Vista's two-faced firewall inspected, called out
Sure, reading through the feature set of Windows Vista is one way to get a taste of what an upgrade will do for your life, and reading "expert" reviews of the operating system and its minutiae certainly add an additional bit of insight not conveyed on the box alone, but one aspect of Vista is facing some serious criticism from a skeptical reviewer. In Microsoft's latest OS, the "Windows Firewall" boasts about offering up two-way protection -- that is, blocking both incoming and outgoing data -- but after careful analysis, it's apparently not that cut and dry. CNET's Robert Vamosi has noticed that the system does a fair job of blocking malicious content from reaching your PC, but when inspecting the outgoing blocker a bit more carefully, it appears that you're covered from moment one, as it's turned on by default -- or not. Interestingly, having this section of the firewall enabled does absolutely nothing for your protection, as in the default configuration "there are no block rules, only allow rules," which essentially means that it's capable of blocking, but until you specifically enable blocking rules for specific programs, you're exposed. Microsoft's reasoning is that maximum protection would cause new users to see a warning with every single application they launched on their PC, causing both frustration and a desensitized view of the firewall itself, and while we can certainly sympathize with how annoying those pop-ups would be, CNET feels that this excuse stems more from Microsoft's handiwork in crafting the OS more for enterprise use and less for novice "home" users. Nevertheless, knowing that your outbound firewall is likely wide open should help more than a few of you close any potential holes in your fortress, and be sure to hit the read link if you secretly enjoy hearing Vista take a severe tongue-lashing.[Thanks, Randall]
Reader Comments (Page 1 of 1)
chuck @ Feb 6th 2007 6:04PM
haha.. apple already has an ad regarding this matter. and it just so happened to show up randomly on the upper-right corner of engadget when i read this post.
Alex @ Feb 6th 2007 6:06PM
I've seen things like this happen a lot with Vista development. It's like "hey we've got a great idea" then someone comes by and says "but the dumb users won't get it!" and it's scrapped. It's not made an option, but scrapped completely. That's right, make the dumbest users happy, but don't allow an option for your more intelligent ones? I wanted to like Vista so bad.
Kurtis @ Feb 6th 2007 9:56PM
Dude, you are a moron. It was not scrapped. The intelligent users can go in and add block rules.
Matt @ Feb 6th 2007 6:09PM
Mama Boucher: Bobby the Windows Vista firewall is the devil!
Jeremy @ Feb 6th 2007 6:17PM
This is rather assinine.
MS is damned if it does and damned if it doesn't in this case. I have witnessed first hand what happens when a lay-user uses a computer that has a "two-way" firewall installed...They get tired of getting pop ups about every application that needs outbound access and eventually call someone (me) to find out how to just allow everything.
It's a full time job now just helping my dad to understand when to/not-to update some application when it asks and even worse what to not install at all (i.e. google/yahoo/etc toolbar options). It would be a nightmare trying to explain every little firewall popup and what it's trying to do and why this one's good and this one's bad, etc.
Jeremy @ Feb 6th 2007 6:22PM
Alex: In regards to this feature, it has not been scrapped. It is there, and is enabled by default. You just have to define the rules. This is a win-win as the power user can tweak to their hearts content and the lay user won't be bothered (or bother the power user).
Jumbie @ Feb 6th 2007 6:30PM
Couldn't agree with Jeremy more.
When a user installs something like a firewall, unless another person they trust tells them to install it (as I've done with some of my friends), they will usually (hopefully) have read about it so that they know what to expect.
But if this "new" feature is thrust upon the masses without any warning (and MS can try as hard as they like to educate consumers but they will fail cause most people seem to be brainless idiots) they will think that their computer is broken or has a virus or some such.
Like Jeremy, I know what this is like first hand. My father runs a very successful business. He's a smart individual but not very computer literate. I set up his computer at home and threw a firewall on it and made sure everything was working properly. Google Talk likes to stealthily update itself so one day he got a pop-up informing him that an application had changed and was trying to access the internet and if he wanted to allow it. That sounded bad to him so he clicked on no (doesn't help that English isn't his first language either). Of course, Google Talk didn't work after that and I had to try and figure that out by baby stepping him through everything that he'd done on the computer in the past while (over the phone cause I was in another country).
I've since taught him about firewalls but I can see where MS is unfortunately coming from on this one. I mean hell, look at wireless routers that broadcast the SSID by default cause people are morons. Even though they will be advised during setup to change it and/or put a password on, how many unencrypted, open networks do you see every day?
blaQ @ Feb 6th 2007 7:01PM
oh wow...now i wont buy vista. gimme a break. show me one os without its problems, shortcomings
Trojan @ Feb 6th 2007 7:17PM
Defaults to Not Block has nothing to do with Enterprise users, Enterprise IT Departments would be controlling all of those settings through Group Policies anyway.
