Flawed Survey Suggests XP More Secure Than Vista

SkeeLo writes "One of Vista's big selling points is security, but a report from CRN concludes that Vista offers little in the way of security advancements over Windows XP. Ars Technica analyzed the report and found some methodological problems. 'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software — something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.' That's not all: 'It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.'"

Let's see

[anss123]

Study finding Vista more secure then XP = X hits.

Study finding XP more secure than Vista = Y hits.

if (x > y)
  post Vista more secure than XP
else
  post Vista less secure than XP

Re:

[dgatwood]

XP more secure than Vista, apparently.

Google fight [googlefight.com]

Re:

[wile_e_wonka]

Taking cues from the other posters, I tried "battling" the same searches they did but adding quotation marks around the phrases. (I did them all in "googlefight" because it required less typing)

"study finding xp more secure than vista" -- 0 results
"study finding vista more secure than xp" -- 0 results

"vista more secure than xp" -- 1820 results (note I changed "then" to "than." It's amazing what differences correct spelling can make)
"xp more secure than vista" -- 2 results

Then I wondered how these results

Re:

[Penguin Programmer]

"xp more secure than vista" -- 2 results
"xp more secure then vista" -- 131 results!

The only reasonable conclusion, then, is that only idiots post that XP is more secure than Vista.

Re:

[dvice_null]

"linux more secure than windows" 9210 results

I think we have a winner.

Anti-Virus

[biocute]

That's life for being MS.

If MS put in a AV software, other AV companies will file for anti-competition lawsuits; If MS didn't, consumers will moan about it too.

Re:

[flukus]

Because it's an unfair advantage to make an insecure OS and then charge "protection" money!

Re:Anti-Virus

[Vombatus]

Because it's an unfair advantage to make an insecure OS and then charge "protection" money!

No. No! No!!

It is a Genuine advantage

Re:

[rizzo420]

they put in their anti-spyware program. i'm wondering if the anti-spyware companies that charge for their products will bitch and moan, even though the best anti-spyware programs are all free (even if they don't do real-time protection).

i still put most of the blame on the user who clicks every popup even if it says "don't click this, your computer will be immediate infected with viruses". i haven't had a virus or spyware infection when running XP, 2000, 98, and for the past several months since i install

Re:

[Tony Hoyle]

Nobody's bitching - their anti spyware app sucks, hard. I've had to sort out three trojanned vista boxes now (don't know anyone else running it) - all running 'microsoft anti spyware' which declared there was no spyware on the machine, even as porn popups appeared on the desktop..

Re:

[Rodness]

When your product REQUIRES antivirus software, your product is not secure by itself.

Of course, if they had engineered in things like privilege separation and all the other "security" features of Unix (any of 'em, take your pick, Mac, Linux, what have you) then they'd enjoy all the "intrinsic" lack of NEED for antivirus that Unix systems enjoy.

Had they actually spent the last 7 years improving the underlying privilege model instead of just building and dropping vampireware like WinFS that never saw the light

Re:

[baadger]

Windows XP may have had 6 years of testing and pawing over by people with various shades of monochrome hats but there is still an appreciable stream of security related bug fixes coming out of Redmond on the 2nd Tuesday of every month.

You're right that security isn't a product, it's a process, but over the last 6 years we would hope MS would have learnt enough about the issues they faced with XP to incorporate solutions into Vista.. What you have to remember is a product can be the end of a very long proces

Re:

[rtb61]

Have you not read the M$ (P)OS warranty/EULA, they wont gaurantee that the OS is even virus free, so the very first thing an anti-virus embedded version of windows would have to do is un-install itself ;). M$ are also silly enough to have the same clause in their anti-virus offering :/.

AV is not a lock

[normuser]

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

By the time your AV software comes into play your already infected. So AV software is not the lock on your door. Its the rifle in your house.
Still important, But vary different.

Re:

[yakumo.unr]

That's not strictly true any more tbh, with net traffic monitoring systems like imon in nod32. the code, or at least part of it (I'd expect a lot of threats would be detected before the code was completely downloaded) , may have been downloaded but couldn't have been activated at all.

Re:

[misleb]

I wouldn't call having a file on your desktop (from email, for example) that could potentially infect your system and infection in and of itself. A good AV package will detect and clean the virus BEFORE it infects your system. That is, before you open/exec the file. Though there are other viruses that infect through the network without any user action required. So in that case your are correct.

I'd say AV software is more like having a bouncer at the door... preferably with a rifle. :-)

-matthew

Re:

[someone1234]

I thought mail scan and on access file scan are 'before the event' and also part of AV. How could anyone rate the parent as insightful? Oh, sorry, i just noticed i'm on slashdot.

