MS Security Guy Wants Vista Bugs Rated Down 167
jcatcw writes "Gregg Keizer reports that Michael Howard, an MS senior security program manager, says that the Microsoft Security Response Center (MSRC) is being too conservative in its Vista vulnerability rating plans. Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses."
Hal Howard (Score:2, Interesting)
An interesting response (Score:5, Interesting)
baked in? (Score:5, Interesting)
in Microsoft Vista, what's higher than administrator?
root
superroot
supersuperroot
that's right, there are three privilege layers above administrator in Vista.
users cannot access those, but software can.
"Oh, you're a process, here's the keys!"
"Oh you're a user? You want to access your computer, confirm or deny?"
Re:Its about the bug, not the environment (Score:3, Interesting)
And that is a correct assumption to make. If a security "feature" can be bypassed or disabled, you can't make any other assumption. I firmly believe the biggest threat to Microsoft security is Microsoft itself. Policy from one section of Microsoft is fighting policy from another section. The security folk are fighting the "ease of use" folk. The piracy folk are using the critical updates as a means of checking legitimacy. WGA thinks you're not legit? You stay vulnerable making Microsoft a menace to networking. All these are policy fights that make being a Microsoft user less and less attractive.
B.
Re:Its about the bug, not the environment (Score:3, Interesting)
Usually those are described as mitigations, since there are no security guarantees associated with them (since they can be bypassed, they're not security features.
Re:Hal Howard (Score:2, Interesting)
You sound like a contractor that is bitter you didn't get hired on. Those of us are employees of MS want to make certain that we get the remaining bugs fixed. That isn't going to happen if we point fingers and play the blame game.
I work on embedded devices at MS and we won't have Vista support ready for a couple more months. Once the Visual Studio GDR is released in Apr/May Windows Embedded 6 will release SP1 and it will then be possible to develop/debug embedded devices from Vista and I will update all of my machines. Until then I have machines running Vista and XP. If you did work at MS you would have been interested enough to take a look at it. You would have grabbed the source code for both Vista and XP so that you could compare them, but since you are obviously just a contractor you don't have that ability. If you could do it you would find that the Vista code base is much cleaner. The 70% rewrite that was done was worth it. The new kernel is modular and agile. There is still room left for some performance tweaks, but from an engineering standpoint it is beautiful. Over the next few years this will become very important. It took years to get the embedded version of XP ready, but thanks to the changes to the Vista kernel we should have Vista Embedded ready in less than a year. Once we strip out the shell, the graphics, and most of the managed code we will have a nice version that will run on a fraction of the resources required on the desktop.
When people ask me whether they should switch to Vista I generally tell them to stick with what their computer came with. If they are ordering a new computer then I ask them what they are ordering and recommend Vista if they are ordering a powerful machine. There are currently a few issues left with some applications, and there are many drivers that are not yet available for Vista. However, that situation is changing rapidly, and when Vista SP1 is released many of those problems will be fixed. A large part of the problem is that in order to make security better there were massive changes to the interfaces between user and kernel space, and the entire driver subsytem was rearchitected so that all drivers run in user space. We painstakingly went through and added as much backwards compatibility as we could into the system. However, there are literally millions of Windows programs that have been written, and we do not have copies of all of them. When a user finds a new program that doesn't work we do add it to a list of programs that are known to not work. Developers are constantly working to add back-compatibility support for the applications that don't work based on the popularity of the application.
Re:Isn't that ..... (Score:3, Interesting)
You're saying that as if it's a bad thing. Do you insist on an OS that makes you think a lot?
While you're thinking on the OS you could be thinking on the next YouTube or something. Why waste so much talent? Anyway, if Microsoft survives Vista (which it'll most likely do), and has success with Vienna, we'll have exactly that: proliferation of managed, secure code and deprecation of binary code (which will run in sandbox) except for a range of professional applications (media processing, database engines and so on resource intensive tasks).
Re:Isn't that ..... (Score:3, Interesting)
You say that as though the amount of thinking a person can do is a finite quantity, and that each time you think you decrease this quantity, so therefore the wise thing to do is conserve it as much as possible.
However, it's really more like a muscle -- the more you use it, the more able it becomes. Linux made me think very much when I first began using it, especially considering that this was 1997 so as you can imagine, the automatic graphical/menu-driven installers were not nearly as good as they are now. It took a decent amount of thinking to come to an understanding of why the system works the way that it does, but having done this I can now make related decisions instantly. I also learned a lot about how to find my own answers, which is also a skill that comes more easily now than it did before.
Depriving me of the ability to make security decisions on my own, on the premise that making those decisions requires thinking and well that's just too hard, is not my idea of the proper role of an operating system. The OS is not "making" me think, because all of the thinking done is inherent to the task performed; for example if I am setting up a network then I am thinking of how I want this done, what steps I will take to secure it, which computers will be used for what tasks, etc. The thinking is inherent in the task, just as sowing seed is implied by wanting to reap a harvest.
The thinking required cannot really be separated from the task; the best approximation is to have the designer of the system (Microsoft, in this case) try to determine in advance what you will and won't do and set defaults that attempt to please everybody. This is, of course, directed more by marketing's idea of what they think most people want rather than the developers' ideas of what is technically superior. That is (imho) the biggest difference between the Microsoft approach and that used by most Linux distributions.
To sum it up, no I do not believe that thinking is a bad thing, and thinking in particular is one of those things that I would much rather do myself than have someone try to do for me.