Become a fan of Slashdot on Facebook


Forgot your password?

Whistler MAY Refuse To Run All Unsigned Code UPDATED 437

Carnage4Life writes: "This ZDNet article describes how Microsoft's next generation consumer OS, condenamed Whistler, will begin a tradition started by Windows 2000 where programs that have not been digitally signed by Microsoft certified signature are flagged. Currently Windows 2000 merely issues a warning when an uncertified/unsigned device driver is used, the Microsoft vision is to expand this to include all executable programs. On the surface, this may seem like a good idea until one realizes that this means that it is conceivable that all executables that expect to run on Windows will have to be Microsoft certified or risk being flagged or even worse refused to run on future Microsoft OSes. As the ZDNet article speculates, this will put even more power over Windows software developers in the hands of Microsoft. " This story has been turning up a bit over the last few days - while I'm not one to buy into conspiracy theories, this whole thing seems like a plan that originally had good intentions, but the potentials for foul play are pretty easy to think up.Well, I've finally got X running again and can update this story - I should have been more clear that this is /not/ set in stone, but a potential path.
This discussion has been archived. No new comments can be posted.

Whistler To Refuse To Run All Unsigned Code

Comments Filter:
  • > If I see a control that was authored by
    > Macromedia or Microsoft, I feel safe in running
    > it, because I know that neither one of these
    > companies is likely to insert malicious
    > code into their systems.

    So you never download shareware or code written by anyone but a huge company and run it?

    Now... signing JUST means that the person who wrote it has access to a key that was given to them (or rather signed) by verisign.

    If you have it check for signatures...does it stop before EVERY peice of code and tell you who signed it and ask "do you trust them?"

    My understanding was that if code is signed, it is executed with no question, regardless of who signed it (as long as the key has a valid verigign signature)

    So anyone who is capable of getting a key with a valid verisign signature can have code executed.
    That makes it kind of pointless I think. Unless of course it is really hard and only biog companies can get that case maybe it has a point.

    Of course...since I don't usually run much software thats written by big companies...I don't know.

  • The Register ran a similar article citing this was another attempt at M$ to control the world, blah blah blah...

    What I told them as I'll tell you now, is nothing stops a third party from becoming their own certificate authority and signing their own applications. Signed apps are nothing new - ever right-click on the .exe for a Windows NT/2000 service pack? This uses the same Crypto API that IE uses for SSL and S/MIME, and permits users to install new certificate authorities.

    What this means for the office that develops their own in-house software is they can sign their own apps if they have OpenSSL or another SSL toolkit to make the CA cert. No doubt the tools for signing Win32 apps come with the latest Platform SDK. You don't need to pay Veri$ign or anyone else, but having your cert signed by a well known CA helps.

    What this means for software houses like Corel is they can sign their own apps with their own cert, and their users can choose to trust them (or not) by importing their CA Cert into their system. Even Open Source houses can maintain their own certs and perhaps use a central CA operated by, say, Souce Forge. Again, having your cert signed by a well known CA helps but isn't necessary.
  • by IntlHarvester ( 11985 ) on Tuesday November 21, 2000 @05:53AM (#609561) Journal
    Where this could present a problem is for shareware/PD/free software apps in the enterprise, where IS is more likely to enforce the signed app rule

    And this is where Microsoft's concept falls on it's face -- because there is no self-signing or apparent way for a System Admin to indicate that an app is trusted. Outside of the political issues surrounding signed code, talking the SA's rignt to blow his leg off makes for a very inflexible system.

    I already have this problem with a USB printer driver that won't load for unprivliged users because it's not signed. But I know it's an authentic driver right from Lexmark, just not one that has had MS's unholy certification pee sprinked on it.

    You also see this move with the System File Protection feature, which is neat, but can't be disabled per-file by the admin. So, now it's impossible to remove Notepad.exe or the Comic Sans font without jumping through hoops.
  • by faye ( 23766 ) on Tuesday November 21, 2000 @05:54AM (#609562)
    This seems to be yet another example of a useless security feature from MS.

    Why useless? Well I admit that in principal it would be great to stop people running only "authorised" programs on any of the PCs I maintain , the problem is with the definition of authorised. Many of the programs we use are written "in-house" and are not going to get authorised, we teach programming so the students code is not going to get authorised, we knock together small scripts to help us automate a task which we may do once or twice and are not going to get authorised.

    All this authorisation will cost money - so if I want to use any of my own tools, or anything useful that somebody else has written that hasn't been authorised I've got to switch the setting off. And of course it's a global setting so that's it off for all programs. The result is a security feature that adds to the illusion of security without adding to the substance.

    If only MS had put just a little bit more thought into it and made it on a per program basis and allowed the sysadmin/root to "authorise" programs for their machines it would have been *very* useful. Of course the cynic in me says that that way they wouldn't have as much control....


  • Refresh my memory as to why a free software vendor can't get a signature? Why are you such an asshole as to feel that MS is going to exclude free software people? Does it say this anywhere? NO. You fucken zealots really make me sick sometimes.

    Thanks, Cunt!

  • Typical slashfuck hype isn't it? .. I remember when (misty-fade-in) slashdot used to offer good and useful news and there was less 'spin' on everything... Or maybe I'm just hallucinating.

    I'm sure VA / Andover won't let a proper story get in the way of a good sensationalistic piece now. You can bet that the slashbots are well brow-beaten into believing that too.

  • I've been wondering for a long time why Microsoft hasn't done this before. This is a great way to stop email virii such as iloveyou right in their tracks. Sysadmins of major corporations can turn it on, probably on the domain server so it can't be turned off, and can rest assured that they won't pay the millions in damage for their employees stupidity. This is *more* power for those employees, as sysadmins don't have to resort to tactics such as disallowing all attachments, or all attachments of certain types.

    Attachments don't kill people, people kill people.
  • Well that's hardly relavent, since you don't have to show your source code or even it's compiled results to Microsoft, or VeriSign. You just have to apply the digital signature that's been issued to you.

    But don't let me stop you from drawing ridiculous analogies to prove a stupid point.

  • It always amuses me to see the non-newbie Linux zealots get their panties in an uproar if there is ever any news about Microsoft. Yes Whistler has an option to only let certified applications be run by users or user groups. Big fucking deal. If you're a serious Unix admin you spend hours configuring your system so foreign binaries don't get executed on your box and fuck everything up. Certificates are the next logical step in system security. Say I have a bunch of Whistler workstations and I write a cool VB script to automate some tasks and keep the systems in top shape even when I'm not in the office. Wait a second, it's a bad idea to allow VB scripts to run on your system because of malicious code. Solution, sign MY script with a signature (anything I can import, not just VeriSign) and allow it to run unfettered because it is signed by me. When you write a shell script do you not make sure it runs with an SUID but can't be executed by unprivilaged users? Oh yeah huh. Microsoft with Whistler is going to start integration of the .NET concept, security is going to be an enormous concern in this area. NextBestThing.exe fires up and uses some ActiveX components somewhere on the internet if there is no handshaking and authorization going on in this transaction you've just opened a huge security hole in your system and network. The EJB 1.0 spec has a problem of this sort that crops up. It supports authorization as you can have a user have access to a certain set of objects but beyond that it is up to the developer how to impliment more security. If I was planning to start offering applications that resided or executed remotely I would want some proof they were the real shebang. I'd actually like to see a good certificate implimentation on Linux, especially in a professional environment where you need real reliability and authorization, not just strong crypto on your pr0n and mp3s.
  • by Anonymous Coward
    The real danger in this is what it will do to public perception. For example, if one thinks back to the Caldera (DRDOS) lawsuit, this talked about, among other things, the use of a section
    of code in windows which was used to create the public impression that DR-DOS (or any non MS-DOS) was defective.

