Lower Your Insurance Premiums: Use Linux

Several readers who declined identification have pointed out that this "article over at Interactive Week discusses J.S. Wurzler Underwriting Managers, one of the first companies to offer cracker insurance, charging clients 5 to 15 percent more if they use Microsoft Windows NT in their Internet operations. As insurance companies live and die by their statistics, this is a pretty significant move. The article also has interesting information about tech turn-over in Windows vs. open source shops." However, note that Wurzler is not the only company offering anti-cracking insurance, and the Big Names haven't yet followed this lead, even though they're apparently watching intently. Maybe "treating employees nicely" is at least as important a factor to consider.

Sometimes I wonder...

From the article:
"NT is more difficult to install correctly and keep up to date than Linux," Spafford said.

I'd say they're both difficult to install correctly, but that Linux is definitely harder to keep up to date. Despite what CmdrTaco et al like to say about apt-get, to update Linux still requires a fairly competent administrator who keeps up to date on patches and knows which one he or she needs to install. Owing to its manufacturer and the google-eyed media frenzy surrounding Microsoft products, NT bug updates get a lot more press coverage.

I think that in general, Windows' installers are much slicker than the half dozen I've played with for Linux. If Linux could improve one thing about their installers, it would definitely be driver support. The general lack of polish (or glitz as some may see it) of Linux systems puts off a generation of IT managers trough-fed by Microsoft.

Also, since [good] Linux sysadmins are in short supply, companies have to pay more in salaries and fiscal items like that than they would for similarly (if the two can be compared) qualified NT/2000 admins. The insurance savings may be negated by this - but if you can run (notice I don't say "get") a much more secure Linux system for the same price as a Windows NT/2000 server, then Linux is well on the way to competing.

Re:Sometimes I wonder...

[HamNRye]

To respond to your points in order:

Linux is harder to keep up to date. This is blatantly untrue. The truth of it is, that when MS released these monolithic SP's and hotfixes, many of them did more harm than good. W2k SP2 and Exchange server are a good example, as well as the still undocumented effect of running the March hotfix on a W2k machine running IE 5.5. While the SP2 problems were at least fixable with a paralell install, the march hotfix is non-fixable without reloading the OS. (Maybe this is why MS will still not claim it as a bug.)

The truth of it is, many shops WILL NOT install a service pack unless there is a specific bug they are looking to quash. Otherwise, the machine will stay at the service pack level that was available when the OS was first installed. Our SUN machines, on the other hand, are regularily patched without a reboot. (or a 2 hour frikkin' download) If the patch causes a problem, It can easily be removed. I could say the same for our SUSE servers, and our AIX servers.

And, while NT bug updates get more press coverage, is because the release sparingly, and then ask that you download a 105 MB patch. In addition, Microsoft will not document a Bug until it has the solution. This has led to severe holes going unpatched for months while it's customers are in the dark. *nix generally releases patches for individual files and programs, their patches are more timely, and much easier to install.

So, to keep it simple, patching an NT server means:
15 committee meetings to decide if we should really do this.
Full back-up of the server.
Install Service Pack and pray.

To patch the SUN boxen??
root# patchadd

Slick installers?? If that's how you choose an OS, you deserve what you get. While I'll admit that many of the Linux installers are nasty, I'll only use the installer once. (Insert rant about paralell installs and the sinking feeling that the 30th software package you installed is what's cusing the "Windows Protection Error")

And finally, if diamonds are in short supply, are emeralds as good?? Are the diamonds worth it? Yes, your usual Unix sysadmin costs more, but has also been in the industry longer, and stands a decent chance of actually knowing the system. Many NT admins are hired right out of the class and just thought, "Gee, computer guys make alot of money." And while many of them get past this stage, that's usually when they become Unix sysadmins. Also, UNIX sysadmins are generally asked to do more with the OS. Like shell scripting for starters. When NT admins have to know wscript, maybe we'll have better NT admins.

I mentioned securing port 139 about a month ago. I got "Port 139????"

Also, in closing, Win NT has too many "Script Kiddie" attacks suceed to be taken seriously. When a frikkin' Outlook worm is a billion dollar virus.... Unix may be vulnerable, but not to the average idiot. Look at the stupid Kornikova(SP?) virus. Two weeks into visual basic, and someone exploits the heck out of MS.

~Hammy
"Your leaving will fill the void that was created when you first came here."

Re:Sometimes I wonder...

[Asphixiat]

I disagree - as a normal user of Linux, I never had to "keep up to date", but as I am now a sysadmin I found it very easy - read slashdot every day :) - or if you want to be boring about it, join the security mail list for whatever dist you use (they all have them ;).

I have a lot of windows mates, and they all saw me and KDE - v.1 mind you - they liked it and wanted me to show it to them. Well most of them were pretty wishy-washy about it, but when they saw KDE v2 - they made me help them. So I gave them Mandrake, and refused to sit/look/help them install - just answered their questions (but like a guru-dude - replying with a question and making them figure it out ;) hehehe.

Anyhoo - Mandrake has answered both your FUD issues dude - install was commented on *everytime* - but hey - well all miss the penguins with v8 :( and hardware detection was *spot* on everytime. Oh and BTW - 2000's install is good, and hardware detection - not sayin this to avoid a flame - NT4's was crap on both counts.

Am I the only person worried...

...by the fact that this report about an insurance company charging a premium for use of NT gets turned into a headline that says that if you use Linux, you will pay less?

Re:Am I the only person worried...

[iomud]

I'm worried about the fact that you felt you had to be AC for fear of modding down because of your statements reguarding the contorting of the article, but such is the climate here at /.

Re:Why isn't MS-NBC reporting this?

[cduffy]

Anyway, I have some major issues with 1984 and I could go off on a political rant, but I won't. But, right now I'm in the middle of reading Snowcrash and I am coming to the opinion that the biggest threat to personal freedom is not the government, but big business. Business that seems to be above the law. Or just find ways to simply bypass the law with technological means. Which kind of explains it.

Except in Snow Crash, business can't use force. Business can't sieze your assets; business can't control where you go; business can't lock you up in a little cell.

Or, at least, they can't do those things without government's help or permission.

Government in service of business indeed a great threat -- but business alone is not. One can try to solve this problem either by restricting business, or by restricting government. I am utterly convinced that the latter is the better solution, and the former nearly impossible (and even if not impossible, the attempt makes enemies of those with the resources and the ability to make things with them... never a good thing).

Why should we let *anyone* assume those risks?

[alewando]

Insurance may work by spreading the risk across the collective population, but that's no reason to let the few bad apples spoil the whole barrel. If a small number of users are making it prohibitively expensive for others to be insured, then we must cut the cancer out at its roots.

We already deny insurance policies for smokers and sky divers. We already deny insurance policies to citizens of New Jersey. (Don't believe me? Read the fine print on any Geico commercial.) These individuals may exercise their rights in choosing to live the damnable lifestyles they live, but that doesn't mean we have to pay for it.

All rights come with responsibilities. Drivers aren't allowed to drive drunk, but that's what system administrators are doing every day by installing Windows. We have laws against this stuff for a reason. It's time to extend them to computers.

Re:Why should we let *anyone* assume those risks?

[Algan]

Dude, I'm offended. I live my damnable lifestyle in NJ. Let me tell you, I'd rather drive 200 miles up and down Garden state than 2 miles in NYC. It'll be safer.

You're right saying that Geico (and others) don't offer car insurance in NJ. But I think it's more related to the fucked up legislation we have here...

Oh, and one more thing... don't worry, you're not paying for my insurance. That's why I pay twice the amount I would have payed in another place... midwest for example...

Insurances are about statistics

[Karpe]

Of course there is much more to security then the operating system. But insurances are always based on statistics. They cannot really represent reality for every single case, but for the average case. That's why you pay more car insurance if you are a male, young driver, than an old woman even if you drive one day in a week and never passes the speed limit. What this article shows, probably, is that they gathered statistics and Linux servers had less security problems than NT. I think the credit is not only to the operating system, as you even say, the personel is also very important. But probably they are linked to the operating system as a statistic, that is, people who run Linux servers tend to be more security conscious sysadmins.

Re:Insurances are about statistics

[Malcontent]

Well the reason black people are convicted of more crmes may not mean that black people actually commit more crimes. Black neighborhoods are very heavily policed so your typical black teenager will get busted for smoking a joint in an alley while your typical white teenager smoking a joint in the park or in the woods will never get cought. Same with all kinds of minor offenses like shoplifting (clerks watch blacks much more closely), littering, loitering, jaywalking, speeding etc. White kids can hand out the circle K or dairy queen all night but black kids get busted for standing around the burger king.
Also consider the fact that even if white Kids are busted they are routinely let go of by the cops with a scare talk or calling the parents but the black kids are much more likely to get charged with crimes and the DAs are much more likely to seek more severe penalties for them (charging them with felonies instead of misdemeanors for example).

Statistics are one thing the reality is something else.

Re:Insurances are about statistics

[belroth]

While I don't disagree with you it sounds a bit too PC to be true. If left handed bluebearded women of 23 are more likely to have accidents then they should have higher premiums, and they will. Otherwise why should low risk groups subsidise high-risk ones?

Your post reminds me of 2 things, the story Harrison Bergeron by Kurt Vonnegut, and the introduction to It Makes A Fellow Proud To Be A Soldier by Tom Lehrer. In the intro Lehrer talks (in the 50s) about how the US Army has eliminated discrimination on grounds of Race,Creed,Colour or Ability.
----

Re:Insurances are about statistics

[loraksus]

If you actually drive, I'm sure that you'll agree that old women drivers are the worst drivers, this is closely followed by female teenagers and fuck-off male teenagers.

Imagine if women had to pay more insurance than men! Gasp! The oppression! The discrimination!

Bah (still pissed about paying $1800 a year for basic insurance while my parents can cover 3 cars with full coverage for about half. That and they don't have perfect driving records, I do.) Oh well, only 2 more years before I start paying somewhat normal rates.

The slashdot 2 minute between postings limit:
Pissing off hyper caffeineated /.'ers since Spring 2001.

Re:Insurances are about statistics

[gle]

Maybe the average woman tend to drive worse than the average man (this is still to be proven), they cause less car crashes, because they don't drive like crazy.
They cost less to the insurance company, so the insurance price is lower for them.

Re:Insurances are about statistics

[Kierthos]

Exactly. The correlation exists. Because young male drivers are more likely to be involved in accidents then older female drivers, the insurance rates for those young male drivers is significantly higher. (Ob note: AFAIK, the age range for the highest insurance rates is 16-25.) Likewise, because Windows machines are "easier" to crack, at least in terms of availability, then the insurance rates are higher. Think about it. Windows has how much market share compared to Linux? It's so much easier to find a Windows based system to exploit then a similar Linux system.

Couple that with the fact that most Windows systems are reliant not upon the sysadmin for fixes, but rather Microsoft, and you see the problem. (Whereas anyone with enough know-how can patch most of the problems with Linux machines.)

