The Microsoft Protection Racket 539
bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.
A Little Creative thinking maybe....?!?! (Score:5, Interesting)
Also there are exploits in the wild that are never reported, no disclosure, no fixed code. Thus if you can work around this by offering a software package to protect you, by all means Microsoft should go this route.
Also why is this retard writing about Security??
[ quote ] "I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries" [
Your f'ing joking right?.
Maybe he has a point (Score:2, Interesting)
Maybe foundationally the architecture is so poor that no amount of code writing could be done to fix it.
It may be the cost of paying for all those backward compatibility barnacles through the years.
Or maybe Microsoft just doesn't want to bothered with it. But don't you think that if windows code was open sourced that eventually all the leaks would be patched??
Re:Pfft. (Score:0, Interesting)
Or property lists, yes.
What do you suppose we do about the thousands of existing applications that use the registry?
Wrappers for the INI/PLIST files that behave like the old registry calls.
How do you suggest we support access controls for individual settings and keys - make a single INI file for each one?
Why not?
OS X does this like a dream, I can take my Library folder with me and wham, everything is the way I like it on a new machine. I'm sure it would be possible to do something similar on Windows, provided I paid $50 for some crappy shareware product.
Registry versus Config Files (Score:3, Interesting)
Use of the registry to store things that the application needs in order to work makes sense for a number of applications, especially enterprise stuff that needs remote installation and management and system software like firewalls and virus monitors, but there are quite a few user-application kinds of packages that use of the registry makes no sense for.
For me, an application that doesn't use the registry is a huge plus.
Of course. (Score:2, Interesting)
I feel dirty! (Score:5, Interesting)
Lets not forget that antivirus has a big problem. For it to recognize a virus someone must first dissect it and then create a signature. If someone would do 1000 versions of the same viruses you still have to dissect them all and create signatures for them. The hole that lets them in is still there and nothing is really fixed. All antivirus really helps against is getting a fix out for a specific virus in the wild until the vendor has time to fix the hole. If the vendor doesnt fix the hole quickly its pretty useless and creates and endless battle.
The antivirus companies ofcourse like this, and endless revenue stream. When Microsoft enters this market it creates a huge conflict of interest. This is why i agree with Dvorak. Now, im off to take a hot shower and cry trough the night.....
Argh (Score:5, Interesting)
His ignorant rantings are not in the least insightful.
Another windows bashing idiot (Score:2, Interesting)
On the notion of charging for patches, they must be joking, if they seriously think it will make them any money in the long run they are nuts. My guess is this is some new service which got totally blown out of proportion.
Re:Maybe he has a point (Score:2, Interesting)
Maybe, but I'd bet that the way that it would be done in practice would be to make a Microsoft compatibility layer over an existing, more secure OS. Then you could run each legacy application in a sandbox so that your whole system wouldn't be hosed by the inherent insecurity of Windows's architecture.
capone jokes and dvowrath aside... (Score:2, Interesting)
hell, it'd be a shrewd move on the part of MS if they were to build their own virus/spyware protection, but package it as a separate module--say, building MSAS into the core of Vista, but keeping the name and the interface. a shady move, but a shrew one.
Re:Clueless Moron -- Indeed. (Score:4, Interesting)
Re:Microsoft addresses Windows security concerns (Score:1, Interesting)
When you build up montrously complex systems requiring the megalomaniac individual or small council at the top to make all decisions across such breadth of matters, they make mountains of bullcrap, that eventually bring them down, due to their own lack of ability to see the future and know enough.
GM & their unions come to mind as does the former Soviet Union.
Gates recounted going away to a lake once a year for a week or two where he and he alone appears to read non-stop and think about where MicroSoft will "go".
Does this sound a lot like a dicatator?
Liability Risk? (Score:5, Interesting)
Re:Microsoft addresses Windows security concerns (Score:5, Interesting)
1. Create a subscription security service, and people complain they shouldn't have to pay. Someone call the class-action lawsuit attourneys!
2. Distribute it freely, and face anti-trust lawsuits from security software makers, and possibly the DOJ, depending on who's in the White House (Who! The guy in the White House. Who? Yes.).
Re:Pfft. (Score:4, Interesting)
Baloney (Score:2, Interesting)
No more than the fact that McAfee or Symantec offers antivirus software means they active release viruses to spurn the adoption of their software.
Microsoft is being pro-active about security by trying to get software into Windows that will stop undiscovered bugs from making systems expoitable. This will make users safer in the long run, and eventually (probably) will be included in every copy of Windows.
Standard Anti-Microsoft Propaganda (Score:3, Interesting)
Re:Pfft. (Score:4, Interesting)
If the rest of you would prefer to have a million ini files instead of a branching registry, then more power to you. Because, remember, each key of the registy allows for NTFS permissions. So you would need a seperate file for each key in the registry if you want to allow for the same level of security.
Geez, what's next. Are you going to call up MS and say "The who idea of SQL databases sucks.. you should change that to a flatfile to so that I can use my text editor!".
