According to Symantec it would seem that security flaw + patch in 5 days = result. Certainly compared to the average 140 days it takes Microsoft to patch a vulnerability it’s to be applauded, but only with one hand. 5 days is 119 hours and 55 minutes too long in my book. In the wise words of singing tech gurus Tavares (or Take That for our younger readers) ‘it only takes a minute girl, to infect your PC’. Well, I might have taken liberties with the lyrics, but no more than security vendors take with the integrity of my data, resources and identity whenever product exploits emerge.

I’m not advocating, for even that single minute, that a rushed solution is any solution at all. However, I’m not prepared to join the throng of gushing commentators eager to praise the speed with which this patch has been released. Words such as remarkable and masterful have been bandied about, even the totally ridiculous ‘break neck speed’. Sorry Symantec, but I’ll argue until the cows come home that 5 days is not an acceptable length of time for a vendor of the size and stature of yourself to leave customers in a security threat limbo. The Microsoft comparison doesn’t hold water; the products are poles apart in complexity and lines of code alike. A better metric would be that of OpenBSD and SSH, for whom a day is considered a long time for a patch to get into the upstream distribution chain; a few hours is the norm.

Would you leave the door to your office unlocked for a week while a new lock can be found that fits it, working on the principle that if nobody knows it’s unlocked then nobody will break in? Of course not, you’d shore things up the best you can while waiting for the lock to be delivered. Yet Symantec seems happy with the time taken to release this patch, on the understanding that there were no known attacks that could exploit the flaw. Sometimes, well often actually, the naivety of the IT security market leaves me gob-smacked.

If you are a business customer, the patch (which has to be downloaded and applied manually) to fix the stack overflow flaw in Client Security 3.0 and 3.1, and AntiVirus Corporate Edition 10.0 and 10.1, can be downloaded from Symantec. But only if you are an English language customer; others have to wait even longer for their patches to become available. Home users need not panic, as the Norton range was not caught up by this particular hole.

Oh, and wish me luck: I’ve made it down to the finals of the UK ‘IT Security Journalism’ awards. Of three entries in the ‘Best Security Feature’ category, one is all my own work and another co-authored by myself. I’ve also managed to get down to the final three writers up for the overall ‘IT Security Journalist of the Year’ title. The winners will be announced at a lunch ceremony in London on 11th July, so keep your fingers crossed for me!


Now there's an opinion I wholeheartedly agree with! Not that I have even thought of using Symantec's bloated, intrusive, complex-because-that-makes-it-seem-powerful security products in a few years (and haven't missed them one bit), but gloating, gladhanding and backslapping over a creeping-speed fix for a flaw with such major damage potential, from a company that wants their customers to pay and pay and pay, again and again, for their products? Ludicrous! Unacceptable! For the kind of money they're asking, and the breadth of their market reach, someone needs to be working 24/7 to make sure that when ANY flaw is discovered, it is patched within hours, not days, if not minutes.
If I were a corporate mover-and-shaker (which is probably why I'm not, LOL) a company would get only one chance to leave me open like that, and Symantec would just have had theirs. By the time they rolled out their patch, I'd already be rolling out trials of another company's product.

Shame on you tech journalists for lauding this as some kind of record speed recovery! You are doing your readers a severe injustice by conditioning them to accept this inadequate response. And the childish pseudo-argument that this compares favorably to a Microsoft fix is along the same lines as the excuse I gave my parents for wanting to do something stupid: "All the other kids are doing it." It's ignorant and irresponsible to think that, just because it may take Microsoft some many days longer to fix a flaw, that Symantec (or any other company) is therefore excused for taking (like Davey says) "only" 119 hours too long. I wouldn't be paying Microsoft for a Symantec product, so such a comparison is entirely irrelevant, and I'm not going to deal with Symantec according to what Microsoft does!

If consumers (corporate or home) don't start stridently demanding better from companies who suck in a goodly portion of a billions-of-dollars market, we will absolutely never get anything better. In fact, I submit that this botched situation, if it doesn't result in any significant loss of business for Symantec, will eventually make things worse, as consumers will be lulled into paying more and more for less and less.

Hey, Toulinwoek


and of course you could do SOOOO much better yourself.
Ever considered it might take time to find, fix, test, and distribute something?

Anyway, the figure mentioned for Microsoft is completely incorrect. They frequently release fixes for problems that no one ever knew about.
The problem is that tons of people fail to keep their systems up to date, leading to the average time between release of a fix and installation at clients being very long. But you can't blame Microsoft for that, as they give customers the mechanism to automate that process, a mechanism many people refuse to use for some unfounded fear that Microsoft uses it to "spy on them" or something.


