Microsoft Realizes No One Wants To Pay Microsoft To Fix Its Own Security Flaws
from the that's-how-it-works dept
Back in 2005, when Microsoft was first mulling the idea of offering security software, we noted that the company was between something of a rock and a hard place. If it decided to charge for the software, people would accuse the company of trying to get people to pay to protect themselves from the security vulnerabilities in Microsoft's own software. Yet, if they went free, then they would face screams about antitrust violations for undercutting competitors in the security software market. We also suggested a third option: design better software that doesn't need security software. But, failing that, Microsoft chose what I think was the worst of the three options: selling security software. Perhaps not too surprisingly, not too many people took Microsoft up on the offer. It could be a combination of reasons why. First, Microsoft just doesn't have a good reputation when it comes to security. Second, that whole issue of paying the same company that created the security holes in the first place. Finally, it might just be inertia. People buy from McAfee or Symantec because they're two names that have been around forever and are recognized (and, most importantly, bundled on many brand-name computers).So, after a couple years of failing to make much of a dent in the market, Microsoft has abruptly shifted to option number two. It will no longer be selling its OneCare security software and, instead, will be offering a free security suite for users, though with fewer features than the old OneCare offering. The various security software companies put out statements saying, of course, that this is no big deal, but you have to believe they're now doing whatever possible to stir up some complaints out of the Justice Department that this is an antitrust violation. Maybe a few years down the road Microsoft will simply move on to option three, and make software that doesn't require separate security software.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: antitrust, free, security, software
Companies: mcafee, microsoft, symantec
Reader Comments
Subscribe: RSS
View by: Time | Thread
Add another example to oxymoron
Microsoft Security
Military Intelligence
Deafening silence
Pretty Ugly
Resident alien
Nondairy creamer
Jumbo shrimp
Civil War
Microsoft Security
[ link to this | view in thread ]
[ link to this | view in thread ]
On software without defects
It is not that it is impossible to make such software, but that nobody would want it: Formal methods and verification methods are available that can come very close, but only for very small systems.
Protocols that are provably correct are very simple and are not the ones that are deployed in the market. Customers scream when you break app compat and are always looking for new neat feature sets. Increasingly, the feature and the vulnerability are one and the same, the difference is the intent, look at the issue of web mashups, neat when used as you intended, not so neat when used maliciously.
We have been heavily criticized for our "overempahisis on security" in Vista -- people want features and ease of use first.
As for me, I run Server 2008 on my notebook. It doesn't have all those neat features.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: On software without defects
No, MS has been criticized for a poor implementation that trains users to click "OK" on everything that pops up and can still conceivably be worked around. The other OSs still have a better security model, and they don't sacrifice usability in the process.
[ link to this | view in thread ]
I have been Happy enough with OneCare
The problem with any of the antivirus warnings is that the end user overrides an installation prompt. Some people are just that much more likely to become infected than others.
[ link to this | view in thread ]
Re: On software without defects
security vs. (convenient)features.
Would it be overstating to say that at your company,
the emphasis is on features...
-cmh
[ link to this | view in thread ]
Microsoft Security?
[ link to this | view in thread ]
WHen MS warned that vista was not going to be backwards compatible no one listened until it was too late and then all they could do was complain. THen MS had to change it.
Unix would never had thought of a gui interface if it was not for the work of MS. So people do all your complaining that you want about the MS but give them the credit thats due to them in a honest way and not a critical fashion. Otherwise if you cant do both then SHUT UP!!!!!!!
[ link to this | view in thread ]
Antitrust violation?
Windows Media Player comes bundled with Windows. Yet there are plenty of alternatives to it that are doing quite well. Just about everybody I know uses either the iTunes player or Winamp.
Isn't it something along those lines? Or is the fact that its about security and not music really change it into a possible antitrust violation that easily? Or, am I right in my assumptions here, and it is just that the security companies are probably going to try to complain through those channels because they don't want more competition?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Um, I agree that Microsoft has been indispensably influential, but don't you think your above claim is just a bit far-reaching? There were other GUIs before MS, and it is a pretty natural evolution to go from UI to GUI.
[ link to this | view in thread ]
Re: On software without defects
I have to say its pretty fucking typical for a dev to blame his users for the crap in his software. I dont care about your problems. If you want me to pay for your software then make it work and make it useable.