If Microsoft released the source code, or they were more proactive in putting out quality software, or they were quicker and more efficient at patching software in a timely manner, then the rates wouldn't be so high. But if they released their source code now, all it would do is create thousands of script kiddies exploiting the holes that someone else found first.

What Microsoft needs to do is take the time to put out proper software. But the chances of that happening are similar to the chances of a whelk surviving a supernova.

Kierthos

Re:Insurances are about statistics

[jesseraf]

on the other hand, aren't you really saying that it's the people, not the OS?
being completely objective, I think the above system to be true. It's more often the people who keep their networks secure, and not the OSes.
I honestly think it's more about the track record of the team that people should be basing insurance premiums on, and not the OS.

Ummm....

[sql*kitten]

... surely I can't be the only one to notice that this rather smug article was posted right next to one about SourceForge being compromised?

Just wondering.

Re:This is just plain silly.

[Christopher+Craig]

I can say with 99% certainty that your segfault problems on Linux are caused by system overheating and hardware failure. Linux (unlike Windows IIRC) does not try to recover from an invalid hardware state, so running at 90-100% usage for a couple days could easily have caused a fatal hardware error.

Re:MS creates the illusion of simplicity

[sheldon]

Hmm, sounds like he should have used the hotfix tool off Microsoft's website instead of Windowsupdate.

Windowsupdate isn't meant for servers.

Re:I wonder if NT's ease of use could be a culprit

[sheldon]

No they didn't. They subcontracted content caching out to Akamai in order to make their internet services much less prone to DNS attacks.

Re:I wonder if NT's ease of use could be a culprit

[sheldon]

Sigh... Your the type of person who gives MCSE a bad name. :(

I also have an MCSE I obtained a couple of years ago, and it's really quite simple to secure an NT box:

#1. Subscribe to NTBUGTRAQ.COM
#2. Read www.microsoft.com/security

Microsoft has provided tools which will notify you when security related hotfixes are released. They have provided tools to automate the installation of hotfixes, as well as automate the configuration of servers.

The DNS issue wasn't a bug in Microsoft's software. They suffered a DoS attack on their web servers, so they subcontracted with Akamai to protect against this. If you don't know who or what Akamai does, that's another problem with your paper MCSE.

What security through obscurity argument? Do you even know what that means?

I don't disagree that the lack of qualified admins is the problem. But the documentation and tools are out there, you just have to use them.

But my main point for responding... You shouldn't consider yourself a qualified admin, because you clearly are not.

MS creates the illusion of simplicity

[astrashe]

I don't know if the insurance price difference is justified or not.

But I think that part of the problem isn't with NT/W2K per se, but with the culture that surrounds MS sys admining. MS tries to make things simple -- and they often seem simple. It's easy to throw stuff up without thinking about it first. And one of the selling points that MS uses in comparisons with Unix/Linux is that W2K is easier.

On a certain level, that means that you get a sysadmin that went to Windows because Unix was too hard. That's a harsh overgeneralization, but I think there's some truth to it.

The problem is that security is hard on any platform. The issues are pretty similar. But if you keep telling people that all of you have to do is click on an icon to set things up, it's not surprising that people click on the icon, take the defaults, and don't think about locking things down.

Re:MS creates the illusion of simplicity

[0xA]

That's actually what I meant I figured everybody would understand the concept better if I said "MS has provided a security update tool that makes use of all the windows update services".

I guess that wasn't very clear but it was kind of late, I was too tired to think.

Re:MS creates the illusion of simplicity

[0xA]

Ms creates just that, the illusion of simplicity. I used to be a NT admin but have moved on to Linux and Solaris stuff for the past couple of years. I still have a very good friend that is a NT admin, as part of his job he looks after some IIS boxen. He got nailed by the Solaris/IIS worm a couple of weeks ago, here's what happened.

With W2K, MS has provided a security update tool that makes use of all the windows update services. My buddy is a really bright guy, he knows his stuff and is a good admin so he makes use of the tool on a very regular basis. The day before the worm struck he ran the security check because he became aware of this vulnerability, according to windows update his system was fine, the relevant patch had been installed correctly. The box got hit anyways.

We took a look and it looks like a subsequent patch or service pack had undone the fix on him. The is the exact reason he uses the windows update service, it is supposed to keep this from happening. Now not only does MS give the hollow illusion of an effective admin tool, they make it difficult (read damn near impossible) to manage patches, hotfixes and service packs without it. MS's security bullitens are lame by any other vendor's standards. They rarely contain a decent amount of information about the problem, other hotfixes that can affect it or how to test for the vulnerability.

I just can't get over some of the stuff that NT admins put up with. They get the buffer overflow of the day, a hotfix that manages to unplug a bunch of old holes and no detailed information from the vendor on the problem! Even the qualified and effective admins like my friend don't stand a damn chance up against those odds.

Re:MS creates the illusion of simplicity

[loraksus]

if you make the servers easy enough for a monkey to administer, then you will have monkeys administering your servers.

The slashdot 2 minute between postings limit:
Pissing off hyper caffeineated /.'ers since Spring 2001.

Re:Idiotic

[ergo98]

I mean no disprespect, but on average, people who do not understand how computers work, or how security works into the networked envirnment, would choose windows. There is no reason why windows cannot be as secure as a well locked down linux system, it is just less likly.

I will agree with this if talking about firms with enormously secure, and the reality is that most firms that would actually pony up for "cracking" insurance will be of this calibre: They usually have top notch IT departments. The small shops that account for the overwhelming majority of compromises seldom would get insurance.

Re:Idiotic

[ergo98]

I mean no disprespect, but on average, people who do not understand how computers work, or how security works into the networked envirnment, would choose windows. There is no reason why windows cannot be as secure as a well locked down linux system, it is just less likly.

Sorry for the repost but I forgot to put &amplt rather than &lt... ;-)

I will agree with this if talking about firms with &lt 100 employees. In that case it is completely true that often Windows is simply what happens to be installed so it is turned into the network infrastructure. However there are a lot of very large companies with very intelligent IT departments that have incredibly secure Windows 2000/NT networks with complete IPSec/SMB signing, Kerberos, certificate authentications, etc. As you mentioned and I will attest, 2000 can be enormously secure, and the reality is that most firms that would actually pony up for "cracking" insurance will be of this calibre: They usually have top notch IT departments. The small shops that account for the overwhelming majority of compromises seldom would get insurance in the first place.

Re:Idiotic

[ergo98]

Excellent points, however the fundamental of my position was that saying that the primary decision of the security of a firms infrastructure is what operating system they use is like (and I'll bring this up because there are several other car analogies) giving car insurance based upon the diameter of the tires. I am absolutely certain you could draw a correlation in some bizarre way between different tire sizes and insurance claims, however to use that as the foundation basis for insuring would be quite silly. Just because there is a correlation of something doesn't mean that it's a relevant correlation, or the most pertinent correlation, especially in something as complex as security.

If I read "...and furthermore shops that had installed the latest 2000 hotfixes had their premiums dropped 60%" then it would be credible. The security difference between a shop where the admins keep on top of the systems and one where they don't is huge and decisively paints a picture of the organization. The OS chosen does not (despite the patting on the back by the Linux community it's amazing how often I see scans for Linux vulnerabilities...).

Idiotic

[ergo98]

What a ridiculous concept. The security of an infrastructure is far more the people and dedication to keeping on top of issues more than it's the operating system. The recent Solaris/IIS worm took advantage of a year old hole to compromise IIS 5 servers, just as the portmapper/BIND/RPC/POP2/etc. Linux exploits take advantage of ancient (in computer time) and long since fixed holes. Of course it takes a grossly incompetent sysadmin to fall prey to any of these, but unfortunately there are many of those out there.

If there is such a thing as "cracking insurance" (I mean by real insurance firms that aren't just trying to get headlines by making a ridiculous policy) it would be based upon the manpower skills, policies, and possibly the use of outside agents to test the security. The idea that Linux=Secure and NT=Insecure is absurd and simplistic.

Re:Idiotic

[ibbey]

What a stupid, stupid analogy. I could agree if you had compared it to the engine-- I mean, the OS is arguably the engine of the computer (at least as far as the software side of things). Of course the problem with this analogy is that it counters your point. My neighbor with the 500 horsepower big block 428 (or whatever) likely has higher insurance rates then I do with my 1.9 liter 88 horsepower engine. Does that mean he's a worse driver? No. But statistically, he's more likely to have claims so he gets the higher rates.

One important thing to keep in mind, nowhere in the article did it say that this was the only determining factor. Odds are, this is only one of several questions they ask you in determining your rates. And, I imagine based on your answers, it's possible for someone running Unix to pay more then someone else running NT. The fact that this isn't specifically specified in the article does not mean that it isn't true. This is a general article, not in depth journalism. Understanding the difference between fluff press & in depth reporting is a good skill to have.

Re:Idiotic

[ddmckay]

It's no more or less idiotic than auto insurance that charges you more for a sports car and less for a Volvo. The insurers don't take into account the skill of the driver just the frequency that a certain type of vehicle requires the insurer to pay out. If the NT versus Linux difference helps to determine when the insurer will have to pay out then they will use it to determine the rates.

Re:Idiotic

[Datafage]

Liability insurance will go up for a bigger engine, too, so it's not just replacing the car. Take it from an 18-year-old with a 5.7 liter IROC-Z...

-----------------------

Re:Idiotic

[4of12]

>And, I imagine based on your answers, it's possible for someone running Unix to pay more then someone else running NT.

If software costs are any indication, I have generally come to expect to pay more for Unix {hardware,software,personnel} due to the niche market effect and the economies of scale that favor the virtual lock on the marketplace enjoyed by win32.

Indeed, give that:

• Outfits running, say, a Sun E10000 with 64 processors are big sites with big budgets for top of the line hardware.
• And, behind their Web server somewhere is a database whose value, if compromised, would be much larger than that of the database behind the typical NT web server.

I would expect UNIX insurance to cost more, even if other statistics indicated that, for whatever reasons, they were compromised less often than an NT box.

Those big UNIX boxes hide more behind them; they simply have more to lose.

Linux, OTOH, (and OpenBSD even more so) would remain the most affordable to insure since they're used by small outfits characterized by:

1. Extreme cost consciousness
2. High technical expertise

and, as a strong correlation of the first, probably a not-so-valuable database hiding behind a formidable phalanx of protection that is all out of proportion to the value of what they're protecting (kinda like the ratio between the Russian military and Russia:).

Re:Idiotic

[belroth]

You're overlooking something re: insurance.
It's not just the likelihood of accident that determines premium, a significant factor is the cost of parts and labour - if a big engine costs more to fix it will cost more to insure, regardless of accident probability. That's not to say that the likelihood of accident sin;t a factor - it obviously is, it's just not the only one.
----

Re:Idiotic

[tookish]

"What a ridiculous concept. The security of an infrastructure is far more the people and dedication to keeping on top of issues more than it's the operating system."

That's absolutely true. That's why it's only 5-15% more expensive, because the operating system is only one aspect. If it was all about the operating system, the price difference would be significantly more.

There's no suggestion that the operating system is the only determining factor, just that it's one determining factor.