    By using signing and making this the default behavior, MS can accomplish much the same goal without having the same legal risks. The
    question then is what impression does it create
    in the public's mind when they are told everything they might run which hasn't been "approved" must
    be considered suspect and automatically excluded
    by default.

    If a user can sign for and self "certify" applications at thier own discretion when encountering unsigned images, it it not
    nessisarly a bad feature. But if it pops up with a highly negative warning and refuses to run, then
    I think it's a brilliant piece of propoganda and
    social engineering, and one that could have very
    negative consequences for the marketplace for
    third party (non MS certified) software, and a
    wonderful oppertunity for certificate authorities, or even better yet (from MS point of view), if
    one must get a certificate from microsoft itself
    before one can sign apps. Certainly it's a ca's wet dream come true.
  • Surely this is a useful feature. I'm assuming tools will be available to sign your own code.

    I can envisage wanting to create a self-signed root CA certificate for myself, and signing anything I compile, such that nobody can sneak in with a trojan and replace my lovingly created binaries.

    Freeware distributors could equally sign their binaries with certificates from their own Certificate Authority to reassure users that the version they have is kosher.
  • by Carnage4Life ( 106069 ) on Tuesday November 21, 2000 @06:01AM (#609584) Homepage Journal
    Y'know, this kind of crap doesn't help the Geek Community At Large overcome the image of being a bunch of fanatical morons

    Hemos took a lot of liberty with my submission including changing the title as well as cutting of some technical analysis at the end of my submission.

    Basically the gist of my submission was that Microsoft is taking a heavyhanded and incorrect approach to attempting to solve the problems with Outlook viruses and the like. Specifically, instead of coming up with some Draconian all-or-nothing security policy why not introduce more granular access levels to Whistler?

    For example, I currently run ZoneAlarm [] and it prompts whenever a program I haven't given permission tries to access the Internet (in fact I found a Trojan this way). ZoneAlarm has three permission settings Always Deny, Always Allow, and Always Ask. I wouldn't mind seeing such functionality moved to the OS and made even more granular so that programs have very explicit permissions as to what they can do (similar to java.policy [] files []). Outlook should not be able to tweak the registry nor delete files (via the ILOVEYOU virus []) regardless of whether it is signed by Microsoft or not.

    Basically I am proposing something similar to Access Control Lists for executables on the OS, after all, there already is a central repository of information (the registry) so adding that data shouldn't be too hard.

    Second Law of Blissful Ignorance
  • by Gricey ( 154787 ) on Tuesday November 21, 2000 @04:46AM (#609587)
    does it have to sign each of it's 65553 bugs?
  • A lot of people I know (the ones who don't know computers anyway) don't even read the error messages that pop up. I can't count the times that someone as said "It's not working, there was an error." And every time, when I ask what it said, they responded very defensively that they didn't read it.

    Well, it's no wonder because everyone's been conditioned to think of Windows error messages as something only a senior Windows programmer working at MS would understand, and no one ever found useful. I can't count the number of times I've seen "Error in FOOBAR.DLL at 0E132:12592" or the like, or called Microsoft (back when they actually pretended to support their products) and told them the exact error message ony to be told "reboot the system, it'll go away".

    With Windows error messages, the faster you can dismiss them, the faster you can reboot the farging machine and get back to work. These messages have been so very useless for so very long that no one ever believes that they could offer any useful information anymore.

  • This is just crazy - MS seem to be doing everything POSSIBLE to piss off consumers! I can see a big crash ahead....
  • It's probably licensed out to an external agency to manage.

    At least this is how Windows logo certification is handled. Microsoft determined the criteria that had to be satisfied in order to obtain the logo certification and it is managed by an external company. Microsoft products have to work just as hard and comply just as much as any other ones in order to obtain certification.

    I seriously doubt this will be any different.
  • by 1010011010 ( 53039 ) on Tuesday November 21, 2000 @06:05AM (#609593) Homepage
    Until, of course, they sell "developer" versions of Windows, and the regular version run only signed programs. This would kill the shareware market for Windows, though, not to mention free software for Windows.

  • by Tet ( 2721 ) <slashdot@a s t r a> on Tuesday November 21, 2000 @04:50AM (#609599) Homepage Journal
    I really hope this happens. If Windows refuses to run anything but authorised code, then it'll hasten the end of Windows as a viable platform, and the world's computers might just switch to more reliable alternatives that little bit quicker. Given that Bill Gates has always been a fierce defender of unregulated development (and it's about the only area where I agree with him), I doubt this will ever happen, but it's possible. I suspect they won't take it any further than flagging unsigned code as potentially dangerous, and letting the users decide whether or not to run it.
  • The target system does not require all code to be signed; It's an option. As for the GPL issue, I am hardly a legal expert, but I don't see how the GPL would be interpereted this way, as the signature is not related to the code, or its execution, in any way (other than its authorization).

    Having said that, you could be correct. It's entirely possible that MS is creating a scenario where EVERY developer has to have their own signature. However, this isn't any more relevant to the free software community than it is to the closed-source community. To compile *anything*, closed or open, you'd have to have a signature.

  • You'd never have to pay *every* time you compile. You'd pay for your signature once, and then apply it to every new executable you create. It's a one-time deal (unless it's subscription based, but that's still not unreasonable).
  • MS-DOS 1.0 was licensed from SCP and was out long before CP/M-86

    I don't believe I (or anyone else) has claimed that MS-DOS 1.0 (or PC-DOS 1.0) was copied from CP/M-86 or any version of CP/M intended for processors made by Intel. The matter that was litigated (and settled by Microsoft in DRI's favor) was whether earlier versions of CP/M were used in developing that version which was licensed from SCP.

    The case was settled when it became clear that Microsoft had the evidence which could have either cleared them of this charge or proved they did it. Since it became clear to the judge they were not going to allow that evidence to be seen by the court or its representatives under circumstances designed to protect their proprietary interests, he had ordered they reveal what they had described as their "crown jewels" to the court. Then they told him they couldn't find those "crown jewels." When it became clear they had lost credibility with the court (first claiming the source code to PC-DOS 1.0 was very valuable, then claiming they lost it), they decided to settle.

    I apologize to anyone who objects to my conclusion from this evidence that MS probably stole the CP/M code. But my point was not that they did so, rather that they didn't do so until they had tried to help DRI get a good contract first.

    I was trying to point out that the history of Microsoft shows that, even when they seem to be operating honorably in the beginning, their ethics have been known to slip. Thus, IT managers who wish to assume their eventual use of a given technology will be honest simply because they are currently not doing anything unethical with it may find themselves being hurt by that assumption.

    AC is welcome to make that assumption, ignore the history, and take "The Road Ahead" to the Microsoft-prescribed future.

    Word for Windows, Word for OS/2, WordPerfect for Windows and WordPerfect for OS/2 were all out years before Windows 95. (Microsoft and IBM split in the Windows 3.0 timeframe - five years before Win95)

    The accusations of a head-fake by MS with some of the developers with whom they had long partnerships were made roughly one or two years after the release of OS2. Microsoft encouraged their partners to support OS2 while they were planning their own response to it.

    Obviously, they could not maintain this dishonesty once they had announced Win95 (which happened long before its release). Traditionally, those who have defended Microsoft on this issue have argued not that it didn't happen, but that the owners of WordPerfect were naive in believing them. In other words, that MS's tactics were simply tough tactics which should be expected in the rough-and-tumble world of business. I've never heard anyone argue it didn't happen. (Or, stranger still, that it didn't happen when it did.)

