Slashdot Mirror
Microsoft May Charge for Security Tools
rscrawford writes "CNN reports that Microsoft may charge extra for security software. So first they edge their competition out of the browser market, then they tie IE into the OS so tightly that a crash in IE can crash the computer, and then they make IE so vulnerable that just using it is hazardous to the typical computer's health, and now they want to CHARGE users to fix it?"
If they can make a shitload of money out of any marketting strategy, Microsoft will do anything in their power to sell the most of anything and make profit.
Yes it is stupid. Users/companies pay for licenses of Windows which is somewhat costly when you compare what other solutions can do for a fraction of a price (Linux?!) and on top of that, they want to potentially sell you crap so their crap can be more secure using the previous crap. What a load of crap.
It's no different to the toll road operator where I live that puts their tolls up by the maximum permitted year after year without any explanation at all - the same one who quite frequently refuses to explain their actions for unusual lane closures (usually during rush hour) with no readily apparent reason, who only pays refunds for their mistakes when the media gets hold of the story. Quite simply, if you want to get through my city quickly and easily, you have no choice.
(free "well done" to whomever identifies the city I live in and the toll operator I'm referring to)
Something from the article rubbed me the wrong way:
"Spyware usually gets on your computer through human error," said Marc Maiffret of eEye Digital Security Inc., which regularly discovers serious Windows flaws.
First.. a confession: My name is kRYPT, and I used to use Internet Explorer. I used to keep it patched, and updated. I browsed on High Security. I ran Spybot S&D and Adaware regularly, and TeaTimer always.
Spyware STILL got in. Every Spybot scan would regularly reveal something nasty (normally DSO or other IE Exploits).
Perhaps it's true that most Spyware is the result of user action (such as installing shady "free" smiley-enhancing software), but _lots_ of the Spyware out there is simply a direct result of using IE.
PS: I see the spyware people are trying to attack Firefox too.. see cracks.am for an example. However, in Firefox, a nice dialog pops up, makes it perfectly clear the code that's being requested to run is unsigned and unvalidated, and makes you wait for 2 seconds before you have the chance to accept or deny installing it.
DJ kRYPT's Free MP3s!
There are already good anti-spyware solutions available for home-users (ie Ad-aware, etc.), and I can't imagine home users shelling out a lot of money when they can get a personal version of Ad-aware for free. I suppose Microsoft is going to be targetting corporate users, but if their solutions aren't much better than companies like Ad-Aware (hopefully) corporations will go with competitors. But then again, they might just choose Microsoft because it seems like the "right thing to do" (that is, MS makes the OS, so OBVIOUSLY they should go with MS because it'll "work better" together).
Then again, if the MS anti-spyware is moderately priced and a lot of home-users do buy it, it may serve to drive the gap between richer vs poorer computer users (home users who shell out big bucks for a loaded Windows box vs users who pay a couple hundred for one of those Linux PCs that Walmart and others are selling).
Even a longtime MS user like myself...
I've been an advocate for MS software and OS's for some time now, but the prospect of charging to fix something that is a result of many of the flaws in their software just pisses me off!
It's really unfortunate that Linux isn't viable on the desktop yet because this would likely be the straw that breaks this camel's back.
Unfortunately, Linux is not ready for the desktop yet, and please, save your fingers from typing because I have been evaluating distros for the desktop for many years now, the most recent being Mandrake 10.0 and Fedora Core 3. Although there is slow and steady progress, Linux for the desktop still sucks compared to WinXP.
For now, for me and my clients, a firewalled network behind which lives a well patched XP machine (preferrably kept up to date with SUS) with Firefox, Spybot S&D (with Tea Timer), Ad Aware, Symantec AV corporate and (for my clients), the daily use account does not have administrator privileges.
This will keep most any PC free from spyware and cruft and keep users happy.
You need people like me so you can point your fucking fingers, and say "that's the bad guy."
Let's not call this "security software", Microsoft; remember, software should simply be secure. If you have to add a qualifier like this, guess what: you're saying most of your software has nothing to do with security, and this special extra software, for extra charge, provides the security "feature".
These terminology differences really point to a philosophical difference at Microsoft, which is the root of all their problems. They really don't understand. Why should we think they ever will, at any price?
"Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
And for only $59.99 we'll show you how serious we are.
*DrugCheese rants*
I am in much the same situation as yourself, fully patched, running Ad Aware and Spybot regularly with Javascript OFF.
