25. January 2007 21:41
Windows Vista is getting a bum rap. The media is painting a picture of Microsoft's new operating system as a pretty version of XP with few new features that users will care about. This is the same media that greets every new ".1" release from Apple as if it were the second coming of Jesus H. Christ. These reviews of Vista are so off base, so ill informed, and so superficial that they border on gross negligence.
I'm not even sure on where to begin analyzing these "reviews". Cnet's review, which gives Vista a "7.8", calls it a "warmed over XP", and makes multiple flat out factual errors. They claim that "most of Microsoft's [security] improvements in Windows Vista are within the Enterprise or 64-bit editions," which is a completely ridiculous statement.
There are no security features that Enterprise has that any of the other versions of Vista do not. (Indeed, this "review" was about Vista Ultimate, which contains every feature from every version, with the 1 exception which I'll mention in a minute.) Vista x64 contains a single feature that the others lack, kind of. Vista x64 restricts kernel mode driver installation to signed/certified drivers only. That's it.
Cnet goes on to state that there are no "big-name software packages written exclusively for Windows Vista". Wow, considering it hasn't even officially launched yet, that's a bit harsh.
Cnet criticizes the new Start Menu and search functionality, stating that they "would have preferred to have access to Search directly from the desktop rather than digging down a level or two", no doubt referring to Mac OS X's Spotlight field in the titlebar on the Mac desktop. Let's see, on the Mac I need to hit COMMAND + SPACE, or click in the field, to start searching. On Vista, I hit the Windows key and start typing. How, exactly, is that different? If anything, Vista's search is easier to get to.
Cnet continues to make factual errors by claiming that "aero is part of the Windows Presentation Foundation, a subgroup of the .Net Foundation Framework, an underlying foundation for developers to build new applications.". Um, no, it's not. Aero has nothing to do with WPF. Aero is a theme in Windows Vista. Nothing more. They even make the very confusing claim that "Aero is necessary to create Microsoft's new, Adobe PDF-like file format called XPS (Extensible Page System);", which is completely untrue.
Cnet shows how incredibly inept they are by then criticizing User Account Control while simultaneously plugging OS X. They state that "While UAC notifies you of pending system changes, it doesn't require a password. The Mac operating system does something similar but requires a password--that's security." What? First of all, UAC only doesn't prompt with a password IF YOU ARE AN ADMIN.
Administrators in Vista are treated like regular users in every way (in fact, they are regular users) except that they don't have to type in credentials in UAC prompts. If you run as a non-admin user, you have to type in the credentials of an admin complete the UAC prompt, just like the Mac.
Unlike the Mac, however, Vista displays these prompts on a secure desktop. This prevents malware from fooling you into authorizing something you didn't want to authorize by simply displaying a fake dialog over the real one. The Mac has nothing like this and is theoretically open to all sorts of spoofing malware attacks. Is that security? If the Cnet team had spent any time researching Vista they would know this.
They go on to say that "the jury is still out on whether Internet Explorer 7 is more secure than, say, Firefox 2", which I would agree with, but they neglect to mention anything about protected mode IE, which is a great security innovation from Microsoft that suggests that IE 7 will be, by far, the safest modern browser you can use.
Cnet's review makes many unsubstantiated claims about Vista's performance, calling it a "resource hog" without ever backing up that statement. (And no, you can't just look at Task Manager's RAM stats and use that to justify your opinion.)
Cnet's review was pretty much inline with many other sites, such as Time.com and even Tom's Hardware. (And don't get me started on Walter S. Mossberg.) Time, for instance, closes their review with the seemingly insightful musing that "translucent borders are all well and good, but out there in the jungle, no one cares how pretty you are." No kidding. If you guys were so concerned about Vista's security, why didn't you spend a little more time researching the many innovations and improvements Vista has in terms of security instead of trying to come up with more ways to mention Apple in your review? They have the gall to title their review "Windows Vista: why nobody cares." Maybe nobody cares because you guys have done a good job spreading FUD.
These people completely neglect to talk about hundreds of Vista's features which will end up really changing the way we use computers. Whether it's the fact that Vista will usher in the world of IPv6 (via it's support for PNRP), or how it will change the way applications are written and deployed for Windows via technologies like WPF/E and WCF. They almost universally ignore great technologies like ReadyBoost, SuperFetch, and ReadyDrive, all of which will make our computers feel zippier. And they're oblivious to things like Sideshow. And don't think that's the full list of features they're ignoring. It's not. For a full list, check out this excellent Wikipedia article.
Windows Vista is a great OS. If Apple was releasing an OS with this many new features they would be called geniuses and would be praised for ushering in a new era of computing. But Microsoft is not Apple, and so instead we get this FUD.
To be fair, there were a couple of decent reviews of Vista. One of them being from Paul Thurrott. Was his a complete review? No. But it wasn't willfully ignorant like the other clowns.
Please, go upgrade to Vista. Ignore these idiots. You'll be happy you did.
