EU And Microsoft Clash Over Vista Security

An anonymous reader wrote to mention coverage of further clashes between Microsoft and the EU, this time over security in Windows Vista. Microsoft is 'urging' the EU to allow all of the security elements of Vista to remain intact. The EU seems to be under the impression it's not asking for security to be lax; it just wants the software company to ensure a fair playing field for all businesses. From the Newsday article: "European Union officials warned Microsoft Corp. on Tuesday not to shut out rivals in the security software market as the company plans to launch its Windows Vista operating system with built-in protection from hackers and malicious programs. EU spokesman Jonathan Todd told reporters that the European Commission is "ready to give guidance to Microsoft" concerning Vista but added that it was up to the U.S. software maker 'to accept and implement its responsibilities as a near monopolist to ensure full compliance' with EU competition rules."

The solution

[SCHecklerX (229973)]

The solution to me seems to be the approach used in linux, bsd, whatever. Fully document the security APIs, or command-line tools to configure the security aspects. Let other vendors write their GUIs for controlling security, such as firewalling, using that API. Let people pick the tool that fits their needs best, while all providing the same type of security through the OS.

Vista does do that..

[cybrthng (22291)]

You can use whatever firewall you want, both in software and hardware. You can use whatever virus scanner you want, both software and hardware. When vista pops up with the security center it doesn't even focus on Microsoft products - your first choice are compatible third party products.

So what is the point of all of this?

The other security implementations would be like asking Unix to allow replacement of Sudo, root and user permissions and replace it with a third party app that would just give you want you

Re:Vista does do that..

[nsayer (86181)]

The other security implementations would be like asking Unix to allow replacement of Sudo

The irony here is delicious. sudo is, in fact, a third-party replacement for the su command. You may not think so because Linux distros have been including it for a long time, but of course Linux (or GNU/Linux, if you insist) != Unix(tm).

Re:Vista does do that..

[vadim_t (324782)]

Linux security is very customizable.

First of all, sudo is just a normal application, that can be replaced. Second, there's PAM, which allows you to plug pretty much anything into the security system. You can replace the mechanism for password entry, authenticate with a fingerprint or an USB flash drive, etc, and have it all automatically integrate with existent software -- you don't even need to patch tools like su and sudo to accept different authentication methods, as it's handled through PAM.

Same goes for firewalling, nothing stops you from building whatever UI you want to talk to netfilter. You can ignore iptables completely, which is just an userspace tool.

Then the kernel has a whole system of security hooks which is used by things like SELinux. New security models can be integrated.

Re:

[walt-sjc (145127)]

Linux application security consists of "run it as 'nobody'" or "just don't do that."

You are ignoring SELinux.

Re:

[QuantumG (50515)]

No, I'm not.

Re:The solution

[swillden (191260)]

It's not like the concept of an application firewall even exists on Linux.

Sure it does. It's not difficult to firewall at an application level in Linux, and there is at least one tool (fireflier) that provides a nice GUI for managing such firewall rules.

Few people bother, because there's simply not much need, but it's not at all accurate to say that it doesn't exist.

Linux application security consists of "run it as 'nobody'" or "just don't do that."

Or run it in a chroot jail, or run it with fine-grained mandatory access controls from SELinux, or ...

Unix/Linux application security provides lots of different options. That they're more commonly used for securing Internet-facing services than for locking down random local apps acquired from untrusted sources is because there's little need, not because the security tools don't exist. I used to keep a chroot jail configured just to run random little apps. These days I run such stuff in a virtual machine instead, but that's just because I find it more convenient.

Re:The solution

[johansalk (818687)]

> "Clearly this is not a realistic option on Windows, where regular day to day usage of your computer includes exploring the massive catalog of software available on the Internet"

I would call the 15,000 packages or more on Debian repositories quite a massive catalog.

Re:

[WhiteWolf666 (145211)]

Let me quote some AppArmor literature. It's really vastly superior to Vista, in that AppArmor isn't a "hacked on" bandaid, but a fundamental hook into the lowest levels of the system; AppArmor has incredibly fine grained controls; and AppArmor is not terribly difficult to work with.