I was researching information on the Roman Empire and was directed by Google to a great web site. About five minutes in I notice a small pop up window that when maximized displayed a blank window. The router, modem and network lights start to blink and the hard drive begins to churn. Ugh, I realize I am the victim of drive by spyware installation on of all things a web site on Ancient Rome. If I can't protect myself given all the above safeguards, how the hell is the average person going to?
It took an hour or two of work with Ad Aware, Spybot and Hijackthis to remove the five or six pieces of spyware shit that installed from an innocuous web site. I am well and truly tired of this bullshit, Firefox here I come...
My windows box is up nearly 24/7 and I haven't had a single problem with spyware or viruses. I am, of course behind a FreeBSD NAT/ipfw gateway and Firefox is my web browser of choise... Even when I used IE though, I had few problems if any. I also have 3 room mates with windows boxen behind the same NAT/ipfw. Out of those 3 the one irresponsible user is the only one that has spyware problems. My situation tells me human error is to blame. You hate Microsoft just a little too much, me thinks.
Buy Steampunk Clothing Online!
If you don't follow basic computer security procedures, yes.
You can't connect to the network to download SP2 without risking the computer.
Sure you can.
Where's the user error?
Not turning the firewall on before connecting to an untrusted network.
Running untrusted code as an Administrator.
Using buggy software like IE.
Same user errors you get on _any_ platform.
Mozilla extensions have full access to your system constrained by the users security of course. Therefore if someone wanted to write a malicous extension that installed spyware/trojan/virus, they could. It has nothing to do with the OS. Try running IE under a non priviledge account and see if activex can install stuff.
Have you ever been to a turkish prison?
I work at an educational institute. Connect a Windows machine to our network and you WILL get Welchia in under a minute (assuming you aren't patched). I have done this several times.
The scenario you describe -- plugging into the internet without getting a worm -- is only the case because the chances are lower that you will get a worm. Basically, you are defending Microsoft on the grounds that the chances are not good that you will get a worm. But decrease the number of computers to that of a medium-sized college campus, and suddenly the chances become very good indeed. Your argument is not particularly good.
And this is not user error, unless you count not enabling a firewall before you plug into the network as a user error. But then, how do you enable a firewall on a built-in wireles card as you are installing Windows?
(Note that there are solutions around this problem -- and I use a few of them. I'm just pointing out that the argument, "I don't immediately get a worm on an unpatched Windows machine, so no one does," doesn't hold any water.)
I work at an educational institute. Connect a Windows machine to our network and you WILL get Welchia in under a minute (assuming you aren't patched). I have done this several times.
I bet you $1,000.00 that I can install an upatched Windows XP system on your network and not get infected by Welchia in under a minute or evern a month. Game? Didn't think so you because you're making it up.
Yes, that money may have been better spent in actually fixing the items that need these security tools, but it seems like they can't win either way.
Since they haven't fixed those items, they don't deserve to "win" either way.
I keep seeing the analogy with people's complaints about IE. Not the same. With IE, MS undercut the competition with a tool for using the computer, not for fixing problems of its own making. The WWW isn't a Microsoft bug.
MS is caught in a Catch-22 of its own making. My heart bleeds.
"It's only a matter of time before MacOS X gains enough popularity that it's own security holes (though admittingly less serious than many of those in Windows) are mass exploited causing many Mac users some grief."
It's a matter of proper security design that those exploits will be limited in scope and number.
Windows doesn't get exploited just because it's popular. It gets exploited because it was designed wrong.
Why yes, I AM a rocket scientist!
Before I start this rant, let me first preempt it with the following: IE is totally dated, a pain to use (when compared to other browsers), and is not secure (out of the box). However, it is important to realize that it CAN be secure. It just takes a little bit of work to setup. Hell, the typical amount of time it takes to get a linux disto operational to the point of it being "easy" to install applications, locked down, hardware and software configured, etc... one can easily get an IE installation to perform flawlessly. Not, that I would spend my time doing so, however I have done it on occasion. So please don't get all IE is satan, when one can configure the crap out of it (because it is part of the OS). I've had Firefox crash many more times then I've seen IE do the same. Would I then blanketly state that Firefox is a horrible piece of code because it is not tied into the Operating System. Of course not, plus for the longest amount of time... they could just state that they are in Beta, or are Open Source. I feel many times certain software isn't held as responsible for its uses because of this. I often see Open Source projects trying to become the be-all do-all next big thing, with everything about it being customizable. Yet, at the same Word "sucks" because it has to many options. Not saying I condone Microsoft and the many business practices, but shit... c'mon, be fair for goodness sake.
oh by the way.
