EU And Microsoft Clash Over Vista Security
An anonymous reader wrote to mention coverage of further clashes between Microsoft and the EU, this time over security in Windows Vista. Microsoft is 'urging' the EU to allow all of the security elements of Vista to remain intact. The EU seems to be under the impression it's not asking for security to be lax; it just wants the software company to ensure a fair playing field for all businesses. From the Newsday article: "European Union officials warned Microsoft Corp. on Tuesday not to shut out rivals in the security software market as the company plans to launch its Windows Vista operating system with built-in protection from hackers and malicious programs. EU spokesman Jonathan Todd told reporters that the European Commission is 'ready to give guidance to Microsoft' concerning Vista but added that it was up to the U.S. software maker 'to accept and implement its responsibilities as a near monopolist to ensure full compliance' with EU competition rules."
The solution to me seems to be the approach used in Linux, BSD, whatever. Fully document the security APIs, or command-line tools to configure the security aspects. Let other vendors write their GUIs for controlling security, such as firewalling, using that API. Let people pick the tool that fits their needs best, while all providing the same type of security through the OS.
You can use whatever firewall you want, both in software and hardware. You can use whatever virus scanner you want, both software and hardware. When Vista pops up with the security center it doesn't even focus on Microsoft products - your first choices are compatible third party products.
So what is the point of all of this?
The other security implementations would be like asking Unix to allow replacement of Sudo, root and user permissions and replace it with a third party app that would just give you what you were wanting to begin with in the first place.
They don't want to make Vista less secure, they just want to avoid that MS starts to integrate more and more 'features' neatly tied together as so-called 'security'. E.g. further integration of the MS firewall in Vista, possible integration of anti-virus software in Vista. Because MS is still walking the same path as before, and doing the same as before (Netscape, anyone?). So it might be better to warn MS from the beginning, than to react when the damage has been done.
It's hard to say what should be inherent in the OS and what shouldn't. However, most forms of computer security should be inherent to the OS and not part of some third-party solution. For instance, I want my OS to be resistant to running arbitrary code and be able to give me control over and info about programs and processes that are running on my computer. If I have to get third party support to do those things the OS is failing me.
You are reading a copy of my copyrighted post.
This was brought up by someone in another discussion in a different context, but I think it applies equally well to Microsoft's current problems with the EU.
If they would simply modularize many of the components that come with Windows, they might wriggle out of a lot of legal troubles.
For example: I go to install Windows from scratch. On the installation screen, I get a list of components...
[x] Windows OS (base system, required)
[_] Internet Explorer
[_] Windows Security Center
[_] MS Firewall
[_] MS Antivirus
[_] MS Anti-Malware
etc.
I can check any of these things that I like, and they'll be included in the installation. For OEM installs, they could just include everything by default.
Most importantly, make them removable through Add/Remove Programs, so that if I decide at a later date that I no longer need a feature, I can uninstall it completely.
Suddenly a lot of the monopolistic legal troubles get much less worrisome for Redmond. EU worried about MS including Anti-Virus or Firewall? No problem, make them un-checked in the default install. Leave them on the disc, and make them freely available for download at the MS website to make it abundantly clear that they're a free service.
Not that I expect them to do any of this of course, but it would certainly help reduce the amount of resentment that many people feel towards them, even from their own users.
When MS ships its products with its own security software (antivirus, intrusion detection), the market will shrink dramatically. None of the competitors would have a chance to sell its products to private and small business customers. And I think we all know what happens when there is no more competition in the free market. The quality goes down the drain.
BTW. This would end in a monoculture of security-products by MS, and monoculture makes the whole infrastructure extremely vulnerable to real big or well organized attacks.
The logical conclusion of the European Commission is that Microsoft should not incorporate these security features in Vista.
To make sense of this decision, you have to remember that the European Union was based, as far as the economy is concerned, on the idea of "fair competition" meaning that monopolies should be banned, and major companies (or states) cannot squeeze smaller competitors out of a market. Whether the squeeze is due to state protectionism, unfair tariffs or a dominant position -- which is the case here -- is irrelevant.
So, yes, it sounds ridiculous and bureaucratic at first sight, but it makes economic sense. And it may even provide better products in the end (I don't trust Microsoft products anyway).
