I have a Dual G5 to my right, and a Core Duo-powered HP laptop (same specs/chips as MBP, but with nVidia instead of crap ATI graphics) and the Mac is the machine I have to reboot at least once during the week.
Umm, why? Are you actually experiencing a gradual leak of resources that cannot be fixed by just quitting and reopening an application? The only person I know who had to reboot OS X regularly was a person who experienced regular crashes because of some bad RAM and the problem went away when they swapped it for a good pair of chips. I have plenty of apps on OS X that leak resources (often the same ones as leak on Windows) but I've never had to reboot the mac in order to solve the issue.
I'm not a lawyer, but that sounds illegal. Surely non-RIAA companies could sue Apple and/or the RIAA about such terms being forced on them by a competitor.
It's only illegal if you get caught. These agreements are almost always trade secrets and no one has standing to reveal them to the courts. Just because Apple says they won't sell you music without DRM does not mean the courts will let you see the trade secret agreement between Apple and the RIAA. Apple could reveal the info voluntarily, but unless the courts were effective they would have just flushed their licensing agreement down the toilet and seriously damaged their multimillion dollar iPod business. Nobody takes a risk like that for no good reason, especially when legally obligated to act in the best interests of the shareholders. The RIAA has already been convicted of cartel abuse twice for price fixing and once for payola so it is not like this would be unusual behavior for them.
A good example would be your activity as you start the PC in the morning: You launch Outlook to fetch email, a messenger, a web browser and probably additional applications such as a development environment. If you do this repeatedly and ideally in the same order, SuperFetch will recognize this and then proactively populate these applications into all available main memory the next time you start the PC. You should only wait for a few minutes before you commence work to give the SuperFetch service the time to "superfetch" your applications.
This is amusing to me because when I had a separate Windows machine I would boot it every other morning because otherwise it would be too slow to be usable (WinXP+some big Adobe apps). My OS X box, however, gets rebooted pretty much only when their is a software update that requires it. Windows XP "boots" in about 2 seconds, because I have a VM running on top of OS X so I just restore from a known good state every time.
It seems rather archaic to consider how long it takes to boot and start applications up when it is such a rare task. Not that I mind improvements, it just seems pretty useless to a person that does not have rebooting as a part of their normal workflow.
...as the from the apple-could-do-this dept. statement opines, but only for the artists and/or labels with direct legal standing to make such a request with Apple. Hint: it's not anywhere near the number people think it is. Even some artists who sell or provide DRM-free music via other channels may not actually have such a (legal) capability with Apple, for example, because their label's contract with Apple (or other stipulations) doesn't currently allow it.
I'd say the chances are about 80% that one of Apple's agreements with the RIAA stipulates that all music sold from the iTMS will have DRM on it regardless who it is from. It is likely Apple is contractually obligated to not provide DRM free tracks of any music, regardless of that label's wishes. I don't know why everyone seems to assume this is not the case in light of other contracts the RIAA has put such stipulations in.
Documents should be stored in some sort of version control system (CVS, etc). When you hit the road you check out the revision you need and store it locally. Not exactly hard.
Well, Firefox 3 is supposedly going to support running online apps, offline, so that partially mitigates this. I think, however, going for version control is aiming too low. Rather, replicating the functionality of a full content management system would be a more useful endeavor that takes more advantage of a service being online. It might be nice to be able to work with a version of a doc and merge it with other versions, but think how much better it would be to have smaller chunks that are single sourced. What if the legal boilerplate in your document and all others automatically updated when the legal team made a revision or the copyright date changed? What if you had the option of updating the feature description you "copied" from a whitepaper when one of the developers noticed in the original document that it was incorrectly reflecting what was actually implemented in the production system? There is a whole lot of duplication between the documents that ship from a given company, and reducing the duplication of effort and making it easy for users to find any bit of information and globally update that information within your company is a real timesaver. Versioning is only one part of what such an integrated system can do.
The cost savings isn't what its cracked up to be either, since the cost is $50 per employee, per year. It seems like Microsoft is about 4-5 years between major releases, so your cost is $200-$250 per seat for 4-5 years.
I'm not about to jump at this either, but I think you're way off base with this comment. The Office cost was yearly as well and if anything was hugely understated in that it does not include the yearly Windows cost (which is not required with the Google solution), the cost of providing and administration for the Web server, e-mail server, and backups (which is included in the Google offering), the cost of assuring your licenses are in compliance (not an issue with the Google version and little chance that the BSA will come after you), or the cost of direct phone support (included in the Google offering).
Google's product is different with a variety of strengths and weaknesses compared to traditional MS Office, but the cost comparison was very understated, not overstated.
If you're looking for the state of the art today, take a look at the SubEthaEdit text editor for OS X. Basically, it is a text editor that can post a document on a LAN (autodiscovery via zeroconf) or on the internet if you know the hostname or IP and allow for collaborative editing. What is really nice is it has multiple, real time cursors so everyone can be typing at once with their own insertion point. It makes pair programming so much easier than hacked together solutions where giant chunks of text are suddenly appearing or where you have to trade control of the cursor off. The zeroconf discovery is really the icing on the cake. Go to the coffee shop, open the program, and select the file with no messing around with setting things up or connecting to one another somehow. I've seen it used for collaborative fiction as well.
They're focusing on the $225 vs $50 per employee per year, but $225 isn't the TCO number. You also have to calculate the salaries of the IT staff who maintain the company email server and such, or the hosting for the same.
Don't forget fileservers for the data and backup of it and administration costs for those. Also don't forget the cost of installing and maintaining licensing for office applications as well as the danger of accidentally installing too many copies of office for your licenses. Don't forget the cost of direct phone support.
That said, this would not fly at my company for two reasons. One, although several browsers are working on it, running apps like this when the internet connection is down is not feasible today. Two, it just is not secure enough for sensitive business communications. We need to control who has access to our files and that includes from Google. We need to be in control of when files are deleted and assured that they are gone for good, for both legal and strategic reasons. Google seems to be run by good guys (including a few people that used to work here) but that is not "good enough" for the board of directors.
I see this really taking off in the education and home markets, with some use in certain small business environments. Until it is proven for the above security aspects, however, I don't see any enterprise business seriously considering it, despite the cost advantages. OpenOffice makes a lot more sense.
Nope, engineering, but I have helped out with white papers and technical reviews of marketing materials. I was told just the other day that marketers are allowed and encouraged to increase the English lexicon with wonderful new terms.
Google for "windows local privilege escalation" and you will find about one in five of the resulting thousands of hits is a long standing unpatched escalation in XP. Here is one that has been unpatched since 2004. Vista hasn't been on the market long enough to build up such a list, but unless MS has severely changed their methods the vista list will just as long soon. Here is a link to one reported three days ago which is unpatched. I don't think there has ever been a time when there was not at least one outstanding, public, unpatched, local escalation in Windows. They are not even considered serious by MS and are so common they don't make the news, unlike local escalations in other OS's.
It's not really quite as big of a deal as people are making out, due to the rarity that it would ever work (installing software as non-admin).
I disagree. Most users need to install software or their computer does not work for their everyday tasks. MS's decision means most users thus need to be admin to run the average installer and so will expect to have to authenticate when installing anything. This means it will not be uncommon for admin privileges to be asked for when installing some small, non-malicious piece of software making the process identical to installing a rootkit and meaning the user is given no warning at all when faced with a trojan.
However, I do agree that its a shame you cant just runas and run an installer as an arbitrary non-admin account.
Theoretically, users can run installers as non-admin, if they do it manually. The problem is in practice this will not work because of MS's defaults and how that will affect developers' installers. Because of this default by MS, software people use will expect to be admin and be developed and tested as such. It completely undermines the idea of using user accounts to stop malware.
Is that really a fair comparison, though? Google's email is great, but their Spreadsheet and Word Processor solutions are nowhere near as sophisticated as MS Office. And in an office environment, many of those differences do matter.
There are advantages and disadvantages to both systems. You're correct that Google's offerings are not as featureful. They also require Web access at all times to use (for now) which is a huge drawback for many people. Also, sending confidential over the network is a security no-no for a lot of organizations.
Google's offering has some real advantages too. You can access it from any machine, including one at work and home or one at home and school and the library. Google's offering runs on any OS, a big plus for the many organizations looking at Linux as a viable solution. They also offer easy migration to and from other formats and standards compliance that makes them eligible bidders for some jobs Word currently is not compliant for. Google's offering includes backed up disk space and direct phone support both of which are nontrivial expenses. They also offer better options for document collaboration at this time.
I don't see Google as a real contender in a lot of markets, but I do see them as having real advantages for some market segments, especially education where if schools are remotely sensible they will begin migrations pronto which will, in turn, lead to increased adoption in the casual/home/freeware market segment.
I'm not sure what this means, but I dont believe this is correct. Privilege escalation exploits get found and patched a couple times a year. The patch applies to all versions of the OS, since they're all the same core. Are you saying that they release patches but fix the patch so that it explicitly wont run on the Home versions?
