The Microsoft Protection Racket 539
bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.
Microsoft addresses Windows security concerns (Score:5, Insightful)
Microsoft Security - Subscription security service. Provides security monitoring of underlying insecure operating system. Note: No warrantee, no guarantees, may have security issues.
Conflict of interest (Score:5, Insightful)
In the long run though, if the security software becomes a security blanket for *Microsoft* and basically is a required purchase to host a secure environment despite the security efforts of administers outside such extra fee tools, it would appear to be nothing more than a backdoor to charge annual fees to all those who dare resist the "Software Assurance" garbage. Oh, and them too, just more fees.
He's kinda right (Score:4, Insightful)
However consumers want easy to use and don't care about security. When you don't consider security (your customer doesn't care) and focus only on easy to use you will have an insecure system.
Given the choice most people will choose insecure and easy over secure and less easy. They'll even pay for the difference.
What fix? (Score:2, Insightful)
Maintenance should cost time or money (Score:4, Insightful)
Most end users seem to understand and accept some expense that decreases future downtime. Not a single customer of mine refused Microsoft's yearly subscription. Not one refuses to pay my employees' $95/hour invoices for applying all the various first and third party patches.
Back to cars... Does GM repair recalls for free? Sure. But if your new radio doesn't interface with hour Vette, you buy the harness. When Windows is defeated by a new loophole that only occurs from connecting to the web, who's fault is it?
You can always remove your 3rd party radio in your car. Go back to the OEM one. You can stop browsing through AOL using your Intel NIC, get MSN service and only browse MS websites, too.
I've always felt F/OSS users ignore their time value. My personal time is worth $60/hour to me, including rest/sleep. My customers see a return of more valuable time when they pay for maintenance. F/OSS hasn't paid enough of a ROI for me to promote it.
Re:Pfft. (Score:5, Insightful)
Re:Pfft. (Score:2, Insightful)
And where is it stored? ~/.app? ~/.app/.settings?
I don't think it's any better.
Re:Maybe he has a point (Score:5, Insightful)
Re:Microsoft addresses Windows security concerns (Score:0, Insightful)
This is where Dvorak lost all credibility. He is obviously not qualified to speak on the subject of operating system security.
Re:Maintenance should cost time or money (Score:4, Insightful)
Microsoft's. Time for a recall.
From their XP Home Feature Page: (emphasis mine)
The Windows XP Home Edition operating system offers a number of new features that help you work smarter and connect faster to the Internet and with others. And the rock-solid dependability of Windows XP lets you work and play with more confidence than ever.
Re:Pfft. (Score:5, Insightful)
Re:Pfft. (Score:5, Insightful)
- Consolidating all settings into one proprietary data store. This imposes a new security mechanism over that of simple file access. This unique data store does nothing by itself to "secure" the data, it's just a box. One can lock the entire box but simple users do effect changes in the registry.
- INI files are plaintext versions of some sort of file. Their manipulation could be by hand (trad *nix style), or employ one of several storage syntax mediums (XML being one) which allows general tools to work across the items.
- File-based security on INI files is stronger, and more easily managed with existing tools, than key-based security on the hive-based registry entries. Combining with journaling/versioning, INI files hold more depth than a registry (which has to import/export to a file-based representation to achieve this).
- Line-item security on INI files is not as strong, hence the danger people have in by-hand editing. This can be overcome using a syntax that allows for tool-based editing, where then INI files expose their keys, and a security table holds a File/Key/Role association.
- Shared INI files for library management (aka COM) have the same write-contention isses as the registry, so no differences there. GAC-style libraries are directory-based, which seems to lend evidence that both file and registry stores for libraries are based done higher up in the file system.
Re:Pfft. (Score:2, Insightful)
Re:Pfft. (Score:2, Insightful)
If your crappy application will only function with a particular version of some
Saving disk space by sharing DLL files is like be like saving on grocery bills by shooting yourself in the head.
Registry is the problem? (Score:5, Insightful)
Whatever Dvorak would like to see replace it (notice that he didn't make a suggestion for improvement, just that "there has to be something better") will suffer the same problems as the registry if the security holes allowing unauthorized programs to edit it aren't fixed.
stating the obvious (Score:4, Insightful)
He does however miss a point near and dear to my heart... that is - the dependency of the OS on these new MS integrated virus and spyware initiatives which will only get worse.
