Microsoft Agrees to Changes in Vista Security 318
An anonymous reader writes "Bowing to pressure from European antitrust regulators and rival security vendors, Microsoft has agreed to modify Windows Vista to better accommodate third-party security software makers. In a press conference Friday, Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security. In addition, Redmond said it would modify the welcome screen presented to Vista users to include links to other security software other than Microsoft's own OneCare suite. From the article: 'It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet.'"
testing the waters? (Score:3, Insightful)
From the article (and /. summary):
It's only an author's surmise, but as I understand and interpret Microsoft's position, there is no line they will be able to cross ever while they are still a monopoly. Microsoft enjoys (immensely) their monopoly position in PC OSes, and as long as they do (immensely), they will continue to be proscribed from using their monopoly to leverage, influence, and otherwise compete unfairly with any other of their products.
There is no line to test.
Re: (Score:3, Insightful)
According to the EU, MS apparently has some obligation to keep these security companies leeching off their OS exploits alive, even to the point of opening their system to security exploits in Vista to do so.
Don't get me wrong, I can understand Symantec going nuts about the OneCare advertising, and can somewhat understand the security center, (although I think MS should allow Symantec to write whatever they want there instead of letting Symantec Disable t
the correct OS behavior should be obvious (Score:2)
Perhaps like this:
1. copy a file with the key into a specific directory
2. press alt-ctrl-del
3. select "prepare key for installation"
4. enter password
5. key is moved to a protected directory
6. you verify that you want the key
7. reboot, then press alt-ctrl-k early in the boot
8. enter your password, select the kay, and confirm that it is the one you want
That will do. A business can install their own keys. An anti-virus program could ask you to install
Re: (Score:2, Funny)
Re:testing the waters? (Score:5, Insightful)
We've all been over this before...
- Computer manfuacturers are bent over a barrel to include an OEM Windows install on every machine they sell. The only realistic way for a user to get a computer without Windows is to build one themself.
- Since everybody is already getting a copy of Windows, what incentinve is there for the end user to try an alternative OS? Better yet, even if they do, they've already paid for Windows and Microsoft still has their money and their "installed base" numbers
- People write software for the dominant OS rather than invest even more money into R&D for multiple OSes. Meaning that most applications (read "games") out there are designed for Windows
The 95% of end users out there who don't build their own PCs from scratch are left with choosing to continue running the Windows their machine came with, or to take on the Sisyphusean challenge of working to install their own OS and tailoring their software shopping (if not their life in general) around that OS instead of simply using what they already paid for."You know why people use Microsoft Windows? Because they like it."
Microsoft will never allow anybody to test that hypothesis in any meaningful way. You can't say that with any certainty until Dell and HP start saying "Would you like Vista or Fedora with your new computer?"
And how does Microsoft do this? By abusing their monopoly power.
Re: (Score:3, Interesting)
Let's go over it once more...
Computer manfuacturers are bent over a barrel to include an OEM Windows install on every machine they sell. The only realistic way for a user to get a computer without Windows is to build one themself.
Computer manufacturers are motivated to provide a product customers want to buy. The number of people that would buy machines with some flavor of Linux is very small. It would be foolish for computer manufacturers to make computers without
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Um, that's because Microsoft has OEM contracts in place that raise Windows license fees if companies ship competing software, even if it's simply provided as an option. Why do you think Dell barely advertises Linux? Yes, it would be foolish for OEMs to cross Mic
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
OK, most of th
Forced to use (Score:3, Interesting)
I am, however, forced to *buy Windows every time I get a new computer. I could build my own, I guess, but that's quite a bit of work.
Or would you say that the US Postal service doesn't have a monopoly because after all I can drive my letters to Nevada myself if I don't like their product?
Re: (Score:2)
Breaking news.. It IS that hard for the vast majority of users. This is how large scale PC manufacturers, not to mention small build shops, are able to exist.
