The real reason we shouldn't depend on Microsoft for security

The real reason we shouldn't depend on Microsoft for security

Summary: There is no question in my mind that Microsoft is getting security right and that this means there's trouble ahead for third party security providers.  But is Microsoft's technical prowess enough to justify using its security solutions in lieu of those that come other providers?

TOPICS: Security

There is no question in my mind that Microsoft is getting security right and that this means there's trouble ahead for third party security providers.  But is Microsoft's technical prowess enough to justify using its security solutions in lieu of those that come other providers? Or should you forget comparing capabilities and instead focus on how a potential conflict between the needs of Microsoft's partners and the needs of its customers could interfere with your best interests (securitywise, that is)?

About three quarters of the way into last week's Dan & David Show, we have a sound bite of Symantec CEO John Thompson explaining why it makes sense for users to turn to third party security providers instead of relying on Microsoft to secure their systems.  By the time Vista ships, Microsoft will be including in the operating system, offering for download, and offering as Internet-based services a variety of security offerings that go head to head with the offerings of companies like Symantec and McAfee thereby drawing the viability of third party offerings into question.  In that sound bite, Thompson said:

When you have a monoculture, a true monoculutre, a single attack could wipe out literally millions and millions if not tens of millions  things and people.  And we truly have created in the desktop world, a monoculture and therefore, diversity in the security platforms that ride on top we think is of great value in protecting that infrastructure.

In a subsequent interview of Thompson, my colleague Dan Farber quotes Thompson as follows:

"Our only concern is whether Microsoft will play fairly," Thompson said. "If they deliver their classic portfolio, we can compete. However, if do something unfair, it will be difficult to compete against them. We have other venues for making our point."

Thompson is clearly on the defense and trying a variety of different messages to see which one sinks in.  But, in light of recent revelations regarding the launch of MTV's Urge and how it works hand in hand with Microsoft's Windows Media Player 11, there's probably a much better way to pitch the viaibility of third party security companies and it has to do with the conflict of interest that results from Microsoft's involvement in facilitating invasive DRM techniques -- techniques that Microsoft's own anti-malware technologies are designed to stop. 

Microsoft is between a rock and a hard place.  In partnering with MTV to provide a nearly frictionless and pristine user experience that works across Microsoft's digital rights management technologies, is it obligated to let that partner's practices slip trough its own anti-malware dragnet, even if those practices are normally ones that Microsoft's technologies would stop dead in their tracks?  As fellow ZDNet blogger Ed Bott wrote, by consenting to MTV's licensing terms, you are also consenting to let MTV do all sorts of things that you'd never let anyone else do to your PC.  Things that even Microsoft says its anti-malware is designed to thwart. This is not  to say that Microsoft won't or can't come up with some acceptable solution in the case of MTV.  Perhaps some friction will be added somewhere so the end-user has to approve of any software updates that MTV sends down the pipe.  I'm sure Microsoft has a lot of options.

But who would you rather rely on for your security? The company that has to some how resolve that conflict of interest between its partners and end-users, or the company that doesn't have that conflict?  Perhaps this is what Thompson was alluding to in his reference to desktop monocultures.  But, if he and other security companies really want to make their case, then it's better to give specific examples like this one. 

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Who would *I* rely on?

    Myself. I know what security companies and programs are out there. I know how to protect my machine. Whether I am an expert in security or not is not a factor. I do know better than to just click through something and agree to it without reading it. When was the last time anyone actually bothered to read a EULA? Not a whole lot of people do. They don't want to be bothered with taking the time. I think that is chief amongst the mistakes that anyone can make, whther they know computers or not. Some people assume thaat they know so much that they shouldn't have to read it. Some people just don't have enough patience to take the time.

    As for Microsoft's security measures, I will have to take a look at them and make an informed decision based on my own opinions. Not what anyone else tells me I should do. I don't trust Symantec as far as I can throw them. I don't much care for McAffee either. I know there are other things out there and I know where to look for them. I am not saying that everyone does but an informed person can sometimes get more out of what they get then someone who just point and clicks all of the time.
    • Reading EULAs

      As people have brought up over and over again - if you unwrap the software, you can't bring it back. And to read an EULA, you need to try and install the software (its not printed out in the manual). Sounds like chicken and egg to me! I REFUSE to install this software that I already paid for, because I don't agree to the EULA. Yeah, right.
      Roger Ramjet
      • And anyone who really read

        a EULA would never install any software anyway. I've never seen one that wasn't horrifying. (One of the reasons why I run linux.)
    • The user didn't have an option to agree to the Sony Rootkit