Re:

[DaveWick79]

Right now linux is more like an empty house. No one bothers to break into the house because they know there's not enough in it for them to do so.

Windows is more like the house with a simple lock on the door. Plenty of other ways to get in, but it's up to the homeowner to implement the security.

Re:

[Short Circuit]

Right now linux is more like an empty house. No one bothers to break into the house because they know there's not enough in it for them to do so.

Corporate, government and financial databases aren't enough of an incentive? There's millions of dollars worth of information tied up there for anyone who figures out how to get at it.

What about home routers? If you can hack into few million broadband routers, you've got yourself a major botnet with little to no antivirus. Not to mention you're past the primary protection of the average home network. From there, you could spam networked printers with ad printouts and read the contents of any netork sha

Re:

[Compholio]

Corporate, government and financial databases aren't enough of an incentive? There's millions of dollars worth of information tied up there for anyone who figures out how to get at it.

You forgot all of Google and most of the major domain registrars. Think of Google's entire world-wide cluster as a botnet - now that IS scary.

What? My linux box is 100% secure.

[raehl]

And since it's not plugged into an electrical outlet, it doesn't draw any power either!

Re:

[SanityInAnarchy]

Only problem: AV is based on the assumption that we know what a virus looks like. There are enough false positives that the heuristics can't be working well, and the very existence of a signature means someone must've been infected already.

AV is a bit like the rifle, because it's the last line of defense, and a pretty damned weak one. I'd say anytime your AV hits, if you didn't see it coming with that particular file, you're doing something wrong.

Urg

[hyfe]

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'

Or rather.. it's a bit like faulting the construction company when the wall in your house fell over because somebody knocked on the door.

Anywho, anti-virus and personal firewalls are ridicilous concepts. You shouldn't have userland applications necessary for keeping other userland applications out of the actual operating system.

Re:

[king-manic]

Or rather.. it's a bit like faulting the construction company when the wall in your house fell over because somebody knocked on the door.

Anywho, anti-virus and personal firewalls are ridicilous concepts. You shouldn't have userland applications necessary for keeping other userland applications out of the actual operating system.


Even if Vista was as secure as OS X or a tinfoil hat version of linux you'd still have to contend with insecure applications and stupid users. Apple's install base tends to have more

Re:

[MrCrassic]

Apple's install base tends to have more of a clue then Windows users and Linux boys can at the very least ID when their infected or comprimised.

What?

If you are talking about the population that uses Apple Mac products, then I think you are HIGHLY misinformed. The main reason why many of them made the switch is PRECISELY BECAUSE of their inadequate knowledge on how to protect their Windows PC from viruses, spyware, etc. Many experienced power users who run Windows (XP, at least) software have NO protection and can still have great security provided strictly by the OS. Are all of those configured BY DEFAULT? Of course not, which is a major reason

Re:

[jez9999]

Linux boys can at the very least ID when their infected or comprimised.

How, exactly? The key to a well-designed trojan is that the user can't easily tell it's there.

Re:

[QuantumG]

So long as users can create "executables" then viruses will exist. Of course, the problem in Windows is that just about everything is executable. Was a time when if it didn't have .exe on the end then it wasn't an executable.. now you have scripts (which for some inexplicable reason can write to my harddrive) and brain dead things like Microsoft running an exe if you rename it to be a png (did they ever fix that?) and Microsoft hiding the extensions of files so you have no idea whether or not they are exe

Re:

[Babbster]

Was a time when if it didn't have .exe on the end then it wasn't an executable..

Was that in the long-ago days before the ".com" extension or the ".bat" file...unless you're referring to some halcyon period before MS-DOS?

Re:

[pe1chl]

The problem is easily fixed by:
- having users use a least-privileged account that cannot write into C:\WINDOWS and C:\Program Files
- installing a service like TrustNoExe that disallows running programs that are not stored in those directories

Users can download whatever they want, they just cannot run it, install it, etc. They will have to log in as an Administrator first (or at least provide the password).
In a company environment this works very well. At home it probable does less, because the user and th

Re:

[Tony Hoyle]

Great - until the apps won't run, which in my experience is most of them. Oh and a least privileged account should *only* be able to write into their own home directory. Listing what they can't do is backwards - assume deny by default and allow a limited set of actions.

MS could have sorted the mess out by locking down vista by default, instead they bottled it and introduced all sorts of shadow directories so the apps still think they have write access to program files and the system registry... and they a

Re:

[Foofoobar]

exactly. These were never necessary before the 'leave everything open' operating system mentallity that microsoft bread. Then taking over all other spaces and having all their applications talk to each other and trust each other without any question was an even bigger mistake. Hence, if it was built by Microsoft and runs on Microsofts and uses Microsoft, then it must be safe... let it through. WRONG!!!

