Schneier on Security
A blog covering security and security technology.
« Prince Andrew Screened At Melbourne Airport |
| RFID Car Keys »
October 4, 2005
Windows OneCare is the next-generation pervasive security program that will be part of Microsoft Windows. I know nothing about it. Does anyone have any comments or opinions?
And the current rumor is that Ballmer and Nash are speaking at a Microsoft event in Munich. They're supposedly outlining Microsoft's security roadmap. Anyone have any inside information?
Posted on October 4, 2005 at 2:10 PM
• 48 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
So we're expected to pay Microsoft for software to protect us from security flaws in their software. Doesn't that sound like a protection racket?
And since they bought Gator, I've quit using their anit-spyware product. I wonder if OneCare will ignore Gator spyware as well.
OneCare just seems to be an extension of the existing "Security Center." It includes a firewall, automated backup, and works with your AV to ensure you're running scans on a regular basis. There's not much there to be thrilled about or appalled by at this point.
The main point of the software seems to be to keep the novice user up-to-date on their system security by displaying using the "Get Green, Stay Green" slogan. If you're up-to-date on your backups and scans, plus your firewall is activated, you'll be at the green level. If not, OneCare will bring any problems to your attention and you'll be at either the yellow or red level.
Well the beta is just a dumbed down version of the XP firewall + a quite dumb AV + a lame backup software under a common UI. Nothing exciting.
Microsoft did *not* purchase Claria (makers of Gator) and the MS anti-spyware product was a beta which had a built in expiration date so you wouldn't be able to use it regardless.
And to that last poster, the OneCare does appear to contain the antispyware program as well. This program is based on the Giant antispyware program that MS bought a year or so back.
Looks like the same well-worn path from one-time license to subscription-based services to me...what better thing to pay a subscription for than the thing everyone is already paying for -- security patches, malware filters, and more security patches.
However, this brings us back to last March, when OneCare visions were pre-announced. Even then many commented on the rigor being given to online license "validation" prior to allowing downloads.
hmmm.... I'm living in Munich now. Any idea when the "microsoft event" is? I'll keep my eye out for information on it.
All I know about Microsoft and Munich is that the city's plan to be Microsoft free by 2006 - migrating all 14,000 city-owned PCs to Linux and OpenOffice has hit some major snags and the whole project is in jeopardy...
Seems to me that Microsoft is putting themselves even further behind the 8-ball -> if they're providing a security solution *and* an operating system and the machine gets hacked anyway, it seems (to me anyway) more likely that they'd get hit with a liability suit.
Not if they don't sell it as a separate product, don't claim that you don't need anything else, and can disable it. At worst, it is better than what they currently offer.
BTW, the Microsoft AntiSpyware program was rated very highly in a square off with the other popular ones. I think PC mag predicted they would be a runaway winner in a year.
"They're supposedly outlining Microsoft's security roadmap"
I thought the idea was to make the OS shitty and so broken so eventually the paid off politicians and other officials could all work together to try and "fix" the internet to conform better to a proprietary OS and lock out other OS.
The day humanity begins to IGNORE M$ by REFUSING to publish news and/or advertisements related to said comp. is the day we all take one giant leap forward into innovation and true open source advantages for us all.
The future should be open
TRUST NO CLOSED SOURCE so-called SECURITY SOLUTION
"So we're expected to pay Microsoft for software to protect us from security flaws in their software. Doesn't that sound like a protection racket?"
Yes and no (don't just love those answers).
The problem with MS becoming the main supplier of security software is that they can use OneCare to attempt to detect a security breach instead of issuing an actual fix. They win with this strategy: less OS patches make the product look more secure and more frequent OneCare updates makes them look diligent about security.
The other obvious problem comes MS defining what "spyware" is. Once MS purchases or partners with a company on their "spyware" list, they will most likely try to reclassify it as "safe".
In Microsofts defence, one of their biggest security flaws is their users. People have to be able to install 3rd party software on their systems. Users rarely read warning messages, verify certificates, or consider the source of their downloads (there is slow progress in this area, however). You will always be able to fool some people into installing your virus (sadly, regardly of anti-virus warnings).
Logic and reality clash again... It seems blatantly obvious that software vendors should be liable for their products (like FireStone and their tires, for example), but the laws fall far short in this area. As long as MS doesn't clain perfect security, there's not much you can do legally. One could easily think of all sorts of product examples where this liablility model would be called ridiculous, but somehow we accept it for software.
