Vista Security

A while back we had an interesting discussion concerning the pro's and con's of Vista's security measures focused mostly on the UAC. Unfortunately that thread was pulled for unknown reasons, since we could add this article quit properly

Neowin.net - Vista's Security Rendered Completely Useless by New Exploit

 

[dmex]

A while back we had an interesting discussion concerning the pro's and con's of Vista's security measures focused mostly on the UAC. Unfortunately that thread was pulled for unknown reasons, since we could add this article quit properly

Neowin.net - Vista's Security Rendered Completely Useless by New Exploit

One thing about the article and demonstration application I found retarded was how they where saying they bypassed DEP protection and UAC used in Internet Explorer by Active Scripting...Well if you have physical access to the machine you can do anything, Thats been an established fact for way over 20 years plus DEP used by internet explorer is disabled by default and thats all thanks to Sun Microsystem`s (Java) and Adobe`s (Flash) being non-compliant so Thank SunMicrosystems and Adobe for that entire attack vector possibility...That is not Microsoft`s fault and can be turned back on very easily, They also mention it applys to every operating system including OSX and Linux...

These techniques require a really severe system vulnerability within many core compents to be used remotely so Im not concerned about that since they are all protected and patched unlike XP... DEP can be turned on in Internet Explorer so it kinda throws that argument they used out the window...If your using UAC and Internet Explorer and ProtectedMode is On then it uses a Guest account for running code (aka Sandbox) so thats another fault with the belief its vulnerable...

Like I said before if you have Physical Machine access you can do anything regardless of the amount of security you place on the machine they are just re-engineering a century old exploit (physical machine access)

They should have there facts strait because the issues they have raised have allways been possible and apply more to OSX and Linux than Microsoft Windows, They just want to bash them around to get more publicity about physical access issues and so called "new" attack methods used by a hypervisor (aka Virtualisation)...

 

[WildEagle]

Here's something else you must remember, IBM did a study within the past couple of months, and they determined that the rise in attacks is due to security researchers posting their information on the net and other news sources right away.

These guys like DMEX said, just want to bash Microsoft, and try and plant the OS 6 feet in the ground. A couple of years ago, it was revealed that Linux and Linux based OS'S when compared to Windows, actually have more security holes, and those security holes to this day still haven't been fixed that I know of.

 

[Bare Foot Kid]

@dmex, well said, Thank You!

I get tired of these complaints about UAC and DEP.
I just spent the last hour trying to help someone that got 'infected' because
they had disabled UAC. (and this persons not a noob)

If you don't like UAC and DEP don't use it; but PLEASE stop trying to convince
others, 'common users' that visit these forums not to use it.

WE'RE TIRED OF CLEANING UP YOUR MESS!


Later Ted

 

[WildEagle]

Bare Foot Kid, I agree with you. Dmex, you said the truth.

I'm tired of seeing people coming here and posting garbage like on that link that the OP posted, and then as BFK, as I will call him said, seeing people come here with UAC and DEP disabled and having to clean up that mess that people have as a result of UAC and DEP being disabled.

What I would like to really say, would get me in to trouble.

As a result of my having UAC, and DEP enabled for IE7, Vista 64, and having XD Technology, which is hardware DEP enabled, along with my internet security package, I have avoided a lot of junk.

I'm no expert on computer security or Vista, but I do get sick and tired of people coming trying to convince other's not to use UAC, and then come back when they have a various or other malware problem, because somebody got stupid and disabled UAC and DEP.

 

[petrossa]

Microsoft Windows, They just want to bash them around to get more publicity about physical access issues and so called "new" attack methods used by a hypervisor (aka Virtualisation)...

Sorry i am not a ms bashingtroll, just trying to discuss things somewhat reasonably. For those concerned with security it should be imho more prudent to not to rely on security measures in a general purpose OS too heavily. Logically in such a system they are the lowest common denominator between usability and security.

What is said and properly so is that the basic design of general purpose os's is flawed as far as security risks go. I am just conscious of the observed fact in my surroundings that there is a certain tendency to just accept that current level of protection in (mostly) vista is failsafe. Like, oh well i have dep and uac so i'll go take a nap.

I am of the opinion that proper security is not solely enforced but enlightened. Proper education, instruction and a modicum of enforced control are maybe more labourintensive but in the long run less frustrating

It would be maybe better not have pavlovian reactions such as written further on it serves no real purpose and just makes the thread degrade into a waste of time.

 

[Bare Foot Kid]

Then PLEASE, stop wasting our time ...











