August 10, 2006 2:55 PM PDT
Windows defense handcuffs good guys
- Related Stories
-
Piecing together Windows Vista
November 8, 2006 -
Symantec picks away at Vista's core
August 9, 2006 -
Symantec continues Vista bug hunt
July 24, 2006 -
Chills at Microsoft's security huddle
July 24, 2006 -
Rootkits get better at hiding
July 18, 2006 -
Microsoft swims upstream on security
June 22, 2006 -
Microsoft shakes up security fray
June 7, 2006 -
Beware the Microsoft 'monoculture'
May 18, 2006 -
Intel's VPro to boost security
April 24, 2006 -
Symantec won't 'whine' about Microsoft
October 11, 2005 -
Microsoft launches 64-bit Windows
April 25, 2005 -
AMD unveils details of its 64-bit chip
September 23, 2003
(continued from previous page)
Security vendors are calling on Microsoft to allow exceptions in the kernel shield for trusted third parties.
"There is definitely a legitimate need to lock down the kernel," McCorkendale said. "I don't suggest they eliminate PatchGuard. What I am asking for is an exception. There are less restrictive means available, and we have proposed many solutions to Microsoft. But it has fallen on deaf ears."
Microsoft opposes the idea of making exceptions, as it would increase the number of entry points that miscreants could take advantage of, Toulouse said.
"When you get into the concept of exceptions, you get on a slippery slope," he said. "What made a lot of sense to us is simply to restrict the kernel without exception, creating a level playing field that all of the vendors, including Microsoft, can then operate by." Toulouse's argument is that Microsoft's security software is also unable to touch the kernel.
Dropped ball
With the advent of threats such as rootkits, which that nestle deep inside the operating system, Microsoft should protect the Windows core, analysts said. However, the company has dropped the ball on letting other software makers in on what the new kernel protections mean for them, said John Pescatore, an analyst at Gartner.
"This is a complex issue, but Microsoft has definitely been deficient in including the impacted software makers early on," Pescatore said. "That definitely does work to their advantage from a competitive viewpoint. However, the rootkit issue has to be fixed, and kernel protection has to be stronger for all operating systems."
Indeed, Symantec is playing the anticompetitive card for the first time. The Cupertino, Calif.-based company had said it would beat Microsoft by using its security wits as long as the competition is fair. Now the fairness seems to be gone, McCorkendale said.
"It seems a bit disingenuous of Microsoft. They are getting into the security market and are disallowing this whole class of security products that they don't have," McCorkendale said. "It does not feel like a level playing field at that point."
McCorkendale stopped short of saying that Symantec would sue Microsoft or complain to antitrust authorities. However, Yankee Group analyst Jaquith believes that step is getting closer, especially if Microsoft were to give its own security products a way to bypass PatchGuard.
"Microsoft's anti-kernel hacking feature could conceivably create a formidable barrier to entry to their competitors in the security market," Jaquith said. He expects Microsoft to deliver host intrusion prevention capabilities in its Forefront products next year.
"I think you'll see the larger security companies run to the Department of Justice and the European Union faster than you can say 'Penfield Jackson'," Jaquith said, referring to Thomas Penfield Jackson, the judge who oversaw the landmark U.S. antitrust case against Microsoft.
See more CNET content tagged:
kernel, Stephen Toulouse, Symantec Corp., 64-bit, security
69 comments
Join the conversation! Add your comment (Log in or register)
competition. </sarcasm>
the general business and technology folks, this may be news for them... but for sure its known about between the circles of the underground elite hackers (elite hackers means elite hackers, not kiddies)
You see, I had been serious considering upgrading to a full 64 bit machine when Vista finally gets around to shipping, but if they're going to make it impossible to secure my computer, I have to reconsider.
Harry Voyager
First off this a BETA...yes BETA...BETA...BETA. Some things in this BETA will be fixed before shipping.
Second thing most of these comments come from MS rivals who are feeling the heat from MS offering their own securit tools. Most will cry monopoly and unfair play by MS....these same people will say MS products are full of holes and they need to patch them. MS cant win.
Lastly I think AV products makers are just scare mongers out to scare you into buying their products.
Hackers.....are just a total waste of air and take everything for society and give nothing back...someone should set off a tactical nuke at the next Black Hat convention and take out most of them with one shot.
I have been buying AV products for years at home and for the corporations I have worked at. I have never gotten a virus at home...but being in IT all my life I have my home enviroment always patched and locked down. At work I have seen a few outbreaks and 99.9% of the time they could have been prevented with either good administration or proper patching. MS gets fixes out fast for most of their products and warns the world to apply them.
