Microsoft Agrees to Changes in Vista Security

An anonymous reader writes "Bowing to pressure from European antitrust regulators and rival security vendors, Microsoft has agreed to modify Windows Vista to better accommodate third-party security software makers. In a press conference Friday, Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security. In addition, Redmond said it would modify the welcome screen presented to Vista users to include links to other security software other than Microsoft's own OneCare suite. From the article: 'It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet.'"

testing the waters?

[yagu]

From the article (and /. summary):

It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet," Northcutt said. "That's a good thing, because it's just too easy for mistakes to happen when you are only left with a single security provider."

It's only an author's surmise, but as I understand and interpret Microsoft's position, there is no line they will be able to cross ever while they are still a monopoly. Microsoft enjoys (immensely) their monopoly position in PC OSes, and as long as they do (immensely), they will continue to be proscribed from using their monopoly to leverage, influence, and otherwise compete unfairly with any other of their products.

There is no line to test.

Re:

[Deathlizard]

No, they should have fought the EU to the end on this.

According to the EU, MS apparently has some obligation to keep these security companies leeching off their OS exploits alive, even to the point of opening their system to security exploits in Vista to do so.

Don't get me wrong, I can understand Symantec going nuts about the OneCare advertising, and can somewhat understand the security center, (although I think MS should allow Symantec to write whatever they want there instead of letting Symantec Disable t

the correct OS behavior should be obvious

[r00t]

Only signed drivers can install, but I can add my own keys.

Perhaps like this:

1. copy a file with the key into a specific directory
2. press alt-ctrl-del
3. select "prepare key for installation"
4. enter password
5. key is moved to a protected directory
6. you verify that you want the key
7. reboot, then press alt-ctrl-k early in the boot
8. enter your password, select the kay, and confirm that it is the one you want

That will do. A business can install their own keys. An anti-virus program could ask you to install

Re:

[Xiph1980]

may I assume that you took the blue pill?

Re:testing the waters?

[Guppy06]

"Microsoft isn't a monopoly though. There is absolutely nothing stopping anyone from using any number of other x86 operating systems on their PC. Don't like Windows? Fine, install Linux, FreeBSD, NetBSD, OpenBSD, etc. Hell, buy a Mac and use MacOS X."

We've all been over this before...

1. Computer manfuacturers are bent over a barrel to include an OEM Windows install on every machine they sell. The only realistic way for a user to get a computer without Windows is to build one themself.
2. Since everybody is already getting a copy of Windows, what incentinve is there for the end user to try an alternative OS? Better yet, even if they do, they've already paid for Windows and Microsoft still has their money and their "installed base" numbers
3. People write software for the dominant OS rather than invest even more money into R&D for multiple OSes. Meaning that most applications (read "games") out there are designed for Windows

The 95% of end users out there who don't build their own PCs from scratch are left with choosing to continue running the Windows their machine came with, or to take on the Sisyphusean challenge of working to install their own OS and tailoring their software shopping (if not their life in general) around that OS instead of simply using what they already paid for.

"You know why people use Microsoft Windows? Because they like it."

Microsoft will never allow anybody to test that hypothesis in any meaningful way. You can't say that with any certainty until Dell and HP start saying "Would you like Vista or Fedora with your new computer?"

And how does Microsoft do this? By abusing their monopoly power.

Re:

[Columcille]

We've all been over this before...

Let's go over it once more...

Computer manfuacturers are bent over a barrel to include an OEM Windows install on every machine they sell. The only realistic way for a user to get a computer without Windows is to build one themself.

Computer manufacturers are motivated to provide a product customers want to buy. The number of people that would buy machines with some flavor of Linux is very small. It would be foolish for computer manufacturers to make computers without

Re:

[Stradivarius]

Your last paragraph identified the real issue, which is applications. Most people could care less what operating system they run. They just want to be able to use the computer in certain specific ways - write documents, play games, surf the web, etc. If people could get all their applications and not have to put up with all the Windows spyware and viruses, I bet they'd jump at alternatives. (Just look at the recent upswing in the popularity of Macs, despite the much smaller choice of software available on

Re:

[Overly Critical Guy]

Computer manufacturers are motivated to provide a product customers want to buy. The number of people that would buy machines with some flavor of Linux is very small. It would be foolish for computer manufacturers to make computers without Windows.

Um, that's because Microsoft has OEM contracts in place that raise Windows license fees if companies ship competing software, even if it's simply provided as an option. Why do you think Dell barely advertises Linux? Yes, it would be foolish for OEMs to cross Mic

Re:

[Columcille]

I used to be quite the anti-Microsoft zealot. Then I realized I was only anti-Microsoft because it was the geek thing to do. Microsoft has its problems, but it really does deliver good products and, IMO, the best OS's out there. In the end that sort of claim is simply a matter of personal opinion, but at the very least it is one of the options on the table.

Re:

[xanadu-xtroot.com]

Because they like it. It's stable, friendly, and well supported from both the vendor and third-party software point of view.