They are JUST NOW realizing that both a) leaving your system wide open is a bad idea and b)having all app

So how do you do that?

[Sycraft-fu]

How does an OS know what apps are good and what apps are bad? That's what a virus scanner is: It's a list of known bad apps. If one wanted a real world analogy it wouldn't be like a locked door or anything, but rather a bouncer with a list of people who need to stay out.

Vista already has privilege escalation if that's what everyone is bitching about. So evil apps that want system access will have to ask for it, just like everything else. However if the user says "Sure, you can have that," what can the OS do about it? Apps don't have an "evil bit" they are just code to be executed.

Same deal with the real world. If you choose to unlock your door and let someone in, it's not the fault of the people who made the lock or the door that you did.

I think the grandparent is just another of many Windows haters that seems to think there's some magic that could be done to keep viruses out that MS just won't do. Well, actually there IS such a technology and that would be the scary version of trusted computing. If hardware enforced protections past what the OS could override, and checked signatures on apps, then only valid, signed apps could run. Provided the signing authority did their job, there'd be no viruses. Of course that would mean giving total control of your computer to a third party, something I think none of us want.

What it comes down to is there is no way for an OS to both give someone control of their system and protect them from themselves. The ability to grant the authority to run code at a privileged level implies the ability to do it for both good and bad code. Thus the necessity of virus scanners. They maintain a known list of bad code, and can warn you if you try to run that. I suppose you could build it in to the OS, but it changes nothing, it is just a virus scanner that's part of the OS now. There's no magic juju, other than taking away the user's administrative rights, that will work.

Just to be clear: By taking away administrative rights I don't mean running as a deprivileged user, Vista does that, I mean NO admin access AT ALL. No escalation, period. That'll do it. Indeed we do that at work as much as we can and on those computers, we have no problems as users simply can't install software. However to do it at home, well you can see how that'd be a problem.

Re:

[rtb61]

Think of it as a vault with in the house. There is no reason that any user installed application should ever run in the operating system vault. Sure the user might lose their user application and data area but the system will still and and at the very least provide an opportunity for the user to recover their user area.

If M$ had not been so monopolistic and tied everything together to give their applications an OS advantage and to keep competitors from equal install capability or equal access to protocols

Ok, major problems with that

[Sycraft-fu]

The first would be how do you design this system that is supposedly so secure that nothing ever needs to run in kernel mode, and yet runs with reasonable performance. Can you show me ANY system like that? At a bare minimum, you have hardware drivers that get installed and there's generally plenty more. Also, even if you lcok down the kernel mode there's still the user mode to think about. There are plenty of cases where you want to put something on the system that everyone can have access to. When we instal

Re:

[Tony Hoyle]

Show me the OS that can protect itself against a user with administrative privileges installing bad software. Unless you can do that, it really is disingenuous to demand that Windows should be able to do it.

Linux (with selinux enabled) can be configured to do that.

You miss the point though. A *user* with administrative privilege. That's the problem with Windows. The only person with admin rights should be the admin. Hopefully someone with enough clue to know what they're installing.

Oh and you need to fi

Re:

[Tony Hoyle]

Following on your analogy, userland firewalls are like posting a separate security guard in each of the rooms of the building, and leaving the main entrance unlocked. The apparent effect in security in the same but walking between separate rooms has just become a major hassle.

is this /.?

[defwu]

Seriously. A pro-MS article? whats next, mr spock with a goatee? Doc

Re:

[MrSpock]

Me? Goatee? Highly illogical...

Pretty crappy door IMO

[Ren.Tamek]

"Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted."

I'm sorry, but if I bought a security door that claimed it would keep out 99% of criminals, I would be a bit pissed off if I got it home and realised that an actual lock for that door was considered an 'optional extra'. The idea of browsing the internet with IE, no anti-virus and the windows firewall for any length of time, even no longer than it takes to download zonealarm and avg, gives me the heebie-jeebies.

Re:

[mschuyler]

MS is damned if they do and damned if they don't. If MS put AV in Vista there would be loud cries of "unfair competition, you're taking away our niche!" and we'd be on another round of anti-MS propaganda. If they don't, the cries are "unfair! I wanted to buy a door with a lock and now anyone can get in."

Re:

[gardyloo]

If MS put AV in Vista there would be loud cries of "unfair competition, you're taking away our niche!" and we'd be on another round of anti-MS propaganda.

