http://www.theglobeandmail.com/servlet/story/LAC.20060803.TWVISTA03/TPStory/Business

By RAF BRUSILOW
Special to The Globe and Mail
03/08/06

As early test versions of the upcoming Windows Vista operating system make the rounds on the Internet, Microsoft Corp.'s approach to any potential new security gaffes is becoming apparent: Once more, with feeling.

Windows Vista will be shipped with an entire suite of defensive software preinstalled and, among other features, a digital safety net that should make it nearly impossible for malicious software to gain control of a computer through a user's own blunders while using the Internet.

Though Vista is still in the cocoon stage and thus months away from market, the consensus among some computer security analysts and experts who have tried out the test versions seems to be that, while hopes are generally high, expectations are low.

"Some of what I've seen [in Vista] is really good, but it's not just about the idea; it's the execution. The devil is in the details," said Bruce Schneier, a best-selling computer security author and security consultant. "My prediction? Vista will be a smashing commercial success, filled with security vulnerabilities. Microsoft's track record with security is pretty lousy."

Claudiu Popa, a Toronto-based computer security consultant and chief executive officer of Informatica Corp., says Vista's current security features are a positive step but a bit underwhelming.

"I was pleasantly surprised to find that there are some features here that offer the promise of strong support for the kind of best practices I preach on a daily basis . . . but the changes are more evolutionary than revolutionary. Microsoft will not produce a home run with Vista. It will give the market what it needs today: a more secure version of [Windows] XP," Mr. Popa said.

Microsoft is pumping Vista full of advanced security features in the hope that it will be the most secure operating system ever created. It's a steep goal for a company more accustomed to being the punchline of jokes about computer security than a pillar of strength, but Microsoft's general manager of security, Rebecca Norlander, said Microsoft is bending over backward to ensure Vista succeeds.

"I can tell you Vista is our greatest effort on security to date. We're not aiming low here -- we want to be the best," Ms. Norlander said.

Derek Wong, head of security products at Microsoft, admitted the pressure to create something known more for its security victories than failures is high.

"We know that if five years from now we've done nothing, people will be unsatisfied, so we've made an incredible investment of both time and effort into security," Mr. Wong said.

The effort put forth on Vista has been huge but the process hasn't been without controversy. Encroaching delays, project overruns and rumours of staff firings and shake-ups have meant that, on the surface at least, little has changed and many cosmetic features -- for example, on-screen navigation windows that look and behave like real "glass" -- have been dropped.

For Paul Thurrott, editor of Windows IT Pro Magazine, security is the only bright spot in a half-decade-long project dogged by setbacks.

"It's a train wreck. There has never been a software project as mismanaged as Windows Vista," said Paul Thurrott, editor of Windows IT Pro Magazine. "[Microsoft] publicly announced it, 'This is going to be the kitchen sink,' and unfortunately, they did not live up to their promises. Security is the only aspect of Windows Vista that is dramatically better than what they originally promised."

Ultimately, perhaps the biggest problem Microsoft will have to solve with Vista is how to combat human nature, since all the programming in the world can't prevent a user from clicking "Yes" when a suspicious program asks to install itself on his or her machine.

Mr. Schneier calls it the phenomenon of the "dancing pigs."

"People are terrible about making security tradeoffs. If you give a naive user a choice, such as, 'If you want to see the dancing pigs, you could be compromising your machine,' most users will choose the dancing pigs over security every time," Mr. Schneier said.