Security as a Profit Center?
Harry Erwin writes "This article seems to suggest Microsoft is now considering charging for security. I don't mind vendors like Counterpane Internet Security selling security services, but I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start. This proposal would create a two-tier Internet and probably make things worse rather than better. Security is like public health and education--if you think it's expensive, consider the alternative."
Companies are already distrustful of Microsoft; they resent having to pay such high licensing fees for the systems they need to keep their businesses running. Requiring that customers pay additional fees just to keep those systems secure will increase the pressure on cash-strapped (or just financially responsible) companies to make the switch towards alternatives like Linux.
Face it, Microsoft; people resent a monopolist. You can't continue to browbeat your customer base forever, and the more you do, the more will abandon you in the end.
There's a difference between common sense OS security (closing unneeded ports, cutting down buffer overflows, doing intelligent rights/process management) and doing "extra" security that *should* be more $$$ like virus scanners or personal firewall software; things that shouldn't be totally integrated into the installed OS to begin with.
How many OSes really consider "security" as a part of "core functionality"? Only one springs to mind and that is OpenBSD.
Neither Windows, Linux, Mac OS X, nor Solaris states "security" as a "core functionality". Yes, all are securable, but on any OS it needs a certain amount of work (yes, even OpenBSD...you need to apply the patches!) This needs maintenance, and on "homebrew servers" (read: glorified desktops) security is unfortunately just a second thought. I do realise that a well administered server will probably be secured, but that is due to a competent admin, not due to "security as a core functionality".
I don't say that "security out of the box" should not be a worthy goal, I just think that it is a utopian dream.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
It seems to me that if Microsoft didn't have the reputation that they have with regard to security and reliability, the insurance policy wouldn't cost 'em so much. Kinda like auto insurance -- those that prove they can drive responsibly for a period of time pay far less than somebody who crashes 3 times in a week.
No matter what ill will the average /. user bears towards Microsoft, you can't possibly say that they are idiots.
And starting to charge for hotfixes, and obvious security holes in the OS would be an act of complete idiocy.
I have a feeling that whatever security initiatives MS is working on certainly aren't aimed at the average home user. There's no money in it. MS makes its wad off corporate licensing. Where they don't have to worry about retailers, or packages, etc. The home user is an important market to them. But it's not what put Bill on top of the Forbes 400.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
Says the story write-up:
Internet Explorer is a fundamental, inseparable part of the operating system; but security is an add-on product. I love it.
I suspect that inflation has more to do with the issue. Given inflation since 1976 (PDF, sorry. You'll get similar numbers from other sources) cars are now proportionally cheaper. Assuming car prices moved exactly with inflation, your $10,000 car would now run $31,600. Naturally this cost saving is due to other reasons (more efficient manufacturing processes, cheaper foreign labor, newer and cheaper materials). Sure, adding safety features did increase the cost, but not by a huge margin.
Enough customers do want added features, that product revs are inevitable.
And as the codebase moves forwards, eventually older versions of it are going to become sufficiently arcane that nobody continues to understand them, etc. It's just the nature of business, that they can't possibly support all products forever. Not even when it comes to vulnerabilities. I'm sure that you could dig up vulnerabilities in other 5 year old applications, and odds are, most/all of those vendors either aren't supporting the product anymore. Or they simply don't exist anymore at all.
Just ring up IBM, and ask them for bugfixes for SmartSuite 97. Good luck.
It's the nature of the beast, that eventually support WILL die off for old products. That's the case with almost any industry. And the computer industry prides itself in moving further, and faster than any other industry in history. Part of moving fast, is the danger of getting left behind.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
At what point does the consumer stop doing business with a company that admits that everything they sold you in the past is a POS in order to get you to buy yet another upgrade? At what point do corporations decide it might be a bad idea to single source all its software from a company that considers security to be optional?
"Freedom means freedom for everybody" -- Dick Cheney
When people talk about software security, they're putting the cart before the horse. Security is a metaphor for quality. Every time a vulnerability exists, it is because of some sort of an error. This is true almost by definition.
Microsoft's products are not crappy because they are insecure. They are insecure because they are crappy.
If you take the article in question and substitute the word "Quality" for "Security," it becomes a much more truthful statement of what's really going on. Microsoft never cared about quality because they had a monopoly. Their overriding concern has never been quality, it's been in maintenance of their monopoly position. So they've shoehorned in any new feature that has shown any promise of being a technology that they can monopolize down the road or that can commoditize the work of a competitor and thus help drive them out of business.