Germany pays to fix Microsoft users' computers

The German government has allocated a secret budget to fund call-centers to help Windows users whose PCs are infected with malware. Microsoft's support costs are thus being borne at taxpayer expense.

I can understand why a government would want to create anti-malware programs. After all, malware's costs could easily exceed the cost of this program (think of the social cost of identity theft).

But the state could intervene in other ways. For example, it could establish penalties for software vendors whose users have their identities stolen, where those vendors don't offer this kind of service, forcing companies to internalize the cost of the security vulnerabilities they're responsible for.

Yes, it's not clean-cut (who's responsible for the recent SSL bug -- the OS vendors? The free software project?) and how it would apply to a free software project like GNU/Linux is unclear. But surely there's a more equitable solution than simply offloading the expense of cleaning up software vendors' messes on the taxpayer.

This approach raises a number of concerns. First, it leaves the software manufacturers out of the equation. Therefore, there will be little incentive to write secure code, as the cost of additional support will be passed (at least partly) to the government. Second, it also discourages the users from switching to more secure products. Both aspects can be interpreted as a direct subsidy for Microsoft. The timing of the initiative could also not be better: last week Microsoft's Internet Explorer, the attack vector number one, lost its leadership in Germany to rival Firefox. Additionally, the plan establishes questionable practices for IT security. Malware infections are seen as something inevitable, which is definitely not the case.
Microsoft to Get Malware Bailout in Germany (via /.)

(Image: Screenshot Test, a Creative Commons Attribution photo from yahnyinlondon's photostream)


  1. “Microsoft’s support costs are thus being borne at taxpayer expense.”

    Why would dealing with malware be something that MS should support (for free)? Take some responsibility and don’t install every piece of crap software you run across.

  2. Still, this is the kind of thing a country can do for its citizens if it isn’t spending all their tax money on, I don’t know, sending more people to Afghanistan.

    Don’t forget, German Health Care includes Spa Days.

  3. This legislation is yet in a planning stage. It is just another government attempt at controlling the internet. It will fail, just like the others, on the cash of the taxpayers.

    And that fairy tale about the spa days, it is simply not true anymore, at least if you aren’t privately insured. Oh, and by the way, Germany has some soldiers in Afghanistan, too.

    Greetings, LX

  4. Strange how people get so bent out of shape with Microsoft. You only pay a couple hundred bucks, and get to use their product for years, with use during many hours each day. Communication, work, study, entertainment… it gets more used than the blender I bought.

    Well, I guess we all complain about the weather.

  5. Wow, Cory it’s like being on /.
    It’s all Microsoft’s fault for the malware on their OSs?
    Can’t be the users who install anything and everything without research can it?
    Majority of malware is human installed.

    1. This.

      I am not a big Microsoft fan, but let’s save the outrage for when it is actually deserved. This is presented as Microsoft “offloading” security, patching and maintenance to the German govt.

      Microsoft offers Windows Defender, Windows Malicious Software Removal tool, KB updates/hotfixes/security patches, and now a trial of Forefront all for free. Microsoft has even made the decision to continue to offer support to non-genuine installations of Windows.

      The problem is when users are not intelligent enough, or downright too lazy to use them.

      I know it’s super-cool to hop on the bash Microsoft bandwagon, but how about some equal opportunity bashing – let’s see some articles about the douchey stuff Apple does too.

  6. In Germany you don’t get “spa days” with your health care. What you may get is a disease management course for things like neurodermitis or asthma if there is a medical necessity. You will get coverage of the medical part of the course, but you’ll have to pay your accommodation.

    A trustworthy source is Heise. They write that the BSI (office for security in IT) will offer a helpline for users who need help with cleaning up their computers. There is _no_ mention of Microsoft, nor is anything in the concept (read: Gedankenexperiment, not “plan”) specific to any one OS or software.

    The concept talks about identifying bots by traffic patterns and offering users a warning about that. The article on explains at length that this would be impossible under current legislation.

    It also talks about offering a website where malware removal tools could be stored centrally, free for all (including non-Germans, of course).

    Whether or not testing your machine for malware would be mandatory is mentioned only as something that nobody had thought about. It is said, however, that not using a virus protection is similar to driving without functioning brakes.

    The article also mentions one ISP who already offers a call center where users can get help if they’re infected. If the ISP is notified by an abuse report that one of their customers is infected, they contact the user and offer help cleaning up the machine.

    Sorry, BoingBoing, no scandal here and no venue for bashing “socialist Europe” either.

  7. Is this service for any German citizens who own computers or for public sector machines only?

    It would be an issue if Apple, Unix, Linux etc users were not supported at all on this hotline, if there’s a percentage of lines allocated to those systems as well I don’t see no problem.

  8. I used to help out people with computer problems on, before it was overtaken by right wing lunatics.

    I currently help out at, but the stupidity of most correspondents tends to be overwhelming.

