Microsoft Realizes No One Wants To Pay Microsoft To Fix Its Own Security Flaws
from the that's-how-it-works dept
Back in 2005, when Microsoft was first mulling the idea of offering security software, we noted that the company was between something of a rock and a hard place. If it decided to charge for the software, people would accuse the company of trying to get people to pay to protect themselves from the security vulnerabilities in Microsoft’s own software. Yet, if they went free, then they would face screams about antitrust violations for undercutting competitors in the security software market. We also suggested a third option: design better software that doesn’t need security software. But, failing that, Microsoft chose what I think was the worst of the three options: selling security software. Perhaps not too surprisingly, not too many people took Microsoft up on the offer. It could be a combination of reasons why. First, Microsoft just doesn’t have a good reputation when it comes to security. Second, that whole issue of paying the same company that created the security holes in the first place. Finally, it might just be inertia. People buy from McAfee or Symantec because they’re two names that have been around forever and are recognized (and, most importantly, bundled on many brand-name computers).
So, after a couple years of failing to make much of a dent in the market, Microsoft has abruptly shifted to option number two. It will no longer be selling its OneCare security software and, instead, will be offering a free security suite for users, though with fewer features than the old OneCare offering. The various security software companies put out statements saying, of course, that this is no big deal, but you have to believe they’re now doing whatever possible to stir up some complaints out of the Justice Department that this is an antitrust violation. Maybe a few years down the road Microsoft will simply move on to option three, and make software that doesn’t require separate security software.
Filed Under: antitrust, free, security, software
Companies: mcafee, microsoft, symantec
Comments on “Microsoft Realizes No One Wants To Pay Microsoft To Fix Its Own Security Flaws”
Add another example to oxymoron
Two words that do not go together:
Microsoft Security
Military Intelligence
Deafening silence
Pretty Ugly
Resident alien
Nondairy creamer
Jumbo shrimp
Civil War
Microsoft Security
There is a flaw in the logic that MS should create an OS that doesn’t need security software. It can’t be done, there will always be security holes as there are a handful of guys developing the OS and thousands trying to break it. Just look at the music and movie industry. They have spent billions of $ and their protection schemes are usually broken before it hits the shelves.
Re: Re:
Yeah, but Microsoft could backup and release an operating system that is just an operating system and not an experience. Let the user decide if we want Windows Media Player, Internet Explore, Outlook Express, Windows Defender (vista), and however many other programs that come with a flat install of windows. There are only a few true Windows updates, the rest are to patch a security hole in one of the added programs.
Re: Re: Re:
Oh, you mean Linux?
Re: Re: Re: Re:
No, I seriously do not. I’ve found that Linux is just as bloated if not more so than Windows, same with the new Mac OS.
I mean more like Windows 3.1. It came with notepad and a calculator. Put in a vary basic browser so people can get online and download the full IE or Firefox and then they can download the other programs of their choice. From there, the third party programs aren’t a security vulnerability for windows any more.
Re: Re: Re:2 Re:
You’ve been using the wrong distro. Linux kernel fits on a 1.44 MB stiffy. You don’t need to install ALL the window managers. Get a book and educate yourself.
On software without defects
I should note that I joined Micrsooft about 5 years ago, and have been working on security for the entire time.
It is not that it is impossible to make such software, but that nobody would want it: Formal methods and verification methods are available that can come very close, but only for very small systems.
Protocols that are provably correct are very simple and are not the ones that are deployed in the market. Customers scream when you break app compat and are always looking for new neat feature sets. Increasingly, the feature and the vulnerability are one and the same, the difference is the intent, look at the issue of web mashups, neat when used as you intended, not so neat when used maliciously.
We have been heavily criticized for our “overempahisis on security” in Vista — people want features and ease of use first.
As for me, I run Server 2008 on my notebook. It doesn’t have all those neat features.
Re: On software without defects
“We have been heavily criticized for our “overempahisis on security” in Vista — people want features and ease of use first.”
No, MS has been criticized for a poor implementation that trains users to click “OK” on everything that pops up and can still conceivably be worked around. The other OSs still have a better security model, and they don’t sacrifice usability in the process.
Re: On software without defects
So what you’re saying is that it’s a balance of
security vs. (convenient)features.
Would it be overstating to say that at your company,
the emphasis is on features…
-cmh
Re: On software without defects
You know what I want? Windows 2000 with DirectX 10. Will MS give it to me? No.
I have to say its pretty fucking typical for a dev to blame his users for the crap in his software. I dont care about your problems. If you want me to pay for your software then make it work and make it useable.
Re: On software without defects
I have to disagree with you on customers screaming for new features. I have stopped using MS Office and moved to Open Office due to the constant churning of the software interface and introduction of features very few people want or use and the rearrangement or deletion of those that they do use.
