Microsoft Locking Out Anti-Virus Makers?

twitter writes "Anti-virus makers have more to fear than stonewalling by Microsoft if a report by Agnitum, maker of Outpost Personal Firewall, is right about recent trusted computing changes. All the problems were summarized in a choice Register quote, 'In addressing the potential problem of not being able to install Outpost on new versions of Windows, we have discovered that it is possible to drill past the new security measures introduced by Microsoft - if we use the same techniques used by hackers.'"

Re:They Started With Device Drivers

[gnuman99]

It is called "Designed for Windows" program. Yes, applications have to be signed. And yes, you have to send a copy to MS so they can verify if you follow guidelines when they get 1000s of core dumps from your application. Or complaints about spyware and crap.

http://www.microsoft.com/winlogo/default.mspx [microsoft.com]

Yes, it costs money because you have to buy a digical certificate from Verisign. And send the software on a CD to MS, so a postage stamp there too.

And yes, MS will probably start treating software from unknown vendors differently than those that have registered. But afterall, how can you blame them with all the spyware screensavers and other crap.

We already see digital signatures in Linux like Debian. Untrusted repositories get flagged as "WARNING!! Untrusted source. WARNING!!". Microsoft should be doing the same to protect its user base.

Agnitum Outpost

[bananaendian]

I've been using a free version Agnitum's Outpost firewall [agnitum.com] for several years now on my w2k machine and its a clever little program, far simpler and thinner than the offererings from the major players. However like any good firewall program it does require the user to make very technical decisions on network traffic permissions whenever a process tries to contact the internet. Now before I praise it for not letting a process (virus/spyware/legitware) do a thing I don't want for the last couple of years, I do have to mention a disclaimer that in addition I've got the latest security updates for w2k, a NATted hardware firewall on the router and generally secured my system according to NSA's manuals [nsa.gov].

Unlike in a Unix environment, in Windows the basic security concepts aren't required of the user. Windows computers despite the networking or even server capabilities are still built upon the philisophy of Personal Computer where the user has total control but also total responsiblity for what the software does. Microsoft's attempts to somehow augment security on top of this flawed concept is not going to succeed and in fact seems to be going the opposite way. Certainly my w2k box is easier to make secure than XP with its 'security improvements' and it seems Vista will make it impossible for the user to secure the computer that he's supposed to own and control.

Sadly I will try to stick with poor old w2k as long as possible but eventually I might have to resort to going the OSX way...

Re:They Started With Device Drivers

[bogado]

If the user can choose on who he trusts, then it is okay. In my fedora computer I can easily install install a new source to my software and say that all packages signed by this source is okay to go in. I can also de-install a default source if they show that they are not trustworthy.

If the windows user has the same set of choices, then it is okay, but if MS is the only one who can bless application to install or run without warnings in the windows plataform and there is nothing I joe user can do to change this, then I believe it is a problem.

Just imagine if MS will give its blessing to all the open source software that is available now for windows. The answer is no, and the author will probably naver even ask for such bless for the simple fact the it will cost money. Now if the windows user could just say to his system that the software package with the signature of that John Doe who happen to signs all kinds of open source software and distributes them in his site, then it is fine. Just like I can install software from Livna that packages software that redhat simply don't want, and will never do, to distribute due to legal problems.

Re:ORly?

[Traiklin]

and I know first hand how easy it is to.

I decided to try out vista one time and it installed and ran perfectly fine on my computer, the only drawback to it was EVERYTIME I wanted to open a folder or program a window would pop up asking me if I was sure I wanted to open it (apperantly Microsoft doesn't even trust themselves cause I was opening Windows Media Player 11 when I got the most windows) after about the 20th popup window asking me if I wanted to open a file I knew was ok I just started clicking yes to see how the damn thing worked.

now, just imagine someone getting to that point when they launch and it's been out for a little while, how many calls will tech support (Dell, Microsoft any company that makes PCs) get from people asking if it's ok to run a microsoft product? how many calls will they get when they accidentally click No to an important option (say their email, they read it wrong and suddenly they no longer can use outlook), how many calls will family members get when their Mother/Father/Uncle/whatever says they don't have a clue if the security warning that microsoft put in place is ok to click Yes or No to when they run WMP, Outlook, IE or any other MS owned programs.

