Slashdot Mirror


Microsoft May Charge for Security Tools

rscrawford writes "CNN reports that Microsoft may charge extra for security software. So first they edge their competition out of the browser market, then they tie IE into the OS so tightly that a crash in IE can crash the computer, and then they make IE so vulnerable that just using it is hazardous to the typical computer's health, and now they want to CHARGE users to fix it?"

33 of 642 comments

  1. Once again, Microsoft blames the users. by IO ERROR · · Score: 5, Insightful
    Some experts blame Microsoft for Windows vulnerabilities that help spread spyware. Microsoft and some others, meanwhile, said blame should be directed instead at spyware manufacturers.

    "Spyware usually gets on your computer through human error," said Marc Maiffret of eEye Digital Security Inc., which regularly discovers serious Windows flaws.

    Yeah, sure, if starting the computer is human error. It takes what, five minutes or less, for an XP box to get riddled with viruses, Trojans, etc.? The error is Microsoft didn't ship an operating system that could remotely be considered secure. You can't connect to the network to download SP2 without risking the computer. Where's the sense in this? Where's the user error?

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
    1. Re:Once again, Microsoft blames the users. by Anonymous Coward · · Score: 5, Insightful

      You can't connect to the network to download SP2 without
      risking the computer. Where's the sense in this? Where's the user error?


      This is how people think after so much time with viruses. They are used to performing workarounds for Windows that lead to acceptance of viruses (just buy an antivirus) that lead to acceptance of spyware (just buy an antispyware) and that lead to acceptance of systems so bogged down by combinations of the above (just reinstall every 6 months).

      It's a bit like living in a really bad neighbourhood and denying it's a problem. "Oh we're OK, we live in a safe area. As long as you put bars on all your windows, don't leave the house when it's dark, put up bullet proof windows, and don't make eye contact with the neighbours you're perfectly safe"

      Apart from how it's broken, it works perfectly.

      MS is fucked, but they don't mind. The consumer state of society today means MS can just tell people they need to buy something, and people will do what they're told to.

    2. Re:Once again, Microsoft blames the users. by rackhamh · · Score: 2, Insightful

      I've loaded Windows (various versions) onto machines, then downloaded service packs, with no firewall, MANY times, and never gotten a single trojan or spyware.

      Perhaps the 20 minute figure that people like to bandy about has more to do with common user behaviors -- namely, the fact that most people don't even know what a service pack IS?

      I imagine the average user's behavior to be something like this:

      1. Turn on computer.
      2. Install AOL.
      3. Check email. Oh look, there's an email from Aunt Marge! And it has an attachment! Aunt Marge has a great sense of humor -- I bet it's a funny picture or something!
      4. Open attachment.
      5. Congratulations, your computer is infected.

      Please note that in this process, the thought of patching the machine never crossed the user's mind. Microsoft (and computer manufacturers) may be failing to properly inform the users of the importance of patching, but c'mon, face it -- even Linux has to be patched to be secure... and the burden is ultimately on THE USER to do so.

    3. Re:Once again, Microsoft blames the users. by Jace of Fuse! · · Score: 4, Insightful

      They are used to performing workarounds for Windows that lead to acceptance of viruses (just buy an antivirus) that lead to acceptance of spyware (just buy an antispyware) and that lead to acceptance of systems so bogged down by combinations of the above (just reinstall every 6 months).

      There are small, efficient, safe, and free programs that perform these tasks without bogging the system down.

      But your points do to some degree stand. Though even if the virus/worm/spyware problem weren't as bad today as it is, I probably would STILL run a software firewall and a good antivirus just as a matter of precaution. I also have all of my systems behind the network firewall but not everyone has that option.

      The point is, that just because things are worse now on Windows than they have ever been, doesn't mean that good precautions wouldn't be paying off.

      It's only a matter of time before MacOS X gains enough popularity that its own security holes (though admittedly less serious than many of those in Windows) are mass exploited causing many Mac users some grief.

