Slashdot Mirror


Security as a Profit Center?

Harry Erwin writes "This article seems to suggest Microsoft is now considering charging for security. I don't mind vendors like Counterpane Internet Security selling security services, but I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start. This proposal would create a two-tier Internet and probably make things worse rather than better. Security is like public health and education--if you think it's expensive, consider the alternative."

24 of 468 comments

  1. I don't understand... by Punk+Walrus · · Score: 5, Funny

    Haven't we ALL already paid for Microsoft security? Trojans, worms, and virii have cost my company a hell of a lot.

  2. Then the Ford dealer asks by giminy · · Score: 5, Funny

    Oh, you want the tires that don't explode? They cost extra...

    --
    The Right Reverend K. Reid Wightman,
    1. Re:Then the Ford dealer asks by CyberKnet · · Score: 5, Funny

      Silly me.

      *smacks himself*

      And here was I, thinking that inflation was the cause!

      --
      Video meliora proboque deteriora sequor - Ovidius
    2. Re:Then the Ford dealer asks by ChaosDiscord · · Score: 5, Insightful
      No, this is why a new car today costs (on average) about $22,000 (US) whereas when I started driving in 1976 the average was closer to US$10,000.

      I suspect that inflation has more to do with the issue. Given inflation since 1976 (PDF, sorry. You'll get similar numbers from other sources) cars are now proportionally cheaper. Assuming car prices moved exactly with inflation, your $10,000 car would now run $31,600. Naturally this cost saving is due to other reasons (more efficient manufacturing processes, cheaper foreign labor, newer and cheaper materials). Sure, adding safety features did increase the cost, but not by a huge margin.

  3. Microsoft selling security? by Ruis · · Score: 5, Funny

    Sounds like vaporware to me.

  4. Yea, right..... by FreeLinux · · Score: 5, Interesting

    So, based on your previous security record, Mr. Gates, I gleefully award you this multi-million dollar contract for security services. I already feel safer from all those evil hacker dudez.

    Honestly, what schmuck would pay Microsoft for security??

  5. Well... by Xenographic · · Score: 5, Interesting

    Don't they already charge us (albeit in a different manner) when they give us new EULA terms for security updates?

    This is not unlike the anti-virus companies who charge us for new virus definitions. Except that here, the mistakes they made shouldn't have been in there to begin with.

    Unless they give us *some* kind of extra service beyond the patches, I can only see this developing into a *very* strong reason to use OSS instead of MS whenever security is important to what you're doing (essentially, always).

  6. They're asking for it. by mesozoic · · Score: 5, Insightful

    Companies are already distrustful of Microsoft; they resent having to pay such high licensing fees for the systems they need to keep their businesses running. Requiring that customers pay additional fees just to keep those systems secure will increase the pressure on cash-strapped (or just financially responsible) companies to make the switch towards alternatives like Linux.

    Face it, Microsoft; people resent a monopolist. You can't continue to browbeat your customer base forever, and the more you do, the more will abandon you in the end.

  7. All joking aside by Telastyn · · Score: 5, Insightful

    There's a difference between common sense OS security (closing unneeded ports, cutting down buffer overflows, doing intelligent rights/process management) and doing "extra" security that *should* be more $$$ like virus scanners or personal firewall software; things that shouldn't be totally integrated into the installed OS to begin with.

  8. good by gornar · · Score: 5, Interesting

    I enjoy hearing of the ways that Microsoft proposes to screw their clientele. I'm a Windows user, and will be until another OS, whether it be Mac or Linux etc., starts getting all the first-tier games before Windows. I don't do anything else with my PC, so why switch?
    If Microsoft can manage to alienate the game playing crowd enough, more and more developers will transition to Linux development, and I can switch too. They are, quite charitably, squashing the chicken/egg problem in PC gaming.

