Please create an account to participate in the Slashdot moderation system


Forgot your password?
Microsoft IT

The Microsoft Protection Racket 539

bonch writes "Dvorak writes about the 'Microsoft protection racket' in his latest column--'charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system.' Dvorak argues that someone took a look at the expense of Microsoft's monthly 'Patch Tuesday' and decided to find a way to make money from it instead of fix the code (e.g., abandoning the use of the registry)." I enjoy salt with my Dvorak, but that's just me.
This discussion has been archived. No new comments can be posted.

The Microsoft Protection Racket

Comments Filter:
  • by It doesn't come easy ( 695416 ) * on Friday October 14, 2005 @01:35PM (#13791940) Journal
    Microsoft Windows - Operating system. Provides resource allocation to underlying computer hardware. Note: No warrantee, no guarantees, may have security issues.
    Microsoft Security - Subscription security service. Provides security monitoring of underlying insecure operating system. Note: No warrantee, no guarantees, may have security issues.
    • by iotashan ( 761097 ) on Friday October 14, 2005 @02:17PM (#13792330)
      Microsoft has created a no-win situation for themselves...

      1. Create a subscription security service, and people complain they shouldn't have to pay. Someone call the class-action lawsuit attourneys!
      2. Distribute it freely, and face anti-trust lawsuits from security software makers, and possibly the DOJ, depending on who's in the White House (Who! The guy in the White House. Who? Yes.).
      • by Pxtl ( 151020 ) on Friday October 14, 2005 @02:39PM (#13792528) Homepage
        I don't think that any anti-trust suits have been brought to them for their security fixes. The point is that _security_ should be there already, and fixes for security should be free because they basically sold you something that didn't work otherwise.

        Meanwhile, bundling in software that competes with competators with the expressed purpose of putting them out of business (note how MS software stagnates the moment the competator is gone) is a whole different story.
  • by Anonymous Coward on Friday October 14, 2005 @01:35PM (#13791943)
    But that's just me.
  • by rob_squared ( 821479 ) <<rob> <at> <>> on Friday October 14, 2005 @01:37PM (#13791952)
    I love your keyboards, but I trust a drunk man's predictions of the tech market more than I do yours.

    And yes, I know he isn't the same as the keyboard guy.

  • Frank Nitti (Score:3, Informative)

    by jkind ( 922585 ) on Friday October 14, 2005 @01:40PM (#13791972) Homepage
    In case you aren't ready when Dvorak makes Al Capone related references: []
  • by tenzig_112 ( 213387 ) on Friday October 14, 2005 @01:40PM (#13791974) Homepage
    It'd be a real shame if something happened to it. []
    from the article:

    REDMOND, WA- For years Windows users have lived under a blanket of fear, constantly checking their computers for malicious programs that take advantage of critical security flaws in the operating system lest they lose their hardware, their data, or even their identities. Thankfully those days might soon be over thanks to a new subscription service aimed at cleaning up Microsoft's mess. Even better, this new utility comes from the most trusted name in computing: Microsoft.

    In truth, anti-spyware and anti-virus programs flood the market already, but they all share a common flaw: they're free. With freeware it is difficult, if not impossible, for consumers to know if it's really working. Experts say it takes a financial sting to make the software's real value apparent. While it would certainly be innovative for Microsoft to charge for the freely available service, the forward-thinking software company is not content to stop there. They plan to ask customers to pay for these features every year.
  • Pfft. (Score:5, Informative)

    by JanusFury ( 452699 ) <(moc.liamg) (ta) (ddag.nivek)> on Friday October 14, 2005 @01:42PM (#13791994) Homepage Journal
    Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software. What do you suggest we replace it with, INI files? What do you suppose we do about the thousands of existing applications that use the registry? How do you suggest we support access controls for individual settings and keys - make a single INI file for each one?

    Changes like 'get rid of the registry' are changes you make when you release a new OS, not when you release a service pack. OS X, for example, uses flatfiles to store most (if not all) preferences, but that's something they designed in from the start.

    It's pretty annoying how people always suggest blatantly stupid 'solutions' to problems instead of focusing on real fixes like better design and better testing...
    • " What do you suppose we do about the thousands of existing applications that use the registry? "

      How about a virtual registry?
    • Re:Pfft. (Score:5, Insightful)

      by MightyMartian ( 840721 ) on Friday October 14, 2005 @01:53PM (#13792096) Journal
      And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time, and it sure makes down-and-dirty administration ten times easier. The registry editor is a f**cking nightmare compared to your favorite text editor and *.conf or *.rc. Security is handled through the file system. The registry was a bad idea from the get-go, but you're right, Microsoft's incompetence will be with us until the world finally tells Redmond to take their crappy operating system and shove it.
      • Re:Pfft. (Score:2, Insightful)

        by cthrall ( 19889 )

        And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time

        And where is it stored? ~/.app? ~/.app/.settings? /etc/app? /etc/app/settings? /etc/app/settings.xml? And what is the format of said INI file? And what do the permissions need to be for the app to run? And what do the permissions need to be for a sane security approach.

