Microsoft May Charge for Security Tools

rscrawford writes "CNN reports that Microsoft may charge extra for security software. So first they edge their competition out of the browser market, then they tie IE into the OS so tightly that a crash in IE can crash the computer, and then they make IE so vulnerable that just using it is hazardous to the typical computer's health, and now they want to CHARGE users to fix it?"

oblig...

[Mad_Rain]

So THAT'S what Step two is. =P

Re:oblig...

[Trailwalker]

Step two is to issue a patch for a critical vulnerability in the new MS-AntiSpyware app.

Six months after it is discovered.

Good advertisement.

If Microsoft were to hire on the Verizon Wireless guy, they could have him walking across the country asking "Can I screw you now?"

Re:Good advertisement.

[Moofie]

And here, I thought that our British forebears could spell.

Guess you're not all that civilized after all...

Once again, Microsoft blames the users.

[IO+ERROR]

Some experts blame Microsoft for Windows vulnerabilities that help spread spyware. Microsoft and some others, meanwhile, said blame should be directed instead at spyware manufacturers.

"Spyware usually gets on your computer through human error," said Marc Maiffret of eEye Digital Security Inc., which regularly discovers serious Windows flaws.

Yeah, sure, if starting the computer is human error. It takes what, five minutes or less, for an XP box to get riddled with viruses, Trojans, etc.? The error is Microsoft didn't ship an operating system that could remotely be considered secure. You can't connect to the network to download SP2 without risking the computer. Where's the sense in this? Where's the user error?

Re:Once again, Microsoft blames the users.

[yelvington]

When Microsoft activates Skynet, the error-prone users will no longer be an issue.

Re:Once again, Microsoft blames the users.

You can't connect to the network to download SP2 without
risking the computer. Where's the sense in this? Where's the user error?

This is how people think after so much time with viruses. They are used to performing workarounds for Windows that lead to acceptance of viruses (just buy an antivirus) that lead to acceptance of spyware (just buy an antispyware) and that lead to acceptance of systems so bogged down by combinations of the above (just reinstall every 6 months).

It's a bit like living in a really bad neighbourhood and denying it's a problem. "Oh we're OK, we live in a safe area. As long as you put bars on all your windows, don't leave the house when it's dark, put up bullet proof windows, and don't make eye contact with the neighbours you're perfectly safe"

Apart from how it's broken, it works perfectly.

MS is fucked, but they don't mind. The consumer state of society today means MS can just tell people they need to buy something, and people will do what they're told to.

Re:Once again, Microsoft blames the users.

[Jace+of+Fuse!]

They are used to performing workarounds for Windows that lead to acceptance of viruses (just buy an antivirus) that lead to acceptance of spyware (just buy an antispyware) and that lead to acceptance of systems so bogged down by combinations of the above (just reinstall every 6 months).

There are small, efficient, safe, and free programs that perform these tasks without bogging the system down.

But your points do to some degree stand. Though even if the virus/worm/spyware problem weren't as bad today as it is, I probably would STILL run a software firewall and a good antivirus just as a matter of precaution. I also have all of my systems behind the network firewall but not everyone has that option.

The point is, that just because things are worse now on Windows than they have ever been, doesn't mean that good precautions wouldn't be paying off.

It's only a matter of time before MacOS X gains enough popularity that it's own security holes (though admittingly less serious than many of those in Windows) are mass exploited causing many Mac users some grief.

As it stands right now MOST Linux users can fend for themselves. How true do you think that would be if there was a huge wave of new Linux users converting from Windows? The clueless masses would show people that even a Linux box in the wrong hands can exploited, and I would dare say that an arm compromised *nix boxes is a far greater threat to the internet as a whole than the army of zombie Dialup AOL connected budget PCs running XP home that we currently have to dela with.

Security IS a problem right now, but Windows is only PART of the problem. The clueless human side of the equation isn't going to go away no matter how many people ditch Windows.

Re:Once again, Microsoft blames the users.

[wastingtape]

Yes. I noticed the glitch in the Matrix as well.

Re:Once again, Microsoft blames the users.

I work at an educational institute. Connect a Windows machine to our network and you WILL get Welchia in under a minute (assuming you aren't patched). I have done this several times.

The scenario you describe -- plugging into the internet without getting a worm -- is only the case because the chances are lower that you will get a worm. Basically, you are defending Microsoft on the grounds that the chances are not good that you will get a worm. But decrease the number of computers to that of a medium-sized college campus, and suddenly the chances become very good indeed. Your argument is not particularly good.

And this is not user error, unless you count not enabling a firewall before you plug into the network as a user error. But then, how do you enable a firewall on a built-in wireles card as you are installing Windows?

(Note that there are solutions around this problem -- and I use a few of them. I'm just pointing out that the argument, "I don't immediately get a worm on an unpatched Windows machine, so no one does," doesn't hold any water.)

Re:Once again, Microsoft blames the users.

[Moofie]

"It's only a matter of time before MacOS X gains enough popularity that it's own security holes (though admittingly less serious than many of those in Windows) are mass exploited causing many Mac users some grief."

