Slashdot Mirror


Microsoft Locking Out Anti-Virus Makers?

twitter writes "Anti-virus makers have more to fear than stonewalling by Microsoft if a report by Agnitum, maker of Outpost Personal Firewall, is right about recent trusted computing changes. All the problems were summarized in a choice Register quote, 'In addressing the potential problem of not being able to install Outpost on new versions of Windows, we have discovered that it is possible to drill past the new security measures introduced by Microsoft - if we use the same techniques used by hackers.'"

9 of 135 comments

  1. Just the opposite by Vampyre_Dark · · Score: 5, Funny

    Microsoft has actually been bending over backwards to help the anti-virus companies properly integrate their products into the new Windows Vista. The problem comes from miscommunication. Billy is using his new speech-to-text program for all correspondence.

  2. Better Summary by RightSaidFred99 · · Score: 5, Insightful
    "Our software doesn't work, we're pissed."

    They are basically saying that they want the existing weak kernel model to continue to be supported because at least it allows them to do things the way they have been for a long time. This is, of course, stupid. It's like my locksmith not wanting me to get a new door because his equipment won't work with it, even if the new door theoretically provides the basis for better security long-term.

    I'm not saying the new intercept model is great, I'm saying the answer isn't "leave it like it was". Instead of whining, why don't they engage Microsoft and figure out what exactly they need? Regardless of what your average wanker thinks, Microsoft will NOT be in a good situation if Vista turns out to be a dud security-wise. They want it to work.

  3. Re:Microsoft is just isolating itself by RightSaidFred99 · · Score: 5, Insightful
    They're not locking anybody out. It's silly to think that developers should have full access to every single internal structure or API call. It's called "bad design principle". It means they can't change things internally.

    The real problem may just be limitations in the API they _ARE_ providing. That's fine, work with them on it. Don't whine that their internal structures and kernel level calls are changing - you are NOT supposed to use those anyway.

  4. Re:ORly? by tyler.willard · · Score: 5, Insightful

    Ya RLY. Too easy? At ring 0 *everything* is, and should be, visible/alterable. That's the whole point of ring 0 existing in the first place. There is another concern as well: If Redmond locks out 3rd party security and utility vendors from full ring 0 access they become the only ones able to provide the most powerful utilities and security products. As it stands now, SoftICE has been discontinued and sysinternals has been acquired. I don't particularly relish the idea of having to take MS's word for what's happening down in kernel or having theirs being the only powerful security/utility products available.

  5. cry me a river by r00t · · Score: 4, Funny

    Binary patching a kernel is just plain wrong. It's an unstable hack.

    You're supposed to patch the kernel source and recompile. Oh...

  6. Happens every time they change something by Sycraft-fu · · Score: 5, Insightful

    Programmers are lazy, that's just how it goes. I remember all the Sturm und Drang over Windows 2000 and its new audio model. Basically, MS did a revamp of how audio was handled in 2000. It's a much better model. However it was different from what the pro audio companies were used to so they cried about it. I had a $600 10-channel pro card at the time. When 2k came out, I wanted to switch. However they had no 2k drivers, you had to install the NT drivers which did work, but were a pain in the ass. They said "There will never be Windows 2000 drivers, 2000 is unsuited to audio."

    What they were worked up about was the kernel mixer, a subsystem that introduces 30ms of latency to audio. Now of course this isn't a problem, first because the drivers are aware of this and do time compensation so it only matters for live sound-on-sound recording (meaning you are playing something that a musician is listening to and recording what they are doing) and you can bypass the kernel mixer anyhow.

    Well finally they figured that out (it's in the documentation for the new driver model) and they released a driver... That only supported 2 channels of the 10 on the card. They claimed that the new driver model didn't support more than 2 channels on a card. I e-mailed MS about this and I think they were sufficiently surprised by the stupidity of the question that they responded. They pointed out that not only could they enumerate the device as multiple 2-channel devices (as you had to do in Win98 and NT since they only supported 2 channels) but WDM could handle real multi-channel devices as well.

    Some e-mails back and forth with the company and finally they came out with a functioning WDM driver for their card. These days, their cards have ONLY WDM drivers available, they don't support 98 or NT anymore. However it was like pulling teeth to get them to learn the new method of doing things. Not because it was worse, it's not, but because they just wanted to keep doing things how they had in the past.

    I'm sure that's basically what this is. MS has changed the way things work, if it's better or not one can debate, but it's not to screw the AV companies over. They are just being whiny because they don't want to have to change the way they do things.

  7. Re:They Started With Device Drivers by gnuman99 · · Score: 4, Interesting

    It is called "Designed for Windows" program. Yes, applications have to be signed. And yes, you have to send a copy to MS so they can verify if you follow guidelines when they get 1000s of core dumps from your application. Or complaints about spyware and crap.

    http://www.microsoft.com/winlogo/default.mspx

    Yes, it costs money because you have to buy a digital certificate from Verisign. And send the software on a CD to MS, so a postage stamp there too.

    And yes, MS will probably start treating software from unknown vendors differently than those that have registered. But after all, how can you blame them with all the spyware screensavers and other crap.

    We already see digital signatures in Linux like Debian. Untrusted repositories get flagged as "WARNING!! Untrusted source. WARNING!!". Microsoft should be doing the same to protect its user base.

  8. Re:Microsoft is just isolating itself by kripkenstein · · Score: 4, Insightful

    "They're not locking anybody out. It's silly to think that developers should have full access to every single internal structure or API call."

    Fair enough. But, consider this: do you really believe that developers of Microsoft security products (firewall, antispyware, OneCare, etc.) will NOT have access to whatever API they ask for? That if they need access to one, a technical solution will not be devised?

  9. Re:Microsoft is just isolating itself by grcumb · · Score: 4, Interesting
    "It's silly to think that developers should have full access to every single internal structure or API call. It's called "bad design principle". It means they can't change things internally."

    WTF? I understand what you're getting at, but please think about what you've just written for a second.

    It's not at all silly to give developers full access to your system internals, as long as you're clear about the repercussions of using them. In fact, there's a whole bunch of developers using this stuff called FOSS, which is based entirely on this principle.

    I know, I know; your point is that if developers depend on a certain implementation, then the vendor is forced to continue supporting it forever, which, according to your reasoning, leaves them with no further room to grow or innovate. Unfortunately, that perspective is just bollocks. FOSS developers deal with this every day, and they've found a perfectly workable process:

    Supported APIs are marked as such. Deprecated APIs are marked, too, with the clear warning that past this version, you're on your own. Unsupported interactions with the internals are marked - not fenced, but simply labeled Here Be Dragons. You're welcome to venture there if you want, but don't go asking for help if something goes wrong. Most developers benefit from a better understanding of how the whole system works, and can in fact suggest or offer improvements in upstream functionality as well as better implementing their own.

    I'd be fascinated to know why you think that things are somehow different for Microsoft than they are for IBM or Novell.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.