...And well supported by people like me (us IT folks), you forgot to mention. I've yet again had to do a "Standard Windows Cleanup" this past week. My GF'S Dad's XP machine was under the weather (again). He's teh Average, Joe Six-Pack (l)user. Multiple versions of AOL installed (and couldn't uninstall a single one of them), Anti-Virus Defs about a year old, etc.

OK, most of th

Forced to use

[Mateo_LeFou]

I don't use windows, because I want to control my computer.

I am, however, forced to *buy Windows every time I get a new computer. I could build my own, I guess, but that's quite a bit of work.

Or would you say that the US Postal service doesn't have a monopoly because after all I can drive my letters to Nevada myself if I don't like their product?

Re:

[Criterion]

So, welcome to the 0.5% of us (and that might well be stretching it even then) that can do so. What about the other 99.5%? You know, the ones that don't know the diff between pci-e and agp.

Breaking news.. It IS that hard for the vast majority of users. This is how large scale PC manufacturers, not to mention small build shops, are able to exist.

Build from Scratch?

[Bilbo]

Build your own system? HA!!! I can do it in about 10 minutes. (Takes me longer to install the OS than it does to put the hardware together.)

However, expecting the average user to know how to do that is like expecting the average person to perform brain surgery. Most people I know have a hard time telling the difference between RAM memory and Disk memory. They think the tower is the "CPU", and that SCSI is what you call gum stuck to the bottom of your chair. It's not that the people aren't smart. It

Re:

[deathy_epl+ccs]

You could probably learn how to bake bread from scratch, but why bother if you can just go to the store and buy it ready made? Sure, bread made from scratch is better tasting, and probably a LOT better for you, but you don't have time to fiddle around with it. So, you let other people do the baking for you, and you just keep buying scuzzy store-bought bread.

So what you're saying is, we need the computer building equivelent of a bread machine? Buy a big bag of parts, dump it into the hopper, and turn it on

Re:

[Overly Critical Guy]

Microsoft isn't a monopoly though.

They were found to be one in a court of law.

There is absolutely nothing stopping anyone from using any number of other x86 operating systems on their PC.

There is plenty stopping people from using other operating systems on their PC, #1 being that it's difficult to find PCs that ship non-Windows on them. Dell doesn't even advertise it.

Don't like Windows? Fine, install Linux, FreeBSD, NetBSD, OpenBSD, etc. Hell, buy a Mac and use MacOS X. This myth that you're somehow forced

Are the alerts perhaps the problem?

[krell]

"designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security"

Perhaps all the alert popups that Windows is more and more cluttered with are a problem? As an XP user, I'd be sorely tempted to use a simple option if available that suppressed ALL of these popups. They are just as annoying in an OS as they are in

Re:Are the alerts perhaps the problem?

[Anonymous Coward]

You must restart your computer. Would you like to do it now, or would you like me to display this same dialog 30 seconds from now, while you're doing something else like typing a slashdot comm

Re:

[krell]

"You must restart your computer. Would you like to do it now, or would you like me to display this same dialog 30 seconds from now, while you're doing something else like typing a slashdot comm"

Did that end with "NO CARRIER"? hahaha. Often accompanied by a badly-designed message window that has two or three options, NONE of which you want (one reason being is that they are poorly described). So you decide to ignore the popup and minimize it. Oh look, it breaks windows-design standards by not having "mini

Re:

[tomhudson]

(or drag it to a corner of the screen where it sits with other unstoppable inscrutable popup windows until you reboot).

Finally, a reason for the masses to go to a dual-monitor setup. Drag that old obsolete 12" monochrome monitor and hercules card out and just "drag-and-ignore".

Re:

[tomhudson]

That's not a bad idea. And when they're finished, they can just lock their computer to that screen ... anyone else wanting to use it will have to click click click click click click click click click click click click ...

Re:

[GTMoogle]

In college I worked at a software company where one developer arbitrarily decided that the product needed to restart when first installed. So he activated the standard windows restart routine that gives you a dialog that says "Windows will restart in 30 seconds", a graph that's counting down, and a 'restart now' button.

QA didn't have a cow, they had an entire herd.

Re:

[pdbaby]

I wonder how long it will be before operating systems come with a "you're running low on disk space: want me to order a 250gb drive for you?" ...or buy internet-based storage like on S3. While I doubt it'd have the best prices, I'm sure it'd be a big hit with normal users

Re:You & I Are Smarter Than the Average Bear

[krell]

"These alerts and popups may be the thing needed to prevent my computer ignorant siblings from obediantly installing viruses on my parent's computer."

You mean the ignorant siblings who always click "OK" every time they see a popup, so when you go home you find a desktop filled with bonzi buddies and casino shortcuts, 3 toolbars on the browser, and full-screen ads that pop-up at any time at random?

"I know they're Microsoft and they're stupid/evil but you have to see at least some sort of benefit from t

Two approaches to security.

[krell]

"I know they're Microsoft and they're stupid/evil but you have to see at least some sort of benefit from these (all be they poorly implemented) security features."