Security Through LSM: Linux Security Modules Interface
To achieve security (non-bypassability) mediation methods like AppArmor need to be inside the kernel. AppArmor originally was a kernel patch, but that imposes major problems

European beer party

[edxwelch (600979)]

"When Microsoft failed to meet Commission requirements, the EU executive fined the company another 281 million euros (about $350 million) this summer. "

All I want to know is when we get our 2*281 million euros?
If you divide that by the population of Europe you get about 3 euros each, that's enough for at least a beer each.

If it work like in the US

[wsanders (114993)]

You will get a coupon good for a free mouse pad with any purchase of Vista, and the lawyers will pocket $150 million of the $350 million.

Could we get any more vague?

[Sloppy (14984)]

What lame articles. Neither one says what the hell the thing being bundled is, other than "security" as though security could possibly be a product or module.

Ok, one of the articles made a brief mention of a firewall. Is all this noise about something as mundane as a software firewall?

Security should be inherent in the OS

[paladinwannabe2 (889776)]

It's hard to say what should be inherent in the OS and what shouldn't. However, most forms of computer security should be inherent to the OS and not part of some third-party solution. For instance, I want my OS to be resistant to running arbitrary code and be able to give me control over and info about programs and processess are running on my computer. If I have to get third party support to do those things the OS is failing me.

Re:Security should be inherent in the OS

[mrjb (547783)]

The current anti-virus business is mainly built on loose ground: (the lack of) security in the main OS that they support. As the OS gets more secure, the need for AV software greatly diminishes, and it is likely that some AV companies will go out of business as a result of it. At this moment, however, this hardly seems the problem yet, as most security issues are addressed by "patches" rather than real solutions: antivirus, anti-spyware, anti-whatnot, which when bundled with the OS would be unfair competition to Antivirus-software houses.

As said- Europe isn't demanding reduced security, but fair competition. But even when 'fair' competition is allowed and security keeps improving, the software houses that provide security solutions should seriously consider rethinking their strategy as they may become redundant and go out of business anyway.

So, seeing that the anti-virus business is in a lose-lose situation, I guess they concluded they might as well cry wolf. This isn't impressive- it's just money talking. So am I defending MS on this? No (of course not- this is slashdot). I think the AV business should be allowed to compete. I just don't think that it will make much of a difference, in this case.

Modularization

[theckhd (953212)]

This was brought up by someone in another discussion in a different context, but I think it applies equally well to Microsoft's current problems with the EU.

If they would simply modularize many of the components that come with Windows, they might wriggle out of a lot of legal troubles.

For example: I go to install Windows from scratch. On the installation screen, i get a list of components...
[x] Windows OS (base system, required)
[_] Internet Explorer
[_] Windows Security Center
[_] MS Firewall
[_] MS Antivirus
[_] MS Anti-Malware

etc.

I can check any of these things that i like, and they'll be included in the installation. For OEM installs, they could just include everything by default.

Most importantly, make them removable through Add/Remove Programs, so that if i decide at a later date that I no longer need a feature, i can uninstall it completely.

Suddenly a lot of the monopolistic legal troubles get much less worrisome for Redmond. EU worried about MS including Anti-Virus or Firewall? No problem, make them un-checked in the default install. Leave them on the disc, and make them freely available for download at the MS website to make it abundantly clear that they're a free service.

Not that I expect them to do any of this of course, but it would certainly help reduce the amount of resentment that many people feel towards them, even from their own users.

Re:

[pe1chl (90186)]

This seems reasonable, but are the Linux vendors taking this approach?

When I install SuSE Linux, it installs SuSE Firewall. When I want to uninstall it, a whole list of other items that "depend on" this SuSE Firewall pop up, hindering its removal.
The best thing I can do is "disable firewall", but it still remains installed (mostly a set of scripts to manipulate a very complex set of iptables rules that never gets loaded because it is disabled).

Also, are you sure "security" and "optional components" would

Re:

[Amendt (802679)]

"We are the borg, we will assimilate you" If only the EU could stand up to Steve's hurling of chairs. :)

Re:

[linebackn (131821)]

And for those that recall what got them in trouble a while back with Windows Media Player could have easily been solved by adding:

[_] Windows Media Player

to the installer and add/remove screen. But what did they do? They they got all snotty and created "Windows Reduced Media Edition", a "special" version of Windows completely without WMP (not an option - just none).

