Slashdot Mirror


The Microsoft Protection Racket

bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.

36 of 539 comments

  1. Microsoft addresses Windows security concerns by It doesn't come easy · · Score: 5, Insightful

    Microsoft Windows - Operating system. Provides resource allocation to underlying computer hardware. Note: No warranty, no guarantees, may have security issues.
    Microsoft Security - Subscription security service. Provides security monitoring of underlying insecure operating system. Note: No warranty, no guarantees, may have security issues.

    --
    The NSA: The only part of the US government that actually listens.
    1. Re:Microsoft addresses Windows security concerns by iotashan · · Score: 5, Interesting

      Microsoft has created a no-win situation for themselves...

      1. Create a subscription security service, and people complain they shouldn't have to pay. Someone call the class-action lawsuit attorneys!
      2. Distribute it freely, and face anti-trust lawsuits from security software makers, and possibly the DOJ, depending on who's in the White House (Who! The guy in the White House. Who? Yes.).

    2. Re:Microsoft addresses Windows security concerns by null etc. · · Score: 4, Insightful
      > This is where Dvorak lost all credibility. He is obviously not qualified to speak on the subject of operating system security.

      Oh yeah? Is he approaching this issue from the viewpoint of a security expert? No, he's approaching it from the perspective of a typical person (it might be your mother, or father).

      Personally, I could not tolerate any of Dvorak's articles. But I have to admit his recent ones are starting to get much more on-topic (as opposed to his older lunatic rants, proclaiming that Microsoft would go out of business in 10 years, etc.)

    3. Re:Microsoft addresses Windows security concerns by Pxtl · · Score: 4, Insightful

      I don't think that any anti-trust suits have been brought to them for their security fixes. The point is that _security_ should be there already, and fixes for security should be free because they basically sold you something that didn't work otherwise.

      Meanwhile, bundling in software that competes with competitors with the expressed purpose of putting them out of business (note how MS software stagnates the moment the competitor is gone) is a whole different story.

    4. Re:Microsoft addresses Windows security concerns by wernercd · · Score: 4, Insightful

      yup. because everyone knows experts know everything about all programs and never make mistakes.

    5. Re:Microsoft addresses Windows security concerns by RobinH · · Score: 5, Insightful

      > Ultimately, all monolithic, and particularly authoritarian human endeavors FAIL! Microsoft seems to be amongst that group, and I question if they can escape it easily.

      Yeah, that whole Apollo program was a complete failure, wasn't it? Or the Manhattan Project? Or building any modern skyscraper? Or any serious engineering project of our time? They all fail miserably, don't they.

      What is the alternative to authoritarian human endeavors? There were several X-prize contenders that tried to use a more open-source, everybody pitches in, communism type approach, and they were all bested by Burt Rutan.

      And stop calling Microsoft a failure. It's the opposite of failure, obviously. Are you just trying to troll?

      --
      "I have never let my schooling interfere with my education." - Mark Twain
  2. I enjoy calling Dvorak a blohward with my Dvorak by Anonymous Coward · · Score: 5, Funny

    But that's just me.

  3. Oh noes, Dvorak! by rob_squared · · Score: 4, Funny
    I love your keyboards, but I trust a drunk man's predictions of the tech market more than I do yours.

    And yes, I know he isn't the same as the keyboard guy.

    --
    I don't get it.
  4. That's a nice enterprise network you have there... by tenzig_112 · · Score: 5, Funny
    It'd be a real shame if something happened to it.
    from the article:

    REDMOND, WA- For years Windows users have lived under a blanket of fear, constantly checking their computers for malicious programs that take advantage of critical security flaws in the operating system lest they lose their hardware, their data, or even their identities. Thankfully those days might soon be over thanks to a new subscription service aimed at cleaning up Microsoft's mess. Even better, this new utility comes from the most trusted name in computing: Microsoft.

    In truth, anti-spyware and anti-virus programs flood the market already, but they all share a common flaw: they're free. With freeware it is difficult, if not impossible, for consumers to know if it's really working. Experts say it takes a financial sting to make the software's real value apparent. While it would certainly be innovative for Microsoft to charge for the freely available service, the forward-thinking software company is not content to stop there. They plan to ask customers to pay for these features every year.
  5. Pfft. by JanusFury · · Score: 5, Informative

    Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software. What do you suggest we replace it with, INI files? What do you suppose we do about the thousands of existing applications that use the registry? How do you suggest we support access controls for individual settings and keys - make a single INI file for each one?

    Changes like 'get rid of the registry' are changes you make when you release a new OS, not when you release a service pack. OS X, for example, uses flatfiles to store most (if not all) preferences, but that's something they designed in from the start.

    It's pretty annoying how people always suggest blatantly stupid 'solutions' to problems instead of focusing on real fixes like better design and better testing...

    --
    using namespace slashdot;
    troll::post();
    1. Re:Pfft. by MightyMartian · · Score: 4, Insightful

      And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time, and it sure makes down-and-dirty administration ten times easier. The registry editor is a f**cking nightmare compared to your favorite text editor and *.conf or *.rc. Security is handled through the file system. The registry was a bad idea from the get-go, but you're right, Microsoft's incompetence will be with us until the world finally tells Redmond to take their crappy operating system and shove it.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Pfft. by MightyMartian · · Score: 4, Insightful

      It's better because you can use a frickin text editor. The settings are discrete and can be easily copied. When I move my account to a different *nix box, I just zip up my configs, unzip them on the new account, and maybe, if locations are different, do a bit of tweaking. I've had the same damn .pinerc file for four years now. It's easy to archive, easy to restore and easy to alter. The registry is a pain to back up, can be really ugly to restore and alteration requires a stinking idiotic registry editor.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Pfft. by mugnyte · · Score: 4, Insightful

      The registry and analogous flat file data stores try to achieve the same goals. I think the registry makes several mistakes:

        - Consolidating all settings into one proprietary data store. This imposes a new security mechanism over that of simple file access. This unique data store does nothing by itself to "secure" the data, it's just a box. One can lock the entire box but simple users do effect changes in the registry.

        - INI files are plaintext versions of some sort of file. Their manipulation could be by hand (trad *nix style), or employ one of several storage syntax mediums (XML being one) which allows general tools to work across the items.

        - File-based security on INI files is stronger, and more easily managed with existing tools, than key-based security on the hive-based registry entries. Combining with journaling/versioning, INI files hold more depth than a registry (which has to import/export to a file-based representation to achieve this).

        - Line-item security on INI files is not as strong, hence the danger people have in by-hand editing. This can be overcome using a syntax that allows for tool-based editing, where then INI files expose their keys, and a security table holds a File/Key/Role association.

        - Shared INI files for library management (aka COM) have the same write-contention issues as the registry, so no differences there. GAC-style libraries are directory-based, which seems to lend evidence that both file and registry stores for libraries are based done higher up in the file system.

    4. Re:Pfft. by jsight · · Score: 4, Informative

      > And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time, and it sure makes down-and-dirty administration ten times easier.


      Unless, of course, you are a Gnome user, in which case you get GConf. What is GConf? Well, it's a nice implementation of a registry. :)
    5. Re:Pfft. by badriram · · Score: 4, Insightful

      Both systems blow, and just as equally. It is the difference between any centralized and distributed system.

      Centralized
          Clean standard
          less flexibility
          single point of failure
          better security (advanced ACL support, not every app has its own parser)
          OS maintained
          Terrible portability

      Distributed
          no standard exists
          more flexibility
          no single point of failure
          weaker security (it is either put in user or etc, you do not have an option of put in etc but allow just this setting for users)
          App maintained
          Easy portability

      Best solution is to use both and let app decide
          but a nightmare for sys admins

    6. Re:Pfft. by JustASlashDotGuy · · Score: 4, Interesting

      As someone who writes code and manipulates the registry every day, I for one love it. Those who want to take the registry and produce a flat file out of it don't know what they are talking about. The registry is 100x more secure and robust than a flat file.

      If the rest of you would prefer to have a million ini files instead of a branching registry, then more power to you. Because, remember, each key of the registry allows for NTFS permissions. So you would need a separate file for each key in the registry if you want to allow for the same level of security.

      Geez, what's next. Are you going to call up MS and say "The whole idea of SQL databases sucks.. you should change that to a flatfile too so that I can use my text editor!".

      Now yes, the registry has become very bloated. However, the reason is because everyone uses it. It's amazing how that works, isn't it? Big deal. I'd be willing to bet that most of you only use the HKLM\Software key or HKCU\Software key most the time anyway.
      In my book, the registry is glorious. Being able to go to a single database'ish file pull nearly any system setting, many program settings (IE: program versions, install paths, etc), etc makes my life easy. And yes, I'm one of those people that store both plain text and encrypted data in the registry and also uses the NTFS type security to lock down keys in the registry.

      I use the registry to share information between programs and I also use windows PIPE$ calls to relay information between programs. I suppose PIPE calls could be replaced with flat text files too. I suppose it's not long before someone says, 'PIPEs suck... use INI files'.

      If you want to complain about some.. complain about all those annoying balloon pop ups from the system tray. I will agree with you there. Those little balloon tips are annoying. I hate balloon tips... and hippies.

    7. Re:Pfft. by Speare · · Score: 5, Funny
      > I've had the same damn .pinerc file for four years now.

      Son, I got a .emacs file that's older than you and most of your friends.

      --
      [ .sig file not found ]
    8. Re:Pfft. by DaveJay · · Score: 4, Insightful

      You have to remember, the main purpose of the registry is to obscure information, not to make it easy to find and edit. Software makers want to be able to put autostart hooks, serial numbers and other such nonsense on the computers, and Microsoft gives them what they want. If you put everything in an .ini file, users would be able to find it and control it, which is exactly what software manufacturers don't want (in most cases).

      They can get rid of the registry once they have "Trusted Computing" in place, as they'll easily be able to drop application information into encrypted files that the user has no way of breaking into.

    9. Re:Pfft. by Rasta Prefect · · Score: 4, Insightful
      > And where is it stored? ~/.app? ~/.app/.settings? /etc/app? /etc/app/settings? /etc/app/settings.xml?

      Global settings go in /etc. Per-User settings go under the home directory. The default per-user settings are stored in /usr/share and copied in the first time the program is run. Wow, that was hard wasn't it?

      See the way Apple has done this. Global app settings in /Library, personal App settings in ~user/Library. When I used to do desktop support (50/50 mix of OS X and Windows) all we had to do when we moved a user to a different machine was image it and copy their home directory. Easy as pie, takes about 10 minutes of my time. Wow, once again it was really hard to answer that "where does it go" question.

      Gotta save a user's settings when moving them to a different Windows install (usually because the student's laptop was so spyware ridden it was easier to just reformat)? Let the nightmare begin!

      Trying to reinstall a hosed application that won't uninstall properly? Let's just see you try to track down all those registry keys. On a Mac or Linux you just remove the rc file or plist.

      > And what is the format of said INI file?

      Once again, see Apple's plists. XML all the way, with tools to manipulate them if you don't like your text editor.

      > And what do the permissions need to be for the app to run? And what do the permissions need to be for a sane security approach.

      Users their own config settings. If you want to restrict access to global config settings, just don't give them access to the config file. If you don't want them to run the program, don't give them read and execute permissions on the app itself. There are other operating systems out there besides Windows, and they've already solved these problems. In the case of Unix, about 20 years ago. I've done Unix, Apple and Microsoft desktop administration, and while the Unix and Apple solutions do have a few quirks (Apple's system doesn't really have many), the Registry is by far the most broken and the biggest PITA.

      --
      Why?
  6. Conflict of interest by Godeke · · Score: 4, Insightful

    While the views of the pundit may be questionable sometimes, it *is* a conflict of interest to charge fees for protection against your own flaws. Initially I'm sure they will try to continue securing the operating system while considering this service a backstop for users who violate basic common sense. When viewed that way, the extra fees make sense: I haven't had a security *alert* about an attempted infection in many years, mostly because I secure my environ and don't do stupid things. But for those who can't handle such things, an extra fee "security blanket" is acceptable.

    In the long run though, if the security software becomes a security blanket for *Microsoft* and basically is a required purchase to host a secure environment despite the security efforts of administrators outside such extra fee tools, it would appear to be nothing more than a backdoor to charge annual fees to all those who dare resist the "Software Assurance" garbage. Oh, and them too, just more fees.

    --
    Sig under construction since 1998.
  7. I can see it now.... by 8127972 · · Score: 5, Funny

    "Nice server room you got there.... It would be a shame if something happened to it."

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  8. A Little Creative thinking maybe....?!?! by OneByteOff · · Score: 5, Interesting

    I think the idea is not so much about making money or fixing code, it's about offering protection to users of Microsoft Products. If you can protect against vulnerabilities via a software package that allows for Buffer Overflows, Stack Overflows and any common exploit to be detected and blocked, this is far superior than pushing out one or two patches (or 9 this week) to fix a problem.

    Also there are exploits in the wild that are never reported, no disclosure, no fixed code. Thus if you can work around this by offering a software package to protect you, by all means Microsoft should go this route.

    Also why is this retard writing about Security??
    [ quote ] "I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries" [ /quote ]

    You're f'ing joking, right?

    1. Re:A Little Creative thinking maybe....?!?! by bradkittenbrink · · Score: 5, Funny

      > Also why is this retard writing about Security??

      He's not writing about security, he's writing about Microsoft security. He's obviously fully qualified.

  9. I feel dirty! by miffo.swe · · Score: 4, Interesting

    I can do nothing but agree with what Dvorak says. It is pretty disturbing that the company that lets the malware in also charges you money for fixing it. I do not think antivirus is any real solution either but one that comes from Microsoft's unwillingness to fix the problem. Thus a void was created which was filled by other companies. To see Microsoft trying to take over that market is obnoxious. They should have fixed the underlying design problems in Windows that lets all the malware in, not slap a new layer on top of the old broken one.

    Let's not forget that antivirus has a big problem. For it to recognize a virus someone must first dissect it and then create a signature. If someone would do 1000 versions of the same viruses you still have to dissect them all and create signatures for them. The hole that lets them in is still there and nothing is really fixed. All antivirus really helps against is getting a fix out for a specific virus in the wild until the vendor has time to fix the hole. If the vendor doesn't fix the hole quickly it's pretty useless and creates an endless battle.

    The antivirus companies of course like this, an endless revenue stream. When Microsoft enters this market it creates a huge conflict of interest. This is why I agree with Dvorak. Now, I'm off to take a hot shower and cry through the night.....

    --
    HTTP/1.1 400
  10. Argh by Alioth · · Score: 4, Interesting

    Argh. Stop posting Dvorak articles! The man is an idiot who doesn't check his facts. He has actually gone out and complained in a column about the System Idle Process taking up 98% of cpu on his Windows machine and making the box thrash.

    His ignorant rantings are not in the least insightful.

  11. Re:Maybe he has a point by amliebsch · · Score: 4, Insightful

    There's really nothing wrong with the foundations at all. The problem has been (1) the shell and its various subsystems (particularly IE), (2) programmer practices, and (3) user practices. Microsoft is of course fully responsible for (1), and, in fairness, security for these is free even to pirates. For (2) and (3), though, while they have encouraged best practices, they have made the decision not to enforce them. Enforcement of best practices, though, would not be IMO a good idea - the user should always have ultimate control over their machine.

    --
    If you don't know where you are going, you will wind up somewhere else.
  12. Re:I enjoy calling Dvorak a blohward with my Dvora by Moofie · · Score: 5, Funny

    "I enjoy calling Dvorak a blohward with my Dvorak"

    I think you need more practice.

    --
    Why yes, I AM a rocket scientist!
  13. Registry is the problem? by Se7enLC · · Score: 5, Insightful

    What's wrong with the registry? Sure there are better ways to do it from an end-user point of view, but you can't blame the registry for all of Windows' problems. All the registry is is a database of configuration options for applications, system, etc. What would you rather have, a mess of unorganized and inconsistent files in /etc and ~/.appname? In either case, the registry has NOTHING to do with spyware infection. It's merely the underlying system that gets edited once a malicious program gets in. SOMETHING has to contain system and application configuration options, and whatever it is will be called a registry. The actual implementation is irrelevant.

    Whatever Dvorak would like to see replace it (notice that he didn't make a suggestion for improvement, just that "there has to be something better") will suffer the same problems as the registry if the security holes allowing unauthorized programs to edit it aren't fixed.

  14. Replacing the Registry with flat files by QuestorTapes · · Score: 4, Informative

    >> Anyone who suggests 'abandoning the use of the registry'
    >> has obviously never written Windows software. What do
    >> you suggest we replace it with, INI files?

    > Or property lists, yes.

    Well, INI files don't scale well; not because they are flat text files, but because the way a hierarchy is modelled in an INI file is inefficient and error prone. Something in the nature of a property list would be quite reasonable.

    It is also worth noting that since DotNet, lots of data that used to be in the Registry is now in XML files in the application folder. That's a big part of the XCOPY install feature MS brags about for DotNet.

    >> What do you suppose we do about the thousands of existing
    >> applications that use the registry?

    > Wrappers for the INI/PLIST files that behave like the old
    > registry calls.

    Perfectly doable.

    >> How do you suggest we support access controls for individual
    >> settings and keys - make a single INI file for each one?

    > Why not?

    Well, it isn't strictly necessary to use the Registry to support access controls on keys and settings. As long as the file itself only allows administrator access, the APIs that model the current Registry APIs can implement key and value level security within the file. This would make the files read-only in a text editor for common users; however a simple editor could be created that allows the appropriate access to the individual keys via the APIs.

    But INI files aren't appropriately structured for that; XML files would be better, or any number of less-verbose-than-XML text formats.

    > OS X does this like a dream, I can take my Library folder with me
    > and wham, everything is the way I like it on a new machine. I'm
    > sure it would be possible to do something similar on Windows,
    > provided I paid $50 for some crappy shareware product.

    Well, it wouldn't be a crappy $50 shareware product to virtualize the Registry. Since the APIs are inside ADVAPI32.DLL, and are used during the boot process, it would be a kernel hack; generally more expensive when done third-party. MS could do it safely; third parties would need to worry about MS breaking the hack with an OS update.
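
The design sketched in the comment above (a settings file only the administrator can open, with an API enforcing key-level access), together with the File/Key/Role table mugnyte describes earlier in the thread, as an added example that is not code from any poster or from Microsoft. The `SettingsBroker` class, the `admin`/`users` roles, the key paths and the sample values are all hypothetical, and the sketch assumes the broker runs in a privileged process so ordinary callers cannot open the file directly.

```python
import json
import os
import tempfile

ADMIN = "admin"  # hypothetical built-in role that bypasses the ACL table


class AccessDenied(Exception):
    """Raised when a role lacks the requested right on a key."""


class SettingsBroker:
    """Hypothetical settings API: one owner-only file, per-key ACL checks."""

    def __init__(self, path):
        self.path = path
        if not os.path.exists(path):
            self._save({"values": {}, "acl": {}})

    def _load(self):
        with open(self.path, "r", encoding="utf-8") as fh:
            return json.load(fh)

    def _save(self, doc):
        # mkstemp creates the file owner-only (0600); the rename makes the
        # update atomic, so readers never see a half-written store.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(doc, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)

    @staticmethod
    def _lineage(key):
        # "a/b/c" -> ["a/b/c", "a/b", "a"], most specific first
        parts = key.split("/")
        return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

    def _check(self, doc, role, key, right):
        if role == ADMIN:
            return
        for node in self._lineage(key):
            rights = doc["acl"].get(node, {}).get(role)
            if rights is not None:      # nearest entry for this role wins
                if right in rights:
                    return
                break
        raise AccessDenied(f"{role} may not {right} {key}")  # default deny

    def grant(self, caller, key, role, rights):
        if caller != ADMIN:
            raise AccessDenied("only admin may edit the ACL table")
        doc = self._load()
        doc["acl"].setdefault(key, {})[role] = sorted(rights)
        self._save(doc)

    def get(self, role, key):
        doc = self._load()
        self._check(doc, role, key, "read")
        return doc["values"][key]

    def set(self, role, key, value):
        doc = self._load()
        self._check(doc, role, key, "write")
        doc["values"][key] = value
        self._save(doc)


def demo():
    """Run a constructed scenario and return the observed outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "settings.json")
        b = SettingsBroker(path)
        # Constructed sample data
        b.set(ADMIN, "Software/Editor/FontSize", 10)
        b.set(ADMIN, "Software/Editor/UpdateUrl", "https://updates.example.invalid")
        b.set(ADMIN, "Software/Other/Serial", "CONSTRUCTED-0000")
        # Users may read the whole Editor subtree but write only FontSize
        b.grant(ADMIN, "Software/Editor", "users", ["read"])
        b.grant(ADMIN, "Software/Editor/FontSize", "users", ["read", "write"])

        b.set("users", "Software/Editor/FontSize", 14)
        out["font_size"] = b.get("users", "Software/Editor/FontSize")
        out["inherited_read"] = b.get("users", "Software/Editor/UpdateUrl")
        for label, action in (
            ("write_denied", lambda: b.set("users", "Software/Editor/UpdateUrl", "x")),
            ("default_deny", lambda: b.get("users", "Software/Other/Serial")),
            ("acl_edit_denied", lambda: b.grant("users", "Software", "users", ["write"])),
        ):
            try:
                action()
                out[label] = False
            except AccessDenied:
                out[label] = True
        out["update_url_after"] = b.get(ADMIN, "Software/Editor/UpdateUrl")
        out["file_mode"] = os.stat(path).st_mode & 0o777
    return out


if __name__ == "__main__":
    print(demo())
```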

  15. Liability Risk? by Spudnuts · · Score: 4, Interesting

    I wonder whether Microsoft changing their policy to charge for security updates might be a sufficient impetus for their EULA's denial of liability to be thrown out through legislation.

  16. Thank you Bill May I have another!? by pgnas · · Score: 4, Funny

    "Does Microsoft think it is going to get away with charging real money for any sort of add-on service, or new product that protects clients against flaws in its own operating system?"

    I encourage this type of arrogance on the part of Microsoft, I would suspect that they would find themselves tied up in another legal battle. In addition, this may be exactly the type of thing that Linux needs.

    "Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me.."

    This is one of those "features" brought about by the "tight integration" that Microsoft oh-so likes to spout off, the same goes for their "feature rich", "Tightly Integrated" Office Suite!

    [regarding the Registry]"Why does Microsoft insist on continuing its use? There has to be a better way."

    Another "tightly integrated" feature of the Windows OS, Surely there is a way, maybe when they receive the money for the patch management services, they will fix the problems with the registry.

    I really don't know why Microsoft is even worried about it, Isn't it the Coder's Fault anyway?

    "Why doesn't the company just bite the bullet and bring out various exploitable versions?"

    Vista - Won't Install (BSOD) Edition
    Vista - Phisherman's Dream Edition (Code Named CHUM)
    Vista - Cleaned and Optimized (Linux , Gnome w/Vista Skin)


  17. Transparency and Simplicity by Pfhorrest · · Score: 5, Interesting

    Get rid of the notion of "installers" altogether.

    A browser plugin should be a single file that goes in a plugins folder. An application should be a self-contained package that can live anywhere on the system. You shouldn't have to RUN a program to ADD a program to your system - why can the installer program live and run self-contained wherever it is, but other programs have to be 'installed'? Nothing you're installing besides security updates and other OS patches should need to stick files all over the place and modify settings everywhere.

    Get rid of the notion of installers, and you get rid of installers putting malicious stuff on your system. Give the user the program. Let them stick it wherever they want. You've still got a possibility for trojan horses, I suppose, but with proper security they shouldn't be able to write to anything outside of userland without at least a password prompt.

    I guess the point I'm trying to make is, the system should be transparent and simple. When you've got a complex, tangled mess of invisible (files / dependencies / tasks / settings / etc), all hidden behind an "easy" face that's just plastered over the mess, then you're going to hit problems because the "easy" interface isn't really what's going on on the system. Things are hidden and so the user isn't really in control of their system - how can we expect users to be aware of what's going on with their computers when we try so hard to hide it from them? And if you're about to say that the real workings are too complex, users could never understand them - THERE'S YOUR PROBLEM.

    Make the system simple, modular, transparent. Like protected memory - every app runs in its own sandbox and can't write over all the others. Maybe we need some buzzword to make clueless users and equally clueless developers aware of the importance of having "protected file structures" - every app (by which I mean userland things like Word and Photoshop) is its own self-contained package and isn't spewing its shit all over the system. No hidden files, no hidden processes, let users see what's going on, and make what's going on simple enough for them to grok.

    Then and only then can we expect users to be able to avoid social engineering.

    You want a good example of an OS going strongly in this direction, take a look at OS X. And this 'everything-is-self-contained-and-doesn't-spew-shit-everywhere' concept is a traditional thing in the Mac world. This isn't something new, just something that the mainstream hasn't done. I think it's time, as Mac and Windows have caught up to Unix in the world of protected memory and real multitasking, that Windows and Unix catch up to the Mac in the world of sane and modular file organization structures. (And yes, I'm aware that OSX, being unix-based, shares some of the same messy tangles as unixes, just with a pretty face slapped over it. And yes, that bothers me).

    --
    -Forrest Cameranesi, Geek of all Trades
    "I am Sam. Sam I am. I do not like trolls, flames, or spam."
  18. Dvorak - Security Expert by MobyDisk · · Score: 4, Interesting
    Dvorak shows his ignorance on security in this article.

    > Most recently, I forgot to turn off my CUTEftp client and left it running all night...Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me, but it happens all the time.

    This is wrong in so many ways.
    1) CuteFTP is a client not a server. The only way anyone got in through that is by him connecting to a malicious site.
    2) If someone got in through a bug in CuteFTP, it isn't Microsoft's fault.
    3) Typical Windows running as Administrator.
    4) If software has a security problem, it has nothing to do with leaving it on all night. What, does he think he is safe if it is running during the day? Or so long as he is watching it?
    5) "How a burglar climbs in through an open window and steals my money is beyond me, but it happens all the time."

    His registry comment... He sounds like Jerry Seinfeld: "The registry, what's up with that. I mean like, there has to be a better way." With that brilliant thinking, we can eliminate the registry and viruses and spyware will go away. Thanks John!
  19. The Registry is a single point of failure. by Richard Steiner · · Score: 4, Insightful

    A classic example of poor design.

    By having many different INI files, the loss of one file isn't going to take the whole frigging system out.

    I guess convenience is more important than resiliency to some, but since that's been Microsoft's approach to damn near everything for the past 20 years it doesn't surprise me in the least...

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
  20. No, sadly, CuteFTP contains exploitable adware by Animats · · Score: 4, Informative
    Unfortunately, some versions of CuteFTP contain the Aureate adware client. Aureate is an entry point for attacks. "It is able to secretly download and cause Windows to execute any arbitrary program into the unsuspecting user's computer". ... ""phones home" every single time you use your web browser" ... "can, at their whim, accept and download any file into your system named "update-dll.exe" and then arrange for Windows to run this unknown program" ... "is trivial to "redirect" so that instead of phoning home to one of Aureate's servers, it connects to any other arbitrary server on the Internet." ... "They will always be responsible for sneaking 22 million copies of buggy and frightfully insecure spyware into the world's Windows PCs."

    Later versions of CuteFTP supposedly don't contain Aureate. Supposedly. You may or may not believe them. Better to not use CuteFTP, any other Globalscape product, any Aureate/Radiate product, or any product that ever contained Aureate. Here's an old list of programs known to contain Aureate.

    Aureate changed its name to Radiate. In 2001, they settled a class action over privacy issues.

    Radiate tried again with "Go!Zilla". Some versions of Go!Zilla have adware and/or spyware. The current makers of GoZilla claim "The current Go!Zilla software contains no advertising. There are several older, out-of-date versions of Go!Zilla which contain advertising from 3rd parties." But then they say "Go!Zilla will make certain partner software programs available to you during the Go!Zilla trial version's installation. These products are not necessary to the function of Go!Zilla, and you may decide if wish to install them. Make sure you read the installation prompts carefully to insure you get the best installation for you. Each partner program has its own privacy policy, and Go!Zilla is careful to screen partners for product quality and responsible privacy policies."

    Or, in other words, "we're going to load up your machine with adware if you're not very, very careful during the install."

    Aureate/Radiate appears to be defunct. Unclear whether they went bankrupt, were acquired, or are on the lam.

    AdAware can be helpful if your system is infected with Aureate/Radiate, although it may not find attacks downloaded via the security holes.

    For more details about Aureate, Radiate, and CuteFTP, click here (long .pdf).

  21. Re:I enjoy calling Dvorak a blohward with my Dvora by cloudmaster · · Score: 4, Funny

    blohward, n: 1; An archaic term used to describe one who frequently wonders how a hole in the ground ended up in the middle of his ass. 2; The lead ship in John Austin's legendary journey around Hudson Bay, wherein a reliable process for the vulcanization of rubber was discovered.

    He was probably using definition 1.