The Hidden Cost of Using Microsoft Software

Glyn Moody writes "Detractors of free software like to point out it's not really 'free,' and claim that its Total Cost of Ownership is often comparable with closed-source solutions if you take everything into account. And yet, despite their enthusiasm for including all the costs, they never include a very real extra that users of Microsoft's products frequently have to pay: the cost of cleaning up malware infections. For example, the UK city of Manchester has just paid out nearly $2.5 million to clean up the Conficker worm, most of which was 'a £1.2m [$2million] bill in the IT department, including £600,000 [$1 million] getting "consultancy support" to fix the problems, which including drafting in experts from Microsoft.' To make the comparisons fair, isn't it about time these often massive costs were included in TCO calculations?"

Hear hear!

For example: The State of Vermont's Agency of Human Services just went through a similar exercise and I'm sure it cost them a fortune. The state is suffering financially as it is and yet, we haven't heard a WORD (there really isn't any investigative news in VT) about the outcome or how much it is costing

Re:Hear hear!

Yes and we all know how superior and knowledgable state-run lowest-bidder IT is compared with the rest of the security industry.

Really, people, most government agencies pay such crap IT salaries, all the people who have a clue aren't working for the state itself... they are the ones coming in as an outside consultant to clean it up for $2.5 million.

So why is it such a shock that a bloated, un-organized, underfunded, undertalented state agency got that bad an infection, and was not capable of fixing it themselves?

Yes, there are a lot of hidden costs to MS products. But if you're going to go the "malware" route, the best you can do is include the time & cost of installing preventative AV software. Patches should be automatic, but I have this sneaking feeling that most of those machines were waaay past due.

Or in other words, don't try to lump in the incompetence of the IT group with the product's hidden cost, no matter how tempting a target it might be. This article really is just Flamebait over and over again.

Re:Hear hear!

This is the same organization, btw, which insisted on writing IE-7 specific apps for their potential users (poorly written apps, at that) even with a series of outside vendors trying to push them to write to open standards. Their programmers would have none of it, of course. Surprise!

Re:Hear hear!

[peragrin]

here is the kicker you can't 100% trust MSFT patches. because of the way XP works, and has been allowed to work a patch my QA test fine but break a mission critical app that is written poorly. However because MSFT doesn't force developers to use the proper tools the app works without an update. I have had it happen to me several times. the patch auto downloads plugs the leak but from then on I can't use software that is necessary for my job.

There have also been several times where MSFT has rushed a patch and either sent out the wrong one(it happens), or the patch was flawed and crashed systems left and right.

This isn't strictly MSFT fault(it is only in the sense they are so laxed about patching things properly) but you can't trust auto updates you need to give them about a week to work out if there are serious issues.

Re:Hear hear!

The cost of cleaning (even if it is a "dangerous" Windows system) is also due to inappropriate/dangerous use of the computer by users/employees. As a malware researcher, I see too much use of pornogrophy, cracked software, social networking, P2P, "dumb" clicking, and other actions that would tend to make even the safest system (if there ever is one) dangerous.

Regards,

AC

Re:Hear hear!

[Ozymandias_KoK]

Why exactly is MS at fault for your admittedly poorly written yet mission critical app?

Re:Hear hear!

[M-RES]

I've experienced this on a number of occasions, and on one of those occasions it was MS who poorly WROTE the mission critical app - Explorer!

Re:Hear hear!

[intheshelter]

I disagree. While it MAY have something to do with incompetence on the part of IT, the fact is this Windows malware cycle is part of the TCO so it should be counted. Why should IT even have to be competent in patching a sinking ship like Windows. It's the swiss cheese of security in Windows that caused this issue in the first place.

Re:Hear hear!

[mcgrew]

It seems that the cost of malware might make up for the higher price of a Mac than a PC. I've never owned a Mac, I'd like to see a comparison there. It may be that "cheap" is more expensive than "expensive".

Patches should be automatic

I used to think that, and of course every security patch should be applied, but you should be careful with any Microsoft update, as I found out on my home machine a few years ago when I first got XP. The day I installed it, it worked fine. The next morning the modem was on the floor (damned cat) and it wouldn't connect to the internet.

XP refused to run a program that had come with my CD burner with a dialog saying that program made the system unstable (although I never had very many problems with stability with 98), but it wouldn't let me uninstall it, either. I set this particular problem aside to try and get online, and called my ISP's help desk. From what he could see the modem was fine, and he suggested that my network card had failed.

I made sure it wasn't just the cable and was set to go out and buy a card (they're only about ten bucks) and decided to reinstall Windows so I could get rid of the CD-burning software problem.

After I reinstalled windows, I could connect to the internet again. But the next morning it was broken again, and I suspected that Windows Update was hosing me, so I watched carefully and indeed, it was replacing my network card driver with a "new" version that hosed my internet connection.

Letting Windows update automatically is a very bad idea. Pay attention, you never know what they're going to break next.

Re:Hear hear!

[dyingtolive]

Wait a second. Its Microsoft's fault your apps are written poorly? Granted, transparency in their fixes might make that a little easier to predict, and autopatching is the work of the devil, but that still doesn't change the fact that your apps are written poorly. As an comparison to your situation, specific versions of wine fix some applications but break others. Now, you're going to argue that wine is not a good comparison because it's not system patches or something like that, but I would say that first off, it is as much system to the applications I'm running through it as your Windows OS is to your apps, and secondly, that this example is just the first one I could think of.


Also, if within your power, you should _really_ have a dev version of your mission critical apps incorporated into your QA test. Most of the serious clients for the company I work for (faceless worldwide provider of market data) have entire dev/testing sites they apply fixes to prior to doing anything to their prod stuff. Granted, you might not be talking millions of dollars in trading, but if its important enough to complain about, its important enough to try to do something about.

Re:Hear hear!

[catmistake]

Not sure who you are replying to... the OP?... your response seems to ignore the GP... Anyway, the slickest, smartest, best educated, highest paid cutting edge group of Microsoft IT guys on the planet still must waste man-years on anti-virus and malware on any Microsoft installation of notable size. I've been saying for years NT should be abandoned because of this extra built-in, and until recently ignored by MSFT, virus-tax. It wasn't necessary for it to happen, but it has. Time to abandon Windows, let it topple and burn. Sure, other OS's might be vulnerable too, but we'll worry about abandoning them when they're overrun with virus/malware (and sufferring from inherent poor security). But... where do we find an OS to replace Windows? Does such a thing exist that does such miraculous things like offer a desktop environment, web browsing, email, spreadsheet, word processing and calendar?

Re:Hear hear!

MS products have more malware problems because they are the biggest target...i.e. the most "cost-effective" platform for malware writers. If Penguine-ware were on as many machines, it would have as many malware problems. Only then, there wouldn't be a highly-paid and dedicated team of individuals working to develop and test updates to fix vulnerabilities in the OS. Fixes would be slower to deploy, less effective, and riskier.

Life's different when you're the big dog. The worst thing that could happen to BeOS, Linux, et al would be to "hit the big time" and actually capture a significant market share on ordinary users' machines.

Re:Hear hear!

[peragrin]

1) I said it wasn't strictly MSFT's fault. They do however provide the tools to do things in windows that a proper OS doesn't allow. These things are done not out of malice but obscene backward compatibility.

Second I don't write the mission critical stuff. someone else designs it and i am only a user. however they(not MSFT) have so screwed up the standard windows installer that it crashes 60% of the time by failing version checks with their own software.

I use OS X and Linux at Home. I have to maintain the Windows work computers up for day to day items( we have a part time IT dept) that means installing the softare, and dealing with things as the auto-updater breaks them.

You cannot use viruses/bugs as an example of cost

[Hubbell]

Due to the fact that windows has had a 90+% marketshare since the dawn of time, do you really think people are gonna waste time writing viruses for the 6 people using a mac or the 2 people using linux? No, they aren't. It's cost benefit analysis at it's finest, they're aiming for the larger audience, just as they are doing now with firefox which was claimed to be 893589023x more secure than IE, but as soon as it gained popularity the bugs/exploits came out of the woodwork like fucking crazy.

I personally use windows, and prefer windows, and since XP came out have never had a problem with it myself. The biggest problem with computers is they're technical machines which lend themselves to needing to have technical knowledge in order to use one safely/correctly....which the majority of people do not have.

I love /.

[godrik]

There is still no comments on the article and it is already tagged as troll! :)

Re:I love /.

there *are*

Sadly, I don't agree.

[Slartibartfast]

It's overhead. In other words, while it's true that malware affects closed-source far more frequently than OSS, that's just because CSS is far more commonly-used, and, therefore, makes a more tempting target. Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land. I love Linux (heck, "I'm rinsing in it now!"), and have used it as my primary desktop and server platform since '94, but bulletproof it ain't.

Re:Sadly, I don't agree.

[gurps_npc]

Your comment is 100% completely correct and also 100% completely irrelevant.

The question is not "Is Linux inherently as cheap as Microsoft". No. The question is, if we include all costs, including virus and other malware related costs, will Microsoft cost more than Linux.

Just as Microsoft is correct that when considering the real cost of 'free software', you have to include costs such as training, you ALSO have to consider the costs incurred due to malware.

Re:Sadly, I don't agree.

No one said Linux is "bulletproof". Don't try to change the topic.

TFA is saying that the closed-source software costs more when operating costs are included in the total price tag. How much does industry pay for malware protection, virus protection, trojan protection, downtime from infection, and loss of productivity as a result of closed-source software? Those costs are relevant to businesses and should be considered.

Re:Sadly, I don't agree.

[n4djs]

Linux would never have the same level of bugs as Windows, for one simple reason. The default user configuration on Windows in a home environment is that any user has administrative rights (which is not the case, by and large, in corporate environments). This is primarily due to the vast majority of Windows applications being unable to install correctly if the user does not have administrator capability.

This leads to all sorts of bogus cruft getting installed on machines by users who are without a clue with computer security, and simply don't know to install tools like NoScript or SiteAdvisor and to pay attention to the warnings they generate.

Linux's in general do not run normal users with superuser capabilities, which stops a lot of garbage from getting installed on machines in the first place.

Re:Sadly, I don't agree.

[sofar]

Maybe it's a strength that Linux is used less. That results in a lower cost of ownership overall for organizations "right now". In the far future, this could change obviously, but nothing suggests that this cost will be larger than that of Microsoft implementations, not by any margin, not any time soon.

So, as fundamentally correct as your point may be, the story "beats" you because it points out that Closed Source is misrepresenting a lower TCO by not accounting for security issues with the entire solution.

Close source solution offers "skip over" the windows virus/malware problem, Open Source has a clear answer to it now, and likely in the future. Large contracts should be made evaluating these things thoroughly, and include a real assessment of the validity of these offers, and not just take Joe I.T. Contractor's word for it.

Re:Sadly, I don't agree.

[Spike15]

This is also the same reason that you don't see as many windows problems in a corporate environment: Because the users aren't administrators.

I recently switched my entire home network over to AD, and started making people actual AD accounts that are not local admins on their machines, and the number of problems that they're having has gone WAY down. Sure, they have to ask me whenever they want to do something like install software, but for the most part their system configurations are fairly stable -- they just do the same tasks day after day, they're not highly dynamic users who like to experiment with new and exciting software / hardware like I am -- besides, them having to call me insures that I have a certain degree of oversight as to what goes onto their computer, allowing me not only to support them better later on (since I know exactly what happened to their PC), but also allows me to preempt problematic software etc.

Re:Sadly, I don't agree.

[vertinox]

Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land. I love Linux (heck, "I'm rinsing in it now!"), and have used it as my primary desktop and server platform since '94, but bulletproof it ain't.

I think by bullet proof they mean mitigate stupid user and developer tricks which still happen in Linux but you have to try harder.

I mean the first thing I did when first trying out Linux in 1997 was to learn it while logged in as root because that was how you logged into Windows NT.

That said, I strongly disagree that OS usage is directly correlated to viable exploits on a device.

Take the iPhone for example. Its used by a lot of people but its nigh impossible to exploit simply because its locked down.

Now you sacrifice a lot of usability, but that is the price you pay in terms of security.

I mean if Microsoft Wrote an OS that would not allow the user or their programs to write to anywhere else except the user home directory and programs could not starup other programs or modify their files, then you would never see any other viruses again on the Windows platform.

Of course this would break all the legacy programs and you wouldn't really be running windows anymore in a sense... But wouldn't it be worth it? ;)

Re:Sadly, I don't agree.

Not only that, but if we're going to consider future potential TCO, we must also realize that *if* Linux becomes more of a target for malware due to increased popularity, while that one part of the TCO increases, at the same time the training part of TCO will go down. Obviously it is impossible to tell if they will balance each other or not, as it is all conjecture at this point and thus largely irrelevant anyway.

Re:Sadly, I don't agree.

[drijen]

Parent poster is full of crap.

 

Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land.

 
This is the same as stating: "If linux had the number of users that microsoft windows had, it would be victim to the same number of viruses, malware, and general script kiddies" which is complete bullshit.

 
I'm sick of hearing this argument, only a complete tool would believe it. *Nix systems are inherently more secure, due to its security model (file permissions, groups, no admin rights, etc), and to the fact that it literally forces you to not be a complete moron (security wise) while using it. Furthermore, because of the variety of software that can be installed on each box, only the most common programs (apache, nginx, ssl, ssh, etc) would be effective targets to attack, limiting the areas an admin needs to cover.

 
Due to the above, there are only certain attacks that would be effective to a *Nix system. Off the top of my head, this leaves: privilege escalation, man-in-the-middle, and social engineering (a problem everywhere, regardless of OS).

 
 
In short, a Linux machine that is run by a competent administrator is MUCH more difficult to infect or attack than a Windows machine, and the parent is a moron.

Re:Sadly, I don't agree.

[ckaminski]

Except you forget: you can boot a clean Linux machine in a second - you can't CD-boot Windows, or boot it from a read-only drive. Architecturally, Linux is better designed to repel attacks in the first place.

Re:Sadly, I don't agree.

[dbcad7]

I don't think so.. Here's why.. users are lazy, and this is the biggest vulnerability.. With most Linux distributions, software is distributed by the "distro" (usually through repositories) .. This is the easy way.. The hard way is installing from outside this source and making it work.. the really hard way, is compiling from source... Now since most users are lazy, it's generally going to come from the distro repo where it has gone through many eyes and testing before it was available.. The other difference is executables.. If someone emails me something like a script, it requires extra effort to make it executable.. again laziness prevails in Linux's favor.

Re:Sadly, I don't agree.

[DAldredge]

http://en.wikipedia.org/wiki/Windows_Preinstallation_Environment

Re:Sadly, I don't agree.

[tixxit]

That is no longer true. Windows Vista & 7 both default to a limited user, not admin. I've been using Linux for my OS for 8 or so years, but you gotta give credit where credit is due.

Re:Sadly, I don't agree.

[ckaminski]

Exactly how much usability are you actually losing with the iPhone? I'd wager a whole hell of a lot less than you think.

Re:Sadly, I don't agree.

[DragonWriter]

In other words, while it's true that malware affects closed-source far more frequently than OSS, that's just because CSS is far more commonly-used, and, therefore, makes a more tempting target. Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land.

Even granting, for the sake of argument, that Linux would be as badly impacted (in terms of cost to users to deal with malware, not in terms merely of the total attempts to deploy malware) as Windows were it as popular, that is irrelevant to the cost to individual entities deciding which they should use, since no individual entity's decision to use or not use Linux is likely to take it from its current actual popularity to near the popularity of Windows (or, OTOH, stop it from being on the order of the popularity of Windows).

Re:Sadly, I don't agree.

[Tawnos]

Shouldn't any company, investing in any solution, consider regular virus/malware checks and security audits? Just because a company chooses to go open source doesn't change their responsibility to check for viruses/exploit (though rare, still possible). Especially when considering large scale deployment for a company, the responsibility to check the system's sanity is still important enough that a vendor's solution will/should need to be purchased for either system.

Re:Sadly, I don't agree.

[Spike15]

That is no longer true. Windows Vista & 7 both default to a limited user, not admin. I've been using Linux for my OS for 8 or so years, but you gotta give credit where credit is due.

I was going to point this out, but any mention of "Vista" and some positive trait causes the anti-M$ masses to start foaming at the mouth and quickly lose coherency, and I wanted to avoid that.

Personally I used Windows Vista from the time it went Gold to the time the Windows 7 RC came out, and never regretted the switch from XP to Vista. In the same way, I've never regretted the switch from Vista to 7. Microsoft has been on a "roll" of late, in my opinion. Everything they're pumping out seems to be of the highest quality. I say this not only with relation to 7, but also having taken a look at Server `08, Forefront TMG, Silverlight...

Attempting to remain somewhat apropos here, UAC is also a really excellent innovation, allowing even Administrators to keep themselves somewhat in-line. Sure, it takes a bit more of a trained eye than just getting user privileges and not being able to elevate yourself, but having to hit "Continue" whenever something tries to do something that could be construed as malicious sure makes you think. The way they've trimmed UAC back in 7 is also a godsend -- taking a fundamentally good idea and making it better (the irritation factor of Windows Vista UAC always overrode the fact that it was fundamentally a good idea). It's also exceptional in AD shops, because you (as a Domain Admin / Local Admin), can allow users to perform admin-only tasks without circuitous methods, like exiting and using "Run As..." or just logging the user off and logging in as yourself.

Re:Sadly, I don't agree.

[drsmithy]

Linux's in general do not run normal users with superuser capabilities, which stops a lot of garbage from getting installed on machines in the first place.

No, Linux simply does not have the ignorant home user demographic that Windows does.

Not running as root is, at best, a minor bump in the road. There's very little that a malicious program might want to do, that it cannot do as a regular user.

Re:Sadly, I don't agree.

[Yaa+101]

Only Linux is not used less, Linux is used for almost every platform that includes a microprocessor, from PCs to embedded stuff to gadgets etc...

Re:Sadly, I don't agree.

[sofar]

they should, and I expect companies like redhat, novell etc. to include auditing and monitoring in their service contracts.

Re:Sadly, I don't agree.

[n4djs]

What a joke! I just tried this on my wife's Vista laptop. Your two options for account creation are 'administrator' or 'standard account', with 'standard' being the first defaulted choice. The only problem with this is that you can't install software at all with the standard account. Good luck with trying to install Microsoft Office from a standard account...
There is so much software out there that simply won't install correctly if the user is not an administrator, I don't even try any more...
And of course, this does nothing for the bulk of Windows home users, running Windows XP. These are the principal vectors of most malware...

Re:Sadly, I don't agree.

clearly you've never seen the ubuntu forums. or gentooisrice.

Re:Sadly, I don't agree.

[drsmithy]

I mean if Microsoft Wrote an OS that would not allow the user or their programs to write to anywhere else except the user home directory and programs could not starup other programs or modify their files, then you would never see any other viruses again on the Windows platform.

Of course you would. Why wouldn't you ?

Re:Sadly, I don't agree.

[Sir_Lewk]

Well for starters I can't multitask, build and run my own applications (without jumping through hoops), run non-Apple approved software, etc...

Sure for the tasks phones are normally expected to do it might be great but you really can't expect to reasonably lock down a computer to the same degree and be left with something acceptable.

Re:Sadly, I don't agree.

[jayme0227]

First, the cost to individuals that end up with viruses and malware is probably similar across platforms if experience/expertise level is considered. Idiots tend to do stupid things that cause them to get more viruses. Idiots tend to use Microsoft products because they don't know anything else. Microsoft looks bad comparatively to other platforms.

If you consider the number of viruses or malware problems experienced by MS users with technological proficiency along the lines of a typical Linux user, however, you would likely see that there are far fewer problems than a "typical" user would experience. Although there would indeed be an increase in malware over those using Linux, however it would not affect TCO nearly as much since these more proficient users would be more likely to identify and fix the issue before it became serious.

Second, in the case of large corporations or governments, they almost have to use Windows for a whole host of reasons: The limited technical proficiency of their employees, the need for consistency across a whole spectrum of systems, the need for third party support, etc. Obviously this becomes to a vicious cycle, but if that cycle were to ever be interrupted and a new business standard was adopted, that standard would likely have just as many problems with malware as Microsoft does now.

Overall, Iâ(TM)d have to say that, yes, Microsoftâ(TM)s TCO goes up comparably to other platforms because of issues with malware. You have to consider, though, that as people adopt other platforms, those other platforms have to deal with an increasing cost of malware, much as Apple is starting to experience with the growth of the Mac OS.

Re:Sadly, I don't agree.

[drsmithy]

This is the same as stating: "If linux had the number of users that microsoft windows had, it would be victim to the same number of viruses, malware, and general script kiddies" which is complete bullshit.

The user is the single biggest security hole in any system. On what basis do you justify ignoring that ?

I'm sick of hearing this argument, only a complete tool would believe it. *Nix systems are inherently more secure, due to its security model (file permissions, groups, no admin rights, etc), [...]

The Windows permissions system is both more comprehensive, and more secure, than traditional UNIX security.

[...] and to the fact that it literally forces you to not be a complete moron (security wise) while using it.

Quite the opposite. The most common way to get around security "annoyances" in UNIX is to run stuff as root. Root - by definition - completely bypasses the entire security system.

Furthermore, because of the variety of software that can be installed on each box, only the most common programs (apache, nginx, ssl, ssh, etc) would be effective targets to attack, limiting the areas an admin needs to cover.

So, just like Windows you mean ?

Due to the above, there are only certain attacks that would be effective to a *Nix system. Off the top of my head, this leaves: privilege escalation, man-in-the-middle, and social engineering (a problem everywhere, regardless of OS).

So, just like Windows then ?

In short, a Linux machine that is run by a competent administrator is MUCH more difficult to infect or attack than a Windows machine, and the parent is a moron.

A Windows machine run by a competent administrator is just as difficult to infect or attack as a similar Linux machine.

Re:Sadly, I don't agree.

[BobMcD]

I'd like to know your opinion on Vista's efforts to borrow that infrastructure. Does it get your seal of approval due to the security model upgrade?

Also are you comparing administrative competency? Are we assuming that all Linux users are Smart(tm) and all Windows users are not? If so, why?

