Microsoft May Charge for Security Tools

rscrawford writes "CNN reports that Microsoft may charge extra for security software. So first they edge their competition out of the browser market, then they tie IE into the OS so tightly that a crash in IE can crash the computer, and then they make IE so vulnerable that just using it is hazardous to the typical computer's health, and now they want to CHARGE users to fix it?"

oblig...

[Mad_Rain (674268)]

So THAT'S what Step two is. =P

Re:oblig...

[Trailwalker (648636)]

Step two is to issue a patch for a critical vulnerability in the new MS-AntiSpyware app.

Six months after it is discovered.

Good advertisement.

[by Anonymous Coward]

If Microsoft were to hire on the Verizon Wireless guy, they could have him walking across the country asking "Can I screw you now?"

Re:Good advertisement.

[Moofie (22272)]

And here, I thought that our British forebears could spell.

Guess you're not all that civilized after all...

Re:Good advertisement.

[Steve Franklin (142698)]

I absolutely refuse to believe that a real Britisher would spell it "Britan," even in haste. I think he may be referring to Britain as an example. He never actually says he's British, though the term "advert" puts him somewhere in the Commonwealth.

Personally, I think it's quite a humorous little series of ads, at least it was when I stopped watching TV a year ago. From what I've seen on the web, ads are pretty consistent throughout the Euro-centric world. "Buy our stuff, it's better, faster, stronger, newe

Once again, Microsoft blames the users.

[IO ERROR (128968)]

Some experts blame Microsoft for Windows vulnerabilities that help spread spyware. Microsoft and some others, meanwhile, said blame should be directed instead at spyware manufacturers.

"Spyware usually gets on your computer through human error," said Marc Maiffret of eEye Digital Security Inc., which regularly discovers serious Windows flaws.

Yeah, sure, if starting the computer is human error. It takes what, five minutes or less, for an XP box to get riddled with viruses, Trojans, etc.? The error is Microsoft didn't ship an operating system that could remotely be considered secure. You can't connect to the network to download SP2 without risking the computer. Where's the sense in this? Where's the user error?

Re:Once again, Microsoft blames the users.

[yelvington (8169)]

When Microsoft activates Skynet, the error-prone users will no longer be an issue.

Re:Once again, Microsoft blames the users.

[by Anonymous Coward]

You can't connect to the network to download SP2 without
risking the computer. Where's the sense in this? Where's the user error?

This is how people think after so much time with viruses. They are used to performing workarounds for Windows that lead to acceptance of viruses (just buy an antivirus) that lead to acceptance of spyware (just buy an antispyware) and that lead to acceptance of systems so bogged down by combinations of the above (just reinstall every 6 months).

It's a bit like living in a really bad neighbourhood and denying it's a problem. "Oh we're OK, we live in a safe area. As long as you put bars on all your windows, don't leave the house when it's dark, put up bullet proof windows, and don't make eye contact with the neighbours you're perfectly safe"

Apart from how it's broken, it works perfectly.

MS is fucked, but they don't mind. The consumer state of society today means MS can just tell people they need to buy something, and people will do what they're told to.

Re:Once again, Microsoft blames the users.

[Jace of Fuse! (72042)]

They are used to performing workarounds for Windows that lead to acceptance of viruses (just buy an antivirus) that lead to acceptance of spyware (just buy an antispyware) and that lead to acceptance of systems so bogged down by combinations of the above (just reinstall every 6 months).

There are small, efficient, safe, and free programs that perform these tasks without bogging the system down.

But your points do to some degree stand. Though even if the virus/worm/spyware problem weren't as bad today as it is, I probably would STILL run a software firewall and a good antivirus just as a matter of precaution. I also have all of my systems behind the network firewall but not everyone has that option.

The point is, that just because things are worse now on Windows than they have ever been, doesn't mean that good precautions wouldn't be paying off.

It's only a matter of time before MacOS X gains enough popularity that it's own security holes (though admittingly less serious than many of those in Windows) are mass exploited causing many Mac users some grief.

As it stands right now MOST Linux users can fend for themselves. How true do you think that would be if there was a huge wave of new Linux users converting from Windows? The clueless masses would show people that even a Linux box in the wrong hands can exploited, and I would dare say that an arm compromised *nix boxes is a far greater threat to the internet as a whole than the army of zombie Dialup AOL connected budget PCs running XP home that we currently have to dela with.

Security IS a problem right now, but Windows is only PART of the problem. The clueless human side of the equation isn't going to go away no matter how many people ditch Windows.

Re:Once again, Microsoft blames the users.