You know, you can either train the guy cowering in the room in the middle of the house on how to use a blunderbuss to deal with intruders..... Or you can address the fact that there are no actual windows or doors in the empty door/windowframes of the house, and maybe consider the removing the big "FREE FURNITURE - COME ON IN" sign that is on th

I don't get it.

[Shivetya]

Sorry but I think the kernel should be off limits. Leave that to Microsoft and hold them wholly accountable to preventing issues with it.

On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive.

Make up your mind. Or is just permanent open season on MS?

Re:

[UnknowingFool]

Here's the crux of the complaint: In Windows, to combat viruses and add security like firewalls, these programs need kernel level access (as many APIs unfortunately do). Now with Vista, MS had decided to close off that access to all software except their commercial security apps (which they will charge extra to the customer). To some that is abusing their monopoly. It would one thing if they closed it totally because of security and that nothing but the OS could access it. But they had set it up to whe

Re:I don't get it.

[jb.hl.com]

MS had decided to close off that access to all software except their commercial security apps (which they will charge extra to the customer)

Lies. Trend and Avast have apparently been able to run on Vista without any problems. They knuckled down and wrote code so they worked on Vista, and indeed Vista has an API called Windows Filtering Platform, which allows anti-virus makers to monitor file activity. Symantec and McAfee, on the other hand, threw a hissy fit.

Microsoft is, for once, clearly in the right.

Re:

[stubear]

This is not insightful, it'd FUD. Scratch that, it's outright bullshit. Microsoft's security apps use the same interfaces that they offered Symantec and McAfee, not special-super-secret-knwown-ony-to-microsoft hooks or other tricks. Trend Micro, a European security software company, was able to get their anti-virus application to work just fine with the new security API's in Vista, no hooks into the kernel necessary. If they can do it, the EU should back fuck off and tell Symantec and McAfee to do the s

Re:

[CDPatten]

"Now with Vista, MS had decided to close off that access to all software except their commercial security apps (which they will charge extra to the customer). "

That is very deceptive, and frankly a lie. All the anti-virus makers can use the same built in APIs for anti-virus protection. In fact they all plan on doing it without any complaints too. Symantec and MsAfee are always involved in the development of those API's with MS.

What is in question is the security center. MS designed a tool that ALL de

Government Interference in the Marketplace

[mosel-saar-ruwer]

Sorry but I think the kernel should be off limits. Leave that to Microsoft and hold them wholly accountable to preventing issues with it. On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive. Make up your mind. Or is just permanent open season on MS?

Exactly.

That is why we got such awful security in Internet Explorer [although for the opposite reason]: Back in the mid-to-late 1990s, the Clinton administration

Re:

[Dmala]

Back in the mid-to-late 1990s, the Clinton administration was suing Microsoft over their "monopolistic" marketshare, and because of that [vis-a-vis Netscape and their browser], Microsoft was forced to integrate Internet Explorer into the operating system so that they could say to the Justice Department that they couldn't ship a version of Windows without it.

That wasn't the only course of action they could have taken. They could have just actually made a better browser than Netscape. It's a radical idea

Re:

[Tridus]

Its worth noting that by version 4, they DID make a better browser then Netscape (some would argue around version 3). Netscape turned into garbage around that point.

Re:

[Karzz1]

"...governments forcing Microsoft browsers into the operating system..."

Whiskey. Tango. Foxtrot.

Re:

[Karzz1]

Oops.... Forgot to quote this line as well:

"Microsoft was forced to integrate Internet Explorer into the operating system so that they could say to the Justice Department that they couldn't ship a version of Windows without it."

Re:

[s4ltyd0g]

The anti virus companies have made tons of money off of Microsoft insecurties.

Now that there's a chance all those holes might go away, they will fight tooth and nail to prevent that from happening. I'm no Microsoft fan but these companies whining about Microsoft using their monopoly position to shut them out of the market, are in conflict of interest.

Nothing new here, just buisness as usual.

Re:

[fermion]

Perhaps putting this in another context might be worthwhile. MS has never seemed to be an ivory tower software company. It has not focused on forcing developers to work with best practices. It has not focused on punishing developers who break the rules. Given the diarrhea of frameworks, it does not even seem to have an internal culture or best practices.

This is not necessarily a bad thing. Developers, like every one else, are generally lazy and do not really want to do more work than necessary. Firm

Re:

[javaxjb]

But the crux of the matter is that the kernel is not off limits. Signed drivers from third parties are allowed to access the kernel. So how is this any different? Why make an arbitrary distinction between say video drivers and antivirus software? Shouldn't we welcome the choice. After all, if Microsoft can actually make a decent security add-on, won't we be better served by the competition between the third party vendors. Maybe then the other players products will be more efficient and less annoying.