  9. "core functionality"? by jawtheshark · · Score: 5, Insightful

    How many OSes really consider "security" as a part of "core functionality"? Only one springs to mind and that is OpenBSD.
    Neither Windows, Linux, Mac OS X, Solaris state "security" as a "core functionality". Yes, all are securable, but on any OS it needs a certain amount of work (yes, even OpenBSD...you need to apply the patches!) This needs maintenance, and on "homebrew servers" (read: glorified desktops) security is unfortunately just a second thought. I do realise that a well administered server will probably be secured, but that is due to a competent admin, not due to "security as a core functionality".
    I don't say that "security out of the box", should not be a worthy goal, I just think that it is a utopian dream.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:"core functionality"? by amarodeeps · · Score: 5, Insightful

      Well, there are two types of security we could talk about here: one is the sort that you need to do to set up a box securely with any OS. That includes configuring ports to be shut down and starting only the services/daemons that you want running, implementing firewall rules, setting up intrusion detection, etc. OpenBSD doesn't really do so much of that either from what I know (probably more than most any other OS I guess...), but they don't start anything up out of the box if I recall correctly, so there is a basic level of configuration-dependent security.

      However, it seems like Microsoft has a lot of security problems that are based around poor coding practices. This is definitely something the OpenBSD folks try to mitigate, with their constant code auditing. But MS doesn't seem to care if they toss out a product with numerous buffer overflow vulnerabilities, permission violations, etc. And these are the sorts of problems they are always releasing patches for.

      Now, there are certainly plenty of patches going around for other products and certainly open source ones, but I don't think that anybody thinks that a patch due to poor programming should be something the user has to deal with. There are best practices involved with coding things securely, and they aren't necessarily things that you have to do that are outside of what it means to code something well.

      So what I want to know is if they are going to be charging for these sorts of 'programmer error' fixes, or what? Are they going to start selling their OS in a 'non-sloppily' programmed version?

      I find it pretty offensive that they would charge for patches to software that wasn't written well in the first place.

  10. Re:What next? by pizza_milkshake · · Score: 5, Funny

    Next they'll start charging per-mouseclick, so go ahead now and enable the "View as Webpage" setting in Windows Explorer so you can make do with a single-click.

  11. Chicken and egg problem? by cballowe · · Score: 5, Insightful
    In presenting Microsoft's trustworthy computing initiative, Mundie defended the company's reluctance to follow through and accept legal responsibility for the security of its products. "If we took that responsibility, say for a big contract at Airbus, I would have to take out a giant insurance policy from Lloyds or another insurance broker, and pay a giant invoice," said Mundie. "The product would then cost not 50 euros, but 50 million."


    It seems to me that if Microsoft didn't have the reputation that they have with regard to security and reliability, the insurance policy wouldn't cost 'em so much. Kinda like auto insurance -- those that prove they can drive responsibly for a period of time pay far less than somebody who crashes 3 times in a week.
  12. I'll wait, and see by unicorn · · Score: 5, Insightful

    No matter what ill will the average /. user bears towards Microsoft, you can't possibly say that they are idiots.

    And starting to charge for hotfixes, and obvious security holes in the OS would be an act of complete idiocy.

    I have a feeling that whatever security initiatives MS is working on, certainly aren't aimed at the average home user. There's no money in it. MS makes its wad off corporate licensing. Where they don't have to worry about retailers, or packages, etc. The home user is an important market to them. But it's not what put Bill on top of the Forbes 400.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  13. Priorities by catfood · · Score: 5, Insightful

    Says the story write-up:

    I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start.

    Internet Explorer is a fundamental, inseparable part of the operating system; but security is an add-on product. I love it.

  14. In other news, restaurants nationwide... by Theatetus · · Score: 5, Funny

    ...now promise E coli-free food for an extra fee. A spokesperson for McDonalds said, "Our revenue model doesn't normally lend itself to our being held responsible for the hygienic quality of our food; however, for a fee as disclosed in our End Eater License Agreement, we will make sure your burgers don't carry a horrid, filthy plague."

    --
    All's true that is mistrusted
  15. Buffer Overflow by sdjunky · · Score: 5, Interesting

    "Windows runs an arbitrary set of applications, in an arbitrary configuration, with arbitrary devices, said Mundie. 'The operating system is designed to run on machines that are not designed yet.' While Microsoft could demand that it creates the drivers for all hardware, the industry would not accept that. 'Each time we accede to the reality of the industry, we accede to the problem,' he said."