[Moofie (22272)]

"It's only a matter of time before MacOS X gains enough popularity that it's own security holes (though admittingly less serious than many of those in Windows) are mass exploited causing many Mac users some grief."

It's a matter of proper security design that those exploits will be limited in scope and number.

Windows doesn't get exploited just because it's popular. It gets exploited because it was designed wrong.

Re:Once again, Microsoft blames the users.

[thogard (43403)]

Once OSx gets hacked in a big way, I expect that Apple will get sued for engineering negligence. I've made it clear to Microsoft that the next time their buggy software nails my server (which runs freebsd), they will have to answer in court. The last time they managed to pay off my hosting provider after their tech support people tried to talk me into installing anti virus software on the server. It wasn't a virus on the server, it was millions of machines trying to talk to my news server. That was Sep of 2003 and the thing is still going wild.

If you sell a modern operating system and the install disks aren't safe to use (meaning no innocent third party suffers damage) then the product must be recalled. I've had enough of this crud that the next time I'm in the cross hairs, I'm going after whoever dropped the ball and I don't care if its MS, Apple or Sun. There is no excuse for not recalling a CD since its small and cost so little. In past court cases involving cars, that has made a huge difference in payouts. If sun is shipping hackable software with their cheapest v100 which cost $1000 and the fix of sending everyone a new CD which cost $3 or .3% of the product cost, there isn't a judge in the US that won't give the damaged party most of what they are asking for.

The same goes for Apple. They have teamed up with an Antivirus software company with imac when they could have just included that feature in the OS. I have recently found a copy of an old check from an anti-virus company to a student which proves that the student was paid to write viruses to help improve the bottom line. Thats racketeering and the resulting class action suit could kill a company.

Re:Once again, Microsoft blames the users.

[wastingtape (576230)]

Yes. I noticed the glitch in the Matrix as well.

Re:Once again, Microsoft blames the users.

[DownloadTHIS (794378)]

I actually agree with Microsoft here. These problems are caused by human error. Running Windows definitely falls under that catagory.

Re:Once again, Microsoft blames the users.

[by Anonymous Coward]

I work at an educational institute. Connect a Windows machine to our network and you WILL get Welchia in under a minute (assuming you aren't patched). I have done this several times.

The scenario you describe -- plugging into the internet without getting a worm -- is only the case because the chances are lower that you will get a worm. Basically, you are defending Microsoft on the grounds that the chances are not good that you will get a worm. But decrease the number of computers to that of a medium-sized college campus, and suddenly the chances become very good indeed. Your argument is not particularly good.

And this is not user error, unless you count not enabling a firewall before you plug into the network as a user error. But then, how do you enable a firewall on a built-in wireles card as you are installing Windows?

(Note that there are solutions around this problem -- and I use a few of them. I'm just pointing out that the argument, "I don't immediately get a worm on an unpatched Windows machine, so no one does," doesn't hold any water.)

Luck 10 minutes!

[gnuman99 (746007)]

In under 10 minutes.

You are lucky. I connected on *dial-up* with Windows to just DL one form from a gov't website and got infected in under 10 seconds. Before I could actually type the URL into Mozilla, the box was already infected.

I'd say your 10 minutes is pretty good :P

Re:Once again, Microsoft blames the users.

[TCM (130219)]

What are you talking about? Just because rackhamh referred to a trojan in an e-mail attachement doesn't mean that there are no completely automatic ways to catch a worm with an _unpatched_ Windows system without a firewall.

There was at least some RPC issue that worms used to spread completely automatically. The topic never was about a legitimate site spreading trojans.

Re:Once again, Microsoft blames the users.

[zulux (112259)]

You can't connect to the network to download SP2 without risking the computer.

Sure you can.

No you can't - in SP1 and below, the firewall gets put in place after the network interface is brought up. In face, the firewall is almost the last thing to initialize during the XP boot process.

Depending on your boot time, there can be few minutes where your computer is vulnerable.

Enjoy!

ack!

[nizo (81281)]

Microsoft's disclosure that it may eventually charge extra for Windows protection reflects a recognition inside the company that it could collect significant profits by helping to protect its customers.

And they don't see a conflict of interest here? Exactly what incentive would they have to fix security holes which are allowing malware into the machine in the first place if they are selling other products to "block" these kinds of attacks, or are they planning on charging for patches?

Re:ack!

[Lord_Dweomer (648696)]

Reminds me of the spammers who send out spam for spam blockers.

Re: thpt!

[Tackhead (54550)]

> "[H]elping to protect its customers" seems awfully euphemistic to me. Wouldn't it help their customers more to release software without the security holes that allow malware in the first place?

Not at all. The word "help" is used in the sense of "Hi. We're from Microsoft and we're here to help... ourselves."

