Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

EU And Microsoft Clash Over Vista Security 311

An anonymous reader wrote to mention coverage of further clashes between Microsoft and the EU, this time over security in Windows Vista. Microsoft is 'urging' the EU to allow all of the security elements of Vista to remain intact. The EU seems to be under the impression it's not asking for security to be lax; it just wants the software company to ensure a fair playing field for all businesses. From the Newsday article: "European Union officials warned Microsoft Corp. on Tuesday not to shut out rivals in the security software market as the company plans to launch its Windows Vista operating system with built-in protection from hackers and malicious programs. EU spokesman Jonathan Todd told reporters that the European Commission is "ready to give guidance to Microsoft" concerning Vista but added that it was up to the U.S. software maker 'to accept and implement its responsibilities as a near monopolist to ensure full compliance' with EU competition rules."
This discussion has been archived. No new comments can be posted.

EU And Microsoft Clash Over Vista Security

Comments Filter:
  • The solution (Score:5, Insightful)

    by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Tuesday September 12, 2006 @12:47PM (#16089378) Homepage
    The solution to me seems to be the approach used in linux, bsd, whatever. Fully document the security APIs, or command-line tools to configure the security aspects. Let other vendors write their GUIs for controlling security, such as firewalling, using that API. Let people pick the tool that fits their needs best, while all providing the same type of security through the OS.
    • by cybrthng ( 22291 )
      You can use whatever firewall you want, both in software and hardware. You can use whatever virus scanner you want, both software and hardware. When vista pops up with the security center it doesn't even focus on Microsoft products - your first choice are compatible third party products.

      So what is the point of all of this?

      The other security implementations would be like asking Unix to allow replacement of Sudo, root and user permissions and replace it with a third party app that would just give you want you
      • by nsayer ( 86181 ) * <nsayer@kfPASCALu.com minus language> on Tuesday September 12, 2006 @01:36PM (#16089906) Homepage
        The other security implementations would be like asking Unix to allow replacement of Sudo

        The irony here is delicious. sudo is, in fact, a third-party replacement for the su command. You may not think so because Linux distros have been including it for a long time, but of course Linux (or GNU/Linux, if you insist) != Unix(tm).

      • No No No.

        The other "security" implementations would be like asking Unix to allow admin userspace programs to access the Linux Kernel security interfaces, manipulating operating system controls on a real-time bases.

        Which is exactly what the Linux Security Modules project did []

        The Linux Security Modules (LSM) project provides a lightweight, general purpose framework for access control. Contemporary computing environments are increasingly hostile. Adding enhanced access control models to the kernel improves ho
      • by vadim_t ( 324782 ) on Tuesday September 12, 2006 @02:29PM (#16090356) Homepage
        Linux security is very customizable.

        First of all, sudo is just a normal application, that can be replaced. Second, there's PAM, which allows you to plug pretty much anything into the security system. You can replace the mechanism for password entry, authenticate with a fingerprint or an USB flash drive, etc, and have it all automatically integrate with existent software -- you don't even need to patch tools like su and sudo to accept different authentication methods, as it's handled through PAM.

        Same goes for firewalling, nothing stops you from building whatever UI you want to talk to netfilter. You can ignore iptables completely, which is just an userspace tool.

        Then the kernel has a whole system of security hooks which is used by things like SELinux. New security models can be integrated.
        • by arose ( 644256 )
          And if all that fails you are still free to hack the kernel appart and put it together around your product.
  • by edxwelch ( 600979 ) on Tuesday September 12, 2006 @12:49PM (#16089401)
    "When Microsoft failed to meet Commission requirements, the EU executive fined the company another 281 million euros (about $350 million) this summer. "

    All I want to know is when we get our 2*281 million euros?
    If you divide that by the population of Europe you get about 3 euros each, that's enough for at least a beer each.

  • by Sloppy ( 14984 ) on Tuesday September 12, 2006 @12:52PM (#16089432) Homepage Journal

    What lame articles. Neither one says what the hell the thing being bundled is, other than "security" as though security could possibly be a product or module.

