Security by deniability: impressions of Vista security

Ryan S. at 37signals put it best when it comes to Windows Vista:

"windows in general has been like a confused and slow person.
vista is like a person who lost their meds and is
trying their best to ignore the voices"

There’s a lot of brouhaha out there about how Vista is “the most secure Windows yet”. BFD. That’s a bit like saying that something is “the least disgusting meal Jeffrey Dahmer ever cooked.” Set the bar low enough and you’ll never run short of superlatives with which to describe your newest venture.

Microsoft just doesn’t get it. That never gets more obvious than when you try out Vista. It tries so hard to emulate Linux and falls so short… When you want to install something new, for instance, a confirmation dialog pops up telling you that you’re changing something within the system. Which is good and fine, until you realize that a user whose account sits in the Administrators group (and the account created at installation does) doesn’t have to enter any kind of password to make the confirmation box go away. One click on Continue and the program has full administrative rights.

So, of course, the average Windows user will get used to automatically clicking the OK button or pressing Enter whenever ANY such dialog box appears. In no time we’ll be back to the same old situation where people install stuff on their PC that they don’t know about, because that stupid confirmation dialog comes up every time you so much as open one of the control panels.

It’s the same thing for drivers too. Right now Vista really isn’t usable because signed drivers are largely lacking. (To be precise: only 64-bit Vista refuses to load an unsigned kernel-mode driver; 32-bit Vista warns and loads it, much like XP. And the signature it wants is not a Microsoft blessing per se: either a WHQL signature or the vendor’s own code-signing certificate chaining to a Microsoft cross-certified CA will do.) However, Microsoft in its wisdom provides you with a way around this. Driver signature verification can easily be disabled by interrupting the boot process, pressing the F8 key and choosing “Disable Driver Signature Enforcement”.

So of course this will lead to frustrated users turning off signature verification on drivers because their new whiz-bang hardware doesn’t have signed drivers yet. As a result people will install just as many bad or nefarious drivers on their systems without so much as a peep from Windows, because verification will inevitably be disabled for most people.

That being said, let no one say that this process will not protect anyone! It’ll protect Microsoft. From what? Criticism. How? The usual way.

You see, Microsoft will now be able to say “well we warned you.” All these so-called “security measures”, being so easily circumvented or ignored, are little more than Redmond covering its own ass and providing ITSELF with a way to blame the user for whatever happens to their next-generation OS.

Got Gator installed again? You shouldn’t have hit Enter when you saw that warning box! It doesn’t matter if you see it 30 times a day! System bogged down by Sony-sponsored spyware when you put in one of their “enhanced” CDs? Well, you shouldn’t have disabled driver signing! You did that because you’re running unsupported hardware? Well, it’s your fault for wanting to be so cutting edge!

I have hardware at home that’s years old and for which Windows XP STILL doesn’t have a signed driver. It’s likely that you do too — if you have a non-standard webcam or 54G wireless card, you probably had to click through the “unsigned driver” dialog box when you installed it on your Windows system. One of them in particular is a Netgear 802.11g PCI card that’s been available for almost 3 years now. If 3 years wasn’t enough for Microsoft to verify the manufacturer’s drivers (which work fine, BTW), how long will it take before Microsoft gets off its ass and certifies the drivers for stuff that’s coming out now?

That’s why users will take the shortcut and allow their systems to load uncertified drivers. And that’s why Windows Vista will, to the average user, end up being as bug-ridden and insecure as XP has ever been.

I don’t know if anyone at Microsoft has ever spent four evenings at a friend’s place to clean up a PC bogged down with several layers of spyware and viruses, but let me tell you that it’s long, tedious work. And if Microsoft thinks it has solved the problem, it should think again. That may be true of people running with a “clean” configuration, but the way Redmond designed the OS I can tell you with certainty that a year after Vista is released, the copies with a “clean” configuration will be a minority, because Vista isn’t designed to be terribly usable that way. It’s designed to be legally safe for Microsoft that way. And that’s what really matters to Microsoft. The new feature they’re not telling you about is Vista’s built-in plausible deniability. The old “it’s not our fault” approach.

It’s a well-known truism of usability that if you put one warning in front of a user, that user will take the warning seriously, but that if you put 100 warnings in front of that same user he/she will ignore them all. And that’s where the usability of Vista security fails. And it doesn’t just fail in a theoretical and abstract way — it fails specifically for Vista’s target audience, the novice or light computer user. People like me know not to do certain things, like install a program that some web site sends to our browsers automatically (and frankly we know better than to visit the sort of scummy sites that pull this sort of shit on their users). We know we shouldn’t automatically open email attachments that don’t come from a trusted source (and even if they come from a trusted source we know to scan them first for malware). We know that if we’ve disabled driver signing we should be extra careful about assigning drivers to “unknown” hardware.

The target user for Windows Vista just doesn’t know these things. He visits weird Eastern European porn sites because he received an ad for it in his email. He thinks that CoolWebSearch is pretty neat, and why wouldn’t he want to install that? He’s the guy that will send someone like me an email that says “hey, you know that attachment you told me not to open? well I opened it and my computer doesn’t work too well anymore” (really). He’s the genius who opened the Anna Kournikova Naked email attachment at your office with a speed which lightning itself would envy. He’s the guy who doesn’t pay attention to warning dialog boxes, but will find the F8 startup trick somewhere on the web and enable it right away, not only without thinking of the consequences, but most likely without remembering that he’s even done it, and definitely without telling someone like me about it when he calls to ask me to fix his computer.

And that is where Vista security will undoubtedly fail. There is such a thing as too many warnings, especially when these warnings are dismissed with one motion of one finger. Leave the non-technical user overwhelmed, and soon enough he’ll be ignoring all the warnings.

So what would have been a better approach?

  1. For one thing, you can make the user enter his password before he can dismiss the warning and proceed. That’s what a Linux user must do when effecting certain changes through the GNOME or KDE panel, and it is absolutely a sensible thing to do. It forces the user to stop and think about what he’s doing. (Vista does have this as a policy setting, “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” set to “Prompt for credentials”; it just isn’t the default for the account you get at installation, which is the only one most people will ever use.)
  2. Reduce the number of warnings to those things that can truly mess up your system configuration.
  3. Reengineer the system so that the user has fewer opportunities to truly mess up his system configuration. Vista is supposed to be all new, and this offered some hope that the system might be made more solid and secure. While that’s been done to some extent, it’s clearly not been implemented sufficiently.
  4. Finally, implement an administrator/superuser account SEPARATE FROM THE DEFAULT USER ACCOUNT CREATED AT INSTALLATION. And I’m not talking about that half-assed local Administrator account from XP either, I mean one that’s actually used for something, and (I must repeat myself here) SEPARATE FROM THE DEFAULT USER ACCOUNT CREATED AT INSTALLATION. As it stands now that user account is a member of Administrators from the moment it is created; Vista runs it with a filtered token, which is a step up from XP, but full administrative rights are always one password-free click away. How Microsoft can claim to be in any way “secure” without grasping this easily-understood concept is beyond me. Even Ubuntu, which leaves the root account locked and uses sudo for administrative work, forces the installation user to operate unprivileged until he absolutely needs to assume the administrator identity, and that’s a good deal more than Windows is doing at this time.
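If you want to see where a given Vista box actually stands on the three points above (password-less consent prompt, install-time account in Administrators, driver signing switched off), the script below audits them and can apply the “prompt for credentials” policy from item 1. It is an added example written for this page, not code from the original post or from Microsoft. It assumes Windows Vista or later with PowerShell installed, that it is run from an ordinary, non-elevated console for the audit (so the token check reflects what the user’s programs really get), and an elevated one for `-Fix`; the registry value names, their meanings and the `bcdedit` flag names are the documented ones, the `$findings` list and the `-Fix` switch are this script’s own.

```powershell
param([switch]$Fix)   # -Fix: switch the admin prompt to "prompt for credentials"

# Added audit script for the points made above (not from the original post).
# Assumes Vista or later with PowerShell; run non-elevated for the audit so the
# token-filtering check below reflects what the user's programs actually get.

$findings = @()

# --- 1. UAC prompt policy ---------------------------------------------------
# ConsentPromptBehaviorAdmin: 0 = elevate silently, 1 = prompt for credentials
# on the secure desktop, 2 = prompt for consent on the secure desktop (the Vista
# default, i.e. one click and no password), 3 = credentials, 4 = consent,
# 5 = consent for non-Windows binaries only.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

if ($policy.EnableLUA -ne 1) {
    $findings += 'UAC (EnableLUA) is disabled: no prompt at all.'
}
if (@(1, 3) -notcontains $policy.ConsentPromptBehaviorAdmin) {
    $findings += "Admin elevation prompt is $($policy.ConsentPromptBehaviorAdmin): consent without a password."
}
if ($policy.PromptOnSecureDesktop -ne 1) {
    $findings += 'Prompt is not on the secure desktop: other programs can draw over or drive it.'
}

# --- 2. Is this account an administrator, and is its token filtered? ---------
# whoami /groups lists BUILTIN\Administrators by SID S-1-5-32-544. Under Admin
# Approval Mode the non-elevated token carries it as "Group used for deny only":
# the account IS an admin, programs just run without admin rights until a prompt
# is accepted.
$groups    = whoami /groups
$adminLine = $groups | Where-Object { $_ -match 'S-1-5-32-544' }
if ($adminLine) {
    if ($adminLine -match 'deny only') {
        $findings += 'Account is in Administrators; token is filtered (full rights are one prompt away).'
    } else {
        $findings += 'Account is in Administrators and this process already holds full admin rights.'
    }
} else {
    'Account is a standard user: elevation will ask for an administrator password.'
}

# --- 3. Persistent driver-signing overrides in the boot configuration -------
# The F8 "Disable Driver Signature Enforcement" choice lasts one boot and leaves
# no trace in the BCD store; these flags are the persistent ways to get the
# same effect. bcdedit needs an elevated prompt to read the store.
$bcd = bcdedit /enum '{current}' 2>&1
if ($LASTEXITCODE -ne 0) {
    $findings += 'Could not read the boot configuration; rerun elevated to check driver-signing flags.'
} else {
    foreach ($flag in 'nointegritychecks', 'testsigning') {
        if ($bcd -match "^\s*$flag\s+Yes") {
            $findings += "Boot configuration has '$flag Yes': driver signature enforcement is off on every boot."
        }
    }
    if ($bcd -match 'DDISABLE_INTEGRITY_CHECKS') {
        $findings += 'Boot configuration has loadoptions DDISABLE_INTEGRITY_CHECKS set.'
    }
}

# --- 4. Optional hardening: make the admin prompt ask for a password ---------
# Same effect as the "Prompt for credentials" choice in Local Security Policy.
if ($Fix) {
    Set-ItemProperty -Path $policyKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    'Policy updated. A change to EnableLUA only takes effect after a reboot.'
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it once as the install-time user to see the “in Administrators, token filtered” line that the consent-only prompt hands out, then from an elevated prompt with `-Fix` to require a password. The `-Fix` part only moves the prompt to item 1 of the list; it does nothing about the number of prompts, and since the F8 toggle is per boot and unrecorded, the only reliable way to catch that is to look at the loaded drivers themselves rather than the boot configuration.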

This is what Microsoft could have learned from Linux/UNIX. God knows they’ve had enough time to learn it. But they’ve decided not to implement these changes, which leads me to think that their new “secure” claims are just so much PR hype.

Yup, same sh*t, different day. Frankly it’s not as though Vista really offers ANY compelling reason to switch from XP whatsoever. It’s bigger, requires tons more resources, is more expensive, less mobile, and the EULA is so anti-customer it’s positively atrocious. But Joe Sixpack will be running Vista in a couple of years’ time. A bug-ridden, spyware-runnin’, virus-infested copy of Vista. Because he doesn’t know any better. And Microsoft knows this.