Personally, I agree with you, but seemingly not because your logic is sound.

Re:Sadly, I don't agree.

[BobMcD]

How much of this is enabled by the free-as-in-beer nature of the software, as opposed to the kernel running underneath it?

Re:Sadly, I don't agree.

[Sparky+McGruff]

If Linux (or any other platform) gains in popularity so much that it becomes the target of most viruses, then the "cost of training" will go down, because every high school and community college will be showing their students how to use Open Office on Linux... and MS software would become "niche software" that requires extra training.

Re:Sadly, I don't agree.

[Phu5ion]

UAC is also a really excellent innovation, allowing even Administrators to keep themselves somewhat in-line.

Except UAC isn't a MS innovation. Privilege elevation has existed long before MS decide to start taking security seriously.

Re:Sadly, I don't agree.

[tixxit]

That's because you misunderstand how UAC works. An Administrator under Vista only means that they are able to run software as an Administrator. By default, all software is still run as a Standard user (unless give explicit permission by the administrator). The best analogy of an Administrator to the unix world is just a regular user who belongs to the wheel group.

Re:Sadly, I don't agree.

[Phu5ion]

Parent poster is full of crap.

Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land.

This is the same as stating: "If linux had the number of users that microsoft windows had, it would be victim to the same number of viruses, malware, and general script kiddies" which is complete bullshit.

100% agree. The more people you have using the apps and eyes you have looking over the source means those obscure, deep defects become much more shallow and easier to fix. A situation MS can only dream of.

Re:Sadly, I don't agree.

[jedidiah]

No, the primary strength of Linux is that it is not attempting to cluelessly
pander to the "normal user". Apple panders to this sort of user but it tries to
be smart about. Microsoft tries to pander to this user and f*cks it up. If Linux
tries to follow Microsoft's lead in some sort of stupidity, there will be enough
users bellyaching that it's a really bad idea. Who's there to send up the red
flags in Redmond?

          The Mac is a pretty good demonstration of the idea that you don't have to
be an idiot to accomodate "idiots".

            Much of Microsoft's trouble comes from violating principles that were beaten
into your head if you were computing online in the 80s.

Re:Sadly, I don't agree.

[adamstew]

http://www.ubcd4win.com/

Windows booting from a read-only CD drive. I use it often.

Re:Sadly, I don't agree.

[recoiledsnake]

No one said Linux is "bulletproof". Don't try to change the topic.

TFA is saying that the closed-source software costs more when operating costs are included in the total price tag. How much does industry pay for malware protection, virus protection, trojan protection, downtime from infection, and loss of productivity as a result of closed-source software? Those costs are relevant to businesses and should be considered.

What the hell does 'closed-source' software have to do with malware and all things you listed? Those depend more on popularity than FOSS or not. For example, check FireFox 'infected' with spyware http://i.d.com.com/i/dl/media/dlimage/14/92/50/149250_large.jpeg

Debian servers attacked http://news.zdnet.co.uk/security/0,1000000189,39118062,00.htm

"This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours," the posting read.

Attackers compromised four servers, including those responsible for maintaining the project's bug tracking system, mailing lists, Web, Common Versioning System (CVS), security downloads and others.

RedHat/Fedora itself being attacked http://www.pcworld.com/businesscenter/article/150212/hackers_crack_into_red_hat.html

The last two examples are almost the equivalent of Windows Update being attacked and distributing malware, which hasn't happened (yet).

How can you claim that 'closed-source software' is the cause of all the ills you mentioned?

Re:Sadly, I don't agree.

[Repossessed]

There's a problem with the theory that Linux will have as many viruses as Windows if it becomes more popular. Namely, Linux is currently the most popular webserver, despite this windows based webservers have far more malware.

Linux webservers do get hacked too, showing that they're a priority target, just not as many viruses.

You also have to factor in that Linux is a diverse ecosystem, windows is not as much, all products essentially the same. That makes writing a virus that will hit all Linux boxes a lot harder than one that will hit all windows ones.

Linux will certainly develop a malware problem as it grows, but it will never be as bad as Windows has it.

Also, from the perspective of TCO, as Linux becomes popular enough to have a malware problem, it will also decrease the cost of training.

Re:Sadly, I don't agree.

[JoeMerchant]

that is run by a competent administrator

This would be the key to any secure system. It is also possible to run Vista securely, but nobody does because that would require "training" the users more than we are used to. Linux is more secure by default, Linux users are more accustomed to running in a secured environment, etc.

Is the Linux security model "better" than the Vista one? I think that's a 99% subjective question. Subjectively, I find it easier to run Linux securely than Vista, and more importantly, it is easier to do things securely in Linux than to do them insecurely, in most instances. In Vista the opposite is often true - far easier to run in Administrator mode than to hassle with reconfiguring something to work properly in a secure way.

But, if you have a competent administrator and well trained users (both as common as Blue Moons on Thursdays), then Vista can be run just as securely as Linux, but then, well trained Linux user/administrators are also quite rare, in the real world.

Re:Sadly, I don't agree.

"privilege escalation" is what it's all about. Most of the nastiest bugs to hit windows were from getting your code run at a higher authority than you are supposed to have. Your counter argument is saying that Linux does not have any access violations. Nobody designs systems to have exploitable bugs, they're completely unrelated to how strict the security model is.

Re:Sadly, I don't agree.

[gbarules2999]

Maybe it's a strength that Linux is used less.

Question for people smarter than me: If Linux is on 80% (or so) of servers out there, you'd think there'd be viruses like crazy for Linux, right?

Re:Sadly, I don't agree.

[jimicus]

Please don't get me wrong - a lot of people have replied (rather nastily IMO) - these are questions which I would like to see an answer to and aren't intended as sarcasm.

I'm sick of hearing this argument, only a complete tool would believe it. *Nix systems are inherently more secure, due to its security model (file permissions, groups, no admin rights, etc),

How exactly is a full ACL-based permissions system less secure than the "user, group, world" security model used in traditional Unix?

The implementation may suck in some cases, but we're talking about something that's inherent here, not a foible of the implementation.

Furthermore, because of the variety of software that can be installed on each box, only the most common programs (apache, nginx, ssl, ssh, etc) would be effective targets to attack,

There are three main forms of malware in the world - viruses (spread with minimal human intervention), worms (spreads with no human intervention whatsoever, generally takes advantage of a software bug) and trojans (requires a human to spread it).

A quick look on Symantec's website shows that the latest security issues are almost exclusively worms and trojans - neither of which Unix offers any intrinsic protection against.

In short, a Linux machine that is run by a competent administrator is MUCH more difficult to infect or attack than a Windows machine, and the parent is a moron.

Same is true of Windows, though a competent Windows administrator is perhaps rather harder to find amongst the enormous number of people who claim to be Windows admins.

Re:Sadly, I don't agree.

[NoOneInParticular]

Your entire argument hinges on the assumption that an OS is a natural monopoly. This is flat-out false: Google doesn't need to run Windows to serve search-results, banks don't need to run Windows to perform transactions, people don't need to run Windows to create and share documents.

What is more likely happen if Linux comes out on top is that there will be several companies that will provide distributions that will all be different, but which all will function and (god forbid) interoperate. If such a thing comes to pass, the single attack vector for malware writers dissappears, and they will have to work significantly harder to get a smaller payoff. You know that little thing, free market? The one we almost got rid off in our desire to serve the corporate overlords?

Re:Sadly, I don't agree.

[gbarules2999]

You forget about the Linux server market, where Linux is number one, and this fact hasn't upped the amount of viruses whatsoever.

Re:Sadly, I don't agree.

[nxtw]

Take the iPhone for example. Its used by a lot of people but its nigh impossible to exploit simply because its locked down.

Bullshit. What exactly is all this about? And this?

What do you think jailbreaking is? Older firmware could even do it over the Web.

A while back, there was even a bug that let anyone bypass the lock screen (and the password).

Re:Sadly, I don't agree.

Why would you want to attack upstream, when it is proven simpler to attack downstream on a windows client?

Re:Sadly, I don't agree.

[sofar]

There are, but vastly outnumbered by the number of possible attacks on the typical windows desktop system.

Windows desktops are not just an easy target, they're more diverse, numbered and aren't all run by Joe Hacker.

Exploiting one windows system means you can exploit maybe billions worldwide. Exploit one linux box and you have the technology to maybe exploit a few thousand more at best. Diversity interestingly here makes Linux inherently more secure.

Re:Sadly, I don't agree.

I don't know much about WinPE I'm afraid. Does it run advanced pre-installed applications like Photoshop and *CAD and is it able to include most of the features needed by a user in a safe read-only environment? If not I wouldn't compare it to a Linux live CD though I could still see it being very useful.

Re:Sadly, I don't agree.

[KingMotley]

I would try and make an argument against what you've said, but history has already proven you wrong, so I won't bother.

Re:Sadly, I don't agree.

[Kral_Blbec]

But they are the only ones that have been flamed for it. I dont really see much difference between having to use sudo everytime you want to do something vs the UAC prompt, yet Ubuntu is lavished for how security is thanks to sudo and Vista was trashed for being inconvenient.

Re:Sadly, I don't agree.

[sexconker]

No, the question is "What costs can we add up on one side to make the other side look better?".

When you really consider ALL costs, they're pretty equal. You could cut the bias in the article (or any of MS's ad campaigns about cost of ownership) with a dull melon.

Re:Sadly, I don't agree.

[ckaminski]

Windows PE is NOT, I repeat, NOT Windows. You cannot run normal Win32 applications in it.

A Knoppix or Ubuntu boot CD it is not.

Re:Sadly, I don't agree.

[ZarathustraDK]

How can you claim that 'closed-source software' is the cause of all the ills you mentioned?

If the code is open then everyone can find and fix vulnerabilities, not just a comparably few developers who just happen to be working on that aspect of a given program. Sure, Microsoft may be big, but their bug-triage is sorely lacking when compared to popular open source projects, they simply lack the (authorized) manpower to do that sort of thing.

Re:Sadly, I don't agree.

[ckaminski]

Okay, aside from the multitasking bit, if we restrict ourselves to the corporate environment, if you had something like an App Catalog for your company, you lose none of the flexibility of locking the system down in an iPhone-like fashion.

Re:Sadly, I don't agree.

[Beat+The+Odds]

You forget about the Linux server market, where Linux is number one, ......

Wow... that's quite a surprise that Linux is number one in the Linux server market....

Re:Sadly, I don't agree.

[drsmithy]

Question for people smarter than me: If Linux is on 80% (or so) of servers out there, you'd think there'd be viruses like crazy for Linux, right?

No.

Re:Sadly, I don't agree.

[dave420]

Not necessary. Windows' and Linux's capabilities overlap, but are not the same. Some things can be done only on Windows, some only on Linux. That means if a company has to do something only possible on Windows, it's a damn sight cheaper to run Windows than Linux. In that case, it's a choice between 'make money' and 'stare at a blank screen'. I'm not saying that's what every company will face, or even most. Just some. And for them Windows is a no-brainer, and infinitely cheaper.

Re:Sadly, I don't agree.

[Sir_Lewk]

Agreed, don't most organizations already attempt to do basically that though? Where exacly is the failure point?

Re:Sadly, I don't agree.

[Rockoon]

You say that now, but if Linux was a market as big as windows, then there is absolutely no chance that repositories will be able to hold all the software people want, nor is there any chance at all that all those eyes you are talking about will look at all the source, and further there is no chance in hell that you are going to get the source to even half the stuff people will want.

A very simple case in point is that a whole hell of a lot of Ubuntu users are right now, as we speak, running with a sourceless binary blob from nvidia. The entire ethos of "FOSS" goes right out the window when something is cool or slick, and thats already the case with the current "dedicated" linux crowd.

Throw into the mix the mob of people that is Windows and you will find that your cute "FOSS" shit will be a minority, that very little that a user runs will come from a repository, and that the repositories themselves will be flooded with more than the dedicated boys can handle.

Remember that the people who you need to start running Linux in order to achieve a majority share are not developers, don't know what programming is, and have no care at all about any of that. They will not be Contributors to FOSS in any way, shape, or form. They will only be Consumers, and after they go through the trouble of download something, they are going to make it run no matter how obviously it is malware. They will learn about sudo and then they will use it.

The real problem is that of the billion computer users on the planet, 99 out of 100 of them really dont give a fuck about security, and don't even understand what it actualy means to give a fuck about security. Linux doesnt address this problem at all, and to be quite honest.. Linux shouldnt even be trying to entice these people because they will only ruin it.

Re:Sadly, I don't agree.

[RightSaidFred99]

'wheel' group? What is this, 1987? Who still uses the wheel group?

Re:Sadly, I don't agree.

[RightSaidFred99]

Begging the question. Linux is not on 80% of the servers out there.

Re:Sadly, I don't agree.

[someSnarkyBastard]

Actually I thought the figure was around 50% (+/- 10%) but yes, you would. If I were going to create a massive botnet, Google's server farms (which run Linux) would be a massive windfall if I could root them. Hell, even if I just managed to tweak a few web pages to run malicious code, if the site gets enough traffic, I could make bank. Imagine Slashdot or Google serving drive-by downloads for example, scary thought isn't it?

Re:Sadly, I don't agree.

[someSnarkyBastard]

You might see a few viruses, similar to how many viruses are out in the wild against Linux (almost none) but without systemwide access, a malicious program cannot do nearly as much damage. The virus cannot modify system files as easily, cannot add itself as a system service or cron job as easily, and cannot subvert system processes to spread as easily. All of these things are still doable even when running as non-root, but they require much more work. You would first need to find a privilege escalation exploit in order to jump to root as opposed to just getting the system to execute your payload file and running as root automatically.

Re:Sadly, I don't agree.

You forget about the Linux server market, where Linux is number one

Linux is number one in the Linux server market?? Wow! How's Windows doing in the Windows server market?

Re:Sadly, I don't agree.

[ajlisows]

In short, a Linux machine that is run by a competent administrator is MUCH more difficult to infect or attack than a Windows machine, and the parent is a moron.

I'm going to agree with you on much of what you said, but I would like to point out the term "Competent Administrator" as a major issue here in terms of a business environment.

I'm going to go out on a limb and assume that most of the people who become proficient enough with a *nix system to get hired as some type of administrator at a company are going to be somewhat passionate about working with computer systems....spending time/have spent time at home learning how things really work. This should lead to them being at least somewhat competent.

Windows Admins? Not necessarily. I've worked with people that ranged from "Help Desk" to "Senior Network Engineer" whom I have no idea how they managed to get a job in IT or why (Actually the why is obviously, they heard it payed well) they even wanted to. They didn't know much and didn't care to learn anything more. Utterly incompetent. I had one "Senior Network Engineer" that told me at one time he didn't even have a computer at home...and he left his work laptop at work.

If we saw Linux suddenly grab 40% of the corporate desktop market, you'd end up with some positions filled by these types of people. It would still be more secure than Systems run by incompetent Windows Admins but certainly less secure than having most of the systems run by reasonably competent Linux Admins.

Re:Sadly, I don't agree.

[man_of_mr_e]

Yes, you can. But let's just assume you're correct. There are other options also.

http://www.nu2.nu/pebuilder/

This is, by definition, designed to run win32 applications from a CD.

Re:Sadly, I don't agree.

[CaptainZapp]

How can you claim that 'closed-source software' is the cause of all the ills you mentioned?

Where exactly did he say that?

You sir, are a contender for the bad strawman of the day award.

Re:Sadly, I don't agree.

[badpazzword]

That's because you have UAC disabled.

Re:Sadly, I don't agree.

[badpazzword]

>A Windows *Enterprise* machine run by a competent administrator is just as difficult to infect or attack as *any* Linux machine.

There, fixed it for you.

Re:Sadly, I don't agree.

[drsmithy]

You might see a few viruses, similar to how many viruses are out in the wild against Linux (almost none) but without systemwide access, a malicious program cannot do nearly as much damage.

Why not ? What common malware behaviour do you think can't be done as a regular user ? More importantly, what makes you think the malware can't fool the user into elevating it's privileges through some basic social engineering ?

The virus cannot modify system files as easily, cannot add itself as a system service or cron job as easily, and cannot subvert system processes to spread as easily.

Users can create their own scheduled jobs and startup programs. This is true on both Windows and Linux. What sort of "system process subversion" do you think most malware is using to spread ?

All of these things are still doable even when running as non-root, but they require much more work. You would first need to find a privilege escalation exploit in order to jump to root as opposed to just getting the system to execute your payload file and running as root automatically.No, you don't, because for 99% of the things malware might want to do, it doesn't need elevated privileges at all. For the 1% of stuff it does want to do, a simple "please elevate me" dialog box will probably be far more successful than attempts at privilege escalation exploits.

Re:Sadly, I don't agree.

[jabjoe]

Please read: http://www.theregister.co.uk/2004/10/22/linux_v_windows_security/ Most of it is still relevant. The consequences of security model used must be taken into account in any cost analysis.

Re:Sadly, I don't agree.

[RivieraKid]

Some things can be done only on Windows, some only on Linux.

Only because it hasn't already been done - not because it can't be done.

Re:Sadly, I don't agree.

[RivieraKid]

Actually, that's still the case, except now you have to click OK before you can install your shiny new malware. Windows 7 is far worse - by default, many MS provided executables bypass UAC with no indication of whats happening. Standard DLL injection techniques mean that any code can run with no UAC prompts at all. This is even worse than XP - at least there was no pretense of protection in XP, with Windows 7 people will assume they are protected when they are not.

Re:Sadly, I don't agree.

This is the same as stating: "If linux had the number of users that microsoft windows had, it would be victim to the same number of viruses, malware, and general script kiddies" which is complete bullshit.

You are under-estimating the destructive abilities of idiots. Even when there is no way to do damage, they still find a way.

Re:Sadly, I don't agree.

[vertinox]

What common malware behaviour do you think can't be done as a regular user ?

My point was to restrict the user so that the virus can't do any damage either.

Re:Sadly, I don't agree.

[drsmithy]

My point was to restrict the user so that the virus can't do any damage either.

How ?

Re:Sadly, I don't agree.

[Gilmoure]

What kind of support ticket request system do you have set up? Also, being family members, what sort of response time/resolution time to you use with them?

Re:Sadly, I don't agree.

[mcgrew]

Microsoft tries to pander to this user and f*cks it up.

Lilly Tomlin: "We're the [monopoly] phone company. We don't have to."

Re:Sadly, I don't agree.

"Is the Linux security model "better" than the Vista one?"

I think so. While both a Vista or Ubuntu machine can be set up securely, the Linux machine allows far fewer possibilities for the non-admin user to destroy the system, while still allowing the user to set up a personalized desktop.

Re:Sadly, I don't agree.

[metaforest]

This gross hypothesis that some how the installed base affects malware creation on a particular platform is fundamentally flawed.

From MacOS V4.x through V9.x there were many thousands of active viruses and trojans developed for the platform, and it's market share was significantly LESS than MacOS X's market share today!

What changed? Pre- OS X versions were inherently, wide frakin open. There was virtually no security. In fact it was common practice for game software to gather system information at run time, catalog all resources it wanted to use, and then stomp on the OS and take over it's resources. This was trivially easy to do.
It was so easy to exploit pre-OS X Macs that many application developers would modify the OS resources in the system folder and other applications behind the user's back, which caused truly heinous conflicts.

Now we have a situation where OS X has been in the market place for almost as long as pre- OS X versions and still there is not a single wild exploit reported....

User sophistication doesn't wash either. Mac end users are, if anything, LESS sophisticated than typical windows users.

There is simply no credible evidence that MacOS X is more secure due to it's minority market status. However there is plenty of historical evidence that Pre-OS X Macs had a comparable number of wild exploits that were equally as disruptive and contagious, as the exploits on Windows based systems.

While my argument does not prove that OS X is more secure, in light of the history of the platform it offers considerable circumstantial evidence that it might be.

Re:Sadly, I don't agree.

[DAldredge]

This isn't digg or reddit so please at least read the link and do some research before you make statements like that. If you had done that you would never have posted what you did.

Re:Sadly, I don't agree.

[cbhacking]

Lets see...

• Windows has file permissions.
• Windows has groups.
• *Nix has admin rights - you just typically don't use them. No version of Windows released in the last 5 years has even the default account running with Admin privileges either, and even before that the installer suggested creation of additional accounts, which defaulted to standard user permissions.
• Linux does nothing at all to "literally force" me not to run as root 24/7, never update, turn off my firewall, run sshd on the default port, and set my root password to "password1." Your claim to the contrary is ridiculous.
• Damn near every Linux box has X11 (one of two flavors) and Firefox installed. Most even have Adobe Flash. Many will have Thunderbird and/or Pidgin. Most will also have KDE or GNOME running, either one of which have a number of network-enabled applicaitons. It's certainly not as homogenous as Windows but it's not that hard to find a program that your target runs (even if the "target" is simply a randomly selected IP address). Also, there's the kernel itself.
• Windows has security measures that are almost nonexistent in Windows (though OpenBSD has them) such as DEP and ASLR. This means that even if you find a vulnerable program, it is extremely difficult to execute an attack. On Linux a trivial shellcode injection that overwrites the return address works fine.

Re:Sadly, I don't agree.

[recoiledsnake]

How can you claim that 'closed-source software' is the cause of all the ills you mentioned?

Where exactly did he say that?

You sir, are a contender for the bad strawman of the day award.

Here. Bolded it for you.

TFA is saying that the closed-source software costs more when operating costs are included in the total price tag. How much does industry pay for malware protection, virus protection, trojan protection, downtime from infection, and loss of productivity as a result of closed-source software? Those costs are relevant to businesses and should be considered.

And you're the winner of the irrelevant and dumb usage of logic memes award.

Re:Sadly, I don't agree.

[tixxit]

Well, a number of recent BSD systems I've used use it.

Re:Sadly, I don't agree.

There is an implicit assumption here that attack vectors wouldn't be cross-platform in this sort of environment. If open source based OSes became the dominant player, you'd have issues with common code bases - even if one variant is skinned differently, etc.

A great example of this is the 'Ping of Death' attack that came out in the 90s - it worked on a wide variety of platforms because everyone (including Microsoft) had adopted BSDs TCP/IP code stack, and they shared a common vulnerability.