      At least in the case of Sony CDs last year, being a savvy computer user wouldn't have helped. This is why having security SW which is really on your team is so important.
    • Point and click

      You being of the other gender forces you to see things from a differant perspective.
      Males are hard wired to point and click
      Thats how we make babies .
      thats how we go to war.
      Thats how we watch the television.
      We point and click and ask questions later.
      We have no choice.
      We leave the choices to our women and after we are pointed in the right direction we click merrily onwards.
      as for being informed.
      My wife is continually informing me so therefore I
      must be informed.,I think
      Hold on I will just ask my wife
  • DRM is Spyware

    For all intents and purposes, iTunes and all other DRM programs are spyware. Therefore what purveyors and users of DRM systems are saying is that spyware is bad, except the ones we use. Therefore it is in fact a conflict of interest that you have companies both in the anti-spyware business, and DRM / spyware business.
    P. Douglas
  • DRM virus

    You KNOW its coming! Reverse engineer DRM to do what YOU want it to . . .
    Roger Ramjet
    • An alternative may exist

      There is a programme out there somewhere which I downloaded and managed to lose which enables one to install programmes and applications WITHOUT agreeing to the terms of the EULA.
      After all, one has to more than silly to agree to such a one sided agreement as the EULA but we all wish to use programmes we've bought, don't we?
      an email with directions to finding the anti-eula
      programme would be much appreciated.
      • Yes I know the software you speak of

        It's called Linux and Free Open Source Software.
        tracy anne
    • But don't talk about it...

      Lest you run afoul of the anti-circumvention provisions (
  • Another metaphor

    Relying on Microsoft for security is like relying on ATT for privacy.
    • Touche` Mr/Mrs. Stiennon, Touche`(NT)

      hehe ouch.
  • DRM=Security

    The only thing you can be secure of is that you have DRM.
    I can't help but wonder why no one mentions Microsoft purchasing the company that supplied one of the first DRM technologies that existed, to prevent copying of VHS tapes, a long time ago. It became a part of Windows. Now they are upping the ante. If you install the updates, you cannot play any cd on your computer unless it meets the windows DRM requirements.
    Microsoft is as bad as Sony, Apple, or any of the rest, if not worse.
    Down with Microsoft! Down with Sony! Down with Apple! Down with Crap!
    I trust them for security about as far as I can throw an elephant by the tail.
    Ole Man
    • In other words,

      DRM = Security, but not the end-user's security.
  • Microsoft Security Disaster

    I started late in the "beta" cycle for the OneCare thing -- that is about all you can call it.

    Installation on 2 machines was easy.

    Getting it to operate properly on either one of the two machines has been a disaster. We have spnt more than 20 hours trying to get these two installations to execute the security that was supposed to be provided by this application.

    I have never had so much trouble with any other program and there is no real fallback since we had to REMOVE all of the other (Norton) security programs we were using.

    Microsoft needs to take a hard look at how to maintain the operational capability of this application.
    • So you "removed" an old security package?

      Then installed another on the same OS install? Interesting how any issues must look like the problem is with the current software and has NOTHING to do with what you "removed".

      Consumer level security products are famous for completely FuBaring a system when you "remove" them. I'm sure the anti-MS boys around here will be able to come up with some reason why that's a Windows flaw (granted, the complexity of Windows allows it to happen, even if it's an honest mistake).
  • Live One Care

    I, like a fool, tried One Care and even paid for a year's subscription! Taking "advantage" of the Beta users' deduction. Then, the application came complete apart. I have NEVER had a "blue screen" with my XP machine. With One Care installed, I had EIGHT! Trying to work with "support" is a joke! My machine became SO unstable that I had to remove One Care AND Defender. I went back to Norton and haven't had ANY MORE problems. I wish there were a way to get my subscription cost back! But, with Microsoft, WHO am I kidding?!?
    • Worth a try

      Write them and tell them what you wrote here - that the product you bought didn't work, and you want your money back. Provide a reference to the relevant 'consumer protection act' or whatever it's called in the US.

      Write them again in a weeks time if they don't reply. Write them again with a copy to a consumer organisation or a national newspaper if they still don't reply. Letter number 3 usually does the trick.

      Just don't give up because they are big. They are big because you give them your money.
    • support options for One Care

      I realize I'm replying to something old but wanted to point out that support is available 24x7 from Microsoft for anything security related. I found a link that allows you to provide feedback for One Care as well:
    • you CAN get your money back

      If you paid using a credit card, then advise your credit card company that you returned/deleted the product and get the charged amount removed from your bill. Your credit card company wants YOU to be happy, they don't care about Microsoft. My various credit card companies do it for me all the time when I am not satisfied with any purchase of download product.