      As it stands right now MOST Linux users can fend for themselves. How true do you think that would be if there was a huge wave of new Linux users converting from Windows? The clueless masses would show people that even a Linux box in the wrong hands can be exploited, and I would dare say that an army of compromised *nix boxes is a far greater threat to the internet as a whole than the army of zombie Dialup AOL connected budget PCs running XP home that we currently have to deal with.

      Security IS a problem right now, but Windows is only PART of the problem. The clueless human side of the equation isn't going to go away no matter how many people ditch Windows.

      --

      "Everything you know is wrong. (And stupid.)"

      Moderation Totals: Wrong=2, Stupid=3, Total=5.
    4. Re:Once again, Microsoft blames the users. by owenb · · Score: 2, Insightful
      I have recently found a copy of an old check from an anti-virus company to a student which proves that the student was paid to write viruses to help improve the bottom line.


      OK, I'm going to call you on that. Can you provide some data? A scan of the check online? The name of the student? The name of the anti-virus company? The virus that the student wrote? Otherwise, I'm highly skeptical.

    5. Re:Once again, Microsoft blames the users. by mindriot · · Score: 2, Insightful
      There's a difficult concept to grasp here. You actually have to wait until the OS is booted and the firewall is enabled and _then_ plug the cable in.

      Hmm. Seems that my DHCP request has to be sent using IP-over-Magic then...

      If your interface is DHCP'd and you don't have the cable in, does the firewall still come up if the initial DHCP fails??

      And, in any case, that's another workaround people get used to and learn to live with... it should not be like that. Microsoft claims that their operating system's usability is so good that you don't need much experience in using Windows. But the usability approaches zero with all these workarounds you have to know about just to get the system to a state where you can actually concentrate on what you really wanted to work on.

      That adds a whole new perspective to the Linux-on-the-desktop discussion. Maybe Linux isn't as straightforward. Windows might be. But with all the crap you have to deal with in Windows (and it seems to just get more and more), it seems that in the end, Linux ends up being a MUCH better Desktop OS, even in its current state of relatively worse usability.

  2. ack! by nizo · · Score: 4, Insightful
    Microsoft's disclosure that it may eventually charge extra for Windows protection reflects a recognition inside the company that it could collect significant profits by helping to protect its customers.

    And they don't see a conflict of interest here? Exactly what incentive would they have to fix security holes which are allowing malware into the machine in the first place if they are selling other products to "block" these kinds of attacks, or are they planning on charging for patches?

    1. Re:ack! by moexu · · Score: 2, Insightful

      "[H]elping to protect its customers" seems awfully euphemistic to me. Wouldn't it help their customers more to release software without the security holes that allow malware in the first place?

      --
      "Seek first to understand." - Socrates
  3. Seems unusually blatant by bigberk · · Score: 4, Insightful

    I mean, they were buying up security competitors as recently as Wednesday! Wouldn't that be a bit too blatant? Are they really trying to monopolize the desktop security market, or are they just trying to help cover costs in what is going to prove to be a very, very expensive area (once they start getting sued for having such a shoddy, insecure product)

  4. Software sales - marketing by Ogrez · · Score: 5, Insightful

    The only thing in this world I have found to be sleazier than lawyers are software salesmen. This isn't a new idea from Microsoft... IBM did it for years with mainframe releases. You have to have a service contract to get the updates to fix the bugs.

    This problem of releasing buggy software and charging for fixes is inherent in the software world.

    --


    Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
  5. That's not quite what they said. by Anonymous Coward · · Score: 2, Insightful

    Security fixes are going to be free.

    The question is whether or not the AV and/or AS tools are going to be free.

    Think of it as a choice - you can put them in the OS (so they'll be "free") at the cost of adding more bloatware (important bloatware, but bloatware) to the OS.

    Or they can fix the @#$@#$ security holes that the spyware vendors are using to install their software and sell anti-spyware software to the dumb users who are stupid enough to download kazaa.

    It's not like giant's antispyware software was EVER free...

