Microsoft must stop selling security as a premium offering (directionsonmicrosoft.com)
79 points by herbertl 14 days ago | hide | past | favorite | 45 comments



The article is about various enterprise security features - not about getting security fixes to your operating system. These are more about logging, analytics over the logs and more control over the workstation configuration and different security policies.

These are tools that can increase security for an organization that has resources to properly deploy, manage and monitor them. IMHO they don't do much unless you have people who can dedicate time to dig into them.

Providing the storage and processing capacity on the cloud costs money, so it is difficult to bundle them with a reasonably priced perpetual operating system license. There's also a lot of competition in this space.


Many many millions for a chatbot that slurps your emails or an integrated web browser that reports to the mothership, but no room in the budget for proper EDR because cloud storage. I just don't buy this argument at all.


> storage and processing capacity on the cloud costs money

that's the whole point.


Security costs money to constantly keep up, requires teams to be allocated 24/7 to test for vulnerabilities, keep track of malware out in the open, etc.

It costs money to make things secure; moreover, it's one of the major features which enterprise is actually willing to pay good money for, or else they’ll go for a lower tier.

I get how it sucks that not everyone gets great quality security for no or low cost.

But this is a world where most people do not respect software developers' work, where most b2c consumers are happy to pay $10+ per DAY on a cup of coffee but not willing to spend $10 PER MONTH on software that they use every day and that improves their life and work.

Idk, it takes effort for people to keep apps up to date with OS upgrades, maintain libraries, fix bugs, fix security issues, keep battery usage low, improve performance, support 110 different screen sizes with different Android and iOS versions, desktop apps, web browsers, whatnot.

Yes, you need to pay for work; if it was cheap to have great security, some other software would have already started winning all enterprise deals.

It takes money to keep software running. Microsoft would have been happy to get the PR boost from offering great security for free for everyone; they must have figured people won't upgrade to higher offerings if they do that. They already give a lot of great tools away for free.

Someone needs to pay for the work; it's not like the software is that expensive, it's nominal in most cases, especially if you look for good deals.

I'm saying it as someone who hates Microsoft, uses Linux and stays away from any major Microsoft product except GitHub.


You're arguing that security shouldn't be free, while the article is arguing that security shouldn't be a paid add-on to a service for which you already pay a lot of money.


But you're not paying for a security product on the base tier.


An operating system is by definition a security product, because one of the key features of an operating system is access control.


Did you even read the article or at least open it, or are you just mindlessly jumping on the Microsoft hate bandwagon? The security topic in the article is not about Windows here.

And even if it were, absolutely all operating systems have security holes most people and the manufacturer aren't aware of, aka zero days. Even Linux has backdoors the community is shocked to uncover by accident from time to time.

If we expect all software to have zero security vulns, nobody would ever write any software and we should all go back to using typewriters and messenger pigeons.


> where most b2c consumers are happy to pay $10+ per DAY on a cup of coffee but not willing to spend $10 on a software PER MONTH

You can see where the money goes for the first, planting and farming, physically transporting beans across the world, processing them, physically making and handing you the coffee.

Bits in a screen that someone just comfortably typed and then pressed a button to ship is not as valuable. On the other hand, even if you can charge much less for it, you can charge it to everyone in the world for pretty much zero additional cost. So I wouldn't complain with the tradeoff.


I pay ~$200 USD for a Windows 11 Pro license, usable for the life of the machine if it's an OEM license and for as long as I live if it's a retail license. That's basically nothing over a sufficiently long timeframe.

I pay $70 annually for Microsoft 365 (read: Microsoft Office), that's ~19 cents per day. That's practically nothing.

Commercial licenses are more expensive, but businesses will have bigger budgets to match.

I guess what I'm trying to say is: At some point you'll come off better just admitting you're a cheapskate who doesn't want to pay for software.


These cheapskates that paid the price the software was sold for...

At some point they should admit they totally screwed up their pricing structure instead of saying that security is an optional add-on.


I agree, but would add this: I think turning buying an operating system into a push-your-luck video game with serious, real-life, negative consequences is bad. Average consumers (and many contractors) are not equipped to evaluate the risks they are taking on with this stuff, and the marketing puffery is impossible to decipher even for people who do this for a living.


You can be mad at human nature or you can try to understand it. The peoples of the world didn't decide to start an anti-software cabal and fake less willingness to pay. So if they do have less willingness to pay, how do you explain it without a useless mental crutch like "they are too cheap"?

Of course there are many costs; datacenters aren't free. The point is what a normal consumer psyche is going through during the purchasing moment.


If you don't want to pay for software, that's fine because that's your money and your prerogative.

But if you are feeling a need to lay out excuses to justify yourself, that is just pathetic to witness. Just say you aren't paying for software rather than claiming programming isn't valuable work.

As for normal consumers, they just pay up and go about their day: a fair price for good software that satisfies their needs and desires. There are more people out there buying Windows and Office than there are people freeloading off of Linux and LibreOffice (and far fewer people who "pay" for Linux and LibreOffice by contributing back).


