Opinion: So why can't Microsoft build in security?

The courts wouldn't allow it

By Simon Moores, 12 October 2005 09:00

COMMENT Regardless of whether you believe Microsoft is responsible for the poor state of computer security, even if Redmond now wanted to shore up Windows, it probably couldn't, says Simon Moores.

When, two years ago, Microsoft purchased Romanian antivirus vendor GeCAD as part of its Trustworthy Computing initiative, I warned the result might lead to a queue of antitrust lawyers gathering around the Capitol building in Washington, as the thriving and lucrative antivirus industry protested at the very notion of Microsoft including better security in its products.

Time has passed and the mutters of discontent seemed to have subsided following diplomatic expressions of co-existence with the Redmond giant from the largest antivirus companies.

However, this month, Europe decided the prospect of Microsoft marketing consumer security was an oxymoron that demanded further investigation, and the Brussels antitrust regulators have reportedly invited Symantec to volunteer its opinions on Microsoft's OneCare - a plan for a comprehensive, subscription-based consumer PC health check service that will offer automatically updated antivirus, anti-spyware and firewall protection.

There is, however, a moral slant on this story that makes me uncomfortable. In a rational world, a company such as Microsoft - which many would regard as directly or indirectly responsible for the mess we now find ourselves in - might reasonably be expected to offer inclusive measures that would make the Windows platform more robust from a security perspective.

Two years ago, after a number of conversations with people at Microsoft, I was fairly satisfied that many in the Trustworthy Computing group would have been quite happy to bundle better and better security into Windows entirely free of charge. "The trouble is," one person told me, "that the antivirus industry would scream antitrust if we did. We would have to charge because the rules won't let us give it away free."

Whether Microsoft has changed its position and would now prefer to milk the consumer instead, I don't know - but I doubt it. In my own experience, Microsoft wants to be able to deliver the best possible security to the weakest link in its business - the millions upon millions of consumers who are unwittingly breeding tens of thousands of botnets and other nasties that threaten the economic fabric of the internet on a daily basis. But if I'm right, Microsoft can't because the law won't allow it.

In some ways, this is rather like saying that if you buy a new house, the builder is not permitted to make it burglar-proof. Of course you can have basic locks but double-glazing is certainly not permitted, neither is an inclusive burglar or fire alarm. You have to go to the aftermarket for these and perhaps pay through the nose on a subscription basis if you want any peace of mind.

Without a doubt, Microsoft, through previous antitrust actions which very nearly saw it broken up, has created a moral dilemma which the courts cannot easily resolve. Through vigorously protecting society against the risks of a software monopoly, the courts have unwittingly created something approaching a cartel of commercial security interests which run contrary to the interests of a billion or so internet users.

In theory, internet security should be free and transparent to the end user in much the same way as one takes for granted that one's television or telephone won't be hacked. But this is an industry now worth in excess of $20bn each year - and it's not one you can expect to be given away to the man in the street, or even Microsoft, without a fight.

Comments

There are 8 comments.

  1. Simon

    The logic is flawed, very badly!

    There is nothing wrong with Microsoft bundling certain facilities into an OS, the problem is when they do so in support of a monopolistic approach to 'seeing off' the competition.

    As for the secure house analogy, there would be nothing wrong with offering to fit secure locks and windows at a reasonable price. What would be a problem would be using a proprietary design of window so that other window suppliers were not able to provide windows on a level footing.

    What IS going to happen is that vendors (not just MS) will bundle more and more functionality into the base products (such as secure locks and windows as standard) and the third parties will have to adapt their business/market accordingly.

    To give an example, there used to be a market for MP3 playing software. Now there is no OS shipping without the inbuilt ability to play MP3s. The vendors of MP3 players have either disappeared or moved on to something else. Tough, but unless (as MS have pointed out in the past) we are prepared to put a halt to progress it is the way things are going to go.

