

February 17

Answers to tough questions...

We have a guest columnist today. Luke Abrams, a Program Manager on the Windows OneCare team, posted a response to some of the tough questions posed on Slashdot last week. Here is an excerpt (the full post is here: http://it.slashdot.org/comments.pl?sid=176820&threshold=1&commentsort=0&mode=thread&cid=14719345):
 
Hi Folks,

I wanted to post my personal thoughts on Windows OneCare, both as an employee of Microsoft/OneCare, and as a bona-fide geek (if you need any proof I'll show you my nmos/pmos tattoos sometime ;).

1. "The problem...and the fix" - many of your comments were criticisms that Microsoft was selling solutions to the problems that it caused. It's no secret that all software has bugs and vulnerabilities - and like other software companies, we are committed to building software as secure as we can make it and finding and fixing bugs as quickly as possible. But let's not confuse code defects (exploitable or otherwise) with malware, and methods of protection. Let me dive into an analogy for a bit to flesh out the thought - think home security. When you build a house, you also want to make sure that it's secure. You install locks on doors, make sure windows only open from the inside, put your valuables in a safe, etc. But whether or not the builders left any exploitable holes in their design, you aren't really protected without a security system. Let's break this system down:

Good = secure design for the house

Better = above + updates to the design of the house as exploits are made known + good security practices (e.g. key management - don't leave your key in the mailbox!)

Best = above + active security system and a police force/infrastructure.

    • Alarm system (real-time scanning). In the event that some unauthorized entity enters into your house, an alarm will go off and the individual is immobilized until you decide whether to allow them to enter or not.
    • Police with "most wanted list" (signature detection) - they know who the bad guys are and stop them before they get to you.
    • Detectives/agents that update the "most wanted list" (malware investigators/signature updates) - this is critical in the security arms race, because the bad guys don't stand still. If you have an AV solution with out-of-date signatures, you're not protected against any threat that has been released since your last update (unless your heuristics are really good).
    • Beat cops with good instincts (heuristic detection) - they can detect suspicious activity and stop some of the bad guys even before they're on the most wanted list.


2. "MS is charging for fixes to their own OS!" - this is not the case. Microsoft will continue to service their products with QFEs, SPs, etc. for free through Microsoft Updates. It's in our best interest to help protect all our customers this way, not just subscribers to one particular service. OneCare (among other things) simply makes things easy for consumers specifically by helping assist with the updating process from Microsoft Update as part of its active protection. As for the active protection piece, MS has long told users they need antivirus protection to be safe - even Windows Security Center in XPSP2 tells you that you're unprotected if you don't have an antivirus or firewall program installed and active.

3. "OneCare will take advantage with Internal APIs" - couldn't be farther from the truth. We take great pains to help ensure that we are competing fairly in the marketplace, and we plan to be a leader in PC care by making a great product that delights our customers. The OneCare service is built on top of the same public APIs available to all vendors.

 

Anyway, I just wanted to engage in the discussion and toss in my 2 cents. I invite everyone to give the product a shot (free @ www.windowsonecare.com) and let me know what you think about it. I'll even put my money where my mouth is and pony up my email address: luke@windowsonecare.com - I'll respond to all the non-viagra mail you send me. ;)

Thanks,
Luke Abrams

 

 

 
February 7

Windows OneCare Live Pricing and Licensing Details

Our customers have been asking us for months and we’re finally ready to share our pricing and licensing details.  When Windows OneCare Live goes final in the U.S. in June, the subscription service price will be $49.95 per year.  And here is more good news – many customers have told us they have more than one computer, and want OneCare’s security and system optimization features on all of them.  We listened.  For this same price, you’ll be able to install OneCare on up to 3 PCs per subscription!

 

We encourage you to take a look at what our competitors are offering – we’re confident that no one else is delivering a value like this for an “all-in-one” service on up to 3 PCs, like Windows OneCare Live.  Those of you that read the blog often know that we are somewhat obsessed with providing consumers a simple to use, comprehensive PC care service, and understand why we’re absolutely thrilled that we’ll be able to offer this service at such a great value.         