First, you'll note I was speaking specifically of local, not remote elevations. In general, MS only patches local escalation exploits under the following conditions: It is found in the server edition and publicly known or it is found in the desktop version and it is publicly known and someone feels like it. Prior to Vista, this did not matter much because nearly everyone as an admin in order to do anything anyway. It is so trivial to find a local escalation in Windows it is not even considered an issue. The consensus of the security community is and has been that if you can run code you can elevate that code.
I'm not at all sure what you mean by this, but as stated, this is flatly incorrect.
Read this article which was also covered on Slashdot. By default installers run with admin privileges, which means they will be designed to run with admin privileges for the foreseeable future. That means little timmy will regularly download installers and be given the exact same procedure for installing a rootkit as for installing a freeware game of something.
Signing allows me to identify where the application came from and that it has not been modified since it was signed. It's extremely useful. Get a grip.
Okay so you're Joe average user. An application is not singed or is signed by someone you've never heard of and don't trust. How does this help you? It basically doesn't. Most people just take a chance and run it and hope for the best because they don't have a better option.
Measure input from multiple groups about what? Are you saying that you want people to vote on whether or not an application is safe? That's an interesting idea, but one that doesn't exist anywhere right now, as far as I know.
Take a look at the blacklist services packaged with fancy scanners from Norton and Symantec and MS. What if instead of just a blacklist these services or others like them provided trust levels. Application X gets a grade of C, because the publisher is known, but we haven't verified that their ACL is correct. Application Y gets an A because we tested the ACL included with it an it does nothing unexpected and the app remains within the bounds of that ACL. Suppose further that you can subscribe to several such services both free and pay and the results will be merged based upon how much you trust each of these services.
I'm not talking about users voting on what applications to trust, I'm talking about free or pay services that test and rate application and provide ACLs for applications that did not ship with them.
You have any documentation about how the Mac magically makes it so that unmanaged applications can be restricted from performing tasks that the user running that application can perform, and in a manner that would not require all existing applications to be rewritten? No, I suspect you don't.
Yes. Google for "mandatory access control" All of the existing ones work with software not designed for them, albeit not ideally. MS is already fudging things with legacy applications and they can do more such behaviors even so far as providing a VM in extreme cases, although that is obviously not ideal.
There are certain vital requirements that you need to have in order to make sure an application can only do certain things, regardless of the user's privileges running it.
The MAC framework from TrustedBSD already runs on OS X 10.4 and Apple is working on their own that was announced for OS X 10.5, but then vanished from their public docs. You don't need a particular programming language or framework, although it certainly helps to use standardized APIs and services. SELinux, Solaris, and OpenBSD have had functional MAC frameworks for a long time, although they are aimed mostly at the secure server and government workstation markets.
Oh, so you haven't even used the product your bashing incoherently.
Nope, it isn't free and is not licensed to run in a VM unless I want to shell out big bucks. Also, our company evaluation found no reason to move to it until it has at least stabilized for a year or so. I work in the real world. We're discussing why even in theory the security mechanisms they have implemented are not sufficient.
As far as "persistence" of authentication, yes, they do have that. When you authorize something to run elevated, it continues to run elevated until you close it.
When last I used it this applied to only a given application, not a UI session, and did not even apply across all of the explorer application. Has this changed?
What list are you looking for?
Default enabled network services, also known as chinks in the armor.
That article points out how Microsoft dramatically improved the security of services in general...
No, is says they drastically improved security, with precious few details on how they claim to have accomplished this or how they are measuring security for an OS that has not yet been widely field tested.
I think you're missing the point here. It isn't about "simulating mouse and keyboard input is the only possible attack vector", it's that you don't want excessive UAC prompts, so anything that doesn't require admin access should be allowed to start without prompting you, right?
Wrong. Applications should not be restricted by running as the user or by running as admin. They should be restricted to running within the ACL that shipped with the application and within the ACL for the trust level for that application. Applications should prompt when they want permission above and beyond that combination, which is to say almost never with legitimate applications.
That's what happens in MacOS and Linux.
Mac an Linux do not have a malware problem. Mac and Linux both have MAC systems like I described available, but they are not installed by default because no one needs them because there is not a malware problem. Windows needs to do better because they do have a malware problem.
But the point I'm making is that these programs that you "allow" to run, including malware (you're allowing it to run but not realizing it) can still wreak havoc on your system.
This should not be the case. See the above description of ACLs.
Hence Microsoft's decision to trap a lot attack vectors (deleting files, accessing the control panel, etc.) with UAC prompts. What's the problem here?
This is wrong because the UI component is completely broken. False positives are way, way beyond the threshold where such a system would be useful for a normal user. They will simply click "allow" out of reflex. People are not machines and cannot be treated as such.
You make good points about MACs, but there's plenty of drawbacks to them. If you have a bad security policy, you're still open to attack.
Yeah and if you have a lousy firewall policy you're open to attack, how is that an argument against using them?
On that note, configuration is incredibly complex. Who's going to provide a new security policy for every single new program that gets added to the machine? The average user? Surely you jest. The application provider? That couldn't possibly go wrong.
I described this above. For a given trust level of application (pre-installed, signed and certified, just certified, just signed, install from CD, install from internet) you have one or more ACLs. Each application also ships with an ACL from the application developer. If you trust the application enough it uses just the included ACL. If not, it is restricted more. If any app wants more permission it asks, but since this should almost never happen false positives will be extremely rare.
And if you think blindly clicking "Allow" on security boxes is bad, just wait until users blindly accept security policies!
A user should never be presented with an "OK" or "allow" button and you'd never be accepting arbitrary policies, just specific actions uniquely labeled. Compare: "program 'MarsKiller' needs admin access (allow)(deny)" with "The program 'MarsKiller' would like to read your AddressBook file (Stop it from reading AddressBook)(Let it read AddressBook Once)(Always allow it to read AddressBook)." Do you see the difference in both the specificity of the information and control and in the UI? In the first case the user doesn't have enough information to make a good choice and if they deny the application they don't get to run it. In the latter case they know exactly what it is accessing and can deny access without necessarily giving up on playing the game.
There's also CPU overhead involved
Compared to other features in Vista there is not significant overhead and this amount will decrease as their are fewer and fewer legacy programs running afoul of ACLs.
Hmm, maybe there's a good reason a user-friendly, commercial MAC implementation hasn't been implemented yet...?
There is an excellent reason. The only demand for such a
Aside from the "open" part of your request, Microsoft does have this. Applications can be signed using digital certificates, and policies can be used to restrict access to certain applications based on these policies.
First, signing alone is useless. It is one of the three vital components of a MAC desktop. Second, unless it is open to all comers it will be fairly useless. Competition among verification services is the only way to get accurate ones.
Applications can be signed using digital certificates, and policies can be used to restrict access to certain applications based on these policies.
Applications don't ship with ACLs, I don't see a way to measure the input from multiple groups, and I don't see a distinction between certified software from a given domain and verified software from a developer or third party.
Your request regarding being able to restrict what that app does is not really possible in the non-managed world, but it's exactly what Code Access Security does in the.NET world. Vista includes.NET v3, so we'll see a lot more of these things being used more frequently.
It is very, very possible in a non-managed word as you put it. MAC have been in use for over a decade. If one was included and enabled by default in Windows, developers would code with that in mind. What makes you think it is not possible?
I've seen this several times on Slashdot. NO IT DOES NOT.
I only tried RC1 and it certainly did then, but regardless by all accounts there are a great many notifications for common tasks. One fairly reputable review on a security site I read showed it appearing 7 times while the user attempted to change their IP address. Because they decided not to use persistence of authentication for a given period it will almost certainly appear a lot more than sudo based systems. Add to this the terrible UI (Allow)(Deny) that does not have unique action for a given prompt and it is certain to be fairly useless to the average person.
That site lists services that you can disable without it breaking Vista. That's a *lot* different than services that you can disable without affecting Vista's common functionality. Sure, I can disable the service that handles network device discovery, but then all of a sudden I can't connect to my Xbox 360 anymore.
I don't have an Xbox. I never plan to. So that service for me is simply a security hole. You don't see that as a potential problem?
Microsoft spent a lot of time making sure things we not enabled if they didn't need to be to support common use-cases out of the box.
I scanned through that article the other day. I did not see it listing the services. It looked like PR fluff.
Really? Why? Seems to me they did exactly that.
Are you joking? Do you work in security? If someone asked me how to redesign Windows so it was secure I'd immediately look at the high security projects like SELinux, realize that it is fundamentally a more secure model for computing and it is already supported by the NT core and the design would be a no-brainer. I certainly would not think about adding hacks on top of Windows with no real changes. I seriously hope you are not a security engineer if you actually hold said opinion.
I would say you're completely wrong. The biggest changes in Vista are centered around security.
No, most of the work in Vista was expanding into other markets and embracing them and trying to gain feature parity with OS X. Vista adds eye candy, searching, widgets, expose, included apps, etc. in order to try to counter Apple's slow gains in market share. They add XPS, defender and several other features to move into the PDF tool and antivirus markets. The security they added was more one to add the perception of security than to add real security. Do you really expect this to stop the proliferation of malware?
Not only that, but it's the first consumer OS to com
I'll try ANOTHER example, because you're starting to catch on.
