Slashdot Mirror


Security as a Profit Center?

Harry Erwin writes "This article seems to suggest Microsoft is now considering charging for security. I don't mind vendors like Counterpane Internet Security selling security services, but I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start. This proposal would create a two-tier Internet and probably make things worse rather than better. Security is like public health and education--if you think it's expensive, consider the alternative."

182 of 468 comments

  1. What next? by NWT · · Score: 2, Funny

    Do we have to pay for stability next? Uh-Uh!

    --
    Life sucks.
    1. Re:What next? by pizza_milkshake · · Score: 5, Funny

      Next they'll start charging per-mouseclick, so go ahead now and enable the "View as Webpage" setting in Windows Explorer so you can make do with a single-click.

    2. Re:What next? by Reziac · · Score: 2

      Nah, just charge per character written to the screen. Or better yet, for each pixel rewrite, so higher-res customers automagically pay more. And that way the user need not experience the tedium of counting mouse clicks.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  2. I don't understand... by Punk Walrus · · Score: 5, Funny

    Haven't we ALL already paid for Microsoft security? Trojans, worms, and virii have cost my company a hell of a lot.

    1. Re:I don't understand... by the_machine · · Score: 3, Funny
      Haven't we ALL already paid for Microsoft security? Trojans, worms, and virii have cost my company a hell of a lot.


      Yes, but Microsoft didn't get any share of that.

    2. Re:I don't understand... by CheechBG · · Score: 4, Insightful

      Sure they did. By touting every new OS as "more secure and reliable, a new era in trustworthy computing", they are getting a couple thousand of poor schmucks to cough up some major cash to upgrade to an OS that they would have not otherwise needed, to try and get rid of all the "lockups" or "l33t h4x0rs" that are invading.

    3. Re:I don't understand... by bluephone · · Score: 2
      Yes, it's cost the country millions in repairing, so MS has decided that they may as well be the ones to collect money from their screwups. And the claim about insurance is a diversionary tactic. They could still make the product more secure without accepting insane liability. Cap unchecked buffers by default, install only the network components needed, and don't allow them to be remotely exploited by bad design, and for features like the Remote Help Center, at least allow the user to select the security level at run time, so that at least they'll be WARNED about those exploitative URLs and have a chance to CANCEL the action. By putting off the topic to insurance, they avoid having to admit that they could make the product secure without accepting massive liabilities for failure. OSS projects like Linux or Mozilla don't accept liability for the products' security failures, yet they usually go out of their way to make it secure by default, and fix holes fast, without insurance.

      And what disturbs me about the story submitter is he says, "Security is like public health and education--if you think it's expensive, consider the alternative." That's much more a defense of charging for security than it is a defense of security by default. "Hey, if you think spending $500 for a secure OS that used to be $100 but insecure, imagine what you'll spend if you are subject to a massive failure from insecurity." That's bad thinking and flawed logic.

      --
      jX [ Make everything as simple as possible, but no simpler. - Einstein ]
    4. Re:I don't understand... by rseuhs · · Score: 2
      Just say in any forum at any time that you run [insert not latest MS OS here] and you have security problems.

      Hundreds of Microsoft supporters will insult you and order you to immediately upgrade to [insert newest MS OS here].

    5. Re:I don't understand... by mpe · · Score: 2

      Haven't we ALL already paid for Microsoft security? Trojans, worms, and virii have cost my company a hell of a lot.

      But you haven't paid this money to Microsoft. Remember that their business model appears to require not stable profits, not increasing profits, but profits which increase at an ever increasing rate. At least up until the inevitable crash.

  3. Then the Ford dealer asks by giminy · · Score: 5, Funny

    Oh, you want the tires that don't explode? They cost extra...

    --
    The Right Reverend K. Reid Wightman,
    1. Re:Then the Ford dealer asks by Rocketboy · · Score: 2, Insightful

      No, this is why a new car today costs (on average) about $22,000 (US) whereas when I started driving in 1976 the average was closer to US$10,000. Cars are much better today: more reliable, safer for passengers, better on the environment, etc. That did not come for free: consumers said what they wanted and they got it but someone has to pay the bill.
      Again, back in 1976 I was working on minicomputers. Very reliable, very secure, very expensive. Now I work on PCs and related servers: kinda reliable, not very secure, quite cheap. The market spoke and vendors listened. You want a PC with the reliability of a mini and real security but you won't pay US$20,000 for it. Don't feel bad, most people would rather have their own PC, warts and all, than go back to the bad old days of having to beg for timesharing on a big, expensive, secure beast and having to explain to the high priest himself that arrays and pointers are, in fact, recognized computing practices so please can I run my program now...

    2. Re:Then the Ford dealer asks by dattaway · · Score: 2

      That new handgun you purchased is a fine one; however, we are going to have to charge extra for the safety mechanism.

    3. Re:Then the Ford dealer asks by CyberKnet · · Score: 5, Funny

      Silly me.

      *smacks himself*

      And here was I, thinking that inflation was the cause!

      --
      Video meliora proboque deteriora sequor - Ovidius
    4. Re:Then the Ford dealer asks by sharkey · · Score: 4, Insightful

      That new handgun you purchased is a fine one; however, we are going to have to charge extra for the safety mechanism.

      No need. I already have a fully-functional brain.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    5. Re:Then the Ford dealer asks by ChaosDiscord · · Score: 5, Insightful
      No, this is why a new car today costs (on average) about $22,000 (US) whereas when I started driving in 1976 the average was closer to US$10,000.

      I suspect that inflation has more to do with the issue. Given inflation since 1976 (PDF, sorry. You'll get similar numbers from other sources) cars are now proportionally cheaper. Assuming car prices moved exactly with inflation, your $10,000 car would now run $31,600. Naturally this cost saving is due to other reasons (more efficient manufacturing processes, cheaper foreign labor, newer and cheaper materials). Sure, adding safety features did increase the cost, but not by a huge margin.

    6. Re:Then the Ford dealer asks by rodgerd · · Score: 2

      However, you'll also need to factor in average income as well. Don't know about the States, but in Australasian surveys, cars are more expensive in terms of the number of weeks the average person is required to work in order to afford one than they were 25 years ago.

      Of course, they're vastly superior, and it's hard to compare like with like (I doubt most mid-70s model cars could even get on the road today, which brings us back to the poster's point).

    7. Re:Then the Ford dealer asks by karlm · · Score: 2
      Cars are much better today: more reliable, safer for passengers, better on the environment, etc. That did not come for free: consumers said what they wanted and they got it but someone has to pay the bill.

      Check inflation. I think automobile costs, as a percentage of the cost of living index and/or the average household income, have remained fairly stable for a few decades. I could be wrong, but the magic of compound interest does a lot over 26 years. A geometric average of 3% annual inflation will double costs after 24 years. (e^0.72 =~ 2) The consumer price index is currently showing about 2.3% seasonally-adjusted annual growth, but inflation is pretty well in check. We've had a few bouts of bad inflation since 76. I think 1.8x-2.2x inflation since 1976 isn't unreasonable. The market sets the prices of cars and technology allows more features for the price over time.

      The nature of technological advances is to do things more efficiently. Over time in many areas, we can do the same thing for much less money (after adjusting for inflation). Someone has to pay the costs, but they are one-time costs of technological advancement that get distributed over many years of product sales. In this case, you do practically get something for nothing. If you think security has gotten worse, you were either running MULTICS, or you're currently running the wrong OS/software packages on your commodity hardware. (Debian and SELinux are good choices on the Linux side. OpenBSD 3.2 is coming out soon, wink, wink, nudge, nudge, say no more.) Oh, and if you need reliability, use RAID and have a backup server. Your cost for a given level of performance/security/reliability has absolutely plummeted, especially in the performance realm.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    8. Re:Then the Ford dealer asks by ArsonSmith · · Score: 2

      Plus in 1970 it was considered nearly unheard of to get 100k+ miles on a car. Now we are getting 200-300k miles on some of the newer ones. My 1995 Jeep has over 110k miles on it, and not easy ones either; I have done a lot of off-road driving. It still runs great. I have had few problems with it. My 1972 Ford Maverick didn't make it to 60k miles.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    9. Re:Then the Ford dealer asks by Blkdeath · · Score: 2
      I see this as alternative versions of the OS that's hardened more than the typical user might want.
      Firstly, Microsoft products are renowned to be insecure. Outlook's irresponsible display/handling of attachments single-handedly cost the North American economy something to the tune of $6 billion in a single year (Melissa). It continues to cost consumers money, time and time again. Outlook's new default attachment 'protection' policy is almost all-or-none, therefore either you get all attachments enabled, or you have so many disabled that it becomes crippling for home and business users alike.

      MS's products are designed from the ground-up to be used and administered by mindless drones. From the sounds of the article, it sounds to me like they've decided to start charging a subscription fee for security updates, or start charging all users a premium per license for security concerns.

      The Gartner group has already stated that in their professional opinion, IIS should be re-written from the ground-up.

      I think it's about time that people woke up to the fact that Microsoft does not care about them or their companies, and that in the long run Microsoft products are actually MORE expensive.

      Think about it - combine the MCSE salaries with the cost of licensing per server per seat with the cost of virus scanning software with the annual subscription costs of virus updates with the cost of large-scale re-installations when a new trojan/worm/virus inevitably finds its way past the detection systems with the cost of server and workstation downtime - then compare that to the cost of installing and administering a proper UNIX network.

      This is completely timely on Microsoft's part of course. Now that they have everyone so completely hooked on their products, and CIOs bowing at the feet of the company, they can convince them that they're somehow getting something more special than everyone else because of the premium they're paying for it.

      Everybody - make it your mission to train your company CIO. Show them hard facts and figures as to what Microsoft will cost them - demonstrate how their precious bottom line will be affected by the insecure, unstable nature of Microsoft products. The bottom line is all they understand, so give it to them.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    10. Re:Then the Ford dealer asks by Louis_Wu · · Score: 2
      Or maybe:
      No need, I already have a fully-functional Glock.
      Safeties? We don't need no stinkin' safeties.
    11. Re:Then the Ford dealer asks by jcr · · Score: 3, Insightful

      Again, back in 1976 I was working on minicomputers. Very reliable, very secure, very expensive.

      Umm, NO.

      They only seemed very reliable and very secure because they weren't exposed to a hostile network.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    12. Re:Then the Ford dealer asks by jcr · · Score: 2

      The Gartner group has already stated that in their professional opinion, IIS should be re-written from the ground-up.

      .. by people who actually know something about data security, please..

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    13. Re:Then the Ford dealer asks by Blkdeath · · Score: 2
      by people who actually know something about data security, please..
      The significance was a Microsoft Choir Member coming to the realization that they've been horribly wrong the whole time about IIS.
      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    14. Re:Then the Ford dealer asks by Pig Hogger · · Score: 2
      No, this is why a new car today costs (on average) about $22,000 (US) whereas when I started driving in 1976 the average was closer to US$10,000.
      Automobiles (and everything that gravitates around it) are the only consumer goods whose price has increased FASTER than inflation during the last 30 years.
    15. Re:Then the Ford dealer asks by Citizen of Earth · · Score: 2

      Given inflation since 1976 [orst.edu] (PDF, sorry. You'll get similar numbers from other sources [google.com]) cars are now proportionally cheaper. Assuming car prices moved exactly with inflation, your $10,000 car would now run $31,600.

      You're also getting a lot more 'car' today than you did with your $10K in 1976. (No, I'm not talking about gross tonnage.)

    16. Re:Then the Ford dealer asks by wadetemp · · Score: 2

      Hell, most SUVs don't ever see anything but pavement (well, maybe a gravel parking lot once in a while, but that's it). Note that I'm generalizing. ...
      You're roughly in the same position as I am in my Boxster...

      Hell, most Boxsters never see roads where they can be driven 100mph (well, maybe a straightaway just before a blind corner once in a while, but that's it.) Note that I'm also generalizing.

      Safety is what you make it. There are plenty of non-SUV cars that wouldn't fit under the dangerous area of a SUV's bumper. No one forced you to get the car you got; you chose it and assumed the risk and responsibility on your own.

    17. Re:Then the Ford dealer asks by DunbarTheInept · · Score: 2

      In places with real winter weather, you don't need to go "off road" to find ground clearance useful. You just have to wait until it snows.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    18. Re:Then the Ford dealer asks by Osty · · Score: 2

      Hell, most Boxsters never see roads where they can be driven 100mph (well, maybe a straightaway just before a blind corner once in a while, but that's it.) Note that I'm also generalizing.

      Sure, but I've taken mine to the track, and plan on doing that more often. However, owning a Boxster and driving it as a daily driver does not make me any more dangerous to other vehicles (please don't make the "speed kills" argument here -- I'm not talking about speeding, and even if I were, many SUVs where I'm at drive much faster than I do; I'm not treating my daily commute as though it were an F1 race ...). Owning an SUV and driving it as a daily driver does make the SUV owner more dangerous to other drivers (... unless all the other drivers are in SUVs. I'm not buying that argument). If I never tracked my Boxster, then the only person who's lost anything is me (the enjoyment from really driving the car). If you've never off-roaded your SUV, then you've wasted your money on a vehicle that's dangerous to other drivers on a normal road and has no more utility than a van.


      Then again, the thrill of a Boxster (or an MR2, for that matter) is not flat-out speed. These aren't dragsters. For the real fun, you need twisties, and there are quite a few of them around here if you know where to look (aside from any racetracks).


      Safety is what you make it. There are plenty of non-SUV cars that wouldn't fit under the dangerous area of a SUV's bumper. No one forced you to get the car you got; you chose it and assumed the risk and responsibility on your own.

      Correct. I'm not lobbying for SUV bumpers to be lowered, or any other extra safety restrictions put in place. I'm just making the point that SUVs are still dangerous, even if most other cars are safer today than they were 20 years ago. (Oh, yeah, and it doesn't help that many SUV drivers are idiots, driving their vehicles with no regard for drivers around them, going at speeds their vehicle was never designed to handle, without ever once looking up from the morning paper.) Yeah, it'd be nice to look out of my window and see a door or window or person's face rather than the SUV's suspension next to me, but I deal with it -- by making sure I can predict what the idiots are going to do before they do it, and making sure I'm not where they'll be doing whatever they're going to do.

    19. Re:Then the Ford dealer asks by Osty · · Score: 3, Insightful

      In places with real winter weather, you don't need to go "off road" to find ground clearance useful. You just have to wait until it snows.

      Seattle doesn't have "real winter weather", yet every fourth car here is an SUV. Odd.


      I grew up in central Illinois, where we did have some bad winters. Somehow, my family always survived with just a normal sedan. Sure, my dad had big pickup trucks (hey, he's a farmer, they're actually used as workhorses like they were designed), but only in the very worst of winters did we ever need to break one of them out instead of the car. So while I'll give credence to the argument that an SUV is nice to have where weather is bad, I will disagree that it's a necessity as some people will try to tell you. (If so, why would they continue to drive the SUV in nice weather? And that says nothing about the 2-wheel drive SUVs ...)

    20. Re:Then the Ford dealer asks by twitter · · Score: 4, Insightful
      Assuming car prices moved exactly with inflation, your $10,000 car would now run $31,600.

      Ahh, but if you started working in 1976 for $20,000/year you would now be earning $60,000 or your raises did not keep up with inflation. Starting salaries are not generally $60,000 so car prices now cost more relative to real earning power. Oh dear, the golden calf costs way too much.

      As for M$, if their software had kept up with hardware developments it would have four virtual desktops, be able to support four concurrent users on four different machines, be able to play and edit movies with ease and do other neat tricks right out of the box. Instead, the capabilities right out of the box are about the same as Win3.1, but it does not last as long. Oh dear, the M$ tax has grown but the software has failed to keep up with what's available that's free.

      --

      Friends don't help friends install M$ junk.

    21. Re:Then the Ford dealer asks by sharkey · · Score: 2

      Safeties? We don't need no stinkin' safeties.

      A Glock is just as safe as any other gun I have owned and/or carried, be it a Colt, Kimber, Star, etc. The only truly effective safety is the person holding the gun.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    22. Re:Then the Ford dealer asks by Louis_Wu · · Score: 2

      Pretty much my point. But I made a pathetic attempt at humor. :)

    23. Re:Then the Ford dealer asks by rodgerd · · Score: 2

      Uh, which model Toyota are you comparing. I'm pretty sure if you got a comparable Toyota - like a Supra or Soarer - you could hit 145 mph quite easily. If you've picked up a Corolla, well, it ain't designed to do that.

    24. Re:Then the Ford dealer asks by AftanGustur · · Score: 2


      They only seemed very reliable and very secure because they weren't exposed to a hostile network.

      Duh ?, Different environments => Different requirements for the same level of security.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    25. Re:Then the Ford dealer asks by mpe · · Score: 2

      No, this is why a new car today costs (on average) about $22,000 (US) whereas when I started driving in 1976 the average was closer to US$10,000. Cars are much better today: more reliable, safer for passengers, better on the environment, etc. That did not come for free: consumers said what they wanted and they got it but someone has to pay the bill.

      How much do the prices compare once you adjust for inflation? Does the average widget cost 2.2 times what it did 26 years ago?

    26. Re:Then the Ford dealer asks by sharkey · · Score: 2

      But I made a pathetic attempt at humor. :)

      Welcome aboard.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    27. Re:Then the Ford dealer asks by gorilla · · Score: 2

      I don't believe starting salaries were $20,000/year in $60,000 either. According to this link average starting salaries for lawyers were $18,000 in 1977. I think it's safe to assume that lawyers have higher than average starting salaries.

    28. Re:Then the Ford dealer asks by Reziac · · Score: 2

      [laughing] Seattle has sleet. This explains all the 4WDs. :) But as you point out, and as nicely parallels the software situation, it's not so much WHAT you drive as HOW you drive (that is, how good you are at it and whether you apply appropriate tools for whatever you're driving).

      I grew up mostly in Montana, where winters make Illinois look like the tropics. My first vehicle was a 1963 Olds F-85, a "sporty small sedan". It could go anywhere a 4WD could go (except deep mud), and some places they couldn't (like right over the top of deep snow), and it could stop on a dime on glare ice. The trick was knowing how to handle it and what it could or couldn't do (and having studded snow tyres on all four wheels, but it never needed chains).

      My next vehicle was a '78 Ford halfton 2WD pickup. Not very good in deep snow.. unless I put chains on. Then I'd go ripping right out of our snow-clogged road, while my next-door neighbour spent part of each morning being stuck with his 4WD.

      Call studded snow tyres and tyre chains the equivalent of security patches for various OSs, and using the right tool for the job and for the OS at hand.

      BTW, I'm still driving the same Ford pickup. There is something to be said for durability in both vehicles and software. :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    29. Re:Then the Ford dealer asks by jedrek · · Score: 2

      Right now WinXP supports virtual desktops (well, with a M$ Power Toy) and movie editing right out of the box. It can also support 4 users on four machines (1 at each machine) so... what are you complaining about?

    30. Re:Then the Ford dealer asks by jedrek · · Score: 2

      I always thought that inflation is the rise in the consumer price index. How about quoting a source for your statement?

    31. Re:Then the Ford dealer asks by Pig Hogger · · Score: 2

      It's a study done by some french institute back around 1995.

    32. Re:Then the Ford dealer asks by sharkey · · Score: 2

      1) Have a kid rummaging through the drawer you thought was secret

      I do not keep any of my guns in a drawer, "secret" or otherwise. They are not kept "secret", but are stored in a location known to my family.

      2) Drop the weapon for any reason

      If you drop a firearm that is "ready-to-fire", it will likely discharge. "Ready-to-fire" is the state where the safety (if it exists, revolvers, for example) is off, the chamber is loaded and the action is a trigger-pull from firing.

      3) Get handed the weapon by a friend who (arguably rightfully) expects a safety mechanism

      If a friend has a gun, and is handing it to me, said friend will not be expecting a mechanical safety, as he would have been apprised that there is no such safety. Also, "there is no such thing as an unloaded gun". Unless you can see that the chamber is empty, you should behave as if the gun is in "ready-to-fire" condition.

      4) have any other unexpected situation

      The very most important reason for having a gun. Thank you for pointing that out.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    33. Re:Then the Ford dealer asks by DunbarTheInept · · Score: 2

      Seattle doesn't have "real winter weather", yet every fourth car here is an SUV. Odd.

      Somehow you thought I was talking about Seattle. Odd.

      I will disagree that it's a necessity as some people will try to tell you. (If so, why would they continue to drive the SUV in nice weather?

      Because owning two cars is more expensive than one, duh.
      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    34. Re:Then the Ford dealer asks by twitter · · Score: 2
      It can also support 4 users on four machines (1 at each machine) so... what are you complaining about?

      Oh really? So I can take one copy of Word and have everyone in my family run it concurrently on a powerful machine using three or four less powerful machines as terminals? I don't think so. Indeed, WinXPlode won't run on the kind of hardware most people have available.

      I'm complaining about greed and intentional waste. M$ has been promoting the use of "Dual Headed" computers over virtual desktops. They have made their software so bloated it won't run on the average Pentium class machine and make it so it breaks every two years so you can get even more abused later. These are policies that waste money, feed landfills and hurt the IT industry. The average computer user will no longer buy "third party" software and is loath to buy hardware thanks to M$'s insistence on low quality. Money flowing into M$ coffers, $250/year/US-citizen, would better be spent on building communications infrastructure, software that actually serves a purpose and hardware that fills real needs.

      I don't worry much because people will discover free software and the waste will end.

      --

      Friends don't help friends install M$ junk.

    35. Re:Then the Ford dealer asks by jcr · · Score: 2

      No, an unlocked door is not secure just because nobody's tried opening it yet.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    36. Re:Then the Ford dealer asks by rodgerd · · Score: 2

      I was referring to an Australasian study that appeared in a dead tree magazine. If you'd bothered to read my post, you'd see I wasn't claiming anything about the States.

      If you read the fucking post, your comments would be unnecessary. And that's why there's so much rubbish in threads. Get a clue. Or a reading primer.

  4. Microsoft selling security? by Ruis · · Score: 5, Funny

    Sounds like vaporware to me.

  5. Yea, right..... by FreeLinux · · Score: 5, Interesting

    So, based on your previous security record, Mr. Gates, I gleefully award you this multi-million dollar contract for security services. I already feel safer from all those evil hacker dudez.

    Honestly, what schmuck would pay Microsoft for security??

    1. Re:Yea, right..... by FCAdcock · · Score: 2, Insightful

      You'd be surprised. Millions of people already pay him for servers, shouldn't they include security? My guess is millions of those same people will pay him for "security".

      --
      --Forest C. Adcock--
    2. Re:Yea, right..... by Scott Baio · · Score: 2, Funny
      Sheesh. (Score -1, Unexamined Bias)

      In case you haven't noticed, a good many people pay Microsoft for lots of things. Despite what you'd like to believe, this is not due to extortion. Many people actually choose to do business with Microsoft.

      But what you said reminds me a lot of an episode of Charles in Charge, where Buddy and I were in the pizza parlor when some shady looking guys showed up to ask for "protection money" from the owner. We thought for sure it was mobsters, and we couldn't figure out why the owner was paying them. After arguing with the owner about doing the right thing (and the argument was filled with misunderstandings and double entendres: "If you give them money for protection, they'll just come back again for more!" "I'd rather pay him now than have my roof cave in!"), Buddy and I went to the police about it, and the police ended up busting the termite exterminator!

      It really makes me wish I was still working.

    3. Re:Yea, right..... by nullard · · Score: 3, Insightful

      Many people actually choose to do business with Microsoft.

      Except for the clued-in few, most people consider doing business with Microsoft about as optional as obeying the law of gravity. That's the funny thing about monopolies.

      --


      t'nera semordnilap
    4. Re:Yea, right..... by mjh · · Score: 2
      Honestly, what schmuck would pay Microsoft for security??

      The hordes of schmucks that are so heavily invested into MS products so deeply that paying to divest themselves would be more expensive than paying for security services from Microsoft.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  6. Go for it Microsoft! by robkill · · Score: 3, Offtopic

    Charge for (in)security! Raise the TCO! Push even more people to other platforms!

    --
    DMCA - Chilling free speech since 1998.
  7. Well... by Xenographic · · Score: 5, Interesting

    Don't they already charge us (albeit in a different manner) when they give us new EULA terms for security updates?

    This is not unlike the anti-virus companies who charge us for new virus definitions. Except that here, the mistakes they made shouldn't have been in there to begin with.

    Unless they give us *some* kind of extra service beyond the patches, I can only see this developing into a *very* strong reason to use OSS instead of MS whenever security is important to what you're doing (essentially, always).

  8. They're asking for it. by mesozoic · · Score: 5, Insightful

    Companies are already distrustful of Microsoft; they resent having to pay such high licensing fees for the systems they need to keep their businesses running. Requiring that customers pay additional fees just to keep those systems secure will increase the pressure on cash-strapped (or just financially responsible) companies to make the switch towards alternatives like Linux.

    Face it, Microsoft; people resent a monopolist. You can't continue to browbeat your customer base forever, and the more you do, the more will abandon you in the end.

    1. Re:They're asking for it. by ninthwave · · Score: 3, Interesting

      Well, below is an example of one company ditching Microsoft because the new EULA is too expensive. The support for Windows NT 4 ends in June, I believe. Large IT companies will have to upgrade. When you have 24k plus machines, as in the company I work for, and invest time in build images and internal support but have to balance that over equipment upgrades, security patches and in-house development, the Microsoft support option is nice to get extended technical data and review. When the support goes you have to move to the new product or an alternative product.

      We have some products that are out of support that are non-Microsoft, and getting the skill set in employment to support them gets harder as time goes on, especially on in-house development packages. NT4 to Windows 2000 and XP is a big deal because of the EULA and the fact that NT4 is working. Also, when the support goes so usually do the patches, which would be fatal with the current virus outbreaks. I don't think these considerations for companies to upgrade are en vogue or hip; it is crucial to either update or, as in the below example, move on.

      Here is an example:
      http://www.managementconsultancy.co.uk/News/1130815

      There are more but this is 30k machines on order because of the end of support on NT4.

      --
      I was thinking of the immortal words of Socrates, who said: "I drank what?" - Chris Knight (Val Kilmer)- Real Genius
    2. Re:They're asking for it. by Wyatt+Earp · · Score: 2, Insightful

      Had to upgrade?

      Anyone that wants to use USB with Windows NT. It was coming with SP 6, then it was dropped because Windows 2000 was coming.

      Energy Management was coming with NT 4, then it was dropped and put in Windows 2000.

      Another big migrator is 3rd party software. Say HR is tied into some package and then the vendor says "Oh, those problems that have been making your life hell...those are fixed in the new upgrade that will only work with Windows 2000."

      A lot of things once were on the to-do list for NT4 and Service Packs that got moved to Win 2000, and thus people had to upgrade.

      And don't forget the OEMs that Microsoft forced to bundle the OS of the week. My workplace wanted to standardize on Win2000 for laptops but MS forced the OEMs to WinXP, and some of the laptops get really bothersome when Win2000 is placed on them.

    3. Re:They're asking for it. by rodgerd · · Score: 3, Informative

      NT 4 and Office 97 are no longer officially supported, and Microsoft no longer recognise qualifications for such. You can no longer purchase them, and you'll have a hard time finding replacement hardware that has drivers (indeed, it's already getting hard to run Win2K on some new lines of laptops).

      Once you've upgraded some systems in the office to the next most recent systems because you can't buy NT4, then put on a newer version of Office with incompatible file formats, you'll find it too hard to leave everyone else behind.

      Too many people pontificate on the topic of leaving the old stuff in place without having a fucking clue what the real world implications of this are.

  9. Sounds like consulting by pete-classic · · Score: 4, Insightful

    which is perfectly legitimate.

    But the idea that Microsoft can parlay their useless reputation in security into profit is laughable.

    -Peter

  10. It has worse implications... by Lumpy · · Score: 2

    If they are talking about charging for any of the security updates or patches to make things secure against attacks on specific flaws, then yes, it's horrible and will create a gigantic mess.

    More than likely they are talking about custom security systems or services, as in a service to offer to customers and clients.

    It's like Red Hat charging for the RH update... they will shoot themselves in the foot if they charge for updates... in order for your OS to be perceived as secure and safe to use you HAVE to give away free fixes, patches and security updates... and make them as easy as possible to install, if not automatic.

    --
    Do not look at laser with remaining good eye.
  11. A lot of nerve by cenonce · · Score: 3, Insightful

    MS has a lot of nerve charging for security when they already charge an arm and a leg for their OS and it is an unsecure piece of garbage! Beyond that it takes them six months to get a security update released, if they even acknowledge the "security hole" as an actual issue!

    Why the heck should I pay extra for MS "security"!?!

    What a joke!!!

    -A
    1. Re:A lot of nerve by Dr+Caleb · · Score: 2
      Why the heck should I pay extra for MS "security"!?!

      Microsoft goon: {*cracks knuckles*} "So's you don't have no 'accidents'. We like to tink of in as 'insurance' yas know"

      /humour

      To Spalling and Grammer Nazis: Speling errorz are on porpoise.

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
  12. All joking aside by Telastyn · · Score: 5, Insightful

    There's a difference between common sense OS security (closing unneeded ports, cutting down buffer overflows, doing intelligent rights/process management) and doing "extra" security that *should* be more $$$ like virus scanners or personal firewall software; things that shouldn't be totally integrated into the installed OS to begin with.

    1. Re:All joking aside by Telastyn · · Score: 2

      Okay. Now let's look at this with a realistic view. If Microsoft includes said security software on the CD it will be installed by default. Why? Because if it isn't then they get bad PR for not making it default. Will they make the AV or other security software nice and modular? No. All historical evidence shows they won't. Is that choice? Not at all. Is it "wrong-headed"? Certainly, but unfortunately it is the smart thing to do if you're trying to sell software to common people or companies.

      Do power users want tons of options to pick and choose software packages from multiple vendors? Hell yeah, that'd be fucking wonderful, but it won't happen. There's no reason Microsoft (or even Apple) would ever do or allow that.

      I specifically mention those software pieces as things that would be logical extensions by the company into markets where they could make money. The article doesn't say a damned thing except a small portion about insurance for what can only be guessed to be contractual guarantees that the reporter almost certainly knows nothing about.

    2. Re:All joking aside by inode_buddha · · Score: 3, Insightful

      Ignoring all the other follow-up comments, I do believe this to be insightful. My main observation drawn from experience contradicts the concept of "common sense OS security", unfortunately. The reason is simple: in the day-to-day personal and business world (U.S.) there is almost zero technical literacy among the rank-and-file. This is in sharp contrast to IT workers, if your employer is large enough to require them.

      The problem seems to be as much cultural as it is technical. It seems that the business demands are "Get it done now! We'll sweat the details later!" Indeed, most of the consumer market seems to be driven by the idea that "convenience sells". How many times have you heard "I just want it to work"?

      Excellence seems to be left by the wayside as the lemmings jump over the cliff of expediency. Too bad there's big rocks at the bottom of that cliff...

      I can't count how many days I've wasted my breath trying to convey the difference between an app and an OS, let alone a secure one. After all, "That's just details, I just want it to work, we can fine-tune it later..."

      --
      C|N>K
    3. Re:All joking aside by bwhaley · · Score: 2

      There's a difference between common sense OS security (closing unneeded ports, cutting down buffer overflows, doing intelligent rights/process management) and... virus scanners or personal firewall software

      Good point. The article doesn't say much about which products would have added security charges, whether it is Windows itself or other MS products. Mundie is never quoted as mentioning Windows directly. For all we know these could be standalone packages, not add-ons, upgrades or packages.

      As for the common sense stuff, FreeBSD does that for us already anyway =p

      Ben

      --
      "I either want less corruption, or more chance
      to participate in it." -- Ashleigh Brilliant
    4. Re:All joking aside by Guppy06 · · Score: 2

      "virus scanners or personal firewall software; things that shouldn't be totally integrated into the installed OS to begin with."

      My old Pentium 90 came with WFW 3.11 and a copy of Microsoft Anti-Virus. (They got out of that market real fast, didn't they?)

      My current copy of XP claims to have an integrated personal firewall.

      Too late!

  13. good by gornar · · Score: 5, Interesting

    I enjoy hearing of the ways that Microsoft proposes to screw their clientele. I'm a Windows user, and will be until another OS, whether it be Mac or Linux etc., starts getting all the first-tier games before Windows. I don't do anything else with my PC, so why switch?
    If Microsoft can manage to alienate the game playing crowd enough, more and more developers will transition to Linux development, and I can switch too. They are, quite charitably, squashing the chicken/egg problem in PC gaming.

    1. Re:good by Malcontent · · Score: 2

      Excellent. I think that we should all start pushing the fact that windows is only good for games. Real business requires another operating system.

      --
      War is necrophilia.

    2. Re:good by Billly+Gates · · Score: 2

      Actually linux is quite good with quake3, ut2k3, ut, tribes2, and the upcoming doom3.

      I tried quake3 recently under rh8 and I could not believe the performance increase from w2k. Not really in fps but in sound latency, and ping times. My pings were literally cut in half! Yes, I do have netbios under tcp/ip disabled so that was not the cause. My guess is tcp/ip compression is in the linux kernel and absent in w2k.

      Anyway rh 8 sucked for web development and I had to downgrade back to w2k to run perl, mysql and apache. (rh 8 used perl 5.8, apache 2, a crippled mysql, and no cgi support for perl!). I usually score low in the average range for frags in quake3 under w2k. I am in the high range under linux! My score really goes up thanks to the better sound driver model! The sound latency under any NT kernel is crippling. Imagine getting hit by a rocket at close range and then hear the rocket come after you, after you're dead!
      What a pos! Anyone here who dual boots please try this? It's mainly noticeable at close range.

    3. Re:good by jpt.d · · Score: 2

      Windows almost annoyed me for the last time, I have been using a mac for a few months too. I hate to say it but the mac is almost as apple's marketing says - about not getting in the way. But onto the real beefy stuff. Mac is a platform where you find Otto Matic and EV:Nova. You will not find either of those games on the Devilish Windows Monopoly Platform (DWMP). EV:Nova is actually being ported to Windows ;p. You may never have heard of those games before, but they are just as good as any windows games I know of.

      My ibook can play quake3 freeze good enough. But what I am going to think about now is getting an XBOX, specifically for doom3. It may be that these things should be separated. For 'business' I don't need a powerful graphics chip, but for gaming you do. A gaming platform in a computer can be quite expensive. My windows computer would have to have at least $1000 of upgrades before it can even run Doom3. But the XBOX wouldn't cost half that.

      --
      What we see depends on mainly what we look for. -- John Lubbock Now search for that bug slave!
    4. Re:good by CAIMLAS · · Score: 2

      ii apache 1.3.26-1.1
      ii perl 5.6.1-7

      That's from a debian sid machine. I suspect you would have a more difficult time getting X set up to play Q3 than in rh8, but you'd have your perl, apache (with whatever features you want), and mysql.

      I suspect that your problems stem from a lack of understanding of how apache and such run, and you didn't bother to take the time to read the documentation. I doubt that redhat would cripple mysql, being as redhat tends to target the server and/or the office market more than any other distro. (And if you 'wasted alot of money' on buying redhat... cheapbytes.com, bitch. use it, love it! buy directly if you feel they deserve the support/you continue to use their distro)

      I imagine the latest mandrake would be a better choice than redhat, too. I've never much cared for redhat and their late-breaking-version packaging of very fundamental server tools.

      On top of that, it's complete nonsense to even consider using activeperl on a nonwindows system. perl is written for UNIX and ported to activeperl for linux. Running a port on a system, when it could be run natively, is stupid.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    5. Re:good by berzerke · · Score: 2

      ...I'm a Windows user, and will be until another OS, whether it be Mac or Linux etc., starts getting all the first-tier games before Windows...

      Actually, nowadays the game consoles are getting the games even before windoze. If you really want the games as early as possible, try a nintendo, or playstation and dump windoze.

  14. "core functionality"? by jawtheshark · · Score: 5, Insightful

    How many OSes really consider "security" as a part of "core functionality"? Only one springs to mind and that is OpenBSD.
    Neither Windows, Linux, Mac OS X, Solaris state "security" as a "core functionality". Yes, all are securable, but on any OS it needs a certain amount of work (yes, even OpenBSD...you need to apply the patches!) This needs maintenance, and on "homebrew servers" (read: glorified desktops) security is unfortunately just a second thought. I do realise that a well administered server will probably be secured, but that is due to a competent admin, not due to "security as a core functionality".
    I don't say that "security out of the box", should not be a worthy goal, I just think that it is a utopian dream.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:"core functionality"? by amarodeeps · · Score: 5, Insightful

      Well, there are two types of security we could talk about here: one is the sort that you need to do to set up a box securely with any OS. That includes configuring ports to be shut down and starting only the services/daemons that you want running, implementing firewall rules, setting up intrusion detection, etc. OpenBSD doesn't really do so much of that either from what I know (probably more than most any other OS I guess...), but they don't start anything up out of the box if I recall correctly, so there is a basic level of configuration-dependent security.

      However, it seems like Microsoft has a lot of security problems that are based around poor coding practices. This is definitely something the OpenBSD folks try to mitigate, with their constant code auditing. But MS doesn't seem to care if they toss out a product with numerous buffer overflow vulnerabilities, permission violations, etc. And these are the sorts of problems they are always releasing patches for.

      Now, there are certainly plenty of patches going around for other products and certainly open source ones, but I don't think that anybody thinks that a patch due to poor programming should be something the user has to deal with. There are best practices involved with coding things securely, and they aren't necessarily things that you have to do that are outside of what it means to code something well.

      So what I want to know is if they are going to be charging for these sorts of 'programmer error' fixes, or what? Are they going to start selling their OS in a 'non-sloppily' programmed version?

      I find it pretty offensive that they would charge for patches to software that wasn't written well in the first place.

    2. Re:"core functionality"? by El · · Score: 2

      Yes, but Linux, MAC OS X, and Solaris attempt to ship with reasonable defaults... the Windows philosophy to date has been "everything wide open by default".

      --
      "Freedom means freedom for everybody" -- Dick Cheney

    3. Re:"core functionality"? by El · · Score: 2

      Well, you're half right... the "continual upgrades" are free, so in fact their only real profit center IS support contracts. But I don't think people would pay for support contracts unless they already believed the software to be of high quality, so I don't think intentionally shipping buggy software would work as a business model for Red Hat. However, nearly everyone concedes that M$ software is unreliable and yet many continue to pay for it. Seems like shipping buggy software DOES work as a business model for Microsoft. And by the way, can't everybody quickly get the security patches for Red Hat for free? I don't think people buy Red Hat support mainly because of security concerns!

      --
      "Freedom means freedom for everybody" -- Dick Cheney

  15. Re:Slashdot's at it again by jamie · · Score: 2

    That's the original submitter's text, not Michael's.

  16. is there going to be any posts on this topic by JeanBaptiste · · Score: 4, Insightful

    that are not trolls?

    While not a Microsoft fan by any stretch, I don't think this is necessarily a bad idea because of this: Now, when a hacker/virus/trojan attacks, maybe Microsoft will have to accept some accountability; after all, I am paying for the security. As it is now, we get hit by nimda, Microsoft is not really liable for any damages. If I am paying for security, maybe they would be liable. Just a thought.

    1. Re:is there going to be any posts on this topic by sdjunky · · Score: 2

      So I guess that 300 bucks for XP Pro was bought with the full intention of being open to attacks. While you cheerily installed it you thought about how you were open to l33t haxors and such.

      Come on. When you purchase something you buy it with certain ideas. When I buy ( which I don't ) MSSQL then I expect nobody to get my data. When I buy ( another one I don't use ) Exchange I expect nobody else but me and the user to be able to read emails.

      You don't buy a product with the expectation of it being crippled ( DRM aside ) and thus you ARE paying for security. I'm not a MS Fan, I'm not a MS Critic ( although lately I seem to be ) I just get pissed when I see a company charging for something that is presumed and expected to be included with the product.

    2. Re:is there going to be any posts on this topic by rworne · · Score: 2, Informative
      Yeah, we found that bug that cost you $250,000 in downtime, and we have this service pack that you need to apply. Will that be cash or charge?
      This is the very reason EULAs claim the program you are pur^H^H^Hlicensing has no fitness for any purpose whatsoever.

      Some MS EULAs give purchase price or $5.00 limitations on damages (whichever is greater) as their limit on liability.

      Finally, here's a great excerpt from the MS Messenger license:

      Disclaimer of warranties: Microsoft and its suppliers provide the software "as is" and with all faults, and hereby disclaim all other warranties and conditions, either express, implied or statutory, including but not limited to any (if any) implied warranties or conditions of merchantability, of fitness for a particular purpose, of lack of viruses, and of lack of negligence or lack of workmanlike effort.
      It speaks volumes about what MS thinks of their own work. MS Word has a disclaimer that states the product you licensed isn't a word processor: the product has no warranty for "fitness for a particular purpose".

      Yes, that even includes "word processor." So does that mean it's unfit for any purpose?

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
    3. Re:is there going to be any posts on this topic by limekiller4 · · Score: 3, Insightful

      The minute Microsoft signs off on some agreement that they are accountable and liable for the machine they purport to secure will be about 60 minutes before someone with a very large sense of humor and real talent hears about it, and about three hours before Microsoft eats that contract.

      I can't think of a better way for them to put a target on the back of the first client that bites, or themselves, for that matter.

      --
      My .02,
      Limekiller
  17. Since when? by unicorn · · Score: 2, Flamebait

    I've never paid for a patch. They are all freely downloadable from their support site currently.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
    1. Re:Since when? by cioxx · · Score: 2
      Win98 -> Win98SE -> WinME Sounds like they have been charging for patches all along.. =P

      You consider WinME to be an upgrade to Win98SE? This begs the question: "Have you ever witnessed the carnage that was Windows Millennium?"
  18. go to jail - dont pass go... by _ph1ux_ · · Score: 2

    Wouldn't this be a monopolistic move for them to add security consulting? I mean, we all know their track record...

    But seriously, who is to say that they aren't going to engineer security holes into their systems that only they know about - then come forward and say that they have the fix - but since it's such a "complex" issue - the only option to fix it is to have their value added security consulting force come in and "secure" your systems.

    No thanks, Microsoft. I am not happy with you in general - why would I trust your lackeys to secure my systems? An MCSE is one thing - but a Microsoft employed security consultant is a whole 'nother beast.

    Reminds me of that Simpsons episode when Billy G wants to buy out Homer's ISP - and he "writes a check" for the ISP through his thugs smashing the place up.

  19. Microsoft Proves my point by orcaaa · · Score: 2, Insightful

    The fact that Microsoft is considering providing security services for a fee just shows that it knows that its OSs are not secure enough. But if they can't build security into the OS itself, then is there any guarantee that they will be able to do it later on, for a separate fee? Judging from the number of patches they release for other patches, I don't think that Microsoft is capable of providing these services for which it plans to charge.

    --
    -- Reality is just an extended dream.
  20. Chicken and egg problem? by cballowe · · Score: 5, Insightful
    In presenting Microsoft's trustworthy computing initiative, Mundie defended the company's reluctance to follow through and accept legal responsibility for the security of its products. "If we took that responsibility, say for a big contract at Airbus, I would have to take out a giant insurance policy from Lloyds or another insurance broker, and pay a giant invoice," said Mundie. "The product would then cost not 50 euros, but 50 million."


    It seems to me that if Microsoft didn't have the reputation that they have with regard to security and reliability, the insurance policy wouldn't cost 'em so much. Kinda like auto insurance -- those that prove they can drive responsibly for a period of time pay far less than somebody who crashes 3 times in a week.
  21. Re:Well, they charge for patches... by Philbert+Desenex · · Score: 2

    Maybe it isn't - both seem like MSFT is charging their locked-in users for fixing a defective product.

    I guess it depends on what they've sold you - a license to use their intellectual property or the actual product that you expect to be fit to use.

    Software companies in general and MSFT in particular want things both ways: they want you to be a loyal product buyer AND they want what you buy to be a license to use. I think that promoting things one way (Great Product! Easy to Use! The Useful Internet!) and then actually selling you the other (EULA!) is the commercial equivalent of equivocation.

  22. I'll wait, and see by unicorn · · Score: 5, Insightful

    No matter what ill will the average /. user bears towards Microsoft, you can't possibly say that they are idiots.

    And starting to charge for hotfixes, and obvious security holes in the OS would be an act of complete idiocy.

    I have a feeling that whatever security initiatives MS is working on certainly aren't aimed at the average home user. There's no money in it. MS makes its wad off corporate licensing. Where they don't have to worry about retailers, or packages, etc. The home user is an important market to them. But it's not what put Bill on top of the Forbes 400.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
    1. Re:I'll wait, and see by MeNeXT · · Score: 2
      And starting to charge for hotfixes, and obvious security holes in the OS would be an act of complete idiocy.

      That's how I thought when MS started charging more than $100 for Office, and guess what? Idiots will pay.

      This is not a flame; it was practically given away. WP would sell for over $150 (I can't recall the exact price but it was at least that).

      SH!T I'm old....

      --
      DRM? No thanks, I'll just get it somewhere else...
    2. Re:I'll wait, and see by jedidiah · · Score: 2

      The question is not whether or not they're idiots. Everyone is likely good at something.

      The real problem is WHAT they're good at...

      I want a company that is good at engineering computing systems, not good at blackmailing customers (MITS,IBM) or committing fraud (IBM).

      --
      A Pirate and a Puritan look the same on a balance sheet.
  23. Priorities by catfood · · Score: 5, Insightful

    Says the story write-up:

    I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start.

    Internet Explorer is a fundamental, inseparable part of the operating system; but security is an add-on product. I love it.

  24. What he really means.. by nolife · · Score: 2

    When asked about security Mundie states:
    "Because customers wouldn't pay for it until recently."

    I interpret this as:
    People ASSUMED they were getting something secure. When they realized they were not they went elsewhere to find something that was. Microsoft ironically wants to be the elsewhere too. They can get there two ways. Make the product more secure the first time, or continue as normal and sell yet something else on top of or next to the other product. A tier level of security I guess. Seems like a very odd way to operate..

    --
    Bad boys rape our young girls but Violet gives willingly.
    1. Re:What he really means.. by Cervantes · · Score: 2
      I have to disagree here. I don't read his comment as a comment on consumers at all, but rather perception. Consider:

      It's 10 years ago. We're all enjoying Doom on our 486-DX2's, and drooling over the latest Pentium preview (coming soon... MMX!). Someone comes up to us, and tells us that those fun USENET and NEWSGROUP things we keep playing around in may hold evil hax0rs, who can hack our boxes and steal our.... Doom savegames. "Egads!", we exclaim, "whatever can we do?". "Well, " says Mr. Someone, "we can make it nice and secure, but it's likely that Memphis, Chicago, and especially Cairo will cost more. So, do you want us to protect your savegames?"

      Now, let's be honest. 10 years ago (hell, 5 years ago, for most people), we didn't have much on our PC's worth protecting with security, firewalls, etc... at least those of us on WinTel. Come on, how many people had a firewall on their 19.2 baud modem? Did you worry about hax0rs when you upgraded to 28.8? 33.6? The magical 56k? (complete with the X2 wars). Would you have paid extra back then, so that MS could spend millions (stop laughing, they really do) working on security n' chit? Now that hackers (black, grey, white and blue) are in the mainstream, broadband is common, and people actually put a monetary value on the data in their computer, security is important to consumers, and they're willing to pay a little extra. It doesn't seem so evil to me...

      --
      If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
  25. If you read the article.. by AlbanySux · · Score: 2, Insightful

    it sounds more like they are going to charge for security extras, not for basic security patches and what not. This isn't MS cutting its massive user base off, it's MS trying to make a few extra bucks off the companies that need enhanced security. Sure, you could argue that the best possible security should be available on all versions of Windows, but they are a for-profit company and are trying to make a few dollars in this rough economy.

    This is not a troll.

    1. Re:If you read the article.. by miffo.swe · · Score: 2

      You make it sound like they have a tough time making a profit. When almost all of the industry is suffering, only MS is able to get even higher profit. Doesn't that ring a bell somewhere? They have more money than they can spend but they won't spend it on better products. That's plain wrong and points to the fact that no real competition exists in the OS market today. Would Apple have released MacOS X on Intel if there was room for competition? Hell yes!

      --
      HTTP/1.1 400
  26. Flippant? by Jack+Auf · · Score: 2, Interesting

    Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently." Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security

    I wouldn't say that was a flippant question. Obvious yes, and valid to be sure. But how is that question supposed to be 'flippant'? Why has it taken 25 years for you to take security seriously? Never mind that you're asking me to *pay* for something that should have been an intrinsic part of the product from the start. Seems like a good question to me.

    Is there something in the Micros~1 corporate culture that breeds contempt for anyone that dares to ask a valid, though perhaps embarrassing, question?

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" - BF
  27. In other news, restaurants nationwide... by Theatetus · · Score: 5, Funny

    ...now promise E. coli-free food for an extra fee. A spokesperson for McDonalds said, "Our revenue model doesn't normally lend itself to our being held responsible for the hygienic quality of our food; however, for a fee as disclosed in our End Eater License Agreement, we will make sure your burgers don't carry a horrid, filthy plague."

    --
    All's true that is mistrusted
  28. MS Security and government services? by Dannon · · Score: 2

    Security is like public health and education

    Isn't MS's security already at least as good as the quality of teaching in our government schools? ;-)

    --
    Good judgment comes from experience.
    Experience comes from bad judgment.
  29. Infinite support, for a flat fee? by unicorn · · Score: 2

    At some point a vendor has a reasonable right to drop support for a product. There is no way they could afford to support with patches etc. Every product released has a "life span" and face it. Office 97 is WELL past its expected life span. It's 5+ years old, and 2 full versions back now.

    If you want code that's open to updates forever, go with open source. No vendor in the commercial software markets will support products once they have reached "end of life" status.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
    1. Re:Infinite support, for a flat fee? by 0x0d0a · · Score: 2

      The problem is that not adding features or providing technical support is different from shipping a product with problems, finding out about said problems, and simply refusing to fix them.

      This is one of the things I really like about Apple (presumably IBM is the same way). Apple makes their money on hardware, so they hand out bug fixes and minor feature additions freely. When I got System 7.5, I got a continuous stream of free updates up to System 7.5.5, and lots of neat software (like the Appearance Manager).

      Microsoft sells software and profits from a certain minimal degree of bugginess ("Upgrade and we'll fix lots of bugs! Sure, we'll introduce new ones, but...").

  30. Re:MS security? by foobar104 · · Score: 3, Funny

    Microsoft is charging for something that should be free? When did this start?

    About the same time they started giving away something for which they should have charged.

  31. Model by _ph1ux_ · · Score: 2

    1. Make big insecure operating systems
    2. Form Security Consulting Arm
    3. ....
    4. Profit!!

    in this case - the .... is just what it means.

  32. Does charging imply liability? by kindofblue · · Score: 3, Interesting

    It seems to me that if Microsoft can charge for enhanced security, then they are admitting that their non-enhanced versions are partially defective. From a legal standpoint, it sounds like they would be culpable for such security defects in their non-security enhanced versions, because they cannot then claim that such defects are intrinsic to the complexity of their software itself, and they cannot claim that they just didn't know how to fix it.

    On the other hand, if a third-party adds security features, that company can claim that they have found ways to secure Windows, which Microsoft was not able to do.

    I'm not a lawyer, but it seems that charging for security enhancement would be like charging extra for a car with a working airbag, instead of a cheaper model that works maybe 80% of the time.

    How would this compare to a warranty on consumer products? It seems like a warranty is just like insurance, because you get cheaper repairs in case something goes wrong. Is this applicable to software?

    BTW, I'm asking a legal question, not an ethical business question.

    1. Re:Does charging imply liability? by Reziac · · Score: 2

      I think the parent post is asking about *availability* of security. AFAIK, RedHat only charges extra for the handholding, not for the updates and patches themselves. So everyone has *access* to the same level of security.

      M$'s concept apparently is to make security *unavailable* unless you pay extra. (Of course they'd charge you =again= for handholding, if needed...)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  33. Blah, blah and triblah! by jukal · · Score: 2
    I have to run Windows at work to be able to communicate with the Windows world without problems. It is Microsoft that should pay me for their "security", I waste at least 5 hours per week booting this stupid machine after every stupid critical security update that requires a stupid reboot after every damn install. This is the only option I have to keep the system at least somewhat "secure".

    I understand that a system needs patches, but is it really so hard to make an operating system whose maximum uptime is limited to 2-3 days because of the stupid required reboots. I know a couple of such operating systems.

    I am sorry, but you will need to rewrite the whole damn thing.

  34. Quote from the Story by ReadParse · · Score: 2

    Mundie, speaking about MS Windows: "The operating system is designed to run on machines that are not designed yet."

    There's a joke in there somewhere, but I'm having trouble finding it. Discuss.

    RP

    1. Re:Quote from the Story by GunFodder · · Score: 3, Funny

      The secret is that Bill Gates is a precog and the actual Windows code base has been frozen for the last 20 years. The entire OS runs in 640K and will continue to operate on Intel hardware until they go belly up in 2069 when the transistor density of their final design combined with the intense heat it generates spontaneously punches through time/space to form a black hole.

      Each new release is the last version with an exponentially increasing "fudge factor", a data file of randomized pRon collected by a web spider. This makes it look like they are actually doing work in Redmond instead of playing CounterStrike 24/7.

      All Windows development ("cat Windows2000 pRon.dat > WindowsXP") occurs on a single IBM XT running Minix.

    2. Re:Quote from the Story by karlm · · Score: 2
      Mundie, speaking about MS Windows: "The operating system is designed to run on machines that are not designed yet."
      • possible quote completions:
      • ...you should see how great Windows Imaginary Edition runs on imaginary hardware!
      • ...it was designed by idoits for use on idiot-proof silicon.
      • ...to this end, we are currently researching ruminant dung based chips to replace silicon
      • ...so we gave up on coding to the design spec and just started coding under the influence
      • ...and all of our security problems are due to attacks financed by the Emperor of Pluto.
      • ...but it will run great on Iraqi nukes, which are going to be designed any day now! Just ask our friend Dubya!

      Okay, the Iraq thing went too far, but it was begging to be said.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  35. so sue 'em by Anonymous Coward · · Score: 3, Interesting

    Does that mean it would be possible to sue M$, if they fail to provide a bought service, i.e. security?

  36. Buffer Overflow by sdjunky · · Score: 5, Interesting

    "Windows runs an arbitrary set of applications, in an arbitrary configuration, with arbitrary devices, said Mundie. 'The operating system is designed to run on machines that are not designed yet.' While Microsoft could demand that it creates the drivers for all hardware, the industry would not accept that. 'Each time we accede to the reality of the industry, we accede to the problem,' he said."

    Yep. All those string buffer overflows are obviously caused by the RAM. And those virii that use Outlook automation obviously use the fact that Windows has to account for various pieces of hardware too.

  37. Pricing Security by Orne · · Score: 3, Interesting

    In my humble opinion, the secondary cost of the operating system's security should be inversely proportional to the control granted by said operating system to the external network. What do I mean by this? The more networking gadgets one puts into their operating system, the more they are responsible for the access to said gadgets.

    Security in DOS was practically non-existent, because frankly, you couldn't do much on it. The worst you could do was write data to COM1, and native DOS wouldn't do anything with it. Then came Win2 and they introduced the OLE concept, where a person could control application A through application B. Security req: still marginally zero, because of the single-user environment. Win311 brought us the Network Neighborhood, and now you could control application A over a network to control application B. Because of MS's DLL approach, the operating system now must track login names, and validate IDs, and coordinate data flows. Now we have XP, with automated updates, drivers for everything, protected modes, lots of complexity that MUST be secured by the operating system.

    Brief Analogy: I build you a house, and I install a cardboard front door, then to protect this cardboard door I want to sell you the steel door as a security "upgrade". In a perfect world without crimes, we wouldn't need any doors, but that's not the way things work...

    In short, Microsoft measured their rope, and now they're trying to avoid the gallows. They built an operating system that's practically transparent to the network, then they're horrified that someone other than MS might exploit this transparency. If they aren't willing to protect the public from their own products, then someone needs to inform the public that there are better products in existence...

    1. Re:Pricing Security by BCoates · · Score: 2

      Security in DOS was practically non-existent, because frankly, you couldn't do much on it. The worst you could do was write data to COM1, and native DOS wouldn't do anything with it.

      ctty com1

      --
      Benjamin Coates

  38. You don't understand... by taniwha · · Score: 2
    'Security' in the sense of 'protecting you from all the evil stuff out there' will cost a lot, and probably continue to cost more and more. 'Security' in the sense of 'protecting the RIAA from you' will be built in, free and compulsory

    Of course once M$ has a biz plan where customers pay extra for security the incentive to not fix (or even leave in) security bugs will be tempting ...

  39. Government contracts? by supabeast! · · Score: 3, Insightful

    Any bets on how long it will take MS to get exclusive, multi-billion dollar contracts with US Government Agencies to help secure Microsoft products?

    And are any US taxpayers interested in suing both parties when it happens?

  40. Major conflict of interest by clemfoley · · Score: 2, Interesting

    Microsoft is at a conflict of interest and as an end-user, I am not impressed.

    We all know how secure MS products are. By having MS consult in areas of security, there would be no motivation for MS to make their products more secure. Also, what stops MS from deliberately leaving holes in its software to have its security consultants patch them up later?

    --
    Instant Karma's gonna get you - John Lennon
  41. If they don't disclaim liability, this is fine by mike449 · · Score: 2, Interesting

    Companies would gladly pay big bucks for secure products, if the promise of security is backed by liability or some kind of warranty. If EULA stays the same, MS will not provide an extra peace of mind, and nobody will pay more money for "maybe more secure" software.

  42. Re:Maybe they should be held liable? by jedidiah · · Score: 5, Interesting

    Perhaps we really should view Mundie's excuses as the perfect argument why Microsoft software is simply inappropriate in some places. Mundie's comments are simply crass and insulting. Why should Microsoft be guaranteed profitability in a certain market niche? Why should we just forgo products liability just because it might not make a particular company competitive anymore?

    Liability concerns have forced far more worthy companies out of this particular market (aircraft subcontractors). Why should Microsoft expect special treatment?

    --
    A Pirate and a Puritan look the same on a balance sheet.
  43. In other news... by RobinH · · Score: 2

    ...in order to secure their products, Microsoft today announced its new line of security software: "MS/GNU/Linux".

    --
    "I have never let my schooling interfere with my education." - Mark Twain
  44. Wrong and wrong again. by burgburgburg · · Score: 2
    First, the car costs more now because of inflation. Adjusted for inflation, your $10,000 car was actually more expensive than the $22,000 one.

    Second, Microsoft can't use inflation to explain their ever increasing prices. Except for the cost of ever more programmers to create ever bigger bloatware (but nobody to check those buffer overflows or fix those bugs^H^H^H^Hfeatures), they don't have an explanation for their pricing. Except of course for the real reason: Monopoly.

  45. Some things money can't buy by McCart42 · · Score: 5, Funny

    Microsoft Windows XP: $100/license.
    Microsoft Office XP: $300/license.
    Paying extra for security: Thousands of dollars per site.
    Realizing there's a free, secure alternative: Priceless.

    Some things money can't buy. For everything else, there's Microsoft.

    --
    "I may be quite wrong." - Socrates
  46. Mr. Gates, hire me! by MadFarmAnimalz · · Score: 3, Funny

    I get lots of good ideas. I'll even give you some for free. But hire me afterwards, OK?

    1. Well, you can charge people less for running at lower resolutions like 640x480. See? It even sounds better than saying 'our higher res clientele will have to pay more'

    2. You can also charge extra licensing fees for users that think they might need a mouse. Heck, Linux does it... yes linux does too, since the mouse functionality costs nothing, which is precisely as expensive as the whole OS...

    3. You might as well begin to start charging admission fees to all buildings that contain a machine with windows on it. KA-CHING!

    That's it. 3 ideas are all you get. Now will you hire me?

    --
    Blearf. Blearf, I say.
    1. Re:Mr. Gates, hire me! by FredGray · · Score: 2
      1. Well, you can charge people less for running at lower resolutions like 640x480. See? It even sounds better than saying 'our higher res clientele will have to pay more'

      Actually, you should charge more for running at lower resolution so that the fonts aren't so gosh-darn small. :-)

  47. 5 years, is not a short life span at all by unicorn · · Score: 5, Insightful

    Enough customers do want added features, that product revs are inevitable.

    And as the codebase moves forwards, eventually older versions of it are going to become sufficiently arcane that nobody continues to understand them, etc. It's just the nature of business, that they can't possibly support all products forever. Not even when it comes to vulnerabilities. I'm sure that you could dig up vulnerabilities in other 5 year old applications, and odds are, most/all of those vendors either aren't supporting the product anymore. Or they simply don't exist anymore at all.

    Just ring up IBM, and ask them for bugfixes for SmartSuite 97. Good luck.

    It's the nature of the beast, that eventually support WILL die off for old products. That's the case with almost any industry. And the computer industry prides itself in moving further, and faster than any other industry in history. Part of moving fast, is the danger of getting left behind.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
    1. Re:5 years, is not a short life span at all by plague3106 · · Score: 2, Interesting

      Enough customers do want added features, that product revs are inevitable.

      Um, actually everyone I know that works with MS office complains that it a) doesn't do what they want (not that it can't, just that it makes simple things difficult) b) don't use 80% of the 'features.' They therefore conclude that it's bloated. Which it is.

      Did anyone really want a word processor to be able to produce html? There are many features in word that are not needed, and many more that are more complex than need be. The latter is usually caused by word assuming it can read your mind..

    2. Re:5 years, is not a short life span at all by Christopher+Thomas · · Score: 2

      Did anyone really want a word processor to be able to produce html?

      Yes, because it's one of the few portable, widely-supported document formats that exists. It's my first choice for telling people what to re-save as when someone sends a Word document to my *nix account (postscript saves are much larger).

  48. Sorry, but I disagree.. by Anonvmous+Coward · · Score: 2

    "...but I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start."

    I find this comment a little short sighted: The problem is that security has an inverse relationship to features/usability. The reason that a virus can do damage on a Windows system isn't a flaw in the OS (though I suppose the OS could be patched to fix it), but rather because a program like Outlook Express has a feature that somebody learned to exploit. That feature was put in for other reasons, mainly to make OE more usable, but it also provided an outlet for mischief.

    Frankly, I'd rather a company make money by being more secure. It gives them a good solid reason to not only add features, but test them against potential exploits. Money is a much better motivator than a good mission statement. When MS thinks it can make money at something, it usually excels at it. If MS thinks people will pay more for 'security', then let them have a go at it

    The worst that can happen is that MS actually loses money for failing to meet that promise. Yeah, I'm sure the Slashdot floor would be wet with tears if that happened. But the best that could happen is that MS combines a good user experience with security, a product we could all benefit from.

    1. Re:Sorry, but I disagree.. by Anonvmous+Coward · · Score: 3, Interesting

      Heh nice Red Dwarf quote.

      "Why is it always assumed that security must come at the expense of usability."

      Why? Because the greater number of features, the greater the likelihood of mischief. Remember Melissa? I'll use a non computery example: Universal remotes. Now you can buy a remote that'll operate nearly any TV. Result? I'm wearing a watch right now with a built in universal remote. I've been quite obnoxious at places like Applebee's because their TV's don't have an authentication system with regard to their remote control. If they were to implement one, then their TV's would only work with the permitted remotes, which would become a rather huge hassle if the remote needed to be replaced.

      Not the strongest example, but hopefully you get my idea. Buffer overruns can be predictably fixed, unexpected mischievous results from added features cannot.

      "As for the comment that MS excels at things it thinks it can make money from WinME anyone???"?

      My mistake. As your 1 (one) example clearly shows (I'll just have to take your word for it that MS didn't make money on it, heh.), I am 100% completely wrong. Microsoft has never ever made money on anything it has ever been interested in. I'll have to agree with you there!

  49. Don't you need... by DaytonCIM · · Score: 2

    to have security in your software in order to charge for it?

  50. Aim at foot, pull trigger by El · · Score: 5, Insightful
    What incentive does M$ have to make sure the operating system they sell you today works, when their business model calls for them to sell you a new operating system every year? (In fact, they've even used the fact that their previous release was a POS to sell new releases!) What incentive does M$ have to fix the vast security holes in their standard releases, when they can make even more money by charging you for the security patches?


    At what point does the consumer stop doing business with a company that admits that everything they sold you in the past is a POS in order to get you to buy yet another upgrade? At what point do corporations decide it might be a bad idea to single source all its software from a company that considers security to be optional?

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  51. Lots of OSs were B-rated by NCSC by billstewart · · Score: 4, Interesting
    • AT&T System V/MLS was B1-rated
    • Sun did several secure Unix variants, including Compartmented Mode Workstation, which met requirements from a slightly different set of DoD bureaucrats, and was roughly B 1.5.
    • There were probably some others.
    • Boeing and some Honeywell stuff had A-rated special-purpose network gateway machines
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  52. Wonder if this will increase their liability by cuberat · · Score: 2, Insightful
    I'm surprised that no one has yet sued Microsoft for some egregious breach of security, enabled by a flaw in Microsoft's released code, that ended up costing some company a ton of money. This is, after all, the country where someone eats too many hamburgers and then sues the person who made the hamburgers.

    IANAL, but it seems reasonable to me that if you use a product as it is intended to be used, and it wreaks unexpected havoc on your system, you should be entitled to redress.

    If Microsoft now starts charging for extra security and other such 'features,' I'd think that would increase their liability if something does go wrong. I can't believe their EULAs are that iron-clad.

    --

    I'll tell you what the 'effect' is! It's pissing me off!

  53. That's the choice you make tho by unicorn · · Score: 2

    Nobody is forcing you to upgrade. But at the same time, if there was no market in improving the product, MS would just let it die off. And in that case there wouldn't be support for it either. Just try and find patches for MS Bob.

    As I said. ALL consumer products have a finite life span. Computer based products moreso than any other. And sooner or later, you have to either upgrade, or live with a static, unsupported product.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  54. Call a spade a spade... by cornice · · Score: 3, Interesting

    Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently." Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security, and it is only in the last ten years that Microsoft has attempted to play in the security-requiring worlds of banking payroll and networked systems.


    The reality is that M$ sold products that were expected to perform to a base level in terms of quality and security. Because users can't look under the hood so to speak, the quality and security issues didn't emerge until it was too late. Now the customer is screaming for relief and MS is there with its hand out.


    Also does it sound like the lines between security and DRM are being intentionally blurred here?

  55. What's "security"? by ceejayoz · · Score: 2

    The article doesn't specify what "security" is.

    Will MS be selling firewall and antivirus software? Or do they mean they'll sell a more secure version of Windows?

  56. EROS! OpenBSD is just a good start by billstewart · · Score: 2
    For Unix-like mainstream operating systems, OpenBSD is probably about the best of them, but security is still something that's only partly built in - Unix had good security design goals, and OpenBSD intensively beats up anything it adopts, but there's still a "root", rather than a collection of least-privilege administrative functions, and if you're root, you can still make things setuid-root in spite of weaknesses. The Mach microkernels had some possibilities of doing real security, but just about everybody's abandoned them for big monolithic kernels.

    EROS, the Extremely Reliable Operating System, by Jonathan Shapiro et al., is a capability-based operating system, inspired by KeyKOS and other academic systems from a decade or so ago. A capability is similar to an object handle - you can only access an object (file, process, etc.) if you have a capa that gives you the kinds of permissions you need for the action you want to take. Lots more information at www.eros-os.org.

    (Note: that's eros-os.org, not eros.org, which is something entirely different :-)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  57. 98se and ME had new FEATURES by yerricde · · Score: 2, Insightful

    Win98 -> Win98SE -> WinME Sounds like they have been charging for patches all along

    Windows 98 Service Pack 1 included all Win98se changes that weren't new features.

    --
    Will I retire or break 10K?
  58. Of *course* they're charging! by billstewart · · Score: 3, Funny

    Hey, it takes a lot of work to install Unix, set up WINE, and then get all the MSOffice applications to work well on top of WINE :-)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  59. 180 by Myco · · Score: 2
    Couple of weeks ago they were whining about how they're unable to secure their products because the relentless droves of evil H4X0RZ are always three steps ahead. Heartfelt apologies for not delivering the promised security that should have been delivered with the product.

    Now they turn around and say "oh, actually, we *can* do that... but it'll cost ya." Real cute, folks.

  60. Copying IBM et al? by krmt · · Score: 2

    Funny... the big thing about Free Software is that it generally forces a software company in to a service business model. The reason IBM can make so much money while throwing all their clients towards Linux is that they have an insanely large services division.

    Perhaps Microsoft is trying to copy this. They know windows is already a commodity, as is Office. This is not only a possible new revenue stream, but a potential salvation should they have to start giving Windows and Office away for free (this is a very distant possibility, but a possibility nonetheless).

    This also fits with other moves on their part, like .net's emphasis on web services and the entire passport/hailstorm project, which doesn't rely on selling software but providing transaction services. This just seems like another piece of their overall scheme.

    That said, I don't think by charging for security they mean charging for updates. More likely providing extra software outside the core OS functionality or a consulting division to deal directly with customers.

    --

    "I may not have morals, but I have standards."

  61. They want some of Symantec's marketshare... by aquarian · · Score: 2

    Microsoft has seen how much Symantec has been making in this market, and they want a piece of the action.

  62. Quality, not security by nsayer · · Score: 5, Insightful

    When people talk about software security, they're putting the cart before the horse. Security is a metaphor for quality. Every time a vulnerability exists, it is because of some sort of an error. This is true almost by definition.

    Microsoft's products are not crappy because they are insecure. They are insecure because they are crappy.

    If you take the article in question and substitute the word "Quality" for "Security," it becomes a much more truthful statement of what's really going on. Microsoft never cared about quality because they had a monopoly. Their overriding concern has never been quality, it's been in maintenance of their monopoly position. So they've shoehorned in any new feature that has shown any promise of being a technology that they can monopolize down the road or that can commoditize the work of a competitor and thus help drive them out of business.

    1. Re:Quality, not security by Florian+Weimer · · Score: 5, Insightful

      Microsoft never cared about quality because they had a monopoly.

      A few years ago, Microsoft didn't have a monopoly at all. But the competition couldn't really compete on quality (or security, for that matter). The UNIX camp had its internal conflicts, IBM marketed OS/2 as a Windows emulator (and got cautious when it was too successful in Germany), and MacOS required a brainwash to view its quality (and most of its security was the result of a single-user system).

      The market demanded only a very basic level of software quality, and Microsoft delivered software which matched the expectations of the market. What else could have made Microsoft such a huge company? Alien influence?

      Apart from that, I believe that charging for critical security information is morally wrong (and not in the "proprietary software is bad" sense, but in the "not warning your neighbor when he's about to get hurt" sense). But who's seriously into (the very practical aspects of) computer security and does not sell e.g. early-access information?

    2. Re:Quality, not security by Frater+219 · · Score: 3, Informative
      Every time a vulnerability exists, it is because of some sort of an error. This is true almost by definition.
      This is a very good point -- indeed, an essential one. As anyone who's as much as lurked on Bugtraq or other security-oriented fora can tell you, the discovery of many vulnerabilities begins with the discovery of a way to crash the affected service.

      This is particularly the case with buffer and stack overflows: if I can crash your FTP server by sending it a huge string of junk, that means that your FTP server is doing something invalid (such as smashing the stack) with that input. To crash a service entails getting it to execute nonsense code -- to crack it entails getting it to execute my code.

      What does this mean for Microsoft's code -- or anyone else's? Well, any means to get a network-facing program to crash should really be considered a security vulnerability waiting to happen. Bug reports of the form "I can crash your program by sending it gubbish" should not be answered "Well, don't do that!" They should be treated almost as seriously as vulnerability reports themselves. While there are classes of remote crashes that don't lead to vulnerabilities, that's not the safe way to bet.
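
The crash-versus-compromise point made in the comment above, as an added example that is not part of the original thread. It models a handler's stack frame as a struct (the names `frame`, `resume`, `run_fill` and the sizes are constructed for illustration) and shows that the same missing length check that makes junk input crash the service also lets the sender's bytes decide where execution resumes, while the length-checked handler rejects the input outright.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16                          /* constructed buffer size */
#define EXPECTED_RESUME ((uintptr_t)0x1000)  /* constructed "correct" return target */

/* Constructed model of a handler's stack frame: a fixed-size buffer followed
 * by the slot that decides where execution continues afterwards. */
struct frame {
    char      name[NAME_LEN];
    uintptr_t resume;
};

enum outcome { HANDLED = 0, CONTROL_FLOW_CORRUPTED = 1, REJECTED = 2 };

/* The bug: the copy trusts the sender's length. The write is modelled as a
 * byte copy over the whole struct and capped at its size, so the demo stays
 * well-defined C while showing what an overlong input reaches. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* The fix: refuse anything that does not fit, leaving room for the NUL. */
static int copy_checked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len >= NAME_LEN)
        return -1;
    memcpy(f->name, in, len);
    f->name[len] = '\0';
    return 0;
}

/* Send `len` bytes, all equal to `fill`, through either handler. Returns what
 * happened; if resume_out is non-NULL it receives the final resume slot. */
enum outcome run_fill(unsigned char fill, size_t len, int hardened,
                      uintptr_t *resume_out)
{
    unsigned char in[64];
    struct frame f;
    enum outcome result = HANDLED;

    if (len > sizeof in)
        len = sizeof in;
    memset(in, fill, sizeof in);
    memset(&f, 0, sizeof f);
    f.resume = EXPECTED_RESUME;

    if (hardened) {
        if (copy_checked(&f, in, len) != 0)
            result = REJECTED;
    } else {
        copy_unchecked(&f, in, len);
    }
    /* A changed resume slot is the "crash": execution would continue at an
     * address made of input bytes instead of the intended one. */
    if (f.resume != EXPECTED_RESUME)
        result = CONTROL_FLOW_CORRUPTED;
    if (resume_out)
        *resume_out = f.resume;
    return result;
}

/* Final value of the resume slot for the same request. */
uintptr_t resume_after_fill(unsigned char fill, size_t len, int hardened)
{
    uintptr_t resume = 0;
    run_fill(fill, len, hardened, &resume);
    return resume;
}

/* The value a machine word holds when each of its bytes equals `fill`. */
uintptr_t word_of(unsigned char fill)
{
    uintptr_t w;
    memset(&w, fill, sizeof w);
    return w;
}

int main(void)
{
    printf("8 bytes, unchecked:  outcome %d\n", (int)run_fill('A', 8, 0, NULL));
    printf("64 bytes, unchecked: outcome %d, resume slot %#lx\n",
           (int)run_fill('A', 64, 0, NULL),
           (unsigned long)resume_after_fill('A', 64, 0));
    printf("64 bytes, checked:   outcome %d\n", (int)run_fill('A', 64, 1, NULL));
    return 0;
}
```

The resume slot ends up holding whatever byte value was sent, which is why a reproducible crash on oversized input is triaged as a likely vulnerability rather than a nuisance bug.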

    3. Re:Quality, not security by Reziac · · Score: 2

      Very, very good points. And as a tester/user, I've had similar arguments with coders:

      Me: Hey, it breaks when I do THIS!
      Coder: Well, don't DO that!

      Um.. instead of assuming all users will always follow the rules (or worse yet, special rules for avoiding problems in the software), why not just bloody FIX the problem?

      Yeah, sometimes fixing it is not that simple, but even so, as you say such reports shouldn't be just blown off as a Stupid User Problem.

      [/rant]

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  63. sad but true by GunFodder · · Score: 2

    It is unfortunate that as it stands it makes sense for Microsoft to charge extra to be accountable for their product. I am sure there are other examples of this, but the vast majority of software developers don't take any responsibility for their product at all.

    This may actually be an opportunity to commercialize OSS. If a company is willing to pay Microsoft to compensate them for monetary loss caused by Windows then might that same company want to pay less for the same assurance for an insured distro of linux? Insurance for linux should cost less since it is inherently more stable.

    I guess this is just a sign that the software market is finally maturing to some extent. In a mature market, like automobiles, everyone guarantees their product and the cost is included in the price of the vehicle.

  64. Before everyone flips out by mindstrm · · Score: 3, Interesting

    First.. they said they were not ready to approach trusted computing until people were ready to pay for it.

    Well, does that not make sense? There is no business sense in spending the money to develop something if people are not willing to pay for it.

    Trusted computing is not about security.. it's about accountability. It's about being able to have a proper audit trail for who did what when, no matter what. Your data can still be stolen, you just know who did it.

    Microsoft is not talking about charging for security patches or updates. They are talking about complete trusted systems, something they don't have yet (though NT goes further in this regard than Linux does, by quite a bit. Notice how if a user changes the permissions on a file so Administrator can't read it, then Administrator can't read it until he a) takes ownership of it and b) changes the permissions. Admin still has the power to read anything, but not without leaving a mark that they did it.)

    They are talking about having secure offerings for trusted computing.

  65. Re:*old man voice* when I was your age... by ArsonSmith · · Score: 2

    Yeah, when someone, almost in the same sentence, can say

    "When I was a kid I worked 60 hours a week for $12 for the week."

    then say "I can't believe the prices nowadays, stuff is 10x more than what it was when I was a kid."

    Well damn, I make 100x what you made back then so I would say we are doing pretty good.

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
  66. its always the damn Americans at fault by GunFodder · · Score: 2

    If SUVs didn't look cool with high bumpers then stupid Americans would stop buying them, resulting in massive losses by GM and Ford that would plunge the US into a major depression.

    FYI I am an American and I resent the massive waste of resources that SUVs represent.

    1. Re:its always the damn Americans at fault by DunbarTheInept · · Score: 2

      Besides, how often does it snow in California?

      Lots. There's mountains there. And while we are on the subject of stupid stereotypes of America, only the southern half of California is a desert. Get far enough away from Los Angeles (which is all most people see of California, via Hollywood's media influence) and the rest of the state extends all the way north to Oregon, you know.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    2. Re:its always the damn Americans at fault by DunbarTheInept · · Score: 2

      The problem with sarcasm is that it has to come from a source you respect to be noticed as such. Otherwise the more likely explanation when something dumb is said is that the person really is dumb, not that they were trying to be funny. Based on the past posts, I assumed you just didn't know any better.

      For the most extreme example of this, imagine if there was satire used in a Jack Chick (tm) tract. Would you notice?

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  67. Look at their market by GunFodder · · Score: 2

    For 20+ years Microsoft didn't take any flak for security because their market was shmoes running spreadsheets and games. It's a flippant question because it only takes a modicum of thought to realize that no one was complaining about Microsoft security until the internet became easy and affordable.

    A valid question might be "Why didn't Microsoft build security into their first generation network protocols and products?"

  68. A new level of absurdity. by miffo.swe · · Score: 2

    1. Release unsecure software.
    2. Sell services to mend the broken software
    3. Profit 2-ways!

    --
    HTTP/1.1 400
  69. Open Source by 0x0d0a · · Score: 2

    And sooner or later, you have to either upgrade, or live with a static, unsupported product.

    Or use an open source product where you can get the bugs fixed.

  70. Your lucky day by Jester99 · · Score: 2

    I would prefer operating system vendors to treat security as part of the core functionality of their products.

    Some do.

    1. Re:Your lucky day by Jester99 · · Score: 2

      As far as I can remember, they didn't disclose the bug for 48 hours, while they worked out a fix. They had a fix within two days and disseminated it then.

      Thus the slogan, "1 remote exploit in 6 years."

      The point of full disclosure is to light a fire under the asses of whoever should be fixing the problem. Since they were already working on it full steam, it didn't make sense to tell everyone else "hey, go root anybody with an openbsd box!"

  71. My thoughts exactly by 0x0d0a · · Score: 4, Insightful

    So Microsoft's *web browser* is a vital part of the core operating system, inseparable despite all the efforts of their engineers...but security is an add-on product.

    Odd how "harsh technical realities" always seem to favor MS's bottom line.

  72. Try explaining by jmv · · Score: 2

    Try explaining to the DOJ that a browser is really part of an OS, but a security fix is not...

  73. I just like the idea of someone saying this... by El+Camino+SS · · Score: 2


    "You know, if you don't get our new MS Security Plus! you'll probably get infected with all sorts of viruses."

    Now I am just *dying* to hear that from a kid at my local Circuit City.

  74. An Interesting Conjecture by Rambo · · Score: 3, Interesting

    I've heard the argument that open source companies rely on the difficulty in using or installing their products (i.e. sendmail). However, now that MS is pondering charging for security, doesn't that suggest the argument that they are charging for what they can most easily make money on? Having many issues with security could become a strong business model and effectively force people to pay for the fixes as the "default" patch level that the OS ships with becomes correspondingly decrepit and bug-ridden.

  75. Funniest misinterpretation thread ever... by El+Camino+SS · · Score: 3, Informative

    Look at the posts on this thread. They are all talking about cost inflation and the price of autos. Hilarious.

    Guys... they meant proper tire inflation. If you are not a citizen of the USA, then you are of course pardoned. If you are a US citizen, I can assure you that where you live the news usually comes on at 5, 6, and probably also 9, 10, and 11.

    SO HERE'S a little history.

    The real reason why everyone else modded this joke up was that at a certain point in the debauchery that caused so many Expedition/BIG Ford SUV deaths, both Ford and Firestone tried to shift the blame on the consumer, stating that most of these rollover deaths could have been prevented by the driver having proper tire inflation.

    This, in a sense is the equivalent of saying that if a consumer does something so benign as not change their VCR remote batteries on a regular basis, then they deserve to be electrocuted the moment they try to turn the TV off manually.

    1. Re:Funniest misinterpretation thread ever... by Fulcrum+of+Evil · · Score: 2

      This, in a sense is the equivalent of saying that if a consumer does something so benign as not change their VCR remote batteries on a regular basis, then they deserve to be electrocuted the moment they try to turn the TV off manually.

      It's quite a stretch to compare tire inflation with the batteries in your remote. After all, the tires are the things that keep your car on the road. As I heard it, tire inflation was the main cause, and the reason the tires were underinflated was because that was what Ford recommended. You see, if the tires were fully inflated, people complained about the rough ride.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  76. Re:Maybe they should be held liable? by Billly+Gates · · Score: 2

    Unfortunately that is not an option for most people.

    I sure hope Mundie was referring to security as in consulting contracts. Then I have no problem with Microsoft charging extra. Unfortunately Linux does not suit my needs due to the amount of VB projects I have at work and I need to receive Word docs from customers. If Palladium ever initializes, then MS will be a requirement to read any protected Word doc.

    IF I get hacked and Windows Update is no longer free, I know who to sue. Mr Mundie, I am sorry if things are expensive right now for Microsoft but perhaps you should all learn a lesson in software design. Every single software company is liable for its products. You are no exception. If you all decided to take security early on then you would not have this expensive problem. I will not pay for your mistakes. Your programming managers should have taken in long term costs during design and as consumers we will not pay for your mistakes.

  77. Remember this? by DopeRider · · Score: 2, Interesting

    Nice old article but exaggerated. Microsoft doesn't want to ruin TCP/IP, it just wants to make money making it "trustworthy".

  78. Re:MS security? by geordie · · Score: 2, Informative

    Let me guess... Netscape 4.x?

    Check in the task manager to make sure Netscape isn't still running. I get the exact same problem here and 99% of the time it's because Netscape hasn't closed properly.
    If you see it in the task manager, kill it, then try double clicking on an html file... it should open.
    If you open one HTML file in Netscape by double clicking on the file, chances are, the next HTML file you try double clicking on won't open.

    I'm pretty sure it's a Netscape 4.x problem... Netscape 6/7 or Moz work fine when set as the default browser for opening HTML files.

  79. Ground clearance isn't for mountains, idiot. by DunbarTheInept · · Score: 2

    My previous car, a Pontiac Phoenix with about 4 inches of ground clearance, would get stuck in the snow regularly in mild snowstorms because it kept getting the underbody resting up on top of the snow without enough weight left on the wheels to have any traction. This led to many towing bills. My current car, a Jeep Cherokee, can drive through up to 8 inches deep of snow (more, probably, but I don't want to push it too much), and I haven't gotten it stuck once. Call that image or vanity if you will, but I call it the difference between being stuck at home and being able to go to work.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    1. Re:Ground clearance isn't for mountains, idiot. by DunbarTheInept · · Score: 2

      The fact that I don't enjoy being reliant on government snow plows to deem it's finally time to get around to doing my street doesn't have a damn thing to do with ego.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  80. yeah, Vinny! by twitter · · Score: 2
    There's a difference between common sense OS security (closing unneeded ports, cutting down buffer overflows, doing intelligent rights/process management)

    Yeah, Tellie, like I was telling you there's a difference between book smarts and common senses. You take Vinny, he's got no education but a MSCE and lots of smarts. He always said that "Protection" was a good market. Now here's Bill Gates telling him he was right all along.

    See? Ya gotta pay to play and if ya don't pay for the anti-viral and odda important stuff, ya gonna regret it.

    --

    Friends don't help friends install M$ junk.

  81. Product Activation is irrelevant for a "group" by unicorn · · Score: 2

    As long as you're purchasing more than 5 units for a "starter" purchase, you can get corporate licensed product. That's 5 total units, across multiple sku's if so desired. So 3 Office, and 3 Windows, and you're already there. And corporate product doesn't require activation at all.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  82. Absolutely by unicorn · · Score: 2

    That is absolutely an option.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  83. But can you still... by unicorn · · Score: 2

    get support on 7.5? Or did your innocent, pure "hardware" company end-of-life that product too?

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
    1. Re:But can you still... by 0x0d0a · · Score: 2

      I'm not sure. I haven't really used the computer for some time.

      The last thing I wanted to download was the Appearance Manager. You need the libraries in it to run some newer software -- and Apple put out a version for 7.5.5.

      They also put up System 6.0.8 (IIRC...been a while) up for free download, and 7.1 or so up for free download.

  84. 50,000,000 euros per user? by ortholattice · · Score: 2
    "If we took that responsibility, say for a big contract at Airbus, I would have to take out a giant insurance policy from Lloyds or another insurance broker, and pay a giant invoice," said Mundie. "The product would then cost not 50 euros, but 50 million."

    I don't know what product he's talking about, but 50 euros sounds like it might be volume discounted Windows XP. Being conservative and assuming the insurance company wants a 50% profit margin for taking the risk, it seems Mundie is telling us that using Windows XP causes the average user 25,000,000 euros of damage. Well, Microsoft would want its 50% cut too, so make that 12,500,000 euros of average damage. It still sounds like a lot. I know several people who use Windows XP and I don't think they've suffered that much damage yet, but I'll have to ask them.

  85. Re:MS security? by foobar104 · · Score: 2

    You claim to be fixing an error on my part by throwing out the phrase "for which they couldn't charge for?" That takes balls, dude.

  86. My Data Isn't Important? by Bilbo · · Score: 2
    > I have a feeling that whatever security initiatives MS is working on, certainly aren't aimed at the average home user.

    OK... and since when is my data, on my home computer less important than that on some corporate server?

    Just because I can't afford to cough up another $10,000 in security costs, or even another $100, does that mean MS shouldn't give me all their latest fixes in a timely manner? Do you really want another CODE RED worm making its way around hundreds of thousands of home based web servers, all because MS thought it could make money off of selling security patches? Should my system be left wide open to be raped by any script kiddie who can figure out how to download the latest root kit for my Win98 box, because MS doesn't think it's profitable for them to provide patches for that discontinued product?

    --
    Your Servant, B. Baggins
    1. Re:My Data Isn't Important? by Reziac · · Score: 2

      You're a single $89 sale. A corporation is an ongoing multi-million dollar contract. Guess whose data and security means more to M$?? Er, scratch that. Guess whose dollars speak louder. I'm not sure they give a flip about anyone's data or security except as marketing tools to hawk their latest corporate contract.

      It's not fair, and it's not reasonable from the user's POV, but it's how business works when the market is focused on big contracts, not on the end user.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  87. Re:Maybe they should be held liable? by berzerke · · Score: 2

    The only security Microsoft really cares about is the security of M$'s profits rather than the user's data.

  88. It's an american thing... by Kjella · · Score: 2

    Living here in Norway, that being about the same latitude as Alaska, there's hardly any SUVs here. If you Americans need a big car to compensate for something I don't care, but don't blame it on the weather.

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:It's an american thing... by DunbarTheInept · · Score: 2
      Living here in Norway, that being about the same latitude as Alaska
      For all your pretentiousness, you seem to lack some basic science understanding, like the fact that the Gulf Stream makes Europe a lot warmer than other places at the same latitude. Even warm Spain is at the same latitude as Illinois. To imply that because Norway is the same latitude as Alaska that it has similar weather is false. Granted, Norway DOES have wintery weather, but not to the same degree that other places at the same latitude, such as Siberia, Alaska, and Nunavut have.
      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  89. even Mundie agrees by budgenator · · Score: 2
    Even micro$oft's desktop paradigm agrees with this; a desktop is only secure when the office door is closed and locked. I guess that's why I bristle a bit when people talk about Linux/Unix desktops; they are better fitted to the workstation paradigm, a place to do serious work, with a few locking drawers for security.
    The mini/mainframe is like a bank vault: very secure, not everyone in the office is allowed in, and only good for specialized work.

    Of course all of the paradigms are shifting: desktops are blending into the workstation area, workstations are blending into both the desktop and mainframe domains, and SuSE is selling Linux for IBM S390's.
    Mundie said "...it is only in the last ten years that Microsoft has attempted to play in the security-requiring worlds of banking payroll and networked systems."
    So the desktop has tried for only ten years, then subtract out work on proprietary projects when BSD had the equivalent running better and more securely; this really makes them the new kids on the block.
    Back in 1976 one of my friends dialed a wrong number on the computer and was completely flabbergasted when another computer answered, now it's hard for the grandkids to call grandma because she's always on the internet.
    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  90. Not What you think by Lechter · · Score: 2

    I'm never one to avoid kicking Microsoft (when it's down or up), but the ZDnet article seems rather unfair and narrowly focused.

    Reading what the Reg has to say on the topic, it sounds more like MS is licensing encryption algorithms for inclusion in other products: programs (and smartcards?) to allow people to carry their encryption keys around in their PocketPCs, and giving better security to its Passport service.

    MS is a big enough company with more products than Windows, and if they offer improved security in these, or even products geared exclusively towards security (like carrying around encryption keys) then I'm sure companies will buy. (After all as far as many CIOs MS made a great solitaire program so their other stuff must be just as good!)

    The security flaws in Microsoft's programs go much farther than RSA Inc. could hope to deal with, and adding their nifty new algorithm to encrypt X by Y is not going to fix it. The only trouble that appears here, is that people may see this and think that buying the MS Windows add-on to carry keys on their PocketPC will make Windows and Office more secure - cuz it won't.

    --
    credo quia absurdum
  91. Fox. Henhouse. by Reziac · · Score: 2

    Any questions??

    --
    ~REZ~ #43301. Who'd fake being me anyway?