Slashdot Mirror


EU And Microsoft Clash Over Vista Security

An anonymous reader wrote to mention coverage of further clashes between Microsoft and the EU, this time over security in Windows Vista. Microsoft is 'urging' the EU to allow all of the security elements of Vista to remain intact. The EU seems to be under the impression it's not asking for security to be lax; it just wants the software company to ensure a fair playing field for all businesses. From the Newsday article: "European Union officials warned Microsoft Corp. on Tuesday not to shut out rivals in the security software market as the company plans to launch its Windows Vista operating system with built-in protection from hackers and malicious programs. EU spokesman Jonathan Todd told reporters that the European Commission is 'ready to give guidance to Microsoft' concerning Vista but added that it was up to the U.S. software maker 'to accept and implement its responsibilities as a near monopolist to ensure full compliance' with EU competition rules."

13 of 311 comments

  1. The solution by SCHecklerX · · Score: 5, Insightful

    The solution to me seems to be the approach used in Linux, BSD, whatever. Fully document the security APIs, or command-line tools to configure the security aspects. Let other vendors write their GUIs for controlling security, such as firewalling, using that API. Let people pick the tool that fits their needs best, while all providing the same type of security through the OS.

  2. Security should be inherent in the OS by paladinwannabe2 · · Score: 4, Insightful

    It's hard to say what should be inherent in the OS and what shouldn't. However, most forms of computer security should be inherent to the OS and not part of some third-party solution. For instance, I want my OS to be resistant to running arbitrary code and be able to give me control over and info about programs and processes running on my computer. If I have to get third party support to do those things the OS is failing me.

    --
    You are reading a copy of my copyrighted post.
  3. Modularization by theckhd · · Score: 5, Insightful

    This was brought up by someone in another discussion in a different context, but I think it applies equally well to Microsoft's current problems with the EU.

    If they would simply modularize many of the components that come with Windows, they might wriggle out of a lot of legal troubles.

    For example: I go to install Windows from scratch. On the installation screen, I get a list of components...
    [x] Windows OS (base system, required)
    [_] Internet Explorer
    [_] Windows Security Center
    [_] MS Firewall
    [_] MS Antivirus
    [_] MS Anti-Malware

    etc.

    I can check any of these things that I like, and they'll be included in the installation. For OEM installs, they could just include everything by default.

    Most importantly, make them removable through Add/Remove Programs, so that if I decide at a later date that I no longer need a feature, I can uninstall it completely.

    Suddenly a lot of the monopolistic legal troubles get much less worrisome for Redmond. EU worried about MS including Anti-Virus or Firewall? No problem, make them un-checked in the default install. Leave them on the disc, and make them freely available for download at the MS website to make it abundantly clear that they're a free service.

    Not that I expect them to do any of this of course, but it would certainly help reduce the amount of resentment that many people feel towards them, even from their own users.

  4. You don't see the problem. by TransEurope · · Score: 4, Insightful

    When MS ships its products with its own security software
    (antivirus, intrusion detection), the market will shrink
    dramatically. None of the competitors would have a chance
    to sell their products to private and small business customers.

    And I think we all know what happens when there is no more
    competition in the free market. The quality goes down the drain.

    BTW. This would end in a monoculture of security products
    by MS, and monoculture makes the whole infrastructure
    extremely vulnerable to really big or well organized attacks.

    1. Re:You don't see the problem. by tolan-b · · Score: 4, Informative

      It'd help if you actually understood the issue.

      MS is stopping *any* 3rd party security code from running, signed or un-signed, within the kernel.

      The anti-virus vendors are essentially having to hack Vista to get their code to work.

  5. Vista security and consumer protection. by Noryungi · · Score: 4, Insightful
    Here is my take on it:

    • Some European companies (F-Secure/Finland, Panda Software/Spain, etc) are involved in anti-virus protection and provide security products for Windows.
    • Microsoft Vista is going to integrate a lot of security products -- anti-virus is just one -- that will squeeze these European companies out of a market.
    • The above action can be qualified as "unfair competition" and "monopoly abuse" by the European Commission, since Microsoft owns... what? 97% 98%? of the market.

    The logical conclusion of the European Commission is that Microsoft should not incorporate these security features in Vista.

    To make sense of this decision, you have to remember that the European Union was based, as far as the economy is concerned, on the idea of "fair competition" meaning that monopolies should be banned, and major companies (or states) cannot squeeze smaller competitors out of a market. Whether the squeeze is due to state protectionism, unfair tariffs or a dominant position -- which is the case here -- is irrelevant.

    So, yes, it sounds ridiculous and bureaucratic at first sight, but it makes economic sense. And it may even provide better products in the end (I don't trust Microsoft products anyway).
    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  6. Idiotic on the part of the EU. by Churla · · Score: 4, Insightful

    They are trying to push MS into a no win situation.

    A) MS doesn't include as complete and inclusive security as possible. This leaves the doors open for third party security developers, it also leaves the door open to the OS for malevolent people who will take advantage of the fact that many people won't think to add a product later for security.

    B) MS includes all the security they can, possibly making it so that people don't need third party software for security. BAM new anti-trust action because they aren't being fair to people who made a living covering bad MS security architecture in a previous version and aren't being given an equally bad architecture to help "protect" for a profit this go around.

    People complain that MS releases insecure OS products, then complain when they want to include more security features?!? bah

    I won't even get into how Apple is bundling everything they can under the sun into OS X when the same actions by MS would be tantamount to kicking the interwebs dog.

    --
    I'm a fiscal conservative, it's a pity we don't have a political party anymore
    1. Re:Idiotic on the part of the EU. by tokul · · Score: 4, Informative
      ...and aren't being given an equally bad architecture to help "protect" for a profit this go around.

      Antivirus does not make an OS secure. It only tries to patch an insecure OS. If Microsoft makes the OS secure, the EU commission and antivirus companies can't argue about it. If its own antivirus solution is bundled instead of securing the OS, it looks like monopoly abuse. It is possible that Microsoft is trying to help users, but the company is known to use its market position against competitors. Any bundling will look suspicious.

      Apple is bundling everything ...

      Symantec is still selling NAV for Mac. I think Apple does not bundle antivirus.

  7. Microsoft Monopolism : making Buggy Bloatware pay! by FractalZone · · Score: 5, Insightful

    From what I have been reading, Microsoft is designing Vista in such a way as to make it difficult for products that compete with whatever token security schemes Microsoft is planning to foist upon its hapless user base to be installed and/or run properly. Microsoft should make any and all APIs necessary to implement alternative (read: better) security solutions for Vista public. If it doesn't, I think it is fair to say that Microsoft is once again using proprietary standards/code to stifle the competition. That seems like a clear anti-trust violation, given Microsoft's technically undeserved but nonetheless practical monopoly of the commercial desktop PC operating system market.

    Like most things that Microsoft touts as benefiting the user (think Windows Genuine (Dis)Advantage, DRM, and the "recommended" options on various configuration pages), whatever so-called security Microsoft puts into Vista will undoubtedly profit Microsoft first and the user as a mere afterthought, assuming that Microsoft can think up a good marketing gimmick to scare users into paying for it.

    I'm still planning on not wasting money on yet another overpriced, underperforming piece of Microsoft Buggy Bloatware, namely Vista. Ubuntu Linux is working well for me and doesn't seem to suffer from the gaping security holes most major Microsoft products (Windows, Office, and IE) are infamous for.

    I must admit that Microsoft has a lot of nerve, trying to exclude competitors from cleaning up the security disaster that Vista is expected to be, so that it can make users dumb enough to buy Vista also pay through the nose to fix flaws that wouldn't be there if Microsoft sold quality programs in the first place.

    --
    "You're young, you're drunk, you're in bed, you have knives; shit happens." -- Angelina Jolie
  8. Spin on definitions by Todd+Knarr · · Score: 4, Insightful

    Bear in mind that the EU isn't saying that Microsoft can't include security software in Windows Vista. What they're saying is that MS can't include it in such a way as to exclude competitors. For example, take a firewall. If MS integrates their firewall into the network stacks at the physical-code level so that no other firewall can take over, that's not allowed. However, if MS adds hooks to their network stacks to allow other modules/drivers to tap in and filter packet traffic, and then implements their firewall completely using those hooks and makes it so you can replace the loading of MS's firewall modules with a third-party firewall's modules, that's perfectly fine. And for anyone who says this can't be done, I'd point out that Linux and *BSD implement their firewalls in exactly that manner so obviously it can be done.

  9. Re:I think i know what the EU means... by kcornia · · Score: 4, Insightful

    Me, I think this is a knee jerk reaction to the complaining that security software companies have been doing lately. Your post sums it up, EU sees this as another potential "embrace and extend" scenario when they read the bitching by Symantec/McAfee, etc., and starts beating the drum.

    To be honest, it seems like most of the features MS is trying to put in, while long overdue, aren't features that are meant to cut out security companies. They're meant to secure the OS like it should have been from the beginning. Cutting out the security companies is more of a byproduct IMO.

  10. Re:Vista does do that.. by nsayer · · Score: 4, Insightful
    The other security implementations would be like asking Unix to allow replacement of Sudo

    The irony here is delicious. sudo is, in fact, a third-party replacement for the su command. You may not think so because Linux distros have been including it for a long time, but of course Linux (or GNU/Linux, if you insist) != Unix(tm).

  11. Re:Vista does do that.. by vadim_t · · Score: 4, Informative

    Linux security is very customizable.

    First of all, sudo is just a normal application that can be replaced. Second, there's PAM, which allows you to plug pretty much anything into the security system. You can replace the mechanism for password entry, authenticate with a fingerprint or a USB flash drive, etc, and have it all automatically integrate with existing software -- you don't even need to patch tools like su and sudo to accept different authentication methods, as it's handled through PAM.

    The same goes for firewalling: nothing stops you from building whatever UI you want to talk to netfilter. You can ignore iptables completely, which is just a userspace tool.

    Then the kernel has a whole system of security hooks which is used by things like SELinux. New security models can be integrated.
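
The pluggable authentication described in the comment above, as an added example that is not part of the original thread: a simplified Python model of how a PAM `auth` stack is evaluated, showing the same application accepting a new authentication method through a configuration change alone. It is not libpam; the handlers, credentials and `sudo_like_app` are constructed stand-ins, and only the `required`, `requisite` and `sufficient` control flags are modelled.

```python
# Simplified model of PAM "auth" stack evaluation. This is not libpam, and the
# handlers are toy stand-ins for real modules. All sample data is constructed.

def parse_stack(text):
    """Parse pam.d-style lines ('auth <control> <module>') into (control, module)."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def authenticate(stack, handlers, creds):
    """Return True if the stack accepts creds (required/requisite/sufficient only)."""
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = handlers[module](creds)
        if control == "requisite":
            if not ok:
                return False                # fail at once, skip the rest
            any_success = True
        elif control == "required":
            any_success = any_success or ok
            required_failed = required_failed or not ok   # keep going, remember it
        elif control == "sufficient":
            if ok and not required_failed:
                return True                 # succeed at once, skip the rest
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return any_success and not required_failed

# Toy handlers (constructed); real modules consult /etc/shadow, fprintd, etc.
HANDLERS = {
    "pam_unix.so": lambda c: c.get("password") == "correct horse",
    "pam_fprintd.so": lambda c: c.get("fingerprint") == "alice-right-index",
}

PASSWORD_ONLY = parse_stack("auth required pam_unix.so\n")
FINGER_OR_PASSWORD = parse_stack(
    "# fingerprint first, fall back to password\n"
    "auth sufficient pam_fprintd.so\n"
    "auth required   pam_unix.so\n"
)

def sudo_like_app(stack, creds):
    """The application: identical code whichever stack is configured."""
    return "granted" if authenticate(stack, HANDLERS, creds) else "denied"
```

Order matters in the stack: a `sufficient` success placed after a failed `required` module does not rescue the attempt.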