November 20, 2006 10:54 AM PST

Is Vista security a selling point?

(continued from previous page)

"I've got clients at the moment who are getting very excited about BitLocker," Vista's hard-drive encryption technology, Okin added.

This encryption feature is a long-awaited improvement to a Windows operating system that ethical hacker Peter Wood says is a definite move in the right direction.

"The BitLocker technology is quite an interesting approach. We've been pushing a long time for (corporations) to take whole-disk encryption seriously, particularly on laptops and other devices outside the physical perimeter, and the majority of people we've spoken to still don't have a strategy in place," Wood said.

However, Wood also suggested that BitLocker, like other Windows features, could yet be undermined.

"We use PGP (the Pretty Good Privacy encryption program) for our whole-disk encryption because it is independent of the operating system," Wood said. "My experience to date with Microsoft's controls of these systems is that there is usually a way around it because it is so part of the Windows environment."

Security as a selling point
Wood said that determined hackers may discover that searching for holes in the operating system will offer the path of least resistance. But he admits he has yet to get his hands on Vista and is basing his criticism on the ease with which he has cracked past Microsoft code.

And he remains to be convinced Microsoft can learn from all its past mistakes.

Probability plays a part, said Wood: "It's an enormous chunk of code and it is going to be full of holes because anybody's code would be."

BitLocker, though, will most definitely be an improvement, because encryption that could potentially be cracked is still better than nothing. But as with any new technology, Wood's major concerns with Vista relate to the biggest potential security weakness: the end user.

And because encryption will be tied to individuals' Windows user accounts, Wood fears this, too, will make BitLocker inherently insecure.

He doesn't share Okin's confidence that two-factor authentication--and Vista's greater receptiveness to stronger authentication--will make much difference, or even be used.

Wood fears that for all Vista's improvements, passwords--a "perpetual, primitive and stupid problem"--will still be the Achilles' heel for many businesses rolling out the operating system.

And while biometrics and smart cards are an improvement on passwords, he says, they are still only a superficial improvement. He instead favors pass phrases, which he says could dramatically increase the security of any Vista environment and make its other features work more effectively.

But the bottom line is it seems Microsoft is going to need more than one generation of secure code under its belt before people start to believe the prerelease Vista hype. All in all, Accenture's Okin isn't convinced security will have much to do with how well Vista sells.

"The clients I work with today are probably looking at migration because they are using Windows 2000 and they aren't about to switch to XP," Okin noted. "I've seen economics around power usage and around lost laptops and savings that could be made from BitLocker and everything else, but even jointly they are not compelling."

It's more likely businesses will be swayed by other factors, such as the timing of their equipment-replacement cycle or by a wish to not be out of step with employees using Vista's home edition outside of work.

Okin says chief technology officers are telling him: "I don't want my guys to go home and have a better experience."

"If you are on Windows 2000, then of course it's compelling and you may as well go. Those on XP will be trialing and can pick their time to go.

"But are they doing it because of the security features? No. Have I seen security features as part of a business justification? Part of them, yes, but really the business justification (based on Vista's security features) is weak as a whole."

Will Sturgeon of Silicon.com reported from London.

Vista will be more secure, but ...
by KonradK November 20, 2006 11:58 AM PST
I hate Microsoft as much as the next guy, however I have to
admit that Vista will be more secure than XP. Why? After all
these years, Microsoft has finally adopted some of the security
features that have been part of Unix for years. Foremost is a
more meaningful separation between user and administrator
privileges. Why has Microsoft adopted these features? Because
these security features work!

That said, Vista will still be plagued by security problems for
years to come. Why? Rightly or wrongly, Microsoft has
emphasized backwards compatibility. Microsoft will only be able
to produce an OS that approaches Unix's security, if they make
a clean break as Apple did in their transition between OS 9 and
10.
Vista upgrades the end user??
by ejevo November 20, 2006 12:17 PM PST
If Vista doesn't magically instill the end user with security knowledge and concern, then it isn't going to improve security much. No matter how slick Vista is, unless the end user of the Vista system understands their part in the security equation, then the system will remain insecure.
MS passing the buck
by qwerty75 November 20, 2006 1:02 PM PST
Despite the many security changes, most (not all) of them are cosmetic and they have pushed the burden completely on the user by nagging them to death.

The OS's out there that are reasonably secure (Linux, OSX, Unix) do so without getting in the user's way. Linux does it and only bugs the user when the root password is needed.

So why did MS go the opposite direction?

Simple, they know they can't secure the bloated pig they have so now they can avoid working on real security solutions and just blame the end-users.

