Linked by Thom Holwerda on Tue 10th Oct 2006 20:41 UTC, submitted by snds24
A senior Microsoft executive has promised that its new operating system will be more secure than ever. Jean-Philippe Courtois, president of Microsoft International, said that beefing-up security was one reason behind delays to Windows Vista. Microsoft has been criticised for flaws in previous systems that left users vulnerable to attacks by hackers. Mr Courtois said Microsoft had done "tons of work to make Vista a fantastic experience when it comes to security".
Thread beginning with comment 170543
RE[2]: never
by Morgul on Tue 10th Oct 2006 21:19 UTC in reply to "RE: never"
Morgul Member since:
2005-07-06

While I won't debate that it will be a better setup by default, there's a big mistake that they've been doing all over Vista... rewriting things from the ground up. There is an article (here: http://www.osnews.com/story.php?news_id=15399) that details the security holes in the networking stack. That alone is going to kill its security.

Here's another problem with security in Vista: UAC. Frankly, that solution has only made things worse, not better. Why? Well, no one pays attention to an alarm that goes off every ten minutes... And UAC is going to be so much a part of the user's experience that they will ignore it and always allow everything through... or worse, disable it. That's BAD from a security standpoint.

Something I would love to see is Windows bringing in some honest-to-goodness security guys (like this guy: http://www.schneier.com/blog/) to evaluate and help design their systems. Ah, well, they'd just be told to do it like Unix does things anyway. Oh well.

Edited 2006-10-10 21:20

Reply Parent Score: 2

RE[3]: never
by n4cer on Tue 10th Oct 2006 22:49 in reply to "RE[2]: never"
n4cer Member since:
2005-07-06

> While I won't debate that it will be a better setup by default, there's a big mistake that they've been doing all over Vista... rewriting things from the ground up. There is an article (here: http://www.osnews.com/story.php?news_id=15399) that details the security holes in the networking stack. That alone is going to kill its security.

Those holes were identified and fixed by Microsoft before they were even publicized. If you examine what the new stack brings to the table, you'd realize the rewrite was warranted.

> Here's another problem with security in Vista: UAC. Frankly, that solution has only made things worse, not better. Why? Well, no one pays attention to an alarm that goes off every ten minutes... And UAC is going to be so much a part of the user's experience that they will ignore it and always allow everything through... or worse, disable it. That's BAD from a security standpoint.

Most complaints about UAC are from pre-RC builds, and mainly from power users who are likely to perform admin tasks more frequently than average end-users. Many complaints also stem from a lack of understanding of permissions. One of the more common complaints I've seen about UAC is not being able to perform file operations on secondary hard drives without being prompted. The simple fix for this is to enable Write permissions on the drive for standard users, but power users that don't really know what they're doing choose the sledgehammer approach of disabling UAC altogether. UAC isn't the problem. People resisting the transition from running as admin full-time to running as standard user most of the time is the problem.

> Something I would love to see is Windows bringing in some honest-to-goodness security guys (like this guy: http://www.schneier.com/blog/) to evaluate and help design their systems.

http://blogs.msdn.com/michael_howard is the guy you're looking for, and he's by far not the only security guy at Microsoft. They also have partnerships with several external security firms.

> Ah, well, they'd just be told to do it like Unix does things anyway. Oh well.

Thank goodness they don't follow that advice.

Reply Parent Score: 4
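n4cer's "simple fix" above (grant standard users write access to the data drive instead of disabling UAC) is the kind of thing that is easy to get wrong with the GUI. The script below is an added example, not code from the thread or from Microsoft. It assumes the secondary data drive is D: (change $Drive), that it is run from an elevated PowerShell on Vista or later, and it deliberately grants Modify rather than Full Control so that users can work with files without being able to rewrite the drive's ACL. It also shows the check that tells you whether the shell you are in is the elevated or the standard-user half of the split token n4cer refers to.

```powershell
# Added example, not from the thread or from Microsoft. Grants standard
# users Modify rights on a secondary data drive so that ordinary file
# operations there stop triggering UAC elevation prompts.
# Assumptions: the secondary drive is D: (change $Drive), and this runs
# in an elevated PowerShell on Vista or later.
param([string] $Drive = 'D:\')

# Check the integrity level of this shell: an elevated shell carries the
# S-1-16-12288 (High) mandatory label, a standard-user token S-1-16-8192
# (Medium). Changing the drive's ACL requires the elevated one.
$isElevated = (whoami /groups) -match 'S-1-16-12288'
if (-not $isElevated) {
    throw 'Run this from an elevated PowerShell; changing the drive ACL needs admin rights.'
}

# Refuse to touch the system drive; loosening its ACL is exactly the
# sledgehammer this script is meant to avoid.
if ($Drive.TrimEnd('\') -ieq $env:SystemDrive) {
    throw "Refusing to change permissions on the system drive $env:SystemDrive"
}

# Show the ACL before the change.
Write-Host "ACL on $Drive before:"
(Get-Acl -Path $Drive).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# BUILTIN\Users by its well-known SID (S-1-5-32-545) so the rule does not
# depend on the display language. Modify rather than Full Control: users
# can create, edit and delete files but cannot rewrite the ACL itself.
# ContainerInherit + ObjectInherit makes the rule apply to existing and
# future folders and files on the drive.
$users = New-Object System.Security.AccessControl.SecurityIdentifier 'S-1-5-32-545'
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $Drive
$acl.AddAccessRule($rule)
Set-Acl -Path $Drive -AclObject $acl

Write-Host "ACL on $Drive after:"
(Get-Acl -Path $Drive).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# Equivalent one-liner with the built-in icacls tool:
#   icacls D:\ /grant "*S-1-5-32-545:(OI)(CI)M"
```

After this, a standard user (or an administrator's filtered Medium-integrity token) can create and edit files anywhere under D:\ without an elevation prompt, while the system drive keeps its default protection. If you later need to undo it, remove the same rule with the (OI)(CI) flags rather than resetting the whole ACL.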

RE[4]: never
by blitze on Tue 10th Oct 2006 23:29 in reply to "RE[3]: never"
blitze Member since:
2006-09-15

Some good points, n4cer. Got to take UAC complaints with a grain of salt, as most of them are Win power users who have f-all idea of security and permissions.

MS is doing a decent job to rectify problems Windows has had in the past and most of them are due to normal users running an Admin account with XP.

That's 6 years of bad user habits to break. Not going to happen without some whinging on the end-user side, but the dust will settle after the 1st year and people will wonder what all the fuss was about.

Reply Parent Score: 1

RE[3]: never
by noamsml on Wed 11th Oct 2006 10:42 in reply to "RE[2]: never"
noamsml Member since:
2005-07-09

1. As for the fresh new code, you have to remember that they've been testing their stuff quite vigorously, so the jury is still out on this one.

2. Unix-esque security is definitely not the ultimate security scheme against modern attacks targeted at home computers. These attacks don't try to harm the system, but instead simply want to run on it and exploit its resources or display advertisements to the user. These activities don't require root access, they just require one security hole in any app the user runs.

Reply Parent Score: 1

RE[4]: never
by netpython on Wed 11th Oct 2006 12:04 in reply to "RE[3]: never"
netpython Member since:
2005-07-06

> Unix-esque security is definitely not the ultimate security scheme against modern attacks targeted at home computers.

It's not the holy grail, but what is?
Many simple design features could help to make it a lot more difficult to take advantage.

> These attacks don't try to harm the system, but instead simply want to run on it and exploit its resources or display advertisements to the user.

What's the difference? I wouldn't want that either. And I think hardly any user would.

> These activities don't require root access, they just require one security hole in any app the user runs.

Most users are root by default. I think very few users run W2K/XP Professional, where you have limited user versus administrator separation.

Reply Parent Score: 2