Windows 7 is less secure out-of-the-box than Vista, despite Redmond's protestations to the contrary, a top security firm has claimed. Trend Micro said that the default configurations of Windows 7 are less secure than Vista's. Raimund Genes, CTO of Trend Micro, said that Windows 7 had sacrificed security for usability - at least …
Don't Listen To The Users
Savvy users are probably perfectly happy with UAC. Indeed when I'm running Kubuntu I'm perfectly happy to provide my password to run administrative tasks. The problem MS have is that too many of their users know cock about computers (even a lot of the ones who claim to be IT literate) and just don't understand what UAC is about.
I don't mind entering my password on Ubuntu when I need to do something I don't normally have privs for, such as loading new software, or when running the Update Manager.
I think the real problem is, as you've suggested, that a lot of computer users out there don't stop to think "Why am I being asked to provide my password" when they're using their computers. If they did stop to think that then maybe there'd be fewer computers out there running in botnets.
Damned if they do, damned if they don't
So let's see... if the OS nags you to death, you complain; if it doesn't, you complain that it is "insecure". If the OS tells you that you don't have an antivirus (which you should already know, since it's YOUR fscking computer) you complain; if the OS assumes that you're a grown-up man now and you do know what you have and what you don't have, then you complain!
How about learning how to use a computer and looking after your own stuff?
And lopping off
...the tits and supergluing a knob on?
To answer your points...
1/ If the OS nag you to death, you complain - Yes I do. I don't want my OS to nag me. I want it to sit there and do as it is told. Nothing more. I don't want it to tell me the network cable is unplugged or that I have some unused icons, or the zillion other stupid little bubbles and boxes that Windows insists on popping up all the time.
2/ if it doesn't, you complain that is "insecure" - Why does nagging equate to "secure"? Two completely different things. I would like my OS to be secure WITHOUT nagging me. Not much to ask.
3/ If the OS tell you that you don't have an antivirus ... you complain - I would like a computer that doesn't NEED an anti-virus program. Oh silly me - I have one! It's called BSD :-)
4/ if the Os assume that you're a grown up man now and you do know what you have and what you don't have, then you complain! - No MS Windows version has ever reached this stage. Ever! It would be great if it did.
5/ How about learning how to use a computer and looking after your own stuff? I have done, and I do.
No the problem is...
...that the first user account created on Windows Vista or 7 is an Administrator account, so UAC is merely a nag screen in that context. You don't have to enter any password, so the danger is users that just click OK to everything regardless of what the prompt is for. They then become conditioned to just clicking OK to make it go away, and that's where you get the problems.
Instead Win Vista and 7 should create 2 accounts, the user account and the manager account. I am not sure how you could explain this to a typical end user though. For me on Win7, I was running as Admin, but have since added a separate user for doing admin and I run my account as a limited user, so now UAC prompts for the Admin user's password to do stuff. That might emphasise the difference... *hahahahahahahahahaha* yeah I know, straws and clutching!
No need to create a separate limited account in WIN 7. If the UAC is enabled it will automatically strip out admin privileges when you go online. Firefox users can have visual confirmation of their account status by installing the ISADMIN extension.
Haven't used Vista so can't comment on the relative default security levels between it and WIN 7, but coming from XP to 7 provides a major improvement in default security behaviour. No need to install "Drop My Rights" or create a separate limited account.
And yes, the UAC still nags me when I run CCleaner, but when it comes to a trade-off between convenience and security it is "no-contest."
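The comments above disagree about what the first Windows 7 account actually is and what UAC asks of it. The script below is an added example, not from any commenter; it reads the documented UAC policy values and reports whether the current account is an Administrator running in Admin Approval Mode (consent click only) or a limited user (credential prompt). It assumes .NET's WindowsIdentity.Groups still lists the Administrators group in a UAC-filtered token, and the hashtable of prompt-behaviour labels is the author's own mapping of the documented values.

```powershell
# Added example (not from the thread): report how UAC is configured and what
# kind of account this is. Read-only unless -Harden is given.
param([switch]$Harden)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# Documented ConsentPromptBehaviorAdmin values (author's own label mapping).
$adminBehaviour = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
# Assumption: if the value is absent, treat it as the documented default (5).
$cpba = if ($null -ne $policy.ConsentPromptBehaviorAdmin) { [int]$policy.ConsentPromptBehaviorAdmin } else { 5 }

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# BUILTIN\Administrators is S-1-5-32-544. With UAC on, an admin's unelevated
# "filtered" token still carries the group (flagged deny-only), and .NET's
# Groups collection includes deny-only entries (assumption relied on here),
# so this reveals the account type regardless of elevation.
$inAdmins = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
# IsInRole consults the effective token, so it is true only when elevated.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$report = New-Object PSObject -Property @{
    User                   = $identity.Name
    MemberOfAdministrators = $inAdmins
    ProcessElevated        = $elevated
    UacEnabled             = ($policy.EnableLUA -eq 1)
    AdminPromptBehaviour   = $adminBehaviour[$cpba]
    SecureDesktop          = ($policy.PromptOnSecureDesktop -eq 1)
}
$report | Format-List

# The situation the thread describes: an Administrator account where UAC
# asks for a click (consent), never a password.
if ($inAdmins -and $policy.EnableLUA -eq 1 -and $cpba -ne 1 -and $cpba -ne 3) {
    Write-Warning 'Admin Approval Mode account: elevation needs only a click, not a password.'
}

if ($Harden) {
    # Same as the policy "Behavior of the elevation prompt for administrators in
    # Admin Approval Mode: Prompt for credentials on the secure desktop".
    # Writing HKLM needs an elevated shell.
    Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}
```

Running it from an unelevated prompt on a first-created Windows 7 account shows MemberOfAdministrators true and ProcessElevated false, which is exactly the "nag screen without a password" case the comment describes.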
Troll or tard?
Pardon me, but imho the reason you provide your pass in (K)Ubuntu is that, being a distro for the (m)asses, they didn't feel comfy letting you have the root acc (Windows is a textbook case on not giving the (l)users the root/admin acc...).
Now, on a "Real Men TM" OS/Distro, you will be given the root/admin acc, because the people that made it have trust in you. They trust that if you ARE using the root/admin acc you have a (DAMN GOOD) reason to do it.
UAC or any other NannySecurityTM always leads to FAIL. Real security education is what you need, but no one preaches that because it's not worth $$$.
And small wonder, Trend doesn't like that W7 isn't pushing the worthless AV sales. +1 M$, maybe one of these days (l)users will wake up and realize they can be safe wo/ using that cr@pware IF they practice "Safe HEX".
Beer, because it's a better use for cash than buying AV cr@pware...
A horse is a horse, of course of course
Why shouldn't we believe an anti-virus maker when they tell us our computers aren't secure?
Genes must be using a different Win7 to me because all the copies I've installed have warned me about lack of a-v immediately and I've used 3 different editions. Personally I think Vista's ton of confirmation dialogs that encourage users to just click ok without reading even more than they do already is less secure than a more focused UAC that might cause them to read before they click. But the icing on the cake is Genes saying having a virtual copy of XP in Win7 Home would make it more secure. When everyone else in the industry says the opposite you've got to think he's talking nonsense before you consider the facts and come to the same conclusion.
Didn't have that problem . . .
I just performed two Windows 7 installations, and both instances warned me about lack of firewall, antivirus, and having Windows Updates turned off until I either rectified the issue or explicitly disabled the warning.
It does warn...
I didn't notice this on my core machine when I upgraded it a couple of months ago, as the first thing I did was install AV and tweak some of the security settings. However, on Tuesday I just blew away the wife's old notebook and put 7 Pro on it. (She now has a shiny MacBook Pro 15" btw, a truly incredible machine... running Win 7 in a VM on top of 10.6 it gets a better framerate in DDO than my 8800GT, though it does take a bit longer to load maps and high-detail graphics.)
I did not install AV immediately on this machine as I had the wrong (older) version in my network share and did not have the new version shared out from a different folder it was recently downloaded to. I was pestered after every reboot to install an AV client. When I finally RDP'd to the other machine and shared up the files, and installed AV, within a minute or two it prompted about out-of-date definitions.
Win 7 absolutely pesters about the lack of AV in its default state.
A Cloud is Not a Physical Entity
>>"The focus for security firms has been protecting desktops or servers, but this needs to shift to providing security for the cloud, where sensitive information such as credit card records will be held. Using encryption to establish shielded containers for sensitive data and improving the security and back-up of cloud computing systems needs to be improved so that we can have safe cloud computing," Genes explained.
Genes doesn't seem to understand what cloud computing is or isn't. Take away the buzzwords and all you are saying is you need to secure the network. A cloud is just a squiggly line on a network topology map. It's still workstations talking to servers; you've just increased the distance between them. Instead of having a few hundred meters of semi-trusted CAT5 cable in your building you now have several thousand miles of untrusted network of questionable basis: maybe satellite, maybe fiber, maybe wireless, maybe an undersea cable the Russians/Chinese/Americans are tapping. You have no idea how exposed your data is. The only way to do trustworthy cloud computing is to encrypt everything where it leaves your premises and not decrypt it until it returns. Of course this also means they can never provide processing, only storage.
You can never trust the cloud provider; they are competing on price and will deliver the least security they can possibly get away with. Out of your hands means out of your control means assume the worst. E.g. all the credit card processors who have been hacked recently despite their "secure" assertions and standards. They are "the cloud" for everyone with a POS terminal.
You get what you pay for. If the cloud offers to do it cheaper than in-house it's not because they have economy of scale, it's because they are willing to cut corners. They have a staff to pay too, but they don't have some other profit center to offset the IT department.
UAC is not the same as sudo. Sudo requires you to stop with the clickey-clickey and enter your password. Even the dumbest and laziest user will notice that happening and be forced to stop for a second and make a deliberate action to actually enter their password. The real dumb and lazy users will just think F that and hit cancel.
UAC otoh, just perpetuates the usual Pavlovian Windows user behaviour of going click-click-click until all the "annoying boxes" go away.
It's just Redmond's way of deflecting the responsibility for all the world's Windows infections away from their own terrible security model and onto their idiot users.
Nagging isn't security
Some of us don't consider nagging three extra times before renaming a file to actually be better security. It's just the ILLUSION of better security, and Top Security Firm seems to have been hypnotized into believing the illusion.
It also doesn't add to security to nag people so incessantly that they get into the habit of reflexively answering "Yes" to every prompt just so they can get things done. I wonder if this report took that into account?
... Not that I have any love for Windows 7. I just dislike it fractionally less than I dislike Vista.
Let me get this straight...
The article is suggesting that Microsoft include a sandboxed version of XP with every copy of Windows 7 to provide extra security. Isn't the newer version of Windows expected to be more secure than the older version, not less?
re: No the problem is..
sudo is a really easy concept.
They can explain it to Mac users and most people find Mac easier to use than Windows.
The whole idea of sudo is to encourage people to only use elevated privs when they need them, rather than running as root.
btw you *can* still get a root terminal with "sudo -s", but that's not something that joe and jane sixpack need to do.
Security vs usability...
...Are not supposed to be opposite concepts. Yet as far as this debate goes, they seem to be. Few comments:
1) A computer is never connected to external media or the Internet (a gaming computer I used basically fulfilled this function - ok, it used a CD drive to install the games, but that's yer lot.) Yet Windows will mark it as "insecure" if it doesn't have security software installed. That immediately suggests to me that what UAC says is "secure" or "insecure", and what actually is the case, don't always match up.
2) The choice of programs my current (Vista) box marks as "insecure" seem to be practically random - for example I use some poker clients, some of which need UAC every time they're used (why do they need this and why can't I turn it off for those programs only?) and some don't. Whether or not this is fixed in Windows 7, I don't know, but I feel safe in calling it a bug, not a feature.
3) I agree with everyone who's said that nagware does not provide security, although it seems such an obvious point that it's almost unworthy of comment. (Of course, MS seem to have missed it with their last OS.)
4) The default user account shouldn't be an administrator one. Whether or not this is fixed in Windows 7 I don't know, but it wasn't in Vista.
5) To most users a computer is a tool. This simple fact seems to get two extreme and opposite reactions - one from people who insist that computer users be technically-minded to a ridiculous degree, the other from people who insist that no technical knowledge about how a computer works should be required to simply operate one. I'd advocate a middle ground - seriously, it's not that hard to understand the concept of an administrator account versus a basic user account, provided that what you can do in those accounts is made clear. Unfortunately that's rarely the case.
(For example, how is it that when I install a program on Windows Vista, regardless of the user account I'm using at the time, it doesn't ask me which user accounts I want to have access to the program? The "default" option of "this account only" would be enough for most users but people who want a more customized computer could choose a different one. From a usability point of view it's not hard, so what's the technical barrier to this happening?)
I'm interested by the point made by one commentator that most users are "happy with" UAC. I count myself as reasonably tech-savvy but not expert, and to my fairly uneducated eyes it simply doesn't do what it's supposed to do. It nags me about programs that it shouldn't (and doesn't give me the option to stop it from doing so), fails to give explicit details about what the programs in question are requesting, and on a few occasions has failed to pick up things that I thought it should have picked up easily. I imagine other users have encountered the same issues. The only people I can imagine being "happy" with it are the ones who've turned it off, in which case their computers are inherently less secure; and while this is unlikely to affect any of them directly, I doubt the ones who've been infected or hacked would be too happy about the situation either.
Why can't MS copy...
...the Apple OS X security model? They copy everything else from Cupertino after all.
No nagging in OS X. You can rename files, delete files and move files without being nagged to death. That's assuming you have privileges to do such things on the particular file, otherwise you enter a valid user name and password.
Software can't 'self install' in OS X. System settings can't be changed without user consent. The user has to, at the very least, physically use an input device to do something - e.g. copy the application to a drive (for drag and drop install) or enter a username and password for something that runs an installer. Even then you're advised this is a new 'thing' that has been 'downloaded' that is being 'opened for the first time' and asked if you wish to proceed. That's the only nag, to make sure you mean to do what you're about to do.
I've been running OS X for as long as it has been around, have run anti-malware software regularly (it's better to be safe than sorry) and have yet to find anything that can actually infect OS X. I've found the odd bit of nefarious Windowsesque crap from my occasional file sharing forays, but nothing - NOTHING - that's nasty for OS X.
BTW, almost no one needs to be logged in as root and those who do will mostly do so very rarely and for very specific reasons.
And thankfully, OS X doesn't bombard me with bubbles telling me I have hidden icons, or that I'm disconnected from the network (even though I'm still connected), or asks if I want to take a tour of Windows - NO for the MILLIONTH F**KING TIME - NO!! - and God knows what other useless info I couldn't care diddly-squat about!
Perhaps MS could add the option to those annoying bubbles "Don't call me, I'll call you" so I'll never ever see them again. Now THAT would be useful.
Oh, and if Windows could remember my damn clipboard settings. And store my quick-launch bar, desktop picture, printer profiles and screen resolution settings to follow me around, instead of having to waste 10 minutes every other day recreating them. Oh god, and why Windows assumes I'd rather look at jagged fonts instead of smoothed out ones is totally crazy. Urgh!
And where did Apple nick the ideas from?
The OS X roots are in BSD/Unix. Don't pretend that Apple had all the good security ideas for themselves.
But yes, Windows nagging basically compels users to click-click-click until things go away. So I disagree with the whole thrust of the guy's argument: in terms of UAC, Vista and 7 are about as secure as each other for the average user (who is perhaps surprisingly tech-illiterate). The main difference is there are fewer clicks in 7 to make the annoying boxes go away.
OS X's BSD/Unix roots
"The OS X roots are in BSD/Unix. Don't pretend that Apple had all the good security ideas for themselves."
No one is saying that. OTOH, building on BSD/Unix is a pretty good start.
Amazing, really. NeXT/Apple has shown that it is much easier to make Unix user-friendly than it is to make Windows secure.
I'd like to add my 2p to that - indeed -
I DO get a bit fed up of hearing how fantastic OS-X's security is. While not necessarily wrong, it does completely ignore the fact that 99% of OS-X's security comes from its BSD roots. All Apple have done is add a new file system (which is far from perfect) and a GUI (which for reasons that completely escape me, seems to be held up as a shining beacon of how to write a GUI - I have used my Mac now for about the last 5 or 6 years and I HATE the GUI - it's awful, but I digress). If anything OS-X is less secure than any of the mainstream BSDs; again, something that seems to get forgotten or ignored. For example, the standard firewall on OS-X is less configurable than (say) OpenBSD's pf.
And in other news
a sack of rice fell over in the northern Chinese province of Henan. According to witnesses, no one has been hurt.
Chicken and egg problem
Maybe if not so many programs "needed" admin rights to run, then MS could make the default user account a regular user. Of course it's them who encouraged that kind of thing in the first place.
Maybe some future Windows could automatically virtualise all apps which do privileged system calls unless specifically configured otherwise, so really running things as root takes more work (or at least a sudo-like command), I don't know. I guess that may be asking too much.
UAC was never the problem
The real issue with the UAC nagging wasn't UAC – it was the fact that Windows programmers were incompetent and/or complacent. They'd gotten used to the idea of programming for an all-permissive environment (everyone is an admin, right?) and completely blanked when they were suddenly forced to program for a limited-mode environment.
Well-sorted programs never unduly triggered UAC; crap programs made by idiots did.
In some ways, it's no different than the move from Win95/98 to Win2k, when suddenly programs started to die horribly (most notably games, giving rise to the "Win2k can't run games" myth) because those programs used various no-no ways of doing things that Win2k wouldn't allow. Just like UAC, it was a great way to weed out useless apps… also, Win2k was truly win for gaming ;D
Re: Nagging isn't security
Nagging isn't security
Nagging isn't security
Nagging isn't security
Vista nagged incessantly, to the point that clicking UAC dialogs became the primary activity for anyone doing something more technically sophisticated than leeching porn while staring slack-jawed at their browser and sharing the lulz on their favorite social misfit client. It became worse than useless; it became dangerously meaningless. But hey, the consultancy that wrote this yawnfest in their parallel universe uninhabited by humans exhibiting, you know, human nature, got their press release into El Reg. It's not hard, I hear.
The fact that Vista and W7 still need root access to do certain things is a more pertinent issue, but not really the point of the article.
So let me get this straight - the default settings for Vista are to hide file extensions, and it then /nags/ you about this as a security issue?! Why don't they just NOT hide extensions by default? It's the most retarded "feature" in there anyway.
Extension hiding - microsofts contribution to virus writers
Hiding extensions by default is a stupid idea. A file with no extension and an application's thumbnail won't tell me if I'm looking at a JPG, GIF, TIFF, BMP etc. Not to mention the .JPG.EXE-type viruses.
Even with hidden file extensions it's bloody obvious that a file is an executable even when named *.jpg.exe, as it shows up as an application, not a picture; and it's only common file extensions which are hidden by default, so if they're hidden and you can see the .jpg extension, you know it's not a .jpg.
I hope none of you work in IT.
This is a non-article anyway; the fact it's a quote from Trend should have set off alarm bells before the utter bilge that Genes started spewing, all of which is incorrect.
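The exchange above turns on Explorer's "hide extensions for known file types" setting and the photo.jpg.exe naming trick it enables. The script below is an added example, not from any commenter: it reads the per-user HideFileExt value, can switch it off, and lists files in a folder whose name pairs a harmless-looking inner extension with an executable outer one. The Downloads default path and the two extension lists are the author's assumptions, not anything Windows defines.

```powershell
# Added example (not from the thread): check the extension-hiding setting and
# find double-extension files of the kind the comments describe.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",   # assumed default location
    [switch]$ShowExtensions
)

$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide   = (Get-ItemProperty -Path $advKey).HideFileExt    # 1 = hidden (Windows default)
if ($hide -eq 1) {
    Write-Warning 'Explorer hides known extensions: "photo.jpg.exe" is shown as "photo.jpg".'
    if ($ShowExtensions) {
        # Same switch as Folder Options > "Hide extensions for known file types".
        # Explorer applies it after it restarts (or after log-off/log-on).
        Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord
    }
}

# Author's lists: extensions Windows will run, and "decoy" extensions a user
# expects to be harmless. An .exe can carry a picture-style icon resource, so
# the icon alone is not a reliable tell.
$execExt  = '.exe','.scr','.com','.pif','.bat','.cmd','.vbs','.js','.wsf','.hta'
$decoyExt = '.jpg','.jpeg','.gif','.png','.bmp','.tif','.tiff','.pdf','.doc','.txt','.mp3'

function Find-DoubleExtension {
    param([string]$Root)
    # PSIsContainer filter instead of -File so this also works on PowerShell 2.0.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $lower = $_.Name.ToLower()
            $outer = [IO.Path]::GetExtension($lower)                    # what actually runs
            $inner = [IO.Path]::GetExtension([IO.Path]::GetFileNameWithoutExtension($lower))
            if ($execExt -contains $outer -and $decoyExt -contains $inner) {
                New-Object PSObject -Property @{
                    DisplayedAs = [IO.Path]::GetFileNameWithoutExtension($_.Name)  # Explorer view
                    RealName    = $_.Name
                    FullPath    = $_.FullName
                }
            }
        }
}

Find-DoubleExtension -Root $Path | Format-Table DisplayedAs, RealName, FullPath -AutoSize
```

The DisplayedAs column is what a user with the default setting sees in Explorer, which is the whole point of the naming trick.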