I'm not "starting to catch on" I'm trying different ways of getting through your thick skull. You completely ignored my examples and did not answer my questions. I'll answer yours after you go back and answer mine. It's called the rules of rhetoric.
ouldn't you like to be prompted if you somehow picked up a piece of malware that wanted to randomly change your desktop background, delete the files in your home directory, empty the recycle bin, etc.?
Yes. What does that have to do with anything? Are the programmers at MS so incompetent they can't tell the difference between my mouse input to explorer windows and a random binary taking the same actions? The NT core was built with ACLs to restrict applications, why are they only used with IE?
You're expecting Vista to "know" that it's "you" performing these actions and not some piece of malware that's doing it programmatically.
I'm expecting any OS that is compromised by malware 25% of the time would enable application level security and restrict behaviors not only by explorer, but also by every other application running including said malware. It shouldn't have permission to simulate mouse and keyboard input by default.
You're looking at this from the perspective of Linux and MacOS, which really don't have much of anything in the way of malware. Windows, unfortunately, does.
Yup. Windows has a malware problem so it needs to be ahead of the curve, not behind. On Linux I can run SELinux to restrict applications. Apple already announced they are working on a mandatory access control framework and there is a third party one available. Neither is polished or well integrated into the OS, but there is no real demand on those platforms. What is MS waiting for, must a dozen other companies do everything before they get off their butts? Can they truly only copy and when they have a problem other OS's don't Windows users have to suffer?
And part of the problem is that malware can still wreak havoc on your system even if you aren't running as an administrator (i.e., I would be just as devastated to lose all the files in my home directory as I would the entire system).
This is exactly what MAC is designed to stop. There is no reason random programs should have access to delete my files unless I give it to them. This is a solved problem that MS is ignoring.
So what does Microsoft decide to do? Plug up the holes with prompts. Yes, it does seem excessive, but they're doing the responsible thing.
No, the responsible thing is to rework your OS so users don't need elevated privileges to do simple things, so it can determine and restrict what applications are doing, and to create default ACLs so that users are almost never prompted for anything unless it is malware.
If one day you were using Windows and out of the blue you were prompted to allow or deny "del *.* in home", you'd probably be thankful it was there.
Most people wouldn't understand what that meant and would click "allow" reflexively because thy had been conditioned to do so by hundreds of unneeded prompts. Most people would probably click "allow" before they even read the prompt. This is not their fault. It is the result of a security scheme that ignores the human interaction component and assumes people will behave in unrealistic ways as though they were computers themselves. People aren't computers. After a few hundred times, we stop paying attention and that needs to be accounted for in the design of a security system.
You ask what MS could do, but they could do much, much better than this simply by doing a better job of copying others. Or they could *gasp* actually innovate and be the first to implement a well designed MAC framework with good usability for a desktop OS. What are they doing with those billions?
Do people here honestly think that a site that refers to Microsoft as "The Vole" would give a fair minded, intelligent, and well though out review of a Microsoft product.
You're right that the Register makes a lot of incorrect assumptions and mistakes and it is good of you to point them out. On the other hand, however, they are simply pointing out issues from their perspective and experience. Some of their opinions are far fetched, but at the same time I think their premise is correct. This is too little too late. Users have been besieged by malware and given huge lists of things they shouldn't do and MS has not effectively responded. MS has finally managed to implement a better default account, but limiting applications by user has not been "good enough" for many years now. MS should have taken the lead and brought real security to the masses, but they have fumbled the ball this time.
Wrong. It works regardless of what user you *think* you're running as. An admin account on Vista (with UAC enabled) is NOT AN ADMIN ACCOUNT. It's a limited user. The *only* difference is that an admin account isn't prompted to type in credentials in the UAC prompt, where as a limited user is.
I don't want to argue details of their user account scheme, but I think after enough security people have looked at it that it is clear they did not think it through. All installers are free to go wild. That is a hole big enough to drive a semi through.
Ok, smart ass. What's a better solution? Get rid of admin accounts entirely? Don't allow any programs to run at all? Never allow a user to connect to the net? Oh, how about only allowing signed, Microsoft approved applications to be installed on Vista.
Microsoft should absolutely implement an application signing scheme, but not to allow or deny applications the ability to run. They need an open signing/certification framework where you users can subscribe to multiple services and use the merged results as a method of determining trust. That is step one. Let the OS and users know how trustworthy a binary is. Some.exe I just got aimed by a stranger with no credentials should not be given the same level of trust as the pre-installed wordpad program which should not be given the same level of trust as Adobe Dreamweaver.
I'll repeat this again, this should not be used to stop applications from running, but to determine what those applications are allowed to do by default. Running with all the user's permissions, with complete access, or not at all is not sufficient granularity. Vista should be using the ACL framework to restrict new applications by default. Also, the format for applications should be changed to include an ACL, so applications can be further restricted by that ACL and so that more trusted applications can be assigned an ACL that does not result in pestering the user with unnecessary prompts which lead to decreased awareness and conditioned responses.
Having an admin account on the machine is unavoidable if you ever want to do anything on the machine past checking your e-mail and reading high-quality publications like The Register.
Only if Vista does not allow applications to be installed within a user's account. When you add in that functionality, you've accommodated most users entirely.
Now, instead of the occasional annoying OK button, you'll have an OK button and be required to type in admin credentials. If you're the guy who setup the machine, you know the password. If you're not, then it works just like it does now.
If you aver see an "OK" button the OS has failed. "OK" is not an action. "OK" is a meaningless button people click to make their computer keep working because they been condition by repetitive behavior for years. All buttons should be actions for the user to take and they should depend on what the user is doing.
But Microsoft *must* support as many legacy applications as possible.
...same can be said for Apple users. I have seen the Apple users here enter in their password when prompted too.
Usability studies show this is actually much less common on macs because users are rarely asked for their password on macs so they are much more likely to question the behavior. Also, for the most part the users are right. They don't have any negative consequences from randomly entering their password in some field because of the market realities. A targeted attack can certainly affect Mac computers and their security is not ideal, but they do not suffer from widespread exploitation. If they did, the OS would be fixed to deal with this because Apple has to keep users happy to make sales. MS is a monopoly and does not have to so widespread exploitation does not bother them (financially).
Policy kicked in and their macs were rebuilt.
Umm, I'm not sure there is any logical reason for this. How would a Web site do something malicious with their password on a default system?
The main point is that stupid user is not limited to just ms, it exists everywhere.
This isn't about "stupidity." his is about normal users performing normal behaviors and the likelihood of their machine being compromised. That is what determines what security measures need to be implemented. Windows needs to have much tighter security than Macs because Windows is subject to attacks all the time and 1/4 of all people are currently infected with malware.
As far as the firewall goes, a single application is can be granted access... The default behavior is to prompt the user if they want to allow a program to access.
Yes, but it can't be granted access easily by the user so the user ends up just turning the firewall off rather than dealing with regular prompts. Usability is a security concern. Theoretically, I can sandbox every application I run on Windows within a VM, but I'm not going to because it is a huge pain in the ass. You can't just ignore the user when designing a security system and assume they will somehow change their behaviors to match a security model they do not understand. Users want to perform tasks. The OS needs to be designed to make performing those tasks securely, a simple one.
The right way to do this is with ACs that restrict application not only by network access but also by files they can access and other system resources. Restrict every pre-installed application to just what it needs to do to stop buffer overflows from having free reign. Restrict new applications based upon how much they are trusted. User certificates to determine if they are certified as coming from a particular domain and if they have been verified by independent parties. Assign them a combination of the ACL included with them and a more restrictive ACL for each trust level in order to make sure they are not behaving maliciously. This would reduce the number of user prompts 90%, while actually providing them in the cases it is really needed. It would require serious modifications to Windows and to the format for application on Windows, but MS is in a better position to do that than any other OS vendor. The only reason MS did not do this 5-10 years ago is because it would cost money and it brought them no real benefit. As a monopolist it made more sense financially to work on DRM and embracing other markets by building competitors into Windows than it did to fix their security nightmare.
So the real problem is USERS choosing to run as admins and blindly downlaoding[sic] and installing things they shouldn't...
Why do people own computers? What is their purpose? They run arbitrary software. The problem is Windows is not designed to run arbitrary software safely. Also, users don't know what an "admin" account is or why they should have one. They just want to install and run software, without letting that software have free reign to own their machine and send spam. That's not too unreasonable in my opinion.
When you tell a child to not do this or bad things will happen do they usually listen?
That depends on what you call "bad things." For example if you tell a child not to speak, either they do so anyway or they grow up with serious mental problems. That is because speaking is a very basic and common behavior.
If you go to places known to be full of sickness and disease who do you blame when you get sick?
Well that depends, can other people go to those same places and have basically no risk of ever catching a disease because they made better choice and decided not to suppress their immune systems? Running Windows is like suppressing your immune system.
The blaming of MS for the huge numbers of malware out there is stupid.
