More Headaches from Vista Security
Michael Cooney writes to tell us Windows Vista may have some serious headaches in store for corporate users with third-party authentication systems like VPNs. From the article: "ISVs say rewriting their code for the new architecture will produce headaches that will extend to their customers that have deployed strong authentication such as biometrics or tokens, enterprise single sign-on and a number of other systems integrated with the Windows authentication architecture."
Windows Bites (Score:2)
I mean, come on, it's hardly news that *EVERY* Windows breaks random stuff.
I remember the pain I went through after installing NT Option Pack 4, all sorts of stuff changed in operation. It was sorting that mess out that made me drop my "Microsoft Certified Solutions Provider" ambition.
Man, C-DILLA is going to be a beast too... (Score:3, Insightful)
Meanwhile, I hope the 3D Studio Max users are prepared for the impending headaches (same w/ anyone else that uses all kinds of software-based tokens and registration schemes like C-DILLA, if it's even in use anymore).
I wonder if dongles will come back?
On the upside? Umm, there's probably no upside.
Re:Man, C-DILLA is going to be a beast too... (Score:3, Informative)
http://www.microsoft.com/ntserver/nts/downloads/r
Re:Windows Bites (Score:3, Insightful)
And that's hardly news considering it tries to be backwards compatible all the way back to at least DOS 2.1; Can you imagine how hard it must be to NOT break more stuff, seriously?
The fact that people have to rewrite core drivers etc to support this model is a sign that Microsoft is finally putting security ahead of compatibility. This is a Good Thing.
- Oisin
Re:Windows Bites (Score:5, Informative)
It used to be recommended practice to stick the db connection in the session object at session.start.
Option Pack 4 changed this behaviour. But it didn't show up until the websites you had already deployed started to get "un-reproducible" errors. The unpooled connections hung around for 30 mins after the last request for that session. Once the site got enough traffic it started killing the application. Could be 6 months, could be a year. Took a while to work that one out, much to the annoyance of my customers, and at my expense "you wrote it, it must be a bug in your code, bug fixes are covered in our agreement". Getting off the MSDN treadmill was glorious.
Re:Windows Bites (Score:2)
Yes, I do remember being told to do that before, and it was an acceptable practice for low-traffic sites. If your site was too busy however, the idle connections sitting in session objects would eventually block new sessions until the session timed out. Not to sound high and mighty, but I never adopted this pattern; it just didn't make sense for low-traffic sites, since it was a "performance" hack, and low traffic sites perform fine. Implementing it on a high-traffic site only made the problem worse.
You say
Re:Windows Bites (Score:2)
Win-Win (Score:3, Insightful)
Programming wise, I guess this would teach these ISVs a lesson that, if they want to develop custom code, they should probably have a more flexible architecture to accommodate any OS changes, or even make it compatible across different OSs.
I don't think Bridgestone can ask Ferrari to slow its F1 cars down because Bridgestone tyres cannot perform at high speed.
Re:Win-Win (Score:5, Funny)
Wait a minute! Did you just compare Windows Vista with Ferrari?
Re:Win-Win (Score:2)
1. It has its moments of brilliance,
2. It has an almost continuous monopoly in its turf
3. It relies more or less on a single product for its success
4. There is an increasing pressure to challenge its domination
5. Its star is usually arrogant and breaks his seats
6. Its new version is almost always the last to arrive despite promises
7. Its new version always breaks and it takes a few patches to get it up to speed
8. Regulations and rules are introduced mainly to remov
Re:Win-Win (Score:2)
9. Every time you have a problem with a Ferrari, you can fix it with a re-boot.
Re:Win-Win (Score:5, Insightful)
1. Ferraris are built extremely robust, so you can crash at 150+mph and walk away with a few scratches (google for the Enzo which crashed recently in California). I wouldn't call Windows "robust".
2. Ferraris are extremely attractive machines. Windows looks like it was designed by Fisher-Price.
Re:Win-Win (Score:5, Funny)
It's expensive to own, expensive to fix, and makes you curse like an italian.
Your point is ???
Re:Win-Win (Score:3, Insightful)
Re:Win-Win (Score:2)
At least I'm glad this year Bridgestone doesn't suck so much compared to last year. I mean Schumi is actually arriving within the top 3, and even winning!
Re:Win-Win (Score:2)
http://edition.cnn.com/2005/SPORT/06/19/usa.grand
Haha (Score:5, Funny)
Good! (Score:5, Insightful)
Microsoft capitulates and disables large chunks of Vista security by default in order to appease corporate customers. People are up in arms.
Microsoft rewrites architecture to make things more secure. People are up in arms.
Me, I'm with the "Good!" crowd. Make things more difficult for me when I transition. It'll make things easier later on.
Re:Good! (Score:2, Offtopic)
See, the real problem with Vista is not whether it has flaws or not. The real problem is that it keeps being Microsoft.
Remember how IE5 was the best internet browser "ever"? It was fast, it was stable! The old Netscape couldn't even compare to it! But when it dominated the market, well, you know what happened.
I really don't know if Vista will be the best OS ever. What I know is that people will be forced to use it, and that new Micro
Re:Good! (Score:3, Interesting)
And when you say "forced" you mean "go out and buy themselves". And when you say "new Microsoft apps" you mean "new Microsoft apps released 5+ years later".
Re:Good! (Score:3, Insightful)
Re:Good! (Score:2)
Also, though it may be difficult, I know I am capable of adapting and succeeding. Others will not be, and they'll get weeded out of the IT field, thereby putting me in more demand. End users, who are used to the current "default installation is completely insecure, but you can do anything you want," will need my assistance more; any time a minor hoop needs to be jumped through to accomplish something (security), they'll throw up their arms and call me to
Bad summary (Score:5, Informative)
Re:Bad summary (Score:2)
-Rick
Re:Bad summary (Score:2)
Yes, because heaven forbid that something as fundamental as the operating system be something other than a moving target from version to version. Witness the plethora of different driver models and APIs that Windows has foisted upon the world over the years, and the ridiculous amount of time developers have to spend just keeping up with the changes.
Not unexpected at all. (Score:4, Insightful)
I used to run PCAnywhere on a Windows NT 4 server. We had to dance around on one foot while swinging a chicken around our heads, singing voodoo chants backwards to upgrade the OS and PCAnywhere at the same time, all so that we could get PCAnywhere to (a) work and (b) not crash the server on boot once we upgraded it to Windows 2000.
Re:Not unexpected at all. (Score:2)
I recall Amiga developers having to learn this going from Workbench 1.2 to Workbench 1.3. Not that the ROM addresses might be different, but that they will be, and the only way around it was to use the published API.
Re:Bad summary (Score:2)
The fact that an architectural change is happening this late in the process is yet another clue
I'm not a Ub3r-geek, but how is this newsworthy? (Score:3, Informative)
Re:I'm not a Ub3r-geek, but how is this newsworthy (Score:3, Informative)
Never mind running Win98 software under XP. If you get hold of a copy of Windows 1.0 you can run the applications that came with that under Windows XP. The only quirk is that the app windows open at the smallest possible window size, because Windows 1.0 didn't support overlapping windows and so the apps didn't actually choose a size for themselves.
Microsoft's devotion to backwards-compatibility is astounding. It's just a shame that their architecture has to suffer because of it.
In other news ... (Score:2, Funny)
It has recently been determined that new versions of operating systems are not always 100% backward-compatible.
Wow, sudo means repeating signon (Score:3, Informative)
Re:Wow, sudo means repeating signon (Score:2)
Re:Wow, sudo means repeating signon (Score:2)
Re:Wow, sudo means repeating signon (Score:2)
Hm. You're saying that interfacing to a 'gina will be a lengthy process? I'll volunteer!
Backwards Compatibility (Score:2, Insightful)
It's expected that migrating to a new architecture would require, well, rewriting of existing code that worked with the old OS. Wouldn't there be more cause to worry if Vista supported all of the OLD authentication mechanisms as well as its own ones, since maintaining backwards compatibility seems like it could introduce unnecessary security holes?
Somewhat redundant (Score:5, Interesting)
The more interesting question (imho) is why Microsoft abandoning GINA since "the company had started talking about it at its Professional Developers Conference last September."
Re:Somewhat redundant (Score:2)
Re:Somewhat redundant (Score:2, Informative)
Also, applications such as games and productivity software which were intended to be run
Interesting.. (Score:3, Interesting)
On the other hand it's true that the winlogon stuff in Vista Beta isn't entirely complete, and consequently I have to wonder what Microsoft mean by 'beta'? When I (and lots of other people) release a beta it's basically feature-complete and API-locked, but isn't entirely tested
As for MS GINA being dropped
While you're at it... (Score:4, Insightful)
Re:While you're at it... (Score:4, Insightful)
In other news... (Score:2, Funny)
Third Party Software?? (Score:3, Funny)
Corporation (in voice of Smithers): But if you do that, then no 3rd party software will work, and we will be forced to use MS.
Bill (in voice of Mr. Burns): excellent.
The Cult (Score:2, Insightful)
Re:The Cult (Score:2)
I heard Bill just stole the Kool-Aid from Steve Jobs.
Next up: Balmer in a black turtle neck.
Not just them... (Score:3, Informative)
About damn time.
Re:Not just them... (Score:5, Informative)
Incompetent OS designers... (Score:2)
Look at Unix/Unix like OSes. A port to the next generation or a different incarnation is often a recompile and nothing else. Why? Because there is a stable API! Nobody uses platform specific stuff, unless there is no choice. Effect: Far less bugs, far less security critical stuff, because the software is older and we
Re:Incompetent OS designers... (Score:3, Informative)
Are you for real?
This is true of user level applications, but certainly not for system level ones. The stuff in Unix is hideously incompatible across incarnations - try parsing /proc on something other than Linux and I'll guarantee that things will fail badly (as one example). Try re
Re:Incompetent OS designers... (Score:2)
Which "interfaces" in Windows are you thinking of that change "every few years" ?
Look at Unix/Unix like OSes. A port to the next generation or a different incarnation is often a recompile and nothing else.
As it is on Windows. Hell, even having to recompile on Windows at all is unusual.
Why? Because there is a stable API!
Which part of Windows's APIs haven't been stable ?
Nobody uses platform specific stuff, unles
Fortunately, there is a solution (Score:4, Insightful)
Don't upgrade. You don't need Vista anyway.
Re:Fortunately, there is a solution (Score:2, Interesting)
It had to fixed anyway... (Score:5, Informative)
Now Vista will support new architecture for security providers with possibility of multiple providers registered at the same time. A definite improvement for users.
In fact the new architecture is not THAT different from the previous one, so the entire article is moot. Then again, it's SlashDot...
How MSGINA works... (Score:4, Informative)
A single registry value holds what GINA to execute. If the registry value is blank, it executes MSGINA (the Microsoft default).
If you replace the GINA with a 3rd-party program (VPN, Wireless, Encryption, et cetera), then the 3rd-party is responsible for either (a) completely handling the logon, or (b) passing control to MSGINA when it is finished executing.
As a rule, this happens by your 3rd-party GINA keeping a value of its own (in the registry or INI) of what the previous GINA was. That way, if you install a new GINA, when it finishes executing, it calls whatever GINA *used* to be in the default registry location.
First you have MSGINA.
You install ENCRYPT-GINA.
ENCRYPT-GINA executes and calls MSGINA.
Then you install VPN-GINA.
VPN-GINA sees ENCRYPT-GINA as the GINA to execute when complete.
VPN-GINA executes and calls ENCRYPT-GINA
ENCRYPT-GINA keeps its own value for what to call next and calls MSGINA.
Add all the GINAs you want.
It's true that *some* GINAs don't play nicely, or won't always execute if a certain GINA has executed before it (or comes after it) - but for the most part it works.
The only REAL problem is when a GINA is stupid enough to place itself incorrectly in the chain -- which can leave a machine executing GINAs in a loop...and Windows is smart enough to restore MSGINA when that happens anyway.
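The comment above describes two things an administrator ends up having to audit by hand: which DLL the GinaDLL value under Winlogon points at on NT4/2000/XP, and, on Vista and later, which Credential Providers (and Credential Provider Filters) are registered side by side under the Authentication key. The script below is an added example, not code from this thread or from Microsoft; it walks those registry locations, resolves each provider CLSID to its InprocServer32 DLL, and reports the Authenticode status of every DLL that sits in the logon path, so a missing file, an unsigned vendor DLL, or a stale third-party GINA entry stands out. The registry paths are the documented ones; the function and variable names are this example's own. Note that the vendor-specific "previous GINA" value each chained GINA keeps for itself lives wherever that vendor put it, so only the head of the chain is visible generically.

```powershell
# Added example (not from the Slashdot thread): audit Windows logon-extension
# points. Run in an elevated PowerShell session on the machine being audited.
# Assumed registry locations: the documented Winlogon\GinaDLL value (pre-Vista)
# and the Credential Provider / Credential Provider Filter keys (Vista+).

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$CpRoots  = @{
    'CredentialProvider' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    'CredentialFilter'   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
}

function Resolve-DllPath {
    param([string]$Raw)
    # Expand %SystemRoot% style references; a bare file name (the usual form
    # for GinaDLL) is resolved against System32, which is where Winlogon
    # would find it via the normal DLL search order.
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw)
    if (-not (Split-Path -Path $p -Parent)) {
        $p = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $p
    }
    return $p
}

function Resolve-ClsidDll {
    param([string]$Clsid)
    # A Credential Provider is a COM in-process server; its CLSID maps to
    # the implementing DLL through HKCR\CLSID\{clsid}\InprocServer32.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    return (Resolve-DllPath $raw)
}

function Get-LogonExtensions {
    $results = @()

    # 1. GinaDLL: absent or empty means the Microsoft default, msgina.dll.
    #    Vista and later ignore this value, but a leftover entry still shows
    #    that a third-party GINA was installed at some point.
    $gina = (Get-ItemProperty -Path $Winlogon -Name GinaDLL -ErrorAction SilentlyContinue).GinaDLL
    $results += [pscustomobject]@{
        Kind = 'GINA'
        Name = if ($gina) { $gina } else { 'msgina.dll (default)' }
        Path = Resolve-DllPath $(if ($gina) { $gina } else { 'msgina.dll' })
    }

    # 2. Credential Providers and Filters: one subkey per CLSID, and several
    #    may be registered at once (the "multiple providers" point above).
    foreach ($kind in $CpRoots.Keys) {
        $root = $CpRoots[$kind]
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($k in Get-ChildItem -Path $root) {
            $clsid = $k.PSChildName
            $results += [pscustomobject]@{
                Kind = $kind
                Name = "$clsid " + ((Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).'(default)')
                Path = Resolve-ClsidDll $clsid
            }
        }
    }
    return $results
}

# Report each extension with its Authenticode state. 'FileMissing' means the
# registry still names a DLL that no longer exists; 'NotSigned' or
# 'HashMismatch' on anything in the logon path deserves a closer look.
foreach ($e in Get-LogonExtensions) {
    $status = 'n/a'
    if ($e.Path) {
        if (Test-Path -Path $e.Path) {
            $status = (Get-AuthenticodeSignature -FilePath $e.Path).Status
        } else {
            $status = 'FileMissing'
        }
    }
    '{0,-18} {1,-60} {2,-14} {3}' -f $e.Kind, $e.Name, $status, $e.Path
}
```

On an XP-era box the first line of output is the only one that matters; on Vista and later the GinaDLL line is informational and the Credential Provider lines show the providers Winlogon's LogonUI will actually load. Because each provider is a separate DLL loaded into the logon process, the same listing is the place to look when checking that no unexpected provider has been registered alongside the vendor's VPN or token integration.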
Re:How MSGINA works... (Score:2)
There's something very ironic about this (Score:3, Insightful)
Everything about Vista (Score:3, Interesting)
It still seems like Me revisited.
bomb (Score:2)
Vista the scapegoat for the next 3 years... (Score:3, Insightful)
Less Secure we Complain More Secure we Complain? (Score:3, Informative)
Can we just pick a side..
Do we hate Vista because it will be more secure and that is causing Third party application problems?
Or do we hate Vista because it is not secure enough?
Or do we hate Vista because it is more secure but prompts for passwords when doing Root level activities and that will confuse people?
We have to pick a story, we can't be on the opposite side of the fence as each story is released.
Maybe we should just hate Vista just to hate Vista but at least stop contradicting ourselves?
Don't rule out smart cards (Score:3, Insightful)
Re:At this point... (Score:2)
If new OS's and their features turn out to be vital in the next year, it's a good time to be selling Linux or other OS solutions.
Re:At this point... (Score:2)
How true. Of course, I've yet to see a feature they've left in that would make me want to upgrade so the featurectomies haven't changed my mind. I'm already dual-booting into Linux, and if there's anything I can't run under Win98SE, there's always Wine.
Re:At this point... (Score:2)
Sometimes I wonder how Microsoft even managed to stay afloat, much less become dominant in the market... It's one thing to sell to pimple faced gamers who apparently just accept that stuff breaks e
Re:At this point... (Score:2)
I've watched this happen repeatedly where the new server is installed with a mandatory server grade license hot off the presses that it doesn't
Re:At this point... (Score:5, Insightful)
If Vista's default installation isn't cracked wide open by a worm in the first 90 days, then it will be a victory for Microsoft.
Re:At this point... (Score:4, Funny)
Hey, you hit on another oxymoron (at least with regards to Vista) - "Windows release".
Duck and cover, duck and cover...
Re:At this point... (Score:3, Interesting)
I seem to recall someone had written a prototype virus within 24 hours of the first beta being released, which caused Microsoft to drop the advanced scripting they had planned.
I'd try and find a reference but I really can't be arsed. Vista won't be out until next year and by all accounts it's going to suck just as badly as any previous version of windows. Dapper Drake will be out next month and it's going to rock! I've been running it since flight4, it was awesome even back
Re:At this point... (Score:4, Funny)
To maintain backwards compatibility with other Windows versions, of course...
Re:At this point... (Score:2)
Re:At this point... (Score:2, Insightful)
Of course, if you knew anything about building software, you'd know that adding custom code to any COTS product is equivalent to single
Re:Another day, another microsoft problem (Score:5, Interesting)
Re:Another day, another microsoft problem (Score:2)
I'm not talking about this in particular
Every other day a microsoft problem is announced in slashdot. We can't wake up to a day that microsoft won't be appearing with some problem it seems.
And we knew that GINA was going away for more than (Score:3, Informative)
And we have had an API for more than one year - to create CredMan plugins.
And the architecture is "better" - more PAM-like.
Now you won't break SecureID with a service pack.
And this is a problem, how again?
Re:And we knew that GINA was going away for more t (Score:2)
And that's a good thing?
A quote from Theo de Raadt:
PAM is completely and utterly broken and cannot be fixed. [seclists.org]
Re:And we knew that GINA was going away for more t (Score:2)
Re:And we knew that GINA was going away for more t (Score:2)
Fortunately, the OpenSSH developers seem to mostly ignore Theo and actually care about cross-compatibility.
Re:Another day, another microsoft problem (Score:2)
Not a MS problem - a problem almost always synonymous with progress. Stop hating on MS.
Re:Another day, another microsoft problem (Score:2, Funny)
Re:Another day, another microsoft problem (Score:2)
Re:Problem Solved (Score:4, Interesting)
In other news, random Slashdot user creeves1982 blurts out the usual Slashdot banality about Linux.
It's not so simple and you know it. You can use Linux. I can use Linux, but many MANY people can't use anything but Windows, because they're not computer-oriented, have been trained with Windows-XX and Word/Excel-YY and wouldn't conceive anything else exists, much less be able to use it.
That's how the world is. Microsoft is still the biggest OS and software vendor in the world despite its many shortcomings and its outrageous economic practices because the Windows userbase is massively reluctant to change. The real challenge is to make Linux truly as user-friendly as Windows, and to get users to discover it and get used to it. Simply saying "use linux problem solved" is childish.
Re:Problem Solved (Score:2)
You are both right and wrong there. I agree that getting users to shift to Linux is really a big problem, but Linux has been more user-friendly and easy to use than Windows for several years now, both for newcomers (example: the main menu that appears when you click at the lower left side of the screen is labeled by function in Linux, rather than by software vendor as in Windows) and fo
Installation wizards (Score:2)
The reason it's so easy to install on Windows is not because of any package manager. It's the use of any one of the myriad "Installation Wizards" out there.
And they also exist for Linux. The fact that developers choose not to use them is another matter altogether.
Re:Problem Solved (Score:2)
But where did your grandma get the installation CD? How did she know which CD to get? Or where to download the software? What if the software your grandma wants isn't in superdownloads.com? Last time I saw, there were a total of about 18000 available packages in the repositories that come in the standard Ubuntu distribution.
In Linux, (well, in Ubuntu, at least) a
Re:Problem Solved (Score:2)
Well, that's the problem - MicroSoft is a victim of its own success and will have to make sure that they don't make things too difficult to learn for the people migrating from older versions of Windows. If Vista is too different, some of those people may actually go over to Linux (or Mac OS X, or Amiga
Re:Problem Solved (Score:2)
So what are all these people going to do when Vista comes out and it's totally different from XP, just like XP was totally different from 2k and 98? Sounds like they'll need retraining. Why not retrain them for something e
Re:Problem Solved (Score:2)
Re:Problem Solved (Score:2, Informative)
Re:Lame... (Score:5, Insightful)
There's 3 problems here.. all Microsoft's.
first, this is not enough notice for heavy duty security testing. Things like log in script changes should have been final with the first beta. Trivial changes would be OK, but at this point nobody should have to expect sweeping API changes. ID security products expect to have long term testing completed by the time Vista is on the shelf... that's not a starting point for testing key security features.
Why didn't Microsoft work with providers to solidify the API first, then maybe tweak it if necessary? Apple gives Devs a 3 - 6 month start for stuff like this at WWDC with the new features... why can't MS? I understand this is a huge change.. all the more reason to DOCUMENT it up front!!!
Lastly, if security is so important, why are they still mucking about with login changes 6 months before release?! Authenticating to networks is the core of security! cutting out the key providers of enterprise level stuff is just embarrassing. All the more reason to look for MS on the way out soon.
Re:Lame... (Score:2)
What this is really about is a bunch of software vendors crying that they'll have to spend more money on actual software development. They want MS to leave things the way they were, despite the problems with the old model. While MS cannot afford to piss off ISVs, making their corporate customers happy
Re:Lame... (Score:3, Insightful)
http://www.helpwithwindows.com/WindowsVista/vista- availability.html [helpwithwindows.com]
from link:
In a press conference call last Tuesday, Microsoft's Platforms & Services Division co-president Jim Allchin announced that Windows Vista will be available to business in November 2006 and broad consumer availability in January 2007.
Re:While You're At it, Why Not Flip Over to Linux (Score:2)
Re:goodbye SecurID, VPNs, etc. (Score:4, Insightful)
Oh, please! Learn your OS history. NT/XP never sat on top of DOS, Win3.x or Win9x. The original NT design was actually supposed to support multiuser UI sessions out of the box (hence the entire UI being designed around a client/server RPC model) but it didn't end up that way for any number of performance and time-to-market constraints.
The Vista design could best be described as a multiuser kernel that got hacked up to service a single user GUI that looked a lot like the existing single user product that was on the market, which was then moved into the kernel to improve performance, which then got a multiuser terminal layer hacked over the top (using the multiuser not-GUI-part-of-the-kernel that was already there), which then got morphed into "Fast User Switching".
The multiuser UI in Windows XP/Vista is most definitely a hack, but it's got nothing to do with Win3.x or DOS.
As for the original context - (yawn). OS upgrades change APIs. MS has been working on security so their security APIs are going to change. If you tie yourself to MS, then you get to do some work to use their new APIs. Nothing to see here - move along.
Re:goodbye SecurID, VPNs, etc. (Score:5, Interesting)
Never said it (they) did. Actually if you look at your direct quote from my post, I used the term "paradigm". So, in that context, let me expand a bit: the paradigm was very much an assumption, one machine/computer, one user, hence the bizarre logical drives, all accessible to all levels by all users (by default at least -- yes, that's now changing, welcome to century 21).
As for intent, I was on the original NT Beta support team at Microsoft (there were 16 of us), and after walking in the door, I immediately began asking for information on setting up my machine with a multi-user configuration. The team treated me like I was some sort of nut case -- they emphasized multi-user meant multiple users could access services on one machine (file services, not new in NT though, etc.), not multiple users logged onto one machine.
They were barely comfortable with the notion of more than one user ever using one machine, even one user at a time!
As for all of this being a hack, you are absolutely right. I would actually probably be less adversarial with Microsoft if they were more candid about things like this, but to read their literature, they concede nothing, ever. (For example, the initial security access levels "rings" in the NT kernel were elegantly designed and promptly trampled to allow performance by granting direct video hardware access to non-privileged code -- go figure.)
I joined Microsoft in 1992 excited about being a part of what I thought was a sea change in their OS direction. I left shortly after when behind closed doors I discovered it was a facade designed to show Microsoft was ready to play on the same court with the big boys (namely, Unix). Unfortunately, they weren't. Unfortunately, they got away with it. Unfortunately, even today, they don't stand up to hardened Unix systems (they're closer than ever, but still not there).
Re:goodbye SecurID, VPNs, etc. (Score:2)
Granted, but reading it literally certainly implies that NT/XP sat over Windows/DOS. Now that you've expanded on what you meant, I definitely agree that the paradigm was lifted straight from Windows/DOS (or probably more strictly OS/2 1.x, then morphed to Win3.x).
In an interesting followup, I don't think moving the GDI into the kernel was that big of a deal. Most operating systems have done this
Re:goodbye SecurID, VPNs, etc. (Score:2)
Count yourself lucky that you didn't have the misfortune to have to deal with buggy video drivers then. Nothing brought more joy to my face than suffering frequent crashes due to a viddy driver problem only to have the card manufacturer disavow responsibility for it. Yes, Cirrus Logic, I'm looking at you. Great - because the OS lets display drivers play where they shouldn't, I now have to buy an
Re:goodbye SecurID, VPNs, etc. (Score:2)
[OT] Re: goodbye SecurID, VPNs, etc. (Score:2)
Re:In other news, Vista to include (Score:2)