Slashdot Mirror


Vista Security — Too Little Too Late

Thomas Greene of The Register has a fairly comprehensive review of Vista and IE7 user security measures. The verdict is: better but not adequate, and mostly an attempt to shift blame onto the user when things go wrong. From the review: "[Vista is] a slightly more secure version than XP SP2. There are good features, and there are good ideas, but they've been implemented badly. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on."

10 of 483 comments

  1. Vista security is.. by Anonymous Coward · · Score: 5, Insightful

    .. A Dialog box asking if you wish to run the exploit or not.

    And it is the first thing to be disabled for sure.

    1. Re:Vista security is.. by madcow_bg · · Score: 5, Insightful

      If that was it, then the security team has won the game!
      Alas... I think it is asking for everything, therefore asking for nothing. An automatic OK is just as bad as no confirmation asked. Even worse, IMHO.

    2. Re:Vista security is.. by Gription · · Score: 5, Insightful

      People running as admins isn't even close to the real problem with UAC (User Aggravation Control). The real problem is their whole concept of security is flawed. Any conceptual framework that relies on the user knowing enough about computers to make a decision about what you should and shouldn't do is going down in flames.

      Here is a little tidbit to shock you...
      The vast majority of users that use a computer don't really know anything about computers and they shouldn't have to!!! If a computer is operating correctly they shouldn't even have to think about their computer. They should be thinking about their task at hand. They shouldn't even want to "know about computers" because if they did they would have different jobs. (A lot of "computer people" can't get it through their heads that the users shouldn't have to know much about computers and if they all did the "computer people" would be mostly out of jobs.)

      The very first example of MS's real conceptual problem with computer security is showcased by the first thing you see when you start up the computer. Let me ask you: What do you need to know to get into a computer? A username and a password. So MS's idea of increased security is to hand you a list of all the usernames on a platter so you can skip past the "find a valid username" step and go straight to the "let's find the user with a weak password" step. I haven't even been able to find a way to force a 'classic' text login. We are 'clicking' our way into the pits of hell.

      Right after XP came out Mr. Bill publicly stated that "the next version of Windows will not be an Operating System. It will be a Digital Rights Management Platform." He said it in public and everyone seems to have forgotten it. Why would anyone PAY for a system whose only reason for existence is to inhibit the user's actions? Bill is a master at knowing which way people will jump. (That is the only thing he is really brilliant at.) He knows that people won't rush out and buy a DRM/Platform so he has to sell it as something different. It is pretty easy to do too. People are Raccoons. Give them something shiny and their eyes glaze over and they will clutch it with both hands and won't let go. Vista has every bright and shiny gewgaw that MS could throw in. Will Vista be a "success"? Of course! The Raccoons will demand their bright/shiny (pointless) 'upgrades' because how can we live without a computer that will use video as a desktop image. (I think that running the movie Idiocracy as a desktop would be perfect!)

      BTW - Has anyone figured out a hack to force an old style text login? I might even mod your posts up if you find a solution and share it! ;-)
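The logon-screen account list that the comment above objects to is controlled by the "Interactive logon: Do not display last user name" security option, which Group Policy stores as the `DontDisplayLastUserName` value under the policies key below. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes an elevated session for the write, and that the target build honors the value the way the documented policy describes (on Vista it replaces the account tiles with a plain username/password prompt).

```powershell
# Added example (not from the thread): stop the logon screen from listing
# account names by enabling "Interactive logon: Do not display last user name".
# The registry value below is the one Group Policy writes for that setting.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'DontDisplayLastUserName'

function Get-LogonNameDisclosure {
    # Returns $true while the logon screen is still allowed to show account names.
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                 -ErrorAction SilentlyContinue).$PolicyName
    return ($value -ne 1)
}

function Disable-LogonNameDisclosure {
    # HKLM\...\Policies is writable only with the Administrator token,
    # so this must run from an elevated prompt.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
}

if (Get-LogonNameDisclosure) {
    Write-Host 'Logon screen currently displays account names; enabling the policy.'
    Disable-LogonNameDisclosure
}
Write-Host ("Account names shown at logon: {0}" -f (Get-LogonNameDisclosure))
```

The same setting is reachable without scripting through secpol.msc (Local Policies > Security Options) or a domain GPO; the script is useful where you want to audit a fleet of machines for the value before deciding to enforce it.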

  2. Re:Why should they have a problem? by Architect_sasyr · · Score: 5, Funny

    There doesn't seem to be an official Slashdot stance on Microsoft either... about the only thing you *do* notice is that most of the windows supporters post as AC's...

    Back on topic: Vista tests for my corporation have been far from impressive in both security and performance. I'll stick with the XP Upgrade method I think. "Skin XP to look like Vista... open up the case, remove half the RAM and clock the CPU back a few notches"

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...

  3. Re:dear lord... by Zebra_X · · Score: 5, Funny

    Imagine if MSFT made automobiles

    It would be pretty horrific...

    Are you sure you want to unlock your car? (Yes/No)
    Please confirm this action: Start car (Allow/Deny)
    The manufacturer of this car is not trusted, are you sure you want to start this car? (Yes/No)
    The car is attempting to use gas that does not fall between 89 and 91 octane, are you sure you want to continue? (Yes/No)
    Are you sure you want to turn on the radio? (Allow/Deny)
    The manufacturer of this radio is not trusted, are you sure you want to turn on radio? (Yes/No)
    Station 104.7 is attempting to play content that requires special privileges, do you want to play 104.7? (yes/no)
    Please confirm your administrative username and password.
    Please confirm this action: Change to D (Allow/Deny)
    This feature requires administrative privileges, please enter your username and password. ... ...

  4. Re:Limited User Accounts by DrPizza · · Score: 5, Interesting

    They don't do it because typing a password is too damn annoying.

    UAC is still useful as an Administrator. Until you elevate your privileges, a UAC user *is* a regular user (essentially they have two possible tokens, a regular user token and an Administrator token, and unless you elevate, they're using the regular user token). This means that the "protection" that it offers is the same; what differs is the ease with which you can switch between the two kinds of user (click a button vs. enter a password). So I don't think that's actually a huge problem.

    Whenever something is done for which the regular user token isn't good enough, you can elevate to an Administrator token. That brings up the UAC prompt; it does it for broadly the same category of operations that MacOS X or Linux will demand root access for.

    The thing is, the prompt is quite annoying. It's not any more annoying than it is on other OSes; they're annoying too. But a password is even more annoying than clicking the box. And if something is annoying, well, people are going to try to avoid it.

    That's the dilemma faced by MS. If they make the thing too annoying, everyone will one way or another disable it. Originally UAC not only required a password, but also a ctrl-alt-del (so that the password couldn't be intercepted or anything). ctrl-alt-del to enter the password was too annoying; it was too intrusive. So they disabled that by default (though you can reinstate it if you want, through a GPO). Entering a password by default was also too intrusive, so again, they disabled it by default (and again, you can reinstate it across the board, even for Administrators, if you want). The reason they did this is because they want the level of annoyance to be livable. If UAC is so annoying that people outright disable it, it's useless. If it's a minor annoyance, they probably won't turn it off.

    I've been using Vista since it went RTM, and I have to say, I don't see many UAC prompts any more. I did at first, when I was installing all my software, but now, it's pretty infrequent. It's certainly something I can live with. I did try cranking it right up--passwords for all users, with ctrl-alt-del to enter them--but it's far too annoying to put up with. I can't really fault MS for making the trade-off the way they made it. Hopefully, as applications improve, elevation prompts will become more infrequent (for example, I have to elevate to play Battlefield 2, because Punkbuster "needs" admin rights... this is something that they really need to fix), and when this happens, demanding a password to elevate won't be so onerous. But as things stand right now, there are just too many problematic applications. This isn't really MS's fault (it's not like NT's DAC is new...), but it is something that they've got to live with, and provide a solution for.
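The two-token arrangement described in the comment above can be observed directly from inside a process. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes only the standard .NET `WindowsIdentity`/`WindowsPrincipal` classes and the `whoami` utility that ship with Vista and later. In an Administrator account's normal (non-elevated) session the Administrators group is present in the token but marked "deny only", so `IsInRole` reports `$false` while `whoami` still reveals that an Administrator token exists to elevate to.

```powershell
# Added example (not from the thread): report which of the two UAC tokens
# the current PowerShell process is running under.
function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminSid  = New-Object Security.Principal.SecurityIdentifier(
                     [Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # IsInRole only counts groups that are *enabled* in the token. The filtered
    # (standard-user) token carries BUILTIN\Administrators as "deny only",
    # so this stays $false until the process has been elevated.
    $elevated = $principal.IsInRole($adminSid)

    # whoami exposes the group attributes; "Group used for deny only" on the
    # Administrators entry (S-1-5-32-544) is the fingerprint of the filtered token.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $filtered   = ($null -ne $adminEntry) -and ($adminEntry.Attributes -match 'deny only')

    # Integrity level tells the same story from the other side: the filtered
    # token runs at Medium, the elevated token at High.
    $label = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'

    if ($elevated)     { $state = 'Running with the Administrator token' }
    elseif ($filtered) { $state = 'Admin account, but running with the filtered standard-user token' }
    else               { $state = 'Standard user; no Administrator token to elevate to' }

    [pscustomobject]@{
        User           = $identity.Name
        Elevated       = $elevated
        HasAdminToken  = ($elevated -or $filtered)
        IntegrityLabel = $label
        State          = $state
    }
}

Get-UacTokenState
```

Run it once from a plain prompt and once from a prompt started with "Run as administrator": the `User` field is identical in both, only `Elevated`, `IntegrityLabel` and `State` change, which is exactly the "same user, two tokens" model the comment describes. The `HasAdminToken` field is the one worth auditing on shared machines, since it identifies sessions that can become administrative with a single click.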

  5. What you said, except more amusing by Gzip+Christ · · Score: 5, Interesting
  6. Re:The OS that cried "wolf!" by Blue+Stone · · Score: 5, Insightful

    It's almost like Microsoft, sick and tired of all the complaints about poor security in their operating systems, said, "RIGHT! If you want security, we'll GIVE you security!" and then handed it out as a punishment.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce

  7. Re:dear lord... by GeePrime · · Score: 5, Funny

    You have gotten into an accident and the airbag wants to deploy (allow/deny)

  8. You're absolutely right by Gzip+Christ · · Score: 5, Funny

    You are absolutely right, the Mac ads are horrendously misleading. The lines from that commercial aren't actual Vista prompts. Even more scandalous: John Hodgman isn't really a PC and Justin Long isn't really a Mac! Shame on Steve Jobs for his lies.