Slashdot Mirror


The Microsoft Protection Racket

bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.

17 of 539 comments (clear)

  1. A Little Creative thinking maybe....?!?! by OneByteOff · · Score: 5, Interesting

    I think the idea is not so much about making money or fixing code, its about offering protection to users of Microsoft Products. If you can protect against vulnerabilities via a software package that allows for Buffer Overflows, Stack Overflows and any common exploit to be detected and blocked, this is far superior then pushing out one or two patches (or 9 this week) to fix a problem.

    Also there are exploits in the wild that are never reported, no disclosure, no fixed code. Thus if you can work around this by offering a software package to protect you, by all means Microsoft should go this route.

    Also why is this retard writing about Security??
    [ quote ] "I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries" [ /quote ]

    Your f'ing joking right?.

  2. Registry versus Config Files by Anonymous Coward · · Score: 3, Interesting

    Remember the good old days when applications stored all of their configuration data in a file like SETTINGS.CFG? You could zip the entire application directory up, unzip it on another machine, and it would run just fine. An uninstall was as simple as erase *.*, cd .., rmdir foocalc.

    Use of the registry to store things that the application needs in order to work makes sense for a number of applications, especially enterprise stuff that needs remote installation and management and system software like firewalls and virus monitors, but there are quite a few user-application kinds of packages that use of the registry makes no sense for.

    For me, an application that doesn't use the registry is a huge plus.

  3. I feel dirty! by miffo.swe · · Score: 4, Interesting

    I can nothing but agree with what Dvorak says, It is pretty disturbing that the company that lets the malware in also charges you money for fixing it. I do not think antivirus is any real solution either but one that comes from Microsofts unwillingness to fix the problem. Thus a void was created wich was filled by other companies. To see Microsoft trying to take over that market is obnoxious. They should have fixed the underlying design problems in Windows that lets all the malware in, not slap a new layer ontop of the old broken one.

    Lets not forget that antivirus has a big problem. For it to recognize a virus someone must first dissect it and then create a signature. If someone would do 1000 versions of the same viruses you still have to dissect them all and create signatures for them. The hole that lets them in is still there and nothing is really fixed. All antivirus really helps against is getting a fix out for a specific virus in the wild until the vendor has time to fix the hole. If the vendor doesnt fix the hole quickly its pretty useless and creates and endless battle.

    The antivirus companies ofcourse like this, and endless revenue stream. When Microsoft enters this market it creates a huge conflict of interest. This is why i agree with Dvorak. Now, im off to take a hot shower and cry trough the night.....

    --
    HTTP/1.1 400
  4. Argh by Alioth · · Score: 4, Interesting

    Argh. Stop posting Dvorak articles! The man is an idiot who doesn't check his facts. He has actually gone out and complained in a column about the System Idle Process taking up 98% of cpu on his Windows machine and making the box thrash.

    His ignorant rantings are not in the least insightful.

  5. Re:Clueless Moron -- Indeed. by Svartalf · · Score: 3, Interesting

    I've long since quit taking Dvorak seriously. He's repeatedly shown himself to be clueless when it comes to these things. But then, you don't need any usable current qualifications in the industry that you're being a pundit for- all you need is an opinion, it seems.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  6. Liability Risk? by Spudnuts · · Score: 4, Interesting

    I wonder whether Microsoft changing their policy to charge for security updates might be a sufficient impetus for their EULA's denial of liability to be thrown out through legislation.

  7. Re:Microsoft addresses Windows security concerns by iotashan · · Score: 5, Interesting

    Microsoft has created a no-win situation for themselves...

    1. Create a subscription security service, and people complain they shouldn't have to pay. Someone call the class-action lawsuit attourneys!
    2. Distribute it freely, and face anti-trust lawsuits from security software makers, and possibly the DOJ, depending on who's in the White House (Who! The guy in the White House. Who? Yes.).

  8. Re:Pfft. by Eccles · · Score: 3, Interesting

    The Registry had some practical benefits, I think, but could have been handled in a better way. As one other use suggested, a virtual registry. It appears as one editable object for use with a reasonable GUI tool, although the actual data is a number of distinct XML encoded files. That way it's easy to copy, to edit, and with OS support, easy for user apps to create, read, and write.