    Once again, I'm merely trying to point out that the relationship between MS and the developers with which it eventually began competing unfairly was entirely ethical and honest for a long time before anyone started claiming dishonest tactics. Indeed, I would argue the fundamental honesty of that set of relationships was largely responsible for the PC boom and the innovation of that period. I would also argue that the destruction of that fundamental honesty is responsible for the lack of innovation since the Internet browser was introduced (the last killer app, in my opinion).

    About the only reality in the Netscape story is that there was a company called Netscape.

    And that minor inconvenience of an anti-trust consent agreement and a subsequent anti-trust decision, not to mention Bill's testimony in court which serves as a virtual signed admission of guilt.

    But don't let any of those facts get in the way of your decision to trust Microsoft. Trust them. Embrace them. Those of us who pay attention to the history know who will be screwed next.

    And it's not gonna be us.

  • Well I was talking about ActiveX controls, not applications. ActiveX controls being more dangerous because they're embeddable in websites.

    However you make a good argument about signing. Will Windows simply run an application with *any* signature. If so, how is that useful?

    I see it as being more useful than the situation we have right now. If someone wants to get a signature from VeriSign, they need to submit contact information and (I'm not sure about this) probably a marginal fee. Now, this signature requirement doesn't stop malicious code from being executed on anyone's system, but it does add some accountability.

    How many trojan-authors are willing to pay a fee to sign their apps? It's possible that they can do it, but they'll have to be willing to have their trojan discovered and their signature black-listed. And if their payment required some form of ID (even a credit-card), it would be much easier to trace the author.

    I'm not saying it's a great solution. It's not a great solution. But it's better than nothing, which is what we have now. Besides, if you don't like it, you can just shut it off.

  • Anyone already running Win2000 is familiar with the "Signed Drivers" problem.

    Win2000 supports signed drivers, guess what? Have I ever see a signed driver from anyone besides Microsoft?

    As far as I can remember... Nope!

    So everytime I install a driver I get a nasty warning of unknown danger from Microsoft. Make that warning an error/abort, and then you have Whistler.

    Would hardware people take all this more seriously if they HAD to have their drivers signed? Nahhh, they will just tell you to turn the requires signing feature off!

  • Yeah, right. You also showed that you really don't understand the concept of signing an executable. It's not something that Microsoft does for individual EXEs, DLLs, etc. It's a cryptographically secure signature that get's written to new applications by their authors. The signature is registered with an authority (think VeriSign, not Microsoft) and then it's okay to run.

    Your "malicious" DLL would have to be signed too, in order to be run under this scheme. The certification is in no way meant as an indicator of a program's relative maliciousness. It's just a method of verifying who authored it, for accountability purposes.

    It is workable. Not everyone will want to keep this feature enabled, but I can think of tons of companies who will eat it up.

  • Since we have seen Microsoft again and again engage in this kind of action, do we really have to refer to it as a conspiracy theory? How about business as usual.

  • by ichimunki ( 194887 ) on Tuesday November 21, 2000 @06:44AM (#609625)
    I'm not sure I see where and how the article explains that MS itself will do any sort of certification. All it says is that they are building an option to prevent execution of unsigned code. The biggest problem I can see is MS requiring that certificates (which are different from certification) be purchased from them. Even if the certificates come from a 3rd party like Verisign, this is still additional expense for shareware developers. And if it relies on patented or non-Free algorithms to be applied, then it starts to take Free software out of the picture. However, simply having the option to not execute unsigned binaries is hardly a terrible thing. Security paranoid sysadmins should like this, since it means that all binaries come from a "trusted" source. How easily the ability to trojan a binary that appears trusted remains to be seen. But this option doesn't really sound like much more than the current (hihgly manual) option in Linux to download signed source code, use checksums, then compile, so that the odds of a trojaned binary are pretty much reduced to an impossibility.
  • Whether or not this code-signing requirement is turned on by default, the majority of Whistler users will probably turn it off, because the majority of Whistler users will have at least one piece of unsigned code that they want to run (perhaps Emacs, perhaps a shareware game, perhaps a legacy program, perhaps some tool that's used within their companies).

    But when a virus spreads through millions of Whistler machines, Microsoft can just blame the users for letting their machines run unsigned code.

  • by vees ( 10844 ) <> on Tuesday November 21, 2000 @06:09AM (#609629) Homepage Journal

    I did the same thing yesterday, with similar results. I was surprised when it finally made it to the front page today. I figured someone had already posted it before me. My title was "Whistler may block unsigned code."


  • Didn't Apple used to make all software and hardware be certfieied by them before it could me sold as a product for the Macintosh? Isn't that bottleneck part of what made Apple rot? Could this be a blessing in disguise?
  • Code can be signed by anyone - the point is you can configure the OS to only run signed code.

    Then it becomes a case of who do YOU, the user trust - just because code is signed, doesn't mean it won't do anything naughty (like trash your disk). It just means you're trusting someone not to.

    Unix could benifit from this - when you 'su -' to do that 'make install' how many of you read the Makefile to see what it's gonna do first?

  • The certificates are controlled by VeriSign.
  • That's right it is tied to the executable. The 'signing' process is the combination of the executable and the digital-signature. However, my point still stands -- you can use the same signature on multiple files; you don't have to pay for new ones every time you release.
  • Okay, I can imagine that scenario. In that situation, Joe Free Software Hacker would have to apply for his own signature before he could release software that would be run on that company's systems.

    Or Joe Free Software Hacker could opt to release the software unsigned, and then the IT department at said company could sign it themselves, authorizing it for use in the department. It's not complicated, it's just less anonymous than the process is now. Besides, it's not like there's never been a platform that you've had to pay to develop on before. Think consoles, anyway.

  • They've already done this. I had a perfectly valid souncard, but I had to junk it when one version of DirectX appeared, because the drivers hadn't been updated. The card worked fine, but wouldn't run this version of DirectX. Unfortunatly the card was on a non-standard daughterboard and couldn't be removed without a hacksaw.
  • by Foogle ( 35117 ) on Tuesday November 21, 2000 @06:47AM (#609644) Homepage
    Oh, for Christ's sake! Make sure you understand how secure-signing works before you post anything about the subject.

    "They" don't get a say in what is and is not a valid application. It doesn't work that way. A developer gets a signature and it is cryptographically written to their executables. It's just a simple method of authenticating *who* wrote/distributed the application. The process has nothing to do with whether the application is "ok" in anyone's view.

  • Any particular reason why Slashdot is always running rampant with Anti-MS FUD

    Slashdot is an openly 'nix and open source biased site, most people here simply don't like Micro$oft for personal and/or ethical reasons.

    Remember the opinions on /. posting are of slashdot readers and do not necessarily represent the views of the slashdot team.

  • by ErichTheRed ( 39327 ) on Tuesday November 21, 2000 @05:35AM (#609653)

    For those who work in IT (networks and delivery, not coding) think about the mindset of your average boss:

    • We use Windows because it's the most common desktop platform in existence.
    • We use Office because it works well with Windows, it's universal and the staff likes it.
    • Microsoft just came out with a new version of Windows that the marketing guys say is Better! Cheaper! Faster! More Stable!!!
    • They also say it'll only run with programs they've tested.
    • Oh, wait, we only use Windows, SQL Server, Exchange, SMS, Office, and IIS.
    • Plus, we won't have Jane Secretary running the buggy Thanksgiving screensaver on all the PCs in her office.
    • No problems here. Order 1,000 licenses.

    What I'm trying to point out is that MS is catering to business again. IT people loved the dumb-terminal days because user control was real easy. Now they have to worry about staff trashing their PCs with software they got from friends and losing their productivity while the helpdesk reimages their PC.

    The circle is closing for MS with regards to enterprise computing. Not only do they have people convinced that Windows is the only OS available, now they are designing the product to give them even more control. Scary.

