Microsoft’s secret security plan?

Mary Jo Foley at Microsoft Watch has an interesting report on a rumored security subscription service from Microsoft, code-named “A1”:

Microsoft’s anti-virus/anti-spyware strategy is taking shape. Sources say Redmond’s prepping a fee-based bundle, which could go beta soon.

Publicly, Microsoft continues to be cagey about packaging and pricing plans for its anti-spyware and anti-virus solutions. But privately, Microsoft has begun informing partners of its plans for a security subscription service code-named “A1,” according to developers who requested anonymity.

Microsoft bought anti-virus vendor GeCAD in the summer of 2003, and anti-spyware maker Giant Company Software last month. As to how it plans to deliver these technologies, Microsoft has declined to give specifics. How/when/if it will repackage GeCAD’s technology remains uncertain. Ditto for Giant’s — although according to the Windows enthusiast site Neowin, Microsoft is expected to field its first anti-spyware beta based on Giant’s technology this week. Neowin said the anti-spyware beta is code-named “Atlanta.”

Microsoft officials have said the company is planning to make some form of its anti-spyware product available as a free tool. But that isn’t the ultimate plan, partner sources said.

Well, I’ve said it before and I’ll say it again: Microsoft should make this service as powerful as possible and not charge a dime for it to anyone. It’s part of the cost of doing business. Selling security software is ethically wrong for two reasons: 1) It involves making a conscious decision to expose some of your customers to greater risks than others, based on their ability to pay; 2) It encourages the security software vendor to overhype threats so that people will be stampeded into paying up.

I’m sure someone at Microsoft is saying something like, “Well, we’ll provide a free security offering that will provide basic protection to everyone, and we’ll just charge extra for bells and whistles.” That’s nonsense. Security should be considered a core feature, not an add-on.

Spread the word. Make some noise. Now is the right time to convince the folks who are making these decisions to do it the right way.

6 thoughts on “Microsoft’s secret security plan?”

  1. Ed, I’m not sure I totally agree with you here, although I do agree in part. If, in fact, Microsoft is providing adequate basic security for free and seeking to charge extra only for bells and whistles (which not everyone may need or want — see below), I have no problem with that, pretty much for the same reason that I have no problem with Microsoft’s decision to provide only a basic defragmenter tool, or a basic disk cleanup tool, or a basic registry editor tool, or a basic backup tool, or (because we are talking here about security) a basic firewall. I think you have a much stronger case if, in fact, the core product is actually unsafe and Microsoft is charging extra to secure it. Now THAT, I agree, would be a conflict of interest.

    I am most sympathetic to your point about third party vendors (and, for that matter, various computer magazines) overhyping security threats in order to sell their anti-spyware products. But these vendors are no different from the other quacks of cyberspace who are hawking all kinds of software (or registry tweaks) to deal with all types of mostly non-existent problems (e.g. memory management software, registry tweaking software, cookie crumblers (some people think cookies are spyware(!)), ad nauseam).

    The real problem here is (1) some people don’t regularly update their core Windows software (especially SP2) and (2) they don’t educate themselves on how to avoid getting the crud on their machine in the first place. An ounce of prevention is worth a pound of cure — or dozens or hundreds of dollars in anti-spyware software that themselves often cause more problems than they solve. I regularly do these two things, and I don’t use anti-spyware software on my machine except for what comes with Trend Micro 2005 — but I never get spyware. The only product I have ever used or needed to check for or remove spyware is Ad-Aware — and it is free. And when I do, I never find any on my machine.

  2. Ken, let me disagree with you by saying that’s not a fair comparison; that is, comparing system utilities such as defrag or backup is not in the same category as security. Selling insecure software is like selling a car with a design flaw — people and property get injured and in the end, everyone pays. Customers trust the seller is offering a product that won’t blow up in their face, in this case with regard to the known weaknesses of Windows and IE.

    By not including it for free with Windows, Microsoft is sending the message that “We could secure Windows, but we choose to soak the customer on this one.” Not a good PR move. Again, imagine the auto dealer telling you, “We could include a fuel pump that doesn’t catch fire, but we’d rather charge you extra after the sale for one that doesn’t.”

  3. #2: I’m not sure we actually disagree. I’m trying to draw a distinction between safe and unsafe, on the one hand (where I agree with you and Ed), and safe and even safer with a few more bells and whistles on the other hand (where I don’t have a problem with Microsoft charging for bells and whistles).

  4. Yes, but when it comes to securing the OS against attack and malware, where would you draw the line between basic security and extras? I can see where MS would not offer (nor want to) a robust solution like Norton, but MS can alter the source code where no third party ever could.

    Like you, Ken, I spend every other day cleaning my system since I surf and download a lot, and it gets old.

  5. I think it is possible for an OS vendor to sell two different variants of an OS, with differing security levels. Sun, for example, did this with Trusted Solaris (vs plain ol’ Solaris), and it was not considered unethical.

    Whether such a move by MS is in the same category depends on just how they do it.

  6. “Like you, Ken, I spend every other day cleaning my system since I surf and download a lot, and it gets old.”

    Then you’re not surfing responsibly! Websites worth their silicon won’t install anything on your machine. I haven’t had any malware show up for a long time, and I certainly surf and download a lot – but I won’t visit disreputable sites, and check into those I’m not sure about.

    I agree that MS are not responsible for protecting us from some scumbag’s malfeasance. However, those of us who are responsible for keeping thousands of machines happy know better – SOMETHING needs to be in place to keep the less-savvy user from breaking his or her PC. I just don’t know if it’s something that should be down to Microsoft.
