Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×

Hack in the Box Meets Windows Vista 159

Posted by ScuttleMonkey from the book-your-flights-now dept.
Strange_Brew writes "It appears Microsoft is really going all out to get Windows Vista secured before its release date in 2007. There's an article on PC World which talks about Microsoft's plan to give Asia's largest hackers conference an inside look at the new security features in Windows Vista this coming September." From the article: "The Hack In The Box conference will host two speakers from Microsoft. The first, Dave Tamasi, a lead security program manager at Microsoft, will give a presentation on security engineering in Vista. The talk will include a discussion about features suggested by hackers and other security conscious members of the computing community, in addition to security improvements made on Vista. The second speaker, Douglas MacIver, a penetration engineer at Microsoft, will review Vista's BitLocker Drive Encryption and the company's analysis of threats and attempts to penetrate the security feature."
This discussion has been archived. No new comments can be posted.

Hack in the Box Meets Windows Vista More

Hack in the Box Meets Windows Vista

Comments Filter:
  • ...when companies "invent" some home brewn encryption and offer $100,000 or so to anyone who can crack it.

    When noone does the company calls his product uncrackable. These events and claims are without credibility, security doesn't get manufactured this way.

    • Re:Reminds me of home made encryptions (Score:5, Insightful)

      by CaymanIslandCarpedie ( 868408 ) on Wednesday July 12, 2006 @08:00AM (#15704324) Journal
      ...when companies "invent" some home brewn encryption

      You do realize BitLocker isn't about some "home brewn" encryption algorithm right? It uses standard encryption algorithms (256 bit AES for example). The "invent" part here is how this standard encryption is used. From hardware, boot process, drive access, etc. Here [microsoft.com] is a good place to start for a basic overview.

      offer $100,000 or so to anyone who can crack it

      Didn't see that in the articles.

      When noone does the company calls his product uncrackable. These events and claims are without credibility, security doesn't get manufactured this way.

      True. If ANY company says ANY product is uncrackable, they are full of it and/or marketing is having too much of a say in thier message. However, again I'm not seeing any claims like that in any of the links. Am I missing something?

      • Re:Reminds me of home made encryptions (Score:5, Insightful)

        by A beautiful mind ( 821714 ) on Wednesday July 12, 2006 @08:12AM (#15704357)
        Am I missing something?
        Yes, you are. I didn't say Microsoft acts like this, but rather what their behaviour reminds me of.

        Specifically, my issue is with the "It appears Microsoft is really going all out to get Windows Vista secured before it's release date in 2007." sentence, and that somehow presenting a system for security experts would make it more security, as a direct causality.

        Security is not a product, it is a process. If one chain in the link fails, the whole chain fails. And MS can continue to give presentations about their system and abstract design concepts, and if security experts spot weakness in the design they can tell all about it to MS, but it's throwing peas at a wall. They never listened, and I see no reason why would they listen. This is just a cheap PR stunt to reassure some less in-the-know folk. That is why I compared the situation to the example in my original post. It has nothing to do with encryption. Encryption isn't the issue. Design, security principles and how MS responds to security issues are.
        • That sentence was put in by the article submitter, no such claims are made by MS.

          And they arent talking about abstract design concepts, they're presenting how their system works, at a conference of security experts; they want feedback on their implementation. But let's just keep trotting out the party line shall we? A beautiful mind indeed...
  • that this will only result in further delays, until MS have the product "satisfactory". Almost makes the $9 billion investment seem like a joke.

    • Re:I have a feeling... (Score:4, Interesting)

      by instantkamera ( 919463 ) on Wednesday July 12, 2006 @07:38AM (#15704250)
      I dont think that this and the anouncement about the Jan release are coincidental. Maybe they realize what is at stake. I dont use Windows and I certainly dont like M$, but i cant really find any reason why this or any further delays are bad. They may not indicate anything, but i think you really have to wait for the dust to settle before making a judgement, Perhaps we are seeing the dawn of a new era at Microsoft. Maybe one where they understand that Monopoly=Responsibility.




      OR
      not
    • I think they will eventually manage to get security right. Back in the Win98 time, Linux was considered superior because of stability, so they improved stability. Now it is security, they will improve security. Never underestimate the capabilities of a $80 billions Behemoth to strive to secure its survival.

