Vista Security — Too Little Too Late
Thomas Greene of The Register has a fairly comprehensive review of Vista and IE7 user security measures. The verdict is: better but not adequate, and mostly an attempt to shift blame onto the user when things go wrong. From the review: "[Vista is] a slightly more secure version than XP SP2. There are good features, and there are good ideas, but they've been implemented badly. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on."
... A dialog box asking if you wish to run the exploit or not.
And it is the first thing to be disabled for sure.
Can't believe I'm speaking up for Vista but ...
User security is like car safety. It's nice to design for "in case shit happens" but if you drive like a lunatic, you're likely to get hurt.
I think a large part of security involves the self. People don't do enough thinking, and are too lazy to follow simple security procedures. No automated tool or system that allows some freedoms can protect people entirely. Think about it, the OS's solution to malware? Only allow MSFT signed binaries to run. But this is horrible as it means only MSFT can authorize binaries and it cuts out 3rd party developers.
At some point the users themselves have to stop and learn how to use their computers properly, if they want to use them. If they're too lazy to figure it out, *and* demand security, they should not use a computer.
Of course it's largely MSFT's fault for breeding a culture of contempt for knowledge. Oh look, it's so easy anyone can use it with zero training.
Imagine if MSFT made automobiles (but with a yoke instead of a wheel/pedals, and other "standard improvements"). No training required!
Tom
Someday, I'll have a real sig.
"and downloading every bit of malware they can get their hands on."
Come on. More than anything, Microsoft is in a no-win situation to try and protect people from themselves. If everyone ran Linux instead of Vista there'd be the same damn problems.
If a thirteen year old wants to download smileys for their IM client, the kid is going to do it. If the software has spyware, then that spyware would do what it takes to open up or break the system. It's pretty damn hard to code against human behaviour.
I think that's a bit low. There are only about 30 viruses for Macs (most of which are holdovers from OS 8 days) and I've not encountered one bit of spyware or adware. I don't have experience with Linux, but I imagine it's similar.
I think the reason Windows is such a target isn't just its market share, but also its vulnerability.
I'm in the hole of the broadband donut.
Oh, the article is from the Register. I see... no surprises there.
I am the maverick of Slashdot
"In a nutshell, Windows is single-handedly responsible for turning the internet into the toxic shithole of malware that it is today.
you know it's going to be fair and balanced."
The sad thing is that it's actually true.
Please correct me if I got my facts wrong.
It may not be "fair and balanced," but that doesn't take away from the truth of the statement. This is slightly OT, but too many media entities today worry about being "fair," at the expense of giving their readers the whole story.
!#@%*)anks for hanging up the phone, dear.
Microsoft can't fix the users; there will always be the crowd blindly clicking OK or turning off the firewall because their game's troubleshooting tells them to.
But reducing the number of services and installed programs running can reduce the number of vulnerabilities present and active by default. How long did it take for them to give the option of actually turning off Messenger, despite no one ever using it? The default install should be the minimum needed to access the net and use office. If we are all used to prompts and downloading programs, a wait of a few seconds to install a program from a file in the Windows install folder, to run something new, shouldn't be too much of a problem.
Especially if we have the option of actually uninstalling IE7 completely.
And on another note, I have watched this Vista launch and still I wonder:
Why should I get it? I see a lot of hype but not a single reason to upgrade.
If this were really happening, what would you think?
The only story I want to hear about Vista security is what it fixes. We already know what Microsoft broke.
I've been telling you for years and I'll tell you again. The fix is:
Diversity is the only solution to internet security. The user gains immediate security in the short term. The community gains security in the long term as weak platforms are eliminated and can no longer be used to attack strong ones. Everyone wins when the monoculture ends. Free software provides both transparency and a diversity of hard targets. Confronted with rising costs, criminals will go back to their usual meat space businesses.
Friends don't help friends install M$ junk.
This is exactly what Vista security is.
My main problem with Vista security is that it is an OS that cries wolf. When I installed Vista, I had to click no less than 50 security confirmation dialog boxes (it's important to note that these were security dialog boxes) within the first hour or so in order to do simple, stupid stuff that clearly should not have needed confirmation. Stuff like changing my desktop background. Stuff like moving some documents around on a removable hard drive. Stuff like copying a line of text from an IE7 edit box. Stuff like pasting that line of text into a different IE7 edit box. Stuff like creating a new text file on my removable hard drive. And so on, and so on, ad nauseam.
This isn't security. This is constant aggravation, and yes, I cannot imagine any normal user calling their geek friend after five minutes and saying, "How do I turn this damn thing off?" Even if they don't, they "mentally" disable it by simply clicking Allow without thinking. Hell, I'm a computer expert, and I did it. "You are installing the pwnzj00 virus." Allow. "You are sending your bank account numbers to Nigeria." Allow, allow, allow, dammit! Leave me alone!
I try to give Microsoft the benefit of the doubt. I'm not a zealot or a Microsoft basher, seriously. I think they've put out some good software, but on this point, I have to agree with the folks who are saying that Microsoft isn't serious about security, they're simply trying to push the blame for when things go wrong onto the users.
There's no way in hell that they could have conducted any usability tests and found the current scheme acceptable. But they still let it out the door, most likely to meet some sort of artificial management deadline to keep the OS from shipping any later than it already had.
So now, we've gone from OSes that never alert you to potential security risks to an OS that is even worse because it alerts you to everything, security risk or not.
I'll be interested to see how Microsoft tries to fix this mess, both from a technical standpoint and a PR standpoint.
The vulnerability of Vista or any other OS can be traced back to the requirement to modify the OS for software installation. It makes no reasonable sense that an end-user should modify the operating system when installing a software package (exceptions for servers but that's iffy, too). CONFINE the end-user software to the end-user's space (i.e., home directory) - and as suggested earlier, the notion of each user having an independent registry instead of the global system-wide Windows registry is a great idea. An infinite number of users should be able to use a Windows environment without any influence by one user upon another. This goes for all operating systems. I can't understand why this idea hasn't been pursued already. It's too late for Vista but in another 3 years or so this may happen.
One of these days Microsoft will realize that system-wide changes are killing them. Perhaps when they start leasing remote desktop connections for $9.95 a month they will figure this out.
The security of Windows has always been built upon such a foundation of shit. That's why it's had so many problems. Instead of drawing from the proven security models of systems like UNIX and VMS, the Windows developers went and rolled their own. And you know what? It was shit. It didn't have a solid theoretical underpinning like the security model of other systems have. It's been over 20 years, and they still haven't looked to the proven models for inspiration.
Windows has the same "theoretical underpinning" as VMS (hardly surprising, given they're designed by the same person). Which is, I must point out, vastly superior to that of traditional (and most contemporary, at least as commonly configured) UNIXes.
There is little, to nothing, wrong with the "foundation" of Windows.
Newsflash: "If everyone ran Linux" then malware writers would target Linux distributions with malware the way they target Windows now. Monocultures are targets like that. Linux is great, but it's not unbreakable. If the average person has root access, they can do serious damage.
Now, if everyone ran Linux and knew what they were doing I suspect malware authors would have a much more difficult time accomplishing anything. But that isn't really a fair comparison, because if Windows users knew what they were doing, it would be much harder for malware authors too (remote exploits notwithstanding. But even these problems can be mitigated by knowledgeable users.)
"And as far as users finding UAC "annoying", riddle me this: how is it any more annoying than Linux?"
Piece of cake.
UAC annoys you when you try to run a setup program, _any_ setup program, for whatever reason, even a screensaver or desktop picture if it is a setup format.
In Linux you are not asked for root's password to change the desktop picture or install a random program, and that's a major difference. An installed program has user account rights, but _that's the assumption_, and most programs respect that and, contrary to MS systems, _can be installed and run_ just on user rights.
In the MS environment, _every program_ _must have_ (major) write access to the registry and system directories -> UAC every time you try to install or change anything. That's a _big_ difference. Like 1 to 100.
The idea that every program may write whatever they want in registry is outrageous. Only an idiot could design something like that.
There can't be an OS in which you have to be root to actually be able to do something.
Try to run win XP and see if you can get along with it without root permissions for one day.
The programmers' concept for Windows is just wrong! You cannot require root privileges to run Acrobat Reader, Adobe Photoshop or who knows what.
For that matter, try to get along as a regular user on Linux; you'll be able to do so (and you'll stay one, of course). Why? Because Linux was built as a multi-user OS, unlike Windows, in which you have to be root to install unrelated stuff for which you can't even think of why it requires root permissions.
The lesson is that most programmers at big companies base their programs on the fact that 95% of Windows users run as admins.
And also, the whole concept of multi-users is in fact okay, but the implementation, dear oh Lord, is just wrong.
That's why Windows security just sucks, no matter what.
Do what feels good, switch to Linux
See... in a corporate environment, the network team will secure Windows. Believe it or not, it can be done quite easily... you just have to set the permissions. Windows may not be, by default, anywhere near as secure as Linux, but it has provisioning for running people without admin privileges, without permissions to change the registry or write anywhere on the hard drive but their home directory. You can prevent people from installing stuff. It really *can* be locked down. By a competent admin.
The problem is that it's totally different in a home environment. My desktop is running Linux, I've been running Linux since 1994, so I do have some experience here.... um, how many Linux users do you know who neither a) know their root password, nor b) know how to get root access?
Joe User isn't going to use a system at home if he can't install his software. If he has to log in as root to do it, so be it. He's still going to be able to install dangerous software as long as he has root access on the system, and he's never going to use a system if he doesn't have a way to get root access.
If you believe everything you read, you'd better not read. - Japanese proverb
So changing the desktop wallpaper is a security issue in Linux too?
The problem is not that Vista asks for permission where admin is required, it's that it asks for permission everywhere.
It's not that Windows asks you once for "sudo" permission to change a setting, it's that it asks you 10 times when you do things like change your IP address. Once is fine, 10 times is pointless.
But think about why you trust an Id game more... and then about how a relatively new user of computers, who hasn't been playing Id games for a decade, would know to make the same distinction.
You can't expect newbies to have the same base of computing experience to draw on that you do, to know what is historically trustworthy and what is historically shady. They don't know the history, and there's really no way to acquire that knowledge except through years of use.
"If a game requests admin rights to install for my user, that would raise a red flag, etc."
It should -- but there are so many legitimate applications that do require admin rights, even though they shouldn't, that this test also fails to be useful. Too many false positives.
"Wow, two simple ideas that didn't involve a master's thesis from MIT."
But one of them doesn't provide a useful discriminator, and the other requires significant background in PC computing/gaming.
Have you taken a look at Bitfrost? That project has the design goals right, IMO. Of course, it also has the tremendous luxury of not caring at all about backward compatibility, something Microsoft absolutely cannot discard.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Are you advocating Microsoft create its own software repositories, vet all submissions to make sure they are not malware, and only allow Windows to install software from those repositories?
Apt-get is great, if the software you want is available from your distribution's repositories. If it isn't, like the last piece of software I installed on my Ubuntu box, then you are left to download a .deb and install it with dpkg. Now, if I write some nasty little app that turns your box into a spambot, roll it into a deb and put it up on a website as "Cool_new_gaim_smileys.deb", what is going to stop little Johnny from downloading and installing it? Remember, once he types in his root password, he is totally screwed.
The alternative of course is to only install packages from your distribution's repos. Which is all well and good, until you want something they don't contain. As soon as you allow a user the ability to install non-distro-approved software, you allow them to install malware. There is absolutely no workable way around this which does not either remove the user's control over their system, or third-party vendors' ability to distribute software without the approval of the distro vendor. If I know the root password for a box, and I can install any program I want on it, then I can break it. That holds true for Linux, OSX, Windows, or any other OS you care to mention.
"I realise this is not a very popular opinion but it's the truth, and therefore needs to be said" -Bill Hicks
"In the MS environment, _every program_ _must have_ (major) write access to the registry and system directories -> UAC every time you try to install or change anything. That's a _big_ difference. Like 1 to 100.
The idea that every program may write whatever they want in registry is outrageous. Only an idiot could design something like that."
Using Ubuntu/Fedora, you install most of the programs using aptitude/yum and that requires the root password. The idea that any program can write its configuration into a centralized system (the registry) could be better than having hundreds of configuration files around in different places (the fact that any program can write in any part of the registry is obviously bad).
Last time I checked, regular users couldn't fool around with ifconfig either. I would say changing your IP address is something that should require admin privileges. I think you picked a bad example there.
So it sounds to me like the issue boils down to Vista having much more fine-grained prompting than Linux or MacOS does. There are many entry points from which Windows can be compromised -- we know this. It sounds like Microsoft is at least doing the responsible thing and trying to plug them up with prompts. You guys expect them to work magic and "know" the difference between legitimate and illegitimate requests.
So, point by point:
While referring to IE's Protected Mode feature:
However, there is a brokering mechanism that enables users to download files to any location they have access to, or to install browser plugins and extensions, and the like. So users are still invited to make a mess of their systems, and no doubt many will, while Microsoft has a chance to shift blame away from itself.
Uh huh. First, you can't install plugins/extensions (with the exception of signed ActiveX) without admin privs. Period. Second, how, exactly, would you propose the user be able to save files to their Documents folder, or do any other file operation in their profile (or basically anyplace on the system) without this brokering mechanism? Would you prefer that Microsoft not allow users to download *any* files via the browser? Ya, that would work out well.
However, IE7 on Vista does still write to parts of the registry in protected mode.
IE7 is running as an extremely low-rights user. This does *not* mean that it doesn't have the ability to write to any part of the registry. It means that the registry's ACLs must explicitly allow write access to IE's low-rights user. Certain locations have been explicitly marked as write-safe for the low integrity process. The example given by The Register is one of them. In other words, it's not an issue.
However, DEP, when full on, may cause a number of applications to crash, or interfere with their installation. I'm betting that a majority of users will opt for the more conservative setting, and this of course means less defense for everyone.
You're betting that the majority of users, most of whom think "DEP" is an actor's last name, will go and hunt down the DEP setting and turn it off because it will supposedly cause lots of applications to crash? Really? You mean they won't selectively turn it off via the dialog box that comes up after a DEP-related crash that asks if you want to turn it off just for this application? Oh, and what quantitative study are you citing that shows that lots of commonly used applications will crash because of DEP? Give me a break.
User Account Control (UAC) is another good idea, because it finally, finally, finally allows the machine's owner to work from a standard user account, and still perform administrative tasks by supplying admin credentials as needed on a per-action basis. You know, the way Linux has been doing it forever.
Windows has supported running individual processes as admin (or any other account) since NT4. It was integrated into the GUI in Windows 2000. That is not the point of UAC, and it's not how Linux does it at all. If you try and run an application or perform an operation on Linux or Unix that requires admin access, it will fail. It doesn't prompt you. It's a subtle, but big difference. And it's a critical difference in the Windows world where the vast majority of applications won't work without admin privs.
Of course, it only works if everyone stays out of the admin account as much as possible, and if everyone with an admin password knows better than to install a questionable program with admin privileges. And there's the catch: "Windows needs your permission to install this cleverly-disguised Trojan nifty program. Click Yes to get rooted continue."
Wrong. It works regardless of what user you *think* you're running as. An admin account on Vista (with UAC enabled) is NOT AN ADMIN ACCOUNT. It's a limited user. The *only* difference is that an admin account isn't prompted to t
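The two mechanisms this post relies on, the filtered administrator token under UAC and the explicit low-integrity labels on the locations protected-mode IE may write to, can be observed from a normal prompt. The following is an added example, not code from the thread or from Microsoft; it assumes Windows Vista or later with UAC enabled, PowerShell 2.0 or later, and a scratch folder name that is a constructed placeholder.

```powershell
# Added example, not from the thread. Assumes Windows Vista or later with UAC
# enabled, PowerShell 2.0+, run from a normal (non-elevated) prompt.

function Test-FilteredAdminToken {
    # With UAC on, an administrator's interactive logon receives a filtered
    # token: the Administrators SID (S-1-5-32-544) is still listed, but marked
    # "use for deny only", so IsInRole(Administrator) is $false until the
    # process is elevated through a UAC prompt. That is the "limited user"
    # behaviour described above.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    $memberOfAdmins = [bool]($identity.Groups |
        Where-Object { $_.Value -eq 'S-1-5-32-544' })
    New-Object PSObject -Property @{
        User           = $identity.Name
        MemberOfAdmins = $memberOfAdmins                      # membership on paper
        Elevated       = $isElevated                          # what the token grants
        TokenFiltered  = ($memberOfAdmins -and -not $isElevated)
    }
}

function Show-IntegrityLabel {
    # icacls prints "Mandatory Label\<Level> Mandatory Level:(NW)" only when an
    # explicit label is set. Unlabelled objects are treated as Medium, which a
    # Low-integrity process (protected-mode IE) cannot write to: NW = No Write-Up.
    param([string]$Path)
    icacls $Path | Select-String 'Mandatory Label'
}

# Constructed demo: label a scratch folder Low, as the locations IE's
# protected-mode process is allowed to write to are labelled, then read it back.
$scratch = Join-Path $env:TEMP 'low-integrity-demo'   # placeholder path
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

Test-FilteredAdminToken | Format-List User, MemberOfAdmins, Elevated, TokenFiltered

"Before labelling:"; Show-IntegrityLabel $scratch   # nothing printed: no explicit label
icacls $scratch /setintegritylevel '(OI)(CI)L' | Out-Null
"After labelling:";  Show-IntegrityLabel $scratch   # Mandatory Label\Low Mandatory Level ... (NW)

# whoami reports the same two facts directly: the Administrators group with the
# "deny only" attribute, and the process's own integrity label line.
whoami /groups | Select-String 'S-1-5-32-544', 'Mandatory Level'

Remove-Item $scratch -Recurse -Force
```

Run the same script from an elevated prompt and Elevated flips to True while TokenFiltered becomes False, which is the per-action difference UAC adds on top of the NT4-era "run as" facility mentioned in the post.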
Cruft on cruft?
You just described SELinux to a T.
Careful, you live in a glass house. The entire Linux permission and security system is at its heart so utterly outdated as to be almost ridiculous. NT had (and all versions of Windows based on it have) a better base permission and security system (regardless of the fact that people decided not to use it) than Linux has at its heart even today.
SELinux is a hack on top of a lacking permission system of a level even worse than what you are describing (which is mostly false anyway).
What Linux needs to do is completely scrap its kernel-level permission and security and start over from scratch. But.. that would pretty much upset the entire universe and everyone and all code within it. Which is why it hasn't been done. Sound familiar?
Please don't offer sage advice about other people's OSes when your OS is in the same boat.
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
Interesting.
Consumer Vista has been in general release for less than one month. But the Geek knows that most people are disabling the UAC. The Geek knows how users will respond to all the changes in Vista.
He doesn't need a crystal ball. He only needs to read what other Geeks are posting to their blogs.