A protective feature in Windows is locking out the good guys, but letting in a lot of bad guys, according to security software makers.
Microsoft designed PatchGuard to safeguard core parts of Windows, including Vista, against malicious code attacks. But some security companies say that the feature makes it harder for them to protect Windows PCs, as it locks them out of the kernel, the core of the operating system.
"PatchGuard is hurting security vendors more than it is hurting malware writers," Bruce McCorkendale, a chief engineer at Symantec, told CNET News.com in an interview Wednesday. "There are types of security policies and next-generation security products that can only work through some of the mechanisms that PatchGuard prohibits."
Symantec is not alone in its complaints, but it is the largest security company to speak out publicly. Sana Security and Agnitum, two smaller vendors, said they share its concerns, but giants Cisco Systems and McAfee declined to comment for this story.
Microsoft defends the technology, which applies only to 64-bit versions of Windows. Cybercrooks have found ways to exploit the kernel for malicious purposes, making the protection offered by PatchGuard key to securing the operating system, said Stephen Toulouse, a program manager in Microsoft's Security Technology Group.
"It is more important to prevent the installation of malicious software than it is to allow third-party vendors, no matter what the software, to extend the kernel," Toulouse said. "This is not specific to security software. This is a global change to 64-bit Windows to provide a more secure computing experience."
"PatchGuard will make it harder for third parties, particularly host intrusion prevention software, to function in Vista," said Yankee Group analyst Andrew Jaquith. "Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use 'black hat' techniques to bypass the restrictions."
Barriers to the kernel
PatchGuard debuted a year ago in Windows XP x64 Edition, but the technology was never broadly adopted. That's set to change when Windows Vista hits store shelves in January, analysts expect. As people buy PCs with 64-bit processors, use of the 64-bit edition of Windows will increase.
In particular, PatchGuard inhibits host intrusion prevention products, security vendors and analysts said. These "HIPS" products are an upcoming class of security software that determines whether a program is malicious by looking at its behavior, rather than using the classic signature-based approach, which checks a program against a database of known threats.
On top of this, PatchGuard blocks features to protect against tampering with security tools, McCorkendale said. Malicious programs increasingly try to disable security software, and the tamper-protection features aim to prevent that.
"There is a whole bunch of companies out there that have pioneered next-generation security, that are limited by PatchGuard," McCorkendale said.
There's another "disturbing side effect," according to a Symantec blog posting. While legitimate security vendors can no longer make extensions to the Vista kernel, attackers have already found ways to disable and work around PatchGuard, it says.
"Bad guys can bypass PatchGuard today," said Vlad Gorelik, chief technology officer at Sana Security, which makes host intrusion prevention software. "Microsoft has this assumption that if you put a shield in, the bad guys will stay out. That is not the way it works. But now they force security vendors to bring a knife to a gun fight."
The barrier to the Windows kernel forces security companies to adopt hacker tactics, Gorelik said. "We will have to come up with alternative mechanisms for doing the same thing," he said. "In some cases, we can actually take a page out of the bad guys' text book and bypass PatchGuard."
With PatchGuard, Microsoft is effectively taking control of security for the Windows core, Gorelik said. Previously, third parties could also provide defenses for that part of the operating system, he said. Now, if PatchGuard breaks, it will be up to Microsoft to fix the flaw and make Windows PCs secure.
"They would have to patch the kernel if someone bypasses PatchGuard," Gorelik said, noting that the kernel is the toughest thing to fix in the operating system.
MS trying to make its kernel more secure has nothing to do with using its monopoly to stomp anyone. I am betting you would be one of the first ones to complain if it didn't. So shut that crap.
underground security circles have known about this for a while... (includes me)
the general business and technology folks, this may be news for them... but for sure it's known about between the circles of the underground elite hackers (elite hackers means elite hackers, not kiddies)
Yet I still depend upon Zone Alarm to protect my PC. If their new technique is going to prevent them from performing to the fullest extent of their abilities, while still being hackable, then I am a concerned customer, who would really like to know about it, too.
You see, I had been seriously considering upgrading to a full 64 bit machine when Vista finally gets around to shipping, but if they're going to make it impossible to secure my computer, I have to reconsider.
Hahahahah. They will print anything that is anti-MS.
First off this is a BETA...yes BETA...BETA...BETA. Some things in this BETA will be fixed before shipping.
