Comment Microsoft's announcement that it will enter the AV market next year, with initial trials starting next week, could be a sign of many things to come, says SecurityFocus's Kelly Martin.

There's an old Canadian saying about a salesman who is so good at sales and marketing that he can "sell ice to an Eskimo" - and although Eskimo is an outdated term, it doesn't sound the same to replace the text with our respected native Canadian Indians. The joy in such a saying is simply with the idea that one can be convinced to buy something he really doesn't need, provided he is persuaded enough that the product's benefits are real and outweigh the cost - not an easy task. Note that it doesn't matter whether the benefits are actually real or not; a consumer just has to believe they are.

We knew it was coming. Microsoft's entry into the anti-virus market is slated for next year, according to a Microsoft announcement yesterday and an article published today in the New York Times. The focus seems to be on a subscription service, one that will include updates for both spyware and viruses. Will this really shake up the security industry, as Microsoft spokespeople have begun to suggest?

I wrote about Microsoft's entry into the anti-spyware market once before. Since the $2bn spyware cottage industry is exclusively a Microsoft problem, I still find it appalling that they would market new software to patch their own product's weaknesses. It seems an awful lot simpler to just fix the problems in IE. But IE is free, and there's not a lot of incentive to do so except to the extent that the lack of security results in lost customers. People who use Firefox don't have spyware issues, for example (although there are a few noted exceptions).
That being said, I have to admit after months of use that even in Beta 1, Microsoft's Anti-Spyware application is a good product - and that there's a certain amount of comfort in cleaning a typically infested Microsoft computer with Microsoft's own branded technology. That's in addition to using one or two other free anti-spyware products, of course. It has an excellent interface and nightly updates configured by default. I hate to say it, but the other anti-spyware apps could learn a little bit from Microsoft UI design.

With Microsoft entering the anti-virus market, we now have to ask ourselves basic questions around the issues of trust, honesty and integrity from a company known to have predatory marketing practices, where the fine line of walking along a legal tightrope takes precedence over any ethical or moral higher ground. Can you really trust Microsoft exclusively to protect your computer from security threats? What is their track record thus far in addressing security concerns in a timely manner?

There are also many technical questions surrounding their forthcoming entry into the AV market, but since SecurityFocus is owned by Symantec Corp I'll sidestep the issue altogether. Here at SecurityFocus we do everything we can to keep it an independent news and information site, which includes publishing Symantec criticism and product vulnerabilities, but our critics would love to see a typical Symantec AV rant. Our readers deserve more than that. Instead, I'm going to try to peer into the future and predict how Microsoft's big move into AV might play out to their own advantage in their licensing models, and how they'll continue to dominate their markets down the road.

At first glance, Microsoft's move to a subscription-based AV model appears to just play catch-up to everyone else, whether it's McAfee, Trend, Sophos, CA, Kaspersky, or Symantec. I believe there's much more at play, however.
A consumer-based subscription model for the Windows operating system itself may very well be in the works - one that would offer advantages on several fronts: security, thwarting piracy, forcing users to upgrade, and providing a more predictable revenue stream for the company. Instead of buying Windows and then subscribing to an anti-virus service, you subscribe to both at the same time and get all software and security updates that are available.

One could argue that Microsoft's licensing is already subscription-based for some of its largest customers, and I wouldn't disagree. Enterprise Agreements are already commonplace, and despite the high costs, they provide great flexibility to large corporations involved with long-term planning and lifecycle management. Adding a new product to a given licensing agreement, whether it's SMS or Microsoft Office or, soon, Microsoft AV, becomes merely another line item on the spreadsheet. This licensing approach has never made it down to the consumer level, however, where a significant revenue stream of several billion dollars exists today - and all the major AV companies compete for a slice of this.

It would be a small step for a consumer to go ahead and license Windows XP Secure Edition on an annual basis: a piece of software providing not just anti-virus and anti-spyware updates, but also security updates, new product features and software upgrades to Windows itself. Waiting five years for an upgrade to Windows on the desktop might become a thing of the past; consumers could enjoy new Microsoft features as they trickle out. Imagine upgrading your entire operating system to a new version using Windows Update automatically. You get new anti-virus features, a more secure operating system, better spyware protection, and support for USB 3.0 as well as other features. It's convenient, easy, and simple. It addresses the security issues of a typical user in one fell swoop.
Basically, you buy your new computer, take it home, and your subscription to Microsoft Windows Secure Edition starts that very day. Having worked in enterprise software licensing myself, I've always seen subscription-based licensing as the holy grail of licensing models. Microsoft has been extremely successful with their volume and enterprise licensing agreements, but they have little to no experience with subscription-based licensing at the consumer level.

My prediction: watch for their forthcoming AV product to signal a major shift in the licensing of Windows itself, in several variants, at the consumer level - because it's so easy for them to take that small, extra step. After all, there are a few more billion dollars at stake. How this plays out from a monopoly perspective, however, is anyone's guess. Remember that legal tightrope, the recent EU ruling, the DOJ, and a little company called Netscape? You can bet every AV company is now watching Microsoft's moves very, very closely.

Copyright © 2005. Kelly Martin has been working with networks and security for 18 years, from VAX to XML, and is currently the content editor for Symantec's independent online magazine, SecurityFocus.
Software houses can check whether the code they develop has copied even just one snippet of code from any of 38 million open source files, using a new product that relies on source code 'fingerprinting' to reduce the risk of getting sued.

The product from San Francisco-based Palamida promises to give customers a full understanding of the origin, version, location and licence of open source and other third-party code in their software products and applications. While open source software can be used in commercial products, vendors must comply with the licence terms. The risk of misuse was highlighted last month when the UK subsidiary of security software firm Fortinet settled a lawsuit over its alleged non-compliance with the terms of the General Public Licence (GPL), which underpins the distribution of most open source software. So any software house needs to be aware of what third-party code has been used in development projects.

Palamida's product checks for copying by searching against its massive database of open source files, pulled from 40,000 of the most commonly used open source projects. CEO Mark Tolliver says his company's database is the world's largest and that its product, IP AMPlifier 3.0, reduces software compliance efforts "from weeks to hours."

Annual subscriptions are not cheap: pricing ranges from $50,000 to $250,000, depending on the size of the buyer. This gets you software to scan binaries, source code, images, icons, text documents and XML, checking whether any of your resources were in fact cut 'n' pasted from elsewhere. It is looking for fingerprint matches, which can be given away by project names, licences, licence texts, licensor information, project release numbers, or any of its billions of source code snippets. The company says its Knowledge Repository is many terabytes in size, but a compression algorithm is applied to bring it down to a size more manageable for storing on the customer's system.
"We specifically designed the software to work behind our customers' firewall because early feedback from customers indicated that this is an incredibly sensitive area for them, and they would certainly feel uncomfortable about 'sending' their code to any server outside their firewalls," a company spokesperson told OUT-LAW. "The only communication the customer has with Palamida is that we send updates of the Compliance Library to the customer."

Susan McKiernan, an IT lawyer with Pinsent Masons, the law firm behind OUT-LAW.COM, said: "There are only so many ways of writing the same instruction, so there is a good chance that software like this will flag matches where there has been no copying. There is no infringement if two people happen to write identical code independently; it's only a problem when one person copies another's work. But that is a common problem. So software like this may help with a firm's compliance efforts."

McKiernan added: "It's a clear indication of straightforward copying when the comments within code are duplicated, or better still, the errors. And that, presumably, is what will ring the alarm bells in this product."

Copyright © 2005, OUT-LAW.com. OUT-LAW.COM is part of international law firm Pinsent Masons.
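As an added illustration of the snippet-fingerprint matching the article describes and of the duplicated-comment signal McKiernan points to, here is a small winnowing-style fingerprinter in Python. It is example code written for this page, not Palamida's product or algorithm; the repository, project names, licences and the customer file are all constructed, and the scan runs entirely offline as the article says the real product does.

```python
import hashlib
import re

# Constructed sample repository keyed by (project, licence); entries are made up for
# this example and are not taken from Palamida's database.
REPOSITORY = {
    ("libfoo", "GPL-2.0"): "int clamp(int v, int lo, int hi) {\n  /* keep v inside [lo,hi] */\n"
                           "  if (v < lo) return lo;\n  if (v > hi) return hi;\n  return v;\n}",
    ("barutil", "MIT"): "static unsigned int rotl32(unsigned int x, int r) {\n"
                        "  return (x << r) | (x >> (32 - r));\n}",
}
KEYWORDS = {"int", "unsigned", "static", "if", "else", "return", "for", "while", "void"}
K, W = 5, 4  # k-gram length in tokens, winnowing window size

def tokens(src):
    # Strip comments; map identifiers to ID and numbers to NUM so renaming does not hide a copy.
    src = re.sub(r"/\*.*?\*/|//[^\n]*", " ", src, flags=re.S)
    out = []
    for tok in re.findall(r"[A-Za-z_]\w*|\d+|\S", src):
        if tok in KEYWORDS or not (tok[0].isalnum() or tok[0] == "_"):
            out.append(tok)
        else:
            out.append("NUM" if tok[0].isdigit() else "ID")
    return out

def fingerprints(src, k=K, w=W):
    # Winnowing: hash every k-gram of normalised tokens and keep the minimum of each window
    # of w hashes; any copied run of w+k-1 tokens is then guaranteed to share a hash.
    toks = tokens(src)
    hashes = [int(hashlib.sha1(" ".join(toks[i:i + k]).encode()).hexdigest()[:12], 16)
              for i in range(len(toks) - k + 1)]
    if len(hashes) <= w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}

def comment_hashes(src):
    # Hash each comment with whitespace collapsed: duplicated comments are the clear sign of copying.
    pairs = re.findall(r"/\*(.*?)\*/|//([^\n]*)", src, flags=re.S)
    return {hashlib.sha1(" ".join((a or b).split()).encode()).hexdigest()
            for a, b in pairs if (a or b).strip()}

def scan(src, repo=REPOSITORY, threshold=0.8):
    # Return (project, licence, share of its fingerprints found, comments duplicated?) per hit.
    fp, cm = fingerprints(src), comment_hashes(src)
    hits = []
    for (project, licence), ref in repo.items():
        rfp = fingerprints(ref)
        overlap = len(fp & rfp) / len(rfp) if rfp else 0.0
        if overlap >= threshold:
            hits.append((project, licence, round(overlap, 2), bool(cm & comment_hashes(ref))))
    return hits

# Constructed customer file: clamp() pasted from libfoo with variables renamed and the
# comment left intact, next to genuinely original code.
CUSTOMER_FILE = ("int limit(int x, int a, int b) {\n  /* keep v inside [lo,hi] */\n"
                 "  if (x < a) return a;\n  if (x > b) return b;\n  return x;\n}\n"
                 "int add3(int p, int q, int r) { return p + q + r; }\n")
```

Because identifiers are normalised, the renamed copy still matches libfoo completely, while the independently written add3() and the unrelated barutil snippet fall below the threshold, which is the false-positive risk McKiernan describes being kept in check by the window and threshold choice.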