Security as a Profit Center?
Harry Erwin writes "This article seems to suggest Microsoft is now considering charging for security. I don't mind vendors like Counterpane Internet Security selling security services, but I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start. This proposal would create a two-tier Internet and probably make things worse rather than better. Security is like public health and education--if you think it's expensive, consider the alternative."
Haven't we ALL already paid for Microsoft security? Trojans, worms, and viruses have cost my company a hell of a lot.
Oh, you want the tires that don't explode? They cost extra...
The Right Reverend K. Reid Wightman,
Sounds like vaporware to me.
So, based on your previous security record, Mr. Gates, I gleefully award you this multi-million dollar contract for security services. I already feel safer from all those evil hacker dudez.
Honestly, what schmuck would pay Microsoft for security??
Charge for (in)security! Raise the TCO! Push even more people to other platforms!
DMCA - Chilling free speech since 1998.
Don't they already charge us (albeit in a different manner) when they give us new EULA terms for security updates?
This is not unlike the anti-virus companies who charge us for new virus definitions. Except that here, the mistakes they made shouldn't have been in there to begin with.
Unless they give us *some* kind of extra service beyond the patches, I can only see this developing into a *very* strong reason to use OSS instead of MS whenever security is important to what you're doing (essentially, always).
Companies are already distrustful of Microsoft; they resent having to pay such high licensing fees for the systems they need to keep their businesses running. Requiring that customers pay additional fees just to keep those systems secure will increase the pressure on cash-strapped (or just financially responsible) companies to make the switch towards alternatives like Linux.
Face it, Microsoft; people resent a monopolist. You can't continue to browbeat your customer base forever, and the more you do, the more will abandon you in the end.
which is perfectly legitimate.
But the idea that Microsoft can parlay their useless reputation in security into profit is laughable.
-Peter
MS has a lot of nerve charging for security when they already charge an arm and a leg for their OS and it is an unsecure piece of garbage! Beyond that it takes them six months to get a security update released, if they even acknowledge the "security hole" as an actual issue!
Why the heck should I pay extra for MS "security"!?!
What a joke!!!
-A
There's a difference between common sense OS security (closing unneeded ports, cutting down buffer overflows, doing intelligent rights/process management) and doing "extra" security that *should* be more $$$ like virus scanners or personal firewall software; things that shouldn't be totally integrated into the installed OS to begin with.
I enjoy hearing of the ways that Microsoft proposes to screw their clientele. I'm a Windows user, and will be until another OS, whether it be Mac or Linux etc., starts getting all the first-tier games before Windows. I don't do anything else with my PC, so why switch?
If Microsoft can manage to alienate the game playing crowd enough, more and more developers will transition to Linux development, and I can switch too. They are, quite charitably, squashing the chicken/egg problem in PC gaming.
How many OSes really consider "security" as a part of "core functionality"? Only one springs to mind and that is OpenBSD.
Neither Windows, Linux, Mac OS X, Solaris state "security" as a "core functionality". Yes, all are securable, but on any OS it needs a certain amount of work (yes, even OpenBSD...you need to apply the patches!) This needs maintenance, and on "homebrew servers" (read: glorified desktops) security is unfortunately just a second thought. I do realise that a well administered server will probably be secured, but that is due to a competent admin, not due to "security as a core functionality".
I don't say that "security out of the box" should not be a worthy goal, I just think that it is a utopian dream.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Next they'll start charging per-mouseclick, so go ahead now and enable the "View as Webpage" setting in Windows Explorer so you can make do with a single-click.
that are not trolls?
While not a Microsoft fan by any stretch, I don't think this is necessarily a bad idea because of this: Now, when a hacker/virus/trojan attacks, maybe Microsoft will have to accept some accountability, after all I am paying for the security. As it is now, we get hit by Nimda, Microsoft is not really liable for any damages. If I am paying for security, maybe they would be liable. Just a thought.
It seems to me that if Microsoft didn't have the reputation that they have with regard to security and reliability, the insurance policy wouldn't cost 'em so much. Kinda like auto insurance -- those that prove they can drive responsibly for a period of time pay far less than somebody who crashes 3 times in a week.
No matter what ill will the average /. user bears towards Microsoft, you can't possibly say that they are idiots.
And starting to charge for hotfixes, and obvious security holes in the OS would be an act of complete idiocy.
I have a feeling that whatever security initiatives MS is working on, certainly aren't aimed at the average home user. There's no money in it. MS makes its wad off corporate licensing. Where they don't have to worry about retailers, or packages, etc. The home user is an important market to them. But it's not what put Bill on top of the Forbes 400.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
Says the story write-up:
Internet Explorer is a fundamental, inseparable part of the operating system; but security is an add-on product. I love it.
...now promise E coli-free food for an extra fee. A spokesperson for McDonalds said, "Our revenue model doesn't normally lend itself to our being held responsible for the hygienic quality of our food; however, for a fee as disclosed in our End Eater License Agreement, we will make sure your burgers don't carry a horrid, filthy plague."
All's true that is mistrusted
Microsoft is charging for something that should be free? When did this start?