    --
    Ooh, a sarcasm detector. Oh, that's a real useful invention.
  9. Standard Anti-Microsoft Propaganda by Shakes268 · · Score: 3, Interesting

    You know, whenever there is a story with Microsoft stating something about Linux or a writer compares the two and says something more favorable about Microsoft the half-penguin/half-sheep here start crying conspiracy. Countless times an author of a story has been trampled on this site due to past affiliations or past viewpoints. It is fairly obvious that Dvorak is not objective and his points are nothing more than attacks fired at MS and praises aimed at Linux. Show me something completely non-biased.

  10. Re:Pfft. by JustASlashDotGuy · · Score: 4, Interesting

    As someone who write code and manipulates the registry everday, I for one love it. Those who want to take the registry and produce a flat file out of it don't know what they are talking about. The registry is 100x more secure and robust than a flat file.

    If the rest of you would prefer to have a million ini files instead of a branching registry, then more power to you. Because, remember, each key of the registy allows for NTFS permissions. So you would need a seperate file for each key in the registry if you want to allow for the same level of security.

    Geez, what's next. Are you going to call up MS and say "The who idea of SQL databases sucks.. you should change that to a flatfile to so that I can use my text editor!".

    Now yes, the registy has become very bloated. However, the reason is because everyone uses it. It's amazing how that works, isn't it? Big deal. I'd be willing to bet that most of you only use the HKLM\Software key or HKCU\Software key most the time anyway.
    In my book, the registry is glorious. Being able to go to a single database'ish file pull nearly any system setting, many program setting (IE: program versions, install paths, etc), etc makes my life easy. And yes, I'm one of those people that store both plain text and encrypted data in the registry and also uses the NTFS type security to lock down keys in the registy.

    I use the registry to share information between programs and I also use windows PIPE$ calls to relay information between programs. I suppose PIPE calls could be replaced with flat text files too. I suppose it's not long before someone says, 'PIPEs suck... use INI files'.

    If you want to complain about some.. complain about all those annoying balloon pop ups from the system tray. I will agree with you there. Those little balloon tips are annoying. I hate ballons tips... and hippies.

  11. Transparency and Simplicity by Pfhorrest · · Score: 5, Interesting

    Get rid of the notion of "installers" altogether.

    A browser plugin should be a single file that goes in a plugins folder. An application should be a self-contained package that can live anywhere on the system. You shouldn't have to RUN a program to ADD a program to your system - why can the installer program live and run self-contained wherever it is, but other programs have to be 'installed'? Nothing you're installing besides security updates and other OS patches should need to stick files all over the place and modify settings everywhere.

    Get rid of the notion of installers, and you get rid of installers putting malicious stuff on your system. Give the user the program. Let them stick it wherever they want. You've still got a possibility for trojan horses, I suppose, but with proper security they shouldn't be able to write to anything outside of userland without at least a password prompt.

    I guess the point I'm trying to make is, the system should be transparent and simple. When you've got a complex, tangled mess of invisible (files / dependencies / tasks / settings / etc), all hidden behind an "easy" face that's just plastered over the mess, then you're going to hit problems because the "easy" interface isn't really what's going on on the system. Things are hidden and so the user isn't really in control of their system - how can we expect users to be aware of what's going on with their computers when we try so hard to hide it from them? And if you're about to say that the real workings are too complex, users could never understand them - THERE'S YOUR PROBLEM.

    Make the system simple, modular, transparent. Like protected memory - every app runs in its own sandbox and can't write over all the others. Maybe we need some buzzword to make clueless users and equally clueless developers aware of the importance of having "protected file structures" - every app (by which I mean userland things like Word and Photoshop) is its own self-contained package and isn't spewing its shit all over the system. No hidden files, no hidden processes, let users see what's going on, and make what's going on simple enough for them to grok.

    Then and only then can we expect users to be able to avoid social engineering.

    You want a good example of an OS going strongly in this direction, take a look at OS X. And this 'everything-is-self-contained-and-doesn't-spew-shi t-everywhere' concept is a traditional thing in the Mac world. This isn't something new, just something that the mainstream hasn't done. I think it's time, as Mac and Windows have caught up to Unix in the world of protected memory and real multitasking, that Windows and Unix catch up to the Mac in the world of sane and modular file organization structures. (And yes, I'm aware that OSX, being unix-based, shares some of the same messy tangles as unixes, just with a pretty face slapped over it. And yes, that bothers me).