Now, this was a very simple vulnerability that only resulted in a DoS against the specific machine. A more successful worm/etc would then need to place itself on the machine, perform priviledge escalation, etc.

But we shouldn't necessarily assume that if we had a fragmented OS market that it would necessarily result in less successful malware in all cases.

First Thoughts...

[geeper]

"Oh my god, not this AGAIN!!"

Re:First Thoughts...

[Voyager529]

"Oh my god, not this AGAIN!!"

Since when does a bowl of petunias have a Slashdot account? Did the sperm whale get one before or after you?

Re:First Thoughts...

On the internet, no one knows you're a potted plant?

Re:First Thoughts...

Genius! If only we could mod stuff to +6!

Only Proprietary?

[Nemyst]

I don't want to sound like a detractor of free software (I actually favor FLOSS as much as I can), but it's not like Linux doesn't have any malware written for it. Sure, it's to a lesser degree, but it's still there and I'm not sure the costs of removing them are systematically calculated into the TCO either.

Re:Only Proprietary?

[eyepeepackets]

Oh really? You make it sound as though it's a comparable situation between Windows and Linux as regards malware. I'd like to see you substantiate this claim with some solid data with a clear comparison between the platforms. Otherwise, I suspect you of being nothing more than a glib, sideways-talking astroturfer.

Re:Only Proprietary?

[morgan_greywolf]

Tbere is theory and then there is reality. How likely are you to encounter that Linux malware? Properly admined, not likely. On Windows? The odds are near 100%, no matter how effective your system administration skills are.

Re:Only Proprietary?

And you can name this malware please? Please list them. Then let's do a side by side comparison.

Nice FUD.

Re:Only Proprietary?

[Aphoxema]

Tbere is theory and then there is reality. How likely are you to encounter that Linux malware? Properly admined, not likely. On Windows? The odds are near 100%, no matter how effective your system administration skills are.

Nonsense, I have never once ever had a virus or trojan or anything. That's why I've never had to use an antivirus.

Re:Only Proprietary?

Of course, if open source solutions like Linux became truly popular, then the folks that spend their hours writing viruses for Microsoft would simply turn their attention to Linux. It's the cost of being successful.

Re:Only Proprietary?

Yeah...... It's just the ratio of successful malware affecting windoze compared to affecting GNU/Linux is something along the lines of 500 000 000 : 1 or so. It really doesn't make a difference in the TCOs, except on the one side suggested. So please, don't act like a pin head here.

Re:Only Proprietary?

[the_womble]

Linux has a lot less malware. The effect on TCO of counting it would be negligible. That is not true of Windows. Therefore, ignoring it favour Windows.

If we are going to pick and choose what to ignore, lets ignore retraining costs and one-off transition costs. I wonder who will have the lower TCO then?

Re:Only Proprietary?

[Runaway1956]

Pardon me, my young friend, but I believe you are being dishonest. I believe that you are saying that you run Windows, and that you run absolutely no security software at all, and that you have NEVER had any sort of malware problems. If I've misunderstood you, then the rest of this post has little value for you.

In my own personal experience, I've taken possession of a totally dicked up Windows box, formatted, installed Windows from CD, installed a few apps from CD (avast included) then connected to the internet for updates. Within ten minutes, the machine was infected with yet more malware. Within ten minutes. Apparently, some botnet just happened to scan the block of IP addresses that I was in, and took advantage of one exploit or another. But, within ten minutes, long before I had any opportunity to complete updates, it was infected. (Lesson learned was to download AV and updates on a clean machine BEFORE installing Windows.)

Anyone who tries to convince the world that he runs a naked installation of Windows, and routinely browses the internet without viral infections is simply lying through his teeth.

Re:Only Proprietary?

Care to back that up with numbers?

According to wikipedia, the number of viruses etc. written for Linux is 863.

I really cannot see a meaningful comparison of security in this respect between Windows and FOSS.

(Yes, I know Linux is a subset of FOSS, but you see my point).

Re:Only Proprietary?

[Braino420]

Anyone who tries to convince the world that he runs a naked installation of Windows, and routinely browses the internet without viral infections is simply lying through his teeth.

Or connects through a firewall...

Re:Only Proprietary?

[charlieman]

Real world companies use NPV (Net Present Value) instead of TCO. The only reason they make comparisons in TCO terms is because free software wins in NPV.

Re:Only Proprietary?

That's funny... in 7 years of using Linux I've never once gotten a single piece of malware.... I've also never even heard of a malware outbreak for Linux.

Re:Only Proprietary?

[bill_kress]

Man you need to seriously have your system evaluated if you are relying on a firewall alone to prevent attacks. Virtually useless--many entry vectors exist that bypass firewalls easily, and if one of your co-worker's machines are infected, then you have no firewall!

I absolutely refuse to do anything involving my financial information on a PC since I noticed how difficult it was to detect root kits.

Re:Only Proprietary?

[pyrrhonist]

In my own personal experience, I've taken possession of a totally dicked up Windows box, formatted, installed Windows from CD, installed a few apps from CD (avast included) then connected to the internet for updates. Within ten minutes, the machine was infected with yet more malware.

I call bullshit. The only way that you could have accomplished this is to purposely disable the Windows Firewall and connect the machine directly to the internet.

That's just stupid, no matter which operating system you're using.

Re:Only Proprietary?

[Informative]

I recognized your post as being funny.

Troll! What's wrong with kids these days?

Re:Only Proprietary?

Examples or references please? The only virus/malware i've had to deal with on linux is the crap that Symantec has managed to convince sysadmins to install:

http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2005110716014248

Re:Only Proprietary?

[Runaway1956]

Nope. Windows firewall runs by default on XP SP2, if you'll recall. I did NOT disable the firewall. 100% clean install, all default values, nothing changed. I installed Avast before connecting, and ten minutes later, the connection slowed to a crawl. Another few minutes, Avast alarmed out over infections, but failed to clean them.

No bullshit.

http://www.computing.net/answers/windows-xp/bizarre-virus-after-fresh-install/80205.html

It WAS a dialup connection, so there was no hardware firewall, just Windows own software firewall. On my own machines, under the same circumstances, I would have installed Tiny Firewall, but I was unwilling to "pirate" Tiny for a third party.

Re:Only Proprietary?

Ohhh please. People say this and I haven't seen it. Where is this malware?

Re:Only Proprietary?

It's cheaper to re-install the damnd thing. You don't have to buy extra licenses, or buy licenses that allow you to install it multiple times.
I'd be able to clean an entire enterprise system in one day, as long as they have sufficient backups. And it'd be at 1/1000th of the cost.

Re:Only Proprietary?

[ammorais]

Of course you haven't. âHow would you know how much your machine is a Trojan paradise without an antivirus.

Re:Only Proprietary?

[Braino420]

Man you need to seriously have your system evaluated if you are relying on a firewall alone to prevent attacks

My post was simply refuting the parents clame that it was impossible to run a clean computer without anti-virus. I can also come up with situations where a firewalled computer can be compromised, but that isn't the point. Average Joe User behind a home router browsing regular sites w/o ActiveX and not opening executable attachments probably won't have a problem.

Virtually useless--many entry vectors exist that bypass firewalls easily, and if one of your co-worker's machines are infected, then you have no firewall!

All of which require the person inside the firewall to do something. That thing should not be done. In other words, some type of social engineering is needed to trick the user into running the untrusted software. No security system is immune from social engineering, even the precious anti-virus. I would recommend at least a software firewall in the co-worker case.

Re:Only Proprietary?

Yea, but linux malware will all be located in the .wine directory.

That's a lot cheaper than cleaning up malware on windows machines.

Re:Only Proprietary?

[TheSunborn]

There most likely were no windows firewall when he installed. They first included it with SP2.

And it's almost imposible(Newer seen it done) to install a Windows XP SP1 and then upgrade to SP2 before you get a virus. Been there, failed at doing that, had to do an other reinstall where I first burned SP2, many more patches, and an independent firewall to cd, just to install windows, apply patches and then reinsert network cable.

But now I run Linux so I don't have that kind of problems anymore.

Re:Only Proprietary?

[Aphoxema]

Sigh... either I'm good at sarcasm or not good enough...

Re:Only Proprietary?

[someSnarkyBastard]

Only until he downloads a trojan or his web browser runs a malicious script...

Re:Only Proprietary?

[pyrrhonist]

And it's almost imposible(Newer seen it done) to install a Windows XP SP1 and then upgrade to SP2 before you get a virus

Turn on the firewall.

Re:Only Proprietary?

[pyrrhonist]

Nope. Windows firewall runs by default on XP SP2, if you'll recall. I did NOT disable the firewall. 100% clean install, all default values, nothing changed.

You had to have changed something. Either you had filesharing enabled, you configured an exception rule, you configured ICS, or Avast disabled the firewall.

A properly configured Windows Firewall (even pre-SP2) doesn't have any issues rejecting inbound traffic.

Re:Only Proprietary?

[Runaway1956]

There is still something that you apparently miss: Windows has vulnerabilities. Note, from my posts, that I didn't bother to try cleaning up the infection. I didn't even bother to identify it. Bandwidth died, Avast alarmed out, the machine became unresponsive. It was infected, and I didn't want to mess with it, so I deleted the partition and started all over.

Humor me. Let's work backward in time, alright? Vista was released, in part, to correct or patch vulnerabilities in XP SP3. And, XP SP3 was released to patch vulnerabilities in XP SP2. XP SP2 was released to patch XP SP1. And so forth.

Having stated that my fresh install of XP SP2 was infected immediately after connecting to the web, you declare that XP SP2 was a safe operating system, and that stuff like that isn't possible. Or, at least impossible for a "properly configured" system.

Then, why does MS waste their time trying to make their OS more secure, if it is so secure that SP2 couldn't be compromised, out of the box?

Really, you're not making any points here - this is foolish. I know what I did with that machine, I know the firewall was turned on, I know that I had an antivirus installed. I also know that I felt secure in the knowledge that crackers and script kiddies don't waste time scanning lame-ass dial up networks. All the same, the machine was hijacked in front of my eyes. You may believe it, you may dismiss it, but you can't win an argument in which you accuse me of "changing something". Fresh, out of the box installation, hijacked. You can google for more accounts of similar experiences - or not, as you choose.

Re:Only Proprietary?

[mpe]

Of course, if open source solutions like Linux became truly popular, then the folks that spend their hours writing viruses for Microsoft would simply turn their attention to Linux. It's the cost of being successful.

Assuming that it is equally easy to write malware for Linux as it is for Windows. Something which does not appear to be the case due to various factors including security models (as actually implemented) and "Linux" is a far more diverse target than "Windows".
Even when Microsoft software is in the minority, such as IIS, it still appears to be a popular target for malware.

Re:Only Proprietary?

[pyrrhonist]

There is still something that you apparently miss: Windows has vulnerabilities

There is still something that you apparently miss: Every Operating System since the dawn of time has vulnerabilities.

Humor me. Let's work backward in time, alright? Vista was released, in part, to correct or patch vulnerabilities in XP SP3. And, XP SP3 was released to patch vulnerabilities in XP SP2. XP SP2 was released to patch XP SP1. And so forth.

...and going back further Berkley patched vulnerabilities for the Morris worm. This is pointless.

Having stated that my fresh install of XP SP2 was infected immediately after connecting to the web, you declare that XP SP2 was a safe operating system, and that stuff like that isn't possible. Or, at least impossible for a "properly configured" system.

That's right. One of the things I listed was exposed, and that's how they cracked you.

Then, why does MS waste their time trying to make their OS more secure, if it is so secure that SP2 couldn't be compromised, out of the box?

Why does OpenBSD waste their time trying to make their OS more secure, if it is so secure that 4.4 couldn't be compromised, out of the box?

Really, you're not making any points here - this is foolish.

No, you're just so blinded by zealotry that you won't accept the fact that maybe you did something wrong.

I know what I did with that machine,

Did you follow NIST's or SAN's advice for machine configuration?

I know the firewall was turned on,

Did you look at the exceptions?

I know that I had an antivirus installed.

You said that it flagged the attacks. Did the antivirus installation disable the firewall in favor of using its own buggy implementation?

I also know that I felt secure in the knowledge that crackers and script kiddies don't waste time scanning lame-ass dial up networks.

All networks are hostile.

All the same, the machine was hijacked in front of my eyes. You may believe it, you may dismiss it, but you can't win an argument in which you accuse me of "changing something".

Okay, fine, you didn't change anything. Was ICS enabled? What was in the exception list? Was file sharing turned on? These are obvious things to check.

Fresh, out of the box installation, hijacked. You can google for more accounts of similar experiences - or not, as you choose.

All of which have one of the issues that I previously listed wrong with them.

The Windows Firewall when properly configured deflects inbound attacks just fine. Any successful attack is due to improperly configuring the machine.

But whatever, you're trolling, so were done here.

Re:Only Proprietary?

I don't want to sound like a detractor of free software (I actually favor FLOSS as much as I can), but it's not like Linux doesn't have any malware written for it. Sure, it's to a lesser degree, but it's still there and I'm not sure the costs of removing them are systematically calculated into the TCO either.

The degree is so much lesser that I run my Linux machines without such things as an antivirus software for many years (almost a decade now, since RH6.2), and none of them was ever infected. While my Windows machine did manage to get ill, despite the up to date A/V running on it.

Let's talk about real world threat levels, not a real one versus a hypothetical one.

Re:Only Proprietary?

[morgan_greywolf]

Average Joe User behind a home router browsing regular sites w/o ActiveX and not opening executable attachments probably won't have a problem.

And no Flash. And UPNP turned off on his home router. And JavaScript turned off or Firefox with NoScript.

In fact, your scenario is increasingly looking like an edge case by the second.

Re:Only Proprietary?

[Golddess]

That same Average Joe User is probably using Adobe's PDF/Flash viewers, not knowing or caring about any alternatives, so yeah, I'd say they still have a problem.

Now that's not to say that Adobe is the only third-party product that introduces vulnerabilities. iTunes/Quicktime, Silverlight, even the browser itself can introduce additional attack vectors that completely negate the "I don't run ActiveX, I don't execute unknown email attachments, and I'm sitting behind a router, therefore I'm perfectly safe" argument.

Re:Only Proprietary?

[Braino420]

In fact, your scenario is increasingly looking like an edge case by the second.

Again, here is the point: "My post was simply refuting the parents clame that it was impossible to run a clean computer without anti-virus." Edge case or not (although I still think not).

Re:Only Proprietary?

[Braino420]

That same Average Joe User is probably using Adobe's PDF/Flash viewers, not knowing or caring about any alternatives, so yeah, I'd say they still have a problem.

You act as if every site that is using those formats is acting maliciously. It's simply not true. Even in the rare case a mainstream site would be attacked, you would find out about it within a day and be able to take action. Not a big deal and definitely not common.

I've run anti-virus before; it got very old scanning my computer and having the thing freak out over some simple tracking cookies and never a virus. No thanks. I guess some people just go to cooler websites than me.

Re:Only Proprietary?

Ok - I'm no MS or IBM or Open Source advocate - I "swing" both ways. However, one of the reasons business don't like to adopt Linux is that the names of these technologies just aren't sexy enough... who wants to tell their CEO that they need to FLOSS? What kind of an acromyn is that? Geeky enough? Every time I see that name I want to strap some suspenders to my pants and hike them up to my tits then tape my Polo glasses with duct tape and grow a mullet. The Open Source community should take some marketing lessons and stop naming their software after their pets or personal hygiene tools and come up with sexier names to sell their ideas to their potential pimps or customers. The one with the brains doesn't always wear the pants - or hold the wallet - and most pimps and customers are already set in their ways. Hate to break it to you.

Re:Only Proprietary?

[Golddess]

I didn't mean to sound like I thought every site was malicious, but to me it sounded like you were trying to say that as long as you don't run ActiveX, don't execute unknown email attachments, and are sitting behind a router, then you are 100% safe from bad things happening to you.

Re:Only Proprietary?

[bill_kress]

The post, IIRC said someone with a computer that is used to browse the web.

If he didn't, then you could be right, but if there is an assumption they are on the web then all bets are off. There have been dozens of exploits in all sorts of types used by browsers--some that really shouldn't be vulnerabilities at all.

I've seen 2 or 3 in the last couple years that could be triggered just by visiting a web site--from then on, assume you are root kitted.

Also, I'm not saying that running AV software will make it perfect either--none are good at finding root kits last time I checked--none seem to even try.

Re:Only Proprietary?

[WuphonsReach]

You act as if every site that is using those formats is acting maliciously. It's simply not true. Even in the rare case a mainstream site would be attacked, you would find out about it within a day and be able to take action. Not a big deal and definitely not common.

There are quite a few more maliciously defaced sites out there then you'd expect. Most of these attacks rely either on server exploits (SQL injection, PHP exploits, whatever) or weak password security (attacking FTP accounts). Once the attacker is in, they then slip injection code (javascript, a link to a hostile website, opening up a PDF in a background window, loading a hostile Flash object) whose purpose is to attack the visitor's machine and to plant code.

We're not typically talking the mainstream / first tier websites. These attacks are typically more oriented at the hundreds / thousands / millions of second tier websites (recipes, hobbies, pets, health, etc). Sites that you might not even remember going to visit after you find out that your machine has been compromised. Places where the site owner does not have the expertise to properly secure their site.

At the moment, it's a race to the bottom. Will browser makers be able to eliminate infections via Javascript / Flash / PDF before the users revolt and start blocking all JS/Flash/PDF by default? At which point, the only advertising that will work; will once again be DHTML, animated images, or plain text.

Re:Only Proprietary?

Ah, you took a machine running services that are designed to be open to the world (and so have default firewall exceptions), and wonder why it was rooted when those services have known malware. Something tells me you don't know what the hell you're doing, but feel like blaming Windows anyway. Next time you go to help someone out, make sure you tell them before hand that you are incompetent, but you'll attempt to help them anyway.

Re:Only Proprietary?

[thetoadwarrior]

If you're running windows then there is a fair chance that you don't realise you've been infected. Especially if you're not running software to check for it.

Re:Only Proprietary?

[thetoadwarrior]

And a firewall stops stupid co-workers from importing viruses from their home computer via USB and external hard drives? Where can I buy this magical firewall?

Re:Only Proprietary?

[Braino420]

There are quite a few more maliciously defaced sites out there then you'd expect.

How do I quantify that? I'm not saying it's impossible, I'm fully aware that it can indeed happen. I'm just saying it's improbable if the right precautions are taken, and none of those precautions have to be anti-virus software.

Well, I was originally saying that "Runaway" could have been perfectly safe from any remote exploits if he had been behind a home router. I then got alot of replies talking about the user being inside a firewall and still vulnerable to other exploits and all sorts of hypothetical situations, which is valid, but also outside any point I was trying to make. Although I do think such concerns are overrated even sans anti-virus(again, when the right precautions are taken).

Re:Only Proprietary?

Name one, just fucking one!

I am SO sick of this "Linux also have malware" crap. Of course malware is possible on Linux - it's just a program. But I have yet to see one single "Linux virus / worm" take down a LAN or a campus lab -- but I have seen hundreds of Windows boxes die with various malware shit.

So yes, it is possible to have a Linux virus.... but it HAS NOT HAPPENED YET, SO NO COST!!!!

Fuckwit.

Economy..

[bigattichouse]

Makes me wonder how much the latest crop of "storms" like Conficker have contributed to the economy?

Re:Economy..

[Dynedain]

The problem is that for every penny they contributed in direct labor costs to clean up, there's probably at least as much wasted in employee downtime while services are unavailable.

If it wasn't for the fact that it was preventing staff from getting their work done, I doubt anyone would have spent $2 million to clean up Conficker.

I didn't RTFA, but it sounds like their total cost includes both the direct cleanup cost, and some of the indirect cost of paying people to be unproductive during the cleanup.

Re:Economy..

[gbjbaanb]

not just that but it affects the services provided. For example, I know of a police force that was infected by conficker. It got everywhere. The consensus is that the company providing the mobile data interfaces was the original source of infection (but you cannot prove where conficker came from, its pervasive), and for a long while the officers on the beat had to use their handsets as mobile phones - no data, so no event updates and no communication with the CAD system.

I don't know the cost there, but they had con-sultants in from Microsoft to help clear the mess up and they weren't cheap. The infection lasted for 2 weeks, and they had reduced service for several weeks after that.

That's just for Conficker. Remember storm, sql slammer, I love you?

Re:Economy..

[Ajaxamander]

Google "Broken Window Fallacy."

Re:Economy..

[bigattichouse]

Actually, I was thinking more on the reverse side, the cost to the economy, not the "boon" . I should have changed that to "contributed to the economic collapse and/or slowed recovery"

Re:Economy..

[Ajaxamander]

Whew. I was worried there for a second :). Concur. Would love to see some other factors (like this) tallied in terms of overall dollars lost a la this NYT article:

http://www.nytimes.com/2009/06/10/business/economy/10leonhardt.html?_r=1&hpw

Re:Economy..

I love you too.

Cheaper to prevent than fix

[TPJ-Basin]

Instead of spending $2 million to *fix* virus issues, why not hire smarter people to *prevent* virus issues? I'm sure doing so would be much cheaper.

Re:Cheaper to prevent than fix

[ArhcAngel]

That would come out of a different Cost Center which requires pre-approval. The emergency CC is funded for..you know..emergencies and gets funded On The Fly when it is affecting the bottom line. You know what they say "It's easier to ask forgiveness than permission"

Re:Cheaper to prevent than fix

[Bourbonium]

This is a good point that I hoped someone would make. What is not explained in the article is that "Windows" isn't exactly the cause of the problem, but "Windows XP." If systems were maintained and upgraded per Microsoft's recommendations, Conficker would not have been anywhere near as big a problem. Say what you will about Windows Vista, if Manchester had upgraded their systems to Vista on the client side (or at the very least, not allowed users to run XP under Admin credentials), Conficker would never have been able to install itself.

I'm a big promoter of Open Source, but I work in a Microsoft shop where we still have all our desktops standardized on WindowsXP, but we never allow standard users to run as Admin, and we never had any problem with Conficker.

