Security Vendors: Microsoft is making Vista Too Secure

McAfee today joined Symantec in complaining about Microsoft making Windows Vista too secure, making it difficult for them to rootkit the OS to do their security voodoo. The arguments are centered on two main complaints, which I will attempt to translate into the pecuniary terms they really represent:

PatchGuard prevents us (the security vendors) from rootkitting Windows Vista. PatchGuard is a technology introduced with the AMD 64-bit versions of Windows Server 2003 and Windows XP two years ago, and which also exists on Windows Vista. It prevents software running on the system from hooking certain kernel structures and replacing them, including function hooking. Function hooking is typically used to wrap something around a call to a function. For instance, let's say you wanted to prevent a particular file from showing up when a user lists the contents of a directory. You could hook the function that provides the output of the directory listing so that the call gets routed to your function instead. Your function then calls the original, but modifies the output to your liking, in this case simply removing the file you wanted to hide. The same technique can be used to inspect calls that create files and prevent certain files from being created. The security vendors have been hooking these types of functions on 32-bit operating systems for years to provide some form of intrusion detection service. On 64-bit platforms with PatchGuard this no longer works. Of course, not being able to hook kernel functions will make it much harder for malware to do it as well, thus lessening the need to detect malicious activity. However, that would also lessen the demand for third-party software to detect malicious activity, which is really McAfee's and Symantec's core problem. In a sense, they have built their business on protecting users of Windows from Microsoft, and Microsoft healing the patient cuts into their business doing the same. As Microsoft's Security Chief Ben Fathi said, the security vendors want Microsoft to "keep the patient sick," and by extension, keep customers at risk, so that the security vendors can keep charging for the healing.
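As an added illustration (not code from this post, from Microsoft or from any vendor), the following Python simulates the mechanism described above: a dispatch table of service routines, a hook that wraps the directory-listing routine to drop one entry from its output, and a PatchGuard-style integrity check that fingerprints each table entry and reports the one that was replaced. Everything runs in user mode on a constructed sample file system; the table, the routine names and the check_integrity helper are assumptions standing in for real kernel structures.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample "file system": directory path -> entries (not real data).
SAMPLE_FS: Dict[str, List[str]] = {"C:\\Windows\\Temp": ["readme.txt", "update.log", "hidden.sys"]}

def list_directory(path: str) -> List[str]:
    """Original service routine: return every entry of a directory."""
    return sorted(SAMPLE_FS.get(path, []))

def create_file(path: str, name: str) -> bool:
    """Original service routine: add an entry to a directory."""
    SAMPLE_FS.setdefault(path, []).append(name)
    return True

def make_table() -> Dict[str, Callable]:
    """Stand-in for a kernel dispatch table: service name -> routine (an assumption)."""
    return {"list_directory": list_directory, "create_file": create_file}

def table_digest(table: Dict[str, Callable]) -> Dict[str, str]:
    """Fingerprint each entry by hashing the bytecode of the routine it points to."""
    return {name: hashlib.sha256(fn.__code__.co_code).hexdigest() for name, fn in table.items()}

def install_hook(table: Dict[str, Callable], name: str, hidden: str) -> None:
    """The wrapping the post describes: route the call to a new function that
    calls the original and edits its output (here it drops one entry)."""
    original = table[name]

    def hooked(*args, **kwargs):
        return [entry for entry in original(*args, **kwargs) if entry != hidden]

    table[name] = hooked

def check_integrity(baseline: Dict[str, str], table: Dict[str, Callable]) -> List[str]:
    """PatchGuard-style check: list entries whose fingerprint no longer matches
    the baseline taken while the table was known to be clean."""
    current = table_digest(table)
    return sorted(name for name in baseline if current.get(name) != baseline[name])

def demo():
    """Baseline, hook the listing routine, then return (before, after, tampered)."""
    table = make_table()
    baseline = table_digest(table)
    before = table["list_directory"]("C:\\Windows\\Temp")
    install_hook(table, "list_directory", "hidden.sys")
    after = table["list_directory"]("C:\\Windows\\Temp")
    return before, after, check_integrity(baseline, table)

if __name__ == "__main__":
    before, after, tampered = demo()
    print("clean listing:   ", before)
    print("hooked listing:  ", after)
    print("tampered entries:", tampered)
```

The untouched create_file entry is not reported, which is the point of checking against a known-good baseline rather than flagging every table entry.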

The second issue the vendors are complaining about is the Security Center, which first shipped in Windows XP Service Pack 2. In Windows Vista, instead of allowing vendors to disable Security Center, as they do on Windows XP, Microsoft made it extensible and gave vendors API hooks to harvest information from it. However, this means that, fundamentally, Microsoft still controls the security experience in Windows. That is where the rub lies. When users see something related to security in Windows, Symantec (and McAfee) want them to see a Symantec (or McAfee) logo at the same time so they know that it is Symantec (or McAfee) that protects them, not Microsoft. They are not really providing different functionality; they just don't want users to think Microsoft is responsible for their security. Again, the vendors are building a business on protecting Microsoft's customers from Microsoft's screw-ups, and they can't keep doing that if customers keep seeing that Microsoft is actually doing some of the protecting. Not being able to hide the fact that Microsoft is providing protection is a threat against the security vendors' current business model.

It is a sick ecosystem indeed where we have third parties complaining because the first parties are helping their customers be safe.

Published 04 October 2006 12:24 PM by jesper

Comments

# Roger said on 04 October, 2006 03:52 PM
Jesper, thanks for continuing to blog. I'm not fully informed on this issue as it feels more political than technical. Maybe you can help me respond to one question. Aren't some people making an argument that PatchGuard is already circumvented by the bad guys, so Microsoft is only locking out the good guys?
# Steve said on 04 October, 2006 04:20 PM
Putting aside claims of multi-million dollar gains on both sides, let's look at the security questions.

1. Is it good that Microsoft turns off the kernel hooking feature?
   a. Yes. This is good as long as it reduces the cost of me operating my system in the long term. I don't care who gets my money (Microsoft vs. Symantec) as long as I am protected better with less money.
   b. No. This could be bad, as when Microsoft prevents other vendors from protecting its kernel, it had better do a good job or there will be no other people working on how to defend it.
   c. So we have fewer threats, lower cost and fewer people/organizations looking at how to defend the system when a person breaks it.
2. Will changing the security of an operating system change the business models of software producers?
   a. Yes. Anti-virus, video games, tax software, Digital Rights Management content producers, security consultants and spyware vendors all have a lot to gain or lose over the level of security in an operating system. Too tight, and they are all removed from the software ecosystem. Too loose, and they can't function at all as the base OS is non-usable.
   b. So, it is all a spectrum. When we move it, we disturb the software ecosystem.
3. Could Microsoft make the transition easier?
   a. Yes. They could allow these people to put their logos in the Security Center.
   b. No. If Microsoft is bug free, these vendors need to adapt to a new business model, as only people who purchase these services due to habit will stay around.
   c. So, besides cosmetic changes, unless the operating system grows in functionality, the only other place to focus is on securing their current functionality.
4. Will this sell more Microsoft OSs?
   a. Yes. Usability will rise. Then I won't have to watch those annoying/untrue Apple commercials about how unsafe Windows operating systems are.
   b. No. Vista may spur the Linux business, as software vendors may find the change to a web-based business easier now that they have to re-write their software for a new operating system (Vista) anyway. These large groups may write applications that run on LAMP systems. Since most of the processing may move off of the desktop, people may not care what OS they have, since people buy applications (functionality), not operating systems.
   c. So we can't tell.
5. Are these changes OS functionality creep?
   a. No. It is so much easier to claim that Media Player or IE is function creep rather than "fixing my code that won't currently work in today's environment". Otherwise you are claiming that a broken OS is the current feature and that fixing it is changing the scope of an OS.
6. Does the integrity of ring 500 of the Vista OS and its protections from administrators disturb me?
   a. Yes. As an administrator, I feel that we are one more step closer to a computer that will over-ride people's judgment, and our requests can be denied. Then again, at the advent of the operating system doing automatic process memory isolation, I felt the same way: if I wanted to examine or adjust kernel memory, I am the owner of the system and should be able to. Otherwise, I don't control the machine; the OS does.
   b. No. Most users don't want or need that level of control. They want a system that just works. Most people don't know what administrator rights are and will opt to see the dancing pigs. It is better to make computers safe, just like mandating that users have headlights in a yearly inspection.
   c. So, it is scary to give up control. People will do it as long as they can trust the person/thing they give control to. Just please don't set the philosophic precedent that some future intelligent machine will decide that its administrator can't be trusted. I don't need terminator robots chasing me because of a disagreement with a security setting.
# jesper said on 04 October, 2006 05:40 PM

Roger: There have been a few reports about people bypassing PatchGuard, but as far as I know, they have all been blocked now. That does not mean new ones won't come up though. That being said, this is a moving target, like Steve says (I think). If you secure it, it will change.

# Steve said on 04 October, 2006 06:59 PM
Jesper, Yes, I agree. Sorry for the verbosity.
# Dan Halford said on 05 October, 2006 03:14 PM
A while ago, Nottinghamshire Police (in the UK) complained that their fancy new digital speed cameras (one set read your registration plate on the way in, another set on the way out, working out your average speed) were so effective in reducing speed that the revenue from fines had dropped to almost nothing, meaning that the cameras were now running at a loss. For this reason, they suggested shutting them down. Why is this relevant? Well, Symantec and McAfee have a similar mission statement to the Police: "keeping you safe". But the organisations' raison d'être is not security - it's making money. Vista's security threatens their user base and revenue model. It's easy to see why they'd be worried.
# Al said on 05 October, 2006 06:48 PM
Let's be fair here - Microsoft is in it for the money, too. And both issues seem to have the feel of Microsoft starting to elbow out the competition. That being said, McAfee and Symantec's argument against PatchGuard seems a bit weak to me; however, I am more open to their points regarding Security Center. If Microsoft can beat the 3rd-party security vendors at their own game (with regard to product quality, innovation, and/or value), then good for them. Personally, I don't see it happening regularly anytime soon. Jesper, thanks for taking the time to blog. I really enjoy your perspective and insight.
# jesper said on 05 October, 2006 09:33 PM

Al, of course, yes. Microsoft is obviously in it for the money, and don't think for a second that they would do something for the pure goodness of it without at least a remote chance that they would get the money back some way, somehow. That said, I am not convinced that Microsoft is in it to take away revenue from Symantec and McAfee; to compete with the anti-* vendors. It is more likely they are trying to get better at security to avoid having their own revenue stream taken away by someone else. It is not so much a matter of adding revenue in this case as it is not losing it.

Oh, and thanks for the good feedback!

# ASB said on 08 October, 2006 08:35 AM
Jesper, thanks for another source of information on this... And keep having fun in your post-Microsoft existence... :)
# Susan said on 09 October, 2006 07:39 PM
An interesting counter to this is the thoughts by Joe Wilcox about the 64-bit platform - http://www.microsoftmonitor.com/archives/2006/10/shooting_stars.html - will it have enough of an impact to really matter? I know that in my own firm and personal computing, I am not running 64-bit at this time and don't see going there other than for beta testing and whatnot in the near future. But all it takes is one read of this: http://www.securiteam.com/windowsntfocus/6Z0032AH5U.html Ask ourselves... given that history... that track record... should they have access?
# Alun Jones said on 10 October, 2006 10:52 AM
The difference between Microsoft making money off their OS, and Symantec / McAfee making money off Microsoft's OS is clear. Microsoft make money if the system is more secure, more usable more of the time. Symantec and McAfee make money if the system is less secure, less reliable more of the time. It is a little like Red Hat with their "we don't make money selling the OS, we make money selling support and consulting": while the initial intent may be a good one, you have to realise that the monetary pressure (which is a strong driving force in most companies) is pointing in a direction that is counter to your best interests as a consumer. Red Hat will obviously make more money if the OS they ship is a mess that needs lots of support and customisation; Symantec and McAfee will make more money if they can convince you that your OS is insecure; Microsoft will make more money if they can convince you that you'll get more use out of your OS.
# *** Carlson said on 10 October, 2006 04:15 PM
What you're seeing here is not at all unusual -- if it didn't rain, I wouldn't need an umbrella. Look at the HMO model, auto insurance, or even getting married. (I'll wait here for some of you to catch up. All done? Good!) As a member of the MS hive, my views on this have certainly changed from my pre-Borg experience. There's really nothing that says because you have an existing business model that's working, you are guaranteed it will continue to. This applies to Detroit Autoworkers, home-based web designers, and all manufacturers of buggy accessories. Things change. It would be great to see some of these companies change their focus to OTHER areas where our product is still suck -- lacking. Not a security problem, but certainly something that would make me want to send money.
1. Improved UI and interface experience
2. Integration with other common tools and experiences
3. Faster, smoother, cooler experience
Many of our existing products would be a ripe garden for the picking.
# Bravehart said on 13 October, 2006 10:25 PM
Dear Jesper. The reason I do like to switch to Vista is because of the third party alteration ability of the OS in XP! Particularly McAfee! Do not get me wrong, they "protected" me for many years. As your article mentions, they like to take the credit? But as you wrote they use "hooks" and there is where the problem lies! When you disable some features of their program, Windows is not able to take back or remove the hooks (which they leave in place)! Now you're worse off than before (no protection or, worse, instability)! McAfee tells me what is best for me, and so do the others; they do not ask, or tell you what their program really does, nor will they tell you what system resources are affected! That is where PatchGuard is so very important! McAfee & Symantec have become lazy and it is time they became innovative and worked for their money! Please tell Microsoft to stand their ground: NO HOOKS period, or no VISTA. I might as well stay with XP and get screwed by a third party claiming to protect me? Yours Truly R. V.
# Al said on 19 October, 2006 03:49 PM
So, does anyone know more details of this latest development? http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1224622,00.html?track=NL-358&ad=566751USCA&asrc=EM_NLN_650089&uid=1345032 I'm kind of surprised that Microsoft relented on PatchGuard, at least according to what the article states.
# OS said on 23 October, 2006 05:43 AM

"In a sense, they have built their business on protecting users of Windows from Microsoft, and Microsoft healing the patient cuts into their business doing the same. As Microsoft's Security Chief Ben Fathi said, the security vendors want Microsoft to "keep the patient sick," and by extension, keep customers at risk, so that the security vendors can keep charging for the healing."

An analogy with the medical world is used here. I think in that world it's common that you don't take the opinion of one single doctor. Your regular doctor cannot prevent you from taking the opinion of others. Your regular doctor can't prevent you from choosing another doctor, another hospital. You can even take the opinion of a complete consortium of doctors and pick the best there are to do the job. Do you really want your life to be in the hands of the one doctor with the bad track record, based on his promise that he's now rehabilitated?

# micaman said on 09 November, 2006 02:31 AM

This is really funny when you think about it. For years, the security vendors have been blasting Microsoft for not securing Windows better. All the while, selling consumers products that they can hardly understand or operate. As a security consultant, both for companies and consumers, I sell and install several different brands of security products (McAfee the most) and services. Once I get my clients accepting of 1) computer security and 2) committing the money, they simply cannot relate to the screens, instructions and the whole nine yards of security software. This is no fault of consumers, but more of one for the security vendors! They are at fault for not making security easier by now. How long did they think they would have to build a loyal customer base and to invent something new? How long did they think software would be insecure? And how long did they think they could sell consumers products that they don't understand? Which puts machines at more of a risk, because consumers approve the wrong things or they turn them off or quit updating them. I have come across hundreds of machines over the years that, when I open the security programs that they have installed, say "153 days since last updated" or something to that effect. This is crazy. If Microsoft can build a better mousetrap - they should do it! And who is stopping "Norton and the lot" from building their own OS to secure? Just think if we told General Motors not to provide lock & key to their cars 'cause the locksmith companies are depending on them for income. We are supposed to be moving towards advanced technologies, and to do this, we need Microsoft or whoever will do it - to move us forward. Vista is a move forward. And yes, Vista will have flaws and we security people will be needed all the same. Vista is the stepping stone we need to bring us to the true technology of tomorrow.

# John A Thomson said on 14 November, 2006 03:19 AM

Nice post Jesper.

I listen to McAfee and Symantec whinging and think that if their products had actually done the job properly over the years then there wouldn't have been a need for Vista! Now that their years of less than effective products, or should that be bloatware, have come back to haunt them, they start to complain when Microsoft does a good job on hardening the operating system.

On a final note, no self-respecting IT professional would ever run any products from McAfee or Symantec! There are far better security products out there that are more effective and in many cases cheaper.

# Thomas said on 26 November, 2006 02:55 AM

"On a final note, no self-respecting IT professional would ever run any products from McAfee or Symantec! There are far better security products out there that are more effective and in many cases cheaper."

Do you really stand by a statement like that, John?
