The Microsoft Protection Racket

bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.

Microsoft addresses Windows security concerns

[It doesn't come easy]

Microsoft Windows - Operating system. Provides resource allocation to underlying computer hardware. Note: No warrantee, no guarantees, may have security issues.
Microsoft Security - Subscription security service. Provides security monitoring of underlying insecure operating system. Note: No warrantee, no guarantees, may have security issues.

Re:Microsoft addresses Windows security concerns

[iotashan]

Microsoft has created a no-win situation for themselves...

1. Create a subscription security service, and people complain they shouldn't have to pay. Someone call the class-action lawsuit attourneys!
2. Distribute it freely, and face anti-trust lawsuits from security software makers, and possibly the DOJ, depending on who's in the White House (Who! The guy in the White House. Who? Yes.).

Re:Microsoft addresses Windows security concerns

[Pxtl]

I don't think that any anti-trust suits have been brought to them for their security fixes. The point is that _security_ should be there already, and fixes for security should be free because they basically sold you something that didn't work otherwise.

Meanwhile, bundling in software that competes with competators with the expressed purpose of putting them out of business (note how MS software stagnates the moment the competator is gone) is a whole different story.

Re:Amen, brother

[DetrimentalFiend]

Is this the first time? It can't be more than the second or third.

Re:I can write on PC Magazine too!

[Anonymous Coward]

You appearently are not familiar with Dvorak or his writing. He is definately NOT a linux zealot and he always writes like that. I've been reading his articles for 15 years and he almost always makes me laugh at least once per article. This one was no exception.

Nope. He's not a troll or a zealot. He's just another pissed off user who's not afraid to tell the hard truth.

Re:Microsoft addresses Windows security concerns

[null etc.]

This is where Dvorak lost all credibility. He is obviously not qualified to speak on the subject of operating system security.

Oh yeah? Is he approaching this issue from the viewpoint of a security expert? No, he's approaching it from the perspective of a typical person (it might be your mother, or father).

Personally, I could not tolerate any of Dvorak's articles. But I have to admit his recent ones are starting to get much more on-topic (as opposed to his older lunatic rants, proclaiming that Microsoft would go out of business in 10 years, etc.)

Re:Microsoft addresses Windows security concerns

[YU Nicks NE Way]

He claims to be qualified to blame Microsoft for security holes in its products, doesn't he? It's clear that he was slammed by a security hole in a third-party application he was running on his system as an Administrator. (Not to mention, a third party application with a history of known defects...)

He has no business complaining about Microsoft's "protection racket" if he honestly doesn't understand that his recent issue has jack-squat to do with Microsoft.

Re:Microsoft addresses Windows security concerns

[wernercd]

yup. because everyone knows experts know everything about all programs and never make mistakes.

Re:Microsoft addresses Windows security concerns

[LionMage]

yup. because everyone knows experts know everything about all programs and never make mistakes.

Thank you! Where are my moderator points when I need them? Someone should mod this guy up.

Seriously, it's astounding how some folks assume that if you're a self-proclaimed computer expert or power user, that you have to automatically know everything they think you should know. There are varying levels of expertise, and while I know Dvorak isn't in the Guru league, he's not entirely a dope.

Oddly enough, this ar

Re:Microsoft addresses Windows security concerns

[Skreems]

That still doesn't make it Microsoft's fault, though. You can run a buggy FTP client on Linux just as easily as on Microsoft, and you can get your system rooted just as quickly. The only way for Microsoft to keep your system safe from stupid user actions like that is for them to mandate that you WILL NOT run any networked programs not approved by them. And you can imagine how much of an uproar there would be if they actually tried something like that.

The one major issue that allows this (running as Admini

Re:Microsoft addresses Windows security concerns

[YU Nicks NE Way]

[CuteFTP] never really worked right for me

That's usually the single best indicator of security issues, you know. If the client doesn't "work right" for you, then it's buggy. If it's buggy, and particularly if it's perceptibly buggy, then it's almost always insecure.

Re:Microsoft addresses Windows security concerns

[farzadb82]

It's clear that he was slammed by a security hole in a third-party application he was running on his system as an Administrator

Windows almost always forces you to be administrator in order to do most tasks. Also, you cannot even upgrade your account temporarily to apply patches/run games - you have to log out and log back in as administrator. To that end, its almost always convenient to have administrative grants.

So regardless of whether it was a bug in a third-party application or not, it boils down to

Re:Microsoft addresses Windows security concerns

[LionMage]

If you read any official Microsoft documentation regarding the administrator account, they recommend that users do not log on to a workstation with the administrator account as their regular user account.

If that's the case, why does Windows XP Home Edition default to making the user's primary account an administrative account -- one which requires no password unless you tell it explicitly to require one?

In many corporate IT organizations, it's become commonplace to grant administrative privileges to a user

Re:Microsoft addresses Windows security concerns

[sconeu]

The problem with "Run As..." is that it still requires you to give out the Admin (root) password. There is no equivalent to su/sudo/setuid programs, where you can give out privileges on a per-program basis.

Would you give out the root password to your users?

Re:Microsoft addresses Windows security concerns

[klubar]

I left my car door unlocked and the keys in the ignition. After someone stole my car I'm blaming toyota fault for not making a secure vehicle.

If you're totally clueless, don't run applications like CuteFTP.

Re:Microsoft addresses Windows security concerns

[RobinH]

Ultimately, all monolithic, and particularly authoritarian human endeavors FAIL! Microsoft seems to be amongst that group, and I question if they can escape it easily.

Yeah, that whole apollo program was a complete failure wasn't it? Or the manhattan project? Or building any modern skyscraper? Or any serious engineering project of our time? They all fail miserably, don't they.

What is the alternative to authoritarian human endeavors? There were several X-prize contenders that tried to use a more open-source, everybody pitches in, communism type approach, and they were all bested by Burt Rutan.

And stop calling Microsoft a failure. It's the opposite of failure, obviously. Are you just trying to troll?

Re:Microsoft addresses Windows security concerns

[killjoe]

'And stop calling Microsoft a failure. It's the opposite of failure, obviously. Are you just trying to troll?"

Depends on your definition of failure doesn't it. In terms of building a solid product it's a humiliating failure. In terms of good corporate citizenship it's a dismal failure. In terms of ethical and moral behavior it's a shocking and shameful failure.

Yes they make a lot of money. If you measure success in terms of money then they are not a failure.