I design and code software for a living. Users want new versions of software that work better. This means faster, more easily, more securely, more intuitively, and with less (hopefully no) problems. They do not want another layer of mostly useless crap to learn.
Security can be a painless part of any software if designed correctly.
It’s interesting you run Server 2008 on you notebook. This shows that you also prefer functionality and speed over the glitzy but limited and often irritating interface offered with Vista. I would run a Windows Server OS on my machines too, if I could afford the license (Windows Server 2008 Standard: $999 (with five Client Access Licenses, or CALs)
source: http://www.microsoft.com/presspass/press/2007/nov07/11-12HyperVPR.mspx).
Re: On software without defects
Are you sure that nobody would wnat software that’s well written and secure? Have you tried Linux?
I have been Happy enough with OneCare
I’ve been using OneCare for the past 10 months, and have been much happier with it than any of the consumer grade Norton or McCaffee products I’ve used recently. I’m sad to see MS appearing to be giving up on the product space.
The problem with any of the antivirus warnings is that the end user overrides an installation prompt. Some people are just that much more likely to become infected than others.
Microsoft Security?
Since when has Microsoft been into security? They have been busy trying to patch what they code for everything else. One Care was a joke. Microsoft is a JOKE! You want real security? either buy a MAC or get involved with Linux. Get real people Microsoft will always be the biggest joke of any OS known to man.
Re: Microsoft Security?
Microsoft is no worse for security then either of those operating systems, as mentioned earlier, the only real secure OS is one that doesn’t interact with other PC’s, Users or Programs.
Programs need security holes opened to work, once people figure out what holes are opened they can abuse it, it’s quite simple.
The only reason you see time after time, microsoft getting hit, is because of a 90% market share. Who do you think the Virus makers are going to target someone with 90% market share or the 10% which is spread between Unix, BSD, Linux, Mac OS, all which have different kernals and different security holes opened?
Re: Microsoft Security?
if it was not for MS computers would not be easily accessable by the average person. People forget to mention that and give credit where positive credit is due to them.
WHen MS warned that vista was not going to be backwards compatible no one listened until it was too late and then all they could do was complain. THen MS had to change it.
Unix would never had thought of a gui interface if it was not for the work of MS. So people do all your complaining that you want about the MS but give them the credit thats due to them in a honest way and not a critical fashion. Otherwise if you cant do both then SHUT UP!!!!!!!
Re: Re:
“Unix would never had thought of a gui interface if it was not for the work of MS.”
Um, I agree that Microsoft has been indispensably influential, but don’t you think your above claim is just a bit far-reaching? There were other GUIs before MS, and it is a pretty natural evolution to go from UI to GUI.
Re: Re:
What the fuck are you talking about? First GUI interface was developed by Apple you fucking moron.
The only worthwhile OS developed by MS was NT and that was largely designed by an outsider called David Cutler and was based on his experience with DEC’s RSX-11.
The only thing MS has ever done right is marketing.
Re: Re: Re:
The first real GUI was developed by Xerox, as was the mouse.
Re: Re: Re: Re:
The first real GUI was developed by Xerox, as was the mouse.
Actually, the mouse was invented by SRI, and then copied by Xerox (well, some SRI guys went to Xerox).
Re: Re: Re:
@cixelsid
you know – the immediate jump to idiomatic swearing shows a… lack of intelligence…
but putting that aside… here are the facts that you brutally misrepresented
The honor for producing the first working GUI goes to Doug Englebart – at the time an employee of Stanford Research Institute. Englebart and colleagues created a program called the oNLine System in 1965-‘68. This program used the first mouse, a windowing system, and hypertext, and was based on a description of a system called “memex” proposed by Vannevar Bush in 1945. The name “mouse” comes from this period. The mouse used in oNLine had three buttons on one end and the line coming out the other end. Apparently, the buttons for eyes and nose, plus a cord for a tail, reminded the users of a mouse and the name stuck.
Years later, still in a time when nobody knew what the future of computers was to be, Xerox put together a team of researchers who did nothing more than put ideas together to see what they produced. The team, located at the Xerox Palo Alto Research Center, was convinced that Englebart’s model would work on computers available for individual work stations, and they produced two working models, the Alto and the Star. The Star was made available to the public, mouse and all, in 1981. But it was very expensive, and they sold only 25 thousand of them. But this was the first GUI-based OS available to the public.
sorry to burst your bubble…
Re: Re: Re: Re:
Fuck whatever. I read like the first few lines of your boring post. Point is: it wasn’t MS. SOrry you had to spend 3 fucking hours writing that shit.
Re: Re: Re:
Yet another Mac Fanboy I guess, jumping up and down till his face turns blue ‘cos no one’s listening to his cries. Get the facts before you call someone a moron, moron.
Re: Re:
UH, pall Xerox invented the GUI, Apple bought the GUI, Microsoft coppied the GUI.