The Wikipedia treatment

[ArikTheRed]

That's because if you hack a Linux box all you get is control a system that belongs to some 28 year old guy who lives in his aunts basement. [citation needed]
The value in finding security holes in a Windows box is that there are millions that can be turned into zombies to be used to crank out spam or worse. There is no money in hacking Linux. [citation needed]
Most of the holes found in Windows come from Linux hackers who rarely take a look at their own OS. While there are many secure features in a stand

Re:

[SillyNickName4me]

IBM indeed qualifies for being a 28 years old living in his aunts basement..

So do the companies I work for of course..

At any rate, as part of my job I do forensics and cleanup of compromised machines, Windows, Linux and many Unix variations... Linux (and in general Unix) machines are typically a desirable target for those involved in denial of service attacks, distribution of illegal files and so on, usually because they are used as a server and have a lot of bandwidth.

Re:

[Merovign]

The "people will get it eventually" provision will not work with lawyers.

MS is making these changes in response to legal threats, so common sense doesn't enter into it.

Most important question

[also-rr]

Is this going to be a backdoor into the protected parts of the kernel that also handle media protection?

It would be nice if one batch of companies out to screw you over had accidentally been defeated by another batch of companies out to screw you over. Sort of collateral rebuilding, if you like.

I find it kind of interesting...

[dghcasp]

Companies like Symantec (aka Norton) have profited immensely from an industry created because Windows wasn't secure.

Now they're upset because Microsoft wants that piece of that market; in other words, Microsoft wants to profit from the fact that Windows isn't secure.

Yet in pretty much every other operating system, the solution is simply to make the darned thing secure.

Now, I realize that the issues are a bit larger than this, but I do wonder: IF Microsoft ever released a truly secure operating system, thus making Symantec and other such companies as relevant as the buggy whip, would they then sue to prevent the release of the O/S?

Re:

[MalusCaelestis]

You're missing the point that this is exactly what's happening. By implementing PatchGuard, Microsoft was trying to make the OS more secure. But because these "security" companies bitched and moaned that Microsoft shut them out of the kernel (where no software but the OS ought to be), Microsoft must now make the system less secure in order to look like they're not abusing their monopoly powers. No reasonable person can place the blame on Microsoft here. If they don't open up the kernel to Symantec, McAfee,

Re:

[a_n_d_e_r_s]

No reasonable person can place the blame on Microsoft here.

Actually no reasonable person can ignore the fact that its Microsofts own fault.

Its because of Microsoft inability to create secure software that Symantec, McAfee et al exists at all. So basically its Microsofts inability to create good software that forces them to do these changes now.

Basically bad choices from before has come back and bitten them in the tail. Bad hacks has a tendency to do just that.

Re:

[Duhavid]

No reasonable person can place the blame on Microsoft here.

You have a very good point. There is one minor point to make here, I think, and that
is that Microsoft is responsible for Microsoft abusing their monopoly position and putting
themselves under the scrutiny they are under. If their actions and attitudes had
been different, they would have more options at times like this.

Re:

[CDPatten]

that just isn't true. MS patches security holes just like Apple, and the rest of them.

The difference is 1 and only 1 of the Operating Systems are used by virtually everyone on the planet... while the others struggle to get above 5%.

See, linux, osx, etc. are really that much more secure than Vista, its that not enough people use them to write viruses for.

You guys were on your high horses about Firefox being more secure than IE, but the bugs and security holes have been out pacing IE every since it broke th

Re:

[udippel]

Yet in pretty much every other operating system, the solution is simply to make the darned thing secure.

Where do you buy your smoke-stuff ?
There is nothing like a secure OS. FYI.

Re:

[dghcasp]

There is nothing like a secure OS.

People who forget Multics [wikipedia.org] are doomed to, er, um, forget that it existed.

While I dislike the M$ monopoloy...

[Ichigo Kurosaki]

I personally don't want a crippled OS to accommodate third party security vendors. If Microsoft can make there OS so secure that third party software is not needed I say go for it.

Of course if it turns out that Microsoft was just locking other vendors out to make users use their security software, which performed poorly I applaud the EU for helping the consumers. Because really all I care about is how well the end result is.

Re:

[Guppy06]

"I personally don't want a crippled OS to accommodate third party security vendors."

But before this you were willing to spend money on a crippled OS to accommodate third party media vendors?

Re:

[Tim C]

At least it would have been that little bit harder for rogue apps to pwn the box.

Re:

[MooUK]

Part of the issue is that some of the security software developers had already found ways to bypass the protection that was casuing the problems to some extent - and if they can, it's safe to assume that malevolent entities can and probably already have too. Of course, being a flaw, eventually MS would fix it - killing all the security software using it until they found another workaround.

At least, that's how I understood part of the issue. If anything there is wrong, though, I would like to know.

Beginning of the downfall

[nurb432]

I honestly thing vista is the beginning of the end for Microsoft.

They are pissing off their corporate customers, the governmnent. end users, 3rd party vendors.. Pretty much everyone...

Much as the *AA's are starting to cross the line, and will pay the price if they dont adapt, quickly.

The world has changed, and people are more aware and just wont put up with it..