Users want to run arbitrary software and visit arbitrary Web sites. That is why they bought the computer. There is no reason a properly designed OS cannot do these things. MS has not properly designed their OS, so doing common things safely is very, very hard. This is because MS is a monopoly and they don't lose any money when they deliver a product that is crap. Fix the OS, then if users make unreasonable poor choices (like installing arbitrary binaries and specifically allowing it complete access) you can complain. It is not unreasonable for me to assume I can visit any Web site without having to worry about malware. It is not unreasonable for me to be able to double click on a random binary someone IM'd me and for me to expect it won't be able to start sending spam e-mails without the OS informing me or giving me the option of stopping it.
Do they honestly think it would be any different if any other OS held 90% of the computer market?
I think it would be very different if no OS held 90% of the market and OS manufacturers have to actually give customers what they want. I think it would be different if Linux had 90% market share because, by nature, it cannot exercise monopoly power and would have to give customers what they want. If MS were broken up into two competing Windows companies, there would be a relatively secure version of Windows within 2 years. If Linux gained 90% market share, malware would be ported in a month and in 6 months mandatory access controls and trust systems would be standard in 6 months making almost all that malware useless and reducing the problem to a tiny fraction of what it is today.
It's like blaming banks for the existance of bank robbers.
No, its like banks blaming robbers for getting away with all the money, when the bank did not bother to install a vault and just leaves all the cash in piles in the back room, with an unlocked window and no security cameras. Banks perform due diligence to prevent robberies, MS does not.
Get a clue. Please!
You're the one who needs to wake up and take a big sniff of what you're shoveling.
I think a large part of security involves the self. People don't do enough thinking, and are too lazy to follow simple security procedures.
Oh those poor, stupid users. Can't they follow "simple security procedures?" For example, if a user wants to run some game posted on a Web site all they need to do is purchase and install a virtual machine, then install Windows again from scratch then copy the binary into the VM's shared folder, disable the VM from having access tot he internet and the shared folder, then run it in the VM. I mean what is wrong with these stupid users? It only costs $80 for a good VM a user can install and with a week or two worth of training courses they can probably learn how to do installs of Windows. There is only a 50% chance the Windows activation will break the VM and stop it from working.
Users do need to be educated, but not until Windows is fixed so that it is easy to perform simple tasks like running untrusted software safely. Right now you need to be an expert to use Windows safely and that is unacceptable. Blame the OS until it is fixed, then if users still mess up you can start blaming them.
No automated tool or system, that allows some freedoms can protect people entirely. Think about it, the OS'es solution to malware? Only allow MSFT signed binaries to run. But this is horrible as it means only MSFT can authorize binaries and it cuts out 3rd party developers.
No system can protect users entirely, that does not mean we should ignore all security measures and give up and rely upon people to learn incredibly complicated and expensive procedures in order to perform simple tasks. The solution to current malware is to increase the granularity of security, introduce trust mechanisms, create a UI that was not written by morons, and give the users the information and control they need.
There is no need to allow or disallow binaries to run if they are signed by MS or anyone else. Windows has had a proper ACL architecture in place for years, they just haven't implemented it in the rest of the OS or let users access it. Here's an idea, how about if I download a random application that is neither signed nor certified and was not pre-installed, by default when a user double clicks on it it runs in a sandbox defined by a default ACL and is not given permission to do anything it wants. How about when it tries to install a rootkit the OS provides a useful dialogue box that reads "The program 'MartainHunt' would like permission to have complete control of your computer for all time (Stop it from controlling my computer for all time)(allow it to control my computer for all time)." How about if it tries to harvest my e-mail addresses it pops up a different dialogue box that still does not have OK/Cancel in it, like "The program 'MartainHunt' would like permission to read your AddressBook (Stop it from reading my AddressBook)(allow it to read my AddressBook once)(Always Allow it to read my AddressBook)." Why is that so hard?
The reason Windows is a security nightmare is because MS did not design it properly taking into account what kind of malware is out there and what tasks users need to accomplish. If they were not a monopoly they would be slaughtered in the market by now. Stop blaming users. They have perfectly reasonable expectations for their OS that are not being met.
I can not imagine why a tax preparation office would need a 802.11 network if 20 people are sitting in front of their wired computers and execute only one officially approved software.
But is this the situation we're talking about? We were discussing instances where employees bring in a wireless access point from home to use. In the above situation they should be unable to connect to that wireless point or run Web apps. When users bring in a wireless access point from home and are using it, usually that is because it provides them with some real benefit and you need to look at what that benefit is and why they went to such an extreme. Maybe it is simply surfing Web sites for fun while on break and there is real value in providing that access to them in a controlled way. Improving morale by giving employees a better workplace is one of the cheapest and most beneficial ways to increase security and get more work done.
I don't quite understand what you are saying here - do you advocate vigilantism?
No I advocate a flexible network that is not so brittle that an average user has to go to IT to do something new.
I don't quite understand what you are saying here - do you advocate vigilantism?
Those types of changes are minimal compared to changes that do not have larger security concerns attached. By building your infrastructure to be secure in the face of slightly changing conditions you speed up the workflow, have fewer instances where IT has to intervene and are more resistant to new types of malicious behavior. Do you know what the most likely way for your data to be compromised is? An insider copies it and takes it home and sells it. You can try to lock down your workplace with cameras and disabling all USB ports and bluetooth and by locking down every machine to the point that if someone needs to run a new piece of software they need permission to go to various sites to research them and then permission to install and run it and permission for it to access files from the internal file server, but they can still print it or take pictures of their screen w/ a camera. Realistically, treating your employees with a certain level of trust is more likely to make them not steal the data because they feel bad about violating your trust.
Security is more than a technological problem and security is not an end goal in itself. You have to look at the real risks and rewards of some security measure not only on security but on it affect on users to efficiently do their jobs.
Come on. More than anything, Microsoft is in a no-win situation to try and protect people from themselves.
Wrong. MS's is in the position of having to implement more fine grained security than "don't install the program" and "let kill babies and piss on the carpet." Stopping malware isn't protecting users from themselves, its giving users the option of performing normal tasks like installing and running random software from the internet safely. Vista fails to give users a measure of how much they should trust a given application, inform the user what an application is doing, or sandbox it so that by default it is not allowed to read your e-mail address book and start running a spam server.
If everyone ran Linux instead of Vista there'd be the same damn problems.
Again I disagree. If everyone ran Linux tomorrow, malware would be ported in a month and in 6 months every major distribution would implement fine grained security such as mandatory access controls and trust protocols/certification needed to stop the current breed of malware. The only reason these technologies are not mainstream on Linux today is because Linux does not have a malware problem. Linux is responsive to customers because it is not a monopoly, so it actually adapts to solve customers problems.
If a thirteen year old wants to download smileys for their IM client, the kid is going to do it.
Agreed.
If the software has spyware, then that spyware would do what it takes to open up or break the system. It's pretty damn hard to code against human behaviour.
You should code for human behavior, not expect users to change. What is so hard about running new software in a sandbox with restricted access to the rest of the system and a good UI and trust framework? Sure it is not super easy, but what the hell has MS been doing for the last decade since malware exploded on their machines? Linux, OS X, Solaris, and the BSDs all have better options for this than Vista and Windows is the only one that really needs it. How hard is it to stop all applications form accessing my e-mail address book or sending mail unless the user approves it? Most people never install a new e-mail client so would never see this. 99% of the time someone did it would be a worm and would let them stop it. 1% of the time they would be installing an e-mail app and it would not be unexpected. This isn't rocket science.
Microsoft can't fix the users, there will always be the crowd blindly clicking OK or tuning off the firewall because their game's troubleshooting tells them to.
"Users blindly clicking OK." Where to start. First, it is MS's fault that they designed an insecure UI that uses operant conditioning to train people to blindly click "OK." Thousands of useless dialogue boxes with technobabble where OK means "make it work again" and surprise surprise people always click "OK." Second, if the OS ever shows the user an OK/Cancel dialogue box, it has failed. All buttons should be labeled with a real action that applies to what they are being asked. "OK" is not an action. "Let it control my computer for all time" is an action. UI design is part of security and it is MS's fault they have ignored that.
As for the firewall, why isn't there an option to allow a given program to access the network and not let any other application do so that is as easy to access as turning off the entire firewall? Why isn't it in the "File menu" under "allow access to the internet?" It is MS's fault for not making this task easy and the result of people disabling their entire firewall.
If someone figures out an exploit to make that "OK" automatically, yes, running as admin will be significantly less secure. Until someone figures that out, though, running admin with UAC on is just as secure as running as a limited user.
I know a great way to do that, but it will take a lot of work from the inside. What if we spent an entire decade using operant conditioning to force people to click "OK" over and over and over again just to keep their machines operating and doing normal tasks and without ever giving users useful options. They'd be so conditioned to clicking "OK" they would do so automatically regardless of what the dialogue box said. Sure it would only work on 99% of users, but that's quite a few... oh wait someone beat me to this and started this scheme more than a decade ago. Never mind.
And as far as users finding UAC "annoying", riddle me this: how is any more annoying than Linux?
On Linux most software installs and runs just fine in a regular user account. To date, this is not so with Windows, leading to more, useless prompts. On Linux, authentication persists for a period of time so if you take privileged actions you only need to authenticate once, not once per action, like copying files from a network share and then copying them to a privileged location (which should not have to be two steps anyway, but seems to be on Vista.