  • Suppose this "certification" grows to be a way to certify that a program won't crash when you run it. Does this mean Microsoft's own products won't be able to run on Whistler?

    What of the even greater paradox that Whistler will probably crash, so wouldn't be certified, so you couldn't even run Whistler in the first place?

    However, somehow I doubt Microsoft would take it to that meaningful level. Instead, it will be a way for them to get more revenue, assert control, and get a listing of all Windows developers.

  • by snookums ( 48954 ) on Tuesday November 21, 2000 @05:36AM (#609657)
    With an OS that refuses to use unsigned drivers, it will be a lot harder to make dummy sound and video drivers that write their output to a file.
    Say goodbye to taking future-proof backups of proprietary-format data.

  • by Fervent ( 178271 ) on Tuesday November 21, 2000 @06:15AM (#609658)
    This is strictly pro-Slashdot FUD. Signed drivers are the second best thing that's come to my box recently (Windows 2000 being first). You don't know how good it feels to take a look at a video card driver, see that it's not signed and say "hey, do I really want to support this? It probably won't run."
  • Under IE a feature like this already exists for downloaded executables, where a warning is displayed in an attempt is made to run an executable downloaded directly, with the option to automatically trust all code signed by a particular certificate. Entities other than Microsoft can sign their own code. The purpose of this is to prevent trojans being installed. However it is easy to revoke.

    The plans for whistler appear to be to extend this further.

  • It would be a developer's worst nightmare. Each time you whip out a quick utility--on a good week that could be dozens for me--you need to go through the signing process. Also, enterprises and shops that write their own software and distribute it internally are going to get sick REALLY quickly of the extra cycle involved.

    If you simply add a signing capability to the compiler or IDE, and it signs the executable automatically when you hit RUN, what's the point? The signature is meaningless, it doesn't signify squat regarding the safety of the code. If, on the other hand, the signature has to be applied by QA after at least some testing, they'll get sick really quickly of signing every little piece of shit code churned out by anybody--they simply won't have time to do it, and/or the developers will eventually quit in disgust.
  • I have absolutely no idea how many win32 x86 executables there are out there, but I'm fairly sure that there are far more than Microsoft could ever certify, even if they only tried to certify newly released ones, let alone try certifying the old ones - and I think I'm correct in that Whistler will still run good ole x86 code.

    So, far too much to certify. Without charging, anyway.

    So, only allow executables to run if they've been certified AND the author has paid for that certification? Doesn't sound likely! Even if there WAS a paid scheme, there would be far too many executables for MS to certify on its own. It would have to outsource the certification to an external company.

    So, what happens when this company certifies code which turns out to crash in an interesting way causing huge damage to someone? Someone's very very liable, because MS even said that it'd work safely. I don't see themselves setting up a legal tripfall like that.

    And what about what is classed as an executable? Just EXE and COM files? Just Win32 EXE files? What happens, say, if someone certifies winword.exe as safe, and then I come along and insert some malicious DLL file which is then loaded (uncertified, but with full "privileges")? Oh, so they'll have to certify those too.

    I'm sorry, but in the 2 minutes in which I've brainstormed (incompletely) I think I've noticed something.

    It's completely unworkable. What a surprise.

    --Remove SPAM from my address to mail me
  • by Dannon ( 142147 ) on Tuesday November 21, 2000 @06:52AM (#609669) Journal
    Not just a burden on the 'small guys', but also on major developers.

    I remember a long wait for Win2000 SoundBlaster Live! drivers... not because further development was necessary, but because Creative had, for the first time, bothered to submit their drivers to Microsoft for a thorough inspection and 'certification', so that a certain warning wouldn't pop up during the install.

    And while Creative was waiting for the MS guys to send the drivers back with a 'stamp of approval', the PR guys had no way to answer the 'when will we have working drivers' question other than 'any day now'. Definitely not what any customer wants to hear.
  • Names obfuscated to protect the "innocent."

    [bill] :: The Win2K launch has been a raging success. What items do we have to discuss for future development.

    [steve] :: Well, we've had very strong feedback regarding the unsigned driver warning in 2K. We'd like to expand that for Whistler.

    [bill] :: Tell me more.

    [steve] :: We'd like to require that all apps be signed and certified by a special team of Application SSigning Speciallists, or ASSes before they are permitted to run on Whister.

    [bill] :: What's the up side for us?

    [steve] :: Through effective marketing to the open source community we can get them to submit their code for certification. This will undoubtedly provide us insights into how to fix things in our own system. Additionally we can charge for this service and eliminate the drain from our evil tactics fund.

    [bill] :: I think we should run this by legal. Jim, what's legal's take on this.

    [jim] :: We're on board for now. Now that things in Florida are starting to look like Dubya will win we can divert some of our team from the anti-trust case to preparing the spin for this. We should be able to cut our potential detractors off at the knees.

    [bill] :: Great! To prepare for this, we need to send all of our coders through that advanced firearms training course. We don't want anybody to miss their foot when release time comes.

    Code commentary is like sex.
    If it's good, it's VERY good.

  • Is it going to be checksum like? If so, what makes them think it can't be cracked? I mean, how long did it take to figure out the checksum for dreamcast, n64, psx? what if the code modifies itself? say for example, shareware programmers? what if my program has it's own checksum, and whistler is using another checksum, how will they both co exist? will this only be limited to dll, exe? what if an authorized signed code tries to run an unsigned code or depends on one? Is the opensource community going to sign their codes? Mmm, many questions...

  • If there is an option to turn this BS "feature" off, what's the default setting?

    If I create an installer for common Internet applications for the faculty/staff/students at my University, do I have to send it to M$ for approval?

    "We're sorry. You didn't include IE in your installer. We've included it for you, made sure it always installs no matter what the user specifies because we know they'll always want to install it even if they didn't say so, set it's default homepage to and search page to our MSN site because they are the best and soon to be the standard, signed up the user (and everyone in their address book) for MSN because it's really where they want to go tomorrow, and removed Netscape because we don't approve of their code. Thank you."
    If I update that installer each semester, do I have to send it back to M$ for approval?

    What is M$ going to charge me to approve my app?

    How can they actually audit my app without me sending them my actual code, part of my IP?

    Can I make them sign an NDA so that my code and I are protected from M$ stealing ideas and code?

    Am I forced to sign a M$ NDA that says they can do whatever they want with my code?

  • > According to the article, this is an option that can be turned on or off - so in the appropriate setting, this is actually a very useful feature

    So it will be turned on in corporate environments. And there, you could only run software signed by Microsoft.

    I find this scary as hell. It won't be anymore secure (because you won't have all the scripts, excel macros, etc, etc, signed). But it will be more difficult to run free softweare.


  • by American AC in Paris ( 230456 ) on Tuesday November 21, 2000 @06:19AM (#609678) Homepage

    [posted by Carnage4Life, author of article submission:]
    Hemos took a lot of liberty with my submission including changing the title as well as cutting of some technical analysis at the end of my submission.

    Then I feel doubly sorry for you, as you're pretty clearly approaching this issue from a rational standpoint. I thought that this might be the case, and thus was careful to avoid pointing fingers at you the author, but rather at the /. editorial staff.

    Having said that, a granular permissions model would be a decidedly better approach to this kind of problem than the all-or-nothing model Whistler will evidently implement. Sadly, this message was nowhere to be found in what finally got posted under your name. I'd be raising holy hell if I were you.

    Knowing that this wasn't your intent in the first place makes me feel even angrier at /. than I did before. It's one thing to post zealous articles by zealous authors; it's another thing entirely to edit zealotry into them. Absolutely shameful.

    $ man reality

  • Where this could present a problem is for shareware/PD/free software apps in the enterprise, where IS is more likely to enforce the signed app rule.
    If that would be true, Melissa, ILOVEYOU,... wouldn't have caused the havoc they wreaked.

