Slashdot Mirror
EU And Microsoft Clash Over Vista Security
An anonymous reader wrote to mention coverage of further clashes between Microsoft and the EU, this time over security in Windows Vista. Microsoft is 'urging' the EU to allow all of the security elements of Vista to remain intact. The EU seems to be under the impression it's not asking for security to be lax; it just wants the software company to ensure a fair playing field for all businesses. From the Newsday article: "European Union officials warned Microsoft Corp. on Tuesday not to shut out rivals in the security software market as the company plans to launch its Windows Vista operating system with built-in protection from hackers and malicious programs. EU spokesman Jonathan Todd told reporters that the European Commission is "ready to give guidance to Microsoft" concerning Vista but added that it was up to the U.S. software maker 'to accept and implement its responsibilities as a near monopolist to ensure full compliance' with EU competition rules."
The solution to me seems to be the approach used in linux, bsd, whatever. Fully document the security APIs, or command-line tools to configure the security aspects. Let other vendors write their GUIs for controlling security, such as firewalling, using that API. Let people pick the tool that fits their needs best, while all providing the same type of security through the OS.
"When Microsoft failed to meet Commission requirements, the EU executive fined the company another 281 million euros (about $350 million) this summer. "
All I want to know is when we get our 2*281 million euros?
If you divide that by the population of Europe you get about 3 euros each, that's enough for at least a beer each.
You can use whatever firewall you want, both in software and hardware. You can use whatever virus scanner you want, both software and hardware. When vista pops up with the security center it doesn't even focus on Microsoft products - your first choice are compatible third party products.
So what is the point of all of this?
The other security implementations would be like asking Unix to allow replacement of Sudo, root and user permissions and replace it with a third party app that would just give you want you were wanting to begin with in the first place.
What lame articles. Neither one says what the hell the thing being bundled is, other than "security" as though security could possibly be a product or module.
Ok, one of the articles made a brief mention of a firewall. Is all this noise about something as mundane as a software firewall?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It's hard to say what should be inherent in the OS and what shouldn't. However, most forms of computer security should be inherent to the OS and not part of some third-party solution. For instance, I want my OS to be resistant to running arbitrary code and be able to give me control over and info about programs and processess are running on my computer. If I have to get third party support to do those things the OS is failing me.
You are reading a copy of my copyrighted post.
This was brought up by someone in another discussion in a different context, but I think it applies equally well to Microsoft's current problems with the EU.
If they would simply modularize many of the components that come with Windows, they might wriggle out of a lot of legal troubles.
For example: I go to install Windows from scratch. On the installation screen, i get a list of components...
[x] Windows OS (base system, required)
[_] Internet Explorer
[_] Windows Security Center
[_] MS Firewall
[_] MS Antivirus
[_] MS Anti-Malware
etc.
I can check any of these things that i like, and they'll be included in the installation. For OEM installs, they could just include everything by default.
Most importantly, make them removable through Add/Remove Programs, so that if i decide at a later date that I no longer need a feature, i can uninstall it completely.
Suddenly a lot of the monopolistic legal troubles get much less worrisome for Redmond. EU worried about MS including Anti-Virus or Firewall? No problem, make them un-checked in the default install. Leave them on the disc, and make them freely available for download at the MS website to make it abundantly clear that they're a free service.
Not that I expect them to do any of this of course, but it would certainly help reduce the amount of resentment that many people feel towards them, even from their own users.
When MS ships it's products with it's own security software
(antivirus, intrusion detection, ), the market will shrink
dramatically. No one of the competitioners would have a chance
to sell it's products to private ans small buisness customers.
And i think we all know what happens when there is no more
competition at the free market. The quality goes down the drain.
BTW. This would end in a monoculture of security-products
by MS, and monoculture makes the whole infrastructure
extremely vulnerable for real big or well organized attacks.