[ link to this | view in thread ]
Re:
The only worthwhile OS developed by MS was NT and that was largely designed by an outsider called David Cutler and was based on his experience with DEC's RSX-11.
The only thing MS has ever done right is marketing.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: On software without defects
I design and code software for a living. Users want new versions of software that work better. This means faster, more easily, more securely, more intuitively, and with less (hopefully no) problems. They do not want another layer of mostly useless crap to learn.
Security can be a painless part of any software if designed correctly.
It's interesting you run Server 2008 on you notebook. This shows that you also prefer functionality and speed over the glitzy but limited and often irritating interface offered with Vista. I would run a Windows Server OS on my machines too, if I could afford the license (Windows Server 2008 Standard: $999 (with five Client Access Licenses, or CALs)
source: http://www.microsoft.com/presspass/press/2007/nov07/11-12HyperVPR.mspx).
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Microsoft Security?
Programs need security holes opened to work, once people figure out what holes are opened they can abuse it, it's quite simple.
The only reason you see time after time, microsoft getting hit, is because of a 90% market share. Who do you think the Virus makers are going to target someone with 90% market share or the 10% which is spread between Unix, BSD, Linux, Mac OS, all which have different kernals and different security holes opened?
[ link to this | view in thread ]
Re: Re: Re:
Actually, the mouse was invented by SRI, and then copied by Xerox (well, some SRI guys went to Xerox).
[ link to this | view in thread ]
Re: Re:
you know - the immediate jump to idiomatic swearing shows a... lack of intelligence...
but putting that aside... here are the facts that you brutally misrepresented
The honor for producing the first working GUI goes to Doug Englebart – at the time an employee of Stanford Research Institute. Englebart and colleagues created a program called the oNLine System in 1965-‘68. This program used the first mouse, a windowing system, and hypertext, and was based on a description of a system called “memex” proposed by Vannevar Bush in 1945. The name “mouse” comes from this period. The mouse used in oNLine had three buttons on one end and the line coming out the other end. Apparently, the buttons for eyes and nose, plus a cord for a tail, reminded the users of a mouse and the name stuck.
Years later, still in a time when nobody knew what the future of computers was to be, Xerox put together a team of researchers who did nothing more than put ideas together to see what they produced. The team, located at the Xerox Palo Alto Research Center, was convinced that Englebart’s model would work on computers available for individual work stations, and they produced two working models, the Alto and the Star. The Star was made available to the public, mouse and all, in 1981. But it was very expensive, and they sold only 25 thousand of them. But this was the first GUI-based OS available to the public.
sorry to burst your bubble...
[ link to this | view in thread ]
Computers for Everyone
Gates was in the right place at the right time and had the ability (rich parents) to take advantage of the opportunity. If not Microsoft another company or companies would have provided a solution. And remember, the first IBM PC cost about $1600 in 1981 (about $5000 to $6000 in today's dollars). Hardly an everyman's budget.
Given different circumstances the PC market would be dominated by a much different company that rewrote UNIX or another OS for the PC (instead of buying a version of CP/M ported from the Z80 to the 8080 CPU) and called that operating system IBM-DOS.
Microsoft should be commended for donations to schools, charity works and other contributions to the people of the world. They deserve no credit for creating a PC market or making computers affordable. Free enterprise and democracy did that. Consumers must complain about a company's products in order for them to improve, the best way is to treat companies like politicians and vote with your dollars.
The problem is that MS controls the market and is dictatorial in it's policies. This may be why German government bodies, being more somewhat more aware and sensitive to the ramifications of acquiescing to fascism, have been world leaders in adapting non MS PC solutions (Linux).
[ link to this | view in thread ]
Re: Microsoft Security?
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re:
I mean more like Windows 3.1. It came with notepad and a calculator. Put in a vary basic browser so people can get online and download the full IE or Firefox and then they can download the other programs of their choice. From there, the third party programs aren't a security vulnerability for windows any more.
[ link to this | view in thread ]
While this doesn't prove anything, I found it interesting in some recent hacking tournament between Windows, Linux and OSX; OSX was exploited first and early in the tournament. The Apple fan boys cried.