    Ok, one of the articles made a brief mention of a firewall. Is all this noise about something as mundane as a software firewall?

  • by paladinwannabe2 ( 889776 ) on Tuesday September 12, 2006 @12:56PM (#16089475)
    It's hard to say what should be inherent in the OS and what shouldn't. However, most forms of computer security should be inherent to the OS and not part of some third-party solution. For instance, I want my OS to be resistant to running arbitrary code and be able to give me control over and info about programs and processess are running on my computer. If I have to get third party support to do those things the OS is failing me.
    • by mrjb ( 547783 ) on Tuesday September 12, 2006 @01:22PM (#16089771)
      The current anti-virus business is mainly built on loose ground: (the lack of) security in the main OS that they support. As the OS gets more secure, the need for AV software greatly diminishes, and it is likely that some AV companies will go out of business as a result of it. At this moment, however, this hardly seems the problem yet, as most security issues are addressed by "patches" rather than real solutions: antivirus, anti-spyware, anti-whatnot, which when bundled with the OS would be unfair competition to Antivirus-software houses.

      As said- Europe isn't demanding reduced security, but fair competition. But even when 'fair' competition is allowed and security keeps improving, the software houses that provide security solutions should seriously consider rethinking their strategy as they may become redundant and go out of business anyway.

      So, seeing that the anti-virus business is in a lose-lose situation, I guess they concluded they might as well cry wolf. This isn't impressive- it's just money talking. So am I defending MS on this? No (of course not- this is slashdot). I think the AV business should be allowed to compete. I just don't think that it will make much of a difference, in this case.
      • The current anti-virus business is mainly built on loose ground: (the lack of) security in the main OS that they support... So, seeing that the anti-virus business is in a lose-lose situation, I guess they concluded they might as well cry wolf.

        You're missing part of the picture. First, MS has a monopoly on the desktop OS. Second, they allowed a market for these security products to develop. As a result, it is illegal for MS to bundle a firewall or anti-virus program, or otherwise illegally tie it to thei

    • True, but consider this:

      When I buy a car, I expect it to have tires. However, when I drive a lot through the snow, I might want special tires which make driving through snow easier. As it is now, I can simply buy those better tires and put them on my car.

      The point that the EU wants to make is that if you buy Windows and you are not content with one of its features, you should be able to replace that. And the feature which they ask that for specifically is one that has been replaced by many third-party v

      • Sorry, your analog seems apt but I don't think you understand what you're applying it too. Microsoft hasn't locked out security companies and 3rd party tools can and do exist to extend the functionality of Vista. What deliberate move by MS are you referring to? Closing a lot of the gaping holes in the previous OS? Punishing someone for improving their product really doesn't seem like a bright idea even if they do have a near monopoly. I think if fines are to be dulled out they should at least choose a valid

  • Modularization (Score:5, Insightful)

    by theckhd ( 953212 ) on Tuesday September 12, 2006 @12:59PM (#16089510)
    This was brought up by someone in another discussion in a different context, but I think it applies equally well to Microsoft's current problems with the EU.

    If they would simply modularize many of the components that come with Windows, they might wriggle out of a lot of legal troubles.

    For example: I go to install Windows from scratch. On the installation screen, i get a list of components...
    [x] Windows OS (base system, required)
    [_] Internet Explorer
    [_] Windows Security Center
    [_] MS Firewall
    [_] MS Antivirus
    [_] MS Anti-Malware


    I can check any of these things that i like, and they'll be included in the installation. For OEM installs, they could just include everything by default.

    Most importantly, make them removable through Add/Remove Programs, so that if i decide at a later date that I no longer need a feature, i can uninstall it completely.

    Suddenly a lot of the monopolistic legal troubles get much less worrisome for Redmond. EU worried about MS including Anti-Virus or Firewall? No problem, make them un-checked in the default install. Leave them on the disc, and make them freely available for download at the MS website to make it abundantly clear that they're a free service.

