May 02, 2006
Good security decisions keep slipping in Vista
I'm a big fan of Vista. I see a lot of potential in the new features and functionality as they relate to security. I love UAC, even though it has a ways to go with its popup dialogs, which are annoying many a beta tester. But this post isn't about the goodness of Vista. I want to take a moment to point out that everything isn't all rosy in the Vista security camp. Much like many security decisions of the past, good security decisions are getting trumped by poor human interaction. And it's really too bad.
People are demanding that UAC be turned off. I just shake my head. End users simply aren't seeing the benefits versus the drawbacks of a few extra dialog prompts. They don't realize just how much safer least privilege really is. Paul Thurrott does a good job of berating the Vista security features in a post on the very subject. Worse yet, Bruce Schneier supports Paul's conclusions, and I think Bruce said it best:
Warning dialog boxes are only effective if the user has the ability to make intelligent decisions about the warnings. If the user cannot do that, they're just annoyances. And they're annoyances that don't improve security.
UAC isn't the only problem. Many readers know I spend a lot of time writing secure code. Not just security-related code, but code designed to be safer and more secure. One of the benefits of languages like C# and Java is that they are type safe. That is a fancy way of saying that programmers can't as easily treat a value as a type to which it does not belong. We have seen a lot of vulnerabilities in the past that trace back to the programming language not being type safe (C, C++ and the like) and the programmers using it incorrectly, opening us up to new risk. When friends and colleagues of mine continue to see this in the field, we shake our heads. Heck, Gary even wrote a good article on the topic in which he points out that Microsoft missed an opportunity with Vista to enforce type safety more broadly. He has a really good point when he says:
I asked Butler why it was that Longhorn (Vista's codename at the time) was not built out of a type-safe language like those available for the .NET framework. He shook his head in dismay and decried the fact that we had let another great opportunity to make a huge impact on computer security pass us by. He said that opportunities like this come only once every decade or so in his experience and that he had seen four attempts to cause widescale adoption of type-safe languages founder on the rocks throughout his career.
The problem, it turns out, is that the .NET builders did not give much thought to providing many of the essential basic building blocks that operating systems construction crews need for their work. Interpreted code has some minor performance issues as well (note that there are many ways to overcome this often overly shrill critique). But the main problem was that the Microsoft OS guys are big C++ users. Getting them to switch over to C# was for these reasons not in the cards.
For those of you that don't know, Gary is referring to Butler Lampson, a legendary computer scientist who has done plenty of great pontificating about security, privacy, software, and technology. Like many superior computer scientists, Butler now works for Microsoft Research.
So we lose out on that opportunity with Vista. We will have to wait another 5 to 10 years for Microsoft's next real advancements to hopefully take advantage of type safety. By then most of the old gearhead C coders will have retired or moved on, and C# will be more heavily adopted in the company. Hopefully. Who knows.
Today I heard on CNET that Microsoft is dropping token support from Vista. Even after Steve Riley came to the community asking what we want out of two-factor authentication, and Bill Gates predicted the death of passwords with the integration of SecurID into Windows for Vista, they have decided to drop it. That's really too bad. The thought of built-in one-time passwords with two-factor authentication really appealed to me.
As Vista continues to be delayed time and time again, we continue to see things get dropped. Now, I respect that security decisions at Microsoft are not easy, and at times it's easier to pull them. But it sure makes it difficult to make decisions on the future of security on Windows when Microsoft keeps moving the goal posts around. We can look at the history of the TCPA/NGSCB soap opera on that one.
Maybe a better idea would be to leave those types of things alone and let ISVs take care of them. Instead of rushing to add all of these into Windows, it would be better to make more generic systems that other vendors with expertise can hook into. Make the GINA (Graphical Identification and Authentication) hooks easier and let RSA, CryptoCard, Authenix etc. build their own support in. And then have Microsoft certify and support it with strong Microsoft logo programs. Quit fighting with Windows Defender and work WITH security ISVs who have expertise in the field, and use their common body of knowledge to apply directly into the Vista system instead of re-inventing the wheel.
A year ago if you had asked me, I would have given Microsoft an A on its report card for its secure software development lifecycle. But as we see the Vista shipping deadlines come and go, I start to wonder. What else is going to be cut before the shipping date? Just where will the security lie by the time Vista goes GOLD RTM? I really hope they don't do anything drastic like turn off UAC or minimize its effectiveness because users demand it. Security will always have compromises, but we need to make sure we don't sacrifice good security decisions to appease the user. We need to think more critically and find ways to simplify the process so the user can benefit from the security decisions without being heavily taxed in having to make the decisions themselves. UAC was not designed to absolve Microsoft from bad security decisions (i.e., "Well, you clicked OK to install that hostile code"), but to notify the users that a privileged operation is about to take place. The problem is, too much of that and the user will gloss over and just stop reading. I think Microsoft is going to need to keep working on that in the coming months to find the right balance.
In the meantime, here is a tip for the Vista users out there right now. If you feel compelled to turn off UAC, DON'T! That's a bad security decision if you ask me. Instead, set the "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" policy to "No Prompt". In this way, when a privileged operation is required it will elevate as required. However, all other apps will run with standard user privileges, and you can turn on auditing to monitor the system a bit better. It's like turning UAC off, but better. Remember though, you are losing the benefit of being notified/prompted when a privileged operation occurs. Of course, above all things I would recommend trying to run with a limited user account and NOT an admin account, and living with the UAC dialogs. After you use Vista for a while you will notice when a prompt will be required (you will see the security shield beside the function), and you can decide if you really need that privilege or not.
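To make the difference between the two settings concrete, here is a PowerShell script added as an example for this page; it is not part of the original post. It reads the registry values that back these two policies and reports whether a machine is in the "UAC off" state the tip warns against, the "No Prompt" state it suggests instead, or the default prompting state, and it offers a function that applies the tip while refusing to disable UAC itself. The registry path and value names (EnableLUA, ConsentPromptBehaviorAdmin, with 0 meaning elevate without prompting) are the well-known backing values for these Group Policy settings; that mapping is my assumption, not something stated in the post.

```powershell
# Added example, not from the original post: audit the local UAC configuration
# and apply the post's tip (silent elevation) while keeping UAC turned on.
# Assumptions: the two policy values live under the well-known key
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
#   EnableLUA                  1 = UAC on, 0 = UAC off entirely
#   ConsentPromptBehaviorAdmin 0 = "Elevate without prompting" (the "No Prompt" setting)
# Any other ConsentPromptBehaviorAdmin value is treated as "some form of prompt".
# Reading works as a standard user; writing needs an elevated session.

$script:UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    [CmdletBinding()]
    param([string]$PolicyPath = $script:UacPolicyPath)

    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction Stop

    # A missing value means the OS default applies: UAC on, admins are prompted.
    $enableLua   = if ($null -ne $props.EnableLUA) { [int]$props.EnableLUA } else { 1 }
    $adminPrompt = if ($null -ne $props.ConsentPromptBehaviorAdmin) { [int]$props.ConsentPromptBehaviorAdmin } else { -1 }

    $posture = if ($enableLua -eq 0) {
        'UacDisabled'         # every admin process gets the full token; the post says never do this
    } elseif ($adminPrompt -eq 0) {
        'SilentElevation'     # the post's tip: standard-user token by default, privileged ops auto-elevate
    } else {
        'PromptingElevation'  # the default: the user is notified before each privileged operation
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        Posture                    = $posture
        NotifiedOnElevation        = ($posture -eq 'PromptingElevation')
    }
}

function Set-UacSilentElevation {
    # Applies the post's alternative to turning UAC off: keep UAC on (EnableLUA=1)
    # but stop prompting admins in Admin Approval Mode (ConsentPromptBehaviorAdmin=0).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$PolicyPath = $script:UacPolicyPath)

    $current = Get-UacPosture -PolicyPath $PolicyPath
    if ($current.Posture -eq 'UacDisabled') {
        Write-Warning 'UAC is off (EnableLUA=0). Re-enabling it; a reboot is needed for that to take effect.'
    }

    if ($PSCmdlet.ShouldProcess($PolicyPath, 'Set EnableLUA=1 and ConsentPromptBehaviorAdmin=0')) {
        Set-ItemProperty -Path $PolicyPath -Name 'EnableLUA' -Value 1 -Type DWord
        Set-ItemProperty -Path $PolicyPath -Name 'ConsentPromptBehaviorAdmin' -Value 0 -Type DWord
    }
    Get-UacPosture -PolicyPath $PolicyPath
}

# Usage: report the current state, then dry-run the change with -WhatIf.
Get-UacPosture | Format-List
Set-UacSilentElevation -WhatIf
```

The NotifiedOnElevation field in the report makes the trade-off the post describes explicit: in the SilentElevation state apps still start with the standard-user token, but nothing tells you when one of them elevates, so pairing this setting with the auditing the post mentions is what gives you that visibility back.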
Let's all hope that by the time Vista ships, no more security functionality slips out of the system. If anything, that some of this stuff comes back in. Or that a clearer path is available to understand where ISVs can add value without stepping on Microsoft's toes.
Posted by SilverStr at May 2, 2006 12:50 PM