Slashdot Mirror
EU And Microsoft Clash Over Vista Security
An anonymous reader wrote to mention coverage of further clashes between Microsoft and the EU, this time over security in Windows Vista. Microsoft is 'urging' the EU to allow all of the security elements of Vista to remain intact. The EU seems to be under the impression it's not asking for security to be lax; it just wants the software company to ensure a fair playing field for all businesses. From the Newsday article: "European Union officials warned Microsoft Corp. on Tuesday not to shut out rivals in the security software market as the company plans to launch its Windows Vista operating system with built-in protection from hackers and malicious programs. EU spokesman Jonathan Todd told reporters that the European Commission is "ready to give guidance to Microsoft" concerning Vista but added that it was up to the U.S. software maker 'to accept and implement its responsibilities as a near monopolist to ensure full compliance' with EU competition rules."
The solution to me seems to be the approach used in linux, bsd, whatever. Fully document the security APIs, or command-line tools to configure the security aspects. Let other vendors write their GUIs for controlling security, such as firewalling, using that API. Let people pick the tool that fits their needs best, while all providing the same type of security through the OS.
"When Microsoft failed to meet Commission requirements, the EU executive fined the company another 281 million euros (about $350 million) this summer. "
All I want to know is when we get our 2*281 million euros?
If you divide that by the population of Europe you get about 3 euros each, that's enough for at least a beer each.
What lame articles. Neither one says what the hell the thing being bundled is, other than "security" as though security could possibly be a product or module.
Ok, one of the articles made a brief mention of a firewall. Is all this noise about something as mundane as a software firewall?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It's hard to say what should be inherent in the OS and what shouldn't. However, most forms of computer security should be inherent to the OS and not part of some third-party solution. For instance, I want my OS to be resistant to running arbitrary code and be able to give me control over and info about programs and processess are running on my computer. If I have to get third party support to do those things the OS is failing me.
You are reading a copy of my copyrighted post.
This was brought up by someone in another discussion in a different context, but I think it applies equally well to Microsoft's current problems with the EU.
If they would simply modularize many of the components that come with Windows, they might wriggle out of a lot of legal troubles.
For example: I go to install Windows from scratch. On the installation screen, i get a list of components...
[x] Windows OS (base system, required)
[_] Internet Explorer
[_] Windows Security Center
[_] MS Firewall
[_] MS Antivirus
[_] MS Anti-Malware
etc.
I can check any of these things that i like, and they'll be included in the installation. For OEM installs, they could just include everything by default.
Most importantly, make them removable through Add/Remove Programs, so that if i decide at a later date that I no longer need a feature, i can uninstall it completely.
Suddenly a lot of the monopolistic legal troubles get much less worrisome for Redmond. EU worried about MS including Anti-Virus or Firewall? No problem, make them un-checked in the default install. Leave them on the disc, and make them freely available for download at the MS website to make it abundantly clear that they're a free service.
Not that I expect them to do any of this of course, but it would certainly help reduce the amount of resentment that many people feel towards them, even from their own users.
When MS ships it's products with it's own security software
(antivirus, intrusion detection, ), the market will shrink
dramatically. No one of the competitioners would have a chance
to sell it's products to private ans small buisness customers.
And i think we all know what happens when there is no more
competition at the free market. The quality goes down the drain.
BTW. This would end in a monoculture of security-products
by MS, and monoculture makes the whole infrastructure
extremely vulnerable for real big or well organized attacks.
The logical conclusion of the European Commission is that Microsoft should not incorporate these security features in Vista.
To make sense of this decision, you have to remember that the European Union was based, as far as the economy is concerned, on the idea of "fair competition" meaning that monopolies should be banned, and major companies (or states) cannot squeeze smaller competitors out of a market. Whether the squeeze is due to state protectionism, unfair tariffs or a dominant position -- which is the case here -- is irrelevant.
So, yes, it sounds ridiculous and bureaucratic at first sight, but it makes economic sense. And it may even provide better products in the end (I don't trust Microsoft products anyway).
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
They are trying to push MS into a no win situation.