        I don't think it's any better.

        • Re:Pfft. (Score:5, Insightful)

          by MightyMartian ( 840721 ) on Friday October 14, 2005 @02:00PM (#13792177) Journal
          It's better because you can use a frickin text editor. The settings are discrete and can be easily copied. When I move my account to a different *nix box, I just zip up my configs, unzip them on the new account, and maybe, if locations are different, do a bit of tweaking. I've had the same damn .pinerc file for four years now. It's easy to archive, easy to restore and easy to alter. The registry is a pain to back up, can be really ugly to restore and alteration requires a stinking idiotic registry editor.
        • Re:Pfft. (Score:3, Funny)

          by Gulthek ( 12570 )
          Your superficial arugment has convinced me of something alright.
        • Re:Pfft. (Score:5, Insightful)

          by Rasta Prefect ( 250915 ) on Friday October 14, 2005 @02:38PM (#13792526)
          And where is it stored? ~/.app? ~/.app/.settings? /etc/app? /etc/app/settings? /etc/app/settings.xml?

          Global settings go in /etc. Per-User settings go under the home directory. The default per-user settings are stored in /usr/share and copied in the first time the program is run. Wow, that was hard wasn't it?

          See the way Apple has done this. Global app settings in /Library, personal App settings in ~user/Library. When I used to do desktop support (50/50 mix of OS X and Windows) all we had to do when we moved a user to a different machine was image it and copy their home directory. Easy as pie, takes about 10 minutes of my time. Wow, once again it was really hard to answer that "where does it go" question.

          Gotta save a users settings when moving them to a different windows install (usually because the students laptop was so spyware ridden it was easier to just reformant)? Let the nightmare begin!

          Trying to reinstall a hosed application that won't uninstall properly? Lets just see you try to track down all those registry keys. On a Mac or Linux you just remove the rc file or plist.

          And what is the format of said INI file?

          Once again, see Apple's plists. XML all the way, with tools to manipulate them if you don't like your text editor.

          And what do the permissions need to be for the app to run? And what do the permissions need to be for a sane security approach.

          Users their own config settings. If you want to restrict access to global config settings, just don't give them access to the config file. If you don't want them to run the program, don't give them read and execute permissions on the app itself. There are other operating systems out the besides windows, and they've already solved these problems. In the case of Unix, about 20 years ago. I've done Unix, Apple and Microsoft desktop administration, and while the Unix and Apple solutions do have a few quirks (Apple's system doesn't really have many), the Registry is by far the most broken and the biggest PITA.

      • Re:Pfft. (Score:5, Informative)

        by jsight ( 8987 ) on Friday October 14, 2005 @02:07PM (#13792238) Homepage

        And what is wrong with an individual INI file per app and/or per user? I mean, *nix has been using that for a long time, and it sure makes down-and-dirty administration ten times easier.

        Unless, of course, you are a Gnome use, in which case you get GConf. What is GConf? Well, it's a nice implmentation of a registry. :)
        • Re:Pfft. (Score:3, Insightful)

          Unless, of course, you are a Gnome use, in which case you get GConf. What is GConf? Well, it's a nice implmentation of a registry. :)

          Well, it's a registry anyway.
      • LOL (Score:3, Funny)

        by sheldon ( 2322 )
        There's nothing wrong with the registry that a little knowledge wouldn't fix.
      • Re:Pfft. (Score:3, Informative)

        I think the registry's origin was related to, or motivated by, the introduction of OLE (now ActiveX) controls.

        Theoretically, when you register an OLE / ActiveX control, any application in the system should be able to use it. I believe registring the control tells Windows what the mapping is between a short identifier (GUID) for the control, and the DLL that contains its code. When an application wants to use an OLE/ActiveX control, it supplies the GUID to the Win32 API, and Windows then consults the regist
      • Re:Pfft. (Score:5, Insightful)

        by badriram ( 699489 ) on Friday October 14, 2005 @02:18PM (#13792334)
        Both systems blow, and just as equally. It is the difference between any centralized and distributed system.