Second thing most of these comments come from MS rivals who are feeling the heat from MS offering their own security tools. Most will cry monopoly and unfair play by MS....these same people will say MS products are full of holes and they need to patch them. MS can't win.
Lastly I think AV products makers are just scare mongers out to scare you into buying their products.
Hackers.....are just a total waste of air and take everything for society and give nothing back...someone should set off a tactical nuke at the next Black Hat convention and take out most of them with one shot.
I have been buying AV products for years at home and for the corporations I have worked at. I have never gotten a virus at home...but being in IT all my life I have my home environment always patched and locked down. At work I have seen a few outbreaks and 99.9% of the time they could have been prevented with either good administration or proper patching. MS gets fixes out fast for most of their products and warns the world to apply them.
There are methods of getting around the protection (Agnitum claims they've found ways), so the notion this will make the kernel more secure is not entirely accurate. It is inevitable that people with malicious intent will develop code to get around it as well. Once that code gets released you're back to square one. It is harder for Symantec etc because they have to try and make their software as stable and user friendly as possible where those with malicious intent have no such concern.
Ok, I see this as a double edge sword, not just for MS, but for everyone. Everybody knows that as long as your computer is connected to the internet, you're not safe from hackers regardless of what o/s, security software, etc you are using (yes, that includes all the macs out there as well). Some computers are safer than others (use firewalls, updated antivirus, or run alternate o/s where there are less threats *Macs are not safer, they just have less viruses for them*), but in the end they are still hackable.
The steps MS is taking are good ones, even if the software is not perfected. If they can find a way to secure the kernel without making it too secure, then it will be a large step in protecting those ignorant users who fall prone to being clones in a DDoS attack. However, you can not make a computer foolproof unless you cut the cat5 between the pc and the internet. So, how far do they go?
Do I see this as them trying to compete with McAfee, Norton, etc? No. I see this as MS trying to bring to market a more secure O/S to remove the label they have worn over the last 10 years. Basically it's like an engineer trying to design a secure building to prevent break-ins. However, you still have to have doors to allow those who are supposed to be in access. And for that, there will always be the threat of break ins. It's a catch 22 with the ignorant users caught in the midst.
They have less viruses (last count: 0) because they were designed that way. The recent media hype regarding "hacks" into OSX boxes have proved to be very disingenuous, if not downright dishonest. Put any computer in a LAN and give the "hacker" the root credentials, and yes you can hack it. Put it on the internet and use the default settings, with a firewall, a proper password, and good luck. The viruses you have been hearing about are theoretical, not something out in the wild.
Windows has more viruses (last count: 543523432+) because they are designed that way. It is also very easy to hack into, also by design.
Let me guess, your idea of a good firewall is the MS firewall in XP, ya know the one that blocks incoming but allows all outgoing (including all the dastardly programs that windows flaws let piggyback in on legit data)?
Your claim is so ridiculous, it would be funny if ignorance were funny.
A few steps they are taking are good ones (like finally catching up to the decades old idea of a true multi-user system, which is one reason why *nix is so damn secure), but many are half-baked at best. Like moving critical system processes in memory to one of 512 static places, that is an amateurish security "fix" and I am being generous. That "innovation" will be hacked and exploited within 3 days of Vista being released, if that day ever comes.
BTW, how can a kernel(do you even know what that is?) be "too secure"?
You are right about one thing: "Its a catch 22 with the ignorant users caught in the midst.", with you smack dab in the middle of the ignorant users.
I'm going to cut and paste a post from another thread:
The historical problem with Windows is the scripting systems and internal message authentication.
Since Windows was stupidly designed as a networked OS and not provided with enough security, it was easy for a hacker to send you an email which automatically launches a script as if someone were typing at the keyboard as Admin, let it raid your Outlook address book, install an application, turn you into a mail server, populate itself to all your other Windows user friends, record everyone's actions, send back any 16 digit numbers you type in... on and on.
Unix and everything after Windows NT are network OSs, meaning if you make any network connection, you're in the kernel. Security depends upon how well you can contain the input from a network connection. Unix usually launches a process that dies immediately after it's done - doesn't persist and wait for the next command. The old Mac OS had networking as a layer on top of the OS and you needed the password to get to the OS. That's one reason why there were only 40 viruses for the old Mac OS.
Windows RELIES on the ability of applications to talk to each other freely and make system calls without restriction. Hackers are just using those abilities for themselves.
