Slashdot Mirror
Microsoft Agrees to Changes in Vista Security
An anonymous reader writes "Bowing to pressure from European antitrust regulators and rival security vendors, Microsoft has agreed to modify Windows Vista to better accommodate third-party security software makers. In a press conference Friday, Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security. In addition, Redmond said it would modify the welcome screen presented to Vista users to include links to other security software other than Microsoft's own OneCare suite. From the article: 'It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet.'"
From the article (and /. summary):
It's only an author's surmise, but as I understand and interpret Microsoft's position, there is no line they will be able to cross ever while they are still a monopoly. Microsoft enjoys (immensely) their monopoly position in PC OSes, and as long as they do (immensely), they will continue to be proscribed from using their monopoly to leverage, influence, and otherwise compete unfairly with any other of their products.
There is no line to test.
Sorry but I think the kernel should be off limits. Leave that to Microsoft and hold them wholly accountable to preventing issues with it.
On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive.
Make up your mind. Or is just permanent open season on MS?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
You must restart your computer. Would you like to do it now, or would you like me to display this same dialog 30 seconds from now, while you're doing something else like typing a slashdot comm
Is this going to be a backdoor into the protected parts of the kernel that also handle media protection?
It would be nice if one batch of companies out to screw you over had accidentally been defeated by another batch of companies out to screw you over. Sort of collateral rebuilding, if you like.
Think of the Children; Sleep with your Sister
Companies like Symantec (aka Norton) have profited immensely from an industry created because Windows wasn't secure.
Now they're upset because Microsoft wants that piece of that market; in other words, Microsoft wants to profit from the fact that Windows isn't secure.
Yet in pretty much every other operating system, the solution is simply to make the darned thing secure.
Now, I realize that the issues are a bit larger than this, but I do wonder: IF Microsoft ever released a truly secure operating system, thus making Symantec and other such companies as relevant as the buggy whip, would they then sue to prevent the release of the O/S?
The problem is that Microsoft's record with security isn't great; lots of people (myself included) prefer to trust another company to provide anti-virus and firewall security under Windows. Microsoft will have to work very hard - in an equal arena -- to show that their AV and firewall solutions are as good or better as those of their competition
Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
I personally don't want a crippled OS to accommodate third party security vendors. If Microsoft can make there OS so secure that third party software is not needed I say go for it.
Of course if it turns out that Microsoft was just locking other vendors out to make users use their security software, which performed poorly I applaud the EU for helping the consumers. Because really all I care about is how well the end result is.
"These alerts and popups may be the thing needed to prevent my computer ignorant siblings from obediantly installing viruses on my parent's computer."
You mean the ignorant siblings who always click "OK" every time they see a popup, so when you go home you find a desktop filled with bonzi buddies and casino shortcuts, 3 toolbars on the browser, and full-screen ads that pop-up at any time at random?
"I know they're Microsoft and they're stupid/evil but you have to see at least some sort of benefit from these (all be they poorly implemented) security features."
Real security involves preventing the security crisis in the FIRST place, rather than bombarding the user with a blizzard of poorly-worded popups.
Where were you when the voynix came?
Why should the OS be secure when I can pay $30 for a 3rd party can do it (and destabilize the system as they do it, since they root the OS in undocumented ways)? This is a bad precedent and a huge loss for consumers.
To my own suprise, when I read this I thought, "So, MS is striping away a part of its core security to accommodate 3rd party businesses? What would we say if our favorite *nix distribution started doing this?" Perhaps it is time to just let MS be. Let them provide their own security, their own browser, their own IM, etc, that are all tightly interwoven. Let them squelch creativity on their OS to the point that they either blow us away with what they can do when they lock the doors or alienate themselves from the entire software industry. Let them do whatever they want to lock/unlock 3rd party vendors out/in. We all complain about security, but then come unglued when MS tries to take a hard line to improve it because they close holes. Granted, the way they are closing holes may not be the best approach.
I say, let's just let them do whatever they want. A few things could come of this:
-Nothing really changes, we take off our tin foil hats, and life continues just fine
-Vista may actually be more secure and developers become adjusted to developing for it
-Vista becomes so hard to work with (as a software developer) that no software is written for it and everyone keeps using (developing for) XP, or switches OSes (and Vista becomes one of MS's big blunders)
-Vista becomes hard to work with (as a software developer) and we see more software makers moving over to alternative OSes (OSX, *nix, etc)
Really, what is so wrong with the LONG TERM results of these scenarios? Let's let MS make or break itself. Let's let them "test the waters" and see what happens.