Seems unusually blatant

[bigberk (547360)]

I mean, they were buying up security competitors as recently as Wednesday! Wouldn't that be a bit too blatant? Are they really trying to monopolize the desktop security market, or are they just trying to help cover costs in what is going to prove to be a very, very expensive area (once they start getting sued for having such a shoddy, insecure product)

Just one thing to say:

[sgant (178166)]

What balls!

What a huge, big, heavy set of balls this company has.

Hey, let's kick them!

Re:Just one thing to say:

[EnronHaliburton2004 (815366)]

Hey, let's kick them!

You ever kick the balls of an 800 pound gorilla?

Software sales - marketing

[Ogrez (546269)]

The only thing in this world I have found to be sleazier than lawyers are software salesmen. This isnt isnt a new idea from Microsoft... IBM did it for years with mainframe releases. You have to have a service contract to get the updates to fix the bugs.

This problem of releasing buggy software and charging for fixes is inherent in the software world.

In Microsoft language...

[gmuslera (3436)]

as all problems are user generated, then is coherent that users must pay for solutions. After all, who click on attachments? (well, when the mail reader dont load the attachments by itself) Who not install firewalls when connecting to internet? who chooses to use a faulty browser?

See? is end-user fault all those security problems, they must pay!

...and this is surprising because?

[rjch (544288)]

and now they want to CHARGE users to fix it?

I don't know why this surprises anyone. Micro$oft is a company like any other who for all intents and purposes has a monopoly.
It's no different to the toll road operator where I live that puts their tolls up by the maximum permitted year after year without any explanation at all - the same one who quite frequently refuses to explain their actions for unusual lane closures (usually during rush hour) with no readily apparent reason, who only pays refunds for their mistakes when the media gets hold of the story. Quite simply, if you want to get through my city quickly and easily, you have no choice.
(free "well done" to whomever identifies the city I live in and the toll operator I'm referring to)

Re:...and this is surprising because?

[Eggplant62 (120514)]

Really, this is just MS's Xmas gift to the Open Source Software movement. They've shot themselves in the toes too many times to count so far. Now they've shot themselves in the kneecap; next shot will be to the head.

According to /. they will lose either way...

[C. Mattix (32747)]

Look at it this way. They bought an adware company because the see that this is a problem. If they suddenly "bundled" an adware solution, the zealots would say they are trying to drive adaware and spybot out of the market. But since they are selling the solution and hence giving the customers choice, they are trying to screw the customers. No matter how secure they make the OS, there WILL be people who will run as admins and click "yes" to everything. These are the solutions that they are going to sell.

It isn't the first time they've had security software either. Anyone remember MSAV.exe?

Re:According to /. they will lose either way...

[nizo (81281)]

No matter how secure they make the OS, there WILL be people who will run as admins and click "yes" to everything. These are the solutions that they are going to sell.

In this case I am thinking their solution will be a 2x4 labelled "Clue-by-four" with a little attached sheet that says, 'If you always run everything as admin and/or click YES on dialog boxes without thinking, hit yourself in the head with the Clue-by-four. Repeat as needed'. Cost: $380 plus shipping.

User error, eh?

[kryptkpr (180196)]

Something from the article rubbed me the wrong way:

"Spyware usually gets on your computer through human error," said Marc Maiffret of eEye Digital Security Inc., which regularly discovers serious Windows flaws.

First.. a confession: My name is kRYPT, and I used to use Internet Explorer. I used to keep it patched, and updated. I browsed on High Security. I ran Spybot S&D and Adaware regularly, and TeaTimer always.

Spyware STILL got in. Every Spybot scan would regularly reveal something nasty (normally DSO or other IE Exploits).

Perhaps it's true that most Spyware is the result of user action (such as installing shady "free" smiley-enhancing software), but _lots_ of the Spyware out there is simply a direct result of using IE.

PS: I see the spyware people are trying to attack Firefox too.. see cracks.am for an example. However, in Firefox, a nice dialog pops up, makes it perfectly clear the code that's being requested to run is unsigned and unvalidated, and makes you wait for 2 seconds before you have the chance to accept or deny installing it.

Re:User error, eh?

[rackhamh (217889)]

Spyware STILL got in. Every Spybot scan would regularly reveal something nasty (normally DSO or other IE Exploits).

Moral of the story: pick your porn sites wisely.

Drive by installs occur on many non-porn web sites

[Hamster Lover (558288)]

I am in much the same situation as yourself, fully patched, running Ad Aware and Spybot regularly with Javascript OFF.