It's a matter of proper security design that those exploits will be limited in scope and number.

Windows doesn't get exploited just because it's popular. It gets exploited because it was designed wrong.

Re:Once again, Microsoft blames the users.

[zulux]

You can't connect to the network to download SP2 without risking the computer.

Sure you can.

No you can't - in SP1 and below, the firewall gets put in place after the network interface is brought up. In face, the firewall is almost the last thing to initialize during the XP boot process.

Depending on your boot time, there can be few minutes where your computer is vulnerable.

Enjoy!

Re:Once again, Microsoft blames the users.

[DownloadTHIS]

I actually agree with Microsoft here. These problems are caused by human error. Running Windows definitely falls under that catagory.

Re:Once again, Microsoft blames the users.

If Microsoft is running Skynet, we have nothing to fear.

Re:Once again, Microsoft blames the users.

[thogard]

Once OSx gets hacked in a big way, I expect that Apple will get sued for engineering negligence. I've made it clear to Microsoft that the next time their buggy software nails my server (which runs freebsd), they will have to answer in court. The last time they managed to pay off my hosting provider after their tech support people tried to talk me into installing anti virus software on the server. It wasn't a virus on the server, it was millions of machines trying to talk to my news server. That was Sep of 2003 and the thing is still going wild.

If you sell a modern operating system and the install disks aren't safe to use (meaning no innocent third party suffers damage) then the product must be recalled. I've had enough of this crud that the next time I'm in the cross hairs, I'm going after whoever dropped the ball and I don't care if its MS, Apple or Sun. There is no excuse for not recalling a CD since its small and cost so little. In past court cases involving cars, that has made a huge difference in payouts. If sun is shipping hackable software with their cheapest v100 which cost $1000 and the fix of sending everyone a new CD which cost $3 or .3% of the product cost, there isn't a judge in the US that won't give the damaged party most of what they are asking for.

The same goes for Apple. They have teamed up with an Antivirus software company with imac when they could have just included that feature in the OS. I have recently found a copy of an old check from an anti-virus company to a student which proves that the student was paid to write viruses to help improve the bottom line. Thats racketeering and the resulting class action suit could kill a company.

ack!

[nizo]

Microsoft's disclosure that it may eventually charge extra for Windows protection reflects a recognition inside the company that it could collect significant profits by helping to protect its customers.

And they don't see a conflict of interest here? Exactly what incentive would they have to fix security holes which are allowing malware into the machine in the first place if they are selling other products to "block" these kinds of attacks, or are they planning on charging for patches?

Seems unusually blatant

[bigberk]

I mean, they were buying up security competitors as recently as Wednesday! Wouldn't that be a bit too blatant? Are they really trying to monopolize the desktop security market, or are they just trying to help cover costs in what is going to prove to be a very, very expensive area (once they start getting sued for having such a shoddy, insecure product)

Just one thing to say:

[sgant]

What balls!

What a huge, big, heavy set of balls this company has.

Hey, let's kick them!

Re:Just one thing to say:

[EnronHaliburton2004]

Hey, let's kick them!

You ever kick the balls of an 800 pound gorilla?

Software sales - marketing

[Ogrez]

The only thing in this world I have found to be sleazier than lawyers are software salesmen. This isnt isnt a new idea from Microsoft... IBM did it for years with mainframe releases. You have to have a service contract to get the updates to fix the bugs.

This problem of releasing buggy software and charging for fixes is inherent in the software world.

According to /. they will lose either way...

[C.+Mattix]

Look at it this way. They bought an adware company because the see that this is a problem. If they suddenly "bundled" an adware solution, the zealots would say they are trying to drive adaware and spybot out of the market. But since they are selling the solution and hence giving the customers choice, they are trying to screw the customers. No matter how secure they make the OS, there WILL be people who will run as admins and click "yes" to everything. These are the solutions that they are going to sell.

It isn't the first time they've had security software either. Anyone remember MSAV.exe?

User error, eh?

[kryptkpr]

Something from the article rubbed me the wrong way:

"Spyware usually gets on your computer through human error," said Marc Maiffret of eEye Digital Security Inc., which regularly discovers serious Windows flaws.

First.. a confession: My name is kRYPT, and I used to use Internet Explorer. I used to keep it patched, and updated. I browsed on High Security. I ran Spybot S&D and Adaware regularly, and TeaTimer always.

Spyware STILL got in. Every Spybot scan would regularly reveal something nasty (normally DSO or other IE Exploits).

Perhaps it's true that most Spyware is the result of user action (such as installing shady "free" smiley-enhancing software), but _lots_ of the Spyware out there is simply a direct result of using IE.

PS: I see the spyware people are trying to attack Firefox too.. see cracks.am for an example. However, in Firefox, a nice dialog pops up, makes it perfectly clear the code that's being requested to run is unsigned and unvalidated, and makes you wait for 2 seconds before you have the chance to accept or deny installing it.

Re:User error, eh?

[rackhamh]

Spyware STILL got in. Every Spybot scan would regularly reveal something nasty (normally DSO or other IE Exploits).

Moral of the story: pick your porn sites wisely.