Those paths largely don't exist in Linux or OS X. Sure, there are patches to fix problems all the time - it's electronic warfare, after all - but Linux and OS X have a HUGE jump on Windows. Unlike Windows which runs as root (Admin) and will happily run whatever you tell it, the majority of exploits the common Linux or Mac user will encounter would require someone to be at the keyboard with the Admin password to install it first. Windows can be made to attack itself with four lines of code.
You want security? Encrypt the important stuff on your computer and be done with it.
I don't care even if it is anti-competitive at this point, I just want a secure O/S for once.
I fix many people's computers (most often destroyed by viruses and spyware) and end up having to reinstall windows. A lot. There's 2 things about this that make me want to cry. The lack of base security and install times.
Vista cuts down install time, so that's one problem down. Now there's argument over securing the kernel. What? This is what thousands of windows users have been crying for since windows 98. Wouldn't you like to install a fresh operating system on a computer, and then NOT have to go out and download antivirus, antispyware, and a 3rd party firewall (the MS one is a joke)?
So Symantec McCrappyProduct is having problems adapting to a secure (cross our fingers) O/S? Tough. If they were concerned about people and not profit, they wouldn't be in business. I don't want to continue my initial boot ritual of downloading 50 programs to try to secure a hole-filled O/S. If I could convince non-tech-savvy people to switch to Macs I would, but compatibility with jobs and refusal to learn a new O/S is like a 20ft cement wall.
If MS actually secures Vista to a reasonable degree, I can do without 3rd party security support, and so can the majority of the non-tech-savvy people who are suckered into paying for extra security, or are otherwise forced to reinstall windows every 2 months.
Instead hand out this bucket of sand and tell people to stick their heads into it.
"I don't care even if it is anti-competitive at this point, I just want a secure O/S for once. "
Making a kernel that is more difficult to secure does not make it more secure. There is no such thing as an "over secure kernel". If something has been "secured" to a point it is unusable, it is just that - unusable.
Security starts from bottom up, from the kernel, to user environment, to applications, to user education.
"Wouldn't you like to install a fresh operating system on a computer, and then NOT have to go out and download antivirus, antispyware, and a 3rd party firewall (the MS one is a joke)?"
I would like the choice of doing this or not. If M$ do intend to use anti-competitive practices then I would be against it as it affects my ability as a consumer to make a choice.
The main problem I have with lots of people's attitude with security and Windows is their need to fuzz the whole subject into a neat tidy single solution. Security is a moving target, it doesn't matter how many patches are out there for a system. What matters is the cause of the problem and how it is dealt with and how quickly.
Lots of security issues with XP have to do with the nature of XP such as the need for an administrator account for day to day use, or the lack of distinction between trusted and untrusted applications. The list goes on and on, and not just for M$. The point is if you truly believe the statement of "I don't care even if it is anti-competitive at this point, I just want a secure O/S for once. " with regards to an inaccessible kernel to third parties. You deserve a bucket of sand to stick your head in to protect you from all those nasty things out there.
Maybe it should be set on by default and advanced users should be able to choose how much do they want to have kernel locked-down and which programs are allowed.
Another article I found similar to this one on dotso.com > http://www.eweek.com/print_article2/0,1217,a=185803,00.asp
Let me get this straight, the Dept of Homeland http://www.techknowcafe.com/content/view/603/43/ Stupidity issues a warning to update Windows when it's now announced that the Windows defense has more holes in it to give hackers easier access. Huh? Good one, idiots! Dept of Homeland Stupidity is more of a threat to U.S. citizens.
Let me get this straight. After years of bashing MS for not being secure enough, the argument is that if they build secure systems it is 'anti-competitive' because of the cottage industry that has grown up around securing Windows??? I hope no one cures cancer anytime soon. Think what that would do to all the funding for companies working on a cure...
The problem is not that they would put Symantec out of business. The problem is that they prevent 3rd party tools, which are currently the only protection that really works, while only slightly slowing the bad guys.
Imagine that we outlaw gas engines and mandate that everyone switch to electric. The private security companies that protect buildings will not be able to keep up with the crooks that, since they are breaking the law anyway, do not care that gas engines are illegal and use them anyway. The Dodge Viper outruns the golf cart every day, and the only people not able to keep up are those following the law.
Why should Microsoft care if their operating system breaks Symantec's ability to continue its business? Symantec is now a rival to Microsoft's Windows Live OneCare product. It's within Microsoft's business interest now to break Symantec, and do all it can to get folks to use Windows Live OneCare. http://www.windowsonecare.com/
If Microsoft manage to kill off Symantec, everyone will be thankful...
