The truth about Redmond's WinXP signed driver plans

You should only accept signed and quality-controlled articles on the subject...


Has Jim Allchin, Microsoft's Mr XP, finally lost it? Why is he writing letters to ZD denying things Microsoft hasn't been accused of? Doh...

The Register was indeed initially baffled by Jimbo's trenchant defence of XP's implementation of a signed driver regime, as described yesterday by the Smart Partner segment of The Mighty Z. He disputed "findings from beta testers and analysts that under Windows XP all applications and drivers need to be 'signed' or need to be re-registered online before they can run."

Oh really? One can just about grasp how the odd analyst might be deluded enough to believe this twaddle, but as WinXP beta testers will in the main be actually running WinXP, they'd have to be terminally asleep at the switch not to have noticed that this is, er, entirely untrue. But where were these allegations made in the first place? Aha, yes, Smart Partner, May 8th, in a piece encouraging people to refuse to upgrade to XP.

"Then there’s the requirement that all software be signed with a Microsoft-approved bit of code. MS has said that will be the case with device drivers, but it’s unclear whether XP apps will need to be signed, too. A Microsoft source tells me they will be."

You can see why Allchin might get a little bit worked up about this, first because it's entirely untrue on both counts, and second because it spreads precisely the kind of disinformation Microsoft really does not want doing the rounds in the run-up to XP's launch. The reality is that although Microsoft intends to actively encourage the use of signed drivers, and would like to apply a similar system to apps, the position is considerably more complex.

Windows XP does indeed have its defaults set to warn you about installing unsigned drivers, and it does indeed have the facility to be set to refuse to install these drivers. But while Microsoft wishes to encourage people to stick to signed ones, there is no "requirement that all software be signed with a Microsoft-approved bit of code." There's nothing to stop you installing and running unsigned drivers, and in many cases - at least at the moment - they'll run better than the preferred Microsoft defaults.

The fact that a driver is signed does not per se mean that it is necessarily good, or even works at all. It probably does mean that it's highly unlikely to break your XP installation, which is a start.

The warnings you get seem to be on a graduated scale, but as yet The Register hasn't felt impelled to try to figure out what the rules are. We have however got the impression that matters connected with modems and USB seem to prompt particularly shrill ones, as well they might.

Naturally, as we've said here before, many users are going to be a bit worried by such warnings, which will mean hardware vendors will get griped at about getting their drivers 'up to snuff,' and Microsoft will have a 'told you so, contact your hardware vendor' get-out in cases where XP does break after unsigned drivers are installed. As we've also said here before, this will pressure hardware vendors to support Microsoft's signed driver regime, and will ultimately place even more power in Microsoft's hands. But it's not compulsory, and Redmond probably doesn't think there's any need for it to be.

As for apps, it's definitely not "unclear whether XP apps will need to be signed." Reference to a November piece in, er, Smart Partner (itself a follow-up to a slightly earlier piece in El Reg) reveals that XP will include the option to block all unsigned code. And in a presentation in Seattle earlier this year The Register distinctly heard senior Microsoft reps say that while they were extremely keen on digital signatures for apps, they realised it would be a highly sensitive area, so they were going to be real careful.

As yet, Microsoft has not set a default to warn against installing unsigned apps, but even if it goes that far - which it quite probably won't, given the howls it would generate from ISVs - it would be politically impossible to set the default to block, at least in this rev of Windows. The pressures that will drive ISVs towards a signed regime are however the same as they are for signed drivers, and no doubt somewhere within Fort Redmond there are people mulling over possible opportunities for 'deflectors on full' editions.

Super-safe, super-crashproof corporate editions? The corps will like signed regimes anyway, because they stop users installing crud. Unbreakable, idiot-proof appliance editions for the home? Could happen - but Redmond's planners are too sophisticated (no, really...) to just slam down the shutters now, in one go.

Allchin's letter does however say something interesting that should be made more of. He correctly states that the default is set to warn, and that "we have been encouraged by computer manufacturers to change the default to block, but we are staying with warn. The warning message you get is scary if you are trying to load an unsigned driver and rightly so, in my view."

Undoubtedly, we are being somewhat economical with l'actualite here. What we presume is really happening is that Microsoft has been busily doing the rounds of the hardware manufacturers, extolling the virtues of signed driver regimes. As such regimes - operating correctly - will involve hardware manufacturers working closely with Microsoft to make sure their drivers work, and that Microsoft says they work, there would seem to be considerable upsides for PC manufacturers here.

They hate getting huge numbers of tech support calls, it costs them when Microsoft accidentally breaks things and then they've got to figure out why and placate their customers - on a level playing field, signed drivers could be a good thing for them. But it's not exactly the case that it's the evil hardware manufacturers who want to lock everything down, and plucky Microsoft that's defending liberty.

Get real, Jim. If they're lobbying for block all unsigned as the default, it's because that's precisely what you've effectively been encouraging them to lobby for. No doubt you'll be finding that your enterprise customers will be demanding that same default for drivers, and swiftly afterwards for apps, RSN.

So what's wrong with signed regimes anyway? Isn't it a good idea to have entirely approved systems where all of the software is guaranteed to work, and not to break things? In principle, nothing, and in principle it'd be great to have a big pile of all the stuff you'd ever need easily and instantly available in a giant store on the Windows Update site. But as we've said before, the problem lies in the nature of the custodian - It's the storekeeper's funny eyes. ®

Related Sm@rts:
XP, just say no, apparently
Allchin show denial
Whistler To Block Unsigned Code