Migrating to Open Source would help a lot, but Manchester just needs better IT support (or more likely, better IT management) all the way around.

Re:Cheaper to prevent than fix

[Z00L00K]

Why not hire nastier people taking care of people behind botnets?

Re:Cheaper to prevent than fix

[Voyager529]

There's no saying that your solution isn't employed. The problem is that in this game of cat-and mouse, the mice have two advantages: manpower and social engineering.

First, As soon as one leak is plugged, virus writers can look for the next. Commercially speaking, the virus writers get paid when they find holes to exploit. Anyone can take time to do this. The individuals working to prevent viruses keep their jobs by plugging holes, but Symantec/McAffee/Trend Micro/ESET/Kaspersky/Your Vendor Here only has so many spots on the payroll for leak-pluggers.

Secondly, it's becoming increasingly common to have viruses mimic security software. Some of the latest crops of malware look incredibly similar to Windows security warnings such that even a reasonably computer literate person would have to take a hard look to be sure that they're genuine. Faking someone else's security warnings is significantly easier than proving that one is original in an irreproducible form.

Honorable mention goes to the bean counters. If the network director/consumer sees two packages, and one is $20 more expensive (or $20/seat more expensive), convincing people to pay extra for it becomes difficult. Even if one can prove that it genuinely does a better job, given the number of people who have let their subscriptions laps for months or years, convincing them to pay for the added security proactively, instead of a specialist reactively, is quite a challenge. Just look at how many people balk at paying for a backup solution before their hard drive bites the dust.

Re:Cheaper to prevent than fix

[maxume]

A well patched XP system was probably never vulnerable to the network propagation of Conficker (tough to say exactly, but Conficker wasn't spotted until the patch had been out for a couple of weeks).

Re:Cheaper to prevent than fix

[MightyMartian]

I'm kind of curious here. Are these guys actually running workstations outside of AD domains? I mean, group policies have been around since the olden days on Windows server platforms, and a well constructed group policy that simply denies the capacity to install software can probably eliminate many of the worms, spyware and the like. Not all of it, of course, which is why anti-virus is still necessary, but if you have a large network and you don't have it locked down, then you're either cheaping out and getting home versions of XP (and even these can be locked down, though it's a lot more of a pain to distribute registry entries than to the GPO mechanism do it), or your IT guys should be fired.

Re:Cheaper to prevent than fix

[venom85]

Exactly. This is the part that gets me. While I'm not disputing that there are costs involved in malware containment or prevention, they should not be nearly as high as the main article describes. If Manchester had simply patched its computers when the patch was released, they never would have this problem with Conficker to begin with. The article says that it hit the city in February, a full FOUR MONTHS after the patch was released. There's simply no excuse for that. I work in a giant corporate machine, and even we get patches pushed out to 10's of thousands of Windows machines faster than that. The cost of prevention is far lower than the cost of reaction most of the time. So while I agree that it's a cost that needs to be factored in, I have a very difficult time believing that it's as high as some of you are making it out to be.

Keep in mind, patching systems to prevent exploits is not something that is limited to Windows either. It's something you should do for ALL operating systems, regardless of the security model or other factors. If you aren't keeping your Linux install and FOSS software updated, you're putting yourself at risk just the same as on a Windows system. Don't ever fool yourself into thinking otherwise.

And for the record, I'm a Linux user (and a huge fan of Linux to boot) as well as a Windows user. So this isn't coming from someone who doesn't like Linux. I'm simply attempting to give it a more objective viewpoint.

Re:Cheaper to prevent than fix

[MightyMartian]

If this is a Windows network, then why isn't Active Directory and GPOs in place, so that even if your dumbest user goes "I guess I need that anti-virus software 'cause that page tells me so", they can't bloody well install anything.

The network I run has several public-access computers. They're all running Windows SteadyState, which allows me to very tightly lock down even Vista Home Basic machines. Everything else is running AD policies that do the same thing.

To my mind, what we have evidence of is an inept IT department, or at least management that's overriding a not-so-inept IT department. I have put my foot down to my superiors on a couple of occasions about not enabling administrative or power user rights, explaining to them that A) it's dangerous and leaves open serious vulnerabilities and B) that's what you pay me to do.

Re:Cheaper to prevent than fix

[gilesjuk]

True, but there's often a balance between having machines locked down and having them usable. This is where Windows often struggles, some software just doesn't behave in a locked down environment.

When you buy some Windows software you can never quite be sure what you need to have locked down, activeX can be a risk but block the registration of activeX controls and you can prevent the software working.

Re:Cheaper to prevent than fix

[Locutus]

the problem is, when hiring people for administering Microsoft software, they are screened and rated on how muscular the index finger is.
 

LoB
 

Re:Cheaper to prevent than fix

[jimicus]

You would be amazed - and, I guarantee, disturbed at some of the total morons in this world masquerading as sysadmins.

The thing is, it's hard to spot them in the hour or so that's available in a typical interview, and a large number of IT managers don't know how to spot them once they've got the job.

Re:Cheaper to prevent than fix

Amen to that. However, as an IT that was involved in the cleanup and prevention, I must say that there is no perfect solution for mass deployment of critical patches in a corporate environment.

Truth is, conficker was incredibly easy to clean up when an infection did occur. All of the information/software/patches needed to contain and remove the virus were freely available.

To say that Manchester needs better support/management doesn't do justice to the underlying issues. Laziness and willful ignorance. Good job Manchester, hope you guys have replaced that support staff.

Re:Cheaper to prevent than fix

[jmorris42]

> The thing is, it's hard to spot them in the hour or so that's available in a typical
> interview, and a large number of IT managers don't know how to spot them once they've got the job.

That second part is the problem because if the Manager had a clue he could indeed spot the ones that only have paper in lieu of actual skills. It isn't that hard to ask a couple of real world questions. It isn't that much harder to set up a real world test. Seriously, if I were tasked to hire admin types on a regular basis I'd cook up a set of virtual images and keep em stashed somewhere. Put a couple of non-obvious problems in that virtual net based on things that have actually happened in my setup and see if they can really fix them. Total open book test with Google allowed since they can have those on the real job. Total worst case cost, even if the task gets delegates to minions who pad the time is a few thousand in labor. Avoid hiring one idiot and you are in the black on the investment.

Re:Cheaper to prevent than fix

[DMoylan]

> if Manchester had upgraded their systems to Vista on the client side...

so they would have spent the money instead on licences of vista? that's a saving! plus most likely having to have their custom software rewritten to run on vista. more expense. plus retraining for staff to use vista. again more expense. plus if they are like any government agency i've had dealings with all the hardware would need replacing to be able to run vista.

Re:Cheaper to prevent than fix

[Bourbonium]

That's what Enterprise Agreements are supposed to address. If you have a Microsoft Enterprise License or Software Assurance for your OS and applications, you pay a lot less than you would if you purchased individual or OEM licenses to upgrade these components. Hardware is another matter, of course, but we replace that as our warranties expire, and all our current desktops are Vista Ready (even though we're running XP Pro). Transitioning from XP to Vista isn't all that hard, and most of my users have Vista on their home computers now, so they wouldn't have any problem at all. Office 2007 does pose some training issues, and there is some significant costs there, but nothing on the order of what Manchester paid to clean up Conficker.

Believe me, I've butted heads with management over these issues since Vista came out, and they're very reluctant to upgrade, despite all the advantages offered by the new releases. I'm also conducting a proof of concept test to persuade them to let us install a Linux enterprise application server on our VMWare cluster to save money on a major application that has a rock solid Open Source alternative, and I'm going to be bruised and bloody by the time it's over, but my IT philosophy has always been pretty agnostic when it comes to the underlying OS. The right tool for the right job, and if the best tool is free, I'm going to push for that. Times are tough, and we have to be careful with every penny we spend on IT resources.

Re:Cheaper to prevent than fix

[Voyager529]

True enough, but everything above still applies to home users, in which case corporate group policy is a moot point.

Re:Cheaper to prevent than fix

[someSnarkyBastard]

Amen to all, mod parent up.

Re:Cheaper to prevent than fix

[mpe]

Instead of spending $2 million to *fix* virus issues, why not hire smarter people to *prevent* virus issues? I'm sure doing so would be much cheaper.

It most likely comes down to political will. Hiring people to make sure things run smoothly often tends to be seen as an excessive cost. If they are doing their jobs "nothing" will happen. Whereas fixing when things go badly wrong is an "emergency" where cost is not an issue.
Even if the result is to rebuild a "house of cards" for more than it would cost to replace it with something more substantial.

Re:Cheaper to prevent than fix

[JAlexoi]

Guess you don't work in a heterogeneous environment even if it's standard OS is Windows.
There are a lot of applications that require admin privileges. And a lot of MS patches do break a lot of things.
If you are a big enough shop, then you will know that before you push the patches to your users th IT dept needs to test the patches with all standard software for a LOT of depts. And you financial dept will not have the same standard software as your sales.

Re:Cheaper to prevent than fix

[mpe]

True, but there's often a balance between having machines locked down and having them usable. This is where Windows often struggles, some software just doesn't behave in a locked down environment.

If the "supported" method is to give the user(s) admin privs then it is likely to be a challenge to find out if it's really just an issue of a few files/registry keys which need permissions changing.

Re:You cannot use viruses/bugs as an example of co

[WilyCoder]

You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.

they must have stupid IT people

[alen]

i've worked in a MS environment for a long time and have seen a few virus infections. not once have we called in any consultants to clean up. in the worst case we have an old NT server that is infected but has to remain operational. solution was to put a free Firewall on it, block all traffic except for a few people that need access to it. still infected, but the virus can't get out. everyone else gets pulled off the network and cleaned up using the normal suite of AV and free tools availalble

Re:they must have stupid IT people

[captaindomon]

Really? You are allowing an infected machine to remain on the network with only a free firewall protecting the rest of your corporate network? Pulling a stunt like that would probably get me fired. It's not a matter of how technically sound the solution seems to be - it's a very high ongoing risk factor to the stability of the rest of the network.

Re:they must have stupid IT people

[Spike15]

Really? You are allowing an infected machine to remain on the network with only a free firewall protecting the rest of your corporate network? Pulling a stunt like that would probably get me fired. It's not a matter of how technically sound the solution seems to be - it's a very high ongoing risk factor to the stability of the rest of the network.

As if the idea wasn't intrinsically bad enough, he said that he puts the free firewall on that box itself! What's to prevent the malware from simply deactivating or circumventing the firewall? Malware has proven itself able to deactivate all kinds of software -- Windows Update, A/V, etc. -- what makes your free firewall so special?

Seriously, disinfecting PCs without reformatting them can be a PitA, but it's still possible. Stop being so lazy / stupid.

Re:they must have stupid IT people

[SatanicPuppy]

Agreed that it's foolish. Some moron is bound to plug his thumb drive into it at some point, and spread the crap everywhere.

Still, we very seldom have viruses on our windows network, and the ones we get are all installed "accidentally" by stupid users, and they never spread because the network is well partitioned, and well configured.

If you're still having virus problems at that level NOW, there is something seriously wrong with the way your IT infrastructure is set up.

Re:they must have stupid IT people

[sofar]

"we'll let this nuclear bomb just explode and make sure there's no one near it."

Nice attitude :)

how do you guarantee your data on that box to be secure if you know it's been compromised? I hope you do not work for any company that I use services from :o

Re:they must have stupid IT people

[RKThoadan]

If he meant real Windows NT 4.0 (or earlier) than the thumb drive isn't an issue. NT doesn't have support for them without quite a bit of work. It's an ugly solution, but given the requirements and resources available it works. .

I would hope they are looking for a more secure long term solution though. At the very least it is possible to manually remove almost any piece of malware if you are willing to dig deep enough. It sure isn't easy though, and doing it without interrupting service is even harder.

Re:they must have stupid IT people

[Finallyjoined!!!]

Have you tried plugging a thumb drive into an old NT Server box? Which hole would you put it in?

The last NT Server box I trashed had 2 PS/2 ports, a VGA port, a parallel port & 2 serial ports. Network port was an add-on card... USB - wassat?

Re:they must have stupid IT people

It's people like this that make it so easy for viruses to spread.

Re:they must have stupid IT people

[jimicus]

Seriously, disinfecting PCs without reformatting them can be a PitA, but it's still possible. Stop being so lazy / stupid.

It's physically impossible to offer a cast iron guarantee that all the malware is gone unless you boot off a known-good CD and do as a bare minimum a checksum comparison of every executable, every library with known good copies (Notwithstanding the known collision issues with MD5). Anything less and there's the risk that the malware has affected the very libraries you're going to use to read all these files and calculate all the checksums.

This is probably overkill for a PC with a single, simple infection but for a heavily infected PC I wouldn't think twice. By the time you've done all that, it's going to be quicker to rebuild the PC. If your users aren't saving all their data to a server which gets regular backups, you deserve all you get anyway.

Re:they must have stupid IT people

[alen]

nice thing about old crappy 10 year old servers is that you can't plug anything in there

Re:they must have stupid IT people

[Penguinshit]

no kidding. In 2005 the multinational I worked for got run through by a worm before patches were released by Corporate. I immediately air-gapped my whole unit, cleaned and applied the required patch individually before allowing a machine back on my "LAN" (coordinated between two separate locations) and then kept my unit air-gapped until Corporate guaranteed me they were clean (which they weren't, as my honeypot later proved...). Fortunately for me I had already swapped out my mission-critical servers to Linux so I was mostly dealing with workstations. My unit functioned at 90% even while air-gapped (corporate email was out but the users took it in stride). My after-action report was circulated and the event figured in my promotion. My predecessor was much more passive and cavalier which is why he was my predecessor and not colleague.

Re:they must have stupid IT people

[godrik]

Unless they use a bios based virus such as the one presented here : http://it.slashdot.org/article.pl?sid=09/03/23/1248214 . I know this one is a prototype, but I still find it relevant.

Can't

[jav1231]

MS can't include these into calculations for obvious reasons. They must proceed as if such vulnerabilities don't exist in order to market their product. What's funny is they don't want you to either. They want to hold themselves up as either "just as good as" the next guy or make excuses for their lack of security.

In the long run this is a cost that need not be spent. There are alternative OS's and it's high time governments, of all entities, started using open alternatives. It's not just costing them in terms of being beholding to corporations like MS but in real dollars as well.

Re:Can't

Its unfair to claim this as a cost of using MS software.
My network of Windows XP 2003 and 2000 servers wasn't riddled with Conficker.

This is plain the cost of skimping on technical IT Staff

Re:Can't

Here's the thing. If you install any modern version of Windows from XP on then out of the box the OS will have automatic updates and a firewall in place. If left in this default configuration those machines would almost certainly not have been infected by Conficker. Now, there's plenty to berate MS about and there's many good reasons to change the default firewall and automatic updates settings of Windows (I certainly do). Nevertheless, when someone does so and they do not have proper systems in place to get necessary security patches applied in a timely manner and put in place other security systems in order to compensate then the fault lies with the user/company not with MS.

Other hidden costs.

[Z00L00K]

The change of the user interface in Office 2007 is one huge hidden cost. It was done to make things "easier" with the result that old users instead have to re-learn the user interface completely and have a really hard time to do even the things that were simple before.

And some things that was easy in the old Office version is now really cumbersome. The style handling in Word is one example that can make the blood pressure rise.

Re:Other hidden costs.

[T-Bone-T]

I'm sorry you have a hard time learning. I do more now than I ever did because it is so much easier to use.

Re:Other hidden costs.

That's just silly. People complained about Office 2007 for a few weeks and surprisingly they figured out most things. And it is funny you should even bother mentioning this. What about KDE 3.5 to 4.0, what about all the weird quirks in Gnome/Nautilus changes.

In all fairness, people will eventually give up and just not bother with things they can't do and either find a different way or stick with the old software. This applies to both Windows and Linux.

Re:Other hidden costs.

The change of the user interface in Office 2007 is one huge hidden cost. It was done to make things "easier" with the result that old users instead have to re-learn the user interface completely and have a really hard time to do even the things that were simple before.

What I find interesting is that Microsoft's TCO claims depend on retraining costs, yet they seem to put the retraining cost for Office 2007 at zero.

You can't switch to OpenOffice because it will be so expensive to retrain your users, but you can switch to Office 2007 with low TCO?

And in line with the subject of this discussion, does Word 2007 still eat large documents the way earlier versions of Word used to? One of the major advantages touted for OpenOffice is "it doesn't eat your files." As a specific example, the master document feature is not recommended.

Re:Other hidden costs.

[westlake]

The change of the user interface in Office 2007 is one huge hidden cost.

The simplest response to this may be to look at the sales charts at Amazon.com.

It's fair to assume that most of these users are on their own - no help desk to call for support. Their time. Their money.

1 Office Home & Student 918 Days In The Top 100
3 Office Home & Student Mac. 596 Days
9 Office Standard Full Version 903 Days
10 Office Small Business Upgrade 562 Days
16 Office Pro Full Version 481 Days
19 Office Small Business Full Version 387 Days
23 Office Pro Full Version 917 Days
24 Microsoft Office Mac Media Edition 230 Days

Software Best Sellers in Business & Office

Re:Other hidden costs.

compare that to *every* interface in FLOSS software being different. Microsoft at least publishes a user interface spec that the majority of developers want to follow to make their software feel familiar to new users right from the start.

Re:Other hidden costs.

Style handling is a million times easier in Office 2007. First, you can preview the style without actually applying it. Then it's unobtrusive but your most common styles are always present. And finally you can break it out really easily & have them floating like you would with the various styling toolbars in painting tools.

Re:Other hidden costs.

Hidden costs in Microsoft Office have been around a lot longer than that. Many places I work for have traditionally done their manuals in Word. Every new release of Word required some amount of reformatting. Anything more complicated than simple business letters will not display/print/edit the same in any other version of Word than the one it was created in.

Re:Other hidden costs.

[recoiledsnake]

I am sure this applies to FOSS as well. For example, the change from KDE 3.x to 4.x.

Re:Other hidden costs.

[asg1]

Seriously?? This was modded +5?? If you consider that learning something new is a hidden cost, then this applies to ALL software which releases new versions... not just Microsoft's. Check your bias at the door next time.

Re:Other hidden costs.

This is one of the hazards of progress. I personally believe that the Office 2007 interface is far more user friendly. The functions in Office are easier to find and the preview abilities make them easier to use. That being said, it is does make life more difficult for people that have gotten used to a particular interface. I can't help but wonder, should a company try to innovate in order to improve their products, at the possibility of alientating current users, or should just continue to do everything the same way so people don't have to adapt to change.

The style handling in Word is one example that can make the blood pressure rise.

You are the first and only person I have heard complain that styles were easier in the older versions of Office. If anything the style handling was the most improved aspect of '07

Re:Other hidden costs.

It takes 5 minutes to figure out how the ribbon works. If you can't do it any quicker, you don't need to be using a computer as part of your job description.

Re:Other hidden costs.

For the little I've used it, I don't like the new ribbon interface, but I agree that the new interface is not a big barrier to usability. However this:

The simplest response to this may be to look at the sales charts at Amazon.com.

Is ridiculous as evidence of the usability of the Office 2007 GUI. Most individuals buy MS Office because that is what they have to use at school or work - it has nothing to do with any vote on GUI usability.

Re:Other hidden costs.

[Informative]

You sound like you work in MS marketing. Not the only reason being that if you don't have a hard time learning then you should have been competent with the previous UI as well.

I do more now than I ever did because it is so much easier to use.

That's cute. Do you do soap commercials too?

Re:Other hidden costs.

[T-Bone-T]

The old ui was kind of scary and hid some of the features. I was pretty good with the old interface but the things you could do weren't quite as obvious or easy to use. Just because I've got something good to say doesn't mean I work for Microsoft. They do get stuff right occasionally.

Re:Other hidden costs.

[Anonymous+Struct]

This might be true for you, but I can tell you first hand we have a ton of users who had Office 2007 foisted on them, and they have not been more productive. They've had to relearn things they were already doing efficiently. And frankly, if any of them were being held back in their work by the old Office interface, I'd eat my hat, because that argument is ridiculous bullshit. If you took all of the quarter and half-seconds they 'lost' by fighting with the horrible old interface (which they've been using forever and can navigate like the backs of their hands), and added them up over all the years they've worked for the company, you still wouldn't outweigh the time they've lost just in the last three months relearning the new interface (not to even mention the wasted time our support team has spent in helpdesk tickets helping them figure it out).

It was a useless change that we paid for in both licensing and man-hours to implement, and it has cost us budget dollars and productivity that we're never going to get back. It's just that simple.

Re:Other hidden costs.

[ajlisows]

I'll tell you what....I actually have grown to like the Office 2007 Interface. I've been using it for over two years now so I get confused using older versions of Office.

I am certainly in the minority though. Most of the people at the Office I work at simply have not adjusted even after using it for an entire year. They absolutely despise it. The amount of time that I have spent showing people where things are (Not to mention department "Power Users") showing other users where things are has been outrageous.

If they felt they needed to do this, I think their big mistake was not easing the users into this type of menu. At least for one release of the software have both available or something. It has been an enormous hidden cost for the company I work at and I would imagine for a lot of other companies that use the Office Suite.

fw;dr

[iamhigh]

Flame War; Didn't Read

But seriously, 2 MILLION to clean up some viruses? I need to move to Manchester and become a consultant!

Re:fw;dr

[MrLogic17]

Flame war indeed.

A properly configured business Microsoft network doesn't get malware infections. (Spam filter, firewall, non-work sites blocked, anti-virus, desktops running as non-admin)

An improperly configured *nix network can be hit by malware. Nuts, even Macs with a wide-open unrestructed Internet connection are going to get into trouble.

Therefore, your TCO for malware is dependent on the ability of your friendly local admin - not the OS.

Re:fw;dr

[dAzED1]

and you don't see that there is a differential there, that subby is suggesting should be included in TCO outlays?

Re:fw;dr

[Daniel+Dvorkin]

Admins have to work so much harder to protect a Windows network than they do to protect a *nix network that the two aren't really comparable. It's like looking at two patients, one who has a papercut and one who has brain cancer, and saying, "Their chances for recovery only depend on the skills of the doctor."

