Microsoft Agrees to Changes in Vista Security
An anonymous reader writes "Bowing to pressure from European antitrust regulators and rival security vendors, Microsoft has agreed to modify Windows Vista to better accommodate third-party security software makers. In a press conference Friday, Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security. In addition, Redmond said it would modify the welcome screen presented to Vista users to include links to other security software other than Microsoft's own OneCare suite. From the article: 'It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet.'"
From the article (and /. summary):
It's only an author's surmise, but as I understand and interpret Microsoft's position, there is no line they will be able to cross ever while they are still a monopoly. Microsoft enjoys (immensely) their monopoly position in PC OSes, and as long as they do (immensely), they will continue to be proscribed from using their monopoly to leverage, influence, and otherwise compete unfairly with any other of their products.
There is no line to test.
"designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security"
Perhaps all the alert popups that Windows is more and more cluttered with are a problem? As an XP user, I'd be sorely tempted to use a simple option if available that suppressed ALL of these popups. They are just as annoying in an OS as they are in a browser, especially that one about hard disk free space being too small.
Where were you when the voynix came?
Sorry but I think the kernel should be off limits. Leave that to Microsoft and hold them wholly accountable to preventing issues with it.
On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive.
Make up your mind. Or is it just permanent open season on MS?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
'It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet.'
Just like I test the waters before I dump the bodies... Oh, wait I better not cross that line
Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something. -Heinlein
Is this going to be a backdoor into the protected parts of the kernel that also handle media protection?
It would be nice if one batch of companies out to screw you over had accidentally been defeated by another batch of companies out to screw you over. Sort of collateral rebuilding, if you like.
Think of the Children; Sleep with your Sister
Finally MS gets their act together (somewhat) and who comes in to ruin the day? SYMANTEC. I don't know about the rest of you guys but I'd rather not have a 'Symantec Security Center' on my machine, because I know that two weeks later it'll just stop working for no apparent reason. The fact that there is a method of officially bypassing many of these built-in features is begging for misuse.
Yes, I recognize that MS shouldn't be leveraging their monopoly status to promote their own suite (OneCare) but there are certain things that I would rather let them do their own thing on.
Granted, for you or I these would be merely annoyances, who's to say they won't actually help the average computer user? Maybe this will finally stop the zombie machines that were once ma and pa's internet machines?
I know they're Microsoft and they're stupid/evil but you have to see at least some sort of benefit from these (albeit poorly implemented) security features.
My work here is dung.
People complain that Windows is not secure, then when Microsoft makes it secure people go nuts that it's too secure and they complain.
This is not right.
Companies like Symantec (aka Norton) have profited immensely from an industry created because Windows wasn't secure.
Now they're upset because Microsoft wants that piece of that market; in other words, Microsoft wants to profit from the fact that Windows isn't secure.
Yet in pretty much every other operating system, the solution is simply to make the darned thing secure.
Now, I realize that the issues are a bit larger than this, but I do wonder: IF Microsoft ever released a truly secure operating system, thus making Symantec and other such companies as relevant as the buggy whip, would they then sue to prevent the release of the O/S?
You don't get security from drastically changing your security model time and time again, and then once more as you're nearing your final release. Even if your conceptual model is improved, any source changes will quite possibly introduce new security glitches.
That's why for my systems, I only stick with OpenBSD. It's built on the decades-old UNIX security model, and put simply, it works. They take it further, by basically auditing every single line of code in their core system. While third-party packages may suffer from insecurity, the mere fact that the base system is so secure means that security issues in general are completely minimized. To harm a well-maintained OpenBSD system, one would essentially be forced to resort to social engineering, or physically accessing the machine.
I will not use Windows Vista, let alone use it for anything serious, since Microsoft is pulling shenanigans like this. What they're doing isn't an example of good software development techniques. And that ignores the potential problems that this new model, with its recent politically-incited tweaks, will no doubt have. The mere fact that third-party security software is needed just goes to show how bad the situation on Windows is.
I personally don't want a crippled OS to accommodate third party security vendors. If Microsoft can make their OS so secure that third party software is not needed I say go for it.
Of course if it turns out that Microsoft was just locking other vendors out to make users use their security software, which performed poorly I applaud the EU for helping the consumers. Because really all I care about is how well the end result is.
I honestly think Vista is the beginning of the end for Microsoft.
They are pissing off their corporate customers, the government, end users, 3rd party vendors... Pretty much everyone...
Much as the *AA's are starting to cross the line, and will pay the price if they don't adapt, quickly.
The world has changed, and people are more aware and just won't put up with it...
---- Booth was a patriot ----
Why should the OS be secure when I can pay $30 for a 3rd party to do it (and destabilize the system as they do it, since they root the OS in undocumented ways)? This is a bad precedent and a huge loss for consumers.
"Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel."
Can't say I'm particularly happy about this (breaking security in the name of security? Could even OneCare touch the kernel before this?), but this makes me wonder if they'll actually bend to user pressure to change the licensing terms?
Of course, the users don't have a legal team on speed-dial or other things to leverage against Microsoft. And there's no reason to believe that Vista will do anything but sell like hotcakes (after all, there are more reasons to go from XP to Vista than there were to go from 2k to XP), so there won't be any of the user backlash that most Slashdotters pretend they see in the future.
So, when all is said and done, I've got 14 months to figure out how I'm going to migrate to Linux before XP's end-of-life. It's a good thing I do most of my gaming on consoles...
To me this just seems like a win-win situation: that is letting third-party by-pass their security measures to install their own.
At best, the third-party solution is better than Microsoft's, people's confidence in running Windows Vista has increased, which may prompt more people to switch from XP.
At worst, the third-party solution is worse than Microsoft's, in which case they can point fingers and re-affirm to the public that Vista has great security. The increased confidence in Microsoft's capability of delivering security solutions may help with sales of Vista as well.
So MS does what we have been asking for a decade or more to make their OS secure. Now, some 3rd party vendors bitch and MS is the evil oppressor for not "leaving access to the kernel open".
So, once the haxors get a hold of this open API, they will be cranking out root kits and other hacks that no one will be able to stop.
Great, thanks EU.
Microsoft's responsibility should be to provide an operating system that isolates the kernel from the user to the extent that no application run by an unprivileged user could ever compromise anything other than that user's files. If they succeed, then the AV vendors have no need to get into the kernel. They just create software that looks for malicious software or libraries and eliminate them. If no app can get into the kernel they have nowhere to hide. That's the real solution IMO (not like I'm the first, second or even millionth person to opine that!)
Surely the AV companies had to know that MS would eventually be pulling a netscape on them. The company has to grow, and that market is a great opportunity for them. That being said, Microsoft being in the anti-virus market itself seems like some form of collusion. Imagine if the car manufacturers were also the owners of all the gas companies.
Sorry but I think the kernel should be off limits. Leave that to Microsoft and hold them wholly accountable to preventing issues with it. On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive. Make up your mind. Or is it just permanent open season on MS?
Exactly.
That is why we got such awful security in Internet Explorer [although for the opposite reason]: Back in the mid-to-late 1990s, the Clinton administration was suing Microsoft over their "monopolistic" marketshare, and because of that [vis-a-vis Netscape and their browser], Microsoft was forced to integrate Internet Explorer into the operating system so that they could say to the Justice Department that they couldn't ship a version of Windows without it.
Fast forward eight or ten years, and now we've got the reverse: Microsoft is forced to open up the operating system to appease EU regulators who want all of their security vendors to be able to get a cut of the action.
In either direction [governments forcing Microsoft browsers into the operating system, governments forcing third party vendors into the operating system], what you get is government-induced mayhem.
But of course that's not the politically correct point of view here at Slashdot, so expect me to get modded down to "-1 Troll".
Just edit the registry:
Set HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\PatchGuard\AllowRootKits to 1
To my own surprise, when I read this I thought, "So, MS is stripping away a part of its core security to accommodate 3rd party businesses? What would we say if our favorite *nix distribution started doing this?" Perhaps it is time to just let MS be. Let them provide their own security, their own browser, their own IM, etc, that are all tightly interwoven. Let them squelch creativity on their OS to the point that they either blow us away with what they can do when they lock the doors or alienate themselves from the entire software industry. Let them do whatever they want to lock/unlock 3rd party vendors out/in. We all complain about security, but then come unglued when MS tries to take a hard line to improve it because they close holes. Granted, the way they are closing holes may not be the best approach.
I say, let's just let them do whatever they want. A few things could come of this:
-Nothing really changes, we take off our tin foil hats, and life continues just fine
-Vista may actually be more secure and developers become adjusted to developing for it
-Vista becomes so hard to work with (as a software developer) that no software is written for it and everyone keeps using (developing for) XP, or switches OSes (and Vista becomes one of MS's big blunders)
-Vista becomes hard to work with (as a software developer) and we see more software makers moving over to alternative OSes (OSX, *nix, etc)
Really, what is so wrong with the LONG TERM results of these scenarios? Let's let MS make or break itself. Let's let them "test the waters" and see what happens.
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
The real reason they are doing this is that Vista is behind and they may also need a way to get out of Software Assurance / RTM release dates by saying that due to legal / antitrust regulations they must push back Vista to test the changes out.
Trend Micro's anti-virus and Avast both work on Vista, because their respective developers spent time developing new software to work with it.
Symantec and McAfee on the other hand, rather than invest money in development for a version of their programs which fits Vista's new security model, decided to bitch and whine loudly about Microsoft's new security in Vista while doing nothing of any value. In a sane and equitable world, Microsoft would have offered to aid them in building their new anti-virus products for Vista, and McAfee and Symantec would have agreed. Instead, probably with the threat of a lawsuit from the two companies, and because of the two launching attack ads, they let them bypass their new security features.
This should not be happening. This is BAD for security, as once you let one program bypass security barriers it's only a matter of time before others do, not all of them friendly. This is STUPID because Microsoft has kowtowed to pressure from two companies far more focused on saving money on developing their shitty, shitty antivirus programs than actually providing any more security.
Fuck Symantec, fuck McAfee.
By summer it was all gone...now shesmovedon. --
Microsoft should offer a choice of kernels, an open one for user friendliness and a hardened one for security, but I guess they never thought of giving their victims ^^ er customers a choice...
Politics is Treachery, Religion is Brainwashing
And of course, this new way that MS lets AV vendors bypass PatchGuard isn't going to be compromised by anyone at all, ever ....
I don't use windows, because I want to control my computer.
I am, however, forced to *buy Windows every time I get a new computer. I could build my own, I guess, but that's quite a bit of work.
Or would you say that the US Postal service doesn't have a monopoly because after all I can drive my letters to Nevada myself if I don't like their product?
My turnips listen for the soft cry of your love
Not being a troll here, but I am genuinely interested in US 'dotters' opinions on this one: just how likely is it that a similar decision would've been made in US courts, and what body would be the one to have done it?
Is it just me or is this a huge security risk? By opening up the kernel to access by outside programs, you're not only allowing security vendors to access it, but also people who would seek to exploit it. Perhaps I'm just being simple-minded here, but programs that can bypass and disable inbuilt security systems seem senseless.
Android Software Engineer
It's here: http://malfy.org/
That's because if you hack a Linux box all you get is control of a system that belongs to some 28 year old guy who lives in his aunt's basement. [citation needed]
The value in finding security holes in a Windows box is that there are millions that can be turned into zombies to be used to crank out spam or worse. There is no money in hacking Linux. [citation needed]
Most of the holes found in Windows come from Linux hackers who rarely take a look at their own OS. While there are many secure features in a standard Linux distro most sysadmins never address them. [citation needed]
The way most people implement Linux is like parking an armored car outside of the bank but leaving the doors open. [citation needed]
Just because you say it in an expert tone, does not make it credible or correct.
http://www.coderoshi.com/
"I know they're Microsoft and they're stupid/evil but you have to see at least some sort of benefit from these (albeit poorly implemented) security features."
You know, you can either train the guy cowering in the room in the middle of the house on how to use a blunderbuss to deal with intruders..... Or you can address the fact that there are no actual windows or doors in the empty door/windowframes of the house, and maybe consider removing the big "FREE FURNITURE - COME ON IN" sign that is on the lawn.
Maybe when you do the latter, it might not be so important that the guy keep his itchy trigger finger on the blunderbuss.
Where were you when the voynix came?
Why is it that Symantec and McAfee were complaining about it, yet Kaspersky and Sophos said it was fine? Do Symantec and McAfee do something different than Kaspersky that they can't adapt to it at all? Lazy programming?
We have all seen this before, each one of us that has worked anywhere in IT for more than a month. How many times have you been asked to implement a poor system or work around to make another department or division happy because they don't want to put forth the effort to do things the right way? MS faces the same problems on a greater scale. They try to do it right but everyone on the planet tries to get them to implement their version of "right" and we end up with the best of a series of a million compromises.
I swear I didn't know it was loaded...
I could understand why the EU was upset about the media player bundling. I can understand them being upset about the splash screen for MS's AV stuff. I don't agree with them forcing MS to get rid of those things, but I understand where they are coming from.
Forcing MS to weaken Vista's security and reliability to accommodate these AV companies sucks though.
This is a -bad- thing. Why are we applauding it on slashdot? Are we so caught up in MS hate that we want the government to force them to weaken their product from a technical standpoint?
Maybe this is an example of how having a reputation for lying will make people think you are being dishonest even when you are telling the truth. I know a lot of people on this website don't totally understand the technical issues involved. But doesn't the EU commission have any experts that can explain to them that they are weakening Vista by forcing this on MS?
As we have realised with DVD-CSS, and DRM, exceptions like these cannot be restricted to certain parties.
Put simply, crackers will ultimately be able to use the same backdoors to do Bad Things(tm).
UPS and FedEx come to mind as alternatives. Now these aren't subsidized by the government, hence they will cost more, but they are quite good at getting things to people fast.
While I suppose one could say that the USPS does receive some benefits from being a gov't organization, they are independently funded, and don't receive taxes or subsidies directly.
Minor difference, because like I said, they do receive some benefits from being what they are. Like not having to pay taxes, or obey local regulations.
No, I do remember, and I don't agree they were pioneers. They were a bunch of wealthy snot nosed kids raised on theft from others. Bill's parents were lawyers... a rotten industry if there ever was one.
They stole products ( DOS ) and concepts ( GEM anyone? ), and screwed people over during their 'rise to total domination'. From day one they were against software freedom. "Don't copy our paper tapes of BASIC, it's wrong". They screwed IBM with NT after they drained IBM of the OS/2 code during their 'partnership'. The list goes on and on.
They have NEVER been a good company. Ever.
Though, I do agree that in the old days we *thought* they were the good guy fighting the good cause against the 'man'... They snowed us on that one.
---- Booth was a patriot ----
This is a major change in the security model of the OS. As such it means the security model must be reviewed and re-evaluated. If Vista is released on the current schedule, that will mean that Microsoft have not done this essential work, which will mean the whole security model of the OS is invalid and (heh heh!) "untrustworthy". Not to mention the knock-on effects of this change on all those comingled applications (Internet Explorer, etc) - their security models are now b0rked as well, as the OS will no longer be behaving as it was expected when the app was designed...
So either there are another 6-9 months' delay (at least), or Vista will be released with its security fundamentally compromised. Your call, Billy-boy!
Everything I needed to know about life, I learnt from Blake's Seven
I see both sides of the argument and both have valid points. My complaint is MS' methodology rarely offers choice. It assumes it knows what's best for me and my computer and until I spend the time learning how to bypass it, I have to deal with crap like forced reboots immediately after an update, etc.
That being said, no matter how hard they try to be secure, there will always be the foes who find a way around the security measures in place - and once that happens, the floodgates are open. When you're number #1 in the marketplace, everyone is nicking at your heels and will do whatever it takes to tarnish your name.
I prefer to have a choice in security vendors, as their whole reputation is propped up on getting updates done quickly. We've all heard how MS hasn't patched this, or refuses to acknowledge that - third parties don't enjoy the same marketshare of MS, and thus are out to prove something. That ultimately creates a win for the consumer.
I'm not a programmer, but I do know that creating an OS is no easy task. I just think that MS has other fish to fry and should find ways to partner up with people who eat, drink and sleep the security stuff and work closely to solve the problem. Then everyone makes money and provides strong solutions to their customers.
And I will tell you why. I actually like the NT kernel and architecture. I think it is well designed, and works great when built upon properly. I think Windows 2000 is probably the best consumer OS ever made, even though Microsoft pointed it at business users. It's what I run, and likely will not switch from, except for (maybe) running XP in a VM to run some games.
But even with 2000, MS had to insert their boneheaded ideas in it. For example, with "Windows File Protection," which is really the sfc.exe ("System File Checker") and sfcfiles.dll (The actual list of files to be protected, stuck in a DLL) it gives an Admin NO WAY to add to or change which files are protected. And it includes things like PINBALL.EXE!!! in the list of protected, undeletable system files. And creates stupid things like "C:\Program Files\microsoft frontpage" when I DO NOT even have Frontpage or IIS installed. And unless you disable SFC (which I did) it will re-create the stupid directory on every re-boot. So what COULD HAVE BEEN a useful feature is more like a "let MS Admin your computer for you" feature, because there is no way for the owner of the computer to manage which files are protected under "Windows File Protection." And guess what, on COMPUTERS I OWN, **I** like to control what directories are created and where they are placed. It's MY computer!!!
Now I have read, from a recent article by Mary Jo Foley, ZDNET, that some of the new security in Vista will come from "Code protection technologies such as tamper resistance, code obfuscation, and anti-reverse engineering measures..." THIS IS NOT SECURITY. This is HIDING YOUR BUGS. Instead of actually fixing the bugs, or not having them to begin with, they are actively trying to just make them harder to find. But they are still IN THERE!! This is just simply boneheaded. This is not the way to develop an OS.
With this new WGA crap, they are trying to FORCE users to install (and keep installed) components that NO ONE WANTS (except MS, of course). But guess what, any decent computer Admin **MUST** have the ability to accept or deny ANY update to the OS and have the ability to rollback changes if they cause problems. Just Google for wgatray.exe for many fine examples of the horrible problems their crap is causing.
With Win 2000 at least, MS created a good OS, once you fix the initial problems. But for me at least, there is NO WAY I will "upgrade" to this Vista shit with requiring signed drivers (what about independent hardware hackers/developers?) or XP with "Activation" (what, I can't swap out my motherboard without CALLING and RE-ACTIVATING?) They have just gone too far with this DRM and Anti-Piracy shit. NOT IN MY OPERATING SYSTEM.
I need to move to Linux. Kubuntu is looking really good now. If I can just get the couple of games I like working under WINE or Cedega, then F*** MS. It's just too much. I've had enough.
Crax
P.S. The Mary Jo Foley article I quoted from is located at:
http://blogs.zdnet.com/microsoft/?cat=18
PK: 09F911029D74E35BD84156C5635688C0
Sheesh.
No, One Care doesn't touch the kernel.
Vista already had APIs to allow security software to monitor file activity without touching the kernel. This is the API that One Care uses. And *most* security software already uses that API, such as:
Trend Micro's "PC-cillin"
Avast!
Sophos
Symantec and McAfee, unfortunately, implement their software by mucking directly with the kernel, so rather than adapt to the new world under Vista's disallowing direct kernel access, they bitched and moaned (to the EU, which is predisposed to rule against Microsoft regardless of the merits of the complaint), so now MS has added a new API which supposedly allows bypassing PatchGuard in a secure manner, whatever that means. Seems that malware will be able to take advantage of this new API, unless they require that any code using that API be digitally signed by a trusted authority or something like that.
-- "I never gave these stories much credence." - HAL 9000
However, expecting the average user to know how to do that is like expecting the average person to perform brain surgery. Most people I know have a hard time telling the difference between RAM memory and Disk memory. They think the tower is the "CPU", and that SCSI is what you call gum stuck to the bottom of your chair. It's not that the people aren't smart. It's just that they have no context to work from, and for that matter, no motivation to learn. You could probably learn how to bake bread from scratch, but why bother if you can just go to the store and buy it ready made? Sure, bread made from scratch is better tasting, and probably a LOT better for you, but you don't have time to fiddle around with it. So, you let other people do the baking for you, and you just keep buying scuzzy store-bought bread.
Your Servant, B. Baggins
Here's an informative link on KPP or PatchGuard.
-EB
Do you ever walk alone like a drifter in the dark?
The proposed PatchGuard security model made perfect sense and was one of my favorite parts about Vista. Even though Brad Smith said in the press conference that they haven't dropped PatchGuard, by providing a hole in it they may as well.
And is anyone else incredibly annoyed when they find that some interface in the OS (like security center) has been disabled and replaced with something inferior? I don't think McAfee and Symantec care about that so much as making sure that Windows continues to face serious security threats. A secure Windows would mean they'd be out of a job.
Just remember a year or two down the road when you're helping somebody fix their rootkit/malware/spyware laden computer that Symantec and McAfee are the ones who made the problem possible.
Oh, right, because that's the time to design the security model of your operating system: after a few betas, several years into development, when the product is already late, as a token gesture to some competitors only after government pressure.</SNARK>
This is the OS that the vast majority of PC users will depend on for their privacy and data security. Billions of people, many in essential services like healthcare, defense, banking, emergency response, depending on it every day to work reliably, despite a threatening world of attacks. Counting votes, running stock exchanges, publishing journalism. It's the beginning of a new era of MS OSes, which will probably define the next decade or so, extending from embedded systems through mobile phones and PCs all the way through high-performance computing.
After so much loss due to Microsoft OS insecurity so far, MS should have designed the security model first, the way professionals serious about security always do. Instead, they throw propaganda about "shutting down all operations to concentrate on security", then tack on a security model literally as an afterthought.
The Microsoft nightmare never seems to end. They never seem to use the lessons of past disasters, except in selling more new products, despite the costs. Probably because their business model puts all those insecurity costs on the consumer, and never on Microsoft itself. Why shouldn't a corporation that will stop at nothing to protect its monopoly pay any attention to "intangibles" like exposing the world to costly, dangerous insecurity all the time? Stop at nothing, except fixing those insecurities when it gets a chance to roll out a new OS every 3-5 years.
--
make install -not war
If M$ can fix security issues of Window$, no chance that I will let some 3rd party f*****s like Symantec (Norton AV is able to make any hightech system behave like a 10 year old Pentium3), MyAffee, Krispersky or what to f**k with the security of my Window$ boxes! These are just plain parasites! Window$ should be made secure (that's the task of M$), and these companies which made their business on the basis of Window$ vulnerabilities should just disappear!
Step 1: Modify existing virus that infects Norton and McAfee.
Step 2: Use its access to bypass Windows' new security and infect all of the system.
Step 3: Enjoy can of Mountain Dew and watch Symantec and McAfee back pedal and try to say it's MS's fault for letting people into the kernel.
So who wants to write it?
Thanks Symantec! You saved the Vx's a lot of time and headaches! Whooo!
Here's my business philosophy: Evolve or die. If Symantec couldn't figure out that all they need to do is fall back to file scanning instead of inserting themselves into every aspect of my computer, then they need to go out of business. Everyone else can figure it out, so figure it out, or please close your doors.
They say MS is a monopoly? Name a brand name PC that doesn't come with McAfee or Symantec?
-Brief appraisal of Microsoft: check. ..........
-Imminent follow-on thrashing of Microsoft: several-times-check.
-Mention of impending DRM: check.
-Favourable view of Windows 2000: check.
-Unfavourable view of Windows Vista: check.
-Thread of 'moving on to Linux': check.
"It looks like you're writing a Microsoft post!......"
P.S - http://crouchingbadger.com/movie/paperclip.mpg
throw new NoSignatureException();
Your argument seems to make sense only if you accept your premise that Microsoft has actually locked down their OS so that it is secure. I was told that the other security companies could STILL ACCESS THE WINDOWS KERNEL IF THEY HACKED IT LIKE THE BLACK HATS WILL.
I agree that if Microsoft could actually lock down the kernel in a way that would really secure their OS there would be no need for any other security software but your premise is not accurate.
The race isn't always to the swift... but that's the way to bet!
So MS is being forced to write an API which will turn off system security.
Will the MAIN users of the API be virus writers, or will they only be a minor percentage of the coders who use it?
Make no mistake - this API is a security vulnerability which virus developers WILL use. I really hope that the API requires a DLL which I can remove, unregister and exorcise from my systems. Or some other way, which cannot be bypassed, which will ensure that NOTHING (not even symantec ... or sony) can write to my kernel.
My hopes that Vista might actually be a secure OS, I pretty much have to keep Windows around because of everyone else in my house and for gaming (WoW addict) and up until now it sounded like Vista may have been a fairly secure OS, but if they include a backdoor to the kernel for these 3rd-party vendors it's just a matter of time until it's discovered by malware developers and exploited to all hell.
So is there an API ready to go, or does this mean a return to beta from Release Candidate status?
We've already done this several times.
After a suitable discovery of the facts, hearing of the arguments, several appeals and considerable political activism, many years pass. Microsoft finds itself in a climate amenable to a trivial settlement without admission of wrongdoing. For consumers relief is usually in the form of a coupon good for some small discount off further purchases, or in similar discount provided to some third party like schools.
Unfortunately for consumers justice delayed becomes justice denied. The versions of the software in dispute are long since obsolete by the time of settlement. Almost everyone who is harmed receives nothing. The cost is not a deterrent to repeated similar activity. In fact, by the time of the settlement most of the complaining competitors go out of business -- a significant strategic victory. Many believe that this is now part of the company's standard competitive strategy. This belief is supported by the fact that we're discussing it here and now again.
A grand profit is made by all the lawyers involved. This seems to be the actual purpose of the whole process.
Help stamp out iliturcy.
This is confusing.
Either protection of drivers and the kernel was important (perhaps cornerstone) to the security model or it was not?
And this is flushed down the toilet due to third party complaints over their security business becoming less necessary due to Microsoft's improved security?
So is Vista now less secure?
And the parent poster was spot on when stating that this should precipitate a major delay for new rounds of testing. If Microsoft doesn't do this then it is all a very bad joke?
Or did MS overplay the whole matter from the beginning?
If this aspect of the new security model was genuinely important, MS should have stuck to their guns no matter what. This is not a matter of anti-trust and the claims were baseless if not for Microsoft being in the anti-virus/malware business to begin with. To that end, would it not have been better for MS to give up involvement in the bandaid fix for the real deal?
If they had then Symantec and McAfee wouldn't have a claim but since they are, it appears Microsoft is willing to roll back true security to enjoy their part in the profits to be garnered via the bandaid fix.
It appears this was Microsoft's choice. That they were willing to provide improved security given their total monopoly with "Total Care" at the kernel level. That maintaining kernel level security would mean giving up "Total Care" thus removing their monopoly status on the revenue generating "bandaid fix." And that it appears that between improving kernel mode security and profit, Microsoft is choosing to share in profits over bandaid fixes rather than exit that business, removing the monopoly implications and providing the improved security model in full.
In trade then, Microsoft opens holes in the kernel security model to allow third party access thus reducing effectiveness while maintaining a need for additional software to be sold at profit to backfill the holes. That Microsoft would rather share in the profits (and by extension share the responsibility and liability) than remove the avenue of exploitation.
Less secure by design.
Only signed drivers can install, but I can add my own keys.
Perhaps like this:
1. copy a file with the key into a specific directory
2. press alt-ctrl-del
3. select "prepare key for installation"
4. enter password
5. key is moved to a protected directory
6. you verify that you want the key
7. reboot, then press alt-ctrl-k early in the boot
8. enter your password, select the key, and confirm that it is the one you want
That will do. A business can install their own keys. An anti-virus program could ask you to install a key, but couldn't perform the operation itself. (probably the key install would be considered too difficult, which is good) There could even be a key granted to experimental and malware use, just in case you want to install signed malware drivers. You could make your own key.
I believe what Microsoft should do is take the anti virus software companies to court and be sure that big brother is there, and fight them tooth and nail. I would not lessen the security on the OS just because the software makers are too lazy to start from scratch too. Microsoft is doing what everyone for years has told them to do and that is secure Windows. To lessen the security on the box just because you have a few balking is ludicrous. What Microsoft is doing now is reverting back to an unsecured box. I really, and I know some will hate this ... Would like to know how the US Gov feels about this and if they are in favor of Microsoft leaving the security measures in place or not? Are they willing to come forward and give Microsoft the ok? Are they willing to back Microsoft up? I would be willing to see two versions of Vista. Give EU the unsecured version, and the USA and anyone else the secure one. Then tell the security software vendors to either back off, or start from scratch. Microsoft should sue the anti virus vendors for the rights to make Vista secure. Or Microsoft will never have a secure Operating System.
I personally would advise against kubuntu b/c some of my friends are having stability issues with it. Just my personal op though. I personally use gentoo w/ FVWM since I think that DE = worthless bloat. But, then again, that's just me.
This is wtfretarded, seriously.
Not only do people bitch and moan that microsoft is not secure, but when they finally come up with a potentially secure solution the governments cry antitrust. It's one thing to object to them pressuring vendors to only sell their stuff (cough coke pepsi) but another to hinder innovation altogether and for 'unobjective' governments to shoot them in the foot without even giving them a chance.
IMHO, governments are crushing microsoft.. they should give a few billion to north korea and laugh it up. It's retarded, free market my ass. Feels more like China to me.
The EU replied, "yes, we know that you're a monopoly, and that's why we're using anti-monopoly laws against you
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
And that's your opinion. I find it unstable, hostile to the very concept of freedom, and after using the alternatives for about four years now, hard to use. (Why doesn't Windows get some really good package management?)
Of course, you know what they say about opinions, "Opinions are like assholes, we all have one, and some smell better than others."
If you want your life to be different, live it differently.
I thought Release Candidate 2 was the last before the RTM? Neither RC1 nor 2 will install on my new "Windows Vista Premium Capable" laptop. While I appreciate the need to allow competition, they need to stop changing things and just fix bugs.
This is a case of too little too late.
What's the point of agreeing to an API so close to the release of the OS? Any chance of Vista being better, security wise, is gone, an API or a way around the 'Patchguard' system is going to be difficult to integrate and test so close to the release. Historically speaking, MS isn't known to be quick by any measure. This move comes after pressure from the EU regulators and has everything working against MS. In the end all we're going to have is a system which is, quite literally, hacked and patched together to make the deadline. The more I read about Vista "security", the more I want to stick to XP or even switch to Ubuntu as my primary OS.
http://blogs.technet.com/security/archive/.../29/4 59749.aspx
Now make your own judgement on why Symantec and McAfee are trying to get rid of the security console altogether. Taking it to the EU was an easy slam dunk for them-so now it is business as usual-MS full of holes before so it needs to stay full of holes. I know that Trend, PC-cillin, CA, and Kaspersky all work with the new security console and coded to work correctly. I never want to use McAfee again-so bloated and nagging me to purchase more of their products. Stick with Avast-free and works super.
If you want your life to be different, live it differently.
Yet again, European powers are getting pushy with things that nobody cares about (nobody wanted a version of Windows without Media Player, and nobody really wants the kernel open to third parties).
Why can't they concentrate on things that really do matter, like the disgraceful licensing restrictions and treatment of legitimate customers.
Meanwhile in other news... The top networks online were brought to a halt by the youcantstopme virus, weownyou virus, and the neenerneenerneener worm. Microsoft's Operating System has been hit hard this month by a plague of viruses. A trend that looks as though it will never go away. Microsoft said... "They should have listened to the public in 2006." It is now three decades later and unfortunately this wasn't the case, we still have no secure Windows release. Microsoft has lost billions of dollars for not securing Windows in 2006.
Kubuntu works fine for me. IMO Gentoo isn't for new converts from Windows, someone who tries and fails to make the switch is much worse for GNU/Linux adoption than someone who never switches at all.
I don't see what security centre does that is bad. I've been doing Vista compatibility testing at work and, of course, one of the things that came up is virus scanners. We unfortunately have a site license for Sophos so that's what's getting used. When you first install Vista security centre is whining it wants a virus scanner. Not One Care, but any virus scanner. When I install Sophos (which is not certified for Vista) Vista is mollified. It picks it up and that part of security centre goes green. In fact Sophos is a bad choice right now since its updating is Vista incompatible (Sophos says their Vista version, 6.5, will be out soon) but Vista is just happy to have a working, up to date (at the time of install) virus scanner.
So what's the big fucking deal? As far as I can tell, security centre in Vista works the same way it does in XP. It just wants you to have the various security apps installed. Doesn't care who makes them, just so long as they are there and running. At home I use Kerio instead of the Windows firewall. Windows is just fine with that, it acknowledges Kerio as a firewall and is happy when it's on.
For that matter a user can even tell security centre to fuck off and stop warning them if they really want to.
I'm with you, as far as I can tell this is just Symantec and McAfee being whiny bitches. Vista appears to be perfectly compatible with 3rd party security software.
I don't buy this. Microsoft actually helped the Anti-virus market a great deal by making super unsecured systems.
MS nearly created the market--ok maybe not quite true because I remember installing anti-virus software on my Amiga 500.
The system will always be as secure as its weakest link. If MS starts unlocking parts of the kernel then we can be sure to continue getting plenty of malware, viruses, rootkits that are going to exploit that. Gladly that will continue to feed the whole industry.
Still, it would really be great if for once the EU let the market decide. If consumers get tired of paying big bucks for anti-virus software then maybe they'll turn to something better, like OS X or Debian, Fedora, Ubuntu, FreeBSD, Solaris, or any systems running on open-source Kernels.
Sort of related sort of not... it would be nice if they had full integration for RSA SecurID for Windows. This was the original plan for Vista but they ended up pulling the integrated support, at least for their original release(s). You can read all about it here if you please. Full support built in would be a nice security feature instead of having to install a third party add-on product. This would be a nice up front addition. Since RSA and M$ apparently already have a close relationship of some sort, it seems that this would be a no brainer to get in place. Oh well.
You are right in that Gentoo is not for new converts or for the faint of heart (though I know several new converts who do use it and like it). It requires an adeptness with bash which takes some time to develop and unless the user is experienced, the installation process is worse than hell.
Reading the comments here, I think that most people aren't aware of what PatchGuard is.
PatchGuard, quite simply, is "security through obscurity". Basically, while the kernel is running, a hidden background thread continuously hashes the code sections of the kernel and validates that nothing has changed. If something changes, the system bugchecks (blue screens). PatchGuard's security comes from it being obfuscated.
PatchGuard doesn't offer true security. It has nothing to do with escalation of privilege - if you're able to modify the kernel, it's already too late. PatchGuard was intended to stop commercial products from patching the kernel because frequently they do so improperly, and end up causing instability and local privilege elevation exploits. If a company got around PatchGuard, their product would only work until the next second Tuesday. However, rootkit authors may not care about that "time limit".
Certainly PatchGuard helps slightly with DRM. However its more important use is preventing companies from doing bad kernel hacks. With Microsoft bowing to these companies, PatchGuard's only use is now DRM. Now I dislike it.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
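The check described in the comment above (hash the kernel's code sections, compare against a known-good value, bugcheck on mismatch) can be sketched in user space. This is an added example, not part of the original thread and not Microsoft's code; the section names, filler bytes and the FNV-1a hash are constructed stand-ins, and the sketch reports a mismatch instead of bugchecking.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a loaded kernel image: two code sections and one
 * data section. Names and contents are illustrative, not real Windows data. */
#define NSECTIONS 3
#define SECTION_SIZE 32

struct section {
    const char *name;
    int is_code;                 /* only code sections are expected to stay constant */
    uint8_t bytes[SECTION_SIZE];
};

struct baseline {
    uint64_t digest[NSECTIONS];
};

/* FNV-1a 64-bit: a simple non-cryptographic hash, used here as a stand-in. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static void image_init(struct section img[NSECTIONS])
{
    static const char *names[NSECTIONS] = { ".text", "PAGE", ".data" };
    for (int s = 0; s < NSECTIONS; s++) {
        img[s].name = names[s];
        img[s].is_code = (s != 2);
        for (int i = 0; i < SECTION_SIZE; i++)
            img[s].bytes[i] = (uint8_t)(0x40 + s * 16 + i);  /* constructed filler */
    }
}

/* Record the known-good digest of every code section at "boot". */
static void baseline_take(const struct section img[NSECTIONS], struct baseline *b)
{
    for (int s = 0; s < NSECTIONS; s++)
        b->digest[s] = img[s].is_code ? fnv1a64(img[s].bytes, SECTION_SIZE) : 0;
}

/* One pass of the periodic check: returns the index of the first code section
 * whose digest no longer matches, or -1 if all code sections are intact. */
static int integrity_check(const struct section img[NSECTIONS], const struct baseline *b)
{
    for (int s = 0; s < NSECTIONS; s++)
        if (img[s].is_code && fnv1a64(img[s].bytes, SECTION_SIZE) != b->digest[s])
            return s;
    return -1;
}

int main(void)
{
    struct section img[NSECTIONS];
    struct baseline b;
    image_init(img);
    baseline_take(img, &b);

    img[2].bytes[0] ^= 0xff;   /* normal data write: not covered by the check */
    printf("after data write: %d\n", integrity_check(img, &b));

    img[0].bytes[4] = 0xe9;    /* a product overwrites an instruction byte in .text */
    int bad = integrity_check(img, &b);
    printf("after code patch: %d (%s)\n", bad, bad >= 0 ? img[bad].name : "none");
    return 0;
}
```

The check only notices a change on its next pass, which is why the comment treats it as a stability measure against vendor patching and not as a privilege boundary.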
Alright, stepping in, and ignoring your apparently obligatory bash MS subject heading (seems to be par for the course on /.), let's take a look at this. Windows 2000 the best consumer OS ever made? Are you even aware of the issues it has? Was it better than NT 4? Absolutely! Was it better than NT 3.51, 98, 98SE, (95 and ME are so out that they are left off)? Definitely! Better than XP?! Not a chance.
A few things. 1. how about on a default install (which most users are going to do, and let's face it, that's the "consumer" that you MUST consider, and saying "consumer OS" you're talking about the average user for the most part) having not one, but 2 ADMINISTRATOR accounts with BLANK passwords (users generally just hit enter, though they are getting SLIGHTLY better about that) that CAN LOG ON REMOTELY. Hidden Admin shares (which I love, I use the hell out of them!), hell even telnet, remote registry, and terminal server, all can be accessed via an Admin account with a blank password from a default Win 2k Pro install.
XP? NOPE! An Administrative account on a default install of XP (Home or Pro) with a blank password is RESTRICTED to local logon ONLY. Windows XP (all these are true, but especially true for Pro) handles memory addressing better, scales better, performs faster (in nearly every regard, especially in terms of file system tasks), offers much better networking options, performance, etc. I loved 2000. I really did. And I love XP Pro (until Vista Beta 2 I ran nothing else, aside from the few times I've tinkered with Linux out of boredom). Nearly everything about XP is better than 2000. Personally, I hate XP Home, I think it's garbage. But it STILL offers BETTER security and performance than 2000. Am I saying it's "SECURE"? Nope! Simply MORE secure THAN.
I take it from this brilliant statement that you've never installed some 3rd party app/game/util/etc that replaced a nifty HEAVILY used system dll file, or even a dll file that just happens to be shared between several apps, with their own buggy POS that made your whole system unstable. Happened a LOT in 95/98. There's a REASON Microsoft included that. It actually *GASP* was a good IDEA FOR THE AVERAGE USER! Consider the BACKBONE of this industry is THE AVERAGE USER. They are the reason people like us EXIST. Someone has to keep THEIR stuff running. I don't care if you're a Network Admin, Server Admin, Security Analyst, Network Engineer, Software Developer, or whatever, EVERYTHING you do, at its base, is because of the Average USER. MS knows that Average user doesn't know #W%*&^ about dll files
Well, that's what I had anyway. A dozen kernel builds later my system actually booted! Hooray! That was my desktop though (Which, I can now do a full build from stage 1 Gentoo, total touch time is roughly an hour, hour and a half maybe). Laptop is...well, painful, hehe. Very new laptop, and I would be fine, but for some reason the fans don't work with the installer, and compiles don't tend to like it when the computer shuts off in the middle, hehe.
they are bundling and dumping programs that hide the insecure OS.
If MS secured the OS so that it was resistant to hack (as with the code reorganisation they've brought in - note: no complaints about that making AV worthless, just ones about how effective this is going to be) then the AV companies would die because THERE WAS NO MARKET.
However, what MS have done has kept the market.
Also, part of the problem is that MS OS is closed source. With Linux you can include in the kernel another firewall system and it can be done in such a way as to preclude it being replaced. This is because you can re-compile the OS yourself. You can't do that with MS's software, so you are left with a product that may not be suitable. e.g. with XP's original firewall it turned on at the end of the boot-up, leaving you vulnerable. If XP firewall had been secured in this way, you would not be able to install one that worked PROPERLY. That is why this needs to be open.
1. Find bug in MS's security system
2. use that to infect the system
3. your bug cannot be fixed because the OS refuses to let you change it or replace its functionality
And if there are two companies you had to name to make a monopoly argument (McAfee and Symantec) then it isn't a monopoly. At best it is a duopoly. And that excludes the 100% of Windows systems that will come with MS's security software...
... the name someone at MS gave to the HPFS file system driver, as used in OS/2.
It was in NT 3.51, but not NT 4.0, and OS/2 users were advised to get a copy from an NT 3.51 installation kit if they wanted to dual boot NT 4.0 and OS/2. Advice from a newsgroup somewhere, somewhen.
Human memory is an unreliable resource, so please correct me if I am (now) wrong.
because
a) it is a significant vector of infection
b) it is a waste of corporate resources
However, the EU should have said that the WMP free version MUST be discounted by at least 2% of the cost of the software.
Saving 50p on each license if you're going to be installing Real anyway is very attractive. If you're going to be saving 0p, why bother. It wasn't EU meddling that is the problem wrt WMP it is that they left details up to MS and they gamed the request.