I was researching information on the Roman Empire and was directed by Google to a great web site. About five minutes in I notice a small pop up window that when maximized displayed a blank window. The router, modem and network lights start to blink and the hard drive begins to churn. Ugh, I realize I am the victim of drive by spyware installation on of all things a web site on Ancient Rome. If I can't protect myself given all the above safeguards, how the hell is the average person going to?

It took an hour or two of work with Ad Aware, Spybot and Hijackthis to remove the five or six pieces of spyware shit that installed from an innocuous web site. I am well and truly tired of this bullshit, Firefox here I come...

Wonder what the effects will be

[KneepadsOfAllure (805661)]

There are already good anti-spyware solutions available for home-users (ie Ad-aware, etc.), and I can't imagine home users shelling out a lot of money when they can get a personal version of Ad-aware for free. I suppose Microsoft is going to be targetting corporate users, but if their solutions aren't much better than companies like Ad-Aware (hopefully) corporations will go with competitors. But then again, they might just choose Microsoft because it seems like the "right thing to do" (that is, MS makes the OS, so OBVIOUSLY they should go with MS because it'll "work better" together).

Then again, if the MS anti-spyware is moderately priced and a lot of home-users do buy it, it may serve to drive the gap between richer vs poorer computer users (home users who shell out big bucks for a loaded Windows box vs users who pay a couple hundred for one of those Linux PCs that Walmart and others are selling).

The Push to Linux

[Nom du Keyboard (633989)]

now they want to CHARGE users to fix it

More than anyone or anything else, Microsoft will become the major force pushing users to Linux.

Re:The Push to Linux

[nizo (81281)]

I always wondered if maybe they see the writing on the wall, and they are planning on milking their cash cow for all its worth while they can, even if blood starts coming out instead of milk. Eww I think I just grossed myself out.

Well...

[rewt66 (738525)]

As an employee of a security company, I don't have a problem with this. I would have more of a problem with Microsoft giving it away for free. (And, I hope, the toothless antitrust enforcement might have a problem with it, too, but I wouldn't bet on it.)

But really, we cry "unfair" over what they did to Netscape. Rightly so; it was unfair. If they had sold IE as a separate product, it wouldn't have been unfair. So now they sell this stuff as a separate product. They're not bundling. So what's the problem?

And there's another way this is good: TCO studies. The more extra charges you have to have from Microsoft to have a working product, the better TCO Linux has by comparison. (That is, if it's an honest comparison. But instead, what we'll probably see is bogus TCO "studies" where Microsoft looks good, but it omits the security stuff. Then when you go to actually buy it, there's these extra costs, like the auto dealers do with "dealer prep".)

Terminology is the root of the problem

[Killer Eye (3711)]

Let's not call this "security software", Microsoft; remember, software should simply be secure. If you have to add a qualifier like this, guess what: you're saying most of your software has nothing to do with security, and this special extra software, for extra charge, provides the security "feature".

These terminology differences really point to a philosophical difference at Microsoft, which is the root of all their problems. They really don't understand. Why should we think they ever will, at any price?

So let's see

[YrWrstNtmr (564987)]

MS includes a necessary tool for free: "Unfair bundling! They're just trying to muscle everyone else out of the market"

MS charges a fee for a necessary tool: "Charging for this? What a ripoff!" (even though their major competitors charge a fee for similar tools)

Yes, that money may have been better spent in actually fixing the items that need these security tools, but it seems like they can't win either way.

Re:So let's see

[RealAlaskan (576404)]

MS includes a necessary tool for free: "Unfair bundling!

MS charges a fee for a necessary tool: "Charging for this? What a ripoff!"

How about:

MS includes a necessary tool free, using the profits from their OS monopoly to destroy a competitor: ``Unfair bundling!''

MS charges a fee for a tool which is only necessary because of their mal- or non-feasance: ``Charging for this? What a ripoff!''

No inconsistancy here.

Re:So let's see

[ChuckleBug (5201)]

Yes, that money may have been better spent in actually fixing the items that need these security tools, but it seems like they can't win either way.

Since they haven't fixed those items, they don't deserve to "win" either way.

I keep seeing the analogy with people's complaints about IE. Not the same. With IE, MS undercut the competition with a tool for using the computer, not for fixing problems of its own making. The WWW isn't a Microsoft bug.

MS is caught in a Catch-22 of its own making. My heart bleeds.

Company charges money for product...

[kahei (466208)]

...slashdotters baffled.

We're serious about security!

[DrugCheese (266151)]

And for only $59.99 we'll show you how serious we are.

Sue MSFT for racketeering?

[G4from128k (686170)]

This sounds like a classic protection racket. They create a defective product and then extort the customer. "Pay us or bad things happen to your computer." I wonder if a nice RICO suit will change their mind about this.