I've always thought there's a huge disconnect between the way most computer users think, and the way people think who'd bitch about that "unfair competition". The operative word in the quoted statement above is "our". Those people constituting the "our" group are much, much less important than the regular computer users.
I, being one of those "most computer users", think that however Windows is secured is just fine by me, as long as it doesn't limit _too_ much of the functionality. I d

Re:

[JoeCommodore]

The problem is Windows still NEEDS to have something that stops viruses. In XP it is a required 3rd party addition; without it the OS is toast in operating as it was intended (to go into a network or on the Internet.)

Microsoft should not have to "include an AV program" or "provide one by default" they should eliminate the need for any such thing entirely.

Of course, I am well aware (as is surely those at MS) that it would break too much compatibility of all those many, many legacy apps that keep the custome

Re:

[VertigoAce]

Find me anything from Microsoft that claims Vista (or any other product) is secure. It turns out that making the claim that any piece of software is secure will result in a lawsuit as soon as somebody discovers a single vulnerability. This is why you see phrases like "safer", "more secure", and "helps provide security". These phrases emphasize the degree of security, not some binary concept (if you insist on a binary concept, you may as well assume that no non-trivial software is secure).

The Flaw is the Survey.

[twitter]

Comparing XP to Vista security is kind of like having a SUV milage competition, except SUV's are sometimes useful and that utility is destroyed by poor fuel economy.

Missed?

[schlichte]

Maybe I missed it when I RTFA, but it didnt mention which version of XP was used... a look at HPs site shows that the HP Compaq nc6400 did ship with XP Pro (whether that matters much compared to home edition or not)

Also... were these systems ran all the way default, as in, boots up as Administrator with no password? (again, not sure how much that matters in a test like this)

I do agree with the title, flawed survey indeed.

I dont blame Vista or XP so much as I blame IE version X.XX

Id like to see the exact same suite of tests ran against the latest version of Opera, Netscape and Firefox.

Re:

[dabraun]

Also... were these systems ran all the way default, as in, boots up as Administrator with no password? (again, not sure how much that matters in a test like this)

By default the Administrator account in Vista is disabled and you can not log in as Administrator. You need to go to mmc to change this, it isn't visible in the normal "users" control panel applet (and you shouldn't change this, if for no other reason than because MS did not spend a significant amount time testing Vista running as Admin and there

Re:

[Tony Hoyle]

News to me.. I've logged into administrator hundreds of times on vista and never changed anything.

Oh and administrator does have UAC. I only wish it didn't.. it's a royal pain in the ass trying to get anything done until I've created a privileged cmd.exe shortcut (itself a pain in the ass as they've blocked the name cmd.exe from elevating, you have to create a renamed copy).

Security == knowledge and other stuff

[kosmosik]

Of course from practical point of view XP right now is more secure. And I don't mean default install. For example take my company and few facts:
- we managed to make the machines behave as we will
- we have invested money into third party security software
- we have invested time (which equals money) into free (as in speech) third party security software
- we have some knowledge and experience into XP security -- after these - what like 7? - years who doesn't?!

Right now we have quite healthly and working infrastructure based on XP and surrounding (like VPNs, IDSs, AVs, proxies, backup, imagining etc.) services. We know how to do it, we have experience.

Now Vista from my standpoint is just big black hole - another system from MS that does not offer me anything significant but opens a can of unknown worms... I don't see any serious businesses building their security infrastructure around brand new shining Vista systems.

Of course in *theory* Vista can be more secure, but from practical standpoint it is new and untested product that has ben rushed to the market.

It really depends on your security definition. Security is not a product - security is a proces in which you have knowledge about what you are doing. In which you have educated users. In which you have policies and audits and so on. Vista isn't anywhere near to be even a stable product from security standpoint.

Re:

[ekhben]

(like VPNs, IDSs, AVs, proxies, backup, imagining etc.)

I like to imagine that my XP install isn't riddled with viruses, too.

Re:

[kosmosik]

Imagining like distributing configured system images to workstations.

No funny points for you. :P

Re:

[kosmosik]

Sorry I am not a native English speaker. :)

Re:

[ekhben]

No problem, as long as I can have my funny points back! :)

flaw-reporting report flawed?

[Tom]

Don't look that flawed to me.

XP: No AV included
Vista: No AV included

Report says: "Vista no improvement over XP"

Report is pretty much correct.

XP vs. Vista is so ... (yawn) ... zzzzz zz z zz

[icepick72]

I'm getting tired of the XP vs. Vista vs. XP vs. Vista vs. ... articles posted here all the time. Microsoft will eventually drop support for XP and will continue to support Vista. Microsoft will continue to focus on Vista. If Vista is now less secure than XP Microsoft will eventually it stronger ... that is until the next Windows OS is released. Dammit we had to listen to XP versus everything-else-before-it. Tiresome, damn tiresome. No worthwhile discussion came from it last decade but you never know ....

