Linked by Thom Holwerda on Fri 16th Jun 2006 01:11 UTC, submitted by Eugenia
Windows Microsoft senior vice president Bob Muglia opened up TechEd 2006 in Boston Sunday evening by proclaiming that Windows Vista was the most secure operating system in the industry. But a bold statement can only go so far, and much of this week's conference has been spent reinforcing that point.
Wha?
by rayiner on Fri 16th Jun 2006 01:19 UTC
rayiner
Member since:
2005-07-06

Um, what industry is that? Are they just talking about the desktop market, or are they comparing themselves to something like Trusted Solaris?

Moreover, how can you judge the security of a product that isn't out yet? Security, like usability, isn't a feature that you check off. It's a reputation you earn based on experience and time.

Reply Score: 5

RE: Wha?
by chlordane on Fri 16th Jun 2006 02:35 UTC in reply to "Wha?"
chlordane Member since:
2006-05-11

Microsoft only comes close with Server 2003 vs Linux....
(running a GUI)....when it comes to stability...but secure? I don't think so....

There is a reason they call it Trusted Solaris....

Let's see what Microsoft has got when they release this Vista..

Edited 2006-06-16 02:40

Reply Score: 1

RE: Wha?
by raver31 on Fri 16th Jun 2006 08:31 UTC in reply to "Wha?"
raver31 Member since:
2005-07-06

It is called marketing.....

Who is going to want to buy Vista if they think it is as unsecure as XP ?
Companies always market the new products as better/more stable/more secure.....

Look at washing powder adverts for example....

Reply Score: 4

RE: Wha?
by slate on Sun 18th Jun 2006 11:34 UTC in reply to "Wha?"
slate Member since:
2006-04-04

compared to Linux it's not a big feat

Reply Score: 1

Wait until it's mainstream
by diegocg on Fri 16th Jun 2006 01:25 UTC
diegocg
Member since:
2005-07-08

Microsoft has put a lot of effort into securing Vista, but until it really hits the streets how will we know?

For example, if you look into the WinHEC link posted today (http://osnews.com/comment.php?news_id=14900) you'll find a presentation where they explain that they've added a new type of process: "protected" processes, which will be used for software implementing DRM technology. Those processes are protected to avoid people hacking them so you can't debug/kill/look at them, but that also means (they warn it) that antimalware/antivirus software can't kill those processes. Theoretically only some signed software will be allowed to create those processes but uh, it'd be a wonderful hole if someone manages to jump that signed protection.

So I will wait for real world testing to see if this is REALLY secure before trusting people that told us that XP was also secure.

Reply Score: 5

RE: Wait until it's mainstream
by bards1888 on Fri 16th Jun 2006 08:31 UTC in reply to "Wait until it's mainstream"
bards1888 Member since:
2005-07-06

And what if the malware/virus is able to *become* one of these "protected" processes ? Which, given the MS track record, is entirely possible.

Reply Score: 4

RE[2]: Wait until it's mainstream
by siki_miki on Fri 16th Jun 2006 10:22 UTC in reply to "Wait until it's mainstream"
siki_miki Member since:
2006-01-17

Essentially Microsoft is implementing in-kernel copy protection.

If MPAA will be dumb enough to allow implementations of software blu-ray or hd-dvd decoders as protected process, someone will promptly hack the kernel and gain access to ring0. Without processor TCPA support, Microsoft doesn't have any chance.

If starforce (a very nasty protection) was defeated, I don't believe that Microsoft can be any harder.

Btw, I doubt that Vista will be able to detect (without the TPM chip) if the system is virtualised/emulated in something like vmware. At that point, anyone will be able to dump unencrypted code or even get a decryption key for it.

Edited 2006-06-16 10:27

Reply Score: 3

Thanks a lot guys
by ma_d on Fri 16th Jun 2006 01:26 UTC
ma_d
Member since:
2005-06-29

Consumers are being plagued with spam, phishing attacks and spyware, while the corporate world fends off data and identity theft. Microsoft believes its new wave of software will be the panacea for such problems, thanks to the Security Development Lifecycle (SDL) and technologies such as BitLocker and smart cards.

So after years of worms and viruses abounding we've finally got it through to a number of people that they have to be aware of what they do to keep from getting into trouble and here comes Microsoft: "Don't look before you cross the street, with Win Vista!"

Reply Score: 3

RE: Thanks a lot guys
by rockwell on Fri 16th Jun 2006 14:13 UTC in reply to "Thanks a lot guys"
rockwell Member since:
2005-09-13

Not only that, but isn't MS *responsible* for the "spam, phishing attacks and spyware" to some degree?

I'm a (careful) Windows user, but sheesh ... have the nuts to say, "we screwed up royal on many of our past OS's, but we're trying to make Vista better."

Reply Score: 1

I agree!
by burtis on Fri 16th Jun 2006 01:26 UTC
burtis
Member since:
2005-11-15

Can't argue with that. Can't crack it until it comes out.

Reply Score: 5

Honestly...
by Janizary on Fri 16th Jun 2006 01:28 UTC
Janizary
Member since:
2006-03-12

I skipped Windows XP because it was more of the same from Microsoft, a bunch of posturing and proclamations with no results. I am going to do the same with Vista and likely whatever follows it, because I cannot trust Microsoft, it has made it abundantly clear that it is incapable of security.

I will use OpenBSD instead, at least it actually is secure.

Reply Score: 4

RE: Honestly...
by buff on Fri 16th Jun 2006 01:38 UTC in reply to "Honestly..."
buff Member since:
2005-11-12

I skipped XP also until this year when I upgraded from 2K. It was worth it. XP runs applications faster, quicker launch times, and it manages memory better. It is not just a pretty face on the 2K OS. Upgrade, you will like it. If you don't like the bright colors just set it back to look like classic. Keep in mind I am not a MS fan at all. Fedora Linux is my main workstation.

Edited 2006-06-16 01:39

Reply Score: 3

RE[2]: Honestly...
by dylansmrjones on Fri 16th Jun 2006 02:09 UTC in reply to "RE: Honestly..."
dylansmrjones Member since:
2005-10-02

I prefer Win2K over XP at any time.

It's faster, it has a much better User Organisation (what's up with only "Limited User" and "Administrator" - what happened to "User", "Power User", etc.), consumes much fewer system resources.

It's not as themeable as default, but that's about it. Oh, and Win2K doesn't handle games too well, compared with XP.

Reply Score: 2

RE[3]: Honestly...
by suryad on Fri 16th Jun 2006 03:25 UTC in reply to "RE[2]: Honestly..."
suryad Member since:
2005-07-09

Win2k is faster? How so? Are there benchmarks to prove it or is it just a seat of the pants kind of feeling that a certain OS is zippier than the other? I read from some forums that if you turn off the XP "eye candy" then you get the same performance as Win2k. I don't know if that is true or not. The reason why I ask is because then I would try to install Win2000. Thanks for any info!

Reply Score: 2

RE[4]: Honestly...
by dylansmrjones on Fri 16th Jun 2006 03:50 UTC in reply to "RE[3]: Honestly..."
dylansmrjones Member since:
2005-10-02

The time it takes to open windows, the speed with which menus react, not to mention the console. All of this perhaps should be called "snappiness" or "latency"? And Win2K does not require >512 MB ram to feel snappy. 256 MB is enough (running XP with 512 MB ram is like running Gnome with 512 MB ram... pure S/M).

You can get a reasonable performance in XP without all the fancy stuff, but then you'll end up with a system with less functionality than Win2K. Win2K3 is better though. If you can get your hands on a legal copy, then tweak it to be a workstation OS. That's probably the best Windows-on-the-Desktop one can possibly get. Just remember to tweak it, though.

XP suffers from a primitive unacceptable User Organisation. Win2K3 (and Win2K) are much better at this.

But to the ordinary clueless user, that of course is irrelevant.

Reply Score: 2

RE[5]: Honestly...
by BluenoseJake on Fri 16th Jun 2006 19:00 UTC in reply to "RE[4]: Honestly..."
BluenoseJake Member since:
2005-08-11

All you have to do to manage users in WinXP like in win2K and Win2k3 is go into Administrative tools and go to manage computer, and all the old groups and users are there. There is not any less user functionality in XP compared to Win2k/2k3

Reply Score: 1

RE[4]: Honestly...
by ma_d on Fri 16th Jun 2006 05:10 UTC in reply to "RE[3]: Honestly..."
ma_d Member since:
2005-06-29

For his personal preference I imagine the seat of his pants is all that matters, don't you think?

The type of speed he's talking about is only important in perception anyway. Who really cares if it's actually faster when it feels faster, it's not like the 12 microseconds were going to go to good use anyway.

Reply Score: 2

RE[5]: Honestly...
by raver31 on Fri 16th Jun 2006 08:36 UTC in reply to "RE[4]: Honestly..."
raver31 Member since:
2005-07-06

They all add up!

Reply Score: 1

RE[5]: Honestly...
by fretinator on Fri 16th Jun 2006 13:43 UTC in reply to "RE[3]: Honestly..."
fretinator Member since:
2005-07-06

Win2k is faster? How so?

For me, it is based on memory usage. Here is my guideline for appropriate memory usage in the Windows world:

Win 3.1 - 8MB
Win 95 - 32 MB
Win 98 - 128 MB
Win 2K - 256 MB
Win XP - 512 MB
Vista - 1024 MB

** Win ME - Just turn it off and walk away slowly!

Reply Score: 1

RE[6]: Honestly...
by Nicram on Fri 16th Jun 2006 13:50 UTC in reply to "RE[5]: Honestly..."
Nicram Member since:
2006-01-31

You forgot NT4 that is very good OS ;) Stable & don't need a lot of RAM ;)

Reply Score: 1

RE[7]: Honestly...
by fretinator on Fri 16th Jun 2006 14:02 UTC in reply to "RE[6]: Honestly..."
fretinator Member since:
2005-07-06

You forgot NT4 that is very good OS ;) Stable & don't need a lot of RAM ;)

Good Point!

Win NT4 Desktop - 64 MB to 128 MB
Win NT4 Server - 128 MB and up

Actually, being a server OS, NT4 Server depends on what you are serving. I have used NT4 Server boxes with as little as 16MB (file sharing). Of course, with heavy load, it goes up, but it really did seem to need a lot less Ram than I would have thought.

Reply Score: 1

RE[6]: Honestly...
by rockwell on Fri 16th Jun 2006 14:16 UTC in reply to "RE[5]: Honestly..."
rockwell Member since:
2005-09-13

//Win ME - Just turn it off and walk away slowly!//

Take it from a Windows fan ... walk away slowly? RUN LIKE HELL!

Reply Score: 2

RE[7]: Honestly...
by chlordane on Sat 17th Jun 2006 01:55 UTC in reply to "RE[5]: Honestly..."
chlordane Member since:
2006-05-11

Win 3.1 - 8MB
Win 95 - 32 MB
Win 98 - 128 MB
Win 2K - 256 MB
Win XP - 512 MB
Vista - 1024 MB

The beast seems to get bigger with every release:

http://en.wikipedia.org/wiki/Lines_of_code

Year Operating System SLOC (Million)
1993 Windows NT 3.1 6
1994 Windows NT 3.5 10
1996 Windows NT 4.0 16
2000 Windows 2000 29
2002 Windows XP 40

I wonder how much more will be added with Vista?
Server 2003 will run just fine with the right hardware set up...

Edited 2006-06-17 01:57

Reply Score: 1

RE[3]: Honestly...
by Sodapop on Fri 16th Jun 2006 03:41 UTC in reply to "RE[2]: Honestly..."
Sodapop Member since:
2005-07-06

Played games just fine when I was running it. In fact, played games XP won't.

Reply Score: 0

RE[4]: Honestly...
by dylansmrjones on Fri 16th Jun 2006 03:45 UTC in reply to "RE[3]: Honestly..."
dylansmrjones Member since:
2005-10-02

Try Worms 2 (it does play but not too well - the movie clips don't work too well) or Diablo 1 ( I know I know.. ooooold games, but in my mind they are still new... old games are those from my C64 ;) )

If you can make it run under Win2k, please let me know how.

Reply Score: 1

RE[5]: Honestly...
by Sodapop on Fri 16th Jun 2006 05:08 UTC in reply to "RE[4]: Honestly..."
Sodapop Member since:
2005-07-06

I don't know about Worms 2 but Diablo (1) ran fine for me. And yes, the older games do seem to be the better ones don't they? =)

Have you tried ntcompatible.com? they have a nice data base on how to get games working.

Reply Score: 0

RE[6]: Honestly...
by dylansmrjones on Fri 16th Jun 2006 08:56 UTC in reply to "RE[5]: Honestly..."
dylansmrjones Member since:
2005-10-02

Haven't heard of it before (or cannot remember having heard of it), but I'll give it a look now. Thx ;)

And oh yes. The older games are the best ;)

Summer Games, here I come ;)

Reply Score: 0

RE[5]: Honestly...
by tryphcycle on Fri 16th Jun 2006 15:43 UTC in reply to "RE[3]: Honestly..."
tryphcycle Member since:
2006-02-16

wow.... MS invests more than a billion developing this OS... and you make a comment on how well it plays games! WOW....


what a total waste!

Reply Score: 1

RE[3]: Honestly...
by kaosphere on Fri 16th Jun 2006 07:22 UTC in reply to "RE[2]: Honestly..."
kaosphere Member since:
2006-06-16

//
It's faster, it has a much better User Organisation (what's up with only "Limited User" and "Administrator" - what happened to "User", "Power User", etc.), consumes much fewer system resources.
//

User organization is the same.
run
control userpasswords2

Reply Score: 2

RE[4]: Honestly...
by dylansmrjones on Fri 16th Jun 2006 08:36 UTC in reply to "RE[3]: Honestly..."
dylansmrjones Member since:
2005-10-02

Thx ;)

It doesn't explain why MS changed the behaviour. Is it supposed to be easier the other way?

Reply Score: 1

RE[3]: Honestly...
by BluenoseJake on Fri 16th Jun 2006 18:52 UTC in reply to "RE[2]: Honestly..."
BluenoseJake Member since:
2005-08-11

"what's up with only "Limited User" and "Administrator" - what happened to "User", "Power User", etc"

Ugh....all those still exist, and always have, under computer management, in administrative tools, where they always have been, since NT

Reply Score: 1

RE[3]: Honestly...
by mmebane on Fri 16th Jun 2006 23:05 UTC in reply to "RE[2]: Honestly..."
mmebane Member since:
2005-07-06

"it has a much better User Organisation (what's up with only "Limited User" and "Administrator" - what happened to "User", "Power User", etc.),"

control userpasswords2

Reply Score: 1

RE[4]: Honestly...
by mmebane on Fri 16th Jun 2006 23:08 UTC in reply to "RE[3]: Honestly..."
mmebane Member since:
2005-07-06

Oops, missed the prev comment on this. o_0

What happened to the edit button?

Reply Score: 1

RE[5]: Honestly...
by dylansmrjones on Fri 16th Jun 2006 23:27 UTC in reply to "RE[4]: Honestly..."
dylansmrjones Member since:
2005-10-02

The edit button doesn't always work. Usually it does, but sometimes it's not there.

Reply Score: 1

RE[2]: Honestly...
by Tweek on Fri 16th Jun 2006 17:38 UTC in reply to "RE: Honestly..."
Tweek Member since:
2006-01-12

Well, we know it isn't a pretty face. That was pretty obvious from the beginning.

Reply Score: 1

RE: Honestly...
by MikeekiM on Fri 16th Jun 2006 02:17 UTC in reply to "Honestly..."
MikeekiM Member since:
2005-11-16

>>I will use OpenBSD instead, at least it actually is secure.

Damn you, beat me to the punch.
Of Course Virus-ta is the most secure os in the industry, if you've never ever heard of another OS. Just more MS folks showing their "Windows Starter System" experience.

Reply Score: 2

At this point
by orestes on Fri 16th Jun 2006 01:31 UTC
orestes
Member since:
2005-07-06

One has to wonder whether the folks in Redmond understand the difference between having buzzword compliant security features and actually being secure.

Edited 2006-06-16 01:37

Reply Score: 5

Poor guy
by bouh on Fri 16th Jun 2006 01:31 UTC
bouh
Member since:
2005-10-27

He had to say it or he will be thrown chairs at.

Edit: typo

Edited 2006-06-16 01:31

Reply Score: 4

Oi
by sappyvcv on Fri 16th Jun 2006 02:06 UTC
sappyvcv
Member since:
2005-07-06

Gotta love the executive and manager types that say stupid crap like this and make the whole company look bad. What an idiot.

What's even more sad is that people will think saying this somehow makes Vista any different or that it's another reason to not use Vista.

Reply Score: 1

RE: Oi
by vitae on Fri 16th Jun 2006 19:26 UTC in reply to "Oi"
vitae Member since:
2006-02-20

Gotta love the executive and manager types that say stupid crap like this and make the whole company look bad. What an idiot.

But you have to wonder. Did he just blab it out for the hell of it or was he told to say it?

Reply Score: 1

Hmmm... déjà vu
by CapEnt on Fri 16th Jun 2006 02:07 UTC
CapEnt
Member since:
2005-12-18

It's not the first time that MS says that, and it will not be the last... in fact, I remember several speeches like that between 2000 and 2001 about WinXP.

Reply Score: 1

Vista is as secure..
by historyb on Fri 16th Jun 2006 02:09 UTC
historyb
Member since:
2005-07-06

as the titanic was unsinkable

Reply Score: 5

v RE: Vista is as secure..
by proforma on Fri 16th Jun 2006 04:40 UTC in reply to "Vista is as secure.."
RE[2]: Vista is as secure..
by raver31 on Fri 16th Jun 2006 08:45 UTC in reply to "RE: Vista is as secure.."
raver31 Member since:
2005-07-06

Possibly, there is a public beta available, so anyone can now take it and crack it.. Nothing amazing about that

Reply Score: 1

Yea Right
by tpaws on Fri 16th Jun 2006 02:15 UTC
tpaws
Member since:
2006-06-02

They said the same about Windows XP.

Reply Score: 2

What The Flap-Jack!?!?!
by chlordane on Fri 16th Jun 2006 02:31 UTC
chlordane
Member since:
2006-05-11

Do I even need to say anything else?
Who writes this stuff, Steve Ballmer?

Reply Score: 1

OpenBSD Most Secure OS Ever
by Lengsel on Fri 16th Jun 2006 02:43 UTC
Lengsel
Member since:
2006-04-19

Like Janizary and MikeekiM said, who can beat OpenBSD? I would like to hear OpenBSD's hackers' and users' complaints and mockery of Vista's security. The real security test for an OS is how long does it take the default unpatched installation to fall to hackers/crackers and viruses or trojans. "One remote hole in the default install" seems to be an incomprehensible, or should I say unattainable, standard for Microsoft.

Reply Score: 4

Wait for some time...
by TusharG on Fri 16th Jun 2006 02:46 UTC
TusharG
Member since:
2005-07-06

Wait for some time for Vista to become the most unsecure OS on earth... Have you forgotten what happened to WindowsXP? Have you not gone through the Microsoft history books?

Reply Score: 1

Deeds, Not Words
by elsewhere on Fri 16th Jun 2006 03:08 UTC
elsewhere
Member since:
2005-07-13

But Microsoft acknowledges that nothing is infallible when it comes to computer security. In turn, the company has employed black hat hackers for what is called a penetration, or pen, test team. This group has only one duty: to break the security in Windows Vista and help the company develop fixes for the vulnerabilities.

Er, no. You don't "employ" black hats. They work for themselves and have their own agendas, and they've been happily pen testing Windows for years now without a paycheque from MS. If they're on the payroll, they're white hats.

The company is working closely with developers to add custom "shims" that will ensure their programs are compatible with User Account Control.

10-to-1 odds we have the makings for our first exploit right there.

Work to streamline the experience for consumers will not stop with the final release, however, as Microsoft already has compatibility improvements planned through Windows Vista Service Pack 1.

So they've thrown in the towel and are already planning SP1? That's not inspiring.

In fairness, Microsoft seems to finally "get" it now. Issues with permissions, services, default settings etc. These were all known and discussed prior to XP, and were happily ignored. So I'll give MS credit for almost admitting where they were wrong, and taking steps to correct it.

But that's on paper. What really remains to be seen is the execution. The real black hats are waiting...

Reply Score: 4

RE: Deeds, Not Words
by suryad on Fri 16th Jun 2006 03:28 UTC in reply to "Deeds, Not Words"
suryad Member since:
2005-07-09

Interesting post. Thanks for the white/black hat info. As for SP1, I have learned not to use an MS product until there is at least 1 SP out for it. Well XP 64 bit is an exception. Great OS but it already technically has a SP because I think it was based on the OS with an SP in it already. There is supposedly a Vista R2 in the works....which is Vista Redux...or Vista Properly Done...or something along the lines. I don't think I will be the only one in saying, if I were indeed required to upgrade to Vista, waiting for R2 would probably be the best idea. My 2 cents.

Reply Score: 2

RE: Deeds, Not Words
by sappyvcv on Fri 16th Jun 2006 12:59 UTC in reply to "Deeds, Not Words"
sappyvcv Member since:
2005-07-06

Go look up the word "employ". It doesn't necessarily mean they are paying them. They are simply using the services of the hackers.

Reply Score: 1

We'll see ....
by WorknMan on Fri 16th Jun 2006 03:08 UTC
WorknMan
Member since:
2005-11-13

We'll have to wait until Vista gets out in the wild before we find out how secure it really is. BUT ...

If it does turn out to be secure, I bet the ABM'ers are going to be pissed .. they'll have less ammunition this time around ;)

Of course, with end users going out of their way to do anything they're told when they're promised nude pics of Jessica Simpson, there's only so much that can be done to secure an OS. Still though, if MS can eliminate the rootkits and drive-by installs, that'll certainly go a long way.

Reply Score: 1

RE: We'll see ....
by shotsman on Fri 16th Jun 2006 06:11 UTC in reply to "We'll see ...."
shotsman Member since:
2005-07-22

It could turn out to be the most Secure Microsoft OS ever released but if these "Security" features get in the way of actually using, configuring and administering the system for REAL then users & admins alike will quickly get pissed off and start turning off the bits that get in the way of their "Real Work".
IMHO, if an OS Security system is so obtrusive as to stop "Work" then it is a security risk in itself. Why? Admins are only human and will 'remove' those bits that stop them from doing their work.
I think that the BSD Security Model is fine. Its there but not in your face.

Reply Score: 1

RE[2]: We'll see ....
by rayiner on Fri 16th Jun 2006 13:31 UTC in reply to "RE: We'll see ...."
rayiner Member since:
2005-07-06

The UNIX security model is "just right" for a networked desktop/workstation. It lacks the flexibility and fine-grainedness of ACLs, but at the same time, that lack of flexibility makes it much easier to create a good default security policy. It's also simple enough that the user has a hope of understanding it, which goes a long way to improving the security of the system by reducing user error.

Once you get into ACLs and authorizing capabilities, you get a framework that is much more powerful, but one that is probably outside the understanding of your average user. It's easy to succinctly summarize the UNIX security model: each file has an owner, and that owner can authorize either himself, his workgroup, or everyone to read, write, or execute that file. It's also easy to succinctly summarize the security policy on a UNIX system: each user owns and can write the files under ~/, while everything else on the system is only accessible to the administrator, except temporary directories. Can someone summarize the Vista "User Access Controls" policy in as succinct a manner?

Reply Score: 2
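
The owner/group/everyone model and the "home plus temp directories" policy summarized in the comment above can be written down in a few lines. This is an added example, not part of the original thread; the users, paths and modes are constructed sample data, and the audit only looks at each entry's own mode bits.

```python
import stat

ROOT_UID = 0
R, W, X = 4, 2, 1  # bits inside one rwx triplet
TEMP_DIRS = ("/tmp", "/var/tmp")  # assumed exemptions for this example


def unix_access(mode, file_uid, file_gid, uid, gids, want):
    """Classic UNIX check: exactly ONE class (owner, group, other) decides."""
    if uid == ROOT_UID:
        # The administrator bypasses read/write checks; executing a regular
        # file still needs at least one x bit somewhere in the mode.
        if want & X and not stat.S_ISDIR(mode):
            return bool(mode & 0o111)
        return True
    if uid == file_uid:
        granted = (mode >> 6) & 7   # owner triplet
    elif file_gid in gids:
        granted = (mode >> 3) & 7   # group triplet
    else:
        granted = mode & 7          # everyone else
    return (granted & want) == want


def under(path, root):
    return path == root or path.startswith(root.rstrip("/") + "/")


def policy_violations(entries, users):
    """Return (user, path) pairs where a non-admin user can write outside
    their own home directory and outside the temporary directories."""
    found = []
    for name in sorted(users):
        uid, gids, home = users[name]
        for path, mode, f_uid, f_gid in entries:
            if under(path, home) or any(under(path, t) for t in TEMP_DIRS):
                continue  # allowed by the policy
            if unix_access(mode, f_uid, f_gid, uid, gids, W):
                found.append((name, path))
    return found


# Constructed sample data: name -> (uid, supplementary gids, home)
USERS = {
    "alice": (1000, {1000}, "/home/alice"),
    "bob": (1001, {1001, 50}, "/home/bob"),
}
REG, DIR = stat.S_IFREG, stat.S_IFDIR
ENTRIES = [
    # (path, mode, owner uid, group gid)
    ("/home/alice", DIR | 0o755, 1000, 1000),
    ("/home/alice/notes.txt", REG | 0o644, 1000, 1000),
    ("/home/alice/locked.txt", REG | 0o077, 1000, 1000),  # owner has nothing
    ("/home/bob/.ssh/authorized_keys", REG | 0o666, 1001, 1001),
    ("/etc/passwd", REG | 0o644, 0, 0),
    ("/etc/cron.d/backup", REG | 0o664, 0, 50),  # group-writable, bob in gid 50
    ("/tmp", DIR | 0o1777, 0, 0),
]

if __name__ == "__main__":
    for user, path in policy_violations(ENTRIES, USERS):
        print(f"{user} can write {path}")
    # Edge case: the owner class wins even when it grants less than "other".
    print("alice reads locked.txt:",
          unix_access(REG | 0o077, 1000, 1000, 1000, {1000}, R))
```

Creating or deleting a file also depends on the parent directory's write bit, which this audit does not model.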

Well there is something to that
by Sphinx on Fri 16th Jun 2006 03:31 UTC
Sphinx
Member since:
2005-07-09

Security in lack of numbers.

Reply Score: 2

real security
by SK8T on Fri 16th Jun 2006 04:36 UTC
SK8T
Member since:
2006-06-01

Here is a very intelligent sentence from the godfather of security, OpenBSD:
"Security is not a product, but a process"

Reply Score: 5

v No comment needed on mental midgets.
by proforma on Fri 16th Jun 2006 04:42 UTC
Vista Security
by PlatformAgnostic on Fri 16th Jun 2006 05:17 UTC
PlatformAgnostic
Member since:
2006-01-02

All in all, XP has had very few remotely-exploitable non-interactive vulnerabilities. There were some pretty nasty ones which required user interaction, like the WMF flaw, but nothing that would hit you unless you're looking at scuzzy sites on the net. If people keep the UAC stuff on, then even this stuff won't be too bad.

What I'd love to see as a feature of UAC is a way to log on with it off for a single session, or to turn it off for a specific amount of time so that one can do a bunch of administrative tasks at once and then reenable it.

Reply Score: 1

RE: Vista Security
by SEJeff on Fri 16th Jun 2006 14:27 UTC in reply to "Vista Security"
SEJeff Member since:
2005-11-05

All in all, XP has had very few remotely-exploitable non-interactive vulnerabilities. There were some pretty nasty ones which required user interaction, like the WMF flaw, but nothing that would hit you unless you're looking at scuzzy sites on the net. If people keep the UAC stuff on, then even this stuff won't be too bad.

I think you forgot things like DCOM enabled by default:
http://packetstormsecurity.org/0307-exploits/dcom.c

Or maybe you also forgot the UPNP exploit:
http://packetstormsecurity.org/0112-exploits/XPloit.c

I can find more and then some unpublished ones, but those are a few I remembered using off of the top of my head. An unpatched version of XP is soooo easy to hack.

Reply Score: 3

uh, folks
by Soulbender on Fri 16th Jun 2006 05:57 UTC
Soulbender
Member since:
2005-08-18

In case you hadn't noticed, he's a *Microsoft* manager speaking at a *Microsoft* conference. He's essentially a salesman speaking to the already converted. You can't expect him to say that their new product isn't going to be better than the last.

Reply Score: 2

RE: uh, folks
by rayiner on Fri 16th Jun 2006 13:24 UTC in reply to "uh, folks"
rayiner Member since:
2005-07-06

But he's not saying "this is the most secure Windows ever" (like they did with XP). He's saying "it's the most secure OS in the industry". That's not just marketing, that's throwing down the gauntlet.

Reply Score: 1

RE: Deeds, Not Words
by Soulbender on Fri 16th Jun 2006 06:03 UTC
Soulbender
Member since:
2005-08-18

"Er, no. You don't "employ" black hats. They work for themselves and have their own agendas, and they've been happily pen testing Windows for years now without a paycheque from MS. If they're on the payroll, they're white hats."

Nonsense. There are legions of black (and white) hats that are more than happy to sell their services to the highest bidder. For some it's even the sole driving force behind becoming a white/black hat.
What are the guys from L0pht Heavy Industries (that was a pretty cool name, btw) doing these days? Oh right, they got "acquired" by @stake (now part of Symantec), a commercial security company that sells consulting services. So much for working for themselves, having their own agenda and not selling out.

Reply Score: 1

This is a bunch of band-aids
by PlatformAgnostic on Fri 16th Jun 2006 06:29 UTC
PlatformAgnostic
Member since:
2006-01-02

http://blogs.msdn.com/michael_howard/default.aspx

See link above:
Maybe if Vista is mummified enough, it will be nearly impossible to exploit. But almost all vulnerabilities in Windows stem from the person at the keyboard/mouse.

Reply Score: 1

who are they kidding with this?
by 0xbadbeef on Fri 16th Jun 2006 06:35 UTC
0xbadbeef
Member since:
2005-11-12

ahaha, who are they kidding with this stuff, click-and-drool MCSE dimwits that think the world doesn't exist outside of Windows? As far as security is concerned Vista does not have *anything* new or interesting. It is a re-hash of things other operating systems had for years. But MS astroturfers are grasping for straws trying to convince the less intelligent populace of some non-existent Vista superiority. Vista is the same old turd of an OS, which just like XP and W2K before that will suffer from a myriad of security breaches (MS tried to convince us before that XP will be a truly secure OS and W2K before that and NT before that). If you want the most secure OS in the industry, go no further than Trusted Solaris, which truly deserves that title (mandatory access control and labels out of the box, enough said).

Reply Score: 3

bummer
by TDavis on Fri 16th Jun 2006 06:50 UTC
TDavis
Member since:
2006-06-10

Will the hard drive encryption lock the drive so you can't make a new operating system or run other operating systems? I presume Linux will overcome this, but it sucks there are more secrets in the industry. It's bad enough we don't get documentation on hardware. Security sucks and is just an excuse for companies which can't think of new features. See http://www.losethos.com for an operating system with no security, but lots of features.

Reply Score: 1

What industry?
by Darkelve on Fri 16th Jun 2006 07:21 UTC
Darkelve
Member since:
2006-02-06

The spyware industry... xD

"Microsoft senior vice president Bob Muglia opened up TechEd 2006 in Boston Sunday evening by proclaiming that Windows Vista was the most secure operating system in the industry."

Reply Score: 1

Most secure ... ROTFL
by Kwitschibo on Fri 16th Jun 2006 07:51 UTC
Kwitschibo
Member since:
2006-01-17

[snip]
http://secunia.com/product/96/
Currently, 0 out of 70 Secunia advisories, are marked as "Unpatched" in the Secunia database.

http://secunia.com/product/4670/
Currently, 0 out of 182 Secunia advisories, are marked as "Unpatched" in the Secunia database.

http://secunia.com/product/22/
Currently, 27 out of 140 Secunia advisories, are marked as "Unpatched" in the Secunia database.

Vista will be more secure than XP... but... most secure? Never.

Reply Score: 4

Panacea?
by vasko_dinkov on Fri 16th Jun 2006 08:17 UTC
vasko_dinkov
Member since:
2005-09-13

From the article:

"Consumers are being plagued with spam, phishing attacks and spyware, while the corporate world fends off data and identity theft. Microsoft believes its new wave of software will be the panacea for such problems..."

Yeah sure, but we all know panacea doesn't exist. ;)

Reply Score: 2

Would Microsoft bet on that?
by johnboyholmes on Fri 16th Jun 2006 09:09 UTC
johnboyholmes
Member since:
2005-11-16

I would love to see what odds one of those UK betting agencies would give you on Vista having fewer open security vulns, one month after official release, than OpenBSD.

I am sure not even Microsoft employees would bet on Microsoft. The article is the best troll I have seen in ages :-)

Reply Score: 1

LOL-sadly April has already passed.
by djames on Fri 16th Jun 2006 09:36 UTC
djames
Member since:
2006-04-18

"Not only is Vista the most secure operating system in the world but it's going to include Microsoft Bob and borrow some legacy stuff from our most advanced operating system Windows Millennium. People, if you don't have the horse power to run Vista, go to ebay and buy Windows ME."

I'd rather have a virus than spend a total of 60 minutes weekly getting prompted to do something multiple times.

Reply Score: 1

Vista is secure...
by vasper on Fri 16th Jun 2006 10:20 UTC
vasper
Member since:
2005-07-22

until you decide to install it.. I am sure.

Reply Score: 3

Best Security....?
by Ranger on Fri 16th Jun 2006 12:55 UTC
Ranger
Member since:
2006-05-03

I'm sensing a pattern here. Not a very good one, either......

Yet Another Security Hole for the Windows Platform (December 2001) http://www.osnews.com/story.php?news_id=431
Microsoft may have touted Windows XP as the most secure operating system it has made, but the company on Thursday released a bug fix for a security hole that could leave some people's systems open to malicious attack.

I recall that the same claims were made by MS for Win98, WinME, Win2K, all the Server Editions......

After they were unleashed on the computing public, each one was soon discovered to have major security issues and exploitable holes.

As far as Vista is concerned, I'll stay away as long as I can.

Fool me once........ (or twice, three times, oh, boy!)

Reply Score: 2

RE: Best Security....?
by PlatformAgnostic on Fri 16th Jun 2006 15:13 UTC in reply to "Best Security....?"
PlatformAgnostic Member since:
2006-01-02

No mention of Server 2K3?

That's pretty secure. Most of the vulnerabilities in it are things like Media Player and IE, which no one would use in a production server environment. The only remotely exploitable vulnerability was WebDAV in IIS, but everything is off by default, so an unpatched 2k3 box would fare pretty well as a static web server.

Reply Score: 1

RE[2]: Best Security....?
by Nicram on Fri 16th Jun 2006 15:36 UTC in reply to "RE: Best Security....?"
Nicram Member since:
2006-01-31

"so an unpatched 2k3 box would fare pretty well as a static web server."

The problem is that an unpatched 2k3 is just as problematic as an unpatched XP. & I know that from autopsy ;)

Reply Score: 1

Yawn
by GCrain on Fri 16th Jun 2006 13:11 UTC
GCrain
Member since:
2005-07-11

LMAO!! I just reinstalled WinXP yesterday, and one of those advertising screens that pop up while it copies files over stated the EXACT SAME THING. More rehash. I have lost all trust in MS. With all the weird updates that are forced, and completely disregard my preferences (WGA), who knows what's going on in my computer. Even a virgin install of Windows and a clean scan with ad-aware finds MS installed spyware.

Reply Score: 1

Patchy
by Anonymo on Fri 16th Jun 2006 13:37 UTC
Anonymo
Member since:
2005-07-06

I'll believe it when they don't need a patch before it even rolls out.

Reply Score: 1

Not the most secure OS
by SEJeff on Fri 16th Jun 2006 14:18 UTC
SEJeff
Member since:
2005-11-05

Vista Security Features:
- User Account Control
- Separating some of the drivers from the kernel
- Honoring the NX (No Execute) bit on modern CPUs
- Modularizing things like IIS Web Servers
- ASLR (Address Space Layout Randomization)
- A sandboxed version of Internet Explorer.

No, this does not make Vista the most secure OS out there, this just puts it closer to (yet still behind) 'nix security.

Redhat Enterprise Linux 4 Security Features:
- Exec-shield is an LKM that honors the NX bit and does some kernel-foo to prevent buffer overflows.
- FORTIFY_SOURCE - Many critical services are compiled with a hardened version of gcc designed to produce code that detects and prevents buffer overflows using a standard canary stack protection mechanism.
- Specially modified C libraries designed to detect and prevent buffer overflows
- SELinux MAC (Mandatory Access Control). Vista has no form of MAC that I was able to see anywhere in the beta or on the MS site.

ASLR and PIE (Position Independent Executables) work on Linux if you install a PAX kernel (http://pax.grsecurity.net)

Reply Score: 3

RE: Not the most secure OS
by BluenoseJake on Sat 17th Jun 2006 00:48 UTC in reply to "Not the most secure OS"
BluenoseJake Member since:
2005-08-11

SELinux is ACLs, which NT has had since version 3.1 (the first version) so Vista has MAC built in, and so did every other version of Windows, it was just nullified by the fact everyone ran as administrator.

Reply Score: 0

RE[2]: Not the most secure OS
by SEJeff on Sat 17th Jun 2006 03:39 UTC in reply to "RE: Not the most secure OS"
SEJeff Member since:
2005-11-05

"SELinux is ACLs, which NT has had since version 3.1"

Wow! Just wow...

SELinux is not ACLs, it is Mandatory Access Control. Windows has never had Mandatory Access Control or anything similar to it. Modern filesystems such as ext3 support ACLs when mounted with the correct options and ACLs are set using commands like setfacl.

Please understand that comparing ACLs to MAC is like comparing your high school locker to the world bank safe. Access Control Lists are a beefed up form of Discretionary Access Control (DAC). There is a HUGE difference between MAC and DAC.
http://en.wikipedia.org/wiki/Mandatory_access_control
http://en.wikipedia.org/wiki/Discretionary_access_control

DAC says that I can have read, write, and execute permissions on a file. MAC says that if I am logging in as root using ssh and ssh is in a role that can only read /home/somedir and only write to /home/somedir/tmp, then that's all I can do. Properly configured MAC such as SELinux or Novell's AppArmor will prevent exploits in software running as root from doing much harm at all.

Does that make sense?

Reply Score: 2
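
The DAC/MAC distinction described in the comment above, as an added example that is not part of the original thread: a toy model (not SELinux's real policy engine) in which the DAC check lets uid 0 through, while a default-deny MAC policy keyed on the process's role still confines it. The role name `ssh_role`, the file names and both tables are constructed for illustration.

```python
import posixpath

# Constructed DAC metadata: path -> (owner uid, owner permission letters).
DAC_OWNERS = {
    "/home/somedir/notes.txt": (1000, "rw"),
    "/home/somedir/tmp/scratch": (1000, "rw"),
    "/etc/shadow": (0, "rw"),
}

# Constructed MAC policy: role -> list of (directory, permissions granted).
# Anything not listed is denied, whoever the user is.
MAC_POLICY = {
    "ssh_role": [("/home/somedir", "r"), ("/home/somedir/tmp", "rw")],
}

def dac_allows(uid, path, perm):
    """Discretionary check: owner bits decide, and uid 0 bypasses them."""
    if uid == 0:
        return True
    owner, perms = DAC_OWNERS.get(path, (None, ""))
    return uid == owner and perm in perms

def mac_allows(role, path, perm):
    """Mandatory check: the most specific matching rule for the role wins."""
    path = posixpath.normpath(path)  # collapse ../ so a prefix can't be dodged
    best = None
    for directory, perms in MAC_POLICY.get(role, []):
        if path == directory or path.startswith(directory + "/"):
            if best is None or len(directory) > len(best[0]):
                best = (directory, perms)
    return best is not None and perm in best[1]

def access(uid, role, path, perm):
    """Access is granted only when both layers agree."""
    return dac_allows(uid, path, perm) and mac_allows(role, path, perm)

if __name__ == "__main__":
    for path, perm in [("/home/somedir/notes.txt", "r"),
                       ("/home/somedir/notes.txt", "w"),
                       ("/home/somedir/tmp/scratch", "w"),
                       ("/etc/shadow", "r")]:
        verdict = "allow" if access(0, "ssh_role", path, perm) else "deny"
        print(f"root via ssh_role {perm} {path}: {verdict}")
```
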

RE[3]: Not the most secure OS
by BluenoseJake on Sat 17th Jun 2006 04:00 UTC in reply to "RE[2]: Not the most secure OS"
BluenoseJake Member since:
2005-08-11

"SELinux is not ACLS, it is Mandatory Access Control. Windows has never had Mandatory Access Control or anything similar to it. Modern filesystems such as ext3 support acls when mounted with the correct options and acls are set using commands like setfacl. "

What is the point of that statement? NTFS supports ACLs, you even say it yourself. Using Wikipedia for your sources is not adding any credibility to your arguments either. NTFS supports ACLs when running under NT/2k/2k3 and XP Pro. I can use ACLs to define what directories a user or group has access to. I can define group policy that says what a user can run and not run, where they can log in from (local or network) and how much access to system settings and configuration, just like in unix.

Reply Score: 1

RE[4]: Not the most secure OS
by SEJeff on Sat 17th Jun 2006 04:23 UTC in reply to "RE[3]: Not the most secure OS"
SEJeff Member since:
2005-11-05

You said, "SELinux is ACLs" and you were incorrect. I am refraining from saying wrong because you obviously don't understand what SELinux does by a long shot. SELinux also can be used to restrict network data depending on how it is labeled. Can you do that with NTFS or ACLs? No, because they aren't even similar.

Discretionary Access Control (what NTFS is) is weak compared to Mandatory Access Control. MAC and DAC complement each other, but they are VERY different.

Maybe I can break this down better for you to understand. What if...

I log in as the Administrator over RDP to a Windows 2003 server. I try to access the settings for Exchange Server, but can't. The RDP service was started with a role that doesn't have permissions to touch or even read any of those files/settings. Even though you are the Administrator (which can modify anything), with MAC, you can't touch any of those settings. MAC makes it physically impossible for something in an unprivileged role/domain to touch anything in a privileged one. This is currently impossible in Windows as it doesn't have a form of MAC. It is sooooooo much more than file permissions which is all ACLs are.

If you still don't understand, can I contact you offline to help you understand the difference between MAC and DAC? I'd be more than willing to help you learn if you are interested.

Reply Score: 2

RE[5]: Not the most secure OS
by BluenoseJake on Sun 18th Jun 2006 22:43 UTC in reply to "RE[4]: Not the most secure OS"
BluenoseJake Member since:
2005-08-11

Your condescending tone doesn't help your case, as your statement doesn't take into account group policy, which I can use to limit what users and groups can do when they log in and how they log in, so NTFS ACLs are by themselves not equivalent to SELinux, but mated with GP, they are "roughly" equivalent. I have used SELinux under Fedora Core, and I have used ACLs and GP under Windows for better than a decade.

My original point to my post was to inform the great grandparent that NT has had ACL technology (meaning fine-grained permissions on objects) longer than Linux, as SELinux is only a few years old, and so is AppArmor. I made some mistakes in my first post, granted, but that was due to haste, not misunderstanding. You have managed to ignore my subsequent comment that took Group policy into account. Using GP and AD, I can define what a person has access to, and what they don't. I can tell the OS not to allow certain users or groups access remotely, or what they can do when they have remote access. I can control what a particular user runs and when. They may not be the same from under the hood, but in my experience, and I do have quite a bit with both, your opinion notwithstanding, they allow similar capabilities.

Reply Score: 1

RE[6]: Not the most secure OS
by SEJeff on Mon 19th Jun 2006 12:32 UTC in reply to "RE[5]: Not the most secure OS"
SEJeff Member since:
2005-11-05

Ok, Mandatory Access Control and Discretionary Access Control are very different things. You do not seem to understand (or care) about this fact. Yes, NTFS has had ACL support longer than Linux. Modern filesystems such as ext3 and reiserfs introduced ACL support fairly recently when I know Windows NT had them. However, ACL and SELinux are two different things altogether. Even ACL + Group Policy don't compare to what you can do with SELinux. The fact that you still compare ACL to SELinux is what concerns me, there is no comparison.

I apologize if I sounded condescending, but I really hate it when people ignore facts.
ACL != MAC, SELinux != DAC.
ACL == DAC, SELinux == MAC

If you wouldn't mind reading this short paper, it might help you to understand what I can obviously not explain to you very well:
http://www.linuxplanet.com/linuxplanet/tutorials/1527/2/

Reply Score: 1

RE[7]: Not the most secure OS
by BluenoseJake on Mon 19th Jun 2006 13:58 UTC in reply to "RE[6]: Not the most secure OS"
BluenoseJake Member since:
2005-08-11

You seem to be ignoring that I have amended my statements to include group policy, perhaps if you read my comments instead of just opening your mouth. I will accept that ACLs are not MAC but like I said, when combined with group policies, they HAVE SIMILAR CAPABILITIES, if you have problems understanding this fact, I could contact you offline and explain it to you.

Reply Score: 1

I thought Vista stood for...
by SpasmaticSeacow on Fri 16th Jun 2006 14:36 UTC
SpasmaticSeacow
Member since:
2006-02-17

Virus Infection and Simple Transmission Architecture. Is this not true? Why would Microsoft divert from an apparently winning product strategy?

Reply Score: 1

Yeah right....
by Governa on Fri 16th Jun 2006 16:03 UTC
Governa
Member since:
2006-04-09

I've heard this before... I don't trust them anymore. I've switched to a Unix based OS. All Windows versions are a bloated buggy mess of spaghetti code... and hugely overpriced.

I don't care about Vista anymore.

Reply Score: 1

Re: Headline
by twenex on Fri 16th Jun 2006 17:38 UTC
twenex
Member since:
2006-04-21

Hahah. That was funny! Thanks, OSN.

Reply Score: 1

RE[3]: Honestly...
by NemesisBLK on Fri 16th Jun 2006 20:37 UTC
NemesisBLK
Member since:
2005-07-10

'"what's up with only "Limited User" and "Administrator" - what happened to "User", "Power User", etc"'

Only XP Home gives you the option of Administrator and Limited User accounts. XP Pro has the Power Users and more. You may be using XP Home so that is why you didn't see the other accounts.

Edited 2006-06-16 20:37

Reply Score: 1

Touche!
by DKR on Sat 17th Jun 2006 04:33 UTC
DKR
Member since:
2005-08-22

Nice work, Jeff.

http://www.indymedia.org/images/2004/06/111168.jpg

A heaping serving for BluenoseJake.

Reply Score: 1

RE: Touche!
by BluenoseJake on Sun 18th Jun 2006 22:45 UTC in reply to "Touche!"
BluenoseJake Member since:
2005-08-11

maybe, maybe not, but at least he was mature about it. are you 12?

Reply Score: 1

That's what they said about XP
by reddog on Mon 19th Jun 2006 12:04 UTC
reddog
Member since:
2006-04-20

Doesn't this remind you of what they said about XP? They claimed that the security issues of Windows had now been resolved, and that it was going to be the most secure Windows ever when released.

...Sounded promising, but we all know how it played out.

Reply Score: 1