
More Headaches from Vista Security

Posted by ScuttleMonkey
from the bottle-of-pain-medication-shipped-with-every-sale dept.
Michael Cooney writes to tell us Windows Vista may have some serious headaches in store for corporate users with third-party authentication systems like VPNs. From the article: "ISVs say rewriting their code for the new architecture will produce headaches that will extend to their customers that have deployed strong authentication such as biometrics or tokens, enterprise single sign-on and a number of other systems integrated with the Windows authentication architecture."
This discussion has been archived. No new comments can be posted.

  • Film at 11!

    I mean, come on, it's hardly news that *EVERY* Windows breaks random stuff.

    I remember the pain I went through after installing NT Option Pack 4, all sorts of stuff changed in operation. It was sorting that mess out that made me drop my "Microsoft Certified Solutions Provider" ambition.

    • Dontcha mean "Service Pack 4"?

      Meanwhile, I hope the 3D Studio Max users are prepared for the impending headaches (same w/ anyone else that uses all kinds of software-based tokens and registration schemes like C-DILLA, if it's even in use anymore).

      I wonder if dongles will come back?

      On the upside? Umm, there's probably no upside.

      /P

    • Re:Windows Bites (Score:3, Insightful)

      by x0n (120596)
      > I mean, come on, it's hardly news that *EVERY* Windows breaks random stuff.

      And that's hardly news considering it tries to be backwards compatible all the way back to at least DOS 2.1; Can you imagine how hard it must be to NOT break more stuff, seriously?

      The fact that people have to rewrite core drivers etc to support this model is a sign that Microsoft is finally putting security ahead of compatibility. This is a Good Thing.

      - Oisin
      • Re:Windows Bites (Score:5, Informative)

        by DrSkwid (118965) on Monday May 08, 2006 @07:20PM (#15289140) Homepage Journal
        It's not "a good thing" when they change how database connection pooling works.

        It used to be recommended practice to stick the db connection in the session object at session.start.

        Option Pack 4 changed this behaviour. But it didn't show up until the websites you had already deployed started to get "un-reproducible" errors. The unpooled connections hung around for 30 mins after the last request for that session. Once the site got enough traffic it started killing the application. Could be 6 months, could be a year. Took a while to work that one out, much to the annoyance of my customers, and at my expense "you wrote it, it must be a bug in your code, bug fixes are covered in our agreement". Getting off the MSDN treadmill was glorious.

        • Yes, I do remember being told to do that before, and it was an acceptable practice for low-traffic sites. If your site was too busy however, the idle connections sitting in session objects would eventually block new sessions until the session timed out. Not to sound high and mighty, but I never adopted this pattern; it just didn't make sense for low-traffic sites, since it was a "performance" hack, and low traffic sites perform fine. Implementing it on a high-traffic site only made the problem worse.

          You say
        • Meh, they've done better. A simple MDAC (Data Access Components) upgrade to fix security errors and memory leaks completely changed the SQL syntax to Foxpro databases through ODBC. Uninstall was not possible. It was either reformat the machine, or go through every sql query and re-write it to the new syntax.
  • Win-Win (Score:3, Insightful)

    by foundme (897346) on Monday May 08, 2006 @05:26PM (#15288483) Homepage
    What are these ISVs whinging about? This is almost the perfect opportunity to convince their clients that it is time for another upgrade. But wait, that's not all, as mentioned in the article, the upgrade also requires extensive testing, so it's doubly good news.

    Programming wise, I guess this would teach these ISVs a lesson that, if they want to develop custom code, they should probably have a more flexible architecture to accommodate any OS changes, or even make it compatible across different OSs.

    I don't think Bridgestone can ask Ferrari to slow its F1 cars down because Bridgestone tyres cannot perform at high speed.
    • Re:Win-Win (Score:5, Funny)

      by lucabrasi999 (585141) on Monday May 08, 2006 @05:28PM (#15288507) Journal
      don't think Bridgestone can ask Ferrari to slow its F1 cars down because Bridgestone tyres cannot perform at high speed.

      Wait a minute! Did you just compare Windows Vista with Ferrari?

      • I thought it was an appropriate comparison.

        1. It has its moments of brilliance,
        2. It has an almost continuous monopoly in its turf
        3. It relies more or less on a single product for its success
        4. There is an increasing pressure to challenge its domination
        5. Its star is usually arrogant and breaks his seats
        6. Its new version is almost always the last to arrive despite promises
        7. Its new version always breaks and it takes a few patches to get it up to speed
        8. Regulations and rules are introduced mainly to remov
        • You forgot

          9. Every time you have a problem with a Ferrari, you can fix it with a re-boot.
        • Re:Win-Win (Score:5, Insightful)

          by Grishnakh (216268) on Monday May 08, 2006 @07:06PM (#15289081)
          You're missing some important points where the analogy completely fails:

          1. Ferraris are built extremely robust, so you can crash at 150+mph and walk away with a few scratches (google for the Enzo which crashed recently in California). I wouldn't call Windows "robust".

          2. Ferraris are extremely attractive machines. Windows looks like it was designed by Fisher-Price.
      • Re:Win-Win (Score:5, Funny)

        by eclectro (227083) on Monday May 08, 2006 @05:55PM (#15288720)
        Wait a minute! Did you just compare Windows Vista with Ferrari?

        It's expensive to own, expensive to fix, and makes you curse like an Italian.

        Your point is ???
    • Re:Win-Win (Score:3, Insightful)

      by IdleTime (561841)
      I don't think Bridgestone can ask Ferrari to slow its F1 cars down because Bridgestone tyres cannot perform at high speed.
      Indianapolis 2005 F1 GP - Need I say more?
    • Well, it's not that they ask Ferrari to slow down, it's that due to their contract, Ferrari has no choice but remain uncompetitive.

      At least I'm glad this year Bridgestone doesn't suck so much compared to last year. I mean Schumi is actually arriving within the top 3, and even winning! /pissed about the V8s though. Stupid.
    • Why couldn't Bridgestone do that? Shoot, Michelin did that very thing at the U.S. Grand Prix in Indianapolis last year.

      http://edition.cnn.com/2005/SPORT/06/19/usa.grand/ [cnn.com]
  • Haha (Score:5, Funny)

    by Ecko7889 (882690) on Monday May 08, 2006 @05:27PM (#15288491)
    Hasta la Vista security.
  • Good! (Score:5, Insightful)

    by Southpaw018 (793465) * on Monday May 08, 2006 @05:28PM (#15288500) Journal
    Wasn't it just a couple weeks ago we were lamenting "what could have been"?
    Microsoft capitulates and disables large chunks of Vista security by default in order to appease corporate customers. People are up in arms.
    Microsoft rewrites architecture to make things more secure. People are up in arms.

    Me, I'm with the "Good!" crowd. Make things more difficult for me when I transition. It'll make things easier later on.
    • Re:Good! (Score:2, Offtopic)

      by Spy der Mann (805235)
      Wasn't it just a couple weeks ago we were lamenting "what could have been"?

      See, the real problem with Vista is not whether it has flaws or not. The real problem is that it keeps being Microsoft.

      Remember how IE5 was the best internet browser "ever"? It was fast, it was stable! The old Netscape couldn't even compare to it! But when it dominated the market, well, you know what happened.

      I really don't know if Vista will be the best OS ever. What I know is that people will be forced to use it, and that new Micro
      • Re:Good! (Score:3, Interesting)

        by drsmithy (35869)
        What I know is that people will be forced to use it, and that new Microsoft apps will require Vista features to work properly.

        And when you say "forced" you mean "go out and buy themselves". And when you say "new Microsoft apps" you mean "new Microsoft apps released 5+ years later".

    • Re:Good! (Score:3, Insightful)

      by Unnngh! (731758)
      I don't see the conflict here. Microsoft wrote a large amount of code for their new OS without, apparently, any high regard for security. The code-test-debug model does not work very well for building security into software products. It needs to be designed to be secure from the ground up. MS has had plenty of time to see this coming, but their reduction in functionality for security purposes screams that this was not how many of the shiny new Vista features were designed. I'm sure it was code-test-deb
    • Make things more difficult for me when I transition.

      Also, though it may be difficult, I know I am capable of adapting and succeeding. Others will not be, and they'll get weeded out of the IT field, thereby putting me in more demand. End users, who are used to the current "default installation is completely insecure, but you can do anything you want," will need my assistance more; any time a minor hoop needs to be jumped through to accomplish something (security), they'll throw up their arms and call me to
  • Bad summary (Score:5, Informative)

    by Umbral Blot (737704) on Monday May 08, 2006 @05:28PM (#15288508) Homepage
    As expected the summary on /. is just trying to be inflammatory. The real gist of the article is as follows: Vista will require some programs to be re-written, especially ones that interfaced closely with the old operating system. Thus many authentication systems will need to be updated. It's not really unexpected or unheard of for new APIs to break old programs. So if you want to bitch about how Vista is going to make you rewrite your code go ahead (I know I am not looking forward to it), but don't pretend it is a security problem.
    • Yeah, it sounds like for the most part, if you are using managed code you should be fine. If you are depending on OS level API calls, you are hosed. Nothing too surprising here. For most Java/.Net apps this isn't the end of the world. For biometrics drivers, and applications that interact with them, yeah, it's going to suck.

      -Rick
      • If you are depending on OS level API calls, you are hosed. Nothing too surprising here.

        Yes, because heaven forbid that something as fundamental as the operating system be something other than a moving target from version to version. Witness the plethora of different driver models and APIs that Windows has foisted upon the world over the years, and the ridiculous amount of time developers have to spend just keeping up with the changes.

    • by Kelson (129150) * on Monday May 08, 2006 @05:57PM (#15288727) Homepage Journal
      Yep. Any time you're interfacing with the OS at that low a level, you have to consider that new versions of the OS might be different under the hood.

      I used to run PCAnywhere on a Windows NT 4 server. We had to dance around on one foot while swinging a chicken around our heads, singing voodoo chants backwards to upgrade the OS and PCAnywhere at the same time, all so that we could get PCAnywhere to (a) work and (b) not crash the server on boot once we upgraded it to Windows 2000.
      • Yep. Any time you're interfacing with the OS at that low a level, you have to consider that new versions of the OS might be different under the hood.

        I recall Amiga developers having to learn this going from Workbench 1.2 to Workbench 1.3. Not that the ROM addresses might be different, but that they will be, and the only way around it was to use the published API.

    • My take is that the ISVs are not as much concerned by the fact that things are changing, but that the product is supposed to be in late beta, and they have no idea what the model is changing *to*. The old interface has gone away and the new interface is incomplete. They will not get a chance to design/develop/test anything during the beta period. This is odd considering that betas exist for *exactly* this reason.

      The fact that an architectural change is happening this late in the process is yet another clue
  • by pcgamez (40751) on Monday May 08, 2006 @05:28PM (#15288509)
    From what I can tell, TFA is saying that because much of Windows has been rewritten (including logon and authentication), it is going to be a pita to adapt existing software. No frigging kidding. Doesn't this happen with every major update? If so, why is Slashdot even reporting this? It is something that is normal.
  • by l2718 (514756)

    It has recently been determined that new versions of operating systems are not always 100% backward-compatible.

  • by cnettel (836611) on Monday May 08, 2006 @05:29PM (#15288518)
    Basically, what this is all about is that the way to alter the login process in Windows, all the way back to NT 3.1, has been a custom "GINA", that replaced part of the Ctrl-Alt-Del login process. Naturally, a lengthy biometric process might be fine if you do it once a day, but it will both need new software and possibly some thought to work well with a LUA approach, where you need to repeat your credentials more frequently for specific operations. This is basically no different from using sudo or doing admin operations in MacOS X. It's also no different from that you can't use a custom GINA to run a specific app as admin in current Windows versions.
  • IANSE (I am not a software engineer), but this might not be a "feature" not a "bug".

    It's expected that migrating to a new architecture would require, well, rewriting of existing code that worked with the old OS. Wouldn't there be more cause to worry if Vista supported all of the OLD authentication mechanisms as well as its own ones, since maintaining backwards compatibility seems like it could introduce unnecessary security holes?
  • Somewhat redundant (Score:5, Interesting)

    by JediLow (831100) * on Monday May 08, 2006 @05:31PM (#15288534)
    Saying that Vista is going to cause 'headaches' because the old login software isn't compatible with it is sort of redundant isn't it? Since Vista is a new architecture and is abandoning GINA for CTP why would anyone expect the programs written for GINA to work?

    The more interesting question (imho) is why Microsoft is abandoning GINA since "the company had started talking about it at its Professional Developers Conference last September."

    • You're taking that quote out of context. They were starting to mention that it would be phased out back in September. GINA has been with us/Windows forever. Custom GINAs never worked well with fast user switching and "Run as" in XP, either, so it's not surprising that it's replaced.
    • Hello, OP is right on target. There are quite a few programs which interface with the operating system that I am expecting will need to be updated. In no particular order:
      1. Security - anti-virus, anti-spyware, firewall, IPS/IDS
      2. Backup - traditional (tape) backup, CD and DVD disc burning software, disk imaging software
      3. Performance tuning/optimization - disk defragmentation, registry tweakers/cleaners and so forth

      Also, applications such as games and productivity software which were intended to be run

  • Interesting.. (Score:3, Interesting)

    by onion2k (203094) on Monday May 08, 2006 @05:33PM (#15288550) Homepage
    On the one hand I'm feeling that this sort of doomsaying article is merely an excuse for the producers of authentication systems to ramp up their prices in a "but this is a whole new version .. no upgrades possible .. you'll need to relicense!" scam.

    On the other hand it's true that the winlogon stuff in Vista Beta isn't entirely complete, and consequently I have to wonder what Microsoft mean by 'beta'? When I (and lots of other people) release a beta it's basically feature-complete and API-locked, but isn't entirely tested .. no major differences are likely between the beta and the final. If MSFT are releasing beta software that isn't complete then why are they calling it a beta instead of an alpha or preview?

    As for MS GINA being dropped .. I hope that VA release a version instead .. they could integrate it into sourceforge or something. *chuckle*
  • by BrynM (217883) * on Monday May 08, 2006 @05:34PM (#15288557) Homepage Journal
    From TFA
    During migrations, users will have key security infrastructures that straddle two different authentication environments, one for Vista and one for earlier versions of Windows, until migrations are complete... In addition, users with any homegrown authentication mechanisms linked to Windows will have to rewrite their code from the ground up... That task will be painful in part because ISVs say Vista's new authentication architecture is incomplete in the beta released in February.
    Why wait for headaches when you could just start porting your authentication systems to any platform except Windows right now? Then, while everyone else is going through the "dual Win32 backdoor^^^^^^^^authentication" period hell, you can just laugh and say "I did that over a year ago and I won't have to do it again because I moved away from MS Products completely".
  • Microsoft is leveraging its flagship operating system to corner the market on aspirin...
  • by highspl (523486) on Monday May 08, 2006 @05:43PM (#15288633)

    Corporation (in voice of Smithers): But if you do that, then no 3rd party software will work, and we will be forced to use MS.

    Bill (in voice of Mr. Burns): excellent.

  • The Cult (Score:2, Insightful)

    If you are going to drink Bill's Kool-Aid, you shouldn't be surprised if there are undesirable side effects.

  • Not just them... (Score:3, Informative)

    by Duncan3 (10537) on Monday May 08, 2006 @05:51PM (#15288695) Homepage
    Vista is also making life very hard for invasive spyware makers like Blizzard (Warden) and NCSoft (GameGuard)...

    About damn time.

  • This is the result from developing for an OS that changes its interfaces every few years. Complete and utter incompetence. Also on the side of those using this OS as development target platform.

    Look at Unix/Unix like OSes. A port to the next generation or a different incarnation is often a recompile and nothing else. Why? Because there is a stable API! Nobody uses platform specific stuff, unless there is no choice. Effect: Far less bugs, far less security critical stuff, because the software is older and we
    • Look at Unix/Unix like OSes. A port to the next generation or a different incarnation is often a recompile and nothing else. Why? Because there is a stable API! Nobody uses platform specific stuff, unless there is no choice.

      Are you for real?

      This is true of user level applications, but certainly not for system level ones. The stuff in Unix is hideously incompatible across incarnations - try parsing /proc on something other than Linux and I'll guarantee that things will fail badly (as one example). Try re

    • This is the result from developing for an OS that changes its interfaces every few years.

      Which "interfaces" in Windows are you thinking of that change "every few years" ?

      Look at Unix/Unix like OSes. A port to the next generation or a different incarnation is often a recompile and nothing else.

      As it is on Windows. Hell, even having to recompile on Windows at all is unusual.

      Why? Because there is a stable API!

      Which part of Windows's APIs haven't been stable ?

      Nobody uses platform specific stuff, unles

  • by Dachannien (617929) on Monday May 08, 2006 @06:02PM (#15288747)
    Here's a great idea:

    Don't upgrade. You don't need Vista anyway.

    • EXACTLY what I was thinking. Newer hardware gets cancelled out by newer software, making the whole upgrade cycle rather pointless. Stick with your current software and shell out your hard earned cash on new hardware that will [i]actually[/i] speed up your computer and increase productivity. There is a fine line where features become bloat...
  • by tereshchenko (715289) <alex@fxfp.com> on Monday May 08, 2006 @06:27PM (#15288887) Homepage
    The way "Windows authentication architecture" is extended in XP is very limiting - essentially you write a DLL (a so-called GINA) that replaces part of the XP log-in system and this DLL is responsible for retrieval of users' credentials for Windows. However it was possible to have only a single GINA installed at the same time, so if you wanted to have two security products installed - you were in trouble.

    Now Vista will support new architecture for security providers with possibility of multiple providers registered at the same time. A definite improvement for users.

    In fact the new architecture is not THAT different from the previous one, so the entire article is moot. Then again, it's SlashDot...
    • How MSGINA works... (Score:4, Informative)

      by mythosaz (572040) on Monday May 08, 2006 @06:53PM (#15289014)
      Multiple GINA programs is fairly straightforward.

      A single registry value holds what GINA to execute. If the registry value is blank, it executes MSGINA (the Microsoft default).

      If you replace the GINA with a 3rd-party program (VPN, Wireless, Encryption, et cetera), then the 3rd-party is responsible for either (a) completely handling the logon, or (b) passing control to MSGINA when it is finished executing.

      As a rule, this happens by your 3rd-party GINA keeping a value of its own (in the registry or INI) of what the previous GINA was. That way, if you install a new GINA, when it finishes executing, it calls whatever GINA *used* to be in the default registry location.

      First you have MSGINA.
      You install ENCRYPT-GINA.
      ENCRYPT-GINA executes and calls MSGINA.

      Then you install VPN-GINA.
      VPN-GINA sees ENCRYPT-GINA as the GINA to execute when complete.
      VPN-GINA executes and calls ENCRYPT-GINA
      ENCRYPT-GINA keeps its own value for what to call next and calls MSGINA.

      Add all the GINAs you want.

      It's true that *some* GINAs don't play nicely, or won't always execute if a certain GINA has executed before it (or comes after it) - but for the most part it works.

      The only REAL problem is when a GINA is stupid enough to place itself incorrectly in the chain -- which can leave a machine executing GINAs in a loop...and Windows is smart enough to restore MSGINA when that happens anyway.
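
The chaining convention described in the comment above, modelled as an added example that is not part of the original thread. It is a Python simulation only: the GINA names, the state layout and the helper functions are constructed for illustration, and no real registry or DLL is involved. It walks the chain and reports loops and installed GINAs that never execute.

```python
# Added illustration: a model of the GINA chaining convention described in the
# comment above. All names and data are constructed; nothing here touches a
# real registry or loads a real DLL.

DEFAULT_GINA = "MSGINA"  # what runs when the single registry value is blank


def new_machine():
    """State of a fresh machine: blank registry value, no saved successors."""
    return {"registered": "", "next": {}}


def install(state, gina, chains=True):
    """Model installing a third-party GINA.

    A chaining GINA saves whatever was registered before it as its own
    successor, then takes over the single registry slot. A non-chaining GINA
    (chains=False) handles the logon completely and calls nothing afterwards.
    """
    previous = state["registered"] or DEFAULT_GINA
    if chains:
        state["next"][gina] = previous
    state["registered"] = gina


def audit(state, installed):
    """Walk the chain from the registered GINA and report what actually runs.

    Returns a dict with:
      order       - GINAs in execution order
      loop        - True if the walk revisits a GINA (misplaced chain entry)
      unreachable - installed GINAs that never execute
    """
    current = state["registered"] or DEFAULT_GINA
    order, seen, loop = [], set(), False
    while current is not None:
        if current in seen:
            loop = True
            break
        seen.add(current)
        order.append(current)
        if current == DEFAULT_GINA:
            break
        current = state["next"].get(current)
    return {"order": order, "loop": loop,
            "unreachable": sorted(set(installed) - seen)}


def scenario_chained():
    """The sequence from the comment: ENCRYPT-GINA first, then VPN-GINA."""
    m = new_machine()
    install(m, "ENCRYPT-GINA")
    install(m, "VPN-GINA")
    return audit(m, ["ENCRYPT-GINA", "VPN-GINA"])


def scenario_non_chaining():
    """A later GINA handles the logon completely, so the earlier one is skipped."""
    m = new_machine()
    install(m, "ENCRYPT-GINA")
    install(m, "SSO-GINA", chains=False)  # hypothetical product name
    return audit(m, ["ENCRYPT-GINA", "SSO-GINA"])


def scenario_loop():
    """A GINA records the wrong successor and the chain points back at itself."""
    m = new_machine()
    install(m, "ENCRYPT-GINA")
    install(m, "VPN-GINA")
    m["next"]["ENCRYPT-GINA"] = "VPN-GINA"  # misplaced entry
    return audit(m, ["ENCRYPT-GINA", "VPN-GINA"])


if __name__ == "__main__":
    for name, fn in [("chained", scenario_chained),
                     ("non-chaining", scenario_non_chaining),
                     ("loop", scenario_loop)]:
        print(name, fn())
```

The second scenario is the one worth checking for on a real machine: a security GINA can be installed and still never run if whatever holds the registry slot does not pass control on.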
  • by notaprguy (906128) on Monday May 08, 2006 @07:34PM (#15289201) Journal
    Love 'em or hate 'em, Microsoft's historic strength was that they made it very easy (many would say TOO easy) to write software for Windows. Because Windows' genesis was in the pre Internet days, they designed it in a way that made it powerful for developers but insecure. Now that they're finally GETTING IT and making Windows Vista more secure, the people who have been writing software for Windows are going to have to do a little more work to make their stuff work. This is probably all for the best but it may open up opportunities for other platforms during the transition to secure Windows.
  • by BCW2 (168187) on Monday May 08, 2006 @08:16PM (#15289385) Journal
    Everything about Vista is going to be a big headache. From the initial sale, think of the sales clerk trying to explain the differences between 6 or 7 versions, with minimal actual differences and major price differences. Add DRM, the usual raft of bugs, and even worse security problems than ever... it's going to be ugly folks. All white box stores need to stock up on XP or start the shift to Linux for all customers. Train them now and end this stupidity.

    It still seems like Me revisited.
  • by delong (125205)
    OK, I am always a bit skeptical of the "impending Microsoft release blunder" industry "news". But I think it is becoming plainly obvious that Vista is a trainwreck.
  • by Ingolfke (515826) on Monday May 08, 2006 @10:32PM (#15290005) Journal
    Yes, these vendors are stating a fact. A new security system will mean a rewrite of the code that was dependent on the old system. That's to be expected. But what they're really doing here is starting the opening salvo in their justification for new versions of their software that they'll foist on the enterprise customers and no doubt make a nice profit. They'll reduce features and blame it on rewriting for Vista. There will be bugs... and every one of them is going to be, as much as is possible, blamed on Vista. Vista's a scapegoat that the vendors are going to use to shift blame and scrutiny away from themselves and their products.
  • by TheNetAvenger (624455) on Tuesday May 09, 2006 @02:02AM (#15291057)
    Less Secure we Complain More Secure we Complain?

    Can we just pick a side..

    Do we hate Vista because it will be more secure and that is causing Third party application problems?

    Or do we hate Vista because it is not secure enough?

    Or do we hate Vista because it is more secure but prompts for passwords when doing Root level activities and that will confuse people?

    We have to pick a story, we can't be on the opposite side of the fence as each story is released.

    Maybe we should just hate Vista just to hate Vista but at least stop contradicting ourselves?
  • by CCNV (973654) on Tuesday May 09, 2006 @03:16AM (#15291267)
    Windows may be breaking things for RSA Tokens that are expensive and expire in three years, but they are adding in much native support for smart cards that are much cheaper than RSA Tokens and do not expire in three years. US Department of Defense, US Federal Govt and big corporations like HP and Sun have adopted Smart Cards. I am not a MS fan, but re-architecting their login and vpn for native smart card support does not seem a bad idea. We should at least look into the economics of smart cards, they may save IT money in the long run.
