Hacker News new | past | comments | ask | show | jobs | submit login

Microsoft's products have long had broken security models close to their core, mostly owing to the fact that they pre-date the net and were originally not multi-user.

Instead of fixing this -- and to maintain backward compatibility -- they've always applied security models further up the tree, closer to the apps and the user. As a result MS has more and more complex security controls but is less secure. This complexity and security bloat results from trying to patch a boat that's full of holes in its fundamental design.

Secure boot is needed for the same reason lots of other controls are needed-- to make it harder to permanently screw the system once you've gotten malware onto it. This is so important because it is historically so easy to get malware onto Windows.

I didn't imagine a single person could type this amount of factually incorrect information in a single post. Hats off to you, sir !

Why, I agree with most of what he said. Please enlighten us to whatever you find incorrect!

>Why, I agree with most of what he said.

Sorry, then nothing I say will change your mind. It would be a waste of my time.

So, you firmly believe that people's minds can't be changed? By logic and reason, that is, of course.

Can you please elaborate? What specifically is incorrect?

>What specifically is incorrect?

Everything. I mean literally everything. Every single sentence.

First of all.. calling NT 'not multi-user' is laughable. Anyone who knows anything about OS design knows that NT was designed from the ground up to be muti-user - with an extremely well thought out token/object security model that was hands down superior to any other general purpose mainstream OS at the time.

Secondly secureboot is not an active security model. It is a one-time validation of a chained-loading sequence from the uefi/bios to the OS kernel. It has nothing to do with "patching holes" in NT. NT is already a highly secure operating system. Infact, there have only been a very small amount of kernel vulnerabilities ever found in NT compared to most other widely used OSs.

Secure boot is also nothing new. They have been using something similar on the xbox 360 for years. In any case, Secure Boot is an OS agnostic general security 'best practice'. Many Linux distributions are also adopting it.

I wouldn't call NT security model hands down superior to any other general purpose mainstream OS at the time. Much more complex and fine-grained, yes. However, it is the same complexity that is killing it. Nobody has the time to learn it properly and secure the system appropriately.

So in the end, worse is better, because it is usable in practice by people with deadlines.

Similarly, in the Linux world, SELinux provides much better security. But then again, very few people know how it works and how to configure it, so even when it is enabled, it relies on policies supplied by OS vendor.

I don't agree with your comparison. NT's security model does not have to be exposed to every single end-user for it to be useful. For e.g. things like taking a process token and stripping its rights to adding a layer of security to the processes is much superior to a chroot type hack. Modern UNIXs have added apparmor, but then again I was comparing NT with the OS landscape in the early 90s. Also file system ACLs is another place where NT was superior. There was nothing comparable elsewhere at the time.

The problem is you're comparing two unequal things and calling it even. Linux clearly has had to deal with several challenges in improving its design due to its UNIX heritage (time-sharing OS, synchronous I/O, blocking syscalls, etc), while NT did not because it was a fresh design.

Frankly this type of discussion is more suited for a comparative analysis type paper than the comments section. Also, FWIW - I don't claim any special expertise or knowledge on OS design, its simply a topic of general interest of mine.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact