Reminds me of the children's book "The Little Red Hen"

Entities, whether individuals or companies/corporations, build what we like to use. Someone has to pay for their labors.

I repeat, those ads are not in the base operating system. They appear only in add-on applications that Microsoft "helpfully" includes in the ISO. It is not required that you use any of these, and indeed you can uninstall them if you wish (and get them back, at no charge, from the app store). And how is this different than Gmail putting ads in your browser? In both cases, you're paying for the bandwidth.

Who pays for the bandwidth to shove those ads down the device owners' throats?! Not to mention the CPU cycles and battery consumption, puh! Is that in the EULA or on the outside of the box when you buy it? Now you have to PAY to be spammed, gawd.

If it's not possible to offer a service in a secure way (as far as that's possible), maybe they shouldn't offer that service in the first place. But I'm the first one to admit that's not only a Microsoft problem, but a consequence of the way our society works.
But I'm no high Microsoft official (and not important at all, not more than any human being). I've only seen the consequences of the lack of security. So from my point of view I still say: security should come in the first place, even if that means not offering certain services.

That is too true. I remember my brother-in-law telling me about the volume of traffic Hertz (the car rental people) had. It was truly mind-boggling. And that was almost 20 years ago.
I guess we're stuck with things until sometime after the scientists get quantum computing up and running. Considering how long it took the computer to get where it is I'm never going to see it working. Much less on the Desktop.

In an ideal world, I'd agree with you. But the world isn't ideal; the majority of people are happy to trade security for speed. I'm a security engineer myself, and I see this happen all the time. I also understand the reality of the business situation. If the Account service allowed 32-character passwords, and 1/3 of users opted for that, the login time would increase dramatically. They have the simulation test results to prove it.

Yes, it's difficult to imagine some of these things. But you have to realize that the kinds of scale we're talking about here are very atypical for your average small business or even large enterprise. It was the same way at Amazon, where I also worked for a time. Amazon lights up the equivalent of a dozen new 42-U racks every single day. This kind of operational scale completely changes the way you think about everything, and forces a whole new set of tradeoffs and business decisions that just don't exist elsewhere.

I'm afraid there is still that kind of mentality. Many, many, probably a frighteningly high percentage of Users don't have a clue. It's the wild west out there.
I don't like the idea but I suspect that sometime things will get so bad that governments will step in with legislation. Similar to automobile legislation that make today's cars safer. I don't use and don't like Microsoft products, but they need to do a lot better job of security.

Bottom line reason for things like they are is simply greed. Even though it has been stated in less offensive terms here. Making a buck drives many choices. Microsoft engineers are some of the best in the world. But as noted, they don't run things.

I'm not an expert, but I think Microsoft made the wrong decision here. I see the problem you describe. But after years of helping people with computer problems, mainly caused by security problems, I really think Microsoft (and other companies) should let security prevail over other things.
That's one of the things I blame Microsoft (and a lot of other companies) for: they told people a computer and internet etc. are really easy. It's not only with passwords etc., but also with things like protecting against viruses, phishing, etc. If people was told from the beginning the internet is a 'dangerous' place, most people wouldn't mind if a login takes a few seconds instead of being lightning fast.
If you explain to people why the login takes a few seconds, that it's to protect their privacy, identity, bank accounts, etc., I think people would accept that.
I used to work for an organization that helped older people who just started with computers. You don't want to know how many did things like disabling updating antivirus programs, because they didn't understand it, or it took too long, or whatever reason. If I had explained why that was a very bad idea and they understood the dangers, almost everybody worked more secure. (There is a small bunch of idiots that shouldn't be allowed to even take the dust of a computer, but that's in every branch.)
If customers don't like that and in turn the selling department doesn't like it, I think security should always win.

Here's another example that's rather illuminating. For some time now, Windows Live ID passwords have been limited to a maximum of 16 characters in length. No one ever seemed to notice this until the transition from Live ID to Microsoft Account, when the dialog box specifically mentioned the maximum. A sh*tstorm of armchair quarterbacking arose, with condemnations coming in like gangbusters. Yet no one ever stopped to think why.