  • Will Vista ship with firewall ENABLED?! (Score:1, Funny)

    by Anonymous Coward
    heck, I'm afraid of my dual booting XP just sharing a data partition on my Linux drive..

  • Microsoft job listings (Score:5, Funny)

    by RMB2 ( 936187 ) on Wednesday July 12, 2006 @07:32AM (#15704235)
    I myself think it's interesting that there are actually "penetration engineers" at Microsoft.

    Makes sense, after all. I've always kinda felt like MS was giving it to us all up the ......
    • Yeah, but wouldn't you want to have a job with the title of "penetration engineer"?
    • Well, I wonder what kind of background would be required to apply for such a position? In any case, if Vista fails from a security point of view, I'd advise Microsoft to go for the likes of Ron Jeremy, after all, that guy has years of experience in the penetration business. Sorry for the silly joke, but I could not avoid thinking of stupid names for very "specialized" movies stemming from M$ projects. Like "Debby does Vista" or "Developers gone wild"... Once again, sorry for my teenage rants...

  • The never ending story (Score:5, Insightful)

    by rangeva ( 471089 ) on Wednesday July 12, 2006 @07:35AM (#15704240) Homepage Journal
    I remember the days before the release of XP SP2 - it was announced to be a security update that will make Win XP the most secured OS out there. Since then who can count the number of patches, updates and vulnerabilities. I wonder if it will be different with Vista...

    • Re:The never ending story (Score:5, Insightful)

      by Vo0k ( 760020 ) on Wednesday July 12, 2006 @07:45AM (#15704275) Journal
      will make Win XP the most secured OS out there


      If I hang 2000 padlocks on most from the 2200 doors of my house, it will be most secured in the whole neighbourhood. Not more secure than the guy across the street, with front and back door, one good quality lock in each, and good windows from break-proof glass.

      Windows is too big to be secured whole, it has too many dependencies on insecure behaviours of programs, the security too often stands in the way of usablity and as such will often be disabled or neglected. If you need to type admin password 50 times a day to perform quite simple (though potentially remotely risky) tasks, you will type in the 51st time when a trojan asks you to do so.

      • Re:The never ending story (Score:4, Informative)

        by Opportunist ( 166417 ) on Wednesday July 12, 2006 @07:56AM (#15704308)
        Most of all, every piece of crap program is tied into the kernel, or needs kernel level privileges. Can anyone give a reasonable clue why of all things a webbrowser, something that by its very nature deals with insecure content of the worst kind, needs kernel level permissions?

        I mean, aside of being able to claim that you can't remove it from your system...

        Who had that smart idea to make the webbrowser the local file manipulation tool, and why is he still alive? Why are (other) kernel level programs responsible for dealing with DNS and other network related issues? The whole system is flawed. Not because the code is buggy, but because the design has serious flaws that break it. Not at a code level, but at the level of the underlying design work.

        • Re:The never ending story (Score:3, Informative)

          by Tom ( 822 )
          Who had that smart idea to make the webbrowser the local file manipulation tool, and why is he still alive?

          I think the KDE team gave him refugee. At least they copied the idea. Idiots.

          (disclaimer: I use KDE. I hate konqueror. If you're one of the konqueror designers, please go and drown yourself.)

          • Re:The never ending story (Score:3, Funny)

            by Anonymous Coward
            I've only met one person that liked Konqueror, and I think he was lying to annoy me.
            • I've only met one person that liked Konqueror

              You know him? You know that person? Really?
              Tell him he's a celebrity. A true one-of-a-kind guy.

              Quite seriously, Konq is ... well, better than nothing, but usually it suffers the same fate IE suffers at the hands of someone who can rub more than 2 brain cells together: To be pointed to www.firefox.org to get a webbrowser.

              My guess is that K is an attempt to make Linux "feel like Windows" for those that complain it "feels" differently, and K is an attempt to mimick
              • To be pointed to www.firefox.org to get a webbrowser.

                I use Firefox for some things, but Konqueror isn't such a memory pig.

              • I think I may be "that guy."

