Slashdot Mirror
Vista Security — Too Little Too Late
Thomas Greene of The Register has a fairly comprehensive review of Vista and IE7 user security measures. The verdict is: better but not adequate, and mostly an attempt to shift blame onto the user when things go wrong. From the review: "[Vista is] a slightly more secure version than XP SP2. There are good features, and there are good ideas, but they've been implemented badly. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on."
.. A Dialog box asking if you wish to run the exploit or not.
And it is the first thing to be disabled for sure.
I'm shocked at these allegations!!!
can't believe I'm speaking up for Vista but ...
User security, is like car safety. It's nice to design for "in case shit happens" but if you drive like a lunatic, you're likely to get hurt.
I think a large part of security involves the self. People don't do enough thinking, and are too lazy to follow simple security procedures. No automated tool or system, that allows some freedoms can protect people entirely. Think about it, the OS'es solution to malware? Only allow MSFT signed binaries to run. But this is horrible as it means only MSFT can authorize binaries and it cuts out 3rd party developers.
At some point the users themselves have to stop and learn how to use their computers properly, if they want to use them. If they're too lazy to figure it out, *and* demand security, they should not use a computer.
Of course it's largely MSFT's fault for breeding a culture of contempt for knowledge. Oh look it's so easy anyone can use it with zero training.
Imagine if MSFT made automobiles (but with the a yolk instead of a wheel/pedals, and other "standard improvements"). No training required!
Tom
Someday, I'll have a real sig.
Once you start despising the jerks, you become one.
"and downloading every bit of malware they can get their hands on."
Come on. More than anything, Microsoft is in a no-win situation to try and protect people from themselves. If everyone ran Linux instead of Vista there'd be the same damn problems.
If a thirteen year old wants to download smileys for their IM client, the kid is going to do it. If the software has spyware, then that spyware would do what it takes to open up or break the system. It's pretty damn hard to code against human behaviour.
Microsoft is always going to leave network services on by default because otherwise users might have to go admin and turn them on to get their software to work. Of course the goal is to relieve users of the need to be concerned about what's going on in their computers, but unfortunately it also relieves them of the opportunity to ever learn anything and thereby participate in their own security.
So, you can be "insecure by design", or you can expect your users to educate themselves just a little about how things work and their own role in the security equation. I'm sure the focus groups all say, "We'll take our chances, just don't make us have to think!"
There doesn't seem to be an official Slashdot stance on Microsoft either... about the only thing you *do* notice is that most of the windows supporters post as AC's...
Back on topic: Vista tests for my corporation have been far from impressive in both security and performance. I'll stick with the XP Upgrade method I think. "Skin XP to look like Vista... open up the case, remove half the RAM and clock the CPU back a few notches"
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
With UAC on, the only difference between an admin account and a limited user account is that Windows doesn't ask for a user name and password when you need to use admin rights; it just asks you to OK it. Unless you OK admin rights to an app, you're still running with limited user rights.
If someone figures out an exploit to make that "OK" automatically, yes, running as admin will be significantly less secure. Until someone figures that out, though, running admin with UAC on is just as secure as running as a limited user.
And as far as users finding UAC "annoying", riddle me this: how is any more annoying than Linux? Linux will do the SAME DAMN THING as Vista's UAC. It'll make the SAME prompts when trying something that requires admin rights as a limited user. The only difference is that Vista gives you the prompts while running as root, too. You can't blame M$ if stupid users disable security features they find "annoying" while praising Linux for doing the same thing.
My sig can beat up your sig.
I think that's a bit low. There are only about 30 viruses for Macs (most of which are holdovers from OS 8 days) and I've not encountered one bit of spyware or adware. I don't have experience with Linux, but I imagine it's similar
I think the reason Windows is such a target isn't just its market share, but also its vulnerability.
I'm in the hole of the broadband donut.