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
Trend Micro's anti-virus and Avast both work on Vista, because their respective developers spent time developing new software to work with it.
Symantec and McAfee on the other hand, rather than invest money in development for a version of their programs which fits Vista's new security model, decided to bitch and whine loudly about Microsoft's new security in Vista while doing nothing of any value. In a sane and equitable world, Microsoft would have offered to aid them in building their new anti-virus products for Vista, and McAfee and Symantec would have agreed. Instead, probably with the threat of a lawsuit from the two companies, and because of the two launching attack ads, they let them bypass their new security features.
This should not be happening. This is BAD for security, as once you let one program bypass security barriers it's only a matter of time before others do, not all of them friendly. This is STUPID because Microsoft has kowtowed to pressure from two companies far more focused on saving money on developing their shitty, shitty antivirus programs than actually providing any more security.
Fuck Symantec, fuck McAfee.
By summer it was all gone...now shesmovedon. --
I don't use windows, because I want to control my computer.
I am, however, forced to *buy Windows every time I get a new computer. I could build my own, I guess, but that's quite a bit of work.
Or would you say that the US Postal service doesn't have a monopoly because after all I can drive my letters to Nevada myself if I don't like their product?
My turnips listen for the soft cry of your love
For those who missed the "irony" tags - people didn't switch from 2k to XP - they went from Win9x to XP - the 2k users continually dug in their heels when it came to switching. And certainly nobody I know even has Vista on their radar ...
Really, is there ANYBODY who knows a real live "Joe Sixpack end user" who is even aware that Vista exists? Its pretty bad when both OSX and Linux have a bigger awareness in the general community than linux's new flagship.
People will continue running XP long after its end-of-lifed, mostlyt to play games. And the antivirus vendors will cash in on this, by selling patching services to fix bugs in XP long after Microsoft stops supporting it - because its "good enough" for most users.
Its not like you need the source code to patch. Virus writers "patch" XP all the time.
That's because if you hack a Linux box all you get is control a system that belongs to some 28 year old guy who lives in his aunts basement. [citation needed]
The value in finding security holes in a Windows box is that there are millions that can be turned into zombies to be used to crank out spam or worse. There is no money in hacking Linux. [citation needed]
Most of the holes found in Windows come from Linux hackers who rarely take a look at their own OS. While there are many secure features in a standard Linux distro most sysadmins never address them. [citation needed]
The way most people implement Linux is like parking an armored car outside of the bank but leaving the doors open. [citation needed]
Just because you say it in a expert tone, does not make it credible or correct.
http://www.coderoshi.com/
In college I worked at a software company where one developer arbitrarily decided that the product needed to restart when first installed. So he activated the standard windows restart routine that gives you a dialog that says "Windows will restart in 30 seconds", a graph that's counting down, and a 'restart now' button.
QA didn't have a cow, they had an entire herd.
That trust is severely misplaced. Third-party companies can only play catch-up and do so from the disadvantage of external access to the system.
;)
The parent article misses a beat in that Microsoft has an API to the kernel for their AV needs, by definition. The only issue is should that be public. The EU is making them publish this API (in some form, I don't trust Microsoft to release all their 'goodies'). But should it remain private to Microsoft then the consequence is that virus writer's will de-engineer it as they have done with so much of Microsoft's closed technology. Obviously, then, it benefits the end-users that the API be published and it benefits the end user that third-parties have a better vehicle towards check&balances of their own AV solutions.
But don't ever expect them to be able to produce the tightly-integrated, non-intrusive extensions to the kernel that Microsoft *could* produce, were they sufficiently motivated. To that, having the load-library/file-access hooks published for the kernal and the necessary security credentials to do so is a good thing since various pieces can be compared as to how one or the other of third-parties or Microsoft works better/faster/less problematic. That's good for the end user.
The squeals heard from AV companies are to be expected. Any change affects their income lines. Vista could be remedially-exempt (eg. totally secure) and some form of the same complaints from them, and the EU, would still be heard. That's a case of they're damned if they do and if they don't. My assertion is they created the situation so just have to live with it
I could understand why the EU was upset about the media player bundling. I can understand them being upset about the splash screen for MSs AV stuff. I dont agree with them forcing MS to get rid of those things, but I understand where they are coming from.
Forcing MS to weaken Vista's security and reliability to accomodate these AV companies sucks though.