Re: Computers for Everyone
I disagree. This is like saying that if it were not for the existence of General Motors no one would be able to buy a car.
Gates was in the right place at the right time and had the ability (rich parents) to take advantage of the opportunity. If not Microsoft another company or companies would have provided a solution. And remember, the first IBM PC cost about $1600 in 1981 (about $5000 to $6000 in today’s dollars). Hardly an everyman’s budget.
Given different circumstances the PC market would be dominated by a much different company that rewrote UNIX or another OS for the PC (instead of buying a version of CP/M ported from the Z80 to the 8080 CPU) and called that operating system IBM-DOS.
Microsoft should be commended for donations to schools, charity works and other contributions to the people of the world. They deserve no credit for creating a PC market or making computers affordable. Free enterprise and democracy did that. Consumers must complain about a company’s products in order for them to improve, the best way is to treat companies like politicians and vote with your dollars.
The problem is that MS controls the market and is dictatorial in it’s policies. This may be why German government bodies, being more somewhat more aware and sensitive to the ramifications of acquiescing to fascism, have been world leaders in adapting non MS PC solutions (Linux).
Re: Re:
“Unix would never had thought of a gui interface if it was not for the work of MS. So people do all your complaining that you want about the MS but give them the credit thats due to them in a honest way and not a critical fashion. Otherwise if you cant do both then SHUT UP!!!!!!!”
BS. MS didn’t invent a windowing system. That came out of PARC and Xerox. Unix had windowing systems years before MS. Moron.
Re: Re:
GUI’s existed in Unix years before Microsoft Windows. Sun had a workstation long before Microsoft had a GUI.
Antitrust violation?
I apologize but I do not see how it could be an anti-trust violation. It is just a program that is meant to help clean up the mess they created.
Windows Media Player comes bundled with Windows. Yet there are plenty of alternatives to it that are doing quite well. Just about everybody I know uses either the iTunes player or Winamp.
Isn’t it something along those lines? Or is the fact that its about security and not music really change it into a possible antitrust violation that easily? Or, am I right in my assumptions here, and it is just that the security companies are probably going to try to complain through those channels because they don’t want more competition?
People still use Norton or McAfee? Years ago I dumped those turds down the ceramic punch bowl for making my PC’s FUBAR. A good firewall, open source anti-virus and common sense is all that is needed.
Wrong, Spectere. Even if Macs had more of a market share, their high security level would not change. The same is true of linux. This is because the underlying architecture is inherently more stable and secure than the architecture used in Windows. File storage is also handled differently, which is why in linux and MacOS you don’t have to defrag or virus scan or any of the other traditional maintenance tasks.
Re: Re:
strange. he gave a link to his sources. you didn’t. macs have always been hacked faster than vista. thats a known fact. so, its hard to say the Mac is more secure.
I thought the major reason why MS released OneCare as a pay only product rather than for free (as it was supposedly intended to be) was that Symantec and McAfee threw big fits over monopolization of the market, yadda yadda? If this is really the case, then MS shouldn’t be entirely bashed for doing what they intended to do in the first place.
Apple fan boys are the worst. They surf the net with their over priced PC’s thinking they are immune to everything. Ever think why Macs are not massively adopted by corporations? IT personnel will tell you they are not secure. Even the best architecture is not immune to security holes. The only reason this hasn’t been realized yet is due to it’s relatively small user base.
While this doesn’t prove anything, I found it interesting in some recent hacking tournament between Windows, Linux and OSX; OSX was exploited first and early in the tournament. The Apple fan boys cried.
Whether people want to believe it or not, Windows is relatively secure. I have nothing against OSX, I think they have done a great job overall especially with the UI design and could give MS a serious run for their money if they released the OS on non Apple PC’s for general home use where top security is not as important.
– posted using an Ubuntu box
But...
…other companies (Norton, Kaspersky etc) seem to be able to make a comfortable living off Microsoft’s security flaws. So Microsoft’s inability to do the same is clearly not down to the fundamental impossibility of the task, it’s probably just the poor quality of Microsoft’s particular products.
I don’t think people understand, most of the security problems affecting current versions of windows, are not what most people in security research would consider “flaws”. Sure there are the 1 or 3 remote code execution vulnerabilities every month or 2, but the main problem is that Windows will run code that a user tells it to. The Horror! There is no way, other than a black/white list (or perhaps some sort of heuristic, maybe) that an operating system (which is *designed* to RUN CODE) can tell the difference between an screen reader and a key logger, or a torrent client and a spammer, etc.
All an operating system can do is run code that it was told to run, if there is a lot of code out there, then of course there is going to be more malicious code.