                On my lil' 800MHz notebook with "only"(?) 256M RAM, Konqueror kicks Firefox's ass. I don't have time to wait for Firefox. Firefox is my choice on beefier machines, but as a "slimmed down Mozilla," it's a joke. There's nothing slimmed-down about it, and I'm amazed that they turned an I/O-bound application into a CPU-and-memory sucking experience.

          • Re:The never ending story (Score:5, Informative)

            by James_Duncan8181 ( 588316 ) on Wednesday July 12, 2006 @09:06AM (#15704603) Homepage
            The browser and the file manager are only visually the same in that they inhabit the same window. They are different kparts. Do you understand what this means? They are seperate components, with potentially different rights. Unless you think that the fact that you can use Gecko in Konqueror with the kmozilla kpart means that the Mozilla Foundation also make a file browser.

            (Disclaimer: I use GNOME. I am also not a big fan of Konq. If you're someone who talks about technical issues but clearly doesn't bother to have an informed opionon, please go and drown yourself.)
          • As a file manager, Konqueror is good.

            As a web browser, I'd rather die.
          • Agree with you there --I am a KDE fan (Kubuntu 6.06 currently), but from the start, I thought that Konqueror tried to be everything: web browser, file manager, image browser, basically the Swiss Army knife of KDE. Which is great --I think Konqi has its place-- but just as you wouldn't use the Swiss Army knife for your daily screwdriver / can-opener needs, I had no interest in using Konqi for web browsing or file managing. Firefox has enough mindshare that I use it, with its myriad extensions (if I need so
        • Who had that smart idea to make the webbrowser the local file manipulation tool, and why is he still alive?

          That guy died last year.

        • Re:The never ending story (Score:5, Insightful)

          by cnettel ( 836611 ) on Wednesday July 12, 2006 @08:52AM (#15704504)
          Please enlighten me how the web browser has kernel level permissions in Windows NT-based systems. It was certainly not a VXD in Win9x (defining only VXD code as kernel might be problematic, but the real problem is that 9x had no well-defined central kernel). I know that IIS does have a kernel part these days (but not back when it was even less secure), to shorten roundtrips for cached requests or something, but that's the server side, not the browser. I actually think Sun tried to advertise a similar addition when Solaris 10 was released.

          Regarding DNS, I'm not sure what you actually mean here. The DNS client and DNS server are services, but they are not in kernel. A Windows service does not mean it's in kernel mode. Winsock itself has some kernel thunking, and as name resolution is generally done through Winsock, that might be what you mean.

          • I actually think Sun tried to advertise a similar addition when Solaris 10 was released.

            That would be SNCA [hejazi.org] but it seems to be there since Solaris 8.

            There are also at least two in-kernel httpd for Linux: TUX [stllinux.org] and khttpd [demon.nl] but they don't seem to be used by much people.

        • Microsoft was surprised by the net, and only now have gotten the message. When they originally designed IE, the didn't forsee the myriad of problems that have come to it. They really don't like the net (or didn't), because they prefer to control everything that you have on your computer. With the net, you don't get that.
          • Yes but MSFT was warned by security and 3rd party developers telling them that the base designs were heavily flawed. MSFT said it would be fixed later in a patch.

            many of those flaws still exist.

        • Re:The never ending story (Score:4, Insightful)

          by Tim C ( 15259 ) on Wednesday July 12, 2006 @09:02AM (#15704565)
          Most of all, every piece of crap program is tied into the kernel, or needs kernel level privileges.

          Do you have any proof at all to back up that assertion?

          I've seen it repeated time and again here (especially with regards to IE), but have never once seen any proof.

          • What they're really saying is that the default install has administrator access.

            ---

            DRM'ed content breaks the copyright bargain, the first sale doctrine and fair use provisions. It should not be possible to copyright DRM'ed content.

          • Unfortunately none that I could disclose without breaking a few (quite costy) NDAs.