            Clean standard
            less flexibility
            single point of failure
            better security (advanced ACL support, not every app has it own parser)
            OS maintained
            Terrible portability

            no standard exists
            more flexibity
            no single point of failure
            weaker security (it is either put in user or etc, you do not have an option of put in etc but allow just this setting for users)
            App maintained
            Easy portability

        Best solution is to use both and let app decide
            but a nightmare for sys admins
      • Re:Pfft. (Score:4, Interesting)

        by Eccles ( 932 ) on Friday October 14, 2005 @02:21PM (#13792359) Journal
        The Registry had some practical benefits, I think, but could have been handled in a better way. As one other use suggested, a virtual registry. It appears as one editable object for use with a reasonable GUI tool, although the actual data is a number of distinct XML encoded files. That way it's easy to copy, to edit, and with OS support, easy for user apps to create, read, and write.
      • Re:Pfft. (Score:5, Insightful)

        by DaveJay ( 133437 ) on Friday October 14, 2005 @02:36PM (#13792510)
        You have to remember, the main purpose of the registry is to obscure information, not to make it easy to find and edit. Software makers want to be able to put autostart hooks, serial numbers and other such nonsense on the computers, and Microsoft gives them what they want. If you put everything in an .ini file, users would be able to find it and control it, which is exactly what software manufacturers don't want (in most cases).

        They can get rid of the registry once they have "Trusted Computing" in place, as they'll easily be able to drop application information into encrypted files that the user has no way of breaking into.
    • I'm not just being a curmudgeon here, but when it comes to 'real fixes', it looks like most of them would require a radically different codebase in order to prevent more knots down the rope when one is loosened, thus nesessitating a new version of Windows. And not just a marginally tightened service pack like Vista, but something entirely new. Microsoft realizes that with about 90'ish percent of the desktop market at their doorstep, treatment is much more lucrative than a cure. After all, what have they got
    • Re:Pfft. (Score:5, Insightful)

      by mugnyte ( 203225 ) on Friday October 14, 2005 @02:03PM (#13792198) Journal
      The registry and analogous flat file data stores try to achieve the same goals. I think the registry makes several mistakes:

        - Consolidating all settings into one proprietary data store. This imposes a new security mechanism over that of simple file access. This unique data store does nothing by itself to "secure" the data, it's just a box. One can lock the entire box but simple users do effect changes in the registry.

        - INI files are plaintext versions of some sort of file. Their manipulation could be by hand (trad *nix style), or employ one of several storage syntax mediums (XML being one) which allows general tools to work across the items.

        - File-based security on INI files is stronger, and more easily managed with existing tools, than key-based security on the hive-based registry entries. Combining with journaling/versioning, INI files hold more depth than a registry (which has to import/export to a file-based representation to achieve this).

        - Line-item security on INI files is not as strong, hence the danger people have in by-hand editing. This can be overcome using a syntax that allows for tool-based editing, where then INI files expose their keys, and a security table holds a File/Key/Role association.

        - Shared INI files for library management (aka COM) have the same write-contention isses as the registry, so no differences there. GAC-style libraries are directory-based, which seems to lend evidence that both file and registry stores for libraries are based done higher up in the file system.

    • Re:Pfft. (Score:4, Informative)

      by omibus ( 116064 ) on Friday October 14, 2005 @02:52PM (#13792647) Homepage Journal
      I agree, we can't just do away with the blasted thing, but...

      Even Microsoft is telling people not to use it anymore to store app setting. They actually do recomend using ini or xml files for that. Case in point, the default place to store app settings in ASP.NET and WinForms is in an xml file (either web.config or app.config).

      Now, completely doing away with the registry? Impossible. There are too many things that the registry does for Windows that the blowhards on this list dont even know about. All of .NET and ActiveX run thru the thing at one level or another.

      And as much as the people of slashdot hate ActiveX (and its big brother .NET), that is what makes writing apps on windows do-able, and a lot more fun than Linux.

      Thats right, because of the restistry, stuff just works. We have installs that just work. We have programs that can talk to eachother, and it just works. Linux, not so much.
    • Re:Pfft. (Score:3, Informative)

      Actually, abandonning the registry is one thing I would like to see. My main reason being applications over-dependency on it and that if you reinstall the system you are left reinstalling every program that assumed that a given entry would be there. Good programs, will still work even if you drag them to another computer, where the installation program was not run. Visio and TextEdit are two programs that I found worked well after reinstalling the system. Microsoft Office was one program that did not.

      If you
    • Anyone who suggests 'abandoning the use of the registry' has obviously never written Windows software.

      Anyone who suggests that there is no valid alternative to the registry has obviously not (properly) written .NET Windows software.

      Some people at Microsoft themselves suggest avoiding the registry--as of Windows Vista THE REGISTRY IS ESSENTIALLY DEPRECATED. So what is the alternative? How 'bout a standardised XML .config file [] for each application? That is what Microsoft advocates. And to all those Regis
  • by Godeke ( 32895 ) * on Friday October 14, 2005 @01:43PM (#13792005)
    While the views of the pundit may be questionable sometimes, it *is* a conflict of interest to charge fees for protection against your own flaws. Initially I'm sure they will try to continue securing the operating system while considering this service a backstop for users who violate basic common sense. When viewed that way, the extra fees make sense: I haven't had a security *alert* about an attempted infection in many years, mostly because I secure my environ and don't do stupid things. But for those who can't handle such things, and extra fee "security blanket" is acceptable.