I don't think anyone would complain. I'm happy for Symantec to be taken out. The sooner Symantec become bankrupt the better. I hate Securityfocus.com and Symantec.com
We can get rid of Symantec then think about getting rid of Microsoft later, but one at a time :)
I'm in support of Microsoft on this one, you rock.
If there's anything I can do to help in Symantec's destruction (legally), then throw me an e-mail.
c'mon folks - why is everyone so gullible? The movie studios have been peddling the same tired, recycled storylines for years, and we see right through it.
Why is it then, we don't see through it when the media reports one of its tired Microsoft storylines? For the newcomers, I'll name three - "Microsoft can't ship software on time," "Microsoft code is not secure", "Microsoft is using its monopoly for evil purposes."
Anyone ever wonder if things aren't that simple? Yeah, I'm sure Steve Ballmer walked into a meeting with the core OS devs at Microsoft and said, "guys, we need a way to squash all those security vendors we've been working with for years - you know, the ones who have allowed shrinking profits and massive consolidation to serve as excuses for failing to innovate and actually provide useful features for customers while we've been getting a shellacking in the media over security." And I'm sure all those developers said, "sure Steve, but what should we do about all those stories about Microsoft not being able to ship software on time. Rearchitecting the kernel to put Symantec out of business is going to take some time."
So Microsoft changes some stuff for Vista and Symantec, et al have to port their code forward. Yep - they actually have to try and find a few of those engineers they laid off after the last OS shipped. Also, if they'd all discovered such easy ways around Patchguard, why wouldn't they disclose it? Doesn't that only strengthen their case? I suspect their backdoor is more like, "login as administrator, then replace the kernel with one from the previous beta without patchguard, then hope the OS doesn't detect what you just did."
In terms of the kernel being secure, I think the state of Israel is a really good analogy (whatever your politics). El-Al is the most secure airline in the world. The Mossad is a serious bunch of bad-*****, and the Israeli army is one of the most lethal fighting forces on the planet. Battle-tested is a good thing, and Windows has a lot more time in the trenches than Mac OS.
yeah and cnet marked the article "HIGH IMPACT", but high impact for who? Symantec yes, Other security vendors yes, General public no, Microsoft no, Microsoft users no. Looks like it's only the security vendors who are upset they won't be making as much money as they used to anymore. Microsoft are well within their rights to lock out third party security vendors. Microsoft only want their security products to secure their operating system, what's high impact and unfair about that?
I have never got a virus on my XP, even though I steered clear of any antivirus software. But then, I never work routinely logged on with administrator privileges, and none of my family members have admin privileges, either.
One time my son was begging me to install that piece of software received from his friend. I checked on Internet and found that it is a trojan. You know what would happen if he had admin privileges.
The AV companies have known it long time ago. MS have been discouraging using kernel hooks for long time, since it negatively impacts system stability. Those should have been replaced by FS filters. AV companies just been too lazy to fix their crap.
Folks, let me tell you something about Windows. NT-based Windows is a secure OS (don't laugh). All kernel objects have a security descriptor attached, NTFS files have user-level access rights, etc.
MS advised for long time (since NT 3.0) that any user-modifiable items, like settings, user INI files and data files, go to user-specific profile folder. But most ignorant ISVs (name any software developer, including some divisions of MS) kept putting user data in Windows and Program files folders.
The problem with Windows XP started when MS, trying to reduce user complaints, gave all new users administrative rights by default. They didn't want complaints about that shiny game (put your favorite name here) to refuse to run. That actually might be fixed by user-level redirection, but didn't happen.
Now we have that any 10 years old sitting in front of Daddy's computer is an administrator. When that web site asks him: "want to install this cool thing?" Yes, of course, I want! Get a piece of malware...
If you run with limited user privileges, you can forget about AV, and so.
Not allowing kernel access will severely limit those applications which may require kernel access such as firewalls and other third party (non-Microsoft) products.
The real issue here is how well does Microsoft guard access to the kernel? Do they have the proper API's set up in their OS to allow 3rd parties to dock to the Operating System with Kernel or Kernel similar level access and do they authenticate those processes constantly and do they have a special 3rd party certification program which would be required prior to giving such applications kernel or near-kernel access?
