The Microsoft Protection Racket 539
bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.
Frank Nitti (Score:3, Informative)
Pfft. (Score:5, Informative)
Changes like 'get rid of the registry' are changes you make when you release a new OS, not when you release a service pack. OS X, for example, uses flatfiles to store most (if not all) preferences, but that's something they designed in from the start.
It's pretty annoying how people always suggest blatantly stupid 'solutions' to problems instead of focusing on real fixes like better design and better testing...
Re:goodbye registry... hello registry! (Score:2, Informative)
Clueless Moron (Score:3, Informative)
Amazing how he jumps to the conclusion that because something told him he had spyware on his system, he assumes it's because he left an FTP client in memory overnight. Interesting theory.
Because FTP clients typically aren't exploitable "through an open port", you dingleberry, let me propose an alternate theory: You're a clueless moron that doesn't understand the most basic of security concepts.
Re:goodbye registry... hello registry! (Score:3, Informative)
I am not so keen on either but GConf is still the better option
Re:Argh (Score:3, Informative)
He has actually gone out and complained in a column about the System Idle Process taking up 98% of cpu on his Windows machine and making the box thrash.
This is the said article.
http://www.pcmag.com/article2/0,1759,1304348,00.a
Re:Pfft. (Score:5, Informative)
Unless, of course, you are a Gnome use, in which case you get GConf. What is GConf? Well, it's a nice implmentation of a registry.
Replacing the Registry with flat files (Score:5, Informative)
>> has obviously never written Windows software. What do
>> you suggest we replace it with, INI files?
> Or property lists, yes.
Well, INI files don't scale well; not because they are flat text files, but because the way a hierarchy is modelled in an INI file is inefficient and error prone. Something in the nature of a property list would be quite reasonable.
It is also worth noting that since DotNet, lots of data that used to be in the Registry is now in XML files in the application folder. That's a big part of the XCOPY install feature MS brags about for DotNet.
>> What do you suppose we do about the thousands of existing
>> applications that use the registry?
> Wrappers for the INI/PLIST files that behave like the old
> registry calls.
Perfectly doable.
>> How do you suggest we support access controls for individual
>> settings and keys - make a single INI file for each one?
> Why not?
Well, it isn't strictly necessary to use the Registry to support access controls on keys and settings. As long as the file itself only allows administrator access, the APIs that model the current Registry APIs can implement key and value level security within the file. This would make the files read-only in a text editor for common users; however a simple editor could be created that allows the appropriate access to the individual keys via the APIs.
But INI files aren't appropriately structured for that; XML files would be better, or any number of less-verbose-than-XML text formats.
> OS X does this like a dream, I can take my Library folder with me
> and wham, everything is the way I like it on a new machine. I'm
> sure it would be possible to do something similar on Windows,
> provided I paid $50 for some crappy shareware product.
Well, it wouldn't be a crappy $50 shareware product to virtualize the Registry. Since the APIs are inside ADVAPI32.DLL, and are used during the boot process, it would be a kernel hack; generally more expensive when done third-party. MS could do it safely; third parties would need to worry about MS breaking the hack with an OS update.
No, Zonk, it isn't just you (Score:2, Informative)
Word of the post: benign
Re:Pfft. (Score:3, Informative)
Theoretically, when you register an OLE / ActiveX control, any application in the system should be able to use it. I believe registring the control tells Windows what the mapping is between a short identifier (GUID) for the control, and the DLL that contains its code. When an application wants to use an OLE/ActiveX control, it supplies the GUID to the Win32 API, and Windows then consults the registry to hunt down the corresponding DLL.
I could be wrong, but I think applications' use of the Registry may have come after that.
Re:Registry is the problem? (Score:3, Informative)
Re:Maybe he has a point (Score:3, Informative)
I could understand it if those best practices were really complicated or undocumented, but they're not. Programmers are just lazy.
Re:Microsoft addresses Windows security concerns (Score:4, Informative)
He has no business complaining about Microsoft's "protection racket" if he honestly doesn't understand that his recent issue has jack-squat to do with Microsoft.
Re:Pfft. (Score:4, Informative)
Even Microsoft is telling people not to use it anymore to store app setting. They actually do recomend using ini or xml files for that. Case in point, the default place to store app settings in ASP.NET and WinForms is in an xml file (either web.config or app.config).
Now, completely doing away with the registry? Impossible. There are too many things that the registry does for Windows that the blowhards on this list dont even know about. All of
And as much as the people of slashdot hate ActiveX (and its big brother
Thats right, because of the restistry, stuff just works. We have installs that just work. We have programs that can talk to eachother, and it just works. Linux, not so much.