Now yes, the registy has become very bloated. However, the reason is because everyone uses it. It's amazing how that works, isn't it? Big deal. I'd be willing to bet that most of you only use the HKLM\Software key or HKCU\Software key most the time anyway.
In my book, the registry is glorious. Being able to go to a single database'ish file pull nearly any system setting, many program setting (IE: program versions, install paths, etc), etc makes my life easy. And yes, I'm one of those people that store both plain text and encrypted data in the registry and also uses the NTFS type security to lock down keys in the registy.
I use the registry to share information between programs and I also use windows PIPE$ calls to relay information between programs. I suppose PIPE calls could be replaced with flat text files too. I suppose it's not long before someone says, 'PIPEs suck... use INI files'.
If you want to complain about some.. complain about all those annoying balloon pop ups from the system tray. I will agree with you there. Those little balloon tips are annoying. I hate ballons tips... and hippies.
Transparency and Simplicity (Score:5, Interesting)
A browser plugin should be a single file that goes in a plugins folder. An application should be a self-contained package that can live anywhere on the system. You shouldn't have to RUN a program to ADD a program to your system - why can the installer program live and run self-contained wherever it is, but other programs have to be 'installed'? Nothing you're installing besides security updates and other OS patches should need to stick files all over the place and modify settings everywhere.
Get rid of the notion of installers, and you get rid of installers putting malicious stuff on your system. Give the user the program. Let them stick it wherever they want. You've still got a possibility for trojan horses, I suppose, but with proper security they shouldn't be able to write to anything outside of userland without at least a password prompt.
I guess the point I'm trying to make is, the system should be transparent and simple. When you've got a complex, tangled mess of invisible (files / dependencies / tasks / settings / etc), all hidden behind an "easy" face that's just plastered over the mess, then you're going to hit problems because the "easy" interface isn't really what's going on on the system. Things are hidden and so the user isn't really in control of their system - how can we expect users to be aware of what's going on with their computers when we try so hard to hide it from them? And if you're about to say that the real workings are too complex, users could never understand them - THERE'S YOUR PROBLEM.
Make the system simple, modular, transparent. Like protected memory - every app runs in its own sandbox and can't write over all the others. Maybe we need some buzzword to make clueless users and equally clueless developers aware of the importance of having "protected file structures" - every app (by which I mean userland things like Word and Photoshop) is its own self-contained package and isn't spewing its shit all over the system. No hidden files, no hidden processes, let users see what's going on, and make what's going on simple enough for them to grok.
Then and only then can we expect users to be able to avoid social engineering.
You want a good example of an OS going strongly in this direction, take a look at OS X. And this 'everything-is-self-contained-and-doesn't-spew-sh
Dvorak - Security Expert (Score:5, Interesting)
1) CuteFTP is a client not a server. The only way anyone got in through that is by him connecting to a malicious site.
2) If someone got in through a bug in CuteFTP, it isn't Microsoft's fault.
3) Typical Windows running as Administrator.
4) If software has a security problem, it has nothing to do with leaving it on all night. What, does he think he is safe if it is running during the day? Or so long as he is watching it?
5) "How a burgler climbs in through an open window and steals my money is beyond me, but it happens all the time."
His registry comment... He sounds like Jerry Seinfeld: "The registry, what's up with that. I mean like, there has to be a better way." With that brilliant thinking, we can eliminate the registry and viruses and spyware will go away. Thanks John!
I hadn't thought of this before. (Score:3, Interesting)
If you bought a car and then had to pay extra to keep it from falling apart, you might have some real problems with that.
No, I am not a real MS basher.
Dorvack is such an idiot (Score:3, Interesting)
There is no incentive to fix the code base if it can make additional money selling "protection."
That's not true at all. Microsoft has all types of incentives, namely competition from alternatives like Linux and Mac OS. But even from a programming standpoint, it makes sense. Virtually all software companies update their software; it makes sense that MS will too. It's foolish and cynical to think they "just don't care", even though I know a lot of people do.
Not to change the subject, but isn't it about time we junked the entire concept of a "registry?" This concept has been the bane of Windows since its invention. It prevents easy program migration. It creates conflicts. It invites tampering. It's exploited by viruses and spyware. Why does Microsoft insist on continuing its use? There has to be a better way.
Two points about this:
1. There is a lot of functionality added by the registry. Yes, it has a curse along with the blessing, but does Dorvack actually think Windows ran better without a registry like it did in 3.1? I think he's just a little behind the times.
2. How about he actually suggest an alternative? Bashing MS is one thing. How about Dorvack suggest a better way? It's easy to say "Microsoft sucks". How about he come up with a plan on his own?
This from the man who said "No CD software should cost $50 when it only costs .50 to make a CD"
Real profound.