*ducks*
When the second paragraph contains this quote --
In a nutshell, Windows is single-handedly responsible for turning the internet into the toxic shithole of malware that it is today.
you know it's going to be fair and balanced.
From the article:
As Billg likes to point out, Windows is the platform on which 90 per cent of the computing industry builds, and this naturally means that it's the platform on which 90 per cent of spyware, adware, virus, worm, and Trojan developers build. That translates into 90 per cent of botnet zombies, 90 per cent of spam relays, 90 per cent of spyware hosts, and 90 per cent of worm propagators.
This implies that Linux, Mac, Solaris, VMS, etc stands for 10% of the malware. This is not true. I would guess that non-Windows systems have less than 1% of the malware.
)9TSS
Oh, the article is from the Register. I see.. no surprises there.
I am the maverick of Slashdot
They don't do it because typing a password is too damn annoying.
UAC is still useful as an Administrator. Until you elevate your privileges, a UAC user *is* a regular user (essentially they have two possible tokens, a regular user token and an Administrator token, and unless you elevate, they're using on the regular user token). This means that the "protection" that it offers is the same; what differs is the ease with which you can switch between the two kinds of user (click a button vs. enter a password). So I don't think that's actually a huge problem.
Whenever something is done for which the regular user token isn't good enough, you can elevate to an Administrator token. That brings up the UAC prompt; it does it for broadly the same category of operations that MacOS X or Linux will demand root access for.
The thing is, the prompt is quite annoying. It's not any more annoying than it is on other OSes; they're annoying too. But a password is even more annoying than clicking the box. And if something is annoying, well, people are going to try to avoid it.
That's the dilemma faced by MS. If they make the thing too annoying, everyone will one way or another disable it. Originally UAC not only required a password, but also a ctrl-alt-del (so that the password couldn't be intercepted or anything). ctrl-alt-del to enter the password was too annoying; it was too intrusive. So they disabled that by default (though you can reinstate it if you want, through a GPO). Entering a password by default was also too intrusive, so again, they disabled it by default (and again, you can reinstate it across the board, even for Administrators, if you want). The reason they did this is because they want the level of annoyance to be livable. If UAC is so annoying that people outright disable it, it's useless. If it's a minor annoyance, they probably won't turn it off.
I've been using Vista since it went RTM, and I have to say, I don't see many UAC prompts any more. I did at first, when I was installing all my software, but now, it's pretty infrequent. It's certainly something I can live with. I did try cranking it right up--passwords for all users, with ctrl-alt-del to enter them--but it's far too annoying to put up with. I can't really fault MS for making the trade-off the way they made it. Hopefully, as applications improve, elevation prompts will become more infrequent (for example, I have to elevate to play Battlefield 2, because Punkbuster "needs" admin rights... this is something that they really need to fix), and when this happens, demanding a password to elevate won't be so onerous. But as things stand right now, there are just too many problematic applications. This isn't really MS's fault (it's not like NT's DAC is new...), but it is something that they've got to live with, and provide a solution for.
Microsoft can't fix the users, there will always be the crowd blindly clicking OK or tuning off the firewall because their game's troubleshooting tells them to.
But reducing the number of services and installed programs running, can reduce the number of vunerabilities present and active by default. How long did it take for them to give the option of actually turning off Messenger, despite no one ever using it. The deault install should be the minimum needed to access the net and use office. If we are all used to prompts and downloading programs a wait of a few seconds to install a progam from a file in the Windows install folder, to run something new, shouldn't be too much of a problem.
Especially if we have the option of actually uninstalling IE7 completely.
And on another note, I have watched this Vista launch and still I wonder. -
Why should I get it? I see alot of hype but not a single reason to upgrade.
If this were really happening, what would you think?
The only story I want to hear about Vista security is what it fixes. We already know what Microsoft broke.