Re:Microsoft addresses Windows security concerns

[shmlco]

In terms of building a solid product... it's used on roughly 95% of the world's desktops. Nothing significantly better exists, or the vast majority of people would have jumped ship long ago.

In terms of good corporate citizenship... shall we talk about the $28.8 billion dollars in the Gates Foundation? The $7.5 billion given away to date?

In terms of ethical and moral behavior? Sorry, Enron is shocking and shameful. Dow's toxic waste dumps in India are shocking and shameful. Declaring bankruptcy just to g

Re:Microsoft addresses Windows security concerns

[killjoe]

"In terms of building a solid product... it's used on roughly 95% of the world's desktops. Nothing significantly better exists, or the vast majority of people would have jumped ship long ago."

Apple has alwasy been better. OS/2 was better, hell Amiga was better. If you think that what's popular is what's best then you plain old stupid.

"In terms of good corporate citizenship... shall we talk about the $28.8 billion dollars in the Gates Foundation? The $7.5 billion given away to date?"

1) Gates foundation is not microsoft. 2) Gates foundation was created in order to influence people like you (it worked!) into thinking Gates was actually a nice guy. 3) 7 billion is petty cash 4) Gates didn't actually give away money, he just gave stock he got for free to the foundation which then sold it.

"In terms of ethical and moral behavior? Sorry, Enron is shocking and shameful. Dow's toxic waste dumps in India are shocking and shameful. Declaring bankruptcy just to get out from under your employee's pension obligations is shocking and shameful."

Whoo Whoo, MS is less sleazy then enron and DOW!. It's nice to see corporations set their standards so low.

Re:Microsoft addresses Windows security concerns

[vertinox]

Yeah, that whole apollo program was a complete failure wasn't it? Or the Manhattan project?

Those projects weren't monolithic or authoritarian. They had the brightest minds of their time all collaborating with free reign of direction of the project without some political body directing them specifics in their day to day work. Besides the massive security with the Manhattan project I don't think that the US government had a say in the scientists work other than to get the project done as soon as possible. And

I enjoy calling Dvorak a blohward with my Dvorak

[Anonymous Coward]

But that's just me.

Re:I enjoy calling Dvorak a blohward with my Dvora

[Moofie]

"I enjoy calling Dvorak a blohward with my Dvorak"

I think you need more practice.

Re:I enjoy calling Dvorak a blohward with my Dvora

[cloudmaster]

blohward, n: 1; An archaic term used to describe one who frequenly wonders how a hole in the ground ended up in the middle of his ass. 2; The lead ship in John Austin's legendary journey around Hudson Bay, wherin a realiable process for the vulcanization of rubber was discovered.

He was probably using definition 1.

Oh noes, Dvorak!

[rob_squared]

I love your keyboards, but I trust a drunk man's predictions of the tech market more than I do yours.

And yes, I know he isn't the same as the keyboard guy.

Re:Oh noes, Dvorak!

[Pope]

Dvorak predicts time and time again that Apple will fail at one thing or another and go out of business Any Time Now(tm). Their last quarter results speak to the contrary, as do the zillions of other wrong things Dvorak spouts on about.

Frank Nitti

[jkind]

In case you aren't ready when Dvorak makes Al Capone related references: http://en.wikipedia.org/wiki/Frank_Nitti [wikipedia.org]

That's a nice enterprise network you have there...

[tenzig_112]

It'd be a real shame if something happened to it. [ridiculopathy.com]
from the article:

REDMOND, WA- For years Windows users have lived under a blanket of fear, constantly checking their computers for malicious programs that take advantage of critical security flaws in the operating system lest they lose their hardware, their data, or even their identities. Thankfully those days might soon be over thanks to a new subscription service aimed at cleaning up Microsoft's mess. Even better, this new utility comes from the most trusted name in computing: Microsoft.

In truth, anti-spyware and anti-virus programs flood the market already, but they all share a common flaw: they're free. With freeware it is difficult, if not impossible, for consumers to know if it's really working. Experts say it takes a financial sting to make the software's real value apparent. While it would certainly be innovative for Microsoft to charge for the freely available service, the forward-thinking software company is not content to stop there. They plan to ask customers to pay for these features every year.

Re:That's a nice enterprise network you have there

[compro01]

i don't trust pay-for antispyware software as it's really easy for a spyware firm to shove an envelope of large bills under the table to a big company and say "ignore our stuff".

Pfft.

[JanusFury]

Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software. What do you suggest we replace it with, INI files? What do you suppose we do about the thousands of existing applications that use the registry? How do you suggest we support access controls for individual settings and keys - make a single INI file for each one?

Changes like 'get rid of the registry' are changes you make when you release a new OS, not when you release a service pack. OS X, for example, uses flatfiles to store most (if not all) preferences, but that's something they designed in from the start.

It's pretty annoying how people always suggest blatantly stupid 'solutions' to problems instead of focusing on real fixes like better design and better testing...

Re:Pfft.

[lawpoop]

" What do you suppose we do about the thousands of existing applications that use the registry? "

How about a virtual registry?

Re:Pfft.

[MightyMartian]

And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time, and it sure makes down-and-dirty administration ten times easier. The registry editor is a f**cking nightmare compared to your favorite text editor and *.conf or *.rc. Security is handled through the file system. The registry was a bad idea from the get-go, but you're right, Microsoft's incompetence will be with us until the world finally tells Redmond to take their crappy operating system and shove it.

Re:Pfft.

[cthrall]

And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time

And where is it stored? ~/.app? ~/.app/.settings? /etc/app? /etc/app/settings? /etc/app/settings.xml? And what is the format of said INI file? And what do the permissions need to be for the app to run? And what do the permissions need to be for a sane security approach.

I don't think it's any better.

Re:Pfft.

[MightyMartian]

It's better because you can use a frickin text editor. The settings are discrete and can be easily copied. When I move my account to a different *nix box, I just zip up my configs, unzip them on the new account, and maybe, if locations are different, do a bit of tweaking. I've had the same damn .pinerc file for four years now. It's easy to archive, easy to restore and easy to alter. The registry is a pain to back up, can be really ugly to restore and alteration requires a stinking idiotic registry editor.

Re:Pfft.

[Speare]

I've had the same damn .pinerc file for four years now.

Son, I got a .emacs file that's older than you and most of your friends.

Re:Pfft.

[Gulthek]

Your superficial arugment has convinced me of something alright.

Re:Pfft.

[Rasta Prefect]

And where is it stored? ~/.app? ~/.app/.settings? /etc/app? /etc/app/settings? /etc/app/settings.xml?