I think the AV/security vedor buisness is 90% BS!
the general business and technology folks, this may be news for them... but for sure its known about between the circles of the underground elite hackers (elite hackers means elite hackers, not kiddies)
They would direct their experts to wait for the launch and shipment of Vista before making announcements :D
I think Symantec live in a love / hate relationship with regards of making money out the bad guys and hating their eh-fing gutts
They would direct their experts to wait for the launch and shipment of Vista before making announcements :D
I think Symantec live in a love / hate relationship with regards of making money out the bad guys and hating their eh-fing gutts
Symantec has been prone to Vista Hysteria lately. It seems to me that they are overreacting.
As you can tell, I trust them even less than I do Microsoft.:-)
Bruce, you should fix your own bloatware psuedo software, before whining about someone elses. Symantec and Big Steaming Pile, synonymous.
The steps MS is taking are good ones, even if they software is not perfected. If they can find a way to secure the kernal without making it too secure, then it will be a large step in protecting those ignorant users who fall prone to being clones in a DDoS attack. However, you can not make a computer foolproof unless you cut the cat5 between the pc and the internet. So, how far do they go?
Do I see this as them trying to compete with McAfee, Norton, etc? No. I see this as MS trying to bring to market a more secure O/S to remove the lable they have worn over the last 10 years. Basically its like an engineer trying to design a secure building to prevent break-ins. However, you still have to have doors to allow those who are supposed to be in access. And for that, there will always be the threat of break ins. Its a catch 22 with the ignorant users caught in the midst.
They have less viruses(last count:0) because they were designed that way. The recent media hype regarding "hacks" into OSX boxes have proved to be very disingenous, if not downright dishonest. Put any computer in a LAN and give the "hacker" the root credentials, and yes you can hack it. Put it on the internet and use the default settings, with a firewall, a proper password, and good luck. The viruses you have been hearing about are theoretical, not something out in the wild.
Windows has more viruses(last count: 543523432+) because they are designed that way. It is also very eay to hack into, also by design.
Let me guess, your idea of a good firewall is the MS firewall in XP, ya know the one that blocks incoming but allows all outgoing(including all the dastardly programs that windows flaws let piggyback in on legit data.
Your claim is so ridiculous, it would be funny if ignorance were funny.
A few steps they are taking are good ones(like finally catching up to the decades old idea of a true multi-user system, which is one reason why *nix is so damn secure), but many are half-baked at best. Like moving critical system processes in memory to one of 512 static places, that is an amaterish security "fix" and I am being generous. That "innovation" will be hacked and exploited within 3 days of Vista being released, if that day ever comes.
BTW, how can a kernel(do you even know what that is?) be "too secure"?
You are right about one thing: "Its a catch 22 with the ignorant users caught in the midst.", with you smack dab in the middle of the ignorant users.
The historical problem with Windows is the scripting systems
and internal message authentication.
Since Windows was stupidly designed as a networked OS and not
provided with enough security, it was easy for a hacker to send
you an email which automatically launches a script as if
someone were typing at the keyboard as Admin, let it raid your
Outlook address book, install an application, turn you into a
mail server, populate itself to all your other Windows user
friends, record everyone's actions, send back any 16 digit
numbers you type in... on and on.
Unix and everything after Windows NT are network OSs,
meaning if you make any network connection, you're in the
kernel. Security depends upon how well you can contain the
input from a network connection. Unix usually launches a
process that dies immediately after it's done - doesn't persist
and wait for the next command. The old Mac OS had networking
as a layer on top of the OS and you needed the password to get
to the OS. That's one reason why there were only 40 viruses for
the old Mac OS.
Windows RELIES on the ability of applications to talk to each
other freely and make system calls without restriction. Hackers
are just using those abilities for themselves.
Those paths largely don't exist in Linux or OS X. Sure, there are
patches to fix problems all the time - it's electronic warfare,
after all - but LInux and OS X have a HUGE jump on Windows.
Unlike Windows which runs as root (Admin) and will happily run
whatever you tell it, the majority of exploits the common Linux
or Mac user will encounter would require someone to be at the
keyboard with the Admin password to install it first. Windows
can be made to attack itself with four lines of code.
You want security? Encrypt the important stuff on your computer
and be done with it.
I fix many people's computers (most often destroyed by viruses and spyware) and end up having to reinstall windows. A lot. There's 2 things about this that make me want to cry. The lack of base security and install times.
Vista cuts down install time, so that's one problem down. Now there's argument over securing the kernal. What? This is what thousands of windows users have been crying for since windows 98. Wouldn't you like to install a fresh operating system on a computer, and then NOT have to go out and download antivirus, antispyware, and a 3rd party firewall (the MS one is a joke)?
