Security - XP & Longhorn

Posted By: surferdude | May 2nd, 2004 @ 12:39 PM
page 1 of 2
Comments: 35 | Views: 13196
#May 2nd, 2004 @ 12:39 PM
surferdude
surferdude
surferdude
Hey All,

With the recent unleashing of yet another worm targeted at Microsoft's most secure operating system yet, I'd appreciate hearing a bit about what you guys are doing differently to make Longhorn more secure. Microsoft has accomplished many amazing thing over the last 25 years. When you put your minds to it, you usually accomplish something very impressive.  (Internet Explorer for example) Is software security something you now have as top priority? Are we going to see 'revolutionary' improvement?  (IMHO - we really need too.)
 
And maybe, if you have the time, help me a little - how would you characterize XP today security wise? Would you describe XP as being secure? How would you defend yourselves when challenged by non Windows users who use the worm and virus outbreaks as anti-Microsoft ammunition?
 
- surferdude

#May 2nd, 2004 @ 12:42 PM
Shining Arcanine
Shining Arcanine
Wait for Windows XP Service Pack 2 to come out.
#May 2nd, 2004 @ 2:09 PM
Steve411
Steve411
I would describe windows Xp as a pretty good security system.  Alot of security features have been added to it therefore preventing hackers to having access to your computer. Service Pack 2 will 'boost' up those features. The firewall for example, i love it, pop up blocker, love it!
#May 2nd, 2004 @ 2:15 PM
Charles
Charles
Welcome Change
surferdude wrote:
 Is software security something you now have as top priority? Are we going to see 'revolutionary' improvement?


Yes. Security is Microsoft's top priority accross all of our products. With XP SP2, for example, you will see revolutionary improvements in both core system security and user administration of security settings via the Windows Security Center. You will have much more granular control over what Windows can and can't do on your behalf.

Securing our products comes before everything else we do and this will not change.


Charles
#May 2nd, 2004 @ 5:41 PM
eagle
eagle
My Security is my responsibility. Microsoft can give me the tools, but I have to build my apps and OS securely.

 
#May 2nd, 2004 @ 5:49 PM
jonathanh
jonathanh
My mod color is red
The last few worms/virii have used exploits that were only publicised after the appropriate Microsoft patch had been released. In other words, the malware writers are sitting around waiting for a patch to appear, then reverse-engineering the patch, producing a worm to exploit the hole, and hoping that enough people haven't patched their systems to allow their worm to spread.

For example, the current Sasser worm targets a Win2k/WinXP hole that was patched two weeks ago - and that hopefully most systems have picked up by auto-update.
 
#May 3rd, 2004 @ 4:30 AM
Manip
Manip
Thing is, you say that like your blaming the home users that haven't patched... I think if people are not patching that means you haven't done your job.

They should be made aware of why they need to patch or do it for them. People like us of course patch regularly but we are not the people that this worms targets or strikes.

I know it sounds tripe but there needs to be some idiot proof tutorial or something which explains why people are patching.. I'm thinking clippy appears on the screen and starts deleting their files, he then says "If you patched I wouldn't be deleting your files", and then explains that he will continue deleting their files until they patch (and the Windows Update button lights up).

The main problem I see at the moment is, your relying on SP2 to fix these peoples systems and stop them from hurting themselves, but these are the LAST people who will install SP2. Kind of dug your own grave on this one. If nobody (home users) installs SP2, you could release a very cheap 'XP Enhancement pack' for like £5 that gives them new backgrounds and installs SP2 Smiley 

 

#May 3rd, 2004 @ 12:23 PM
surferdude
surferdude
surferdude

IMHO - Expecting every internet user running Windows to apply a patch within a two week period is a pipe dream. Plus, patches are reactionary - the right solution is to prevent coding the vulnerability in the first place. This was more what my question was - How is Microsoft preventing / detecting security holes in Longhorn before the release? Can you prevent them? Or can we expect major worm outbreaks that exploit holes in Longhorn as well?

