Something Windows Vista Parental Controls cannot protect against


Howdy from RSA in San Francisco – I just got here, and I have a talk tomorrow morning @ 9AM about Windows Vista Security Engineering.


Now to the topic of this post.


One of my favorite features in Windows Vista is Parental Controls. I like the feature because my 5 year old son, Blake, loves to use the computer but I really don’t want him using the computer too much, because he gets that glazed-over-eyes look. You know the look! So I limit his use to between 4PM and 7PM during the week, which basically means he can’t use it before school.


The other day (a Saturday) he wanted to use the computer, and my wife had asked me to lock him out because he’d hit his sister, or something. So I tweaked the Parental Controls policy to block out Saturday. He came to me asking if he could use the computer because he couldn’t logon. I said, No, because he’d hit his kid sister, or something.


I went to go about my own business, and came back fifteen minutes later to see that Blake had opened the computer case and, with screwdriver in hand, was trying to “fix things, daddy” so he could access the computer!


I didn’t know whether to laugh, cry or be proud that my son wasn’t going to be held back by some stinkin’ software policy! πŸ™‚

Comments (16)

  1. MSDN Archive says:

    Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore πŸ™‚

  2. Lol! This is fun πŸ˜‰

    When I read the title in the RSS I was like – wthell is up with the Parental Controls in Vista, but thank God it’s just a new little hacker πŸ™‚

    Cheers,

    Petar

    http://www.VistaJuice.com

  3. Great story!  Seems that the children of security nerds seem to tend toward becoming hackers.  Two anecdotes:

    1) Once when my middle child was about three and a half and beginning to learn to read, he pointed to a stop sign and read, "S T Zero P".  I didn’t think we had been teaching him 733t speak.

    2) When I told the above story to Robert Hensing, he replied with this great story:

    "So I have a 4 year old son as well who is also doing stuff on the computer.  He doesn’t really know what I do for a living, he thinks I play pool and Xbox at Microsoft. πŸ™‚

    Anyhoo – one day I noticed in my security event logs . . . An unusual amount of failed logons for my account (we have a family shared MCE2004 PC).

    The logon types were all type 2’s!!!

    So one night I’m watching TV and my son walks over to the keyboard to login (he’s got a 6 character fairly complex password for a 4 year old <G>).  I see him trying and trying so I figure he just forgot his password so I go over to help him out and to my utter amazement he’s trying to login to MY account.  I ask him what he’s doing and his reply was "I’m trying to login as you" rather matter of factly.  I was like ‘why!?’.  He goes ‘I want to watch TV’.  I don’t have MCE2004 setup in his profile in a way he can easily get to it (if he figures THAT out it’s all over for me).

    Dude, my 4 year old son was trying to brute-force my password over a series of days / weeks all so he could login and watch TV.

    I’m scared."

  4. Jack Hackett says:

    you got pwn3d by a five year old!

  5. SecGeek says:

    Dear Sir,

    I would like to know if there is any requirement in any of the security team at microsoft like windows one care or windows defender or any other team where maleware and spyware research is being done.

    Also let me know the best way to apply there.

    Regards,

    SecGeek

    secgeek@secgeeks.com

  6. Finite says:

    Couldn’t Windows monitor a case switch or something? I thought that was already implemented somewhere.

    I tell parents that if they really believe the parental controls on their TV or PC are strong enough to stop their children, either they’re mistaken or their kids aren’t particularly clever (sounds like the former, in your case). Regardless of that, it is strange conditioning to make kids need to circumvent things like that. Remember that, before computers, childrens’ toys didn’t have parental controls but parents could still discipline their children.

    Eventually your son will probably come home with another OS’s Live CD, and windows security will be no more problem for him πŸ™‚

  7. Rosyna says:

    If you have small children like that, might I suggest getting a computer case made out of strong metal that has a latch for a padlock. When the latch is engaged, the case cannot be opened.

    We had to get a bunch of locks after RAM came up missing in a few machines in a lab I used to administer. Luckily, every single case in that room was designed to handle a lock.

  8. And now you have to protect him against electrocution!

  9. XStream says:

    Heh, sounds like the kid got the right idea. If nothing else works, senseless violence usually do. We got a saying in Sweden which translates quite good to English. Will, violence and vaseline.

    On a related note i was bummed to find that Vista still doesn’t feature the two things i really want, the haunted Windows logo from Futurama and the interface from Chef’s tv in South Park that makes it transform into a r203 style killbot with laserguns. πŸ˜›

    I guess you saved that for SP1.

  10. Alun Jones says:

    Yeah, my kid was less than two when he discovered the magic button that got Daddy’s attention in a hurry. Lesson learned: Save early, save often, disable the power button.

    At five he asks me, matter-of-factly, if there’s a negative infinity.

    At six, we have "the talk" about clicking on adverts, smiley downloads, etc – haven’t seen spyware on his machine since.

    At seven, we find him on a casino’s web-site. He’s been playing the free areas, and has realised on his own that even if he were to get a credit card, he shouldn’t play any paid games, because over time he’d lose.

    At eight, he has a friend over, and tells his friend to "look away, because I’m going to type my password".

    Moments like these just make me so proud πŸ™‚

  11. Rajiv says:

    Michael,

    You and Jeff gave interesting session. That presentation was not available in RSA CD so RSA uploaded it on the conference website. I tried to download it but it’s corrupted pdf file. I have asked RSA to post correct version of your presentation but haven’t seen it so far on the website. Can you please provide a correct version to RSA or post it on your blog or send it to me?

    Thank you,

    Rajiv

    rajiv_sh@hotmail.com

  12. We all have our kids trying to exploit our computers.

    This was a couple of years ago:

    http://blogs.msdn.com/dmuscett/archive/2005/01/06/347523.aspx

    In your case it was at least good to see him being so determined. That is a good quality. He wasn’t trying to circumvent anything, he was trying to "fix" stuff because he thought it was broken.

    Kids at that age don’t understand how things can be "virtual" such as software, and of course he thought he could fix the PC – fixing the hardware :-))

    Good that you stopped him in time before he could actually damage the hardware, anyway… πŸ™‚

  13. A few weeks back I wrote how my 5 year old son, Blake, decided to hack into our computer. Well, it gets

  14. Alex says:

    I personally think that really young children should always be supervised when at the PC. During teens, they get to an age where they start to research all this stuff on security like myself. I think vista is ruined by parental controls as it encourages parents to enforce regulations on trust worthy teens for the sake of it. It is usefull I’d say fir the 13’s and below.