I've been telling you for years and I'll tell you again. The fix is:
Diversity is the only solution to internet security. The user gains immediate security in the short term. The community gains security in the long term as weak platforms are eliminated and can no longer be used to attack strong ones. Everyone wins when the monoculture ends. Free software provides both transparency and a diversity of hard targets. Confronted with rising costs, criminals will go back to their usual meat space businesses.
Friends don't help friends install M$ junk.
This is exactly what Vista security is.
My main problem with Vista security is that it is an OS that cries wolf. When I installed Vista, I had to click no less than 50 security confirmation dialog boxes (it's important to note that these were security dialog boxes) within the first hour or so in order to do simple, stupid stuff that clearly should not have needed confirmation. Stuff like changing my desktop background. Stuff like moving some documents around on a removable hard drive. Stuff like copying a line of text from an IE7 edit box. Stuff like pasting that line of text into a different IE7 edit box. Stuff like creating a new text file on my removable hard drive. And so on, and so on, ad nauseum.
This isn't security. This is constant aggravation, and yes, I cannot imagine any normal user calling their geek friend after five minutes and saying, "How do I turn this damn thing off?" Even if they don't, they "mentally" disable it by simply clicking Allow without thinking. Hell, I'm a computer expert, and I did it. "You are installing the pwnzj00 virus." Allow. "You are sending your bank account numbers to Nigeria." Allow, allow, allow, dammit! Leave me alone!
I try to give Microsoft the benefit of a doubt. I'm not a zealot or a Microsoft basher, seriously. I think they've put out some good software, but on this point, I have to agree with the folks who are saying that Microsoft isn't serious about security, they're simply trying to push the blame for when things go wrong onto the users.
There's no way in hell that they could have conducted any usability tests and found the currently scheme acceptable. But they still let it out the door, most likely to meet some sort of artificial management deadline to keep the OS from shipping any later than it already had.
So now, we've gone from OSes that never alert you to potential security risks to an OS that is even worse because it alerts you to everything, security risk or not.
I'll be interested to see how Microsoft tries to fix this mess, both from a technical standpoint and a PR standpoint.
The vulnerability of Vista or any other OS can be traced back to the requirement to modify the OS for software installation. It makes no reasonable sense that an end-user should modify the operating system when installing a software package (exceptions for servers but that's iffy, too). CONFINE the end-user software to the end-user's space (i.e., home directory) - and as suggested earlier, the notion of each user having an independent registry instead of the global system-wide Windows registry is a great idea. An infinite number of users should be able to use a Windows environment without any influence by one user upon another. This goes for all operating systems. I can't understand why this idea hasn't been pursued already. It's too late for Vista but in another 3 years or so this may happen.
One of these days Microsoft will realize that system-wide changes are killing them. Perhaps when they start leasing remote desktop connections for $9.95 a month they will figure this out.
The security of Windows has always been built upon such a foundation of shit. That's why it's had so many problems. Instead of drawing from the proven security models of systems like UNIX and VMS, the Windows developers went and rolled their own. And you know what? It was shit. It didn't have a solid theoretical underpinning like the security model of other systems have. It's been over 20 years later, and they still haven't looked to the proven models for inspiration.
Windows has the same "theoretical underpinning" as VMS (hardly surprising, given they're designed by the same person). Which is, I must point out, vastly superior to that of traditional (and most contemporary, at least as commonly configured) UNIXes.
There is little, to nothing, wrong with the "foundation" of Windows.
"And as far as users finding UAC "annoying", riddle me this: how is any more annoying than Linux? "
Piece of cake.
UAC annoys you when you try to run a setup program, _any_ setup program, for whatever reason, even a screensaver or desktop picture if it is a setup format.
In Linux you are not asked root's password to change desktop picture or installing random program and that's a major difference. Installed program has user account rights, but _that's the assumption_ and most programs respect that and, contrary to MS-systems, _can be installed and run_ just on user rights.
In MS-environment, _every_ program_ _must have_ (major) write-access to registry and system directories -> UAC every time you try to install or change anything. That's a _big_ difference. Like 1 to 100.