- surferdude

#May 3rd, 2004 @ 9:00 PM
jonathanh
jonathanh
My mod color is red

Manip - yep, we're not going to have done our job until all systems get updated in time, whether that's by auto-update or by user education. It's a hard problem, with a lot of sociological (as opposed to strictly technical) aspects to it. And "in time" is a shorter and shorter interval these days. But I'm not sure that bringing Clippy back from the dead to devour their files is quite the education that many users are looking for Smiley

Personally I'm hoping that we flood the market with free SP2 CDs - and maybe cheap "upgrade from Win9x to XP SP2" offers? The idea of adding extra content to the CDROMs as an incentive for people to actually take them home is a good one, though!

surferdude - there are no absolute guarantees. But Longhorn *will* be the most secure Microsoft OS yet. Windows Server 2003 currently holds that title - it's immune to Sasser, for example - and Longhorn is going to be another big jump beyond that. Windows Server 2003 was being written as the big security push at Microsoft was just starting, with lots of developer training, extra tools, security reviews, threat surface analyses, etc etc. Now the dev teams are taking that experience and putting it into Longhorn.

#May 4th, 2004 @ 12:25 AM
jamie
jamie
everything is secure enough..

SECURITY MEANS LOSS OF USER RIGHTS

and because there are alot of programmers here - i used caps on the above.

NO more security
Release some free stuff
YOU ARE BORING THE PANTS OFF YOUR CORE AUDIENCE
* even i am thinking of playing with Linux as there is nothing new thats EASY to play with from MS

Security... bleuagh

Just like "homeland" security -= loss of people "user" rights

you are all out of your mind if you think SP2 is liberating - it is BAD

just WAIT for the press

"MS goes against all it's core philosophies with SP2"

" Service PAck TOO much!"

"Service pack or rights attack?"

#May 4th, 2004 @ 12:43 AM
JParrish
JParrish
Jamie.. are you insane? Microsoft put everything they had into a lot of core technologies in the last 5-7 years only to have it all visciously attacked resulting in nimba, iloveu, etc.. and they were the target of more than one "Microsoft losing the enterprise" articles in business magazines.

Everyone pretty much agrees that MS has very feature rich applications, but without security those applications are worthless. I think that windows server 2003 is awesome in that out of the box it is not listening for sh*t.. that is rule number one. LOCK DOWN THE ATTACK SURFACE!

I hope you are only kidding because some of your past posts I am inclined to think that. If you aren't .. whoa.. ^_^
#May 4th, 2004 @ 2:19 AM
Manip
Manip
jonathanh wrote:
But I'm not sure that bringing Clippy back from the dead to devour their files is quite the education that many users are looking for Smiley


I was kind of joking about the clippy thing Wink

Microsoft is always discussing 'Value Add' and such, well if people don't care about security then from that point of view SP2 adds nothing! That is a scary thought... I think depending on how much Microsoft 'cares' about its customers, it could consider giving away ($0) XP Plus pack, that would definitely encourage people to update. You could also (Although annoying) force other Microsoft applications to require SP2. Like MSN Messenger - "Please Install SP2 before updating MSN Messenger" etc.

I will admit that the pop-up blocker would be good for normal home users, but most of them don't know what pop-up's are (or at least not by that name).

I most definitely agree that it is a social issue but XP is a social tool. That is why you guys went to such lengths to ensure XP is as usable as possible and do usability studies etc. I think the current Windows Update is a step in the right direction (compared to downloading individual patches) but a lot of people don't want to use it because they don't understand what is does and feel - 'If it ant broke don't fix it'.

On that note, I just want to say I hate it when people say that. If we (humanity) stuck to that then we would still be living out of caves. Another expression that bothers me is "Reinventing the wheel", like nobody should try to progress because they might fail. I mean if everyone did try and re-invent the wheel don't you think we would have fare superior wheels than we do at the moment? - Just something I wanted to get off my chest Smiley

#May 4th, 2004 @ 2:20 PM
jamie
jamie
i wish i was kidding but im not

2 years of nothing but patches updates and security secturity security with the next version of windows no where near in sight - 2/3 years.

forgive me for getting bored..

release aqua - err - i mean aero/avalon as a free patch for XP or something..

give us something new and fun

STOp letting Jim Alchin hord all new features till next version

that mans gotta go


#May 4th, 2004 @ 2:21 PM
lars
lars

Exactly what is so bad about SP2, and which rights does it take away?