"cheapskate", "freeloading" - you're not really hiding your contempt for people that don't want to pay for Microsoft products. There's a myriad of reasons why companies, public institutions like governments and universities pay for Microsoft, and it's not 100% based on merit.

In one example, the Government of Quebec was successfully sued because of how it preferentially used Microsoft products _without allowing alternatives_ in its contract bidding process [0].

Leaning on "free software users are cheapskate freeloaders" and framing it like Linux is lower quality than Windows because of money spent is a reductive view - it depends entirely on what you use your computer for.

0: https://www.cbc.ca/news/science/quebec-government-sued-for-b...


You should read to whom and what I am replying to first:

>Bits in a screen that someone just comfortably typed and then pressed a button to ship is not as valuable.

This is a guy who argues that programming is not valuable work compared to a cup of coffee, as justification for his refusal to pay for software.

That, as far as I'm concerned, is a cheapskate and a pathetic one at that.

Programming is valuable work and some programmers want to be compensated in coin for their work. Not all users will want to compensate in coin or even compensate at all. These are both fine. Devaluing the former to justify the latter is not fine, and is what I am attacking.


I don't argue it. The behavior of consumers shows it. I'm just noticing it and sharing my observation which you're free to disagree with, but I think digging on this rather than calling our customers cheap will only advance our cause. You should learn to separate the person from the argument.


Couldn't have said it better myself.


I'm talking about general attitudes of consumers of software, as a software developer that depends on people buying software to pay bills. You kept trying to make this about me personally not paying for software when you have no idea where I spend my money - rather than address the fact that people do have less willingness to pay for software. Do you think you'll be more or less successful at selling your software if you understood your buyers more and called them cheap less?


I'm not sure from where you are concluding that people are less willing to buy software. Most people buy Windows, Office, Adobe's suite of programs, video games, and much more enough for there to be a burgeoning market.

Of course, I agree a lot of techies and especially the audience here (who aren't normal people for conversations like this) don't like buying software, nor selling them for that matter. Actually, sometimes I get the impression they hate the very concept of money, but I digress.


Pro 11 is still subject to bullshit ads. Prefer 11 Enterprise licenses so that ads can be completely turned off.


Security vulnerabilities are faults in the software product. In no other industry do we accept selling a faulty product and then forcing the buyer to purchase a subscription to have those faults fixed.

Would we accept a car that explodes if someone whistles a certain tune near it as "just a bug"? And also accept paying to patch that bug?


Cars are a poor example. There are some pretty wild safety issues in the car industry.

In the U.S., energy efficiency regulations are weak, so car companies push huge SUVs and light pickups as the "perfect" family vehicles. These things are massive and not crash-compatible with normal-sized cars. If a big SUV hits you, you're in more danger than if it was a regular station wagon. Plus, those off-road capabilities mean they can hop a curb and take out a pedestrian. And the insane height? It's a nightmare for visibility. You can't see kids or pets in front of you. That's led to some awful driveway accidents.

"Fully self-driving" cars aren't really self-driving; you still need to keep an eye on them, but the marketing suggests otherwise. A few self-driving cars occasionally emergency brake on a highway. Big modern touch screens in cars look sleek, but tactile controls offer a safer and more intuitive way to adjust settings without taking your eyes off the road. Some cars such as the Fisker Ocean are unnecessarily unreliable, where the gear, brake, etc. system casually stops working while driving, asking you, the driver, to take a mental note of that and to please not shift gears for a while, for example.

And don't get me started on car lights. Why is it that brake lights and turn signals can both be red? Why is it that they can share the same light? It's a mess. Then there's the remote control features with garbage access controls. There have been cases where someone remotely turned off a car's engine while it was driving. Talk about a scary security vulnerability.


"Buy the new Red-Balloon-Special warranty package - when your car explodes and you survive, we'll send you flowers and red balloons straight to your hospital room, and a refurbished car will be waiting for you as you get released from hospital care. But wait, there's more - a free fire extinguisher is included, in one of five funky colors of your choice!"


I'd say that we're duty-bound not to knowingly release insecure software, or at least to put big red "cigarette warning" labels on the packages.

If the only way we can make cheap software, is to make insecure software, then maybe we shouldn't be selling cheap software.

It's a conundrum. If we don't sell cheap stuff, someone else will, and eat our lunch.

That's one reason that a regulated industry is sometimes the only solution (an unpopular stance, as evidenced by the almost instantaneous reaction to this comment).


I wonder how this would look in a lawsuit. Claiming that a company is liable for security flaws in their software is a lot easier when the company sells solutions to those security flaws as a premium product.


politely disagree -- this framing misses an orthogonal component.. purpose.. a simple example is a desktop publishing app on a desktop computer. Minus complicated fringe cases, the purpose of the software and its setting are not really related to security in the way that communications on a network are related to security.

The furor and obsession with networked communication has obscured simplicity in so many cases.


That’s an excellent point.

Not sure I’d think of it as a “disagreement,” though; just another angle.


Pretty much this. If you don't want to pay Microsoft a subscription for extra security, you are free to build your infra from scratch using a 100% FOSS stack and do your own security over it, including hiring dedicated security experts to keep on it 24/7. See how much that will cost you.