"In Microsofts defence, one of their biggest security flaws is their users. People have to be able to install 3rd party software on their systems. Users rarely read warning messages, verify certificates, or consider the source of their downloads (there is slow progress in this area, however). You will always be able to fool some people into installing your virus (sadly, regardly of anti-virus warnings)."
Man, if that ain't the truth. I have yet another PC to clean up after the bozo user tried to save a few bucks by clicking on some link on a coupon site. "But I didn't do anything!" Yeah, right. That's why I'm fixing your PC (again) while everyone else's is fine.
"In Microsofts defence, one of their biggest security flaws is their users."
Yeah, that's probably news to them, right? In between throwing chairs at people Balmer must have said "Hey Bill, get a load of the fact that our users do bad things and we haven't put anything in place to stop them...I guess we were wrong about the design, but man were we right about the marketing. Woo hoo! High five! Better get the word -- old versions of Windows are critically flawed. Our dear loyal users will only be able to save themselves from insecure software and irate desktop support engineers through a great new subscription service."
The best thing about the marketing name "Onecare" is the almost French pronunciation used when promoting it ;-)
It sounds like a patch. It almost seems like they don't know /how/ their own OS works, so they patch it with more software and claim better security /in/ the OS. I feel this is an attempt to kill the anti virus / anti spyware vendors similar to when they buried Netscape and many others.
"Current security software makers, including Symantec, have complained bitterly about Microsoft’s upcoming entry into the security software market, although they have said that they will not pursue antitrust litigation against the software maker."
In other news, a pre-eschooler was heard to say he's not planning on prodding any high-school bullies with a stick.
"Although Microsoft is leaving room for the other security software makers, it remains to be seen how much room this will actually be."
At a guess, not much.
Unless the included anti-*-ware tools are truly awfull I suspect noone will want to spend extra money buying a third party app when the same features are already offered in the OS.
For most people, 'close enough' will be 'good enough', especially as it's 'free'.
"In Microsofts defence, one of their biggest security flaws is their users. ... Users rarely read warning messages, verify certificates, or consider the source of their downloads ...
... I have yet another PC to clean up after the bozo user tried to save a few bucks by clicking on some link on a coupon site. "But I didn't do anything!"
Rather than get mad at the "bozo users", try to remember that these people really don't have anything like our (techies') understanding of "how computers work". When they go clicking on unknown links, this is just like babies and toddlers who pick up random stuff from the floor, and "check it out", by *putting it in their mouth*.
This is just one of the reasons why most parents (et al) know better than to leave an infant unsupervised even briefly! The need to constantly supervise and "guard" small children is, a lot of why parents get those gray hairs.... Now, for our kids, we are willing to do that! Applying the same level of supervision to our adult co-workers, seems... well, *excessive*, to both us and them. But that's really what you'd need to keep them from getting in trouble -- so instead, it's usually easier to just keep backups up-to-date, and cleanup the messes as needed.
"In Microsofts defence, one of their biggest security flaws is their users. People have to be able to install 3rd party software on their systems."
Very true. However, a corollary would be:
In Microsoft's defense, one of their biggest security flaws is having to support too many lazy third-party programmers.
Microsoft wanted the default Windows XP user to have "restricted" rights instead of the "administrator" rights they have. The problem is, even though Microsoft for years (since before Windows 2000), had been telling developers that if their applications didn't require admin privileges (and 99% don't), then don't write code that requires the logged in user to have admin privileges.
Unfortunately, the third-party developers were lazy and wrote bad code, resulting in Microsoft having to give the default logged in user administrator privileges or else "break" many "must have" third-party applications.
Running the logged in user as non-admin, solves most of the Windows OS related security problems present today (in Windows Vista, Microsoft has "bitten the bullet" and all user applications run under restricted rights).
The real problem is too many lazy third-party developers are still writing bad code that unneccesarily requires admin privileges.
I've been following the MS desktop security strategy for a couple of years, so here's my take.