I live behind a firewall. It does a really good job and keeping out most sploits. I also live behind an email server that does a pretty good job at sending executables to the bit-bucket.
It annoys me to no end that IE is so insecure... but it also annoys me every time I boot my machine I get the Your system is insecure message, because I've chosen to disable the MS firewall and antivirus.
Perhaps it will become as irritating as norton, that revalidates itself every other day accross the internet telling me the key I bought last month expired... or having ccapp go crazy burning cpu even when I've disabled virus checking.
Norton is evil. It hooks into all sorts of stuff it shouldn't. Crappy virus ware (that patches file open) can potentially take down/slow down you computer even when its off, or you are disconnected.
So, the real issue, after my rambling, is dependency on this crap by the OS, the grafting *kludge* by which it was implemented, and an unhealthy assumption that every computer is connected to the internet all the time.
Re:Admit it, you l337 hardcore /.ers read PC Mag (Score:2, Insightful)
is *always* wrong...
Dvorak and Hoagland (and others) have taken this to heart. If you are spinning
at exactly the right speed as the rest of the world, you will always be wrong.
So what if you start spinning wildly, at several revolutions per second?
Won't you be right dozens, or even hundreds of times in a day?
Never mind the fact that you'll be wrong thousands, or even tens of thousands
of times in that same period of time, and that's the problem with both men.
Both can point to a number of times when they were spot-on, either through plain old
dumb luck or because someone who really does know told them so (and they parrotted it)
Trouble is, the times they are correct are so outnumbered by the times they are
wrong that they just aren't worth following, regardless of the absolute number
of times they are correct. How do you know for sure when they are correct, unless
you do all the leg work yourself to verify?
Re:I enjoy calling Dvorak a blohward with my Dvora (Score:1, Insightful)
Re:Maintenance should cost time or money (Score:1, Insightful)
What use is a computer that cannot be safely connected to the Web? If your Vette could not "interface with the road" without suffering from fatal errors, it would be subject to immediate replacement (the technical term is "lemon").
A computer that is safe assuming it is never connected to the Web is like a car that is safe as long as it stays in the garage. Both are completely safe and completely useless.
Re:goodbye registry... hello registry! (Score:3, Insightful)
XML is not human-readable, for all the kerfuffle about a different file format for samba and nfs and so on I'd take any and all of them over XML any day. And can a human even find the XML? Can the apps use it without the gconf interface? MS could make the registry backend XML tomorrow, I suspect the only reason they don't is efficiency. But it wouldn't make any difference, all the problems we have would still be there. And gnome is introducing the same problems.
Re:Pfft. (Score:5, Insightful)
Centralzied-
Clean standard
less flexibility
single point of failure
better security (advanced ACL support, not every app has it own parser)
OS maintained
Terrible portability
Distributed
no standard exists
more flexibity
no single point of failure
weaker security (it is either put in user or etc, you do not have an option of put in etc but allow just this setting for users)
App maintained
Easy portability
Best solution is to use both and let app decide
but a nightmare for sys admins
Re:Pfft. (Score:2, Insightful)
Re:Pfft. (Score:3, Insightful)
Well, it's a registry anyway.
Re:Microsoft addresses Windows security concerns (Score:5, Insightful)
Oh yeah? Is he approaching this issue from the viewpoint of a security expert? No, he's approaching it from the perspective of a typical person (it might be your mother, or father).
Personally, I could not tolerate any of Dvorak's articles. But I have to admit his recent ones are starting to get much more on-topic (as opposed to his older lunatic rants, proclaiming that Microsoft would go out of business in 10 years, etc.)
Re:Thank you Bill May I have another!? (Score:3, Insightful)
This kind of epicaricacy (look it up) is exactly the problem. Linux acceptance doesn't need to be dependent on the competition sucking. Linux needs to be made better, not their competition worse. All that does is assure we're just about the worst possible option. Admittedly Linux has gotten much better in the last few years, but they still have a ways to go before my sixty+ mother is going to drop Windows, no matter what Microsoft charges.
Re:Pfft. (Score:5, Insightful)
They can get rid of the registry once they have "Trusted Computing" in place, as they'll easily be able to drop application information into encrypted files that the user has no way of breaking into.
