According to a news story at IT Pro, malware writers are doing a better job of making their code Vista compatible than the developers of the security software meant to protect users of the soon to be released operating system. Rene Millman reports that Tim Eades, a senior vice-president at security company Sana Security, reckons no less than 38% of malware is Vista friendly, if that’s the right word.

The fact that Microsoft has changed core pieces of the Windows architecture for Vista has meant that the security industry has found itself having to reengineer code rather than simply tweak it as usual. The result a longer than expected delay in getting product ready to ship, and a nice window (excuse the pun) in which crimeware coders can use the Windows Hardware Quality Labs lists to ensure that their much simpler code does work. It’s a catch 22 situation, and it’s the end user, early adopter of Vista that is likely to get caught.

So, will I be one of those early adopters? Will the laptop I am currently researching as a replacement for my Sony sub-notebook with the thumb pad I have completely worn away and the keys that are not far behind it in the component graveyard, be loaded with Vista? No, sorry, not me. I have a test machine with Vista running, and have had since the early Betas (all legit, technical review copy supplied by Microsoft to keep journos such as myself up to speed with developments) but will not be letting a ‘live’ machine, a mission critical one, a machine that’s not sandboxed off the network anywhere near it for a while yet.

How long? Well at least until Fiji, also known as Windows Vista Service Pack 1, arrives in the summer. The very fact that work is underway, based upon the test data from the extensive enterprise adoption of Vista, on a service pack before the consumer launch of Vista even takes place does not do a great deal for instilling me with confidence that it would be a good choice just now.

You know something else that does not fill me with good cheer on the Vista security front, and call me a paranoid hippy if you like, but the fact that the National Security Agency helped to develop some of the security functionality is not a great selling point here. According to reports in the Washington Post the NSA provided a Red Team of hackers for penetration testing and a Blue Team of security experts for configuration advice.

Sorry, but as soon as the No Such Agency gets involved with an operating system that is predicted by certain analysts to have 600 million users by 2010, then I start to worry. As someone with a long memory when it comes to US security agencies chasing down advocates and developers of privacy technology, anyone remember Phil Zimmerman, I am not exactly enamored by the thought of the Grand Master of Secret Squirrel organization, the NSA, being allowed to dig deep into the Vista OS on the pretence of making us more secure.

I could be wrong, I hope I am. But maybe I am not, and maybe it is just one more reason to start thinking outside of the Windows box. Literally.

jbennet 1,618

didnt the NSA design SELinux?

And don't the security firms have access to the same beta and prerelease versions you do (and early access versions of development tools for Vista)?
Seems someone's looking for something negative to say about Microsoft, as usual.

Lets face it; it seems to be little in the way of a challenge to find something negative to say about MS. There are definately plenty of positive things to say, but as in most cases, that doesn't tend to hold interest for quite as long... Microsoft get it pretty rough, but that's not suprising considering the size of their user base.

There's really no excuse for the security problems that riddle MS products. A big problem is the difficulty in integrating third-party security software at any level below the same level that any virus could potentially gain access to, and a blatent lack (in recent products) of good core security.

Perhaps MS are a bit worried about implementing comprehensive security at-or-below the OS level, in case the companies that work specifically in security software throw a case similar to the media player monopoly fiasco not so long ago.

There shouldn't really be a 'choice' or 'variety' in how to protect a system.

I would like to see an unstoppable background guard that specifies access permissions on a per-folder/file/process basis. There shouldn't be an API that allows third-parties to control the guard, disable the guard, or even sense the guard exists. It would obviously require a drop of intelligence from a user, as no program would be able to manually set up the guard for the program's normal access. The system wouldn't ever need to generate questions that were too uncomprehnsible. Think along the lines of, when you try to save a Word document into a folder you've never saved a Word document into before; the guard asks "Microsoft Word is attempting to save a file into the folder X:\Y\Z. Allow this once? Allow this always? Deny? Investigate?". Restricting everything until an un-synthesizable user action confirms that a certain individual process or compound process is permittable in every explicit situation, even if the answer is "Always Allow"; would certainly make me feel safer.

MS had something like this in Windows XP, but it was implemented at a relatively high level, and didn't permutate the entire system well enough to qualify as real security.

If Vista's just a prettied up WXP with a better API for third party security integration and no attempt on the part of MS to enforce their own system's boundaries; I'll never be getting it.

"There shouldn't really be a 'choice' or 'variety' in how to protect a system. "

There should be. What you're saying is equivalent to saying that everyone should be required by law to wear a bulletproof vest 24/7 because someone might fire a gun and you might be hit, same for a fireretardent suit because there might be fire somewhere, complete crashprotection because you might get hit by a car or fall and break something, etc. etc. etc.
You should also have a government dictated diet, listing exactly what you should eat and drink and when to do so, all in the name of protecting your health.

People should take their own responsibility, not have the government dictate whatever they must do.
That's the communist way, the abandonment of all personal freedoms.

The problem isn't that there's a lot of negative things to say about Microsoft, but that there are a lot of things that are made out to sound negative and a lot of things that are just sucked out of someone's big thumb to make up a negative story about them.
It's 90% jealousy combined with 10% lack of understanding.

It's got absolutely nothing to do with government legislation.

Windows is a very closed system; with pretty much everything running on the system being on the same priviledge level. Having it possible for security software to be contravened by viruses is a very weak idea.

The only way to really protect the application layer and data layer is not software running at the application level. It's having software running below the accessible application layer.

Because Windows is a closed system*; it's difficult for third party security software to be truely efficient. Live heueristic AV scanning feels like the mechanical equivelent of pouring concrete through the gearbox; and if security software can be installed it can almost certainly be uninstalled or compromised.

I don't think anyone here is jealous of Microsoft; they're certainly on a different level to me. Speaking as a programmer who wouldn't even use a computer if it wasn't for Win 3.11, it'd be like being jealous of God.

*Letting security software developers have better information access; even being able to 'see' the source code doesn't constitute as the system being unclosed. Every sold version ships closed; and I doubt whether MS would risk another competition/favoritism enquiry if they 'picked' a good solution by another party and let that have more authoritative priviledges than every other solution.

> And don't the security firms have access to the same beta and
> prerelease versions you do (and early access versions of development
> tools for Vista)?

Indeed, and what has that got to do with anything?

This posting picked up on the fact that malware vendors are ahead of the game as far as making their code compatible with Vista when compared to the security vendors.

It also picked up on the fact that Microsoft brought in the NSA to help them with the security of Vista.

The former is not something bad to say about Microsoft it's a straightforward reporting of some news.

The latter is an opinion, and one shared by many, that involving the NSA in operating system security development leaves a bitter taste in the mouth (and mind) of those who worry about privacy.

As for me not using Vista on a mission critical machine, would you? I don't use any new OS on mission critical machines until the initial bugs have been fixed, so at least until SP1 is out. And that is Microsoft bashing how exactly?

> Seems someone's looking for something negative to say about
> Microsoft, as usual.

Seems someone's looking for something negative to say about a posting that does not drop down onto its knees and praise Microsoft without hesitation. As usual.

This is a blog that mixes news, analysis and opinion. It is not the Microsoft Appreciation Society, nor is it the Microsoft Haters Club. It will remain that way...