Compartilhar via

Something Windows Vista Parental Controls cannot protect against

  • Artigo

Howdy from RSA in San Francisco - I just got here, and I have a talk tomorrow morning @ 9AM about Windows Vista Security Engineering.

Now to the topic of this post.

One of my favorite features in Windows Vista is Parental Controls. I like the feature because my 5 year old son, Blake, loves to use the computer but I really don't want him using the computer too much, because he gets that glazed-over-eyes look. You know the look! So I limit his use to between 4PM and 7PM during the week, which basically means he can't use it before school.

The other day (a Saturday) he wanted to use the computer, and my wife had asked me to lock him out because he'd hit his sister, or something. So I tweaked the Parental Controls policy to block out Saturday. He came to me asking if he could use the computer because he couldn't logon. I said, No, because he'd hit his kid sister, or something.

I went to go about my own business, and came back fifteen minutes later to see that Blake had opened the computer case and, with screwdriver in hand, was trying to "fix things, daddy" so he could access the computer!

I didn't know whether to laugh, cry or be proud that my son wasn't going to be held back by some stinkin' software policy! :-)

Comments

  • Anonymous
    February 07, 2007
    Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore :)

  • Anonymous
    February 07, 2007
    The comment has been removed

  • Anonymous
    February 07, 2007
    Great story!  Seems that the children of security nerds seem to tend toward becoming hackers.  Two anecdotes:

  1. Once when my middle child was about three and a half and beginning to learn to read, he pointed to a stop sign and read, "S T Zero P".  I didn't think we had been teaching him 733t speak.
  2. When I told the above story to Robert Hensing, he replied with this great story: "So I have a 4 year old son as well who is also doing stuff on the computer.  He doesn’t really know what I do for a living, he thinks I play pool and Xbox at Microsoft. :) Anyhoo - one day I noticed in my security event logs . . . An unusual amount of failed logons for my account (we have a family shared MCE2004 PC). The logon types were all type 2's!!! So one night I'm watching TV and my son walks over to the keyboard to login (he's got a 6 character fairly complex password for a 4 year old <G>).  I see him trying and trying so I figure he just forgot his password so I go over to help him out and to my utter amazement he's trying to login to MY account.  I ask him what he's doing and his reply was "I'm trying to login as you" rather matter of factly.  I was like 'why!?'.  He goes 'I want to watch TV'.  I don't have MCE2004 setup in his profile in a way he can easily get to it (if he figures THAT out it's all over for me). Dude, my 4 year old son was trying to brute-force my password over a series of days / weeks all so he could login and watch TV. I'm scared."

  • Anonymous
    February 07, 2007
    Read it at http://blogs.msdn.com/michael_howard/archive/2007/02/07/something-windows-vista-parental-controls-cannot-protect-against.asp

  • Anonymous
    February 08, 2007
    you got pwn3d by a five year old!

  • Anonymous
    February 08, 2007
    Dear Sir, I would like to know if there is any requirement in any of the security team at microsoft like windows one care or windows defender or any other team where maleware and spyware research is being done. Also let me know the best way to apply there. Regards, SecGeek secgeek@secgeeks.com

  • Anonymous
    February 08, 2007
    We just did a cartoon about this called Compliance Tools http://securitybullshit.wordpress.com/2007/02/05/cartoon-012-compliance-tools/

  • Anonymous
    February 08, 2007
    Couldn't Windows monitor a case switch or something? I thought that was already implemented somewhere. I tell parents that if they really believe the parental controls on their TV or PC are strong enough to stop their children, either they're mistaken or their kids aren't particularly clever (sounds like the former, in your case). Regardless of that, it is strange conditioning to make kids need to circumvent things like that. Remember that, before computers, childrens' toys didn't have parental controls but parents could still discipline their children. Eventually your son will probably come home with another OS's Live CD, and windows security will be no more problem for him :)

  • Anonymous
    February 08, 2007
    If you have small children like that, might I suggest getting a computer case made out of strong metal that has a latch for a padlock. When the latch is engaged, the case cannot be opened. We had to get a bunch of locks after RAM came up missing in a few machines in a lab I used to administer. Luckily, every single case in that room was designed to handle a lock.

  • Anonymous
    February 08, 2007
    And now you have to protect him against electrocution!

  • Anonymous
    February 09, 2007
    Heh, sounds like the kid got the right idea. If nothing else works, senseless violence usually do. We got a saying in Sweden which translates quite good to English. Will, violence and vaseline. On a related note i was bummed to find that Vista still doesn't feature the two things i really want, the haunted Windows logo from Futurama and the interface from Chef's tv in South Park that makes it transform into a r203 style killbot with laserguns. :-P I guess you saved that for SP1.

  • Anonymous
    February 19, 2007
    The comment has been removed

  • Anonymous
    February 20, 2007
    Michael, You and Jeff gave interesting session. That presentation was not available in RSA CD so RSA uploaded it on the conference website. I tried to download it but it's corrupted pdf file. I have asked RSA to post correct version of your presentation but haven't seen it so far on the website. Can you please provide a correct version to RSA or post it on your blog or send it to me? Thank you, Rajiv rajiv_sh@hotmail.com

  • Anonymous
    February 23, 2007
    We all have our kids trying to exploit our computers. This was a couple of years ago: http://blogs.msdn.com/dmuscett/archive/2005/01/06/347523.aspx In your case it was at least good to see him being so determined. That is a good quality. He wasn't trying to circumvent anything, he was trying to "fix" stuff because he thought it was broken. Kids at that age don't understand how things can be "virtual" such as software, and of course he thought he could fix the PC - fixing the hardware :-)) Good that you stopped him in time before he could actually damage the hardware, anyway... :-)

  • Anonymous
    March 19, 2007
    The comment has been removed

  • Anonymous
    May 03, 2007
    I personally think that really young children should always be supervised when at the PC. During teens, they get to an age where they start to research all this stuff on security like myself. I think vista is ruined by parental controls as it encourages parents to enforce regulations on trust worthy teens for the sake of it. It is usefull I'd say fir the 13's and below.