Robert Downey
The FUDing of Windows Vista - Part 3

Sorry for the delay in posting part 3 of my series (Part 1, Part 2) on The FUDing of Windows Vista, but I've been pretty busy.

Today, however, I simply couldn't stop myself. The Register decided to write a "review" of Windows Vista's security features. Needless to say, it's a prime example of the FUD I'm talking about.

So, point by point:

While referring to IE's Protected Mode feature:

However, there is a brokering mechanism that enables users to download files to any location they have access to, or to install browser plugins and extensions, and the like. So users are still invited to make a mess of their systems, and no doubt many will, while Microsoft has a chance to shift blame away from itself.

Uh huh. First, you can't install plugins/extensions (with the exception of signed ActiveX) without admin privs. Period. Second, how, exactly, would you propose the user be able to save files to their Documents folder, or do any other file operation in their profile (or basically anyplace on the system) without this brokering mechanism? Would you prefer that Microsoft not allow users to download *any* files via the browser? Ya, that would work out well.

However, IE7 on Vista does still write to parts of the registry in protected mode.

IE7 is running as an extremely low-rights user. This does *not* mean that it doesn't have the ability to write to any part of the registry. It means that the registry's ACLs must explicitly allow write access to IE's low-rights user. Certain locations have been explicitly marked as write-safe for the low-integrity process. The example given by The Register is one of them. In other words, it's not an issue.

However, DEP, when full on, may cause a number of applications to crash, or interfere with their installation. I'm betting that a majority of users will opt for the more conservative setting, and this of course means less defense for everyone.

DEP Dialog

You're betting that the majority of users, most of whom think "DEP" is an actor's last name, will go and hunt down the DEP setting and turn it off because it will supposedly cause lots of applications to crash? Really? You mean they won't selectively turn it off via the dialog box that comes up after a DEP-related crash that asks if you want to turn it off just for this application? Oh, and what quantitative study are you citing that shows that lots of commonly used applications will crash because of DEP? Give me a break.

User Account Control (UAC) is another good idea, because it finally, finally, finally allows the machine's owner to work from a standard user account, and still perform administrative tasks by supplying admin credentials as needed on a per-action basis. You know, the way Linux has been doing it forever.

Windows has supported running individual processes as admin (or any other account) since NT4. It was integrated into the GUI in Windows 2000. That is not the point of UAC, and it's not how Linux does it at all. If you try to run an application or perform an operation on Linux or Unix that requires admin access, it will fail. It doesn't prompt you. It's a subtle, but big difference. And it's a critical difference in the Windows world where the vast majority of applications won't work without admin privs.

Of course, it only works if everyone stays out of the admin account as much as possible, and if everyone with an admin password knows better than to install a questionable program with admin privileges. And there's the catch: "Windows needs your permission to install this cleverly-disguised Trojan nifty program. Click Yes to get rooted continue."

Wrong. It works regardless of what user you *think* you're running as. An admin account on Vista (with UAC enabled) is NOT AN ADMIN ACCOUNT. It's a limited user. The *only* difference is that an admin account isn't prompted to type in credentials in the UAC prompt, whereas a limited user is.

So you see that, here again, MS's security strategy involves shifting responsibility to the user.

Ok, smart ass. What's a better solution? Get rid of admin accounts entirely? Don't allow any programs to run at all? Never allow a user to connect to the net? Oh, how about only allowing signed, Microsoft-approved applications to be installed on Vista? Ya, that would go over well. What would you say about "The Vole", then?

And the reason why it's never going to work is because MS still encourages the person who installs Vista (the owner presumably) to run their machine with admin privileges by default.... Until MS gets it through their thick skulls that a multi-user OS needs a separate admin account and a user account for the owner, and that the owner should be encouraged to work from a regular user account as much as possible, UAC will never work as intended.

Wow. Ok. Imagine this scenario: A person installs/buys Vista and sets up the machine. Vista does what you want so badly and first asks for an admin account password, but then asks the user for the login/password for their limited account. Having an admin account on the machine is unavoidable if you ever want to do anything on the machine past checking your e-mail and reading high-quality publications like The Register.

So now the user has the admin account (that they're not using as their primary account), and they have their limited user account. Now anytime they need to do something that does require admin privs they will be prompted via UAC for the admin password. Since they're the ones who set up the machine, they'll type in the admin password. All the other users on the machine will have to go get the person who set up the machine to type in the admin password, exactly as they have to do right now in Vista.

So, how is this any better? Now, instead of the occasional annoying OK button, you'll have an OK button and be required to type in admin credentials. If you're the guy who set up the machine, you know the password. If you're not, then it works just like it does now.

Or perhaps you would rather have it just like it is in Linux, and have all operations simply fail with access denied errors? See, it works fairly well for Linux because all Linux applications were designed from the ground up with a multi-user system in mind. But Microsoft *must* support as many legacy applications as possible. That legacy application support is one big reason why Linux on the desktop has failed to defeat Windows.

Furthermore, if you want UAC to always prompt for credentials even as the "admin" user, there is a policy setting to make that the case.
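The policy setting referred to above lives under the local security policy for UAC. The following script is an added example (not code from the original post) that reads the registry values behind that policy and reports what the machine is actually configured to do. The value names (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop) and their meanings are the documented ones; values 3 through 5 for the administrator prompt were added after Vista, so on a Vista machine you will only see 0 through 2.

```powershell
# Added example, not from the original post: audit the UAC elevation-prompt policy.
# Reading the values needs no elevation; changing them does.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (Admin Approval Mode).
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting (no UAC prompt at all for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default on Windows 7 and later)'
}

# Documented meanings of ConsentPromptBehaviorUser (standard users).
$UserPromptMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacPolicyReport {
    param([string]$Key = $UacPolicyKey)

    $p = Get-ItemProperty -Path $Key -ErrorAction Stop

    # A missing value means "default", so fill in the documented default rather than treating it as 0.
    $enableLua   = if ($null -ne $p.EnableLUA)                  { [int]$p.EnableLUA }                  else { 1 }
    $adminPrompt = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $userPrompt  = if ($null -ne $p.ConsentPromptBehaviorUser)  { [int]$p.ConsentPromptBehaviorUser }  else { 3 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    # Flag the combinations that remove the protection the post describes.
    $findings = @()
    if ($enableLua -eq 0)   { $findings += 'UAC is disabled: administrator logons get a full admin token again' }
    if ($adminPrompt -eq 0) { $findings += 'Administrators elevate silently: no prompt is ever shown' }
    if ($secureDesk -eq 0)  { $findings += 'Prompts are not on the secure desktop, so other software can draw over or drive them' }
    if ($userPrompt -eq 0)  { $findings += 'Standard users cannot elevate at all and must switch accounts' }

    [pscustomobject]@{
        UacEnabled            = ($enableLua -eq 1)
        AdminPromptValue      = $adminPrompt
        AdminPromptMeaning    = $AdminPromptMeaning[$adminPrompt]
        UserPromptValue       = $userPrompt
        UserPromptMeaning     = $UserPromptMeaning[$userPrompt]
        PromptOnSecureDesktop = ($secureDesk -eq 1)
        AdminsTypeCredentials = (@(1, 3) -contains $adminPrompt)   # the behaviour the post mentions
        Findings              = $findings
    }
}

Get-UacPolicyReport | Format-List

# To make administrators type credentials exactly as standard users do, set the admin
# prompt to "credentials on the secure desktop" (run from an elevated shell):
# Set-ItemProperty -Path $UacPolicyKey -Name ConsentPromptBehaviorAdmin -Value 1
```

The same settings are exposed in the Local Security Policy editor under Security Options as "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" and its companions; the script simply reads the registry values that UI writes.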

UAC is, in my opinion, a good solution to a problem that exists only on Windows. Saying that Windows should operate its elevation system like Linux simply shows that you don't understand the problems at hand.

In fact, UAC is the most complained-about new feature of Vista, and most people are disabling it as soon as possible.

It's the most complained about by people like you, and by a few vocal power users. But guess what, you're all in the minority. Most people will fairly rarely encounter UAC. As a person actually using Vista on a daily basis at both work and at home, I don't find UAC annoying at all. There ya go.

And when you're running in an admin account, UAC is nothing but a bother.

And when you're running as a non-admin account, UAC is nothing but a time-consuming bother? Give me a break.

And once UAC is disabled, all of its security enhancements are lost. Yes, the basic idea is good, but the implementation has been completely bungled.

So what's the better solution?

And since it's very likely that you will still be running your Windows box as an admin, if you're going to open a file with Windows Explorer, you'd better look to see whether or not it's an executable, because it will run with your privileges. So, at a minimum, the folder view should default to showing file extensions.

I kind of agree with this, but the chances that you'll run an application without knowing it's an application are fairly small. If you downloaded this application from the net, Windows will flag it as potentially unsafe. When you try to run it, Windows will ask you to confirm that you really want to run this application and that you trust it. (And yes, you can turn this off by unchecking a box in the properties dialog of the file.)
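The flag mentioned above is the "mark of the web": a Zone.Identifier alternate data stream that browsers write onto downloaded files and that the Unblock checkbox in the properties dialog removes. The following is an added example (not code from the original post) that reads that stream so you can check which files on a machine still carry the mark. The demo files it creates are constructed for the example and need an NTFS volume; the -Stream parameter requires PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: read the Zone.Identifier mark on a file.

# URLZONE values that browsers record in the ZoneId= line.
$ZoneName = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-DownloadZone {
    # Returns the ZoneId recorded in the Zone.Identifier stream, or $null when the file
    # carries no mark (never downloaded, or unblocked via the properties dialog / Unblock-File).
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no such stream: the file is not marked
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null       # stream present but malformed: treat as unmarked
}

function Test-IsFromInternet {
    # True only for files marked Internet or Restricted sites, the zones Windows warns about.
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-DownloadZone -Path $Path
    return ($null -ne $zone -and $zone -ge 3)
}

# Demo with two constructed files: one "downloaded", one local.
$downloaded = Join-Path $env:TEMP 'demo-downloaded.txt'
$local      = Join-Path $env:TEMP 'demo-local.txt'
Set-Content -LiteralPath $downloaded -Value 'constructed demo content'
Set-Content -LiteralPath $local      -Value 'constructed demo content'
# Write the mark the way a browser would (real browsers may add further lines such as HostUrl=).
Set-Content -LiteralPath $downloaded -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'

foreach ($f in $downloaded, $local) {
    $zone  = Get-DownloadZone -Path $f
    $label = if ($null -eq $zone) { 'no mark' } else { "ZoneId=$zone ($($ZoneName[$zone]))" }
    '{0}: {1}; warns before running: {2}' -f (Split-Path -Leaf $f), $label, (Test-IsFromInternet -Path $f)
}

Remove-Item -LiteralPath $downloaded, $local
```

Running Get-DownloadZone over a Downloads folder is a quick way to see which executables a user has already unblocked, since those are exactly the files that will run without the confirmation prompt the post describes.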

As usual, Windows enables far too many services by default.

Examples? Oh, that's right... we don't need examples. This is The Register.

It's a little craplet with a stereotypical icon that looks like a shield, and it simply informs you of whether or not the firewall is on, whether or not you've got anti-virus software installed, and so on.

One major hurdle for users securing their systems is that they don't know all the things they need to secure. The Security Center provides a single place where they can check their most important security settings. Seems like a good idea to me, and it seems to work pretty well. But I guess because The Register thinks it's a "craplet", I must be wrong.

We have got, instead, a slightly more secure version than XP SP2.

Uh huh. And if I took this "review" at face value, I might have to agree with you. Except luckily, I don't usually take things at face value. The "review" ignores many of Vista's security features, and it gives an extremely biased and unfair assessment of the ones it does touch on.

Only time will tell how secure Vista will be against the onslaught of hackers that will undoubtedly be attacking it, but it's a helluva lot better than The Register gives it credit for.

Happy Darwin Day

On this day, in 1809, Charles Darwin was born.

In case you're not familiar with this little known scientist, he is best known for his theory of Evolution through Natural Selection. You know, the fundamental underpinnings of all of modern biology.

Darwin was, without a doubt, one of the greatest scientific minds to ever have lived. His contributions to the understanding of our world are almost unparalleled.

Happy birthday Charlie.

UPDATE: Whoops. I'm a day late. His birthday was on the 12th. Sorry!

The Failure of Knowledge-Based Security

I just saw an article posted on Slashdot regarding Bank of America's relatively new online security feature, called SiteKey. The basic gist of the story is that because users tend to ignore an incorrect or missing SiteKey, the security system is therefore flawed.

That's true, I guess. But the article more or less ignores the fact that SiteKey is also technically flawed. Of course, all knowledge-based security mechanisms are fundamentally flawed. That's the elephant in the living room that a lot of people are ignoring.

Bank of America's SiteKey feature is, for the most part, an improvement over previous security measures. It is designed to mitigate basic phishing techniques, not to protect against man-in-the-middle attacks or other more sophisticated hacks.

Other banks use different measures, each of which is typically aimed at a different security problem. For instance, HSBC uses a "virtual keyboard" to mitigate keyboard loggers.

But the basic flaw in all of these security measures is that they rely on knowledge to authenticate a user. The problem is, knowledge is transferable. Whether it was a keyboard logger or a phishing attack, whatever the company is using to try and make sure you are who you say you are can just as easily be used by somebody else.

The only way around this is using a combination of both knowledge *and* something non-transferable. This can be biometric (retinal, fingerprint, face, whatever), or something a lot simpler (and cheaper), such as a smart card. (Yes, I know a smart card can be stolen, but it's going to be a *lot* harder to steal a smart card AND the login information at the same time.)

Using a combination of transferable and non-transferable authentication requirements means that even if somebody phishes my login/password/sitekey/mother's maiden name/social security number/etc, if they don't have the little card on my key chain, they're not getting into my bank account.
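The argument in the last few paragraphs is easiest to see as a protocol. The script below is an added example (not code from the original post) that models a login with a knowledge factor (a password) and a possession factor (a "card" holding an HMAC key that never leaves it and only answers fresh challenges). It then plays out the three cases the post describes: the owner with both factors, a phisher who captured the password and an earlier response, and a thief who has the card but not the password. Every secret and every captured value in it is constructed for the demo; the card is simulated with a closure, not real smart-card hardware.

```powershell
# Added example, not from the original post: knowledge + possession login, modelled in PowerShell.

function ConstantTimeEquals([byte[]]$a, [byte[]]$b) {
    # Compare every byte so timing does not reveal where the first mismatch is.
    if ($a.Length -ne $b.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $a.Length; $i++) { $diff = $diff -bor ($a[$i] -bxor $b[$i]) }
    return ($diff -eq 0)
}

function New-RandomBytes([int]$Count) {
    $buf = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return $buf
}

function Get-PasswordHash([string]$Password, [byte[]]$Salt) {
    # PBKDF2, so a stolen verifier table is not a list of passwords.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $Password, $Salt, 100000
    return $kdf.GetBytes(32)
}

function New-Card([byte[]]$Key) {
    # The card exposes only Respond(); the key lives in the closure and is never returned.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList @(,$Key)
    return @{ Respond = { param([byte[]]$Challenge) $hmac.ComputeHash($Challenge) }.GetNewClosure() }
}

function Test-Login([hashtable]$Account, [string]$Password, [scriptblock]$Respond) {
    # Factor 1: knowledge. Factor 2: a fresh challenge only the card key can answer.
    $pwOk      = ConstantTimeEquals (Get-PasswordHash $Password $Account.Salt) $Account.PasswordHash
    $challenge = New-RandomBytes 32
    $expected  = (New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList @(,[byte[]]$Account.CardKey)).ComputeHash($challenge)
    $response  = & $Respond $challenge
    $cardOk    = ConstantTimeEquals $response $expected
    return ($pwOk -and $cardOk)   # both checks always run, so a bad password reveals nothing extra
}

# Enrollment (constructed): the bank keeps a salted password hash and a copy of the card key.
$cardKey  = New-RandomBytes 32
$salt     = New-RandomBytes 16
$account  = @{ Salt = $salt; PasswordHash = (Get-PasswordHash 'correct horse battery staple' $salt); CardKey = $cardKey }
$realCard = New-Card $cardKey

# Owner: knows the password and holds the card.
"Owner with password and card:  $(Test-Login $account 'correct horse battery staple' $realCard.Respond)"

# Phisher: captured the password and one earlier card response, but has no card.
# Replaying the old response fails because each login issues a new challenge.
$capturedResponse = & $realCard.Respond (New-RandomBytes 32)
$replay = { param([byte[]]$Challenge) $capturedResponse }.GetNewClosure()
"Phisher with password, no card: $(Test-Login $account 'correct horse battery staple' $replay)"

# Thief: has the card but not the password.
"Thief with card, no password:   $(Test-Login $account 'guess' $realCard.Respond)"
```

The point the model makes is the one in the text: everything the user types or sees on screen is transferable and can be replayed, while a per-login challenge answered by a key the user cannot read out is not. A real smart card additionally rate-limits and PIN-protects the key, which the closure here does not attempt to model.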

It's just a matter of time before this becomes widespread. Microsoft already requires this for all employees accessing their company network, and support for this kind of two-phase authentication is built into Windows Vista. Vista also supports a technology called CardSpace, which can further mitigate the security problems associated with knowledge-based mechanisms.

As the technology becomes cheaper, it will slowly become an option for banking customers, and eventually a requirement. Only then will online transactions become, at least in principle, truly secure.

Remote Desktop in Windows Vista

I finally got around to trying out Remote Desktop in Windows Vista. Wow. Very cool. Not only does this thing support multiple monitors (finally), but it fully supports desktop composition.

For those of you that don't know, desktop composition is what allows Vista to look so pretty. Without it, you're stuck with the "classic" look. No transparencies. No cool flip 3D stuff.

Vista Aero on Remote Desktop

Remote Desktop on Vista, at least when connecting to another Vista machine, seems zippier. I'm not sure why, exactly, but it definitely feels even closer to being "local".

So, if you're still using VNC, this is even more reason to drop it like a bad habit.

Oh, and yes, even Flip 3D works!

Flip3d via Remote Desktop