    In the long run though, if the security software becomes a security blanket for *Microsoft* and basically is a required purchase to host a secure environment despite the security efforts of administers outside such extra fee tools, it would appear to be nothing more than a backdoor to charge annual fees to all those who dare resist the "Software Assurance" garbage. Oh, and them too, just more fees.
  • He's kinda right (Score:4, Insightful)

    by nuggz ( 69912 ) on Friday October 14, 2005 @01:43PM (#13792012) Homepage
    He is somewhat correct, if security was a priority these problems wouldn't exist.

    However consumers want easy to use and don't care about security. When you don't consider security (your customer doesn't care) and focus only on easy to use you will have an insecure system.

    Given the choice most people will choose insecure and easy over secure and less easy. They'll even pay for the difference.
  • by 8127972 ( 73495 ) on Friday October 14, 2005 @01:44PM (#13792015)
    "Nice server room you got there.... It would be a shame if something happened to it."
  • by OneByteOff ( 817710 ) on Friday October 14, 2005 @01:45PM (#13792021)
    I think the idea is not so much about making money or fixing code, its about offering protection to users of Microsoft Products. If you can protect against vulnerabilities via a software package that allows for Buffer Overflows, Stack Overflows and any common exploit to be detected and blocked, this is far superior then pushing out one or two patches (or 9 this week) to fix a problem.

    Also there are exploits in the wild that are never reported, no disclosure, no fixed code. Thus if you can work around this by offering a software package to protect you, by all means Microsoft should go this route.

    Also why is this retard writing about Security??
    [ quote ] "I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry entries" [ /quote ]

    Your f'ing joking right?.
  • Vista - Won't Boot Edition... $29.95
            Vista - Preloaded with Viruses and Spyware Edition... $39.95
            Vista - Initially Clean but Use at Your Own Risk Edition... $49.95
            Vista - Clean with Firewall and Weekly Protection Update Edition... $200

    From TFA.
  • Maybe he has a point (Score:2, Interesting)

    by eclectro ( 227083 )
    From TFA;Therein lies the rub. Microsoft cannot fix the code--that's the point. It apparently cannot be done. Get over it. And when the spyware epidemic appeared, the company had to throw in the towel. Spyware exploits the basic architecture of the operating system, and no amount of patches will change that.

    Maybe foundationally the architecture is so poor that no amount of code writing could be done to fix it.

    It may be the cost of paying for all those backward compatibility barnacles through the years.

    Or ma
    • by amliebsch ( 724858 ) on Friday October 14, 2005 @01:59PM (#13792156) Journal
      There's really nothing wrong with the foundations at all. The problem has been (1) the shell and its various subsystems (particularly IE), (2) programmer practices, and (3) user practices. Microsoft is of course fully responsible for (1), and, in fairness, security for these is free even to pirates. For (2) and (3), though, while they have encouraged best practices, they have made the decision not to enforce them. Enforcement of best practices, though, would not be IMO a good idea - the user should always have ultimate control over their machine.
      • by tsotha ( 720379 )
        My take on Windows is it would be a hell of a lot more secure if programmers didn't force me to install everything as Administrator. I once tried to use non-administrator accounts at home and finally gave up in disgust. Every third-party peice of software required administrator access to install (which is fine) and could only be run successfully by the installing user (which is not), because pretty much Microsoft was the only company to follow best practices. Now I use the admin account for everything bu
  • What fix? (Score:2, Insightful)

    by Anonymous Coward
    Everybody keeps saying shit like Microsoft should just fix their OS instead of releasing protection software. Contrarily though even with a "perfect" OS you still can have use for anti-malware software. What fix should MS implement that will prevent a browser plugin installer from also putting in a spam relay?
    • by Pfhorrest ( 545131 ) on Friday October 14, 2005 @02:33PM (#13792477) Homepage Journal
      Get rid of the notion of "installers" altogether.

      A browser plugin should be a single file that goes in a plugins folder. An application should be a self-contained package that can live anywhere on the system. You shouldn't have to RUN a program to ADD a program to your system - why can the installer program live and run self-contained wherever it is, but other programs have to be 'installed'? Nothing you're installing besides security updates and other OS patches should need to stick files all over the place and modify settings everywhere.

      Get rid of the notion of installers, and you get rid of installers putting malicious stuff on your system. Give the user the program. Let them stick it wherever they want. You've still got a possibility for trojan horses, I suppose, but with proper security they shouldn't be able to write to anything outside of userland without at least a password prompt.