Microsoft spends most of its time producing new OS features in collaboration with other vendors. DRM, drivers, APIs all designed to make MS OSes work better with the rest of the products people will buy. That takes much longer, and more code, than the rest of the OS does.
But its "security" features are MS only. Of course that must be to protect the MS "near monopoly", always its #1 priority. Since the security market is neither very profitable nor already dominated by MS, I expect that their "security" also protects revealing other serious defects of the OS. Whether more monopoly protection, unnecessary security problems, or just bad coding. Therefore I don't see Microsoft opening those facilities for the EU before Vista is released, if ever.
--
make install -not war
The logical conclusion of the European Commission is that Microsoft should not incorporate these security features in Vista.
To make sense of this decision, you have to remember that the European Union was based, as far as the economy is concerned, on the idea of "fair competition" meaning that monopolies should be banned, and major companies (or states) cannot squeeze smaller competitors out of a market. Whether the squeeze is due to state protectionism, unfair tariffs or a dominant position -- which is the case here -- is irrelevant.
So, yes, it sounds ridiculous and bureaucratic at first sight, but it makes economic sense. And it may even provide better products in the end (I don't trust Microsoft products anyway).
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
They are trying to push MS into a no win situation.
A) MS doesn't include as complete and inclusive security as possible. This leaves the doors open for third party security developers, it also leaves the door open to the OS for malevolent people who will take advantage of the fact that many people won't think to add a product later for security.
B) MS includes all the security they can, possibly making it so that people don't need third party software for security. BAM new anti-trust action because they aren't being fair to people who made a living covering bad MS security architecture in a previous version and aren't being given an equally bad architecture to help "protect" for a profit this go around.
People complain that MS releases insecure OS products, then complain when they want to include more security features?!? bah
I won't even get into how Apple is bundling everything they can under the sun into OS X when the same actions by MS would be tantamount to kicking the interwebs dog.
I'm a fiscal conservative, it's a pity we don't have a political party anymore
Just because this request to ensure a "level playing field" is focused on security makes it no less valid than if it were aimed at other elements integrated into the operating system.
I Agree that i microsoft is integrating security products into its vista operating system that would enable it to enter markets where it has not got a large hold (i.e. Anti virus - where it is the main driver but not the main supplier...) and by virtue of its desktop OS monopoly becoming dominant in that market, then thats wrong. Especially if these integrated products are add ons masquerading as core operating system components.
It would be fine if Microsoft ensured that their Operating system was sufficiently secure not to require any additional software, but not to include a load of features in the operating system that ensures its system security sotware becomes dominant.
If it wants to sell these bits seperatley (reduce the cost of the OS and sell the security bits as additional extras) thats all fine too then those of us who use the OS can choose - but lets make it clear that selling a vista version with them in and one without at the same price is the same as integrating them in the first place....
This becomes an even bigger issue if the Microsoft Security products / components are written to take advantage of elements of the OS that other providers cannot gain access to (either due to lack of documentation or through some other means). That would give rise to the same interoperability issues as we have seen previous law suits attempt to resolve.
In short if MS want to secure their OS thats great, if they want to simply wipe out any external security providers to gain an extra revenue stream in the future (by say later charging for the components initially included for free), or become dominant in that area so as to play down securty vulnerabilities in their products thats not. After all would you buy your antivirus from the same guys who seem incapable of preventing their OS being succeptable in the first place?
Last point - If microsoft are in the business of supplying both the OS and the security software (and additional services such as one care) doesnt that leave a rather nasty potential conflict of interest?
From what I have been reading, Microsoft is designing Vista in such a way as to make it difficult for products that compete with whatever token security schemes Microsoft is planning to foist upon its hapless user base to be installed and/or run properly. Microsoft should make any and all APIs necessary to implement alternative (read: better) security solutions for Vista public. If it doesn't, I think it is fair to say that Microsoft is once again using proprietary standards/code to stifle the competition. That seems like a clear anti-trust violation, given Microsoft's technically undeserved but nonetheless practical monopoly of the commercial desktop PC operating system market.