  6. In Microsoft language... by gmuslera · · Score: 2, Insightful
    As all problems are user generated, then it is coherent that users must pay for solutions. After all, who clicks on attachments? (well, when the mail reader doesn't load the attachments by itself) Who doesn't install firewalls when connecting to the internet? Who chooses to use a faulty browser?

    See? All those security problems are the end user's fault, they must pay!

  7. According to /. they will lose either way... by C. Mattix · · Score: 5, Insightful

    Look at it this way. They bought an adware company because they see that this is a problem. If they suddenly "bundled" an adware solution, the zealots would say they are trying to drive adaware and spybot out of the market. But since they are selling the solution and hence giving the customers choice, they are trying to screw the customers. No matter how secure they make the OS, there WILL be people who will run as admins and click "yes" to everything. These are the solutions that they are going to sell.

    It isn't the first time they've had security software either. Anyone remember MSAV.exe?

  8. The Push to Linux by Nom du Keyboard · · Score: 2, Insightful
    now they want to CHARGE users to fix it

    More than anyone or anything else, Microsoft will become the major force pushing users to Linux.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  9. Short answer by Phibrizo · · Score: 2, Insightful
    So first they edge their competition out of the browser market, then they tie IE into the OS so tightly that a crash in IE can crash the computer, and then they make IE so vulnerable that just using it is hazardous to the typical computer's health, and now they want to CHARGE users to fix it?
    Yes.
    --
    Sorry, english is not my mother tongue
  10. Well... by rewt66 · · Score: 5, Insightful
    As an employee of a security company, I don't have a problem with this. I would have more of a problem with Microsoft giving it away for free. (And, I hope, the toothless antitrust enforcement might have a problem with it, too, but I wouldn't bet on it.)

    But really, we cry "unfair" over what they did to Netscape. Rightly so; it was unfair. If they had sold IE as a separate product, it wouldn't have been unfair. So now they sell this stuff as a separate product. They're not bundling. So what's the problem?

    And there's another way this is good: TCO studies. The more extra charges you have to have from Microsoft to have a working product, the better TCO Linux has by comparison. (That is, if it's an honest comparison. But instead, what we'll probably see is bogus TCO "studies" where Microsoft looks good, but it omits the security stuff. Then when you go to actually buy it, there's these extra costs, like the auto dealers do with "dealer prep".)

  11. Gee, no bias on this website by rd_syringe · · Score: 1, Insightful

    After reading such a thoughtful, nonbiased, objective article submission, I'm left at a loss as to how to respond with my own subjective opinion without ruining the objectivity laid down by this stunning example of research and fact.

  12. So let's see by YrWrstNtmr · · Score: 4, Insightful
    MS includes a necessary tool for free: "Unfair bundling! They're just trying to muscle everyone else out of the market"

    MS charges a fee for a necessary tool: "Charging for this? What a ripoff!" (even though their major competitors charge a fee for similar tools)

    Yes, that money may have been better spent in actually fixing the items that need these security tools, but it seems like they can't win either way.

    1. Re:So let's see by RealAlaskan · · Score: 2, Insightful
      MS includes a necessary tool for free: "Unfair bundling!

      MS charges a fee for a necessary tool: "Charging for this? What a ripoff!"

      How about:

      MS includes a necessary tool free, using the profits from their OS monopoly to destroy a competitor: ``Unfair bundling!''

      MS charges a fee for a tool which is only necessary because of their mal- or non-feasance: ``Charging for this? What a ripoff!''

      No inconsistency here.

  13. it's their business plan, not a "conflict" by Anonymous Coward · · Score: 2, Insightful

    really this is ingenious.

    monopoly
    +
    user-idiocy
    +
    shitty software
    =
    self-re-enforcing money machine.

    really a brilliantly simple plan if ya think about it from a monopoly business's p.o.v.

    no surprise to anyone familiar with their previously demonstrated propensity for... ahem... evil?