/Lars.

#May 4th, 2004 @ 3:47 PM
eddwo
eddwo
Wheres my head at?
SP2 is a step in the right direction. I think it'll take to longhorn to see some major progress.
The recent article on MSDN about least privilege access shows some of the steps they are taking.
Focus on Least Privilege I really like the Copy-On-Write registry and file system that allows you to run older programs without admin rights without them breaking,
Please don't try to ship Longhorn too early and remove features like this.

I agree with the need to add some consumer doodah to SP2 to get people to install it. Ideally make SP2 discs as available as AOL CDs as well. Computer stores, magazine covers, etc. Maybe include something like Plus! DME, or perhaps just a few extra themes screensavers and wallpapers.

On the "Diversionary Tactics" section of the .Net Show the last couple of times they have had a guy interviewing people on the street about Windows Security.
Very few people knew anything about Windows Update and fewer knew what a firewall was. "How do I know its really from Microsoft", "I don't want to install anything because it might be a Virus"

I've seen it myself, people who have been using XP for over two years are still getting the balloon popup "Stay current with Automatic Updates" every day. They just ignore and close the balloon. They've never taken the time to tell it if they even want to be told when updates are available.

SP2 has automatic updates on by default, which is a good idea until there is a patch that misfires and breaks a few people installations overnight.
The patch that fixes the vulerability that Sasser attacks has caused a whole load of problems for some people. Perhaps you shouldn't try to fix so many issues in a single patch in future?
#May 4th, 2004 @ 4:03 PM
Manip
Manip
The problem with that balloon popup is that after the first click-away it is easier for them to get into a pattern of clicking away at it. I have been described it in context of a bug on more occasions than I like to remember. I have no suggestions on improving the box except putting it in simpler context - "Your computer is unsafe, download free update to protect it", it is a little long winded but maybe something to that effect.

Microsoft should also be looking at its education links and start getting IT courses in the US and UK to add 'Computer security 101' to the course. And a little half hour talk for those beginner classes. Give away free presentations with open copyrights...

Thing is, on one hand there computer pushes them away. These are applications like bonzi buddy and spyware always asking the user to click this and do that and then you have good software asking them to click something else. They are so confused by the good|bad split that they can no longer tell which is which.
#May 4th, 2004 @ 4:53 PM
lars
lars
Microsofts secrecy isn't helping either. It just spawns distrust and articles like this one: Inside Windows-Update

I think there should be an even clearer separation between what is CRITICAL and must be downloaded, and the other not so important add-on crap. Users on 56k modems that can't tell the difference get tired of windows update real quick.

And after the update is done, there should be some kind of better feedback to the end user. To in some way explain why it was important that they just spent 2 hours online downloading something they don't know what it is, what it does, and why it's needed in the first place. All they know is that now they're protected against, well, something or another.

It was also a dumb move to block pirated version of XP from updating. Serves them pirates right one might say. Yarr. But since they're on the same internet as paying customers they hurt everyone when they turn into unupdated cyberzoombies. Spreading spam and worms.

As far as the baloon tips go, I think it's yet another shot in the foot. There are just too many of them. And one of the first ones that pop up is about getting a Passport account. No wonder people turn those off ASAP. Or just keeps igoring them.

Given some thought windows update could have been alot more effective.

/Lars.
#May 4th, 2004 @ 8:34 PM
lostdude
lostdude
I'm not this cute

I think that, with a full retail price of $300.00 (U.S.) for WinXP, each registered user of an operating system should receive a annual replacement disk with a fully updated version (all patches, SP's and updates), Until a more current operating system is released. You could drop it in and be offered the option of updating or boot from it for a full regular install. OEM's could be responsible for part of the cost.

I do understand the difficulty with the task, especially after I read articles like "Windows XP hits 210 million in sales", but not only would this make life easier for power users and free up bandwidth at Windows Update, it would be a giant step towards securing the network systems.