Build from Scratch? (Score:3, Insightful)
However, expecting the average user to know how to do that is like expecting the average person to perform brain surgery. Most people I know have a hard time telling the difference between RAM memory and Disk memory. They think the tower is the "CPU", and that SCSI is what you call gum stuck to the bottom of your chair. It's not that the people aren't smart. It
Re: (Score:2)
So what you're saying is, we need the computer building equivelent of a bread machine? Buy a big bag of parts, dump it into the hopper, and turn it on
Re: (Score:2)
They were found to be one in a court of law.
There is plenty stopping people from using other operating systems on their PC, #1 being that it's difficult to find PCs that ship non-Windows on them. Dell doesn't even advertise it.
Are the alerts perhaps the problem? (Score:2, Interesting)
Perhaps all the alert popups that Windows is more and more cluttered with are a problem? As an XP user, I'd be sorely tempted to use a simple option if available that suppressed ALL of these popups. They are just as annoying in an OS as they are in
Re:Are the alerts perhaps the problem? (Score:5, Funny)
Re: (Score:2)
Did that end with "NO CARRIER"? hahaha. Often accompanied by a badly-designed message window that has two or three options, NONE of which you want (one reason being is that they are poorly described). So you decide to ignore the popup and minimize it. Oh look, it breaks windows-design standards by not having "mini
Re: (Score:2)
Finally, a reason for the masses to go to a dual-monitor setup. Drag that old obsolete 12" monochrome monitor and hercules card out and just "drag-and-ignore".
Re: (Score:2)
That's not a bad idea. And when they're finished, they can just lock their computer to that screen ... anyone else wanting to use it will have to click click click click click click click click click click click click ...
Re: (Score:2, Funny)
QA didn't have a cow, they had an entire herd.
Re: (Score:2)
Re:You & I Are Smarter Than the Average Bear (Score:3, Funny)
You mean the ignorant siblings who always click "OK" every time they see a popup, so when you go home you find a desktop filled with bonzi buddies and casino shortcuts, 3 toolbars on the browser, and full-screen ads that pop-up at any time at random?
"I know they're Microsoft and they're stupid/evil but you have to see at least some sort of benefit from t
Two approaches to security. (Score:2)
You know, you can either train the guy cowering in the room in the middle of the house on how to use a blunderbuss to deal with intruders..... Or you can address the fact that there are no actual windows or doors in the empty door/windowframes of the house, and maybe consider the removing the big "FREE FURNITURE - COME ON IN" sign that is on th
I don't get it. (Score:4, Insightful)
On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive.
Make up your mind. Or is just permanent open season on MS?
Re: (Score:3, Insightful)
Re:I don't get it. (Score:5, Insightful)
Lies. Trend and Avast have apparently been able to run on Vista without any problems. They knuckled down and wrote code so they worked on Vista, and indeed Vista has an API called Windows Filtering Platform, which allows anti-virus makers to monitor file activity. Symantec and McAfee, on the other hand, threw a hissy fit.
Microsoft is, for once, clearly in the right.
Re: (Score:2)
Re: (Score:2)
That is very deceptive, and frankly a lie. All the anti-virus makers can use the same built in APIs for anti-virus protection. In fact they all plan on doing it without any complaints too. Symantec and MsAfee are always involved in the development of those API's with MS.
What is in question is the security center. MS designed a tool that ALL de
Government Interference in the Marketplace (Score:2, Insightful)
Sorry but I think the kernel should be off limits. Leave that to Microsoft and hold them wholly accountable to preventing issues with it. On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive. Make up your mind. Or is just permanent open season on MS?
Exactly.
That is why we got such awful security in Internet Explorer [although for the opposite reason]: Back in the mid-to-late 1990s, the Clinton administration
Re: (Score:2)
That wasn't the only course of action they could have taken. They could have just actually made a better browser than Netscape. It's a radical idea
Re: (Score:2)
Re: (Score:2)
Whiskey. Tango. Foxtrot.
Re: (Score:2)
"Microsoft was forced to integrate Internet Explorer into the operating system so that they could say to the Justice Department that they couldn't ship a version of Windows without it."
Re: (Score:3, Insightful)
Now that there's a chance all those holes might go away, they will fight tooth and nail to prevent that from happening. I'm no Microsoft fan but these companies whining about Microsoft using their monopoly position to shut them out of the market, are in conflict of interest.