Re:Microsoft is just isolating itself

[grcumb]

"It's silly to think that developers should have full access to every single internal structure or API call. It's called "bad design principle". It means they can't change things internally."

WTF? I understand what you're getting at, but please think about what you've just written for a second.

It's not at all silly to give developers full access to your system internals, as long as you're clear about the repercussions of using them. In fact, there's a whole bunch of developers using this stuff called FOSS, which is based entirely on this principle.

I know, I know; your point is that if developers depend on a certain implementation, then the vendor is forced to continue supporting it forever, which, according to your reasoning, leaves them with no further room to grow or innovate. Unfortunately, that perspective is just bollocks. FOSS developers deal with this every day, and they've found a perfectly workable process:

Supported APIs are marked as such. Deprecated APIs are marked, too, with the clear warning that past this version, you're on your own. Unsupported interactions with the internals are marked - not fenced, but simply labled Here Be Dragons. You're welcome to venture there if you want, but don't go asking for help if something goes wrong. Most developers benefit from a better understanding of how the whole system works, and can in fact suggest or offer improvements in upstream functionality as well as better implementing their own.

I'd be fascinated to know why you think that things are somehow different for Microsoft than they are for IBM or Novell.

Re:ORly?

[Crayon Kid]

If Redmond locks out 3rd party security and utility vendors from full ring 0 access they become the only ones able to provide the most powerful utilities and security products.

But how can it be done? From the Agnitum story I for one understood that it's not possible to achieve this.

Sure, they can actually and fully deny access to low level kernel functions to every piece of software, but in that case how will certain things get done? Some stuff needs access to get it's job done. Obviously not a choice.

Or, they can just not document the API (which I get the impression is what they're trying to do now), in which case people will reverse engineer the software that uses it and they'll find out how what they need to know. Malware writers and legit software writers alike.

I'd like a saner alternative, myself. But how can the kernel tell which software is legit and which is not? Should the software present a key? Not really an airtight solution. Should the software ask the user to enter the admin password? Again, can be circumvented and misused.

So, how can one safely regulate access to a machine's lower functions? Deny it all? Allow it all? What if you want something in between?

Re:Microsoft is just isolating itself

[cob666]

do you really believe that developers of Microsoft security products (firewall, antispyware, OneCare, etc.) will NOT have access to whatever API they ask for? That if they need access to one, a technical solution will not be devised?

I have a friend that was working on the transactional file system for Vista and I asked him a similar question regarding undocumented APIs. Hi answer was two-fold.
Part 1 of his answer was that normally if a developer requires access to a system process that is not currently exposed via an API then he must request that interface from the development team responsible for that particular system process. This is normally the long way to get something done as this new interface must be documented.
Part 2 of his answer was that MOST undocumented APIs in Windows are actually APIs that were never intended to be included in the released product. A common way for an undocumented API to make it to release would be that a developer requires access to a system process for testing purposes so they have an alternate way to access that process. The interface is designed with the full intention of removing it. Application Developer B finds out about this new interface and actually uses it for the next release of Media Player (or any other Windows application). When the time comes to remove the interface, Developer B informs the group that the interface is being used in a production application and can't be removed.

Re:ORly?

[werewolf1031]

Typical of M$ "security", this change is just another inconvenience to the legitimate user.

This isn't about inconveniencing the legitimate user. It's about inconveniencing the legitimate developer. The black-hat hackers will still get in once they figure out ways around this, and since the legit devs will be locked out by no-reverse-engineering laws, the legit users will be forced to rely on MS and only MS for security. It's another win for MS monopolization in the guise of "enhanced security".