Vista Security — Too Little Too Late 483
Thomas Greene of The Register has a fairly comprehensive review of Vista and IE7 user security measures. The verdict is: better but not adequate, and mostly an attempt to shift blame onto the user when things go wrong. From the review: "[Vista is] a slightly more secure version than XP SP2. There are good features, and there are good ideas, but they've been implemented badly. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on."
Re:dear lord... (Score:4, Interesting)
I don't think you can simultaneously pull on the resources of society when you fall victim to fraud, malware, or viruses (e.g. turned into a bot), and then reject learning how the tools work. Why should I pay interest rates, taxes, and other socially collected fees [ISP rates for instance] to cover for people who willing put themselves into harms way?
I never said we should have licenses though, you're putting words into my post (nice AC troll-fu btw). I just think society would be better served if as a whole, people had the first slightest clue about computers.
And it's not like the majority of folk don't want to use computers. So why is making it a mandatory part of the high school [or better yet elementary] curriculum such a bad idea? Of course, I'd love to see such curriculum not focus solely on Windows, maybe through in OS X and a Linux distro for good measure.
Tom
Users (Score:3, Interesting)
So, you can be "insecure by design", or you can expect your users to educate themselves just a little about how things work and their own role in the security equation. I'm sure the focus groups all say, "We'll take our chances, just don't make us have to think!"
Re:You can't build a fort on a foundation of shit. (Score:1, Interesting)
The DAC model is the same as that found on typical Linux, Solaris, AIX, Mac OS X, FreeBSD, etc. installations. The Biba model is rarer (but nonetheless theoretically sound), but it's rumoured that Leopard will use it too.
In other words, shut the fuck up; you don't know what you're talking about. But I guess that's to be expected of anonymous cowards when talking about Windows.
Re:dear lord... (Score:1, Interesting)
Re:Limited User Accounts (Score:5, Interesting)
UAC is still useful as an Administrator. Until you elevate your privileges, a UAC user *is* a regular user (essentially they have two possible tokens, a regular user token and an Administrator token, and unless you elevate, they're using on the regular user token). This means that the "protection" that it offers is the same; what differs is the ease with which you can switch between the two kinds of user (click a button vs. enter a password). So I don't think that's actually a huge problem.
Whenever something is done for which the regular user token isn't good enough, you can elevate to an Administrator token. That brings up the UAC prompt; it does it for broadly the same category of operations that MacOS X or Linux will demand root access for.
The thing is, the prompt is quite annoying. It's not any more annoying than it is on other OSes; they're annoying too. But a password is even more annoying than clicking the box. And if something is annoying, well, people are going to try to avoid it.
That's the dilemma faced by MS. If they make the thing too annoying, everyone will one way or another disable it. Originally UAC not only required a password, but also a ctrl-alt-del (so that the password couldn't be intercepted or anything). ctrl-alt-del to enter the password was too annoying; it was too intrusive. So they disabled that by default (though you can reinstate it if you want, through a GPO). Entering a password by default was also too intrusive, so again, they disabled it by default (and again, you can reinstate it across the board, even for Administrators, if you want). The reason they did this is because they want the level of annoyance to be livable. If UAC is so annoying that people outright disable it, it's useless. If it's a minor annoyance, they probably won't turn it off.
I've been using Vista since it went RTM, and I have to say, I don't see many UAC prompts any more. I did at first, when I was installing all my software, but now, it's pretty infrequent. It's certainly something I can live with. I did try cranking it right up--passwords for all users, with ctrl-alt-del to enter them--but it's far too annoying to put up with. I can't really fault MS for making the trade-off the way they made it. Hopefully, as applications improve, elevation prompts will become more infrequent (for example, I have to elevate to play Battlefield 2, because Punkbuster "needs" admin rights... this is something that they really need to fix), and when this happens, demanding a password to elevate won't be so onerous. But as things stand right now, there are just too many problematic applications. This isn't really MS's fault (it's not like NT's DAC is new...), but it is something that they've got to live with, and provide a solution for.
Re:Vista security is.. (Score:2, Interesting)
Sounds like perhaps, they didn't do the most obvious thing, and kill ActiveX. There is absofuckinglutely no reason for a web page to execute native code. I'd say use C#, but from what I understand they didn't properly sandbox that for the web either. If we could at least get through to the web designer community, that might help. No respectable web site should use ActiveX. Period.
Re:Nice Article (Score:3, Interesting)
"Fairly comprehensive" and "The Register" never, ever belong in the same sentence together.
This is one of those few times I've found myself wishing Slashdot had Digg's "Bury Story" feature – this article serves neither to enlighten nor to persuade. It's not aimed at the kind of intelligent, informed people at the center of the open source community who would genuinely be interested in how Vista's release affects Windows security; it only preaches to the choir of those poor and confused souls who hate Microsoft because it feels good to hate Microsoft.
This quote was particularly enlightening:
Honestly, how is this any different from the state of affairs on Linux, BSD, OS X, Solaris, or any other operating system? Thankfully Windows now does what it can to ensure you're fully aware when software is being installed on your system, but within the realm of current technology, it will always be ultimately up to the administrator (i.e., end user) to differentiate between trustworthy and untrustworthy software. That's just the nature of the game. To try to play this off as some particular flaw in Windows is idiotic, and completely wrecks the author's credibility.