Re:

[Kijori]

Vista can't be the beginning of the end for Microsoft - there's nowhere else for customers to go. There is no OS that offers the same level of hardware support, software support or technical support. There's no other operating system that companies can go to without retraining their staff. There's no other operating system that customers want pre-installed on their desktops and laptops, and there's no other operating system for software and hardware companies to design for.

I'm not a Windows fan. I gave up W

I dont agree

[nurb432]

No, i do remmber. and I dont agree they were pioneers. They were a bunch of wealthy snot nosed kids raised on theft from others. Bills parents were lawers .. a rotten industry if there ever was one.

They stole products ( DOS ) and concepts ( GEM anyone? ), and screwed people over during their 'rise to total domination'. From day one they were against software freedom. "dont copy our paper tapes of BASIC, its wrong" . They screwed IBM with NT after they drained IBM of the OS/2 code during their 'partnership'

Re:

[LocalH]

They suck and are immoral, illegal and should be terminated completely. Bill should have been aborted before birth for the same reason.

WTF

You're a nutbag. You really think that is going to persuade people to agree with you?

3rd parties should protect the OS

[dioscaido]

Why should the OS be secure when I can pay $30 for a 3rd party can do it (and destabilize the system as they do it, since they root the OS in undocumented ways)? This is a bad precedent and a huge loss for consumers.

What other changes before launch?

[Guppy06]

"Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel."

Can't say I'm particularly happy about this (breaking security in the name of security? Could even OneCare touch the kernel before this?), but this makes me wonder if they'll actually bend to user pressure to change the licensing terms [slashdot.org]?

Of course, the users don't have a legal team on speed-di

Re:

[tomhudson]

And there's no reason to believe that Vista will do anything but sell like hotcakes (after all, there are more reasons to go from XP to Vista than there were to go from 2k to XP), so there won't be any of the user backlash that most Slashdotters pretend they see in the future.

For those who missed the "irony" tags - people didn't switch from 2k to XP - they went from Win9x to XP - the 2k users continually dug in their heels when it came to switching. And certainly nobody I know even has Vista on their ra

Symantec too lazy to recode for PatchGuard

[I'm Don Giovanni]

Can't say I'm particularly happy about this (breaking security in the name of security? Could even OneCare touch the kernel before this?),

No, One Care doesn't touch the kernel.
Vista already had APIs to allow security software to monitor file activity without touching the kernel. This the API that One Care uses. And *most* security software already use that API, such as:
Trend Micro's "PC-cillin" [trendbeta.com]
Avast! [avast.com]
Sophos [betanews.com]

Symantec and McAfee, unfortunately implement their software by mucking directly with the kernel, so

The anti-virus market shouldn't exist

[ByTor-2112]

Microsoft's responsibility should be to provide an operating system that isolates the kernel from the user to the extent that no application run by an unpriviledged user could ever compromise anything other than that user's files. If they succeed, then the AV vendors have no need to get into the kernel. They just create software that looks for malicious software or libraries and eliminate them. If no app can get into the kernel they have nowhere to hide. That's the real solution IMO (not like I'm the first,

Re:

[SillyNickName4me]

Microsoft's responsibility should be to provide an operating system that isolates the kernel from the user to the extent that no application run by an unpriviledged user could ever compromise anything other than that user's files. If they succeed, then the AV vendors have no need to get into the kernel.

Problem is that all software contains bugs, so actually making this perfect is impossible.

Hence, there will still be a need to look in kernel space to see if everything there is really ok.

Surely the AV compan

Just let them have it already

[Temujin_12]

To my own suprise, when I read this I thought, "So, MS is striping away a part of its core security to accommodate 3rd party businesses? What would we say if our favorite *nix distribution started doing this?" Perhaps it is time to just let MS be. Let them provide their own security, their own browser, their own IM, etc, that are all tightly interwoven. Let them squelch creativity on their OS to the point that they either blow us away with what they can do when they lock the doors or alienate themselves from the entire software industry. Let them do whatever they want to lock/unlock 3rd party vendors out/in. We all complain about security, but then come unglued when MS tries to take a hard line to improve it because they close holes. Granted, the way they are closing holes may not be the best approach.

I say, let's just let them do whatever they want. A few things could come of this:
-Nothing really changes, we take off our tin foil hats, and life continues just fine
-Vista may actually be more secure and developers become adjusted to developing for it
-Vista becomes so hard to work with (as a software developer) that no software is written for it and everyone keeps using (developing for) XP, or switches OSes (and Vista becomes one of MS's big blunders)
-Vista becomes hard to work with (as a software developer) and we see more software makers moving over to alternative OSes (OSX, *nix, etc)

Really, what is so wrong with the LONG TERM results of these scenarios? Let's let MS make or break itself. Let's let them "test the waters" and see what happens.

Re:

[KarmaMB84]

Microsoft did this because they were going to be sued for billions. They'd rather close it off and force the security companies to use a supported API than let them hook into the kernel and do whatever they want. The EU just made Windows Vista less secure on x64 systems.

NO NO NO.

[jb.hl.com]

Trend Micro's anti-virus and Avast both work on Vista, because their respective developers spent time developing new software to work with it.