Re:fw;dr

[gad_zuki!]

Right, we dont blame the victim here. Sure the patch came in October and Conficker spread in January. No siree, we cant blame their IT dept for slacking, its all someone else's fault.

Re:fw;dr

[bursch-X]

It's the downtime that give corporations the biggest headaches. If you have to clean the whole company for viruses, you often can't afford running even one machine potentially infecting all the others back while you're cleaning, so the whole company might come to a grinding halt. Considering this 2 Mio. might be realistic.

Every dog has its day...

[greatica]

Linux will have its malware day when it becomes more popular. Broken interfaces, poor documentation, mediocre support, incompatibilities up the wazoo, but dang...I bet it's secure as hell.

Re:Every dog has its day...

[nicolas.kassis]

Troll much?

Re:Every dog has its day...

Did something change since the last time I seriously used Linux? The Gentoo docs and support were pretty good, but for any given package it was a crapshoot.

Re:Every dog has its day...

You are a shallow ass. The truth is painful for you, so you label the delivery man a troll and feel better. Though he wasn't entirely correct, as Linux will never become popular.

Re:Every dog has its day...

You were also using Gentoo...not exactly the beginner's Linux, now is it?

Troll article yes, but

[SatanicPuppy]

What the hell were they doing paying $2.5 million to clean up a worm? Seriously? Hell, you could have paid the guys who wrote it 2 million to exclude your IP range in the fricking code, and saved 500k!

Governments have got to get their crap together on this stuff. When that worm hit corporate here, in luddite central, the number of effected machines was under 30...For the entire corporation! And that's with all properties connected by a corporate WAN.

That they had that level of infection is inexcusable. Shows that they're just wasting money right and left and getting nothing but a crap product.

Re:Troll article yes, but

[Finallyjoined!!!]

Ha! you have no idea what goes on in Government/Local Government IT. I have a friend in the Civil Service, employed full-time, traveling around the UK, upgrading Senior Civil servant's PCs from Wfw3.11 to w2k, yes win2000, in two thousand and bloody nine!!

I have a drinking acquaintance who works in IT, for the "DWP", whose idea of a technical challenge is mapping a sodding network share. Fine you may say, but mapping a share is a full days work for the indolent, technically challenged, overpaid twat.

2 million squids to clean 40 or 50,000 local government PC's. I wouldn't like the contract.

PS I wonder what the effect on the affected machines was?

Re:Troll article yes, but

[jd]

It actually sounds dubiously cheap. There are something like 88,000 students at the universities in Manchester, and probably close to ten times that in the whole of Greater Manchester. (The population in each is around 440,000 and 2.2 million respectively.)

So even if we ignore ALL the costs involved in cleaning up the computers for University and school staff, the city council, the civil service, and all other Government-related facilities, we're looking at $4 per incident.

The REAL cost to Manchester will obviously depend on the exact fraction of machines infected and the exact number of people with machines running Windows in the first place, but a saner estimate of costs would be closer to $40 per incident, and about 1 non-student incident per student incident.

This would give you a cost 80 times greater than the estimate given. You won't find it in any single financial account, because it's incredibly distributed, but it still gets paid for by the same people in the end whether it's on one statement or 2.2 million statements. It's just better-hidden on 2.2 million statements.

If we use Manchester's estimate and assume it applied to the whole country, then Britain as a whole forked over $60 million to clean up the worm. If we use my estimate, it'd be closer to $4.2 billion. Not that it matters which it is, really, it's far far too much in either case.

You're absolutely right that it's inexcusable, and I'd love to know why it was anything like so high. The regional and national computing centres are in Manchester, the University of Manchester has one of the best computing departments on the planet and GMING means that infections should have been easy to identify, trace and block.

With the kinds of resources that COULD have been thrown at the problem, Manchester has really no excuse for there ever having been a problem at all.

Re:Troll article yes, but

[Finallyjoined!!!]

Yabbut. Local govt & the uni's are not connected.........

Wish they were. Imagine students, studying IT, getting paid to remove crap from numpty Civil servants PCs? Ooooh the irony.

Irony is like steely. OK it really isn't.

Re:Troll article yes, but

Government IT workers are for the most part the bottom of the barrel.

Re:Troll article yes, but

"Hell, you could have paid the guys who wrote it 2 million to exclude your IP range in the fricking code, and saved 500k!"

Give me the adress there! (Spoken in true Austrian-German accent).

Re:Troll article yes, but

The bulk of the losses seem to be due to non payment of traffic fines caused by the infection and its cleanup.

The vast majority of the Manchester Evening News' readers were more concerned about the traffic laws which led to the fines in the first place, and were very happy indeed that proprietry software had led to them not having to pay the fines.

This is a typical comment -

Best news of the day. We need a jobsworth virus being unleased on all local authority computer systems.

I'm afraid I can't see Manchester's citizenry in favour of introducing software which would lead to them having to pay up for traffic offences for which they already feel aggrieved.

Re:Troll article yes, but

[averner]

But can you imagine the effects in the long term? It's like making a habit of paying terrorists who hold hostages. You don't pay the bad guys to set things straight, otherwise they'll have an incentive to ruin them even more in the future.

It's fun to dump on MSFT

[Trip6]

An article with a clear agenda against MSFT. See other posts debunking the extra costs and MSFT-only slant.

Re:It's fun to dump on MSFT

[sofar]

Not necessarily, it points out that consultants (often independent companies) are wrongly evaluating software contract offers.

That's a big problem, not just for Microsoft, but especially for large organizations and the companies that evaluate these offers for them. No bashing there.

Re:It's fun to dump on MSFT

[bloodhawk]

The problem is this sort of disaster is not a contract or TCO problem that has anythign to do with MS or Linux, it was a poor IT management problem. They got hit a full 4 months after patches were released. What this article should describe is how incredibly poor IT and patch management leads to increased IT costs and messy public disasters, this is not a MS excusive problem, if you think an unpatched linux server is safe then I have a bridge I would like to sell you.

Prediction

[93+Escort+Wagon]

This story thread will have an extremely large number of posts which are highly moderated, but contain very little original or useful information.

Re:Prediction

[Daniel+Dvorkin]

I'm trying to decide if it's funny or terrifying that your post almost immediately got modded up to +5. ;)

Re:Prediction

[maxwell+demon]

You mean, posts such as yours? :-)

Re:You cannot use viruses/bugs as an example of co

[gurps_npc]

Wrong. Just because there is a logical REASON for Microsoft to have more viruses/bugs than Linux does NOT mean that you should not include such costs when considering whether or not to use Linux.

Yes, your complaint would apply if the entire world was considering switching from Microsoft to Linux. But when I advise my boss about the comparitive costs of using MS or of Linux, I would be foolish to refuse to include costs related to viruses simply because if in a mythical world where people used Linux more than MS then in that mysthical world the virus cost would be lower for Microsoft.

As a busineman, I must live in the real world and base my costs on reality, not your dream world. In reality, currently, Linux has lower virus related costs and I there MUST include the cost to deal with such problems when calculating the lifetime cost of software.

Re:You cannot use viruses/bugs as an example of co

You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.

Citation needed? ;)

Seriously, some data would be nice.

Re:You cannot use viruses/bugs as an example of co

I am not following your argument, since windows has a higher market share than FOSS solutions it is exempt from malware removal costs? I think the point of the article is that while CSS vendors tout that FOSS solutions are not 'free' in terms of TCO, they neglect this cost that affects them more heavily than the completion.

I don't think the reason behind them having the higher cost (higher market share) is relevant. It is a cost, and they have a disproportionately large percent of it, admittedly for a quite valid reason.

Re:You cannot use viruses/bugs as an example of co

[Spike15]

I was about to come in here and post something almost identical to what you said.

I'm kind of upset that I don't have mod points so I can't mod what you said insightful. It's 100% true. People who bash Microsoft for malware are total uninformed idiots, and they make themselves look it by bashing Microsoft thusly. I work in IT, in a 100% Windows shop (the only non-Windows we have is ESX running under multiple Windows installs) and we simply do not have any problems with any form of malware, at all. It's all about taking precautions. I guarantee you that no matter what OS you run, you're going to run into problems if you don't take precautions to protect your software from malicious code.

Sure, you may cut down on these malicious code problems by switch to a non-Windows platform (the smaller the market share the logically fewer malware coders for that platform), but you also have to take into account the downside of using software et al. that isn't innately and intrinsically compatible with what 90%+ of people are running. Of course you can bring up examples of inter-compatibility and interoperability, but the fact-of-the-matter is, is that nothing plays as nice with Windows as Windows. SAMBA doesn't play as nice with AD as Windows does, and WINE doesn't run Windows apps as well as Windows does.

As for these people cleaning up Conficker...talk about a bad example! The vulnerability that Conficker takes advantage of has been patched for what...8 months now? People really still have or are getting this worm? Big shops are still allowing their computers to get this worm? I wouldn't be complaining about the malware or the cost of removing it, I'd be firing the IT department en masse and finding people who aren't totally incompetent -- I have a mother who is totally computer-illiterate -- she can't even open files on her own -- and she doesn't have Conficker because I set her Windows updates to do themselves automatically.

That is how easy THAT is. Considering you anti-M$ people like to accuse the people in Redmond of throwing FUD around, you sure are happy and obvious about being total hypocrites, aren't you?

Right

[dedazo]

To make the comparison fair, maybe a comparison (pardoning the redundancy) between the companies that don't patch and have no meaningful data security policies in place and those who do would be indicated. I say that because Conficker went live in November of last year, and the out of band patch was available in October. A replay of the other ones where a patch has existed well before the exploit was seen in the wild - in fact in the case of (I think Slammer) the exploit was based on what the patch was fixing.

This is especially meaningful in the case of companies who have control over their users' PCs, rather than home users that need to be bothered with letting Windows Update run in the background and help them patch their boxes occasionally. We all know how much of a bother that can be.

Re:You cannot use viruses/bugs as an example of co

[Z00L00K]

Probably because when the web server is IIS it's always the same operating system platform behind, which in turn means that as soon as a breakthrough occurs it's often easy to continue with the penetration.

On an Apache web server you can't tell what kind of platform it runs on, which means that an attack that works on one server may be completely useless on another.

Another Argument for SaaS

Another argument in favor of SaaS applications like http://www.hyperoffice.com. Keeping out viruses in the vendros responsibility and cost, not yours.

There's hidden costs to everything

[caywen]

Maybe the world still runs on Microsoft because the TCO difference just isn't high enough to justify the cost of switching. The cost of migration has to be figured into the TCO of the alternative, despite how unfair it sounds to do so.

Re:There's hidden costs to everything

[downix]

I meet your cost and raise you the cost of regular hardware upgrades necessary to continue running Windows. When XP came out, 256MB was plenty, now with the updates and everything, 1GB is cramped. When it came out, a Pentium 3 667Mhz was plenty, now a multicore multi-Ghz is needed. This too has to be taken into the TCO.

Re:There's hidden costs to everything

What if this mindset were applied to other things? Do you think that we shouldn't bother moving to alternative-fuel cars because it'll be too expensive to change our fuel distribution infrastructure? Do you stick with a more expensive cell provider because it's too difficult to learn how to use a new phone? Do you drive a car for 25 years because it's too hard to learn where all the buttons are in a new one?

Re:There's hidden costs to everything

What about the cost of migration to Vista or Windows 7?

Re:There's hidden costs to everything

It's interesting in the article relating to the City of Munich, that they found the TCO (for them) to use Linux would in fact be higher than Microsoft, but the cost of vendor lock-in was considered to be a high enough TCO factor, it outweighed monetary savings.

  Governments and businesses mave have different priorities, but the issue and costs of vendor lock-in are important when calculating TCO also.

  With a move towards storing everything electronically (even Government documents like tax forms), consider a DMS full of documents in a format that is no longer supported by the vendor... and the headaches that eventuality would cause.

Re:There's hidden costs to everything

The cost of NOT migrating should be figured into the TCO as well!!!

"Opportunity costs" is one of the basic concepts of Economics 101.

Re:There's hidden costs to everything

Your granny will never switch to Linux because she'll get bitched out by 1000 angry fanboys when she asks for help because she doesn't know the 20 steps to get her wireless modem working on her Linux laptop.

Re:There's hidden costs to everything

[Locutus]

except that when there is a large migration from Windows to Linux then Microsoft comes in and sometimes spends tens of millions keeping them from migrating. Only in a few cases have the migrating parties given MS the finger and continued with their Linux migrations and those were so large that it's a multi-year project and people tend to forget about those quickly. The world still runs mostly on Microsoft because the PHB's feel safe and they are bombarded with reasons why Microsoft is great by Microsoft funded research. And the belief that nobody gets fired for picking Microsoft. They may put the company in the red with all the expenses of that choice but it won't get blamed on the CTO or down that chain. IMO
 

LoB
 

Re:There's hidden costs to everything

What fresh bullshit comes out of your mouth! Trying running Ubuntu or Red Hat or any other Linux desktop setup without the hardware you claim Windows requires. Hint, it'll be shit.

Re:There's hidden costs to everything

[nsteinme]

Are you kidding me? Insightful? Migration (out of Microsoft's pocket) is a one-time cost, while the savings from not purchasing "software licenses" adds up year after year. It's just like buying a hotel or a piece of land that gives returns year after year for a one-time fixed cost (economy jokes aside).

Re:There's hidden costs to everything

or we can continue repeating the FUD and lock out the competition.

Re:There's hidden costs to everything

Actually no the cost of migration should not be included in the the TCO. The TCO should be complete but migration is not included. The cost of migration should be divided by the TCO delta and considered an ROI timeframe.

Re:There's hidden costs to everything

[jmorris42]

> I meet your cost and raise you the cost of regular hardware upgrades necessary to continue running Windows.

Sorry but our side pissed away that advantage years ago. Now it takes as much hardware to run a current Linux/UNIX desktop as it does to run Windows Vista. OO.o is a total pig and Firefox gobbles RAM like popcorn. The current desktops chew through CPU cycles like they assume everyone has a multi-core monster and 3D is rapidly going from cool eye candy to required. Think I'm joking? GNOME is working on remaking the desktop with clutter, a GL based system.

If anything Windows XP is the option to keep old hardware in service these days.... that is until errata stops. But at least errata IS still available for XP, try to find a linux distribution that is still issuing bug fixs for a version old enough to run on the machine you were talking about, a Pentium 3 667Mhz with 256M memory. RHEL 2.1 would have run fairly well on that machine but it is EOL. RHEL 3 will install on that machine but you won't enjoy running Firefox or OO.o on it unless you add memory. But you better enjoy it fast because it goes EOL next year. I am aware of no other major distribution still in errata support that will run on that machine. The current versions of the popular (Ubuntu, Fedora, etc.) ones won't even install.

Had we kept the focus on small and nimble we would have had a much better shot when our chance for a major breakout finally came in the form of the netbook. But we had no hardware advantage and Microsoft was willing to take a hit on the license fee to eliminate that advantage.

Re:There's hidden costs to everything

The world would be a better place. If your assumptions are correct, then YES. If I would spend more time re-learning stuff I already can do using my cost per hour, and that's greater than the savings I would receive, then YES. See previous, if everything else remains the same, but it doesn't. As a car gets older it typically becomes less dependable, then you have to figure out how much less dependability would cost me in time, money and *MY* reliability. But as I said, if those other things didn't matter, and everything else is equal, then YES.

Re:There's hidden costs to everything

What about the cost of migration from XP to Vista/7?

Re:You cannot use viruses/bugs as an example of co

Please point out a recent remote exploit bug in IIS. As far as I know, there hasn't been one in years.

I've seen it

Labor to image a PC: 10 minutes

Time to actually image and install software: 1 hour, unattended

Time spent explaining to a user that they should NOT install WeatherBug right after I re-image them for installing WeatherBug: until I ran out of breath

Time spent explaining to a user that imaging will not cause them to lose the contents of drive U: in one case, a 30-minute lecture followed by weeks of her refusal to allow anything to be done to "her" PC, causing her to then claim that my refusal to solve her problem cost her 60 hours of productivity from a barely-working PC.

Re:I've seen it

[wampus]

Why can your users install shit on their workstations? Would you replace Windoows with a Linux desktop and give your users root?

I have an idea

[joeytmann]

How about patching your systems in a timely manner so you don't have to suffer through these reactionary costs? The patch for the exploit conficker used was released in Nov 08. When did conficker start spreading around, Jan 09? Just saying.....

Re:I have an idea

[genghisjahn]

If I had mod points I'd throw 'em your way.

Re:I have an idea

[cyberfr0g]

me too /redundant

Re:I have an idea

[Anubis+IV]

Of course, some companies, not saying names here, have a reputation for releasing patches that introduce more bugs than they fix, even if they haven't done much to earn that reputation in recent years. IT veterans are like elephants though: they never forget. Plus, when you have mission critical systems that need to be online 24/7, scheduling downtime to install a software patch sometimes needs to happen weeks or months in advance (I'm not suggesting this is good practice, just that it does happen), and two months doesn't seem unreasonable if a company wants to take a wait-and-see approach to whether or not a patch is safe to deploy.

Re:I have an idea

What if one of your legacy applications that you rely on is broken by one of the Microsoft patches, causing you to disable updates until you resolve this between the original vendor and Microsoft?

Re:I have an idea

[Evildonald]

The perfect response to a bullsh*t KDawson article like this. I know slashdot has a self-confessed linux bias, but it doesn't mean they need to make themselves look like a$$hats.

Re:I have an idea

[joeytmann]

Oh I agree with you on the fact that some companies have a poor reputation in patch releasing. But if you are that concerned about it affeting your mission critical systems, you should have a testing platform that you can install patches on. All I am saying is with a little planning/prep work most if not all of outbreaks like this could be averted/minimized.

Re:I have an idea

[Threni]

Those costs are just bullshit anyway. They've clearly found people who'll milk them for every penny they can, just like loads of public sector establishments in the UK (universities, hospitals etc). I hear about it first hand, all the time. There are layers of management who just provide pure negatives - they don't have the first clue what they're doing, they get taken out for lunches and cricket matches etc and sign up to whatever shit comes there way, and then badly manage developers who have to work late, under stress, to get stuff done. Those guys are the ones who want a share of the millions of wasted pounds.

Re:I have an idea

[venom85]

I posted earlier before I got to yours, but it was October 2008 for the patch and November 2008 for Conficker. You are correct though, that the patch was out before the malware. Had they patched on time, or even a month later, they'd have been fine. This is an example of a very poor IT model, not poor security in Windows. Therefore it is not a good example for the TCO of using MS products. If you show me a company/organization that patches on time, has a good IT model, good network design, etc., and the cost is still significantly higher than FOSS, then I'll listen. Until then, quit bashing on MS for the fun of it.

Re:I have an idea

That was my first thought. Pay your IT guys a reasonable amount so you can afford good ones and avoid the whole hassle. That's something that is a constant across all operating systems / software variants.

Re:I have an idea

OK

and then we have to switch the discussion to the hidden costs of fixing or rolling back from Microsoft's updates!

Re:I have an idea

[usacomp2k3]

My thought exactly.

Re:I have an idea

[ArsonSmith]

So you are now doubling the TCO of windows?

Re:I have an idea

[DaveWick79]

At this point those "IT veterans" have to make the calculated choice of risk - whether to introduce issues because of a patch which can be easily rolled back, or introduce a virus which could have been prevented by the patch, which takes hundreds of hours to clean up.
Ultimately, regardless of OS, any software patch could potentially introduce issues and in a corporate environment, should be tested before applying them to the entire user base. It isn't that complicated, anyone waiting 2 months to apply a patch is just lazy.

Re:I have an idea

[drsmithy]

Plus, when you have mission critical systems that need to be online 24/7 [...]

If any single system needs to be online 24/7, your architecture is broken.

This is true regardless of what your OS is.

Re:I have an idea

Then if your IT admins are not complete incompetents and are doing there job properly they would take appropriate preventative measures to allow the unpatched machine to continue working without exposing your organisation to risk, really there is no excuse. The patch and workarounds and ways to block exploitation of the patch had been out for months by the time they got hit, only incompetence and poor It administration can be blamed for widespread infection in any company or gov department.

Re:I have an idea

I was going to say this too. We only had a 6 month warning and even then we had at least a solid month warning that something was stirring in the wild. Laziness of companies to patch exploits doesn't equal increased TCO. It means you're wasting money on your Admins and you need ones not afraid to do their job. I guess job security equals not patching things in time and I'm sure a lot of admins do this...

Not going far enough

TJMax and subsidieries was hit with 10 million in fines just from one state, and has had to pay for numerous stolen cards. Estimates are that the WIndows based system that they used to file Applications cost them around 40-50 MILLION DOLLARS. Turns out that it was more than what their IT was costing them from one year. What do you bet that they still have idiots there pushing Windows?

Re:Not going far enough

[joeytmann]

An idiot is an idiot....no matter if he is pushing Windows or not.

Overhead of Running AV and Such

[smist08]

Add to the TCO, the lost productivity because computers running MS Windows, are so much slower because of the overhead of AV software, anti-spybot, anti-adware, popup blockers and such. Every packet that comes and goes from the network and/or disk is scanned several times. Its amazing how fast a Windows computer can be if you turn all these off (and how quickly it will become infected).

Re:Overhead of Running AV and Such

[Locutus]

sssssssssssssssssssh, you're gonna make trouble with talk like that. Stay in line and keep quiet and all will be good and taken care of. Be a good little lemming.
 

LoB
 

Re:You cannot use viruses/bugs as an example of co

so lets see, first you use the typical popularity argument and then follow it up with a personal anecdote.. This does not disprove the article's point. Whether it's due to popularity or bad engineering (or both!! who'd a thunk?), cleaning up after malware attacks IS a large expense when running a windows shop. AV is largely a snake-oil concept at this point. it catches some, but not all attacks, and it's expensive and taxing on clients. long gone are the days of simple, easily detectable boot sector and TSR hook viruses of MSDOS.