      I guess the point I'm trying to make is, the system should be transparent and simple. When you've got a complex, tangled mess of invisible (files / dependencies / tasks / settings / etc), all hidden behind an "easy" face that's just plastered over the mess, then you're going to hit problems because the "easy" interface isn't really what's going on on the system. Things are hidden and so the user isn't really in control of their system - how can we expect users to be aware of what's going on with their computers when we try so hard to hide it from them? And if you're about to say that the real workings are too complex, users could never understand them - THERE'S YOUR PROBLEM.

      Make the system simple, modular, transparent. Like protected memory - every app runs in its own sandbox and can't write over all the others. Maybe we need some buzzword to make clueless users and equally clueless developers aware of the importance of having "protected file structures" - every app (by which I mean userland things like Word and Photoshop) is its own self-contained package and isn't spewing its shit all over the system. No hidden files, no hidden processes, let users see what's going on, and make what's going on simple enough for them to grok.

      Then and only then can we expect users to be able to avoid social engineering.

      You want a good example of an OS going strongly in this direction, take a look at OS X. And this 'everything-is-self-contained-and-doesn't-spew-shi t-everywhere' concept is a traditional thing in the Mac world. This isn't something new, just something that the mainstream hasn't done. I think it's time, as Mac and Windows have caught up to Unix in the world of protected memory and real multitasking, that Windows and Unix catch up to the Mac in the world of sane and modular file organization structures. (And yes, I'm aware that OSX, being unix-based, shares some of the same messy tangles as unixes, just with a pretty face slapped over it. And yes, that bothers me).
      • by wowbagger ( 69688 ) on Friday October 14, 2005 @03:26PM (#13792930) Homepage Journal
        Installers exist in Windows due to the Component Object Model (COM). An application is *supposed* to be a collection of component objects that can be instantiated by requesting the GUID of the object, rather than explicitly calling an object constructor. You need a mapping between the GUIDs and the DLL embodying the object, and that mapping is stored within the Registry. Were programs truly self-contained directories, there would be no way for, say, Word to say "Hey, I need an Excel object here - give me one", as the system would have no way to locate the DLL and constructor which embodied the Excel object.

        The Bonobo model Gnome uses has a similar problem - how does the Object Request Broker know what shared library to invoke to create an Bonobo object?

        In both cases there has to be *some* centralized repository of UID to library mappings, and as I understand it, that was what the origins of the Windows Registry were.

        However, programmers were encouraged to store other information beyond object mappings in the Registry - like program settings and such.

        However, even were Microsoft to revert all non-"COM mapping" data out of the Registry, the system would still have the problem that if the Registry gets toasted, nobody can find the DLLs for their objects, and thus nothing works.

  • by Anonymous Coward on Friday October 14, 2005 @01:49PM (#13792056)
    Remember the good old days when applications stored all of their configuration data in a file like SETTINGS.CFG? You could zip the entire application directory up, unzip it on another machine, and it would run just fine. An uninstall was as simple as erase *.*, cd .., rmdir foocalc.

    Use of the registry to store things that the application needs in order to work makes sense for a number of applications, especially enterprise stuff that needs remote installation and management and system software like firewalls and virus monitors, but there are quite a few user-application kinds of packages that use of the registry makes no sense for.

    For me, an application that doesn't use the registry is a huge plus.
  • Of course. (Score:2, Interesting)

    by showardkid ( 823639 )
    Seriously, folks, Microsoft is not running a charity here. What he suggests doing is dirty, scummy, and cheap because it will make them more money. I often agree with Dvorak, and this is definitely the case. Now, if Microsoft does this, it will inevitably hurt their profits in the long run, but for the short term, it'll boost them. The same thing happens with outsourcing. The same thing happens when customer service is moved to a call center in India where the workers don't speak passable English. Th
  • by dada21 ( 163177 ) * <> on Friday October 14, 2005 @01:51PM (#13792080) Homepage Journal
    Every product we buy needs long and short term maintenance. Cars need oil, tires, waxing and tinkering under the hood. Software, especially complex operating systems with a ton of third party programs, are no different. As Linux gains features and popularity, it also gains incompatibilities.

    Most end users seem to understand and accept some expense that decreases future downtime. Not a single customer of mine refused Microsoft's yearly subscription. Not one refuses to pay my employees' $95/hour invoices for applying all the various first and third party patches.

    Back to cars... Does GM repair recalls for free? Sure. But if your new radio doesn't interface with hour Vette, you buy the harness. When Windows is defeated by a new loophole that only occurs from connecting to the web, who's fault is it?

    You can always remove your 3rd party radio in your car. Go back to the OEM one. You can stop browsing through AOL using your Intel NIC, get MSN service and only browse MS websites, too.

    I've always felt F/OSS users ignore their time value. My personal time is worth $60/hour to me, including rest/sleep. My customers see a return of more valuable time when they pay for maintenance. F/OSS hasn't paid enough of a ROI for me to promote it.
    • by sqlrob ( 173498 ) on Friday October 14, 2005 @02:00PM (#13792170)
      When Windows is defeated by a new loophole that only occurs from connecting to the web, who's fault is it?