    To see how things change just take a look at the automotive world. There's still a number of suppliers of aftermarket accessories - but none of them are now selling indicator light kits, or heated rear window kits, or even (going back a bit further) side & headlight kits. All these parts are now standard on almost all new cars - just as many functions now done by extra software will get subsumed into the OS over time.

    What we have to be on our guard about is the ability of a large player like MS to explicitly target a market and destroy all competition by the simple act of bundling (for free or at zero cost) its own software, or by making its own software the default unless the customer makes a conscious decision to use something else.

    And this is where I would not like to be sitting in judgement!

  2. Richard

    Third-party security businesses exist largely to overcome problems with Microsoft software:

    Some "convenience" features in Microsoft Windows and their other software are inherently risky.

    Other vulnerabilities stem from the complexity of these bloated programs.

    When you buy a new PC you then have to spend several hours downloading patches and updates before actually using it. Throughout its life, it needs further regular patches and updates.

    This is bad enough using broadband: It's hell using a dodgy pay-as-you-go dial-up connection.

    No other industry would get away with such poorly designed products.

  3. anonymous

    Stating Microsoft cannot improve the security of the operating system is akin to stating the automobile manufacturers cannot design and build safer vehicles because it will adversely impact the auto repair and medical professions. The issue is not the improved security; it is how the improvement is obtained. Eliminating buffer overflow vulnerabilities is fine. Allowing only their proprietary solution at extra cost for addressing the buffer overflow defect in the product is not.

  4. anonymous

    The issue is not whether MS should or shouldn't have the proprietary edge over this mob of other Virus protection companies. The Windows product, intentional or not, is designed in a way that allows the problems to come into fruition again and again. Without giving a history lesson, for the interested reader I wish to point out just a single point. A good portion of viruses are born from the web, are executable files, and the user (most of the time the sole user) of that system unleashes it. Because of Windows' security architecture, this virus has access to the most important system files on the system (in a common setup). This is where the problem lies. Despite this, MS has not restructured things to prevent this. Why? I can't imagine. It has, however, with an inferior product, spawned a mecca of wealth and output by indirectly creating this "cartel" of antivirus companies.

  5. MattiasW

    Anti-virus is good for security but not needed. It would be enough if Windows asked for a password before installing a program, just as the Mac does. Then the bot wouldn't ever run.

    Windows can already do this, but MS doesn't want to enable it by default, ask them why!

  6. Marcus D. Hanwell

    It would seem your analogy is wrong in the sense that Microsoft do not build the house, the PC manufacturers do and Windows is just another component. Most already bundle security products with their PCs, and people are free to choose who makes their PC for them just as they are free to choose where they buy their house.

    There are also many more aspects to security than just antivirus and firewalls. They have been uninterested in these areas for many years and other companies have moved in to fill the obvious voids. Microsoft are able to compete with them, but shouldn't be allowed to force these companies out of the market because they have suddenly gained an interest in these market areas.

  7. anonymous

    Simon, sorry but you are wrong. Very wrong.
    Car makers didn't add headlights, seat belts and indicators to cars just to put spares shops & makers out of business.
    Microsoft can (and of course) should add anti-everything to their software if there is a danger of it having an accident, in the way a car has stop lights if there is a danger of a car behind shunting its rear.
    The greedy AV writers have had a lot of jam over the years, so should stop whingeing.
    Those car spares makers didn't complain about safety measures being built into cars, but then again, they probably didn't cause darkness, fog and collisions to happen in the first place... ;-)

  8. Jamie

    Microsoft is just a victim of its own success. Windows is no more or less secure than Unix, Linux, or Mac. The big difference is that it has the largest market which makes it the obvious target.

    All OS's need Antivirus, All OS's need patching. In the automotive world when a new vehicle model is released, it is released with more than a thousand KNOWN faults and more come flooding in during the first few months. These are mostly fixed or 'patched' during the first service.

    Microsoft only gets the bad press because it's what you have got on your desktop at home and or the office.