  9. “Starting in 2010, ISPs will track down customers with infected PCs, e.g., by looking for communication with botnet controllers. These customers will then be directed to a special website offering advice on removing the malware. If this is unsuccessful (or the site is blocked by the malware), people will get access to a call center, where a staff of about 40 will try to fix the problem.”

    So, is this the way it’s supposed to work? Or, do I just have a low opinion of the average Internet user?

    To: W. User
    From: Your ISP
    Subject: You may have an infected computer.

    Dear Customer,
    Our records show that your computer is infected by dangerous spyware. Please go to this link, Download the file when your browser asks, and then install it on your computer. Please disable any spyware detectors or antivirus programs before hand, as they may interfere with this very important installation.

    This email and your attention to it is required by the Federal Office for Information Security.

    WARNING: If you do not follow these directions, your personal information may be at risk.

    WE thank you using our services,
    Your ISP

  10. I heard a rumour that the German government were also secretly subsidizing BMW, Mercedes & VW by providing ambulances for people who crash their cars.

  11. i think that actually it’s a pretty good idea. that’s what taxpayer money IS for, to buy a better life for you. that’s why you pay for the police and the fire brigade.

    microsoft or whoever is not going to write more secure or insecure code because of this, as i imagine that the germans are not going to patch every vendor’s software. i guess they’ll just try to fix the most gaping internet holes to protect their citizens. vendors will be still liable for their flawed software pretty much like automakers are liable if they sell cars that explode. civil protection is not a free pass to sell dangerous products.

  12. Although we may fine a building contractor if the building is clearly outside of code, we don’t fine them for each and every fire that the fire department puts out. Taxes pay for the fire department.

  13. I always wondered why we have to buy antivirus and firewalls for windows products. Shouldn’t they be responsible for protecting their customers from malware and the like?

    There are some free ones out there (I use avira and comodo…any other suggestions would be appreciated), but it’s the OS that’s vulnerable. Why do we pay $100’s of dollars for something that can be easily broken?

    I’m aware windows has its own protection, but I’m often told it’s not enough. Do they own McAfee?

    1. actually no. when you buy an OS you should get an OS no media player, no browser, no antivirus, nothing, bundled with it. what apps you need you can install for yourself. free apps or paid ones your choice.

      Also, bundled MS software like IE, Windows Firewall, WMP etc suck and are full of security holes and they should either cease to exist or sold separately. i always hated bundles. so does the EU btw.

      And neither is or should be Microsoft liable for your computing habits. Every tech savvy hipster blogger likes to bash MS for everything but a large percentage of computer viruses and malware spread due to human error and not due to obscure security exploits. I don’t use neither a software firewall nor an Antivirus and i am malware free since forever. Software vendors should be liable for security issues that permit exploits without user consent.

      My guess is that the Germans are trying to educate in order to resolve and eliminate the human errors more than become a patch factory for Microsoft. It may seem like they are doing MS a favor but i think it’s just because 90% of the people use windows so it’s only normal they help them with what they use.

  14. Microsoft doesn’t install malware on computers, tax payers do. It doesn’t seem unreasonable for tax money to be used to help them clean up their mess if they’re unable to do it themselves.

  15. Leaving aside the “microsoft subsidy” debate, this also could be a good means of collecting some useful data on what sorts of malware problems people are seeing when. Could give useful trend information from individual, less-tech-savvy consumers to improve anti-malware education and software.

  16. I don’t know how this turns into an automatic Microsoft slam. You can get malware (trojans) on any platform. All it takes is for someone to write it and then for a gullible user to click “ok” to a lot of things they shouldn’t click “ok” to.

    I had to give instructions to a friend on how to get their data off a Mac and reformat after his kids downloaded that codec trojan to watch a porn video.

    Trojan horses happen because of a problem with the user, not with the OS.

  17. Malware will never go away, no matter who creates the OS. It’s the users….you can’t fix stupid

  18. Cory, you seem to have some serious misconceptions about the normal attack vectors that end up infecting Windows machines – OS vulnerabilities are very low on that list and IE vulnerabilities are not much further up.

    Trojans lead the charge to infect machines – the only OS design that prevents that is one that prevents the execution of binaries altogether – given the outrage to the original running application limit proposed for Win7 starter Edition of 3 applications at a time I could see people being all the more upset with 0 applications at a time. (incidentally calls that user account permission segregation, i.e. user and admin rights, would stop trojans are fairly ignorant of what can really be done in user land on any OS). The next culprits are third parties – Adobe with Flash and Acrobat, Apple with Quicktime (convenient that they can poke at windows malware in their ads when they are a leading cause of it), and Sun with their JVM. These are products that can be launched straight from a webpage and have horrible vulnerability records. MS has actually stemmed this quite a bit with the IE sandbox and DEP being on by default in IE 8, so the severity of vulnerabilities in these third party applications is lessened considerably not as a result of the vendor doing anything intelligent but because MS has gone out of their way to engineer around the weaknesses of third party code.