Symantec and McAfee on the other hand, rather than invest money in development for a version of their programs which fits Vista's new security model, decided to bitch and whine loudly about Microsoft's new security in Vista while doing nothing of any value. In a sane and equitable world, Microsoft would have offered to aid them in building their new anti-virus products for Vista, and McAfee and Symantec would have agreed. Instead, probably with the threat of a lawsuit from the two companies, and because of the two launching attack ads, they let them bypass their new security features.

This should not be happening. This is BAD for security, as once you let one program bypass security barriers it's only a matter of time before others do, not all of them friendly. This is STUPID because Microsoft has kowtowed to pressure from two companies far more focused on saving money on developing their shitty, shitty antivirus programs than actually providing any more security.

Fuck Symantec, fuck McAfee.

Re:

[KarmaMB84]

They kowtowed to a government body that has control of an entire continent. If they hadn't made Symantec and McAfee happy, they'd be right back in the EU courts having even more restrictions they can never meet and fines that will never stop shoved down their throats.

Re:

[Barlo_Mung_42]

Sad but true. It would be just if they only sold this verison in Europe. They could call it Vista Swiss (now with holes).

Re:

[wik]

Nice idea, but it's an EU problem... and, oddly enough, Switzerland isn't part of the EU.

Re:

[Tim C]

They kowtowed to a government body that has control of an entire continent.

But said government body only kicked up a fuss because Symantec and McAfee complained; MS are indeed kowtowing to them, the EU commission is just acting as a proxy.

Re:

[texaport]

once you let one program bypass security barriers it's only a matter of time before others do, not all of them friendly.

"Redmond said it would modify the welcome screen presented
to Vista users to include links to other security software."

Maybe the forced Vista sound at logon will play a friendly tune for Microsoft's solution, and dire music for those who bypassed it.

Re:

[jb.hl.com]

So then, why are Symantec throwing their little tantrum then, if they have a working product already?

blah, EU went too far

[jorghis]

I could understand why the EU was upset about the media player bundling. I can understand them being upset about the splash screen for MSs AV stuff. I dont agree with them forcing MS to get rid of those things, but I understand where they are coming from.

Forcing MS to weaken Vista's security and reliability to accomodate these AV companies sucks though.

This is a -bad- thing. Why are we applauding it on slashdot? Are we so caught up in MS hate that we want the government to force them to weaken their product from a technical standpoint?

Maybe this is an example of how having a reputation for lying will make people think you are being dishonest even when you are telling the truth. I know a lot of people on this website dont totally understand the technical issues involved. But doesnt the EU commission have any experts that can explain to them that they are weakening Vista by forcing this on MS?

Re:

[topham]

If I thought for 1 minute Microsoft could actually accomplish a secure OS I would agree with you.

They haven't yet done it in a consumer grade OS and they never will.

Regardless of the fact I will not install Nortons on another system (too many issues in the past) the ability to do so if warranted is absolutely a requirement.

And really, at the end of the day, let me guess what they do... they sell a pre-approved private key to Symantec, or any other reputable company and provide them with the dll/api calls to

What is the point...

[MoogMan]

As we have realised with DVD-CSS, and DRM, exceptions like these cannot be restricted to certain parties.

Put simply, crackers will ultimately be able to use the same backdoors to do Bad Things(tm).

Must mean more delays

[OriginalArlen]

Full disclosure: I do security.

This is a major change in the security model of the OS. As such it means the security model must be reviewed and re-evaluated. If Vista is released on the current schedule, that will mean that Microsoft have not done this essential work, which will mean the whole security model of the OS is invalid and (heh heh!) "untrustworthy". Not to mention the knock-on effects of this change on all those comingled applications (Internet Explorer, etc) - their security models are now b

Re:

[I'm Don Giovanni]

So either there are another 6-9 months' delay (at least), or Vista will be released with it's security fundamentally compromised. Your call, Billy-boy!
I don't care whether you "do security" or not, you have no clue about the code involved. You're talking out of your ass.

Microsoft has NO CLUE AT all regarding security.

[Cap'n Crax]

And I will tell you why. I actually like the NT kernel and architecture. I think it is well designed, and works great when built upon properly. I think Windows 2000 is the probably the best consumer OS ever made, even though Microsoft pointed it at business users. It's what I run, and likely will not switch from, except for (maybe) running XP in a VM to run some games.

    But even with 2000, MS had to insert their boneheaded ideas in it. For example, with "Windows File Protection," which is really the sfc.exe ("System FIle Checker") and sfcfiles.dll (The actual list of files to be protected, stuck in a DLL) it gives an Admin NO WAY to add to or change which files are protected. And it includes things like PINBALL.EXE!!! in the list of protected, undeletable system files. And creates stupid things like "C:\Program Files\microsoft frontpage" when I DO NOT even have Frontpage or IIS installed. And unless you disable SFC (which I did) it will re-create the stupid directory on every re-boot. So what COULD HAVE BEEN a useful feature is more like a "let MS Admin your computer for you" feature, because there is no way for the owner of the computer to manage which files are protected under "Windows File Protection." And guess what, on COMPUTERS I OWN, **I** like to control what directories are created and where they are placed. It's MY computer!!!