            But you don't even have to go that far. Every program has, provided it runs with Admin privileges, which it does as soon as the user starting it has admin privs (which is the default), every right necessary to use functions like CreateRemoteThread. So if you really need some special permissions, just get them from a program that has them.
            • But you still can't CreateRemoteThread yourself into kernel mode. On the other hand, if you have debug and admin rights, you can of course add a driver or poke the memory directly to run kernel code (note: not so easily in XP 64/Vista 64, but that's another story...). So you're basically saying: "nah, nah, I can't tell you anything, but as user with default security settings is root, and root can load drivers, and drivers run in kernel mode, every application is running at a kernel level".

              "The emperor is nu

        • Maybe there should be a mechanism by which a post says "i disagree with the parent". Then, when reply posts become scored highly, and disagree with the parent, the parent gets modded down automagically.

          Why? Because of posts like the parent.

          Let's begin

          Most of all, every piece of crap program is tied into the kernel, or needs kernel level privileges. Can anyone give a reasonable clue why of all things a webbrowser, something that by its very nature deals with insecure content of the worst kind, needs kernel
          • Apologies for being imprecise. Allow me to claim it's a matter of a bad translation, it's called "kernel level" here what, I guess, you'd call system level. The intended meaning was a program that has access to system critical resources.

            As for your questions:

            1. A kernel's responsibility is resource management, resource abstraction and providing interfaces to them for the rest of the system, as well as userspace programs.
            2. In current systems, the number of programs that don't "use" the kernel would be quite
            • It is critical to the system in the following ways.

              * Windows Help is no longer a proprietary format... it actually is HTML that is rendered nicely using the IE COM component
              * Outlook Express using the IE COM component to render email messages
              * About a billion applications use the IE COM component, each of whom have not (and should not) write their own HTML renderer because, as the number of vulns in IE & FF have shown, it's really hard to write a secure web browser and updating it is a hard problem (TM)
              • The problem is bigger than just whether you can "see" the application running. The point is that when it's possible to inject code into running processes, you can inject the code into processes that have privilege levels you should not have (for good reasons). Current trojans usually inject into explorer.exe, since it does not matter currently (because the default user is cruising at admin level), and explorer.exe is guaranteed to run on every machine, from startup 'til shutdown, so it's a perfect target.

                Ra
            • As for "removing the icon as the solution", you could not remove the ability to run the IE? I can well understand that it is nonsensical to remove every library the IE touches. It is of course impossible to remove Winsock or dnsapi (or kernel32) just because they are used in IE. But the program itself? Can't be removed? How is a program that runs in userspace, or should run there, critical to the system?

              You seem to be confused.

              Locate iexplore.exe and delete it. There, you've just removed IE from your sy

        • Can anyone give a reasonable clue why of all things a webbrowser...needs kernel level permissions?

          So it can install all of those kewl, utilizable ActiveX controls without bothering the user, of course! After all, what desktop is complete without Comet Cursor, Bonzi Buddy, and a handy tool that downloads pr0n directly to your desktop?!

          • Where do I get that last tool you mentioned? I mean, if nothing else it would be handy when my boss finds the stash of pr0n on my system to claim it wasn't me, one of the trojans I'm butchering must've escaped...

  • Windows Vista: most secure version of Windows yet (Score:4, Insightful)

    by Mostly a lurker ( 634878 ) on Wednesday July 12, 2006 @07:41AM (#15704259)
    This is probably true. On the other hand it has been claimed about every version of MS Windows since Windows NT 3.1. The bottom line is: will it be as secure (out of the box) as competing products such as Linux, BSD, Solaris and OSX? I personally doubt it. Microsoft has built itself into a box, through decisions taken years ago, from which it is hard for them to escape. I am trying to keep an open mind though.

    • That box you speak of... (Score:5, Interesting)

      by Animaether ( 411575 ) on Wednesday July 12, 2006 @08:07AM (#15704338) Journal
      ...it probably requires clarification.

      The box they built themselves into - or rather that they had to build around themselves - isn't so much the box that is the security model in Windows. I have no doubt whatsoever that Microsoft is entirely capable of locking down the system so badly that nobody but the most powerful ueber-god of a SysAdmin can open it back up to a casual user, let alone out to the internet for hackers to 'crack'.

