Slashdot Mirror
The Microsoft Protection Racket
bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.
Microsoft Windows - Operating system. Provides resource allocation to underlying computer hardware. Note: No warrantee, no guarantees, may have security issues.
Microsoft Security - Subscription security service. Provides security monitoring of underlying insecure operating system. Note: No warrantee, no guarantees, may have security issues.
The NSA: The only part of the US government that actually listens.
But that's just me.
And yes, I know he isn't the same as the keyboard guy.
I don't get it.
In case you aren't ready when Dvorak makes Al Capone related references: http://en.wikipedia.org/wiki/Frank_Nitti
~jennifer.k~
from the article:
Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software. What do you suggest we replace it with, INI files? What do you suppose we do about the thousands of existing applications that use the registry? How do you suggest we support access controls for individual settings and keys - make a single INI file for each one?
Changes like 'get rid of the registry' are changes you make when you release a new OS, not when you release a service pack. OS X, for example, uses flatfiles to store most (if not all) preferences, but that's something they designed in from the start.
It's pretty annoying how people always suggest blatantly stupid 'solutions' to problems instead of focusing on real fixes like better design and better testing...
using namespace slashdot;
troll::post();
While the views of the pundit may be questionable sometimes, it *is* a conflict of interest to charge fees for protection against your own flaws. Initially I'm sure they will try to continue securing the operating system while considering this service a backstop for users who violate basic common sense. When viewed that way, the extra fees make sense: I haven't had a security *alert* about an attempted infection in many years, mostly because I secure my environ and don't do stupid things. But for those who can't handle such things, and extra fee "security blanket" is acceptable.
In the long run though, if the security software becomes a security blanket for *Microsoft* and basically is a required purchase to host a secure environment despite the security efforts of administers outside such extra fee tools, it would appear to be nothing more than a backdoor to charge annual fees to all those who dare resist the "Software Assurance" garbage. Oh, and them too, just more fees.
Sig under construction since 1998.
He is somewhat correct, if security was a priority these problems wouldn't exist.
However consumers want easy to use and don't care about security. When you don't consider security (your customer doesn't care) and focus only on easy to use you will have an insecure system.
Given the choice most people will choose insecure and easy over secure and less easy. They'll even pay for the difference.
"Nice server room you got there.... It would be a shame if something happened to it."
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I think the idea is not so much about making money or fixing code, its about offering protection to users of Microsoft Products. If you can protect against vulnerabilities via a software package that allows for Buffer Overflows, Stack Overflows and any common exploit to be detected and blocked, this is far superior then pushing out one or two patches (or 9 this week) to fix a problem.
/quote ]
Also there are exploits in the wild that are never reported, no disclosure, no fixed code. Thus if you can work around this by offering a software package to protect you, by all means Microsoft should go this route.
Also why is this retard writing about Security??
[ quote ] "I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries" [
Your f'ing joking right?.
Remember the good old days when applications stored all of their configuration data in a file like SETTINGS.CFG? You could zip the entire application directory up, unzip it on another machine, and it would run just fine. An uninstall was as simple as erase *.*, cd .., rmdir foocalc.
Use of the registry to store things that the application needs in order to work makes sense for a number of applications, especially enterprise stuff that needs remote installation and management and system software like firewalls and virus monitors, but there are quite a few user-application kinds of packages that use of the registry makes no sense for.
For me, an application that doesn't use the registry is a huge plus.
Every product we buy needs long and short term maintenance. Cars need oil, tires, waxing and tinkering under the hood. Software, especially complex operating systems with a ton of third party programs, are no different. As Linux gains features and popularity, it also gains incompatibilities.
Most end users seem to understand and accept some expense that decreases future downtime. Not a single customer of mine refused Microsoft's yearly subscription. Not one refuses to pay my employees' $95/hour invoices for applying all the various first and third party patches.
Back to cars... Does GM repair recalls for free? Sure. But if your new radio doesn't interface with hour Vette, you buy the harness. When Windows is defeated by a new loophole that only occurs from connecting to the web, who's fault is it?
You can always remove your 3rd party radio in your car. Go back to the OEM one. You can stop browsing through AOL using your Intel NIC, get MSN service and only browse MS websites, too.
I've always felt F/OSS users ignore their time value. My personal time is worth $60/hour to me, including rest/sleep. My customers see a return of more valuable time when they pay for maintenance. F/OSS hasn't paid enough of a ROI for me to promote it.
I can nothing but agree with what Dvorak says, It is pretty disturbing that the company that lets the malware in also charges you money for fixing it. I do not think antivirus is any real solution either but one that comes from Microsofts unwillingness to fix the problem. Thus a void was created wich was filled by other companies. To see Microsoft trying to take over that market is obnoxious. They should have fixed the underlying design problems in Windows that lets all the malware in, not slap a new layer ontop of the old broken one.