You can't blame M$ if stupid users disable security features they find "annoying" while praising Linux for doing the same thing.
Yes I can because MS has more money than god and should be able to spend some of it on a good UI that takes security into account, as well as more granular security features. Mainly I blame Windows for not implementing an appropriate level of security for their OS. Windows machines are compromised by automated worms, en masse every day. If that was true for Linux, Linux developers would fix the problem in a a few months tops by implementing MAC, trust levels, etc. I don't blame MS for any given technological decisions. Everyone makes mistakes. I blame them for not giving a shit about user security because as a monopoly it does not affect their bottom line. No other OS would tolerate this level of compromises because they have to be responsive to end users.
Umm, why? Are you actually experiencing a gradual leak of resources that cannot be fixed by just quitting and reopening an application? The only person I know who had to reboot OS X regularly was a person who experienced regular crashes because of some bad RAM and the problem went away when they swapped it for a good pair of chips. I have plenty of apps on OS X that leak resources (often the same ones as leak on Windows) but I've never had to reboot the mac in order to solve the issue.
It's only illegal if you get caught. These agreements are almost always trade secrets and no one has standing to reveal them to the courts. Just because Apple says they won't sell you music without DRM does not mean the courts will let you see the trade secret agreement between Apple and the RIAA. Apple could reveal the info voluntarily, but unless the courts were effective they would have just flushed their licensing agreement down the toilet and seriously damaged their multimillion dollar iPod business. Nobody takes a risk like that for no good reason, especially when legally obligated to act in the best interests of the shareholders. The RIAA has already been convicted of cartel abuse twice for price fixing and once for payola so it is not like this would be unusual behavior for them.
This is amusing to me because when I had a separate Windows machine I would boot it every other morning because otherwise it would be too slow to be usable (WinXP+some big Adobe apps). My OS X box, however, gets rebooted pretty much only when their is a software update that requires it. Windows XP "boots" in about 2 seconds, because I have a VM running on top of OS X so I just restore from a known good state every time.
It seems rather archaic to consider how long it takes to boot and start applications up when it is such a rare task. Not that I mind improvements, it just seems pretty useless to a person that does not have rebooting as a part of their normal workflow.
...as the from the apple-could-do-this dept. statement opines, but only for the artists and/or labels with direct legal standing to make such a request with Apple. Hint: it's not anywhere near the number people think it is. Even some artists who sell or provide DRM-free music via other channels may not actually have such a (legal) capability with Apple, for example, because their label's contract with Apple (or other stipulations) doesn't currently allow it.I'd say the chances are about 80% that one of Apple's agreements with the RIAA stipulates that all music sold from the iTMS will have DRM on it regardless who it is from. It is likely Apple is contractually obligated to not provide DRM free tracks of any music, regardless of that label's wishes. I don't know why everyone seems to assume this is not the case in light of other contracts the RIAA has put such stipulations in.
Well, Firefox 3 is supposedly going to support running online apps, offline, so that partially mitigates this. I think, however, going for version control is aiming too low. Rather, replicating the functionality of a full content management system would be a more useful endeavor that takes more advantage of a service being online. It might be nice to be able to work with a version of a doc and merge it with other versions, but think how much better it would be to have smaller chunks that are single sourced. What if the legal boilerplate in your document and all others automatically updated when the legal team made a revision or the copyright date changed? What if you had the option of updating the feature description you "copied" from a whitepaper when one of the developers noticed in the original document that it was incorrectly reflecting what was actually implemented in the production system? There is a whole lot of duplication between the documents that ship from a given company, and reducing the duplication of effort and making it easy for users to find any bit of information and globally update that information within your company is a real timesaver. Versioning is only one part of what such an integrated system can do.
I'm not about to jump at this either, but I think you're way off base with this comment. The Office cost was yearly as well and if anything was hugely understated in that it does not include the yearly Windows cost (which is not required with the Google solution), the cost of providing and administration for the Web server, e-mail server, and backups (which is included in the Google offering), the cost of assuring your licenses are in compliance (not an issue with the Google version and little chance that the BSA will come after you), or the cost of direct phone support (included in the Google offering).
Google's product is different with a variety of strengths and weaknesses compared to traditional MS Office, but the cost comparison was very understated, not overstated.
If you're looking for the state of the art today, take a look at the SubEthaEdit text editor for OS X. Basically, it is a text editor that can post a document on a LAN (autodiscovery via zeroconf) or on the internet if you know the hostname or IP and allow for collaborative editing. What is really nice is it has multiple, real time cursors so everyone can be typing at once with their own insertion point. It makes pair programming so much easier than hacked together solutions where giant chunks of text are suddenly appearing or where you have to trade control of the cursor off. The zeroconf discovery is really the icing on the cake. Go to the coffee shop, open the program, and select the file with no messing around with setting things up or connecting to one another somehow. I've seen it used for collaborative fiction as well.
Don't forget fileservers for the data and backup of it and administration costs for those. Also don't forget the cost of installing and maintaining licensing for office applications as well as the danger of accidentally installing too many copies of office for your licenses. Don't forget the cost of direct phone support.
That said, this would not fly at my company for two reasons. One, although several browsers are working on it, running apps like this when the internet connection is down is not feasible today. Two, it just is not secure enough for sensitive business communications. We need to control who has access to our files and that includes from Google. We need to be in control of when files are deleted and assured that they are gone for good, for both legal and strategic reasons. Google seems to be run by good guys (including a few people that used to work here) but that is not "good enough" for the board of directors.
I see this really taking off in the education and home markets, with some use in certain small business environments. Until it is proven for the above security aspects, however, I don't see any enterprise business seriously considering it, despite the cost advantages. OpenOffice makes a lot more sense.
"Featureful" is a perfectly cromulent word.
You work in a marketing department, don't you?Nope, engineering, but I have helped out with white papers and technical reviews of marketing materials. I was told just the other day that marketers are allowed and encouraged to increase the English lexicon with wonderful new terms.
Google for "windows local privilege escalation" and you will find about one in five of the resulting thousands of hits is a long standing unpatched escalation in XP. Here is one that has been unpatched since 2004. Vista hasn't been on the market long enough to build up such a list, but unless MS has severely changed their methods the vista list will just as long soon. Here is a link to one reported three days ago which is unpatched. I don't think there has ever been a time when there was not at least one outstanding, public, unpatched, local escalation in Windows. They are not even considered serious by MS and are so common they don't make the news, unlike local escalations in other OS's.
It's not really quite as big of a deal as people are making out, due to the rarity that it would ever work (installing software as non-admin).I disagree. Most users need to install software or their computer does not work for their everyday tasks. MS's decision means most users thus need to be admin to run the average installer and so will expect to have to authenticate when installing anything. This means it will not be uncommon for admin privileges to be asked for when installing some small, non-malicious piece of software making the process identical to installing a rootkit and meaning the user is given no warning at all when faced with a trojan.
However, I do agree that its a shame you cant just runas and run an installer as an arbitrary non-admin account.Theoretically, users can run installers as non-admin, if they do it manually. The problem is in practice this will not work because of MS's defaults and how that will affect developers' installers. Because of this default by MS, software people use will expect to be admin and be developed and tested as such. It completely undermines the idea of using user accounts to stop malware.
There are advantages and disadvantages to both systems. You're correct that Google's offerings are not as featureful. They also require Web access at all times to use (for now) which is a huge drawback for many people. Also, sending confidential over the network is a security no-no for a lot of organizations.
Google's offering has some real advantages too. You can access it from any machine, including one at work and home or one at home and school and the library. Google's offering runs on any OS, a big plus for the many organizations looking at Linux as a viable solution. They also offer easy migration to and from other formats and standards compliance that makes them eligible bidders for some jobs Word currently is not compliant for. Google's offering includes backed up disk space and direct phone support both of which are nontrivial expenses. They also offer better options for document collaboration at this time.
I don't see Google as a real contender in a lot of markets, but I do see them as having real advantages for some market segments, especially education where if schools are remotely sensible they will begin migrations pronto which will, in turn, lead to increased adoption in the casual/home/freeware market segment.
I'm not sure what this means, but I dont believe this is correct. Privilege escalation exploits get found and patched a couple times a year. The patch applies to all versions of the OS, since they're all the same core. Are you saying that they release patches but fix the patch so that it explicitly wont run on the Home versions?
First, you'll note I was speaking specifically of local, not remote elevations. In general, MS only patches local escalation exploits under the following conditions: It is found in the server edition and publicly known or it is found in the desktop version and it is publicly known and someone feels like it. Prior to Vista, this did not matter much because nearly everyone as an admin in order to do anything anyway. It is so trivial to find a local escalation in Windows it is not even considered an issue. The consensus of the security community is and has been that if you can run code you can elevate that code.
I'm not at all sure what you mean by this, but as stated, this is flatly incorrect.
Read this article which was also covered on Slashdot. By default installers run with admin privileges, which means they will be designed to run with admin privileges for the foreseeable future. That means little timmy will regularly download installers and be given the exact same procedure for installing a rootkit as for installing a freeware game of something.
Signing allows me to identify where the application came from and that it has not been modified since it was signed. It's extremely useful. Get a grip.