"The obvious mathematical breakthrough would be . . . an easy way to factor large prime numbers"

Re:Idiotic

[gle]

What a ridiculous concept. The security of an infrastructure is far more the people and dedication to keeping on top of issues more than it's the operating system.
...
The idea that Linux=Secure and NT=Insecure is absurd and simplistic.

So, does it mean the insurance statistics have now proven that MS admins are morons who can't make their boxen secure?

Re:Idiotic

[Sell0ut]

I mean no disprespect, but on average, people who do not understand how computers work, or how security works into the networked envirnment, would choose windows. There is no reason why windows cannot be as secure as a well locked down linux system, it is just less likly.

Also, the number of systems used needs to be taken into consideration. If there are 50 NT servers running IIS, and 10 linux running rpc.mountd, who would you charge the higher premium on?

Re:Idiotic

[oconnorcjo]

It is simple statistics. Insurance companies look for indicaters to risk/reward. They are looking to find the best way to have a client pay more in the long term (on average) than they would have to pay out for any given incident. What a ridiculous concept. The security of an infrastructure is far more the people and dedication to keeping on top of issues more than it's the operating system.

The reason Linux probably gets lower rates, is because on average, the people who use it are more security concious and technically astute in comparison to win32 admins. Insurence companies DON'T CARE WHY there is a diference. They probably just fed statistics into a computer and gave these results. Just like men at age 24 have higher rates then women at age 21 for car insurence- statistics. It has nothing to do with any individual driver.

Re:Idiotic

[tulare]

The security of an infrastructure is far more the people and dedication to keeping on top of issues...

I really couldn't agree with you more. Which is precisely one of the issues addressed in the article (Did you read it?)

Wurzler found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software, where turnover can exceed 33 percent per year. That turnover contributes to another problem: System administrators are not implementing all the patches that have been issued for Windows NT, Wurzler said.

While I think you're absolutely right that "Linux=Secure and NT=Insecure is absurd and simplistic" I also think that that particular argument is a straw man: a better way to put it might be:
Linux, due to the fact that the source code is open to anyone interested in looking at it and fixing it, and due to the ease with which it can be upgraded, and due to the generally higher level of expertise of system administrators who prefer to use it, is inherently fairly secure, on average.
Windows NT, due to the fact that Microsoft chooses to protect it's business interests, does not disclose its source code, and due to the difficulty people find in upgrading it, and also due to the generally lower level of expertise and experience in system administrators who prefer to use it, is inherently not very secure, on average.

Big systems get the same rate as small

[Sangui5]

Just because your big valuable database has a large loss potential doesn't mean that you get a worse insurance rate.

The difference is in the amount you pay, not the rate.

The article says that a hacking policy costs about $4,000 for $1,000,000 of coverage per year. That means that if you pay them $4000 a year, and get hacked, costing you 15 billion in revenue, they pay you 1 million. If you get hacked and you loose $1.75 in revenue as a result, you get paid $1.75. If you feel that your losses are likely to be on the order of 1 billion, then you can buy 1 billion dollars of coverage for 4 million a year. That 4 million isn't exact, but will be more or less based on risk factors including but not necessarily limited to operating system choice.

So repeat after me, insurance rates and insurance costs are not the same. Indeed, simply because they have more to loose, a big site is likely to be better protected than a small one. Now, the insurance company can measure this in different, more direct, ways, so they probably don't charge you different rates based on sheer size alone. But just because a site has a lot to loose doesn't change the rate.

Re:Use Linux?

[Zico]

Oh, I'd agree with you on that, but Slashdot's reasoning seems to be a bit lacking. First off, people creating new systems aren't going to be buying NT. If they're going the Windows route, they'd be buying Win2K. So, this article doesn't affect those people.

Now, if I'm already using NT and don't want to be subjected the extra fees imposed by this pissant company(*), I'd have to switch operating systems. Except that switching to Linux isn't going to be getting me any bigger insurance discount than if I switch to Win2K. So how is this an incentive?

Anyway, I just found it amusing that the marketing arm of VA Linux (read: Slashdot) would post this now, to take away the heat from the SourceForge fiasco. Maybe some people out there remember that The Register ran a story about the exact same thing over a month ago. (You gonna tell me that scads of people didn't submit it then? If so, I've got a secure RedHat server sitting on some New Jersey beachfront property to sell you ;) ).

(*) Why would I refer to them as a "pissant company?" Well, how many insurance agencies are you aware of that have only eight employees? I think everyone here is grown up enough to admit that we'd have never heard of these guys either if not for this one particular policy, a policy that nobody else in the insurance biz seems to be moving to.

Cheers,

Re:Use Linux?

[Zico]

Yes, and Java 1.2 is somehow called Java 2. Everybody knows that Win2K is the successor to NT4 in the NT line, but nobody except possibly the same people who say "M$" ever calls it NT instead of Win2K, 2000, Windows 2000, etc. When someone says NT, they're talking about NT4 and earlier. If they're including Win2K, they say NT-based. Anyone can argue semantics about this, but we're talking about real-world usage here.

Cheers,

Use Linux?

[Zico]

Sorry, but I don't think the whole eight employees of Wurzler has much of a say-so when it comes to reality.

Besides, why is Slashdot still fighting over Windows NT, the focus of this article? It's about 5 years old now, I'd think that Slashdot would be more worried about Windows 2000.

Also, it doesn't seem the article's author has done much comparing of security patches offered for holes on company web sites, since he chose to only mention NT's, even though there are a lot more for Debian 2.2 and RedHat 7.x, when you take into account how long they've been out. Oh well, what can one expect from Ziff Davis journalism?

Cheers,

Re:Use Linux?

[Darby]

First off, people creating new systems aren't going to be buying NT. If they're going the Windows route, they'd be buying Win2K

I would disagree with this. I used to be the webmaster for a 5000 person company which is a division of a really huge company. My arch nemesis was the head of the Novell/NT group. He would not allow me to install Samba on my Sun development web server to allow my develpers access to the box. His reasoning being essentially that it wasn't an MS product.
The point of that being that he is a gung-ho MS supporter and very good at that end of the house. They have been doing extensive testing of Win2K and his take on it is that Win2K pro is a good workstation and that the server version is an utter piece of shit. They will not be deploying it any time soon in any production situation.
---CONFLICT!!---

Re:Use Linux?

[Fjord]

The reason the article is concerned with NT and not 2000 is because they are an insurance company that insures actual systems. There has not been a massive migration to 2000. Even at my work, we have 2000 on the workstaions, but are still using NT 4 for the PDC and exchange servers.

The fact that NT has been out for 5 years and is correllated with claims is a major strike against it. If it's fundamental to the OS, then they had 5 years to patch it and haven't gotten it right. If it's because people don't know how to administrate properly, they have had 5 years to develop those skills.

This kind of thing may convince people to migrate to Linux or *BSD when they do move off NT.

Re:Use Linux?

[mgkimsal2]

Windows 2000 *IS* NT. When my 2000 box boots up it proudly displays 'based on NT technology'. NT5 kinda just morphed into Windows 2000 for the millenium marketing potential, imo.

Re:Use Linux?

[NutscrapeSucks]

Zico -- your argument would be more persuasive if there was a fundamental difference between NT4/IIS4 and W2K/IIS5. But there really isn't and you are informed enough to know that.

Now, the ActiveDirectory and other security enhancements are nice, but really don't apply to a external webserver. Another concern is that Microsoft didn't decide to aim to be a real 'enterprise' level vendor until sometime after NT5/IIS5 froze. Which means that the new regime of taking security and coding issues very seriously probably won't really rear it's head until IIS6 ships. (Unix vendors went through this same process, just about 5 years earlier than MS.)

Re:Use Linux?

[oliveloaf]

You need to realize that there are many companies out there that STILL use NT, I would hazard a guess that MOST windows servers are NT still.

Ease of Use bites you on the bum...

[maroberts]

..if this is true, I think it may come down to commitment. Unix/Linux sysadmins seem to actually love and are committed to their OS, whilst for NT advocates people it's an on the surface liking.

Secondly, Unix encourages you to play with the nuts and bolts, whereas the closed nature of Windows programs does not encourage exploration. Therefore when things do go wrong, a Unix sysadmin knows where the Usual Suspects may be found and can get things back up quick, whereas a Windows admin is busy phoning MS support.

Thirdly, it may come down to ability. I'm under the impression that to truly claim to be a Unix sysadmin you really have to know your Unix, and thus only the best get to go for such jobs. I have a fairly shallow knowledge of how most things hang together under Unix, but there's no way in hell that I'd claim my knowledge is deep enough to sysadmin Unix systems for a corporate entity, where hacking threats and downtime are serious issues. Whereas an NT admin waves his MCSE qualification around and gets the job regardless of how good he is at it. I'm under the impression that the best use for such a qualification is as toilet paper.

N.B. Before I get flamed, I do know there are some very good, professional, experienced NT admins out there; its just that you guys seem to be hidden from view by the not so good masses.

A different aspect of lowering insurance premium

[Skapare]

There's yet another aspect to lowering insurance premiums in business by switching from Microsoft products to Linux or BSD. As Microsoft moves more and more to coupling your software license registration with particular hardware, that could mean that if your hardware is stolen, you may have to buy another copy of the OS and all the applications, when you buy a replacement PC. If you expect the insurance to cover that added cost, you can expect the premiums to go up with it, too. And if you think Microsoft will readily make exceptions for stolen hardware, then I think businesses will catch on and claim hardware as stolen when in fact it is just sold off to recyclers or employees (who will likely continue using the software if it's from Microsoft).

LMAO

[Black+Parrot]

Yeah, it's a shame that the "liberal elite" insurance industry doesn't support the "conservative just-plain-folk" at Microsoft.

--

Re:This is just plain silly.

[Black+Parrot]

> Despite what these people say, most of the crap that they've been flinging around is just plain baseless. I'll be called a "Microsoft shill" or an "astroturfer", but truth is truth: Microsoft's latest server offerings are extremely secure, scalable, and reliable.

Not to imply that I believe you or anything, but you fit the stereotype to a 't': once MS finally does produce an OS that's stable, scalable, and secure, they'll brag their asses off over finally providing the most rudimentary services that an OS is supposed to provide, and that they should have been providing since day one. They'll probably even claim that they invented those concepts.

--

Keep it in focus folks..

[mindstrm]

This isn't about 'which OS is better' or 'which is more secure'.

Its about statistics, and about more than just the OS.
They found, in their studies, that linux-based shops tended to have less security problems than NT based shops, due to a combination of software, better trained and happier employees, etc.. so they did what insurance companies do.. they said 'if you use linux, we will give you a cheaper premium'.

A real-life example of the same thing.
Auto insurance in Alberta, Canada. If you are under 25, and especially if you are a male under the age of 25, insurance is expensive.
Once you are over 25, it gets much cheaper.
Now... I've been driving since I was 16, and never had an accident. Does this insurance policy imply that I am somehow incompetent? Certainly not... they're just playing at statistics. 80% of their costs come from male drivers under the age of 25, so they make those drivers pay more. Period.