The idea that every program may write whatever they want in registry is outrageous. Only an idiot could design something like that.
IX CCXLIX XVII II CLVII CXVI CCXXVII XCI CCXVI LXV LXXXVI CXCVII XCIX LXXXVI CXXXVI CXCII
There can't be an OS which you'll have to be root to actually be able to do something.
Try to run win XP and see if you can get along with it without root permissions for one day.
The programmers concept for windows is just wrong! you can not require root privileges to run Acrobat Reader, Adobe Photoshop or who knows what
For that matter, try to get along with regular user on Linux, you'll be able to do so (and you'll stay of-course), why? cause Linux was built in as Multi user OS, un-like Windows in which you have to be root to install un-related stuff which you can't even think of why it requires root permissions.
The lesson is, that most of programmers of big companies are basing their programs on the fact that 95% of Windows users runs as Admins.
And also, the whole concept of multi-users is in-fact okay, but the implementation, dir oh lord, is just wrong.
That's why Windows Security just sucks. no matter what
Do what feels good, switch to Linux
Ah yes, the foundation is well designed. But when they were mixing up the concrete they forgot the cement.
See... in a corporate environment, the network team will secure Windows. Believe it or not, it can be done quite easily... you just have to set the permissions. Windows may not be, by default, anywhere near as secure as Linux, but it has provisioning for running people without admin privileges, without permissions to change the registry or write anywhere on the hard drive but their home directory. You can prevent people from installing stuff. It really *can* be locked down. By a competent admin.
The problem is that it's totally different in a home environment. My desktop is running Linux, I've been running Linux since 1994, so I do have some experience here.... um, how many linux users do you know who neither a) know their root password, nor b) know how to get root access?
Joe User isn't going to use a system at home if he can't install his software. If he has to log in as root to do it, so be it. He's still going to be able to install dangerous software as long as he has root access on the system, and he's never going to use a system if he doesn't have a way to get root access.
If you believe everything you read, you'd better not read. - Japanese proverb
What security or performance "tests" did you run that you found "far from impressive"?
Note:
1) Open web browser
2) Load www.slashdot.org
3) Read what other people who haven't actually tested Vista posted
... is not a valid test. ;)
So changing the desktop wallpaper is a security issue in Linux too?
The problem is not that Vista asks for permission where admin is required, it's that it asks for permission everywhere.
It's not that Windows asks you once for "sudo" permission to change a setting, it's that it asks you 10 times when you do things like change your IP address. Once is fine, 10 times is pointless.
Linux will allow a normal user to install normal user programs without root access. It just installs them only in that user's space, so they can't potentially hurt other users. You only receive admin prompts when doing things that affect the whole system, like installing OS updates. I don't care how restricted a user you are, I don't think I've EVER seen linux prompt for permission when cutting and pasting, how asenine is that? OOH, you changed your wallpaper, better make sure your REALLY want to do that, since we all know the potential system wide implications of changing from prairie rain to a picture from digital blasphemy. I can sometimes go a week or longer without seeing a linux admin prompt and doing normal things, whereas I challenge you to work on your computer as you normally would and go an HOUR without getting a UAC prompt for something UTTERLY STUPID.
But think about why you trust an Id game more... and then about how a relatively new user of computers, who hasn't been playing Id games for a decade, would know to make the same distinction.
You can't expect newbies to have the same base of computing experience to draw on that you do, to know what is historically trustworthy and what is historically shady. They don't know the history, and there's really no way to acquire that knowledge except through years of use.
If a game requests admin rights to install for my user, that would raise a red flag, etc.It should -- but there are so many legitimate applications that do require admin rights, even though they shouldn't, that this test also fails to be useful. Too many false positives.
Wow, two simple ideas that didn't involve a masters thesis from MIT.But one of them doesn't provide a useful discriminator, and the other requires significant background in PC computing/gaming.
