Windows OneCare Live: Has the world gone mad?

[aidanjt]

Think about this logically, Microsoft, writes Windows, customers pay Microsoft for Windows, Windows has tons of security holes, bugs and stability issues, Microsoft patch at a leasurely rate, and now Microsoft wants $50 per year to patch up the holes that Microsoft themselves make with this "OneCare Live" thingy..

Am I the only person who thinks this is insaine?.. I can understand 3rd parties requiring subscription fees for their products (to a certain degree). But Microsoft.. I mean come on, is it not enough paying £100 odd for your operating system, then the company you bought this operating system from says "oopsy, we have a few problems with the operating system you bought from us, give us (yet) more money and we'll fix it for you (maybe)".

I'm not a Linux zealot, but I'm becoming more and more disgruntled with Microsoft, and quite frankly it's getting to the stage where the safest way to conduct network transactions is with anything that isn't Microsoft.

[Moby-Dick]

Onecare is AV software? - whats insane about purchasing that ?

my god you mean everything isn't for free ? the horror of it all.

Security patches are still free from windows update. I think you need to get your facts right before you slip of that soap box and hurt yourself.

[nichomach]

OneCare is a combination of AV and firewall, indeed the sort of stuff that you'd normally pay an AV vendor like Symantec/Norton or McAfee for. MS are not charging for security updates; OneCare is a new and separate product. If they bundled it with Vista, then they'd have the same ongoing expenses that AV companies charge subscription fees to cover (AV engine and definitions updates, firewall rules updates and updated threat detection) with no income from it. Also, they'd probably get done for anti-competitive practices, since they'd be freezing AV and firewall vendors out. OS fixes and updates are still free as Moby says, and if you don't want to buy OneCare, use AVG or Avast or something.

[aidanjt]

Originally Posted by Moby-Dick

Onecare is AV software? - whats insane about purchasing that ?

my god you mean everything isn't for free ? the horror of it all.

Security patches are still free from windows update. I think you need to get your facts right before you slip of that soap box and hurt yourself.

I don't think you're getting the point, Microsoft are entirely responsible for the holes that worms, viruses, malware, and spyware exploit to infect systems. Yet Microsoft expect the users of their operating systems to pay them to shield off the netnasties that are a byproduct of their poor software engineering. I never denied that security patches were free, I simpily stipulated their patching rate is leasurely at best. That is a fact.

[Moby-Dick]

So no one is allowed to make money from IT security ? as all software ( in oyur ideal world ) should have all be perfect to start with ? I mean if we didn't have people who'd exploit weaknesses in software, we wouldn't need a firewall at all ?

You make it seems as if only microsofts products have holes in them ?

as nico said , if they budled this with windows they'd be accused of anti competative behaviour. You are free to choose what ever security software you run , be it open source or otherwise. I'd like to think that the MS offering will have some advantage , but superiority doesn't always disctate market forces ( for example I cant see this being huge in the enterprise secotr - but it looks a viable alternative to the home products )

When is you own perfect operating system due to be released by the way ? I assume you could do it better and will be demonstrating this ?

[autopilot]

Actually aidanjt, i am with you on this one (sort of). I can see it from both side's, but i think its a little odd. There is going to be a serious confict of interest i think. There is nothing wrong with buying AV/Security apps from third party companies, but this is a Microsoft product desgined to protect us from holes in other microsoft products. If microsoft were better and faster at patching Windows vunrabilties, we would need it.

It's a stange logic, but ultimately there is nothing wrong it really. I would like it better if it was free, but I guess microsoft need the money

[aidanjt]

Linux has a grand total of 7 viruses, all of those which require root privilages to infect, so guess how many infect Linux boxes there are. Perfection is impossible, but good software engineering practices cuts down on holes, patching holes as and when they are discovered. I'm just one person, Microsoft has thousands of programmers on its payrole.

We'll see how Vista fairs in security, but I wont hold my breath as Microsoft seem more interested in tarting up the UI than the core system.

I'm not arguing that Microsoft would be torn into the courts faster than you can blink if they offered it for free. I just feel that its adding insult to injury.

[camalbitboy]

I too can see both sides of this one.

I mean whilst Microsoft are at fault for a lot of the holes in their software, they aren't at fault for all of them. I mean if you go and download an email with a script in it that wipes yuor hard drive thats not MS's fault. Thats why you pay AV people to spot, track, and defend against these things. Can't blame MS for wanting some of the action on that.

I can see a conflict of interests with MS producing AV/firewall software. If they can flog a subscription for a firewall to prevent attacks like buffer overruns etc, they aren't going to be too worried about correcting the underlying code, keeping you paying that subscription.

All depends on how cynical you are I spose.

[aidanjt]

Originally Posted by camalbitboy

I mean whilst Microsoft are at fault for a lot of the holes in their software, they aren't at fault for all of them. I mean if you go and download an email with a script in it that wipes yuor hard drive thats not MS's fault.