This is a -bad- thing. Why are we applauding it on slashdot? Are we so caught up in MS hate that we want the government to force them to weaken their product from a technical standpoint?
Maybe this is an example of how having a reputation for lying will make people think you are being dishonest even when you are telling the truth. I know a lot of people on this website dont totally understand the technical issues involved. But doesnt the EU commission have any experts that can explain to them that they are weakening Vista by forcing this on MS?
This is a major change in the security model of the OS. As such it means the security model must be reviewed and re-evaluated. If Vista is released on the current schedule, that will mean that Microsoft have not done this essential work, which will mean the whole security model of the OS is invalid and (heh heh!) "untrustworthy". Not to mention the knock-on effects of this change on all those comingled applications (Internet Explorer, etc) - their security models are now b0rked as well, as the OS will no longer be behaving as it was expected when the app was designed...
So either there are another 6-9 months' delay (at least), or Vista will be released with it's security fundamentally compromised. Your call, Billy-boy!
Everything I needed to know about life, I learnt from Blake's Seven
And I will tell you why. I actually like the NT kernel and architecture. I think it is well designed, and works great when built upon properly. I think Windows 2000 is the probably the best consumer OS ever made, even though Microsoft pointed it at business users. It's what I run, and likely will not switch from, except for (maybe) running XP in a VM to run some games.
But even with 2000, MS had to insert their boneheaded ideas in it. For example, with "Windows File Protection," which is really the sfc.exe ("System FIle Checker") and sfcfiles.dll (The actual list of files to be protected, stuck in a DLL) it gives an Admin NO WAY to add to or change which files are protected. And it includes things like PINBALL.EXE!!! in the list of protected, undeletable system files. And creates stupid things like "C:\Program Files\microsoft frontpage" when I DO NOT even have Frontpage or IIS installed. And unless you disable SFC (which I did) it will re-create the stupid directory on every re-boot. So what COULD HAVE BEEN a useful feature is more like a "let MS Admin your computer for you" feature, because there is no way for the owner of the computer to manage which files are protected under "Windows File Protection." And guess what, on COMPUTERS I OWN, **I** like to control what directories are created and where they are placed. It's MY computer!!!
Now I have read, from a recent article by Mary Jo Foley, ZDNET, that some of the new security in Vista will come from "Code protection technologies such as tamper resistance, code obfuscation, and anti-reverse engineering measures..." THIS IS NOT SECURITY. This is HIDING YOUR BUGS. Instead of actually fixing the bugs, or not having them to begin with, they are actively trying to just make them harder to find. But they are still IN THERE!! This is just simply boneheaded. This is not the way to develop an OS.
With this new WGA crap, they are trying to FORCE users to install (and keep installed) components that NO ONE WANTS (except MS, of course). But guess what, any decent computer Admin **MUST** have the ability to accept or deny ANY update to the OS and have the ability to rollback changes if they cause problems. Just Google for wgatray.exe for many fine examples of the horrible problems their crap is causing.
With Win 2000 at least, MS created a good OS, once you fix the initial problems. But for me at least, there is NO WAY I will "upgrade" to this Vista shit with requiring signed drivers (what about independent hardware hackers/developers?) or XP with "Activation" (what, I can't swap out my motherboard without CALLING and RE-ACTIVATING?) They have just gone too far with this DRM and Anti-Piracy shit. NOT IN MY OPERATING SYSTEM.
I need to move to Linux. Kubuntu is looking really good now. If I can just get the couple of games I like working under WINE or Cedega, then F*** MS. It's just too much. I've had enough.
Crax
P.S. The Mary Jo Foley article I quoted from is located at:
http://blogs.zdnet.com/microsoft/?cat=18
PK: 09F911029D74E35BD84156C5635688C0
However, expecting the average user to know how to do that is like expecting the average person to perform brain surgery. Most people I know have a hard time telling the difference between RAM memory and Disk memory. They think the tower is the "CPU", and that SCSI is what you call gum stuck to the bottom of your chair. It's not that the people aren't smart. It's just that they have no context to work from, and for that matter, no motivation to learn. You could probably learn how to bake bread from scratch, but why bother if you can just go to the store and buy it ready made? Sure, bread made from scratch is better tasting, and probably a LOT better for you, but you don't have time to fiddle around with it. So, you let other people do the baking for you, and you just keep buying scuzzy store-bought bread.
Your Servant, B. Baggins
Here's an informative link on KPP or PatchGuard.
-EB
Do you ever walk alone like a drifter in the dark?