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
They are trying to push MS into a no win situation.
A) MS doesn't include as complete and inclusive security as possible. This leaves the doors open for third party security developers, it also leaves the door open to the OS for malevolent people who will take advantage of the fact that many people won't think to add a product later for security.
B) MS includes all the security they can, possibly making it so that people don't need third party software for security. BAM new anti-trust action because they aren't being fair to people who made a living covering bad MS security architecture in a previous version and aren't being given an equally bad architecture to help "protect" for a profit this go around.
People complain that MS releases insecure OS products, then complain when they want to include more security features?!? bah
I won't even get into how Apple is bundling everything they can under the sun into OS X when the same actions by MS would be tantamount to kicking the interwebs dog.
I'm a fiscal conservative, it's a pity we don't have a political party anymore
Just because this request to ensure a "level playing field" is focused on security makes it no less valid than if it were aimed at other elements integrated into the operating system.
I agree that if Microsoft is integrating security products into its Vista operating system that would enable it to enter markets where it has not got a large hold (i.e. anti-virus - where it is the main driver but not the main supplier...) and by virtue of its desktop OS monopoly becoming dominant in that market, then that's wrong. Especially if these integrated products are add-ons masquerading as core operating system components.
It would be fine if Microsoft ensured that their operating system was sufficiently secure not to require any additional software, but not to include a load of features in the operating system that ensures its system security software becomes dominant.
If it wants to sell these bits separately (reduce the cost of the OS and sell the security bits as additional extras) that's all fine too, then those of us who use the OS can choose - but let's make it clear that selling a Vista version with them in and one without at the same price is the same as integrating them in the first place....
This becomes an even bigger issue if the Microsoft security products / components are written to take advantage of elements of the OS that other providers cannot gain access to (either due to lack of documentation or through some other means). That would give rise to the same interoperability issues as we have seen previous lawsuits attempt to resolve.
In short, if MS want to secure their OS that's great; if they want to simply wipe out any external security providers to gain an extra revenue stream in the future (by say later charging for the components initially included for free), or become dominant in that area so as to play down security vulnerabilities in their products, that's not. After all, would you buy your antivirus from the same guys who seem incapable of preventing their OS being susceptible in the first place?
Last point - if Microsoft are in the business of supplying both the OS and the security software (and additional services such as OneCare) doesn't that leave a rather nasty potential conflict of interest?
From what I have been reading, Microsoft is designing Vista in such a way as to make it difficult for products that compete with whatever token security schemes Microsoft is planning to foist upon its hapless user base to be installed and/or run properly. Microsoft should make any and all APIs necessary to implement alternative (read: better) security solutions for Vista public. If it doesn't, I think it is fair to say that Microsoft is once again using proprietary standards/code to stifle the competition. That seems like a clear anti-trust violation, given Microsoft's technically undeserved but nonetheless practical monopoly of the commercial desktop PC operating system market.
Like most things that Microsoft touts as benefiting the user (think Windows Genuine (Dis)Advantage, DRM, and the "recommended" options on various configuration pages), whatever so-called security Microsoft puts into Vista will undoubtedly profit Microsoft first and the user as a mere afterthought, assuming that Microsoft can think up a good marketing gimmick to scare users into paying for it.
I'm still planning on not wasting money on yet another overpriced, underperforming piece of Microsoft Buggy Bloatware, namely Vista. Ubuntu Linux is working well for me and doesn't seem to suffer from the gaping security holes most major Microsoft products (Windows, Office, and IE) are infamous for.
I must admit that Microsoft has a lot of nerve, trying to exclude competitors from cleaning up the security disaster that Vista is expected to be, so that it can make users dumb enough to buy Vista also pay through the nose to fix flaws that wouldn't be there if Microsoft sold quality programs in the first place.
"You're young, you're drunk, you're in bed, you have knives; shit happens." -- Angelina Jolie
Bear in mind that the EU isn't saying that Microsoft can't include security software in Windows Vista. What they're saying is that MS can't include it in such a way as to exclude competitors. For example, take a firewall. If MS integrates their firewall into the network stacks at the physical-code level so that no other firewall can take over, that's not allowed. However, if MS adds hooks to their network stacks to allow other modules/drivers to tap in and filter packet traffic, and then implements their firewall completely using those hooks and makes it so you can replace the loading of MS's firewall modules with a third-party firewall's modules, that's perfectly fine. And for anyone who says this can't be done, I'd point out that Linux and *BSD implement their firewalls in exactly that manner so obviously it can be done.