Why should a scripting engine be embeded in an E-Mail client period? An E-Mail client is designed to fetch/send mail, organise the incoming mail, and allow the user to read the contents of an E-Mail.. Even if the marbles in your head rattle around and you somehow manage to justify a practical use of a scripting engine in an E-Mail client, you could never justify giving the engine write access to either E-Mail clients or Browsers.

I'm getting more synical as I get older :/

[ikonia]

aidanjt,

I suggest you start talking about these points in a more real situation, than just advocating linux on the virus argument.

1.) Microsoft has currently been the main desktop system for a LONG time now and has progressed its product and moved reasonably fast with new technologies. This means there is more potential to have holes, and yes microsoft is a weak security platform, but it does fix and give them out free to registered users.

2.) You can buy additional products to help protect your microsoft platform against these potential exploits, such as 3rd party antivirus and spy ware products. Microsoft is one company offering this additional protection, in the same way norton, mcaffee etc etc

3.) Microsoft has only a few main products - such as XP and Server 2003 that are still supported so there are going to be wholes in the older none support platofmrs, while the newer platforms are activly patched.

Now with that said.....lets take a look a the linux platform your suggesting.

1.) you are very correct on your virus comments with regard to linux, well done you. However. When you talk about Linux your really only talking about the kernel, so lets take a look at the security issues with just the kernel alone shall wel.
a.) a malicious backdoor was inserted into the 2.6 kernel, and was only picked up after release and quickly fixed, however this MASSIVE security exploit did get in.
b.) there are constant security updates to the kernel to either improve of fix security issues.

2.) Now lets take a look at the distrubution maintainers - which is what I think you "really" mean by "linux"

First distro - redhat Enteprise AS 4 - serious paid for enterprise class linux release.
Security holes
RHSA-2006:0199 Critical: mozilla security update
RHSA-2006:0200 Critical: firefox security update
RHSA-2006:0194 Moderate: gd security update
RHSA-2006:0160 Moderate: tetex security update
RHSA-2006:0184 Critical: kdelibs security update
RHSA-2006:0101 Important: kernel security update
RHSA-2006:0156 Moderate: ethereal security update
RHSA-2006:0159 Moderate: httpd security update

These are just examplesI counted over 60 (got fed up with counting) on page one just for Redhat AS 4

Now from Debian

DSA-965 ipsec-tools null dereference
DSA-956 lsh-server filedescriptor leak
DSA-947 clamav heap overflow (oooh look - antivirus product insecure)
DSA-941 tuxpaint insecure temporary file
DSA-935 libapache2-mod-auth-pgsql format string vulnerability

Again just a few random examples as I got fed up of counting them again.

The windows products are always more visible as the OS contains everything so the windows patch list will be 300 while linux will have 2 for the kernel 10 for KDE, 10 for apache, 3 for clamav etc etc so it looks much more weak and diluted away from the Linux name.

All OS's and components will contain exploits its how quickly the vendors put out fixes and how quickly and effectivly users can pick them up and apply them.

Linux is as insecure as windows if its not managed properly by the users and the distro maintainers.

Hard to believe this is coming from a none microsoft user, however I am none microsoft user whos doesn't jump on the "its cool to slate MS for security and have either poor knowledge of the alternate products or say things because its cool to say them"

[Moby-Dick]

You say conlicts of interest is MS , but what about other security vendors ?

whats to say that Norton ( for arguements sake ) pops a little banner about hos is has just prevented an "attack" on your system ( when the truth of the matter is that its far from that ?)

the boundary between cynicism and dogmatism is a fine one.

[camalbitboy]

Originally Posted by aidanjt

Why should a scripting engine be embeded in an E-Mail client period? An E-Mail client is designed to fetch/send mail, organise the incoming mail, and allow the user to read the contents of an E-Mail.. Even if the marbles in your head rattle around and you somehow manage to justify a practical use of a scripting engine in an E-Mail client, you could never justify giving the engine write access to either E-Mail clients or Browsers.

I'm getting more synical as I get older :/

I was thinking more along the lines of dodgy attachments etc. The point that i was trying to make is that there are other ways for viruses etc to get on your system than a straight Hack.
There are people in the world that if they find a disk in the street with "the worlds best pron and Elvis's long lost unreleased album" may well slap it in a drive without any thoughts as to what nasty's may be on it. I don't think that you can hold MS accountable for that, or the fact that they would like some of the money spent on programmes that can scan said disk and tell you that its got a trojan/multimillion selling LP on it.
Don't get me wrong, MS have left some massive holes in their programmes, and I am also suspicious as to how hard they will try to patch if they can get a subscription fee to cover mistakes instead. Mind you, they don't try particularly hard now, so what harm can it do

[Vini]

the one good thing ive read about one care (even after beta testing it since first release) is that the $50 fee will cover 3 pc's - licensing wise.

for me this is perfect.

i have 3 pc's (mine, dads and sisters)

if we get the direct conversion of $50 (£35) then its not bad for 3 pc's.

if we get crappy uk crappy uk crappy uk crappy uk crappy uk crappy uk crappy uk crappy uk crappy uk crappy uk crappy uk crappy uk £50 conversion. then it sucks. not because £50 is a lot to cover 3 pc's - but its a lot compared to the us rate!

crappy uk crappy uk

[badass]

Viruses have been around since home computers have. They just spread differently. The fact that microsoft software is targetted by the vast majority of it is neither here nor there. It is installed on the vast majority of systems. They are not selling a product to cover for their own holes, more the holes in most users heads when they open an attachment promising XYZ form someone that would never send them that.