Do you know how many people get tripped up with FireFox's "inability" to handle Java, Flash, Shockwave, "cool 3d super plugin", etc...
Obviously it can, but on this same token... users can't simply click yes to everything and then it works (like they can with IE).
You are lucky. I connected on *dial-up* with Windows to just DL one form from a gov't website and got infected in under 10 seconds. Before I could actually type the URL into Mozilla, the box was already infected.
I'd say your 10 minutes is pretty good :P
has come to this.
The personal computer (Apple/Commadore/Tandy/IBM/Atari/Amiga) was supposed to release the creative gene in all of us. At first it did (1978 - 1995), Viri at most were limited boot sector infestations and nothing more.
Leave it to Microsoft to add BSOD and AdWare, and Windows Virus to the english language (Whats it called in other languages)? Instead of removing IE from the core of the O/S they chose to patch the system by purchasing a supposed solution. Now they are going to charge money for a problem that they induced. I also see that Win98/ME is excluded from the list. If I sold buggy software and didn't update 40 percent of my clients, I would be sacked as a vendor.
I'm sorry. Maybe I'm becoming too old, but Virus/Adware are/should not be the norm. When did it become mainstream to run all these utilities just to use your computer?
Enjoy,
It's just the normal noises in here.
Not turning the firewall on before connecting to an untrusted network.
Which firewall would that be?
Running untrusted code as an Administrator.
Using buggy software like IE.
I'm not quite sure how you propose to access Windows Update without doing both of these.
So we are back to square one:
You can't connect to the network to download SP2 without risking the computer.
Perhaps the 20 minute figure that people like to bandy about has more to do with common user behaviors -- namely, the fact that most people don't even know what a service pack IS?
I've personally had an XP pro machine infected by a worm wirelessly over a GPRS connection. I wanted to test the claims.
It took about 4 hours of total online time, I didn't download any software or email.
For most of those 4 hours, the built in firewall was on. But I turned it off for about 10 minutes and the machine was infected.
A worm found that port 445 was open on my machine and took over the machine. Thereafter my machine attempted to connect to random ip addresses on port 445 and no other internet connectivity worked at all.
The scary thing is that I saw my machine successfully connect to a few of those random IP addresses.
A virus checker found 5 infected executables. Executable programs I had never heard of. Including a batch file.
I also personally witnessed a windows 2000 machine suffer the same fate (but different worm) in less than 1 hour. Remember, this is OVER 56kbps GPRS.
Believe me. From personal experience I can attest that you dont have time to download the latest service pack before your machine is infected.
You may get lucky, but is all it is. LUCK.
If you are using a DSL connection and your machine is using a 192.x.x.x private IP address that could explain why you aren't getting an infection. Your DSL modem is essentially firewalling you.
Fortunately antivirus software cleaned up the mess with no loss of any data. (as far as I know).
No one has a right to their *own* opinion. They have a right to the TRUTH.
Once OSx gets hacked in a big way, I expect that Apple will get sued for engineering negligence. I've made it clear to Microsoft that the next time their buggy software nails my server (which runs freebsd), they will have to answer in court. The last time they managed to pay off my hosting provider after their tech support people tried to talk me into installing anti virus software on the server. It wasn't a virus on the server, it was millions of machines trying to talk to my news server. That was Sep of 2003 and the thing is still going wild.
.3% of the product cost, there isn't a judge in the US that won't give the damaged party most of what they are asking for.
If you sell a modern operating system and the install disks aren't safe to use (meaning no innocent third party suffers damage) then the product must be recalled. I've had enough of this crud that the next time I'm in the cross hairs, I'm going after whoever dropped the ball and I don't care if its MS, Apple or Sun. There is no excuse for not recalling a CD since its small and cost so little. In past court cases involving cars, that has made a huge difference in payouts. If sun is shipping hackable software with their cheapest v100 which cost $1000 and the fix of sending everyone a new CD which cost $3 or
The same goes for Apple. They have teamed up with an Antivirus software company with imac when they could have just included that feature in the OS. I have recently found a copy of an old check from an anti-virus company to a student which proves that the student was paid to write viruses to help improve the bottom line. Thats racketeering and the resulting class action suit could kill a company.