Global settings go in /etc. Per-User settings go under the home directory. The default per-user settings are stored in /usr/share and copied in the first time the program is run. Wow, that was hard wasn't it?

See the way Apple has done this. Global app settings in /Library, personal App settings in ~user/Library. When I used to do desktop support (50/50 mix of OS X and Windows) all we had to do when we moved a user to a different machine was image it and copy their home directory. Easy as pie, takes about 10 minutes of my time. Wow, once again it was really hard to answer that "where does it go" question.

Gotta save a users settings when moving them to a different windows install (usually because the students laptop was so spyware ridden it was easier to just reformant)? Let the nightmare begin!

Trying to reinstall a hosed application that won't uninstall properly? Lets just see you try to track down all those registry keys. On a Mac or Linux you just remove the rc file or plist.

And what is the format of said INI file?

Once again, see Apple's plists. XML all the way, with tools to manipulate them if you don't like your text editor.

And what do the permissions need to be for the app to run? And what do the permissions need to be for a sane security approach.

Users their own config settings. If you want to restrict access to global config settings, just don't give them access to the config file. If you don't want them to run the program, don't give them read and execute permissions on the app itself. There are other operating systems out the besides windows, and they've already solved these problems. In the case of Unix, about 20 years ago. I've done Unix, Apple and Microsoft desktop administration, and while the Unix and Apple solutions do have a few quirks (Apple's system doesn't really have many), the Registry is by far the most broken and the biggest PITA.

Re:Pfft.

[jsight]

And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time, and it sure makes down-and-dirty administration ten times easier.

Unless, of course, you are a Gnome use, in which case you get GConf. What is GConf? Well, it's a nice implmentation of a registry. :)

Re:Pfft.

[Skjellifetti]

Unless, of course, you are a Gnome use, in which case you get GConf. What is GConf? Well, it's a nice implmentation of a registry. :)

Well, it's a registry anyway.

Re:Pfft.

[ettlz]

Yes, but:

1. it's done in XML and can be hand-edited;
2. it's stored in a directory hierarchy in the filesystem so it's more robust; and
3. you can nuke it and not FUBAR the system.

Re:Pfft.

[InfiniteWisdom]

0. Entries have a "short description" and "long description" attached to them that tell you what each setting does, what the valid values are and so on instead of just being some magical value.

LOL

[sheldon]

There's nothing wrong with the registry that a little knowledge wouldn't fix.

Re:Pfft.

[DoofusOfDeath]

I think the registry's origin was related to, or motivated by, the introduction of OLE (now ActiveX) controls.

Theoretically, when you register an OLE / ActiveX control, any application in the system should be able to use it. I believe registring the control tells Windows what the mapping is between a short identifier (GUID) for the control, and the DLL that contains its code. When an application wants to use an OLE/ActiveX control, it supplies the GUID to the Win32 API, and Windows then consults the regist

Re:Pfft.

[badriram]

Both systems blow, and just as equally. It is the difference between any centralized and distributed system.

Centralzied-
    Clean standard
    less flexibility
    single point of failure
    better security (advanced ACL support, not every app has it own parser)
    OS maintained
    Terrible portability

Distributed
    no standard exists
    more flexibity
    no single point of failure
    weaker security (it is either put in user or etc, you do not have an option of put in etc but allow just this setting for users)
    App maintained
    Easy portability

Best solution is to use both and let app decide
    but a nightmare for sys admins
   

Re:Pfft.

[Eccles]

The Registry had some practical benefits, I think, but could have been handled in a better way. As one other use suggested, a virtual registry. It appears as one editable object for use with a reasonable GUI tool, although the actual data is a number of distinct XML encoded files. That way it's easy to copy, to edit, and with OS support, easy for user apps to create, read, and write.

Re:Pfft.

[DaveJay]

You have to remember, the main purpose of the registry is to obscure information, not to make it easy to find and edit. Software makers want to be able to put autostart hooks, serial numbers and other such nonsense on the computers, and Microsoft gives them what they want. If you put everything in an .ini file, users would be able to find it and control it, which is exactly what software manufacturers don't want (in most cases).

They can get rid of the registry once they have "Trusted Computing" in place, as they'll easily be able to drop application information into encrypted files that the user has no way of breaking into.

Re:Pfft.

[Iriel]

I'm not just being a curmudgeon here, but when it comes to 'real fixes', it looks like most of them would require a radically different codebase in order to prevent more knots down the rope when one is loosened, thus nesessitating a new version of Windows. And not just a marginally tightened service pack like Vista, but something entirely new. Microsoft realizes that with about 90'ish percent of the desktop market at their doorstep, treatment is much more lucrative than a cure. After all, what have they got

Re:Pfft.

[mugnyte]

The registry and analogous flat file data stores try to achieve the same goals. I think the registry makes several mistakes:

  - Consolidating all settings into one proprietary data store. This imposes a new security mechanism over that of simple file access. This unique data store does nothing by itself to "secure" the data, it's just a box. One can lock the entire box but simple users do effect changes in the registry.

  - INI files are plaintext versions of some sort of file. Their manipulation could be by hand (trad *nix style), or employ one of several storage syntax mediums (XML being one) which allows general tools to work across the items.

  - File-based security on INI files is stronger, and more easily managed with existing tools, than key-based security on the hive-based registry entries. Combining with journaling/versioning, INI files hold more depth than a registry (which has to import/export to a file-based representation to achieve this).

  - Line-item security on INI files is not as strong, hence the danger people have in by-hand editing. This can be overcome using a syntax that allows for tool-based editing, where then INI files expose their keys, and a security table holds a File/Key/Role association.

  - Shared INI files for library management (aka COM) have the same write-contention isses as the registry, so no differences there. GAC-style libraries are directory-based, which seems to lend evidence that both file and registry stores for libraries are based done higher up in the file system.

Re: "I think the registry makes several mistakes"

[Joe5678]

HKEY_CURRENT_USER is a hive loaded from the NTUSER.DAT file in the user's profile directory. Copy that and you can copy all the settings, probably more settings than you want though. It works for the most part, but it's not a good solution.

Re:Pfft.

[omibus]

I agree, we can't just do away with the blasted thing, but...

Even Microsoft is telling people not to use it anymore to store app setting. They actually do recomend using ini or xml files for that. Case in point, the default place to store app settings in ASP.NET and WinForms is in an xml file (either web.config or app.config).