Moot point

[dj245]

The point that Microsoft will drop support is moot. There are a lot of companies that still run NT servers and workstations. I worked for one last summer that used embedded NT workstations as a frontend to access the GE LM6000 turbine PLCs. They also had NT servers and NT desktops for SCADA. My current desktop at a different company is windows 2000. Companies will balance cost, security, and familiarity. Microsofts support cycles often have nothing to do with that.

Re:

[texaport]

All you have to know about the difference between XP and Vista is that the business model for the latter will include a subscription-based version eventually. Microsoft has executives and marketing people who go to meetings where over-and-over again they ask, "How else can we provide less product for more money?"

It's not like they are wholesalers who buy 100 units of something for fifty bucks and then turn around and sell 100 units of something for eighty dollars at retail. Perhaps they will someday begin

NO AV != No protection against viruses

[A beautiful mind]

Let's face it. Anti Virus software is the day after pill. I daresay if someone relies on defending against viruses by antivirus software, the security model is already utterly, completely broken. So no, not including an anti virus software doesn't mean an operating system shouldn't employ design and tactics against viruses. Ars Technica is simply wrong.

AV software is the day after pill

[cdn-programmer]

Noooo.

Since few people update their AV software each day they use their computer and indeed since the best that AV software can do is reactive in nature... AV software is more like the month after pill or even the 9 months after pill.

At best AV software is doomed to failure. This incident illustrates how serious the lack of security in common practice is. Clearly the perpetrators were a novices. Perhaps they were just a couple script kiddies playing around wondering if the lack of security was real.

If an

Re:

[Nebu]

I daresay if someone relies on defending against viruses by antivirus software, the security model is already utterly, completely broken

So how do you defend yourself against viruses? The only ways I can think of off the top of my head are:

• Don't download any software, ever. In fact, don't even connect to the internet at all. Assuming the OS itself didn't come with a virus, this is the only 100% foolproof way to avoid getting a virus.
• Don't download any software, ever. But allow yourself to be connect to

Re:

[A beautiful mind]

I defend against viruses by either downloading software from a gpg signed trusted debian repository, or compiling software from sourcecode.

Thing is, there is no 100% percent way, as you say. Noone wants "100% security" either, because it's impossible to have. But there are good methods to have a reasonable percentage of security and there are methods that don't guarantee a thing and only bring a marginal increase in security against unwanted code. Antivirus software is the latter. There is a huge fucking

Re:

[Nebu]

There is a huge fucking gap of security and usability between the "sound security practices" and "using a virus scanner" (The third option from the back and the second from the back on your list).

Right. But the list recommends that you do both. And so do I.

No Locks on the door?

[smartin]

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

I think the point is that M$ should have learned their lesson last time, and the time before that, and made vista such that having anti-virus software would be unnecessary. Or in the terms of the analogy, Having forgotten to put a lock on the door of their previous house and repeatedly come home to find their underwear scattered all over the yard, you would have thought they would have made a secure door this time.

Shrug, I disagree

[trawg]

the report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software

I thought the big issue everyone had with Windows products were that they needed AV products in the first place because they were fundamentally insecure?

Shipping Vista with an AV package would have practically been admitting that they can't make secure products and the only thing left to do is have a separate layer in the OS to try to intercept stuff before it caused problems (or clean up after it), rather than blocking the holes in the first place - which is, I believe, part of the point of Vista's entire

Vista is a faulty OS?

[feranick]

"Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted." This simply means that Vista is a basically a faulting program!!! Any Linux distro or OSX do not ship with antivirus either. That doesn't make them faulty or unsafe to use it. Vista should be safer "regardless" of the presence of the antivirus, otherwise it simply faulty by design.

Re:

[SCPRedMage]

The problem with locks is that no matter how good they are, they can be picked, one way or another. If the bad guys can make a set of lockpicks that work on an almost everyone, there's no point in making tools to break the few locks that their existing tools won't.

Point is, Linux and OS X don't ship with AV software because they simply aren't big enough targets for people to actually care about.

Flawed counter argument

[Weaselmancer]

'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software -- something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'

Vista is supposed to have these features built-in, as well as a host of other improvements. Such as service hardening, anti-malware (which does claim to kill viruses), network a

Inflamatory titles, this applied to corps ONLY!

[MikShapi]

More fanboys.