In this case, it would have been impossible to have kept a system "up-to-date", since it took days before the capability was available.

...and no, you're dead wrong, I could not have done better myself; in fact I would have done far worse because I would not have known where to even begin. That's why companies are paid for their products, because none of us (not even you) can do everything ourselves (if we could, there'd be no need for any of us to have any money, right?). I pay a company so that I have the right to expect better than that. If I don't get it I take my business elsewhere. If consumers would hold those who take their money to higher standards, there would be better products and services. Then, if it were IMPOSSIBLE for them to have done better, we'd know. Right now, it's your opinion against mine, and we both, I'm sure, think we're right. It's a pointless debate, I'm just not going to stand for it and you can handle it as you like.

This isn't about Microsoft, it's about Symantec and the simple fact that what should have been done in a vastly shorter time wasn't. It wasn't Microsoft's fault (this time).

Oh, and I should apologize for the mild sarcasm; I usually resist responding in kind.


If it isn't about Microsoft, then why did you bring in the usual anti-Microsoft griping in your original post?

You're the one bringing Microsoft into it...


I didn't. The first post mentioned that someone had compared Symantec's response to that of Microsoft. I was simply agreeing that such a comparison isn't relevant.
Given the relative complexities of Windows versus Norton Antivirus, I would not be as disdainful if Microsoft took 5 days, or even a bit longer, to fix something. Microsoft has its flaws, serious ones too, but in this case they are not the issue. When they are, I'll criticize them just as honestly.


Quote from jwenting:
But you can't blame Microsoft for that, as they give customers the mechanism to automate that process, a mechanism many people refuse to use for some unfounded fear that Microsoft uses it to "spy on them" or something.

Considering all the updates I've been getting recently titled 'Windows Genuine Advantage validation tool' I think some of those fears might be quite well founded.
I know my copy of Windows is legal. I don't need to download monthly checks to find out if it's suddenly changed.


Tough luck. If people weren't so eager to help pirates to license keys there'd be no need for such tools.
And remember that all it does is check whether your license exists on a list of known pirated licenses (which is what the updates are). No data is ever transmitted from your system.


I doubt that piracy will ever go away. There are some rock solid ways to prevent it, but those methods are prohibitively expensive (for many vendors), and as long as software vendors continue to charge equally prohibitive prices for their products, piracy will thrive and the technology thereof will improve along with everything else. Just as the anti-malware software vendors have no vested interest in ridding the Internet of malware, and household pest controllers have no vested interest in getting rid of your roaches (if you have any, of course), so the companies that produce anti-piracy technology have little vested interest in REALLY stopping piracy; they'd be out of business if they did. I have said before, and yes, I heard some very sensible and reasonable arguments to the contrary, but I still just can't overcome the feeling that no software is worth more than perhaps two or three hundred dollars, at the VERY most. I just can't see it.

Now, I am not saying piracy is acceptable, but my God, from rumors I have heard (unsubstantiated by Microsoft), the flavor of Windows Vista I would likely purchase is going to cost upward of $500! That is absolutely, positively, unmitigatingly ridiculous!! I can easily see how someone would want to take a chance with pirated software rather than pay that, and even though Microsoft claims that pirated versions will somehow be crippled, I have every confidence (misplaced though it may be) that whatever method they have to make that happen will be popped, just as product activation for XP was popped within about 5 days, according to what I heard.

Personally, I run a legitimate copy of Windows, and I have no intention otherwise, but I just feel that the cost of software is spiraling out of control, and that (and the fact that the anti-piracy folks need something to do) says to me that, if one looks hard enough, one can find and run just about anything one chooses for either free or at least at a price more reasonable than what the publisher intends.


If you have any idea of the cost of creating and supporting a software product on the scale of Windows you'd not call the pricing prohibitive.

Sadly most people have no clue about such cost, thinking software costs next to nothing to create and nothing at all to distribute and support, and that thus the entire price they pay is pure profit for the software manufacturer (I've seen people claim high and low that a copy of Windows XP should cost only €1 as that's the price of a CDR and thus Windows XP costs only €1 to produce...).

