While the computing industry has been working to tighten up the security of its products amid increasing threats from viruses and hackers, a truly trustworthy infrastructure is still a few years off, Hewlett-Packard’s security head said in an interview this week.
..leap to another platform.
Will these technologies help most Wintel consumers? I wonder how pervasive these hardware solutions will be.
See topic.
Who cares? Empty promises for a vapour product.
lol nice one!
“We need the hardware, operating systems, and applications to all be tightened up and work together to give us true trustworthy computing.”
Pure hypocrisy in my opinion.
Multimedia and software lobbies need all that stuff to control what music people are allowed to listen to, what movies people are allowed to watch, and what software people are allowed to run.
It’s good to know that there are alternatives (Linux, for instance).
I am getting tired of hearing “computer industry”. There is ONE major vendor with gaping security holes so bad that they have scheduled monthly patch updates. Yes, other vendors (and open source) have security issues too, but generally the infrastructure is there. When was the last time that AIX, Solaris, zOS, etc had a vulnerability in cursor images (See this month’s MS patches)? How about “amid increasing threats from viruses and hackers”? Which vendor is constantly under attack from Viruses and Hackers? Yes, all OS’s have some risk, but “the computer industry” is NOT to blame — ONE vendor is responsible for most of the problems.
And to continue my rant — I used the word responsible in the last line of the previous paragraph. If my car, and 10,000 other cars of the same year, make and model, all suddenly broke down, would not we, and various federal agencies, hold the vendor responsible? Why do we not hold Microsoft accountable for the shoddy workmanship of their product, which costs companies millions of dollars in reactive support and downtime?
Whew – I feel better. Thank you.
Software seems to be in a different realm than cars. Basically Microsoft can simply say “Well, you used our product in a way that causes these problems.”
I’m sure they found ways of distancing themselves from any liability of their workmanship. It’s the reward they get for forcing every competitor away and becoming a monopoly.
“Why do we not hold Microsoft accountable for the shoddy workmanship of their product, which costs companies millions of dollars in reactive support and downtime?”
This is because someone, somehow made people believe it is normal behaviour for PC’s to crash and viruses to mutilate your computer.
“And to continue my rant — I used the word responsible in the last line of the previous paragraph. If my car, and 10,000 other cars of the same year, make and model, all suddenly broke down, would not we, and various federal agencies, hold the vendor responsible? Why do we not hold Microsoft accountable for the shoddy workmanship of their product, which costs companies millions of dollars in reactive support and downtime? ”
Because by using their products, you accept their EULA, and they deny all responsibility there.
The best part is all the linux zealots really have to complain about are holes in the IE rendering engine. There are no critical kernel holes, VMM errors, device driver exploits, GUI instability crashes… the issues it does have are just the parts of IE/OE/WMP (and other programs) that use the IE rendering engine. Really all they’re doing is beating a dead-horse that was designed back in 1994 when client side scripting, ActiveX, Java in-line scripting, DHTML, CSS were all introduced at once and features were the focus instead of security.
Sure Firefox is safer now – it was written nearly a decade later and during a time when security matters to most end-users. I wonder what the Linux trolls will complain about when Longhorn ships with a newly coded IE that actually focuses on security? They obviously don’t have any other “security holes” to cite – eh knowing them – they will just make something up.
“And to continue my rant — I used the word responsible in the last line of the previous paragraph. If my car, and 10,000 other cars of the same year, make and model, all suddenly broke down, would not we, and various federal agencies, hold the vendor responsible?”
Because there’s not a group of people dedicated to sticking potatoes up Ford exhaust pipes and instrument obscuring advertisements on Ford dashboards. If there were, the nasty potato people, not Ford, would be blamed and held responsible.
“a truly trustworthy infrastructure is still a few years off”
Yeah, a few-10s-of-years – maybe!
A truly secure system would be one that had the inherent ability to protect itself from clueless users. Otherwise, as long as you can get an end user to do anything you want by promising them nude pics of J-Lo, is there any hope at all?
Not to be a linux zealot, the vulnerabilities from this month include Cursor, Icon, and Help file exploits, and last month included *Wordpad*, LSASS and Kernel exploits. This is NOT just about IE.
I also truly worry about moving IIS into the Kernel, as W2k3 supports. Sure, better performance — but is it worth the risk?
Microsoft made it a problem when it tied IE to the OS. Sorry, it’s not “just an app”, it’s “part of the OS” (their words, not mine…) When an exploit (and there have been) can be used even when IE isn’t running, that’s an OS problem, not an app problem.
It’s not a dead horse if the issue keeps popping up and Microsoft just applies band-aids to a fundamentally flawed structure. So much for dead horses. Funny how a browser with security in mind was made by someone OTHER than Microsoft.
No one HAS to make something up with Microsoft… it’s RIGHT there on their website when you get “security update X for IE”. Sorry, but unless Longhorn completely rewrites the OS with ACTUAL security in mind, we will be revisiting this again and again, until such time as people realize that Microsoft is not going to fix it.