Nothing new here, just buisness as usual.
Re: (Score:2)
This is not necessarily a bad thing. Developers, like every one else, are generally lazy and do not really want to do more work than necessary. Firm
Re: (Score:2, Insightful)
The Wikipedia treatment (Score:2, Insightful)
The value in finding security holes in a Windows box is that there are millions that can be turned into zombies to be used to crank out spam or worse. There is no money in hacking Linux. [citation needed]
Most of the holes found in Windows come from Linux hackers who rarely take a look at their own OS. While there are many secure features in a stand
Re: (Score:2)
So do the companies I work for of course..
At any rate, as part of my job I do forensics and cleanup of compromised machines, Windows, Linux and many Unix variations... Linux (and in general Unix) machines are typically a desirable target for those involved in denial of service attacks, distribution of illegal files and so on, usually because they are used as a server and have a lot of bandwidth.
Re: (Score:2)
MS is making these changes in response to legal threats, so common sense doesn't enter into it.
Most important question (Score:4, Interesting)
It would be nice if one batch of companies out to screw you over had accidentally been defeated by another batch of companies out to screw you over. Sort of collateral rebuilding, if you like.
I find it kind of interesting... (Score:5, Insightful)
Companies like Symantec (aka Norton) have profited immensely from an industry created because Windows wasn't secure.
Now they're upset because Microsoft wants that piece of that market; in other words, Microsoft wants to profit from the fact that Windows isn't secure.
Yet in pretty much every other operating system, the solution is simply to make the darned thing secure.
Now, I realize that the issues are a bit larger than this, but I do wonder: IF Microsoft ever released a truly secure operating system, thus making Symantec and other such companies as relevant as the buggy whip, would they then sue to prevent the release of the O/S?
Re: (Score:2, Insightful)
Re: (Score:2)
Actually no reasonable person can ignore the fact that its Microsofts own fault.
Its because of Microsoft inability to create secure software that Symantec, McAfee et al exists at all. So basically its Microsofts inability to create good software that forces them to do these changes now.
Basically bad choices from before has come back and bitten them in the tail. Bad hacks has a tendency to do just that.
Re: (Score:2)
You have a very good point. There is one minor point to make here, I think, and that
is that Microsoft is responsible for Microsoft abusing their monopoly position and putting
themselves under the scrutiny they are under. If their actions and attitudes had
been different, they would have more options at times like this.
Re: (Score:2)
The difference is 1 and only 1 of the Operating Systems are used by virtually everyone on the planet... while the others struggle to get above 5%.
See, linux, osx, etc. are really that much more secure than Vista, its that not enough people use them to write viruses for.
You guys were on your high horses about Firefox being more secure than IE, but the bugs and security holes have been out pacing IE every since it broke th
Re: (Score:2)
Where do you buy your smoke-stuff ?
There is nothing like a secure OS. FYI.
Re: (Score:3, Insightful)
There is nothing like a secure OS.
People who forget Multics [wikipedia.org] are doomed to, er, um, forget that it existed.
While I dislike the M$ monopoloy... (Score:2, Insightful)
Of course if it turns out that Microsoft was just locking other vendors out to make users use their security software, which performed poorly I applaud the EU for helping the consumers. Because really all I care about is how well the end result is.
Re: (Score:2, Offtopic)
But before this you were willing to spend money on a crippled OS to accommodate third party media vendors?
Re: (Score:2)
Re: (Score:2)
At least, that's how I understood part of the issue. If anything there is wrong, though, I would like to know.
Beginning of the downfall (Score:2)
They are pissing off their corporate customers, the governmnent. end users, 3rd party vendors.. Pretty much everyone...
Much as the *AA's are starting to cross the line, and will pay the price if they dont adapt, quickly.
The world has changed, and people are more aware and just wont put up with it..
Re: (Score:2)
Vista can't be the beginning of the end for Microsoft - there's nowhere else for customers to go. There is no OS that offers the same level of hardware support, software support or technical support. There's no other operating system that companies can go to without retraining their staff. There's no other operating system that customers want pre-installed on their desktops and laptops, and there's no other operating system for software and hardware companies to design for.