About the same time they started giving away something for which they should have charged.
It seems to me that if Microsoft can charge for enhanced security, then they are admitting that their non-enhanced versions are partially defective. From a legal standpoint, it sounds like they would be culpable for such security defects in their non-security enhanced versions, because they cannot then claim that such defects are intrinsic to the complexity of their software itself, and they cannot claim that they just didn't know how to fix it.
On the other hand, if a third-party adds security features, that company can claim that they have found ways to secure Windows, which Microsoft was not able to do.
I'm not a lawyer, but it seems that charging for security enhancement would be like charging extra for a car with a working airbag, instead of a cheaper model that works maybe 80% of the time.
How would this compare to a warranty on consumer products? It seems like a warranty is just like insurance, because you get cheaper repairs in case something goes wrong. Is this applicable to software?
BTW, I'm asking a legal question, not an ethical business question.
Does that mean it would be possible to sue M$, if they fail to provide a bought service, ie) security?
"Windows runs an arbitrary set of applications, in an arbitrary configuration, with arbitrary devices, said Mundie. 'The operating system is designed to run on machines that are not designed yet.' While Microsoft could demand that it creates the drivers for all hardware, the industry would not accept that. 'Each time we accede to the reality of the industry, we accede to the problem,' he said."
Yep. All those string buffer overflows are obviously caused by the ram. And those viruses that use Outlook automation obviously use the fact that Windows has to account for various pieces of hardware too.
In my humble opinion, the secondary cost of the operating system's security should be inversely proportional to the control granted by said operating system to the external network. What do I mean by this? The more networking gadgets one puts into their operating system, the more they are responsible for the access to said gadgets.
Security in DOS was practically non-existent, because frankly, you couldn't do much on it. The worst you could do was write data to COM1, and native DOS wouldn't do anything with it. Then came Win2 and they introduced the OLE concept, where a person could control application A through application B. Security req: still marginally zero, because of the single-user environment. Win311 brought us the Network Neighborhood, and now you could control application A over a network to control application B. Because of MS's DLL approach, the operating system now must track login names, and validate IDs, and coordinate data flows. Now we have XP, with automated updates, drivers for everything, protected modes, lots of complexity that MUST be secured by the operating system.
Brief Analogy: I build you a house, and I install a cardboard front door, then to protect this cardboard door I want to sell you the steel door as a security "upgrade". In a perfect world without crimes, we wouldn't need any doors, but that's not the way things work...
In short, Microsoft measured their rope, and now they're trying to avoid the gallows. They built an operating system that's practically transparent to the network, then they're horrified that someone other than MS might exploit this transparency. If they aren't willing to protect the public from their own products, then someone needs to inform the public that there are better products in existence...
Any bets on how long it will take MS to get exclusive, multi-billion dollar contracts with US Government Agencies to help secure Microsoft products?
And are any US taxpayers interested in suing both parties when it happens?
Perhaps we really should view Mundie's excuses as the perfect argument why Microsoft software is simply inappropriate in some places. Mundie's comments are simply crass and insulting. Why should Microsoft be guaranteed profitability in a certain market niche? Why should we just forgo products liability just because it might not make a particular company competitive anymore?
Liability concerns have forced far more worthy companies out of this particular market (aircraft subcontractors). Why should Microsoft expect special treatment?
A Pirate and a Puritan look the same on a balance sheet.
Microsoft Windows XP: $100/license.
Microsoft Office XP: $300/license.
Paying extra for security: Thousands of dollars per site.
Realizing there's a free, secure alternative: Priceless.
Some things money can't buy. For everything else, there's Microsoft.
"I may be quite wrong." - Socrates
I get lots of good ideas. I'll even give you some for free. But hire me afterwards, OK?
1. Well, you can charge people less for running at lower resolutions like 640x480. See? It even sounds better than saying 'our higher res clientele will have to pay more'
2. You can also charge extra licensing fees for users that think they might need a mouse. Heck, Linux does it... yes linux does too, since the mouse functionality costs nothing, which is precisely as expensive as the whole OS...
3. You might as well begin to start charging admission fees to all buildings that contain a machine with windows on it. KA-CHING!
That's it. 3 ideas are all you get. Now will you hire me?
Blearf. Blearf, I say.
Enough customers do want added features, that product revs are inevitable.
And as the codebase moves forwards, eventually older versions of it are going to become sufficiently arcane that nobody continues to understand them, etc. It's just the nature of business, that they can't possibly support all products forever. Not even when it comes to vulnerabilities. I'm sure that you could dig up vulnerabilities in other 5 year old applications, and odds are, most/all of those vendors either aren't supporting the product anymore. Or they simply don't exist anymore at all.
Just ring up IBM, and ask them for bugfixes for SmartSuite 97. Good luck.
It's the nature of the beast, that eventually support WILL die off for old products. That's the case with almost any industry. And the computer industry prides itself in moving further, and faster than any other industry in history. Part of moving fast, is the danger of getting left behind.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
At what point does the consumer stop doing business with a company that admits that everything they sold you in the past is a POS in order to get you to buy yet another upgrade? At what point do corporations decide it might be a bad idea to single source all its software from a company that considers security to be optional?