Lets not forget that antivirus has a big problem. For it to recognize a virus someone must first dissect it and then create a signature. If someone would do 1000 versions of the same viruses you still have to dissect them all and create signatures for them. The hole that lets them in is still there and nothing is really fixed. All antivirus really helps against is getting a fix out for a specific virus in the wild until the vendor has time to fix the hole. If the vendor doesnt fix the hole quickly its pretty useless and creates and endless battle.
The antivirus companies ofcourse like this, and endless revenue stream. When Microsoft enters this market it creates a huge conflict of interest. This is why i agree with Dvorak. Now, im off to take a hot shower and cry trough the night.....
HTTP/1.1 400
Argh. Stop posting Dvorak articles! The man is an idiot who doesn't check his facts. He has actually gone out and complained in a column about the System Idle Process taking up 98% of cpu on his Windows machine and making the box thrash.
His ignorant rantings are not in the least insightful.
Oolite: Elite-like game. For Mac, Linux and Windows
There's really nothing wrong with the foundations at all. The problem has been (1) the shell and its various subsystems (particularly IE), (2) programmer practices, and (3) user practices. Microsoft is of course fully responsible for (1), and, in fairness, security for these is free even to pirates. For (2) and (3), though, while they have encouraged best practices, they have made the decision not to enforce them. Enforcement of best practices, though, would not be IMO a good idea - the user should always have ultimate control over their machine.
If you don't know where you are going, you will wind up somewhere else.
"I enjoy calling Dvorak a blohward with my Dvorak"
I think you need more practice.
Why yes, I AM a rocket scientist!
What's wrong with the registry? Sure there are better ways to do it from an end-user point of view, but you can't blame the registry for all of windows problems. All the registry is is a database of configuration options for applications, system, etc. What would you rather have, a mess of unorganized and inconsistent files in /etc and ~/.appname? In either case, the registry has NOTHING to do with spyware infection. It's merely the underlying system that gets edited once a malicious program gets in. SOMETHING has to contain system and application configuration options, and whatever it is will be called a registry. The actual implementation is irrelevant.
Whatever Dvorak would like to see replace it (notice that he didn't make a suggestion for improvement, just that "there has to be something better") will suffer the same problems as the registry if the security holes allowing unauthorized programs to edit it aren't fixed.
I dislike the puppet intellectual (Dvorak) as much as the next guy, but this time he has done an effective job at restating the obvious.
He does however miss a point near and dear to my heart... that is - the dependency of the OS on these new MS integrated virus and spyware initiatives which will only get worse.
I live behind a firewall. It does a really good job and keeping out most sploits. I also live behind an email server that does a pretty good job at sending executables to the bit-bucket.
It annoys me to no end that IE is so insecure... but it also annoys me every time I boot my machine I get the Your system is insecure message, because I've chosen to disable the MS firewall and antivirus.
Perhaps it will become as irritating as norton, that revalidates itself every other day accross the internet telling me the key I bought last month expired... or having ccapp go crazy burning cpu even when I've disabled virus checking.
Norton is evil. It hooks into all sorts of stuff it shouldn't. Crappy virus ware (that patches file open) can potentially take down/slow down you computer even when its off, or you are disconnected.
So, the real issue, after my rambling, is dependency on this crap by the OS, the grafting *kludge* by which it was implemented, and an unhealthy assumption that every computer is connected to the internet all the time.
/\/\icro/\/\uncher
>> Anyone who suggests 'abandoning the use of the registry'
>> has obviously never written Windows software. What do
>> you suggest we replace it with, INI files?
> Or property lists, yes.
Well, INI files don't scale well; not because they are flat text files, but because the way a hierarchy is modelled in an INI file is inefficient and error prone. Something in the nature of a property list would be quite reasonable.
It is also worth noting that since DotNet, lots of data that used to be in the Registry is now in XML files in the application folder. That's a big part of the XCOPY install feature MS brags about for DotNet.
>> What do you suppose we do about the thousands of existing
>> applications that use the registry?
> Wrappers for the INI/PLIST files that behave like the old
> registry calls.
Perfectly doable.
>> How do you suggest we support access controls for individual
>> settings and keys - make a single INI file for each one?
> Why not?
Well, it isn't strictly necessary to use the Registry to support access controls on keys and settings. As long as the file itself only allows administrator access, the APIs that model the current Registry APIs can implement key and value level security within the file. This would make the files read-only in a text editor for common users; however a simple editor could be created that allows the appropriate access to the individual keys via the APIs.