    Yep. All those string buffer overflows are obviously caused by the ram. And those virii that use Outlook automation obviously use the fact that Windows has to account for various pieces of hardware too.

  16. Re:Maybe they should be held liable? by jedidiah · · Score: 5, Interesting

    Perhaps we really should view Mundie's excuses as the perfect argument why Microsoft software is simply inappropriate in some places. Mundie's comments are simply crass and insulting. Why should Microsoft be guaranteed profitability in a certain market niche? Why should we just forgo products liability just because it might not make a particular company competitive anymore?

    Liability concerns have forced far more worthy companies out of this particular market (aircraft subcontractors). Why should Microsoft expect special treatment?

    --
    A Pirate and a Puritan look the same on a balance sheet.
  17. Some things money can't buy by McCart42 · · Score: 5, Funny

    Microsoft Windows XP: $100/license.
    Microsoft Office XP: $300/license.
    Paying extra for security: Thousands of dollars per site.
    Realizing there's a free, secure alternative: Priceless.

    Some things money can't buy. For everything else, there's Microsoft.

    --
    "I may be quite wrong." - Socrates
  18. 5 years, is not a short life span at all by unicorn · · Score: 5, Insightful

    Enough customers do want added features, that product revs are inevitable.

    And as the codebase moves forwards, eventually older versions of it are going to become sufficiently arcane that nobody continues to understand them, etc. It's just the nature of business, that they can't possibly support all products forever. Not even when it comes to vulnerabilities. I'm sure that you could dig up vulnerabilities in other 5 year old applications, and odds are, most/all of those vendors either aren't supporting the product anymore. Or they simply don't exist anymore at all.

    Just ring up IBM, and ask them for bugfixes for SmartSuite 97. Good luck.

    It's the nature of the beast, that eventually support WILL die off for old products. That's the case with almost any industry. And the computer industry prides itself in moving further, and faster than any other industry in history. Part of moving fast, is the danger of getting left behind.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  19. Aim at foot, pull trigger by El · · Score: 5, Insightful
    What incentive does M$ have to make sure the operating system they sell you today works, when their business model calls for them to sell you a new operating system every year? (In fact, they've even used the fact that their previous release was a POS to sell new releases!) What incentive does M$ have to fix the vast security holes in their standard releases, when they can make even more money by charging you for the security patches?


    At what point does the consumer stop doing business with a company that admits that everything they sold you in the past is a POS in order to get you to buy yet another upgrade? At what point do corporations decide it might be a bad idea to single source all its software from a company that considers security to be optional?

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  20. Quality, not security by nsayer · · Score: 5, Insightful

    When people talk about software security, they're putting the cart before the horse. Security is a metaphor for quality. Every time a vulnerability exists, it is because of some sort of an error. This is true almost by definition.

    Microsoft's products are not crappy because they are insecure. They are insecure because they are crappy.

    If you take the article in question and substitute the word "Quality" for "Security," it becomes a much more truthful statement of what's really going on. Microsoft never cared about quality because they had a monopoly. Their overriding concern has never been quality, it's been in maintenance of their monopoly position. So they've shoehorned in any new feature that has shown any promise of being a technology that they can monopolize down the road or that can commoditize the work of a competitor and thus help drive them out of business.

    1. Re:Quality, not security by Florian+Weimer · · Score: 5, Insightful

      Microsoft never cared about quality because they had a monopoly.

      A few years ago, Microsoft didn't have a monopoly at all. But the competition couldn't really compete on quality (or security, for that matter). The UNIX camp had its internal conflicts, IBM marketed OS/2 as a Windows emulator (and got cautious when it was too successful in Germany), and MacOS required a brainwash to view its quality (and most of its security was the result of a single-user system).

      The market demanded only a very basic level of software quality, and Microsoft delivered software which matched the expectations of the market. What else could have made Microsoft such a huge company? Alien influence?

      Apart from that, I believe that charging for critical security information is morally wrong (and not in the "proprietary software is bad" sense, but in the "not warning your neighbor when he's about to get hurt" sense). But who's seriously into (the very practical aspects of) computer security and does not sell e.g. early-access information?