Top security firm: Default Windows 7 less secure than Vista
Reviled UAC nagware finds a defender
Windows 7 is less secure out-of-the box than Vista, despite Redmond's protestations to the contrary, a top security firm has claimed.
Trend Micro said that the default configurations of Windows 7 are less secure than Vista. Raimund Genes, CTO of Trend Micro, said that Windows 7 had sacrificed security for useability - at least for default configurations.
"I'm not saying Windows 7 is insecure, but out of the box Vista is better," Genes told El Reg.
The User Account Control (UAC) feature that debuted with Vista was a security safeguard that asked users for permission before allowing applications to run. The nagware technology irked users and was blamed for producing numerous largely meaningless pop-ups that users blithely clicked past.
Even senior Microsoft execs, for example UK security advisor Ed Gibson, have taken to describing the technology disparagingly as "User Annoyance Control" over recent months. A toned down version of UAC has been developed for Windows 7, but Genes regards this and other changes as a step backwards.
"I was disappointed when I first used a Windows 7 machine that there was no warning that I had no anti-virus, unlike Vista," Genes said. "There are no file extension hidden warnings either. Even when you do install anti-virus, warnings that it has not been updated are almost invisible."
Genes said the security of Windows 7 for consumers might be improved by offering virtual XP, a sandboxed version of the older OS, with Windows 7 home editions. The virtualisation technology (criticised by other security firms, most notable Sophos, as a security risk in its own right because it needs separate patching and security protection) was only released in enterprise versions of the operating system.
Trend's unfavorable default security comparison between Vista and Windows 7 was released alongside its Trend Micro 2010 Future Threat Report. The main focus of the report places the security implication of the wider IT industry shift towards cloud computing and virtualisation under the spotlight.
While offering significant benefits and cost-savings, the architectural shift means cybercrooks are likely to turn their sights towards manipulating the connection to the cloud, or attacking the data center and cloud itself, instead of trying to infect desktop or server systems.
"The focus for security firms has been protecting desktops or servers, but this needs to shift to providing security for the cloud, where sensitive information such as credit card records will be held. Using encryption to establish shielded containers for sensitive data and improving the security and back-up of cloud computing systems needs to be improved so that we can have safe cloud computing," Genes explained. ®
Damned if they do, damned if they don't
So let's see... if the OS nag you to death, you complain, if it doesn't, you complain that is "insecure". If the OS tell you that you don't have an antivirus (that you should already know since it's YOUR fscking computer) you complain, if the Os assume that you're a grown up man now and you do know what you have and what you don't have, then you complain!
How about learning how to use a computer and looking after your own stuff?
Don't Listen To The Users
Savvy users are probably perfectly happy with UAC. Indeed when I'm running Kubuntu I'm perfectly happy to provide my password to run administrative tasks. The problem MS have is that too many of their users know cock about computers (even a lot of the ones who claim to be IT literate) and just don't understand what UAC is about.
A Cloud is Not a Physical Entity
>>"The focus for security firms has been protecting desktops or servers, but this needs to shift to providing security for the cloud, where sensitive information such as credit card records will be held. Using encryption to establish shielded containers for sensitive data and improving the security and back-up of cloud computing systems needs to be improved so that we can have safe cloud computing," Genes explained.
Genes doesn't seem to understand what cloud computing is or isn't. Take away the buzz words and all you are saying is you need to secure the network. A cloud is just a squiggly line on a network topology map. It's still workstations talking to servers, you've just increased the distance between them. Instead of having a few hundred meters of semi trusted CAT5 cable in your building you now have several thousand miles of untrusted network of questionable basis, maybe satellite, maybe fiber, maybe wireless, maybe an undersea cable the Russians/Chinese/Americans are tapping. You have no idea how exposed your data is. The only way to do trustworthy cloud computing is to encrypt everything where it leaves your premise and not decrypt it until it returns. Of course this also means they can never provide processing, only storage.
You can never trust the cloud provider, they are competing on price and will deliver the least security they can possibly get away with. Out of your hands means out of your control means assume the worst. EG: All the credit card processors who have been hacked recently despite their "secure" assertions and standards. They are "the cloud" for everyone with a POS terminal.
You get what you pay for. If the cloud offers to do it cheaper than in-house its not because they have economy-of-scale, its because they are willing to cut corners. They have a staff to pay too but they don't have some other profit center to offset the IT department.