    Now I have read, from a recent article by Mary Jo Foley, ZDNET, that some of the new security in Vista will come from "Code protection technologies such as tamper resistance, code obfuscation, and anti-reverse engineering measures..." THIS IS NOT SECURITY. This is HIDING YOUR BUGS. Instead of actually fixing the bugs, or not having them to begin with, they are actively trying to just make them harder to find. But they are still IN THERE!! This is just simply boneheaded. This is not the way to develop an OS.

    With this new WGA crap, they are trying to FORCE users to install (and keep installed) components that NO ONE WANTS (except MS, of course). But guess what, any decent computer Admin **MUST** have the ability to accept or deny ANY update to the OS and have the ability to rollback changes if they cause problems. Just Google for wgatray.exe for many fine examples of the horrible problems their crap is causing.

    With Win 2000 at least, MS created a good OS, once you fix the initial problems. But for me at least, there is NO WAY I will "upgrade" to this Vista shit with requiring signed drivers (what about independent hardware hackers/developers?) or XP with "Activation" (what, I can't swap out my motherboard without CALLING and RE-ACTIVATING?) They have just gone too far with this DRM and Anti-Piracy shit. NOT IN MY OPERATING SYSTEM.

    I need to move to Linux. Kubuntu is looking really good now. If I can just get the couple of games I like working under WINE or Cedega, then F*** MS. It's just too much. I've had enough.

Crax

P.S. The Mary Jo Foley article I quoted from is located at:
http://blogs.zdnet.com/microsoft/?cat=18 [zdnet.com]

Re:Microsoft has NO CLUE AT all regarding security

[Toreo asesino]

-Brief appraisal of Microsoft: check.
-Imminent follow-on thrashing of Microsoft: several-times-check.
-Mention of impending DRM: check.
-Favourable view of Windows 2000: check.
-Unfavourable view of Windows Vista: check.
-Thread of 'moving on to Linux': check. ..........

"It looks like you're writing a Microsoft post!......"

P.S - http://crouchingbadger.com/movie/paperclip.mpg [crouchingbadger.com]

The article worded it wrong

[Eezy Bordone]

MS is not giving access to the kernel. In fact they're doing what they've been doing with V64 all along, providing API's to monitor the kernel but not hooks into it.

Here's an informative link [stepto.com] on KPP or PatchGuard.

This really stinks

[eraser.cpp]

The proposed PatchGaurd security model made perfect sense and was one of my favorite parts about Vista. Even though Brad Smith said in the press conference that they haven't dropped PatchGuard, by providing a hole in it they may as well.

And is anyone else incredibly annoyed when they find that some interface in the OS (like security center) has been disabled and replaced with something inferior? I don't think McAfee and Symantec care about that so much as making sure that Windows continues to face serious s

Security Afterthought

[Doc Ruby]

Oh, right, because that's the time to design the security model of your operating system: after a few betas, several years into development, when the product is already late, as a token gesture to some competitors only after government pressure.</SNARK>

This is the OS that the vast majority of PC users will depend on for their privacy and data security. Billions of people, many in essential services like healthcare, defense, banking, emergency response, depending on it every day to work reliably, despi

Re:

[eraser.cpp]

I'm probably missing something, but where are you getting the impression that security was an afterthought in Windows Vista? Everything I've read up until now has stated that security was a paramount idea throughout the entire Vista development process. The article in the OP is about Microsoft giving into McAfee/Symantec lawyers who had started bitching louder and louder, it's not like PatchGaurd is a new idea that was just implemented into Vista.

Re:

[Doc Ruby]

Letting 3rd parties bypass PatchGuard is a change to the security model. And at this point, any changes like that are afterthoughts.

Re:

[eraser.cpp]

It seems more to me like Microsoft fought to keep the security model the way it was and is now realizing they can't win in Europe and that continuing to try would hurt the company. I don't like the change either but saying that Microsoft made security an "afterthought" doesn't accurately describe what's happening here. McAfee and Symantec only started complaining loudly at the last minute while other antivirus vendors worked to make sure their products would work under Vista. The EU heard their complaints a

Re:

[Doc Ruby]

Not preparing the security model for that change at design time, years ago, is a stupid mistake by Microsoft.

Virus API

[daveb]

So MS is being forced to write an API which will turn off system security.

Will the MAIN users of the API be virus writers, or will they only be a minor percentage of the coders who use it?

Make no mistake - this API is a security vulnerability which virus developers WILL use. I really hope that the API requires a DLL which I can remove, unregiser and exorcise from my systems. Or some other way, which cannot be bypassed, which will ensure that NOTHING (not even symantec ... or sony) can write to my kernel.