1) MS ANTI-SPYWARE IS NOT CURRENTLY INCLUDED IN ONECARE. Spyware has impacted the user experience in a dramatic way. Microsoft wants people to do more with their PCs, but when it takes 10 mins for your PC to boot up and then works extremely slow people will do less. That is why Microsoft bought GIANT, brought the Beta antispyware solution to market so quickly, and has announced that it will be a free download in the future. The antispyware package is NOT currently included in OneCare, though it is expected to be in the future.
2) ONECARE BETA CURRENT FEATURES. Current features in OneCare include a two-way firewall, antivirus, and a system backup utility. The firewall is not a stripped down version of the XP firewall, but a full two-way firewall.
3) MICROSOFT WILL NOT INCLUDE ONECARE WITH THE OS. Microsoft has already announced that it intends to sell OneCare as a subcription. It's not integrated with the security console, as someone posted earlier.
3) MY TAKE ON THE ONECARE STRATEGY. The actual penetration of desktop security products with active subscriptions (key point) in the consumer market is still relatively low. Probably around 50%. My take is that MS is hoping to market a low cost solution to increase this penetration and reduce the negative press associated with security in general. MS wants users to focus on doing more things with their PC, XBox, refrigerator, toaster, alarm clock, home stereo, etc in order to sell more operating systems.
Microsoft needs to make OneCare free. Charging for it is ridiculous. They are the cause of much of the insecurity to begin with.
The press needs to rake them over the coals for this move.
I think this is where security will eventually go; services that have remote control over security aspects of the system. There is no replacement for security awareness, though.
"too many lazy third-party developers are still writing bad code that unneccesarily requires admin privileges"
That's not quite right. Microsoft and third-party companies have literally thousands of very talented and active developers that are prevented from making the right choices. Perhaps "prevent" is a strong word, but just like the discussion on an Airbus engineer, software engineers are typically forced to filter their ideas through management. The decision to produce unsafe software, riddled with bugs that cause large residual costs to the users, comes from the top.
Microsoft, in particular, has had virtually no security values held up by their management for the better part of the last two decades.
In other words, it doesn't matter how active or committed you might be to secure and safe software as an engineer if management demands interoperability (withing the MS suite), ease of use, and functionality regardless of any other issues. OpenBSD is a good example of what happens when an engineer leaves his management behind to start a new company where security was one of the core values.
"The decision to produce unsafe software, riddled with bugs that cause large residual costs to the users, comes from the top."
I agree. I should have stated more clearly that it is not always individual developers, but development companies. So, I amend my previous statement to be:
The real problem is too many lazy third-party software development companies are still creating bad applications that unneccesarily require administrator privileges.
The main point here still being that this is not just a Microsoft problem. Certainly, Microsoft had a hand in it by not "putting their foot down" sooner, but today's security problems stem from third-party development companies that are creating applications that cannot run in a secure environment.
So, even if today you were to secure the Windows OS by running users with restricted rights (which prevents most Windows OS security problems), you will likely find out (as I have) that many of your third-party applications no longer work. That is not a Microsoft problem, even though they end up getting the blame most of the time.
From September 26, 2005
"Microsoft this summer considered purchasing Claria, an adware maker, though executives decided against the move after criticism arose from Claria's past business practices. Claria built a 50-million installation base by bundling its pop-up advertising software with free programs like file-sharing services. Critics maintained many users unwittingly downloaded the advertising software, a charge Claria has disputed."
@too many lazy programmers
"The real problem is too many lazy third-party software development companies are still creating bad applications..."
In my experience, it's not laziness that drives this but rather the fact that quality=effort=$. A company exists to make money. The quality of a product (in this case I'm relating security to quality) is always directly related the profit it can generate... in many cases, higher quality is the major value-added that diferrentiates one product from another (laundary soap A is better than B... even though they are both soap). Thus, it is only good business sense to invest the minimum amount of money that will generate the highest profit.
I think the problem comes back to liability... if you add the threat of legal costs into the equation, business leaders can start to justify spending more money of quality. I never like suggesting increased government oversight, but I do believe software companies need to be held liable for their products.
"Rather than get mad at the (users) ..."
I wasn't complaining about the user, I just wanted to state an observation. I don't expect the average user to understand the intricacies of the system.
So what happens when MS don't recognise your choice of security protection... For example:
I suspect SecondCopy won't be recognised by MS... Does that put me on red (until I disable it)
I also quite like the fact I am protected by multiple-vendors, it means there isn't a single target (vendor) to attack.