All of this talk about “architecture this” and “inherently more secure that” is meaningless, Windows and Unix have, at the core, a very similar and comparable design. Historically, the principle of least privilege has been less ingrained in the community – UAC in Vista has been a wake up call for ISVs and Admins on the Windows platform – but Microsoft has been promoting it for *Years*.
It all comes down to user behaviour and the sheer scope of target audience.
It's madness
It’s pure madness: a software company writes crappy code, and instead of re-writing or fixing it, wants you to pay for software that fixes the buggy software. Like fools, a lot of their users will actually pay for the fix.
I have a pretty simple solution: switch to a free and open source operating system like Linux or BSD.
Security risks are Microsoft's fault? Sorry, but I absolutely disagree.
In a recent blog, many readers challenged me about my opinion on how websites are using Safe Harbors to protect themselves from users. Many replies stated it was impossible to screen every entry.
Yet now these same readers, many are anti-Microsoft, blame the company for its security flaws.
Explain to me how this situation is any different? Websites take care of issues when they’re addressed just as Microsoft does.
The problem here is most people don’t understand how software works. They don’t understand the key links between what you’re using and how it relates to the CPU. There are quite a few vulnerability points, some can’t be closed due to legacy issues without breaking other software.
Granted, there are times where Microsoft does seem to drag its feet to rectify the situation, but expecting a company to build 100% security proof software is a dream no company will ever attain, but strives to do so.
I find it absolutely appalling you would expect Microsoft to take “option #3” when many of these vulnerabilities weren’t the fault of Microsoft at all. Case in point: Last year, over 200 vulnerabilities were found in Windows XP Service Pack 2 upgrades which were discovered using non-Microsoft software! In fact, Mozilla’s Firefox coding team found 2 using beta testing.
This is what happens when many processes are attacking a central location (CPU, which processes the data instructions). It’s only then when “opportunities” are discovered by those who intentionally (damn, there’s that word again!) try to find them.
If the software were to work as expected, there would be no breach. Instead, companies spend millions finding these breaches to alert software vendors to fix them, often times finding they can’t without causing product to stop functioning without a complete redesign of the software (or have none of you Vista users figured this out yet?).
Sorry, but this blog message is wrong. It takes a combined effort, not just a sole responsible party. Find solution #4. You owe them that much.
Fourth option
Why does MS have to get into this product space at all? Given a review of the other three options (charge, free, make better s/w), the obviously missing fourth option is to do nothing at all and stay the course.
Of course, now that they’ve messed up with option #1 and are going to fail with option #2, this fourth option is more of “pull out” rather than “do not enter”.
The article is basically wrong. The comment by Fowl is a much more accurate description of the situation. The majority of viruses and malware are not exploiting OS security holes.
What hacking tournament would that be, RealisticComputer? What, where, how, and when? Interesting you don’t give any details about it.
Re: Re:
TDR, you’ve already been called out above by an AC for not giving links supporting your POV, whereas Spectere backed up his comments with one.
So why the heck do you want to look like a fool (unless you are one, in which case the point’s moot) and keep rehashing the same tired old crap when you are the one who’s unable to back up his comments with factual links?
Here is a link to the original comment (that no doubt RealisticComputer was referring to as well), in case you find it difficult to scroll the page or search for it:
http://www.techdirt.com/article.php?sid=20081119/0056492875&threaded=true#c374
And here’s AC’s comment that you conveniently ignored, only to raise the same point once again:
http://www.techdirt.com/article.php?sid=20081119/0056492875&threaded=true#c438
Now if you aren’t just a Mac Fanboy but actually support the platform based on informed opinion and hard facts, then present the same (instead of ignoring what’s in front of your nose ‘cos it doesn’t dovetail with your flawed view of the universe), or else just shut your trap and allow the adults to have an unemotional and informed conversation.
Listen up MS dum-dums – If Apple OSX had the same market share as Windoze, it would STILL have far less problems because of the architecture.
Windoze is STILL a multi-threading OS. It is far easier to jump threads than processes.
Windoze is a monolithic kernal architecture and Internet Exploder is an integral part of the OS. If you can comprimise IE, you get the keys to the kingdom.
Windoze security policy implementation is a sad, sad creature. The linux access controls are orders of magnitude more manageable and mature.
Unrelated, but the cherry on top, is the registry. This alone guaruntees degrading performance every time you install something.
When you hear this tired schlock about market share and security, you can be sure the person spewing it:
– Probably doesn’t want that MCSE to lose value
– Only understands one OS achitecture, if that
– Might have submitted an ‘I’m a Pee-See’ video
This makes sense, only because any other option would make zero sense. Can you imagine if MS had tried to make different versions of Windows 7 (undoubtedly this was discussed at some point), based on level of security. Windows 7 TITANIUM, for the ultimate in data protection!!! Fact is, the onus is on Windows to keep their own product secure, but I would like to see their security software integrated into the OS, instead of even being discussed as a separate product..