Okay so you're Joe average user. An application is not singed or is signed by someone you've never heard of and don't trust. How does this help you? It basically doesn't. Most people just take a chance and run it and hope for the best because they don't have a better option.
Measure input from multiple groups about what? Are you saying that you want people to vote on whether or not an application is safe? That's an interesting idea, but one that doesn't exist anywhere right now, as far as I know.
Take a look at the blacklist services packaged with fancy scanners from Norton and Symantec and MS. What if instead of just a blacklist these services or others like them provided trust levels. Application X gets a grade of C, because the publisher is known, but we haven't verified that their ACL is correct. Application Y gets an A because we tested the ACL included with it an it does nothing unexpected and the app remains within the bounds of that ACL. Suppose further that you can subscribe to several such services both free and pay and the results will be merged based upon how much you trust each of these services.
I'm not talking about users voting on what applications to trust, I'm talking about free or pay services that test and rate application and provide ACLs for applications that did not ship with them.
You have any documentation about how the Mac magically makes it so that unmanaged applications can be restricted from performing tasks that the user running that application can perform, and in a manner that would not require all existing applications to be rewritten? No, I suspect you don't.
Yes. Google for "mandatory access control" All of the existing ones work with software not designed for them, albeit not ideally. MS is already fudging things with legacy applications and they can do more such behaviors even so far as providing a VM in extreme cases, although that is obviously not ideal.
There are certain vital requirements that you need to have in order to make sure an application can only do certain things, regardless of the user's privileges running it.
The MAC framework from TrustedBSD already runs on OS X 10.4 and Apple is working on their own that was announced for OS X 10.5, but then vanished from their public docs. You don't need a particular programming language or framework, although it certainly helps to use standardized APIs and services. SELinux, Solaris, and OpenBSD have had functional MAC frameworks for a long time, although they are aimed mostly at the secure server and government workstation markets.
Oh, so you haven't even used the product your bashing incoherently.
Nope, it isn't free and is not licensed to run in a VM unless I want to shell out big bucks. Also, our company evaluation found no reason to move to it until it has at least stabilized for a year or so. I work in the real world. We're discussing why even in theory the security mechanisms they have implemented are not sufficient.
As far as "persistence" of authentication, yes, they do have that. When you authorize something to run elevated, it continues to run elevated until you close it.
When last I used it this applied to only a given application, not a UI session, and did not even apply across all of the explorer application. Has this changed?
What list are you looking for?
Default enabled network services, also known as chinks in the armor.
That article points out how Microsoft dramatically improved the security of services in general...
No, is says they drastically improved security, with precious few details on how they claim to have accomplished this or how they are measuring security for an OS that has not yet been widely field tested.
Ya, *very* slow gains, I guess.
About
I think you're missing the point here. It isn't about "simulating mouse and keyboard input is the only possible attack vector", it's that you don't want excessive UAC prompts, so anything that doesn't require admin access should be allowed to start without prompting you, right?
Wrong. Applications should not be restricted by running as the user or by running as admin. They should be restricted to running within the ACL that shipped with the application and within the ACL for the trust level for that application. Applications should prompt when they want permission above and beyond that combination, which is to say almost never with legitimate applications.
That's what happens in MacOS and Linux.
Mac an Linux do not have a malware problem. Mac and Linux both have MAC systems like I described available, but they are not installed by default because no one needs them because there is not a malware problem. Windows needs to do better because they do have a malware problem.
But the point I'm making is that these programs that you "allow" to run, including malware (you're allowing it to run but not realizing it) can still wreak havoc on your system.
This should not be the case. See the above description of ACLs.
Hence Microsoft's decision to trap a lot attack vectors (deleting files, accessing the control panel, etc.) with UAC prompts. What's the problem here?
This is wrong because the UI component is completely broken. False positives are way, way beyond the threshold where such a system would be useful for a normal user. They will simply click "allow" out of reflex. People are not machines and cannot be treated as such.
You make good points about MACs, but there's plenty of drawbacks to them. If you have a bad security policy, you're still open to attack.
Yeah and if you have a lousy firewall policy you're open to attack, how is that an argument against using them?
On that note, configuration is incredibly complex. Who's going to provide a new security policy for every single new program that gets added to the machine? The average user? Surely you jest. The application provider? That couldn't possibly go wrong.
I described this above. For a given trust level of application (pre-installed, signed and certified, just certified, just signed, install from CD, install from internet) you have one or more ACLs. Each application also ships with an ACL from the application developer. If you trust the application enough it uses just the included ACL. If not, it is restricted more. If any app wants more permission it asks, but since this should almost never happen false positives will be extremely rare.
And if you think blindly clicking "Allow" on security boxes is bad, just wait until users blindly accept security policies!
A user should never be presented with an "OK" or "allow" button and you'd never be accepting arbitrary policies, just specific actions uniquely labeled. Compare: "program 'MarsKiller' needs admin access (allow)(deny)" with "The program 'MarsKiller' would like to read your AddressBook file (Stop it from reading AddressBook)(Let it read AddressBook Once)(Always allow it to read AddressBook)." Do you see the difference in both the specificity of the information and control and in the UI? In the first case the user doesn't have enough information to make a good choice and if they deny the application they don't get to run it. In the latter case they know exactly what it is accessing and can deny access without necessarily giving up on playing the game.
There's also CPU overhead involved
Compared to other features in Vista there is not significant overhead and this amount will decrease as their are fewer and fewer legacy programs running afoul of ACLs.
Hmm, maybe there's a good reason a user-friendly, commercial MAC implementation hasn't been implemented yet...?
There is an excellent reason. The only demand for such a
Aside from the "open" part of your request, Microsoft does have this. Applications can be signed using digital certificates, and policies can be used to restrict access to certain applications based on these policies.
First, signing alone is useless. It is one of the three vital components of a MAC desktop. Second, unless it is open to all comers it will be fairly useless. Competition among verification services is the only way to get accurate ones.
Applications can be signed using digital certificates, and policies can be used to restrict access to certain applications based on these policies.
Applications don't ship with ACLs, I don't see a way to measure the input from multiple groups, and I don't see a distinction between certified software from a given domain and verified software from a developer or third party.
Your request regarding being able to restrict what that app does is not really possible in the non-managed world, but it's exactly what Code Access Security does in the .NET world. Vista includes .NET v3, so we'll see a lot more of these things being used more frequently.
It is very, very possible in a non-managed word as you put it. MAC have been in use for over a decade. If one was included and enabled by default in Windows, developers would code with that in mind. What makes you think it is not possible?
I've seen this several times on Slashdot. NO IT DOES NOT.
I only tried RC1 and it certainly did then, but regardless by all accounts there are a great many notifications for common tasks. One fairly reputable review on a security site I read showed it appearing 7 times while the user attempted to change their IP address. Because they decided not to use persistence of authentication for a given period it will almost certainly appear a lot more than sudo based systems. Add to this the terrible UI (Allow)(Deny) that does not have unique action for a given prompt and it is certain to be fairly useless to the average person.
That site lists services that you can disable without it breaking Vista. That's a *lot* different than services that you can disable without affecting Vista's common functionality. Sure, I can disable the service that handles network device discovery, but then all of a sudden I can't connect to my Xbox 360 anymore.
I don't have an Xbox. I never plan to. So that service for me is simply a security hole. You don't see that as a potential problem?
Microsoft spent a lot of time making sure things we not enabled if they didn't need to be to support common use-cases out of the box.
I scanned through that article the other day. I did not see it listing the services. It looked like PR fluff.
Really? Why? Seems to me they did exactly that.
Are you joking? Do you work in security? If someone asked me how to redesign Windows so it was secure I'd immediately look at the high security projects like SELinux, realize that it is fundamentally a more secure model for computing and it is already supported by the NT core and the design would be a no-brainer. I certainly would not think about adding hacks on top of Windows with no real changes. I seriously hope you are not a security engineer if you actually hold said opinion.
I would say you're completely wrong. The biggest changes in Vista are centered around security.
No, most of the work in Vista was expanding into other markets and embracing them and trying to gain feature parity with OS X. Vista adds eye candy, searching, widgets, expose, included apps, etc. in order to try to counter Apple's slow gains in market share. They add XPS, defender and several other features to move into the PDF tool and antivirus markets. The security they added was more one to add the perception of security than to add real security. Do you really expect this to stop the proliferation of malware?
Not only that, but it's the first consumer OS to com
I'll try ANOTHER example, because you're starting to catch on.
I'm not "starting to catch on" I'm trying different ways of getting through your thick skull. You completely ignored my examples and did not answer my questions. I'll answer yours after you go back and answer mine. It's called the rules of rhetoric.
ouldn't you like to be prompted if you somehow picked up a piece of malware that wanted to randomly change your desktop background, delete the files in your home directory, empty the recycle bin, etc.?
Yes. What does that have to do with anything? Are the programmers at MS so incompetent they can't tell the difference between my mouse input to explorer windows and a random binary taking the same actions? The NT core was built with ACLs to restrict applications, why are they only used with IE?
You're expecting Vista to "know" that it's "you" performing these actions and not some piece of malware that's doing it programmatically.