Now pretend young male driver = NT shop, you get the same sort of thing.

Re:Just NT/Linux?

[the+eric+conspiracy]

I think that the human factor is much more important than the choice of OS. Anyone can put up an insecure box. A secure box takes vigilance to keep it secure.

If I was an insurance company what I would want to know is what the maintenance procedures for a site were, and see documentation that they were being followed.

The point about the technical competence and turnover rates is crucial given these issues - a shop that has low training and high turnover is just not going to have the adherence to proper maintenance methods that a shop with low turnover and skilled employees.

Re:Misleading slashdot headline

[odaiwai]

Also, you can automate your patching under *nix and patch many machines without leaving your desk. This is more complicated under NT.
In addition, if you patch an app under *nix, you probably just need to restart that app, not do a reboot.

dave

Re:This is just plain silly.

[mpe]

For the Win2k boxes (6 of them, total - 3 x from end, 2 x database, 1 admin/directory), each is set for daily reboots.

But you don't see this as a problem... Having to do this means that something at a rather fundermental level is badly broken. It might be your setup, it might be your setup, it might be your sysadmin, etc...

Re:This is just plain silly.

[Peter+H.S.]

It seems to me that Wurlzer has fallen victim to some of the FUD that has been spread by Linux advocates. [snip, a lot of linux bashing]

The problem is, that all statistical surveyes (for what they are worth) I've seen, all say that MS-based Internet servers, percentetwise are cracked more than their marked share would indicate. Much to my surprise, MS-Windows 2000 servers, are disproportionately more cracked, than even MS-WinNT 4.0.
Why it so, I really don't know; is it because; Sys-admins are insecure about applying hot-fixes (will the server come up again after the reboot?)
Skript-kiddies feels more at home on Win-servers?
Win+IIS are generally insecure products?
Windows servers, are generally runned by less competent/lazy people?
Companies running MS-solutions are to cheap to have a decent security policy?
A penguin ate the Hot-fix?
The insurance companies doesn't care why. They are just greedy bastards, who hates to pay out.

Look, if you want to use Linux or *BSD or some other non-mainstream OS
Take a look a www.netcraft.com : Linux is a mainstream Internet OS. Apache (OSS software) is by far the most dominating web-server around.

The way that America works is that people get together and work hard to put out a product, and then they sell it to people.
That exactly what this insurance company is doing; selling a product. Just be glad that it isn't a monopoly, so you can take your business elsewhere.

Go ahead and flame me
Ok. Flame, flame, flame.

[scorch-mode on]
You, sir - you are a MS zealot!!
[scorch-mode off]

Re:This is just plain silly.

[sirinek]

Yeah, no Americans have ever contributed anything to Linux or the BSDs.... pffft.

Hacker insurance will be well-used, I think.

[Trumpet]

Certainly, any large corporation should both secure themselves to the best of their ability, AND take out a policy.

Reading sites like CERT, l0pht and rootshell is never going to become useless, because at some point they will charge you so much for your coverage that you can no longer afford to remain in buisness. There will continue to be a need for security.

At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies. Some of them will doubtless reason that simply because they have purchased this policy they have all the protection they need.

That will last just long enough for them to lose some truly critical data or buisness which will seriously impair their ability to operate. At that time, they will take the money their policy pays out to them and hire a team of badasses to come in and secure their network, because they can't afford to have that happen again, even if someone does throw money at them when it occurs. Money doesn't turn back the clock, at least not yet.

All you security consultants are safe, but you might want to lay in some ramen for the next few months if you just got off a four month vacation. ;)

Re:Hacker insurance will be well-used, I think.

[oconnorcjo]

At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies.

I highly doubt that. If a company spends money on security like this, it implies that they take security seriously- not the reverse. In order to take out a policy like this, a company must realize that security cracks are always a potential (thus why they took out such a policy) and will probably take the time to keep up on security issues.

Re:This is just plain silly.

[interiot]

This sounds like Microsoftie FUD astroturfing if I ever heard it. And another thing...

tough titty (as the kitty is reputed to have said.)

No, I'm not trying to be funny.
--

Re:Have you ever considered...

[Microlith]

...that NT shops get charged more because it's obvious they have the money to spend?
Either that or statistics show that NT has more security problems, which as bullshit as statistics are, this is what insurance companies live on.

...that Linux shops have low-turnover because GNU/Linux "admins" can't get jobs elsewhere?

Where'd you get that from?

...that your blatant and igornant anti-Microsoft bias only reinforces Slashdot's reputation as poo?

So what should they post, stuff espousing how they love microsoft, in spite of the things microsoft has done to prove they deserve a lot of the crap they catch? I know some of it (ok, a good bit of it) is BS, but from what the article says, it's obvious that it's not Slashdot making this call.

This is how it will change

[ddmckay]

While it's fun to talk about the technical merits of one OS versus another, I think the economics favor open source. Economics will win in the end. This article adds two interesting points to the economic part of the discussion, risk management via insurance and staffing.

One way businesses manage risk is to insure against loss. That's costly, so you do what you can to save on insurance costs. Hiring people is expensive. Boring stuff, I know, but think about how that fits into an overall cost picture for chosing an operating system for, say, an e-comerce site.

- Less costly operating system due to no licensing costs, no (or very low) initial purchase (the easy to spot costs we've heard about over & over again)

- An operating system that your hard to find technical people prefer to work with (it's cheaper to keep people than to hire new people)

- And add to that, lower insurance costs

It's not just "free" software anymore, it's a broad cost savings strategy. Bottom line stuff like this often makes business people change their minds about purchases they might otherwise have not thought about.

--ddm

Re:Just NT/Linux?

[radja]

You want fair from an insurerer? Insurers do profits, not fairness.

//rdj

Re:Discount for OpenBSD?

[Nailer]

If you're running OpenBSD, you don't need cracker insurance.

Er, no. If you're running OpenBSD in the default install, which few if any people do you don't need cracker insurance.

On the other hand, say you forgot to apply the FTP globbing patch to your OpenBSD FTP server, then you probably do.

New way to piss people off

[/Idiot\]

Piss your co-workers/compeditors/Granny off by 0wning their IIS boxes and emailing the logs to their insurance co...

"But wait... I run apache on my IIS"

"Dosen't matter" says the insurance co "we won't drop the bill until you put in a reliable TCP/IP stack"

oh well :-/

Re:I wonder if NT's ease of use could be a culprit

[selectspec]

Microsoft is good about getting security patches out, and generally all you need to do is install the patch. Rarely is some special configuration required. I agree that an experienced admin can secure a win2k box as well as a *nix box.

I believe that NT/Win2k's security problems come down to 3 issues:

• 1. Less Experienced Admins. Let's face it, *nix admins tend to have been around the block a little more (at least in my experience). Probably, this is due to the fact that unix is a little harder to use and understand. I'm amazed how lazy NT admins are. So many sites are cracked because they fail to update their software patches. This is probably due to a culture of "it works don't fuck with it" that most Windows users suffer from.
• 2. Feature Friendly. Microsoft loves features. Features are security risks. The security of your product will always be disproportionate to the size of the featureset. Microsoft embrases friendly, seemingly useful new technologies faster than the cinical *nix crowd. Look at VBScript. I can see years ago, somebody saying, "Hey lets make Pine and Emacs ReadMail parse Perl script in email messages!" Imagine the shock around that room! Services of course are always the security nightmare on any platform, and *nix can suffer from too many features too, but *nix services tend to be bare-boned, while Microsoft services tend to be rich banquets for the cracker.
• 3. Closed Development. Ok, here's the flame, but I think there is something to be said about this issue. Open Source development has just bugs and security hole issues. The difference is the education of the admins (so in a way this is like point #1.) *nix admins tend to know how a service works because the development community openly discusses the design principles involved. The community is not only aware of the featureset but the internals. With NT/win2k nobody knows shit (except a few losers at Dell and HP) until it is too late. In otherwords, with Microsoft you just have to take it on faith that their experienced engineers have worked out the issues. With *nix, I find it easier to have faith in the cadres of hackers working on Linux and BSD (not that they are better, there are just more of them).

Re:Discount for OpenBSD?

[bruns]

And people wonder why they get hacked. If you think you are invincible, you are just asking for trouble :)

Re:This is just plain silly.

[hub]

I think your are missing the point.

First, I have seen this in real life, NT looks easy to administer. As a side effect the IT directory decide that anyone can administer it. Wrong. That was the case when I was working in some company as a UNIX and network admin. We did ourself an audit of the publicly accessible web servers and we found that most of them were just a huge security hole: no patch, nothing. When we reported this to the person in charge of the machine, the person didn't even know how to patch it, etc. Security holes ranged from traditionnal buffer overflow to Front Page extension and clueless passwords. That make NT a dangerous toy. Note that most of the fix required a complete reinstall of the system as well. By default, UNIX boxes are most of the time more secure, and since to set it up you meed to have some knowledge it is unlikely to find them administered by clueless users.

Second: security holes statistics shows that NT has more holes discovered. This is a fact. NT can be secured, but it require a lot of work and good skills. People that can do this are more hard to find and more expensive than a senior UNIX admin.

Wurzler does not want to punish people. He wants to optimize his business profits, and for this, like many insurance, raise price based on risks taken. Afterall, doesn't Microsoft do the same: maximizing profit ? Isn't this the American way of life ?

Re: no it doesn't

[Drestin]

NT != W2K != XP. You completely missed the party as well as CIS class. NT4 is what this article is talking about (I actually contacted this company a few months ago, I am in MI, and knew of this crap back then). If you are using W2K he does not charge the premium. You'll notice how that little fact was convienently left out. Don't believe me? Call them yourselves, they're on-line and in the yellow pages.

Besides, it's IIS that has the biggest problems with vulnerabilities, NOT NT or W2K themselves. Ever heard of someone cracking into a NT box from within the network? Me neither. It's always some malformed HTML request taking advantage of some cool MS only feature IIS brings to the game.

NT means NT4. W2K is a new animal.

Re: Because it's a non-story?

[Drestin]

A tiny 8 person company in MI decides to try to make more money off the FUD on NT (they didn't mention W2K, which they do NOT charge more for. I called, did you?) - that's hardly newsworthy except on /. where anything MS is not only fair game but headline making!

Re: so Linux 2.4=Linux 1.0=Unix?

[Drestin]

W2K might have been based on NT technology but is such a massive rewrite that it's unfair and inaccurate to consider it the same as the 5+ year old NT4.

Is it fair that anytime we talk about Linux 2.4 that we can chide it for any faults and ommisions present in Linux 1.0? or just any Unix you can name cause Linux is JUST another Unix ... right?

Re:This is just plain silly.

[Rares+Marian]

Since when is Windows a mainstream server OS for Websites?

Fair's fair!!

[pompomtom]

All insurance companies do that.....