Microsoft will say that all of these are coming, but as they are not currently and readily available to 3rd parties... Microsoft is more or less shutting other 3rd party vendors out of the market until their 64-bit version has gained a bit of dominance.
MS will probably claim that it takes time to get all of those ready, but in the mean time... they are forcing others out of the market.
If they wanted to do it right, they should have already had the API's and the 3rd party certifications programs already activated prior to their beta release.
Some applications require kernel or near kernel level access... so blocking them all out is beyond the call of duty. But on the other hand... giving just any application full reign without any security checks/controls is the opposite end of the spectrum.
MS has been on the weak opposite end of the spectrum and now they're switching full swing to the other side of the spectrum which allows nothing.
As more and more complain about it... they'll eventually open that part up and offer similar to what I've mentioned above, but in the mean time... they're ramming their 64-bit version which supports nothing else first until it has enough to make it a near dominant monopoly again and then finally open it up to others... after they've already gained a good lion's share of the market.
Thus this story is not really too far off the mark.
Sure Microsoft needs to make its OS more secure, but it also requires compatibility with 3rd party products which rival theirs and that's where their push and shove methods start tipping to the monopolistic methods and tactics which they use.
They could have done as I mentioned above... but hey... MS's intent is for them to continue to be the major player and what better way than this... using security as the auspices to shut others out.
You can still have a secure operating system and allow kernel or near-kernel access... you just have to do it properly... something which Microsoft has decided against at this time but which they will be forced to allow in the future... after they've forced the market yet again!!!
Microsoft has been using ploys like this for ages and thus it's nothing new or unexpected... but it does border on anti-competition which is why sparks are starting to fly.
So.. in a nutshell Symantec is complaining because they won't have the power to go in and alter the kernel to make things more secure.. because it'll already be more secure. Gee, maybe they'll have to innovate ways to secure the areas that will still need improvement.. wouldn't that be a shame. Heaven forbid people ever have to change the way they do things, because the way things work in the computer world actually occasionally changes now and then. Perhaps people would prefer everything stays the same and nobody actually at least tries to improve things by making a significant change.
Everybody complains that Microsoft OSes need to be more secure. There are billions of mac users screaming buy a mac, viruses, buy a mac, spyware, etc. Now Microsoft makes the OS more secure and idiotic companies like Symantec (just go out of business already) and others are criticizing Windows. I have no criticism for Vista, they did exactly what they set out to do. They made a safe, more reliable, more pretty, more powerful, more gaming friendly, more useful OS that everybody will be happy to upgrade. My thoughts on everyone who thinks we should go back to XP security, don't upgrade and keep buying antispyware and virus software.
...Because you sure are pumping out the MICROSOFT-LINE.
Mostly, it seems to me that, it is ONLY Microsoft, and their SHILLS, that keep demanding everyone believe that such things as MANDATORY "driver signing" - BY MICROSOFT, will in any way "improve security". Almost EVERYBODY ELSE sees this as yet another attempt by Microsoft to CONTROL THE INDUSTRY, and EXTRACT REVENUE. Maybe, you should honestly investigate the "technical arguments" that are being made.
And, as to being "happy" to upgrade...
...It's also a very well known FACT that, MOST OF THE INDUSTRY, seems to think that "Vista" is the MOST DEFINITE "hold-off on buying", on the computer-industry horizon. In fact, more and more people seem to think that "Vista" could be Microsoft's BIGGEST-FAILURE, both commercially, ...and "legally".
But, I did like that "billions of mac users" line... It is simply PRECIOUS.
What about the Interests of Users and the People with the Best Solutions?
For many years, the Anti-virus companies have focussed on PC Security. We might conclude that in the evolution of their efforts they have learnt a great deal about PC Security.
Does Microsoft have the benefit of this collective knowledge? On the face of it, that appears doubtful.
So what happens to the interests of Users?
We had many vendors to choose from - Symantec, McAfee, Kaspersky, Sophos, Panda .........
We could change Vendors whenever we wanted.
In contrast, we must now hope that Microsoft knows enough to do the PC Security job. OTHERWISE - we will have to rely on the old brigade who will now be forced to work "around and against" Microsoft - NOT - with Microsoft.
competition. </sarcasm>
You see, I had been seriously considering upgrading to a full 64 bit machine when Vista finally gets around to shipping, but if they're going to make it impossible to secure my computer, I have to reconsider.
Harry Voyager
I think the AV/security vendor business is 90% BS!