Wonder what the effects will be

[KneepadsOfAllure]

There are already good anti-spyware solutions available for home-users (ie Ad-aware, etc.), and I can't imagine home users shelling out a lot of money when they can get a personal version of Ad-aware for free. I suppose Microsoft is going to be targetting corporate users, but if their solutions aren't much better than companies like Ad-Aware (hopefully) corporations will go with competitors. But then again, they might just choose Microsoft because it seems like the "right thing to do" (that is, MS makes the OS, so OBVIOUSLY they should go with MS because it'll "work better" together).

Then again, if the MS anti-spyware is moderately priced and a lot of home-users do buy it, it may serve to drive the gap between richer vs poorer computer users (home users who shell out big bucks for a loaded Windows box vs users who pay a couple hundred for one of those Linux PCs that Walmart and others are selling).

Well...

[rewt66]

As an employee of a security company, I don't have a problem with this. I would have more of a problem with Microsoft giving it away for free. (And, I hope, the toothless antitrust enforcement might have a problem with it, too, but I wouldn't bet on it.)

But really, we cry "unfair" over what they did to Netscape. Rightly so; it was unfair. If they had sold IE as a separate product, it wouldn't have been unfair. So now they sell this stuff as a separate product. They're not bundling. So what's the problem?

And there's another way this is good: TCO studies. The more extra charges you have to have from Microsoft to have a working product, the better TCO Linux has by comparison. (That is, if it's an honest comparison. But instead, what we'll probably see is bogus TCO "studies" where Microsoft looks good, but it omits the security stuff. Then when you go to actually buy it, there's these extra costs, like the auto dealers do with "dealer prep".)

Re: thpt!

[Tackhead]

> "[H]elping to protect its customers" seems awfully euphemistic to me. Wouldn't it help their customers more to release software without the security holes that allow malware in the first place?

Not at all. The word "help" is used in the sense of "Hi. We're from Microsoft and we're here to help... ourselves."

Terminology is the root of the problem

[Killer+Eye]

Let's not call this "security software", Microsoft; remember, software should simply be secure. If you have to add a qualifier like this, guess what: you're saying most of your software has nothing to do with security, and this special extra software, for extra charge, provides the security "feature".

These terminology differences really point to a philosophical difference at Microsoft, which is the root of all their problems. They really don't understand. Why should we think they ever will, at any price?

So let's see

[YrWrstNtmr]

MS includes a necessary tool for free: "Unfair bundling! They're just trying to muscle everyone else out of the market"

MS charges a fee for a necessary tool: "Charging for this? What a ripoff!" (even though their major competitors charge a fee for similar tools)

Yes, that money may have been better spent in actually fixing the items that need these security tools, but it seems like they can't win either way.

Company charges money for product...

[kahei]

...slashdotters baffled.

Re:...and this is surprising because?

[Eggplant62]

Really, this is just MS's Xmas gift to the Open Source Software movement. They've shot themselves in the toes too many times to count so far. Now they've shot themselves in the kneecap; next shot will be to the head.

Drive by installs occur on many non-porn web sites

[Hamster+Lover]

I am in much the same situation as yourself, fully patched, running Ad Aware and Spybot regularly with Javascript OFF.

I was researching information on the Roman Empire and was directed by Google to a great web site. About five minutes in I notice a small pop up window that when maximized displayed a blank window. The router, modem and network lights start to blink and the hard drive begins to churn. Ugh, I realize I am the victim of drive by spyware installation on of all things a web site on Ancient Rome. If I can't protect myself given all the above safeguards, how the hell is the average person going to?

It took an hour or two of work with Ad Aware, Spybot and Hijackthis to remove the five or six pieces of spyware shit that installed from an innocuous web site. I am well and truly tired of this bullshit, Firefox here I come...

Profit? From where?

[Alwin+Henseler]

I wonder where MSFT thinks the money for this extra software should come from? I mean, are IT budgets of customers (including Joe Sixpack) suddenly going up, so that extra funds are available to sink into these tools? If not, that would mean that either:

1. Windows should get cheaper, otherwise customers wouldn't have money left over to invest in these extra tools. This seems feasible; with competition from Free/OSS and users getting fed up with buggy software, market value of Windows is likely to drop. This could be a covert way to restore profit margins.
2. Hardware should get cheaper, so that more money is left over for software. Doesn't seem likely; hardware does get cheaper, but Joe Sixpack still buys expensive PC's, he just gets more bang for his bucks.
3. These extra tools are meant to replace competitor's offerings. Interesting option: if they are just another offering in a crowded field, okay. But first given away as a freebie, and then start charging after a while, when users become convinced they absolutely need it? In that case, could be an interesting candidate for another anti-competitive investigation.

If you can't baffle them with brilliance, dazzle them with bullshit.

What's New

[thunderpaws]

The average Windows user will feel that MS is sooo wonderful for securing their computers against the wild and wooly internet. As the Windows machines again slow down and bcome even more clunky, the solution will be to buy a newer computer, and sales people will show the buyers how economical the new PC's are compared to those sooo expensive Mac's. Doesn't sound much different than the past 20 years, and people still put up with it.