"Freedom means freedom for everybody" -- Dick Cheney
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently." Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security, and it is only in the last ten years that Microsoft has attempted to play in the security-requiring worlds of banking payroll and networked systems.
The reality is that M$ sold products that were expected to perform to a base level in terms of quality and security. Because users can't look under the hood so to speak, the quality and security issues didn't emerge until it was too late. Now the customer is screaming for relief and MS is there with its hand out.
Also does it sound like the lines between security and DRM are being intentionally blurred here?
Hey, it takes a lot of work to install Unix, set up WINE, and then get all the MSOffice applications to work well on top of WINE :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
When people talk about software security, they're putting the cart before the horse. Security is a metaphor for quality. Every time a vulnerability exists, it is because of some sort of an error. This is true almost by definition.
Microsoft's products are not crappy because they are insecure. They are insecure because they are crappy.
If you take the article in question and substitute the word "Quality" for "Security," it becomes a much more truthful statement of what's really going on. Microsoft never cared about quality because they had a monopoly. Their overriding concern has never been quality, it's been in maintenance of their monopoly position. So they've shoehorned in any new feature that has shown any promise of being a technology that they can monopolize down the road or that can commoditize the work of a competitor and thus help drive them out of business.
First.. they said they were not ready to approach trusted computing until people were ready to pay for it.
Well, does that not make sense? There is no business sense in spending the money to develop something if people are not willing to pay for it.
Trusted computing is not about security.. it's about accountability. It's about being able to have a proper audit trail for who did what when, no matter what. Your data can still be stolen, you just know who did it.
Microsoft is not talking about charging for security patches or updates. They are talking about complete trusted systems, something they don't have yet (though NT goes further in this regard than linux does, by quite a bit. Notice how if a user changes the permissions on a file so administrator can't read it, then Administrator can't read it until he a) takes ownership of it and b) changes the permissions. Admin still has the power to read anything, but not without leaving a mark that they did it.)
They are talking about having secure offerings for trusted computing.
The secret is that Bill Gates is a precog and the actual Windows code base has been frozen for the last 20 years. The entire OS runs in 640K and will continue to operate on Intel hardware until they go belly up in 2069 when the transistor density of their final design combined with the intense heat it generates spontaneously punches through time/space to form a black hole.
Each new release is the last version with an exponentially increasing "fudge factor", a data file of randomized pRon collected by a web spider. This makes it look like they are actually doing work in Redmond instead of playing CounterStrike 24/7.
All Windows development ("cat Windows2000 pRon.dat > WindowsXP") occurs on a single IBM XT running Minix.
So Microsoft's *web browser* is a vital part of the core operating system, inseparable despite all the efforts of their engineers...but security is an add-on product.
Odd how "harsh technical realities" always seem to favor MS's bottom line.
May we never see th
I've heard the argument that open source companies rely on the difficulty in using or installing their products (i.e. sendmail). However, now that MS is pondering charging for security, doesn't that suggest the argument that they are charging for what they can most easily make money on? Having many issues with security could become a strong business model and effectively force people to pay for the fixes as the "default" patch level that the OS ships with becomes correspondingly decrepit and bug-ridden.
Look at the posts on this thread. They are all talking about cost inflation and the price of autos. Hilarious.
Guys... they meant proper tire inflation. If you are not a citizen of the USA, then you are of course pardoned. If you are a US citizen, I can assure you that where you live the news usually comes on at 5, 6, and probably also 9, 10, and 11.
SO HERE'S a little history.
The real reason why everyone else modded this joke up was that at a certain point in the debauchery that caused so many Expedition/BIG Ford SUV deaths, both Ford and Firestone tried to shift the blame on the consumer stating that most of these roll over deaths could have been prevented by the driver having proper tire inflation.
This, in a sense is the equivalent of saying that if a consumer does something so benign as not change their VCR remote batteries on a regular basis, then they deserve to be electrocuted the moment they try to turn the TV off manually.
Heh nice Red Dwarf quote.
"Why is it always assumed that security must come at the expense of usability."
Why? Because the greater number of features, the greater the likelihood of mischief. Remember Melissa? I'll use a non computery example: Universal remotes. Now you can buy a remote that'll operate nearly any TV. Result? I'm wearing a watch right now with a built in universal remote. I've been quite obnoxious at places like Applebee's because their TVs don't have an authentication system with regard to their remote control. If they were to implement one, then their TVs would only work with the permitted remotes, which would become a rather huge hassle if the remote needed to be replaced.
Not the strongest example, but hopefully you get my idea. Buffer overruns can be predictably fixed, unexpected mischievous results from added features cannot.
"As for the comment that MS excels at things it thinks it can make money from WinME anyone???"?
My mistake. As your 1 (one) example clearly shows (I'll just have to take your word for it that MS didn't make money on it, heh.), I am 100% completely wrong. Microsoft has never ever made money on anything it has ever been interested in. I'll have to agree with you there!