Slashdot Mirror


Security as a Profit Center?

Harry Erwin writes "This article seems to suggest Microsoft is now considering charging for security. I don't mind vendors like Counterpane Internet Security selling security services, but I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start. This proposal would create a two-tier Internet and probably make things worse rather than better. Security is like public health and education--if you think it's expensive, consider the alternative."

21 of 468 comments

  1. Yea, right..... by FreeLinux · · Score: 5, Interesting

    So, based on your previous security record, Mr. Gates, I gleefully award you this multi-million dollar contract for security services. I already feel safer from all those evil hacker dudez.

    Honestly, what schmuck would pay Microsoft for security??

  2. Well... by Xenographic · · Score: 5, Interesting

    Don't they already charge us (albeit in a different manner) when they give us new EULA terms for security updates?

    This is not unlike the anti-virus companies who charge us for new virus definitions. Except that here, the mistakes they made shouldn't have been in there to begin with.

    Unless they give us *some* kind of extra service beyond the patches, I can only see this developing into a *very* strong reason to use OSS instead of MS whenever security is important to what you're doing (essentially, always).

  3. good by gornar · · Score: 5, Interesting

    I enjoy hearing of the ways that Microsoft proposes to screw their clientele. I'm a Windows user, and will be until another OS, whether it be Mac or Linux etc., starts getting all the first-tier games before Windows. I don't do anything else with my PC, so why switch?
    If Microsoft can manage to alienate the game playing crowd enough, more and more developers will transition to Linux development, and I can switch too. They are, quite charitably, squashing the chicken/egg problem in PC gaming.

  4. Re:"core functionality"? by Anonymous Coward · · Score: 1, Interesting

    I think Linux and the other BSDs have always been more security conscious (and are becoming more so) than other operating systems. However, you're right - OpenBSD seems to be the only one that truly concentrates on it. Aside from maybe that gub'ment Linux distro, but I haven't heard much news about that lately. *shrug*

    And of course, yes, throw in an idiot for an administrator, and you'll have an easily rootable OpenBSD box.

    Security is like life. No matter how safe you think you are, you could walk out of your door and be hit by a bus.

  5. Flippant? by Jack+Auf · · Score: 2, Interesting

    Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently." Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security

    I wouldn't say that was a flippant question. Obvious yes, and valid to be sure. But how is that question supposed to be 'flippant'? Why has it taken 25 years for you to take security seriously? Never mind that you're asking me to *pay* for something that should have been an intrinsic part of the product from the start. Seems like a good question to me.

    Is there something in the Micros~1 corporate culture that breeds contempt for anyone that dares to ask a valid, though perhaps embarrassing, question?

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" - BF

  6. Does charging imply liability? by kindofblue · · Score: 3, Interesting

    It seems to me that if Microsoft can charge for enhanced security, then they are admitting that their non-enhanced versions are partially defective. From a legal standpoint, it sounds like they would be culpable for such security defects in their non-security enhanced versions, because they cannot then claim that such defects are intrinsic to the complexity of their software itself, and they cannot claim that they just didn't know how to fix it.

    On the other hand, if a third-party adds security features, that company can claim that they have found ways to secure Windows, which Microsoft was not able to do.

    I'm not a lawyer, but it seems that charging for security enhancement would be like charging extra for a car with a working airbag, instead of a cheaper model that works maybe 80% of the time.

    How would this compare to a warranty on consumer products? It seems like a warranty is just like insurance, because you get cheaper repairs in case something goes wrong. Is this applicable to software?

    BTW, I'm asking a legal question, not an ethical business question.

  7. so sue 'em by Anonymous Coward · · Score: 3, Interesting

    Does that mean it would be possible to sue M$ if they fail to provide a bought service, i.e. security?

  8. Buffer Overflow by sdjunky · · Score: 5, Interesting

    "Windows runs an arbitrary set of applications, in an arbitrary configuration, with arbitrary devices, said Mundie. 'The operating system is designed to run on machines that are not designed yet.' While Microsoft could demand that it creates the drivers for all hardware, the industry would not accept that. 'Each time we accede to the reality of the industry, we accede to the problem,' he said."

