Friday, December 15, 2006

go find some other argument

i'm going to preface what i'm about to say with this: i like the security incite blog, i like its content and i like its name and i look forward to reading the daily incite each day...

that said, mike rothman needs to find a different angle to counter the anti-patchguard arguments than what he used here... it's pretty clear that it's an emotional argument, he criticizes what he perceives alex eckelberry's motives to be rather than arguing the facts...

here are the facts:
  1. there are important security functions (functions that remain important in spite of vista's enhanced security) that are just not possible under the current state of affairs with 64-bit vista and won't be possible for years to come...
  2. microsoft security program manager stephen toulouse admits that functionality is missing from the currently supported API and that it won't be seen until sp1 or sp2 here...
  3. alex makes a very good argument for why full kernel access is needed (if/when a new type of kernel access is required to address a novel threat, there's no way to address the problem in a timely fashion if you have to negotiate access for months/years with microsoft to get that access)...

it's not about whether microsoft has the right to change their product, obviously they do have the right... it's about the fact that they're hurting security by saying that it can only be achieved in a certain narrowly defined set of ways and making attempts to go outside that set (like when it becomes obvious that microsoft didn't think of everything) cause the computer to crash...

maybe alex is just looking out for his bottom line but that doesn't mean that he's wrong or that the issues he's raised don't matter... microsoft has made entire classes of security monitoring impossible and anyone who cares about security should care about that and anyone who doesn't think those techniques are going to be useful anymore (that vista will obviate the need for such techniques) doesn't understand malware... to paraphrase jeff goldblum in jurassic park 'malware will find a way'...

sure vista looks all new and shiny and secure, and it will probably make a dent in malware too (at least existing malware), but in the long run that doesn't amount to a hill of beans... windows 95 probably did more to kill the major malware threat of the day (11 years ago the major threat was boot sector viruses) than any other technology or event but it didn't stop malware, malware evolved (obviously as windows is now seen as a malware magnet) and continues to evolve and will continue to evolve in the future... in order to deal with a constantly evolving threat landscape you need flexibility and that flexibility isn't there, nor is it even on the table (microsoft has promised additional kernel access but they haven't promised full kernel access)...

no one is arguing that there isn't good reason for microsoft to block access to the kernel, but doing so without first implementing all the necessary officially supported alternatives? come on, you don't brick over your back door if you don't have a front door yet...