A) MS doesn't include as complete and inclusive security as possible. This leaves the doors open for third party security developers, it also leaves the door open to the OS for malevolent people who will take advantage of the fact that many people won't think to add a product later for security.
B) MS includes all the security they can, possibly making it so that people don't need third party software for security. BAM new anti-trust action because they aren't being fair to people who made a living covering bad MS security architecture in a previous version and aren't being given an equally bad architecture to help "protect" for a profit this go around.
People complain that MS releases insecure OS products, then complain when they want to include more security features?!? bah
I won't even get into how Apple is bundling everything they can under the sun into OS X when the same actions by MS would be tantamount to kicking the interwebs dog.
I'm a fiscal conservative, it's a pity we don't have a political party anymore
Just because this request to ensure a "level playing field" is focused on security makes it no less valid than if it were aimed at other elements integrated into the operating system.
I Agree that i microsoft is integrating security products into its vista operating system that would enable it to enter markets where it has not got a large hold (i.e. Anti virus - where it is the main driver but not the main supplier...) and by virtue of its desktop OS monopoly becoming dominant in that market, then thats wrong. Especially if these integrated products are add ons masquerading as core operating system components.
It would be fine if Microsoft ensured that their Operating system was sufficiently secure not to require any additional software, but not to include a load of features in the operating system that ensures its system security sotware becomes dominant.
If it wants to sell these bits seperatley (reduce the cost of the OS and sell the security bits as additional extras) thats all fine too then those of us who use the OS can choose - but lets make it clear that selling a vista version with them in and one without at the same price is the same as integrating them in the first place....
This becomes an even bigger issue if the Microsoft Security products / components are written to take advantage of elements of the OS that other providers cannot gain access to (either due to lack of documentation or through some other means). That would give rise to the same interoperability issues as we have seen previous law suits attempt to resolve.
In short if MS want to secure their OS thats great, if they want to simply wipe out any external security providers to gain an extra revenue stream in the future (by say later charging for the components initially included for free), or become dominant in that area so as to play down securty vulnerabilities in their products thats not. After all would you buy your antivirus from the same guys who seem incapable of preventing their OS being succeptable in the first place?
Last point - If microsoft are in the business of supplying both the OS and the security software (and additional services such as one care) doesnt that leave a rather nasty potential conflict of interest?
From what I have been reading, Microsoft is designing Vista in such a way as to make it difficult for products that compete with whatever token security schemes Microsoft is planning to foist upon its hapless user base to be installed and/or run properly. Microsoft should make any and all APIs necessary to implement alternative (read: better) security solutions for Vista public. If it doesn't, I think it is fair to say that Microsoft is once again using proprietary standards/code to stifle the competition. That seems like a clear anti-trust violation, given Microsoft's technically undeserved but nonetheless practical monopoly of the commercial desktop PC operating system market.
Like most things that Microsoft touts as benefiting the user (think Windows Genuine (Dis)Advantage, DRM, and the "recommended" options on various configuration pages), whatever so-called security Microsoft puts into Vista will undoubtedly profit Microsoft first and the user as a mere afterthought, assuming that Microsoft can think up a good marketing gimmick to scare users into paying for it.
I'm still planning on not wasting money on yet another overpriced, under performing piece of Microsoft Buggy Bloatware, namely Vista. Ubuntu Linux is working well for me and doesn't seem to suffer from the gaping security holes most major Microsoft products (Windows, Office, and IE) are infamous for.
I must admit that Microsoft has a lot of nerve, trying to exclude competitors from cleaning up the security disaster that Vista is expected to be, so that it can make users dumb enough to buy Vista also pay through the nose to fix flaws that wouldn't be there if Microsoft sold quality programs in the first place.
