The Microsoft Protection Racket

bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.

Microsoft addresses Windows security concerns

[It+doesn't+come+easy]

Microsoft Windows - Operating system. Provides resource allocation to underlying computer hardware. Note: No warrantee, no guarantees, may have security issues.
Microsoft Security - Subscription security service. Provides security monitoring of underlying insecure operating system. Note: No warrantee, no guarantees, may have security issues.

Re:Microsoft addresses Windows security concerns

[iotashan]

Microsoft has created a no-win situation for themselves...

1. Create a subscription security service, and people complain they shouldn't have to pay. Someone call the class-action lawsuit attourneys!
2. Distribute it freely, and face anti-trust lawsuits from security software makers, and possibly the DOJ, depending on who's in the White House (Who! The guy in the White House. Who? Yes.).

Re:Microsoft addresses Windows security concerns

[RobinH]

Ultimately, all monolithic, and particularly authoritarian human endeavors FAIL! Microsoft seems to be amongst that group, and I question if they can escape it easily.

Yeah, that whole apollo program was a complete failure wasn't it? Or the manhattan project? Or building any modern skyscraper? Or any serious engineering project of our time? They all fail miserably, don't they.

What is the alternative to authoritarian human endeavors? There were several X-prize contenders that tried to use a more open-source, everybody pitches in, communism type approach, and they were all bested by Burt Rutan.

And stop calling Microsoft a failure. It's the opposite of failure, obviously. Are you just trying to troll?

I enjoy calling Dvorak a blohward with my Dvorak

But that's just me.

That's a nice enterprise network you have there...

[tenzig_112]

It'd be a real shame if something happened to it.
from the article:

REDMOND, WA- For years Windows users have lived under a blanket of fear, constantly checking their computers for malicious programs that take advantage of critical security flaws in the operating system lest they lose their hardware, their data, or even their identities. Thankfully those days might soon be over thanks to a new subscription service aimed at cleaning up Microsoft's mess. Even better, this new utility comes from the most trusted name in computing: Microsoft.

In truth, anti-spyware and anti-virus programs flood the market already, but they all share a common flaw: they're free. With freeware it is difficult, if not impossible, for consumers to know if it's really working. Experts say it takes a financial sting to make the software's real value apparent. While it would certainly be innovative for Microsoft to charge for the freely available service, the forward-thinking software company is not content to stop there. They plan to ask customers to pay for these features every year.

Pfft.

[JanusFury]

Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software. What do you suggest we replace it with, INI files? What do you suppose we do about the thousands of existing applications that use the registry? How do you suggest we support access controls for individual settings and keys - make a single INI file for each one?

Changes like 'get rid of the registry' are changes you make when you release a new OS, not when you release a service pack. OS X, for example, uses flatfiles to store most (if not all) preferences, but that's something they designed in from the start.

It's pretty annoying how people always suggest blatantly stupid 'solutions' to problems instead of focusing on real fixes like better design and better testing...

Re:Pfft.

[Speare]

I've had the same damn .pinerc file for four years now.

Son, I got a .emacs file that's older than you and most of your friends.

I can see it now....

[8127972]

"Nice server room you got there.... It would be a shame if something happened to it."

A Little Creative thinking maybe....?!?!

[OneByteOff]

I think the idea is not so much about making money or fixing code, its about offering protection to users of Microsoft Products. If you can protect against vulnerabilities via a software package that allows for Buffer Overflows, Stack Overflows and any common exploit to be detected and blocked, this is far superior then pushing out one or two patches (or 9 this week) to fix a problem.

Also there are exploits in the wild that are never reported, no disclosure, no fixed code. Thus if you can work around this by offering a software package to protect you, by all means Microsoft should go this route.

Also why is this retard writing about Security??
[ quote ] "I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries" [ /quote ]

Your f'ing joking right?.

Re:A Little Creative thinking maybe....?!?!

[bradkittenbrink]

Also why is this retard writing about Security??

He's not writing about security, he's writing about Microsoft security. He's obviously fully qualified.

Re:I enjoy calling Dvorak a blohward with my Dvora

[Moofie]

"I enjoy calling Dvorak a blohward with my Dvorak"

I think you need more practice.

Registry is the problem?

[Se7enLC]

What's wrong with the registry? Sure there are better ways to do it from an end-user point of view, but you can't blame the registry for all of windows problems. All the registry is is a database of configuration options for applications, system, etc. What would you rather have, a mess of unorganized and inconsistent files in /etc and ~/.appname? In either case, the registry has NOTHING to do with spyware infection. It's merely the underlying system that gets edited once a malicious program gets in. SOMETHING has to contain system and application configuration options, and whatever it is will be called a registry. The actual implementation is irrelevant.

Whatever Dvorak would like to see replace it (notice that he didn't make a suggestion for improvement, just that "there has to be something better") will suffer the same problems as the registry if the security holes allowing unauthorized programs to edit it aren't fixed.

Transparency and Simplicity

[Pfhorrest]

Get rid of the notion of "installers" altogether.

A browser plugin should be a single file that goes in a plugins folder. An application should be a self-contained package that can live anywhere on the system. You shouldn't have to RUN a program to ADD a program to your system - why can the installer program live and run self-contained wherever it is, but other programs have to be 'installed'? Nothing you're installing besides security updates and other OS patches should need to stick files all over the place and modify settings everywhere.

Get rid of the notion of installers, and you get rid of installers putting malicious stuff on your system. Give the user the program. Let them stick it wherever they want. You've still got a possibility for trojan horses, I suppose, but with proper security they shouldn't be able to write to anything outside of userland without at least a password prompt.

I guess the point I'm trying to make is, the system should be transparent and simple. When you've got a complex, tangled mess of invisible (files / dependencies / tasks / settings / etc), all hidden behind an "easy" face that's just plastered over the mess, then you're going to hit problems because the "easy" interface isn't really what's going on on the system. Things are hidden and so the user isn't really in control of their system - how can we expect users to be aware of what's going on with their computers when we try so hard to hide it from them? And if you're about to say that the real workings are too complex, users could never understand them - THERE'S YOUR PROBLEM.

Make the system simple, modular, transparent. Like protected memory - every app runs in its own sandbox and can't write over all the others. Maybe we need some buzzword to make clueless users and equally clueless developers aware of the importance of having "protected file structures" - every app (by which I mean userland things like Word and Photoshop) is its own self-contained package and isn't spewing its shit all over the system. No hidden files, no hidden processes, let users see what's going on, and make what's going on simple enough for them to grok.

Then and only then can we expect users to be able to avoid social engineering.

You want a good example of an OS going strongly in this direction, take a look at OS X. And this 'everything-is-self-contained-and-doesn't-spew-shi t-everywhere' concept is a traditional thing in the Mac world. This isn't something new, just something that the mainstream hasn't done. I think it's time, as Mac and Windows have caught up to Unix in the world of protected memory and real multitasking, that Windows and Unix catch up to the Mac in the world of sane and modular file organization structures. (And yes, I'm aware that OSX, being unix-based, shares some of the same messy tangles as unixes, just with a pretty face slapped over it. And yes, that bothers me).