The biggest problem with Microsoft's products is that they are insecure by default. Once you get that, you see it everywhere.

Opening attachments in MS Office is insecure, because macros can access all files on the system and execute code willy-nilly. Yes, there is a button asking if you want to enable macros in the document. If a single user presses that button, your org gets owned.

Yes, you can secure everything but 90% of admins don't do anything about it. They sprinkle anti-virus on top and call it a day. If it blows up then they couldn't do anything about it. Microsoft knows this.


Install a Linux distro if it is an option.


While that suggestion is music to my ears (I've been using Linux/BSD on my private machines for over 20 years), for the overwhelming majority of users, that is not an option. Tons of applications are available only on Windows, and sometimes on macOS. I second-hand observed one case of a company trying to migrate from MS Office to LibreOffice only to realize that they were using add-ins for Office (something SAP-related, IIRC) that were/are not available for anything but MS Office.

Unless Microsoft themselves push for a (yet another) "year of the Linux desktop", I don't see it happening on a large scale. The other option would be for customers (large companies, government agencies) to demand a change en masse and invest the money needed to make it happen, which I don't see happening in at least the next decade either, as much as I would love to see that.

EDIT: One more option I could think of would be for online security to become such a nightmare large corporations see their profits dwindle, both tech companies and "old school" companies who have become accustomed to using the Internet for their business. Imagine a world where you need to do a clean install each time you connected to the Internet to ensure no sensitive information is leaked and no malware infests your machine. A world where opening an email has become so risky people prefer going back to snail mail and fax. And so forth. I don't really see that happen either, but it seems slightly less unrealistic than the above scenarios.


> Imagine a world where you need to do a clean install each time you connected to the Internet to ensure no sensitive information is leaked and no malware infests your machine.

This is exactly how Qubes OS disposable VMs work.


It's good the system offers that option, but right now for most people it is not necessary (yet).


I don't know how you can be so sure.


I've been using KDE Neon on my secondary box for years now, and overall it's been great, except for two points which still mean it's a no-go for my primary desktop. With gaming on Linux now being in a great position, it's one down, two to go.

First, and by far the most important, no RDP alternative with similar performance and functionality.

Second, I'm really fond of the full-disk backup I have running. It has saved my ass several times, allowing me to be back in action in less than an hour with minimal data loss, by simply swapping out the disk and restoring.

I know there are some good backup options for user data, but I'd still need to reinstall all the applications and re-tweak all the various configuration options etc., which makes it much more of a hassle to restore.


> Second, I'm really fond of the full-disk backup I have running. It has saved my ass several times, allowing me to be back in action in less than an hour with minimal data loss, by simply swapping out the disk and restoring.

Does ZFS approximate this?


I've been thinking about running ZFS on root. I've been running ZFS on my NAS for ages and have been very happy, but I've also seen many posts on the mailing list about people suddenly being unable to boot ZFS root systems after some update. As much as I love ZFS, it's a very complex beast, and that makes me a bit wary of using it in that role.

However in theory it would be great, I think. So I'm considering trying that on my secondary box soon.


MDE plan 2 is no assurance of security. There was an incident where Microsoft, in their infinite wisdom, pushed out definitions that caused the removal of many valid app shortcuts, freaking users out that all of their apps had been deleted. This is not an isolated incident. MDE makes sweeping changes to millions of machines that Microsoft appears to barely test at all.


Security features should be free or a lot cheaper. But compliance? Heck no. Customers with compliance requirements are the ones with some group demanding they prove that they're adhering to numerous (sometimes contradictory) policies. If they can afford to create all that red tape, they can afford to pay to comply with it.


Yes.

Microsoft should have a variety of hardened images included on every Windows installation media.

After a hardened OS image is installed, it should not be left to the administrative user to figure out how to make one of the 100 most common Windows apps work with it. Instead, Windows should allow novice administrative users to say "allow Office 365 to install and run," or "allow Adobe Photoshop to install and run."

Then there should be a matrix where the administrative user can grant or deny permissions to each app. Do we give permission to Adobe Photoshop to phone home or not? I should be able to examine every packet and know exactly what is going on.

We need a law similar to the GDPR for local programs that forces software makers to annotate all network traffic, and that always allows the user to disable security-weakening features.

Until we know exactly what our PCs are doing on the Internet, we have zero chance in the Information Security War.

Before someone says "that would help software pirates," know that it would be perfectly OK for a company to send a large encrypted block labelled "request for license authentication" and receive back another large encrypted block labeled "license activation."


Just using the virtualizing features Windows already has (and has had for years now) to provide application sandboxing in an accessible manner (think QubesOS) would go a long way. I'm not saying it's easy, but it's possible, and Microsoft certainly has the resources to pull it off. I cannot believe nobody at MS has thought of this yet.

(This could also be used to make backward compatibility less painful, which no doubt many MS programmers would appreciate deeply.)


Why can't Windows users have OpenSnitch? Even as a layer on the Windows firewall. Baffling.


Like simplewall?


Excuse me, can I please have Defender uninstalled by default?