      But therein lies the problem as well. Windows users are -not- ueber-gods of SysAdmins, and this shows in the decisions that they feel are forced to make. I can't spot it in all the Slashdot story summaries on Vista right now, but there have been at least two stories in which there was a reference to Microsoft dropping a security feature or loosening a security setting -because- major clients of theirs told them that things were 'just too complex'. And this is in an operating system that guides you through reasonably easy-to-read GUIs with hint balloons and help files up the wazoo. You can well imagine what happens if you'd sit them down behind a screen that just shows a prompt and a one-liner telling them that security settings can be changed by editing the text file "omfglolwtfbbq.conf"

      So yes, they're in a box that is difficult to get out of - but that's mostly because their clients make the walls so damn slippery after plating the bricks with titanium and burned down all but one of the ladders, then stationed several million angry users alongside it, hissing and whining at them whenever they try and scale it.

      They are, well and truly, damned if they do - and damned if they don't. But at least they realize that they are a little less damned in the first case.

      • ...telling them that security settings can be changed by editing the text file "omfglolwtfbbq.conf"

        In Windows, I believe the equivalent file is actually called "pwndjoon00b!.ini".

      • Hate replying to myself, but here's a nice example of this happening only 3 days after my post (not implying relation):

        http://it.slashdot.org/article.pl?sid=06/07/15/172 236 [slashdot.org]
        Microsoft Retracts Private Folder Option
        "Just recently, an update to Windows added the option to password-encrypt a personal folder. The intent was to allow users who share PCs to have a measure of privacy, but C|Net reports the company is now removing that functionality with a patch. IT managers hit the roof when the option was added, c
    • I don't doubt that Vista is going to be the most secure Windows version ever. Anything else would not only be disappointing but a desaster. It would mean that Windows is getting even LESS secure as it moves through the years, that development caused the system to worsen instead of improve.

      That Vista is going to be the most secure Windows Version ever is a given. I'd laugh at anyone who tries to sell it with this as the catchphrase. It's like saying "Oh, well, he's on time every day" when trying to say somet
    • Yeah, but can Windows EVER be that secure? Linux, BSD, etc. aren't used by Joe-sixpack. When Joe sees the message "Sorry, you need administrator rights to install this application" he isn't going to know to log back in as administrator (assuming he even remembers the password he gave when he installs it). All he knows is that his computer isn't working. So he goes to the phone and calls Dell and screams at them. And even if he understands the concept of admin rights, he still may find it an annoying hassle.

      • When Joe sees the message "Sorry, you need administrator rights to install this application" he isn't going to know to log back in as administrator

        Have you used a recent Linux distribution? I use Windows about 50% of the time (most of my customers use Windows) and Linux most of the rest. I literally cannot remember the last time I logged on as root under Linux (except during initial installs). In pretty much all modern Linux systems, the system knows when administrative rights are needed and prompts for

        • If Joe cannot handle the typing in of a password, then Vista is toast

          When I worked in tech support, I would have conversations like this on a REGULAR basis:

          Me: Okay, turn the computer off and back on again
          Them: Which button is that?
          Me: The one you use to turn your computer on.
          Them: Okay (hits the monitor power button instead)

          I'm not joking, that was a TYPICAL conversation.

          -Eric

    • Actually, I'd imagine that the most secure windows ever was DOS+3.11 running a Netware client. Sure the machine had no local security to speak of, but the era of pervasive remote exploits (ports open by default, Ping of Death, ActiveX, Internet Exploder, email worms, etc) all began with Win95. They've been trying to put the genie back in the bottle ever since.

  • Vista still "protective" of keeping it's malware (Score:5, Interesting)

    by Anonymous Coward on Wednesday July 12, 2006 @07:41AM (#15704260)
    One of the common myths is that Windows is just a victum of it's own success. The logic behind the myth is that if Mac or Linux where just as popular then the same exact problems would occur.

    There is one major difference... Mac and Linux allow privileged processes to remove (and even replace) a file that still is in use. Vista continues to "protect" files that are in use from deletion.
    • Yeah, because overwriting core OS files would be so much harder if the OS allowed it.
      • Yup, Core OS files like Windows Movie Maker (protected in Windows XP [my old copy anyway] by the don't-let-the-OS-files-get-fucked-up filter- if you delete it, it comes back! if you replace it, your change is negated and it comes back! fuck you if you don't want it!).