Well, I'll tell you why. Remember that the Microsoft Account service is used by every online property Microsoft has -- not only Hotmail and the consumer stuff, but also Office 365 and Azure (Microsoft's cloud services). During any given one-second time period, the Account service typically processes 150,000 logins. At various points in the day this might burst up to 250,000 logins. Look at that again: between 150,000 and 250,000 authentication attempts per second, every second of every day of every year.

So how do you build a system that can sustain 540,000,000 authentication attempts per hour? When my friend who built the service, one of the smartest security dudes I know, assembled a team to find a solution, don't for a moment think they arbitrarily pulled 16 out of their collective asses. People basically demand that login be instantaneous, and this is one of those moments where security engineers are faced with making unpleasant tradeoffs. Each additional character added to a password increases the amount of time required to compute the hash. But slow logins will make customers bail.

Now, one can make all the noise one wants about length being more secure than complexity -- and indeed, I am guilty of this myself. But after weeks of design reviews and thousands of simulation runs of various mechanisms, 16 characters was chosen as the maximum length the service could support without slowing down logins to the point where a zillion calls would start pouring into the help desks. A reasonable balance has to be struck between security and usability.

So yeah, this is the kind of stuff that a lot of critics just don't grok. Security at scale is really hard.

Keep it up with the explanations, SR. Your insights on Microsoft's actions in the times you were there are quite valuable, even to a Windows (7) user like me, though I don't boot into it all that often. (only to do Windows Updates and such).

You're arguments are very interesting, SteveRiley. I hated Windows Defender (or whatever it was called at that time) because it didn't work at all in the beginning. I used to clean up machines in that time. I didn't know there was a reason for working so bad in the beginning. (Don't know how it's working now, because I don't clean machines anymore.)
It's very interesting to read 'from the inside' about that kind of decisions. But if you're on a holy war against the devil called Microsoft, I guess it's not good for your heart to read your arguments, because you only want to read bad things. I absolutely don't like Microsoft as a company, but that doesn't mean of course everybody working there is a monster and a bad coder etc.
I don't like cars either. Living in Amsterdam, I would have a very hard time if I started to hate every driver.

Shimapan there's a few things I'd like to highlight about your comments towards Microsoft and Windows OS.

At the time of Windows 3.1 in the early 90's, Linux was in its infancy. There was no real alternative to Windows 3.1 except DOS (MS-DOS; PC-DOS; DR-DOS etc.) Also, when OS/2 was developed and released I believe that it was developed in part by Microsoft themselves for IBM.

And another thing, accusing the coders at Microsoft as being not very good for producing such bad software is not right. I am sure Microsoft will employ only the best coders, what I believe is at fault at Microsoft is the management dictating what and how software should be developed, the coders will not have an executive say on where the software is heading.

Don't blame the workers for the decisions of the management.

I'm rather perplexed at your reaction, Shimapan. I've posted accurate statements regarding motivations and actions with respect to the subject at hand, yet you seem unwilling to entertain ideas that don't align with your preconceptions. You make assertions without demonstrating that you possess the knowledge to do so (were you on the MS-DOS development team, and therefore knew their minds?). You attempt to bolster your argument with unrelated events but fail to grasp their history (the Longhorn reset was not the cause of Vista's delays, and occurred for reasons that you seem unaware of). You resort to childish name-calling to categorize a product whose very introduction was a serious risk to Microsoft's business partnerships (Defender had to launch with an initially narrow scope for a variety of complex business reasons) while continuing to present a factually inaccurate position (I still await your proof of the specific claim that Defender intentionally blocked Firefox).

Lest you think I'm simply shilling for the company, I call your attention to the several posts I've made here at KFN in which I criticize particular aspects of Microsoft's products or business practices. It is not a perfect institution -- no such thing exists. At the same time, certain of Microsoft's positions are sensible and entirely justified -- positions I will defend despite the termination of my job role during the 2009 layoffs. I would advise that you attempt to curb your disdain for a time and trade sweeping misinformed generalizations for a better understanding of the facts and of the scale at which a firm like Microsoft must operate. I'm happy to assist you with this at any time.