Windows update is one of the great things in this industry. It's a shame that it's so poorly thought of by so many. I've actually read people complaining about having things (updates) pushed on them. Of course, these are the same users that immediately click yes on a Security Warning while they're web surfing, without reading it. Now SP1, Direct X, Media Player and codec's are all available for download separately as is IE (for Win98 only, which bugs me). I've got them all on the same cd going back several versions. I've also merged my XP install cd with SP1 so that it's all on a separate bootable cd (actually makes for a great install).

I think the other thing to keep in mind, is that we here, using these forums, are very VERY different than the average end user, who wants nothing to do with any of this. They simply want to turn on their PC and go to work. Making it easier for them to stay secure makes all of us more secure. Sure it seems simple enough to teach them how to do things properly but try doing it...lol..I support over 65 users, all in different environments.

The small business user has a written policy they have to adhere to or they lose their job, but home and SOHO users are a nightmare. I've actually had a client pay me for cleaning up his spy ware mess, then tell me he didn't have time to learn what went wrong, he'd just call me again. I've written step be step procedures for SOHO users, on my own time and at no cost to them, and they'll flat out tell me they don't have time for it. It puts me in a very difficult position. On one hand I have a business to run and a family to feed, on the other, it seems like I'm pounding my head against a wall trying to make them better users, when they have no interest in being better users.

I can see a future where the computers with always on connections will have all internet activity stopped with a warning up in front of them that states they are not allowed to proceed without first updating their PC.

 

#May 6th, 2004 @ 4:47 PM
jamie
jamie
lars wrote:

Exactly what is so bad about SP2, and which rights does it take away?

/Lars.



i just find everything about it rude and demanding. Forced reboot - no Cancel - nag every 5 min till you do - no turning it off

updates that start downloading while your working - saying nothing of what they are doing with no option to stop and hogging alot of resources ( when i have like 80 photos open and frontpage and corel)

"You are not allowed to run this on your computer it may not be safe" - click bar:  ok - what is not safe?
Go to "About this error" option - goes to a lame help page - with nothing about whats on the page thats causing the error ie; "SP2 will not let you run the "make this your homepage" script anymore because its javascript and we are sticking it to Sun" Line 23 .

So you say - OK OK OK OK allow - it says "are you sure cause it can wreck your machine" - it does this everytime with again..NO OPTION to say "Dont bug me about this" - without disabling it entirely

The big red X in my notification area - because i dont have a virus program installed ( have had like 2 virus's in 10 years) and i cant remove it or again say "I no i dont have a virus program DONT ASK ME THIS AGAIN"

i could litterally go on about this for a week.

MS use to be famous for user empowerment - not NO OPTIONS

in regard to loss of rights - thats all the Fullscreen / kiosk mode they have removed/buggered up so as to make it next to impossible to build your own interface on top of windows - like ie 3,4,5,6 have always allowed. In the name of "security" we now have a status bar - even when its off in XP) and a stupid toolbar at the top like poopy Mozilla does fullscreen

(* ps - i run sp2 default - non-customised - as a normal unadvanced user would)
#May 7th, 2004 @ 11:52 AM
Charles
Charles
Welcome Change
Jamie,

Your frustrations are certainly understandable. Unfortunately, the Internet connected world is not a very friendly place and you can bet people are out to get onto your system and take advantage of you every single time you connect to the Internet. Sasser is is just one of several examples of bad people doing bad things.

Operating systems need to account for this dark side of the Internet. This means, as an operating system company, we need to make it really hard for hackers to exploit you (this includes making it hard for them to successfully get you with social engineering hacks).

Of course, the unexpected and sometimes frustrating things you are experiencing in UI are but a fraction of what was done to protect your system at the core level. Much of what has changed is not visible to you in the shell.

We've made the bet that making it hard for users to make themselves vulnerable to attack is the right thing to do even if one of the consequences of this is an increase in "annoying" warning and information dialogs and changes in default behaviors.

We really don't want people getting on to your system and doing bad things to you. Certainly, an OS can't protect against you installing some evil program, but it can warn you about the potential consequences of doing this. But that's just one part of the equation. With SP2 your system will be secure by default and the bad people out there who want to take advantage of you will have a very, very hard time finding holes to exploit. That's the basic goal.   