They would direct their experts to wait for the launch and shipment of Vista before making announcements :D
I think Symantec live in a love / hate relationship with regards of making money out of the bad guys and hating their eh-fing guts
Symantec has been prone to Vista Hysteria lately. It seems to me that they are overreacting.
As you can tell, I trust them even less than I do Microsoft.:-)
Bruce, you should fix your own bloatware pseudo software, before whining about someone else's. Symantec and Big Steaming Pile, synonymous.
The steps MS is taking are good ones, even if the software is not perfected. If they can find a way to secure the kernel without making it too secure, then it will be a large step in protecting those ignorant users who fall prone to being clones in a DDoS attack. However, you can not make a computer foolproof unless you cut the cat5 between the pc and the internet. So, how far do they go?
Do I see this as them trying to compete with McAfee, Norton, etc? No. I see this as MS trying to bring to market a more secure O/S to remove the label they have worn over the last 10 years. Basically it's like an engineer trying to design a secure building to prevent break-ins. However, you still have to have doors to allow those who are supposed to be in access. And for that, there will always be the threat of break ins. It's a catch 22 with the ignorant users caught in the midst.
They have less viruses (last count: 0) because they were designed that way. The recent media hype regarding "hacks" into OSX boxes have proved to be very disingenuous, if not downright dishonest. Put any computer in a LAN and give the "hacker" the root credentials, and yes you can hack it. Put it on the internet and use the default settings, with a firewall, a proper password, and good luck. The viruses you have been hearing about are theoretical, not something out in the wild.
Windows has more viruses (last count: 543523432+) because they are designed that way. It is also very easy to hack into, also by design.
Let me guess, your idea of a good firewall is the MS firewall in XP, ya know the one that blocks incoming but allows all outgoing (including all the dastardly programs that windows flaws let piggyback in on legit data).
Your claim is so ridiculous, it would be funny if ignorance were funny.
A few steps they are taking are good ones (like finally catching up to the decades old idea of a true multi-user system, which is one reason why *nix is so damn secure), but many are half-baked at best. Like moving critical system processes in memory to one of 512 static places, that is an amateurish security "fix" and I am being generous. That "innovation" will be hacked and exploited within 3 days of Vista being released, if that day ever comes.
BTW, how can a kernel (do you even know what that is?) be "too secure"?
You are right about one thing: "It's a catch 22 with the ignorant users caught in the midst.", with you smack dab in the middle of the ignorant users.
The historical problem with Windows is the scripting systems
and internal message authentication.
Since Windows was stupidly designed as a networked OS and not
provided with enough security, it was easy for a hacker to send
you an email which automatically launches a script as if
someone were typing at the keyboard as Admin, let it raid your
Outlook address book, install an application, turn you into a
mail server, populate itself to all your other Windows user
friends, record everyone's actions, send back any 16 digit
numbers you type in... on and on.
Unix and everything after Windows NT are network OSs,
meaning if you make any network connection, you're in the
kernel. Security depends upon how well you can contain the
input from a network connection. Unix usually launches a
process that dies immediately after it's done - doesn't persist
and wait for the next command. The old Mac OS had networking
as a layer on top of the OS and you needed the password to get
to the OS. That's one reason why there were only 40 viruses for
the old Mac OS.
Windows RELIES on the ability of applications to talk to each
other freely and make system calls without restriction. Hackers
are just using those abilities for themselves.
Those paths largely don't exist in Linux or OS X. Sure, there are
patches to fix problems all the time - it's electronic warfare,
after all - but Linux and OS X have a HUGE jump on Windows.
Unlike Windows which runs as root (Admin) and will happily run
whatever you tell it, the majority of exploits the common Linux
or Mac user will encounter would require someone to be at the
keyboard with the Admin password to install it first. Windows
can be made to attack itself with four lines of code.
You want security? Encrypt the important stuff on your computer
and be done with it.
I fix many people's computers (most often destroyed by viruses and spyware) and end up having to reinstall windows. A lot. There's 2 things about this that make me want to cry. The lack of base security and install times.
Vista cuts down install time, so that's one problem down. Now there's argument over securing the kernel. What? This is what thousands of windows users have been crying for since windows 98. Wouldn't you like to install a fresh operating system on a computer, and then NOT have to go out and download antivirus, antispyware, and a 3rd party firewall (the MS one is a joke)?