      Microsoft's. Time for a recall.

      From their XP Home Feature Page: (emphasis mine)
      The Windows XP Home Edition operating system offers a number of new features that help you work smarter and connect faster to the Internet and with others. And the rock-solid dependability of Windows XP lets you work and play with more confidence than ever.
  • I feel dirty! (Score:5, Interesting)

    by miffo.swe ( 547642 ) <<daniel.hedblom> <at> <>> on Friday October 14, 2005 @01:55PM (#13792119) Homepage Journal
    I can nothing but agree with what Dvorak says, It is pretty disturbing that the company that lets the malware in also charges you money for fixing it. I do not think antivirus is any real solution either but one that comes from Microsofts unwillingness to fix the problem. Thus a void was created wich was filled by other companies. To see Microsoft trying to take over that market is obnoxious. They should have fixed the underlying design problems in Windows that lets all the malware in, not slap a new layer ontop of the old broken one.

    Lets not forget that antivirus has a big problem. For it to recognize a virus someone must first dissect it and then create a signature. If someone would do 1000 versions of the same viruses you still have to dissect them all and create signatures for them. The hole that lets them in is still there and nothing is really fixed. All antivirus really helps against is getting a fix out for a specific virus in the wild until the vendor has time to fix the hole. If the vendor doesnt fix the hole quickly its pretty useless and creates and endless battle.

    The antivirus companies ofcourse like this, and endless revenue stream. When Microsoft enters this market it creates a huge conflict of interest. This is why i agree with Dvorak. Now, im off to take a hot shower and cry trough the night.....
  • Clueless Moron (Score:3, Informative)

    by bigtallmofo ( 695287 ) on Friday October 14, 2005 @01:57PM (#13792140)
    I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called "active skin," and I had to use SpySubtract to remove 26 Registry anything manages to worm in through the open port and place items in the Registry is beyond me, but it happens all the time.

    Amazing how he jumps to the conclusion that because something told him he had spyware on his system, he assumes it's because he left an FTP client in memory overnight. Interesting theory.

    Because FTP clients typically aren't exploitable "through an open port", you dingleberry, let me propose an alternate theory: You're a clueless moron that doesn't understand the most basic of security concepts.
  • Argh (Score:5, Interesting)

    by Alioth ( 221270 ) <no@spam> on Friday October 14, 2005 @01:58PM (#13792144) Journal
    Argh. Stop posting Dvorak articles! The man is an idiot who doesn't check his facts. He has actually gone out and complained in a column about the System Idle Process taking up 98% of cpu on his Windows machine and making the box thrash.

    His ignorant rantings are not in the least insightful.
  • by Se7enLC ( 714730 ) on Friday October 14, 2005 @02:08PM (#13792245) Homepage Journal
    What's wrong with the registry? Sure there are better ways to do it from an end-user point of view, but you can't blame the registry for all of windows problems. All the registry is is a database of configuration options for applications, system, etc. What would you rather have, a mess of unorganized and inconsistent files in /etc and ~/.appname? In either case, the registry has NOTHING to do with spyware infection. It's merely the underlying system that gets edited once a malicious program gets in. SOMETHING has to contain system and application configuration options, and whatever it is will be called a registry. The actual implementation is irrelevant.

    Whatever Dvorak would like to see replace it (notice that he didn't make a suggestion for improvement, just that "there has to be something better") will suffer the same problems as the registry if the security holes allowing unauthorized programs to edit it aren't fixed.
    • How does a program run without you having any knowledge that it was started? The registry makes this easy, as there are many places for malware to hide. The argument is outdated, however, as there are good tools to find what's hiding in the 6 or 7 places in the registry that specify programs to start automatically, and malware is moving into kernel space.
      • For starters, there are a lot of legitimate uses for silent startup programs. Specialized drivers for hardware, anti-virus/ anti-spyware applications, system security applications. Basically anything that needs to be started on the system before you touch it. If every one of those came with a dialog box and its own icon in the system tray, you'd scream.

        At least there are only 6 or 7 places where you can hide those startup programs, think about how many places there are on an average linux system for a pr
  • by micromuncher ( 171881 ) on Friday October 14, 2005 @02:09PM (#13792254) Homepage
    I dislike the puppet intellectual (Dvorak) as much as the next guy, but this time he has done an effective job at restating the obvious.

    He does however miss a point near and dear to my heart... that is - the dependency of the OS on these new MS integrated virus and spyware initiatives which will only get worse.

    I live behind a firewall. It does a really good job and keeping out most sploits. I also live behind an email server that does a pretty good job at sending executables to the bit-bucket.

    It annoys me to no end that IE is so insecure... but it also annoys me every time I boot my machine I get the Your system is insecure message, because I've chosen to disable the MS firewall and antivirus.