I'm not a Windows fan. I gave up W
I dont agree (Score:2)
They stole products ( DOS ) and concepts ( GEM anyone? ), and screwed people over during their 'rise to total domination'. From day one they were against software freedom. "dont copy our paper tapes of BASIC, its wrong" . They screwed IBM with NT after they drained IBM of the OS/2 code during their 'partnership'
Re: (Score:2)
WTF
You're a nutbag. You really think that is going to persuade people to agree with you?
3rd parties should protect the OS (Score:3, Insightful)
What other changes before launch? (Score:2)
Can't say I'm particularly happy about this (breaking security in the name of security? Could even OneCare touch the kernel before this?), but this makes me wonder if they'll actually bend to user pressure to change the licensing terms [slashdot.org]?
Of course, the users don't have a legal team on speed-di
Re: (Score:3, Insightful)
For those who missed the "irony" tags - people didn't switch from 2k to XP - they went from Win9x to XP - the 2k users continually dug in their heels when it came to switching. And certainly nobody I know even has Vista on their ra
Symantec too lazy to recode for PatchGuard (Score:2)
No, One Care doesn't touch the kernel.
Vista already had APIs to allow security software to monitor file activity without touching the kernel. This the API that One Care uses. And *most* security software already use that API, such as:
Trend Micro's "PC-cillin" [trendbeta.com]
Avast! [avast.com]
Sophos [betanews.com]
Symantec and McAfee, unfortunately implement their software by mucking directly with the kernel, so
The anti-virus market shouldn't exist (Score:2)
Re: (Score:2)
Problem is that all software contains bugs, so actually making this perfect is impossible.
Hence, there will still be a need to look in kernel space to see if everything there is really ok.
Surely the AV compan
Just let them have it already (Score:3, Interesting)
I say, let's just let them do whatever they want. A few things could come of this:
-Nothing really changes, we take off our tin foil hats, and life continues just fine
-Vista may actually be more secure and developers become adjusted to developing for it
-Vista becomes so hard to work with (as a software developer) that no software is written for it and everyone keeps using (developing for) XP, or switches OSes (and Vista becomes one of MS's big blunders)
-Vista becomes hard to work with (as a software developer) and we see more software makers moving over to alternative OSes (OSX, *nix, etc)
Really, what is so wrong with the LONG TERM results of these scenarios? Let's let MS make or break itself. Let's let them "test the waters" and see what happens.
Re: (Score:2)
NO NO NO. (Score:5, Interesting)
Symantec and McAfee on the other hand, rather than invest money in development for a version of their programs which fits Vista's new security model, decided to bitch and whine loudly about Microsoft's new security in Vista while doing nothing of any value. In a sane and equitable world, Microsoft would have offered to aid them in building their new anti-virus products for Vista, and McAfee and Symantec would have agreed. Instead, probably with the threat of a lawsuit from the two companies, and because of the two launching attack ads, they let them bypass their new security features.
This should not be happening. This is BAD for security, as once you let one program bypass security barriers it's only a matter of time before others do, not all of them friendly. This is STUPID because Microsoft has kowtowed to pressure from two companies far more focused on saving money on developing their shitty, shitty antivirus programs than actually providing any more security.
Fuck Symantec, fuck McAfee.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
But said government body only kicked up a fuss because Symantec and McAfee complained; MS are indeed kowtowing to them, the EU commission is just acting as a proxy.
Re: (Score:2)
"Redmond said it would modify the welcome screen presented
to Vista users to include links to other security software."
Maybe the forced Vista sound at logon will play a friendly tune for Microsoft's solution, and dire music for those who bypassed it.
Re: (Score:2)
blah, EU went too far (Score:3, Insightful)
Forcing MS to weaken Vista's security and reliability to accomodate these AV companies sucks though.
This is a -bad- thing. Why are we applauding it on slashdot? Are we so caught up in MS hate that we want the government to force them to weaken their product from a technical standpoint?