Charles
#May 7th, 2004 @ 1:54 PM
GooberDLX
GooberDLX
Avatar.Image = Jake.GetFemales();
Why not.. change their wallpaper, screensaver and default internet explorer home to some "hacked" page that says something like...

"This is your computer, this is your computer being hacked" .. it sorta worked for the drug arena! Wink

Also.. send a page to their printer and a popup saying the same thing when they log in..

Possibly not even let them log in and say that their password has changed, possibly by a hacker.

hehehe

Jake
#May 8th, 2004 @ 2:27 AM
Steve411
Steve411



  Thing is, you say that like your blaming the home users that haven't patched... I think if people are not patching that means you haven't done your job.



 
NO, not really, you see.
  It is the users fault, they have to get their lazy butt up and download the patch if they do not have autoupdate enabled. They make a mistake like that and they blame Microsoft for it, it makes no sense at all.. 
   That also is a matter of security..
  You want more free stuff as based on security?
  I would not even think about that, if they leave the security to you, i bet that your computer would go dead in a few seconds, there are lots of ppl out there who are just waiting to get in and mess you up for good. Microsofts response to that is to block those people as much as possible, so that they would NOT GET BLAMED FOR YOUR MISTAKES! AND YOU ARE WRONG ABOUT SP2! YOU JUST WAIT TILL IT COMES OUT! YOU WILL BE GLAD THAT YOU HAVE IT! Since most attacks come from online webpage scripts, such as ASP, and install 'secretly,' it gives you a GREATER CHANCE OF LOOSING DATA! MICROSOFT RESPONSE TO THAT IS ADD A 'SCRIPT BLOCKER' TO SP2! THEREFORE PROMPTING YOU IF YOU DO OR IF YOU DO NOT WISH TO ALLOW SCRIPTS TO ON THE PAGE! With the little information bar at the top of the window.
  Security to you may not matter, but that is only one person, just think for a second dude, if Microsoft did not increase its security to greater limits, then everyone could have access to your computer, and to business computers as well, and they would ALWAYS TAKE THE BLAME FOR IT!
  You say that you do not need security, and that you can manage without it, well, guess what, i'am one of those people who say that you ARE WRONG!
   Your bro in Christ, 
 /Steve
  Think about it!

#May 8th, 2004 @ 2:33 AM
Steve411
Steve411

   I think that, with a full retail price of $300.00 (U.S.) for WinXP, each registered user of an operating system should receive a annual replacement disk with a fully updated version (all patches, SP's and updates), Until a more current operating system is released. You could drop it in and be offered the option of updating or boot from it for a full regular install. OEM's could be responsible for part of the cost.
 


Then how do you expect microsoft to get money for further copies of XP? As well as for further projects.....
#May 8th, 2004 @ 2:34 AM
Steve411
Steve411

   I think that, with a full retail price of $300.00 (U.S.) for WinXP, each registered user of an operating system should receive a annual replacement disk with a fully updated version (all patches, SP's and updates), Until a more current operating system is released. You could drop it in and be offered the option of updating or boot from it for a full regular install. OEM's could be responsible for part of the cost.
 


Then how do you expect microsoft to get money for further copies of XP? As well as for further projects.....
#May 8th, 2004 @ 7:27 AM
Shining Arcanine
Shining Arcanine
lostdude wrote:
I think that, with a full retail price of $300.00 (U.S.) for WinXP, each registered user of an operating system should receive a annual replacement disk with a fully updated version (all patches, SP's and updates), Until a more current operating system is released. You could drop it in and be offered the option of updating or boot from it for a full regular install. OEM's could be responsible for part of the cost.


That is called slipstreaming. It can be done but isn't as easy as it could be. Maybe Microsoft could make it easier to create a slipstreamed disk, that would be easier than creating them itself and then handling the task of distribution.

Steve411 wrote:
Then how do you expect microsoft to get money for further copies of XP? As well as for further projects.....


Maybe my suggestion might be more feasible.
page 1 of 2
Comments: 35 | Views: 13196
Microsoft Communities