    Not that I expect them to do any of this of course, but it would certainly help reduce the amount of resentment that many people feel towards them, even from their own users.
    • by pe1chl ( 90186 )
      This seems reasonable, but are the Linux vendors taking this approach?

      When I install SuSE Linux, it installs SuSE Firewall. When I want to uninstall it, a whole list of other items that "depend on" this SuSE Firewall pop up, hindering its removal.
      The best thing I can do is "disable firewall", but it still remains installed (mostly a set of scripts to manipulate a very complex set of iptables rules that never gets loaded because it is disabled).

      Also, are you sure "security" and "optional components" would
      • by Coryoth ( 254751 )

        When I install SuSE Linux, it installs SuSE Firewall. When I want to uninstall it, a whole list of other items that "depend on" this SuSE Firewall pop up, hindering its removal. The best thing I can do is "disable firewall", but it still remains installed (mostly a set of scripts to manipulate a very complex set of iptables rules that never gets loaded because it is disabled).

        I think the important point here is that in many ways SuSE is closer to an OEM than it is to Microsoft. They don't exclusively build

        • by pe1chl ( 90186 )
          My point is that the SuSE Firewall is a SuSE product, other products are available that do the same thing, yet you cannot uninstall it because other parts of the system have been coded as "depend on" SuSE firewall (and not "a firewall").

          I know it is possible to remove it, but the same is true for Internet Explorer. You only need to know how, and you must have a real intention to go forward with it. It is not like you have a free choice to select the firewall you want (or decide to work without one, e.g. b
          • by Coryoth ( 254751 )
            I'm just saying that it is relatively easy to pick a version of Linux remarkably similar to SuSE that doesn't have SuSE firewall. Find me the opportunity to readily pick a version of Windows that doesn't have IE and I don't think I would be at all concerned about IE's integration into a version of Windows.
          • You're mistaken. Take a look at the assertion you object to: "with Linux you are free to choose ... and with Windows you are not". And before that you come with an example of bundling in SuSe, one of many Linux distributions. You are free to choose SuSe, Fedora, Debian, Ubuntu, Knoppix, Mandriva, Slackware, LFS, Etcetrix, Etcetrix, Etcetrix. This freedom of choice invalidates whatever point you're trying to make here. To spell it out: bundling is okay, monopolistic bundling is not.
    • Re: (Score:2, Funny)

      by Amendt ( 802679 )
      "We are the borg, we will assimilate you" If only the EU could stand up to Steve's hurling of chairs. :)
    • The problem is (Score:2, Informative)

      by Sycraft-fu ( 314770 )
      That things will stop working. Programs rely on the presence of these enriched tools. You can see this with the EU's Windows XP N edition. People found that all sorts of things stopped working, games wouldn't play videos and such. Why? Well if you remove Windows's video playback engine, anything that uses it for video playback will stop playing video.

      Same is true of IE. To actually remove IE, and not just the executable (which you can delete if you want) you have to remove the HTML rendering engine. That me
      • Re: (Score:3, Insightful)

        by Sloppy ( 14984 )

        Programs rely on the presence of these enriched tools.

        Gentoo solves this problem with virtual packages that fill generic slots. For example, I have to have a system logger installed, but there are a variety of loggers to choose from.

        People would turn off a whole bunch of stuff without knowing what it is, and then cry because their programs didn't work and blame MS.

        It's really not all that hard to make an application display an informative error message. I've done it lots of times. :-) But let's suppo

        • Re: (Score:3, Informative)

          by Sycraft-fu ( 314770 )
          Have you done user support for the average user? If anything isn't precisely how they expect it's a pretty major problem. You have to remember that this would incur a rather large cost of MS as they'd need to provide the phone operators to take all these calls and they really couldn't get away with charging for them. Well that opens up a new problem in that people will start calling about support issues that aren't related. The way it works with support is that if you are on the phone, anything and everythi
      • MS help files are HTML, and if there's not an engine to render them, then they can't work.