Windows is uspposedly DESIGNED for the non technical user though.. If it cannot withstand said abuse (by being maintainable and secure without simply reinstalling), then it fails in its purpose. Usually windows fanboys are the ones saying $NON_WINDOWS_OS is too difficult and that's why it'll never succeed. I have yet to find an OS as unfixable as windows once it gets mangled...and it allows this to happen so easily!

Re:It is the hacker's mentality.

[maxume]

You are confused. At this point, the typical 'hacker' works on whatever systems he thinks he can make the most botnet money from.

Yeah, we should count the TCO

[wubti]

Microsoft is driving the planet to ruin with its wasteful high carbon footprint. All those employees driving and flying to work just for Micorosoft... While FOSS is typically done from the home office... no driving involved. You can include linux as part of your Company's "Green" initiative!

A data point

[rkeene517]

A a single data point, I spent an hour cleaning the K worm off my laptop after a co-worker lent me his memory stick to transfer a file. Cost - An hour of pay plus the frustration of directly not getting important tasks done.

Re:You cannot use viruses/bugs as an example of co

[h4rr4r]

This is totally offtopic, cost is the only thing this is about, not why that cost exists.

Re:You cannot use viruses/bugs as an example of co

I find it hard to compare Apache IIS and XP Linux because generally they are targetting a difference audiences.

Re-loading / Registry problems larger

[frith01]

As many have pointed out, proper virus protection and lock down policies will keep those issues down.

However, re-imaging needed due to registry corruption, debugging software issues on "identical" machines that works in one instance and not another, and many other windows specific maintenance tasks should all be considered part of the over-head that does not exist for a linux installation.

Re:You cannot use viruses/bugs as an example of co

Alright... do you see a ton of enterprise level applications and/or large target websites which run Apache? I am willing to bet that most high priority targets use IIS. I am not saying all websites out there who are a 'high priority' target (Banks and what not) use IIS but there is probably more of them since they put trust in Microsoft. Just like people buy IBM products, because they trust IBM.

But on the plus side...

[gov_coder]

Your system administration is automagically outsourced to china and russia for free!

Last time I checked...

[johosaphats]

Last time my boss bought software, he wasn't concerned about fancy things like TCO, ROI, or whether the software he was buying actually did anything that was useful to us whatsoever. He thought it looked pretty, and that was all the criteria he needed to go on.

What about the other costs of AV?

[goltzc]

My company was hit pretty hard by the conficker virus. It took a lot of users offline for days. The cleanup effort included bringing in a small army of consultants to help fix the issue. After everything was cleaned up and ready to go, IT's response to the outbreak was to kick our Virus Scanner into some crazy ultra cautious mode. The end result of that is 50% of my cpu is being used up by my virus scanner constantly and opening an app or compiling something in eclipse takes substantially longer than it used to. The fact that virus scanning software decreases worker productivity by tying up substantial system resources should be part of the TCO as well.

Re:What about the other costs of AV?

I'd like to see the 'hidden cost' of having workers in the company that are dumb enough to click random attatchments. Seriously. Some people have the IQ of the rubber plants that decorate the office. There should be zero reason to have computers connected to the net that do not immediately apply patches within the hour/day. If your computers are so mission critical that you wait weeks/months/year to deploy a patch then you have no business hooking into the net.

This hidden cost of using microsoft software (or any other kind for that matter) should have been about how users cost you more then the software ever will.

Re:What about the other costs of AV?

[b4dc0d3r]

Between AV scanning and the constant background Update checks, and I should have said "among" because there are other little things as well - my notebook is unusable for an hour every day.

A reboot takes 25 minutes. That's not a typo.
Shutting down takes 5-10 minutes and starting up in the morning takes 15-20 minutes.

That's going from a usable system to off and to a usable system. I'm not talking about until the desktop comes up, because it's still unusable at that point.

My biggest complaint is that disk I/O is a noticeably big resource hog. "System Idle Process" could be at 95-97% but I can't click on anything because somehow disk I/O is happening. It's not the CPU, just waiting for turns on the disk. At that point I can't do anything. I can't even launch Task Manager to see if it's a CPU spike.

My only resolution has been to write a VBScript that uses WMI to set all update processes to low priority, all virus scanning processes to low priority, and turns off Windows Update, and kills the local SMS proxy. Reboot still takes 20 minutes because a lot of junk happens over our retarded network, but at least I can click around in things. It's in the startup folder and takes 10 minutes until it even runs, but by the time I can click on something it has made life significantly easier for me.

I can't tell you how many meetings I've missed the beginning of, even though Outlook is already running and everything is cached offline, because I click on the calendar (or the reminder window) and nothing happens for 15 minutes. THAT should be calculated in TCO.

Oh sure, blame my local IT guys, but I feel it's Windows design that's the fundamental problem. Virus scan, updates, and the scheduler, with possibly disk access routines all part of the problem. My home notebook doesn't have these problems.

Re:What about the other costs of AV?

[achenaar]

Aaaaaaaaaaaand, the terrorists have won.
Neat innit? How this sort of threat looks and quacks just like all the others and garners the same response.
Interesting really.

Re:What about the other costs of AV?

[TheQuantumShift]

I think that's the best part. Everybody running A/V, Firewall, Access Control, Blacklists, Whitelists and everything in between? You are? And you still get viruses? Someday it's going to come out that all this "security" is snake oil. Use a firewall, educate your users, and update your systems. Let your CPU cycles get something useful done.

Re:What about the other costs of AV?

[XMode]

This would be the same antivirus that failed to pick up conficker in the first place would it?

Re:What about the other costs of AV?

SUNBELT VIPRE, What is this conficker thing???

Re:What about the other costs of AV?

[gilgongo]

My company was hit pretty hard by the conficker virus. It took a lot of users offline for days. The cleanup effort included bringing in a small army of consultants to help fix the issue. After everything was cleaned up and ready to go, IT's response to the outbreak was to kick our Virus Scanner into some crazy ultra cautious mode. The end result of that is 50% of my cpu is being used up by my virus scanner constantly and opening an app or compiling something in eclipse takes substantially longer than it used to. The fact that virus scanning software decreases worker productivity by tying up substantial system resources should be part of the TCO as well.

OT, but don't forget that if anti-virus scanning software actually worked, you wouldn't have the damn virus in the first place! I'm going to get modded to troll hell for this, but really: anti-virus software is about as close to a total con-job as it's possible to be without actually going to jail.

Not mentioned

[Tawnos]

For slashdot readers, the not so hidden cost of using microsoft software is the stream of FUD coming from editor kdawson.

Re:You cannot use viruses/bugs as an example of co

[plague3106]

I am not following your argument, since windows has a higher market share than FOSS solutions it is exempt from malware removal costs?

Not that its exempt, its that should people target Linux as much, the figure would likely be the same.

Also, if you keep up with security patches (like you should, regardless of OS), it becomes a non-issue. This is really just FUD aimed at MS, using 2001 "MS is insecure" arguements which are no longer true today.

Re:Still Better than Linux

You are absolutely correct!

Oh yeah

[C_Kode]

Oh yeah? What about all the time I spend clicking that little update button that keeps popping up on my Ubuntu Desktop? Huh? What about that! That takes away from my .... um, web surfing time! :P

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

Last I heard, the most commonly hacked webserver was Apache/Linux. A secure legacy won't protect you forever... now that it's popular, the poor security practices in the platform are beginning to be exploited...

I would say Microsoft is rather catching up and surpassing the linux platform in security, given the recent figures.

There is almost no anti-exploit code in linux, anyway, so once you're through the security, you know exactly where you are and what you're doing. Microsoft has a tremendous advantage, having been targeted for years... their level of defense is now much higher. They withstand attacks the linux platform could never find the resources to repel.

So the cost Microsoft has spent weathering this will reduce the TCO of all their users... and now they're even offering anti-virus software for free. I'd say they're doing fine.

Re:You cannot use viruses/bugs as an example of co

[Spike15]

This is totally offtopic, cost is the only thing this is about, not why that cost exists.

Of course that is what it is about on a fundamental level, but you have to look deeper into the problem(s). For example, why was this problem experienced? The answer is, is that it's because the IT staff obviously were not on top of the maintenance of the computers. Rolling out Windows Updates is not a difficult task, computers can be set to do it themselves, or you can use a centralized roll-out system like WSUS.

This is relevant because the exploit that Conficker takes advantage of was patched by Microsoft in October 2008. The first variant of Conficker was not even discovered until November 2008, so any IT shop that stayed on top of their updates should've never even experienced a window-of-opportunity to be infected.

The moral of the story here is that bad IT practices lead to costly mistakes. This is true under Linux or Windows or any other OS, and therefore this is a bad example, and that's why discussion of the reasons for the cost existing are relevant, since the reasons that the cost exists negates any argument against Microsoft stemming from this particular "example".

Re:You cannot use viruses/bugs as an example of co

[plague3106]

Uh, no its not. Would it be fair to include the cost of frequent breakdowns of Hondas because you're including all those that fail to do even basic maintence? No, you wouldn't include those costs, because you're not properly maintaining the car.. just like malware is spread by people not maintaining their computers.

TCP

[trb]

I think there should be a new calculation:

TCP - Total Cost of Pwnership

Re:TCP

[Opyros]

There already has been.

Re:TCP

[trb]

D'oh. New idea will cost you extra.

Microsoft incompatibility costs too

[Dan667]

They are all but forcing a rollout of IE8, but it is not compatibility with Sharepoint. Don't know how many times I have watch this happen, but there is nothing you can do about it. At least with Open Source you could go in and fix it yourself.

Re:Microsoft incompatibility costs too

[recoiledsnake]

T. At least with Open Source you could go in and fix it yourself.

And have a lot of fun merging in the constant security updates and version upgrade changes.

Re:Microsoft incompatibility costs too

[Dan667]

You could submit the patch to the project, smarty.

Re:Microsoft incompatibility costs too

[badkarmadayaccount]

Upstream merges, meet recoiledsnake. recoiledsnake, meet upstream merges.

Re:It is the hacker's mentality.

[ckaminski]

Which means: write an exploit for EVERYTHING on CERN's list, no matter what the platform.

Re:You cannot use viruses/bugs as an example of co

[ground.zero.612]

You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.

Citation needed? ;)

Seriously, some data would be nice.

http://uptime.netcraft.com/up/today/requested.html

Preventing water damage.

[Ungrounded+Lightning]

Instead of spending $2 million to *fix* virus issues, why not hire smarter people to *prevent* virus issues? I'm sure doing so would be much cheaper.

Instead of spending $20,000 to fix water damage, why not hire a contractor to patch the holes in the roof and walls where the rain gets in?

When you have enough holes in the roof it becomes cheaper to re-roof than to patch.

When you have enough holes in the roof, walls, window frames, floor, foundation, etc. it becomes cheaper to tear down the house and replace it with a tighter, better built one.

The issue raised by the article is whether the "Windows/Microsoft apps" and "Linux/FOSS apps" houses meet that last criterion.

It's instructive that the issue of whether the new house can hold the family ("Is Linux Ready For [whatever]?) is no longer in doubt - thanks to service organizations like IBM's. The debate has moved from whether Linux can do the job to whether it does it cheaper.

Re:It is the hacker's mentality.

[ckaminski]

Did I say CERN? I mean CERT. Gar... damn brain isn't working today. I blame IBM WID-6.1 and that crazy guy asking for Smalltalk support.

Also, don't forget virus scanners slowing down.

[mr_java66]

Also, don't forget virus scanners slowing down your system.

Re:You cannot use viruses/bugs as an example of co

http://www.search-this.com/2007/06/27/microsoft-iis-vs-apache-who-serves-more/

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:You cannot use viruses/bugs as an example of co

[dedazo]

I'm sorry you were modded troll, but maybe you didn't express your point correctly. Let me give it a try.

One of the companies I consult for has something like 30,000 desktops. They were not affected by Conficker in any way shape or form. In fact, I think they were bitten by the "anna kournikova" thing back in 2000 or 2001, and never again had any problems with worms or viruses.

How is this possible? I don't know. Maybe some common sense was involved.

But the premise of this article is that this company - and indeed, every other company in the planet that uses Windows but doesn't have these problems - should factor into their operation of Windows a "hidden" cost that simply does not apply to them.

That's clever, isn't it? It's a great argument, assuming you have the IQ of a sponge to begin with.

Re:You cannot use viruses/bugs as an example of co

[ragethehotey]

since it's universally agreed upon that users / admins had plenty of time to patch the systems before conflicker hit, does this mean I should include the cost of water damage to my possessions when I leave my windows open during a hurricane that I knew was coming?

Re:You cannot use viruses/bugs as an example of co

1. Don't post in reply. If you do, you can't moderate in the same topic.
2. Moderation isn't to suppress ideas with which you don't agree. There is no "-1 Disagree", nor is there a "-1 Wrong" moderation.
3. Think. Seriously. This post belies your sloppy thinking in at least three ways.

Re:You cannot use viruses/bugs as an example of co

Well, so long as netcraft confirms it...

Re:You cannot use viruses/bugs as an example of co

[namoom]

One other thing to note here is that this is not just a comparison of OS look at MS office vs openOffice, you will still get the viruses inherent with the OS but you are using open source. ur organization has used multiple open source apps to our success saving the company hundred of thousands, but we have also chosen some open source "free" products that we put so many cycles into that we paid literally 10 times the cost of the closed source product

Re:You cannot use viruses/bugs as an example of co

[koreaman]

What the fuck are you talking about, you fucking idiot? It makes perfect sense.

i must point out....

[kevinroyalty]

that I do IT support for MANY small businesses. a lot of them don't want to pay for properly keeping their malware/virus software up-to-date and healthy. the result is infection, and the cost to clean it up. So, my point is a lot of these costs are brought on by the businesses themselves and these costs should not be in any calculation against or for any platform. you can put the cost into the "stupidity" column if you wish :)

Re:i must point out....

[turbidostato]

"you can put the cost into the "stupidity" column if you wish :)"

But then do not forget that "Linux is difficult and you will need very expensive sysadmins, but Windows is easy and even a drunk monkey can manage it". When your clients don't want to pay for hardening their systems they do because they already payed for Microsoft products and they were sold on Microsoft products because they are simple and functional, so their "stupidity" is a direct output from the fact they are using Microsoft. You can put the cost into the "stupidity" column if you want it but don't forget that the "stupidity" column still does sum up to the TCO of choosing Microsoft by design.

Re:i must point out....

[kevinroyalty]

It was not my intention to turn my point into a MS vs Linux debate. I think we all know how productive that can be :) It doesn't matter what platform you use - there will be vulnerabilites (a/v, backup, etc) that must be addressed. A lot of businesses of any size seem to think they won't be affected so they don't want to invest in a proper solution. they get bit, then b*tch about the cost of making it right. Had they properly invested in the protection in the first place, they never would have been bitten. Kevin

does require expensive support staff

[fermion]

Way back when, MS got itself into businesses by being cheaper than Unix. Seriously. I worked on a vertical application solution and the MS solution was cheaper than 1/3. For a small business, this was significant. We had no problem paying the money, as we were going to make money, but there seemed little reason to be little reason to spend the money just to get the (declining) industry standard solution. Add to this that, at that time, MS OS was a reletively simple structure and basically any minimal competent person could set it up, the MS solution would end up being an order of magnitude cheaper.

Fast forward. MS only produces complicated behemoths. To this day MS Windows has not completely understood it is a network OS(perhaps 7 will do it). It is no longer the case that a part time person can keep 20 machines running. And when something does happen, it can be very difficult to fix. A single event can require a complete reinstall of the OS. I've made mistakes of going to a wrong web site and had this happen on a completely up to date machine. I have allowed untrusted parties to run my MS machines and have had significant damage caused within the hour. MS machines are the dependable work horses they once were. It now requires a significant infrastructure to keep MS machines a production. The best case scenario is to treat each machine as a RAID, keeping data off the machine, and using a standard HD disk images. Doesn't this sound like the pre-MS days of the so-called inefficient mainframe. MS is worried about this and has began a defensive campaign against IBM.

I would argue that MS machines are now, overall, as expensive and inefficient as the Unix machines were when ATT tried to save themselves with the introduction of this machine. This does not mean that MS does not have value, at least to legacy customers, but it may not be the best choice for startups, as Unix was the not the best choice in the late 1980's.

I can point to an exact time, around 2000, when MS became too expensive to use. It was a time whem MS would accuse paying customers of theft. Force customer to undergo intrusive and expensive audits. Require support staff to be redirected from supporting the customers need to make a profit, to the MS need to make a profit.

In light of this, I think we are going to see non-MS solution, just like we say non-ATT and non-IBM solutions. The biggest impediment to this is the easy supply of reliable naked PCs with full support to the SOHO owner. I think some companies, like Gateway, made a mistake in continuing to hook their saddle to the MS bandwagon instead of providing *nix solution for common business problems. In many cases, smart firms buy solutions, not an OS.

Re:does require expensive support staff

you should be totaly incompetent if you need more then 1/3of a normal day to run network of 20 computers. It should be no problem for anyone whoo spent 1-2 years administrering network to handle 20-30 users, router, firewall, web server and email. get yourself another job. Like managing venture funds - they need more talks and no skills.

Re:does require expensive support staff

[ajlisows]

It is no longer the case that a part time person can keep 20 machines running. And when something does happen, it can be very difficult to fix. A single event can require a complete reinstall of the OS. I've made mistakes of going to a wrong web site and had this happen on a completely up to date machine. I have allowed untrusted parties to run my MS machines and have had significant damage caused within the hour. MS machines are the dependable work horses they once were. It now requires a significant infrastructure to keep MS machines a production. The best case scenario is to treat each machine as a RAID, keeping data off the machine, and using a standard HD disk images. Doesn't this sound like the pre-MS days of the so-called inefficient mainframe.

I assume you are talking about this in terms of the corporate environment. In that case, why would you not keep data off the machine and use a standard disk image? Users keeping data on their machines is a problem. That data is generally inaccessible to other people that may need it and more importantly, is a hard drive failure away from being gone forever. I think most corporations strongly discourage keeping data locally.

Not having some disk imaging software if you are managing any number of machines is crazy. You certainly do not want to use the default installs of Windows that are sent to you by the desktop manufacturers so you want to have disk images anyway. Most of the client manager's out there also allow you to transfer files and install select software packages as part of the imaging process. To think that any decent sized company has someone sitting there loading Windows from scratch just seems wrong.

Realistically, if the IT staff needs more than say...75 minutes to take a computer, transfer files, drop a new image, and install needed software on it they are doing something wrong. Because of this it is more effective from a perspective of the cost of an IT Employee's time to do it that way instead of troubleshooting a bizarre issue that could take them several hours to fix. Yeah, that is a crappy way to approach troubleshooting from the point of view of someone who likes to get into the nuts and bolts of a system and I would prefer to find a fix to problems instead of just dumping an image, but it is sensible from a cost of ownership point of view.

Re:does require expensive support staff

[mpe]

And when something does happen, it can be very difficult to fix. A single event can require a complete reinstall of the OS.

Which may well not solve whatever the actual fault is thus needing to be repeated.

It now requires a significant infrastructure to keep MS machines a production. The best case scenario is to treat each machine as a RAID, keeping data off the machine, and using a standard HD disk images.

Which requires both time and additional software to manage. Probably another thing which might not make it to a TCO "study".

Re:does require expensive support staff

[Bent+Spoke]

All the above is true. However, it ignores one factor: inertia. Non-MS solutions must also counter the inertia of the widespread conventional wisdom of the MS way is the only way.

Dumn

I appreciate that free software is great. It does 95% of what most people want and does it for free. What more could one want?

But so much about this "article" is invalid. It does nothing but hurt the credibility of the author.

You don't need to make spurious arguments to bolster the argument for free software.

It's more secure because of RPM/DEB

[Nicolas+MONNET]

Windows has file permissions, too. Thats not the issue. The issue is more RPM/DEB and the fact that most users can install all they need through a trusted channel (yum/apt).

Re:It's more secure because of RPM/DEB

[HeronBlademaster]

You're essentially complaining that "being root lets you do stupid things". This is a given, and this is why we don't run as root all the time. I can't think of any distributions that don't make you log in as root (or use sudo) by default in order to install things via apt/yum/whatever.

Re:It's more secure because of RPM/DEB

Fedora with package kit. After the admin allows you the first time, that privilege can be saved so that user can always install signed packages.

Re:It's more secure because of RPM/DEB

[colinrichardday]

Yes, RPM/DEB are nice, but how do I disable the execute bit on a JPEG file in Windows?

Re:It's more secure because of RPM/DEB

[HeronBlademaster]

But you provided the key to that problem yourself. I'll quote you so it's clear:

so that user can always install signed packages.

(Emphasis added.) Presumably your average porn site won't be trying to get people to install a signed package, and presumably your repository admins aren't going to be signing packages containing viruses.

Re:It's more secure because of RPM/DEB

[someSnarkyBastard]

yes, that's part and parcel of being root, with great power comes great responsibility so be careful throwing those rm -f's around. However, most folks who either run their own system or administer an enterprise server know this (hopefully) Windows gives root access to computer-illiterates and lets them have said ultimate power to fsck the entire system up 24x7. By comparison, most modern distributions either require you to retype the root password every time you run su -c "foo" or give a 5 minute grace period as with sudo. Hell, several distributions, such as Fedora, completely disallow graphical root login, you cannot even open a graphical program like gedit as root, you either need to use a command-line editor (cue vim/emacs/nano flamewar) or sudo. Point being is this, Linux is far more restrictive with how much you get to use super-user powers than Windows.

Re:You cannot use viruses/bugs as an example of co

Maybe it's just you?

Getting real

[onyxruby]

First, you have to take into account that costs such as the cleanup cost likely could have been readily avoided simply by having tight computer security standards to begin with. That expense had as much to with the security vs user convenience issue as it did with Windows. Any environment can be made insecure by caving to user desires regardless of the operating system in use.

A properly locked down windows environment can be fairly secure, the problem is that users can no longer use their computers the way they want to and they complain. User complaints such as those typically win out until such time as convenience starts to cost real money for cleanup. The cost of incompetence or catering to users should not be factored into any cost case for any product.

