Slashdot Mirror


The Microsoft Protection Racket

bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.

24 of 539 comments

  1. Microsoft addresses Windows security concerns by It doesn't come easy · · Score: 5, Insightful

    Microsoft Windows - Operating system. Provides resource allocation to underlying computer hardware. Note: No warranty, no guarantees, may have security issues.
    Microsoft Security - Subscription security service. Provides security monitoring of underlying insecure operating system. Note: No warranty, no guarantees, may have security issues.

    --
    The NSA: The only part of the US government that actually listens.
    1. Re:Microsoft addresses Windows security concerns by null etc. · · Score: 4, Insightful
      This is where Dvorak lost all credibility. He is obviously not qualified to speak on the subject of operating system security.

      Oh yeah? Is he approaching this issue from the viewpoint of a security expert? No, he's approaching it from the perspective of a typical person (it might be your mother, or father).

      Personally, I could not tolerate any of Dvorak's articles. But I have to admit his recent ones are starting to get much more on-topic (as opposed to his older lunatic rants, proclaiming that Microsoft would go out of business in 10 years, etc.)

    2. Re:Microsoft addresses Windows security concerns by Pxtl · · Score: 4, Insightful

      I don't think that any anti-trust suits have been brought to them for their security fixes. The point is that _security_ should be there already, and fixes for security should be free because they basically sold you something that didn't work otherwise.

      Meanwhile, bundling in software that competes with competitors with the express purpose of putting them out of business (note how MS software stagnates the moment the competitor is gone) is a whole different story.

    3. Re:Microsoft addresses Windows security concerns by wernercd · · Score: 4, Insightful

      yup. because everyone knows experts know everything about all programs and never make mistakes.

    4. Re:Microsoft addresses Windows security concerns by RobinH · · Score: 5, Insightful

      Ultimately, all monolithic, and particularly authoritarian human endeavors FAIL! Microsoft seems to be amongst that group, and I question if they can escape it easily.

      Yeah, that whole Apollo program was a complete failure, wasn't it? Or the Manhattan Project? Or building any modern skyscraper? Or any serious engineering project of our time? They all fail miserably, don't they.

      What is the alternative to authoritarian human endeavors? There were several X-prize contenders that tried to use a more open-source, everybody pitches in, communism type approach, and they were all bested by Burt Rutan.

      And stop calling Microsoft a failure. It's the opposite of failure, obviously. Are you just trying to troll?

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    5. Re:Microsoft addresses Windows security concerns by Skreems · · Score: 3, Insightful

      That still doesn't make it Microsoft's fault, though. You can run a buggy FTP client on Linux just as easily as on Microsoft, and you can get your system rooted just as quickly. The only way for Microsoft to keep your system safe from stupid user actions like that is for them to mandate that you WILL NOT run any networked programs not approved by them. And you can imagine how much of an uproar there would be if they actually tried something like that.

      The one major issue that allows this (running as Administrator by default) HAS been addressed in Vista. I'm no fan of the registry, but config files can get hacked just as easily. It's still no protection against opening a barn door and hanging a "Free Stuff Inside" sign over it, with strobe lights going off. And then he complains when someone comes and steals his toaster.

      --
      Slashdot needs a "-1, Wrong" moderation option.
      The Urban Hippie
    6. Re:Microsoft addresses Windows security concerns by killjoe · · Score: 3, Insightful

      "In terms of building a solid product... it's used on roughly 95% of the world's desktops. Nothing significantly better exists, or the vast majority of people would have jumped ship long ago."

      Apple has always been better. OS/2 was better, hell, Amiga was better. If you think that what's popular is what's best then you're plain old stupid.

      "In terms of good corporate citizenship... shall we talk about the $28.8 billion dollars in the Gates Foundation? The $7.5 billion given away to date?"

      1) The Gates Foundation is not Microsoft. 2) The Gates Foundation was created in order to influence people like you (it worked!) into thinking Gates was actually a nice guy. 3) 7 billion is petty cash. 4) Gates didn't actually give away money, he just gave stock he got for free to the foundation, which then sold it.

      "In terms of ethical and moral behavior? Sorry, Enron is shocking and shameful. Dow's toxic waste dumps in India are shocking and shameful. Declaring bankruptcy just to get out from under your employee's pension obligations is shocking and shameful."

      Whoo Whoo, MS is less sleazy than Enron and Dow! It's nice to see corporations set their standards so low.

      --
      evil is as evil does
  2. Conflict of interest by Godeke · · Score: 4, Insightful

    While the views of the pundit may be questionable sometimes, it *is* a conflict of interest to charge fees for protection against your own flaws. Initially I'm sure they will try to continue securing the operating system while considering this service a backstop for users who violate basic common sense. When viewed that way, the extra fees make sense: I haven't had a security *alert* about an attempted infection in many years, mostly because I secure my environ and don't do stupid things. But for those who can't handle such things, an extra-fee "security blanket" is acceptable.

    In the long run though, if the security software becomes a security blanket for *Microsoft* and basically is a required purchase to host a secure environment despite the security efforts of administrators outside such extra-fee tools, it would appear to be nothing more than a backdoor to charge annual fees to all those who dare resist the "Software Assurance" garbage. Oh, and them too, just more fees.

    --
    Sig under construction since 1998.
  3. He's kinda right by nuggz · · Score: 3, Insightful

    He is somewhat correct, if security was a priority these problems wouldn't exist.

    However consumers want easy to use and don't care about security. When you don't consider security (your customer doesn't care) and focus only on easy to use you will have an insecure system.

    Given the choice most people will choose insecure and easy over secure and less easy. They'll even pay for the difference.

  4. Maintenance should cost time or money by dada21 · · Score: 3, Insightful

    Every product we buy needs long and short term maintenance. Cars need oil, tires, waxing and tinkering under the hood. Software, especially complex operating systems with a ton of third party programs, is no different. As Linux gains features and popularity, it also gains incompatibilities.

    Most end users seem to understand and accept some expense that decreases future downtime. Not a single customer of mine refused Microsoft's yearly subscription. Not one refuses to pay my employees' $95/hour invoices for applying all the various first and third party patches.

    Back to cars... Does GM repair recalls for free? Sure. But if your new radio doesn't interface with your Vette, you buy the harness. When Windows is defeated by a new loophole that only occurs from connecting to the web, whose fault is it?

    You can always remove your 3rd party radio in your car. Go back to the OEM one. You can stop browsing through AOL using your Intel NIC, get MSN service and only browse MS websites, too.

    I've always felt F/OSS users ignore their time value. My personal time is worth $60/hour to me, including rest/sleep. My customers see a return of more valuable time when they pay for maintenance. F/OSS hasn't paid enough of a ROI for me to promote it.

    1. Re:Maintenance should cost time or money by sqlrob · · Score: 3, Insightful

      When Windows is defeated by a new loophole that only occurs from connecting to the web, whose fault is it?

      Microsoft's. Time for a recall.

      From their XP Home Feature Page: (emphasis mine)
      The Windows XP Home Edition operating system offers a number of new features that help you work smarter and connect faster to the Internet and with others. And the rock-solid dependability of Windows XP lets you work and play with more confidence than ever.

  5. Re:Pfft. by MightyMartian · · Score: 4, Insightful

    And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time, and it sure makes down-and-dirty administration ten times easier. The registry editor is a f**cking nightmare compared to your favorite text editor and *.conf or *.rc. Security is handled through the file system. The registry was a bad idea from the get-go, but you're right, Microsoft's incompetence will be with us until the world finally tells Redmond to take their crappy operating system and shove it.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  6. Re:Maybe he has a point by amliebsch · · Score: 4, Insightful

    There's really nothing wrong with the foundations at all. The problem has been (1) the shell and its various subsystems (particularly IE), (2) programmer practices, and (3) user practices. Microsoft is of course fully responsible for (1), and, in fairness, security for these is free even to pirates. For (2) and (3), though, while they have encouraged best practices, they have made the decision not to enforce them. Enforcement of best practices, though, would not be IMO a good idea - the user should always have ultimate control over their machine.

    --
    If you don't know where you are going, you will wind up somewhere else.
  7. Re:Pfft. by MightyMartian · · Score: 4, Insightful

    It's better because you can use a frickin text editor. The settings are discrete and can be easily copied. When I move my account to a different *nix box, I just zip up my configs, unzip them on the new account, and maybe, if locations are different, do a bit of tweaking. I've had the same damn .pinerc file for four years now. It's easy to archive, easy to restore and easy to alter. The registry is a pain to back up, can be really ugly to restore and alteration requires a stinking idiotic registry editor.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  8. Re:Pfft. by mugnyte · · Score: 4, Insightful

    The registry and analogous flat file data stores try to achieve the same goals. I think the registry makes several mistakes:

      - Consolidating all settings into one proprietary data store. This imposes a new security mechanism over that of simple file access. This unique data store does nothing by itself to "secure" the data, it's just a box. One can lock the entire box but simple users do effect changes in the registry.

      - INI files are plaintext versions of some sort of file. Their manipulation could be by hand (trad *nix style), or employ one of several storage syntax mediums (XML being one) which allows general tools to work across the items.

      - File-based security on INI files is stronger, and more easily managed with existing tools, than key-based security on the hive-based registry entries. Combining with journaling/versioning, INI files hold more depth than a registry (which has to import/export to a file-based representation to achieve this).

      - Line-item security on INI files is not as strong, hence the danger people have in by-hand editing. This can be overcome using a syntax that allows for tool-based editing, where then INI files expose their keys, and a security table holds a File/Key/Role association.

      - Shared INI files for library management (aka COM) have the same write-contention issues as the registry, so no differences there. GAC-style libraries are directory-based, which seems to lend evidence that both file and registry stores for libraries are best done higher up in the file system.

  9. Registry is the problem? by Se7enLC · · Score: 5, Insightful

    What's wrong with the registry? Sure there are better ways to do it from an end-user point of view, but you can't blame the registry for all of Windows' problems. All the registry is is a database of configuration options for applications, system, etc. What would you rather have, a mess of unorganized and inconsistent files in /etc and ~/.appname? In either case, the registry has NOTHING to do with spyware infection. It's merely the underlying system that gets edited once a malicious program gets in. SOMETHING has to contain system and application configuration options, and whatever it is will be called a registry. The actual implementation is irrelevant.

    Whatever Dvorak would like to see replace it (notice that he didn't make a suggestion for improvement, just that "there has to be something better") will suffer the same problems as the registry if the security holes allowing unauthorized programs to edit it aren't fixed.

  10. stating the obvious by micromuncher · · Score: 3, Insightful

    I dislike the puppet intellectual (Dvorak) as much as the next guy, but this time he has done an effective job at restating the obvious.

    He does however miss a point near and dear to my heart... that is - the dependency of the OS on these new MS integrated virus and spyware initiatives which will only get worse.

    I live behind a firewall. It does a really good job at keeping out most sploits. I also live behind an email server that does a pretty good job at sending executables to the bit-bucket.

    It annoys me to no end that IE is so insecure... but it also annoys me every time I boot my machine I get the Your system is insecure message, because I've chosen to disable the MS firewall and antivirus.

    Perhaps it will become as irritating as Norton, which revalidates itself every other day across the internet telling me the key I bought last month expired... or having ccapp go crazy burning CPU even when I've disabled virus checking.

    Norton is evil. It hooks into all sorts of stuff it shouldn't. Crappy virus ware (that patches file open) can potentially take down/slow down your computer even when it's off, or you are disconnected.

    So, the real issue, after my rambling, is dependency on this crap by the OS, the grafting *kludge* by which it was implemented, and an unhealthy assumption that every computer is connected to the internet all the time.

    --
    /\/\icro/\/\uncher
  11. Re:Pfft. by badriram · · Score: 4, Insightful

    Both systems blow, and just as equally. It is the difference between any centralized and distributed system.

    Centralized -
        Clean standard
        less flexibility
        single point of failure
        better security (advanced ACL support, not every app has its own parser)
        OS maintained
        Terrible portability

    Distributed -
        no standard exists
        more flexibility
        no single point of failure
        weaker security (it is either put in user or etc; you do not have an option of put in etc but allow just this setting for users)
        App maintained
        Easy portability

    Best solution is to use both and let app decide
        but a nightmare for sys admins

  12. Re:Pfft. by DaveJay · · Score: 4, Insightful

    You have to remember, the main purpose of the registry is to obscure information, not to make it easy to find and edit. Software makers want to be able to put autostart hooks, serial numbers and other such nonsense on the computers, and Microsoft gives them what they want. If you put everything in an .ini file, users would be able to find it and control it, which is exactly what software manufacturers don't want (in most cases).

    They can get rid of the registry once they have "Trusted Computing" in place, as they'll easily be able to drop application information into encrypted files that the user has no way of breaking into.

  13. Re:Pfft. by Rasta Prefect · · Score: 4, Insightful
    And where is it stored? ~/.app? ~/.app/.settings? /etc/app? /etc/app/settings? /etc/app/settings.xml?

    Global settings go in /etc. Per-User settings go under the home directory. The default per-user settings are stored in /usr/share and copied in the first time the program is run. Wow, that was hard wasn't it?

    See the way Apple has done this. Global app settings in /Library, personal App settings in ~user/Library. When I used to do desktop support (50/50 mix of OS X and Windows) all we had to do when we moved a user to a different machine was image it and copy their home directory. Easy as pie, takes about 10 minutes of my time. Wow, once again it was really hard to answer that "where does it go" question.

    Gotta save a user's settings when moving them to a different Windows install (usually because the student's laptop was so spyware ridden it was easier to just reformat)? Let the nightmare begin!

    Trying to reinstall a hosed application that won't uninstall properly? Let's just see you try to track down all those registry keys. On a Mac or Linux you just remove the rc file or plist.

    And what is the format of said INI file?

    Once again, see Apple's plists. XML all the way, with tools to manipulate them if you don't like your text editor.

    And what do the permissions need to be for the app to run? And what do the permissions need to be for a sane security approach?

    Users have their own config settings. If you want to restrict access to global config settings, just don't give them access to the config file. If you don't want them to run the program, don't give them read and execute permissions on the app itself. There are other operating systems out there besides Windows, and they've already solved these problems. In the case of Unix, about 20 years ago. I've done Unix, Apple and Microsoft desktop administration, and while the Unix and Apple solutions do have a few quirks (Apple's system doesn't really have many), the Registry is by far the most broken and the biggest PITA.

    --
    Why?
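As an added example (my own construction, not code from any commenter on this page): a Python loader that implements the layout this comment describes (packaged defaults copied into the user's home on first run, then defaults < global /etc file < per-user file) and enforces the "security is handled through the file system" point made earlier in the thread by refusing any layer that another user could have written. The app name, the paths, the uid handling and the sample .ini contents are assumptions, built in a temporary directory so it runs anywhere.

```python
import configparser
import os
import shutil
import tempfile
from pathlib import Path


class UnsafeConfigFile(Exception):
    """A config file's owner or mode cannot be trusted."""

def check_file_trust(path: Path, allowed_uids: set) -> None:
    """Refuse a file owned by an unexpected uid or writable by group/others:
    a setting is only as trustworthy as the users who can write it."""
    st = path.stat()
    if st.st_uid not in allowed_uids:
        raise UnsafeConfigFile(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & 0o022:  # group- or other-writable bits set
        raise UnsafeConfigFile(f"{path}: writable by group or others")

def load_layered_config(default_path: Path, global_path: Path, user_path: Path,
                        user_uid: int, admin_uid: int = 0) -> dict:
    """Merge defaults < global < per-user, seeding the per-user file on first
    run. Defaults and global settings must belong to the admin (root in a real
    install); the per-user file may belong to the user or the admin."""
    if not user_path.exists():
        check_file_trust(default_path, {admin_uid})
        user_path.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(default_path, user_path)
        user_path.chmod(0o600)  # private to the user, like a fresh dotfile
    merged = {}
    layers = ((default_path, {admin_uid}), (global_path, {admin_uid}),
              (user_path, {admin_uid, user_uid}))
    for path, owners in layers:
        if not path.exists():
            continue  # a site need not ship a global override
        check_file_trust(path, owners)
        cp = configparser.ConfigParser()
        cp.read(path)
        for section in cp.sections():
            merged.setdefault(section, {}).update(cp[section])
    return merged

def demo() -> tuple:
    """Run the loader on a constructed tree; our own uid stands in for root."""
    root = Path(tempfile.mkdtemp())
    me = os.getuid()
    default, glob = root / "usr/share/app/app.ini", root / "etc/app/app.ini"
    user = root / "home/alice/.app/app.ini"
    for p, text in ((default, "[editor]\ntabs = 4\n"),
                    (glob, "[editor]\ntheme = dark\n[net]\nproxy = none\n")):
        p.parent.mkdir(parents=True)
        p.write_text(text)
        p.chmod(0o644)  # admin-owned and world-readable, as packaged files are
    first = load_layered_config(default, glob, user, me, admin_uid=me)
    user.write_text("[editor]\ntabs = 2\n")  # the user edits only their own file
    second = load_layered_config(default, glob, user, me, admin_uid=me)
    glob.chmod(0o666)  # any local user could now plant a "global" setting
    try:
        load_layered_config(default, glob, user, me, admin_uid=me)
        reason = ""
    except UnsafeConfigFile as exc:
        reason = str(exc)
    shutil.rmtree(root)
    return first, second, reason
```

The same ownership and mode test is what lets an administrator lock the global file while leaving the per-user file editable, which is the permissions answer the comment gives.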
  14. The Registry is a single point of failure. by Richard Steiner · · Score: 4, Insightful

    A classic example of poor design.

    By having many different INI files, the loss of one file isn't going to take the whole frigging system out.

    I guess convenience is more important than resiliency to some, but since that's been Microsoft's approach to damn near everything for the past 20 years it doesn't surprise me in the least...

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
  15. Re:Pfft. by Overly Critical Guy · · Score: 3, Insightful

    As someone who writes code and manipulates the registry every day, I for one love it. ...says every malware author on the planet.

    You claim the registry is "100x" more secure and robust but then don't explain why. Permissions? Flat-files have that. Robust? If one flat file goes, the whole thing doesn't corrupt.

    And for the user, you can see, manipulate, and back up your configuration files. Please see OS X. Somehow, it manages without your crappy registry and uses slick XML property lists to do it.

    If the rest of you would prefer to have a million ini files instead of a branching registry, then more power to you.

    Hello, OS X.

    Geez, what's next. Are you going to call up MS and say "The whole idea of SQL databases sucks.. you should change that to a flat file so that I can use my text editor!".

    I hate when people apply one situation to another. No, in the case of application configuration values, a central database isn't ideal. The registry blows, and just because you're one of those militant Windows developers who defends the crumbling Windows architecture doesn't make your loud opinion any more correct. It's not.

    Or go on supporting a design that lets malware bury anything it wants and manipulate the system. A single store of the entire computer's configuration values in one object is completely ridiculous.

    --
    "Sufferin' succotash."
  16. Re:That's a nice enterprise network you have there by compro01 · · Score: 3, Insightful

    i don't trust pay-for antispyware software as it's really easy for a spyware firm to shove an envelope of large bills under the table to a big company and say "ignore our stuff".

    --
    upon the advice of my lawyer, i have no sig at this time
  17. Re:Pfft. by theLOUDroom · · Score: 3, Insightful

    The registry is 100x more secure and robust than a flat file.

    That's nonsense.
    A) The mechanisms protecting the registry are the same type that protect the file system. It's not like the registry encrypts each user's settings individually.

    B) Robust! How!? I want to add tab completion to my command line and I have to risk editing a file that can fubar my whole computer? How is that "robust"? Where are the fucking comments that tell me what this entry is and what it does?

    The registry is a dirty, brittle hack used by lazy programmers like yourself. It's a pain in the ass for end users. Especially those with multiple computers who don't want to manually configure the preferences for every app on each PC they use.

    --
    Life is too short to proofread.