Re:He's kinda right (Score:3, Insightful)
Vista isn't delayed because they want to focus more on security. It's been delayed because they just can't finish a project on time. This ain't a troll, seriously. Just have a look at the features they removed from Vista just so it could almost try to ship on time. They didn't remove those features because of security issues, they removed it because they can't make them fast enough. Heck, Microsoft was supposed to have WinFS (maybe not the same name, but still an object-oriented file system) in WinNT4... that's in 1996. They are 10 years late on their schedule, and they still can't make it.
Just like any other software company out there, Microsoft has a marketing department, and that department keeps promising stuff and giving release dates without ever consulting the developers. That is why it always gets delayed. Programmers know they can't hit the deadlines, marketing pretends they will. What's more... if marketing puts enough pressure on the developers so they actually release on the promised date, I truly doubt security will have been taken care of.
Re:Pfft. (Score:5, Insightful)
Global settings go in /etc. Per-User settings go under the home directory. The default per-user settings are stored in /usr/share and copied in the first time the program is run. Wow, that was hard wasn't it?
See the way Apple has done this. Global app settings in /Library, personal App settings in ~user/Library. When I used to do desktop support (50/50 mix of OS X and Windows) all we had to do when we moved a user to a different machine was image it and copy their home directory. Easy as pie, takes about 10 minutes of my time. Wow, once again it was really hard to answer that "where does it go" question.
Gotta save a users settings when moving them to a different windows install (usually because the students laptop was so spyware ridden it was easier to just reformant)? Let the nightmare begin!
Trying to reinstall a hosed application that won't uninstall properly? Lets just see you try to track down all those registry keys. On a Mac or Linux you just remove the rc file or plist.
And what is the format of said INI file?
Once again, see Apple's plists. XML all the way, with tools to manipulate them if you don't like your text editor.
And what do the permissions need to be for the app to run? And what do the permissions need to be for a sane security approach.
Users their own config settings. If you want to restrict access to global config settings, just don't give them access to the config file. If you don't want them to run the program, don't give them read and execute permissions on the app itself. There are other operating systems out the besides windows, and they've already solved these problems. In the case of Unix, about 20 years ago. I've done Unix, Apple and Microsoft desktop administration, and while the Unix and Apple solutions do have a few quirks (Apple's system doesn't really have many), the Registry is by far the most broken and the biggest PITA.
Re:Microsoft addresses Windows security concerns (Score:4, Insightful)
Meanwhile, bundling in software that competes with competators with the expressed purpose of putting them out of business (note how MS software stagnates the moment the competator is gone) is a whole different story.
electronic/physical analogies are shoddy, but... (Score:1, Insightful)
Microsoft makes this giant software behemoth called Windows that's comprised of hundreds of thousands of lines of code. Somebody finds a flaw in the way that it's put together, and Microsoft's the bad guy because they let it happen. Worse yet, they're taking another PR beating by selling an ongoing security service for their behemoth. (Whether this service is provided in a complete or timely manner is both highly unlikely and outside the scope of the point I'm making).
In the physical world, people built a giant behemoth of a building comprised of hundreds of thousands of pounds of concrete and steel in Oklahoma City. Somebody finds a flaw ("Hey! I can park this rental truck full of explosives only a few feet away on the street!"), and to my knowledge, no one thought to blame the building's architects and construction workers for not thinking to encase the whole building in a blast-proof dome. Now, let's say that when Freedom Tower is finished in New York, they hire a full-time security force to patrol the grounds and monitor the skies so we don't have a repeat of the WTC bombings. Would they be bad guys and extortionists too?
The Registry is a single point of failure. (Score:5, Insightful)
By having many different INI files, the loss of one file isn't going take the whole frigging system out.
I guess convenience is more important than resiliency to some, but since that's been Microsoft's approach to damn near everything for the past 20 years it doesn't surprise me in the least...
Re:Maintenance should cost time or money (Score:2, Insightful)
You can always remove your 3rd party radio in your car. Go back to the OEM one. You can stop browsing through AOL using your Intel NIC, get MSN service and only browse MS websites, too.
I think a better analogy between windows and the internet would be like a car and roads, or cars and tires. Not a car and some extraneous piece of equipment. Chances are that your windows box is connected to the internet and that's all it takes for it to be compromised. If your car couldn't move, and the dealer just says, "It's your car now. You can pay us to make it work." you'd be pretty mad. Especially when you have to pay that cost over and over.