Re:

[Sloppy (14984)]

Programs rely on the presence of these enriched tools.

Gentoo solves this problem with virtual packages that fill generic slots. For example, I have to have a system logger installed, but there are a variety of loggers to choose from.

People would turn off a whole bunch of stuff without knowing what it is, and then cry because their programs didn't work and blame MS.

It's really not all that hard to make an application display an informative error message. I've done it lots of times. :-) But let's suppo

Re:

[Sycraft-fu (314770)]

Have you done user support for the average user? If anything isn't precisely how they expect it's a pretty major problem. You have to remember that this would incur a rather large cost of MS as they'd need to provide the phone operators to take all these calls and they really couldn't get away with charging for them. Well that opens up a new problem in that people will start calling about support issues that aren't related. The way it works with support is that if you are on the phone, anything and everythi

One Microsoft Way

[Doc Ruby (173196)]

Microsoft spends most of its time producing new OS features in collaboration with other vendors. DRM, drivers, APIs all designed to make MS OSes work better with the rest of the products people will buy. That takes much longer, and more code, than the rest of the OS does.

But its "security" features are MS only. Of course that must be to protect the MS "near monopoly", always its #1 priority. Since the security market is neither very profitable nor already dominated by MS, I expect that their "security" also protects revealing other serious defects of the OS. Whether more monopoly protection, unnecessary security problems, or just bad coding. Therefore I don't see Microsoft opening those facilities for the EU before Vista is released, if ever.

Vista security and consumer protection.

[Noryungi (70322)]

Here is my take on it:

• Some european companies (F-Secure/Finland, Panda Software/Spain, etc) are involved in anti-virus protection and provide security products for Windows.
• Microsoft Vista is going to integrate a lot of security products -- anti-virus is just one -- that will squeeze these european companies out of a market.
• The above action can be qualified as "unfair competition" and "monopoly abuse" by the European Commission, since Microsoft owns... what? 97% 98%? of the market.

The logical conclusion of the European Commission is that Microsoft should not incorporate these security features in Vista.

To make sense of this decision, you have to remember that the European Union was based, as far as the economy is concerned, on the idea of "fair competition" meaning that monopolies should be banned, and major companies (or states) cannot squeeze smaller competitors out of a market. Whether the squeeze is due to state protectionism, unfair tariffs or a dominant position -- which is the case here -- is irrelevant.

So, yes, it sounds ridiculous and bureaucratic at first sight, but it makes economic sense. And it may even provide better products in the end (I don't trust Microsoft products anyway).

Idiotic on the part of the EU.

[Churla (936633)]

They are trying to push MS into a no win situation.

A) MS doesn't include as complete and inclusive security as possible. This leaves the doors open for third party security developers, it also leaves the door open to the OS for malevolent people who will take advantage of the fact that many people won't think to add a product later for security.

B) MS includes all the security they can, possibly making it so that people don't need third party software for security. BAM new anti-trust action because they aren't being fair to people who made a living covering bad MS security architecture in a previous version and aren't being given an equally bad architecture to help "protect" for a profit this go around.

People complain that MS releases insecure OS products, then complain when they want to include more security features?!? bah

I won't even get into how Apple is bundling everything they can under the sun into OS X when the same actions by MS would be tantamount to kicking the interwebs dog.

Re:Idiotic on the part of the EU.

[tokul (682258)]

...and aren't being given an equally bad architecture to help "protect" for a profit this go around.

Antivirus does not make OS secure. It only tries to patch insecure OS. If Microsoft makes OS secure, EU commission and antivirus companies can't argue about it. If own antivirus solution is bundled instead of securing OS, it looks like monopoly abuse. It is possible that Microsoft is trying to help users, but company is known to use its market position against competitors. Any bundling will look suspicious.

Apple is bundling everything ...

Symantec is still selling NAV for Mac. I think Apple does not bundle antivirus.

Fair Play

[Ajehals (947354)]

Just because this request to ensure a "level playing field" is focused on security makes it no less valid than if it were aimed at other elements integrated into the operating system.

