|
|
http://www.theglobeandmail.com/servlet/story/LAC.20060803.TWVISTA03/TPStory/Business
By RAF BRUSILOW
Special to The Globe and Mail
03/08/06
As early test versions of the upcoming Windows Vista operating system make
the rounds on the Internet, Microsoft Corp.'s approach to any potential
new security gaffes is becoming apparent: Once more, with feeling.
Windows Vista will be shipped with an entire suite of defensive software
preinstalled and, among other features, a digital safety net that should
make it nearly impossible for malicious software to gain control of a
computer through a user's own blunders while using the Internet.
Though Vista is still in the cocoon stage and thus months away from
market, the consensus among some computer security analysts and experts
who have tried out the test versions seems to be that, while hopes are
generally high, expectations are low.
"Some of what I've seen [in Vista] is really good, but it's not just about
the idea; it's the execution. The devil is in the details," said Bruce
Schneier, a best-selling computer security author and security consultant.
"My prediction? Vista will be a smashing commercial success, filled with
security vulnerabilities. Microsoft's track record with security is pretty
lousy."
Claudiu Popa, a Toronto-based computer security consultant and chief
executive officer of Informatica Corp., says Vista's current security
features are a positive step but a bit underwhelming.
"I was pleasantly surprised to find that there are some features here that
offer the promise of strong support for the kind of best practices I
preach on a daily basis . . . but the changes are more evolutionary than
revolutionary. Microsoft will not produce a home run with Vista. It will
give the market what it needs today: a more secure version of [Windows]
XP," Mr. Popa said.
Microsoft is pumping Vista full of advanced security features in the hope
that it will be the most secure operating system ever created. It's a
steep goal for a company more accustomed to being the punchline of jokes
about computer security than a pillar of strength, but Microsoft's general
manager of security, Rebecca Norlander, said Microsoft is bending over
backward to ensure Vista succeeds.
"I can tell you Vista is our greatest effort on security to date. We're
not aiming low here -- we want to be the best," Ms. Norlander said.
Derek Wong, head of security products at Microsoft, admitted the pressure
to create something known more for its security victories than failures is
high.
"We know that if five years from now we've done nothing, people will be
unsatisfied, so we've made an incredible investment of both time and
effort into security," Mr. Wong said.
The effort put forth on Vista has been huge but the process hasn't been
without controversy. Encroaching delays, project overruns and rumours of
staff firings and shake-ups have meant that, on the surface at least,
little has changed and many cosmetic features -- for example, on-screen
navigation windows that look and behave like real "glass" -- have been
dropped.
For Paul Thurrott, editor of Windows IT Pro Magazine, security is the only
bright spot in a half-decade-long project dogged by setbacks.
"It's a train wreck. There has never been a software project as mismanaged
as Windows Vista," said Paul Thurrott, editor of Windows IT Pro Magazine.
"[Microsoft] publicly announced it, 'This is going to be the kitchen
sink,' and unfortunately, they did not live up to their promises. Security
is the only aspect of Windows Vista that is dramatically better than what
they originally promised."
Ultimately, perhaps the biggest problem Microsoft will have to solve with
Vista is how to combat human nature, since all the programming in the
world can't prevent a user from clicking "Yes" when a suspicious program
asks to install itself on his or her machine.
Mr. Schneier calls it the phenomenon of the "dancing pigs."
"People are terrible about making security tradeoffs. If you give a naive
user a choice, such as, 'If you want to see the dancing pigs, you could be
compromising your machine,' most users will choose the dancing pigs over
security every time," Mr. Schneier said.
_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org