Anyway, back to Fedora...
Before addressing the fancy stuff with "added functionality" should they not attend to the basic abysmal nature of MS Windows security?
Who is doing anything about Windows root kit vulnerabilities? I was reliably told that if a normal virus is a bullet then a root kit is your 150MT hydrogen bomb, and that Windoze has almost no defence.
Come on MS, get your house in order before telling us to accept yet more flashy but poorly written bloatware...
The Microsoft OneCare briefing with Steve Balmer and Mike Nash is being held tomorrow (10/6/05) hosted at a Munich Airport Hotel (Hotel Airport Kempinski, Room Ciragan). It will start at 11AM Munich time. It may be limited to press - so depending on attendee background they may have to be creative to get entrance. Anything anyone comes up with on subscription pricing specifics and their plan for distribution/delivery of the product would be very interesting (not delivered in the O/S - so through MSN?).
I should add....
I think this is a good thing for Joe Bloggs. Seeing as Joe has no idea what a firewall/antivirus/backup/antispyware is, this could provide a decent level of protection for the average home user. I would however like the assurance that any program can be `plugged-in' to the software (i.e. McAffee AV, ZA, ...) allowing the slightly more intelligent user to do what she wants.
As for us lot - we'll disable it anyway, right?
I agree with your variation. And if you go with the old adage "you have time/cost/security, now pick two" you might even expect quick turnaround and a good price, given questionable security (quality).
It never ceases to amaze me that Windows development continues to be plagued by a "most-privilege" paradigm.
Some within the Microsoft camp are starting to percolate "least-privilege" wisdom out of the company, but it will take time before the larger MS-centric development community digests this and follows suit. Here's a good example of the new message:
"Browsing the Web and Reading E-mail Safely as an Administrator (Code Secure)"
But the legacy still bites -- just about anyone developing for DOS/Win9x systems had a heck of time accomodating "least privilege" controls in 2000 and beyond because it just wasn't well thought out or practiced by Microsoft themselves. You could count the number of true security practitioners working full-time at Microsoft with one hand a few years ago. It seems they just weren't making any recognizable headway until the chorous of externalized discontent came knocking...
"TRUST NO CLOSED SOURCE so-called SECURITY SOLUTION"
Linux is open source. Do you think it is secure? Does closed source cause Microsoft's security problems? Maybe there is no business need for security...yet.
I believe the question frequently asked is not "Does closed source cause Microsoft's security problems" but rather "Does closed source prevent finding a solution to Microsoft's security problems?"
Similarly, the question "Linux is open source. Do you think it is secure?" is better phrased as "Linux is open source. Can't you see for yourself if it is secure?"
Minor differences, but important.
And finally "Maybe there is no business need for security...yet" would read better as "Maybe there is no business appetite for security...yet". The need is clearly there, but the ability to pass off liability or postpone payments complicates the question of timing.
"Current features in OneCare include a two-way firewall,"
This is trouble. I have observed that most users are unable to make the correct choice when prompted by the firewall. Next thing you know, applications are broken and they don't know why.
Of course... if you have the code, it is easier to break...
(but equally, problems [may] get fixed)
"Current features in OneCare include a two-way firewall,"
"This is trouble."
I agree. I am also a bit surprised that Microsoft seems to now be endorsing outgoing firewalls.
Outoing firewalls provide a false sense of security for most users, since outgoing firewalls can only work if the logged in user is running with restricted privileges. Perhaps part of OneCare will be to enforce that users run with restricted privileges.
However, since most users today run with admin level privileges, any "rogue" application that the outgoing firewall might attempt block, can simple disable the outgoing firewall, modify firewall rules, disable/modify AV, etc. since it has full admin privileges on the computer.
"Outoing firewalls provide a false sense of security for most users, since outgoing firewalls can only work if the logged in user is running with restricted privileges. Perhaps part of OneCare will be to enforce that users run with restricted privileges."
Although I agree with what you are saying technically, I disagree with this line of reasoning from a strategic view. A huge objective of Microsoft's new security initiative is to move users towards least privilege and to help developers understand that they're now supposed to build RBAC-aware software.
In fact, you can blame the security community for one of the loudest voices demanding outgoing firewalls. When MS announced the security center at RSA a couple years ago one of the first things we discussed in the security forums was "What, no outbound filter? Every other host-based firewall worth it's salt gives the OPTION of outbound filters."