Update: Be sure to checkout the 2nd part in my series of blog posts about The FUDing of Windows Vista!
10. October 2006 15:03
I have a prediction.
I predict that when IE 7 on Vista starts to take significant market share (say, 30% or so), you'll start to see the attacks on Firefox increase dramatically. In other words, Firefox will become more and more dangerous to use as IE 7 on Vista gains market share.
I use Firefox because of what basically amounts to security through obscurity. Many people claim that Firefox is simply written better than IE and that is why it seems to have fewer security related incidents.
Indeed, Firefox at least seems to be more secure, having only 36 security related issues discovered since 2003, many of which were not particularly critical. (Versus a whopping 106 vulnerabilities for IE 6.x, many of which were critical.)
But that doesn't really tell you the whole story. The fact of the matter is that Internet Explorer is the best way to attack the largest number of computers. It's the single biggest attack vector into a Windows machine. The bad guys who want to install malware on the largest number of computers possible are going to target the OS with the most users (Windows) and the browser of choice for those users is still overwhelmingly IE 6.
It has long been my opinion that the more popular and widely used a piece of software, the more people are going to attack it for both glory and monetary gain. But every once in a while a technology will emerge that will essentially remove a particular attack vector from being feasible.
When Microsoft released XP SP2, the changes it made to ActiveX installation were enough, for the most part, to remove an entire genre of social engineering attacks by forcing the user to do just a few extra steps to install an ActiveX control. Of course this had little affect on the spread of malware. Malware distributors just started using buffer overflows and other types of exploits to install their software.
But IE 7 on Vista is different. For the first time a browser will run all the time with privileges far below that of the current user. It's called Protected Mode IE. IE will not even have the ability to write to places that the current user can write to, such as the desktop or My Documents folder. Instead, and actions which required elevated privileges will have to be done through something like the Service Broker. The Service Broker is a small (only a few thousand lines of code) application that runs with the privileges of the logged in user and takes "requests" from IE to do things like saves files to the desktop.
The result is that you really only have to audit a small piece of code to guarantee that IE 7 can't do anything bad, regardless of the vulnerability in question. Buffer overflows won't have any affect on the user because even with that overflow, IE 7 doesn't have permissions to do anything bad.
This technique has already proven itself successful. Despite the fact that a recent vulnerability in the VML rendering engine was present in IE 7, a vulnerability that was completely unknown to the IE 7 team, it had no affect on users running IE 7 on Vista thanks to protected mode.
But once the malware distributors see a decline in their successful installations due to Protected Mode IE 7, they will want to make it up somehow. The obvious choice is to attack the guy who has 2nd place in the market share battle. Guess who that is.
So while dramatically improving Windows security by removing the primary attack vector, Microsoft will have made Firefox far more dangerous a browser to use.
Just my opinion. Only time will tell if I'm right.
18. September 2006 17:01
No sooner than I return from my trip to the wonderful city of Los Angeles (yes, that's extreme sarcasm) than I see another way to hack a Diebold voting machine.
This one is far simpler than the one I described in my previous post. All you need is a hotel minibar key.
Wow. The Netherlands looks better and better with each and every passing day.
28. July 2006 22:53
Linux is more secure because...
I can't easily count the number of times I've been told that Linux is more secure than Windows. It happens so often that it has almost become "true" because so many people believe it. It's basically common knowledge at this point.
But what is this assertion based on? I suspect a lot of it is based on a combination of two things.
First is that Microsoft security gaffs get a lot of attention and rightfully so. Windows is used by 90%+ of all desktop users. Windows Servers run the majority of the Fortune 100. If there is a security problem with these products, people should know about it. Not to mention the fact that if there is a bug in software that 90% of people run, it has a very good chance of hurting a very large number of people.
Combine this with the widespread ABM (Anything But Microsoft) attitudes and you have a recipe for a seemingly endless stream of media stories about security holes in Microsoft products.
Second is that, on the flip side, you hear almost nothing about Linux vulnerabilities. Linux advocates constantly crow about how secure their OS is, and how you would have to be a fool to run the Swiss cheese that is Windows. Even when there is a security hole reported by the media, the stories almost always end with "but the hole was fixed in a patch released this morning".
The Real Deal
But what's the real deal here? How do you quantify how secure a piece of software is? I would say that the only even remotely valid way of quantifying security is by counting the number of known vulnerabilities while taking into account how long users were exposed before patches were available.
As it turns out, at least when you're comparing Windows XP SP2 with Redhat Desktop Linux
, Linux has quite a few more vulnerabilities than Windows, and, in general, users are actually exposed for a longer amount of time than for their Windows counterparts.
I know what many of those Linux advocates out there are saying right now. "But wait! Linux is open source! That means anybody can look at the code, and that means that more bugs will be discovered. Windows is closed source, so vulnerabilities hide out in that code until bad guys find them."
That may be true. Windows may have more vulnerabilities in the code, but there are several problems with concluding that Linux (and open source software in general) is therefore more secure.