Maybe this is an example of how having a reputation for lying will make people think you are being dishonest even when you are telling the truth. I know a lot of people on this website dont totally understand the technical issues involved. But doesnt the EU commission have any experts that can explain to them that they are weakening Vista by forcing this on MS?
Re: (Score:2)
If I thought for 1 minute Microsoft could actually accomplish a secure OS I would agree with you.
They haven't yet done it in a consumer grade OS and they never will.
Regardless of the fact I will not install Nortons on another system (too many issues in the past) the ability to do so if warranted is absolutely a requirement.
And really, at the end of the day, let me guess what they do... they sell a pre-approved private key to Symantec, or any other reputable company and provide them with the dll/api calls to
What is the point... (Score:2)
Put simply, crackers will ultimately be able to use the same backdoors to do Bad Things(tm).
Must mean more delays (Score:2, Interesting)
This is a major change in the security model of the OS. As such it means the security model must be reviewed and re-evaluated. If Vista is released on the current schedule, that will mean that Microsoft have not done this essential work, which will mean the whole security model of the OS is invalid and (heh heh!) "untrustworthy". Not to mention the knock-on effects of this change on all those comingled applications (Internet Explorer, etc) - their security models are now b
Re: (Score:2)
Microsoft has NO CLUE AT all regarding security. (Score:5, Interesting)
But even with 2000, MS had to insert their boneheaded ideas in it. For example, with "Windows File Protection," which is really the sfc.exe ("System FIle Checker") and sfcfiles.dll (The actual list of files to be protected, stuck in a DLL) it gives an Admin NO WAY to add to or change which files are protected. And it includes things like PINBALL.EXE!!! in the list of protected, undeletable system files. And creates stupid things like "C:\Program Files\microsoft frontpage" when I DO NOT even have Frontpage or IIS installed. And unless you disable SFC (which I did) it will re-create the stupid directory on every re-boot. So what COULD HAVE BEEN a useful feature is more like a "let MS Admin your computer for you" feature, because there is no way for the owner of the computer to manage which files are protected under "Windows File Protection." And guess what, on COMPUTERS I OWN, **I** like to control what directories are created and where they are placed. It's MY computer!!!
Now I have read, from a recent article by Mary Jo Foley, ZDNET, that some of the new security in Vista will come from "Code protection technologies such as tamper resistance, code obfuscation, and anti-reverse engineering measures..." THIS IS NOT SECURITY. This is HIDING YOUR BUGS. Instead of actually fixing the bugs, or not having them to begin with, they are actively trying to just make them harder to find. But they are still IN THERE!! This is just simply boneheaded. This is not the way to develop an OS.
With this new WGA crap, they are trying to FORCE users to install (and keep installed) components that NO ONE WANTS (except MS, of course). But guess what, any decent computer Admin **MUST** have the ability to accept or deny ANY update to the OS and have the ability to rollback changes if they cause problems. Just Google for wgatray.exe for many fine examples of the horrible problems their crap is causing.
With Win 2000 at least, MS created a good OS, once you fix the initial problems. But for me at least, there is NO WAY I will "upgrade" to this Vista shit with requiring signed drivers (what about independent hardware hackers/developers?) or XP with "Activation" (what, I can't swap out my motherboard without CALLING and RE-ACTIVATING?) They have just gone too far with this DRM and Anti-Piracy shit. NOT IN MY OPERATING SYSTEM.
I need to move to Linux. Kubuntu is looking really good now. If I can just get the couple of games I like working under WINE or Cedega, then F*** MS. It's just too much. I've had enough.
Crax
P.S. The Mary Jo Foley article I quoted from is located at:
http://blogs.zdnet.com/microsoft/?cat=18 [zdnet.com]
Re:Microsoft has NO CLUE AT all regarding security (Score:2)
-Imminent follow-on thrashing of Microsoft: several-times-check.
-Mention of impending DRM: check.
-Favourable view of Windows 2000: check.
-Unfavourable view of Windows Vista: check.
-Thread of 'moving on to Linux': check.
"It looks like you're writing a Microsoft post!......"