The problem is all OS are designed wrong. Take Linux for example. First, written in C means buffer overflow and several other mistakes that are caught at compile time with other languages. Second, UGO is totally not up to the task. Mandatory fine-grained ACL are a minimum. A secure system means I logon as root, run every email binaries that I receive, and the worst that could happen is the OS saying that application X tried to do an unauthorized access to some ressource. Third,the system must be designed as a whole. Not some guys writing a kernel, some writing a GUI and some other writing a file system.
So... Can you name an OS that was well designed?
Please explain. What design flaw of Windows forces a user to run as an administrator?
The fact that Windows started out as a single user OS, and a lot of programs are built with that mindset. Windows as a multiple user OS still feels like a hack upon a single user OS. A few years ago, Microsoft could of said, "Sorry, many of your old Win9x programs aren't going to work in the NT line", and we wouldn't have this problem. They even could of provided us with a "classic mode" sandbox to run them in too. But instead they went the backwards compatible route. Ferthermore, since all the old programs basically run as they used to, it didn't give the programmers any incentive to change their habits. So to this day, many programs, including some of MS's own applications do not run right (or at all) unless you are Administrator.
Your DHCP request will be triggered when the cable is plugged in.
If your interface is DHCP'd and you don't have the cable in, does the firewall still come up if the initial DHCP fails??
Yes.
And, in any case, that's another workaround people get used to and learn to live with... it should not be like that.
It certainly shouldn't, which is why it was fixed.
Microsoft claims that their operating system's usability is so good that you don't need much experience in using Windows. But the usability approaches zero with all these workarounds you have to know about just to get the system to a state where you can actually concentrate on what you really wanted to work on.
It's a "workaround" you only need to use long enough to install SP2.
That adds a whole new perspective to the Linux-on-the-desktop discussion. Maybe Linux isn't as straightforward. Windows might be. But with all the crap you have to deal with in Windows (and it seems to just get more and more), it seems that in the end, Linux ends up being a MUCH better Desktop OS, even in its current state of relatively worse usability.
Not really, because this annoying little workaround only has to be used _once_, rather than being always present.
I wouldn't be skeptical if I were you.
e ry.htmlr /venc /data/life.is.beautiful.hoax.html
A couple of years ago, in response to a claim that Linux had 'as many' viruses as Windows does, I researched ALL the real and putative viruses posted on Symantec and other such sites. At that time I found a total of 47 viruses and worms, of which only three did actually infect some computers. The slapper worm was the most recent and the worst, it infected about 14,000 computers in Eastern Europe in a two week period before it died out. Since slapper required the user to assist, running as root, it had no real chance of infecting millions of computers like CodeRed, released around the same time, did.
What stunned me most wasn't the fact that there were less than 1/2 a dozen viable but now defunct Linux viruses, it was the fact that Symantec reported finding 3/4ths of the 47 viruses on less than 3 PCs or saying that they were "proof of concept" viruses!!! What are the odds that a virus company could encounter three dozen viruses "in the wild" but on fewer than 3 PCs. My interpretation of that data is that Symantec was experimenting with Linux viruses. Were they developing Linux anti-virus stratagies, or were they developing Linux viruses?
About a month ago, again in response to the same "Linux has thousands of viruses" claim, I went looking for the same list, but found it missing. What I found in its place was a list of over 5,000 supposed Linux viruses.
http://search.symantec.com/custom/us/qu
Following the first listed 'virus' leads to:
http://securityresponse.symantec.com/avcente
a windows hoax email.
The three known wild Linux viruses were on the list, even though they hadn't been active for over two years and modern Linux OSs are immune to them. Multiple listings abound. And many of the supposed Linux viruses were actually windows viruses (w32*) with the world 'linux' in their name. Digging deeper I noticed that many were for the putative JPEG viruses which supposedly can infect both Windows and Linux. Following the embedded links of hundreds of them in search of the original security notice I found instead a Symantec "Policy Statement", but no virus information!!! Why would Symantec "pad the books" on Linux virus counts? To sell unneeded software?
My conclusion after my latest review of Linux viruses is that there are none. In fact, if another slapper were to appear and infect even as few as it did the last time it would be front page news, or MS would pay for an NYT full page ad to be sure everyone noticed.
The fact is that while my KMail is hit with a dozen WinXX viruses each day, like bugs hitting the windshield of my car, I have yet to see any sort of Linux bug arrive at my mailbox in seven years of using Linux, four of those years being online 24/7 with a broadband connection.
Running with Linux for over 20 years!