Buckets,

pompomtom

It is a very real product

[BurritoWarrior]

As someone who has been through this, I assure you that major insurance companies do indeed offer this type of insurance. And as for simplifying the premium based on what OS you use, it goes much deeper than that. I spent two full days with the auditors going over everything from what OS we use to how many servers, what types of firewalls, where do we host, climate controls, how do we dispose of information (both paper and electronic), how much experience the staff has, etc., ad nauseum. The OS a company uses is just one TINY part of the overall pricing.

Misleading slashdot headline

[jacobcaz]

Comeon' they're not saying that WinNT isn't that much less secure or stable. READ PEOPLE:

• Wurzler found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software, where turnover can exceed 33 percent per year. That turnover contributes to another problem: System administrators are not implementing all the patches that have been issued for Windows NT, Wurzler said.

The biggest reason is that unix nuts tend to be better trained (well duh) and that staying on top of patches is critical.

I know I could probably find some of my WinNT and Win2000 boxes that need patches - how about the rest of you? I don't run any critical systems on my NT stuff, I only use it for applications where MS has the edge.

-----

Re:Misleading slashdot headline

[Philbert+Desenex]

they're not saying that WinNT isn't that much less secure or stable

Wurzler doesn't have to say that, everybody already knows it: WIN2K is even easier to deface than NT.

Re:Misleading slashdot headline

[Ayende+Rahien]

IIS, it's an Application, user mode application.
Hot fixes for it require reboot.

Discount for OpenBSD?

[cperciva]

So what's the discount for running OpenBSD?

Oh wait, I almost forgot: If you're running OpenBSD, you don't need cracker insurance.

Re:Discount for OpenBSD?

[autocracy]

Let me discound that real quick. For going down to the grocery store, you can know nothing about your car other than the gas, brake, and steering wheel (and a few other details). Not how they work, just when to press them.

Play around in NASCAR, though, and you need to know about every bit of the car, straight down to aerodynamics and what part of the track to be on during a turn. EVERY detail matters, and you want it done your way so it will work.

Windows : consumer car :: Linux : stock racing car

So you're a karma whore, eh? For the right price, I'll be a karma pimp...

Re:Discount for OpenBSD?

[uninet]

Obviously, you haven't tried the SuPERB Linux distro - SuSE Linux 7.1. Now that's a great distro - easy to use, fast, and loaded with every package you can imagine.
SuSE Linux is the ultimate *nix desktop out there.

-Tim
-------------

Re:Discount for OpenBSD?

[vexHEX]

what most people seem to forget is that not everybody is good with a computer. Some people just do not learn, or are not smart enough to get it, or just plain do not wish to spend the time. This in my knowledge, is most people. ( I have work at a used computer store for quite some time, and yes, i too did not believe at first that some people would use a CDrom drive as a cup holder, but they do, they do!!!!!) so, my point being, the world needs people to dig ditches, does not mean that these people need computers. ( no offence to ditch diggers, I would do that too if it payed more then I make. ) But my point i think is clear. Rome was not built with just so-crates, and other like minded people. maybe this is too Neitchze of me to say, but, if they can not learn, screw them, we make money, we live off their money that they pay us to fix their computers. can you complain. Yeah, it is a pain to hear the some bitch day in and day out, ( can you install the whole internet onto my computer for me? ) so let them use MS. keep the real OS for people are into it. - point finished, rambling from here. BSD and linux ( PS, me no like "the linux" ) should not be about making some people money off the distro. they should be about making good OS's. whether payment is made or not. if you want to make an OS that will make you money, then start from scratch, make a cheep and nasty one that will make you money. what is so hard about that. why try to convert an OS that works well, into the enviroment that leave some many thing up for ambiguity. ok, i have lost interest, whatever....

Re:Discount for OpenBSD?

[hyehye]

Pretty easy, if you ask me. 2k doesn't even offer optional components. Post-install config is a bit more complex, owing to lack of drivers and the fact that Windows actually cares what order you install them in... by the way, what exactly was your point?

Re:Discount for OpenBSD?

[hyehye]

Mechanics shouldn't be the only people to drive cars. Linux isn't more stable if they can't install it.

That's a great way to put it. This may seem a little off-topic, but bear with me here. You shouldn't have to know the very guts of a machine to use it - that defeats the purpose of the machine, who's purpose is to make your life easier and give you more free time. But, of course, you should have enough respect for the benefit it provides, to learn how to change your oil and tires. Likewise, Linux and BSD have their obvious redeeming qualities, but none of that matters if the user can't get the system setup properly to see the performance in the first place. The need for systems that provide intelligent install and config systems, without dumbing down the experience in a few important ways, is great - but once again, the user must take enough responsibility to understand a few basic things about the technology that so greatly enhances his life. That which improves one's life must ultimately be appreciated.

So what does all of this have to do with intrustion insurance and the lower opensource rates? Simple. The more complex a system is, the more prone to failure it becomes. Operating systems that try to do everything for the user will always fail - there are simply too many possibilities and branches it must be aware of in order to manage itself. We don't yet have AI, and static code is incapable of handling the infinite number of configurations and situations an operating system will encounter. With systems that bring you much closer to the metal, you tend to be dragged (or to run of your own volition) toward learning more about the system. This leads to greater competency - the insurance rates should be better. It would be the same if UPS's drivers had better training than FedEx's.

Moderators on crack

[cperciva]

I know it's a bit odd to complain about my own post being moderated up, but...

That post was NOT informative. Funny, maybe. Insightful or troll, possibly. But there is no way that post can reasonably be classified as informative.

Re:This is just plain silly.

[Karellen]

A comment I read a couple months back on /. said it really well. It's not that Windows servers are run by lazy/incompetent admins, it's that lazy/incompetent admins prefer to run Windows. They don't have to get much of a clue to be able to walk into a company, say 'yes, I can admin an NT box' and bluff it. Bluffing on almost anything other than NT is Just Not Possible for more than a week IMO. (You might get away for a week saying you're finding your way around, if you're lucky).

Re:This is just plain silly.

[baba]

Chill out man, you may hyperventilate.

Or are you just trying to be funny?

Re:This is just plain silly.

[baba]

Sure man, I'm fond of free speech too...

...and free beer, software, love, etc...

Re:Mmm.... Trollicious.

[baba]

Add my two gallons while you're at it.

For a while it seemed like sanity may win out by moderating the post down as troll/flamebait. But then things went back to just buisness as usual.

Re:This is just plain silly.

[baba]

The point is that Wurzler is essentially rewarding people for using an OS whose scioeconomic philosophy is decidedly un-American.

Oooh, it keeps getting better. Yeah, these Linux zealots are all just a bunch of commies. I see it clearly now.

Have you ever considered...

[The_Messenger]

Have you ever considered...

• ...that NT shops get charged more because it's obvious they have the money to spend?
• ...that Linux shops have low-turnover because GNU/Linux "admins" can't get jobs elsewhere?
• ...that your blatant and igornant anti-Microsoft bias only reinforces Slashdot's reputation as poo?

Well? Have you?

--

Re:Have you ever considered...

[The_Messenger]

Yes, I am aware of the irony that in my hurry to post, I misspelled "ignorant". And yes, I am aware of the irony that I am using the word "irony" incorrectly.

--

Re:This is just plain silly.

[Woko]

I've got the feeling that I've just been trolled, but....

Your trying to tie nationalist sentiment to commercial reality. Fine, there's been plenty of campaigns to 'Buy back America', but there are plenty of American companies being assessed. In the end one American company has assessed that another American company produces products that may be slighly riskier than using another American company's products or using a free alternative.

Microsoft isn't the only American company that deserves to be supported by some grassroots 'Buy back America' scheme. I'm sure there are plenty of other companies that produce less risky products that could be supported.

The veterans fought for all of America, not just Microsoft.

---

What about Unix, Mac, etc. systems?

[swordgeek]

This article mentions:

Windows NT/2000
"Open Source" operating systems

What about shops using Solaris (available, but not open), HP-UX, AIX, IRIX, SCO, MacOS (pre OS-X), OS/2, and so on? Are they charged the same as NT or as Open Source(tm)?

My suspicion is that whoever wrote this article has no idea what open source means, other than 'not Windows.' I could be wrong, but it certainly sounds that way.

Computer failure insurance

[Animats]

There is such a thing. There's a section of the insurance industry that insures against machinery breakdown. The classic company in the field is The Hartford Steam Boiler Inspection and Insurance Company, founded in 1866 and still active. They've gone beyond boilers, although about half their business is still steam-related. They do some computer-related insuring, although that business is in its infancy.

One big problem is that many companies hate the intrusiveness of a machinery breakdown insurer. Hartford Steam Boiler won't insure something until their inspectors have been all over it and everything they want fixed has been fixed. Companies with well-run plants get great rates from Hartford Steam Boiler. Others get turned down.

The computer industry has succeeded in pushing failure costs onto their customers, rather than having to insure them. But that may not last forever. It was like that for boilers once, too.

Does anybody else find this amusing?

[SuiteSisterMary]

A story about some company saying that Linux is more secure that NT right above a story about sourceforge.net being compromised.

Re:I wonder if NT's ease of use could be a culprit

[SuiteSisterMary]

Especially when you have to install each and every sp + hotfix (7 or 8 so far) in the proper order.

This is no longer true. Microsoft has released a convenient utility called 'qfchain,' I believe, which allows you to run all your QFEs, run the utility, then reboot once.

Nice M$ Quote

[ufotofu]

Nice article. I thought Microsoft's spokesperson made a nice rebuttal, too:

We provide unparalleled support in the area of security.

Re:NT is way more secure and stable

[eviljason]

I have looked through the supposedly "stable" Linux code base several times. I have found malloc() statements that do not check for NULL! This is not stable. It is a toy OS. A mere trinket for hobbyists to use.

memory leaks here we come!

Failing to check the value returned by malloc is a bad idea. A very common bit of bad judgement that always irritates me, but how on earth would it create a memory leak? In C - probably not, in C++ - more likely (if exceptions and the pre-standard style of new are mixed)

If you are going to troll here, (and who doesn't these days?) please try to give those reading at 0 and -1 something interesting to read.

--

Just NT/Linux?

[compupc1]

I know this has been touched on somewhat in other comments, but I'll go ahead and post anyway.

Really, people. I wouldn't consider this article to be very indicative of the true stability of various platforms. For instance, Windows NT 4 is a very old NOS. It was released sometime around 1996. And guess what? It sucks in many ways. But most anyone that has used Win2k (I.E. NT 5) in either a workstation or server environment will tell you that is much more stable and secure.

And what of other *nix and open source operating systems? In general, I consider the BSD distributions to be far more secure than you standard, out-of-the-box Linux distibution.

It would be very interesting to see a breakdown of major OS/NOS systems, with a "security level" rating. I wouldn't consider any study noteworthy that didn't include all of the following: Linux, WinNT, Win2k, BSD, OS X, consumer Windows (9x/Me/XP), and proboably Solaris. It is completely unfair to lump all *nix systems together and all Windows systems together.

Thoughts?

Re:Just NT/Linux?

[compupc1]

If you read the article, you would note that they are mainly talking about Win NT 4. That was my whole point.

Re:Just NT/Linux?