Now, completely doing away with the registry? Impossible. There are too many things that the registry does for Windows that the blowhards on this list dont even know about. All of .NET and ActiveX run thru the thing at one level or another.

And as much as the people of slashdot hate ActiveX (and its big brother .NET), that is what makes writing apps on windows do-able, and a lot more fun than Linux.

Thats right, because of the restistry, stuff just works. We have installs that just work. We have programs that can talk to eachother, and it just works. Linux, not so much.

Re:Pfft.

[Midnight Thunder]

Actually, abandonning the registry is one thing I would like to see. My main reason being applications over-dependency on it and that if you reinstall the system you are left reinstalling every program that assumed that a given entry would be there. Good programs, will still work even if you drag them to another computer, where the installation program was not run. Visio and TextEdit are two programs that I found worked well after reinstalling the system. Microsoft Office was one program that did not.

If you

1998 called--it wants your code back

[WebCowboy]

Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software.

Anyone who suggests that there is no valid alternative to the registry has obviously not (properly) written .NET Windows software.

Some people at Microsoft themselves suggest avoiding the registry--as of Windows Vista THE REGISTRY IS ESSENTIALLY DEPRECATED. So what is the alternative? How 'bout a standardised XML .config file [microsoft.com] for each application? That is what Microsoft advocates. And to all those Regis

Replacing the Registry with flat files

[QuestorTapes]

>> Anyone who suggests 'abandoning the use of the registry'
>> has obviously never written Windows software. What do
>> you suggest we replace it with, INI files?

> Or property lists, yes.

Well, INI files don't scale well; not because they are flat text files, but because the way a hierarchy is modelled in an INI file is inefficient and error prone. Something in the nature of a property list would be quite reasonable.

It is also worth noting that since DotNet, lots of data that used to be in the Registry is now in XML files in the application folder. That's a big part of the XCOPY install feature MS brags about for DotNet.

>> What do you suppose we do about the thousands of existing
>> applications that use the registry?

> Wrappers for the INI/PLIST files that behave like the old
> registry calls.

Perfectly doable.

>> How do you suggest we support access controls for individual
>> settings and keys - make a single INI file for each one?

> Why not?

Well, it isn't strictly necessary to use the Registry to support access controls on keys and settings. As long as the file itself only allows administrator access, the APIs that model the current Registry APIs can implement key and value level security within the file. This would make the files read-only in a text editor for common users; however a simple editor could be created that allows the appropriate access to the individual keys via the APIs.

But INI files aren't appropriately structured for that; XML files would be better, or any number of less-verbose-than-XML text formats.

> OS X does this like a dream, I can take my Library folder with me
> and wham, everything is the way I like it on a new machine. I'm
> sure it would be possible to do something similar on Windows,
> provided I paid $50 for some crappy shareware product.

Well, it wouldn't be a crappy $50 shareware product to virtualize the Registry. Since the APIs are inside ADVAPI32.DLL, and are used during the boot process, it would be a kernel hack; generally more expensive when done third-party. MS could do it safely; third parties would need to worry about MS breaking the hack with an OS update.

Re:Pfft.

[Kombat]

You say that in UNIX is not multiuser? And UNIX is using INI-like-files for something like 30 years and it just works...

I'm sorry, but did you just use the words "UNIX" and "it just works" in the same sentence? With a straight face?

Re:Pfft.

[JustASlashDotGuy]

As someone who write code and manipulates the registry everday, I for one love it. Those who want to take the registry and produce a flat file out of it don't know what they are talking about. The registry is 100x more secure and robust than a flat file.

If the rest of you would prefer to have a million ini files instead of a branching registry, then more power to you. Because, remember, each key of the registy allows for NTFS permissions. So you would need a seperate file for each key in the registry if you want to allow for the same level of security.

Geez, what's next. Are you going to call up MS and say "The who idea of SQL databases sucks.. you should change that to a flatfile to so that I can use my text editor!".

Now yes, the registy has become very bloated. However, the reason is because everyone uses it. It's amazing how that works, isn't it? Big deal. I'd be willing to bet that most of you only use the HKLM\Software key or HKCU\Software key most the time anyway.
In my book, the registry is glorious. Being able to go to a single database'ish file pull nearly any system setting, many program setting (IE: program versions, install paths, etc), etc makes my life easy. And yes, I'm one of those people that store both plain text and encrypted data in the registry and also uses the NTFS type security to lock down keys in the registy.

I use the registry to share information between programs and I also use windows PIPE$ calls to relay information between programs. I suppose PIPE calls could be replaced with flat text files too. I suppose it's not long before someone says, 'PIPEs suck... use INI files'.

If you want to complain about some.. complain about all those annoying balloon pop ups from the system tray. I will agree with you there. Those little balloon tips are annoying. I hate ballons tips... and hippies.

The Registry is a single point of failure.

[Richard Steiner]

A classic example of poor design.

By having many different INI files, the loss of one file isn't going take the whole frigging system out.

I guess convenience is more important than resiliency to some, but since that's been Microsoft's approach to damn near everything for the past 20 years it doesn't surprise me in the least...

Re:Pfft.

[Overly Critical Guy]

As someone who write code and manipulates the registry everday, I for one love it. ...says every malware author on the planet.

You claim the registry is "100x" more secure and robust but then don't explain why. Permissions? Flat-files have that. Robust? If one flat file goes, the whole thing doesn't corrupt.

And for the user, you can see, manipulate, and back up your configuration files. Please see OS X. Somehow, it manages without your crappy registry and uses slick XML property lists to do it.

If the rest of you would prefer to have a million ini files instead of a branching registry, then more power to you.

Hello, OS X.

Geez, what's next. Are you going to call up MS and say "The who idea of SQL databases sucks.. you should change that to a flatfile to so that I can use my text editor!".

I hate when people apply one situation to another. No, in the case of application configuration values, a central database isn't ideal. The registry blows, and just because you're one of those militant Windows developers who defends the crumbling Windows architecture doesn't make your loud opinion any more correct. It's not.

Or go on supporting a design that lets malware bury anything it wants and manipulate the system. A single store of the entire computer's configuration values in one object is completely ridiculous.

Re:Pfft.

[Bent Mind]

I agree with what you are saying. I like the per-key permissions. However, the registry does have a few problems. Most of these problems could probably be overcome with software. The most notable is corruption. If the registry gets corrupted, you have to reinstall everything. If an INI file gets corrupted, it only affects the applications that depend on it and it's simple to restore.

