Boning Two Kurds With One Still

Windows Vista and Personal/Social Responsibility

In case there are any Kurdish people reading this, the title is a phonemagram. It has nothing to do with Kurds or Kurdistan.

I haven't been exactly faithful in keeping my blog up to date lately. I have been busy. Very busy. However, as I have no idea if anyone reads this blog, and no indication that anyone does, I suppose it doesn't really matter. At any rate, there has been little I could do about it, because I have been busy.

Along with the usual herculean work load, I have been getting Windows Vista installed and configured on my machine here at home. It took awhile. Three or four weekends, as I recall. My first attempt involved upgrading from my previous XP Professional operating system. While educational, I eventually realized that recovering from the upgrade would take longer than a clean install of the operating sytem and a reinstall of all the software. So, last weekend, that is what I did. Now everything is beautiful, and I feel much better.

Don't get me wrong; most users are not going to have the difficulty that I had. I am a software developer, and the hardware and software that I require are somewhat outside the bell curve, as far as hardware and software are concerned, particularly with regards to the software. In face, most users aren't likely to be installing the Vista operating system for themselves, and are really not likely to be able to, much less to install software on it, at least for the time being. And there are good reasons for this, having to do with security and support cost.

The chief security improvements in Windows Vista (at least those that are the most visible) fall into 3 categories: User Access Control, Windows Defender, and Service Hardening.

User Access Control.

This, along with Windows Defender, are the chief reasons why most users will no longer be able to successfully add and use new software, at least in many cases, at least for awhile (until current software becomes obsolete). And this is a (mostly) good thing. For one thing, it speaks to the "support" issue I mentioned earlier. Please allow me to elaborate.

For many years, computer operating systems have evolved much like automobiles. Like early automobiles, the inner workings of the "engine" have been fairly simple and exposed, enabling the owner of the computer (or the car) to tinker rather easily. This was both, for automobiles and computers, an advantage and a disadvantage. On the plus side, one could easily save money by doing one's own "tune-ups," minor repairs, and adding accessories, without knowing too much about what one was doing. On the minus side, one could easily get into trouble with regards to the changes that one made, if one didn't know what one was doing.

Like automobiles, computers have become more sophisticated as time has gone by. Automobiles have abandoned things like spark plugs and distributors in favor of electronic ignition, and have had computers in them for various reasons, including aiding in maintenance. Computers have evolved even more, and more dangerously, with the advent of the Internet and distributed computing.

Unlike automobiles, computers are in a much less secure environment than they used to be. But like automobiles, the inner workings of computers are increasingly complex and difficult to get into, and in both cases, chiefly for the purpose of disabling the user's ability to damage the machine by tinkering with it.

Unlike automobiles, computer users do not require a license to operate one, even though, like automobiles, computer users now "drive" on "public roads," like the "Information SuperHighway" (an older term that was coined for the Internet). I have often joked that users should be required to have a minimum of understanding about computers and obtain a license by passing a fairly simple test in order to operate one. While I disdain the idea of government interference on the Internet (or almost anywhere else for that matter), the public nature of the Internet makes the idea less offensive to me, although I would still not advocate such. The day that the governments get involved in the Internet is the last day of freedom on earth. Governments are never satisfied with a little control; they thirst for absolute control. While government is a necessary evil, it is both necessary, and evil. But that is a topic for another discussion.

We are left with a dilemma. Computer users are increasingly dangerous to one another when they interact via the Internet. The world is not a nice place; it is full of evil-doers. Hackers and other socially-irresponsible people fill the Internet with SPAM, malware, viruses, trojan horses, network attacks, and the like. The average user is not only ignorant about what to do with regards to such evil; the average user is willfully ignorant about such things. "I don't want to know how it works; I just want it to do what I want it to do" is the slogan of the day.

People are willfully ignorant of the stupidity of computers. The old saying "Garbage in, Garbage out" (GIGO) remains, even though most people are dazzled by what they perceive as the intelligence of computers and software. It is the fact that computers can perform a huge number of instructions in a blazingly short amount of time, and the hiding of the inner mechanisms of this, which has led to the impression, along with the natural laziness inherent in the human psyche.

Therefore, people expect their computers to protect them, rather than the other way around. Perhaps it is the influence of creeping socialism that has led to this impression. Socialism has always relied on the inherent laziness of people to enable the empowerment of larger, more Machiavellian government. But that again, is a topic for another discussion.

In any case, software vendors such as Microsoft, are left to wrestle with the dilemma. To remain competitive, they must create software that satisfies the desire of users to be able to accomplish more, while protecting them from themselves. To keep support cost down, they must make it increasingly difficult for users to do things to their computers that will enable them to break them, as well as breaking other computers by proxy, via network attacks, spyware, malware, etc.