    Okay... I'll do the stupid things first, then you shy people follow.

  • So is the signature merely a means of tracing back to the developer or is it a system of software certification?

    Tracing back to the developer. See this [] article for details on how this technology is going to work in the Windows Scripting Host.
  • Hmmm. I'm not so sure that this is going to help sys-admins. I agree that people installing random, unapproved stuff on their PC's can be a problem, but how do you define unapproved. There are several commercial packages that, when installed on certain PC's in our environment, will cause problems. These packages will undoubtably be digitally signed in the future (if they aren't already). This "feature" of Whistler won't stop people from installing those packages. It also won't stop people from installing commercial software that they brought from home. It will, however, stop people from installing most free/shareware. Whether or not this is a good thing is up to you to decide. I don't think it is.

    I am not a sys-admin, so please have patience. Aren't there already MS-approved ways of controlling software installation?

    One final point, what happens when someone wants to run some older (legacy) software which isn't certified? Is it going to be handled the same way, or is there going to be a "backdoor" for currently existing software or some kind of "opt-out" list?

  • As a former sysadmin/support person for several big companies, I can tell you that people installing random, unapproved stuff on their PC's is a major source of support calls.
    Two words: diskless workstations...
    You think being a MIB is all voodoo mind control? You should see the paperwork!
  • While I agree that there will always have to be an option to shut off code verification, the problem lies in what the default settings for whistler will be.

    If MS decides that code signing will be on by default, and that to disable it you have to go through a convoluted series of clicks and/or registry hacks, there may be a problem. We could find that suddenly "unsigned" applications will cause scary looking error messages to be popped up on, say, your grandmother's screen. What will most people think when an error dialog pops up warning them that this application may be a virus and could damage the computer? 90% of home users will instead look for apps that don't display any error messages on install.

    This could be a situation similar to the "Designed for Windows 95/98/2000" logo process, which Microsoft uses to gain leverage over software developers. The logo program has had a lot of success among users who might otherwise mistakenly buy a Playstation CD or Nintendo cartridge for their PC (that's most users folks). Except that now it's not just a graphic on your packaging.

    My bet is that code signing will be necessary to get the "Designed for Windows 200x" logo, and that developers who don't follow the party line will be at a serious disadvantage in the marketplace. MS may be moving towards a console-esque software scheme (xbox, anyone?), where they get money for every "certified" application sold. And even if some hacker found some way around the signing process, a legitimate software company probably couldn't use it due to DMCA "anticircumvention".

    So the question is not whether it will be optional, but will it be on by default, and who gets to sign the code?

  • Of course, such an option to run only signed code is completely useless even when it is turned on in any Microsoft operating system. Remember we are talking a system here where any document can also be an application. That is, you can write a Microsoft word document that does a complete Linux install in VBA macros, including formatting the hard disk.

    Unless turning on this option also disabled the WSH, all macro capabilities in all programming languages and certain other options (such as being able to call RUNDLL), turning on this option will NOT prevent the next Melissa and will NOT increase your systems security.

    © Copyright 2000 Kristian Köhntopp []
  • If an application has been signed as being an official certified application, does that, in the consumer mind, open the door for a libel mind set? In other words, if this certified and signed application hoses my data, doesn't that mean that Microsoft, or whom ever signed it, should pay for the restoration of my data? What about pain and suffering? After all, I had to tell my boss that the report that would of won us a $1,000,000 contract is now destroyed by this application. If not, why do I care that it's signed. Surely since it is signed and certified, this gives me as a consumer some additional recourse?

    I'm not saying that there is or is not merit to such a claim, but doesn't it create the possibility of such an end-user mind share?

  • by freeBill ( 3843 ) on Tuesday November 21, 2000 @06:57AM (#609695) Homepage
    ...of Microsoft's cheating:

    First, they compete honestly. Then, when they lose that fight, they cheat.

    They didn't start out to steal CPM from DRI. First, they recommended IBM buy the operating system from DRI. Then, when they saw their language-compiler deal with Big Blue going up in smoke, they stole the OS, repackaged it, and sold it to IBM.

    They didn't start out to screw over developers for their OSes. First, they gave them free rein. Then, they competed outside a "Chinese wall." Then, when they were still losing, they told WordPerfect et al that they were committing to OS2 while secretly planning Win95, which was closely integrated with Office.

    They didn't start out to squash Netscape. First, they helped them develop Navigator. Then, they decided to compete with them honestly with IE, promising not to breach their "Chinese wall." Then, when they failed to win with Explorer, they decided to cheat by bundling. Finally, when they were forced to stop bundling because it is illegal, they decided to cheat by calling it "integration."

    So, don't be fooled because they seem to be implementing this in an entirely fair and honest fashion at first. They probably are being fair, and they probably intend to avoid cheating. But, when it looks like they may be in trouble with some competitor who is beating them in the future, do not be surprised if they panic and cheat.

    They do it so consistently one could almost call it their business model. But that would probably be unfair to them because it implies intentionality from the start.

    My prediction: They will be scrupulously honest about this in the beginning and maybe even offer their users some some modicum of security derived from it. Then some killer app will come along and be certified after the code is submitted to them. Then they will decide to compete directly in the space created by the new killer app all the while promising not to use any clues derived from the code they certified. Finally, when they fail to compete in the new market, they will leverage the code submitted to them for all manner of dirty tricks, from finding out about new features before release to stealing code and re-designing APIs to break their competitor's code.
  • Port WINE to Windows, get Microsoft to sign it, and voila, you can run "all" windows applications ;)

  • by 91degrees ( 207121 ) on Tuesday November 21, 2000 @04:52AM (#609704) Journal
    Whistler will have the option to only run signed applications. You can turn this off. If people find that they need to run older software, then they WILL turn it off. Since developers need to be able to run unsigned applications (you can't get a certificate for each incremental compile), this will have to always be an option.
  • by Anonymous Coward
    You may remember that earlier in this year, we faced each other in a court of law of the United States Of America. You may further recall that you, as a corporation, were found guilty of abusing your market power to efectivly create a monopolistic business for yourself.

    Now, we understand that a day is a long time in the age of the Internet, but we really think you would have remembered something as big as this. Therefore we are sending you this email to remind you of the legal ruling against you.

    This action has been prompted by your blatently stupid plane to enforce a digital signiture on all software that wishes to run on your latest operating system version (Codenamed Whistler, we believe) This is clearly a move to block further compitition in the applications market, and will obviously allow you to extort money from hard working, but low income, shareware and freeware software authors. If you would like, we can take you to court again and prove it. We'd probably win you know.

    We find this action perplexing in light of your confirmed monopolistic status. Therfore, we have acelerated plans to bust your ass down. Please be advised that as of 1st January 2001, Microsoft will be broken up into itty bitty little peices, and sold off to the lowest bidder. Mr William Henry Gates III will be required to attend a special three hour, live showing, of "The Jerry Springer" show, to publically apoligise for being such a pleb.

    We look forward to your prompt response on this matter, and wish you a nice day.


    Department of Justice (US)
  • That IS a good idea. As a former sysadmin/support person for several big companies, I can tell you that people installing random, unapproved stuff on their PC's is a major source of support calls. This should make W2K be an even better choice for corporate desktops. This is yet another feature that shows that MS is thinking about enterprise implementation on the desktop. You do NOT want people to be able to install any old RPM on their desktop in a networked environment. That's a BIG "no-no".