        Or maybe that zip file I downloaded a week ago that got bugged and I'm never going to be able to delete.
    • Well it is a two part problem. Surely if windows wasn't as popular there wouldn't be so many viruses and hacks to it, and If Apple or Linux had that level of popularity they would have more viruses and hacks. But I would contend the Apple and Linux flaws will be less far reaching and more relegated to local spots. It is not just file locking that is the problem. It is a whole slew of problems eg.

      Many applications require Administrator rights to install, and some require Administration rights to run even th
      • "I still take persuasions..." I assume you meant precautions? I'm not sure how to take a persuasion...

        On that note, you're definitely right about Windows users not taking precautions, but the problem is that that isn't going to change. Most Windows users don't know enough to know what precautions to take. I have enough trouble getting my grandfather to remember how to get on the internet. I'd rather have to clean his computer on a regular basis than try to explain to him how to avoid viruses and malwar

    • One of the common myths is that Windows is just a victim of it's own success. The logic behind the myth is that if Mac or Linux were just as popular then the same exact problems would occur.

      I dont think it is a myth, it is just too convenient to exaggerate those claims to make it look like "everyone is out to get us because we are Microsoft". I am sure as many viruses would be attempted to be written for other OSes if they were as popular as Windows, but less would actually be successful on the others tha

      • While what you say is true, who needs a hole to exploit a machine? All you need is to convince a user to run your malware and you're away.

        If they have root access, they can hose the whole system. If they don't have root access (or refuse to supply the credentials), they can still hose their own user account. Either way, if you're looking to add another PC to your zombie botnet, the difference is immaterial, especially on single-user machines.

        Even if there were absolutely no remotely exploitable holes, there
        • Of course, the biggest hole in any system (IT or otherwise) is the humans.

          And which users do you aim for, the 10% or the 90%? (I dont know the exact figures). Of course you go for the latter, with the greater number of Windows users you have more chance of getting a hit. Thus my point that the disparity in the number of breaks of Windows vs OSX/Linux/etc is partly due to its greater prevalence.
  • a penetration engineer

    I don't even know where to begin on that one...

  • Dear Microsoft, (Score:5, Funny)

    by Opportunist ( 166417 ) on Wednesday July 12, 2006 @07:49AM (#15704289)
    Thank you for the deep insight in your security. You'll get our response after your release.

    Yours,
    Asia.

  • Good Idea? (Score:3, Interesting)

    by BigNumber ( 457893 ) on Wednesday July 12, 2006 @08:08AM (#15704343)
    I don't know if it's the best idea in the world to go to a hacker conference and brag about how secure your new OS is. That may come off sounding like a challenge to the attendees.
  • This announcement followed shortly by a conference in which Asian hackers give Microsoft a look at the new hacked Vista. Good job everyone! Why not just hand them a DVD master of Pirates of the Carribean 2, and a stack of blanks, and say, "this DVD is copy-proof." Sure it is.

  • hacks are valuable... (Score:3, Interesting)

    by a_greer2005 ( 863926 ) on Wednesday July 12, 2006 @08:14AM (#15704363)
    on the black market; face it, a back door or hole would be worth a TON of money to spyware vendors or governments that dont have MS wrapped around their finger...letting the hackers see and attempt to break it will ENCURE that vista comes pre-hacked because of 2 things:

    1. the money that can be made by selling the secrets to bad guys.

    2. MS hatred goes deep in the hacking community...a lot of "hackers" would love to see vista hackable out of the box to hurt MS.

  • welcome to the real world (Score:4, Insightful)

    by Tom ( 822 ) on Wednesday July 12, 2006 @08:15AM (#15704366) Homepage Journal
    Windos security problems were seldom rooted in theoretical shortcomings, but in what we call the "real world". You know, the one where people are too lazy to create a second, non-admin account. Where IT staff is too busy to bother with the full feature set of Active Directory, and where developers are too careless and still write software that doesn't work unless you run it as admin.

    There's a 95% probability that Vista will fall into the same traps, and will be just about as insecure as any other windos because of these problems and because Outlook still executes binaries sent by mail, and users can still be tricked by calling your virus.exe virus.jpg.exe and providing the proper icon.