    --
    -Forrest Cameranesi, Geek of all Trades
    "I am Sam. Sam I am. I do not like trolls, flames, or spam."
    1. Re:Transparency and Simplicity by wowbagger · · Score: 3, Interesting

      Installers exist in Windows due to the Component Object Model (COM). An application is *supposed* to be a collection of component objects that can be instantiated by requesting the GUID of the object, rather than explicitly calling an object constructor. You need a mapping between the GUIDs and the DLL embodying the object, and that mapping is stored within the Registry. Were programs truly self-contained directories, there would be no way for, say, Word to say "Hey, I need an Excel object here - give me one", as the system would have no way to locate the DLL and constructor which embodied the Excel object.

      The Bonobo model Gnome uses has a similar problem - how does the Object Request Broker know what shared library to invoke to create an Bonobo object?

      In both cases there has to be *some* centralized repository of UID to library mappings, and as I understand it, that was what the origins of the Windows Registry were.

      However, programmers were encouraged to store other information beyond object mappings in the Registry - like program settings and such.

      However, even were Microsoft to revert all non-"COM mapping" data out of the Registry, the system would still have the problem that if the Registry gets toasted, nobody can find the DLLs for their objects, and thus nothing works.

  12. Dvorak - Security Expert by MobyDisk · · Score: 4, Interesting
    Dvorak shows his ignorance on security in this article.

    Most recently, I forgot to turn off my CUTEftp client and left it running all night...Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me, but it happens all the time.
    This is wrong is so many ways.
    1) CuteFTP is a client not a server. The only way anyone got in through that is by him connecting to a malicious site.
    2) If someone got in through a bug in CuteFTP, it isn't Microsoft's fault.
    3) Typical Windows running as Administrator.
    4) If software has a security problem, it has nothing to do with leaving it on all night. What, does he think he is safe if it is running during the day? Or so long as he is watching it?
    5) "How a burgler climbs in through an open window and steals my money is beyond me, but it happens all the time."

    His registry comment... He sounds like Jerry Seinfeld: "The registry, what's up with that. I mean like, there has to be a better way." With that brilliant thinking, we can eliminate the registry and viruses and spyware will go away. Thanks John!
  13. I hadn't thought of this before. by elgee · · Score: 3, Interesting

    Yes, it may well be unintentional, but MS is certainly running a protection racket. If your local mob extorts money from businesses lest they get an unwelcome visit by enforcers, that is a protection raacket. Pay money or your business will suffer losses.

    If you bought a car and then had to pay extra to keep it from falling apart, you might have some real problems with that.

    No, I am not a real MS basher.

  14. Dorvack is such an idiot by kuriharu · · Score: 3, Interesting
    Sorry to sound so inflammatory, but the man's an idiot. He made stupid comments back on CNET when it was a TV show, and he did it again in this essay. Here's what I mean:

    There is no incentive to fix the code base if it can make additional money selling "protection."

    That's not true at all. Microsoft has all types of incentives, namely competition from alternatives like Linux and Mac OS. But even from a programming standpoint, it makes sense. Virtually all software companies update their software; it makes sense that MS will too. It's foolish and cynical to think they "just don't care", even though I know a lot of people do.

    Not to change the subject, but isn't it about time we junked the entire concept of a "registry?" This concept has been the bane of Windows since its invention. It prevents easy program migration. It creates conflicts. It invites tampering. It's exploited by viruses and spyware. Why does Microsoft insist on continuing its use? There has to be a better way.

    Two points about this:
    1. There is a lot of functionality added by the registry. Yes, it has a curse along with the blessing, but does Dorvack actually think Windows ran better without a registry like it did in 3.1? I think he's just a little behind the times.
    2. How about he actually suggest an alternative? Bashing MS is one thing. How about Dorvack suggest a better way? It's easy to say "Microsoft sucks". How about he come up with a plan on his own?

    This from the man who said "No CD software should cost $50 when it only costs .50 to make a CD"

    Real profound.

  15. Re: "I think the registry makes several mistakes" by Joe5678 · · Score: 3, Interesting

    HKEY_CURRENT_USER is a hive loaded from the NTUSER.DAT file in the user's profile directory. Copy that and you can copy all the settings, probably more settings than you want though. It works for the most part, but it's not a good solution.

  16. Re:Microsoft addresses Windows security concerns by YU+Nicks+NE+Way · · Score: 3, Interesting
    [CuteFTP] never really worked right for me
    That's usually the single best indicator of security issues, you know. If the client doesn't "work right" for you, then it's buggy. If it's buggy, and particularly if it's perceptibly buggy, then it's almost always insecure.