I Agree that i microsoft is integrating security products into its vista operating system that would enable it to enter markets where it has not got a large hold (i.e. Anti virus - where it is the main driver but not the main supplier...) and by virtue of its desktop OS monopoly becoming dominant in that market, then thats wrong. Especially if these integrated products are add ons masquerading as core operating system components.

It would be fine if Microsoft ensured that their Operating system was sufficiently secure not to require any additional software, but not to include a load of features in the operating system that ensures its system security sotware becomes dominant.

If it wants to sell these bits seperatley (reduce the cost of the OS and sell the security bits as additional extras) thats all fine too then those of us who use the OS can choose - but lets make it clear that selling a vista version with them in and one without at the same price is the same as integrating them in the first place....

This becomes an even bigger issue if the Microsoft Security products / components are written to take advantage of elements of the OS that other providers cannot gain access to (either due to lack of documentation or through some other means). That would give rise to the same interoperability issues as we have seen previous law suits attempt to resolve.

In short if MS want to secure their OS thats great, if they want to simply wipe out any external security providers to gain an extra revenue stream in the future (by say later charging for the components initially included for free), or become dominant in that area so as to play down securty vulnerabilities in their products thats not. After all would you buy your antivirus from the same guys who seem incapable of preventing their OS being succeptable in the first place?

Last point - If microsoft are in the business of supplying both the OS and the security software (and additional services such as one care) doesnt that leave a rather nasty potential conflict of interest?

Microsoft Monopolism : making Buggy Bloatware pay!

[FractalZone (950570)]

From what I have been reading, Microsoft is designing Vista in such a way as to make it difficult for products that compete with whatever token security schemes Microsoft is planning to foist upon its hapless user base to be installed and/or run properly. Microsoft should make any and all APIs necessary to implement alternative (read: better) security solutions for Vista public. If it doesn't, I think it is fair to say that Microsoft is once again using proprietary standards/code to stifle the competition. That seems like a clear anti-trust violation, given Microsoft's technically undeserved but nonetheless practical monopoly of the commercial desktop PC operating system market.

Like most things that Microsoft touts as benefiting the user (think Windows Genuine (Dis)Advantage, DRM, and the "recommended" options on various configuration pages), whatever so-called security Microsoft puts into Vista will undoubtedly profit Microsoft first and the user as a mere afterthought, assuming that Microsoft can think up a good marketing gimmick to scare users into paying for it.

I'm still planning on not wasting money on yet another overpriced, under performing piece of Microsoft Buggy Bloatware, namely Vista. Ubuntu Linux is working well for me and doesn't seem to suffer from the gaping security holes most major Microsoft products (Windows, Office, and IE) are infamous for.

I must admit that Microsoft has a lot of nerve, trying to exclude competitors from cleaning up the security disaster that Vista is expected to be, so that it can make users dumb enough to buy Vista also pay through the nose to fix flaws that wouldn't be there if Microsoft sold quality programs in the first place.

Spin on definitions

[Todd Knarr (15451)]

Bear in mind that the EU isn't saying that Microsoft can't include security software in Windows Vista. What they're saying is that MS can't include it in such a way as to exclude competitors. For example, take a firewall. If MS integrates their firewall into the network stacks at the physical-code level so that no other firewall can take over, that's not allowed. However, if MS adds hooks to their network stacks to allow other modules/drivers to tap in and filter packet traffic, and then implements their firewall completely using those hooks and makes it so you can replace the loading of MS's firewall modules with a third-party firewall's modules, that's perfectly fine. And for anyone who says this can't be done, I'd point out that Linux and *BSD implement their firewalls in exactly that manner so obviously it can be done.

Re:

[Todd Knarr (15451)]

Except that your premise is false. Firstly, the hooks aren't there to allow built-in measures to be disabled. They're there to allow non-built-in measures to be added. MS's firewall then becomes one of possibly several that can be added. Modules can be added, but no module can remove another (other than by configuring the system to not load the other module, which no module should ever have permission to do). Secondly, security and open/proprietary aren't connected. If they were, and your premise was right,

installing security on Mac OS X and Windows

[falconwolf (725481)]

OSX is no different, everything is integrated (except AV) and the user isn't expected to go and hunt down any 3rd party firewall software.

