[ISN] Windows Vista: High hopes, low expectations

From: InfoSec News (alerts@private)
Date: Fri Aug 04 2006 - 09:48:35 PDT


http://www.theglobeandmail.com/servlet/story/LAC.20060803.TWVISTA03/TPStory/Business

By RAF BRUSILOW
Special to The Globe and Mail
03/08/06

As early test versions of the upcoming Windows Vista operating system make 
the rounds on the Internet, Microsoft Corp.'s approach to any potential 
new security gaffes is becoming apparent: Once more, with feeling.

Windows Vista will be shipped with an entire suite of defensive software 
preinstalled and, among other features, a digital safety net that should 
make it nearly impossible for malicious software to gain control of a 
computer through a user's own blunders while using the Internet.

Though Vista is still in the cocoon stage and thus months away from 
market, the consensus among some computer security analysts and experts 
who have tried out the test versions seems to be that, while hopes are 
generally high, expectations are low.

"Some of what I've seen [in Vista] is really good, but it's not just about 
the idea; it's the execution. The devil is in the details," said Bruce 
Schneier, a best-selling computer security author and security consultant.

"My prediction? Vista will be a smashing commercial success, filled with 
security vulnerabilities. Microsoft's track record with security is pretty 
lousy."

Claudiu Popa, a Toronto-based computer security consultant and chief 
executive officer of Informatica Corp., says Vista's current security 
features are a positive step but a bit underwhelming.

"I was pleasantly surprised to find that there are some features here that 
offer the promise of strong support for the kind of best practices I 
preach on a daily basis . . . but the changes are more evolutionary than 
revolutionary. Microsoft will not produce a home run with Vista. It will 
give the market what it needs today: a more secure version of [Windows] 
XP," Mr. Popa said.

Microsoft is pumping Vista full of advanced security features in the hope 
that it will be the most secure operating system ever created. It's a 
steep goal for a company more accustomed to being the punchline of jokes 
about computer security than a pillar of strength, but Microsoft's general 
manager of security, Rebecca Norlander, said Microsoft is bending over 
backward to ensure Vista succeeds.

"I can tell you Vista is our greatest effort on security to date. We're 
not aiming low here -- we want to be the best," Ms. Norlander said.

Derek Wong, head of security products at Microsoft, admitted the pressure 
to create something known more for its security victories than failures is 
high.

"We know that if five years from now we've done nothing, people will be 
unsatisfied, so we've made an incredible investment of both time and 
effort into security," Mr. Wong said.

The effort put forth on Vista has been huge but the process hasn't been 
without controversy. Encroaching delays, project overruns and rumours of 
staff firings and shake-ups have meant that, on the surface at least, 
little has changed and many cosmetic features -- for example, on-screen 
navigation windows that look and behave like real "glass" -- have been 
dropped.

For Paul Thurrott, editor of Windows IT Pro Magazine, security is the only 
bright spot in a half-decade-long project dogged by setbacks.

"It's a train wreck. There has never been a software project as mismanaged 
as Windows Vista," Mr. Thurrott said. 
"[Microsoft] publicly announced it, 'This is going to be the kitchen 
sink,' and unfortunately, they did not live up to their promises. Security 
is the only aspect of Windows Vista that is dramatically better than what 
they originally promised."

Ultimately, perhaps the biggest problem Microsoft will have to solve with 
Vista is how to combat human nature, since all the programming in the 
world can't prevent a user from clicking "Yes" when a suspicious program 
asks to install itself on his or her machine.

Mr. Schneier calls it the phenomenon of the "dancing pigs."

"People are terrible about making security tradeoffs. If you give a naive 
user a choice, such as, 'If you want to see the dancing pigs, you could be 
compromising your machine,' most users will choose the dancing pigs over 
security every time," Mr. Schneier said.