So Symantec McCrappyProduct is having problems adapting to a secure (cross our fingers) O/S? Tough. If they were concerned about people and not profit, they wouldn't be in buisness. I don't want to continue my initial boot ritual of downloading 50 programs to try to secure a hole-filled O/S. If I could convince non-tech-savvy people to switch to Macs I would, but compatability with jobs and refusal to learn a new O/S is like a 20ft cement wall.
If MS actually secures Vista to a reasonable degree, I can do without 3rd party security support, and so can the majority of the non-tech-savvy people who are suckered into paying for extra security, or are otherwise forced to reinstall windows every 2 months.
"I don't care even if it is anti-competitive at this point, I just want a secure O/S for once. "
Making a kernel that is more difficult to secure does not make it more secure. There is no such thing as an "over secure kernel". If something has been "secured" to a point it is unusable, it is just that - unusable.
Security starts from bottom up, from the kernel, to user environment, to applications, to user education.
"Wouldn't you like to install a fresh operating system on a computer, and then NOT have to go out and download antivirus, antispyware, and a 3rd party firewall (the MS one is a joke)?"
I would like the choice of doing this or not. If M$ do intend to use anti-competitive practices then I would be against it as it affects my ability as a consumer to make a choice.
The main problem I have with lots of people's attitude with security and Windows is their need to fuzz the whole subject into a neat tidy single solution. Security is a moving target, it doesn't matter how many patches are out there for a system. What matters is the cause of the problem and how it is dealt with and how quickly.
Lots of security issues with XP with to do with the nature of XP such as the need for an administrator account for day to day use, or the lack of distinction between trusted and untrusted applications. The list goes on and on, and not just for M$. The point is if you truly believe the statement of "I don't care even if it is anti-competitive at this point, I just want a secure O/S for once. " with regards to an inaccessible kernel to third parties. You deserve a bucket of sand to stick your head in to protect you from all those nasty things out there.
<a class="jive-link-external" href="http://www.techknowcafe.com/content/view/603/43/" target="_newWindow">http://www.techknowcafe.com/content/view/603/43/</a>
Stupidity issues a warning to update Windows when it's now announced that the Windows defense has more holes in it to give hackers easier access. Huh?
Good one, idiots! Dept of Homeland Stupidity is more of a threat to U.S. citizens.
Imagine that we outlaw gas engines and mandate that everyone switch to electric. The private security companies that protect buildings will not be able to keep up with the crooks that, since they are breaking the law anyway, do not care that gas engines are illegal and use them anyway. The Dodge Viper outruns the golf cart every day, and the only people not able to keep up are those following the law.
We can get rid of Symantec then think about getting rid of Microsoft later, but one at a time :)
I'm in support of Microsoft on this one, you rock.
If theres anything I can do to help in Symantec's destruction (legally), then throw me an e-mail.
Cheers.
We can get rid of Symantec then think about getting rid of Microsoft later, but one at a time :)
I'm in support of Microsoft on this one, you rock.
If theres anything I can do to help in Symantec's destruction (legally), then throw me an e-mail.
Cheers.
Why is it then, we don't see through it when the media reports one of its tired Microsoft storylines? For the newcomers, I'll name three - "Microsoft can't ship software on time," "Microsoft code is not secure", "Microsoft is using its monopoly for evil purposes."
Anyone ever wonder if things aren't that simple?Yeah, I'm sure Steve Ballmer walked into a meeting with the core OS devs at Microsoft and said, "guys, we need a way to squash all those security vendors we've been working with for years - you know, the ones who have allowed shrinking profits and massive consolidation to serve as excuses for failing to innovate and actually provide useful features for customers while we've been getting a shellacquing in the media over security." And I'm sure all those developers said, "sure Steve, but what should we do about all those stories about Microsoft not being able to ship software on time. Rearchitecting the kernel to put Symantec out of business is going to take some time."
So Microsoft changes some stuff for Vista and Symantec, et al have to port their code forward. Yep - they actually have to try and find a few of those engineers they laid off after the last OS shipped. Also, if they'd all discovered such easy ways around Patchguard, why wouldn't they disclose it? Doesn't that only strengthen their case? I suspect their backdoor is more like, "login as administrator, then replace the kernel with one from the previous beta without patchguard, then hope the OS doesn't detect what you just did."
In terms of the kernel being secure, I think the state of Israel is a really good analogy (whatever your politics). El-Al is the most secure airline in the world. The Mossad is a serious bunch of bad-*****, and the Israeli army is one of the most lethal fighting forces on the planet. Battle-tested is a good thing, and Windows has a lot more time in the trenches than Mac OS.
One time my son was begging me to install that piece of software received from his friend. I checked on Internet and found that it is a trojan. You know what would happen if he had admin privileges.