MS has *no one* to blame for that than themselves only. At the time MS fudged together Win 3.1, there was already Unix, derivatives and other OSes which were fully multi-user and multi-threading-capable. There was also Os/2, which worked nicely in these regards. Sadly, the MS developers were way too dimwitted to grasp the concepts behind a proper multi-user-system and all that, and so they just happily continued their fudging. However, as with many other things they had done, this too came back later to bite them in the ass, and they had once more to deal with the consequences of their earlier incompetence.
This was especially bad after Windows XP, when they had to realise that their fudging had reached a critical mass, and they couldn't simply fudge on like that, as they had used to. They had to pull ther plug and do a code reset, which was the main cause of the countless delays during the creating of Vista. When they finally couldn't delay things any further, they released Vista, now almost three years late, but it was still an atrocious monstrosity, with many things half-finished and half-ass, poorly working (if at all), and stuff designed to annoy the user on top of that. There was a very good reason that Vista was the most hated OS right after the also abysmal ME.
It took MS then another three years to fix up the worst flaws in Vista and trun the bloody mess into a halfway-working OS. This fixed-up OS, which was only a minor upgrade (6.0 -> 6.1), and which was what Vista should've been in the first place, was then pompously announced as "Windows 7", with MS spending millions upon millions to continue to shove Windows down everyone's throats.

Any other company, where the quality of their products is even of the least concern, would've quickly went out of business, had they release garbage like ME, or at the very least after the release of garbage like Vista, which was insanely delayed on top of that. Not so MS. As everyone is *forced* to buy Windows with evey laptop and every pre-built desktop PC, they can do whatever they please and release the biggest garbage, and it will still not have any noteable inpact upon them.

You're talking about the flaming piece of garbage called "Windows Defender"? In various comparison tests with other anti-malware programs, it regularly placed last (just like its equally worthless bigger brother regularly placed last in comparison tests). But that's no surprise, after all it was never meant to be a proper anti-malware solution. It was only meant to keep programs MS didn't like out of Windows - programs like Firefox. Fort that, any Firefox installation Windows Dickfender could find was marked as "malware", in an attempt to stop Firefox from kicking Internet Exploder in the nuts. That however created a huge sh!tstorm, and MS was forced to change the malware detection and not detect Firefox as malware anymore.

Actually, the 11 years I spent at Microsoft were very influential in my career. I learned more about software security at scale than I ever thought possible. While Microsoft is certainly not mistake-free, it's also important to realize that the scale at which the organization has to work is unprecedented. Patching a billion machines is really, really hard.

I'd like to get you to reconsider your thinking for a moment. Remember that DOS and early Windows were single-user systems and had no network connections. Isolation -- of processes, programs or users -- simply wasn't a design requirement. An enormous third-party ecosystem arose in this environment. As Windows evolved into a multi-process, multi-user operating system, Microsoft published numerous guidelines for third party developers. One of those was to develop software that didn't require admin rights. But, unfortunately, few third parties paid attention. So the world ended up in this situation:

DEVELOPER: "Everything works as admin. Why bother changing? No one runs as non-admin anyway."

USER: "Everything needs admin. So I'll just keep using admin accounts."

Rock, meet hard place. No amount of cajoling on the part of Microsoft was effective at changing third party behavior. I tell you, the sense of frustration we felt in TwC was huge. We successfully changed the firewall in XP SP2 so that it would be enabled by default. We successfully integrated malware detection and removal into the operating system. We successfully got every single business unit to adopt a unified upgrade mechanism (the politics around that were beyond comprehension, but we did it) and we got it enabled by default. We fixed a lot of broken stuff, organizationally and technically. What we couldn't change was stuff outside our control: third party defaults.

The decision to implement UAC was not taken lightly, nor was it a mechanism to squeeze money out of people. Your characterization of it as a profit center is mistaken, and there is no such thing as "a special admin privilege key." When we asked third parties why they weren't writing for standard user, the response was essentially, "Only one percent of our customers care, so we aren't going to spend money on them, especially since they keep buying anyway." Faced with that reality, we had only one choice: get more of their customers to care. Financial incentives are wonderful motivators, and indeed, it worked. Customers started demanding that third parties write for standard user, or they would take their business elsewhere. When this happened, UAC prompts dropped off significantly. I'm not making this up: TwC gathered plenty of data to demonstrate that the expected outcome was precisely because of the intended reason.