[Moby-Dick]

As the T-Shirt used to say....."social engineering : theres no patch for human stupidity"

[aidanjt]

@ikonia: I have talked about these points in a real situation, addressing your additional points:

Originally Posted by ikonia

1.) Microsoft has currently been the main desktop system for a LONG time now and has progressed its product and moved reasonably fast with new technologies. This means there is more potential to have holes, and yes microsoft is a weak security platform, but it does fix and give them out free to registered users.

I'm well aware that Microsoft holds the desktop market, the mear fact that they jump on new technologies and deploy them before they are mature enough for safe use is a testiment to what I am saying here. I never once denied that Microsoft doesn't patch the holes discovered and distributes fixes freely, I'm stating they do so at a leasurely pace.

Originally Posted by ikonia

2.) You can buy additional products to help protect your microsoft platform against these potential exploits, such as 3rd party antivirus and spy ware products. Microsoft is one company offering this additional protection, in the same way norton, mcaffee etc etc

I'm more than aware of this as well, however my point is that Microsoft charging users to sheild the holes that their software contains adds insult to injury.

Originally Posted by ikonia

3.) Microsoft has only a few main products - such as XP and Server 2003 that are still supported so there are going to be wholes in the older none support platofmrs, while the newer platforms are activly patched.

exactly.

Originally Posted by ikonia

1.) you are very correct on your virus comments with regard to linux, well done you. However. When you talk about Linux your really only talking about the kernel, so lets take a look at the security issues with just the kernel alone shall wel.

I'm well aware that 'Linux' is just the kernel, I never made any kind of use of language that suggested otherwise. Recall my assistance with your linux issues. I'm not a Linux newbie jumping on the bandwagon against Microsoft, this has nothing to do with Linux, I mearly brought it up as an example. I could have brought up Solaris, BSD, OSX or any number of operating systems as an example, however I know Linux best so I opted to use it as an example.

Originally Posted by ikonia

a.) a malicious backdoor was inserted into the 2.6 kernel, and was only picked up after release and quickly fixed, however this MASSIVE security exploit did get in.

Note your use of 'picked up after release' and 'quickly fixed'. I'm not claiming every release of opensource software is perfect beyond reckoning, I havn't done so. However as soon as bad code is detected it has a patch submitted nearly the same time as the announcement.

Originally Posted by ikonia

b.) there are constant security updates to the kernel to either improve of fix security issues.

I would be deeply concerned if there wasn't. Linux developers take a pro-active aproach (auditing code, testing, correcting, deploying patches) to kernel security, I don't see how this is in any way negitive.

Originally Posted by ikonia

2.) Now lets take a look at the distrubution maintainers - which is what I think you "really" mean by "linux"

If I was discussing distributions in general I would use the term GNU/Linux to describe the kernel and it's supporting software to form a fully blown Operating System.
However you are incorrect in quoting 'Distribution' security announcments, distros only pull in source code from other projects to form an operating system, the issues are relivent to that particular project, the same version will have the same holes regardless of distribution. I never claimed opensource software to be flawless, but the turn around for security flaws is typically between minutes to a few days. Not months or years.

Originally Posted by ikonia

The windows products are always more visible as the OS contains everything so the windows patch list will be 300 while linux will have 2 for the kernel 10 for KDE, 10 for apache, 3 for clamav etc etc so it looks much more weak and diluted away from the Linux name.

And rightly so, a basic LFS consists of nearly a hundred seperate projects, each having their loyal, dedicated developers, all of which are putting in millions of man hours improving the software they love, and not asking you for a dime.

Originally Posted by ikonia

All OS's and components will contain exploits its how quickly the vendors put out fixes and how quickly and effectivly users can pick them up and apply them.

Exactly.

Originally Posted by ikonia

Linux is as insecure as windows if its not managed properly by the users and the distro maintainers.

Sorry, I plain disagree with you there. The architecture itself as a whole is systematically more secure. Linux was written from the ground up as a multi-user kernel, as goes the rest of its userspace components. Windows, and all its accompanying software started out life as a single-user enviroment. Something which is still very evident today.

Originally Posted by ikonia

Hard to believe this is coming from a none microsoft user, however I am none microsoft user whos doesn't jump on the "its cool to slate MS for security and have either poor knowledge of the alternate products or say things because its cool to say them"

I never made this a Linux vs. Windows comaprision/rant, my issue was with Microsoft asking users for additional money to sheild out the holes that Microsoft put in their own software.

Now can we stay back on topic?.. Is it morally, or even legally fair for a manufacturer to supply defective goods and ask additional payments to mask the flaws they produced?

I don't think it is, thats what my argument boils down to.