 

Throughout the development process we have depended - and continue to depend - on the feedback and input of our beta testers to improve the service.  We asked for your help and you engaged deeply with suggestions, comments, issues, recommendations, etc.  To reward you - our beta customers - for your invaluable efforts, we will be offering a special beta conversion price.  Beta customers who convert to being paid OneCare subscribers between April 1st and April 30th will be offered one year of service for only $19.95 – again, for use on up to 3 PCs!  We’ll remind you when this offer is live, and remember, beta testers can simply click on the “Purchase now” button within the main Windows OneCare window.

 

Not a beta user yet? Don’t worry. There’s still time to download the beta directly from http://ideas.live.com, but remember, April 30th is the cut-off date to get on the beta and become a subscriber at this discounted rate. If you don’t sign up with OneCare, we strongly encourage you to do two things. First, tell us why – we want to know how we can improve. And second, please be sure to subscribe to someone’s service. Having up-to-date anti-virus and overall PC care protection is essential to keeping your machine safe and healthy.

 

As you can tell, we’re getting closer to final product availability and continue to get very helpful user feedback.  Your input is being heard – in fact we plan on delivering a beta refresh later this month. Please keep sending us your feedback – we love to hear your comments and truly appreciate your input.

 

Thanks again,

 

Yoav

February 2

Windows OneCare – Anti-spyware’s best friend

There have been some interesting articles written over the past few days about our firewall policies - check out the following stories to see what's been said.

Security Pro News

CNet News

RealTechNews.com

WebProNews.com

In fact, Ben Edelman was kind enough to post a comment directly to the blog which challenged our policy to automatically allow signed applications through the firewall. And he asks a fair question. However, the key point I’d like to reinforce is, as mentioned in my previous post, a comprehensive security solution must be multi-layered. So, if signed malware happens to pass through the Windows OneCare firewall, our real-time anti-virus/anti-spyware scanning engine should block that application from deploying. As we have reported, Windows OneCare will soon add in anti-spyware capability, which will get updated continuously with new signatures that identify and block known suspicious programs.

 

So, let me say it again to be clear: if malware gets on to the system, whether it is signed or not, the Windows OneCare antivirus or anti-spyware solution should protect users from that exploit. The reason is, our virus and spyware signatures (policies containing “lists” of malware/spyware/adware) are not based on whether or not an application is signed. Rather, we make a separate determination regarding applications suspected of being either malicious, or falling into the category of spyware. (For more information, see: http://www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx)

 

Once an application is included in this list of “suspicious” or “known bad” programs, the Windows OneCare real time scanner will block that application from running. If this discussion centered on a firewall as the main and only protection tool, I would probably agree with those that have suggested an auto-allow policy is flawed. However, because we can be more nuanced in the manner and order in which we catch malware, it doesn’t require us to keep the firewall settings so locked down as to ensure nobody can access the network. The point is, we *want* users to be able to do whatever tasks they seek; if we can use anti-spyware, firewall, and anti-virus in an integrated way that is less likely to obstruct the user while still protecting them, then we've accomplished our mission.

 

This brings me back to one of the central themes I have often discussed on the blog, which is, effective security policy cannot be monolithic. The most secure computers are those that aren’t connected to the Internet. Unfortunately, you can’t do much with them. So, as soon as you establish a network connection, the race is on between security policy that is so restrictive that it prevents users from doing what they want, and a “nurturing” environment that helps guide users toward doing the right set of basics. In fact, there is research suggesting that usability can be more important to security than the policy itself. Here’s an article written by Peter Gutmann that touches on these issues, with a link to the abstract:

 

http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?tp=&arnumber=1492344&isnumber=32072

In the security community, we’ve always recognized that our security proposals come with certain costs in terms of usability. Traditionally, that’s the compromise we make to get security. But the market has ruled against us. Time and time again, our fielded secure systems are ignored, bypassed, turned off, or constrained to such a small part of the process that the security result is practically nonexistent. Even worse for our mental self-satisfaction, those systems that claim to deliver security to users simply don’t pass muster--they’re not what we’d like to think of as secure systems.

 

In the end, we believe a straightforward user experience alongside a layered defense of an inbound/outbound firewall with managed policy, and real-time scanning engine for both spyware and viruses, will protect the vast majority of users when these protection components are in a green state.