The EU doesn't 'want' anything. All this is about is making MS follow the same law that every company and citizen of the EU has to follow, a law which boils down to "If you happen to have a monopoly in one product, you cannot use that monopoly position to gain an unfair advantage in other areas."
Microsoft have consistently broken this law in many fields, and the EU justice system has been amazingly lenient with the company for many years.
A pizza of radius z and thickness a has a volume of pi z z a
No one is stopping Vista from implementing user access controls or other mechanisms to lock the leaky OS down. What they are objecting to is MS muscling into the firewall, antivirus, antispyware markets by installing or offering to install Windows Defender, preferentially promoting Windows Defender or using undocumented APIs in Windows Defender to make it run better than the competition. No doubt BitLocker and other aspects of security could also be considered as preferentially pushing MS tech to the detriment of an existing market.
Gentoo solves this problem with virtual packages that fill generic slots. For example, I have to have a system logger installed, but there are a variety of loggers to choose from.
It's really not all that hard to make an application display an informative error message. I've done it lots of times. :-) But let's suppose the default behavior when a player isn't installed, is just to silently fail and not play anything (actually, I have to admit that from my perspective as a user, this is probably the most desirable behavior when it's embedded inside of a non-video-dedicated app, such as a web browser). The support call goes like this:
User: "my video doesn't play."
Support: "Go to control panels, blah blah, and look at what it says next to 'video player'"
User: "It says 'not installed'"
Support: "Ok, insert your Windows CD and..."
or..
User: "Next to video player, it says 'Foosoft Mediablitz'"
Support: "Ok, you'll need to call Foosoft for support with their product. Or I can talk you through installing our own video player, if you have your Windows CD."
That doesn't sound too nightmarish to me.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I'm not a fan of Microsoft, hell I'm not even neutral to 'em, and I live in the EU (Wish I didn't because importing stuff is a bitch and they keep trying to take our pound away... but that's another story). Microsoft accidentally created this market through bad coding and this gave rise to the big security players. The tech community routinely bludgeons M$ about the bad security in its products and as it takes steps to counter its own bad coding and poor security issues in the past it gets slapped with an anti-trust suit. It's a no-win situation for Microsoft. It created the market so how is it monopolistic to take it away by fixing problems?
Look at the facts.
MS want their own security production, they do not in any way want to let someone else in, why?
The next generation of DRM depends on this, depends very highly on MS being the only one who can authenticate drivers.
Provided MS can say "Only we can approve drivers", now MS can block out all those "third-party" applications such as Daemon Tools, that allows you to run a CD from your hard drive, or those applications that can record movies or DVDs.
This is the reality, if you like it or not, the implications go far beyond "other security companies".
By these companies not being able to tap into the API, it gives MS a way to lock out everything from the OS they don't want. What don't they want? Anything that can copy a DVD, CD, video, music, HD streams with the "do not save" flag. This allows them to lock down your computer to do as they see fit, all in the name of "security".
Let's get real here people - The security "API" that MS has is what keeps DRM firmly embedded in the operating system. Allowing a third party control over what drivers can and can not be installed allows users to write those applications they so much hate.
This isn't about "security", this is about "FairPlay".
OSX is no different, everything is integrated (except AV) and the user isn't expected to go and hunt down any 3rd party firewall software.
Ah, but OSX allows you to install 3rd party firewalls. Currently I'm using a PC with Windows and I use ZoneAlarm for my firewall. However I plan on getting a MacBook Pro and am looking for a firewall that offers me the same controls as ZoneAlarm does, for Macs. If Zone Labs offered one for Macs then I would get it. Apple doesn't lock me into using their firewall which I've heard is exactly what MS is trying to do with Vista. While I'm glad MS is finally paying attention to security I don't like their anticompetitive stances.
Falcon
Should there be a Law?
The security market should dry up as soon as Microsoft creates an operating system that doesn't need it-- not when they create one that won't allow for it.