  • by TopShelf ( 92521 ) on Tuesday November 21, 2000 @04:53AM (#609712) Homepage Journal
    According to the article, this is an option that can be turned on or off - so in the appropriate setting, this is actually a very useful feature. Far be it from me, however, to let the facts get in the way of a sensational headline...
  • Because if it's not optional, then the end-user (rather than end-luser) can't run software they've written themselves. Well, not without registering with Microsoft anyway. Which isn't going to happen.

    And once the option's been turned off, you'll be able to run anything. I presume.

    So it's got advantages for businesses, as they'll be able to ensure that their desktop machines don't get infected with screensavers, whilst home users will probably disable it at the first opportunity.

    I hope...
    Too stupid to live.
  • by Dannon ( 142147 ) on Tuesday November 21, 2000 @05:47AM (#609715) Journal
    from the turn-on-red-alerts dept.

    Says it all, doesn't it?

    An unfortunate truth: Even in the best of news media, sensationalism always wins out over objective, balanced, and reasonable reporting. Clue to MSNBC and other news networks: 'Too close to call' ain't exactly 'breaking news' any more!

  • It will be sane if it will allow anyone to handle the signature approvals. so that a corporate IT department set-up its desktop so that it can run only software with their (of IT department) signature. This would allow IT departments to deploy more secure installation ( if that is possible with M$oft software) without having to depend from M$oft.

    For the sake of conspiration theories let's think of a different scnario : when the first virus/worm/trojan of Whistler will appear, a dialogue like this will take place:
    User:"Help, help. This virus just f*ked up my data!"
    M$oft: "oh, but you turned out this very important security feature!!!!! It is **your** fault, then !!!"
    User:"But I just wanted to run FooSoft SuperBestSoftware 1.2"
    M$soft:"Ah, but FooSoft does not comply with our security policy and it's not certified. Why don't you run M$oft UseOnlyMe application. It does the same thing, but better. And it's more secure. You'll have to pay every time you run it, but security has no price in this virus-ridden world."

  • How secure is the signature anyway?

    We know how long it took until DeCSS showed up, and the DVD security was broken. How long until signatures are broken?

  • Any particular reason why Slashdot is always running rampant with Anti-MS FUD? It's like, every single article that the dot posts about Bill ("Bill Gates gives to 14 children's charities") is plagued by responses basically saying, to different degrees of intelligence, "M$ $ucks!".
  • Sometimes they actually get something right, but usually every story had some unjustified amount of skew in it.

    There was a time when Slashdot used the Register as news a lot, like at least a story every week. I think the "editors" here finally wised up. Now to take ZDNet off should be our next task.
  • Ok, if it's optional then it's not so insidious. If they take that optional away and become sole arbeiter of good code it'll be the best thing they've ever done to promote Apple, Un*xes and Linux.

    Nearly a laughable concept from a company well known, by now, for the security gaps in their own applications which pose perhaps the single most damning threat to business and personal users.


  • It also says that you have the option to send it to them for testing so they can approve it and stuff.

    Can someone sue MS for having lots of copies of unlicensed software then?

  • RANT:

    You know, Slashdot feels more and more like Windows 9x. I 'have' to use it (or find even less suitable alternatives) but it makes me feel angrier, dirtier, and less prodcutive the longer I use it.

    Not only that, they're obviously a bunch of irresponsible. hypocrites. Talk about FUD FUD FUD FUD FUD FUD. Dear lord, someone hand these clowns a cluestick.

    ...and for my opinion on the signed apps: I've for it, as long as I can turn it off and have different restriction levels. It's an excellent way to protect against virii and trojans.
  • by Foogle ( 35117 ) on Tuesday November 21, 2000 @07:01AM (#609740) Homepage
    First of all: if you could lophtcrack the admin password on a P90 in under an hour, then the admin password *had* to be a dictionary word, or a very simple derivative of one.

    Second: Given the same password, a brute-force cracking system would've been able to do the exact same thing under Linux, BSD, etc. It simply doesn't matter *how* the password is encrypted when you're dealing with brute force.

    Now, on top of all of this, Microsoft doesn't write the software that signs applications. VeriSign does. It uses the same cryptographic principles that make SSH and SSL usable and secure.

  • Maybe I'm in the minority here, but I can't see how this is a bad thing. When ILOVEYOU and MELISSA were running rampant, everyone screamed about how MS set everything on low security by default, and no one would change it. Now they decide to set security higher by default (which would avoid a lot of the problems) and now people are screaming about that. There is no perfect way to set security by default. The only way to have real security is to set it yourself. If people take what MS is giving them as security settings, that is their choice. If low default is bad, and high default is bad, what is good?
  • Conspiracy theorists, take note.
  • There's a one point you missed:

    - Our line-of-business in-house apps aren't signed and won't run on this new OS.

    ie, for most large companies, the most important apps are those that are designed in-house to meet specific business needs. These apps are usually the ones that run the company.

    So, most companies use VBA, why can't MS just have VBA runtime signed and then all VBA apps will work. Well, then the whole system is useless, (see LOVE virus).

    This move would do nothing but tighten MS' hold on the SOHO market, the one that Whistler is aimed at and the one that MS fears losing to Linux. The feature is not aimed at Enterprise class organizations. Win200 is reserved for that. Expect to see this implemented, and expect to see open-source take a punch in the nose because of it.

  • Yeah, it can be turned off. Just like macro execution in MS Word. ;-)
  • Now that's funny. Reverse engineer the signing process? If you think you can "reverse engineer" a cryptographically secure system, I'd love to see it done.
  • Microsoft doesn't handle the certification; they have no say in the process, and there are no standards to say what sorts of applications can be signed or not. The bottom line is that a signature just adds accountability, not certification of usefulness.
  • by Zigg ( 64962 ) on Tuesday November 21, 2000 @04:58AM (#609770)

    God, no kidding. What amazes me is that when this cropped up a couple weeks ago on The Register [], I submitted an article about this being an option... it was refused in the space of an hour.

    Apparently refusing to read the entire article and making the headline as sensational as possible is a formula for success when you're looking to get a Slashdot headline.

  • by devapoj ( 83412 ) on Tuesday November 21, 2000 @06:33AM (#609772) Homepage
    One might say that it is optional, and perhaps even desirable in a secure, corporate environment. But that is beside the point. The point is that anyone who wants their software signed will have to bear all to microsoft and thereby allow microsoft's engineers in the process of "certifying" it, pilfer any good ideas that package might contain.

    No doubt the empire will encourage businesses that such a move will be a "good thing", and any competitor that effectively does not show their source code to microsoft will be shown the back door by corporations that have taken the bait. Sounds anti-competitive to me.
  • There's a way to turn the behavior off...

    I saw it described on one of the beta newsgroups, but don't recall the exact sequence to do it. I think it's an incredibly stupid default.

  • Only drivers are digitally signed right now. I can go ahead and download stuff from Freshmeat that's in the alpha stage and run it nag-free. The whole reason for digitally signed drivers is to prevent from having shoddy drivers run on a mission-critical system. The biggest problem with this is either Microsoft's refusal to digitally sign drivers, or the companies' sheer laziness.

    If the digital signing process is carried over to applications, though, then it would mean the end of Win32 application development as we know it, which is why Microsoft will most likely never implement such a draconian system.

    There, I said it; the article is all FUD spread around by the Linux zealots.

  • Don't worry, Windows productivity will always shine. Older applications, aslo known as unsigned or unapproved and insecure, may crash newer versions of Windows because we broke the old code. To protect you from such crashes, we have put this new feature in that you will have to disable to find out your favorite piece of software no longer works. This will force you to buy one of our newer offerings, so you can be more productive than ever. Ah yes, see how good our subscription service looks? You will alwasy be (paying for) using new software when you trust MS.

    The easiest option to turn off is Windows.