Re:

[pdbaby]

when microsoft makes it secure people go nuts that its tooo secure and they complain

The problem is that Microsoft's record with security isn't great; lots of people (myself included) prefer to trust another company to provide anti-virus and firewall security under Windows. Microsoft will have to work very hard - in an equal arena -- to show that their AV and firewall solutions are as good or better as those of their competition

Re:

[rhendershot]

That trust is severely misplaced. Third-party companies can only play catch-up and do so from the disadvantage of external access to the system.

The parent article misses a beat in that Microsoft has an API to the kernel for their AV needs, by definition. The only issue is should that be public. The EU is making them publish this API (in some form, I don't trust Microsoft to release all their 'goodies'). But should it remain private to Microsoft then the consequence is that virus writer's will de-enginee

Re:

[SillyNickName4me]

That trust is severely misplaced. Third-party companies can only play catch-up and do so from the disadvantage of external access to the system.

That is true only in theory when it comes to Microsoft.

One can for example make the same argument about the MS tool for finding malicious software. Granted, their tool is decent, but not the best one around, not by far even, despite their 'intimate knowledge' of their own system.

Matter of fact is that despite unpublished APIs, attempts at completely breaking competi

Re:

[SillyNickName4me]

Oh, I forgot one thing:

Vista could be remedially-exempt (eg. totally secure)

Totally secure does not exist. It is a theoretical impossibility.

Being able to use different tools from different vendors to analyse the current state of a machine is simply vital for being able to keep the machine secure. Why? because none of those tools will be perfect, and there will always be issues that are found by one but not the other tool.

Re:

[SillyNickName4me]

My thinking was that even if it were possible that an OS were totally secure (agreed that's of diminuative probablility) then the current crop of combatants would still find some way to argue, including the EU.

Agreed there.

I've felt the effect of failures in too many degree-removed apps (McAfee, Norton, etc.) to blindly trust them as it seems do you.

I have seen enough issues to not trust anyone blindly in this, not 'even' Microsoft. Please don't jump to conclusions..

I'm in the camp that should Microsoft cho

Re:

[PsychicX]

Implied in that is that the security solutions of people like McAfee and Symantec are actually good -- they're not. Those products are terribly written and border on malware themselves, installing deep system level hooks and frequently wreaking all sorts of havoc on a system. I've seen systems that didn't need viruses; Norton AV or McAfee was handling destroying the system just fine on its own. Maybe security should be trusted to someone other than MS, but it sure as fuck ain't these people.

Re:

[perlchild]

That's not quite exact...

People complain that Microsoft is making it hard to be secure, if not impossible. Then Microsoft changes things, to make it hard to be secure, if not impossible, but in a different way. People still complain.

It's inexact, and quite impossible to say right now, before Vista is released, that Vista is secure(which in this context, means unhackable).

Re:

[udippel]

It's inexact, and quite impossible to say right now, before Vista is released, that Vista is secure(which in this context, means unhackable).

Dreaming, are you !
There is nothing like a secure OS. FYI.

Re:

[Duhavid]

I agree that Microsoft is damned if they do and damned if
they dont.

It would be easier to sympathize with Microsoft if they had
taken security more seriously from the beginning, and had
worked more on these issues rather than chasing features.

That was not right.

Re:

[Darkon]

do think they need to restrict access to the kernel, but why from software makers such as Norton, AVG, McAfee?

If a means is offered for Norton, AVG, and McAfee to bypass the security then you can bet your bottom dollar that hackers and malware writers will use it as well. Personally I'd rather not have deliberate holes in my kernel just to keep 3rd party security companies happy.

Re:

[tomhudson]

Just like I test the waters before I dump the bodies...

Is that you Hans? http://geekz.co.uk/lovesraymond/archive/so-i-marri ed-a-kernel-programmer [geekz.co.uk]

Re:

[Shados]

Thats the issue here. With this, the customer lose, and thats it, they just don't know it. Many, MANY anti-virus softwares worked JUST FINE on Vista. Only heavily intrusive ones, like Norton and McCafe didn't work, because they do things they shouldn't be. Microsoft had a pretty good middle ground. The problem is that companies like Norton and McCafe, which relies, again, on highly intrusive softwares to flip the computer upside down, would have had to rethink their strategies, since they were heavily "abus

Re:

[Merovign]

I think the fact that other companies can manage to make their software work with the existing API, but that SYmantec is too lazy to code but can send lawyers to make threats, says a hell of a lot more about Symantec than it does about MS.

I hope the new API hooks don't become a security hole, and if it does, I hope the blame gets placed where it belongs - but I know it won't.

Many years ago, symantec was pretty good. Then again, maybe it's that Norton was good before Symantect bought them.

In either case, whe

American decision

[symbolset]

We've already done this several times.

After a suitable discovery of the facts, hearing of the arguments, several appeals and considerable political activism, many years pass. Microsoft finds itself in a climate amenable to a trivial settlement without admission of wrongdoing. For consumers relief is usually in the form of a coupon good for some small discount off further purchases, or in similar discount provided to some third party like schools.

Unfortunately for consumers justice delayed becomes justice