Whether people want to believe it or not, Windows is relatively secure. I have nothing against OSX, I think they have done a great job overall especially with the UI design and could give MS a serious run for their money if they released the OS on non Apple PC's for general home use where top security is not as important.
- posted using an Ubuntu box
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
BS. MS didn't invent a windowing system. That came out of PARC and Xerox. Unix had windowing systems years before MS. Moron.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
But...
[ link to this | view in thread ]
All an operating system can do is run code that it was told to run, if there is a lot of code out there, then of course there is going to be more malicious code.
All of this talk about "architecture this" and "inherently more secure that" is meaningless, Windows and Unix have, at the core, a very similar and comparable design. Historically, the principle of least privilege has been less ingrained in the community - UAC in Vista has been a wake up call for ISVs and Admins on the Windows platform - but Microsoft has been promoting it for *Years*.
It all comes down to user behaviour and the sheer scope of target audience.
[ link to this | view in thread ]
It's madness
I have a pretty simple solution: switch to a free and open source operating system like Linux or BSD.
[ link to this | view in thread ]
Re: On software without defects
[ link to this | view in thread ]
Security risks are Microsoft's fault? Sorry, but I absolutely disagree.
Yet now these same readers, many are anti-Microsoft, blame the company for its security flaws.
Explain to me how this situation is any different? Websites take care of issues when they're addressed just as Microsoft does.
The problem here is most people don't understand how software works. They don't understand the key links between what you're using and how it relates to the CPU. There are quite a few vulnerability points, some can't be closed due to legacy issues without breaking other software.
Granted, there are times where Microsoft does seem to drag its feet to rectify the situation, but expecting a company to build 100% security proof software is a dream no company will ever attain, but strives to do so.
I find it absolutely appalling you would expect Microsoft to take "option #3" when many of these vulnerabilities weren't the fault of Microsoft at all. Case in point: Last year, over 200 vulnerabilities were found in Windows XP Service Pack 2 upgrades which were discovered using non-Microsoft software! In fact, Mozilla's Firefox coding team found 2 using beta testing.
This is what happens when many processes are attacking a central location (CPU, which processes the data instructions). It's only then when "opportunities" are discovered by those who intentionally (damn, there's that word again!) try to find them.
If the software were to work as expected, there would be no breach. Instead, companies spend millions finding these breaches to alert software vendors to fix them, often times finding they can't without causing product to stop functioning without a complete redesign of the software (or have none of you Vista users figured this out yet?).
Sorry, but this blog message is wrong. It takes a combined effort, not just a sole responsible party. Find solution #4. You owe them that much.
[ link to this | view in thread ]
Fourth option
Of course, now that they've messed up with option #1 and are going to fail with option #2, this fourth option is more of "pull out" rather than "do not enter".
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
So why the heck do you want to look like a fool (unless you are one, in which case the point's moot) and keep rehashing the same tired old crap when you are the one who's unable to back up his comments with factual links?
Here is a link to the original comment (that no doubt RealisticComputer was referring to as well), in case you find it difficult to scroll the page or search for it:
http://www.techdirt.com/article.php?sid=20081119/0056492875&threaded=true#c374
And here's AC's comment that you conveniently ignored, only to raise the same point once again:
http://www.techdirt.com/article.php?sid=20081119/0056492875&threaded=true#c438
Now if you aren't just a Mac Fanboy but actually support the platform based on informed opinion and hard facts, then present the same (instead of ignoring what's in front of your nose 'cos it doesn't dovetail with your flawed view of the universe), or else just shut your trap and allow the adults to have an unemotional and informed conversation.
[ link to this | view in thread ]
Windoze is STILL a multi-threading OS. It is far easier to jump threads than processes.
Windoze is a monolithic kernal architecture and Internet Exploder is an integral part of the OS. If you can comprimise IE, you get the keys to the kingdom.
Windoze security policy implementation is a sad, sad creature. The linux access controls are orders of magnitude more manageable and mature.
Unrelated, but the cherry on top, is the registry. This alone guaruntees degrading performance every time you install something.
When you hear this tired schlock about market share and security, you can be sure the person spewing it:
- Probably doesn't want that MCSE to lose value
- Only understands one OS achitecture, if that
- Might have submitted an 'I'm a Pee-See' video
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]