Reason #232432243 why no one should buy this POS, and move to an alternative. Before you whine about not running your favorite program in a non-windows environment, you should know that many programs run perfectly (especially games), and there are great alternatives to the software that is keeping you stuck to an incompetent software company.
NO, it's not a selling point...
by mh20932 November 20, 2006 1:21 PM PST
I find it really offensive that Microsoft would use security to sell this 'upgrade'. This is a ploy to deflect attention from the fact that most of the security issues in the current platform are in fact defects in the software. Windows and Internet Explorer are fundamentally insecure products, and all the security 'features' in the world are not going to change that. Come on guys, admit it, allowing the browser to download and execute ActiveX components is a fundamentally stupid idea. Allowing Java to directly access the Win32 API is a stupid idea. Integrating the HTML API with the Operating System is a stupid idea. Allowing VBScript in Internet Explorer to access the Window Scripting Host is a stupid idea. Giving your users an endless array of security 'options' to control these features is a stupid idea. You need to make security simpler, not more complex. Go back to the drawing board and develop something that supports web standards -- not just in name but in principle.
Not yet
by rcrusoe November 20, 2006 1:43 PM PST
Vista may be more secure, but we won't know that until it has
been in wide use for a year or so. Microsoft uses the "most
secure version of Windows" marketing every time so that means
nothing.

So Vista may indeed be the most secure version of Windows ever
developed - and still carry on the tradition of being the least
secure operating system in wide use.

Time will tell.
Anyone that thinks that MS has designed or will ever design a secure OS
by slim-1 November 20, 2006 2:30 PM PST
I have some prime agriculture land in the Florida Everglades I'll sell you.

If you want something secure go with anything but Windows.
Well the retards have spoken
by HandGlad2 November 20, 2006 3:18 PM PST
Of course they wouldn't buy it anyway but the rest of us know what we want and Vista is bringing some (but not all) of it.
Why so much attention to security in vista
by redison November 20, 2006 3:27 PM PST
These days almost all of the articles on Vista on the Web are about
security, why is that I wonder?
Vista Security will help
by intelliadmin November 20, 2006 5:58 PM PST
I think the biggest help in Vista will be the user access levels. Right now 99% of the XP machines are running as administrator. Out of the box, even when logged in as administrator, you are running as a standard user. This alone will have a huge effect on the amount of viruses and spyware that are able to get on your system.

Steve Wiseman
http://www.windows-admin-tools.com
So very true......
by gwats1957 November 20, 2006 9:40 PM PST
Microsoft is not willing to do the housecleaning they need to do to
make vista as stable as OSX. They have to admit defeat and build a
rock solid OS from the ground UP.
One of these days he'll get around to it
by solrosenberg November 20, 2006 11:54 PM PST
"But he admits he has yet to get his hands on Vista and is basing his criticism on the ease with which he has cracked past Microsoft code."


Ok, so despite MS making Vista betas available to literally millions this ******** couldn't find the time to actually try the software. And his opinions are quoteworthy? C'mon CNET, you can find better sources.
Yes, the biggest one, IMHO.
by Ryo Hazuki November 21, 2006 9:33 AM PST
"Is Vista security a selling point?" IMHO, and for any unbiased human being (Apple/Linux fanboys out) who actually tried it and know something about the security changes in it, yes, it's even the greatest of all (selling points).

"Hoping this release will solve all your security headaches?" No, Microsoft never said that and no OS is absent of security headaches for people who use it so it would be totally ridiculous to think such a thing and believe something can be perfect, I just hope (and believe) this release will solve many of my security headaches.

"Think again, say the experts." So, firstly: I need experts to tell me Vista is not perfect; secondly: the fact that someone plays cautiously and doesn't take risks with an OS means the OS is insecure, is it?

Another great proof of professionalism by CNET (very common in Microsoft-related stories, interestingly enough).
Security, hmm...
by tricky77puzzle November 21, 2006 2:56 PM PST
Security against the user, maybe. This article actually disproves the security stuff around Windows Vista. There is even (as my friend tells me) a "user-protected processes" sandbox where processes are non-user-modifiable. (As in, you can't change the priority, or end, these processes.) If a hacker or spyware app somehow managed to start a "user-protected" process, then it would be using a security feature against the user, therefore defeating the whole purpose of the security feature. I don't think XP can really be improved upon...
what if...
by iRhapsody November 22, 2006 8:23 PM PST
just out of curiosity what if Microsoft introduces its own version of Linux, are those people still going to nickname it "insecure OS" simply because they hate the fact it is another product made by Microsoft?
Oh no, FireFox has a flaw
by Lenter101 November 24, 2006 6:01 PM PST
This will be hard for the lemmings to take, but...

"The Internet browser Firefox 2 has a problem with its "password manager" that could allow a hacker to obtain usernames and passwords from Firefox users."

Say it ain't so, Joe.
Security doesn't matter if you can't install the software
by njsokalski November 29, 2007 6:02 PM PST
I have used Windows Vista at work, and when installing SQL Server 2005 (which is the latest version) it not only wouldn't install, but it instantly canceled the installation. And Visual Studio 2005 (also the latest version) installed, but not all features work correctly, if at all. This obviously makes Vista useless for some (and in my case, often the most important) tasks, and many of the features in Vista itself are harder to use (not just getting used to them, but they are harder to use even when you are used to them). I think that when Microsoft designed Vista, they did a horrible job. Most of Vista is just changed names for Windows components (Windows Mail instead of Outlook Express, for example) and tons of fancy and overdone (and often very annoying as well) visual features, such as icons, taskbar buttons, etc. I don't care how much better Vista's security is, even when I do have to buy a new computer I'm keeping my XP machine as well so that I can still use my software and actually enjoy my computer.