Re:Registry is the problem? (Score:2, Insightful)
Re:Oh noes, Dvorak! (Score:3, Insightful)
Re:Microsoft addresses Windows security concerns (Score:4, Insightful)
Re:Microsoft addresses Windows security concerns (Score:5, Insightful)
Yeah, that whole apollo program was a complete failure wasn't it? Or the manhattan project? Or building any modern skyscraper? Or any serious engineering project of our time? They all fail miserably, don't they.
What is the alternative to authoritarian human endeavors? There were several X-prize contenders that tried to use a more open-source, everybody pitches in, communism type approach, and they were all bested by Burt Rutan.
And stop calling Microsoft a failure. It's the opposite of failure, obviously. Are you just trying to troll?
Re:Microsoft addresses Windows security concerns (Score:3, Insightful)
Windows almost always forces you to be administrator in order to do most tasks. Also, you cannot even upgrade your account temporarily to apply patches/run games - you have to log out and log back in as administrator. To that end, its almost always convenient to have administrative grants.
So regardless of whether it was a bug in a third-party application or not, it boils down to the fact that the OS "forced" the user to run as administrator, thus leading to the breech. The OS in this case should have still prevented the problem.
Re:Pfft. (Score:4, Insightful)
You claim the registry is "100x" more secure and robust but then don't explain why. Permissions? Flat-files have that. Robust? If one flat file goes, the whole thing doesn't corrupt.
And for the user, you can see, manipulate, and back up your configuration files. Please see OS X. Somehow, it manages without your crappy registry and uses slick XML property lists to do it.
If the rest of you would prefer to have a million ini files instead of a branching registry, then more power to you.
Hello, OS X.
Geez, what's next. Are you going to call up MS and say "The who idea of SQL databases sucks.. you should change that to a flatfile to so that I can use my text editor!".
I hate when people apply one situation to another. No, in the case of application configuration values, a central database isn't ideal. The registry blows, and just because you're one of those militant Windows developers who defends the crumbling Windows architecture doesn't make your loud opinion any more correct. It's not.
Or go on supporting a design that lets malware bury anything it wants and manipulate the system. A single store of the entire computer's configuration values in one object is completely ridiculous.
Re:That's a nice enterprise network you have there (Score:4, Insightful)
Re:Pfft. (Score:2, Insightful)
Its so well commented.
I love how i can look at the registry and know what to change and where to change it.
Throw all the config settings from an apache conf file and then make apache changes.
With ini files you can comment things
Re:Riddle me this... (Score:1, Insightful)
Second, viruses/spyware are executed like any program. Even if you have the securest model, some users are gonna defeat it in order to run annakornikova.exe or hotcum.exe.
Third, there are ALOT of Windows users. ALOT of Windows users DO NOT patch. Therefore, ALOT of people get affected. Do you sh*t on Linus because he is making you patch your kernel? If you don't and you get rooted, do you blame Linus or the other programmers? No, but you do blame Microsoft for getting rooted in Windows for not patching. My point is, users do not know of patching. They get affected by exploits fixed years after the fact. These users only patch when they buy a new copy of XP with the latest service pack or a new computer with the latest service pack. Some people when I fix their prblems, I tell them that is imperative that you patch and show them how they do that.
Riddle me this: Why are Linux users hypocrites on the third reason, and why are they such jackasses?
Re:Maintenance should cost time or money (Score:1, Insightful)
How does this crap get modded as insightful?
Re:Microsoft addresses Windows security concerns (Score:3, Insightful)
Depends on your definition of failure doesn't it. In terms of building a solid product it's a humiliating failure. In terms of good corporate citizenship it's a dismal failure. In terms of ethical and moral behavior it's a shocking and shameful failure.
Yes they make a lot of money. If you measure success in terms of money then they are not a failure.
Re:Microsoft addresses Windows security concerns (Score:3, Insightful)
The one major issue that allows this (running as Administrator by default) HAS been addressed in Vista. I'm no fan of the registry, but config files can get hacked just as easily. It's still no protection against opening a barn door and hanging a "Free Stuff Inside" sign over it, with strobe lights going off. And then he complains when someone comes and steals his toaster.
1998 called--it wants your code back (Score:3, Insightful)
Anyone who suggests that there is no valid alternative to the registry has obviously not (properly) written
Some people at Microsoft themselves suggest avoiding the registry--as of Windows Vista THE REGISTRY IS ESSENTIALLY DEPRECATED. So what is the alternative? How 'bout a standardised XML
*
* you can edit
* Unlike
*
Of course, we are talking about Windows here, so the legacy registry will be around for another decade I'm sure...and I'm sure as in the past short-sighted developers (both within Microsoft and outside) will ignore this excellent recommendation and continue to use the brain-damaged registry.