NT-based Windows is a secure OS (don't laugh). All kernek objects have a security descriptor attached, NTFS files have user-level access rights, etc.
MS advised for long time (since NT 3.0) that any user-modifiable items, like settings, user INI files and data files, go to user-specific profile folder. But most ignorant ISVs (name any software developper, including some divisiong of MS) kept putting user data in Windows and Program files folders.
The problem with Windows XP started when MS, trying to reduce user complaints, gave all new users administrative rights by default. They didn't want complaints about that shiny game (put your favorite name here) to refuse to run. That actually might be fixed by user-level redirection, but didn't happen.
Now we have that any 10 years old sitting in front of Daddy's computer is an administrator. When that web site asks him: "want to install this cool thing?" Yes, of course, I want! Get a piece of malware...
If you run with limited user privileges, you can forget about AV, and so.
The real issue here is how well does Microsoft guard access to the kernel? Do they have the proper API's set up in their OS to allow 3rd parties to dock to the Operating System with Kernel or Kernel similar level access and do they authentication those processes contantly and do they have a special 3rd party certification program which would be required prior to giving such applications kernel or near-kernel access?
Microsoft will say that all of these are coming, but as they are not currently and readily available to 3rd parties... Microsoft is more or less shutting other 3rd party vendors out of the market until their 64-bit version has gained a bit of dominance.
MS will probably claim that it takes time to get all of those ready, but in the mean time... they are forcing others out of the market.
If they wanted to do it right, they should have already had the API's and the 3rd party certifications programs already activated prior to their beta release.
Some applications require kernel or near kernel level access... so blocking them all out is beyond the call of duty. But on the other hand... giving just any application full reign without any security checks/controls is the opposite end of the spectrum.
MS has been on the weak opposite end of the spectrum and now they're switching full swing to the other side of the spectrum which allows nothing.
As more and more complain about it... they'll eventually open that part up and offer similar to what I've mentioned above, but in the mean time... they're ramming their 64-bit version which supports nothing else first until it has enough to make it a near dominant monopoly again and then finally open it up to others... after they've already gained a good lion's share of the market.
Thus this story is not really too far off the mark.
Sure Microsoft needs to make it's OS more secure, but it also requires compatibility with 3rd party products which rival theirs and that's where their push and shove methods start tipping to the monopolistic methods and tactics which they use.
They could have done as I mentioned above... but hey... MS's intent is for them to continue to be the major player and what better way than this... using security as the auspicies to shut others out.
You can still have a secure operating system and allow kernel or near-kernel access... you just have to do it properly... something which Microsoft has decided against at this time but which they will be forced to allow in the future... after they've forced the market yet again!!!
Microsoft has been using ploys like this for ages and thus it's nothing new or unexpected... but it does border on anti-competition which is why sparks are starting to fly.
FWIW
<a class="jive-link-external" href="http://news.com.com/2100-1002-6103949.html?tag=tb" target="_newWindow">http://news.com.com/2100-1002-6103949.html?tag=tb</a>
And, here is an interesting bit of that discussion that I have taken part in...
<a class="jive-link-external" href="http://news.com.com/5208-1002-0.html?forumID=1&threadID=20070&messageID=172840&start=-1" target="_newWindow">http://news.com.com/5208-1002-0.html?forumID=1&threadID=20070&messageID=172840&start=-1</a>
Hope this helps...
That it doesnt even really bear dissecting...
Mostly, it seems to me that, it is ONLY Microsoft, and their SHILLS, that keep demanding everyone believe that such things as MANDATORY "driver signing" - BY MICROSOFT, will in any way "improve security". Almost EVERYBODY ELSE sees this as yet another attempt by Microsoft to CONTROL THE INDUSTRY, and EXTRACT REVENUE. Maybe, you should honestly investigate the "technical arguments" that are being made.
And, as to being "happy" to upgrade...
...Its also a very well known FACT that, MOST OF THE INDUSTRY, seems to think that "Vista" is the MOST DEFINITE "hold-off on buying", on the computer-industry horizon. In fact, more and more people seem to think that "Vista" could be Microsofts BIGGEST-FAILURE, both commercially, ...and "legally".
But, I did like that "billions of mac users" line... It is simply PRECIOUS.
Does Microsoft have the benefit of this collective knowledge? On the face of it, that appears doubtful.
So what happens to the interests of Users?
We had many vendors to choose from - Symantec, McAfee, Kaspersky, Sophos, Panda .........
We could change Vendors whenever we wanted.
In contrast, we must now hope that Microsoft knows enough to do the PC Security job. OTHERWISE - we will have to rely on the old brigade who will now be forced to work "around and against" Microsoft - NOT - with Microsoft.
This certainly does not look like progress.