P.S - http://crouchingbadger.com/movie/paperclip.mpg [crouchingbadger.com]
The article worded it wrong (Score:2, Interesting)
Here's an informative link [stepto.com] on KPP or PatchGuard.
This really stinks (Score:2)
And is anyone else incredibly annoyed when they find that some interface in the OS (like security center) has been disabled and replaced with something inferior? I don't think McAfee and Symantec care about that so much as making sure that Windows continues to face serious s
Security Afterthought (Score:2)
This is the OS that the vast majority of PC users will depend on for their privacy and data security. Billions of people, many in essential services like healthcare, defense, banking, emergency response, depending on it every day to work reliably, despi
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Virus API (Score:2)
Will the MAIN users of the API be virus writers, or will they only be a minor percentage of the coders who use it?
Make no mistake - this API is a security vulnerability which virus developers WILL use. I really hope that the API requires a DLL which I can remove, unregiser and exorcise from my systems. Or some other way, which cannot be bypassed, which will ensure that NOTHING (not even symantec
Re: (Score:3, Insightful)
The problem is that Microsoft's record with security isn't great; lots of people (myself included) prefer to trust another company to provide anti-virus and firewall security under Windows. Microsoft will have to work very hard - in an equal arena -- to show that their AV and firewall solutions are as good or better as those of their competition
Re: (Score:2, Interesting)
The parent article misses a beat in that Microsoft has an API to the kernel for their AV needs, by definition. The only issue is should that be public. The EU is making them publish this API (in some form, I don't trust Microsoft to release all their 'goodies'). But should it remain private to Microsoft then the consequence is that virus writer's will de-enginee
Re: (Score:2)
That is true only in theory when it comes to Microsoft.
One can for example make the same argument about the MS tool for finding malicious software. Granted, their tool is decent, but not the best one around, not by far even, despite their 'intimate knowledge' of their own system.
Matter of fact is that despite unpublished APIs, attempts at completely breaking competi
Re: (Score:2)
Vista could be remedially-exempt (eg. totally secure)
Totally secure does not exist. It is a theoretical impossibility.
Being able to use different tools from different vendors to analyse the current state of a machine is simply vital for being able to keep the machine secure. Why? because none of those tools will be perfect, and there will always be issues that are found by one but not the other tool.
Re: (Score:2)
Agreed there.
I've felt the effect of failures in too many degree-removed apps (McAfee, Norton, etc.) to blindly trust them as it seems do you.
I have seen enough issues to not trust anyone blindly in this, not 'even' Microsoft. Please don't jump to conclusions..
I'm in the camp that should Microsoft cho
Re: (Score:2)
Re: (Score:2)
People complain that Microsoft is making it hard to be secure, if not impossible. Then Microsoft changes things, to make it hard to be secure, if not impossible, but in a different way. People still complain.
It's inexact, and quite impossible to say right now, before Vista is released, that Vista is secure(which in this context, means unhackable).
Re: (Score:2)
Dreaming, are you !
There is nothing like a secure OS. FYI.
Re: (Score:2)
they dont.
It would be easier to sympathize with Microsoft if they had
taken security more seriously from the beginning, and had
worked more on these issues rather than chasing features.
That was not right.
Re: (Score:2)
Re: (Score:2)
Is that you Hans? http://geekz.co.uk/lovesraymond/archive/so-i-marri ed-a-kernel-programmer [geekz.co.uk]
Re: (Score:2)
Re: (Score:2)
I hope the new API hooks don't become a security hole, and if it does, I hope the blame gets placed where it belongs - but I know it won't.
Many years ago, symantec was pretty good. Then again, maybe it's that Norton was good before Symantect bought them.
In either case, whe
American decision (Score:2)
We've already done this several times.
After a suitable discovery of the facts, hearing of the arguments, several appeals and considerable political activism, many years pass. Microsoft finds itself in a climate amenable to a trivial settlement without admission of wrongdoing. For consumers relief is usually in the form of a coupon good for some small discount off further purchases, or in similar discount provided to some third party like schools.
Unfortunately for consumers justice delayed becomes justice