Frankly, if you think MS should base which/what security controls are available just based an average users' security awareness, then you're right back into the frying pan of Microsoft pre-2002. I think we have to give MS credit for making the big hurdle beyond that kind of self-defeating logic and taking on the burden of at least attempting to do the "right stuff", although with a somewhat simplified control center. If it works out, this could end up being no less impressive than when they abruptly dumped NetBEUI and went full TCP/IP.
"if you think MS should base which/what security controls are available just based an average users security awareness, then you're right back into the frying pan of Microsoft pre-2002."
How about if MS configured this firewall in a way that protects the average user, but hides the configuration? (In a everything locked down way)
[aside: everything runs on port 80 these days...]
The real advantage of a free (as in GPL) program (as opposed to one where you can only see the source code, not re-compile/redistribute it) is that if something that's really annoying you is broken, /you/ can fix it.
"two-way" is probably misspelled.
It should have been "two-day" for the two days some folks out there would need to come up with another exploit du jour of your favorite internet explorer to execute their untrusted code on your trusty pc.
Additionally, the "two-way" firewall would also need to peek into a bit more than just the packets to disallow illegitimate communication that's wrapped in - say - SSL.
My advice to anyone who's heard/read anything security related from microsoft is verify all of it from security experts elsewhere. I don't quit trust microsoft's competence with anything security related.
I can only hope that Microsoft intends to give this software to all who have Genuine Windows for free, otherwise it smacks of extortion - create a system that the user depends upon, but that contains serious flaws and then sell software to protect the user against those flaws. If it is given away for free then other security vendors will likely scream that they are being competed against unfairly.
To be honest, I make a fairly reasonable living trying to create secure architectures for Windows based networks. Also because Microsoft has made Windows such an easy target, I am able to use my Mac and Linux boxes with little fear (I do have a pair of dedicated firewalls protecting my office environment), but do not need anti-spyware or anti-virus software on non-Windows computers.
The efforts of Google also begin to reduce the threat, by providing a ubiquitious mail service, I no longer depend upon Microsoft Outlook.
The origins of Microsoft insecurity rests in part with the marketing department. The other responsible part is their provision of development tools that did not enforce good security practices on developers, their own and independent ones.
It's sounds Microsoft getting good in the future.
Ha! But how long into the future? Security was what Microsoft said they had in mind in 1993 when they released NT 3.1...in fact, I remember when MS marketing said the big jump in cost to a $300 NT license was justified, versus a DOS license, because NT came with security "bundled" in (protection against viruses, a memory manager, access controls, etc.). Of course we had to upgrade to 3.5 almost instantly because of all the painfully obvious memory leaks and rediculous network vulnerabilities.
Oh well, here we are today, looking at a price tag of over $600 for Windows 2003 (not including client access fees to use the server), which promises to have protection that 2000 lacks, but only if you pay more for a subscription to the fixes on top of the license...it almost seems like MS should drop the price of their software back to the $20-$50 range. Then the subscription would add up to being about the same as the $600 that you were paying for "enhancements" (as opposed to defect resolution) in the first place, no?
Microsoft has had plenty of time (years and years) to recover and revamp their security. They have consulted over and over again with the World's leading All Authoritative Subject Matter Experts. They have time and time again proven themselves incapeable and "partially" interested. They appear more interested in continuing to feed off of their upgrade and subscription strategies than to produce a quality operating system.
Time for the Industry to call a Spade a Spade and stop fearing "The Hand That Feeds Them".
They still have their hands in the pharmacudical industry "o/s platform" market and various other verticle markets, and their bread and butter no longer relies soley on their swiss cheese operating systems that they push out for PC's and Intel servers. (What do we expect from an O/S derived from a half-baked IBM o/s found in the garbage back in the 70's?) Really, people.
Once Macintosh's Tiger comes out for the PC next year, I will never ever advocate for MS again, even though I have dutifully been one of their biggest fans, sticking up for them even in light of all of the madness.
Even the State of Mass. has issued their decision last month (or so) to never use MS again in any Government, State, or Educational facility.
My proverbial "cup" of MS has "runneth over". I hope all of yours, and your decision makers, has, too.
The nickname of OneCare is actually NoOneCares
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.