Something Windows Vista Parental Controls cannot protect against

Published 07 February 07 06:17 PM

Howdy from RSA in San Francisco - I just got here, and I have a talk tomorrow morning @ 9AM about Windows Vista Security Engineering.

Now to the topic of this post.

One of my favorite features in Windows Vista is Parental Controls. I like the feature because my 5 year old son, Blake, loves to use the computer but I really don't want him using the computer too much, because he gets that glazed-over-eyes look. You know the look! So I limit his use to between 4PM and 7PM during the week, which basically means he can't use it before school.

The other day (a Saturday) he wanted to use the computer, and my wife had asked me to lock him out because he'd hit his sister, or something. So I tweaked the Parental Controls policy to block out Saturday. He came to me asking if he could use the computer because he couldn't log on. I said no, because he'd hit his kid sister, or something.

I went to go about my own business, and came back fifteen minutes later to see that Blake had opened the computer case and, with screwdriver in hand, was trying to "fix things, daddy" so he could access the computer!

I didn't know whether to laugh, cry or be proud that my son wasn't going to be held back by some stinkin' software policy! :-)


Comments

# jmanning said on February 8, 2007 1:05 AM:

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore :)

# Petar Smilajkov said on February 8, 2007 1:23 AM:

Lol! This is fun ;)

When I read the title in the RSS I was like - wthell is up with the Parental Controls in Vista, but thank God it's just a new little hacker :)

Cheers,

Petar

www.VistaJuice.com

# Aaron Margosis said on February 8, 2007 3:12 AM:

Great story!  Seems that the children of security nerds seem to tend toward becoming hackers.  Two anecdotes:

1) Once when my middle child was about three and a half and beginning to learn to read, he pointed to a stop sign and read, "S T Zero P".  I didn't think we had been teaching him 733t speak.

2) When I told the above story to Robert Hensing, he replied with this great story:

"So I have a 4 year old son as well who is also doing stuff on the computer.  He doesn’t really know what I do for a living, he thinks I play pool and Xbox at Microsoft. :)

Anyhoo - one day I noticed in my security event logs . . . An unusual amount of failed logons for my account (we have a family shared MCE2004 PC).

The logon types were all type 2's!!!

So one night I'm watching TV and my son walks over to the keyboard to login (he's got a 6 character fairly complex password for a 4 year old <G>).  I see him trying and trying so I figure he just forgot his password so I go over to help him out and to my utter amazement he's trying to login to MY account.  I ask him what he's doing and his reply was "I'm trying to login as you" rather matter of factly.  I was like 'why!?'.  He goes 'I want to watch TV'.  I don't have MCE2004 setup in his profile in a way he can easily get to it (if he figures THAT out it's all over for me).

Dude, my 4 year old son was trying to brute-force my password over a series of days / weeks all so he could login and watch TV.

I'm scared."

# Donna's SecurityFlash said on February 8, 2007 4:16 AM:

Read it at http://blogs.msdn.com/michael_howard/archive/2007/02/07/something-windows-vista-parental-controls-cannot-protect-against.asp

# Jack Hackett said on February 8, 2007 8:14 AM:

you got pwn3d by a five year old!

# SecGeek said on February 8, 2007 8:57 AM:

Dear Sir,

I would like to know if there is any requirement in any of the security teams at Microsoft, like Windows OneCare or Windows Defender, or any other team where malware and spyware research is being done.

Also let me know the best way to apply there.

Regards,

SecGeek

secgeek@secgeeks.com

# Curphey said on February 8, 2007 9:10 AM:

We just did a cartoon about this called Compliance Tools

http://securitybullshit.wordpress.com/2007/02/05/cartoon-012-compliance-tools/

# Finite said on February 8, 2007 2:38 PM:

Couldn't Windows monitor a case switch or something? I thought that was already implemented somewhere.

I tell parents that if they really believe the parental controls on their TV or PC are strong enough to stop their children, either they're mistaken or their kids aren't particularly clever (sounds like the former, in your case). Regardless of that, it is strange conditioning to make kids need to circumvent things like that. Remember that, before computers, children's toys didn't have parental controls but parents could still discipline their children.

Eventually your son will probably come home with another OS's Live CD, and Windows security will be no more problem for him :)

# Rosyna said on February 8, 2007 7:26 PM:

If you have small children like that, might I suggest getting a computer case made out of strong metal that has a latch for a padlock. When the latch is engaged, the case cannot be opened.

We had to get a bunch of locks after RAM came up missing in a few machines in a lab I used to administer. Luckily, every single case in that room was designed to handle a lock.

# Didier Stevens said on February 9, 2007 7:33 AM:

And now you have to protect him against electrocution!

# XStream said on February 9, 2007 9:02 AM:

Heh, sounds like the kid got the right idea. If nothing else works, senseless violence usually does. We got a saying in Sweden which translates quite well to English. Will, violence and vaseline.

On a related note I was bummed to find that Vista still doesn't feature the two things I really want, the haunted Windows logo from Futurama and the interface from Chef's TV in South Park that makes it transform into a r203 style killbot with laserguns. :-P

I guess you saved that for SP1.

# Alun Jones said on February 19, 2007 1:44 PM:

Yeah, my kid was less than two when he discovered the magic button that got Daddy's attention in a hurry. Lesson learned: Save early, save often, disable the power button.

At five he asks me, matter-of-factly, if there's a negative infinity.

At six, we have "the talk" about clicking on adverts, smiley downloads, etc - haven't seen spyware on his machine since.

At seven, we find him on a casino's web-site. He's been playing the free areas, and has realised on his own that even if he were to get a credit card, he shouldn't play any paid games, because over time he'd lose.

At eight, he has a friend over, and tells his friend to "look away, because I'm going to type my password".

Moments like these just make me so proud :)

# Rajiv said on February 20, 2007 11:51 AM:

Michael,

You and Jeff gave an interesting session. That presentation was not available on the RSA CD so RSA uploaded it on the conference website. I tried to download it but it's a corrupted PDF file. I have asked RSA to post a correct version of your presentation but haven't seen it so far on the website. Can you please provide a correct version to RSA or post it on your blog or send it to me?

Thank you,

Rajiv

rajiv_sh@hotmail.com

# Daniele Muscetta said on February 23, 2007 9:04 AM:

We all have our kids trying to exploit our computers.

This was a couple of years ago:

http://blogs.msdn.com/dmuscett/archive/2005/01/06/347523.aspx

In your case it was at least good to see him being so determined. That is a good quality. He wasn't trying to circumvent anything, he was trying to "fix" stuff because he thought it was broken.

Kids at that age don't understand how things can be "virtual" such as software, and of course he thought he could fix the PC - fixing the hardware :-))

Good that you stopped him in time before he could actually damage the hardware, anyway... :-)

# Michael Howard's Web Log said on March 19, 2007 7:02 PM:

A few weeks back I wrote how my 5 year old son, Blake, decided to hack into our computer. Well, it gets

# Alex said on May 3, 2007 8:56 AM:

I personally think that really young children should always be supervised when at the PC. During teens, they get to an age where they start to research all this stuff on security like myself. I think Vista is ruined by parental controls as it encourages parents to enforce regulations on trustworthy teens for the sake of it. It is useful I'd say for the 13's and below.