  • > hehe.. uh oh... unsigned shorts range from 0 to 65535.. sorry
    Actually a quick scan of eBay will show unsigned shorts going for much less than that.
    I doubt even signed shorts would go that high! Maybe if they were signed and game-worn by Michael Jordan or someone like that. But 65535 sure seems high.
  • by gargle ( 97883 ) on Tuesday November 21, 2000 @05:00AM (#609795) Homepage
    The problem is that consumers will _expect_ "professional" applications to be signed. Which, as the article points out, will be a real burden on shareware programmers and small developers.

  • by GeZ117 ( 162744 ) on Tuesday November 21, 2000 @05:01AM (#609802)

    >I suspect they won't take it any further than flagging unsigned code as potentially dangerous
    Considering the amount of bugs in common bloatware like Office, I don't think signed code will be less dangerous. Except if they don't sign their own products.
    Oh, dangerousness refer to viral risks, not bugs ? Well, I hope they won't sign Outlook nor its Express version. Melissa or ILoveYou, you remember ?

  • by Golias ( 176380 ) on Tuesday November 21, 2000 @07:15AM (#609803)
    The problem with this "option" is that if you are selling or distributing software you might be forced to assume that a certain percentage of your customers will have it turned on, which means that you have no choice but to send a fat wad of bills to Verisign (just like getting SSL certification on your web forms), and subject yourself to whatever anal probed MS insists on performing.

    I think developers have plenty of reason to be uneasy about this news.

  • by Ektanoor ( 9949 ) on Tuesday November 21, 2000 @08:05AM (#609822) Journal
    Frankly, slashdot staff is known for some yellowish view on submissions. And many people have talked about this. However, in this case I do not think that you people are seeing the whole picture. You blame the /. for overweighting the whistleblower stuff. I think that they are doing not enough here. Yes /. should be blamed to chenge the submission in such a way. But please stick in this fault and not in M$'s plans.

    Frankly I am a damn anti-M$. And have reasons for such. 15 years people. Seeing some inside stories and a lot of outside ones. And I have always been too swift on public. On private I say Hell of them. But now I'll try to hold up some lines.

    Does M$ needs to check their soft? YES! THANKS GOD THEY START TO REALISE IT!!! And certification is a good process to allow such things.

    However Microsoft is on its own again. Yes, it gives power to some Versign to process certifications. But why is this needed. Why do we need another company to check certifications. Why not to give chances for users. Ranging from something similar to MD5/PGP checksums and over a database where one may get more detailed information about the characteristics of the package? If you are a good admin then you'll need exactly this last one option. You will surely want to see what was tampered and how. Only having this information, then you will be able to take measures necessary to protect your network and the potential victims of the exploit (specially if there was planned, objective, intentional and criminal intent).
    Now M$ does everything for the lazy admin. "Oh it does not pass certification... BANG!" And the happy lazy admin waits until someone circumvents this and gets him on the hot seat. That what will happen if such scheme will be used. So "thanx but no thanx".
    On the other side. You people seem to ignore a factor. Microsoft gives always cheese on a mousetrap. So do you think that, if you pay for freedom, M$ will keep these terms? You have to certify everything. So, in a possible future, someone may restrict the certification process and you're TRAPPED. You don't go anywhere. Much the same way we all have to pay for a M$ tax (my institution paid no less than $3500 once) you may be forced to accept such things as "you're soft didn't pass certification". And frankly, can you tell me that this will not happen from start? Verisign is an organisation that only issues certificates. It has no test labs, network control systems, staff with a good knowledge of software. Yes, they may issue certificates based only in the assurance that they may track the developer. But, in this virtual world, what is an address or a surname? Buy a mobile for $50, get a Verisign number addressed to Dock 3 Amsterdam, place it on the name of Ivan Ivanovich Ivanov and create havoc on the net. I hardly believe that Verisign will get over this without the help of our dear M$.

    Besides. Who is M$ to forbid me the right to install a virus? Yes, I WANNA INSTALL IT! I wanna see how it acts and rips off the data on my HDD. I wanna see the how's and when's of it. Because no one knows about it and I have mission critical workstations that need to be protected. You may say that I am talking some nonsense. But when I don't know the original infector and I catch the virus on other program then it will be possible that this certification stuff will hang on my neck. I want the right to turn it off and I don't need M$ to think for me. Specially when millions of dollars or top-critical information is in question.

    Ok people you're right that /. gets too yellow sometimes. Flame them at will. But don't start telling me about "oh poor M$". Specially on this stuff. I know the viper too well to know that they will not stop here.
  • by b0z ( 191086 ) on Tuesday November 21, 2000 @05:02AM (#609829) Homepage Journal
    From what I read on the article, it means that you have the *option* to set up the OS to warn you if you are trying to use an application that is unsigned by Micro$oft. It also says that you have the option to send it to them for testing so they can approve it and stuff. I think that is fine, so long as this ability is an option. It sounds like a decent security feature to me for a closed system. I know it goes completely against the open source ideals, but for M$ to improve their security this is one way to do it. If you are running a machine at work running Win2k or Whistler (when it comes out) that could be good to have this option enabled because you only want to run a few applications and services that your company approves, and you don't want people installing software that could potentially cause a problem on your system or network. Also, you can leave it disabled on your PC at home (if you want to run one of these crappy OS's) and install whatever you want. I don't really see a downside to this, if someone doesn't want to use this option but wants the OS, they simply turn it off. If this were mandatory, It would be crazy.
  • by Ektanoor ( 9949 ) on Tuesday November 21, 2000 @08:20AM (#609848) Journal
    Linux has several systems to verify the integrity of an archive/package/program (ex. PGP/MD5 signatures). I should note that it possesses also several systems that checkup the integrity of files installed (ex. Tripwire). What Linux may not have, is a mechanism doing these checks at run time. Probably this would be a useful option in some cases, but not all as this causes some overload that may be uncessary/undesirable.

    On what concerns the lack of a Verisign or similar certification system. On Linux this is not a good option as the dynamics of development are much higher and variable. This specially concerns cases when people work in such projects like distros. I don't wanna say that we don't need Verisign-like certifications at all. But it is not as universal as in Windows, where development is more enclosed.
  • by Zigg ( 64962 ) on Tuesday November 21, 2000 @05:14AM (#609884)

    Which brings up an interesting point -- is it just executables that are signed? When it comes down to security risks, scripting files and macros are *much* worse. Will Microsoft perhaps get a clue and only allow signed Word macros to do things outside of the document scope?

  • by hey! ( 33014 ) on Tuesday November 21, 2000 @05:15AM (#609888) Homepage Journal
    The details of this are just speculation, but if users and admin could control who they extend trust to, and their is provision for third party certificate authorities, this would be a very good thing indeed.

    Lotus Notes has worked this way for a decade, and has provided all the programmability of Outlook (albeit with a poor UI) with much less virus vulnerability. It is unconscionable that any executable code gets run out of e-mail without a signature when the technology to do this has existed and been proven years before Outlook even existed. In addition if every DLL and exe were cryptographically checked when it was loaded, there might be a bit of a performance hit but it would be worth it in many environments.

    I think it would great if Microsoft considered any drivers signed by them as equivalent to "original equipment" -- in other words no more blaming third party drivers for BSODs.

    Of course we don't know what the details are yet, but there's no reason to engage in FUD. It could be a very good thing or a very bad thing.

  • by Zigg ( 64962 ) on Tuesday November 21, 2000 @05:09AM (#609912)

    Honestly, I doubt that consumer-grade users will ever come to that expectation. I mean, come on, these are the people who shut off their worm and virus warnings so that they can run e-mailed exectuable greeting cards or animations.

    Where this could present a problem is for shareware/PD/free software apps in the enterprise, where IS is more likely to enforce the signed app rule.