    Perhaps it will become as irritating as norton, that revalidates itself every other day accross the internet telling me the key I bought last month expired... or having ccapp go crazy burning cpu even when I've disabled virus checking.

    Norton is evil. It hooks into all sorts of stuff it shouldn't. Crappy virus ware (that patches file open) can potentially take down/slow down you computer even when its off, or you are disconnected.

    So, the real issue, after my rambling, is dependency on this crap by the OS, the grafting *kludge* by which it was implemented, and an unhealthy assumption that every computer is connected to the internet all the time.
  • Liability Risk? (Score:5, Interesting)

    by Spudnuts ( 21990 ) on Friday October 14, 2005 @02:15PM (#13792307)
    I wonder whether Microsoft changing their policy to charge for security updates might be a sufficient impetus for their EULA's denial of liability to be thrown out through legislation.
  • by pgnas ( 749325 ) on Friday October 14, 2005 @02:18PM (#13792335) Journal
    "Does Microsoft think it is going to get away with charging real money for any sort of add-on service, or new product that protects clients against flaws in its own operating system?"

    I encourage this type of arrogance on the part of Microsoft, I would suspect that they would find themselves tied up in another legal battle. In addition, this may be exactly the type of thing that Linux needs.

    "Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me.."

    This is one of those "features" brought about by the "tight integration" that Microsoft oh-so likes to spout off, the same goes for their "feature rich", "Tightly Integrated" Office Suite!

    [regarding the Registry]"Why does Microsoft insist on continuing its use? There has to be a better way."

    Another "tightly integrated" feature of the Windows OS, Surely there is a way, maybe when they receive the money for the patch management services, they will fix the problems with the registry.

    I really don't know why Microsoft is even worried about it, Isn't it the Coders Fault anyway? []

    "Why doesn't the company just bite the bullet and bring out various exploitable versions?"

    Vista - Wont't Install (BSOD) Edition
    Vista - Phisermans Dream Editition (Code Named CHUM)
    Vista - Cleaned and Optimized (Linux , Gnome w/Vista Skin)

    • I encourage this type of arrogance on the part of Microsoft, I would suspect that they would find themselves tied up in another legal battle. In addition, this may be exactly the type of thing that Linux needs.

      This kind of epicaricacy (look it up) is exactly the problem. Linux acceptance doesn't need to be dependent on the competition sucking. Linux needs to be made better, not their competition worse. All that does is assure we're just about the worst possible option. Admittedly Linux has gotten much be
  • by Shakes268 ( 856460 ) on Friday October 14, 2005 @02:25PM (#13792400)
    You know, whenever there is a story with Microsoft stating something about Linux or a writer compares the two and says something more favorable about Microsoft the half-penguin/half-sheep here start crying conspiracy. Countless times an author of a story has been trampled on this site due to past affiliations or past viewpoints. It is fairly obvious that Dvorak is not objective and his points are nothing more than attacks fired at MS and praises aimed at Linux. Show me something completely non-biased.
  • by MobyDisk ( 75490 ) on Friday October 14, 2005 @02:39PM (#13792535) Homepage
    Dvorak shows his ignorance on security in this article.

    Most recently, I forgot to turn off my CUTEftp client and left it running all night...Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me, but it happens all the time.
    This is wrong is so many ways.
    1) CuteFTP is a client not a server. The only way anyone got in through that is by him connecting to a malicious site.
    2) If someone got in through a bug in CuteFTP, it isn't Microsoft's fault.
    3) Typical Windows running as Administrator.
    4) If software has a security problem, it has nothing to do with leaving it on all night. What, does he think he is safe if it is running during the day? Or so long as he is watching it?
    5) "How a burgler climbs in through an open window and steals my money is beyond me, but it happens all the time."

    His registry comment... He sounds like Jerry Seinfeld: "The registry, what's up with that. I mean like, there has to be a better way." With that brilliant thinking, we can eliminate the registry and viruses and spyware will go away. Thanks John!
    • by Animats ( 122034 ) on Friday October 14, 2005 @03:23PM (#13792900) Homepage
      Unfortunately, some versions of CuteFTP contain the Aureate adware client []. Aureate is an entry point for attacks. [] "It is able to secretly download and cause Windows to execute any arbitrary program into the unsuspecting user's computer". ... ""phones home" every single time you use your web browser" ... "can, at their whim, accept and download any file into your system named "update-dll.exe" and then arrange for Windows to run this unknown program" ... "is trivial to "redirect" so that instead of phoning home to one of Aureate's servers, it connects to any other arbitrary server on the Internet." ... "They will always be responsible for sneaking 22 million copies of buggy and frightfully insecure spyware into the world's Windows PCs."