- Just because something might be true, doesn't mean it is. Yes, it might be true that Windows has more buggy code. But there is no way to prove this other than by looking at the numbers. The only numbers we have are the ones regarding known vulnerabilities. Making conclusions based off a completely unproven (and probably improvable) assumption is foolish.
- Unknown vulnerabilities don't hurt anybody. If nobody ever finds that vulnerability, it's just as good as if it never existed in the first place. I know some coding purists out there are getting all mad right now, but it's a simple fact and you have to accept it. Security through obscurity does work if it stays obscure. Since fewer vulnerabilities are known for Windows, this likely means that Windows is more secure.
- Vulnerabilities can hide out in open source code as well. When there are hundreds of thousands or millions of lines of code, bugs don't exactly jump out at you. While there have been some iffy studies done on the quality of open source vs closed source code and how open source tends to have fewer bugs per line of code, the "Many Eyes" theory of open source security has never had any real numbers to back it up.
- It's an assumption that more people actually look at the source code when it's open. It's also an assumption that more eyes will result in more discovered vulnerabilities. In fact, many types of security issues require highly trained eyes to be detected. The kinds of eyes that companies like Microsoft employee many of and that are paid to look at the code day after day.
Now, again, I know what many Linux advocates are saying to this argument. They're saying something like "But you have no idea who knows about all those publicly unknown vulnerabilities. There could be bad guys using undisclosed exploits against Windows machines all over the planet right now!"
Again, that's true. But, again, there is basically no data to support that assertion. If you can find some data that suggests that Windows falls victim to a greater number of exploits that were previously unknown to the public than Linux (and you adjust for the far greater usage of Windows over Linux when considering those numbers), then you'll have a point. But until then, you got nothing.
Insecurity and Dangerousness are Different
One last point I'd like to make is that there is a difference between how dangerous a piece of software is, and how insecure a piece of software is.
If I'm using "Bob's Awesome Web Server" (BAWS), and BAWS has 300 vulnerabilities it might still be less dangerous to use than Apache or IIS. Why? Because I'm the only one using BAWS. Very few bad guys are going to take the time to write exploits for BAWS if basically nobody uses it.
This is one reason why I currently use Firefox. I don't really think that Firefox is more secure than IE. In fact, I'll take an educated guess and say there are likely more holes (many of which are yet to be discovered) in Firefox than there are in IE. (That's a guess, not an assertion. I can't prove it's true, and it really doesn't matter in the context of the point I'm making.) But Firefox is a lot less dangerous to use at this point. Why? Because IE has 90%+ market share, and Firefox has less than 7%. The bad guys are still spending most of their time hacking IE.
Anyway, next time you hear somebody assert that Windows is less secure than Linux, ask them to give you the hard numbers and don't let them change the subject.
13. July 2006 20:43
I recently responded to a particularly annoying post on slashdot regarding Windows and the fact that before Vista, the default user created was always an administrator. You can read the comment I was responding to here. Below is my response.
I know it's hard sometimes, but please try and actually read the post you're responding to before ranting:
Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer.
As far as Windows being the only OS where the user is admin by default, you're correct. Of all modern operating desktop systems, Windows XP is the only one to make the first user admin by default. But did you ever ask yourself why?
You claim it's a simple matter of "twenty years of fraudulent marketing bullshit trying to claim it wasn't a problem". Find me a single example of this. You can't, because you just made it up.
The fact of the matter is that Windows has a very long history on the desktop, and for a large percentage of that history they haven't even had memory isolation or a permissions system. (Read: Win X.XX, Win 9x, Win ME.) In Microsoft's defense, the Internet took them a bit by surprise. Until the Internet, desktop security wasn't an issue for anybody except businesses, and that's why they used NT.
Over those years many, many, many applications were written for those flavors of Windows. These applications all assumed they were running as admin, and for good reason... they were! It wasn't until just 5 years ago that Microsoft finally made the push to get consumers on to the NT kernel, with all its nice security features and the new world of multiple users with varying permissions. Ut oh. There in lies the problem. Microsoft couldn't simply make users non-admin by default because now almost all existing desktop applications, the very thing people buy Windows for in the first place, would break.
So Microsoft had to make a hard choice... break all existing applications and go out of business, or have the users run as admin by default. Tough choice.
Admittedly, Microsoft should have done a MUCH better job over the past 5 years to get people to develop Windows applications the correct way. Aside from their "Logo Certification", they've done almost nothing.
Vista's UAC is a huge step forward for Windows, and it solves a very difficult technical problem that is absolutely unique to Windows: a massive legacy software library dating back 20+ years that *must* run flawlessly on every new version of Windows. Microsoft does not have the luxury of breaking every existing application like Apple does (thanks to their extremely small, yet insanely loyal user base), nor do they have the pleasure of having a software library written with multi-user systems in mind from the get-go, like Unix/Linux.
Cleary this isn't as simple as Microsoft being "fraudulent", nor is it "marketing bullshit", and they certainly have never claimed it wasn't a problem.