[compupc1]

Yes...I suppose I would agree that *nix administrators are in general more well trained than Windows administrators, so I can see your point.

Re:Just NT/Linux?

[fors]

If it is so secure how come it is leading in the race for defacements?

Re:Just NT/Linux?

[fors]

W2k has had more defacements as a percentage of installed base than any OS in history.

Didnt konw they offered insurance...

[Darth+Turbogeek]

Did not know insurance companies offered policies protecting against a hack attack.

Do they also offer insurance against a slashdotting?

Re:insurance will encourage *stronger* security

[sparkane]

At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies. Some of them will doubtless reason that simply because they have purchased this policy they have all the protection they need.

No - all of those policies will demand that the purchaser maintain stringent security. Note that the Wurzel is charging more because it is harder to maintain security when using NT; this itself directly indicates that lax security is not encouraged. If/when these policies become widespread, every time there is a break-in, the insurance provider will conduct a study to make sure that the providee measured up to the security standard outlined in the service contract. If they are found not to have been up to the standard, the provider won't cover the cost of the break-in. Any other policy and they'd soon find themselves bankrupt.

MOD THIS UP

[sparkane]

This is a VERY interesting point. Imagine, a war between the premier provider of business software in the world against another industry bad boy, the insurance companies. Now THAT would keep me on the edge of my seat. Of course the insurance companies would win, but it would still keep me on the edge of my seat.

Re:This is just plain silly.

[loraksus]

I was going to flame you, but I'm gonna try not sounding like a anti-ms zealot.

Windows advocates are willing to admit that Linux has gotten better over the years .. why aren't Linux advocates prepared to admit the same thing about Microsoft?

OK. MS's offerings in the past have been shit, 95 was full of holes , 98 crashed continously.
NT4 was not really a server OS. Novell and *nix took the market by storm - how many hospitals were running on a ms base? Exactly - all were on novell and *nix.

Now MS brings 2k in. Ok, it's cool - I'd like to not reboot 8 times when I'm installing the last 8 hotfixes after installing the os, then doing the same shit after installing sp1, but hey at least
Its a shitload more stable than 9x/me, more secure (though it would be nice to be able to enable ip filtering on a per adaptor basis... sigh.)

You said "over the years" - which is exactly my point. The industry isn't going to make an overnight switch to something that is new - and, more importantly, relativley untested.

Naah, thought again about it. You're a dumb fucking hick. The link that you developed between vetran's faces and MS is totally fucked. Gimme some of that shit that you were smoking so that my party next week will be a little more exciting.

Maybe you just watched Pearl Harbor or something, but watch that patriotic rant - especially if you go to any arab countries. Keep in mind that everybody outside your country hates you.

Yay! lets firebomb tokyo again - from the outside in, so we get all those people toasty warm - and set up concentration camps for asians! Or let loose dogs and firehoses on those who have a skin color that is not white.

Yeah - lets also celebrate the day after we nuked two cities full of civilians - we woulda taken kyoto out (1 mill people, the nuke would of have been much more effective there) but the weather sucked! Yay america! innocent slaughter of civilians!

/. is anti-ms because of fucking trolls like you. I have no fucking idea how you got enough karma to post at +2.

The slashdot 2 minute between postings limit:
Pissing off hyper caffeineated /.'ers since Spring 2001.

Re:I wonder if NT's ease of use could be a culprit

[loraksus]

I'm with you on the Reboot thing. It is friggin annoying. Especially when you have to install each and every sp + hotfix (7 or 8 so far) in the proper order. If you're running active directory, DC with exchange server it takes you at least 2 min to reboot and login, and then do that again 8x. Break out the anti-acids.

NT Security is quite powerful - especially the relatively unknown command line commands. Which the MCSE teaches you precisely NOTHING about. Regedit classes are really short too.

As for documentation - I beg to differ - wk advanced server comes with quite a bit of documentation on all its features - very, very helpful - I was shocked. It is helpful - but also covers the basics (paper club) But if you include the online documentation from the ms website, you have quite a deal of information.

Also - if you make the OS, you know exactly which hardware was used, which hardware has no issues (and get the ms driver dudes to write approved drivers), which probably explains why their webserver is up 24-7-365. I'm sure they have a pretty much unlimited budget for that too. Besides, they are using data center, and I've heard really, really awesome things about that.

The slashdot 2 minute between postings limit:
Pissing off hyper caffeineated /.'ers since Spring 2001.

Re:I wonder if NT's ease of use could be a culprit

[loraksus]

that's nice. Somehow missed that. Thanks

The slashdot 2 minute between postings limit:
Pissing off hyper caffeineated /.'ers since Spring 2001.

It makes sense

[Medgur]

If I replace the stereo system in my car with a more powerful, more expensive system, the insurance company will increase my bill. How is this any different?

Windows NT/2000 may not be more powerful, but it is more expensive, and as a result it's more expensive for the insurance company to replace than an Open Source operating system.

So, why would you expect your premiums not to go up based on the expense of your system? Remember, the insurance company must have a sound finance model, and not recognize the actual expense of an insured item just doesn't fit in with sound thinking.

-Medgur

BTW-Excellent troll, not only did you bring in the typical anti-slashdot propoganda, but you even managed to bring in the "American Way" and veterans, all while fooling the moderators.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Interesting Comparison

[Dan+Jagnow]

...information about tech turn-over in Windows vs. open source shops.

So you either work in an open source shop or a Windows shop, eh? I'll have to notify my employer. We're violating the rules.

oh the irony..

[MSisNOT4Sale]

and the story right below this one

Developers: SourceForge Server Compromised

new story subtitle:

[sulli]

from the shoulda-bought-that dept.

Re:This is just plain silly.

[nekid_singularity]

Whoa, wtf does military service have to do with computer security? Its absurd to think that a large insurance company with college-educated actuarys would do something like this lightly, considering how popular MS is. They honestly belive that Linux is less likley to be hacked, but this is mostly because of the differences in the people who manage the networks.

Did I just slip into a parallel universe ?

[Billly+Gates]

I never would of thought to see a comment like yours on slashdot with the phrase "Microsoft's latest server offerings are extremely secure, scalable, and reliable" and see it get a five??

I guess sanity does exist at slashdot.

Re:I wonder if NT's ease of use could be a culprit

[Billly+Gates]

I only ran a release candidate of W2k so I am pretty much still an NT4 person. Perhaps I will take a look after my employer upgrades. I am a unix operator now so I guess this no longer applies to me. :-)

I wonder if NT's ease of use could be a culprit

[Billly+Gates]

I am a mcse (ok, here comes the flames) because I use to have a job supporting NT users and servers. I also know some linux and freebsd.

The problem is I really don't know how to secure an NT server. My mcse classes taught me nothing, other then how to setup a domain controller. I was told that NT was enterpise ready right out of the box unlike unix so it was already secure. I knew this was total bs. The thing is that there are a million resouces out there on how to secure Unix/Linux and all the configuration settings are stored in text files where you can edit them manually, but in NT its hidden in the registry. How many here actually know what the majority of the registry settings actually do? I found 1 or 2 books dealing with NT security at Borders so the situation is getting better as people discover what some of the settings are.

It would be nice to have future mcse or corporate training courses to have security methods in the circulum. Or even discuss several registry settings so we know a little more on how to customize NT. I believe NT may be secure if its done right. I believe the only time Microsoft's website was ever down was due to a linux(not NT) bug in their outsourced DNS servers. Microsoft uses a seperate company which uses linux for their DNS. I don't buy the security through obscurity arguement. Microsoft loves hiding things to make their products look easier and markets them to the average joe consumer. This may be good for home users but not bussiness users.

I remember a Microsoft semeniar where Bill Gates talked about non techie users installing NT to get work done and how great WIndows is because you don't need an admin to setup a server??

Perhaps thats the problem.

I can imagine the paper clip from MS word poping up whenever someone uses regedit in the WindowsXP.NET.

Basically the summary of problems are, lack of documentation, qualified admins, and the reboot problem is why NT is having some problems. The stability arguement is not that important considering bussinesses are using switches and clustering to make NT work. Got to love those clueless CIO's and phb's who insist on using NT over Unix. Well, if they want to pay 3x fold for an NT solution over a unix one, I guess thats their problem. :-)

Re:I wonder if NT's ease of use could be a culprit

[mech9t8]

There are *loads* of documents on the Microsoft technet site... from checklists to technical articles to searchable lists of downloads...

http://www.microsoft.com/technet/security/defaul t. asp

Yes, the source isn't available for figuring out your own hacks, but there's a plethora of information for system admins...

In general, it's pretty simple to secure Win2K sites. There are two cardinal rules: 1. Turn off everything you don't need, and 2. keep the patches up to date.

Number 1 involves finding out everything that's running - check your Services listing in control panel and find out what everything does, and turn it off if you don't need it. Use Add/Remove Windows Components to remove things like DNS servers or RRAS if you aren't using them.

Number 2 involves subscribing to the Microsoft Security Bulletin Service (http://www.microsoft.com/technet/security/notify. asp) and keeping a directory full of all applicable security patches (ie. post-SP2 patches) so you can apply them to new machines as you get them... use the QPatch tool to avoid a million reboots. You can also use the Technet site or corporate.windowsupdate.microsoft.com to download the applicable patches if you're just starting out.

After you're settled with those to, you can then go in to tweaking Security settings on files and the registry.... there are guidelines for that in the Technet site. And then, finally, if you want, you can dig into the registry. But really, to have a secure site, for the most part you can just do everything with the GUI.
--
Convictions are more dangerous enemies of truth than lies.

Not idiotic

[mgkimsal2]

Somewhat a response to ergo98's 'Idiotic' post, but somewhat separate... :)

First off, I thought I read about similar action by a London-based insurance company a few months ago - darned if I can find the URL just now tho.

Nowhere did the article say 'NT=insecure, Linux=secure'. This insurance company is doing what all insurance companies do, which is analyze their claims data and make assumptions, inferences, and policy changes based on this data. Of course inhouse skill, training levels, etc. all play into how secure a box or network is. However, according to this insurance company, their numbers are bearing out that it's more expensive to insure companies using Windows NT. Windows may be merely a symptom of a company that is lax about security in general - hiring inexperienced people, cutting security budgets, etc. But they have enough data to make a correlation between NT and higher insurance costs. (more claims? higher $ claims?)

Auto companies insuring cars will rate a sports car as a higher risk, even though it shouldn't happen that way. It's COMPLETELY down to the driver - just because I drive a red convertible sports car doens't mean that I *ever* speed, but statistically people driving red sports cars have higher accident rates, so they charge higher premiums for that car, because it's an indicator of risk. (Not sure on the specifics - I seem to remember red sports cars being higher, but could never afford one anyway, so it's a moot point for me!)

Interestingly, I was doing some work with an auto insurance company a few years ago that was looking at using people's credit ratings as a premium indicator - apparently, a credit rating is as good, or sometimes better, indicator of an auto insurance policy risk. Dunno if it's being phased in anywhere around here (Michigan) but I seem to remember the initial interest was stemming from research in California.