    (the other 5% are that Vista doesn't ship at all)
  • Obviously, the hackers would have to sign a non-disclosure agreement with MS before being allowed a quick glance at Vista's innards. So, what would this result in? Some kid getting sued when the he first hacks Vista (which will happen on Vista's release day minus a fortnight or so). That's not novel you say? It is, because he'll not only get sued for the usual bunch of crap, but also for violating the non-disclosure agreement, because MS will have the lawyers to cover that.

    And if that doesn't happen, how's

  • Security? (Score:3, Insightful)

    by Sobrique ( 543255 ) on Wednesday July 12, 2006 @08:55AM (#15704525) Homepage
    No OS is ever 'truly secure'. You get to a middle ground, where you can do most of the stuff you want to, without making it too easy to break into. Thing is, all this exploit/patch cycles are just putting out the fires you get by living next to a volcano. The real problem with Windows is that it started from a single user 'integrated' environment. Unix had the luxury of being pretty much multi-user from day one. So the design model reflects things like concurrent access, and has the security foundation that are just vital for that to happen. Unix is fairly modular kernel shell GUI application. And when you have that sort of thing, you end up with something that's _fairly_ easy to keep straight, and you keep things that need to 'do stuff' in their sandbox. Windows is getting better, but I still get the impression that that's more because it's covered in sticky plasters sealing up the holes.

  • basics (Score:2, Insightful)

    by Tzinger ( 550448 )
    While it is true that architecture has a great deal to do with security and that architecture still poses a problem for Microsoft, it is also still true that over 80% of security problems are a direct result of bad coding practices dealing with input data. Stuff that we learned how to do 30 years ago is still the bane of our existence. (Ref. CERT ). [http]

  • It's time to dump most of the legacy code (Score:4, Insightful)

    by Luscious868 ( 679143 ) on Wednesday July 12, 2006 @09:11AM (#15704631)
    I think after Vista Microsoft needs to seriously revamp their existing code. Forget backward compatibility. They could include virtualization technology to allow users to run most legacy applications and offer an easy to use dual boot wizard like Apple provides for those instances where virtualization won't cut it. The Windows code base has been to big and bloated for quite some time and attempting to maintain backward compatibility, while a noble goal, is the primary culprit preventing serious innovation. Would Windows lose some market share in the short term? Probably but IMHO it's necessary in order to really move the product forward. From a users perspective there weren't that many compelling reasons to upgrade from Windows 2000 to Windows XP and it would seem as though there are even fewer compelling reasons to move from XP to Vista. The added security features will probably help the uninformed casual user maintain a more secure system but let's face it, most advanced users don't have virus, spyware or malware problems because we run the software and do the preventative maintenance necessary to prevent them and anyone who thinks Vista will be so secure as to not require additional software and preventative maintenance is crazy. The support for legacy applications practically guarantees that there will continue to be all kinds of security issues. All of the coolest features promised at the beginning of the Vista development cycle have been removed. We're left with a hodge podge of various things that, while interesting for Windows users, have been available in OS X and other operating systems for quite some time and those other operating systems don't have the inherent security issues and other baggage that Windows has. In short, I don't see much of a reason to upgrade to Vista. In fact, I don't ever plan on upgrading to Vista unless a game comes out that I want to play that requires it. After buying a Mac Mini in December and absolutely loving it and with Apple's switch to Intel and the subsequent release of Bootcamp and Parallels Desktop for Mac, I'm making the switch.
    • 1) Carriage return is your friend

      2) You should've downloaded and tried the Vista beta before commenting on what they've done and not done.

      Hint: an awful lot of software will not run on it. Many of those that don't can be run in a "compatibility" sandbox, which is pretty isolated from the system.

      • Hint: an awful lot of software will not run on it. Many of those that don't can be run in a "compatibility" sandbox, which is pretty isolated from the system.

        From what I've read, it is kinda, sorta isolated. If they wanted security, however, all applications would be running in a sandbox for security reasons, not just compatibility. For that matter the security and privileges of those sandboxes should be set to functional defaults and easily editable via a top-notch UI. If I had 100 billion and 6 years t

        • Um.

