Slashdot Mirror


Worms Jack Up the Total Cost of Windows

rbrandis writes "Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday. "This is part of the carrying cost of using Windows," said Mark Nicolett, research director at Gartner. "The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology." "The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely," said Nicolett and his Gartner colleague, John Pescatore, in an alert posted on the Gartner site."

25 of 658 comments

  1. I'll save money by Anonymous Coward · · Score: 5, Funny

    I'm switching back to the Commodore 64.

  2. I can relate by Yi+Ding · · Score: 5, Informative

    I work at a computer science department, and I'm currently compiling a CD of patches that people have to install before they get on the internet. Right now, the number of patches is nearing 30.

    1. Re:I can relate by Yi+Ding · · Score: 5, Informative

      Yeah, you can also order all patches from M$ themselves.. I forget the link but you can order all patches on CD for free.. I had it come to me but the courier never left it at my house, and wanted me to come pick it up..

      Yep, I ordered that as soon as it came out, and it finally came, but since the CD was made in February, it doesn't have any of the patches that just came out in April (i.e. the one that patches against the Sasser worm), so it's back to making CDs by hand.

  3. Wow. by Anonymous Coward · · Score: 5, Insightful
    So insightful. Wow. Viruses raise TCO!!! What a revelation!!

    Ahem. This is -1, Redundant. No shit viruses/worms raise TCO. This is the case for ANY operating system, not just Windows. Of course, the homogeneous nature of Windows makes it a lot easier for worms to affect machines in a wide range. But we'd still need to take precautions with any system in use.

    1. Re:Wow. by Ytsejam-03 · · Score: 5, Insightful

      Of course this isn't news to the /. crowd. What is news is that this information is coming from a Gartner researcher, which means that some of the pointy-haired management types out there might actually pay attention to it.

  4. You've got to be kidding me by Gr8Apes · · Score: 5, Insightful

    This is news? This wasn't included in TCO estimates before? (Actually, that would be news, but not the kind I'd want blasted out to the world about me!). Seriously, how can "common maintenance" NOT be included in a TCO estimate? Isn't that the major ongoing part of TCO? Geez....

    --
    The cesspool just got a check and balance.
    1. Re:You've got to be kidding me by OwlWhacker · · Score: 5, Insightful

      To run Windows, you don't need a tech savvy administrator

      Darn right!

      and he will be much, much cheaper.

      Cheaper to hire, but he'll more than likely cost the company a packet in the long run, like so many Windows administrators that neglected to apply (let alone test) the latest Windows patches. When the network is down, a non-savvy administrator would more than likely have considerably more trouble getting it up again.

      Downtime costs money, but so many people don't seem interested in changing their ways to save it. One has to wonder if TCO is anything worth bothering about anyway, especially with the laid-back approach many companies take to securing their systems.

      An administrator like this will more than likely help your company remain vulnerable to all of the latest worms and virii, and probably has the server(s) running at a minimal rate of efficiency, not to mention that in a state of crisis such an administrator would probably have to call somebody out to help them (which again costs money).

      Of course those who actually believed that are now paying the price.

      And are apparently 'happy' to continue on their reckless paths.

      Shocking behavior.

  5. If I were a business owner... by lpangelrob2 · · Score: 5, Insightful
    So here's what I'm thinking...

    At some point somebody (Windows apologist or not) is going to point to Longhorn as the solution to security problems. Is there hard data on whether or not worms have been increasing or decreasing (in frequency and effects) the past couple of years?

    We know what problems they've caused and how the media's gone nuts over each virus, making things seem bigger and bigger. But some old viruses were much nastier, and I sure don't hear about those types of infections anymore.

  6. Patching by filtur · · Score: 5, Insightful

    Most people rarely patch their computers until something happens. (Me being one of them) It's something that people really need to be aware of. Prevention is the key.

  7. Autopatcher by kajoob · · Score: 5, Informative

    Actually, Just install the latest service pack and then install Autopatcher. It has all the updates, hotfixes, and some cool extras all rolled into one scripted install so you can just start the install and walk away. I've used it and I can say that it makes life a million times easier.

    There are versions for 9x all the way up to XP. You could fit everything onto one cd, and if you wanted you could even script that install. Thanks Autopatcher guys!

    --
    Quidquid latine dictum sit, altum viditur
  8. Re:Server-based patching by therblig · · Score: 5, Informative
    You can realize half that dream with Microsoft Software Update Services. We've been running it for nearly a year, and it keeps every Windows machine on our network patched. All I do is approve patches, and they are automatically pushed out to every computer on the network. TCO for 130 users was a little over $500 for another copy of Windows 2000 Server, plus a day for setup, plus about ten minutes a month checking and approving patches.

    I know it isn't perfect, and I shouldn't even have to pay for a server to keep our MS stuff up-to-date, but it has saved us tons of time and hasn't given us any problems yet. Maybe we are an exception.

    --

    I struggled for days and days and all I got was this lousy sig.

  9. You'd have to be really stupid... by nordicfrost · · Score: 5, Interesting
    ...to not realize this. Look at the casualties:
    • #3 Finn bank Sämpo
    • German Post
    • The british coastguard
    • Korean postal
    • The CAT / MR scanners at a Danish hospital


    These are some of the large-scale operations that were affected by the worm, some of the frantic preparing for the worm strike. I have never, ever believed for a second that the TCO for Windows is lower than e.g. Linux or BSD, past the first month of switching. Even with higher sysadmin costs, the overall increase in productivity equals this and then some. Christ, potentially sick people had to reschedule their CAT / MR exams because of a fucking Microsoft Worm (TM)?

    How much more are we willing to put up with? I made two switches, first from Windows to Linux and then from Linux to Mac. The only thing I regret is not switching earlier.

    Today, my employer lost 25 USD, since an article I wrote disappeared when Word crashed and I had to re-write it for one half hour. It seems the default Word behaviour in custom OEM installs that our IS get is to NOT autosave for recovery due to "performance issues".

    Lower TCO my ass.
  10. This is why I love Gartner by lorcha · · Score: 5, Insightful

    First they say you shouldn't use Linux. Now, they don't want us using Windows 'cuz of worms. Tell me, gartner, what should I do? Oh, that's right, you don't ever do anything. You just make stupid recommendations.

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
  11. The online distro model by GPLDAN · · Score: 5, Interesting

    I wonder if Gartner or anyone else does any serious quantitative study of the true "value" of having a new distro via the net.

    If I go to download Fedora or Debian via ISO images, and burn them, I often have a maintained distribution that is very young. Less than a month old.

    If I go and buy Windows XP via Amazon and have it delivered next day, I still have an OS image which is over a year old, even the new one that rolls up SP1.

    I don't have to make a CD up with 30+ patches on it, before it is safe to plug my machine on a network.

    If I worked at Redmond, and was thinking about this problem, I think what I may do is work an installation script that combines with the firewall - and keeps all inbound connections out until a "tunnel" is established to Windowsupdate, and all patches are applied before "releasing" the IP stack.

    Many of these systematic advantages come from the fact that Linux doesn't need a license key to install the OS. If Microsoft gave Windows away, there would be 0-day distros on their website as well.

  12. I have seen by IWantMoreSpamPlease · · Score: 5, Interesting

    Differing discussions on if patches really do break Windows.

    In my case, working with 10,000+/- clients, I have seen this on repeated occasions.

    Various MS patches would break the following:

    Novell client on 2k/XP (but not 98/95)
    Some third party business-specific applications (stat software, database, etc.)
    Video drivers (easily fixed, but still)
    In one case, recently, it BSOD'd several NT boxes (the IE 6 security rollups)

    Irritating to be sure, so on one hand, you need to patch immediately (or risk the wrath of a new worm/virus)

    On the other hand, patching immediately can lead to loss of productivity

    On the third hand (you do have three hands don't you?) you can't wait for an AV package to have the proper updates, as (to my viewpoint anyway) AV products should be the last line of defense, not the 1st.

    On the fourth hand, training is key to clients, but as the saying goes, you can lead a luser to enlightenment, but you can't make them think.

    I keep waiting for *seriously* damaging viruses to show up in the wake of the leaked (partial) source code to Windows 2000. That may be the last straw to many a business.

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
  13. TCO? Don't they mean TCL? by gosand · · Score: 5, Insightful

    Doesn't the O in TCO stand for Ownership? What exactly do you own with Microsoft products? Aren't you really just Licensing them?

    --

    My beliefs do not require that you agree with them.

  14. I'll say it again by Anonymous Coward · · Score: 5, Interesting

    Microsoft has priced themselves out of the market.

    And it isn't the initial purchase cost. They could give away Windows and it would still be too expensive. Dealing with the virus du jour and the patch du jour is just too much anymore. Add to this (from recent Slashdot stories) large companies' estimates that half of all their Internet traffic was to/from Windows Update and the cost of maintaining Windows goes even higher.

    Well, I quit. I am just done with patching Windows. All Windows machines are hidden behind a firewall (Linux based and I do patch it religiously; gee, there's been one critical patch in 1 1/2 years!), we don't use IE or Outlook and I only patch Windows when there are functionality problems.

    Now, I know I'm gonna get a lot of flak from everyone here about "firewalls not being the final solution", "you gotta patch every day" yada, yada, yada. But the combination of a firewall, not using IE or Outlook and scanning ANY computer from outside before it is allowed on our LAN works for us. We weathered SQL Slammer, Blaster, Netsky, Bagel, Sasser, etc, etc with not one hiccup in our daily operation.

    The key here is not to trust Windows on the Internet. No, one step further: don't trust any Microsoft software on the Internet! Don't use it for e-mail, don't use it to browse the Web and never, ever hook up a Windows machine unprotected to the 'net!
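    The "scan ANY computer from outside before it is allowed on our LAN" rule in the comment above, and GPLDAN's suggestion further up of keeping a freshly installed host off the network until its patches are applied, both reduce to one decision: compare what the host actually has installed against a required baseline and refuse admission while anything is missing. The script below is an added example and not code from this thread or from any of the posters. It assumes the host's inventory is the CSV output of `wmic qfe get HotFixID,InstalledOn /format:csv` (leading blank line, then a `Node,HotFixID,InstalledOn` header), that the site's baseline is the two April 2004 hotfixes named in the code (KB835732 is the MS04-011 LSASS fix that Sasser exploits; KB828741 is the MS04-012 RPC/DCOM update), and the three sample inventories are constructed, not captured from real machines.

```python
"""Pre-admission hotfix check for a Windows host.

Added example (not from the Slashdot thread). Input is assumed to be the CSV
output of:  wmic qfe get HotFixID,InstalledOn /format:csv
"""
import csv
import io
import re

# Baseline the host must carry before it is let onto the LAN.  Both are
# real April 2004 hotfix numbers; the set itself is an assumed site policy.
REQUIRED_HOTFIXES = {
    "KB835732",  # MS04-011, LSASS fix exploited by Sasser
    "KB828741",  # MS04-012, RPC/DCOM cumulative update
}

# Windows XP/2003 report hotfixes as KBnnnnnn; Windows 2000/NT report the
# same fixes as Qnnnnnn.  Anything else (e.g. "File 1" entries) is ignored.
_HOTFIX_RE = re.compile(r"^(?:KB|Q)(\d+)$", re.IGNORECASE)


def normalize_hotfix_id(raw):
    """Return 'KB<number>' for a KB/Q style id, or None if it is not one."""
    m = _HOTFIX_RE.match(raw.strip())
    return "KB" + m.group(1) if m else None


def parse_qfe_csv(text):
    """Parse wmic /format:csv output into the set of installed hotfix ids."""
    # wmic prints a leading blank line and CRLF line endings; drop blanks so
    # DictReader sees the header first.
    lines = [ln for ln in text.splitlines() if ln.strip()]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    installed = set()
    for row in reader:
        hid = normalize_hotfix_id(row.get("HotFixID") or "")
        if hid:
            installed.add(hid)
    return installed


def missing_hotfixes(installed, required=REQUIRED_HOTFIXES):
    """Sorted list of required hotfixes the host does not have."""
    return sorted(required - installed)


def admission_decision(qfe_text, required=REQUIRED_HOTFIXES):
    """('admit', []) if the baseline is met, else ('quarantine', missing)."""
    missing = missing_hotfixes(parse_qfe_csv(qfe_text), required)
    return ("quarantine", missing) if missing else ("admit", [])


# Constructed sample inventories (not real machines).
SAMPLE_PATCHED = "\r\n".join([
    "",
    "Node,HotFixID,InstalledOn",
    "WS-017,KB828741,4/14/2004",
    "WS-017,KB835732,4/21/2004",
    "",
])
SAMPLE_UNPATCHED = "\r\n".join([
    "",
    "Node,HotFixID,InstalledOn",
    "WS-042,KB828741,4/14/2004",
    "WS-042,File 1,",
    "",
])
SAMPLE_WIN2000 = "\r\n".join([
    "",
    "Node,HotFixID,InstalledOn",
    "SRV-03,Q828741,4/15/2004",
    "SRV-03,Q835732,4/22/2004",
    "",
])

if __name__ == "__main__":
    for name, sample in (("WS-017", SAMPLE_PATCHED),
                         ("WS-042", SAMPLE_UNPATCHED),
                         ("SRV-03", SAMPLE_WIN2000)):
        verdict, missing = admission_decision(sample)
        print(f"{name}: {verdict} {missing}")
```

The enforcement step (the deny-all firewall state or the "tunnel to Windows Update" the other comment describes) is deliberately outside the script: it returns the verdict and the list of missing fixes so whatever gate you have, whether a switch ACL, a firewall rule or a hand-run checklist, can act on it. Note that the check only proves a hotfix is registered, not that the host has rebooted into it or that nothing is already running from a previous infection, so it complements rather than replaces the outside scan the poster describes.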

  15. Vendor-dominated security group issues bad report by Animats · · Score: 5, Interesting
    The "National Cyber Security Partnership" has issued a new report on computer security. It focuses on how vendors can avoid responsibility for the defects in their products. The report suggests that the government weaken the Common Criteria for evaluating software security to conform to "commercial reality". The report suggests that the Government, at taxpayer expense, develop "code scanning" tools usable on existing software, thus deferring any action by vendors. There's no suggestion that vendors be held responsible for security flaws, or that any major changes, either technical or in business models, are required by vendors.

    Virus authors have nothing to worry about from this security group.

    Some excerpts:

    • While strong out-of-the-box security configurations are preferred, it is recognized that updating existing products to comply with this requirement can be costly, time-consuming and can result in various incompatibilities with current and supported versions of the product. As a result, it may not be possible for a vendor to transition a product to a more secure out-of-the-box state for several years, depending on product release cycles. ...

      In conjunction with the above recommendations, the requirement for medium or higher assurance evaluations (Evaluation Assurance Level 4+ [EAL4+]) for commercial products should be dropped, since the stated reason for higher assurance evaluations by the proponents is the ability to do vulnerability analysis. Higher assurance evaluations for commercial software impose a cost burden that even the largest IT vendors cannot bear or should not bear; they do not substantially improve product security, but may result in vendors paying multiple times for the same evaluation in different markets. Furthermore, finding faults in software that has already shipped is far more expensive and less effective than giving vendors the tools to be used during the development process. ...

      In order to promote the evaluation of more products, the U.S. Government should help offset the expenses of CC evaluation through research and development tax credits or paying part of the evaluation costs.

    Whose side are these guys on?
  16. Mastercard by Ennslaver · · Score: 5, Funny

    Windows XP Pro for 200 systems: $30,000

    Anti-Virus Software for Windows XP corporate: $7000

    The billing rate for 10 contractors to come out and clean your systems: $700/hour

    Seeing the face of your CEO when you tell him linux is free: Priceless

    There are some things money is wasted on, for everything else there is linux.

  17. Re:TCO by Cobron · · Score: 5, Insightful

    Insightful my.. eh... derriere.
    So free beer is only free if you don't consider your time drinking it worthless? Next time I'll tell the waiter he owes me 3 bucks for that half hour - the price of that beverage.
    I play around with linux in my free time.
    Seriously, time = money only from nine to five.

  18. Re:no viruses for linux yet because.... by The+Snowman · · Score: 5, Insightful

    in all fairness if the tables were turned and M$ had only 5% and linux had 90% of the users out there you can bet we'd be seeing viruses/trojans/worms and hacks coming from all over the place, and we'd be talking about that instead of windows.

    And this would only infect people running Linux as root all the time who use email clients that execute scripts sent from complete strangers without telling them. Yes, people would write Linux viruses and worms (they already do), but the effect would be minimal at best.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
  19. Re:no viruses for linux yet because.... by the_mad_poster · · Score: 5, Insightful

    Mmmm... that's not entirely true. Lately, a lot of virus writers have just been preying on the stupidity and gullibility of the average user. Hell, I got one of them zipped one day that practically had freakin' installation instructions... and people were STILL getting infected!

    However, for this to work on a Linbox, there are two requirements: 1) the user must save the binary and make it executable and 2) the user must then run it. Now, once that happens, there's really not much going to go differently on a Linbox than a Winbox. The thing can still bind to a high port and zombify the machine for spammers, which is what the majority of viruses do as of late. On a desktop, there's no reason to believe that granny Gretchen won't do just that once she learns how to whip out chmod +x on everything's ass. The nice thing, however, is that if you're running in a corporate environment, you can isolate users to their own filesystems to protect them from doing stupid things like this. Yea, maybe they'll trash their own data, but at least they'll be isolated from critical system information and the network (excepting zombification... but you would be smart and block all those ports, right... you don't have chewy on the inside network security... right?). Great for corporate networks, FAR better than the Windows situation (Yea, I know.. you can use Active Directory, but that's not a native part of Windows). However, for desktop users at home... well... they'd still shoot themselves in the foot.

    Worms, on the other hand, are another story. First, patching a Linbox is often a matter of grabbing a patch a day or two after the vuln is known and slapping it into the system. Since Linux is built on the Unix philosophy of tools in a toolbox, you don't have to worry that a patch for program x is going to change code that program's y and z also use (unless it's a library or something). Windows? Not the case. If you have to patch MSHTML, anything from IE to your damned titlebars can get fucked up as a result.

    On top of that, Linux systems are not (currently) very homogeneous. Part of what makes Linux a tantalizing target for manual attacks is that it's just damned hard to write malicious code that will work on a widespread number of systems. Unfortunately, as the dust settles and some companies really do start to take up the mantle of "desktop linux", that heterogeneity may just go away for desktop users...

    The point is this: Linux CAN be much, much, MUCH more secure than Windows. However, Linux also does the same thing Unix does: "Look, you can make me secure if you want, but you can also use me to blow your toes off one at a time... YOU choose.. I'm not going to decide for you." A lot of geeks forget that. Linux is not inherently secure (OpenBSD is inherently secure... and I don't think it's going mainstream desktop like that any time soon), and it WILL happily let you shoot yourself and your nearby friends if you so choose. Desktop users at home will do just that. It does do some things inherently better, but it still won't protect the world from people who don't bother to learn anything at all about their new toy. You can code against stupid people, but your system isn't going to do much when you're done.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  20. Re:I got this great idea.... by Lispy · · Score: 5, Insightful

    Yeah, actually: "Let's go!". I mean there is one thing that really annoys me in all this TCO stuff.
    I work as a sysad in a huge German company and whenever I say "Linux" they answer "retraining cost".

    C'mon, I KNOW my users now for almost 5 years and I can guarantee you the vast majority of them got never ever trained on their machines and will never be. They are totally clueless most of the time and only a few use more than two or three apps throughout the day. After upgrading them to XP they didn't even recognize a difference. It just can't be that hard to move them over to a Gnome or KDE desktop. We had an 18-year-old for practice here for two weeks who knew nothing about PCs except browsing the Web with IE. He installed Knoppix on a machine, and the only time he asked during install was when the drive had to be partitioned.

    Bah, I just can't believe the fairytale of training cost anymore. As if companies would train their staff... They just replace them if they find someone else who does the same job in less time, regardless if it was just that one could use Word's serial-letter features and the other had never heard of it...

  21. Re:no viruses for linux yet because.... by liquidsin · · Score: 5, Funny
    to: you
    from: coed_hotties68@hotmail.com
    subject: superhotsexy screensaver

    Hi! My hot lesbian coed friends and I made this hot lesbian coed screensaver! To install it, just do the following in a shell:

    gzip -d /home/you/screensaver.tar.gz
    tar -xvf screensaver.tar
    cd screensaver
    ./configure
    make
    sudo make install (enter your root password)
    ./screensaver &

    hope you enjoy!

    --
    do not read this line twice.
  22. Re:no viruses for linux yet because.... by donkeyoverlord · · Score: 5, Funny
    That sounds like a lot of trouble why don't you just
    emerge superhotsexy_screensaver
    This way the virus is optimized for your system so it can infect others faster. Gentoo makes everything better!!!