Worms Jack Up the Total Cost of Windows
rbrandis writes "Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday. "This is part of the carrying cost of using Windows," said Mark Nicolett, research director at Gartner. "The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology." "The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely," said Nicolett and his Gartner colleague, John Pescatore, in an alert posted on the Gartner site."
And when Linux gets exploited, the people fix it for free and very quickly. Then the next person to download this FREE system is a-ok.
That's just plain sexy.
-- The box said Windows 2000 or better... so I installed Linux
then the macs would be on many more corporate desktops. they are far easier to maintain and admin. but, businesses are pennywise and pound foolish. admin costs are not necessarily up front costs. so, bottom line bean counters can justify purchase from vendor A because of lower initial cost. also, don't count out the paper mill MCSE's that influence purchasing decisions.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
So can I:
Our lab is in a sad state because of our Windows server and its security patches: Patch the server, Oracle breaks / don't patch the server, someone hacks it... so now while we scramble to find an alternative DB engine we have to apply/un-apply this patch whenever we want to do any work. Thanks M$ for wasting our time.
the end
These are some of the large-scale operations that were affected by the worm, some of the frantic preparing for the worm strike. I have never, ever believed for a second that the TCO for Windows is lower than e.g. Linux or BSD, past the first month of switching. Even with higher sysadmin costs, the overall increase in productivity equals this and then some. Christ, potentially sick people had to reschedule their CAT / MR exams because of a fucking Microsoft Worm (TM)?
How much more are we willing to put up with? I made two switches, first from Windows to Linux and then from Linux to Mac. The only thing I regret is not switching earlier.
Today, my employer lost 25 USD, since an article I wrote disappeared when Word crashed and I had to re-write it for one half hour. It seems the default Word behaviour in custom OEM installs that our IS get is to NOT autosave for recovery due to "performance issues".
Lower TCO my ass.
I wonder if Gartner or anyone else does any serious quantitative study of the true "value" of having a new distro via the net.
If I go to download Fedora or Debian via ISO images, and burn them, I often have a maintained distribution that is very young. Less than a month old.
If I go and buy Windows XP via Amazon and have it delivered next day, I still have an OS image which is over a year old, even the new one that rolls up SP1.
I don't have to make a CD up with 30+ patches on it, before it is safe to plug my machine on a network.
If I worked at Redmond, and was thinking about this problem, I think what I may do is work an installation script that combines with the firewall - and keeps all inbound connections out until a "tunnel" is established to Windowsupdate, and all patches are applied before "releasing" the IP stack.
Many of these systematic advantages come from the fact that Linux doesn't need a license key to install the OS. If Microsoft gave Windows away, there would be 0-day distros on their website as well.
I'm about to install SQL 2000 Server on a Windows Server 2003 machine. There is a vulnerability in SQL 2000 Server that allows the machine to be infected with the Slammer worm. Unfortunately I must install SQL and then each of the 3 service packs individually. I'm not safe from the worm until I get to the 3rd SP. My boss suggested that I simply disconnect the WAN connection but that's really not going to help me much when I'm trying to do this over the internet via Terminal Services (It's at a well known colo site). I wish there were a way to slipstream the service packs into the install like you can with XP. Does anyone have suggestions besides use MySQL?
I'm dreaming of a big bndwdth, That can resist the
Differing discussions on if patches really do break Windows.
In my case, working with 10,000+/- clients, I have seen this on repeated occasions.
Various MS patches would break the following:
Novell client on 2k/XP (but not 98/95)
Some third party business-specific applications (stat software, database, etc.)
Video drivers (easily fixed, but still)
In one case, recently, it BSOD'd several NT boxes (the IE 6 security rollups)
Irritating to be sure, so on one hand, you need to patch immediately (or risk the wrath of a new worm/virus)
On the other hand, patching immediately can lead to loss of productivity
On the third hand (you do have three hands don't you?) you can't wait for an AV package to have the proper updates, as (to my viewpoint anyway) AV products should be the last line of defense, not the 1st.
On the fourth hand, training is key to clients, but as the saying goes, you can lead a luser to enlightenment, but you can't make them think.
I keep waiting for *seriously* damaging viruses to show up in the wake of the leaked (partial) source code to Windows 2000. That may be the last straw to many a business.
So rise up, all ye lost ones, as one, we'll claw the clouds.
The reason so many viruses exist for XP deals more with the fact that XP still uses code that was vulnerable in 98 in some spots and that it's just too damn easy to exploit. Make something hard and only diehard skriptkiddies will take the time to hack it, right now any jack or jane punk 11 year old can pretend to be a "hacker" and send out a virus, usually variants of the same virus.
But truth be told I quite enjoy your idea of a more mixed OS base. The problem is programmers HATE it which is why you have more code written for Microsoft and less for Linux or OS X.
"Slashdot, where telling the truth is overrated but lying is insightful."
Microsoft has priced themselves out of the market.
And it isn't the initial purchase cost. They could give away Windows and it would still be too expensive. Dealing with the virus du jour and the patch du jour is just too much anymore. Add to this (from recent Slashdot stories) large companies' estimates that half of all their Internet traffic was to/from Windows Update and the cost of maintaining Windows goes even higher.