Like most things that Microsoft touts as benefiting the user (think Windows Genuine (Dis)Advantage, DRM, and the "recommended" options on various configuration pages), whatever so-called security Microsoft puts into Vista will undoubtedly profit Microsoft first and the user as a mere afterthought, assuming that Microsoft can think up a good marketing gimmick to scare users into paying for it.
I'm still planning on not wasting money on yet another overpriced, under performing piece of Microsoft Buggy Bloatware, namely Vista. Ubuntu Linux is working well for me and doesn't seem to suffer from the gaping security holes most major Microsoft products (Windows, Office, and IE) are infamous for.
I must admit that Microsoft has a lot of nerve, trying to exclude competitors from cleaning up the security disaster that Vista is expected to be, so that it can make users dumb enough to buy Vista also pay through the nose to fix flaws that wouldn't be there if Microsoft sold quality programs in the first place.
"You're young, you're drunk, you're in bed, you have knives; shit happens." -- Angelina Jolie
Bear in mind that the EU isn't saying that Microsoft can't include security software in Windows Vista. What they're saying is that MS can't include it in such a way as to exclude competitors. For example, take a firewall. If MS integrates their firewall into the network stacks at the physical-code level so that no other firewall can take over, that's not allowed. However, if MS adds hooks to their network stacks to allow other modules/drivers to tap in and filter packet traffic, and then implements their firewall completely using those hooks and makes it so you can replace the loading of MS's firewall modules with a third-party firewall's modules, that's perfectly fine. And for anyone who says this can't be done, I'd point out that Linux and *BSD implement their firewalls in exactly that manner so obviously it can be done.
Me, I think this is a knee jerk reaction to the complaining that security software companies have been doing lately. Your post sums it up, EU sees this as another potential "embrace and extend" scenario when they read the bitching by Symantec/McAfee, etc., and starts beating the drum.
To be honest, it seems like most of the features MS is trying to put in, while long overdue, aren't features that are meant to cut out security companies. They're meant to secure the OS like it should have been from the beginning. Cutting out the security companies is more of a byproduct IMO.
The EU doesn't 'want' anything. All this is about is making MS follow the same law that every company and citizen of the EU has to follow, a law which boils down to "If you happen to have a monopoly in one product, you cannot use that monopoly position to gain an unfair advantage in other areas."
Microsoft have consistently broken this law an many fields, and the EU justice system has been amazingly lenient with the company for many years.
A pizza of radius z and thickness a has a volume of pi z z a
So I watched the /. community and European Union argue how insecure Windows is and how bad that is, and then I watched them argue how Windows is unjustly implementing security and shutting out competition. Obviously, Microsoft cannot win, ever.
Sometimes I think the world is just full of dumb-asses. (sounds like a Jack Handy quote)
No one is stopping Vista from implementing user access controls or other mechanisms to lock the leaky OS down. What they are objecting to are MS muscling into the firewall, antivirus, antispyware markets by installing or offering to install Windows Defender, preferentially promoting Windows Defender or using undocumented APIs in Windows Defender to make it run better than the competition. No doubt Bitlocker and other aspects of security could also be considered as preferentially pushing MS tech to the detriment of an existing market.
It seems as though Microsoft is / will have it's security products built into Vista, and will most likely build them into the TCP/IP stack at some level. Here is what most people seem to be ignoring here, and it's pretty simple.
d =l1o2uFAj23U~/
As it always has been, you can choose to use or disable any part of any feature in Windows. As it sits now with RC1, you can enable / disable features at will. Wireless networking configuration is built into Windows XP, but as everybody here knows who has a wireless network device of some sort, upon driver / software installation, that application takes over the duties of the Windows feature, usually by default. I don't know why anybody would have a reason to think that this would be any different from having a firewall in the OS, which, at the request of the user (by way of installation) gets replaced by some other product. We'll leave the discussion about inferiority for another time.