          Go install it and try it. You'll see what it does.

          Every damn program that needs to do anything with any sort of escalated privlidges pops up a window. A window you CAN'T say "don't show again" to.

          There's a lot under the covers that has changed as well. The whole security model is totally different.

          • Go install it and try it. You'll see what it does.

            Quite frankly, I don't have the time or inclination. I've read the reviews and seen briefs.

            Every damn program that needs to do anything with any sort of escalated privlidges[sic] pops up a window. A window you CAN'T say "don't show again" to.

            The problem major is the definition of "escalated privileges." Windows has not implemented the granularity of control necessary and has not set reasonable defaults for behavior of existing and new software. Hundre

  • You can get Windows Vista for free at Jack In The Box? Microsoft must be desperate if they the need the market share that badly.

  • MS Business Practices (Score:4, Funny)

    by E++99 ( 880734 ) on Wednesday July 12, 2006 @10:00AM (#15704961) Homepage
    ...Douglas MacIver, a penetration engineer at Microsoft...
    They seriously need to stop letting people make up their own job titles.

  • fundamentally flawed (Score:3, Insightful)

    by Neptune0z ( 930626 ) on Wednesday July 12, 2006 @10:37AM (#15705261)
    my $.02: The problem with windows security is primarily one of legacy support. In the beginning noone even slighly cared about security, because computers were such a small part of the overall 'picture'. Of course, times changed and we all grew more dependant on these machines. An operating system is really only as valuable as it's application base. From the start, inter-processes communication was flawed lacking any authentication method, kernel / userland seperation was virtually nonexistant, and multi-user support was severally lacking; to name just a few problems. In almost all cases these issues persisted right up till XP when microsoft started to take security seriously with SP2. Microsoft just like the rest of us is new to the whole OS design thing. We've all thought of ways we can do things differently to make a more secure / better OS, and microsoft is right there with the rest of us; learning as we go. Remember all the broken legacy apps when NT4.0 came out? Hell, the only reason I still have a windows box in my home is because of the vast library of applications available to me. Now if they go changing the underlying fundamentals of how their OS works, they are going to break their greatest strength. What needs to be done is to find a way to write binaries that are more platform independant, let the application support for this grow for a few years, and then break away from the mold and implement a version of windows that incorporates everything we've learned over the last 20 years or so. Just my $.02

    • Re:fundamentally flawed (Score:3, Interesting)

      by rs232 ( 849320 )
      "The problem with windows security is primarily one of legacy support."

      Noncense, backward compatibility should not break security. Windows was sold as suitable for secure use in a networked environment. It was even given C2 [infoworld.com] security certification. The problem is the WinNT memory management unit running under the x86 processor. Something that was first tackled under Linux with Exec Shield [redhat.com]. The Windows version called NX [findarticles.com] can be bypassed as otherwise JIT bytecode won't work.

      "inter-processes communication
  • Design is what is wrong with 99.999% of all software. No one ever spends the time, effort, and money to make sure that their system is designed correctly. Rarely do they update the initial requirements during development, or test the system against the requirements. This is why MS has failed before. They keep throwing money at the problem and never addressing the process that is really the problem. I can tell just by looking at the MSDN documentation that MS has no clue how a good majority of their sof
  • 0) receive pre-release Vista to look for holes 1) identify 3 or 4 holes in Vista 2) report 1 or 2 of them to microsoft 3) ??? = exploit remaining, unreported flaws 4) Profit!

  • COM and DCOM (Score:2, Insightful)

    by RuneSpyder ( 963917 )
    I'm no OS master, but it seems to me that the root of all Window's virus problems stems from COM and DCOM. (OLE Automation, ActiveX...whatever you want to call it..) IIRC, you could install a DCOM component on some machine on your network, connect to it from some other machine via straight-up tcp/ip and you could pretty much do whatever you wanted with the machine running the DCOM component. I mean, you could have the DCOM component do whatever you wanted it to do...delete files...format stuff..whatever

Slashdot Top Deals

Get hold of portable property. -- Charles Dickens, "Great Expectations"

Close