Back to the point - it's not idiotic at all that an insurance company would use something like software choices to base premiums on. Those choices, statistically, will point to other info about the company that is relevant as well. There will always be exceptions to the rule, but statistically, these will prove out - if they don't, insurance companies won't adopt these. If the numbers work out, they'll move in this direction. It's simple numbers.

Re:This is just plain silly.

[VivianC]

Jon, As a person working in the insurance industry, I find this line very funny:

But what Wurzler is doing here is essentially punishing people (fining them, as it were) for making a responsible choice to use the products and services offered by one of America's most important flagship companies.

Now maybe the Open Source people will call you a Microsoft shill, but I would have to point out your ignorance of how the insurance industry works. Premiums are determined by risk factors. If you have more risk factors than someone else, you will be paying a higher premium. It is not a punishment or a fine.

Consider this, my little brother pays almost triple what I pay in a 6-month premium. We both drive cars from a flagship American company (Jeep). Is that fair? Should Congress investigate? Does it matter to you that he is single, twenty-one, male, lives in Chicago and has a DUI on his record and I'm married, thirty-two, male, live in the suburbs and have a clean driving record? It should. These are examples of risk factors. This is how the industry works.

Now, if studies have shown that Microsoft products are more open to attack than other systems for any reason, then that is considered a risk factor. If they (underwriters) find that Storm Linux is less secure than all the other distros (I'm not saying it is, just an example) then it would be logical to see Storm users paying more.

Spend a little time looking into how insurance premium rates are determined before screaming 'foul'.


Viv
-----------

Bulk insurance discount ?

[Rosco+P.+Coltrane]

What if I administer a network full of Windoze 95/98/whatever boxes without security upgrades or service packs of any kind, ... and the whole thing is firewalled by a Linux box, or a FreeBSD box ? do I get charged 15% more or not ?

If history repeats itself...

[raretek]

... a website defacement will one day "cost" 10 million dollars to the "victim" company. And, the insurance industry(disease?) will financially back draconian anti-hacking anti-personal rights laws, citing the latest website defacements "cost" as the need for such harsh measures, and after they've passed, they'll still up their rates. All the while, realizing huge profit increases every quarter, while publicly whining about any claims they do have to pay. Everyone will reason that they need insurance, and then you'll have this huge piece of garbage industry backing even more laws that walk all over our rights, when all anyone really had to do in the first place was stay on top of updates and exploits.

And in response to all this, what will our government do? Why, you fight beuracracy with more beauracracy, duh! We'll have the national hacker insurance oversight board, which will "fix" prices for companies, er, consumers, yeah, that's what they'll do, protect consumers, just like Californias benevolent insurance commision. Eventually, it will be mandatory to have such insurance to have a website for a as yet to be devised reason.

Poor predictable humanity, if you'd just look in the mirror occasionaly, you'd be able to realize why you're such easy pickings for the wolves.

Re:Perhaps they should base it on the admins

[MidnightLog]

In a way, they are basing it on the admin's. This quote sums it up well:

Wurzler found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software, where turnover can exceed 33 percent per year. That turnover contributes to another problem: System administrators are not implementing all the patches that have been issued for Windows NT, Wurzler said.

I know if I wasn't going to be around in a couple of months it would be very easy to "forget" to download and apply each patch as it comes out. Its much easier to just wait for the next service pack. Not that this is a good attitude to have.

Perhaps they should base it on the admins

[Valgar]

Personally,
I think they should base this on the relative skill of the admin securing the system. As it is, most NT sysadmins I know/work with are utterly lacking in their ability to keep up to date on security patches/fixes etc.
Then again, I guess their rating is correct, NT is at a higher premium because all those paper waving MCSE's tend to have less security experience overall
(Yah it sounds like flamebait, but this is from my own experience)

Re:Perhaps they should base it on the admins

[MaxQuordlepleen]

As it is, most NT sysadmins I know/work with are utterly lacking in their ability to keep up to date on security patches/fixes etc.

Yeah, It does sound like flamebait but it's sadly been true in my experience too. The recent exploit that hit my employer's servers is case in point - the IIS patches to prevent it were 7 months old and had not been applied. When the inevitable happened, the admins mumbled something about "waiting for the service pack", and proceeded to apply 11 previously-unapplied patches to IIS.

*shudder* It's very unnerving to have the databases I am responsible for on these swiss-cheese servers...

Re:Perhaps they should base it on the admins

[MaxQuordlepleen]

The funny thing is I don't think we work at the same shop, unless you are in Canada.

I guess MCSEs are the same everywhere...

Re:Perhaps they should base it on the admins

[mech9t8]

In my experience, lots of Windows Admins tend to be non-geeks that took a course because getting into computers is a good way to make money. Knowledgable Windows users tend to go into programming/consulting.

OTOH, almost everyone who uses/admins *nix (and especially Open Source) is a computer geek who really likes and is generally interested in computers. So the level of sophistication, on average, for Linux admins would definitely be higher.

In my mind, Windows is just a version or two away from being truly adminstrable by non-computer-geeks... they've got most of the usability down, they just need a few more setup wizards and (most important) security wizards and an MSCE will be able to run a secure shop. And then the people with the computer smarts can do more thought-provoking activities instead of setting up identical workstations, setting up accounts, and fixing printers...

Linux is much further away from being accessible to people that just want to do their job and go home without thinking about it too much. And the non-thinkers are quite a large portion of the workforce. ;)
--
Convictions are more dangerous enemies of truth than lies.

Re:This is just plain silly.

[Kierthos]

Your last name wouldn't be Katz, would it?

How the screaming Hell(tm) is Linux un-American? Because you can get free copies of it? By that logic, anything I get for free down at Wal-Mart makes Wal-Mart un-American. Oh wait, Linus Torvalds isn't an American... I see how this delusion goes... He _must_ be a commie, having grown up that much closer to the old USSR that good old Bill Gates... yeah right...

And just how can an OS have a socioeconomic philosophy? And when was the last time that an American serviceman gave his life for his OS?

Kierthos
(normally I don't respond to such crapola, but I have way too much karma lately...)

Re:Well it had better be a never heard of exploit

[Kierthos]

You do know how insurance works, right? Odds are, this is an "at-fault" type of insurance, which means that it is probably very carefully delineated what the insurance company will pay off for. If the "minimum security standards" are met, and they still get cracked, the insurance company will pay out an amount dependent on the damages done.

However, if it is the fault of the company that is paying for the insurance, then the insurance company doesn't have to pay.

To liken it to car insurance, you would get paid if you were in an accident that was not your fault (someone else hits you, mechanical defect in the car, whatever), but you wouldn't get paid if you deliberately smashed the car into a tree.

Regardless of any of this, the rates that the insurance company sets (even regardless of what OS you're using) are based on actuary tables governing the chances that a system will get cracked. Odds are that most systems will never get cracked to the extent that an insurance settlement is required. Just as, odds are, most people that have auto insurance will never be in an auto accident. But they still have the insurance in case they need it.

Kierthos

Simple Questions Agents Should Ask...

[LauraLolly]

1) How frequently do you have a paid security audit from an outside firm? 2) What sites do you check for security patches and notices for your operating system, database, server software, and management software? 3) What internal risk training does your firm undergo? How frequently do non-IT people have to be refreshed? Are there live exercises? What is awareness within and outside of IT of social engineering attacks? 4) Can you please name the last five major published attacks that targeted a similar OS to yours? What have you done to secure against those attacks? 5) What do you do to keep your IT people pleased to work for you? Who are the people who do your data backups? What background checks were done on these people? What are you doing to keep them happy in their jobs? 6) What is the physical security of your servers? What prevents any person, even "authorized" from walking off with the actual server machines? Any company that can answer these questions will be much better prepared, and deserves AAA* rates.

Re:This is just plain silly.

[theman2]

hm...
when I was about to get my drivers license, I was pissed. It turns out that 18 year-old girls pay half of what I had to. I was outraged. Then, I got my license and drove way too fast =p
anyways, I never had any accidents (but quite a few tickets). The worst driver I have ever known was female. She managed to do a u-turn coming out of her driveway, ran into a tree and did $5000 worth of damage.
what is the point of this? Insurance companies go by statistics. A larger percent of males or, in the case, windows nt computers are a larger risk than linux computers. Who knows; maybe it is a result of the operating system; maybe it is a result of the difficulty of configuring linux servers (filter out the complete morons).
anyways, they are just looking at statistics and charging based on those. Stop bitching.
-theman2

ps: I admit to using windows 2000. I keep trying to install linux on my laptop, but can never get around support for different features. One of these days, I will probably become some bonehead winnt admin =)

Will this ease peoples reluctance?

[aoeuid]

Will this simply encourage people to use inferior products, knowing that they will receive large insurance settlements if they indeed ever are cracked?

It's kind of like when you need a new car but can't afford one. You leave it parked unlocked with the keys in the ignition, and hope it doesn't get stolen.

New price list

[jsse]

Dear Customers,

In order to enhance our services and better serve you, we will adjust the insurance fee a little bit if your company is using the following:
1) Windows 2000/NT +5%
2) Windows 98/ME +10%
3) IIS +15%
4) Exchange +20%
5) Outlook +25%
6) MSN services +30%
7) .NET +40%
8) DNS server on Windows +60%
9) Continue the Windows subscriptions - you must be an idiot, but also our premium customer +100%
Best Rgds,

Your savior

P.S. all % accumulative, per license.

Re:New price list

[Ayende+Rahien]

You got it wrong.

2) Windows 9x +150%

NT means Windows NT/2k/XP.....

[NDPTAL85]

Its pretty much common knowledge that when companies refer to NT on a corporate scale they mean servers using the NT kernel, which refers to all WinNT OS's, Win2k and WinXP. Sorry if you are late to the party. :)

How 'bout a hacked linux box?

[zerofoo]

The problem isn't NT, and if it was, Linux wouldn't be the solution. The insurance surcharge should be for LAZY SYSADMINS with little or no security policies. -ted

It will stimulate the developers

[rydstedt]

It gives the ones making the safer OS a strong selling point, and that's what really matters in the long run.

This is just plain silly.

[Consultant+Jon]

It seems to me that Wurlzer has fallen victim to some of the FUD that has been spread by Linux advocates. Despite what these people say, most of the crap that they've been flinging around is just plain baseless. I'll be called a "Microsoft shill" or an "astroturfer", but truth is truth: Microsoft's latest server offerings are extremely secure, scalable, and reliable. It seems to me that a lot of these OSS advocates have this "Windows 3.1" mentality about Microsoft. Windows advocates are willing to admit that Linux has gotten better over the years .. why aren't Linux advocates prepared to admit the same thing about Microsoft?

Look, if you want to use Linux or *BSD or some other non-mainstream OS to host your Web site, then great. That's your choice. But what Wurzler is doing here is essentially punishing people (fining them, as it were) for making a responsible choice to use the products and services offered by one of America's most important flagship companies. The way that America works is that people get together and work hard to put out a product, and then they sell it to people. It is particularly sickening that this news is being reported on Memorial Day, the day that we are supposed to be remembering the sacrifices that our servicemen gave for our way of life. The Wurzler bozos might as well spit in the collective faces of all of our country's veterans of war.