For whoever doesn't see this screaming at him, here's a breakdown:
In home-user-land, credendials were an option nobody used until Vista. NO amount of buffer-overflow susceptibility can EVEN COME CLOSE to outweighing the security implications of having UAC - a restricted-user+sudo working model rather than XP's work-as-root one. Vista and XP for the home user are incomparable and are in totally different leagues, vista winning by very, very, very long shot.

In corp-land, everybody (who gives a da

Re:

[bluefoxlucid]

NO amount of buffer-overflow susceptibility can EVEN COME CLOSE to outweighing the security implications of having UAC - a restricted-user+sudo working model rather than XP's work-as-root one.

... *sets IP datagram length to 1400* ... *sets TCP datagram length to 63* ... *lets kernel copy remainder of IP packet to 63 byte buffer* ... *obtains kernel level access without even connecting to an open port, before the packet even reaches the installed zonealarm/mcafee/norton firewall or built-in Windows fi

Re:

[MikShapi]

/Specific/ overflow bugs are a VERY POOR basis for an OS choice decision that will accompany you for the next so-and-so years. Why? because they will be fixed next week.

I'm not saying vista in unexploitable, or that particular exploits do not at all contribute to an OS's security rating. I'm saying a car with a seatbelt is better than a car without a seatbelt, regardless of which has what easily-pathchable (hence, minor) flaws.

I don't think there is *ANY* debate as to whether /WITH/ user-level security mode

Re:

[bluefoxlucid]

He made a blanket statement. I blew cold air under it. Yes I know the hypothetical overflow doesn't exist; point is though, UAC or sudo or whatever doesn't magic-bullet your security because, yes, OS services run with high privileges. On Windows crap like IIS has uberuser access (not administrator superuser, but System access!); on Apache, not just things like Web servers and DNS, but also directory servers and core system processes like printing run with restricted privileges. If Windows took a least-p

Okay, here's the deal on CRN.

[Chas]

My company gets delivered (hey, it's free, so they don't argue). As such, I've run across their "reviews" before this. And I believe I can summarize.

They look at things from a distinctly user-centric POV. They're focused on what the apps/solutions/OS they review do for the end user.

As such, they're not a "technical review" in any real way, shape, or form.

The term "fluff piece" comes to mind.

They add just enough to give the business users who read CRN a bare taste of what they're talking about. Any more,

In other news, it has been discovered...

[SadGeekHermit]

...That submarines with screen windows offer slightly better floatation than submarines with screen doors.

MacroSubs has affirmed that this is incorrect, however, and stated today that the question will be settled once and for all when their new submarine, entirely made out of screening material, captures the imagination of the nation with its launch in 2009.

So-called "alternative" submarine manufacturers continue to insist on using steel for their doors and heavy lexan for their windows. They claim this quaint, antiquated approach lets them offer better floatation, efficiency at depth, and crew survivability, but independent studies have shown that their apparent "floatation edge" is due to the fact that far fewer of these submarines are produced, not any superiority in design. A. Noying, of an independent think-tank funded in part by contributions from MacroSubs, had this to say:

"Look, we all know that as more of these all-steel and plastic subs get produced, you'll start seeing network effects and their buoyancy will be reduced down to normal levels. Currently, with only a few percent of the market, the oceans aren't interested in them as a point of ingress. This will change soon and you'll see some interesting numbers from my lab to back this up."

When asked about the widespread buoyancy failures of MacroSub submarines around the world, Mr. Noying said only "it's hardly MacroSub's fault if submarine captains tend to drive their submarines into reefs and long-forgotten sea monsters. Their duty is only to make subs buoyant, not idiotproof. However, they are working on an interesting feature called USC, or User Submergence Controls, which should make things a little easier. The submarine will basically ask the captain if he's really, really sure he wants to increase depth, once per fathom. If the captain insists on running into that reef after all the help he's been given, perhaps he shouldn't be driving a sub anyway..."

"Vista remains riddled with holes"

[bl8n8r]

People. Get off the denial job already. Vista is not magically going to become the upgrade you were hoping for; No matter how many studies, weblogs, reviews, taste tests, or procto exams happen, Vista sucks, end of story. Microsoft will come out with service packs this fall, there will be all sorts of heavy breathing once again, but it's going to be the same historical disappointment. Microsoft needs to get their shit together and stop robbing people.

Whose security?

[Livius]

The "security enhancements" in Vista were to protect Microsoft from piracy, not to protect Vista users. Microsoft still doesn't care about them.

Flawed Survey Shows Penguins Eat Own Babies

[ryanisflyboy]

Those dirty little penguins! Who knew?

Other flawed surveys show:
- Bush Is Actually Orangutan In Suit
- RIAA Hates DRM Music, Gives Thousands To College Kids
- Emacs Is Better Than Vim
- IE Is Most Secure Browser Of All Time
- Volcano Likely To Erupt In Redmond

You know what they say: "News for nerds. Stuff that matters."