"You're young, you're drunk, you're in bed, you have knives; shit happens." -- Angelina Jolie
Bear in mind that the EU isn't saying that Microsoft can't include security software in Windows Vista. What they're saying is that MS can't include it in such a way as to exclude competitors. For example, take a firewall. If MS integrates their firewall into the network stacks at the physical-code level so that no other firewall can take over, that's not allowed. However, if MS adds hooks to their network stacks to allow other modules/drivers to tap in and filter packet traffic, and then implements their firewall completely using those hooks and makes it so you can replace the loading of MS's firewall modules with a third-party firewall's modules, that's perfectly fine. And for anyone who says this can't be done, I'd point out that Linux and *BSD implement their firewalls in exactly that manner so obviously it can be done.
Me, I think this is a knee jerk reaction to the complaining that security software companies have been doing lately. Your post sums it up, EU sees this as another potential "embrace and extend" scenario when they read the bitching by Symantec/McAfee, etc., and starts beating the drum.
To be honest, it seems like most of the features MS is trying to put in, while long overdue, aren't features that are meant to cut out security companies. They're meant to secure the OS like it should have been from the beginning. Cutting out the security companies is more of a byproduct IMO.
The EU doesn't 'want' anything. All this is about is making MS follow the same law that every company and citizen of the EU has to follow, a law which boils down to "If you happen to have a monopoly in one product, you cannot use that monopoly position to gain an unfair advantage in other areas."
Microsoft have consistently broken this law an many fields, and the EU justice system has been amazingly lenient with the company for many years.
A pizza of radius z and thickness a has a volume of pi z z a
So I watched the /. community and European Union argue how insecure Windows is and how bad that is, and then I watched them argue how Windows is unjustly implementing security and shutting out competition. Obviously, Microsoft cannot win, ever.
Sometimes I think the world is just full of dumb-asses. (sounds like a Jack Handy quote)
The irony here is delicious. sudo is, in fact, a third-party replacement for the su command. You may not think so because Linux distros have been including it for a long time, but of course Linux (or GNU/Linux, if you insist) != Unix(tm).
No one is stopping Vista from implementing user access controls or other mechanisms to lock the leaky OS down. What they are objecting to are MS muscling into the firewall, antivirus, antispyware markets by installing or offering to install Windows Defender, preferentially promoting Windows Defender or using undocumented APIs in Windows Defender to make it run better than the competition. No doubt Bitlocker and other aspects of security could also be considered as preferentially pushing MS tech to the detriment of an existing market.
It seems as though Microsoft is / will have it's security products built into Vista, and will most likely build them into the TCP/IP stack at some level. Here is what most people seem to be ignoring here, and it's pretty simple.
d =l1o2uFAj23U~/
As it always has been, you can choose to use or disable any part of any feature in Windows. As it sits now with RC1, you can enable / disable features at will. Wireless networking configuration is built into Windows XP, but as everybody here knows who has a wireless network device of some sort, upon driver / software installation, that application takes over the duties of the Windows feature, usually by default. I don't know why anybody would have a reason to think that this would be any different from having a firewall in the OS, which, at the request of the user (by way of installation) gets replaced by some other product. We'll leave the discussion about inferiority for another time.
People really should stop talking about a feature of Vista as if its sure to be some set in stone incumberance, and it most likely will not be.
Oh, but it's built into TCP/IP! Anybody here ever installed the Novell client in Windows? Ever see what it does to your network protocols? Microsoft has said time and time again that it is keeping with backwards compatibility, are we naive enough to think that this won't include clients, protocols, craptastic software firewalls and anti-virus-viruses? Not so much. For those of you that need to experience a Novell client install for yourselves, go ahead. It's uninstallable. http://download.novell.com/SummaryFree.jsp?buildi
Windows has more viruses because linux has more virus coders.
Linux security is very customizable.
First of all, sudo is just a normal application, that can be replaced. Second, there's PAM, which allows you to plug pretty much anything into the security system. You can replace the mechanism for password entry, authenticate with a fingerprint or an USB flash drive, etc, and have it all automatically integrate with existent software -- you don't even need to patch tools like su and sudo to accept different authentication methods, as it's handled through PAM.
Same goes for firewalling, nothing stops you from building whatever UI you want to talk to netfilter. You can ignore iptables completely, which is just an userspace tool.
Then the kernel has a whole system of security hooks which is used by things like SELinux. New security models can be integrated.