So Symantec McCrappyProduct is having problems adapting to a secure (cross our fingers) O/S? Tough. If they were concerned about people and not profit, they wouldn't be in business. I don't want to continue my initial boot ritual of downloading 50 programs to try to secure a hole-filled O/S. If I could convince non-tech-savvy people to switch to Macs I would, but compatibility with jobs and refusal to learn a new O/S is like a 20ft cement wall.
If MS actually secures Vista to a reasonable degree, I can do without 3rd party security support, and so can the majority of the non-tech-savvy people who are suckered into paying for extra security, or are otherwise forced to reinstall windows every 2 months.
"I don't care even if it is anti-competitive at this point, I just want a secure O/S for once. "
Making a kernel that is more difficult to secure does not make it more secure. There is no such thing as an "over secure kernel". If something has been "secured" to a point it is unusable, it is just that - unusable.
Security starts from bottom up, from the kernel, to user environment, to applications, to user education.
"Wouldn't you like to install a fresh operating system on a computer, and then NOT have to go out and download antivirus, antispyware, and a 3rd party firewall (the MS one is a joke)?"
I would like the choice of doing this or not. If M$ do intend to use anti-competitive practices then I would be against it as it affects my ability as a consumer to make a choice.
The main problem I have with lots of people's attitude with security and Windows is their need to fuzz the whole subject into a neat tidy single solution. Security is a moving target, it doesn't matter how many patches are out there for a system. What matters is the cause of the problem and how it is dealt with and how quickly.
Lots of security issues with XP have to do with the nature of XP such as the need for an administrator account for day to day use, or the lack of distinction between trusted and untrusted applications. The list goes on and on, and not just for M$. The point is if you truly believe the statement of "I don't care even if it is anti-competitive at this point, I just want a secure O/S for once. " with regards to an inaccessible kernel to third parties. You deserve a bucket of sand to stick your head in to protect you from all those nasty things out there.
http://www.techknowcafe.com/content/view/603/43/
Stupidity issues a warning to update Windows when it's now announced that the Windows defense has more holes in it to give hackers easier access. Huh?
Good one, idiots! Dept of Homeland Stupidity is more of a threat to U.S. citizens.
Imagine that we outlaw gas engines and mandate that everyone switch to electric. The private security companies that protect buildings will not be able to keep up with the crooks that, since they are breaking the law anyway, do not care that gas engines are illegal and use them anyway. The Dodge Viper outruns the golf cart every day, and the only people not able to keep up are those following the law.
We can get rid of Symantec then think about getting rid of Microsoft later, but one at a time :)
I'm in support of Microsoft on this one, you rock.
If there's anything I can do to help in Symantec's destruction (legally), then throw me an e-mail.
Cheers.
Why is it then, we don't see through it when the media reports one of its tired Microsoft storylines? For the newcomers, I'll name three - "Microsoft can't ship software on time," "Microsoft code is not secure", "Microsoft is using its monopoly for evil purposes."
Anyone ever wonder if things aren't that simple? Yeah, I'm sure Steve Ballmer walked into a meeting with the core OS devs at Microsoft and said, "guys, we need a way to squash all those security vendors we've been working with for years - you know, the ones who have allowed shrinking profits and massive consolidation to serve as excuses for failing to innovate and actually provide useful features for customers while we've been getting a shellacking in the media over security." And I'm sure all those developers said, "sure Steve, but what should we do about all those stories about Microsoft not being able to ship software on time. Rearchitecting the kernel to put Symantec out of business is going to take some time."
So Microsoft changes some stuff for Vista and Symantec, et al have to port their code forward. Yep - they actually have to try and find a few of those engineers they laid off after the last OS shipped. Also, if they'd all discovered such easy ways around Patchguard, why wouldn't they disclose it? Doesn't that only strengthen their case? I suspect their backdoor is more like, "login as administrator, then replace the kernel with one from the previous beta without patchguard, then hope the OS doesn't detect what you just did."
In terms of the kernel being secure, I think the state of Israel is a really good analogy (whatever your politics). El-Al is the most secure airline in the world. The Mossad is a serious bunch of bad-*****, and the Israeli army is one of the most lethal fighting forces on the planet. Battle-tested is a good thing, and Windows has a lot more time in the trenches than Mac OS.
One time my son was begging me to install that piece of software received from his friend. I checked on Internet and found that it is a trojan. You know what would happen if he had admin privileges.