There doesn't seem to be an easy way to extract and restore entries made by a particular application. Yes, I know you can e

Re:Pfft.

[theLOUDroom]

The registry is 100x more secure and robust than a flat file.

That's nonsense.
A) The mechanisms proctecting the registry are the same type that protect the file system. It's not like the registry encrypt's each user's setting individually.

b) Robust! How!? I want to add tab completion to my command line and I have to risk editing a file that can fubar my whole computer? How is that "robust"? Where are the fucking comments that tell me what this entry is and what it does?

The registry is a dirty, brittle hack used by lazy programmers like yourself. It's a pain in the ass for end users. Especially those with multiple computers who don't want to manually configure the preferences for every app on each PC they use.

Conflict of interest

[Godeke]

While the views of the pundit may be questionable sometimes, it *is* a conflict of interest to charge fees for protection against your own flaws. Initially I'm sure they will try to continue securing the operating system while considering this service a backstop for users who violate basic common sense. When viewed that way, the extra fees make sense: I haven't had a security *alert* about an attempted infection in many years, mostly because I secure my environ and don't do stupid things. But for those who can't handle such things, and extra fee "security blanket" is acceptable.

In the long run though, if the security software becomes a security blanket for *Microsoft* and basically is a required purchase to host a secure environment despite the security efforts of administers outside such extra fee tools, it would appear to be nothing more than a backdoor to charge annual fees to all those who dare resist the "Software Assurance" garbage. Oh, and them too, just more fees.

He's kinda right

[nuggz]

He is somewhat correct, if security was a priority these problems wouldn't exist.

However consumers want easy to use and don't care about security. When you don't consider security (your customer doesn't care) and focus only on easy to use you will have an insecure system.

Given the choice most people will choose insecure and easy over secure and less easy. They'll even pay for the difference.

Re:He's kinda right

[Phisbut]

But isn't that the reason that Window's Longhorn (now Vista) is so delayed in coming? Because the entire Microsoft corporation was going to stop everything and focus solely on security issues? What, did they just give up on that idea when the bean-counters pointed out it would be better to leave the security issues and charge for "protection"?

Vista isn't delayed because they want to focus more on security. It's been delayed because they just can't finish a project on time. This ain't a troll, seriously. J

I can see it now....

[8127972]

"Nice server room you got there.... It would be a shame if something happened to it."

A Little Creative thinking maybe....?!?!

[OneByteOff]

I think the idea is not so much about making money or fixing code, its about offering protection to users of Microsoft Products. If you can protect against vulnerabilities via a software package that allows for Buffer Overflows, Stack Overflows and any common exploit to be detected and blocked, this is far superior then pushing out one or two patches (or 9 this week) to fix a problem.

Also there are exploits in the wild that are never reported, no disclosure, no fixed code. Thus if you can work around this by offering a software package to protect you, by all means Microsoft should go this route.

Also why is this retard writing about Security??
[ quote ] "I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries" [ /quote ]

Your f'ing joking right?.

Re:A Little Creative thinking maybe....?!?!

[bradkittenbrink]

Also why is this retard writing about Security??

He's not writing about security, he's writing about Microsoft security. He's obviously fully qualified.

Re:A Little Creative thinking maybe....?!?!

[portwojc]

I read that and thought it was strange. I didn't think the CuteFTP client provided services on the PC?

Funny ending

[jimbobborg]

Vista - Won't Boot Edition... $29.95
        Vista - Preloaded with Viruses and Spyware Edition... $39.95
        Vista - Initially Clean but Use at Your Own Risk Edition... $49.95
        Vista - Clean with Firewall and Weekly Protection Update Edition... $200

From TFA.

Maybe he has a point

[eclectro]

From TFA;Therein lies the rub. Microsoft cannot fix the code--that's the point. It apparently cannot be done. Get over it. And when the spyware epidemic appeared, the company had to throw in the towel. Spyware exploits the basic architecture of the operating system, and no amount of patches will change that.

Maybe foundationally the architecture is so poor that no amount of code writing could be done to fix it.

It may be the cost of paying for all those backward compatibility barnacles through the years.

Or ma

Re:Maybe he has a point

[amliebsch]

There's really nothing wrong with the foundations at all. The problem has been (1) the shell and its various subsystems (particularly IE), (2) programmer practices, and (3) user practices. Microsoft is of course fully responsible for (1), and, in fairness, security for these is free even to pirates. For (2) and (3), though, while they have encouraged best practices, they have made the decision not to enforce them. Enforcement of best practices, though, would not be IMO a good idea - the user should always have ultimate control over their machine.

Re:Maybe he has a point

[tsotha]

My take on Windows is it would be a hell of a lot more secure if programmers didn't force me to install everything as Administrator. I once tried to use non-administrator accounts at home and finally gave up in disgust. Every third-party peice of software required administrator access to install (which is fine) and could only be run successfully by the installing user (which is not), because pretty much Microsoft was the only company to follow best practices. Now I use the admin account for everything bu

What fix?

[Anonymous Coward]

Everybody keeps saying shit like Microsoft should just fix their OS instead of releasing protection software. Contrarily though even with a "perfect" OS you still can have use for anti-malware software. What fix should MS implement that will prevent a browser plugin installer from also putting in a spam relay?

Transparency and Simplicity

[Pfhorrest]

Get rid of the notion of "installers" altogether.

A browser plugin should be a single file that goes in a plugins folder. An application should be a self-contained package that can live anywhere on the system. You shouldn't have to RUN a program to ADD a program to your system - why can the installer program live and run self-contained wherever it is, but other programs have to be 'installed'? Nothing you're installing besides security updates and other OS patches should need to stick files all over the place and modify settings everywhere.

Get rid of the notion of installers, and you get rid of installers putting malicious stuff on your system. Give the user the program. Let them stick it wherever they want. You've still got a possibility for trojan horses, I suppose, but with proper security they shouldn't be able to write to anything outside of userland without at least a password prompt.

I guess the point I'm trying to make is, the system should be transparent and simple. When you've got a complex, tangled mess of invisible (files / dependencies / tasks / settings / etc), all hidden behind an "easy" face that's just plastered over the mess, then you're going to hit problems because the "easy" interface isn't really what's going on on the system. Things are hidden and so the user isn't really in control of their system - how can we expect users to be aware of what's going on with their computers when we try so hard to hide it from them? And if you're about to say that the real workings are too complex, users could never understand them - THERE'S YOUR PROBLEM.