People really should stop talking about a feature of Vista as if its sure to be some set in stone incumberance, and it most likely will not be.
Oh, but it's built into TCP/IP! Anybody here ever installed the Novell client in Windows? Ever see what it does to your network protocols? Microsoft has said time and time again that it is keeping with backwards compatibility, are we naive enough to think that this won't include clients, protocols, craptastic software firewalls and anti-virus-viruses? Not so much. For those of you that need to experience a Novell client install for yourselves, go ahead. It's uninstallable. http://download.novell.com/SummaryFree.jsp?buildi
Windows has more viruses because linux has more virus coders.
But is it in the best interest of the public to cripple the security of an OS because a market around bugs has cropped up? Is it in the best interest of the people to remove security out of a product so that they individuals will have to turn around and buy something? Seems pretty darn insane if you ask me.
However, the major security companies have already found ways to hack round all this to make their products work - and if they can, so can malicious people. So what's the point in having it? It just makes the security companies have to spend more money, increasing the cost to the user in most cases. That's about it.
Gentoo solves this problem with virtual packages that fill generic slots. For example, I have to have a system logger installed, but there are a variety of loggers to choose from.
It's really not all that hard to make an application display an informative error message. I've done it lots of times. :-) But let's suppose the default behavior when a player isn't installed, is just to silently fail and not play anything (actually, I have to admit that from my perspective as a user, this is probably the most desirable behavior when it's embedded inside of a non-video-dedicated app, such as a web browser). The support call goes like this:
User: "my video doesn't play."
Support: "Go to control panels, blah blah, and look at what it says next to 'video player'"
User: "It says 'not installed'"
Support: "Ok, insert your Windows CD and..."
or..
User: "Next to video player, it says 'Foosoft Mediablitz'"
Support: "Ok, you'll need to call Foosoft for support with their product. Or I can talk you through installing our own video player, if you have your Windows CD."
That doesn't sound too nightmarish to me.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Have you done user support for the average user? If anything isn't precisely how they expect it's a pretty major problem. You have to remember that this would incur a rather large cost of MS as they'd need to provide the phone operators to take all these calls and they really couldn't get away with charging for them. Well that opens up a new problem in that people will start calling about support issues that aren't related. The way it works with support is that if you are on the phone, anything and everything is your fault. That's just how the mindset is. HD failure? They'll call MS and say Windows is broken.
The help problem, in particular, would be a doozy. Should MS have to redo their entire help system just so you can remove IE? That seems rather stupid.
Also where does it end? I mean when you get right down to it, the explorer UI isn't necessary, even Win32 isn't necessary. You can strip things like that out in the embedded version of Windows. However everything stops working. Should MS be forced to provide only a kernel?
What it comes down to is most people don't want a minimal OS like Linux, where the kernel is the only included part and everything else is optional. They want an enriched OS that provides things for them. You can see the same thing with MacOS. Is Quicktime necessary? No, but pulling it out removes OS-X's ability to display any video. Is Aqua necessary? No, but people really don't want a CLI.
MS and Apple provide enriched OSes and there's nothing wrong with that and for normal users it's not something they should change. If you want a minimalist OS, use Linux.
OSX is no different, everything is integrated (except AV) and the user isn't expected to go and hunt down any 3rd party firewall software.
Ah, but OSX allows you to install 3rd party firewalls. Currently I'm using a PC with Windows and I use ZoneAlarm for my firewall. However I plan on getting a MacBook pro and am looking for a firewall that offers me the same controls as ZoneAlarm does, for Macs. If Zone Labs offered one for Macs then I would get it. Apple doesn't lock me into using their firewall which I've heard is exactly what MS is trying to do with Vista. While I'm glad MS is finally paying attention to security I don't like their anticompetitive stances.
FalconShould there be a Law?
The security market should dry up as soon as Microsoft creates an operating system that doesn't need it-- not when they create one that won't allow for it.