  • by American AC in Paris ( 230456 ) on Tuesday November 21, 2000 @05:10AM (#609914) Homepage
    ..."Whistler To Refuse To Run All Unsigned Code"? Oh, come on, Slashdot. -10, ÜberTroll.

    Y'know, this kind of crap doesn't help the Geek Community At Large overcome the image of being a bunch of fanatical morons. Every time I think that Slashdot just might be making the transition into mature, thoughtful news reporting, this kind of rubbish appears on the front page. It's an OPTION. you can turn it OFF. I don't recall seeing healines of "Linux Installs Insecure By Default" because several distros automatically installed and configured an insecure WU-FTP...

    When am I going to be able to read Slashdot without feeling like I'm listening to a bunch of pre-teen 133t k1dd13z taking shots at The Man on #haX0rzC3ntRa1?

    $ man reality

  • by jamiemccarthy ( 4847 ) on Tuesday November 21, 2000 @05:11AM (#609922) Homepage Journal
    If you don't understand why this is important, go read Code and Other Laws of Cyberspace [], by Lawrence Lessig. The future he fears is one where freedom and anonymity on the net are erased because general-purpose computing devices will no longer be able to connect.

    The only freedom we have exists because we can connect Turing devices to the net. Once we are forced to use hardware or software that can perform only "approved" functions, any freedoms we have are in the hands of the people who approve those functions. You will only be anonymous if Bill Gates wants to allow anonymity. You will only have free speech if Bill Gates prefers it. Even your intellectual property rights will be mediated through Bill Gates' software.

    Here's how the net ends -- not with a bang but an upgrade. The government won't put a gun to your head and make you give up your civil rights online. Instead, Microsoft and other vendors will come out with new features that you've just got to have. Well, maybe not you, but when every other person on the internet blindly upgrades, you will find yourself longing for them.

    That's the dark flipside of the law of network efficiency. A network's value is proporational to the square of the number of people on it. And as the rest of the net flees to a Microsoft-only, proprietary operating system, using proprietary protocols, with none of your code allowed, you will discover that the remaining free network's value to you is being square-rooted.

    No, you say, I'm a hardcore free-software supporter. Sure. You may be the hardest of the hard-core, but will even you continue to use a truly free, non-proprietary internet when the only people on it are you and RMS? How will it feel, being the Amish of the next century? As the world around you embraces Windows 20xx and its wonderful billg-approved code, you'll be stuck in your horse and buggy, refusing to use them newfangled zippers because you think they're the tool of the devil.

    C'mon, you know you'll want to send email to all your friends, and check out the cool new holographic websites (that 2-D stuff is so 2000). All you have to do is install the new version of Windows. No, you might not be able to compile your own programs, or upload websites which the Nonobscenity Certification Board fails to approve, but isn't that a small price to pay?

    Jamie McCarthy

  • by yerricde ( 125198 ) on Tuesday November 21, 2000 @03:27PM (#609930) Homepage Journal

    sign the [compiled Apache] executable with a digital signature that has been assigned to them by VeriSign.

    But it's different for GPL programs. The GNU GPL requires that all the tools necessary to rebuild the application be distributed and redistributable (except for compilers and other parts of the OS). This would include a private key, if the target system is one that requires all code to be signed. And VeriSign's monopoly on giving out Authenticode keys means that anyone who wants to build the application must pony up USD $400.

  • by Sethb ( 9355 ) <> on Tuesday November 21, 2000 @11:01AM (#609934)
    Linux doesn't have this problem to begin with, if you are setting up a desktop system for someone and you don't want them to install software, you simply do not give them the root password. They can still download, install and run software, but only in thier home directory and only with thier own user permissions. Which means; no formating the hard drive, deleting or altering system files and few if any virus.

    You can do the same thing on an NT/Win2K/Whistler system, you just don't give the user "Administrator" or "Power User" rights. The problems come in when some appliations require that the user have that level of rights to be able to function. I've had problems with Adobe PageMaker and ImageReady not working with just plain "user" rights. So, as a SysAdmin, you wind up giving some people higher rights than you'd like to because they have tools they need to use that weren't properly tested by the vendor. But, you've opened the door up to them installing all sorts of crap on their system.

    I personally hate After Dark the most, it's the fastest way to screw up your Windows machine...
  • by Carnage4Life ( 106069 ) on Tuesday November 21, 2000 @05:12AM (#609950) Homepage Journal
    Whistler will have the option to only run signed applications. You can turn this off.

    The average user does not tweak defaults, especially when the menu options are as hidden as they are in Microsoft products. After all there has been an option to turn of scripting support in Outlook for several years yet Melissa [] and ILOVEYOU [] theoretically caused billions of dollars in damage because people do not change the default settings.

    Anyway, how many non-computer savvy people are going to run an executable if Windows pops up a suitably scary error message up? After all Microsoft effectively killed Dr DOS [] with phony error messages. If Microsoft decides to implement this policy it is very conceivable that all the major software houses will get Windows Certified(TM) thus pressurizing smaller shops to do the same. Where does this then leave independent developers?

    Second Law of Blissful Ignorance
  • by Huusker ( 99397 ) on Tuesday November 21, 2000 @11:43AM (#609971) Homepage

    Windows System File Protection (SFP) is enforced by SFC.DLL, which is run by a thread in WINLOGON.EXE. It monitors for any file changes in the Windows directory. When it spots a change, it rescans the file by calling SfpVerifyFile() in SFC.DLL.

    SfpVerifyFile() computes the 160-bit SHA digital signature hash of the file data and compares it to the signature in the corresponding catalog (.CAT) file. Note that the signature is not stored in the file itself.

    The .CAT files are located under \WINNT\SYSTEM32\CATROOT. They are heavily armored with RSA PK and obfuscation of the data format. The catalog is modified by calling InstallCatalog() in SETUPAPI.DLL

    The Office division of Microsoft doesn't use SFP, so files like WINWORD.EXE and EXCEL.EXE are not protected. Neither are macro files like NORMAL.DOT. If history is any guide, the Office division will run off and invent their own separate way of doing it.

  • by Chris Johnson ( 580 ) on Tuesday November 21, 2000 @08:53AM (#609974) Homepage Journal
    "Are you running
    any software which produces a warning dialog?"


    "Well, we apologize, but we cannot support 'hacked' systems. In these cases our recommendation is to reinstall the system and all Office/.NET files, and don't install the untrusted software. If you've done this and are still experiencing problems you may qualify for tech support, but we can't take responsibility for 'hacked' systems, okay?"

    It's that simple. On the one hand- this makes perfect sense. Windows is _plagued_ with horrible little shareware programs and random junk and AOL and who knows what else- it _is_ absurd to try and support some Windows system in which some idiot has installed a really old version of AOL from some random old CD or floppy. On the other hand, this is the mother of all network effects- a really strong argument for freezing out _all_ other software developers, essentially delivering on that long forgotten promise of Microsoft: "We think 100% penetration is a good marketshare". It is downright justifiable to take this attitude as Windows is easily rendered useless by screwed up software (so's MacOS, FYI). At the same time- this turns the situation at a stroke from a market into a command economy with MS the sole supplier- if you can't get support unless you abandon all untrusted code, a surprising number of people will do just that, particularly in controlled situations such as workplaces, or the large number of people who are _not_ busily checking out all the new games or whatever. Aunt Fannie, who only reads email and uses Word, is square in the crosshairs of this new development, and there are a lot of people like that out there.

    Nothing more than a warning dialog and loss of 'support' need ever happen. Think of it as a combination cutting of support for 'renegade' users who run untrusted code- and keeping in line 'good' users who want normal, expected support from the vendor.

Money can't buy love, but it improves your bargaining position. -- Christopher Marlowe