        There are at least two possible solutions to this:

        • First: Allow help to be rendened in any "browser";
        • Second: Don't use html for help. I prefer the above option.
    • For example: I go to install Windows from scratch. On the installation screen, i get a list of components...

      This already exists in the unattended install (SIF) files in the [Components] section, you just have to know which components to turn off. You can find a list of all the components in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur r entVersion\Setup\Oc Manager\Subcomponents. We use this to not install games, MSN, and a few other odds and ends. It probably wouldn't be hard at all t
    • Re: (Score:3, Informative)

      by linebackn ( 131821 )
      And for those that recall what got them in trouble a while back with Windows Media Player could have easily been solved by adding:

      [_] Windows Media Player

      to the installer and add/remove screen. But what did they do? They they got all snotty and created "Windows Reduced Media Edition", a "special" version of Windows completely without WMP (not an option - just none).
  • One Microsoft Way (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Tuesday September 12, 2006 @01:05PM (#16089574) Homepage Journal
    Microsoft spends most of its time producing new OS features in collaboration with other vendors. DRM, drivers, APIs all designed to make MS OSes work better with the rest of the products people will buy. That takes much longer, and more code, than the rest of the OS does.

    But its "security" features are MS only. Of course that must be to protect the MS "near monopoly", always its #1 priority. Since the security market is neither very profitable nor already dominated by MS, I expect that their "security" also protects revealing other serious defects of the OS. Whether more monopoly protection, unnecessary security problems, or just bad coding. Therefore I don't see Microsoft opening those facilities for the EU before Vista is released, if ever.
  • by Noryungi ( 70322 ) on Tuesday September 12, 2006 @01:06PM (#16089583) Homepage Journal
    Here is my take on it:

    • Some european companies (F-Secure/Finland, Panda Software/Spain, etc) are involved in anti-virus protection and provide security products for Windows.
    • Microsoft Vista is going to integrate a lot of security products -- anti-virus is just one -- that will squeeze these european companies out of a market.
    • The above action can be qualified as "unfair competition" and "monopoly abuse" by the European Commission, since Microsoft owns... what? 97% 98%? of the market.

    The logical conclusion of the European Commission is that Microsoft should not incorporate these security features in Vista.

    To make sense of this decision, you have to remember that the European Union was based, as far as the economy is concerned, on the idea of "fair competition" meaning that monopolies should be banned, and major companies (or states) cannot squeeze smaller competitors out of a market. Whether the squeeze is due to state protectionism, unfair tariffs or a dominant position -- which is the case here -- is irrelevant.

    So, yes, it sounds ridiculous and bureaucratic at first sight, but it makes economic sense. And it may even provide better products in the end (I don't trust Microsoft products anyway).
    • In fact after you install it, it whines at you to get some. MS will sell you some, Onecare live, though it's not a particularly good deal pricewise. However installing any AV makes it happy, it doesn't want it's own, it just wants any AV app.
    • "The logical conclusion of the European Commission is that Microsoft should not incorporate these security features in Vista."

      Even if one were to conclude that this is fair, the problem is that European Commission won't be explicit about what can or cannot be included. If the commission wants to get into the requirements business they should at least accept the responsiblity that goes with it rather than effectively saying to MS "Go ahead and implement it and we'll sue you if we don't like it".
    • Sounds like the "Broken Window" fallacy dressed up for the technology age.
  • by Churla ( 936633 ) on Tuesday September 12, 2006 @01:08PM (#16089602)
    They are trying to push MS into a no win situation.

    A) MS doesn't include as complete and inclusive security as possible. This leaves the doors open for third party security developers, it also leaves the door open to the OS for malevolent people who will take advantage of the fact that many people won't think to add a product later for security.

    B) MS includes all the security they can, possibly making it so that people don't need third party software for security. BAM new anti-trust action because they aren't being fair to people who made a living covering bad MS security architecture in a previous version and aren't being given an equally bad architecture to help "protect" for a profit this go around.

