Security as a Profit Center? 479

Harry Erwin writes "This article seems to suggest Microsoft is now considering charging for security. I don't mind vendors like Counterpane Internet Security selling security services, but I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start. This proposal would create a two-tier Internet and probably make things worse rather than better. Security is like public health and education--if you think it's expensive, consider the alternative."
  • What next? (Score:2, Funny)

    by NWT ( 540003 )
    Do we have to pay for stability next? Uh-Uh!
    • by pizza_milkshake ( 580452 ) on Tuesday October 08, 2002 @05:24PM (#4412587)
      Next they'll start charging per-mouseclick, so go ahead now and enable the "View as Webpage" setting in Windows Explorer so you can make do with a single-click.
  • by Punk Walrus ( 582794 ) on Tuesday October 08, 2002 @05:16PM (#4412540) Journal
    Haven't we ALL already paid for Microsoft security? Trojans, worms, and virii have cost my company a hell of a lot.
    • Haven't we ALL already paid for Microsoft security? Trojans, worms, and virii have cost my company a hell of a lot.

      Yes, but Microsoft didn't get any share of that.

      • by CheechBG ( 247105 ) on Tuesday October 08, 2002 @05:48PM (#4412767) Homepage
        Sure they did. By touting every new OS as "more secure and reliable, a new era in trustworthy computing", they are getting a couple thousand poor schmucks to cough up some major cash to upgrade to an OS that they would not otherwise have needed, to try and get rid of all the "lockups" or "l33t h4x0rs" that are invading.
    • 'Security' in the sense of 'protecting you from all the evil stuff out there' will cost a lot, and probably continue to cost more and more. 'Security' in the sense of 'protecting the RIAA from you' will be built in, free and compulsory

      Of course, once M$ has a biz plan where customers pay extra for security, the incentive to not fix (or even leave in) security bugs will be tempting ...

    • Yes, it's cost the country millions in repairing, so MS has decided that they may as well be the ones to collect money from their screwups. And the claim about insurance is a diversionary tactic. They could still make the product more secure without accepting insane liability. Cap unchecked buffers by default, install only the network components needed, and don't allow them to be remotely exploited by bad design, and for features like the Remote Help Center, at least allow the user to select the security level at run time, so that at least they'll be WARNED about those exploitative URLs and have a chance to CANCEL the action. By putting off the topic to insurance, they avoid having to admit that they could make the product secure without accepting massive liabilities for failure. OSS projects like Linux or Mozilla don't accept liability for the products' security failures, yet they usually go out of their way to make it secure by default, and fix holes fast, without insurance.

      And what disturbs me about the story submitter is he says, "Security is like public health and education--if you think it's expensive, consider the alternative." That's much more a defense of charging for security than it is a defense of security by default. "Hey, if you think spending $500 for a secure OS that used to be $100 but insecure, imagine what you'll spend if you are subject to a massive failure from insecurity." That's bad thinking and flawed logic.

  • by giminy ( 94188 ) on Tuesday October 08, 2002 @05:16PM (#4412541) Homepage Journal
    Oh, you want the tires that don't explode? They cost extra...
    • No, this is why a new car today costs (on average) about $22,000 (US) whereas when I started driving in 1976 the average was closer to US$10,000. Cars are much better today: more reliable, safer for passengers, better on the environment, etc. That did not come for free: consumers said what they wanted and they got it but someone has to pay the bill.
      Again, back in 1976 I was working on minicomputers. Very reliable, very secure, very expensive. Now I work on PCs and related servers: kinda reliable, not very secure, quite cheap. The market spoke and vendors listened. You want a PC with the reliability of a mini and real security but you won't pay US$20,000 for it. Don't feel bad, most people would rather have their own PC, warts and all, than go back to the bad old days of having to beg for timesharing on a big, expensive, secure beast and having to explain to the high priest himself that arrays and pointers are, in fact, recognized computing practices so please can I run my program now...
      • Silly me.

        *smacks himself*

        And here was I, thinking that inflation was the cause!
        • Look at the posts on this thread. They are all talking about cost inflation and the price of autos. Hilarious.

          Guys... they meant proper tire inflation. If you are not a citizen of the USA, then you are of course pardoned. If you are a US citizen, I can assure you that where you live the news usually comes on at 5, 6, and probably also 9, 10, and 11.

          SO HERE'S a little history.

          The real reason why everyone else modded this joke up was that at the a certain point in the debauchery that caused so many Expedition/BIG Ford SUV deaths, both Ford and Firestone tried to shift the blame on the consumer stating that most of these roll over deaths could have been prevented by the driver having proper tire inflation.

          This, in a sense is the equivalent of saying that if a consumer does something so benign as not change their VCR remote batteries on a regular basis, then they deserve to be electrocuted the moment they try to turn the TV off manually.

      • by ChaosDiscord ( 4913 ) on Tuesday October 08, 2002 @05:58PM (#4412816) Homepage Journal
        No, this is why a new car today costs (on average) about $22,000 (US) whereas when I started driving in 1976 the average was closer to US$10,000.

        I suspect that inflation has more to do with the issue. Given inflation since 1976 [] (PDF, sorry. You'll get similar numbers from other sources []) cars are now proportionally cheaper. Assuming car prices moved exactly with inflation, your $10,000 car would now run $31,600. Naturally this cost saving is due to other reasons (more efficient manufacturing processes, cheaper foreign labor, newer and cheaper materials). Sure, adding safety features did increase the cost, but not by a huge margin.

        • by twitter ( 104583 ) on Tuesday October 08, 2002 @09:45PM (#4413996) Homepage Journal
          Assuming car prices moved exactly with inflation, your $10,000 car would now run $31,600.

          Ahh, but if you started working in 1976 for $20,000/year you would now be earning $60,000, or your raises did not keep up with inflation. Starting salaries are not generally $60,000, so cars now cost more relative to real earning power. Oh dear, the golden calf costs way too much.

          As for M$, if their software had kept up with hardware developments it would have four virtual desktops, be able to support four concurrent users on four different machines, be able to play and edit movies with ease and do other neat tricks right out of the box. Instead, the capabilities right out of the box are about the same as Win3.1, but it does not last as long. Oh dear, the M$ tax has grown but the software has failed to keep up with what's available that's free.

      • First, the car costs more now because of inflation. Adjusted for inflation, your $10,000 car was actually more expensive than the $22,000 one.

        Second, Microsoft can't use inflation to explain their ever increasing prices. Except for the cost of ever more programmers to create ever bigger bloatware (but nobody to check those buffer overflows or fix those bugs^H^H^H^Hfeatures), they don't have an explanation for their pricing. Except of course for the real reason: Monopoly.

      • Again, back in 1976 I was working on minicomputers. Very reliable, very secure, very expensive.

        Umm, NO.

        They only seemed very reliable and very secure because they weren't exposed to a hostile network.

    • That new handgun you purchased is a fine one; however, we are going to have to charge extra for the safety mechanism.
  • by Ruis ( 21357 ) on Tuesday October 08, 2002 @05:16PM (#4412542)
    Sounds like vaporware to me.
  • Yea, right..... (Score:5, Interesting)

    by FreeLinux ( 555387 ) on Tuesday October 08, 2002 @05:17PM (#4412544)
    So, based on your previous security record, Mr. Gates, I gleefully award you this multi-million dollar contract for security services. I already feel safer from all those evil hacker dudez.

    Honestly, what schmuck would pay Microsoft for security??
    • Re:Yea, right..... (Score:2, Insightful)

      by FCAdcock ( 531678 )
      You'd be surprised. Millions of people already pay him for servers; shouldn't they include security? My guess is millions of those same people will pay him for "security".
    • Sheesh. (Score -1, Unexamined Bias)

      In case you haven't noticed, a good many people pay Microsoft for lots of things. Despite what you'd like to believe, this is not due to extortion. Many people actually choose to do business with Microsoft.

      But what you said reminds me a lot of an episode of Charles in Charge, where Buddy and I were in the pizza parlor when some shady looking guys showed up to ask for "protection money" from the owner. We thought for sure it was mobsters, and we couldn't figure out why the owner was paying them. After arguing with the owner about doing the right thing (and the argument was filled with misunderstandings and double entendres: "If you give them money for protection, they'll just come back again for more!" "I'd rather pay him now than have my roof cave in!"), Buddy and I went to the police about it, and the police ended up busting the termite exterminator!

      It really makes me wish I was still working.

      • Re:Yea, right..... (Score:3, Insightful)

        by nullard ( 541520 )
        Many people actually choose to do business with Microsoft.

        Except for the clued-in few, most people consider doing business with Microsoft about as optional as obeying the law of gravity. That's the funny thing about monopolies.
  • by robkill ( 259732 ) on Tuesday October 08, 2002 @05:17PM (#4412545)
    Charge for (in)security! Raise the TCO! Push even more people to other platforms!
  • Well... (Score:5, Interesting)

    by Xenographic ( 557057 ) on Tuesday October 08, 2002 @05:17PM (#4412546) Journal
    Don't they already charge us (albeit in a different manner) when they give us new EULA terms for security updates?

    This is not unlike the anti-virus companies who charge us for new virus definitions. Except that here, the mistakes they made shouldn't have been in there to begin with.

    Unless they give us *some* kind of extra service beyond the patches, I can only see this developing into a *very* strong reason to use OSS instead of MS whenever security is important to what you're doing (essentially, always).
  • by mesozoic ( 134277 ) on Tuesday October 08, 2002 @05:18PM (#4412554)
    Companies are already distrustful of Microsoft; they resent having to pay such high licensing fees for the systems they need to keep their businesses running. Requiring that customers pay additional fees just to keep those systems secure will increase the pressure on cash-strapped (or just financially responsible) companies to make the switch towards alternatives like Linux.

    Face it, Microsoft; people resent a monopolist. You can't continue to browbeat your customer base forever, and the more you do, the more will abandon you in the end.
  • by pete-classic ( 75983 ) on Tuesday October 08, 2002 @05:19PM (#4412556) Homepage Journal
    which is perfectly legitimate.

    But the idea that Microsoft can parlay their useless reputation in security into profit is laughable.

  • If they are talking about charging for any of the security updates or patches to make things secure against attacks on specific flaws? then yes, it's horrible and will create a gigantic mess.

    More than likely they are talking about custom security systems or services, as in a service to offer to customers and clients.

    It's like redhat charging for the RH update.. they will shoot themselves in the foot if they charge for updates.. in order for your OS to be perceived as secure and safe to use you HAVE to give away free fixes, patches and security updates... and make them as easy as possible to install, if not automatic.
  • A lot of nerve (Score:3, Insightful)

    by cenonce ( 597067 ) on Tuesday October 08, 2002 @05:19PM (#4412559)

    MS has a lot of nerve charging for security when they already charge an arm and a leg for their OS and it is an insecure piece of garbage! Beyond that, it takes them six months to get a security update released, if they even acknowledge the "security hole" as an actual issue!

    Why the heck should I pay extra for MS "security"!?!

    What a joke!!!

  • All joking aside (Score:5, Insightful)

    by Telastyn ( 206146 ) on Tuesday October 08, 2002 @05:20PM (#4412562)
    There's a difference between common sense OS security (closing unneeded ports, cutting down buffer overflows, doing intelligent rights/process management) and doing "extra" security that *should* be more $$$ like virus scanners or personal firewall software; things that shouldn't be totally integrated into the installed OS to begin with.
    • Ignoring all the other follow-up comments, I do believe this to be insightful. My main observation drawn from experience contradicts the concept of "common sense OS security", unfortunately. The reason is simple: in the day-to-day personal and business world (U.S.) there is almost zero technical literacy among the rank-and-file. This is in sharp contrast to IT workers, if your employer is large enough to require them.

      The problem seems to be as much cultural as it is technical. It seems that the business demands are "Get it done now! We'll sweat the details later!" Indeed, most of the consumer market seems to be driven by the idea that "convenience sells". How many times have you heard "I just want it to work"?

      Excellence seems to be left by the wayside as the lemmings jump over the cliff of expediency. Too bad there's big rocks at the bottom of that cliff...

      I can't count how many days I've wasted my breath trying to convey the difference between an app and an OS, let alone a secure one. After all, "That's just details, I just want it to work, we can fine-tune it later..."

  • good (Score:5, Interesting)

    by gornar ( 572285 ) on Tuesday October 08, 2002 @05:21PM (#4412569)
    I enjoy hearing of the ways that Microsoft proposes to screw their clientele. I'm a Windows user, and will be until another OS, whether it be Mac or Linux etc., starts getting all the first-tier games before Windows. I don't do anything else with my PC, so why switch?
    If Microsoft can manage to alienate the game playing crowd enough, more and more developers will transition to Linux development, and I can switch too. They are, quite charitably, squashing the chicken/egg problem in PC gaming.
  • by jawtheshark ( 198669 ) <slashdot@ja w t h e s h a r k . com> on Tuesday October 08, 2002 @05:22PM (#4412573) Homepage Journal
    How many OSes really consider "security" as a part of "core functionality"? Only one springs to mind, and that is OpenBSD.
    Neither Windows, Linux, Mac OS X, nor Solaris states "security" as a "core functionality". Yes, all are securable, but on any OS it needs a certain amount of work (yes, you even need to apply the patches!). This needs maintenance, and on "homebrew servers" (read: glorified desktops) security is unfortunately just a second thought. I do realise that a well administered server will probably be secured, but that is due to a competent admin, not due to "security as a core functionality".
    I don't say that "security out of the box", should not be a worthy goal, I just think that it is a utopian dream.
    • by amarodeeps ( 541829 ) <dave AT dubitable DOT com> on Tuesday October 08, 2002 @05:41PM (#4412716) Homepage

      Well, there are two types of security we could talk about here: one is the sort that you need to do to set up a box securely with any OS. That includes configuring ports to be shut down and starting only the services/daemons that you want running, implementing firewall rules, setting up intrusion detection, etc. OpenBSD doesn't really do so much of that either from what I know (probably more than most any other OS I guess...), but they don't start anything up out of the box if I recall correctly, so there is a basic level of configuration-dependent security.

      However, it seems like Microsoft has a lot of security problems that are based around poor coding practices. This is definitely something the OpenBSD folks try to mitigate, with their constant code auditing. But MS doesn't seem to care if they toss out a product with numerous buffer overflow vulnerabilities, permission violations, etc. And these are the sorts of problems they are always releasing patches for.

      Now, there are certainly plenty of patches going around for other products and certainly open source ones, but I don't think that anybody thinks that a patch due to poor programming should be something the user has to deal with. There are best practices involved with coding things securely, and they aren't necessarily things that you have to do that are outside of what it means to code something well.

      So what I want to know is if they are going to be charging for these sorts of 'programmer error' fixes, or what? Are they going to start selling their OS in a 'non-sloppily' programmed version?

      I find it pretty offensive that they would charge for patches to software that wasn't written well in the first place.

    • Yes, but Linux, MAC OS X, and Solaris attempt to ship with reasonable defaults... the Windows philosophy to date has been "everything wide open by default".
    • For Unix-like mainstream operating systems, OpenBSD is probably about the best of them, but security is still something that's only partly built in - Unix had good security design goals, and OpenBSD intensively beats up anything it adopts, but there's still a "root", rather than a collection of least-privilege administrative functions, and if you're root, you can still make things setuid-root in spite of weaknesses. The Mach microkernels had some possibilities of doing real security, but just about everybody's abandoned them for big monolithic kernels.

      EROS [], the Extremely Reliable Operating System, by Jonathan Shapiro et al., is a capability-based operating system, inspired by KeyKOS and other academic systems from a decade or so ago. A capability is similar to an object handle - you can only access an object (file, process, etc.) if you have a capa that gives you the kinds of permissions you need for the action you want to take. Lots more information at

      (Note: that's, not, which is something entirely different :-)
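    The capability idea sketched in the comment above (you can only touch an object through a handle that carries the rights you need, as opposed to ambient "root" authority) can be shown in a few dozen lines. The following is an added example, not code from EROS, KeyKOS or any poster here; the classes, the rights set and the demo resource are all invented for illustration. It demonstrates the three properties that matter for least privilege: a derived handle can only be weaker than its parent (attenuation), a handle without the grant right cannot hand out copies, and revoking a handle cuts off everything derived from it.

```python
# Added example: a toy object-capability model in Python.
# Not EROS/KeyKOS code; every name here is invented for illustration.
from dataclasses import dataclass

# The full set of rights a handle can carry (assumption: three rights suffice).
RIGHTS = frozenset({"read", "write", "grant"})


@dataclass
class Resource:
    """A protected object (think: a file). Code never touches it directly."""
    name: str
    data: str = ""


class CapabilityError(PermissionError):
    """Raised when a handle lacks a right or has been revoked."""


class Capability:
    """A handle: a reference to one resource plus a fixed set of rights.

    Attenuation can only remove rights, never add them, and revoking a handle
    invalidates every handle derived from it (tracked via the parent link).
    """

    def __init__(self, resource, rights, parent=None):
        self._resource = resource
        self._rights = frozenset(rights) & RIGHTS
        self._parent = parent
        self._revoked = False

    def valid(self):
        # Walk up the derivation chain; any revoked ancestor kills this handle.
        node = self
        while node is not None:
            if node._revoked:
                return False
            node = node._parent
        return True

    def rights(self):
        return self._rights if self.valid() else frozenset()

    def _check(self, right):
        if not self.valid():
            raise CapabilityError("capability revoked")
        if right not in self._rights:
            raise CapabilityError(f"missing right {right!r}")

    def attenuate(self, *rights):
        """Derive a weaker handle. Needs 'grant'; rights not held are dropped."""
        self._check("grant")
        return Capability(self._resource, frozenset(rights) & self._rights, parent=self)

    def revoke(self):
        self._revoked = True

    def read(self):
        self._check("read")
        return self._resource.data

    def write(self, data):
        self._check("write")
        self._resource.data = data


def make_root_capability(resource):
    """Mint the first, full-rights handle for a freshly created object."""
    return Capability(resource, RIGHTS)


def demo():
    """Grant a read-only view of a log, try to abuse it, then revoke upstream."""
    log = Resource("audit.log", "boot ok\n")          # constructed sample object
    owner = make_root_capability(log)
    viewer = owner.attenuate("read")                   # log viewer gets read only
    results = {"viewer_reads": viewer.read()}
    try:
        viewer.write("tampered\n")
        results["viewer_write"] = "allowed"
    except CapabilityError:
        results["viewer_write"] = "denied"             # no 'write' right
    try:
        viewer.attenuate("read")
        results["viewer_grant"] = "allowed"
    except CapabilityError:
        results["viewer_grant"] = "denied"             # no 'grant' right
    owner.revoke()                                     # revocation propagates down
    results["viewer_after_revoke"] = viewer.valid()
    return results


if __name__ == "__main__":
    print(demo())
```

    The contrast with the "root" model the comment describes is that nothing in this code consults who the caller is: authority lives entirely in which handles a piece of code was given, so a component that only ever received a read-only handle cannot escalate no matter what identity it runs under.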

  • by Mitchell Mebane ( 594797 ) on Tuesday October 08, 2002 @05:24PM (#4412585) Homepage Journal
    As long as they charge for DRM, we're all set!
  • by GreyWolf3000 ( 468618 ) on Tuesday October 08, 2002 @05:25PM (#4412595) Journal
    Johnny Hughes was a 21-year old college student. He had a lot of free time on his hands, and decided to start a 'pr0n' site, "'" featuring a man prying [censored] wide open, showing a gaping [censored]."

    He needed a webserver--he had heard about Microsoft's new version of Windows (XP), and that it was built on NT technology. "That means," his friends said, "your IIS webserver is stable, reliable, and easy to configure the way you want it." After a few weeks of uptime, John noticed few crashes, but due to the nature of his website, found many so-called 'l337' hackers taking his services down.

    "It was getting bad. I called Microsoft's online tech-support, and they were friendly and helpful. We worked out a licensing plan for them to secure my webserver, and within a week they had a qualified MCSE at my server working hard."

    "It was definitely a good decision. Microsoft helped my business expand and grow, in spite of being involved with many criminals and hackers. Best of all: it was easy and affordable."

  • by Mu*puppy ( 464254 ) on Tuesday October 08, 2002 @05:25PM (#4412596)
    -then you better pay Guido here, else your data might have an unfortunate "accident"...
  • by JeanBaptiste ( 537955 ) on Tuesday October 08, 2002 @05:25PM (#4412597)
    that are not trolls?

    While not a microsoft fan by any stretch, I don't think this is necessarily a bad idea because of this: Now, when a hacker/virus/trojan attacks, maybe Microsoft will have to accept some accountability, after all I am paying for the security. As it is now, we get hit by nimda, microsoft is not really liable for any damages. If I am paying for security, maybe they would be liable. Just a thought.
    • So I guess that 300 bucks for XP Pro was bought with the full intention of being open to attacks. While you cheerily installed it you thought about how you were open to l33t haxors and such.

      Come on. When you purchase something you buy it with certain ideas. When I buy ( which I don't ) MSSQL then I expect nobody to get my data. When I buy ( another one I don't use ) Exchange I expect nobody else but me and the user to be able to read emails.

      You don't buy a product with the expectation of it being crippled ( DRM aside ) and thus you ARE paying for security. I'm not a MS Fan, I'm not a MS Critic ( although lately I seem to be ) I just get pissed when I see a company charging for something that is presumed and expected to be included with the product.

    • The minute Microsoft signs off on some agreement that they are accountable and liable for the machine they purport to secure will be about 60 minutes before someone with a very large sense of humor and real talent hears about it, and about three hours before Microsoft eats that contract.

      I can't think of a better way for them to put a target on the back of the first client that bites, or themselves, for that matter.
  • Wouldn't this be a monopolistic move for them to add security consulting? I mean, we all know their track record...

    But seriously, who is to say that they aren't going to engineer security holes into their systems that only they know about, then come forward and say that they have the fix, but since it's such a "complex" issue, the only option to fix it is to have their value-added security consulting force come in and "secure" your systems?

    No thanks, Microsoft. I am not happy with you in general; why would I trust your lackeys to secure my systems? An MCSE is one thing, but a Microsoft-employed security consultant is a whole 'nother beast.

    Reminds me of that Simpsons episode when Billy G wants to buy out Homer's ISP, and he "writes a check" for the ISP through his thugs smashing the place up.
  • The fact that Microsoft is considering providing security services for a fee just shows that it knows that its OSs are not secure enough. But if they can't build security into the OS itself, then is there any guarantee that they will be able to do it later on, for a separate fee? Judging from the number of patches they release for other patches, I don't think that Microsoft is capable of providing these services for which it plans to charge.
  • by cballowe ( 318307 ) on Tuesday October 08, 2002 @05:27PM (#4412616) Homepage
    In presenting Microsoft's trustworthy computing initiative, Mundie defended the company's reluctance to follow through and accept legal responsibility for the security of its products. "If we took that responsibility, say for a big contract at Airbus, I would have to take out a giant insurance policy from Lloyds or another insurance broker, and pay a giant invoice," said Mundie. "The product would then cost not 50 euros, but 50 million."

    It seems to me that if Microsoft didn't have the reputation that they have with regard to security and reliability, the insurance policy wouldn't cost 'em so much. Kinda like auto insurance -- those that prove they can drive responsibly for a period of time pay far less than somebody who crashes 3 times in a week.
  • I'll wait, and see (Score:5, Insightful)

    by unicorn ( 8060 ) on Tuesday October 08, 2002 @05:30PM (#4412630)
    No matter what ill will the average /. user bears towards Microsoft, you can't possibly say that they are idiots.

    And starting to charge for hotfixes, and obvious security holes in the OS would be an act of complete idiocy.

    I have a feeling that whatever security initiatives MS is working on certainly aren't aimed at the average home user. There's no money in it. MS makes its wad off corporate licensing, where they don't have to worry about retailers, or packages, etc. The home user is an important market to them. But it's not what put Bill on top of the Forbes 400.
    • And starting to charge for hotfixes, and obvious security holes in the OS would be an act of complete idiocy.

      That's how I thought when MS started charging more than $100 for Office, and guess what? Idiots will pay.

      This is not a flame; it was practically given away. WP would sell for over $150 (I can't recall the exact price, but it was at least that).

      SH!T I'm old....

    • The question is not whether or not they're idiots. Everyone is likely good at something.

      The real problem is WHAT they're good at...

      I want a company that is good at engineering computing systems, not good at blackmailing customers (MITS, IBM) or committing fraud (IBM).
  • Priorities (Score:5, Insightful)

    by catfood ( 40112 ) on Tuesday October 08, 2002 @05:31PM (#4412639) Homepage

    Says the story write-up:

    I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start.

    Internet Explorer is a fundamental, inseparable part of the operating system; but security is an add-on product. I love it.

  • When asked about security Mundie states:
    "Because customers wouldn't pay for it until recently."

    I interpret this as:
    People ASSUMED they were getting something secure. When they realized they were not they went elsewhere to find something that was. Microsoft ironically wants to be the elsewhere too. They can get there two ways. Make the product more secure the first time, or continue as normal and sell yet something else on top of or next to the other product. A tier level of security I guess. Seems like a very odd way to operate..
    • I have to disagree here. I don't read his comment as a comment on consumers at all, but rather perception. Consider:

      It's 10 years ago. We're all enjoying Doom on our 486-DX2's, and drooling over the latest Pentium preview (coming soon... MMX!). Someone comes up to us, and tells us that those fun USENET and NEWSGROUP things we keep playing around in may hold evil hax0rs, who can hack our boxes and steal our.... Doom savegames. "Egads!", we exclaim, "whatever can we do?". "Well, " says Mr. Someone, "we can make it nice and secure, but it's likely that Memphis, Chicago, and especially Cairo will cost more. So, do you want us to protect your savegames?"

      Now, let's be honest. 10 years ago (hell, 5 years ago, for most people), we didn't have much on our PCs worth protecting with security, firewalls, etc... at least those of us on WinTel. Come on, how many people had a firewall on their 19.2 baud modem? Did you worry about hax0rs when you upgraded to 28.8? 33.6? The magical 56k? (complete with the X2 wars). Would you have paid extra back then, so that MS could spend millions (stop laughing, they really do) working on security n' chit? Now that hackers (black, grey, white and blue) are in the mainstream, broadband is common, and people actually put a monetary value on the data in their computer, security is important to consumers, and they're willing to pay a little extra. It doesn't seem so evil to me...

  • It sounds more like they are going to charge for security extras, not for basic security patches and whatnot. This isn't MS cutting its massive user base off; it's MS trying to make a few extra bucks off the companies that need enhanced security. Sure, you could argue that the best possible security should be available on all versions of Windows, but they are a for-profit company and are trying to make a few dollars in this rough economy.

    This is not a troll.
  • Flippant? (Score:2, Interesting)

    by Jack Auf ( 323064 )
    Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently." Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security.

    I wouldn't say that was a flippant question. Obvious, yes, and valid to be sure. But how is that question supposed to be 'flippant'? Why has it taken 25 years for you to take security seriously? Never mind that you're asking me to *pay* for something that should have been an intrinsic part of the product from the start. Seems like a good question to me.

    Is there something in the Micros~1 corporate culture that breeds contempt for anyone that dares to ask a valid, though perhaps embarrassing, question?

  • by Theatetus ( 521747 ) on Tuesday October 08, 2002 @05:33PM (#4412658) Journal promise E coli-free food for an extra fee. A spokesperson for McDonalds said, "Our revenue model doesn't normally lend itself to our being held responsible for the hygienic quality of our food; however, for a fee as disclosed in our End Eater License Agreement, we will make sure your burgers don't carry a horrid, filthy plague."

  • Security is like public health and education

    Isn't MS's security already at least as good as the quality of teaching in our government schools []? ;-)
  • 1. Make big insecure operating systems
    2. Form Security Consulting Arm
    3. ....
    4. Profit!!

    in this case - the .... is just what it means.
  • by kindofblue ( 308225 ) on Tuesday October 08, 2002 @05:35PM (#4412668)
    It seems to me that if Microsoft can charge for enhanced security, then they are admitting that their non-enhanced versions are partially defective. From a legal standpoint, it sounds like they would be culpable for such security defects in their non-security enhanced versions, because they cannot then claim that such defects are intrinsic to the complexity of their software itself, and they cannot claim that they just didn't know how to fix it.

    On the other hand, if a third-party adds security features, that company can claim that they have found ways to secure Windows, which Microsoft was not able to do.

    I'm not a lawyer, but it seems that charging for security enhancement would be like charging extra for a car with a working airbag, instead of a cheaper model that works maybe 80% of the time.

    How would this compare to a warranty on consumer products? It seems like a warranty is just like insurance, because you get cheaper repairs in case something goes wrong. Is this applicable to software?

    BTW, I'm asking a legal question, not an ethical business question.

  • I have to run Windows at work to be able to communicate with the Windows world without problems. It is Microsoft that should pay me for their "security", I waste at least 5 hours per week booting this stupid machine after every stupid critical security update that requires a stupid reboot after every damn install. This is the only option I have to keep the system at least somewhat "secure".

    I understand that a system needs patches, but is it really so hard to make an operating system whose maximum uptime is limited to 2-3 days because of the stupid required reboots? I know a couple of such operating systems.

    I am sorry, but you will need to rewrite the whole damn thing.

  • Mundie, speaking about MS Windows: "The operating system is designed to run on machines that are not designed yet."

    There's a joke in there somewhere, but I'm having trouble finding it. Discuss.

    • The secret is that Bill Gates is a precog and the actual Windows code base has been frozen for the last 20 years. The entire OS runs in 640K and will continue to operate on Intel hardware until they go belly up in 2069 when the transistor density of their final design combined with the intense heat it generates spontaneously punches through time/space to form a black hole.

      Each new release is the last version with an exponentially increasing "fudge factor", a data file of randomized pRon collected by a web spider. This makes it look like they are actually doing work in Redmond instead of playing CounterStrike 24/7.

      All Windows development ("cat Windows2000 pRon.dat > WindowsXP") occurs on a single IBM XT running Minix.
  • so sue 'em (Score:3, Interesting)

    by Anonymous Coward on Tuesday October 08, 2002 @05:37PM (#4412686)
    Does that mean it would be possible to sue M$, if they fail to provide a bought service, i.e. security?
  • Buffer Overflow (Score:5, Interesting)

    by sdjunky ( 586961 ) on Tuesday October 08, 2002 @05:38PM (#4412688)
    "Windows runs an arbitrary set of applications, in an arbitrary configuration, with arbitrary devices, said Mundie. 'The operating system is designed to run on machines that are not designed yet.' While Microsoft could demand that it creates the drivers for all hardware, the industry would not accept that. 'Each time we accede to the reality of the industry, we accede to the problem,' he said."

    Yep. All those string buffer overflows are obviously caused by the ram. And those virii that use Outlook automation obviously use the fact that Windows has to account for various pieces of hardware too.

  • Pricing Security (Score:3, Interesting)

    by Orne ( 144925 ) on Tuesday October 08, 2002 @05:38PM (#4412696) Homepage
    In my humble opinion, the secondary cost of the operating system's security should be inversely proportional to the control granted by said operating system to the external network. What do I mean by this? The more networking gadgets one puts into their operating system, the more they are responsible for the access to said gadgets.

    Security in DOS was practically non-existent, because frankly, you couldn't do much on it. The worst you could do was write data to COM1, and native DOS wouldn't do anything with it. Then came Win2 and they introduced the OLE concept, where a person could control application A through application B. Security req: still marginally zero, because of the single-user environment. Win311 brought us the Network Neighborhood, and now you could control application A over a network to control application B. Because of MS's DLL approach, the operating system now must track login names, and validate IDs, and coordinate data flows. Now we have XP, with automated updates, drivers for everything, protected modes, lots of complexity that MUST be secured by the operating system.

    Brief Analogy: I build you a house, and I install a cardboard front door, then to protect this cardboard door I want to sell you the steel door as a security "upgrade". In a perfect world without crimes, we wouldn't need any doors, but that's not the way things work...

    In short, Microsoft measured their rope, and now they're trying to avoid the gallows. They built an operating system that's practically transparent to the network, then they're horrified that someone other than MS might exploit this transparency. If they aren't willing to protect the public from their own products, then someone needs to inform the public that there are better products in existence...
  • by supabeast! ( 84658 ) on Tuesday October 08, 2002 @05:49PM (#4412770)
    Any bets on how long it will take MS to get exclusive, multi-billion dollar contracts with US Government Agencies to help secure Microsoft products?

    And are any US taxpayers interested in suing both parties when it happens?
  • Microsoft is at a conflict of interest and as an end-user, I am not impressed.

    We all know how secure MS products are. By having MS consult in areas of security, there would be no motivation for MS to make their products more secure. Also, what stops MS from deliberately leaving holes in its software to have its security consultants patch them up later?
  • Companies would gladly pay big bucks for secure products, if the promise of security is backed by liability or some kind of warranty. If EULA stays the same, MS will not provide an extra peace of mind, and nobody will pay more money for "maybe more secure" software.
  • order to secure their products, Microsoft today announced its new line of security software: "MS/GNU/Linux".
  • by McCart42 ( 207315 ) on Tuesday October 08, 2002 @06:02PM (#4412840) Homepage
    Microsoft Windows XP: $100/license.
    Microsoft Office XP: $300/license.
    Paying extra for security: Thousands of dollars per site.
    Realizing there's a free, secure alternative: Priceless.

    Some things money can't buy. For everything else, there's Microsoft.
  • by MadFarmAnimalz ( 460972 ) on Tuesday October 08, 2002 @06:03PM (#4412846) Homepage
    I get lots of good ideas. I'll even give you some for free. But hire me afterwards, OK?

    1. Well, you can charge people less for running at lower resolutions like 640x480. See? It even sounds better than saying 'our higher res clientele will have to pay more'

    2. You can also charge extra licensing fees for users that think they might need a mouse. Heck, Linux does it... yes linux does too, since the mouse functionality costs nothing, which is precisely as expensive as the whole OS...

    3. You might as well begin to start charging admission fees to all buildings that contain a machine with windows on it. KA-CHING!

    That's it. 3 ideas are all you get. Now will you hire me?

  • "...but I would prefer operating system vendors to treat security as part of the core functionality of their products, if only because effective security has to be designed into the operating system from the start."

    I find this comment a little short-sighted: The problem is that security has an inverse relationship to features/usability. The reason that a virus can do damage on a Windows system isn't a flaw in the OS (though I suppose the OS could be patched to fix it), but rather because a program like Outlook Express has a feature that somebody learned to exploit. That feature was put in for other reasons, mainly to make OE more usable, but it also provided an outlet for mischief.

    Frankly, I'd rather a company make money by being more secure. It gives them a good solid reason to not only add features, but test them against potential exploits. Money is a much better motivator than a good mission statement. When MS thinks it can make money at something, it usually excels at it. If MS thinks people will pay more for 'security', then let them have a go at it.

    The worst that can happen is that MS actually loses money for failing to meet that promise. Yeah, I'm sure the Slashdot floor would be wet with tears if that happened. But the best that could happen is that MS combines a good user experience with security, a product we could all benefit from.

  • to have security in your software in order to charge for it?
  • by El ( 94934 ) on Tuesday October 08, 2002 @06:10PM (#4412890)
    What incentive does M$ have to make sure the operating system they sell you today works, when their business model calls for them to sell you a new operating system every year? (In fact, they've even used the fact that their previous release was a POS to sell new releases!) What incentive does M$ have to fix the vast security holes in their standard releases, when they can make even more money by charging you for the security patches?

    At what point does the consumer stop doing business with a company that admits that everything they sold you in the past is a POS in order to get you to buy yet another upgrade? At what point do corporations decide it might be a bad idea to single source all its software from a company that considers security to be optional?

  • I'm surprised that no one has yet sued Microsoft for some egregious breach of security, enabled by a flaw in Microsoft's released code, that ended up costing some company a ton of money. This is, after all, the country where someone eats too many hamburgers and then sues the person who made the hamburgers.

    IANAL, but it seems reasonable to me that if you use a product as it is intended to be used, and it wreaks unexpected havoc on your system, you should be entitled to redress.

    If Microsoft now starts charging for extra security and other such 'features,' I'd think that would increase their liability if something does go wrong. I can't believe their EULAs are that iron-clad.

  • by cornice ( 9801 ) on Tuesday October 08, 2002 @06:23PM (#4412970)

    Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently." Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security, and it is only in the last ten years that Microsoft has attempted to play in the security-requiring worlds of banking payroll and networked systems.

    The reality is that M$ sold products that were expected to perform to a base level in terms of quality and security. Because users can't look under the hood so to speak, the quality and security issues didn't emerge until it was too late. Now the customer is screaming for relief and MS is there with its hand out.

    Also does it sound like the lines between security and DRM are being intentionally blurred here?

  • The article doesn't specify what "security" is.

    Will MS be selling firewall and antivirus software? Or do they mean they'll sell a more secure version of Windows?
  • by billstewart ( 78916 ) on Tuesday October 08, 2002 @06:26PM (#4412995) Journal
    Hey, it takes a lot of work to install Unix, set up WINE, and then get all the MSOffice applications to work well on top of WINE :-)
  • by Myco ( 473173 )
    Couple of weeks ago they were whining about how they're unable to secure their products because the relentless droves of evil H4X0RZ are always three steps ahead. Heartfelt apologies for not delivering the promised security that should have been delivered with the product.

    Now they turn around and say "oh, actually, we *can* do that... but it'll cost ya." Real cute, folks.

  • by nsayer ( 86181 ) <nsayer @ k f u . c om> on Tuesday October 08, 2002 @06:40PM (#4413085) Homepage
    When people talk about software security, they're putting the cart before the horse. Security is a metaphor for quality. Every time a vulnerability exists, it is because of some sort of an error. This is true almost by definition.

    Microsoft's products are not crappy because they are insecure. They are insecure because they are crappy.

    If you take the article in question and substitute the word "Quality" for "Security," it becomes a much more truthful statement of what's really going on. Microsoft never cared about quality because they had a monopoly. Their overriding concern has never been quality, it's been in maintenance of their monopoly position. So they've shoehorned in any new feature that has shown any promise of being a technology that they can monopolize down the road or that can commoditize the work of a competitor and thus help drive them out of business.
    • by Florian Weimer ( 88405 ) on Tuesday October 08, 2002 @07:26PM (#4413346) Homepage
      Microsoft never cared about quality because they had a monopoly.

      A few years ago, Microsoft didn't have a monopoly at all. But the competition couldn't really compete on quality (or security, for that matter). The UNIX camp had its internal conflicts, IBM marketed OS/2 as a Windows emulator (and got cautious when it was too successful in Germany), and MacOS required a brainwash to view its quality (and most of its security was the result of a single-user system).

      The market demanded only a very basic level of software quality, and Microsoft delivered software which matched the expectations of the market. What else could have made Microsoft such a huge company? Alien influence?

      Apart from that, I believe that charging for critical security information is morally wrong (and not in the "proprietary software is bad" sense, but in the "not warning your neighbor when he's about to get hurt" sense). But who's seriously into (the very practical aspects of) computer security and does not sell e.g. early-access information?
    • Every time a vulnerability exists, it is because of some sort of an error. This is true almost by definition.
      This is a very good point -- indeed, an essential one. As anyone who's as much as lurked on Bugtraq or other security-oriented fora can tell you, the discovery of many vulnerabilities begins with the discovery of a way to crash the affected service.

      This is particularly the case with buffer and stack overflows: if I can crash your FTP server by sending it a huge string of junk, that means that your FTP server is doing something invalid (such as smashing the stack) with that input. To crash a service entails getting it to execute nonsense code -- to crack it entails getting it to execute my code.

      What does this mean for Microsoft's code -- or anyone else's? Well, any means to get a network-facing program to crash should really be considered a security vulnerability waiting to happen. Bug reports of the form "I can crash your program by sending it gibberish" should not be answered "Well, don't do that!" They should be treated almost as seriously as vulnerability reports themselves. While there are classes of remote crashes that don't lead to vulnerabilities, that's not the safe way to bet.
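      The reply above argues that a crash on a "huge string of junk" is a quality bug and a vulnerability-in-waiting at once. As an added illustration (not code from the thread or from any real server), here is a toy command reader of the kind that "FTP server" would contain, in its unchecked form and in a form that bounds the input and reports an overlong line as an error; the names `CMD_MAX`, `read_command_*`, `classify` and `oversize_inputs_are_rejected` are assumptions for this example, and the sample lines are constructed. The last function is the sort of check a maintainer can run against exactly the bug report the reply describes: every length from empty to several times the buffer, asserting that nothing larger than the buffer is ever accepted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tiny line reader for a made-up FTP-like protocol.
   Nothing here is taken from the thread or from a real server. */
#define CMD_MAX 16                      /* assumed size of the command buffer */

/* Result codes returned by the hardened reader. */
enum cmd_status { CMD_OK = 0, CMD_TOO_LONG = -1, CMD_BAD_CHAR = -2 };

/* Unchecked reader: copies the line into a fixed stack buffer with no length
   test. A line longer than CMD_MAX overruns cmd[] and corrupts the stack; that
   is the "something invalid" behind the crash the reply talks about. Shown for
   contrast only; nothing in this file calls it. */
int read_command_unsafe(const char *line)
{
    char cmd[CMD_MAX];
    strcpy(cmd, line);                  /* no bounds check */
    return (int)strlen(cmd);
}

/* Hardened reader: measures the line without reading past out_len, rejects an
   overlong or malformed line, and only then copies. A "huge string of junk"
   now yields CMD_TOO_LONG and the caller keeps running. */
enum cmd_status read_command_safe(const char *line, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && line[n] != '\0')
        n++;
    if (n == out_len)
        return CMD_TOO_LONG;            /* no terminator inside the buffer */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c < 0x20 || c > 0x7e)       /* allow printable ASCII only */
            return CMD_BAD_CHAR;
    }
    memcpy(out, line, n + 1);           /* n + 1 <= out_len, includes the NUL */
    return CMD_OK;
}

/* Convenience wrapper: classify one line against a CMD_MAX buffer. */
enum cmd_status classify(const char *line)
{
    char out[CMD_MAX];
    return read_command_safe(line, out, sizeof out);
}

/* Robustness check for a report of the form "I can crash it with gibberish":
   feed every length from 0 to 4 * CMD_MAX and confirm that lines that fit are
   accepted and lines that do not are rejected, never written. Returns 1 on
   success, 0 on the first wrong verdict. */
int oversize_inputs_are_rejected(void)
{
    char junk[4 * CMD_MAX + 1];
    char out[CMD_MAX];
    for (size_t len = 0; len <= 4 * CMD_MAX; len++) {
        memset(junk, 'A', len);
        junk[len] = '\0';
        enum cmd_status st = read_command_safe(junk, out, sizeof out);
        int fits = len < CMD_MAX;       /* room for the NUL terminator too */
        if (fits && st != CMD_OK)
            return 0;
        if (!fits && st != CMD_TOO_LONG)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* constructed sample lines */
    printf("USER bob        -> %d\n", (int)classify("USER bob"));
    printf("32 x 'A'        -> %d\n", (int)classify("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    printf("control byte    -> %d\n", (int)classify("NOOP\x01"));
    printf("length sweep ok -> %d\n", oversize_inputs_are_rejected());
    return 0;
}
```

      The point of the sweep is the reply's own: a reader that returns an error code for oversized input has turned a crash report into a handled case, and the same loop can be kept as a regression test so the next "feature" added to the parser cannot quietly reopen the hole.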

  • by mindstrm ( 20013 ) on Tuesday October 08, 2002 @06:54PM (#4413149)
    First.. they said they were not ready to approach trusted computing until people were ready to pay for it.

    Well, does that not make sense? there is no business sense in spending the money to develop something if people are not willing to pay for it.

    Trusted computing is not about security.. it's about accountability. It's about being able to have a proper audit trail for who did what when, no matter what. Your data can still be stolen, you just know who did it.

    Microsoft is not talking about charging for security patches or updates. They are talking about complete trusted systems, something they don't have yet (though NT goes further in this regard than linux does, by quite a bit. Notice how if a user changes the permissions on a file so administrator can't read it, then Administrator can't read it until he a) takes ownership of it and b) changes the permissions. Admin still has the power to read anything, but not without leaving a mark that they did it.)

    They are talking about having secure offerings for trusted computing.
  • by Rambo ( 2730 ) on Tuesday October 08, 2002 @08:02PM (#4413518)
    I've heard the argument that open source companies rely on the difficulty in using or installing their products (i.e. sendmail). However, now that MS is pondering charging for security, doesn't that suggest the argument that they are charging for what they can most easily make money on? Having many issues with security could become a strong business model and effectively force people to pay for the fixes as the "default" patch level that the OS ships with becomes correspondingly decrepit and bug-ridden.