  14. Sue MSFT for racketeering? by G4from128k · · Score: 2, Insightful

    This sounds like a classic protection racket. They create a defective product and then extort the customer. "Pay us or bad things happen to your computer." I wonder if a nice RICO suit will change their mind about this.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Sue MSFT for racketeering? by DerWulf · · Score: 2, Insightful

      RICO suit? Are you out of your mind? RICO is about membership in a criminal organization. Do you suggest that MS is the mafia? Has there been a MS led drive-by shooting I somehow missed in the news?

      Furthermore, their product is not defective because there is no standard of security that can be regarded as 'whole'. Every operating system has ways to delete data for instance. There is your virus right there.

      Concerning your choice of words: Extortion would be if they exploited the security holes to bully you into buying their security package. Now, the article did in no way, shape or form suggest that, did it?

      --

      ___
      No power in the 'verse can stop me
  15. I don't see anything wrong with this. by WasterDave · · Score: 2, Insightful

    See, there's been a bit of a noise around the web about this whole thing over the last day or so and I really can't see the problem with it.

    Microsoft charge for software. Charge. Money. Whether you pay it, or you pay it when you buy your box, or your suppliers pay it and pass the cost on, or your customers pay it and have less money left over to pay it for you, or your government taxes you then uses that to pay it the basic equation is still there. Microsoft charges money for software. Get over it.

    They also charge money for shit software, in case you hadn't noticed. Then they charge more money for shit-software-server, then more again for a CAL onto shit-software-server, then some more for shit-CMS and so on and so forth. So, on the rare occasion that Microsoft buys someone that makes good software and badge engineers it, why is everyone suddenly up in arms?

    It's not like this is the first time that Microsoft has used a flaw in one product to sell another.

    Dave

    --
    I write a blog now, you should be afraid.
  16. The difference between a software salesman... by AmazingRuss · · Score: 2, Insightful

    ...and a used car salesman is that the used car salesman KNOWS when he's lying to you.

  17. Profit? From where? by Alwin Henseler · · Score: 5, Insightful
    I wonder where MSFT thinks the money for this extra software should come from? I mean, are IT budgets of customers (including Joe Sixpack) suddenly going up, so that extra funds are available to sink into these tools? If not, that would mean that either:
    1. Windows should get cheaper, otherwise customers wouldn't have money left over to invest in these extra tools. This seems feasible; with competition from Free/OSS and users getting fed up with buggy software, market value of Windows is likely to drop. This could be a covert way to restore profit margins.
    2. Hardware should get cheaper, so that more money is left over for software. Doesn't seem likely; hardware does get cheaper, but Joe Sixpack still buys expensive PC's, he just gets more bang for his bucks.
    3. These extra tools are meant to replace competitor's offerings. Interesting option: if they are just another offering in a crowded field, okay. But first given away as a freebie, and then start charging after a while, when users become convinced they absolutely need it? In that case, could be an interesting candidate for another anti-competitive investigation.

    If you can't baffle them with brilliance, dazzle them with bullshit.

  18. How long until they charge for Service Packs? by FreeLinux · · Score: 2, Insightful

    This is something that has been bothering me lately. How long will it be before Microsoft starts charging for Service Packs and Hot Fixes? So far, they haven't done it but, it occurs to me that it is only a matter of time.

    But, the worst part of the idea is that Open Source vendors are opening the door for Microsoft and blazing a trail toward exactly that. Open Source vendors such as Red Hat and Novell/SuSE are selling "cheap" software, built by the Open Source community, and charging a premium for patches. It is a "new business model".

    The base software is sold cheap or given away and they make their real money from "support services". However, close inspection of the "support services" show that they offer very little in the way of technical support. They do however offer password protected access to the sites used to download the patches and security fixes for the free/cheap software.

    All this isn't going un-noticed by Microsoft, who has toyed with the idea of charging for Service Packs before. In the past however, customers told them in no uncertain terms that they would not pay for bug fixes to software that those customers had already paid a premium for.

    Microsoft then developed the "Software Assurance" subscription model, where customers pay a subscription fee that entitles them to future version upgrades. But, Microsoft is still spending money and effort to provide free patches and they don't like doing it as they perceive it as lost revenue.