Have you taken a look at Bitfrost? That project has the design goals right, IMO. Of course, it also has the tremendous luxury of not caring at all about backward compatibility, something Microsoft absolutely cannot discard.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Are you advocating Microsoft create it's own software repositories, vet all submissions to make sure they are not malware, and only allow windows to install software from those repositories?
.deb and install it with dpkg. Now, if I write some nasty little app that turns your box into a spambot, roll it into a deb and put it up on a website as "Cool_new_gaim_smileys.deb", what is going to stop little Johnny from downloading and installing it? Remember, once he types in his root password, he is totally screwed.
Apt-get is great, if the software you want is available from your distributions repositories. If it isn't, like the last piece of software I installed on my Ubuntu box, then you are left to download a
The alternative of course is to only install packages from your distributions repos. Which is all well and good, until you want something they don't contain. As soon as you allow a user the ability to install non-distro-approved software, you allow them to install malware. There is absolutely no workable way around this which does not either remove the users control over their system, or third party vendors ability to distribute software without the approval of the distro vendor. If I know the root password for a box, and I can install any program I want on it, then I can break it. That holds true for Linux, OSX, Windows, or any other OS you care to mention.
"I realise this is not a very popular opinion but it's the truth, and there for needs to be said" -Bill Hicks
There's an "I'm a Mac" ad which covers this: http://images.apple.com/movies/us/apple/getamac/ap ple-getamac-security_480x376.mov
In MS-environment, _every_ program_ _must have_ (major) write-access to registry and system directories -> UAC every time you try to install or change anything. That's a _big_ difference. Like 1 to 100.
The idea that every program may write whatever they want in registry is outrageous. Only an idiot could design something like that. Using Ubuntu/Fedora, you install most of the programs using aptitude/yum and that requires root password. The idea that any program can write its configuration into a centralized system (the registry) could be better than having 100's of configuration files around in different places (The fact that any program can write in any part of the registry is obviously bad).
You can have a privacy-protecting, DRM-free, open source system that also has good security - these goals are not mutually exclusive. A few years ago Apple implemented a sudo workalike for OS X that lets you run a system as a normal user; the so-called 'administrative' Mac user is not really one with root privileges, but is just allowed to sudo if you provide authentication. Many UNIX flavors and and Linux distributions had this as a configurable option for years, but after OS X some common Linux distros (Ubuntu comes to mind) started implementing a nearly identical configuration and integrating it with the GUI. Microsoft would have been wise to emulate this as well, as it's extremely easy to use, and relies on existing authentication models, but prevents you from messing up your system.
This is just an industry best-practice, well implemented by everyone else but ignored by Microsoft. The 'elitist' you are referring to might seem elite to you because he thinks like a sysadmin.
on at least one count. It says that the typed URLs in the registry don't get purged when you clear the history. I just tested it, and it does get purged. It's the one thing I tested, and it was wrong. Doesn't give me a whole lot of faith for everything else in the article (including the fact that there was another correction listed at the end of the article).
My experience with UAC has lead me to turn the damn thing off as soon as I can. Everytime the UAC dialog box pops up, Both of my monitors go into sleep for 1-2 seconds, then turn back on like nothing ever happened, and now the UAC dialog box is there. If everything were to just gray out and the box pop up, and not have my monitors sleep on me, then I would maybe be more inclined to leave UAC on. I run linux. When I run it strictly as a user, I never have to agree to launch a program I clicked on, or downloaded. UAC is annoying because the underlying registry system of Windows is broken.
On every old webpage.
Ignore this signature. By order.
So, point by point:
While referring to IE's Protected Mode feature:
However, there is a brokering mechanism that enables users to download files to any location they have access to, or to install browser plugins and extensions, and the like. So users are still invited to make a mess of their systems, and no doubt many will, while Microsoft has a chance to shift blame away from itself.