Make the system simple, modular, transparent. Like protected memory - every app runs in its own sandbox and can't write over all the others. Maybe we need some buzzword to make clueless users and equally clueless developers aware of the importance of having "protected file structures" - every app (by which I mean userland things like Word and Photoshop) is its own self-contained package and isn't spewing its shit all over the system. No hidden files, no hidden processes, let users see what's going on, and make what's going on simple enough for them to grok.

Then and only then can we expect users to be able to avoid social engineering.

You want a good example of an OS going strongly in this direction, take a look at OS X. And this 'everything-is-self-contained-and-doesn't-spew-shi t-everywhere' concept is a traditional thing in the Mac world. This isn't something new, just something that the mainstream hasn't done. I think it's time, as Mac and Windows have caught up to Unix in the world of protected memory and real multitasking, that Windows and Unix catch up to the Mac in the world of sane and modular file organization structures. (And yes, I'm aware that OSX, being unix-based, shares some of the same messy tangles as unixes, just with a pretty face slapped over it. And yes, that bothers me).

Re:Transparency and Simplicity

[wowbagger]

Installers exist in Windows due to the Component Object Model (COM). An application is *supposed* to be a collection of component objects that can be instantiated by requesting the GUID of the object, rather than explicitly calling an object constructor. You need a mapping between the GUIDs and the DLL embodying the object, and that mapping is stored within the Registry. Were programs truly self-contained directories, there would be no way for, say, Word to say "Hey, I need an Excel object here - give me one", as the system would have no way to locate the DLL and constructor which embodied the Excel object.

The Bonobo model Gnome uses has a similar problem - how does the Object Request Broker know what shared library to invoke to create an Bonobo object?

In both cases there has to be *some* centralized repository of UID to library mappings, and as I understand it, that was what the origins of the Windows Registry were.

However, programmers were encouraged to store other information beyond object mappings in the Registry - like program settings and such.

However, even were Microsoft to revert all non-"COM mapping" data out of the Registry, the system would still have the problem that if the Registry gets toasted, nobody can find the DLLs for their objects, and thus nothing works.

Re:Transparency and Simplicity

[Jherek Carnelian]

Are you saying that you'd rather have 100 DLL's between the two programs instead of just 70?

Absolutely. Human time spent dealing with screw-ups is expensive. Disk space is cheap. You could even load individual copies into memory because RAM is cheap, although a clever versioning system could probably avoid that with only a little extra complexity, entirely invisible to the user.

I dump all of them into a standard path (the path is also stated in the registry). That way, when I find a bug in a DLL, I can u

Registry versus Config Files

[Anonymous Coward]

Remember the good old days when applications stored all of their configuration data in a file like SETTINGS.CFG? You could zip the entire application directory up, unzip it on another machine, and it would run just fine. An uninstall was as simple as erase *.*, cd .., rmdir foocalc.

Use of the registry to store things that the application needs in order to work makes sense for a number of applications, especially enterprise stuff that needs remote installation and management and system software like firewalls and virus monitors, but there are quite a few user-application kinds of packages that use of the registry makes no sense for.

For me, an application that doesn't use the registry is a huge plus.

Of course.

[showardkid]

Seriously, folks, Microsoft is not running a charity here. What he suggests doing is dirty, scummy, and cheap because it will make them more money. I often agree with Dvorak, and this is definitely the case. Now, if Microsoft does this, it will inevitably hurt their profits in the long run, but for the short term, it'll boost them. The same thing happens with outsourcing. The same thing happens when customer service is moved to a call center in India where the workers don't speak passable English. Th

Maintenance should cost time or money

[dada21]

Every product we buy needs long and short term maintenance. Cars need oil, tires, waxing and tinkering under the hood. Software, especially complex operating systems with a ton of third party programs, are no different. As Linux gains features and popularity, it also gains incompatibilities.

Most end users seem to understand and accept some expense that decreases future downtime. Not a single customer of mine refused Microsoft's yearly subscription. Not one refuses to pay my employees' $95/hour invoices for applying all the various first and third party patches.

Back to cars... Does GM repair recalls for free? Sure. But if your new radio doesn't interface with hour Vette, you buy the harness. When Windows is defeated by a new loophole that only occurs from connecting to the web, who's fault is it?

You can always remove your 3rd party radio in your car. Go back to the OEM one. You can stop browsing through AOL using your Intel NIC, get MSN service and only browse MS websites, too.

I've always felt F/OSS users ignore their time value. My personal time is worth $60/hour to me, including rest/sleep. My customers see a return of more valuable time when they pay for maintenance. F/OSS hasn't paid enough of a ROI for me to promote it.

Re:Maintenance should cost time or money

[sqlrob]

When Windows is defeated by a new loophole that only occurs from connecting to the web, who's fault is it?

Microsoft's. Time for a recall.

From their XP Home Feature Page: (emphasis mine)
The Windows XP Home Edition operating system offers a number of new features that help you work smarter and connect faster to the Internet and with others. And the rock-solid dependability of Windows XP lets you work and play with more confidence than ever.

I feel dirty!

[miffo.swe]

I can nothing but agree with what Dvorak says, It is pretty disturbing that the company that lets the malware in also charges you money for fixing it. I do not think antivirus is any real solution either but one that comes from Microsofts unwillingness to fix the problem. Thus a void was created wich was filled by other companies. To see Microsoft trying to take over that market is obnoxious. They should have fixed the underlying design problems in Windows that lets all the malware in, not slap a new layer ontop of the old broken one.

Lets not forget that antivirus has a big problem. For it to recognize a virus someone must first dissect it and then create a signature. If someone would do 1000 versions of the same viruses you still have to dissect them all and create signatures for them. The hole that lets them in is still there and nothing is really fixed. All antivirus really helps against is getting a fix out for a specific virus in the wild until the vendor has time to fix the hole. If the vendor doesnt fix the hole quickly its pretty useless and creates and endless battle.

The antivirus companies ofcourse like this, and endless revenue stream. When Microsoft enters this market it creates a huge conflict of interest. This is why i agree with Dvorak. Now, im off to take a hot shower and cry trough the night.....

Clueless Moron

[bigtallmofo]

I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries...how anything manages to worm in through the open port and place items in the Registry is beyond me, but it happens all the time.

Amazing how he jumps to the conclusion that because something told him he had spyware on his system, he assumes it's because he left an FTP client in memory overnight. Interesting theory.