    People complain that MS releases insecure OS products, then complain when they want to include more security features?!? bah

    I won't even get into how Apple is bundling everything they can under the sun into OS X when the same actions by MS would be tantamount to kicking the interwebs dog.
    • by tokul ( 682258 ) on Tuesday September 12, 2006 @02:18PM (#16090267)
      ...and aren't being given an equally bad architecture to help "protect" for a profit this go around.

      Antivirus does not make OS secure. It only tries to patch insecure OS. If Microsoft makes OS secure, EU commission and antivirus companies can't argue about it. If own antivirus solution is bundled instead of securing OS, it looks like monopoly abuse. It is possible that Microsoft is trying to help users, but company is known to use its market position against competitors. Any bundling will look suspicious.

      Apple is bundling everything ...

      Symantec is still selling NAV for Mac. I think Apple does not bundle antivirus.

  • Fair Play (Score:4, Insightful)

    by Ajehals ( 947354 ) <a.halsall@pirateparty.org.uk> on Tuesday September 12, 2006 @01:09PM (#16089628) Homepage Journal
    Just because this request to ensure a "level playing field" is focused on security makes it no less valid than if it were aimed at other elements integrated into the operating system.

    I Agree that i microsoft is integrating security products into its vista operating system that would enable it to enter markets where it has not got a large hold (i.e. Anti virus - where it is the main driver but not the main supplier...) and by virtue of its desktop OS monopoly becoming dominant in that market, then thats wrong. Especially if these integrated products are add ons masquerading as core operating system components.

    It would be fine if Microsoft ensured that their Operating system was sufficiently secure not to require any additional software, but not to include a load of features in the operating system that ensures its system security sotware becomes dominant.

    If it wants to sell these bits seperatley (reduce the cost of the OS and sell the security bits as additional extras) thats all fine too then those of us who use the OS can choose - but lets make it clear that selling a vista version with them in and one without at the same price is the same as integrating them in the first place....

    This becomes an even bigger issue if the Microsoft Security products / components are written to take advantage of elements of the OS that other providers cannot gain access to (either due to lack of documentation or through some other means). That would give rise to the same interoperability issues as we have seen previous law suits attempt to resolve.

    In short if MS want to secure their OS thats great, if they want to simply wipe out any external security providers to gain an extra revenue stream in the future (by say later charging for the components initially included for free), or become dominant in that area so as to play down securty vulnerabilities in their products thats not. After all would you buy your antivirus from the same guys who seem incapable of preventing their OS being succeptable in the first place?

    Last point - If microsoft are in the business of supplying both the OS and the security software (and additional services such as one care) doesnt that leave a rather nasty potential conflict of interest?
  • by FractalZone ( 950570 ) on Tuesday September 12, 2006 @01:10PM (#16089648) Homepage
    From what I have been reading, Microsoft is designing Vista in such a way as to make it difficult for products that compete with whatever token security schemes Microsoft is planning to foist upon its hapless user base to be installed and/or run properly. Microsoft should make any and all APIs necessary to implement alternative (read: better) security solutions for Vista public. If it doesn't, I think it is fair to say that Microsoft is once again using proprietary standards/code to stifle the competition. That seems like a clear anti-trust violation, given Microsoft's technically undeserved but nonetheless practical monopoly of the commercial desktop PC operating system market.

    Like most things that Microsoft touts as benefiting the user (think Windows Genuine (Dis)Advantage, DRM, and the "recommended" options on various configuration pages), whatever so-called security Microsoft puts into Vista will undoubtedly profit Microsoft first and the user as a mere afterthought, assuming that Microsoft can think up a good marketing gimmick to scare users into paying for it.

    I'm still planning on not wasting money on yet another overpriced, under performing piece of Microsoft Buggy Bloatware, namely Vista. Ubuntu Linux is working well for me and doesn't seem to suffer from the gaping security holes most major Microsoft products (Windows, Office, and IE) are infamous for.

