lead to
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Symantec is trying to carve up Vista so that they don't go the way of Iomega. I hate to defend Microsoft, but according to the link
"However, these were all fixed by Microsoft in build 5384, the version of the operating system that was publicly released in May as Beta 2."
That's not to say the code is totally secure but that that seems to be a very good sign.
Don't forget to question your sources. If I was Symantec, I would be worried that in the case that Windows Vista is secure, and does come with a good build in antivirus that my revenue would go down the drain. For those of you who have ever used recent versions of Norton Antivirus or Internet Security, you know what I'm talking about. The widely used Norton software is honestly rather bloated and probably presents a security risk of its own. As an IT technician, I get a lot of requests from workers to remove Norton because Norton causes an alarming measurable slowdown in system performance.
Given that all the bugs found by Symantec were fixed in build 5384 and the fact that Vista still has about 5-6 months before it goes gold (at the earliest), any attempts to speculate on the security of Vista is just that -- pure speculation.
A new TCP/IP stack might mean a whole new set of support problems as all those third party antivirus and spyware apps have to start again ironing out compatibilty problems with their LSPs. Oh what joy.
a product from microsoft with bugs, like this is news. whats next? sky == blue, water == wet, nerds == virgins.
This article/post is one example of why slashdot has so little credibilty outside of it's own little Microsoft bashing audience...
Comment removed based on user account deletion
Just look at Mac OS.
There are many posts here decrying the idea of writing again, you should refactor, etc. And for the most part, I agree.
But if rewriting is nearly always a bad idea, why is Linux so successful? GNU/Linux is a complete rewrite of the UNIX O/S, including its compiler, utilities, shell, etc. and it's worked out well enough that the GNU tools have become largely the standard of the industry!
Obviously, the poster-child of the F/OSS movement is a good argument for an occasional rewrite or two...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
The discussion is about security kid, we all know that MSV is going to be shinny, have new colorful icons and have a nice wallpaper.
IANAL but write like a drunk one.
The point of "rewriting UNIX" in Linux was not about rewriting, but about free software. The UNIX vendors of the time would certainly not give their products away for free, so taking their existing code was not an option.