Because FTP clients typically aren't exploitable "through an open port", you dingleberry, let me propose an alternate theory: You're a clueless moron that doesn't understand the most basic of security concepts.

Re:Clueless Moron -- Indeed.

[Svartalf]

I've long since quit taking Dvorak seriously. He's repeatedly shown himself to be clueless when it comes to these things. But then, you don't need any usable current qualifications in the industry that you're being a pundit for- all you need is an opinion, it seems.

Argh

[Alioth]

Argh. Stop posting Dvorak articles! The man is an idiot who doesn't check his facts. He has actually gone out and complained in a column about the System Idle Process taking up 98% of cpu on his Windows machine and making the box thrash.

His ignorant rantings are not in the least insightful.

Re:Argh

[Frankie70]

He has actually gone out and complained in a column about the System Idle Process taking up 98% of cpu on his Windows machine and making the box thrash.


This is the said article.

http://www.pcmag.com/article2/0,1759,1304348,00.as p [pcmag.com]

Registry is the problem?

[Se7enLC]

What's wrong with the registry? Sure there are better ways to do it from an end-user point of view, but you can't blame the registry for all of windows problems. All the registry is is a database of configuration options for applications, system, etc. What would you rather have, a mess of unorganized and inconsistent files in /etc and ~/.appname? In either case, the registry has NOTHING to do with spyware infection. It's merely the underlying system that gets edited once a malicious program gets in. SOMETHING has to contain system and application configuration options, and whatever it is will be called a registry. The actual implementation is irrelevant.

Whatever Dvorak would like to see replace it (notice that he didn't make a suggestion for improvement, just that "there has to be something better") will suffer the same problems as the registry if the security holes allowing unauthorized programs to edit it aren't fixed.

Re:Registry is the problem?

[lgw]

How does a program run without you having any knowledge that it was started? The registry makes this easy, as there are many places for malware to hide. The argument is outdated, however, as there are good tools to find what's hiding in the 6 or 7 places in the registry that specify programs to start automatically, and malware is moving into kernel space.

Re:Registry is the problem?

[Se7enLC]

For starters, there are a lot of legitimate uses for silent startup programs. Specialized drivers for hardware, anti-virus/ anti-spyware applications, system security applications. Basically anything that needs to be started on the system before you touch it. If every one of those came with a dialog box and its own icon in the system tray, you'd scream.

At least there are only 6 or 7 places where you can hide those startup programs, think about how many places there are on an average linux system for a pr

stating the obvious

[micromuncher]

I dislike the puppet intellectual (Dvorak) as much as the next guy, but this time he has done an effective job at restating the obvious.

He does however miss a point near and dear to my heart... that is - the dependency of the OS on these new MS integrated virus and spyware initiatives which will only get worse.

I live behind a firewall. It does a really good job and keeping out most sploits. I also live behind an email server that does a pretty good job at sending executables to the bit-bucket.

It annoys me to no end that IE is so insecure... but it also annoys me every time I boot my machine I get the Your system is insecure message, because I've chosen to disable the MS firewall and antivirus.

Perhaps it will become as irritating as norton, that revalidates itself every other day accross the internet telling me the key I bought last month expired... or having ccapp go crazy burning cpu even when I've disabled virus checking.

Norton is evil. It hooks into all sorts of stuff it shouldn't. Crappy virus ware (that patches file open) can potentially take down/slow down you computer even when its off, or you are disconnected.

So, the real issue, after my rambling, is dependency on this crap by the OS, the grafting *kludge* by which it was implemented, and an unhealthy assumption that every computer is connected to the internet all the time.

Liability Risk?

[Spudnuts]

I wonder whether Microsoft changing their policy to charge for security updates might be a sufficient impetus for their EULA's denial of liability to be thrown out through legislation.

Thank you Bill May I have another!?

[pgnas]

"Does Microsoft think it is going to get away with charging real money for any sort of add-on service, or new product that protects clients against flaws in its own operating system?"

I encourage this type of arrogance on the part of Microsoft, I would suspect that they would find themselves tied up in another legal battle. In addition, this may be exactly the type of thing that Linux needs.

"Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me.."

This is one of those "features" brought about by the "tight integration" that Microsoft oh-so likes to spout off, the same goes for their "feature rich", "Tightly Integrated" Office Suite!

[regarding the Registry]"Why does Microsoft insist on continuing its use? There has to be a better way."

Another "tightly integrated" feature of the Windows OS, Surely there is a way, maybe when they receive the money for the patch management services, they will fix the problems with the registry.

I really don't know why Microsoft is even worried about it, Isn't it the Coders Fault anyway? [slashdot.org]

"Why doesn't the company just bite the bullet and bring out various exploitable versions?"

Vista - Wont't Install (BSOD) Edition
Vista - Phisermans Dream Editition (Code Named CHUM)
Vista - Cleaned and Optimized (Linux , Gnome w/Vista Skin)

Re:Thank you Bill May I have another!?

[jnaujok]

I encourage this type of arrogance on the part of Microsoft, I would suspect that they would find themselves tied up in another legal battle. In addition, this may be exactly the type of thing that Linux needs.

This kind of epicaricacy (look it up) is exactly the problem. Linux acceptance doesn't need to be dependent on the competition sucking. Linux needs to be made better, not their competition worse. All that does is assure we're just about the worst possible option. Admittedly Linux has gotten much be

Standard Anti-Microsoft Propaganda

[Shakes268]

You know, whenever there is a story with Microsoft stating something about Linux or a writer compares the two and says something more favorable about Microsoft the half-penguin/half-sheep here start crying conspiracy. Countless times an author of a story has been trampled on this site due to past affiliations or past viewpoints. It is fairly obvious that Dvorak is not objective and his points are nothing more than attacks fired at MS and praises aimed at Linux. Show me something completely non-biased.

Dvorak - Security Expert

[MobyDisk]

Dvorak shows his ignorance on security in this article.

Most recently, I forgot to turn off my CUTEftp client and left it running all night...Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me, but it happens all the time.

This is wrong is so many ways.
1) CuteFTP is a client not a server. The only way anyone got in through that is by him connecting to a malicious site.
2) If someone got in through a bug in CuteFTP, it isn't Microsoft's fault.
3) Typical Windows running as Administrator.
4) If software has a security problem, it has nothing to do with leaving it on all night. What, does he think he is safe if it is running during the day? Or so long as he is watching it?
5) "How a burgler climbs in through an open window and steals my money is beyond me, but it happens all the time."