Russell @ Feb 6th 2007 7:59PM
Exactly, it's perfect the way they have it setup.
Luke @ Feb 6th 2007 8:08PM
How is this not a good thing? Microsoft created a powerful utility that can grow to support the needs and experience of its users? This is exactly how I would have done it if I was them. You guys know you'd be complaining about how much of a pain vista is if that 2-way firewall was enabled by default.
morcheeba @ Feb 6th 2007 8:56PM
I'm guessing that future updates will add new rules for specific malware microsoft finds, so that's why it's not enabled yet.
My question is why is the "blocked" message so bad?!
From http://content.zdnet.com/2346-10741_22-53425-12.html
"A program needs your permission to continue
If you started this program, continue
[Name of program]
[Company]
> Details Continue Cancel
User Account Control helps stop unauthorized changes to your computer."
First, it looks like a very generic "press any key" screen. It should *at least* explain that the firewall is the cause of the notice -- if you didn't expect the program to connect to the internet, then you should press cancel.
Second, what's with the "User Account Control" message & why should the user be concerned -- is an unauthorized change about to be made? Or (more likely), it's telling me indirectly that clicking "Continue" will make a change to the computer.
Josh @ Feb 6th 2007 9:16PM
Let me get half of the ensueing comments out of the way by posting an entry for them: "Apple is so great, they do something better about this, they are so totally cooler than M$, which sucks, and I want to have Steve Jobs' turtleneck clad baby".
And on a serious note, the rational posters here have the jist of this. It is a great tool for the power users, should be hidden from the normal users, and transparently updated by the MSRT each time it is pushed down with definitions for common malware to block. I can't imagine a better way for this to function by default. It would be nice if power users could set up an allow list rather than a disallow list, but personally it has annoyed me enough when I launched a multiplayer game that wasn't in the allow list, only to have it hang forever because it can't get out, that I am ok with this functionality being absent
Mischa Lockton @ Feb 6th 2007 9:18PM
So on the contrary (as usual) doesn't this actually mean the Apple ads are full of it? They are funny ads, just not too truthful.
I think I have been reading too much Appleinsider.... I was starting to believe
nathans @ Feb 6th 2007 9:24PM
Uh...does this guy know what the hell he's talking about? It blocks ALL outgoing traffic by default except with a few pre-configured applications. What a tool.
Chuckles McGee @ Feb 6th 2007 10:15PM
XPs firewall caught many a keygenned program trying to covertly "phone-home" and check it's serial against a database. Alas, no more.
Kev50027 @ Feb 6th 2007 10:53PM
Engadget takes good news about Vista and makes it look bad.. Just like any other day. I'm so tired of this anti-anything not Apple, this is BS. Engadget: PLEASE REPORT NEWS, not your OPINION.
Matt @ Feb 6th 2007 11:47PM
I just think it is time that everybody take 3 hours out of their lives and learn how to use a computer. It is not that hard to understand a computer if you TRY. The problem is, Americans are so lazy that they believe computers are supposed to solve all of their problems no questions asked. If people only realized that computers can NOT think (yet) maybe they would be more willing to understand their computer, instead of just calling the Geek Squad when their computer won't turn on because it isn't plugged in....
Brian @ Feb 7th 2007 8:45AM
Jeremy stole the words from my mouth. Microsoft is obviously damned if it does and damned if it doesn't. I'm quite sure we'd have seen a post about how annoying Vista was were it set up to block by default.
A.J. @ Feb 7th 2007 9:06AM
That's because they want you to purchase OneCare to get a functional firewall. If they really didn't want you to have to deal with it, would they have included that functionality in their OneCare product? No, it's all about making money.
CS @ Feb 7th 2007 9:07AM
I think it makes perfect sense; few people know how to config a software firewall. Bad article.
blaQ @ Feb 7th 2007 9:49AM
C-Net were exposed as iFanboys a long time ago-whats new Engadget.
ethana2 @ Feb 8th 2007 5:44PM
If you need help switching to Linux, please contact me. I'm trying to help as many people as possible away from wasting $250 dollars and prolonging M$'s existence. ethana2@gmail.com. I'm very glad to help. Arguing with M$ fan boys is fun too, so whatever. (I like getting emails.)
Hacking windows up to work the way you want is only fun until you realize-
"Hey. Linux does this already!"
Good luck with that UAC, vista. Maybe you could borrow from our solid implementation of it. Or not, whatever. Somehow I doubt most of your users know a good idea when they see it. Don't ask me why...