Microsft CAN but WON'T fix the basic problems. (Score:3, Interesting)
Microsoft CAN fix the code, but there is no way they can get the political will to do it. They have too much time, face, and capital tied up in their internet-oriented OS to ever back away from it. Internet Explorer, Outlook, Windows Update,
The security problems inherent in such a design were obvious to me in 1997, and when I banned the use of the "outside-facing" members of this family of tools at the local office we were able to easily ride out every one of the worm/virus outbreaks that slammed the rest of the company on a regular basis. I don't claim any great insight in this... virtually everyone else I knew in the security business came to more or less the same conclusion... but unfortunately few of them had the luxury of working for a company willing to give them the support for such an obvious step, and equally unfortunately I wasn't able to expand the policy beyond our building
Microsoft could redesign their system to once again be application-centered, with the HTML control a display-only module that requires the application to install internet access, trusted scripting, and other potentially dangerous components only when needed. But they're moving the other direction, and so while they COULD fix their basic problems it's ever less likely that they WILL.
Re:Registry is the problem? (Score:3, Interesting)
At least there are only 6 or 7 places where you can hide those startup programs, think about how many places there are on an average linux system for a program to hide. It's even easier to do on a linux system:
echo "/usr/hack/program_to_run & \>/dev/null " >>
(forgive any slight errors in that command, I'm not going to spend a whole lot of time testing it right now)
There. Now that little program will load on boot with root privs. Replace rc.local with pretty much ANY shell script on the system, and you'll have a silent application start that will be a bear to find.
The problem is not in the registry making it easy for those programs to do that, the problem is that those programs are allowed to make those registry changes without permission. The fact that programs can run at all without your permission, and especially the fact that simply connecting your windows machine to the internet will cause those types of spyware infestations to occur. It's the security holes that are the problem - Once I tell a program that it is allowed to install, I'd like for it to be easy to run on startup - it's those programs that I *didn't* allow to install that are the problem.
(Side note: somebody will probably want to comment on this and say "but in linux, you can't do that without root, so it's better". Well, what's the first thing you do when you want to install a program? "su root". So there ya go. If windows would fix those security holes and make it so that it actually required administrator privs to make changes, we'd be all set.)
ALTERNATIVELY, you may also say something like "but some of those things in windows don't require admin privs to wreak havok!" - well, same in linux. As a normal user, I may not be able to edit rc.local, but I can sure-as-heck add things to
The key is preventing windows from installing and running programs that you didn't ask for, through security holes. If you click "yes" to install something, it's allowed to do whatever it wants, but the real problem is in those programs that take advantage of security holes to make it so that you don't need to click yes to install/run. Those holes need to be fixed.
Re: "I think the registry makes several mistakes" (Score:4, Interesting)
Re:Transparency and Simplicity (Score:4, Interesting)
The Bonobo model Gnome uses has a similar problem - how does the Object Request Broker know what shared library to invoke to create an Bonobo object?
In both cases there has to be *some* centralized repository of UID to library mappings, and as I understand it, that was what the origins of the Windows Registry were.
However, programmers were encouraged to store other information beyond object mappings in the Registry - like program settings and such.
However, even were Microsoft to revert all non-"COM mapping" data out of the Registry, the system would still have the problem that if the Registry gets toasted, nobody can find the DLLs for their objects, and thus nothing works.
Re:Microsoft addresses Windows security concerns (Score:3, Interesting)
If you're totally clueless, don't run applications like CuteFTP.
Re:Microsoft addresses Windows security concerns (Score:3, Interesting)
Thank you! Where are my moderator points when I need them? Someone should mod this guy up.
Seriously, it's astounding how some folks assume that if you're a self-proclaimed computer expert or power user, that you have to automatically know everything they think you should know. There are varying levels of expertise, and while I know Dvorak isn't in the Guru league, he's not entirely a dope.
Oddly enough, this article by Dvorak is one of the few where I find myself agreeing with (most of) what he says.
I'm pretty savvy about Windows security, enough so that I have managed to keep the one Windows 2000 system I run at home from getting any viruses or other malware, but even I was unaware that CuteFTP had a nasty security exploit like that.
Then again, I wouldn't get caught dead running CuteFTP -- tried it a long time ago, many versions back, and it never really worked right for me.
Re:Microsoft addresses Windows security concerns (Score:2, Interesting)
If the OS were designed properly, no defect in an application would allow a malicious user access to something like the registry. But since applications have to have write access to everything on Windows...
Re:Pfft. (Score:3, Interesting)
There doesn't seem to be an easy way to extract and restore entries made by a particular application. Yes, I know you can extract single keys and trees. However, how do you extract only the keys that belong to the application? Applications that use an INI file are simple to back up, restore, or even move to a new system. Applications that use the registry (generally) must be completely reinstalled.
The search functionality seems a bit limited. In the registry editor, is there a way for me to find orphaned entries? Can I search out non system entries that haven't been accessed in x number of days? Is it possible to do a simple search and replace? This is fairly easy to do with INI files using basic file system utilities.
I can think of a few more problems. However, they have more to do with standard usage than the registry itself. It would be nice if applications would protect their entries from other applications using the registry security settings. However, the only way I can think of doing this would be to set up a per application user that only has security rights to that application's settings, kind of like Unix system accounts.
Keep in mind, I don't dislike the registry. However, it would be nice if it were as flexable as INI files. Yes, I am a Linux user. However, between gconf for desktop and application settings, and openldap for user/network settings, Linux seems to slowly be moving in the same direction.
Re:Microsoft addresses Windows security concerns (Score:4, Interesting)