You think IE will still be tied to the OS and cannot be uninstalled with Longhorn? You betcha….
No, I don’t use Linux. I use FreeBSD.
Good point, but I think the “Potato->Exhaust Pipe” analogy is a little off. The exhaust pipe is correctly performing, exactly as it is supposed to. The prankster is exploiting the true purpose of the exhaust pipe.
Few computer exploits occur by exploiting *true* functionality. A buffer overflow, an integer overrun, an off-by-one, a bad string parser, etc are vulnerabilities through bad design, shoddy craftsmanship. There is no loss of functionality when these holes are fixed, so why were they there in the first place?
The real exploit will be when authorities insist on having industry-wide standards that restrict what users can do, just because Microsoft, for a good while now, hasn’t been able to get its act together.
Maybe the reason why it takes so long to chase the cow out of the barn in Redmond is that they need to hammer the code really badly in order to straighten it out.
And I agree: although there are bugs in systems of every ilk, THE reference when it comes to bad security has to be Microsoft. And that’s Microsoft’s fault entirely.
In previous posts you will not find me a supporter of Microsoft but of course I acknowledge their dominance in the market place. Whatever the EULA says: by being the dominant force in the market, they have a de facto responsibility for the quality of their products. I don’t mean to light a flame war, but when you look at last year [what was it? 5,000 viruses?], I’m just not impressed with the quality of their products. Given the vast numbers of Windows users, why don’t you guys just inundate Redmond with letters [the physical kind] to demand better quality?
/not saying anything about the many people who use the system, as long as I don’t have to. You can even have a doggy sniffing its butt when you’re performing a search operation… oh, wait…
[please don’t tell me about the feature that allows you to remove the doggy from the UI].
“You think IE will still be tied to the OS and cannot be uninstalled with Longhorn? You betcha….”
Actually I think, non-windows users will keep repeating this over and over no matter how many people point out to them it’s simply not true.
Dotmatt,
Good point, I hadn’t noticed those patches as they aren’t as widely talked about as the IE ones.
“When an exploit (and there have been) can be used even when IE isn’t running, that’s an OS problem, not an app problem.”
You’ve just elevated any single shared dll exploit to being an “OS problem”. Just because this dll is installed by a bundled Microsoft program doesn’t make it any different than if a 3rd party application installed a buggy dll. It’s still just a buggy dll.
So you predict Longhorn will be secure, eh?
Okay, then, I predict Linux will be a game platform. It will be 100% Windows and OSX compatible and have 0 bugs. That’s right, all the bugs will be fixed by the time Longhorn is secure.
Care to pull any more predictions out of your arse?
You’ve just elevated any single shared dll exploit to being an “OS problem”. Just because this dll is installed by a bundled Microsoft program doesn’t make it any different than if a 3rd party application installed a buggy dll. It’s still just a buggy dll.
And it’s still a security hole put in there by Microsoft, therefore still a problem. What’s your point? Do you have one?
Nobody listens to those PHBs anyways (incl. Gartner, IDC, <insert “pull numbers out of ass for money”>). They just need to be mentioned in the press from time to time or they feel like the world doesn’t give a flying fcsk about them, which it doesn’t.
I could make my own Maltaq Group and predict the following;
* The Sun will continue to rise in 2005
* Apple will have another smash hit with iPod Shuffle and Mac Mini.
* Critical Windows vulnerabilities to surface during Q1-Q4 of 2005.
* Linux will continue to gain traction in small to large sized businesses.
I’m sure most of these will prove to be true, where’s my money?
I wonder how motivated Microsoft really is to fix any security issues at this time. The more security issues they have right now the easier it is to push their trusted computing scheme. Microsoft has a lot to gain by having this trusted security thing go through. They can kill off their competition and make a ton of money from the (non-os)software/music/motion picture industries by locking your computer down.
“And it’s still a security hole put in there by Microsoft, therefore still a problem. What’s your point? Do you have one?”
The point is that it’s not an OS flaw. It’s an application flaw – there is a difference.
Actually I think, non-windows users will keep repeating this over and over no matter how many people point out to them it’s simply not true.
Ok, how do we do it then?
The prob. is most Linux OS users refuse to come off their “I am so leet” mountain top to help former windows users get into linux oss. Then you have MS thinking of ways to keep users from playing illegal media, that is the MS’ security focus. Tying IE into Windows has to be one of the stupidest things I ever heard of. Oh & another thing when a person wants an easier linux OS, they don’t want a windows clone. Why make a windows clone when someone can go get WINDOWS. Like Mac OS X is easier than linux, but it is not linux.
What is the difference? Microsoft says that IE is an integral part of windows. Since they are tied together so tightly, where does one end and the other start?
Mr. Chunky,
IE is said to be integral because it’s basically used as a dll for webfunctionality in other programs by the system and third party programs.