Later Ted

 

[dmex]

Microsoft Windows, They just want to bash them around to get more publicity about physical access issues and so called "new" attack methods used by a hypervisor (aka Virtualisation)...

Sorry i am not a ms bashingtroll, just trying to discuss things somewhat reasonably.
It would be maybe better not have pavlovian reactions such as written further on it serves no real purpose and just makes the thread degrade into a waste of time.

I wasn't talking about you Petrossa....I was talking about the IBM and VMWare researchers who would rather cause FUD (Fear, Uncertainty, Doubt) about Microsoft and mainly all about Vista...when the OS security issues they have raised affect all Operating Systems (Linux, OSX, and Unix) by means of physical access and will not affect anyone


A waste of time is saying I should not have a quote "pavlovian" (fixed behavioral reaction) to discuss and write about a Vista article on a Vista discussion forum when you posted it here for others to discuss

I just mentioned my thoughts on the article because its factually incorrect and has no remote security threat plus it looks purly designed to attract publicity by only attacking Microsoft using a physical method of exploit that affects every Operating System

 

[petrossa]

I wasn't talking about you Petrossa.
A waste of time is saying I should not have a quote "pavlovian"

and i wasn't talking about you there Dmex .
More about the angry attacks in the rest.

I also believe ( when i saw IBM as source) it's using a general problem as FUD to bash MS.

But what i wanted to introduce, as in the last discussion which also got polluted, is a sane discussion about security measures. As, unfortunately, MS did choose to patch rather then rebuild Vista, i believe that one should consider other ways of security then to rely on the stopholes introduced with uac and dep.

Imho it gives a false sense of invulnerability which can (and will) leave systems with vistaclients wide open to another (i am very sure) attack bypassing those protections.
Your argument that they need physical access is (perhaps) true at the moment but one day or another the obligatory government backdoors are going to be found, or some adolescent with to much time on his hands finds a similar way in.

The whole point of my opening this thread is to have a discussion about ways to secure systems other then just adding yet another stopgap.

One must be able i hope to rationally discuss these things. I come here because i found this forum to be populated by professionals mostly, why not have a professional, courteous discussion?

 

[johngalt]

While I applaud your intentions petrossa, you must also remember the adage "The road to HE|| is paved with good intentions." Posting an article like that in a forum dedicated to serving the Vista community will almost always be regarded as inciting, as much so as Everlong18's current avatar would have some Apple owners in uproars if he were to use it in an Apple dedicated forum.

Having a discussion on security is a good thing - but where do you want to start? More to the point, *what* do you want to discuss? Laying down the foundations of what you want rather than just posting an article would be of muc hmore use to the forums, and would engender much more (civil) discussion.

And, don't worry, even though I love my Vista, I am weilding a nice, sharp knife to cut out posts that get too fan-boyish.

 

[petrossa]

Having a discussion on security is a good thing - but where do you want to start? More to the point, *what* do you want to discuss? Laying down the foundations of what you want rather than just posting an article would be of muc hmore use to the forums, and would engender much more (civil) discussion.

I read the article for its worth, i am not pro/con any company/software. The general content of the article in my view exactly matched points i made here earlier about inherent design choises/flaws which makes that unfortunately my great hope Vista became less usable wilst not adding real security.

What do i want to discuss...

As i believed lots of professional system managers log in here to get a sort of brainstorm of experiences from which to destill a viable, easy to manage, secure system which works not by denying more and more access to the os. I mean, isn't there a way which makes more sense then to purchase a multitasking os filled to the brim with features and then filetting out the use of those in the name of security?

With Vista i was very well pleased from a personal use view. I personally dont need security like Vista offers and do well without it. However writing software taking uac and dep into account is as building a zero emission car which runs on containership fuel oil.

I am now writing a replacement for the task scheduler interface, the xp version runs already perfectly, but the effort i have to put in to get the vista version up and running......

Isnt there a better way then priviledges, access levels, user account restrictions. Arent we stuck in a way of looking at the problem derived from the olden days where platformrestrictions forced us into this form of accesscontrol?

 

[Bare Foot Kid]

One must be able i hope to rationally discuss these things. I come here because i found this forum to be populated by professionals mostly, why not have a professional, courteous discussion?

Because, as you put it -IMHO- I believe you intentionally posted that article
here to inflame and foster FUD; to continue an earlier discussion
you knew got out of hand and was removed, as I'm sure this one will get out
of hand and end up being removed also, IMHO I believe that is your whole intention!

It would be maybe better not have pavlovian reactions such as written further on it serves no real purpose and just makes the thread degrade into a waste of time.