Has anybody considered holding Congressional oversight meetings on these people? It's interesting how they are unwilling to increase premiums on Linux users to deal with security issues and source code forking and the other (very real) risks of using this OS. Instead, what they do is punish people for making the choice that has been proven time and time again to lower the total cost of ownership. Go ahead and flame me .. I'm just sick of the blatant anti-Microsoft bias that Slashdot displays time and time again.

Re:This is just plain silly.

[Consultant+Jon]

Or are you just trying to be funny?

No, I'm not trying to be funny. I'm just sick and tired of the liberal elite position of "bash the military" and "screw the veterans." I am proud to say that I answered my country's call in Operation Desert Storm, as did thousands of other brave Americans. I interpret Wurzler's inexcusable bias against Microsoft as a swipe at American values and at the things that this country stands for. I also have the right to free speech, as afforded me by the United States constitution. If you don't like it, tough titty (as the kitty is reputed to have said.)

Re:This is just plain silly.

[Consultant+Jon]

True, but that does not mean the people have to buy it.

I didn't say that they did. If there was another American company that offered similar software and services, people could buy that. That's not the point. The point is that Wurzler is essentially rewarding people for using an OS whose socioeconomic philosophy is decidedly un-American. On Memorial Day, I find it indefensible to be celebrating the basic ideas that hundreds of thousands of American servicemen have given their lives to defend the country against.

Re:This is just plain silly.

[alcmena]

But what Wurzler is doing here is essentially punishing people (fining them, as it were) for making a responsible choice to use the products and services offered by one of America's most important flagship companies.

No, what they are doing is changing their risk/reward assessment based on their research. Their research found that *nix was less prone to cracking, due to several listed factors. This is how insurance companies work. They figure out the chance of something bad happening and charge you accordingly.

The way that America works is that people get together and work hard to put out a product, and then they sell it to people.

True, but that does not mean the people have to buy it. The people can go buy a different product or no product at all. Same goes for the insurance companies. You can buy your insurance from Wurzler, you can buy it from someone else, or you can just shut the heck up and not buy it at all. That's how America works.

Re:This is just plain silly.

[alcmena]

The point is that Wurzler is essentially rewarding people for using an OS whose socioeconomic philosophy is decidedly un-American.

Funny thing that. I thought the American way was provide a better service for a better price and people will come. Where in there is the idea that it is un-American to charge more for servers Wurzler feels are at higher risk? Is it now un-American to try and protect your business by reducing risk? Maybe that explains the dot-com crash after all.

Odd though, I thought wrapping yourself in a flag and calling others commies went out of style years ago. I guess I was wrong.

Re:This is just plain silly.

[rseuhs]

Look, if you want to use Linux or *BSD or some other non-mainstream OS to host your Web site, then great.

Only 20% of Webservers are running Windows, the rest runs Unix with Linux being number one.

So if you run the number one OS you are running a non-mainstream OS?

Well, see subject.

Roland

Re:This is just plain silly.

[Asphixiat]

This aint America farm boy......this is the internet - we don't *want* to help America - know what else - there's more of us than you :)

Sleep tight :)

Asph

Re:This is just plain silly.

[m08593]

I'll be called a "Microsoft shill" or an "astroturfer", but truth is truth: Microsoft's latest server offerings are extremely secure, scalable, and reliable.

Windows 2000 finally delivers the kind of kernel that is necessary to build Internet services. But Microsoft still falls way short on many fronts:

• Windows 2000 is two years old, with lots of new APIs, administrative procedures, and protocols. Nobody has yet figured out all the security holes that that creates. It took people a few years to discover how poor VMS security was, even though initially VMS was touted as such a great system. In contrast, the Linux security and service model has two decades of practical experience behind it; people know how to make Linux systems secure.
• You cannot strip down a Windows 2000 system to its essentials like you can with Linux: a high performance Linux Internet server needs nothing more than the kernel, the server, and a few POSIX utilities.
• You cannot review the Windows 2000 system architecture or inspect its source code; how can you trust it? In particular given Microsoft's lousy track record?
• Microsoft markets Windows 2000 to novices, pretending that anybody can run a secure Internet server; they need to take the responsibility for their chosen target market. Linux is unapologetically unfriendly to novices when it comes to server installations.

With Windows 2000, Microsoft has finally addressed one necessary requirement for even playing in this market. But there are lots of other necessities where they still fall short. And as long as Microsoft has notions of world domination and one system fits all on their mind, I don't think they can succeed. In fact, even if Microsoft were to focus, I don't think it makes much sense for the industry to commit to their system: why pay a lot of money for Microsoft's proprietary system if you can get something cheaper and vendor neutral for less already?

Cracker insurance?

[thejake316]

As a white male, I'm not sure what they're trying to accomplish with their hate-mongering disguised as insurance, but I am sure that I'm offended. I'm guessing that Linux rates cheaper for so-called 'cracker insurance' because while setting a Confederate flag as desktop wallpaper or playing a Lynyrd Skynyrd mp3 are trivial tasks with a properly configured recent version of Windows, Linux's lack of an integrated GUI makes these activities somewhat more difficult for the average 'cracker.'

And when you call them fo get the money...

[Ayende+Rahien]

You get this reply:

Sorry, we won't pay.
There is a fix for the problem for which you've been hacked, and it was published before you were hacked, therefor, you've been hacked for your incompotence.
Keep on paying the insurance, though, you never know when you might need it.

Your truly,
Dogbert.

Re:Idiotic? Nope.

[Balinares]

What a ridiculous concept. The security of an infrastructure is far more the people and dedication to keeping on top of issues more than it's the operating system.

Yep. Precisely. Go read the article, and you'll see, right in the middle, a comment about open source systems admins being in average more experienced in their craft. As is very logical, since they often do it as a hobby to start with -- while I've never heard of Windows administration performed as a hobby.

Even if you leave aside the question of whether the Windows OS is as inherently secure as certain free alternatives, as long as it will be 'so user-friendly even a fool could use it', it will statistically be more likely to get compromised.

I find it amusing that Windows' main pro becomes a serious con in that light.

-- B.

I don't completely agree.

[catpyss]

I can definitely see the argument that Linux is as hard as Windows to install correctly. I agree if and only if you are coming from one perspective, and not the other. I am a UNIX sysadmin and have much more difficulty in Win32 environments.

Comparing Windows to Linux is misleading. The general OS of Microsoft to comare to Linux is Windows 2000, while "Linux" can mean any distro. The distros I use most are Red Hat and Debian. I can admit that applying an all-encompasing 'Service Pack' can be easier to some, however I find it offers the admin much less control and has a seemingly higher application break risk.

The Slashdot crew seems to really like apt-get as a update mechanism and I have to agree. It is Debian policy to repair and disclose all vulnerabilities and it has been my experience that they are wonderful at doing so. 'apt-get update ; apt-get upgrade' is extremely easy. Redhat's 'rpm -Fvh *rpm' can be less intuitive than an installer but again, it depends what you are used to and I have found it to be effective and have yet to be craked. (Knock on wood)

It may be true that good Linux admins are in short supply, but many efforts are underway to make it easier. Still, I would rather it be somewhat difficult and _correct_ than easier and less controlled.

Premiums are based on loss experience, not hype...

[InsMonkey]

Insurance companies have to file their rates with each states' department of insurance. They have to be able to justify from loss experience why they charge more for certain risk characteristics than for others. Unfortunately, they can't just charge more because MicroSoft is of the devil. What is interesting about this is that MS will definitely respond if they feel they are losing marketshare because of this. They will pressure the states AND the insurance companies to rethink this "discrimination". I would hazard to guess that ALL of the major insurance companies run MS exclusively (the one I work for does).

Re:Why isn't MS-NBC reporting this?

[azrix]

And don't forget, either, what "MSNBC" stands for:

The Microsoft National Broadcasting Comapny

If that doesn't put the fear of God in you, or at least bring loud cries of "Big Brother", I don't know what will.

Re:Why isn't MS-NBC reporting this?

[azrix]

Well, in a totalatarian system, the government is business. So, in a sense, Big Brother was also business.

Anyway, I have some major issues with 1984 and I could go off on a political rant, but I won't. But, right now I'm in the middle of reading Snowcrash and I am coming to the opinion that the biggest threat to personal freedom is not the government, but big business. Business that seems to be above the law. Or just find ways to simply bypass the law with technological means. Which kind of explains it.

But that's beside the point. I was trying to make a joke. Guess it didn't work. ;-)

Any company that can answer these questions:

[Flying+Headless+Goku]

1) has no need for insurance
2) has no money left for insurance
3) has no interest in compensation if their systems go down, because they were already completely "secured" from any use
4) has nothing on their systems worth cracking them for (see 3)
5) has been taken over by their security people, as is the fate of anyone who relies on mercenaries ("money is not the sinews of war")
--

OT: Fish Heads

[jonathanjo]

Dr. Demento: "I took a fish head out to see a movie, I didn't have to pay to bring it in."

Mr. Gates, forgive me for the off-topic rant on your sig, but I'm sick and tired of people misattributing this masterpiece. The song "Fish Heads" was written and recorded by Barnes & Barnes, and was credited as such on MTV (back when they had interesting content). Dr. Demento merely popularized the song by putting it on his compilation albums, just as he did with Weird Al's early works.

Back to your regularly scheduled discussion. ;{)>

Why isn't MS-NBC reporting this?

[6EQUJ5]

Huh. Maybe I'm forgeting what MS stands for in "MSNBC".

the servers, not the clients

[maxpublic]

From how I read the article the company is basing it's insurance rates on the OS running on the *servers*, not the *clients*. The clients could be running anything - even Windows - so long as the servers are running Linux. Given that, any whiner arguing that this 'forces' companies to teach their employees the oh-so-complicated Linux is a blooming idiot. It only does so for the sysadmins, who should be competent enough to master Linux-as-a-server with relatively little pain. If they aren't that competent then they need to be fired. But oh, perhaps that's part of the reason why NT is so easily compromised? It invites the hiring of morons? Any which way you cut it, the insurance company covers both possibilities - bad software *and* incompetent system administrators, all in one fell swoop. Rather canny, actually. Max

Well it had better be a never heard of exploit

[s4ltyd0g]

What self respecting insurance company would pay out if they could prove that the reason for the crack was due to shoddy security.

it's everybody's problem

[m08593]

Got to love those clueless CIO's and phb's who insist on using NT over Unix. Well, if they want to pay 3x fold for an NT solution over a unix one, I guess thats their problem. :-)

Unfortunately, it's everybody's problem. The money attracts more marketing and more product development. NT's problems get fixed by even higher-priced add-ons and alternatives disappear. The market is supposed to punish stupid companies like that, but if everybody's doing it, that doesn't help.

Linux and BSD are somewhat less susceptible to this because Microsoft can't just displace them: they get developed whether or not the developers make money with it. Consulting services for them, on the other hand, make money just like for NT.