Well, I quit. I am just done with patching Windows. All Windows machines are hidden behind a firewall (Linux based and I do patch it religiously; gee, there's been one critical patch in 1 1/2 years!), we don't use IE or Outlook and I only patch Windows when there are functionality problems.
Now, I know I'm gonna get a lot of flack from everyone here about "firewalls not being the final solution", "you gotta patch every day" yada, yada, yada. But the combination of a firewall, not using IE or Outlook and scanning ANY computer from outside before it is allowed on our LAN works for us. We weathered SQL Slammer, Blaster, Netsky, Bagel, Sasser, etc, etc with not one hiccup in our daily operation.
The key here is not to trust Windows on the Internet. No, one step further: don't trust any Microsoft software on the Internet! Don't use it for e-mail, don't use it to browse the Web and never, ever hook up a Windows machine unprotected to the 'net!
Virus authors have nothing to worry about from this security group.
Some excerpts:
While strong out-of-the-box security configurations are preferred, it is recognized that updating existing products to comply with this requirement can be costly, time-consuming and can result in various incompatibilities with current and supported versions of the product. As a result, it may not be possible for a vendor to transition a product to a more secure out-of-the-box state for several years, depending on product release cycles.
...
Whose side are these guys on?
In conjunction with the above recommendations, the requirement for medium or higher assurance evaluations (Evaluation Assurance Level 4+ [EAL4+]) for commercial products should be dropped, since the stated reason for higher assurance evaluations by the proponents is the ability to do vulnerability analysis. Higher assurance evaluations for commercial software impose a cost burden that even the largest IT vendors cannot bear or should not bear; they do not substantially improve product security, but may result in vendors paying multiple times for the same evaluation in different markets. Furthermore, finding faults in software that has already shipped is far more expensive and less effective than giving vendors the tools to be used during the development process. ...
In order to promote the evaluation of more products, the U.S. Government should help offset the expenses of CC evaluation through research and development tax credits or paying part of the evaluation costs.
Why don't we all migrate over to the Mac OS-X and OpenBSD? Linux as well. (Oh - I forgot - Lawyers at SCO may be knocking at your door). Sure, people are clueless on how to best make use of some systems, but that's OK, there are plenty of /. ers who can probably use a little contracting work (if there are any jobs left after they all went to India). It would help the job situation, although it would be painful at first for the person doing the "migration", it would be better all around.
I'm dealing with fed up customers all the time, getting frustrated by having to patch so often, but they ARE wising up and starting to take the plunge.
To make it less painful, I find it much easier to set up a parallel system, keeping the older WinBlows systems operational, while slowly putting together their servers and work stations under either Linux or Macs, and using OpenBSD for all the server related work.
It means MORE JOBS here, especially for us Open Source aficionados.
We've completed a few such "Migrations", and our clients are happy campers now. Of course we still find a need to deploy security patches, but they are much less often, and now becoming a lot more painless.
Hey man - don't shoot the messenger - it's just an idea, and we only have to convince the corporate Phat cats that perhaps M$ may NOT be the solution to all the world's problems.
But the newer or newest distributions generally have most things turned off by default now. And if you want to turn these services on, you are warned by the install program. It's a misconception that default installs are insecure now.
You do realize that you don't need to stay logged in as root, right? The "su" or "sudo" commands, similar to MS Win32's "runas" command, are available to users (unless you apply additional security by limiting access via access and ownership permissions) so that they do not run as root. Unlike MS Win32 though, just about any process (actually can't think of any that wouldn't) can be run using "su" or "sudo" while logged in with your regular user account. If you need to display a GUI, simply add the "xhost +" (or a more limited argument to the "xhost" command) and you're set.
The concept of running as a privileged account by default seems to be based on MS Win32 practices. Users didn't want to put up with logout as user, log in as administrator, install/config, log out as administrator, log in as user. For UNIX, that isn't necessary. I do think though that users converting from MS Win32 will likely continue that bad habit, but it's not a fault of the OS, just years of a limited OS.
Counterexample: MacOS X
Normal users aren't admins, but can have sudo access. When some installation requires elevated privileges, the user is presented with a dialog box for typing their password. It's considerably more convenient than having to log in as root, but doesn't let malicious code run at an elevated privilege level without the user knowing it.
"Users didn't want to put up with logout as user, log in as administrator, install/config, log out as administrator, log in as user. For UNIX, that isn't necessary."
It's not necessary with Windows either. The "run as" command has no problems running installers or other graphical applications.
Heck, I've installed service packs fine using "run as".
Not to mention the fact that you can set Windows Installer to automatically request administrator privileges.
Why is this any different from Linux?
When I was young and foolish, I bought MS Frontpage. I also have two computers running Windows XP (thinking of switching one to Mandrake, if I can manage it). Microsoft has refused to let me reinstall both Frontpage and their OS because they said I "reinstalled it too many times already."
I bought and paid for the crappy program, and now I can't even install it on my computer?
I'd like to see a few more lemon laws on software if they want to start treating IP as real property.
Heck, I'd like to see imported IP properly subject to tariffs as well, thanks. I mean, if it is actually property and all...
You can't have it both ways.
___
It's the end of my comment as I know it and I feel fine.