Think outside IT, to something like shipping oil overseas. The fact that a single given ship has an incident that costs tens of millions of dollars to cleanup because the captain was incompetent and ran aground does not take away from typical shipping costs at all. It simply shows the cost of administrative or managerial incompetence. If you want a true cost comparison you need to compare sites that follow best practices for the industry and look and see what their costs are.

Understand I am /not/ saying that Microsoft would / is the cheaper product, but comparisons that include incompetence are misleading at best.

Re:You cannot use viruses/bugs as an example of co

[rodrigoandrade]

>as soon as a breakthrough occurs it's often easy to continue with the penetration.

Does IIS scream and moan during this penetration??

Re:You cannot use viruses/bugs as an example of co

[Foredecker]

How about supplying some data for that super broad statement.

Also, we're talking bout client systems here, not servers.

Re:You cannot use viruses/bugs as an example of co

[zx-15]

I don't get it, what prevents the attacker to try every recent vulnerability on that host, and he even guess some information about operating environment based on server replies it's not like this hasn't been done before. I suppose your criticism is valid but, if the attacker is serious about breaking into a system running apache he's probably got some exploits for more common operating system anyway, so this makes things a little bit difficult, but not by much.

Re:You cannot use viruses/bugs as an example of co

[BagOBones]

I wish I had some mod points right now.

what is the cost of responsibly using anti-virus?

[Latinhypercube]

c'mon. everyone and his dog knows to use anti-virus. it isn't microsoft's fault it's the most widely used and abused os.

Re:You cannot use viruses/bugs as an example of co

Drop the friggin' troll mod you buncha Linux fan boy a$$hats. These articles nauseate me to no end. When are you clowns gonna realize Linux is a solution looking for a problem. Windows has its problems and so does Linux. If and when Linux gains market share it will receive its fair share of attention from malware writers. The poster is right- you can't use viruses as a cost of ownership. If you can, then I am going to count all those driver issues with Linux I had in the past as part of the cost. While I'm at it I'll include the number of times I had to RTFM because some j@ck0ff didn't have the courtesy to provide a pointer- you know who you are!

Re:You cannot use viruses/bugs as an example of co

[Sir_Lewk]

You cannot use viruses/bugs as an example of cost

Sure you can. The reasons why these viruses and bugs are a greater problem for windows are debatable and irrelevant. It doesn't really matter if it's because of their massive market share, it still costs the user to clean up just the same. We are not trying to be fair, just realistic.

Re:You cannot use viruses/bugs as an example of co

[morgan_greywolf]

You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.

Citation needed? ;)

Apache is far more popular: Netcraft confirms it! Attacks, on the other hand, are probably about equal, though, IME, security hardening Apache on *nix is far easier than security hardening IIS on Windows.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:It is the hacker's mentality.

[camperdave]

Hackers target Microsoft software only because it is much more popular than non-Microsoft software.

It probably goes a little deeper than that. Most malware writers, because of the popularity of Microsoft software, probably cut their teeth writing programs for Windows. They may know the Microsoft APIs backwards and forwards, put put them on a linux box and it might take them an hour just to get "Hello World" working. Everyone knows the HKML\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry entry, but what is the linux equivalent?

Are you crazy?

[sonciwind]

It's the freeware that most commonly spreads viruses and Trojans. The article does not attribute the cause of these problems to Microsoft at all. Did confiker get distributed by installing Microsoft products? No.

Re:Are you crazy?

[AstronomicUID]

Does conficker get "installed" at all in non-Microsoft operating systems?

Re:Are you crazy?

[sonciwind]

That doesn't automatically make it Microsoft's fault. If your Mom gets raped, is it your Mom's fault? All operating systems and software have some kind potential weaknesses. Microsoft happens to be the big target. But, I'm sure you already know this. It's Microsoft's fault for having software that is so great it out numbers all other software 10 to 1 in popularity?

Re:Are you crazy?

[AstronomicUID]

That wasn't my point. I'm just trying to point to the fact that there is a saving associated with avoiding Microsoft products.

not so accurate

[binaryseraph]

You know, we give a lot of flack to Microsoft for their crap OS's and products. And yes, there are a lot of security holes and threats that crop up- but this is because it is the most popular OS on the market. Were any other OS to suddenly take that share I can assure you we would see an increase of viruses and exploits in those systems. Its not like Microsoft is creating these viruses, nor are they responsible for their replication (as much as I would like for them to be). This comes down to computer users with either malicious intent or ignorance to the dangers of computing.

Don't have any Karma but...

[FatJuggles]

I'll say it anyway. Man, shut the f*ck up already!

I get that this is Slahdot and bitching is a way of life here, but can we please just put this shit to rest. People use whatever technology is good for them. Each has costs, each has benefits, each has security issues, each has usability issues, each has moron users, each has technical users that can hack it to make it work, each is attacked by criminals to exploit, each can be used by governments where they see fit, each can be used by non-profits where it fits, and each can cost whatever the f*ckin' money it wants, each can be bought by whomever in a box, DVD, flash drive, ftp, torrent, or whatever...

I like to see lists of how your use of it has benefited you..."I use it and I like it because I can do x,y, and z which is what I needed" This shit of, "your dick is small so we can't really talk about my man-boobs" argument is starting to annoy me.

Re:Don't have any Karma but...

[turbidostato]

"People use whatever technology is good for them."

Wrong!!! People use whatever technology they *think* is good for them. That's what marketing is for.

"Each has costs, each has benefits, each has security issues, each has usability issues, each has moron users, each has technical users that can hack it to make it work, each is attacked by criminals to exploit, each can be used by governments where they see fit, each can be used by non-profits where it fits, and each can cost whatever the f*ckin' money it wants, each can be bought by whomever in a box, DVD, flash drive, ftp, torrent, or whatever..."

Which is far long to say each share the same costs, which is the very point of the article.

Re:You cannot use viruses/bugs as an example of co

[BikeHelmet]

It's well known that huge organizations leave stuff unpatched for long periods of time. Wasn't it reported that the US Air Force took something like 6-12 months to roll out patches? They got a unified version of XP from Microsoft to simplify patch deployment time down to 60 days.

Yikes!

Re:You cannot use viruses/bugs as an example of co

[wheeda]

The company I work for tried switching. I really sucked. I submitted countless tickets to the IT department to fix printing and pdf. Yes linux can print some stuff. Yes linux can open some pdfs. But doing out of the ordinary things like trying to print an A3 pdf landscape apparently rarely gets tested. Not being able to set printing defaults across all applications really is stupid (ubuntu). I would have gladly paid the microsoft tax out of my own pocket just to get the satisfaction of actually being able to get some of the most basic functions of my electrical engineering job done.

ALL software has "hidden costs"

[musicalmicah]

Excel crashes, Exchange has quirks, Apache conf files can be a headache, and 75% of the operating system installs I've done have resulted in some level of headaches, whether Windows or Linux. Most human beings don't have the time, skills, or inclination to deal with these problems. While I've never witnessed this Windows vs. Linux argument happen in a fair and non-evangelical way, I think acknowledging that these costs exist for all software is a first step.

Re:ALL software has "hidden costs"

[guyfawkes-11-5]

Excel crashes, Exchange has quirks, Apache conf files can be a headache, and 75% of the operating system installs I've done have resulted in some level of headaches, whether Windows or Linux. Most human beings don't have the time, skills, or inclination to deal with these problems. While I've never witnessed this Windows vs. Linux argument happen in a fair and non-evangelical way, I think acknowledging that these costs exist for all software is a first step.

Yes. I use both, and found the same. Linux may be more secure, but can be difficult to set up, especially for a noob told to RTFM. Windows, less secure, but a helluva lot easier to setup!

Millions in lost revenue.

[Ungrounded+Lightning]

But seriously, 2 MILLION to clean up some viruses?

According to TFA a lot of that was things like lost revenue from traffic tickets that died because a deadline passed while they couldn't be processed and penalties for delayed payment of obligations.

Re:You cannot use viruses/bugs as an example of co

[MooUK]

No, it submits passively.

Re:It is the hacker's mentality.

[maxume]

Yah, but you start with the exploits that will give you access to the largest number of systems and work your way down.

Exploits of web/cgi programs seem pretty frequent (and I have seen those systems used to then attack desktops).

Re:You cannot use viruses/bugs as an example of co

[zieroh]

I expect your shop is 100% Windows precisely because you're too macho to accept the many good reasons why a shop that is 100% anything makes you vulnerable.

Your arrogance will be your downfall.

Re:You cannot use viruses/bugs as an example of co

http://news.netcraft.com/archives/web_server_survey.html

Re:You cannot use viruses/bugs as an example of co

Ahem..
Plese go look up fingerprinting, both active and passive, and revise "you can't tell what kind of platform it runs on".

Thanks

It's more than just those costs

[HangingChad]

Malware and virus cleanup do cost money, but there are other costs routinely left out of cost estimates. I've seen enough of them to know.

- Cost of anti-virus software. The reps will claim that's a wash because you still need A/V software for Linux. BZZZT. You still need a firewall and scanner for email attachments but not software to guard every workstation on your network. If you use corporate Gmail, Google does a pretty good job screening out the email nasties. All for $50/user per year. Cheap compared to Exchange.

- The cost of patch testing. The time it takes to research and test patches before they're rolled out. And the cost of spending hours in the MS knowledge base researching why X stopped working on Wednesday only to find something was hosed by automatic updates. You have one expense or the other, sometimes both.

- The cost of CALS. That's one that used to really chap my undies. It wasn't enough to pay for the software, then you had to buy a license so other people can use it.

-The cost of training. Which, ironically, is one of the things MS throws up as a hidden cost of switching to Linux. Every couple years you'll be going back to class for...something.

Some of those might have changed since I left the last MS shop...I hope so anyway. Life is so much calmer, less complicated and less expensive in a non-MS environment, you have no idea until you try it.

Re:It's more than just those costs

[hesaigo999ca]

Are you enjoying your environment?
Linux, or Mac?

Re:It's more than just those costs

[HangingChad]

Enjoying the peace and quiet a great deal.

Ubuntu on the desktops, CentOS on the server side. The field people are still using Windows laptops. The only Windows desktops are kiosks for a couple Windows only apps which we could virutalize, but what's the point? We had the old Windows boxes laying around, why not use them?

But we're not going to replace them with another Windows box, either. When they're dead, they're gone.

Re:It's more than just those costs

[MightyMartian]

- The cost of CALS. That's one that used to really chap my undies. It wasn't enough to pay for the software, then you had to buy a license so other people can use it.

Not just the cost of CALs, but the cost of figuring out Microsoft licensing rules. I got nailed on a SAM review because I'd bought a 5 CAL pack and configured them as user CALs on a Server 2003 install licensed via Software Assurance. I was told "those have to be installed as device CALs or you have to buy five new CALs".

It's fucking insane, or much more likely, designed specifically to trip people up so they have to go and buy the same goddamned thing again. In my case, I just switched it to device CALs as they requested and got on merry way. I didn't tell them that I'm putting together a Samba file server for our document storage needs, and that will free up about 20 CALs of the appropriate kind, so it's not likely, unless we get substantially bigger, that I'll ever need to buy a Windows Server CAL again.

Re:You cannot use viruses/bugs as an example of co

[Bemopolis]

waitasec... #4, www.bing.com, runs on *LINUX*? Man, the kool-aid in Redmond must SUCK.

Self-fulfilling prophecy

[XanC]

You've done your part!

Re:You cannot use viruses/bugs as an example of co

[maxwell+demon]

If you know that you tend to forget closing your windows, then yes, that damage should be included in your considerations. For example, while you may generally value windows which can be opened higher than windows which cannot, you might nevertheless decide to put a window which cannot be opened at the room where your computer resides, because then you cannot forget to close it, thus preventing potential damage to your computer.

Money to be saved today, possibly long-term also

I agree there would be a virus/malware problem in Linux, possibly approaching the severity we see in Windows today, but only if the majority of users switch to Linux. Until they do (and maybe EVEN IF they do), there is money to be saved by avoiding the MS-based viruses and malware. Although all platforms are vulnerable, the frequency of attack is predictably higher on Microsoft systems (and we have all known this for YEARS). I would go so far as to say the cost of virus mitigation exceeds the cost of training users on a new OS.

Re:You cannot use viruses/bugs as an example of co

[jedidiah]

"hacked" and "infected" are worlds apart.

This is the difference between your personal server being
rooted and the entire internet being brought to it's knees.

It's like the difference between needing to go to the hospital
because someone decided to stalk you and then shoot you versus
getting some plague like disease for going out in public.

Being hacked generally requires personal attention on the part of
some conscious assailant rather than just some automated bit of
malware exploiting some fundemental design flaw in the software
you're using. ...and there is "anti-exploit" code in Unix. It's probably been
around longer than the comparable "code" in DOS and Windows. The
fact that Unix is a harder target and it's users are intolerably
smug doesn't mean they aren't thinking about the problem.

Re:You cannot use viruses/bugs as an example of co

[zieroh]

The answer is, is that it's because the IT staff obviously were not on top of the maintenance of the computers. Rolling out Windows Updates is not a difficult task, computers can be set to do it themselves, or you can use a centralized roll-out system like WSUS.

You've failed to address one of main reasons why "big shops" don't get updates out in a timely manner: The need for updates must be carefully balanced against the likelihood that updates are going to disrupt mission critical systems.

As an IT guy, you should probably know this. Maybe your systems aren't so critical, and you can afford to believe the absolutist tripe about how it's the IT staff's fault for not getting the update out in time. IME, the real world is rarely so black-and-white, and keyboard badasses that make grand pronouncements are rarely worth listening to.

Re:You cannot use viruses/bugs as an example of co

[snowraver1]

Further to that, bing.com has more views than google. Also, what the hell is tooooop.net?

Re:You cannot use viruses/bugs as an example of co

[BobMcD]

Mods: That wasn't trolling. It is technically incomplete, but isn't meant to detract from the conversation. Please don't use the mod system in this way. Cherish your points and use them to make /. a better place.

As to the comment at hand, doesn't the greater perceived vulnerability of MS Windows offerings make for a more costly patching infrastructure? You can say 'if you keep up with security patches', just so long as you're willing to acknowledge and compare that cost. Are you?

this is stupid

"For example, the UK city of Manchester has just paid out nearly $2.5 million to clean up the Conficker worm"
so they spent extra 2.5 millions because they don't turn on windows update, and now they blame microsoft?

Yes,yes,yes

[hesaigo999ca]

Yes, its about time we include these extreme costs for keeping a bad or insecure environment working...
I work exclusively on windows with .net at work, and I am constantly reminded of the daftness of it all,
having all these extra security measures and application, to narrow down chances of getting any viruses or malware etc.

Sure there are some rootkits and viruses for linux, but between you and me, how many compared to windows.
As for the costs of admins for linux, yes...they might be higher, but when you compare how much it costs to bring in techs all the time because windows was scrapped or some server lost its boot sector, etc, etc...they lean towards linux and not windows in terms of cost efficiency.

I try talking to management about linux in a vmware environment to get used to it, and let them experience, the basic equivalency between both worlds...but there is always that linux is too complicated movement...I keep using what they want...
although if ever they did change over to linux, then we would have to get an euqivalent to Visual Studio for linux, because this is the best tool from MS that is a full monopoly to date.

I would love to see some c++ borland suite try to tie in all different modules for creating in house development that allows you to tie into your office suite, etc... as well students are coming out by the thousands trained with .net where as regulr c++ or python or php, they tend to be fewer than....so until this changes ....the movement will stay M$...unfortunately.

Re:Yes,yes,yes

[night_flyer]

> Sure there are some rootkits and viruses for linux, but between you and me, how many compared to windows.

and if Linux had the majority of the market share, they would have the majority of the viruses.

Viruses are written for the greatest impact.

Re:Yes,yes,yes

[Requiem18th]

> Sure there are some rootkits and viruses for linux, but between you and me, how many compared to windows.

and if Linux had the majority of the market share, they would have the majority of the viruses.

Viruses are written for the greatest impact.

Virus can be written for Linux it doesn't mean they'll get anywhere. The security model of Linux/BSD is way superior to Windows. Fact is, if every business desktop and server changed to something other than Windows most virus writers would quit the job because it would be too much pain for too little gain.

Re:Yes,yes,yes

[msclrhd]

http://gizmodo.com/373779/linux-last-man-standing-in-pwn-2-own-thunderdome

Re:Yes,yes,yes

[hesaigo999ca]

Thank you, at least someone else who feels the same way about linux vs. windows overall.

Cannot use Hubbell as an example of intelligence

[Runaway1956]

To claim that Window's insecurities aren't part of the true cost of Windows is genuinely dishonest. If you run Windows, and you DO NOT invest in security measures, you are a complete and utter fool. If you run Windows and you invest in inadequate security measures, then you are a mere run of the mill fool.

Any mission critical computer with sensitive information on it has to have expensive security software installed, and it must be supervised and monitored frequently. It is EXPENSIVE to keep a Windows machine "secure".

Only the basest of MS fanbois will say the same about *nix. Granted, only an idiot would set up a *nix machine without setting up a firewall, permissions, and other accepted security measures. But, an idiot can indeed manage to set a box up, and to run it for extended periods of time without problem, because *nix has a lot of security BUILT INTO IT. (Well, as long as our idiot doesn't run as root all the time - nothing can save an idiot from himself if he disregards ALL security measures.)

Re:You cannot use viruses/bugs as an example of co

[jedidiah]

There's one big fat gaping hole in your argument.

Not everyone is comfortable with changing their systems on a whim.
They believe in little things like "testing" and "change control"
and they aren't going to just "throw something in" cowboy style.
Other stuff might break... important stuff.

So you can't always assume that end users are able to participate
in an endless cycle of changes to their important software.

In general, products should not be sold broken.

Re:You cannot use viruses/bugs as an example of co

Not that its exempt, its that should people target Linux as much, the figure would likely be the same.

On what basis can you draw that conclusion? Is "being a target" as a result of "market share" the reason that Microsoft has so many exploits? Do you believe that even a portion of the exploits were due to poor development? Don't take my response to mean that I don't think Linux won't have an increase in discovered exploits, but making the conclusion that it would "be the same" is a bit of a leap without anything to base it on.

Mij

Re:You cannot use viruses/bugs as an example of co

plague3106 (71849) posts:

Not that its exempt, its that should people target Linux as much, the figure would likely be the same. Also, if you keep up with security patches (like you should, regardless of OS), it becomes a non-issue. This is really just FUD aimed at MS, using 2001 "MS is insecure" arguements which are no longer true today.

And Sir_Lewk (967686) posts:

So how much does Balmer pay you to troll here? Or is it just that your only technical qualifications are an MSCE and, feeling self-concious and unsecure about this, you need to troll for microsoft to give yourself a feeling of job security?

I think it's clear who the troll is. At least plague3106's post was relevant to the discussion and a valid opinion. Your post was just a stupid cliched personal attack.

The cost of OutLook

[WheelDweller]

There's an airport in Indy that has two men on payroll, specifically to rebuild Outlook as a messenging-agent, every week when it takes a dump. This is needless, especially since Zimbra's done so very well on wide rollout.

Can you imagine trying to hire two people because Postfix goes down every couple of weeks? Unheard-of. But people will do anything for Microsoft.

And we're not even figuring-in the cases where a man loses $30,000 removed from his bank account, and spends six YEARS trying to get it back, becauase of malware.

Malware is very, very expensive. And Microsoft is quite the petri dish for growing such problems.

Don't tell me that, when Linux gets big enough, it'll have 2,000,000 viruses out in the wild, too. That stable of viruses was grown because it's done in closed-source and/or to cause people to buy support.

Linux, now, is larger than Apple, and still has less infections and malware trouble. I don't see a time when TWO MILLION viruses will be tolerated by the Linux brotherhood.

Re:The cost of OutLook

[gubol123]

I call bullshit. We have have around 400,000 Outlook installation. We have seen hardly any issues. Whole MS office support staff is around 6 engineers.. Come on....

Re:You cannot use viruses/bugs as an example of co

[mea37]

That's a bit myopic.

Sure, you can advise your boss that his TCO will be lower on account of malware if he goes with Linux. I'm not even saying it's a bad idea.

Of course, so can everyone else who picks up on this meme.

And as that argument sways more users toward FOSS, the cost/benefit for malware writers will change. Maybe we hit an equilibrium point that's less prone overall than today's monoculture, but there are reasons I doubt it. (I think the concerns of monoculture are overstated when the opponant is intelligent rather than random; and I think business will always push toward a monoculture anyway.)

Based on the information available today, predicting the future-looking TCO associated with exploit of software bugs on one platform vs. another is futile. With MS we have a track record from which to say "not good"; for FOSS we have no reasonable track record. So to me, that's background noise. I'd love to see an experiment to collect good data on the malware cost of FOSS.

This would work itself out if we had real competition on security among software vendors - which is why I don't say it's a bad idea to advise switching toward a 2nd vendor be that a FOSS solution or anything else. But it's hard to make that scale in the business world without interoperability, and the players in the market don't want to risk becoming commodities. Good luck.

Even better - imagine a world where the customer doesn't bear the cost of the vendor's mistakes. I know, crazy...

Re:You cannot use viruses/bugs as an example of co

[Bert64]

Then most users need simpler devices. Windows is far too complicated for the average user to keep securely connected to the internet.

Re:You cannot use viruses/bugs as an example of co

Is Microsoft's Bing being hosted through Linux?!

4 1893 www.bing.com 33 104 37 Linux unknown Akamai Technologies

Re:Viruses proportional to installed user-base

The Microsoft TAX!!!!!!!

Re:You cannot use viruses/bugs as an example of co

[ichthus]

You mean like Google, or Amazon? Or, are they too high-profile?

Pedantic

[mcrbids]

Douglas Adams' bowl of petunias thought "Oh no, not again". "Oh my god" was not part of the petunias' thoughts because it's widely known that petunias are, by and large, atheists.

Re:Pedantic

[LoyalOpposition]

While that might be true in "this" lifetime, it wasn't in previous ones.

-Loyal

Re:Pedantic

[SpooForBrains]

Although since the Petunias were actually the (briefly) reincarnated form of Agrajag, whose every life was cruelly ended in some way by Arthur Dent, that particular bowl of petunias would certainly have more of a reason to reconsider their theistic position, given the evidence of a. reincarnation and b. a cosmically evil sense of humour in control somewhere.