What more do you expect with an inflammatory remark like this!



Later Ted

 

[SCSIraidGURU]

The admin at PlanetAMD64.com states this affects all OS: Windows and Linux.

As a senior network engineer with 25 years experience. I have seen more virus and exploit threats in the last 5 years than the previous 20 years. I think we need all the governments to get together to deal with all the threats. I don't blame Microsoft. I blame the lack of tracking these idiots and the light prison sentences given to hackers. I just busted a hacker last year. He did no damage. He ended up with getting his father fired for using his laptop to commit the crime. He can't use any cell phone or computer device for 5 years. So no college for him and many other costs.

Microsoft can't find all the problems. Look at the DNS issues on the internet. ISPs could install devices to detect viruses and stop them. They can adopt BATV (Bounce tag address verification) to stop pirated e-mails. Install intrustion detection modules on routers to detect issues before it gets to a network. I am looking at a new HP switch with threat technology for next year's budget.

I just had my first serious virus attack at home in 25 years. It took 4 days to fight off. I think more can be done by ISPs and governments. At work I block most of Asia, Russia, Mid East, Africa, and South America from accessing our network. I block their ISPs and IP ranges. I wish I could do that at home. Israel, Russia, and China are my three largest supplier of threats. India is catching up. Comcast up to a year ago was the worst in the US. They cleaned up their act. I like they block traffic for illegal downloaders.

When will be have a major attack that takes down the internet for weeks?

 

[dmex]

When will be have a major attack that takes down the internet for weeks?

That has almost happened a fair too many times over the last few years

Major attack hits internet's 'root' servers - electronic-threats - 07 February 2007 - New Scientist Tech

This one in 2002 came very, very close taking down 9 of 15 (2 hidden) root servers..

Internet's foundations shaken by attack - 23 October 2002 - New Scientist

Without the rootservers most internet traffic would never reach its destination...

 

[SCSIraidGURU]

How many don't we hear about. I am adding more network hardware for worms, trojans, and viruses to the network. We are talking $30,000 in security hardware.

 

[WildEagle]

The admin at PlanetAMD64.com states this affects all OS: Windows and Linux.

As a senior network engineer with 25 years experience. I have seen more virus and exploit threats in the last 5 years than the previous 20 years. I think we need all the governments to get together to deal with all the threats. I don't blame Microsoft. I blame the lack of tracking these idiots and the light prison sentences given to hackers. I just busted a hacker last year. He did no damage. He ended up with getting his father fired for using his laptop to commit the crime. He can't use any cell phone or computer device for 5 years. So no college for him and many other costs.

Microsoft can't find all the problems. Look at the DNS issues on the internet. ISPs could install devices to detect viruses and stop them. They can adopt BATV (Bounce tag address verification) to stop pirated e-mails. Install intrustion detection modules on routers to detect issues before it gets to a network. I am looking at a new HP switch with threat technology for next year's budget.

I just had my first serious virus attack at home in 25 years. It took 4 days to fight off. I think more can be done by ISPs and governments. At work I block most of Asia, Russia, Mid East, Africa, and South America from accessing our network. I block their ISPs and IP ranges. I wish I could do that at home. Israel, Russia, and China are my three largest supplier of threats. India is catching up. Comcast up to a year ago was the worst in the US. They cleaned up their act. I like they block traffic for illegal downloaders.

When will be have a major attack that takes down the internet for weeks?

Sorry to say, they can't anymore. The FCC smacked them down for violating current net nuetrality principles(in effect laws), and in effect what Comcast was doing is illegal. The FCC is still trying to decide what fines if any Comcast will get.

 

[SCSIraidGURU]

I wrote a letter to the FCC in support of allowing Comcast to block illegal download activity under US copyright and patent law along with DRM.

 

[WildEagle]

What triggered this, was that Comcast was also blocking legitmate P2P activating, ie companies transmitting through P2P, stuff like free software.

I don't agree with DRM, companies need to change their business models if they expect to survive in this day and age. The old business model like the record companies have doesn't work anymore. Sticking DRM in everything is not the way to go.

Sadly if these companies would go after active pirate groups, instead of the little guy all the time, this mess with DRM that exists in this country would exist.

 

[SCSIraidGURU]

The problem is you can't tell what is legal and illegal P2P activity.

 

[WildEagle]

That's part of the problem. I can understand wanting to ensure bandwidth for all subscribers, but not at the cost of blocking legitmate P2P traffic, which some companies use to distribute free software, to get their products on the market.