Windows Vista - worst OS yet?


http://publicaddress.net/default,3836.sm#post3836

The Suicide Note | Jan 10, 2007 10:41

My thought as I started reading the essay
(http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt) by Auckland
University cryptographer Peter Gutman on the "suicide note" implicit in the
content protection layer of Windows Vista was that the utility of computers
was being sacrificed on the altar of content protection.
And, indeed, that's basically what Gutman is saying. Here's his executive
summary:

Windows Vista includes an extensive reworking of core OS elements in order
to provide content protection for so-called "premium content", typically HD
data from Blu-Ray and HD-DVD sources. Providing this protection incurs
considerable costs in terms of system performance, system stability,
technical support overhead, and hardware and software cost. These issues
affect not only users of Vista but the entire PC industry, since the effects
of the protection measures extend to cover all hardware and software that
will ever come into contact with Vista, even if it's not used directly with
Vista (for example hardware in a Macintosh computer or on a Linux server).
This document analyses the cost involved in Vista's content protection, and
the collateral damage that this incurs throughout the computer industry.
He's also saying that the overwhelming focus on locking down "premium"
content has significant implications for security, especially if any PC
component is deemed to have a content leak:

Content-protection "features" like tilt bits also have worrying
denial-of-service (DoS) implications. It's probably a good thing that modern
malware is created by programmers with the commercial interests of the
phishing and spam industries in mind rather than just creating as much havoc
as possible. With the number of easily-accessible grenade pins that Vista's
content protection provides, any piece of malware that decides to pull a few
of them will cause considerable damage. The homeland security implications
of this seem quite serious, since a tiny, easily-hidden piece of malware
would be enough to render a machine unusable, while the very nature of
Vista's content protection would make it almost impossible to determine why
the denial-of-service is occurring. Furthermore, the malware authors, who
are taking advantage of "content-protection" features, would be protected by
the DMCA against any attempts to reverse-engineer or disable the
content-protection "features" that they're abusing.

Even without deliberate abuse by malware, the homeland security implications
of an external agent being empowered to turn off your IT infrastructure in
response to a content leak discovered in some chipset that you
coincidentally happen to be using is a serious concern for potential Vista
users. Non-US governments are already nervous enough about using a
US-supplied operating system without having this remote DoS capability built
into the operating system.

The extent of supplication to content owners is indicated here:

As security researcher Ed Felten quoted from Microsoft documents on his
freedom-to-tinker web site about a year ago
(http://www.freedom-to-tinker.com/?p=882):
"The evidence [of security] must be presented to Hollywood and other content
owners, and they must agree that it provides the required level of security.
Written proof from at least three of the major Hollywood studios is
required".

So if you design a new security system, you can't get it supported in
Windows Vista until well-known computer security experts like Disney, MGM,
and 20th Century Fox give you the go-ahead. It's absolutely astonishing to
find paragraphs like that in what are supposed to be Windows technical
documents, since it gives Hollywood studios veto rights over Windows
security mechanisms.

There's a lot more in the full essay. It's not essential that you understand
all the technical details to get the gist of it, but I'd welcome geekier
readers coming in here with some explanatory comments for non-geeks. I
confess, I find it hard to believe it could be this bad, but Peter Gutman is
a lot smarter than I am.



.

Relevant Pages

  • MTIndia Newsletter - Proactive provisions to protect PHI
    ... on India's Information Security Environment. ... Security orientation of the Indian IT services and ITES-BPO market. ... Protection is through implication and therefore damages ... transcription and information management services to University of Michigan ...
    (sci.med.transcription)
  • Re: Vistas Security Rendered Completely Useless by New Exploit
    ... security conference was an analysis a number ... of the protection mechanisms built into Windows Vista and Windows Server ... presented a number of attacks against Vista's various security features ... impact of 'buffer overflows' ...
    (microsoft.public.windows.vista.general)
  • Re: Vistas Security Rendered Completely Useless by New Exploit
    ... security conference was an analysis a number ... of the protection mechanisms built into Windows Vista and Windows Server ... presented a number of attacks against Vista's various security features ... impact of 'buffer overflows' ...
    (microsoft.public.windows.vista.general)
  • Easy Money
    ... PINs and security codes were offered ... British bank details A fraudster offering to sell 30,000 British credit card ... Protection Act. ... addional powers that he says are needed to prevent breaches of data ...
    (uk.legal)
  • [REVS] Bypassing Client Application Protection Techniques
    ... Get your security news from a reliable source. ... protection programs. ... * Kerio Personal Firewall 4.0 ... And we got actually nothing in the field of client application ...
    (Securiteam)