    This isn’t 2001 anymore – Microsoft leads the industry in security engineering. There is not a single commercial or open source project that matches the effectiveness or robustness of the Microsoft SDL, which is why my own company is looking at that model to adopt. There is also not a commercial or open source project that is as OPEN about their security engineering practices either – I can go to the SDL website and see a huge amount of resources explaining what Microsoft does, from Threat Modeling, Fuzzing, manual and automatic source code review, testing, and so forth – Adobe and Apple certainly don’t have such a resource available (because they don’t actually do those things), Mozilla’s page doesn’t come close despite the fact that they had hired an ex-Microsoft employee (who has since left, Window Snyder) to design their security process, and so forth.

    It may be popular to bash MS security, but it isn’t accurate. The vulnerability numbers certainly don’t support that conclusion, nor do the practices of MS relative to other development groups. Now granted we are all supposed to believe the ineptitude of the corporate behemoths and the wisdom of the common man, populism for the win after all, but I never found that trusting some random bias as the optimal way to evaluate knowledge.

    Incidentally, do you believe that lock manufacturers, who to date are still horribly susceptible to bumping and other simple techniques, should cover all of the costs of police response to B&E? Should Boeing be charged for the WTC cleanup and victim compensation because they didn’t do enough to secure the planes they manufactured? How much liability do you subscribe to those that do not provide absolute security in their products? Clearly if MS retained their engineering practices of 2001 liability would be entirely deserved – they had not taken either due care or due diligence in my opinion (being just a random security guy and not a lawyer who can speak more readily to liability as a result of such negligence, that being an opinion of only marginal utility)- but this is not 2001 and MS’s engineering practices now are the industry best practices that others endeavour to achieve. You would be hard pressed to assert negligence if you could compel yourself to be even marginally informed on the matter.

  19. Yes, it’s not clean-cut … and how it would apply to a free software project like GNU/Linux is unclear.

    Cory, you underestimate how huge this point is. The kind of liability requirement you’re imagining would make it effectively impossible for free software projects and for small players trying to break into the business. This is just the sort of liability large companies could afford to insure against, while providing a barrier of entry to new players.

    I’m no Microsoft defender (though I do use their products, even while complaining about them), but there’s no such thing as a completely secure OS, and the kinds of vulnerabilities this program is likely to be effective for are the ones that have already been fixed. It’s just that users lack the information or skills to apply the fixes or seek out the third party software that will help. What’s inappropriate of government subsidizing the education of its citizens in this way?

  20. If the government mandates software suppliers to deal with malware and bugs, and those software companies then hire support staff and/or build better products, then it is the software companies that are “creating jobs”.

    If the government operates an anti-malware program and call center, it is the government that are “creating jobs”.

    Clearly in an economic crisis when employment is low, government would like to be seen creating jobs.

    Also, government anti-malware workers are most likely going to be members of a government union… very important if you are an elected official courting union support.

  21. When Microsoft Vista came out protecting people from basic malware people complained like crazy, and now you want to make the operating system even more oppressive? If a person has turned off or turned down the security on their system, then no I don’t think Microsoft should be responsible for it.

  22. “For example, it could establish penalties for software vendors whose users have their identities stolen, where those vendors don’t offer this kind of service, forcing companies to internalize the cost of the security vulnerabilities they’re responsible for.”

    Great idea. If my car ever gets stolen, I’ll just sue Ford.

  23. First, it leaves the software manufacturers out of the equation. Therefore, there will be little incentive to write secure code, as the cost of additional support will be passed (at least partly) to the government.

    The government has already a role in determining what a manufacturer should or should not produce. there are laws about it and there is no need to be new ones or something specific for the software industry. if a product is dangerous it’s illegal. if it is faulty the manufacturer is liable and should replace or repair it. defining “faulty” in an OS is tricky but surely patches can be seen as repairs. Government awareness campaigns and call centers are nothing new. think of all the call centers about drugs, diseases, street safety etc. IT security is just another concern that needs addressing.

    Second, it also discourages the users from switching to more secure products. Both aspects can be interpreted as a direct subsidy for Microsoft.

    that’s easy to solve. the government should have standards. say you cannot file for your taxes through an insecure browser. if you want to file something online or interact with an official site you should have one of the government approved secure software. and i bet that all players would do whatever it takes to get government approval like a CE sign or something. if there was such a policy everybody would follow including banks and so on.

    i don’t see the Microsoft subsidy here. no one thinks that driving lessons are a subsidy to the automakers that offload the education of using their vehicles to the taxpayer. microsoft windows and office are a de facto standard that everyone uses and an apple call center would not be of much use would it?