Dumb statements r us...

[pookemon]

"'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software -- something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'"

No, it's like comparing an old door without a lock to a new door without a lock and saying that the new door is no more secure than the old door. (Which sounds reasonable to me)

I guess nobody noticed

[Whuffo]

The summary says that Vista has "taken care" of buffer overflow problems. I'd like to submit that one of the key features of XP SP2 was that they'd gone over the code completely and eliminated all unchecked buffers - which (according to MS) eliminated buffer overflow problems.

Microsoft is their own worst enemy; they make wild claims about the functionality of their latest version but that functionality never meets their or their customers expectations. Then some exploit points out that they were being economical with the truth. Much like a recently patched (again) exploit that affected 98, NT, 2000, XP and Vista. Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.

I mean, how can a company whose email clients automatically launch attachments say that they take security seriously? Let's not get started on the brain-dead file association open / execution misfeatures in every version up to and including Vista. Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs. Combine that with browsers and email clients that automatically play WAV files and you've got a very exploitable platform.

What continues to amaze me is that the file type security is applied based on the file extension - but when you execute a file, the system looks at the file header to determine how to open / execute it. This bit of design stupidity has been the cause of millions of systems being exploited. Just a simple check to see if the file header matches the selected file type would go a long way - but no, this is too difficult. Here, have a UAC nuisance instead...

Re:

[monopole]

But of course XP is also an MS product.

Re:

[smallfries]

The bit of the XP vs Vista comparison that I liked the most (in the summary of course, no I haven't RTFA) :

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

To be fair, with windows you don't have to twist the lock... a strong fart on the way past would do it.

Re:

[rs79]

Of course the great irony is W98 is more secure than either.

Re:

[Hal_Porter]

Of course the great irony is W98 is more secure than either.

No it's not. I remember in Systems Programming for Windows 95, there was a great quote. They talked about protected mode, descriptor tables and so on. At the end of it, the author said something like

"I bet now you're trying to work out if it's possible to subvert this stuff. Well, it's so easy that there's no point. Windows doesn't protect the descriptor tables from Ring 3 [the least privileged] code so it's easy to create a trap gate or call gate

Re:Anything to slam MS

[Stormx2]

What? I know we get a lot of "RTFA" around here, but read the fucking summary! Shall I condense it down for you further, since I see your time is precious?

Study #1 finds that Microsoft has made no improvements (XP -> Vista)
Study #2 finds Study #1 to be incorrect and badly done. /. reports on study #2.

In essence, the story accepts that XP isn't as secure as it could be, but Vista improves on this significantly. Its one of the most pro-MS stories I've seen on slashdot for a little while now. Of course, I'd never touch Vista personally, but that doesn't mean it isn't an improvement over XP in security.

Re:

[Miseph]

I wouldn't even call it pro-MS, I'd call it anti-anti-MS and pro-"not being a douche bag and making incredibly controversial claims based on obviously and likely intentionally flawed studies".

I'm all about bashing MS, but using spurious logic to do so is just detrimental to the entire anti-MS movement.

Re:Anything to slam MS

[dotgain]

I've been using it for a few months.

It's almost done logging me in, in fact.

Re:

[dwarfsoft]

You must be still clicking endless Cancel or Allows...

Personally, I am waiting until at LEAST SP1 is released before I install it.

Re:Anything to slam MS

[dotgain]

You're absolutely right, but now it's time for me to be truthful.
My comment was based on my experience earlier this week on Monday, only the second time I've been close enough to be able to identify a Vista install, and the very first time I'd used it. It had just been installed (as well as Office 2007) by one of my colleagues on a brand new HP laptop. No, didn't get asked to Allow or Cancel anything, but what I did experience didn't surprise me in the least.

From the instant I hit Ctrl-Alt-Delete (and this is after waiting for the machine to finish choking itself) it was the same familiar Windows experience - watching the HDD LED as if it's going to give some sort of indication as to when it might be safe to go on to the next step as the machine crawls through the login procedure - totally unresponsive for the majority of the time.

People bag Windows about insecurity, DRM and UAC all the time - they're not the things I have problems with. I play the game, keep machines patched, AV installed if the shareholders demand it, and so on. My only real gripe with Windows it simply that I habitually find small sub-tasks to do like clip my fingernails or organise desk-drawers while waiting for countless delays my Windows box gives me. Screwed if I'm going to spend a month of my life waiting for start menus to render.

Where with a different OS, I'd start the kettle boiling and check my email while that's going on, in Windows I launch outlook and then go and see to the kettle, because I know which will make me wait longer.