NT-based Windows is a secure OS (don't laugh). All kernel objects have a security descriptor attached, NTFS files have user-level access rights, etc.
MS advised for long time (since NT 3.0) that any user-modifiable items, like settings, user INI files and data files, go to user-specific profile folder. But most ignorant ISVs (name any software developer, including some division of MS) kept putting user data in Windows and Program files folders.
The problem with Windows XP started when MS, trying to reduce user complaints, gave all new users administrative rights by default. They didn't want complaints about that shiny game (put your favorite name here) to refuse to run. That actually might be fixed by user-level redirection, but didn't happen.
Now we have that any 10-year-old sitting in front of Daddy's computer is an administrator. When that web site asks him: "want to install this cool thing?" Yes, of course, I want! Get a piece of malware...
If you run with limited user privileges, you can forget about AV, and so.
The real issue here is how well does Microsoft guard access to the kernel? Do they have the proper API's set up in their OS to allow 3rd parties to dock to the Operating System with Kernel or Kernel similar level access and do they authenticate those processes constantly and do they have a special 3rd party certification program which would be required prior to giving such applications kernel or near-kernel access?
Microsoft will say that all of these are coming, but as they are not currently and readily available to 3rd parties... Microsoft is more or less shutting other 3rd party vendors out of the market until their 64-bit version has gained a bit of dominance.
MS will probably claim that it takes time to get all of those ready, but in the mean time... they are forcing others out of the market.
If they wanted to do it right, they should have already had the API's and the 3rd party certifications programs already activated prior to their beta release.
Some applications require kernel or near kernel level access... so blocking them all out is beyond the call of duty. But on the other hand... giving just any application full rein without any security checks/controls is the opposite end of the spectrum.
MS has been on the weak opposite end of the spectrum and now they're switching full swing to the other side of the spectrum which allows nothing.
As more and more complain about it... they'll eventually open that part up and offer similar to what I've mentioned above, but in the mean time... they're ramming their 64-bit version which supports nothing else first until it has enough to make it a near dominant monopoly again and then finally open it up to others... after they've already gained a good lion's share of the market.
Thus this story is not really too far off the mark.
Sure Microsoft needs to make its OS more secure, but it also requires compatibility with 3rd party products which rival theirs and that's where their push and shove methods start tipping to the monopolistic methods and tactics which they use.
They could have done as I mentioned above... but hey... MS's intent is for them to continue to be the major player and what better way than this... using security as the auspices to shut others out.
You can still have a secure operating system and allow kernel or near-kernel access... you just have to do it properly... something which Microsoft has decided against at this time but which they will be forced to allow in the future... after they've forced the market yet again!!!
Microsoft has been using ploys like this for ages and thus it's nothing new or unexpected... but it does border on anti-competition which is why sparks are starting to fly.
FWIW
http://news.com.com/2100-1002-6103949.html?tag=tb
And, here is an interesting bit of that discussion that I have taken part in...
http://news.com.com/5208-1002-0.html?forumID=1&threadID=20070&messageID=172840&start=-1
Hope this helps...
That it doesn't even really bear dissecting...
Mostly, it seems to me that, it is ONLY Microsoft, and their SHILLS, that keep demanding everyone believe that such things as MANDATORY "driver signing" - BY MICROSOFT, will in any way "improve security". Almost EVERYBODY ELSE sees this as yet another attempt by Microsoft to CONTROL THE INDUSTRY, and EXTRACT REVENUE. Maybe, you should honestly investigate the "technical arguments" that are being made.
And, as to being "happy" to upgrade...
...It's also a very well known FACT that, MOST OF THE INDUSTRY, seems to think that "Vista" is the MOST DEFINITE "hold-off on buying", on the computer-industry horizon. In fact, more and more people seem to think that "Vista" could be Microsoft's BIGGEST-FAILURE, both commercially, ...and "legally".
But, I did like that "billions of mac users" line... It is simply PRECIOUS.
Does Microsoft have the benefit of this collective knowledge? On the face of it, that appears doubtful.
So what happens to the interests of Users?
We had many vendors to choose from - Symantec, McAfee, Kaspersky, Sophos, Panda .........
We could change Vendors whenever we wanted.
In contrast, we must now hope that Microsoft knows enough to do the PC Security job. OTHERWISE - we will have to rely on the old brigade who will now be forced to work "around and against" Microsoft - NOT - with Microsoft.
This certainly does not look like progress.