But INI files aren't appropriately structured for that; XML files would be better, or any number of less-verbose-than-XML text formats.
> OS X does this like a dream, I can take my Library folder with me
> and wham, everything is the way I like it on a new machine. I'm
> sure it would be possible to do something similar on Windows,
> provided I paid $50 for some crappy shareware product.
Well, it wouldn't be a crappy $50 shareware product to virtualize the Registry. Since the APIs are inside ADVAPI32.DLL, and are used during the boot process, it would be a kernel hack; generally more expensive when done third-party. MS could do it safely; third parties would need to worry about MS breaking the hack with an OS update.
I've long since quit taking Dvorak seriously. He's repeatedly shown himself to be clueless when it comes to these things. But then, you don't need any usable current qualifications in the industry that you're being a pundit for- all you need is an opinion, it seems.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I wonder whether Microsoft changing their policy to charge for security updates might be a sufficient impetus for their EULA's denial of liability to be thrown out through legislation.
"Does Microsoft think it is going to get away with charging real money for any sort of add-on service, or new product that protects clients against flaws in its own operating system?"
I encourage this type of arrogance on the part of Microsoft, I would suspect that they would find themselves tied up in another legal battle. In addition, this may be exactly the type of thing that Linux needs.
"Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me.."
This is one of those "features" brought about by the "tight integration" that Microsoft oh-so likes to spout off, the same goes for their "feature rich", "Tightly Integrated" Office Suite!
[regarding the Registry]"Why does Microsoft insist on continuing its use? There has to be a better way."
Another "tightly integrated" feature of the Windows OS, Surely there is a way, maybe when they receive the money for the patch management services, they will fix the problems with the registry.
I really don't know why Microsoft is even worried about it, Isn't it the Coders Fault anyway?
"Why doesn't the company just bite the bullet and bring out various exploitable versions?"
Vista - Wont't Install (BSOD) Edition
Vista - Phisermans Dream Editition (Code Named CHUM)
Vista - Cleaned and Optimized (Linux , Gnome w/Vista Skin)
You know, whenever there is a story with Microsoft stating something about Linux or a writer compares the two and says something more favorable about Microsoft the half-penguin/half-sheep here start crying conspiracy. Countless times an author of a story has been trampled on this site due to past affiliations or past viewpoints. It is fairly obvious that Dvorak is not objective and his points are nothing more than attacks fired at MS and praises aimed at Linux. Show me something completely non-biased.
Get rid of the notion of "installers" altogether.
i t-everywhere' concept is a traditional thing in the Mac world. This isn't something new, just something that the mainstream hasn't done. I think it's time, as Mac and Windows have caught up to Unix in the world of protected memory and real multitasking, that Windows and Unix catch up to the Mac in the world of sane and modular file organization structures. (And yes, I'm aware that OSX, being unix-based, shares some of the same messy tangles as unixes, just with a pretty face slapped over it. And yes, that bothers me).
A browser plugin should be a single file that goes in a plugins folder. An application should be a self-contained package that can live anywhere on the system. You shouldn't have to RUN a program to ADD a program to your system - why can the installer program live and run self-contained wherever it is, but other programs have to be 'installed'? Nothing you're installing besides security updates and other OS patches should need to stick files all over the place and modify settings everywhere.
Get rid of the notion of installers, and you get rid of installers putting malicious stuff on your system. Give the user the program. Let them stick it wherever they want. You've still got a possibility for trojan horses, I suppose, but with proper security they shouldn't be able to write to anything outside of userland without at least a password prompt.
I guess the point I'm trying to make is, the system should be transparent and simple. When you've got a complex, tangled mess of invisible (files / dependencies / tasks / settings / etc), all hidden behind an "easy" face that's just plastered over the mess, then you're going to hit problems because the "easy" interface isn't really what's going on on the system. Things are hidden and so the user isn't really in control of their system - how can we expect users to be aware of what's going on with their computers when we try so hard to hide it from them? And if you're about to say that the real workings are too complex, users could never understand them - THERE'S YOUR PROBLEM.
Make the system simple, modular, transparent. Like protected memory - every app runs in its own sandbox and can't write over all the others. Maybe we need some buzzword to make clueless users and equally clueless developers aware of the importance of having "protected file structures" - every app (by which I mean userland things like Word and Photoshop) is its own self-contained package and isn't spewing its shit all over the system. No hidden files, no hidden processes, let users see what's going on, and make what's going on simple enough for them to grok.
Then and only then can we expect users to be able to avoid social engineering.
You want a good example of an OS going strongly in this direction, take a look at OS X. And this 'everything-is-self-contained-and-doesn't-spew-sh
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
1) CuteFTP is a client not a server. The only way anyone got in through that is by him connecting to a malicious site.