Re:

[Stormx2]

I don't mean to nitpick, but have a glance over the Wikipedia page on plural of virus [wikipedia.org]. A good discussion on the matter.

Re:

[QuantumG]

The virus scene is dead. No-one is writing viruses.

There are people who write worms and bot-net building trojans, but they have nothing to do with the virus scene.

Re:

[WillAffleckUW]

Well, here in Seattle, they're pushing spam and bulldog puppy adoption rings, actually.

Virii and trojans are so last century.

Re:

[RobertM1968]

Most consumers dont know the technical merits or technical disadvantages to choose between the two and probably dont care. If you had said "most informed and educated IT Professionals" then maybe your statement would have been correct - I emphasize maybe, because though I think it would be the decision *I* would make, I have yet to see enough (accurate) statistics to confirm or agree with even such a statement as that.

Re:

[WillAffleckUW]

Except, we're on slashdot, therefore I can presume that we are normally referring to such individuals.

Personally, until I see an actual list of the questions, their sequence, the methodology, and the counts (with regional breakdowns, time of day, self-selection criteria versus random phone calls, how they handled people with unlisted cell numbers), any statistical study is meaningless.

Re:

[RobertM1968]

Except, we're on slashdot, therefore I can presume that we are normally referring to such individuals.

You can presume that, but that is not what you clearly stated:

Since most consumers aren't buying WinVista if they can avoid it.

"Since most of us aren't..." would have allowed you to claim a presumption about /. users that may have been more accurate (which is still debatable as there are people here who seem to love Vista, and there has never been a poll to determine how many here will wait and how many here will not).

Nonetheless, a contradictory presumption of your own clearly worded statement is ridiculous. Most consumers are not /. readers. All /. readers combi

Re:

[WillAffleckUW]

or ... you think acting like a lawyer wins you benes when it just gathers mala notes. ;-)

Re:

[westlake]

Since most consumers aren't buying WinVista if they can avoid it.
But, if that were true, chip sales by Intel and AMD would be down ... oh, wait, they are

Gas prices are up, home sales down, the economic outlook is uncertain. U.S. Economic Growth Weakest in Over 4 Years [nytimes.com] So all discretionary spending is down.

But the Geek is just whistling in the dark when he claims that those that will be entering the market for a new PC won't be looking at Vista.

What draws these customers isn't the warmed-over XP box.

It'

Re:Isn't greater security a selling point of Vista

[yakumo.unr]

Just wondering, how many linux distro's come with A/V? is it standard now?

And how fast would MS find themselves in court again for monopolising everything if they HAD included A/V.

Re:

[secPM_MS]

Security is a selling point for Vista. For me, it is the most compelling selling point, although I do like search a lot as a feature. Now for my perspective on why Vista is more secure than XP:

A lot of work was done to support running as normal user. This does not get much attention, but it means that I can (and I do) run as a normal user without administrative credentials (it is much harder to do this in XP). If I have to manage the system, I have to use full administrative credentials (read, su root). I

Re:

[grcumb]

The first is well known, Windows is hundreds of times more popular....

You mis-spelled predictable. The issue isn't that more people use Windows; the issue is that the same exploit reliably works on vast numbers of Windows machines. It's not the popularity, it's the monoculture [wikipedia.org], combined with a broken design that is trivially easy to exploit. Another example of monoculture and utter lack of security combining to create havoc is the Morris Worm [wikipedia.org] of 1988. Happily, *nix systems have moved on since then.

Second

Re:

[Nebu]

But common folks, after five(5) years and millions and millions of bucks they sure could have done better than this-- really. Its not Microsoft bashing--- its true and its fair.

How could Microsoft have done better? If Microsoft had bundled antivirus software with the OS, the other antivirus software companies (McAfee, Norton, etc.) would sue Microsoft for anti-competitive practices. If Microsoft doesn't bundle antivirus software with the OS, CRN write a review saying Vista without antivirus software is no

Re:

[Nebu]

No, I made no mention of Linux or MacOSX. But if you're curious, I am of the belief that neither Linux nor MacOSX without virus protection are immune to virus. The fact that there exists viruses for Linux and MacOSX seem to support my belief.

Re:

[Nebu]

My point was that your analogy is saying that even the thought that you could be remotely secure without anti-virus is like trying to print without a printer.

No, all I said is that complaining that Vista-without-antivirus is no better at defending against virus attacks than XP-without-antivirus is about as dumb as complaining that Vista-without-printer is no better at printing out documents than XP-without-printer.

Note that I specifically chose the wording "defend against virus attacks" as opposed to "r