It's pretty annoying how people always suggest blatantly stupid 'solutions' to problems instead of focusing on real fixes like better design and better testing
Well, *I* find it pretty annoying when solutions are dismissed as "stupid" because they are different and people can't take the time to understand them. BTW, eliminating dependency on the registry *is* a "real fix"---the registry is a design flaw and
Re:Transparency and Simplicity (Score:3, Insightful)
Absolutely. Human time spent dealing with screw-ups is expensive. Disk space is cheap. You could even load individual copies into memory because RAM is cheap, although a clever versioning system could probably avoid that with only a little extra complexity, entirely invisible to the user.
I dump all of them into a standard path (the path is also stated in the registry). That way, when I find a bug in a DLL, I can update the DLL in one place and all of my apps are fixed at once.
That knife cuts two ways. You as a coder can enjoy the convenience of global bug-fixes, but every change brings the risk of new bugs too. So you can just as easily fix a big in all of the programs as you can introduce a bug in all of the programs. That's part of what people are talking about when they refer to "DLL-Hell."
As a user, I don't want a bug-fix for Adobe Photoshop making any changes, good or bad, to any other program, from Adobe or any other supplier.
Re:Microsoft addresses Windows security concerns (Score:3, Insightful)
In terms of good corporate citizenship... shall we talk about the $28.8 billion dollars in the Gates Foundation? The $7.5 billion given away to date?
In terms of ethical and moral behavior? Sorry, Enron is shocking and shameful. Dow's toxic waste dumps in India are shocking and shameful. Declaring bankruptcy just to get out from under your employee's pension obligations is shocking and shameful.
Microsoft's big crime seems to have been giving companies a bigger discount if they sell more of their products. Let's see...
Depends on your definition, doesn't it?
Re:Microsoft addresses Windows security concerns (Score:3, Insightful)
Those projects weren't monolithic or authoritarian. They had the brightest minds of their time all collaborating with free reign of direction of the project without some political body directing them specifics in their day to day work. Besides the massive security with the Manhattan project I don't think that the US government had a say in the scientists work other than to get the project done as soon as possible. And these projects weren't for money either...
If you want to give an example of monolith and authoritarian project, I would suggest looking at Germany's V2 [wikipedia.org] project or the Soviet Nuclear Program [wikipedia.org] headed by Beria (Stalin's lethal Security NKVD chief). Both of these projects used massive amounts of forced/slave labor.
However, those projects didn't fail. *coughs* Just their political systems. Although Apollo did have the help of Wernher von Braun [wikipedia.org] from the V2 and the Soviets got a head start by stealing US atomic secrets.
Re:Pfft. (Score:4, Insightful)
That's nonsense.
A) The mechanisms proctecting the registry are the same type that protect the file system. It's not like the registry encrypt's each user's setting individually.
b) Robust! How!? I want to add tab completion to my command line and I have to risk editing a file that can fubar my whole computer? How is that "robust"? Where are the fucking comments that tell me what this entry is and what it does?
The registry is a dirty, brittle hack used by lazy programmers like yourself. It's a pain in the ass for end users. Especially those with multiple computers who don't want to manually configure the preferences for every app on each PC they use.
Re:Microsoft addresses Windows security concerns (Score:4, Insightful)
Apple has alwasy been better. OS/2 was better, hell Amiga was better. If you think that what's popular is what's best then you plain old stupid.
"In terms of good corporate citizenship... shall we talk about the $28.8 billion dollars in the Gates Foundation? The $7.5 billion given away to date?"
1) Gates foundation is not microsoft. 2) Gates foundation was created in order to influence people like you (it worked!) into thinking Gates was actually a nice guy. 3) 7 billion is petty cash 4) Gates didn't actually give away money, he just gave stock he got for free to the foundation which then sold it.
"In terms of ethical and moral behavior? Sorry, Enron is shocking and shameful. Dow's toxic waste dumps in India are shocking and shameful. Declaring bankruptcy just to get out from under your employee's pension obligations is shocking and shameful."
Whoo Whoo, MS is less sleazy then enron and DOW!. It's nice to see corporations set their standards so low.