Archive for the ‘Vista’ Category

Pwn2Own: ÜBERP0WN4G3!

Friday, March 26th, 2010

Well, as many developers already know: security is a concept, not a product! You can’t just throw “some security” at a piece of software. Security considerations must be part of the original design and development of software. The Pwn2Own hacking contest shows –once again– that there is too little security awareness in current software design. Look at these embarrassing results: all major browsers took a fall: Internet Explorer, Firefox and Safari. Most browsers are compromised by popular plugins like Acrobat Reader.

These OS’s took a fall: Windows 7, Windows XP, Mac OS X Snow Leopard. The only OS that is still standing is Linux. Because Linux is infinitely more secure? Well, maybe, but there’s also something else: Linux is an open source OS where highly skilled developers are coding. Changes are reviewed by others before they are merged into the main kernel tree. In other words: security is part of Linux. Another thing is that people who run Linux are people who are aware of abuse. These are –in general– not the people who would click on the ‘cute-kitten-movie.exe‘ attachment. So Linux is just not that interesting to Black Hat Hackers. True: Mac OS X is built on an open source OS as well, FreeBSD, but the presentation layer and Safari are proprietary code from Apple (except for the WebKit on which it is built).

Microsoft currently runs the Security Development Lifecycle (SDL) model. This should make security an integral part of the development lifecycle. Well, to be honest, when budgets are getting tight and deadlines are running out, documentation and code quality are the first areas that take the fall. So really I don’t expect much from SDL. Especially since MS is trying to develop a ‘catch all’ (silver bullet) security measure inside the kernel… I’m not saying these measures aren’t worthwhile, they are (Linux has had them for ages now), it’s just not enough.

The phrase ‘security is a concept, not a product‘ proves its point when you look at the measures current OS’s are implementing to prevent ‘arbitrary code execution’. Windows XP, Windows Vista (still in use?) and Windows 7 have DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). Both ‘techniques’ should prevent arbitrary code from being executed (or at least make it harder)… but they don’t. Dutch security researcher Peter Vreugdenhil showed an impressive circumvention of DEP and ASLR in Windows 7. See: security is not a product.

The good thing is that the hackers are not just updating the vendors on the leaks they found. Instead they tell the vendors how to find the leaks themselves in an attempt to raise awareness.

MS Windows 7 sneak preview

Wednesday, October 29th, 2008

Microsoft announced that it has already started working on “Windows 7” as a successor to the less than satisfying Windows Vista. Microsoft promises a whole new desktop experience albeit based on the same kernel as Vista’s.

The first screenshots from Windows 7 are starting to appear on the net. Mac OS X users will recognize a whole lot of OS X in the Windows 7 screenshots. It is almost as if Microsoft is admitting that OS X offers a way better user experience than Windows, since Windows 7 seems to copy every single feature from OS X. Take a look at the screenshots. I still prefer running a Unix operating system, but for those who prefer inferior OS technology this might give ’em at least a decent user experience. I don’t think Windows 7 will be the actual name of the retail product. They should give it a name that is more up to par with copying OS X. Apple uses names like Puma, Jaguar, Panther, Leopard. So I think Windows 7 should be called “Windows Siamese twin cat” or just “Windows Copycat”.

Windows Vista security

Monday, May 26th, 2008

So you got the brand-new Windows rendition? Are you feeling secure now that you run the most secure Windows ever? Well, take a look at this and wonder how come Microsoft just doesn’t understand security. In this case privileges are assigned based on a filename (Utilman.exe). So what happens when you rename another binary to Utilman.exe? Take a look and laugh your ass off. I’ve said it many times before and I will repeat it over and over again: Microsoft sucks!! They really don’t get security, they really don’t.

Here’s your video. Be careful: I almost forgot to breathe while laughing. Hats off to the guys at Offensive Security. You almost killed me with this.

BackTrack is a live Linux distro. You can boot it on any system to get a full working Linux environment. That environment is used to copy cmd.exe to Utilman.exe.
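A defender-side check for the swap described above, as an added example that is not part of the original post: it flags a Utilman.exe that is a byte-for-byte copy of another executable in the same directory. The function names and the sample directory contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_impostors(directory: Path, trusted_name: str = "Utilman.exe") -> list[str]:
    """Return names of other .exe files whose content equals that of trusted_name."""
    target = None
    others = []
    for entry in directory.iterdir():
        if not entry.is_file() or entry.suffix.lower() != ".exe":
            continue
        # Windows file names are case-insensitive, so compare lower-cased.
        if entry.name.lower() == trusted_name.lower():
            target = entry
        else:
            others.append(entry)
    if target is None:
        raise FileNotFoundError(f"{trusted_name} not found in {directory}")
    target_hash = sha256_of(target)
    # The name says "accessibility tool"; the hash says what the file really is.
    return sorted(p.name for p in others if sha256_of(p) == target_hash)


def demo() -> tuple[list[str], list[str]]:
    """Run the check on a constructed directory, before and after the swap."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins; real binaries are not needed for the comparison.
        (root / "Utilman.exe").write_bytes(b"MZ constructed accessibility tool")
        (root / "cmd.exe").write_bytes(b"MZ constructed command shell")
        (root / "notepad.exe").write_bytes(b"MZ constructed editor")
        before = find_impostors(root)
        # State after the copy shown in the video: same name, different content.
        (root / "Utilman.exe").write_bytes((root / "cmd.exe").read_bytes())
        after = find_impostors(root)
    return before, after
```

The check only catches copies of files that are present in the scanned directory; comparing against a known-good hash of Utilman.exe from trusted install media covers the general case.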

Vista’s UAC is fake security

Monday, April 28th, 2008

Microsoft presented Windows Vista as the most secure Windows ever. It is, by far, the most annoying Windows version ever. It has a security measure called UAC (User Account Control) in which programs run under a restricted user (not new, Unix anyone?). When an application wants to do something that requires a higher privilege level, UAC will show a pop-up in which the user has to agree to the raised privileges. The result of this is a constant, non-stop bombardment of pop-up windows bothering the user with “security” questions. It feels secure. You think you are in control. Now read this. These guys created a program that lets you reboot Vista without UAC kicking in even once. The trick? Let part of your program run as a service which has “System Administrator” privileges.

Windows Vista is not more secure than Windows XP is. All Vista users can now deactivate UAC since it is a hoax anyway. Cancel or Allow?

update: It seems Windows 2000 is the more secure Windows version. At least it requires a password of 18770 characters and cannot repeat any of your previous 30689 passwords.

Vista price cut

Tuesday, March 4th, 2008

Buizerd has written an interesting article about the price cut Microsoft has applied to its Vista operating system. Frank takes the trouble to compare Vista with Leopard (Apple fanboy warning), taking the price of both products into account. Which OS wins? Read the article.