    But, the "new business model" that Open Source vendors are acclimating their customers to is likely to open up that revenue stream for Microsoft. Just as all the other software vendors were able to leverage the subscription model after Microsoft had acclimatized the customers, it is entirely likely that customers who are accustomed to the Open Source method of paying for patches will not balk at paying Microsoft for their patches too.

    It's a dark and pessimistic vision of the future, I know. But, can you imagine Microsoft actually passing up a new revenue stream from the same old product? That doesn't seem likely to me.

  19. RTFA! by Anonymous Coward · · Score: 1, Insightful

    It's a misleading headline. The article is about anti-spyware software, not about security-hole patches. Spyware can end up installed, by an app from a "reputable" vendor, on a perfectly "secure" machine on any OS (as anyone who's used any RealNetworks software knows**).

    Now, commence the nit-picking arguments about how xx% of spyware IS installed through security holes without the user doing anything, and the annoying semantic arguments about whether the fact that spyware is even possible means that there's a security hole.

    After you're done with that, realize that this is still not the same thing as charging to fix security holes.

    **this may have changed; I haven't used RealAnything in about 5 years.

  20. Microsoft... by rice_burners_suck · · Score: 2, Insightful
    So first they edge their competition out of the browser market, then they tie IE into the OS so tightly that a crash in IE can crash the computer, and then they make IE so vulnerable that just using it is hazardous to the typical computer's health, and now they want to CHARGE users to fix it?

    Microsoft is beginning to remind me of the INS. This kind of unreasonable reasoning is, in fact, quite similar to that which occurs in government bureaucracies. Allow me to explain: When I moved to the U.S. from Europe, I had to go through this government disaster called the INS. As it turns out, at the time that my paperwork was being processed by that disorganization, there were some people working there who shredded documents belonging to about 80,000 U.S. immigrants. They did this because there was a huge backlog in paperwork processing, so some wise guy decided that by shredding the documents instead of filing them, he could make it look like his company was making improvements. This was eventually caught, and I believe that criminal charges were filed.

    But that didn't exactly help me. I was one of those 80,000 people. The result of this shredding was that after going through the process, which takes years by the way, nearly all of the paperwork from my file was shredded. As a result, the INS got "confused" in a way very similar to that of a computer running Windows, when the operating system is suddenly deleted in mid-operation. It took quite a few years to finally get a hold of someone deep enough in the disorganization who had the power to do something about it.

    Here's the part relevant to this story: When they discovered that my file was shredded, they told me that as a result of the INS's errors, I would have to pay a fine of over 1,000 dollars to get the process back on track.

    In other words, they create a disorganization so big that putting some stamps on some pieces of papers takes years, then they shred my papers, then they make me wait years (and if I hadn't fought tooth and nail, they would never have acknowledged that they screwed up), and then, I had to pay a fine to fix it.

    So, yes, to people who put a system like that into effect, it makes a whole lot of sense to make a browser so crufty and full of holes that it won't hold water even when submerged, and then to charge people for bloated layers of crufty software that is supposed to fix it, except for hundreds of corner cases that malware authors can use to work around it. And, did I mention that they'll charge you for the privilege? I suggest trying free software instead. It's so much less painful.

  21. No reason for it to be free by DigitalCrackPipe · · Score: 2, Insightful

    Considering that Giant anti-spyware used a paid subscription-based model, it kind of makes sense that MS would charge for it. I wouldn't expect Halo to come free with windows just because MS owns it and it can run on windows. I would, however, be pissed if service pack 2 wasn't free.

    For all those who have forgotten, Giant showed a lot of promise in the big anti-spyware head-to-head on the /. front page a few weeks ago.

    And yes, as people mention this is good competitive behavior. You can buy the MS branded one, or you can buy something else (or use free stuff). If they have to compete for dollars, the spyware database will be maintained with more gusto.