Explorer Freeze (Score:1, Informative)
That's quite common in some situations, and Russinovitch dissecates one quite nicely in his blog:
http://www.sysinternals.com/blog/2005/08/case-of-
Re:Pfft. (Score:4, Informative)
Yes, but:
No, sadly, CuteFTP contains exploitable adware (Score:5, Informative)
Later versions of CuteFTP supposedly don't contain Aureate. Supposedly. You may or may not believe them. Better to not use CuteFTP, any other Globalscape product, any Aureate/Radiate product, or any product that ever contained Aureate. Here's a old list of programs known to contain Aureate. [accs-net.com]
Aureate changed its name to Radiate. In 2001, they settled a class action [clickz.com] over privacy issues.
Radiate tried again with "Go!Zilla". Some versions of Go!Zilla have adware and/or spyware. The current makers of GoZilla claim "The current Go!Zilla software contains no advertising. There are several older, out-of-date versions of Go!Zilla which contain advertising from 3rd parties." But then they say "Go!Zilla will make certain partner software programs available to you during the Go!Zilla trial version's installation. These products are not necessary to the function of Go!Zilla, and you may decide if wish to install them. Make sure you read the installation prompts carefully to insure you get the best installation for you. Each partner program has its own privacy policy, and Go!Zilla is careful to screen partners for product quality and responsible privacy policies."
Or, in other words, "we're going to load up your machine with adware if you're not very, very careful during the install."
Aureate/Radiate appears to be defunct. Unclear whether they went bankrupt, were acquired, or are on the lam.
AdAware can be helpful if your system is infected with Aureate/Radiate, although it may not find attacks downloaded via the security holes.
For more details about Aureate, Radiate, and CuteFTP, click here (long .pdf). [unwantedlinks.com]
Re:Microsoft addresses Windows security concerns (Score:3, Informative)
If that's the case, why does Windows XP Home Edition default to making the user's primary account an administrative account -- one which requires no password unless you tell it explicitly to require one?
In many corporate IT organizations, it's become commonplace to grant administrative privileges to a user for their local machine; they still can't use those privileges network-wide, but it gives them enough ammo to shoot themselves in the foot. It's just more practical (in the eyes of IT staffers, anyway, if not in reality) to do that, rather than have an administrative account and password that's global which everyone knows. This has the added advantage of creating an audit trail so that when a user installs some unauthorized software on a workstation, it becomes pretty easy to tell who installed it.
Logging in with an unprivileged account and then running binaries piecemeal with administrative privileges sounds great in theory, until you have to run some ill-behaved software that assumes you're already logged in as an administrator. (This happens a lot at my workplace, but I can't really elaborate more than that.) The inconvenience and impracticality really has an effect on productivity.
I'm not saying that your suggestion (using "Run As...") won't work... just that in the real world, most people would chafe if they were forced to work like that. That, plus the ill-behaved 3rd party software issue I mentioned, really makes it not a very good practical idea.
Re:Pfft. (Score:3, Informative)
If you ever used OS/2, then you will know some of the dangers of having a rapidly changing central directory.
From having used MacOS X I got to like the way it handled storing configuration settings. Here The system wide settings are stored in the form of XML files, in
Re:Pfft. (Score:3, Informative)
Re:Microsoft addresses Windows security concerns (Score:4, Informative)
Would you give out the root password to your users?
The Registry Isn't The Problem (Score:2, Informative)
1. As of W2K, you can assign permissions (granted, useless if everybody runs as admin)
2. Program settings under HKCU follow users around (when implemented properly, this works very well)
3. Easy to read/write from
The pains of the registry often have not much to do with the registry itself:
1. Silly things like HKCU\Software\Microsoft\Windows\CurrentVersion\Ru
2. IE's poorly-implemented ActiveX plug-in architecture is not a registry problem, it is an application design problem (if IE used a flat config file to store the ActiveX info, it would still be just as bad)
3. Microsoft Office stores its configuration data as binary blobs instead of typed data - laziness that causes unnecessary cross-version compatibility issues
If Microsoft would simply disable the Run key in HKCU, set up an Execute flag (like *nix) and make it default to run as non-admin (which it does in Vista, AFAIK), it would be quite a bit more secure than it is. At any rate, though, none of these things has much to do with the registry. If startup programs were stored in a file somewhere, it would be well-known quickly enough, and we would have just as many problems. Security through obfuscation doesn't work, we all know that.
Re:I can write on PC Magazine too! (Score:3, Informative)
Nope. He's not a troll or a zealot. He's just another pissed off user who's not afraid to tell the hard truth.