Slashdot Mirror


Flawed Survey Suggests XP More Secure Than Vista

SkeeLo writes "One of Vista's big selling points is security, but a report from CRN concludes that Vista offers little in the way of security advancements over Windows XP. Ars Technica analyzed the report and found some methodological problems. 'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software — something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.' That's not all: 'It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.'"

37 of 235 comments

  1. Let's see by anss123 · · Score: 5, Funny

    Study finding Vista more secure then XP = X hits.

    Study finding XP more secure than Vista = Y hits.

    if (x > y)
      post Vista more secure than XP
    else
      post Vista less secure than XP

    1. Re:Let's see by dgatwood · · Score: 2, Funny

      XP more secure than Vista, apparently.

      Google fight

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Let's see by wile_e_wonka · · Score: 2, Informative

      Taking cues from the other posters, I tried "battling" the same searches they did but adding quotation marks around the phrases. (I did them all in "googlefight" because it required less typing)

      "study finding xp more secure than vista" -- 0 results
      "study finding vista more secure than xp" -- 0 results

      "vista more secure than xp" -- 1820 results (note I changed "then" to "than." It's amazing what differences correct spelling can make)
      "xp more secure than vista" -- 2 results

      Then I wondered how these results jibed with a real Google search:

      "study finding xp more secure than vista" -- 0 results
      "study finding vista more secure than xp" -- 0 results

      "vista more secure than xp" -- 1690 results
      "xp more secure than vista" -- 2 results

      But here's what I really found interesting (I searched again using "than" and "then"):

      "vista more secure than xp" -- 1690 results
      "vista more secure then xp" -- 3 results

      "xp more secure than vista" -- 2 results
      "xp more secure then vista" -- 131 results!

  2. Anti-Virus by biocute · · Score: 3, Insightful

    That's life for being MS.

    If MS puts in AV software, other AV companies will file anti-competition lawsuits; if MS doesn't, consumers will moan about it too.

    1. Re:Anti-Virus by flukus · · Score: 2, Insightful

      Because it's an unfair advantage to make an insecure OS and then charge "protection" money!

    2. Re:Anti-Virus by Vombatus · · Score: 5, Funny
      Because it's an unfair advantage to make an insecure OS and then charge "protection" money!

      No. No! No!!

      It is a Genuine advantage

      --
      This sig is intentionally blank
  3. AV is not a lock by normuser · · Score: 4, Insightful

    Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

    By the time your AV software comes into play you're already infected. So AV software is not the lock on your door. It's the rifle in your house.
    Still important, but very different.
    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    XXX#######
  4. Urg by hyfe · · Score: 4, Insightful

    Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

    Or rather.. it's a bit like faulting the construction company when the wall in your house fell over because somebody knocked on the door.


    Anywho, anti-virus and personal firewalls are ridiculous concepts. You shouldn't have userland applications necessary for keeping other userland applications out of the actual operating system.

    --
    "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
    1. Re:Urg by MrCrassic · · Score: 2, Insightful

      Apple's install base tends to have more of a clue than Windows users and Linux boys can at the very least ID when they're infected or compromised.

      What?

      If you are talking about the population that uses Apple Mac products, then I think you are HIGHLY misinformed. The main reason why many of them made the switch is PRECISELY BECAUSE of their inadequate knowledge on how to protect their Windows PC from viruses, spyware, etc. Many experienced power users who run Windows (XP, at least) software have NO protection and can still have great security provided strictly by the OS. Are all of those configured BY DEFAULT? Of course not, which is a major reason for the "need" of AV/spyware products.

      And Linux users? Apple users know more than MOST Linux users who are usually MORE proficient in terms of security configurations and the like?

      I can almost bet that if a major virus, trojan, or hard-hitting malware were to infect OS X-based operating systems, and if it were as conspicuous as their Windows counterparts, then I assure you that the "base" knowledge (or lack thereof) would manifest itself.

  5. is this /.? by defwu · · Score: 4, Funny

    Seriously. A pro-MS article? What's next, Mr. Spock with a goatee? Doc

    --
    If at first you don't succeed, redefine 'success'
    1. Re:is this /.? by MrSpock · · Score: 3, Funny

      Me? Goatee? Highly illogical...

  6. Pretty crappy door IMO by Ren.Tamek · · Score: 3, Insightful
    "Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted."

    I'm sorry, but if I bought a security door that claimed it would keep out 99% of criminals, I would be a bit pissed off if I got it home and realised that an actual lock for that door was considered an 'optional extra'. The idea of browsing the internet with IE, no anti-virus and the windows firewall for any length of time, even no longer than it takes to download zonealarm and avg, gives me the heebie-jeebies.

    --
    "If you want a vision of the future, Winston, imagine a boot stamping on a human face forever." - George Orwell, 1984
  7. Missed? by schlichte · · Score: 3, Interesting

    Maybe I missed it when I RTFA, but it didn't mention which version of XP was used... a look at HP's site shows that the HP Compaq nc6400 did ship with XP Pro (whether that matters much compared to Home Edition or not)

    Also... were these systems run all the way default, as in, boots up as Administrator with no password? (again, not sure how much that matters in a test like this)

    I do agree with the title, flawed survey indeed.

    I don't blame Vista or XP so much as I blame IE version X.XX

    I'd like to see the exact same suite of tests run against the latest version of Opera, Netscape and Firefox.

  8. Security == knowledge and other stuff by kosmosik · · Score: 5, Insightful

    Of course from practical point of view XP right now is more secure. And I don't mean default install. For example take my company and few facts:
    - we managed to make the machines behave as we will
    - we have invested money into third party security software
    - we have invested time (which equals money) into free (as in speech) third party security software
    - we have some knowledge and experience into XP security -- after these - what like 7? - years who doesn't?!

    Right now we have quite healthy and working infrastructure based on XP and surrounding (like VPNs, IDSs, AVs, proxies, backup, imagining etc.) services. We know how to do it, we have experience.

    Now Vista from my standpoint is just big black hole - another system from MS that does not offer me anything significant but opens a can of unknown worms... I don't see any serious businesses building their security infrastructure around brand new shining Vista systems.

    Of course in *theory* Vista can be more secure, but from practical standpoint it is new and untested product that has been rushed to the market.

    It really depends on your security definition. Security is not a product - security is a process in which you have knowledge about what you are doing. In which you have educated users. In which you have policies and audits and so on. Vista isn't anywhere near to be even a stable product from security standpoint.

    1. Re:Security == knowledge and other stuff by ekhben · · Score: 2, Funny

      (like VPNs, IDSs, AVs, proxies, backup, imagining etc.)

      I like to imagine that my XP install isn't riddled with viruses, too.

    2. Re:Security == knowledge and other stuff by ekhben · · Score: 2, Funny

      No problem, as long as I can have my funny points back! :)

  9. Re:AV is not a lock by Short+Circuit · · Score: 2, Insightful

    Right now linux is more like an empty house. No one bothers to break into the house because they know there's not enough in it for them to do so.

    Corporate, government and financial databases aren't enough of an incentive? There's millions of dollars worth of information tied up there for anyone who figures out how to get at it.

    What about home routers? If you can hack into a few million broadband routers, you've got yourself a major botnet with little to no antivirus. Not to mention you're past the primary protection of the average home network. From there, you could spam networked printers with ad printouts and read the contents of any network shares. Not to mention sniffing and redirecting network traffic...
  10. XP vs. Vista is so ... (yawn) ... zzzzz zz z zz by icepick72 · · Score: 3

    I'm getting tired of the XP vs. Vista vs. XP vs. Vista vs. ... articles posted here all the time. Microsoft will eventually drop support for XP and will continue to support Vista. Microsoft will continue to focus on Vista. If Vista is now less secure than XP Microsoft will eventually make it stronger ... that is until the next Windows OS is released. Dammit we had to listen to XP versus everything-else-before-it. Tiresome, damn tiresome. No worthwhile discussion came from it last decade but you never know ....

  11. Re:Anything to slam MS by Stormx2 · · Score: 3, Informative

    What? I know we get a lot of "RTFA" around here, but read the fucking summary! Shall I condense it down for you further, since I see your time is precious?

    Study #1 finds that Microsoft has made no improvements (XP -> Vista)
    Study #2 finds Study #1 to be incorrect and badly done. /. reports on study #2.

    In essence, the story accepts that XP isn't as secure as it could be, but Vista improves on this significantly. It's one of the most pro-MS stories I've seen on slashdot for a little while now. Of course, I'd never touch Vista personally, but that doesn't mean it isn't an improvement over XP in security.

  12. So how do you do that? by Sycraft-fu · · Score: 4, Insightful

    How does an OS know what apps are good and what apps are bad? That's what a virus scanner is: It's a list of known bad apps. If one wanted a real world analogy it wouldn't be like a locked door or anything, but rather a bouncer with a list of people who need to stay out.

    Vista already has privilege escalation if that's what everyone is bitching about. So evil apps that want system access will have to ask for it, just like everything else. However if the user says "Sure, you can have that," what can the OS do about it? Apps don't have an "evil bit" they are just code to be executed.

    Same deal with the real world. If you choose to unlock your door and let someone in, it's not the fault of the people who made the lock or the door that you did.

    I think the grandparent is just another of many Windows haters that seems to think there's some magic that could be done to keep viruses out that MS just won't do. Well, actually there IS such a technology and that would be the scary version of trusted computing. If hardware enforced protections past what the OS could override, and checked signatures on apps, then only valid, signed apps could run. Provided the signing authority did their job, there'd be no viruses. Of course that would mean giving total control of your computer to a third party, something I think none of us want.

    What it comes down to is there is no way for an OS to both give someone control of their system and protect them from themselves. The ability to grant the authority to run code at a privileged level implies the ability to do it for both good and bad code. Thus the necessity of virus scanners. They maintain a known list of bad code, and can warn you if you try to run that. I suppose you could build it in to the OS, but it changes nothing, it is just a virus scanner that's part of the OS now. There's no magic juju, other than taking away the user's administrative rights, that will work.

    Just to be clear: By taking away administrative rights I don't mean running as a deprivileged user, Vista does that, I mean NO admin access AT ALL. No escalation, period. That'll do it. Indeed we do that at work as much as we can and on those computers, we have no problems as users simply can't install software. However to do it at home, well you can see how that'd be a problem.

  13. What? My linux box is 100% secure. by raehl · · Score: 2, Funny

    And since it's not plugged into an electrical outlet, it doesn't draw any power either!

  14. NO AV != No protection against viruses by A+beautiful+mind · · Score: 4, Insightful

    Let's face it. Anti Virus software is the day after pill. I daresay if someone relies on defending against viruses by antivirus software, the security model is already utterly, completely broken. So no, not including an anti virus software doesn't mean an operating system shouldn't employ design and tactics against viruses. Ars Technica is simply wrong.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  15. Re:Or ... people are still writing virii for WinXP by QuantumG · · Score: 2, Interesting

    The virus scene is dead. No-one is writing viruses.

    There are people who write worms and bot-net building trojans, but they have nothing to do with the virus scene.

    --
    How we know is more important than what we know.
  16. No Locks on the door? by smartin · · Score: 3, Interesting

    Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

    I think the point is that M$ should have learned their lesson last time, and the time before that, and made Vista such that having anti-virus software would be unnecessary. Or, in the terms of the analogy, having forgotten to put a lock on the door of their previous house and repeatedly come home to find their underwear scattered all over the yard, you would have thought they would have made a secure door this time.

    --
    The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
  17. Re:Isn't greater security a selling point of Vista by secPM_MS · · Score: 2, Informative
    Security is a selling point for Vista. For me, it is the most compelling selling point, although I do like search a lot as a feature. Now for my perspective on why Vista is more secure than XP:

    A lot of work was done to support running as normal user. This does not get much attention, but it means that I can (and I do) run as a normal user without administrative credentials (it is much harder to do this in XP). If I have to manage the system, I have to use full administrative credentials (read, su root). It also means that malware that might hit me does not have the permissions needed to modify the system. This is even stronger than the UAC protections on administrative users. My wife and kids run as normal users and do not have administrative access.

    A lot of internal work was done to reduce service permissions and internally harden the OS, including the introduction of the integrity level mechanism that is used to support protected mode IE. These changes reduce the scope and impact of local compromises.

    Enormous amounts of fuzzing of accessible interfaces and parsers were conducted and many issues were found and fixed.

    The security bulletin data since Vista has shipped suggests that there is reduction on the order of 2X or greater in bulletin class vulnerabilities. Indeed, the numbers suggest that Vista is running fewer issues than either OSX or the major Linux distributions.

    The user has a great deal of control about their vulnerabilities based upon how they configure and use their system. Microsoft exposes a very rich and neat set of functionality in Vista. If you are trying to reduce your security vulnerabilities, there are a number of things that you can do (at the expense of neatness and functionality):

    Run as a normal user, not admin (which is standard UNIX practice)

    turn off sidebar (less stuff running means less stuff to compromise)

    turn off scripting, activeX, multimedia, etc, in your IE Internet zone

    Add sites to your trusted zone (where scripting is allowed) only if you trust the site with your credit card info

    If you run a desktop suite, run Office 2007 rather than Office 2003. Note that Office 2007 almost certainly has fewer security vulnerabilities than Open Office.

    Be very cautious about what software you install.

  18. Re:Anything to slam MS by smallfries · · Score: 2, Funny
    The bit of the XP vs Vista comparison that I liked the most (in the summary of course, no I haven't RTFA) :

    Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

    To be fair, with windows you don't have to twist the lock... a strong fart on the way past would do it.
    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  19. In other news, it has been discovered... by SadGeekHermit · · Score: 3, Funny

    ...That submarines with screen windows offer slightly better floatation than submarines with screen doors.

    MacroSubs has affirmed that this is incorrect, however, and stated today that the question will be settled once and for all when their new submarine, entirely made out of screening material, captures the imagination of the nation with its launch in 2009.

    So-called "alternative" submarine manufacturers continue to insist on using steel for their doors and heavy lexan for their windows. They claim this quaint, antiquated approach lets them offer better floatation, efficiency at depth, and crew survivability, but independent studies have shown that their apparent "floatation edge" is due to the fact that far fewer of these submarines are produced, not any superiority in design. A. Noying, of an independent think-tank funded in part by contributions from MacroSubs, had this to say:

    "Look, we all know that as more of these all-steel and plastic subs get produced, you'll start seeing network effects and their buoyancy will be reduced down to normal levels. Currently, with only a few percent of the market, the oceans aren't interested in them as a point of ingress. This will change soon and you'll see some interesting numbers from my lab to back this up."

    When asked about the widespread buoyancy failures of MacroSub submarines around the world, Mr. Noying said only "it's hardly MacroSub's fault if submarine captains tend to drive their submarines into reefs and long-forgotten sea monsters. Their duty is only to make subs buoyant, not idiotproof. However, they are working on an interesting feature called USC, or User Submergence Controls, which should make things a little easier. The submarine will basically ask the captain if he's really, really sure he wants to increase depth, once per fathom. If the captain insists on running into that reef after all the help he's been given, perhaps he shouldn't be driving a sub anyway..."

    --
    NO CARRIER
  20. Re:Anything to slam MS by dotgain · · Score: 5, Funny
    I've been using it for a few months.

    It's almost done logging me in, in fact.

  21. Re:Inflamatory titles, this applied to corps ONLY! by bluefoxlucid · · Score: 2, Informative

    NO amount of buffer-overflow susceptibility can EVEN COME CLOSE to outweighing the security implications of having UAC - a restricted-user+sudo working model rather than XP's work-as-root one.

    ... *sets IP datagram length to 1400* ... *sets TCP datagram length to 63* ... *lets kernel copy remainder of IP packet to 63 byte buffer* ... *obtains kernel level access without even connecting to an open port, before the packet even reaches the installed zonealarm/mcafee/norton firewall or built-in Windows firewall*...

  22. Whose security? by Livius · · Score: 2, Insightful

    The "security enhancements" in Vista were to protect Microsoft from piracy, not to protect Vista users. Microsoft still doesn't care about them.

  23. Re:Anything to slam MS by dwarfsoft · · Score: 2, Funny

    You must be still clicking endless Cancel or Allows...

    Personally, I am waiting until at LEAST SP1 is released before I install it.

    --
    Cheers, Chris
  24. Dumb statements r us... by pookemon · · Score: 3, Insightful

    "'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software -- something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'"

    No, it's like comparing an old door without a lock to a new door without a lock and saying that the new door is no more secure than the old door. (Which sounds reasonable to me)

    --
    dnuof eruc rof aixelsid
  25. Re:Anything to slam MS by dotgain · · Score: 4, Interesting
    You're absolutely right, but now it's time for me to be truthful.
    My comment was based on my experience earlier this week on Monday, only the second time I've been close enough to be able to identify a Vista install, and the very first time I'd used it. It had just been installed (as well as Office 2007) by one of my colleagues on a brand new HP laptop. No, didn't get asked to Allow or Cancel anything, but what I did experience didn't surprise me in the least.

    From the instant I hit Ctrl-Alt-Delete (and this is after waiting for the machine to finish choking itself) it was the same familiar Windows experience - watching the HDD LED as if it's going to give some sort of indication as to when it might be safe to go on to the next step as the machine crawls through the login procedure - totally unresponsive for the majority of the time.

    People bag Windows about insecurity, DRM and UAC all the time - they're not the things I have problems with. I play the game, keep machines patched, AV installed if the shareholders demand it, and so on. My only real gripe with Windows is simply that I habitually find small sub-tasks to do like clip my fingernails or organise desk-drawers while waiting for countless delays my Windows box gives me. Screwed if I'm going to spend a month of my life waiting for start menus to render.

    Where with a different OS, I'd start the kettle boiling and check my email while that's going on, in Windows I launch outlook and then go and see to the kettle, because I know which will make me wait longer.

  26. I guess nobody noticed by Whuffo · · Score: 4, Informative
    The summary says that Vista has "taken care" of buffer overflow problems. I'd like to submit that one of the key features of XP SP2 was that they'd gone over the code completely and eliminated all unchecked buffers - which (according to MS) eliminated buffer overflow problems.

    Microsoft is their own worst enemy; they make wild claims about the functionality of their latest version but that functionality never meets their or their customers' expectations. Then some exploit points out that they were being economical with the truth. Much like a recently patched (again) exploit that affected 98, NT, 2000, XP and Vista. Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.

    I mean, how can a company whose email clients automatically launch attachments say that they take security seriously? Let's not get started on the brain-dead file association open / execution misfeatures in every version up to and including Vista. Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs. Combine that with browsers and email clients that automatically play WAV files and you've got a very exploitable platform.

    What continues to amaze me is that the file type security is applied based on the file extension - but when you execute a file, the system looks at the file header to determine how to open / execute it. This bit of design stupidity has been the cause of millions of systems being exploited. Just a simple check to see if the file header matches the selected file type would go a long way - but no, this is too difficult. Here, have a UAC nuisance instead...
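
The header-versus-extension check that the comment above asks for, as an added Python sketch; it is not part of the original post and does not reproduce how any Windows version handles files. The extension map, the function names and the sample bytes are all constructed for illustration.

```python
import struct
from pathlib import PurePath

# Assumed policy table (constructed): extension -> header types acceptable for it.
EXPECTED = {
    ".wav": {"wav"},
    ".png": {"png"},
    ".exe": {"pe", "dos-mz"},
    ".dll": {"pe"},
}
EXECUTABLE = {"pe", "dos-mz", "elf"}


def sniff(data: bytes) -> str:
    """Classify content from its leading bytes only, ignoring the file name."""
    if data[:2] == b"MZ":
        # A PE image stores the offset of its 'PE\0\0' signature at 0x3C.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "dos-mz"
    # WAV is a RIFF container whose form type is 'WAVE'.
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def check(filename: str, data: bytes) -> dict:
    """Compare what the extension promises with what the header says."""
    ext = PurePath(filename).suffix.lower()
    expected = EXPECTED.get(ext)
    actual = sniff(data)
    if expected is None:
        verdict = "unmapped-extension"
    elif actual in expected:
        verdict = "ok"
    elif actual in EXECUTABLE:
        # Executable content hiding behind a non-executable extension.
        verdict = "block"
    else:
        verdict = "mismatch"
    return {"file": filename, "extension": ext, "header": actual, "verdict": verdict}


def make_pe_stub() -> bytes:
    """Constructed sample: the smallest byte string that sniffs as PE."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def make_wav() -> bytes:
    """Constructed sample: a 4-sample, 8-bit mono PCM WAV file."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", 4) + b"\x80" * 4)
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    samples = [
        ("chime.wav", make_wav()),
        ("chime.wav", make_pe_stub()),   # the renamed-executable case from the comment
        ("setup.exe", make_pe_stub()),
        ("image.png", make_wav()),
    ]
    for name, blob in samples:
        print(check(name, blob))
```
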

  27. Re:Anything to slam MS by Hal_Porter · · Score: 3, Informative

    Of course the great irony is W98 is more secure than either.

    No it's not. I remember in Systems Programming for Windows 95, there was a great quote. They talked about protected mode, descriptor tables and so on. At the end of it, the author said something like

    "I bet now you're trying to work out if it's possible to subvert this stuff. Well, it's so easy that there's no point. Windows doesn't protect the descriptor tables from Ring 3 [the least privileged] code so it's easy to create a trap gate or call gate for yourself to get into Ring 0 [the most privileged] where you'll probably crash and burn because you can't handle interrupts correctly. It's a "personal computer" - and you're free to do whatever you want to it, just like you're free to run your car without oil until the engine seizes up"

    Which sums up Microsoft's attitude to security right up to the security push for XP that resulted in SP2 being deployed and all those patches getting downloaded unless the user stopped them. On the other hand people used to collect email over a dialup connection then if they used the internet at all and so the "personal computer" rule was kind of true. Before people started sending executables by email, probably the only ones people installed were ones that they got from the admin at work, or very occasionally bought in a shop.

    So Win 9x and Dos seemed to be more secure because they weren't under constant attack in the way that a machine connected to DSL most of the time and bombarded with malicious software by email and websites is now. Actually another difference is that Dos and Win95 were mostly configured as client OSs - they aren't listening for (overly) complex protocols over a wider range of ports the way an NT machine does.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  28. Re:Or ... people are still writing virii for WinXP by WillAffleckUW · · Score: 2, Insightful

    or ... you think acting like a lawyer wins you benes when it just gathers mala notes. ;-)

    --
    -- Tigger warning: This post may contain tiggers! --
  29. Re:Ok, major problems with that by Tony+Hoyle · · Score: 2, Interesting

    Show me the OS that can protect itself against a user with administrative privileges installing bad software. Unless you can do that, it really is disingenuous to demand that Windows should be able to do it.

    Linux (with selinux enabled) can be configured to do that.

    You miss the point though. A *user* with administrative privilege. That's the problem with Windows. The only person with admin rights should be the admin. Hopefully someone with enough clue to know what they're installing.

    Oh and you need to fire your Solaris admin. You don't *need* root to install any app in Unix. You can choose to install systemwide that often needs it (unless you've set up a nonprivileged account for the task).. but how many apps truly need that?