Uh huh. First, you can't install plugins/extensions (with the exception of signed ActiveX) without admin privs. Period. Second, how, exactly, would you propose the user be able to save files to their Documents folder, or do any other file operation in their profile (or basically anyplace on the system) without this brokering mechanism? Would you prefer that Microsoft not allow users to download *any* files via the browser? Ya, that would work out well.
However, IE7 on Vista does still write to parts of the registry in protected mode.
IE7 is running as an extremely low-rights user. This does *not* mean that it doesn't have the ability to write to any part of the registry. It means that the register's ACLs must explicitly allow write access to the IE's low-rights user. Certain locations have been explicitly marked as write-safe for the low integrity process. The example given by The Register is one of them. In other words, it's not an issue.
However, DEP, when full on, may cause a number of applications to crash, or interfere with their installation. I'm betting that a majority of users will opt for the more conservative setting, and this of course means less defense for everyone.
You're betting that the majority of users, most of whom think "DEP" is an actor's last name, will go and hunt down the DEP setting and turn it off because it will supposedly cause lots of applications to crash? Really? You mean they won't selectively turn it off via the dialog box that comes up after a DEP-related crash that asks if you want to turn it off just for this application? Oh, and what quantitative study are you sighting that shows that lots of commonly used applications will crash because of DEP? Give me a break.
User Account Control (UAC) is another good idea, because it finally, finally, finally allows the machine's owner to work from a standard user account, and still perform administrative tasks by supplying admin credentials as needed on a per-action basis. You know, the way Linux has been doing it forever.
Windows has supported running individual processes as admin (or any other account) since NT4. It was integrated into the GUI in Windows 2000. That is not the point of UAC, and it's not how Linux does it at all. If you try and run an application or perform an operation on Linux or Unix that requires admin access, it will fail. It doesn't prompt you. It's a subtle, but big difference. And it's a critical difference in the Windows world where that vast majority of applications won't work without admin privs.
Of course, it only works if everyone stays out of the admin account as much as possible, and if everyone with an admin password knows better than to install a questionable program with admin privileges. And there's the catch: "Windows needs your permission to install this cleverly-disguised Trojan nifty program. Click Yes to get rooted continue."
Wrong. It works regardless of what user you *think* you're running as. An admin account on Vista (with UAC enabled) is NOT AN ADMIN ACCOUNT. It's a limited user. The *only* difference is that an admin account isn't prompted to t
I already moderated in this thread, but I'll cancel it out to reply to this.
Windows installers can ask for the level of access they need. If an installer doesn't request an access level (as most don't) then the default is to assume it needs maximum access. This is so that Vista can install XP/2000 etc apps are still able to install.
It's a good thing that Vista shows an annoying box if no level is set in the manifest, because hopefully it will mean developers write installers that only ask for the access level they need.
You are absolutely right, the Mac ads are horrendously misleading. The lines from that commercial aren't actual Vista prompts. Even more scandalous: John Hodgman isn't really a PC and Justin Long isn't really a Mac ! Shame on Steve Jobs for his lies.
Cruft on cruft?
You just described SELinux to a T.
Careful, you live in a glass house. The entire Linux permission and security system is at it's heart so utterly outdated as to be almost rediculous. NT had (and all version s of windows based on it) a beter base persmission and security system (Regardless of the fact that people decided not to use it) than Linux has at it's heart even today.
SE Linux is a hack on top of a lacking persmission system of a level even worse than what you are describing (wich is mostly false anyway).
What Linux needs to do is completely scrap it's kernel level permission and security and start over from scratch. But.. that would pretty much upset the entire universe and everyone and all code within it. Which is why it hasn't been done. Sound familiar?
Please don't offer sage advice about other peoples OSes when your OS is in the same boat.
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
Safer than giving up and running as Administrator is to use Filemon and Regmon to find out what exactly the broken application is doing that it shouldn't, then changing the ACL for just those files or registry keys.
Windows non-administrator LUA/UAC advice, tips and tricks.