Ah, but OSX allows you to install 3rd party firewalls. Currently I'm using a PC with Windows and I use ZoneAlarm for my firewall. However I plan on getting a MacBook pro and am looking for a firewall that offers me the same controls as ZoneAlarm does, for Macs. If Zone Labs offered one for Macs then I would get it. Apple doesn't lock me into using their firewall wh

I noticed the world despises Microsoft

[icepick72 (834363)]

So I watched the /. community and European Union argue how insecure Windows is and how bad that is, and then I watched them argue how Windows is unjustly implementing security and shutting out competition. Obviously, Microsoft cannot win, ever.
Sometimes I think the world is just full of dumb-asses. (sounds like a Jack Handy quote)

Re:

[crabpeople (720852)]

"Obviously, Microsoft cannot win, ever"

They make decent mice. Shitty keyboards though.. DAMN YOU F LOCK!!!

I don't understand why all the dissention.

[DoctorDyna (828525)]

It seems as though Microsoft is / will have it's security products built into Vista, and will most likely build them into the TCP/IP stack at some level. Here is what most people seem to be ignoring here, and it's pretty simple.

As it always has been, you can choose to use or disable any part of any feature in Windows. As it sits now with RC1, you can enable / disable features at will. Wireless networking configuration is built into Windows XP, but as everybody here knows who has a wireless network device of some sort, upon driver / software installation, that application takes over the duties of the Windows feature, usually by default. I don't know why anybody would have a reason to think that this would be any different from having a firewall in the OS, which, at the request of the user (by way of installation) gets replaced by some other product. We'll leave the discussion about inferiority for another time.

People really should stop talking about a feature of Vista as if its sure to be some set in stone incumberance, and it most likely will not be.

Oh, but it's built into TCP/IP! Anybody here ever installed the Novell client in Windows? Ever see what it does to your network protocols? Microsoft has said time and time again that it is keeping with backwards compatibility, are we naive enough to think that this won't include clients, protocols, craptastic software firewalls and anti-virus-viruses? Not so much. For those of you that need to experience a Novell client install for yourselves, go ahead. It's uninstallable. http://download.novell.com/SummaryFree.jsp?buildid =l1o2uFAj23U~/ [novell.com]

You don't see the problem.

[TransEurope (889206)]

When MS ships it's products with it's own security software
(antivirus, intrusion detection, ), the market will shrink
dramatically. No one of the competitioners would have a chance
to sell it's products to private ans small buisness customers.

And i think we all know what happens when there is no more
competition at the free market. The quality goes down the drain.

BTW. This would end in a monoculture of security-products
by MS, and monoculture makes the whole infrastructure
extremely vulnerable for real big or well organized attacks.

Re:

[neonprimetime (528653)]

Hackers must unite. When MS bundles in their own security, and users start not purchasing 3rd party protection, hackers must unite and start an all out war on Vista. Then we need a perfectly timed Associated Press article released that shows a correlation between the release of security bundled in Vista, the diminished use of 3rd party protection, and the increase in security breaches. Then we will win, right?

Re:

[djaj (704060)]

And if the "whole infrastructure [is] extremely vulnerable," third-party applications will be created to shore it up.

What's the problem again?

Re:You don't see the problem.

[jank1887 (815982)]

Problem: third party applications are prevented from working with the OS, to 'prevent weakening the built in security".

Re:You don't see the problem.

[tolan-b (230077)]

It'd help if you actually understood the issue.

MS is stopping *any* 3rd party security code from running, signed or un-signed, within the kernel.

The anti-virus vendors are essentially having to hack Vista to get their code to work.

Re:

[databyss (586137)]

--- Begin Sarcasm ---
Right!

We need to have the EU sue apple and linux producers too for destroying the anti-spyware market in their areas too!

We have to make sure that every OS is insecure so that other companies can profit!

--- End Sarcasm ---

Look, I'm no fan of Microsoft, (I figure I'll be wholly on linux by the time Vista comes out) but you can't force the company to make an (more?) insecure operating system so that security companies can make their dime.

Re:

[Kazoo the Clown (644526)]

The security market should dry up as soon as Microsoft creates an operating system that doesn't need it-- not when they create one that won't allow for it.

protocols

[jbeaupre (752124)]

I believe Apple isn't a target because the EU's complaints are about interoperability between clients and servers. Since OSX is built upon BSD/Unix protocols, the protocols are already well publicised. MS on the otherhand keeps the details of its protocols ambiguous at best.