For instance removing the IE rendering engine “breaks” these things:
– IE application plain and simply will not work
– OE will not be able to render HTML email
– WMP will not be able to access webcontent from its GUI nor access the MSN music store
– Windows Explorer will no longer be able to browse URLs typed into it instead of physical drive paths.
– System Help cannot access the web database for help queries
– It will no longer be possible to manually go to the Windows Update website using a web-browser to selectively install patches. (However automatic updates will still work and update your machine in the background)
The rest of the Shell behaves perfectly normally as one would expect.
Nick James,
There are two ways.
One is turning off Windows File protection in group/local policy and then editing registry keys to allow for IE and its Rendering Engine to show up in the Add Remove Programs Menu. I don’t like posting instructions on how to do it this way as invariably people who don’t know about the registry end up mutilating it. So if you’d like to do it this way – use google it will tell you the details.
The second way is to go to http://www.xplite.com and you can pay for a small application which will do all of this for you through a GUI interface. This is what I usually recommend to people who are not familiar with the registry.
There are your ways to do it. One is easy and involves a small amount of money for its ease of use. The other is harder and requires you know what you are doing – and can use google (not asking too much for a poweruser, is it?).
As for what relies on the IE rendering engine, the fact that IE no longer works is obviously intended so removing the IE application at the same time is assumed.
In terms of OE, you can remove this as well and use a mail application that does not rely on IE’s rendering engine to view HTML email. A few programs include the Opera Mail Client, the Mozilla Mail client, and Thunderbird.
WMP will still play embedded files in HTML irrespective of browser used. Additionally http://www.windowsmedia.com is the webportal to the MSN music store etc and is alternative browser friendly so you can still buy music etc – it just won’t be directly through WMP’s GUI.
System Help will search local help files just fine and will display local helpfile just fine. It’s also possible to view the online help files from http://www.microsoft.com through any webbrowser you wish.
Again windows update, is accessible by the windows update service and gives you the options of installing, downloading, ignoring updates as you wish just like manually going to the windows update site in IE did.
If an operating system is secure, it doesn’t mean it’s good, because security is the first presumption that software could in any way be usable. If an operating system isn’t secure, it’s not worth looking at.
So, if Longhorn really (and I mean _really_) is secure, I might look at it, but only if it’s as cheap as the retail Linux boxes (50-150€).
MS claimed in court that it was not possible. so is it either them or you ?
MS claimed it was not possible to remove IE without breaking things, both things in the OS and 3rd party applications.
Moron.
“The best part is all the linux zealots really have to complain about are holes in the IE rendering engine.”
Hardly. Microsoft avidly supports DRM, they leave open lots of opportunities for PCs to transmit marketing data straight to Microsoft, Microsoft thwarts competition and choice in the “free” market, Microsoft does not like open standards, Microsoft relies on poor logic in their marketing rather than competing on merit, Microsoft cheats schools into training students on only Microsoft software, Microsoft has to pay for case studies favoring them, Microsoft uses baiting tactics like shared source and OSS .NET, Microsoft does not engineer and stabilize their APIs for the long term, Microsoft adds features for strategic lock-in purposes, and, yes, IE is a piece of crap.
Yes, other vendors (and open source) have security issues too, but generally the infrastructure is there.
What infrastructure do you think is missing from Windows ?
When was the last time that AIX, Solaris, zOS, etc had a vulnerability in cursor images (See this month’s MS patches)?
No, they get them in things like PDF viewers instead.
And to continue my rant — I used the word responsible in the last line of the previous paragraph. If my car, and 10,000 other cars of the same year, make and model, all suddenly broke down, would not we, and various federal agencies, hold the vendor responsible?
Well, that would depend on whether you and those 10,000 other people had been driving those cars around with every warning light on the dashboard flashing for 6 months (after you let an unqualified mechanic “fix it”) prior to it failing.
I also truly worry about moving IIS into the Kernel, as W2k3 supports. Sure, better performance — but is it worth the risk?
IIS is not in the kernel. Only the *HTTP Listener service* runs in kernel *space*. The bulk of IIS runs in user space.
Microsoft made it a problem when it tied IE to the OS. Sorry, it’s not “just an app”, it’s “part of the OS” (their words, not mine…) When an exploit (and there have been) can be used even when IE isn’t running, that’s an OS problem, not an app problem.
So when there’s an exploit in a Linux library I never use, but some malicious code can use, that’s an OS problem or a problem with the library ?
Sorry, but unless Longhorn completely rewrites the OS with ACTUAL security in mind, we will be revisiting this again and again, until such time as people realize that Microsoft is not going to fix it.
There is no need whatsoever to rewrite for Longhorn. All the security infrastructure is already there and always has been. 90% of the security “problems” in Windows (and any OS) are caused by ignorant end users and poor default settings. The former is unfixable by any OS developer and the latter is not a design issue.