His registry comment... He sounds like Jerry Seinfeld: "The registry, what's up with that. I mean like, there has to be a better way." With that brilliant thinking, we can eliminate the registry and viruses and spyware will go away. Thanks John!

No, sadly, CuteFTP contains exploitable adware

[Animats]

Unfortunately, some versions of CuteFTP contain the Aureate adware client [sdnpk.org]. Aureate is an entry point for attacks. [grc.com] "It is able to secretly download and cause Windows to execute any arbitrary program into the unsuspecting user's computer". ... ""phones home" every single time you use your web browser" ... "can, at their whim, accept and download any file into your system named "update-dll.exe" and then arrange for Windows to run this unknown program" ... "is trivial to "redirect" so that instead of phoning home to one of Aureate's servers, it connects to any other arbitrary server on the Internet." ... "They will always be responsible for sneaking 22 million copies of buggy and frightfully insecure spyware into the world's Windows PCs."

Later versions of CuteFTP supposedly don't contain Aureate. Supposedly. You may or may not believe them. Better to not use CuteFTP, any other Globalscape product, any Aureate/Radiate product, or any product that ever contained Aureate. Here's a old list of programs known to contain Aureate. [accs-net.com]

Aureate changed its name to Radiate. In 2001, they settled a class action [clickz.com] over privacy issues.

Radiate tried again with "Go!Zilla". Some versions of Go!Zilla have adware and/or spyware. The current makers of GoZilla claim "The current Go!Zilla software contains no advertising. There are several older, out-of-date versions of Go!Zilla which contain advertising from 3rd parties." But then they say "Go!Zilla will make certain partner software programs available to you during the Go!Zilla trial version's installation. These products are not necessary to the function of Go!Zilla, and you may decide if wish to install them. Make sure you read the installation prompts carefully to insure you get the best installation for you. Each partner program has its own privacy policy, and Go!Zilla is careful to screen partners for product quality and responsible privacy policies."

Or, in other words, "we're going to load up your machine with adware if you're not very, very careful during the install."

Aureate/Radiate appears to be defunct. Unclear whether they went bankrupt, were acquired, or are on the lam.

AdAware can be helpful if your system is infected with Aureate/Radiate, although it may not find attacks downloaded via the security holes.

For more details about Aureate, Radiate, and CuteFTP, click here (long .pdf). [unwantedlinks.com]

I hadn't thought of this before.

[elgee]

Yes, it may well be unintentional, but MS is certainly running a protection racket. If your local mob extorts money from businesses lest they get an unwelcome visit by enforcers, that is a protection raacket. Pay money or your business will suffer losses.

If you bought a car and then had to pay extra to keep it from falling apart, you might have some real problems with that.

No, I am not a real MS basher.

Dorvack is such an idiot

[kuriharu]

Sorry to sound so inflammatory, but the man's an idiot. He made stupid comments back on CNET when it was a TV show, and he did it again in this essay. Here's what I mean:

There is no incentive to fix the code base if it can make additional money selling "protection."

That's not true at all. Microsoft has all types of incentives, namely competition from alternatives like Linux and Mac OS. But even from a programming standpoint, it makes sense. Virtually all software companies update their software; it makes sense that MS will too. It's foolish and cynical to think they "just don't care", even though I know a lot of people do.

Not to change the subject, but isn't it about time we junked the entire concept of a "registry?" This concept has been the bane of Windows since its invention. It prevents easy program migration. It creates conflicts. It invites tampering. It's exploited by viruses and spyware. Why does Microsoft insist on continuing its use? There has to be a better way.

Two points about this:
1. There is a lot of functionality added by the registry. Yes, it has a curse along with the blessing, but does Dorvack actually think Windows ran better without a registry like it did in 3.1? I think he's just a little behind the times.
2. How about he actually suggest an alternative? Bashing MS is one thing. How about Dorvack suggest a better way? It's easy to say "Microsoft sucks". How about he come up with a plan on his own?

This from the man who said "No CD software should cost $50 when it only costs .50 to make a CD"

Real profound.

Microsft CAN but WON'T fix the basic problems.

[argent]

Therein lies the rub. Microsoft cannot fix the code--that's the point. It apparently cannot be done. Get over it. And when the spyware epidemic appeared, the company had to throw in the towel. Spyware exploits the basic architecture of the operating system, and no amount of patches will change that. A barrier has to be erected that changes the way the computer works, by monitoring things more aggressively.

Microsoft CAN fix the code, but there is no way they can get the political will to do it. They have too much time, face, and capital tied up in their internet-oriented OS to ever back away from it. Internet Explorer, Outlook, Windows Update, ... instead of having individual applications that build extensions of appropriate security around a set of resources (HTML rendering, HTTP access, CIFS access, scripting, the registry, and so on) they have committed to applications (Windows Update, Windows Explorer to an ever-increasing degree, Outlook, ...) built out of components running under the web browser.

The security problems inherent in such a design were obvious to me in 1997, and when I banned the use of the "outside-facing" members of this family of tools at the local office we were able to easily ride out every one of the worm/virus outbreaks that slammed the rest of the company on a regular basis. I don't claim any great insight in this... virtually everyone else I knew in the security business came to more or less the same conclusion... but unfortunately few of them had the luxury of working for a company willing to give them the support for such an obvious step, and equally unfortunately I wasn't able to expand the policy beyond our building

Microsoft could redesign their system to once again be application-centered, with the HTML control a display-only module that requires the application to install internet access, trusted scripting, and other potentially dangerous components only when needed. But they're moving the other direction, and so while they COULD fix their basic problems it's ever less likely that they WILL.

Re:Slashdot Literalist

[temojen]

Zonk eats keyboards.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:goodbye registry... hello registry!

[kernelpanicked]

Maybe because GConf is only a tool to flip switches in human readable xml files..not a registry.

Re:goodbye registry... hello registry!

[m50d]

Maybe because GConf is only a tool to flip switches in human readable xml files..not a registry.

XML is not human-readable, for all the kerfuffle about a different file format for samba and nfs and so on I'd take any and all of them over XML any day. And can a human even find the XML? Can the apps use it without the gconf interface? MS could make the registry backend XML tomorrow, I suspect the only reason they don't is efficiency. But it wouldn't make any difference, all the problems we have would still be

Re:goodbye registry... hello registry!

[tehshen]

The Registry is a large, undocumented, binary file readable only by itself; GConf is a program to edit human-readable XML files.

I am not so keen on either but GConf is still the better option