
The Microsoft Protection Racket

bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.
  • by It doesn't come easy ( 695416 ) * on Friday October 14, 2005 @01:35PM (#13791940) Journal
    Microsoft Windows - Operating system. Provides resource allocation to underlying computer hardware. Note: No warranty, no guarantees, may have security issues.
    Microsoft Security - Subscription security service. Provides security monitoring of underlying insecure operating system. Note: No warranty, no guarantees, may have security issues.
  • by Godeke ( 32895 ) * on Friday October 14, 2005 @01:43PM (#13792005)
    While the views of the pundit may be questionable sometimes, it *is* a conflict of interest to charge fees for protection against your own flaws. Initially I'm sure they will try to continue securing the operating system while considering this service a backstop for users who violate basic common sense. When viewed that way, the extra fees make sense: I haven't had a security *alert* about an attempted infection in many years, mostly because I secure my environ and don't do stupid things. But for those who can't handle such things, an extra fee "security blanket" is acceptable.

    In the long run though, if the security software becomes a security blanket for *Microsoft* and basically is a required purchase to host a secure environment despite the security efforts of administrators outside such extra fee tools, it would appear to be nothing more than a backdoor to charge annual fees to all those who dare resist the "Software Assurance" garbage. Oh, and them too, just more fees.
  • He's kinda right (Score:4, Insightful)

    by nuggz ( 69912 ) on Friday October 14, 2005 @01:43PM (#13792012) Homepage
    He is somewhat correct, if security was a priority these problems wouldn't exist.

    However consumers want easy to use and don't care about security. When you don't consider security (your customer doesn't care) and focus only on easy to use you will have an insecure system.

    Given the choice most people will choose insecure and easy over secure and less easy. They'll even pay for the difference.
  • What fix? (Score:2, Insightful)

    by Anonymous Coward on Friday October 14, 2005 @01:48PM (#13792048)
    Everybody keeps saying shit like Microsoft should just fix their OS instead of releasing protection software. Contrarily though even with a "perfect" OS you still can have use for anti-malware software. What fix should MS implement that will prevent a browser plugin installer from also putting in a spam relay?
  • by dada21 ( 163177 ) * <adam.dada@gmail.com> on Friday October 14, 2005 @01:51PM (#13792080) Homepage Journal
    Every product we buy needs long and short term maintenance. Cars need oil, tires, waxing and tinkering under the hood. Software, especially complex operating systems with a ton of third party programs, are no different. As Linux gains features and popularity, it also gains incompatibilities.

    Most end users seem to understand and accept some expense that decreases future downtime. Not a single customer of mine refused Microsoft's yearly subscription. Not one refuses to pay my employees' $95/hour invoices for applying all the various first and third party patches.

    Back to cars... Does GM repair recalls for free? Sure. But if your new radio doesn't interface with your Vette, you buy the harness. When Windows is defeated by a new loophole that only occurs from connecting to the web, whose fault is it?

    You can always remove your 3rd party radio in your car. Go back to the OEM one. You can stop browsing through AOL using your Intel NIC, get MSN service and only browse MS websites, too.

    I've always felt F/OSS users ignore their time value. My personal time is worth $60/hour to me, including rest/sleep. My customers see a return of more valuable time when they pay for maintenance. F/OSS hasn't paid enough of a ROI for me to promote it.
  • Re:Pfft. (Score:5, Insightful)

    by MightyMartian ( 840721 ) on Friday October 14, 2005 @01:53PM (#13792096) Journal
    And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time, and it sure makes down-and-dirty administration ten times easier. The registry editor is a f**cking nightmare compared to your favorite text editor and *.conf or *.rc. Security is handled through the file system. The registry was a bad idea from the get-go, but you're right, Microsoft's incompetence will be with us until the world finally tells Redmond to take their crappy operating system and shove it.
  • Re:Pfft. (Score:2, Insightful)

    by cthrall ( 19889 ) on Friday October 14, 2005 @01:56PM (#13792124) Homepage
    And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time


    And where is it stored? ~/.app? ~/.app/.settings? /etc/app? /etc/app/settings? /etc/app/settings.xml? And what is the format of said INI file? And what do the permissions need to be for the app to run? And what do the permissions need to be for a sane security approach?

    I don't think it's any better.
  • by amliebsch ( 724858 ) on Friday October 14, 2005 @01:59PM (#13792156) Journal
    There's really nothing wrong with the foundations at all. The problem has been (1) the shell and its various subsystems (particularly IE), (2) programmer practices, and (3) user practices. Microsoft is of course fully responsible for (1), and, in fairness, security for these is free even to pirates. For (2) and (3), though, while they have encouraged best practices, they have made the decision not to enforce them. Enforcement of best practices, though, would not be IMO a good idea - the user should always have ultimate control over their machine.
  • by Anonymous Coward on Friday October 14, 2005 @01:59PM (#13792157)
    Most recently, I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries.

    This is where Dvorak lost all credibility. He is obviously not qualified to speak on the subject of operating system security.
  • by sqlrob ( 173498 ) on Friday October 14, 2005 @02:00PM (#13792170)
    When Windows is defeated by a new loophole that only occurs from connecting to the web, whose fault is it?

    Microsoft's. Time for a recall.

    From their XP Home Feature Page: (emphasis mine)
    The Windows XP Home Edition operating system offers a number of new features that help you work smarter and connect faster to the Internet and with others. And the rock-solid dependability of Windows XP lets you work and play with more confidence than ever.
  • Re:Pfft. (Score:5, Insightful)

    by MightyMartian ( 840721 ) on Friday October 14, 2005 @02:00PM (#13792177) Journal
    It's better because you can use a frickin text editor. The settings are discrete and can be easily copied. When I move my account to a different *nix box, I just zip up my configs, unzip them on the new account, and maybe, if locations are different, do a bit of tweaking. I've had the same damn .pinerc file for four years now. It's easy to archive, easy to restore and easy to alter. The registry is a pain to back up, can be really ugly to restore and alteration requires a stinking idiotic registry editor.
  • Re:Pfft. (Score:5, Insightful)

    by mugnyte ( 203225 ) on Friday October 14, 2005 @02:03PM (#13792198) Journal
    The registry and analogous flat file data stores try to achieve the same goals. I think the registry makes several mistakes:

      - Consolidating all settings into one proprietary data store. This imposes a new security mechanism over that of simple file access. This unique data store does nothing by itself to "secure" the data, it's just a box. One can lock the entire box but simple users do effect changes in the registry.

      - INI files are plaintext versions of some sort of file. Their manipulation could be by hand (trad *nix style), or employ one of several storage syntax mediums (XML being one) which allows general tools to work across the items.

      - File-based security on INI files is stronger, and more easily managed with existing tools, than key-based security on the hive-based registry entries. Combining with journaling/versioning, INI files hold more depth than a registry (which has to import/export to a file-based representation to achieve this).

      - Line-item security on INI files is not as strong, hence the danger people have in by-hand editing. This can be overcome using a syntax that allows for tool-based editing, where then INI files expose their keys, and a security table holds a File/Key/Role association.

      - Shared INI files for library management (aka COM) have the same write-contention issues as the registry, so no differences there. GAC-style libraries are directory-based, which seems to lend evidence that both file and registry stores for libraries are based done higher up in the file system.

  • Re:Pfft. (Score:2, Insightful)

    by linzeal ( 197905 ) on Friday October 14, 2005 @02:05PM (#13792219) Journal
    Why is a centralized file for every config option in the bloody OS down to the most minute of programs even considered when we have hard drives measured in the terabytes coming soon? I like having the ability to see the config files in the directory of the program I am running sort of like having a chalet for every car I own, I do not enjoy the nebulous bloated entity that the windows registry has become sort of like the floating harkonnen fat man making you milk a cat.
  • Re:Pfft. (Score:2, Insightful)

    by Moofie ( 22272 ) <lee AT ringofsaturn DOT com> on Friday October 14, 2005 @02:05PM (#13792223) Homepage
    I'd argue that shared, incompatible code libraries were a Bad Idea.

    If your crappy application will only function with a particular version of some .dll, then don't put it in the system directory where it's going to get upgraded by some other app.

    Saving disk space by sharing DLL files is like saving on grocery bills by shooting yourself in the head.
  • by Se7enLC ( 714730 ) on Friday October 14, 2005 @02:08PM (#13792245) Homepage Journal
    What's wrong with the registry? Sure there are better ways to do it from an end-user point of view, but you can't blame the registry for all of windows problems. All the registry is is a database of configuration options for applications, system, etc. What would you rather have, a mess of unorganized and inconsistent files in /etc and ~/.appname? In either case, the registry has NOTHING to do with spyware infection. It's merely the underlying system that gets edited once a malicious program gets in. SOMETHING has to contain system and application configuration options, and whatever it is will be called a registry. The actual implementation is irrelevant.

    Whatever Dvorak would like to see replace it (notice that he didn't make a suggestion for improvement, just that "there has to be something better") will suffer the same problems as the registry if the security holes allowing unauthorized programs to edit it aren't fixed.
  • by micromuncher ( 171881 ) on Friday October 14, 2005 @02:09PM (#13792254) Homepage
    I dislike the puppet intellectual (Dvorak) as much as the next guy, but this time he has done an effective job at restating the obvious.

    He does however miss a point near and dear to my heart... that is - the dependency of the OS on these new MS integrated virus and spyware initiatives which will only get worse.

    I live behind a firewall. It does a really good job at keeping out most sploits. I also live behind an email server that does a pretty good job at sending executables to the bit-bucket.

    It annoys me to no end that IE is so insecure... but it also annoys me every time I boot my machine I get the Your system is insecure message, because I've chosen to disable the MS firewall and antivirus.

    Perhaps it will become as irritating as norton, that revalidates itself every other day across the internet telling me the key I bought last month expired... or having ccapp go crazy burning cpu even when I've disabled virus checking.

    Norton is evil. It hooks into all sorts of stuff it shouldn't. Crappy virus ware (that patches file open) can potentially take down/slow down your computer even when it's off, or you are disconnected.

    So, the real issue, after my rambling, is dependency on this crap by the OS, the grafting *kludge* by which it was implemented, and an unhealthy assumption that every computer is connected to the internet all the time.
  • by Anonymous Coward on Friday October 14, 2005 @02:10PM (#13792264)
    A stopped clock is accurate twice a day; one that is five minutes slow
    is *always* wrong...

    Dvorak and Hoagland (and others) have taken this to heart. If you are spinning
    at exactly the right speed as the rest of the world, you will always be wrong.

    So what if you start spinning wildly, at several revolutions per second?

    Won't you be right dozens, or even hundreds of times in a day?

    Never mind the fact that you'll be wrong thousands, or even tens of thousands
    of times in that same period of time, and that's the problem with both men.

    Both can point to a number of times when they were spot-on, either through plain old
    dumb luck or because someone who really does know told them so (and they parroted it)

    Trouble is, the times they are correct are so outnumbered by the times they are
    wrong that they just aren't worth following, regardless of the absolute number
    of times they are correct. How do you know for sure when they are correct, unless
    you do all the leg work yourself to verify?
  • by Anonymous Coward on Friday October 14, 2005 @02:10PM (#13792266)
    "That's the joke." - McBain
  • by Anonymous Coward on Friday October 14, 2005 @02:12PM (#13792285)
    When Windows is defeated by a new loophole that only occurs from connecting to the web, whose fault is it?

    What use is a computer that cannot be safely connected to the Web? If your Vette could not "interface with the road" without suffering from fatal errors, it would be subject to immediate replacement (the technical term is "lemon").

    A computer that is safe assuming it is never connected to the Web is like a car that is safe as long as it stays in the garage. Both are completely safe and completely useless.
  • by m50d ( 797211 ) on Friday October 14, 2005 @02:14PM (#13792304) Homepage Journal
    Maybe because GConf is only a tool to flip switches in human readable xml files..not a registry.

    XML is not human-readable, for all the kerfuffle about a different file format for samba and nfs and so on I'd take any and all of them over XML any day. And can a human even find the XML? Can the apps use it without the gconf interface? MS could make the registry backend XML tomorrow, I suspect the only reason they don't is efficiency. But it wouldn't make any difference, all the problems we have would still be there. And gnome is introducing the same problems.

  • Re:Pfft. (Score:5, Insightful)

    by badriram ( 699489 ) on Friday October 14, 2005 @02:18PM (#13792334)
    Both systems blow, and just as equally. It is the difference between any centralized and distributed system.

    Centralized
        Clean standard
        less flexibility
        single point of failure
        better security (advanced ACL support, not every app has its own parser)
        OS maintained
        Terrible portability

    Distributed
        no standard exists
        more flexibility
        no single point of failure
        weaker security (it is either put in user or etc, you do not have an option of put in etc but allow just this setting for users)
        App maintained
        Easy portability

    Best solution is to use both and let app decide
        but a nightmare for sys admins
       
  • Re:Pfft. (Score:2, Insightful)

    by billyhoward ( 98385 ) on Friday October 14, 2005 @02:28PM (#13792427)
    Indeed. Is the savings of cheap memory and cheaper harddisk worth the cost of the fragility that is shared libs? I would rather have drag and drop apps in a container like OSX as opposed to a jillion libraries to get non-free-codec movies working in mplayer in ubuntu.
  • Re:Pfft. (Score:3, Insightful)

    by Skjellifetti ( 561341 ) on Friday October 14, 2005 @02:29PM (#13792435) Journal
    Unless, of course, you are a Gnome user, in which case you get GConf. What is GConf? Well, it's a nice implementation of a registry. :)

    Well, it's a registry anyway.
  • by null etc. ( 524767 ) on Friday October 14, 2005 @02:30PM (#13792445)
    This is where Dvorak lost all credibility. He is obviously not qualified to speak on the subject of operating system security.

    Oh yeah? Is he approaching this issue from the viewpoint of a security expert? No, he's approaching it from the perspective of a typical person (it might be your mother, or father).

    Personally, I could not tolerate any of Dvorak's articles. But I have to admit his recent ones are starting to get much more on-topic (as opposed to his older lunatic rants, proclaiming that Microsoft would go out of business in 10 years, etc.)

  • by jnaujok ( 804613 ) on Friday October 14, 2005 @02:34PM (#13792485) Homepage Journal
    I encourage this type of arrogance on the part of Microsoft, I would suspect that they would find themselves tied up in another legal battle. In addition, this may be exactly the type of thing that Linux needs.

    This kind of epicaricacy (look it up) is exactly the problem. Linux acceptance doesn't need to be dependent on the competition sucking. Linux needs to be made better, not their competition worse. All that does is assure we're just about the worst possible option. Admittedly Linux has gotten much better in the last few years, but they still have a ways to go before my sixty+ mother is going to drop Windows, no matter what Microsoft charges.
  • Re:Pfft. (Score:5, Insightful)

    by DaveJay ( 133437 ) on Friday October 14, 2005 @02:36PM (#13792510)
    You have to remember, the main purpose of the registry is to obscure information, not to make it easy to find and edit. Software makers want to be able to put autostart hooks, serial numbers and other such nonsense on the computers, and Microsoft gives them what they want. If you put everything in an .ini file, users would be able to find it and control it, which is exactly what software manufacturers don't want (in most cases).

    They can get rid of the registry once they have "Trusted Computing" in place, as they'll easily be able to drop application information into encrypted files that the user has no way of breaking into.
  • by Phisbut ( 761268 ) on Friday October 14, 2005 @02:37PM (#13792522)
    But isn't that the reason that Window's Longhorn (now Vista) is so delayed in coming? Because the entire Microsoft corporation was going to stop everything and focus solely on security issues? What, did they just give up on that idea when the bean-counters pointed out it would be better to leave the security issues and charge for "protection"?

    Vista isn't delayed because they want to focus more on security. It's been delayed because they just can't finish a project on time. This ain't a troll, seriously. Just have a look at the features they removed from Vista just so it could almost try to ship on time. They didn't remove those features because of security issues, they removed it because they can't make them fast enough. Heck, Microsoft was supposed to have WinFS (maybe not the same name, but still an object-oriented file system) in WinNT4... that's in 1996. They are 10 years late on their schedule, and they still can't make it.

    Just like any other software company out there, Microsoft has a marketing department, and that department keeps promising stuff and giving release dates without ever consulting the developers. That is why it always gets delayed. Programmers know they can't hit the deadlines, marketing pretends they will. What's more... if marketing puts enough pressure on the developers so they actually release on the promised date, I truly doubt security will have been taken care of.

  • Re:Pfft. (Score:5, Insightful)

    by Rasta Prefect ( 250915 ) on Friday October 14, 2005 @02:38PM (#13792526)
    And where is it stored? ~/.app? ~/.app/.settings? /etc/app? /etc/app/settings? /etc/app/settings.xml?

    Global settings go in /etc. Per-User settings go under the home directory. The default per-user settings are stored in /usr/share and copied in the first time the program is run. Wow, that was hard wasn't it?

    See the way Apple has done this. Global app settings in /Library, personal App settings in ~user/Library. When I used to do desktop support (50/50 mix of OS X and Windows) all we had to do when we moved a user to a different machine was image it and copy their home directory. Easy as pie, takes about 10 minutes of my time. Wow, once again it was really hard to answer that "where does it go" question.

    Gotta save a user's settings when moving them to a different windows install (usually because the student's laptop was so spyware ridden it was easier to just reformat)? Let the nightmare begin!

    Trying to reinstall a hosed application that won't uninstall properly? Let's just see you try to track down all those registry keys. On a Mac or Linux you just remove the rc file or plist.

    And what is the format of said INI file?

    Once again, see Apple's plists. XML all the way, with tools to manipulate them if you don't like your text editor.

    And what do the permissions need to be for the app to run? And what do the permissions need to be for a sane security approach?

    Users their own config settings. If you want to restrict access to global config settings, just don't give them access to the config file. If you don't want them to run the program, don't give them read and execute permissions on the app itself. There are other operating systems out there besides Windows, and they've already solved these problems. In the case of Unix, about 20 years ago. I've done Unix, Apple and Microsoft desktop administration, and while the Unix and Apple solutions do have a few quirks (Apple's system doesn't really have many), the Registry is by far the most broken and the biggest PITA.
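
Added example, not part of the thread: the file-system permission model described in the comment above (global settings under /etc, per-user settings under the home directory, access restricted through file permissions) expressed as a POSIX audit that flags config files and directories writable by anyone other than their owner. The directory layout, the user `alice` and the function names are constructed for the demonstration.

```python
import os
import stat
import tempfile


def check_entry(path, owner_uid):
    """Return findings for one file or directory that holds configuration."""
    st = os.lstat(path)  # lstat: inspect the entry itself, never a link target
    if stat.S_ISLNK(st.st_mode):
        # A link can point the application at a file someone else controls.
        return ["symlink, target not audited"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_tree(root, owner_uid):
    """Walk root and return {relative path: findings} for entries with problems.

    Directories are checked as well as files: write access to a directory
    lets a non-owner replace a config file even when the file itself is 0644.
    """
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            findings = check_entry(path, owner_uid)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_tree(base):
    """Create a constructed sample layout under base (not real system paths)."""
    files = {
        "etc/app/settings.conf": 0o644,    # global config, owner-writable only
        "etc/loose/settings.conf": 0o644,  # file is fine, its directory is not
        "home/alice/.apprc": 0o666,        # per-user config anyone can rewrite
        "home/alice/.pinerc": 0o600,       # per-user config, private
    }
    for rel, mode in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed sample config\n")
        os.chmod(path, mode)
    # Set directory modes explicitly so the result does not depend on umask.
    for rel in ("etc", "etc/app", "home", "home/alice"):
        os.chmod(os.path.join(base, rel), 0o755)
    os.chmod(os.path.join(base, "etc/loose"), 0o777)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        # In a real audit, /etc would be checked against uid 0 and each
        # home directory against that user's uid.
        for rel, findings in sorted(audit_tree(base, os.geteuid()).items()):
            print(rel, "->", ", ".join(findings))
```
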

  • by Pxtl ( 151020 ) on Friday October 14, 2005 @02:39PM (#13792528) Homepage
    I don't think that any anti-trust suits have been brought to them for their security fixes. The point is that _security_ should be there already, and fixes for security should be free because they basically sold you something that didn't work otherwise.

    Meanwhile, bundling in software that competes with competitors with the expressed purpose of putting them out of business (note how MS software stagnates the moment the competitor is gone) is a whole different story.
  • by theSpaceCow ( 920198 ) on Friday October 14, 2005 @02:50PM (#13792619)
    I know this post will get modded down because it doesn't suggest immediate formatting and installing of *nix on every hard drive in existence, but here's something I don't understand about the folks who complain about Microsoft's approach toward security: Why didn't they also complain about, say, the designers of the Alfred P. Murrah Federal Building [wikipedia.org]?

    Microsoft makes this giant software behemoth called Windows that's comprised of hundreds of thousands of lines of code. Somebody finds a flaw in the way that it's put together, and Microsoft's the bad guy because they let it happen. Worse yet, they're taking another PR beating by selling an ongoing security service for their behemoth. (Whether this service is provided in a complete or timely manner is both highly unlikely and outside the scope of the point I'm making).

    In the physical world, people built a giant behemoth of a building comprised of hundreds of thousands of pounds of concrete and steel in Oklahoma City. Somebody finds a flaw ("Hey! I can park this rental truck full of explosives only a few feet away on the street!"), and to my knowledge, no one thought to blame the building's architects and construction workers for not thinking to encase the whole building in a blast-proof dome. Now, let's say that when Freedom Tower is finished in New York, they hire a full-time security force to patrol the grounds and monitor the skies so we don't have a repeat of the WTC bombings. Would they be bad guys and extortionists too?
  • A classic example of poor design.

    By having many different INI files, the loss of one file isn't going take the whole frigging system out.

    I guess convenience is more important than resiliency to some, but since that's been Microsoft's approach to damn near everything for the past 20 years it doesn't surprise me in the least...
  • by beattie ( 594287 ) on Friday October 14, 2005 @02:52PM (#13792644)
    Back to cars... Does GM repair recalls for free? Sure. But if your new radio doesn't interface with your Vette, you buy the harness. When Windows is defeated by a new loophole that only occurs from connecting to the web, whose fault is it?

    You can always remove your 3rd party radio in your car. Go back to the OEM one. You can stop browsing through AOL using your Intel NIC, get MSN service and only browse MS websites, too.


    I think a better analogy between windows and the internet would be like a car and roads, or cars and tires. Not a car and some extraneous piece of equipment. Chances are that your windows box is connected to the internet and that's all it takes for it to be compromised. If your car couldn't move, and the dealer just says, "It's your car now. You can pay us to make it work." you'd be pretty mad. Especially when you have to pay that cost over and over.
  • by wbradney ( 922339 ) on Friday October 14, 2005 @02:53PM (#13792656)
    The registry, as a place to keep application configuration, is fairly uncontroversial. But the registry is a whole lot more than that. It's the nexus for COM and ActiveX (without it these won't function), and becomes essentially one big "code lookup" database -- and this is what makes it more vulnerable. When COM/ActiveX makes way for the .NET Framework (with Longhorn/Vista?) expect the registry to go away too (or at least be relegated to some kind of sandboxed emulation layer), and then there's no reason why application configuration and user settings could not be kept in suitably ACL'd XML policy files.
  • by Pope ( 17780 ) on Friday October 14, 2005 @03:03PM (#13792737)
    Dvorak predicts time and time again that Apple will fail at one thing or another and go out of business Any Time Now(tm). Their last quarter results speak to the contrary, as do the zillions of other wrong things Dvorak spouts on about.
  • by wernercd ( 837757 ) on Friday October 14, 2005 @03:10PM (#13792787)
    yup. because everyone knows experts know everything about all programs and never make mistakes.
  • by RobinH ( 124750 ) on Friday October 14, 2005 @03:21PM (#13792873) Homepage
    Ultimately, all monolithic, and particularly authoritarian human endeavors FAIL! Microsoft seems to be amongst that group, and I question if they can escape it easily.

    Yeah, that whole apollo program was a complete failure wasn't it? Or the manhattan project? Or building any modern skyscraper? Or any serious engineering project of our time? They all fail miserably, don't they.

    What is the alternative to authoritarian human endeavors? There were several X-prize contenders that tried to use a more open-source, everybody pitches in, communism type approach, and they were all bested by Burt Rutan.

    And stop calling Microsoft a failure. It's the opposite of failure, obviously. Are you just trying to troll?
  • by farzadb82 ( 735100 ) on Friday October 14, 2005 @03:22PM (#13792882)
    It's clear that he was slammed by a security hole in a third-party application he was running on his system as an Administrator

    Windows almost always forces you to be administrator in order to do most tasks. Also, you cannot even upgrade your account temporarily to apply patches/run games - you have to log out and log back in as administrator. To that end, it's almost always convenient to have administrative grants.

    So regardless of whether it was a bug in a third-party application or not, it boils down to the fact that the OS "forced" the user to run as administrator, thus leading to the breach. The OS in this case should have still prevented the problem.

  • Re:Pfft. (Score:4, Insightful)

    by Overly Critical Guy ( 663429 ) on Friday October 14, 2005 @03:25PM (#13792915)
    As someone who writes code and manipulates the registry every day, I for one love it.

    ...says every malware author on the planet.

    You claim the registry is "100x" more secure and robust but then don't explain why. Permissions? Flat-files have that. Robust? If one flat file goes, the whole thing doesn't corrupt.

    And for the user, you can see, manipulate, and back up your configuration files. Please see OS X. Somehow, it manages without your crappy registry and uses slick XML property lists to do it.

    If the rest of you would prefer to have a million ini files instead of a branching registry, then more power to you.

    Hello, OS X.

    Geez, what's next. Are you going to call up MS and say "The whole idea of SQL databases sucks.. you should change that to a flatfile too so that I can use my text editor!".

    I hate when people apply one situation to another. No, in the case of application configuration values, a central database isn't ideal. The registry blows, and just because you're one of those militant Windows developers who defends the crumbling Windows architecture doesn't make your loud opinion any more correct. It's not.

    Or go on supporting a design that lets malware bury anything it wants and manipulate the system. A single store of the entire computer's configuration values in one object is completely ridiculous.
  • by compro01 ( 777531 ) on Friday October 14, 2005 @03:41PM (#13793031)
    i don't trust pay-for antispyware software as it's really easy for a spyware firm to shove an envelope of large bills under the table to a big company and say "ignore our stuff".
  • Re:Pfft. (Score:2, Insightful)

    by bxbaser ( 252102 ) on Friday October 14, 2005 @03:53PM (#13793150)
    Plus the best part about it is.
    It's so well commented.
    I love how i can look at the registry and know what to change and where to change it.
    Throw all the config settings from an apache conf file and then make apache changes.
    With ini files you can comment things
  • by jofi ( 908156 ) on Friday October 14, 2005 @03:56PM (#13793195)
    Windows (2000/XP) has a security model that works really well and XP has even a better one than 2000. The main reason is because most people run as admin because that is default because alot of 3rd party programmers do not follow the same guidelines a linux programmer would (i.e. for Windows: program files are static, place user's data in their profile folder for writing; HKEY_LOCAL_MACHINE is static, use HKEY_CURRENT_USER to write). Therefore many programs are broken as a result of the disservice 3rd party programmers brought upon their users when run as non admin (mind you, by default because those are curable by adjusting permissions but that should never have to be done in the first place). Running as a limited user in IE does completely stop alot of exploits, the exploit isn't even there and it doesn't matter where your user can write to on the file system.

    Second, viruses/spyware are executed like any program. Even if you have the securest model, some users are gonna defeat it in order to run annakornikova.exe or hotcum.exe.

    Third, there are A LOT of Windows users. A LOT of Windows users DO NOT patch. Therefore, A LOT of people get affected. Do you sh*t on Linus because he is making you patch your kernel? If you don't and you get rooted, do you blame Linus or the other programmers? No, but you do blame Microsoft for getting rooted in Windows for not patching. My point is, users do not know of patching. They get affected by exploits fixed years after the fact. These users only patch when they buy a new copy of XP with the latest service pack or a new computer with the latest service pack. Some people, when I fix their problems, I tell them that it is imperative that you patch and show them how they do that.

    Riddle me this: Why are Linux users hypocrites on the third reason, and why are they such jackasses?

  • by Anonymous Coward on Friday October 14, 2005 @04:01PM (#13793257)
    >You can always remove your 3rd party radio in your car. Go back to the OEM one. You can stop browsing through AOL using your Intel NIC, get MSN service and only browse MS websites, too.

    How does this crap get modded as insightful? /. needs a -5 retarded moderation.
  • by killjoe ( 766577 ) on Friday October 14, 2005 @04:11PM (#13793366)
    "And stop calling Microsoft a failure. It's the opposite of failure, obviously. Are you just trying to troll?"

    Depends on your definition of failure, doesn't it? In terms of building a solid product it's a humiliating failure. In terms of good corporate citizenship it's a dismal failure. In terms of ethical and moral behavior it's a shocking and shameful failure.

    Yes they make a lot of money. If you measure success in terms of money then they are not a failure.
  • by Skreems ( 598317 ) on Friday October 14, 2005 @04:11PM (#13793375) Homepage
    That still doesn't make it Microsoft's fault, though. You can run a buggy FTP client on Linux just as easily as on Microsoft, and you can get your system rooted just as quickly. The only way for Microsoft to keep your system safe from stupid user actions like that is for them to mandate that you WILL NOT run any networked programs not approved by them. And you can imagine how much of an uproar there would be if they actually tried something like that.

    The one major issue that allows this (running as Administrator by default) HAS been addressed in Vista. I'm no fan of the registry, but config files can get hacked just as easily. It's still no protection against opening a barn door and hanging a "Free Stuff Inside" sign over it, with strobe lights going off. And then he complains when someone comes and steals his toaster.
  • by WebCowboy ( 196209 ) on Friday October 14, 2005 @04:32PM (#13793574)
    Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software.

    Anyone who suggests that there is no valid alternative to the registry has obviously not (properly) written .NET Windows software.

    Some people at Microsoft themselves suggest avoiding the registry--as of Windows Vista THE REGISTRY IS ESSENTIALLY DEPRECATED. So what is the alternative? How 'bout a standardised XML .config file [microsoft.com] for each application? That is what Microsoft advocates. And to all those Registry bigots out there:

    * .config files are not centralised and a bad setting won't corrupt a whole system
    * you can edit .config files without the aid of a specialised tool like regedit
    * Unlike .ini files, there is a standard XML specification established so all .config files are structured the same--also they are always located in the same directory as the application so it is easy to find.
    * .NET libraries are provided for the creation and modification of .config files, so there is no need to manually parse the file and no excuse not to comply with the standard specification

    Of course, we are talking about Windows here, so the legacy registry will be around for another decade I'm sure...and I'm sure as in the past short-sighted developers (both within Microsoft and outside) will ignore this excellent recommendation and continue to use the brain-damaged registry.

    It's pretty annoying how people always suggest blatantly stupid 'solutions' to problems instead of focusing on real fixes like better design and better testing

    Well, *I* find it pretty annoying when solutions are dismissed as "stupid" because they are different and people can't take the time to understand them. BTW, eliminating dependency on the registry *is* a "real fix"---the registry is a design flaw and .config files are "better design".
  • by Jherek Carnelian ( 831679 ) on Friday October 14, 2005 @05:13PM (#13793933)
    Are you saying that you'd rather have 100 DLL's between the two programs instead of just 70?

    Absolutely. Human time spent dealing with screw-ups is expensive. Disk space is cheap. You could even load individual copies into memory because RAM is cheap, although a clever versioning system could probably avoid that with only a little extra complexity, entirely invisible to the user.

    I dump all of them into a standard path (the path is also stated in the registry). That way, when I find a bug in a DLL, I can update the DLL in one place and all of my apps are fixed at once.

    That knife cuts two ways. You as a coder can enjoy the convenience of global bug-fixes, but every change brings the risk of new bugs too. So you can just as easily fix a bug in all of the programs as you can introduce a bug in all of the programs. That's part of what people are talking about when they refer to "DLL-Hell."

    As a user, I don't want a bug-fix for Adobe Photoshop making any changes, good or bad, to any other program, from Adobe or any other supplier.
  • by shmlco ( 594907 ) on Friday October 14, 2005 @05:51PM (#13794214) Homepage
    In terms of building a solid product... it's used on roughly 95% of the world's desktops. Nothing significantly better exists, or the vast majority of people would have jumped ship long ago.

    In terms of good corporate citizenship... shall we talk about the $28.8 billion dollars in the Gates Foundation? The $7.5 billion given away to date?

    In terms of ethical and moral behavior? Sorry, Enron is shocking and shameful. Dow's toxic waste dumps in India are shocking and shameful. Declaring bankruptcy just to get out from under your employee's pension obligations is shocking and shameful.

    Microsoft's big crime seems to have been giving companies a bigger discount if they sell more of their products. Let's see...

    Depends on your definition, doesn't it?

  • by vertinox ( 846076 ) on Friday October 14, 2005 @06:10PM (#13794333)
    Yeah, that whole apollo program was a complete failure wasn't it? Or the Manhattan project?

    Those projects weren't monolithic or authoritarian. They had the brightest minds of their time all collaborating with free rein of direction of the project without some political body directing them on specifics in their day-to-day work. Besides the massive security with the Manhattan project I don't think that the US government had a say in the scientists' work other than to get the project done as soon as possible. And these projects weren't for money either...

    If you want to give an example of a monolithic and authoritarian project, I would suggest looking at Germany's V2 [wikipedia.org] project or the Soviet Nuclear Program [wikipedia.org] headed by Beria (Stalin's lethal Security NKVD chief). Both of these projects used massive amounts of forced/slave labor.

    However, those projects didn't fail. *coughs* Just their political systems. Although Apollo did have the help of Wernher von Braun [wikipedia.org] from the V2 and the Soviets got a head start by stealing US atomic secrets.
  • Re:Pfft. (Score:4, Insightful)

    by theLOUDroom ( 556455 ) on Friday October 14, 2005 @07:02PM (#13794685)
    The registry is 100x more secure and robust than a flat file.

    That's nonsense.
    A) The mechanisms protecting the registry are the same type that protect the file system. It's not like the registry encrypts each user's settings individually.

    B) Robust! How!? I want to add tab completion to my command line and I have to risk editing a file that can fubar my whole computer? How is that "robust"? Where are the fucking comments that tell me what this entry is and what it does?

    The registry is a dirty, brittle hack used by lazy programmers like yourself. It's a pain in the ass for end users. Especially those with multiple computers who don't want to manually configure the preferences for every app on each PC they use.

  • by killjoe ( 766577 ) on Saturday October 15, 2005 @03:15AM (#13796196)
    "In terms of building a solid product... it's used on roughly 95% of the world's desktops. Nothing significantly better exists, or the vast majority of people would have jumped ship long ago."

    Apple has always been better. OS/2 was better, hell Amiga was better. If you think that what's popular is what's best then you're plain old stupid.

    "In terms of good corporate citizenship... shall we talk about the $28.8 billion dollars in the Gates Foundation? The $7.5 billion given away to date?"

    1) Gates Foundation is not Microsoft. 2) Gates Foundation was created in order to influence people like you (it worked!) into thinking Gates was actually a nice guy. 3) 7 billion is petty cash. 4) Gates didn't actually give away money, he just gave stock he got for free to the foundation which then sold it.

    "In terms of ethical and moral behavior? Sorry, Enron is shocking and shameful. Dow's toxic waste dumps in India are shocking and shameful. Declaring bankruptcy just to get out from under your employee's pension obligations is shocking and shameful."

    Whoo Whoo, MS is less sleazy than Enron and Dow! It's nice to see corporations set their standards so low.