So, like automobiles, it has become necessary to make the engine more difficult to tinker with. The alternative would be to empower government to handle the protection of users from one another, an alternative that only a government could find attractive.

Enter User Access Control. This feature addresses some of the issues that have been passed down from one generation of operating system to another, issues which have simplified the operation of the computer in the past, but now make it much more dangerous. Users have traditionally run their computers with Administrator priveleges for the local machine, which gives them essentially carte blanche permission to do anything to the computer via any application they run. Users, even administrators, will now run under a Standard User Account, and when an application needs permission beyond the allowed permissions for that account, it will prompt them for the necessary credentials.

While this might seem problematic, with regards to the day-to-day operation of the computer, there are things which can be manually configured to prevent the constant interruption of the user for such things as registry permission. But they must be manually configured, with User Access Control firmly involved in the process. And this requires a more sophisticated understanding of security than your average user is likely to have.

This is going to be a tragedy for mal-ware, which typically assumes the identity of the loggged-on user, and attempts to run processes without the user's being aware of it. It also results in the increased difficulty of users to perform certain types of tinkering, at least without a mimimum of knowledge about the inner mechanisms of the computer.

Thus, not only is the computer better protected from the evil outside world, but also from the willfully-ignorant average user. This means that software companies can continue to provide software that does more without being overwhelmed by support incidents that stem from user error.

Windows Defender

Windows Defender has been available as a free add-on for the XP operating system, and marketed as a tool for protection against spyware (while Windows OneCare Live has been marketed as the Microsoft anti-virus solution). While this is certainly true with regards to spyware, it is not the whole truth with regards to the Vista operating system.

Windows Defender is used by Vista to support other services that monitor the health of the system. It also allows the user to remove or disable any software running on the system that may be suspicious. In a sense, it is the "Software GateKeeper" for the operating system.

Service Hardening

Windows Services have traditionally been a point of vulnerability to the system, mostly due to the fact that they run without any visible user interface, performing tasks in the background, without the user's knowledge. Again, traditionally, a number of factors have enabled Services to perform necessary maintenance tasks in the context of the local System or Administrator account. This in no longer the case.

Most Services have traditionally run under the System or LocalSystem account, which has granted them carte blanche access to almost everything in the local system. Vista runs most services under the LocalService or NetworkService accounts, accounts which have much more restrictions with regards to changes made to the operating system.

Services now run with individual security identifiers (SIDs). This gives each Service a unique identity, enabling each Service to be individually configured with regards to what specific permissions it has. Each Service may have its own Access Control List (ACL), which enables it to allow or deny access to its services on a user-by-user basis.

Services are write-restricted on an individual basis, meaning that each service can be explicitly granted or denied write permission to files and registry entries.

Services by default are not allowed to interact with the user's desktop, preventing cross-session interaction, and such things as Shatter attacks.

Services are configured with individual Firewall policies, meaning that each Service has specific Firewall priveleges, rather than carte blanche access to network ports and addresses.

As a software developer, I need to run as an administrator, I need to be able to grant applications such as Microsoft Visual Studio permission to do low-level debugging, and I need to run a plethora of diagnostic and devlopment applications that perform operations on the local operating system and the network. I need to set up Internet Information Services on the local machine, to run a Microsoft SQL Server on the local machine, and so on.

So, I had a bit of difficulty installing all of my software. It wasn't really difficult; it required some research and time to do it. Still, I was able to set up my system and software in a few days. And if I had to do it again, I could probably do it all in a single day.

But as a software developer, I can understand and appreciate the enhanced security in the Vista operating system. I can accept the apparent intrusiveness of User Access Control (which I have turned off on my local machine, but would not recommend it to anyone other than a developer). I can also accept the fact that I will have to perform additional tasks with regards to writing software to run on Windows Vista. This will require more time in the short run, but save much support time in the long run. I'm sure every software developer has experienced the headache of hearing from users who have done something completely unrelated to the software in question, which has had an effect on their software, and had to straighten out a user's self-made mess. At least every developer who has been in this business long enough has experienced this, and no doubt Microsoft has had an earful of it.

Support is by far the most expensive aspect of software development, contrary to what most people may believe. While development itself is costly, the cost is short-term, while the cost for support is on-going, and may go on for years.

So, Mrs. Lincoln, other than that, how did you enjoy the play? I have to say that I am highly impressed with Windows Vista. There is far more there than meets the eye, and a lot more than you will hear about in advertisements and commercials for the operating system. Eye candy sells software, but it is power and potential that gives it legs. Vista is well-supplied with both power and potential, more than anyone not working at Microsoft will know about for years to come.

I look forward to the continuing learning experience of working with it.