    I must admit that Microsoft has a lot of nerve, trying to exclude competitors from cleaning up the security disaster that Vista is expected to be, so that it can make users dumb enough to buy Vista also pay through the nose to fix flaws that wouldn't be there if Microsoft sold quality programs in the first place.
  • by Todd Knarr ( 15451 ) on Tuesday September 12, 2006 @01:13PM (#16089673) Homepage

    Bear in mind that the EU isn't saying that Microsoft can't include security software in Windows Vista. What they're saying is that MS can't include it in such a way as to exclude competitors. For example, take a firewall. If MS integrates their firewall into the network stacks at the physical-code level so that no other firewall can take over, that's not allowed. However, if MS adds hooks to their network stacks to allow other modules/drivers to tap in and filter packet traffic, and then implements their firewall completely using those hooks and makes it so you can replace the loading of MS's firewall modules with a third-party firewall's modules, that's perfectly fine. And for anyone who says this can't be done, I'd point out that Linux and *BSD implement their firewalls in exactly that manner so obviously it can be done.

    • Bear in mind that the EU isn't saying that Microsoft can't include security software in Windows Vista. What they're saying is that MS can't include it in such a way as to exclude competitors

      Right. That's what the EU is saying.
      However, where is it documented that Microsoft is actually building it this way? I've seen many, many other remarks on this, and no source for something that says MS is actually making it hard/impossible to use 3rd party tools.

      I'm NOT defending them, would just like a source for thi
      • Well, if MS were building things in a modular way, there would be zero problem complying with the EU request. The only reason I can think of for MS to have any problems is if they're continuing to design Vista to exclude competitors in those areas.

  • by icepick72 ( 834363 ) on Tuesday September 12, 2006 @01:30PM (#16089839)
    So I watched the /. community and European Union argue how insecure Windows is and how bad that is, and then I watched them argue how Windows is unjustly implementing security and shutting out competition. Obviously, Microsoft cannot win, ever.
    Sometimes I think the world is just full of dumb-asses. (sounds like a Jack Handy quote)
    • Re: (Score:3, Informative)

      by crabpeople ( 720852 )
      "Obviously, Microsoft cannot win, ever"

      They make decent mice. Shitty keyboards though.. DAMN YOU F LOCK!!!

  • by DoctorDyna ( 828525 ) on Tuesday September 12, 2006 @01:42PM (#16089962)
    It seems as though Microsoft is / will have it's security products built into Vista, and will most likely build them into the TCP/IP stack at some level. Here is what most people seem to be ignoring here, and it's pretty simple.

    As it always has been, you can choose to use or disable any part of any feature in Windows. As it sits now with RC1, you can enable / disable features at will. Wireless networking configuration is built into Windows XP, but as everybody here knows who has a wireless network device of some sort, upon driver / software installation, that application takes over the duties of the Windows feature, usually by default. I don't know why anybody would have a reason to think that this would be any different from having a firewall in the OS, which, at the request of the user (by way of installation) gets replaced by some other product. We'll leave the discussion about inferiority for another time.

    People really should stop talking about a feature of Vista as if its sure to be some set in stone incumberance, and it most likely will not be.

    Oh, but it's built into TCP/IP! Anybody here ever installed the Novell client in Windows? Ever see what it does to your network protocols? Microsoft has said time and time again that it is keeping with backwards compatibility, are we naive enough to think that this won't include clients, protocols, craptastic software firewalls and anti-virus-viruses? Not so much. For those of you that need to experience a Novell client install for yourselves, go ahead. It's uninstallable. http://download.novell.com/SummaryFree.jsp?buildid =l1o2uFAj23U~/ [novell.com]
  • EU: We want efficient security in your next release.
    MS: ...can we just double the fine?
  • The EUs complaints have always been about other applications like IE, Windows Media Player and and now the whole host of security programs that Vista will have like Defender etc. These go be installed by default and if there is no way to chose not to install them or in some cases like IE no way to remove them then MS is abusing its monopoly. IANAL but if MS did provide you options to remove these and not make various OS features dependent on them then the EU wouldn't have a problem.

    I agree that MS should ha

An elephant is a mouse with an operating system.