I'm expecting any OS that is compromised by malware 25% of the time would enable application level security and restrict behaviors not only by explorer, but also by every other application running including said malware. It shouldn't have permission to simulate mouse and keyboard input by default.
You're looking at this from the perspective of Linux and MacOS, which really don't have much of anything in the way of malware. Windows, unfortunately, does.
Yup. Windows has a malware problem so it needs to be ahead of the curve, not behind. On Linux I can run SELinux to restrict applications. Apple already announced they are working on a mandatory access control framework and there is a third party one available. Neither is polished or well integrated into the OS, but there is no real demand on those platforms. What is MS waiting for, must a dozen other companies do everything before they get off their butts? Can they truly only copy and when they have a problem other OS's don't Windows users have to suffer?
And part of the problem is that malware can still wreak havoc on your system even if you aren't running as an administrator (i.e., I would be just as devastated to lose all the files in my home directory as I would the entire system).
This is exactly what MAC is designed to stop. There is no reason random programs should have access to delete my files unless I give it to them. This is a solved problem that MS is ignoring.
So what does Microsoft decide to do? Plug up the holes with prompts. Yes, it does seem excessive, but they're doing the responsible thing.
No, the responsible thing is to rework your OS so users don't need elevated privileges to do simple things, so it can determine and restrict what applications are doing, and to create default ACLs so that users are almost never prompted for anything unless it is malware.
If one day you were using Windows and out of the blue you were prompted to allow or deny "del *.* in home", you'd probably be thankful it was there.
Most people wouldn't understand what that meant and would click "allow" reflexively because thy had been conditioned to do so by hundreds of unneeded prompts. Most people would probably click "allow" before they even read the prompt. This is not their fault. It is the result of a security scheme that ignores the human interaction component and assumes people will behave in unrealistic ways as though they were computers themselves. People aren't computers. After a few hundred times, we stop paying attention and that needs to be accounted for in the design of a security system.
You ask what MS could do, but they could do much, much better than this simply by doing a better job of copying others. Or they could *gasp* actually innovate and be the first to implement a well designed MAC framework with good usability for a desktop OS. What are they doing with those billions?
Do people here honestly think that a site that refers to Microsoft as "The Vole" would give a fair minded, intelligent, and well though out review of a Microsoft product.
You're right that the Register makes a lot of incorrect assumptions and mistakes and it is good of you to point them out. On the other hand, however, they are simply pointing out issues from their perspective and experience. Some of their opinions are far fetched, but at the same time I think their premise is correct. This is too little too late. Users have been besieged by malware and given huge lists of things they shouldn't do and MS has not effectively responded. MS has finally managed to implement a better default account, but limiting applications by user has not been "good enough" for many years now. MS should have taken the lead and brought real security to the masses, but they have fumbled the ball this time.
Wrong. It works regardless of what user you *think* you're running as. An admin account on Vista (with UAC enabled) is NOT AN ADMIN ACCOUNT. It's a limited user. The *only* difference is that an admin account isn't prompted to type in credentials in the UAC prompt, where as a limited user is.
I don't want to argue details of their user account scheme, but I think after enough security people have looked at it that it is clear they did not think it through. All installers are free to go wild. That is a hole big enough to drive a semi through.
Ok, smart ass. What's a better solution? Get rid of admin accounts entirely? Don't allow any programs to run at all? Never allow a user to connect to the net? Oh, how about only allowing signed, Microsoft approved applications to be installed on Vista.
Microsoft should absolutely implement an application signing scheme, but not to allow or deny applications the ability to run. They need an open signing/certification framework where you users can subscribe to multiple services and use the merged results as a method of determining trust. That is step one. Let the OS and users know how trustworthy a binary is. Some .exe I just got aimed by a stranger with no credentials should not be given the same level of trust as the pre-installed wordpad program which should not be given the same level of trust as Adobe Dreamweaver.
I'll repeat this again, this should not be used to stop applications from running, but to determine what those applications are allowed to do by default. Running with all the user's permissions, with complete access, or not at all is not sufficient granularity. Vista should be using the ACL framework to restrict new applications by default. Also, the format for applications should be changed to include an ACL, so applications can be further restricted by that ACL and so that more trusted applications can be assigned an ACL that does not result in pestering the user with unnecessary prompts which lead to decreased awareness and conditioned responses.
Having an admin account on the machine is unavoidable if you ever want to do anything on the machine past checking your e-mail and reading high-quality publications like The Register.
Only if Vista does not allow applications to be installed within a user's account. When you add in that functionality, you've accommodated most users entirely.
Now, instead of the occasional annoying OK button, you'll have an OK button and be required to type in admin credentials. If you're the guy who setup the machine, you know the password. If you're not, then it works just like it does now.
If you aver see an "OK" button the OS has failed. "OK" is not an action. "OK" is a meaningless button people click to make their computer keep working because they been condition by repetitive behavior for years. All buttons should be actions for the user to take and they should depend on what the user is doing.
But Microsoft *must* support as many legacy applications as possible.
This is what VM or partial VM is for
Usability studies show this is actually much less common on macs because users are rarely asked for their password on macs so they are much more likely to question the behavior. Also, for the most part the users are right. They don't have any negative consequences from randomly entering their password in some field because of the market realities. A targeted attack can certainly affect Mac computers and their security is not ideal, but they do not suffer from widespread exploitation. If they did, the OS would be fixed to deal with this because Apple has to keep users happy to make sales. MS is a monopoly and does not have to so widespread exploitation does not bother them (financially).
Policy kicked in and their macs were rebuilt.
Umm, I'm not sure there is any logical reason for this. How would a Web site do something malicious with their password on a default system?
The main point is that stupid user is not limited to just ms, it exists everywhere.
This isn't about "stupidity." his is about normal users performing normal behaviors and the likelihood of their machine being compromised. That is what determines what security measures need to be implemented. Windows needs to have much tighter security than Macs because Windows is subject to attacks all the time and 1/4 of all people are currently infected with malware.
As far as the firewall goes, a single application is can be granted access... The default behavior is to prompt the user if they want to allow a program to access.
Yes, but it can't be granted access easily by the user so the user ends up just turning the firewall off rather than dealing with regular prompts. Usability is a security concern. Theoretically, I can sandbox every application I run on Windows within a VM, but I'm not going to because it is a huge pain in the ass. You can't just ignore the user when designing a security system and assume they will somehow change their behaviors to match a security model they do not understand. Users want to perform tasks. The OS needs to be designed to make performing those tasks securely, a simple one.
The right way to do this is with ACs that restrict application not only by network access but also by files they can access and other system resources. Restrict every pre-installed application to just what it needs to do to stop buffer overflows from having free reign. Restrict new applications based upon how much they are trusted. User certificates to determine if they are certified as coming from a particular domain and if they have been verified by independent parties. Assign them a combination of the ACL included with them and a more restrictive ACL for each trust level in order to make sure they are not behaving maliciously. This would reduce the number of user prompts 90%, while actually providing them in the cases it is really needed. It would require serious modifications to Windows and to the format for application on Windows, but MS is in a better position to do that than any other OS vendor. The only reason MS did not do this 5-10 years ago is because it would cost money and it brought them no real benefit. As a monopolist it made more sense financially to work on DRM and embracing other markets by building competitors into Windows than it did to fix their security nightmare.
So the real problem is USERS choosing to run as admins and blindly downlaoding[sic] and installing things they shouldn't...
Why do people own computers? What is their purpose? They run arbitrary software. The problem is Windows is not designed to run arbitrary software safely. Also, users don't know what an "admin" account is or why they should have one. They just want to install and run software, without letting that software have free reign to own their machine and send spam. That's not too unreasonable in my opinion.
When you tell a child to not do this or bad things will happen do they usually listen?
That depends on what you call "bad things." For example if you tell a child not to speak, either they do so anyway or they grow up with serious mental problems. That is because speaking is a very basic and common behavior.
If you go to places known to be full of sickness and disease who do you blame when you get sick?
Well that depends, can other people go to those same places and have basically no risk of ever catching a disease because they made better choice and decided not to suppress their immune systems? Running Windows is like suppressing your immune system.
The blaming of MS for the huge numbers of malware out there is stupid.
Users want to run arbitrary software and visit arbitrary Web sites. That is why they bought the computer. There is no reason a properly designed OS cannot do these things. MS has not properly designed their OS, so doing common things safely is very, very hard. This is because MS is a monopoly and they don't lose any money when they deliver a product that is crap. Fix the OS, then if users make unreasonable poor choices (like installing arbitrary binaries and specifically allowing it complete access) you can complain. It is not unreasonable for me to assume I can visit any Web site without having to worry about malware. It is not unreasonable for me to be able to double click on a random binary someone IM'd me and for me to expect it won't be able to start sending spam e-mails without the OS informing me or giving me the option of stopping it.
Do they honestly think it would be any different if any other OS held 90% of the computer market?