To those who seem to be enjoying this article so much: If you just like the adrenaline rush, consider playing a game of racquetball instead. For the sake of the rest of us, please leave Slashdot for actual, honest-to-goodness news and analysis.
Re:The OS that cried "wolf!" (Score:2, Interesting)
When I installed Vista, I had to click no less than 50 security confirmation dialog boxes (it's important to note that these were security dialog boxes) within the first hour or so in order to do simple, stupid stuff that clearly should not have needed confirmation. Stuff like changing my desktop background. Stuff like moving some documents around on a removable hard drive. Stuff like copying a line of text from an IE7 edit box. Stuff like pasting that line of text into a different IE7 edit box. Stuff like creating a new text file on my removable hard drive. And so on, and so on, ad nauseum.
What you said, except more amusing (Score:5, Interesting)
Re:asbestos cloak of ignorance (Score:1, Interesting)
This argument has been used by Microsoft for years in defending their abyssmal security record. It sounds plausible, but unfortunately, there's no truth in it.
MS Bashing threads are so funny.
The first time I installed Linux for myself many years ago, it was hacked in a half-hour as I took a break and went to get some freaking lunch downstairs. I was lucky I knew enough at the time (although not that much) to know that someone was in the machine and uploading some crap when I got back and continued work on setting it up. Did I stop using Linux because its security is teh suxx0rz and I got a lot of flak about being dumb from 'the community' as I asked questions about how to secure the thing? No.
Will hackers attack anything they can find? Yes. My Windows box has never been attacked because I know enough to keep it secure. The better / worse design discussion is pointless and in a lot of cases incorrect anyways, as others have pointed out on here.
I agree with a lot of other stuff I've been reading, MS has themselves a bit of a pickle. They want to make an accessible product (i.e., your 10-year-old sister can sit down and start using it without apt-getting), and at the same time they have to try to protect those people from themselves to some extent. To add more problems, because their product is sold, they get all the critical press, because the press loves doing that.
Then there's the DRM issue. Why does everyone on here just complain about Vista and DRM? Newsflash folks, it's not just Vista!! What about all the hardware manufacturers building the same sort of capabilities into their products? Computer components, stereo components, even bloody cables now... how about complaining about them? Nah, it's just Microsoft. In fact, they invented DRM. BALLS.
For once, I'd like to see a thread on Slashdot complaining about the other enablers; they're not making their products only "because Vista says so". Products advertise HDMI and HDCP as features now. [ncix.com]
Article is wrong... (Score:2, Interesting)
Re:Limited User Accounts (Score:2, Interesting)
Re:What you said, except more amusing (Score:3, Interesting)
"You want to write a file to a directory you don't have permission to use. Please log in as an administrator to do so. Otherwise, fuck off."
Of course in OSX you could just SU and go ahead and write that damn file wherever you please. Wait, that seems a little familiar...
On a side note, since you brought up Apple's ads, I'd like to discuss the difference between Apple's ads and Microsoft's Vista ads. Have you noticed the huge difference? Vista focuses on all the nifty things you can do (albeit a little too much on the window-switching gimmick -- we get it!), while Apple focuses instead on the other guy. Why? "This product sucks, buy my product instead!" isn't exactly whelming.
Want to bet? (Score:2, Interesting)
I'll tell you what. If you can figure out some kind of way that we can have a trusted escrow, I'll bet you a large sum of money that I'm not lying and can supply evidence of such.
Actually, it's just the opposite. You seem to be wearing pro-MS rosy-color-glasses, and have no idea what you're talking about. If you're not experiencing these issues with Vista, I'd say that you are the one who hasn't even tried it, as it's common knowledge—and yes, personal experience—that it is, indeed, this bad.
Re:The OS that cried "wolf!" (Score:3, Interesting)
As I offered in another reply to one of your weird posts, you figure out a way to set up escrow, and I'll take you up on that.
I can show you my receipt, if you want me to. In fact, if you're willing to give me what I paid for it, I'll be more than willing to sell you my copy. (Not an OEM or upgrade, so the license is freely transferable.) Although, honestly, thanks to the foresight of making an OS partition image, I am indeed no longer actually running Vista. (Back and happily using Windows XP.)
Nope, everyone has full control permissions on the drive, though I am running as a non-administrator account while trying to perform file operations on it. I'm sorry if I conveyed the idea that I'm some kind of computer newbie; I'm actually very familiar with how permissions and security (and most other features of OSes, both Windows and Linux) work, having been an MCSE-certified Windows systems admin for over eleven years (since Windows NT 3.51), and performed various levels of end-user workstation support as well.
If you're not receiving UAC warnings for moving stuff among drives, I'd be much more inclined to think that you are the one logging in as administrator, not me.
I'm also sorry if I conveyed the impression that I'm anti-Microsoft. I'm not, and though I use both Ubuntu Linux and Windows XP at home, I use the latter far more frequently. I will, however, admit that after a few hours of rigorous use, I am strongly anit-Vista.
But to anyone who's reading this, don't believe me. And certainly don't believe this yahoo. Talk to people you know and trust who have used it. Try it out for yourself if possible. Read what the media is saying about it. Once you have experience the endlessly irritating world of Windows Vista for yourself, well, you'll see who's lying and who actually knows what they're talking about.