Nothing could be further from the truth. Margins are low over the life of the product.
Vista will have cost hundreds of millions to develop, figure in another hundred million or so to market and distribute the first few million copies alone.
Then the maintenance and support teams, which together probably cost well over a hundred million over the economic life of the product.
And of the purchase price a good portion is never seen by Microsoft at all. The store gets a big slice, the government an even bigger slice (taxes).
Of the $500 (where the heck you get that figure I don't know, but for a professional level version it's not much, over the 3-5 years you'll be running it that would amount to pennies per day) Microsoft might see (after taxes) only a hundred, maybe 200 at most.
Of that the majority goes towards recovering development and support cost, and most of the rest goes towards R&D for future products (just so the kiddos at /. can go on claiming Microsoft doesn't do any R&D).
Actual profit would be maybe $50 at most out of those $500, a 10% margin which though not bad is certainly far lower than the 90%+ margins a lot of punters think software companies make.


That's a very solid argument, and it's very similar to those I have heard before, and I still acknowledge that the arguments themselves are very sensible; however, I still just can't buy it, I'm sorry. It's similar to those who, in the face of personal experience and very reasonable explanations, just cannot accept the idea of the existence of God; no matter what you say, it just doesn't register with them (not trying to change the topic here, just making a comparison). I'm just not seeing it, and I have some development and support experience myself, so I'm not shooting totally in the dark here. Still, I admit I really don't know fully how it breaks down, but I'm not buying the thin margins argument at all.
Where I got that price from was a software download site I visit often, and the person who had listed those prices did say that they had not been confirmed (or even commented on) by Microsoft, so they are entirely rumor. What I heard was:

Home Basic - $256 USD
Home Premium - $511 USD
Vista Ultimate - $639 USD
Vista Business - $840 USD
Vista Enterprise - $1033 USD

Those prices are entirely out of line, in my opinion. Now, I'm not sure if the figures you used are estimates, and if they are, how accurate and realistic they are, but I'm not going to believe that it costs 4 times as much to make, market, distribute and support the Enterprise product as it does to make the Home Basic version! If those numbers are anywhere close to accurate, then they'd be losing money on the upgrade versions (surely it doesn't cost any LESS to make the upgrade version), and the vast majority of sales are very likely to be upgrades, right? Adobe, for example, sells Photoshop for $650, unless you're upgrading, in which case you get the exact same product for $170. Come on, how much does it cost to produce if they can stay in business (and thrive mightily, I might add) selling the majority of copies of that product for $170 if it REALLY costs 90% of that $650 to produce it? The same math would have to apply to Microsoft; if it costs $450 to produce the Home Premium version, for example, they'd lose money selling the upgrade for $300 (which would probably be in the neighborhood of what the upgrade would cost).
Beyond speculation, I would think it should be relatively easy to check if Microsoft's profit margin, overall and per-product, is really 10%, which might be true, but I doubt it. Pennies a day you say? $500 over five years would be about three pennies a day. How about several hundred million people paying three pennies a day into your coffers... that's a very, very tidy sum!


If you don't feel Windows is worth 3 pennies a day to you, don't whine but choose a cheaper alternative.
This is a free market economy where you have a lot of choice after all.

To many people it's well worth that, they quickly recover it in increased productivity or because they save a lot of frustration and thus get increased enjoyment from their private time.

Yes, upgrades are less expensive.
That's a customer incentive program, rewarding returning customers for their loyalty. It's not dissimilar to stores giving discounts to customers holding loyalty cards, those goods cost the store the same amount to purchase too.
And indeed the Home edition doesn't cost that much less to produce than does the Enterprise edition, maybe, IF you assume both sell the same number of units.
But they won't of course. The home edition is likely to outsell the enterprise edition by an order of magnitude, so the development cost is spread over a far larger number of units, reducing unit price faster than the development cost decreases.

Your fundamentally flawed arguments show that you lack a basic understanding not just of the software development process but even simple macro- and microeconomics.


Oh, now come the personal attacks. Why? And why, just because I happen to have an opinion about something that happens to differ from yours, do you have to call it whining? I'm not whining. This is why I don't like discussions with you; you are intelligent and kind for a while, then you resort to name-calling and personal attacks.
A company that loses money on a product in order to provide "customer incentives" won't be in business very long. Your point was that the retail prices of products yielded a 10% profit; you did not consider upgrade discounts in your figuring, and now you're talking about spreading costs over other versions. In the example I gave about Photoshop, there are no versions over which to spread these losses. How can Adobe sell a $585 product (assuming 10% profit) for $170 and stay in business? They can't. Economics, macro/micro or whatever else, MUST conform to the laws of simple math. I admitted I wasn't sure how it all broke down, but you have not really answered the question of how a company can do this. But it's OK, you don't really have to. I happen to have a fondness for debating things, but I find it very distasteful when it gets to the place you so frequently go, so with all due respect, I will consider it a lesson learned, I apologize for even expressing an opinion, and I will have nothing further to say to you. I'm not angry, mind you, I just don't like this kind of attitude.