2) If someone got in through a bug in CuteFTP, it isn't Microsoft's fault.
3) Typical Windows running as Administrator.
4) If software has a security problem, it has nothing to do with leaving it on all night. What, does he think he is safe if it is running during the day? Or so long as he is watching it?
5) "How a burgler climbs in through an open window and steals my money is beyond me, but it happens all the time."
His registry comment... He sounds like Jerry Seinfeld: "The registry, what's up with that. I mean like, there has to be a better way." With that brilliant thinking, we can eliminate the registry and viruses and spyware will go away. Thanks John!
Yes, it may well be unintentional, but MS is certainly running a protection racket. If your local mob extorts money from businesses lest they get an unwelcome visit by enforcers, that is a protection raacket. Pay money or your business will suffer losses.
If you bought a car and then had to pay extra to keep it from falling apart, you might have some real problems with that.
No, I am not a real MS basher.
A classic example of poor design.
By having many different INI files, the loss of one file isn't going take the whole frigging system out.
I guess convenience is more important than resiliency to some, but since that's been Microsoft's approach to damn near everything for the past 20 years it doesn't surprise me in the least...
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
There is no incentive to fix the code base if it can make additional money selling "protection."
That's not true at all. Microsoft has all types of incentives, namely competition from alternatives like Linux and Mac OS. But even from a programming standpoint, it makes sense. Virtually all software companies update their software; it makes sense that MS will too. It's foolish and cynical to think they "just don't care", even though I know a lot of people do.
Not to change the subject, but isn't it about time we junked the entire concept of a "registry?" This concept has been the bane of Windows since its invention. It prevents easy program migration. It creates conflicts. It invites tampering. It's exploited by viruses and spyware. Why does Microsoft insist on continuing its use? There has to be a better way.
Two points about this:
1. There is a lot of functionality added by the registry. Yes, it has a curse along with the blessing, but does Dorvack actually think Windows ran better without a registry like it did in 3.1? I think he's just a little behind the times.
2. How about he actually suggest an alternative? Bashing MS is one thing. How about Dorvack suggest a better way? It's easy to say "Microsoft sucks". How about he come up with a plan on his own?
This from the man who said "No CD software should cost $50 when it only costs .50 to make a CD"
Real profound.
HKEY_CURRENT_USER is a hive loaded from the NTUSER.DAT file in the user's profile directory. Copy that and you can copy all the settings, probably more settings than you want though. It works for the most part, but it's not a good solution.
Later versions of CuteFTP supposedly don't contain Aureate. Supposedly. You may or may not believe them. Better to not use CuteFTP, any other Globalscape product, any Aureate/Radiate product, or any product that ever contained Aureate. Here's a old list of programs known to contain Aureate.
Aureate changed its name to Radiate. In 2001, they settled a class action over privacy issues.
Radiate tried again with "Go!Zilla". Some versions of Go!Zilla have adware and/or spyware. The current makers of GoZilla claim "The current Go!Zilla software contains no advertising. There are several older, out-of-date versions of Go!Zilla which contain advertising from 3rd parties." But then they say "Go!Zilla will make certain partner software programs available to you during the Go!Zilla trial version's installation. These products are not necessary to the function of Go!Zilla, and you may decide if wish to install them. Make sure you read the installation prompts carefully to insure you get the best installation for you. Each partner program has its own privacy policy, and Go!Zilla is careful to screen partners for product quality and responsible privacy policies."
Or, in other words, "we're going to load up your machine with adware if you're not very, very careful during the install."
Aureate/Radiate appears to be defunct. Unclear whether they went bankrupt, were acquired, or are on the lam.
AdAware can be helpful if your system is infected with Aureate/Radiate, although it may not find attacks downloaded via the security holes.
For more details about Aureate, Radiate, and CuteFTP, click here (long .pdf).
i don't trust pay-for antispyware software as it's really easy for a spyware firm to shove an envelope of large bills under the table to a big company and say "ignore our stuff".
upon the advice of my lawyer, i have no sig at this time
blohward, n: 1; An archaic term used to describe one who frequenly wonders how a hole in the ground ended up in the middle of his ass. 2; The lead ship in John Austin's legendary journey around Hudson Bay, wherin a realiable process for the vulcanization of rubber was discovered.
He was probably using definition 1.
You appearently are not familiar with Dvorak or his writing. He is definately NOT a linux zealot and he always writes like that. I've been reading his articles for 15 years and he almost always makes me laugh at least once per article. This one was no exception.
Nope. He's not a troll or a zealot. He's just another pissed off user who's not afraid to tell the hard truth.