I think it would be very different if no OS held 90% of the market and OS manufacturers have to actually give customers what they want. I think it would be different if Linux had 90% market share because, by nature, it cannot exercise monopoly power and would have to give customers what they want. If MS were broken up into two competing Windows companies, there would be a relatively secure version of Windows within 2 years. If Linux gained 90% market share, malware would be ported in a month and in 6 months mandatory access controls and trust systems would be standard in 6 months making almost all that malware useless and reducing the problem to a tiny fraction of what it is today.
It's like blaming banks for the existance of bank robbers.
No, its like banks blaming robbers for getting away with all the money, when the bank did not bother to install a vault and just leaves all the cash in piles in the back room, with an unlocked window and no security cameras. Banks perform due diligence to prevent robberies, MS does not.
Get a clue. Please!
You're the one who needs to wake up and take a big sniff of what you're shoveling.
I think a large part of security involves the self. People don't do enough thinking, and are too lazy to follow simple security procedures.
Oh those poor, stupid users. Can't they follow "simple security procedures?" For example, if a user wants to run some game posted on a Web site all they need to do is purchase and install a virtual machine, then install Windows again from scratch then copy the binary into the VM's shared folder, disable the VM from having access tot he internet and the shared folder, then run it in the VM. I mean what is wrong with these stupid users? It only costs $80 for a good VM a user can install and with a week or two worth of training courses they can probably learn how to do installs of Windows. There is only a 50% chance the Windows activation will break the VM and stop it from working.
Users do need to be educated, but not until Windows is fixed so that it is easy to perform simple tasks like running untrusted software safely. Right now you need to be an expert to use Windows safely and that is unacceptable. Blame the OS until it is fixed, then if users still mess up you can start blaming them.
No automated tool or system, that allows some freedoms can protect people entirely. Think about it, the OS'es solution to malware? Only allow MSFT signed binaries to run. But this is horrible as it means only MSFT can authorize binaries and it cuts out 3rd party developers.
No system can protect users entirely, that does not mean we should ignore all security measures and give up and rely upon people to learn incredibly complicated and expensive procedures in order to perform simple tasks. The solution to current malware is to increase the granularity of security, introduce trust mechanisms, create a UI that was not written by morons, and give the users the information and control they need.
There is no need to allow or disallow binaries to run if they are signed by MS or anyone else. Windows has had a proper ACL architecture in place for years, they just haven't implemented it in the rest of the OS or let users access it. Here's an idea, how about if I download a random application that is neither signed nor certified and was not pre-installed, by default when a user double clicks on it it runs in a sandbox defined by a default ACL and is not given permission to do anything it wants. How about when it tries to install a rootkit the OS provides a useful dialogue box that reads "The program 'MartainHunt' would like permission to have complete control of your computer for all time (Stop it from controlling my computer for all time)(allow it to control my computer for all time)." How about if it tries to harvest my e-mail addresses it pops up a different dialogue box that still does not have OK/Cancel in it, like "The program 'MartainHunt' would like permission to read your AddressBook (Stop it from reading my AddressBook)(allow it to read my AddressBook once)(Always Allow it to read my AddressBook)." Why is that so hard?
The reason Windows is a security nightmare is because MS did not design it properly taking into account what kind of malware is out there and what tasks users need to accomplish. If they were not a monopoly they would be slaughtered in the market by now. Stop blaming users. They have perfectly reasonable expectations for their OS that are not being met.
I can not imagine why a tax preparation office would need a 802.11 network if 20 people are sitting in front of their wired computers and execute only one officially approved software.
But is this the situation we're talking about? We were discussing instances where employees bring in a wireless access point from home to use. In the above situation they should be unable to connect to that wireless point or run Web apps. When users bring in a wireless access point from home and are using it, usually that is because it provides them with some real benefit and you need to look at what that benefit is and why they went to such an extreme. Maybe it is simply surfing Web sites for fun while on break and there is real value in providing that access to them in a controlled way. Improving morale by giving employees a better workplace is one of the cheapest and most beneficial ways to increase security and get more work done.
I don't quite understand what you are saying here - do you advocate vigilantism?
No I advocate a flexible network that is not so brittle that an average user has to go to IT to do something new.
I don't quite understand what you are saying here - do you advocate vigilantism?
Those types of changes are minimal compared to changes that do not have larger security concerns attached. By building your infrastructure to be secure in the face of slightly changing conditions you speed up the workflow, have fewer instances where IT has to intervene and are more resistant to new types of malicious behavior. Do you know what the most likely way for your data to be compromised is? An insider copies it and takes it home and sells it. You can try to lock down your workplace with cameras and disabling all USB ports and bluetooth and by locking down every machine to the point that if someone needs to run a new piece of software they need permission to go to various sites to research them and then permission to install and run it and permission for it to access files from the internal file server, but they can still print it or take pictures of their screen w/ a camera. Realistically, treating your employees with a certain level of trust is more likely to make them not steal the data because they feel bad about violating your trust.
Security is more than a technological problem and security is not an end goal in itself. You have to look at the real risks and rewards of some security measure not only on security but on it affect on users to efficiently do their jobs.
Come on. More than anything, Microsoft is in a no-win situation to try and protect people from themselves.
Wrong. MS's is in the position of having to implement more fine grained security than "don't install the program" and "let kill babies and piss on the carpet." Stopping malware isn't protecting users from themselves, its giving users the option of performing normal tasks like installing and running random software from the internet safely. Vista fails to give users a measure of how much they should trust a given application, inform the user what an application is doing, or sandbox it so that by default it is not allowed to read your e-mail address book and start running a spam server.
If everyone ran Linux instead of Vista there'd be the same damn problems.
Again I disagree. If everyone ran Linux tomorrow, malware would be ported in a month and in 6 months every major distribution would implement fine grained security such as mandatory access controls and trust protocols/certification needed to stop the current breed of malware. The only reason these technologies are not mainstream on Linux today is because Linux does not have a malware problem. Linux is responsive to customers because it is not a monopoly, so it actually adapts to solve customers problems.
If a thirteen year old wants to download smileys for their IM client, the kid is going to do it.
Agreed.
If the software has spyware, then that spyware would do what it takes to open up or break the system. It's pretty damn hard to code against human behaviour.
You should code for human behavior, not expect users to change. What is so hard about running new software in a sandbox with restricted access to the rest of the system and a good UI and trust framework? Sure it is not super easy, but what the hell has MS been doing for the last decade since malware exploded on their machines? Linux, OS X, Solaris, and the BSDs all have better options for this than Vista and Windows is the only one that really needs it. How hard is it to stop all applications form accessing my e-mail address book or sending mail unless the user approves it? Most people never install a new e-mail client so would never see this. 99% of the time someone did it would be a worm and would let them stop it. 1% of the time they would be installing an e-mail app and it would not be unexpected. This isn't rocket science.
Microsoft can't fix the users, there will always be the crowd blindly clicking OK or tuning off the firewall because their game's troubleshooting tells them to.
"Users blindly clicking OK." Where to start. First, it is MS's fault that they designed an insecure UI that uses operant conditioning to train people to blindly click "OK." Thousands of useless dialogue boxes with technobabble where OK means "make it work again" and surprise surprise people always click "OK." Second, if the OS ever shows the user an OK/Cancel dialogue box, it has failed. All buttons should be labeled with a real action that applies to what they are being asked. "OK" is not an action. "Let it control my computer for all time" is an action. UI design is part of security and it is MS's fault they have ignored that.
As for the firewall, why isn't there an option to allow a given program to access the network and not let any other application do so that is as easy to access as turning off the entire firewall? Why isn't it in the "File menu" under "allow access to the internet?" It is MS's fault for not making this task easy and the result of people disabling their entire firewall.
If someone figures out an exploit to make that "OK" automatically, yes, running as admin will be significantly less secure. Until someone figures that out, though, running admin with UAC on is just as secure as running as a limited user.
I know a great way to do that, but it will take a lot of work from the inside. What if we spent an entire decade using operant conditioning to force people to click "OK" over and over and over again just to keep their machines operating and doing normal tasks and without ever giving users useful options. They'd be so conditioned to clicking "OK" they would do so automatically regardless of what the dialogue box said. Sure it would only work on 99% of users, but that's quite a few... oh wait someone beat me to this and started this scheme more than a decade ago. Never mind.
And as far as users finding UAC "annoying", riddle me this: how is any more annoying than Linux?
On Linux most software installs and runs just fine in a regular user account. To date, this is not so with Windows, leading to more, useless prompts. On Linux, authentication persists for a period of time so if you take privileged actions you only need to authenticate once, not once per action, like copying files from a network share and then copying them to a privileged location (which should not have to be two steps anyway, but seems to be on Vista.
You can't blame M$ if stupid users disable security features they find "annoying" while praising Linux for doing the same thing.
Yes I can because MS has more money than god and should be able to spend some of it on a good UI that takes security into account, as well as more granular security features. Mainly I blame Windows for not implementing an appropriate level of security for their OS. Windows machines are compromised by automated worms, en masse every day. If that was true for Linux, Linux developers would fix the problem in a a few months tops by implementing MAC, trust levels, etc. I don't blame MS for any given technological decisions. Everyone makes mistakes. I blame them for not giving a shit about user security because as a monopoly it does not affect their bottom line. No other OS would tolerate this level of compromises because they have to be responsive to end users.