Re:

[rahrens (939941)]

And where, pray tell, is Apple bundling anti-spy or virus-ware in with OS X? Unless you are talking about their making the OS more secure in the first place...

"Hey, Apple doesn't have any viruses, but MS Windows has over 100,000! Let's file suit against Apple, we want a level playing field here!" from the EU anti-trust folks...

Because MS is the big kid on the block

[Sycraft-fu (314770)]

And the one in the media spotlight. If you actually do some research you discover that for as much as people whine about MS's anti-competitiveness it's much, much worse in other areas. If you want a scary one look in to Sysco. They own basically every grain silo in the US. They, in a very real way, control the US food supply. Yet nobody makes a fuss because they aren't in the limelight.

It's just how it goes, when you are the one making all the news, you are the one that takes all the shit. The US is another

Re:

[giorgiofr (887762)]

You nailed it. And because of this, if I were MS I'd simply disregard all this idiocy and sell my OS all the same. What would they do, stop me? Make MS software illegal or worse free? As if it weren't 98% pirated anyway.
Then again as a European I'm all for milking foreign companies; but I know I won't see a dime of the many billions the gov't is stealing from MS, so meh.
My main complaint is that everyone's bitching and whining about competition, yet most markets are over-regulated and some draconian prote

Re:

[CastrTroy (595695)]

The reason that nobody is going after apple, is because MS's idea of security is building a spyware scanner or a virus scanner or a firewall. Apple doesn't include this kind of stuff in the OS. Instead, the only security that Apple includes is a user/permission system for who can access and run files. Also, in Vista, MS is making it impossible or really hard to install another virus/spyware/firewall tool. So you won't be able to use any other tools like this from anybody else. The MS security tools tha

Re:Message to EU: STFU

[DrXym (126579)]

No one is stopping Vista from implementing user access controls or other mechanisms to lock the leaky OS down. What they are objecting to are MS muscling into the firewall, antivirus, antispyware markets by installing or offering to install Windows Defender, preferentially promoting Windows Defender or using undocumented APIs in Windows Defender to make it run better than the competition. No doubt Bitlocker and other aspects of security could also be considered as preferentially pushing MS tech to the detriment of an existing market.

Re:

[The Living Fractal (162153)]

Let me say that I knew when posting my original comment I would get modded up and down at the same time. The issue is sharply divided.

To the parent: You obviously are on the Anti-MS side of the issue. I'm not really too enthralled by the idea of responding to your post, but here goes anyway.

In case you didn't even read the /. story quote from the article, here it is again:

"European Union officials warned Microsoft Corp. on Tuesday not to shut out rivals in the security software market as the company plan

Re:I think i know what the EU means...

[kcornia (152859)]

Me, I think this is a knee jerk reaction to the complaining that security software companies have been doing lately. Your post sums it up, EU sees this as another potential "embrace and extend" scenario when they read the bitching by Symantec/McAfee, etc., and starts beating the drum.

To be honest, it seems like most of the features MS is trying to put in, while long overdue, aren't features that are meant to cut out security companies. They're meant to secure the OS like it should have been from the beginning. Cutting out the security companies is more of a byproduct IMO.

Re:

[MooUK (905450)]

However, the major security companies have already found ways to hack round all this to make their products work - and if they can, so can malicious people. So what's the point in having it? It just makes the security companies have to spend more money, increasing the cost to the user in most cases. That's about it.

Re:Sounds like the EU wants it both ways

[Andy_R (114137)]

The EU doesn't 'want' anything. All this is about is making MS follow the same law that every company and citizen of the EU has to follow, a law which boils down to "If you happen to have a monopoly in one product, you cannot use that monopoly position to gain an unfair advantage in other areas."

Microsoft have consistently broken this law an many fields, and the EU justice system has been amazingly lenient with the company for many years.

Re:

[InsaneGeek (175763)]

But is it in the best interest of the public to cripple the security of an OS because a market around bugs has cropped up? Is it in the best interest of the people to remove security out of a product so that they individuals will have to turn around and buy something? Seems pretty darn insane if you ask me.