Make it less secure so we can sell products


Alan Simpson

Be interesting to see if Symantec tries to make an issue of this in court.

http://www.vnunet.com/vnunet/news/2162150/symantec-cries-foul-vista

In essence they're trying to say that you have to make it less secure to
make it more secure. The argument that independent driver signing, which
simply enforces accountability and nonrepudiation, somehow stifles
innovation seems weak to me. And "...claimed that it is possible to
circumvent the security features." neglects to mention that this was found
in a beta, which means it might not exist at all in the finished product.
 
Alan Simpson said:
Be interesting to see if Symantec tries to make an issue of this in court.

http://www.vnunet.com/vnunet/news/2162150/symantec-cries-foul-vista

In essence they're trying to say that you have to make it less secure to
make it more secure. The argument that independent driver signing, which
simply enforces accountability and nonrepudiation, somehow stifles
innovation seems weak to me. And "...claimed that it is possible to
circumvent the security features." neglects to mention that this was found
in a beta, which means it might not exist at all in the finished product.

Perhaps the real issue is Symantec will have to hire proper coders to write
proper software and this will cut into their profit...
 
LOL. Lawyers like to say that behind every lawsuit there's a reason and an
excuse. The "excuse" here is "it'll be less secure in the long run" (not
likely). The reasons are probably two: 1) We'll sell less product and 2)
We'll be accountable for the products we do sell ;-)

I like it when I'm burning a DVD and the time remaining estimate switches
from "6 minutes 24 seconds" to "23 days, 19 hours". I saw that one a few
times.
 
I was talking about this on my radio show a couple weeks ago.

I do think that the "security utility" companies, like Symantec, etc. will
make a big deal out of how much business they will lose because Windows is
being built more secure than before. Why buy their software if it's no
longer needed?

So, there are 2 choices for the people who like to bash Windows:

Complain because the OS itself isn't secure enough. *OR* Complain because
their Norton Internet Security won't run on Vista.

You KNOW they will pick whichever comes about, simply because they have to
have SOMETHING to point at MS or they aren't happy.
 
Ooops ... you mean Symantec's rootkits will no longer work in Vista? I think
that is rather grand.
 
Symantec speaks about innovation limits??? Norton security and NAV are
the worst-performing products I have seen. It's a joke.

Alan Simpson wrote:
 
Symantec (despite their generally awful products) have got a point, in that
the majority of system-level tools won't work on Vista, signed or no.

As for driver signing, I fail to see what use this is. The majority of buggy
drivers come from major vendors like Lexmark. These will of course be signed
anyway. Is the bluescreen less annoying when it comes from a signed driver?
Or not?
 
Getting a WHQL certificate and signing a driver never ensured the quality of
your software. To do that, every driver would have to be tested on every
possible hardware configuration and software configuration. That is
virtually impossible. What does signing do then if it does not guarantee
that the driver you are about to install will work on the system in which you are
installing it? Simple. The signature tells the installer that this driver
was built by Whomever, Inc. and here's the certificate to prove it. Signing
provides trust and authenticity, not quality.
 
Drivers act as part of the operating system. They can do pretty much
anything they want.

Enforcing driver signing makes it near impossible for a large chunk of
malicious software developers to create a malicious driver, since they won't
have the resources to get their driver signed.

Also, I believe that the driver signing process does some stability
checks... of course, that doesn't make them bug proof.

- JB

Vista Support FAQ
http://www.jimmah.com/vista/
 
Bug-proof? No. Work properly? No. Ability of tracing a bad driver back
to its source quickly and easily? There's the beauty of it!
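
The point made in the last few posts, that a signature names the publisher rather than vouching for quality, can be checked on a live system. The following is an added example, not code from any poster in this thread; it assumes Windows PowerShell 5.1 or later, where `Get-AuthenticodeSignature` also resolves catalog signatures.

```powershell
# Added example: list kernel driver files and the publisher each signature names.
# Assumption: PowerShell 5.1+, so the SignatureType property is available.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' -File |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate   # $null when the file carries no signature
        [pscustomobject]@{
            Driver    = $_.Name
            Status    = $sig.Status
            Type      = $sig.SignatureType
            Publisher = if ($cert) { $cert.Subject } else { '<none>' }
            Issuer    = if ($cert) { $cert.Issuer }  else { '<none>' }
        }
    }

# Anything not 'Valid' is unsigned, modified after signing, or chains to a
# root this machine does not trust. These are the files to look at first.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Driver, Status, Type, Publisher -AutoSize

# Group the valid drivers by publisher: this is the accountability trail,
# i.e. which organisation put its name on each driver on the box.
$report | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Publisher |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize -Wrap
```

A `Valid` status here reflects user-mode Authenticode trust on this machine; it says who signed the file and that it is unmodified, not that the driver is stable or that the kernel's own signing policy would load it.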
 
Nearly every one of us in the driver development community do not squawk
about having to sign our drivers. The only complaint we have had with Vista
was when 64 bit signing was announced, only Verisign, the single most
expensive source for an Authenticode certificate, was the only CA that could
be used. That, however, has changed with other CAs now acceptable.
 
I wanted to stay out of the Driver Signing convo because, TBH, I don't know
much about it...BUT

I DO know that there are benefits to it from the point made by Mark. *I* (I
don't know about the rest of you) want to know who is making the driver I
just downloaded from whatever source. (and there are a LOT of them) When
you depend on sources like windrivers.com or what-have-you to find a driver
for an obscure piece of hw because you haven't been able to find the
manufacturer's website, it's nice to know that someone has paid attention
enough to realize the need for security of SOME type.
 