  22. What's New by thunderpaws · · Score: 3, Insightful

    The average Windows user will feel that MS is sooo wonderful for securing their computers against the wild and wooly internet. As the Windows machines again slow down and become even more clunky, the solution will be to buy a newer computer, and sales people will show the buyers how economical the new PC's are compared to those sooo expensive Mac's. Doesn't sound much different than the past 20 years, and people still put up with it.

  23. Re: It's all about Lowering Total Cost of Ownership by Stuart Poss · · Score: 1, Insightful

    This should help them in their campaign with regard to total cost of ownership of their systems versus Linux!

    It's part of the new media blitz. It's all the rage these days. Get ignorant suckers to believe they are getting something great, when it's only to charge them more for something that doesn't work well or at all in the first place.

  24. It doesn't matter! by Anonymous Coward · · Score: 1, Insightful

    "I wonder where MSFT thinks the money for this extra software should come from?"

    They don't care. Their latest licensing schemes are just ways to raise costs without appearing to raise costs.

    The problem with MS is that the market is saturated, so the only way for them to show revenue growth is to (a) cut down on piracy or (b) raise the price.

    In scenario A, we get product activation. Does it stop piracy? No, but maybe it improves it 10%, which helps the bottom line by, I dunno...1%? and scenario B can help to a certain extent because they effectively have a database. But it's hard to justify charging $100 for XP this year and $110 next, particularly since most are OEM deals that cannot be changed. So another way to raise prices is to charge for every little "innovation". The way you do that is to make it look as if you're adding real value to a product.

    In this case, they have an abysmal security policy and they augment that by charging you money to fix their own problem. And it works because some portion of the people....30%? are convinced that MS is a good, decent company and that they must do this "because they must show a profit".

    People keep saying "this will be hacked" or "people won't fall for this".

    They don't need it to be 100%, only enough so that they show an increase in revenue.

  25. This is heartening and disheartening by HuguesT · · Score: 2, Insightful

    Since about the days of NT4.0 many people in the IT business were saying something along the line: "MS got their act together, they have released a professional O/S with security built-in, a reasonable kernel, good performance, that runs on multiple platforms including commodity hardware. This is the end of UNIX, and not a moment too soon, we are tired of the expensive hardware and of the Unix wars".

    However MS has continually disappointed. Security ended up being very very bad, and becoming in fact worse with every new release (Microsoft still hasn't been able to break the old conflict between ease-of-use and security, unlike Apple).

    Since then we've had Linux and the BSDs maturing (including Darwin). MS security is in fact worse with XP than it ever was with NT4 and this is affecting mere users in a huge way. Spyware removal has moved from a little cottage industry to big multinational business. Running a simple PC with Windows is fast becoming harder and more labour intensive than simply installing Linux on it.

    My family members and friends are constantly asking me for advice. I'm always happy to help them with their Windows troubles (after all this keeps my skills up to date to a degree). I never mention the fact that they should try Linux or buy an Apple but when they ask me why I don't run Windows I simply say: "no spyware, no virus" and they start thinking about it. A few more years of Linux and OpenOffice maturing, and we'll see a shift of the order of the Firefox one.

    Unless Microsoft get their act together, fast. But they are not, witness the current decision.

    Microsoft is unable to make long term decisions that will affect their users positively. This is because they are driven by short-term profits. Even though they have the resources 10 times over to make the right decisions, they are being trounced, little by little, by a band of volunteers.

    This is both heartening and disheartening.

    BTW I find all the replies to remarks along the line "but you can't even plug a windows machine in default mode to the Internet more than 10 minutes before becoming infected" absolutely hilarious.

    1- first find a secure machine
    2- download all the patches by hand
    3- burn to CD
    4- go to insecure machine.
    5- unplug from network
    6- install OS
    7- install patches
    8- boot
    9- make sure firewall is on
    10- plug network cable in. Browse to your heart's content!
    11- Oh, and make sure you don't run IE, and keep your machine up-to-date! and don't run as the admin! What? games don't run except as admin? don't play games!

    Easy! speaks for itself, doesn't it?