    Yep. All those string buffer overflows are obviously caused by the ram. And those virii that use Outlook automation obviously use the fact that Windows has to account for various pieces of hardware too.

  9. Pricing Security by Orne · · Score: 3, Interesting

    In my humble opinion, the secondary cost of the operating system's security should be inversely proportional to the control granted by said operating system to the external network. What do I mean by this? The more networking gadgets one puts into their operating system, the more they are responsible for the access to said gadgets.

    Security in DOS was practically non-existent, because frankly, you couldn't do much on it. The worst you could do was write data to COM1, and native DOS wouldn't do anything with it. Then came Win2 and they introduced the OLE concept, where a person could control application A through application B. Security req: still marginally zero, because of the single-user environment. Win311 brought us the Network Neighborhood, and now you could control application A over a network to control application B. Because of MS's DLL approach, the operating system now must track login names, and validate IDs, and coordinate data flows. Now we have XP, with automated updates, drivers for everything, protected modes, lots of complexity that MUST be secured by the operating system.

    Brief Analogy: I build you a house, and I install a cardboard front door, then to protect this cardboard door I want to sell you the steel door as a security "upgrade". In a perfect world without crimes, we wouldn't need any doors, but that's not the way things work...

    In short, Microsoft measured their rope, and now they're trying to avoid the gallows. They built an operating system that's practically transparent to the network, then they're horrified that someone other than MS might exploit this transparency. If they aren't willing to protect the public from their own products, then someone needs to inform the public that there are better products in existence...

  10. Re:They're asking for it. by ninthwave · · Score: 3, Interesting

    Well, below is an example of one company ditching Microsoft because the new EULA is too expensive. The support for Windows NT 4 ends in June, I believe. Large IT companies will have to upgrade. When you have 24k plus machines, as in the company I work for, and invest time in building images and internal support but have to balance that over equipment upgrades, security patches and in-house development, the Microsoft support option is nice to get extended technical data and review. When the support goes you have to move to the new product or an alternative product.

    We have some products that are out of support that are non-Microsoft, and getting the skill set in employment to support them gets harder as time goes on, especially on in-house development packages. NT4 to Windows 2000 and XP is a big deal because of the EULA and the fact that NT4 is working. Also, when the support goes so usually do the patches, which would be fatal with the current virus outbreaks. I don't think these considerations for companies to upgrade are en vogue or hip; it is crucial to either update or, as in the below example, move on.

    Here is an example:
    http://www.managementconsultancy.co.uk/News/1130815

    There are more but this is 30k machines on order because of the end of support on NT4.

    --
    I was thinking of the immortal words of Socrates, who said: "I drank what?" - Chris Knight (Val Kilmer) - Real Genius

  11. Major conflict of interest by clemfoley · · Score: 2, Interesting

    Microsoft is at a conflict of interest and as an end-user, I am not impressed.

    We all know how secure MS products are. By having MS consult in areas of security, there would be no motivation for MS to make their products more secure. Also, what stops MS from deliberately leaving holes in its software to have its security consultants patch them up later?

    --
    Instant Karma's gonna get you - John Lennon

  12. If they don't disclaim liability, this is fine by mike449 · · Score: 2, Interesting

    Companies would gladly pay big bucks for secure products, if the promise of security is backed by liability or some kind of warranty. If the EULA stays the same, MS will not provide an extra piece of peace of mind, and nobody will pay more money for "maybe more secure" software.

  13. Re:Maybe they should be held liable? by jedidiah · · Score: 5, Interesting

    Perhaps we really should view Mundie's excuses as the perfect argument why Microsoft software is simply inappropriate in some places. Mundie's comments are simply crass and insulting. Why should Microsoft be guaranteed profitability in a certain market niche? Why should we just forgo products liability just because it might not make a particular company competitive anymore?

    Liability concerns have forced far more worthy companies out of this particular market (aircraft subcontractors). Why should Microsoft expect special treatment?

    --
    A Pirate and a Puritan look the same on a balance sheet.

  14. Re:5 years, is not a short life span at all by Anonymous Coward · · Score: 1, Interesting

    I think the real issue for a lot of people is everything MS has released since 1998 has been hideous, and they don't *want* to upgrade. That's why there is such a fuss over being forced to upgrade.