I don't see anything wrong with this.

[WasterDave (20047)]

See, there's been a bit of a noise around the web about this whole thing over the last day or so and I really can't see the problem with it.

Microsoft charge for software. Charge. Money. Whether you pay it, or you pay it when you buy your box, or your suppliers pay it and pass the cost on, or your customers pay it and have less money left over to pay it for you, or your government taxes you then uses that to pay it the basic equation is still there. Micosoft charges money for software. Get over it.

They also charge money for shit software, in case you hadn't noticed. Then they charge more money for shit-software-server, then more again for a CAL onto shit-software-server, then some more for shit-CMS and so on and so forth. So, on the rare occasion that Microsoft buys someone that makes good software and badge engineers it, why is everyone suddenly up in arms?

It's not like this is the first time that Microsoft has used a flaw in one product to sell another.

Dave

how to become rich

[wikinerd (809585)]

1. Start a software company and fill up a new market with buggy software
2. Charge for bugfixes
3. Profit!!!

How long until they charge for Service Packs?

[FreeLinux (555387)]

This is something that has been bothering me lately. How long will it be before Microsoft starts charging for Service Packs and Hot Fixes? So far, they haven't done it but, it occurs to me that it is only a matter of time.

But, the worst part of the idea is that Open Source vendors are opening the door for Microsoft and blazing a trail toward exactly that. Open Source vendors such as Red Hat and Novell/SuSE are selling "cheap" software, built by the Open Source community, and charging a premium for patches. It is a "new business model".

The base software is sold cheap or given away and they make their real money from "support services". However, close inspection of the "support services" show that they offer very little in the way of technical support. They do however offer password protected access to the sites used to download the patches and security fixes for the free/cheap software.

All this isn't going un-noticed by Microsoft, who has toyed with the idea of charging for Service Packs before. In the past however, customers told them in no uncertain terms that they would not pay for bug fixes to software that those customers had already paid a premium for.

Microsoft then developed the "Software Assurance" subscription model, where customers pay a subscription fee that entitles them to future version upgrades. But, Microsoft is still spending money and effort to provide free patches and they don't like doing it as they perceive it as lost revenue.

But, with the "new business model" that Open Source vendors are acclimating their customers to is likely to open up that revenue stream for Microsoft. Just as all the other software vendors were able to leverage the subscription model after Microsoft had acclimatized the customers, it is entirley likely that customers who are accustomed to the the Open Source method of paying for patches will not balk at paying Microsoft for their patches too.

It's a dark and pessimistic vision of the future, I know. But, can you imagine Microsoft actually passing up a new revenue stream from the same old product? That doesn't seem likely to me.

Re:Windows isn't the problem

[Vengie (533896)]

*sigh*

You meant....

In Soviet Redmond, the problem is You!

-b

Re:Ignorant remarks

[dioscaido (541037)]

The fact that the OS gets infected has nothing to do with IE being 'tied to the OS'. It has everything to do with the fact that most people who run windows run as Admin. When you are admin no security in the world can stop a user from clicking 'yes' when asked to install software. While IE definitely doesn't make it hard for the program to be installed, even running Mozilla won't stop grandma from downloading an executable and installing it.

I'll refer you to my other post for good resources on how to fix t

Re:Ignorant remarks

[ad0gg (594412)]

Mozilla extensions have full access to your system constrained by the users security of course. Therefore if someone wanted to write a malicous extension that installed spyware/trojan/virus, they could. It has nothing to do with the OS. Try running IE under a non priviledge account and see if activex can install stuff.

Profit? From where?

[Alwin Henseler (640539)]

I wonder where MSFT thinks the money for this extra software should come from? I mean, are IT budgets of customers (including Joe Sixpack) suddenly going up, so that extra funds are available to sink into these tools? If not, that would mean that either:

1. Windows should get cheaper, otherwise customers wouldn't have money left over to invest in these extra tools. This seems feasible; with competition from Free/OSS and users getting fed up with buggy software, market value of Windows is likely to drop. This could be a covert way to restore profit margins.
2. Hardware should get cheaper, so that more money is left over for software. Doesn't seem likely; hardware does get cheaper, but Joe Sixpack still buys expensive PC's, he just gets more bang for his bucks.
3. These extra tools are meant to replace competitor's offerings. Interesting option: if they are just another offering in a crowded field, okay. But first given away as a freebie, and then start charging after a while, when users become convinced they absolutely need it? In that case, could be an interesting candidate for another anti-competitive investigation.

If you can't baffle them with brilliance, dazzle them with bullshit.