      Later versions of CuteFTP supposedly don't contain Aureate. Supposedly. You may or may not believe them. Better to not use CuteFTP, any other Globalscape product, any Aureate/Radiate product, or any product that ever contained Aureate. Here's a old list of programs known to contain Aureate. []

      Aureate changed its name to Radiate. In 2001, they settled a class action [] over privacy issues.

      Radiate tried again with "Go!Zilla". Some versions of Go!Zilla have adware and/or spyware. The current makers of GoZilla claim "The current Go!Zilla software contains no advertising. There are several older, out-of-date versions of Go!Zilla which contain advertising from 3rd parties." But then they say "Go!Zilla will make certain partner software programs available to you during the Go!Zilla trial version's installation. These products are not necessary to the function of Go!Zilla, and you may decide if wish to install them. Make sure you read the installation prompts carefully to insure you get the best installation for you. Each partner program has its own privacy policy, and Go!Zilla is careful to screen partners for product quality and responsible privacy policies."

      Or, in other words, "we're going to load up your machine with adware if you're not very, very careful during the install."

      Aureate/Radiate appears to be defunct. Unclear whether they went bankrupt, were acquired, or are on the lam.

      AdAware can be helpful if your system is infected with Aureate/Radiate, although it may not find attacks downloaded via the security holes.

      For more details about Aureate, Radiate, and CuteFTP, click here (long .pdf). []

  • by elgee ( 308600 ) on Friday October 14, 2005 @02:45PM (#13792582)
    Yes, it may well be unintentional, but MS is certainly running a protection racket. If your local mob extorts money from businesses lest they get an unwelcome visit by enforcers, that is a protection raacket. Pay money or your business will suffer losses.

    If you bought a car and then had to pay extra to keep it from falling apart, you might have some real problems with that.

    No, I am not a real MS basher.
  • by kuriharu ( 756937 ) on Friday October 14, 2005 @03:03PM (#13792740)
    Sorry to sound so inflammatory, but the man's an idiot. He made stupid comments back on CNET when it was a TV show, and he did it again in this essay. Here's what I mean:

    There is no incentive to fix the code base if it can make additional money selling "protection."

    That's not true at all. Microsoft has all types of incentives, namely competition from alternatives like Linux and Mac OS. But even from a programming standpoint, it makes sense. Virtually all software companies update their software; it makes sense that MS will too. It's foolish and cynical to think they "just don't care", even though I know a lot of people do.

    Not to change the subject, but isn't it about time we junked the entire concept of a "registry?" This concept has been the bane of Windows since its invention. It prevents easy program migration. It creates conflicts. It invites tampering. It's exploited by viruses and spyware. Why does Microsoft insist on continuing its use? There has to be a better way.

    Two points about this:
    1. There is a lot of functionality added by the registry. Yes, it has a curse along with the blessing, but does Dorvack actually think Windows ran better without a registry like it did in 3.1? I think he's just a little behind the times.
    2. How about he actually suggest an alternative? Bashing MS is one thing. How about Dorvack suggest a better way? It's easy to say "Microsoft sucks". How about he come up with a plan on his own?

    This from the man who said "No CD software should cost $50 when it only costs .50 to make a CD"

    Real profound.

  • Therein lies the rub. Microsoft cannot fix the code--that's the point. It apparently cannot be done. Get over it. And when the spyware epidemic appeared, the company had to throw in the towel. Spyware exploits the basic architecture of the operating system, and no amount of patches will change that. A barrier has to be erected that changes the way the computer works, by monitoring things more aggressively.

    Microsoft CAN fix the code, but there is no way they can get the political will to do it. They have too much time, face, and capital tied up in their internet-oriented OS to ever back away from it. Internet Explorer, Outlook, Windows Update, ... instead of having individual applications that build extensions of appropriate security around a set of resources (HTML rendering, HTTP access, CIFS access, scripting, the registry, and so on) they have committed to applications (Windows Update, Windows Explorer to an ever-increasing degree, Outlook, ...) built out of components running under the web browser.

    The security problems inherent in such a design were obvious to me in 1997, and when I banned the use of the "outside-facing" members of this family of tools at the local office we were able to easily ride out every one of the worm/virus outbreaks that slammed the rest of the company on a regular basis. I don't claim any great insight in this... virtually everyone else I knew in the security business came to more or less the same conclusion... but unfortunately few of them had the luxury of working for a company willing to give them the support for such an obvious step, and equally unfortunately I wasn't able to expand the policy beyond our building

    Microsoft could redesign their system to once again be application-centered, with the HTML control a display-only module that requires the application to install internet access, trusted scripting, and other potentially dangerous components only when needed. But they're moving the other direction, and so while they COULD fix their basic problems it's ever less likely that they WILL.

"The number of Unix installations has grown to 10, with more expected." -- The Unix Programmer's Manual, 2nd Edition, June, 1972