    At least that's the general opinion of quite a few people here.

  15. Lots of OSs were B-rated by NCSC by billstewart · · Score: 4, Interesting

    • AT&T System V/MLS was B1-rated
    • Sun did several secure Unix variants, including Compartmented Mode Workstation, which met requirements from a slightly different set of DoD bureaucrats, and was roughly B1.5.
    • There were probably some others.
    • Boeing and some Honeywell stuff had A-rated special-purpose network gateway machines

    --
    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks

  16. Call a spade a spade... by cornice · · Score: 3, Interesting

    Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently." Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security, and it is only in the last ten years that Microsoft has attempted to play in the security-requiring worlds of banking, payroll and networked systems.

    The reality is that M$ sold products that were expected to perform to a base level in terms of quality and security. Because users can't look under the hood, so to speak, the quality and security issues didn't emerge until it was too late. Now the customer is screaming for relief and MS is there with its hand out.

    Also, does it sound like the lines between security and DRM are being intentionally blurred here?

  17. Before everyone flips out by mindstrm · · Score: 3, Interesting

    First.. they said they were not ready to approach trusted computing until people were ready to pay for it.

    Well, does that not make sense? There is no business sense in spending the money to develop something if people are not willing to pay for it.

    Trusted computing is not about security.. it's about accountability. It's about being able to have a proper audit trail for who did what when, no matter what. Your data can still be stolen, you just know who did it.

    Microsoft is not talking about charging for security patches or updates. They are talking about complete trusted systems, something they don't have yet (though NT goes further in this regard than Linux does, by quite a bit. Notice how if a user changes the permissions on a file so Administrator can't read it, then Administrator can't read it until he a) takes ownership of it and b) changes the permissions. Admin still has the power to read anything, but not without leaving a mark that they did it.)

    They are talking about having secure offerings for trusted computing.

  18. An Interesting Conjecture by Rambo · · Score: 3, Interesting

    I've heard the argument that open source companies rely on the difficulty in using or installing their products (i.e. sendmail). However, now that MS is pondering charging for security, doesn't that suggest the argument that they are charging for what they can most easily make money on? Having many issues with security could become a strong business model and effectively force people to pay for the fixes as the "default" patch level that the OS ships with becomes correspondingly decrepit and bug-ridden.

  19. Remember this? by DopeRider · · Score: 2, Interesting

    Nice old article but exaggerated. Microsoft doesn't want to ruin TCP/IP; it just wants to make money making it "trustworthy".

  20. Re:Sorry, but I disagree.. by Anonvmous+Coward · · Score: 3, Interesting

    Heh nice Red Dwarf quote.

    "Why is it always assumed that security must come at the expense of usability."

    Why? Because the greater the number of features, the greater the likelihood of mischief. Remember Melissa? I'll use a non-computery example: universal remotes. Now you can buy a remote that'll operate nearly any TV. Result? I'm wearing a watch right now with a built-in universal remote. I've been quite obnoxious at places like Applebee's because their TVs don't have an authentication system with regard to their remote control. If they were to implement one, then their TVs would only work with the permitted remotes, which would become a rather huge hassle if the remote needed to be replaced.

    Not the strongest example, but hopefully you get my idea. Buffer overruns can be predictably fixed; unexpected mischievous results from added features cannot.

    "As for the comment that MS excels at things it thinks it can make money from: WinME anyone???"

    My mistake. As your 1 (one) example clearly shows (I'll just have to take your word for it that MS didn't make money on it, heh.), I am 100% completely wrong. Microsoft has never ever made money on anything it has ever been interested in. I'll have to agree with you there!

  21. Re:5 years, is not a short life span at all by plague3106 · · Score: 2, Interesting

    Enough customers do want added features, that product revs are inevitable.

    Um, actually everyone I know that works with MS Office complains that it a) doesn't do what they want (not that it can't, just that it makes simple things difficult) and b) they don't use 80% of the 'features.' They therefore conclude that it's bloated. Which it is.

    Did anyone really want a word processor to be able to produce HTML? There are many features in Word that are not needed, and many more that are more complex than need be. The latter is usually caused by Word assuming it can read your mind..