Re:You cannot use viruses/bugs as an example of co

[wampus]

Believe it or not, there are a whole lot of Microsoft users and some of them like their products. Automatically assuming someone is a shill because they speak positively about Windows is just plain retarded.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:You cannot use viruses/bugs as an example of co

[KingPin27]

Interestingly enough I've worked on systems that have software interface that claims to be APACHE while serving up IIS pages --- I hardly trust info being served up about web servers -- http://www.evolt.org/node/60160

Re:You cannot use viruses/bugs as an example of co

[Darkness404]

Ever heard of a mass Apache exploit that was exploited in the wild? I doubt it. But ever heard of Code Red? There has been no massive exploit of Apache systems in the way that MS systems have been routinely compromised with the various worms such as Code Red, Nimda, and Code Red II.

Cleaning up Conficker?

It's funny. I followed the instructions at trendmicro.com which involved stopping the dnscache service via the command-line and running a web-based scanner. For an enterprise where Internet access might compromise the domain, you could have used Trend Micro's retail products.

Still, it wasn't very hard.

--Sam

What? Bing.com using linux?

[140Mandak262Jamuna]

The netcraft link shows Bing.com using linux. Really? Quite surprising. Microsoft wants to take on google, and it could not/would not do it with windows boxes?

Re:What? Bing.com using linux?

[jimicus]

No, Microsoft use Akamai as a frontend to most of their major websites.

Re:What? Bing.com using linux?

[turbidostato]

"No, Microsoft use Akamai as a frontend to most of their major websites."

And so letting know their client-base that if they need to reach for massive public Microsoft is not up to the challenge... you know what happens to Caesar's wife.

Malware is beside the point

[loudmax]

The cost of malware is beside the point. MS has improved security in their product tremendously over the past several years. It's now possible for a competent admin to run a secure Windows server. But the social cost of a monopoly software vendor is larger and the price is more deeply hidden. For a typical small business that wants to run an office suite that's interoperable with their customers and vendors and perhaps some piece of third party software that's relevant to their line of business, there just isn't much choice. Their options are:

  * Macs (since MS supports their office suite on Mac), but they have a single hardware vendor and few options for commercial third party software.
  * Open source, which is great for those of us who understand the technology, but not everyone wants to do that for a living. And commercial third party software options are even fewer.
  * Microsoft.

So for a small business, the choice to go with the dominant software is pretty obvious. The thing is, the overall benefits of using MS software have little to do with technical merit. MS is better at some things and worse at others. By far and large, their main advantage is they control so much of the ecosystem.

The cost here is born by society. MS software may be far better than it was a decade ago, but to think that the market is better served by a single vendor than by competitive free enterprise is to ignore centuries of economic history. So an individual business may save money by going with the flow, but the economy overall suffers from the lack of choice.

Re:You cannot use viruses/bugs as an example of co

[Bert64]

But Apache has always had a much higher marketshare than iis, and has been around longer... IIS has improved in recent years, but look at the stats on attrition.org when that defacement mirror shut down in 2001, iis had about 25% market share but accounted for something like 60% of website defacements.

These days apache does generally count for more defacements, but is also still the most popular server... The stats dont say how sites were hacked, wether its a bug in the webserver itself, some other way that someone got access to the underlying os, or bugs in web based applications....

most php applications are hosted on apache because apache hosting is widely available cheaply, and php is extremely easy to learn which encourages people with very limited abilities to write php code, much of which is extremely poor... learning other languages such as aspx or jsp is harder and the hosting costs more so you tend to have less apps written by total novice programmers.

Re:You cannot use viruses/bugs as an example of co

this is indeed the problem when you have windows

Re:You cannot use viruses/bugs as an example of co

[jedidiah]

A car WEARS OUT.

The oil in a Honda is a physical thing. It will break down chemically over time due to age and heat.

What is the comparable process in a computer?

There isn't any.

There's no good reason for the system software to require "maintenance"
to deal with bit rot. The only reason "maintenance" on software is
required is because it is sold to the customer BROKEN. This is why Microsoft
software gets infected with malware.

This notion that Linux or MacOS doesn't get hit due to lack of "popularity"
is just a self serving dellusion that Lemmings tell themselves to avoid
acknowledging the truth that they've been conned and duped and continue to
be conned and duped and don't see a good alternative.

Many of the older computing platforms were rife with malware because they
provided a suitable breeding ground for malware. Large numbers had nothing
to do with it. This is a historical fact that Lemmings continue to try to
gloss over any time they claim that malware is about "popularity".

A Honda is built not to implode at 60,000 miles. This is why you can drive
one for 300,000 miles. Your level of dedication to the product really doesn't
have that much to do with it.

Windows is no Honda.

Re:You cannot use viruses/bugs as an example of co

[techno-vampire]

Also, if you keep up with security patches

With Microsoft, patches are sent out once a month, with very rare exceptions. That means, if a security issue is found on Patch Tuesday and fixed 24 hours later, it's not made available until next month. With Linux, patches are sent out as soon as they're ready, not on a fixed, arbitrary schedule.

Re:You cannot use viruses/bugs as an example of co

[zonky]

They might well be serving bing regionally through Akamai's web application accelerator. So bing runs on IIS at microsoft, akamai serves to customers on their edge platform.

Cart before the horse...

[bugnuts]

MS Windows has so many worms and such because it is a prime target, and the malware criminals get the biggest bang for the buck by targeting it. FOSS OS's have several proof-of-concept worms and such, but it's not the same thing because the user base and different OS versions make malware and worms bear far less fruit.

When you consider a single operating system designed to run on many types of machines and has a high adoption rate, a single bug can make many machines vulnerable. E.g. Windows. FOSS OS's are not a single operating system... it's more like 50 different OS's and distributions running on many types of machines from FPICs to 10,000 node supercomputers. This, combined with the low cost:benefit for malware authors targeting 50 OS's instead of one, makes the infection rate very low. So comparing Windows to many different OS's (as if it's a single competing OS) is not a fair comparison.

If at some point the unheard of became true and everything went to FOSS we'd have the same issues we have with Windows. One or two FOSS operating systems would become most prevalent, and thus, would also become the new targets. Suddenly, the TCO would go up significantly for free software.

Although it's true that the TCO may be higher for Windows, the reasoning of the summary's conclusion is ass-backwards. The TCO will go up on any OS that has a very high adoption rate, because the attacks will be proportional to the number of users. I strongly suspect that the cost of malware cleanup is a constant, weighted by the adoption rate of the particular software. There may be some other factor such as community involvement in reporting and fixing issues, but then you have people donating free time which flies under the TCO radar.

Be aware, I'm no windows apologist. But the original cost of your software doesn't matter for the TCO considering cleanup costs; what really matters is how big a target it is. Use something obscure and present a useless target, and your cleanup costs will generally be lower.

Re:You cannot use viruses/bugs as an example of co

[jedidiah]

> Would it be fair to include the cost of frequent breakdowns of Hondas
> because you're including all those that fail to do even basic maintence?

No, but if you are comparing a Ford to a Honda it is VERY fair to include
the costs of repairs you will be subjected to by the Ford DESPITE the fact
that you take it to the dealer for EVERY recommended maintenance item.

It is also VERY fair to include the cost of buying and entirely new Ford
because the first Ford DIED while the Honda is still chugging along and
hasn't even required it's first major repair yet.

Re:You cannot use viruses/bugs as an example of co

I'm the curious AC from above.

I don't see "list of attacks is here, list of owned machines is there"... What is that Netcraft link supposed to mean? Yes, we all know that Apache is more popular, but I'd like to know about which web server is more secure - one running Apache, or one running IIS. I can't find that data ANYWHERE.

Re:You cannot use viruses/bugs as an example of co

Linux
-Less Viruses
-Free

Microsoft
-Ease of Use

You may spend less on fixing the once in a while bugs, but you will spend more on training, any development, and conversion.

While Microsoft is still evil, it is alot more useful and quicker to complete tasks. I am sorry I love C# and hate Java and PHP. Microsoft just currently has majority of the better solutions.

Additionally majority of applications that work on Linux will work on Windows, but the reverse is not always true.

The route problem is that you have poor programmers at microsoft, and poor IT maintaining system.

Re:You cannot use viruses/bugs as an example of co

[krewemaynard]

http://uptime.netcraft.com/up/today/requested.html

http://uptime.netcraft.com/up/graph?site=www.bing.com You have GOT to be kidding.

Re:You cannot use viruses/bugs as an example of co

[Runaway1956]

Citations? Yes, yes, yes, a *nix box can be broken into. Of course it can - anything that one man builds can be broken by another man. But - citations that *nix boxes are "commonly" broken into? Evidence that more *nix boxes are hacked than Windows boxes are?

Until citations are presented, you'll pardon me for thinking you are spouting some foul smelling substance that should be ejected at the other end of your digestive tract.

Re:You cannot use viruses/bugs as an example of co

[gurps_npc]

Actually, I am being cynical, not myopic.

I believe that the majority of corporate bosses are too stupid to pick up on this meme for the foreseeable future.

I am sure that in 30 or forty years it may become a problem, but by that time I will have retired.

In addition, many of the "costs" Microsoft calculates are in fact dependent on Linux being less poopular than MS. If everyone is using Linux, then the costs to retrain etc. will NOT be present.

No, Microsoft is not allowed to put in tons of "Linux is not the primary system people know" costs and then exclude the "Linux is not the primary system people write viruses for" costs.

Not to me at least.

Anonymous Coward

Let's say I hire an Architect and a Building Contractor to design & build me a building, and then the doors & windows on that building won't keep people out when locked, or the building keeps crumbling apart, or catching on fire; What do I do? I first direct the Architect and/or Building Contractor to fix their deficiencies in the design or construction of the building. If they cannot or will not do so, then I take them to court and ask for compensation including putative damages for my losses due to a defective building. Software makers need to be held to the same standard. Until done, we will continue to get buggy, incomplete, insecure, and just down right broken software delivered to use every day.

Re:You cannot use viruses/bugs as an example of co

If a great majority of Honda owners do have a cost due to frequent breakdowns and Toyota users don't for whatever the reason, then why wouldn't you include at least some portion of that cost in the comparison.

We aren't talking about some small shop here and there. A great majority of the Windows user base does spend a lot of resources on this issue (preventative and reactive). As an average Windows user, you are targeted a lot more, and you do need to expend far more resources to deal with this issue. I don't really see the discussion point.

Re:You cannot use viruses/bugs as an example of co

[phantomcircuit]

Fingerprinting is absurdly far from perfect.

Most if not all load balancers are linux which means a fair number of sites running IIS appear to be on linux when you do TCP/IP fingerprinting.

Re:You cannot use viruses/bugs as an example of co

[Richy_T]

So now for the TCO of Windows, we have to also include the cost of a team of crack security experts who are on hand to install, evaluate and remediate security patches on a near immediate turnaround. Right you are.

Re:It is the hacker's mentality.

[Chrono11901]

well that depends on the Linux distro....

Re:You cannot use viruses/bugs as an example of co

[bertoelcon]

Due to the fact that windows has had a 90+% marketshare since the dawn of time, do you really think people are gonna waste time writing viruses for the 6 people using a mac or the 2 people using linux? No, they aren't. It's cost benefit analysis at it's finest, they're aiming for the larger audience, just as they are doing now with firefox which was claimed to be 893589023x more secure than IE, but as soon as it gained popularity the bugs/exploits came out of the woodwork like fucking crazy. I personally use windows, and prefer windows, and since XP came out have never had a problem with it myself. The biggest problem with computers is they're technical machines which lend themselves to needing to have technical knowledge in order to use one safely/correctly....which the majority of people do not have.

Since XP came out, really thats all? SHIT, I have been using a keyboard longer than I have a pencil. You really should check all sides before you get stuck on one or another being almighty. Playing devil's advocate really could atleast give you a basis for fanboish arguments, since there are certain parts done better and far worse on the other sides.

Re:You cannot use viruses/bugs as an example of co

[Khyber]

"The oil in a Honda is a physical thing. It will break down chemically over time due to age and heat.

What is the comparable process in a computer?

There isn't any."

MECHAINCAL HARD DRIVE FAILURE. CAPACITORS POPPING FROM HEAT AND AGE.

What were you saying?

Hidden cost of hiring the wrong people

I worked at a major company with thousands of windows desktops when one of these big worms hit. Exactly one machine was infected and it was only because someone had violated policy and hooked up their personal laptop to the network. Two people were automatically paged, they cleaned up the mess from home and increased the surveillance on the network.

The key thing was this company hired top notch security and admins and let them do their job.

This is really the cost of hiring unqualified people just because they MCSE's and the like. In many aspects of business, this is the correct thing to do, because the law protects you. In the case of your infrastructure, this will protect you from stock holder lawsuits, but it doesn't make you look good.

Re:Hidden cost of hiring the wrong people

[turbidostato]

"The key thing was this company hired top notch security and admins and let them do their job."

Do you think they went for free or at a cost? And do you think that once hired everything was done or that such a staff needed counseled further costs on antivirus/malware fees and appliances, on test environments, on hours to develop and test proper policiesIf at a cost... don't you think proper all these things should be added to the TCO of the solution?

"This is really the cost of hiring unqualified people just because they MCSE's and the like."

Isn't it Microsoft's slogan that it's very easy to manage and competent technicians cheaper than their unix colleages and is it not the MSCE the very approved means from Microsoft to mark a valid professional for its products? Oh, and by the way, does Microsoft give MSCEs for free now, or are they at a cost too?

Re:You cannot use viruses/bugs as an example of co

[JoeMerchant]

The "real world" cost I find most annoying in dealing with software licenses is the human bandwidth cost of dealing with software licenses. The fact that an expense is involved launches all sorts of machinery within the company, requiring input from accounting, legal, management, etc. to determine which is the best choice, are we wasting money here, etc. Compound this with vendor's menu of selections that have to be considered, explaining the menu options to each concerned player, etc. etc. Then, if it is a renewable license, there's the annual annoyance of paying for the update, do we still need it? do we have to do accounting to the licensor? sales calls from the vendor, etc. When it's free, it's free - use it, or not. Simple decision, tons of hours saved simply because money is not involved.

There are other factors involved in deciding which software is "best" for a particular need, but if a "free" software will do the job adequately, it is saving several man days per year to use a "free" software as compared to having to turn the crank on the money machine.

Other hidden costs...

[Bert64]

These studies often fail to take many things into account...

One of the most common security issues i see with windows based networks, is a lack of patching for third party apps... A lot of places install the windows updates these days, but then they have ancient versions of various third party apps like av tools, remote management software, adobe acrobat etc... There is no single integrated way to update everything like there is on linux.

There is also the cost of third party apps which are needed on windows but come by default with linux distributions (and are therefore easily updated as part of the distro too, reducing patching effort)..

Linux also makes it easier to remove unwanted default apps, a smaller install will have less things that need patching and thus reduce the burden of testing and deploying patches.

Then there are various standards that you might need your network to comply with, such as PCI, where there are various requirements such as having remote logging for all devices... linux supports syslog out of the box, as do 99% of networking devices, windows doesn't and requires (often expensive) third party software. A lot of these standards are orders of magnitude cheaper to achieve with linux than windows.

Re:You cannot use viruses/bugs as an example of co

[bertoelcon]

waitasec... #4, www.bing.com, runs on *LINUX*? Man, the kool-aid in Redmond must SUCK.

Microsoft doesn't want bing.com to get attacked by the same malicious entities everything else they run does?

All arguments here are irrelevant

[aarenz]

The real issue is when there will be full lines of software available for Linux or other operating systems. How much does it cost me to run 2 OS's in an environment because I can not find software that will run on Linux to perform my corporate functions that are industry specific. The real cost will come out when all software uses browser based interfaces. Until I can get all of my applications covered by software that can run on Linux, I would have to hire two sets of staff to support the two systems and then a whole new team to keep the interaction between the two of them stable. If most people spent as much time planning a windows environment as is spent with a Linux environment, things would be a lot more stable. The quick and dirty installs of Windows are the problem. If you checked, you would probably find that nearly all corporte Windows installs have the common user escalated to local admin for ease of support. If all Linux users ran their browsers and other applications as root, the same world will eventually arrive, a bunch of unsupportable crap.

I am done ranting now, move along, no more to see here.

Re:Cannot use Hubbell as an example of intelligenc

[Khyber]

"To claim that Window's insecurities aren't part of the true cost of Windows is genuinely dishonest. If you run Windows, and you DO NOT invest in security measures, you are a complete and utter fool."

I must be the smartest fool on the planet, then, because I haven't had any infections in several years and there is no protection on my XP machine - no firewall, no anti-spyware, no anti-malware, no anti-virus. I don't even have a registry cleaner.

Worst issue I get is a poorly designed cd crack making some of my legit "insert disc to play" games not function properly.

Not an inherent cost of Windows

[Loki_1929]

This is not a hidden cost of Windows, but a hidden cost of having ignorant admins and/or management. If you're spending $2.5 Million cleaning up a virus infection, you've done something terribly wrong along the way. Most machines in most places of business maintain the same software day-in and day-out. Those machines should either be booting via write-protected remote images or using something like SteadyState to keep everything running perfectly. The servers should have correctly created permissions and security which make viral infections nearly impossible. The rest of the machines should be locked down with policies, limited privilege accounts, and software providing protection from infections. They should also be regularly imaged (as in nightly to a SAN/NAS/etc).

That's just the common sense little stuff. There's plenty more that could be done as well, but just the above will all but guarantee you never see a multi-million dollar cleanup bill regardless of your choice of OS.

Re:Not an inherent cost of Windows

[Kenja]

Yup, more or less the way it (should) work.

That being said I've run into stupid people. One CFO was pissed off that my email system wouldn't let him open an attachment in an email from his 'friend' so he brought in his own lap-top, plugged into our network, used his own email client to pull down the corporate mail and open the attachment. The resulting virus went through the whole network zeroing out any file ending in .doc, .xls, .c, .cpp, etc. Took all night to restore from backups.

I've also had a Unix (solaris) server be compromised and used to host German DVDs. Nothing interesting, just crap like dubbed versions of "I know what you did last summer".

Re:Not an inherent cost of Windows

[mpe]

This is not a hidden cost of Windows, but a hidden cost of having ignorant admins and/or management.

They are somewhat linked in that Windows was sold of the premise of not needing "expensive admins". Thus you typically end up with a complete mess.

Most machines in most places of business maintain the same software day-in and day-out. Those machines should either be booting via write-protected remote images or using something like SteadyState to keep everything running perfectly. The servers should have correctly created permissions and security which make viral infections nearly impossible. The rest of the machines should be locked down with policies, limited privilege accounts, and software providing protection from infections. They should also be regularly imaged (as in nightly to a SAN/NAS/etc).

This is so radically different from the way that Windows is typically used that replacing Windows with something else probably wouldn't be any more shocking for the users (and management).

Re:Not an inherent cost of Windows

[Loki_1929]

That's where you get into router-based anti-virus/anti-malware, IPsec on individual machines (protects you from the rest of the network and the rest of the network from you), VLANs, etc. You can really go to extremes with a lot of other stuff, but you start killing usability once you go too far. That said, attempting to restrict the CFO's actions on the machines he's using and is responsible for probably isn't a great approach. He'll simple bypass whatever restrictions are put in place (which he did in your example) and open up new attack vectors to the network (which he also did). So long as his machine is locked down with solid and up-to-date antivirus, he's VLAN'd off from anything he doesn't need, his server access is as isolated and permissionless as possible, and you've got recent images of the machines he's using regularly, let him blow the thing up as much as he wants.

If he's doing it regularly enough, start filing weekly or monthly reports on areas where IT's time is spent handling preventable issues and keep track (as much as possible) of how much time is being spent poorly along with suggestions to reduce that waste. If the leading "preventable maintenance" (or whatever workplace politics sensitive term you want to use) is the CFO's own stupidity, perhaps it will spur some realizations and/or change. It not, at least you're covering your own arse when the CFO is complaining to the rest of the upper management about how his computer is always down.

Another way to approach it from a design/prevention standpoint is to sit and ponder on how much damage any given person could do (outside the IT administration) if they went nuts and wanted to do as much harm as possible. Ponder how much trouble you could cause if you sat at their computer(s) and did everything bad you possibly could using only their access/permissions. At that point you can really start seeing areas where they have access to stuff they'd never need in a million years. Does the receptionist whose entire job is to answer phones and make coffee have access to the financial database? Why? Do the sales guys have access to support docs? Why? Maybe there's a good reason they do in either or both cases, but ask the questions (to yourself if you know). When users only have the access they actually need to do their jobs (and 99 times out of 100 in every company I've ever seen, everyone has vastly more access than they need) and are locked out of everything else, the chances of a major problem from things like viruses/spyware/malware/trojans/rogue employees/etc are reduced by orders of magnitude.

And if things aren't set up right at a company where you're working, but you're tasked with fixing the chaos which invariably ensues, make it a point to reform the little stuff first (access/configuration for those lowest on the totum pole) since management won't care and then work through a plan that fixes problems in ascending order of impact for the managers who are most likely to kick up a fuss. Look at where you are, come up with a realistic ideal design, and then plot a course that takes you there. Free time to work on that is tightest at the start when you're stuck sorting through the disasters of poor IT infrastructure design, but every step toward the ideal will help with that. For the secretaries who can't help but spyware up the machines every day with flash games and such, SteadyState will solve 90% of their self-inflicted problems with a simple reboot. Train them to do that before calling you and you'll already be leaps ahead of where you began.

Doing consulting for a lot of different companies and institutions, I've turned a lot of regular customers into customers who virtually never call up with a problem that requires much effort. They'll add new things, update things, and occassionally break something minor, but they just don't have the "omgomgwe'retotallydownpleasepleasehelpusrightthissecondorwe'lldie!" panic attack inspiring support requests anymore. I've found that whatever platform you choose to use, sane infras

Re:Not an inherent cost of Windows

[amotion]

So, having such knowledgeable admins that can maintain a Windows user base in such an advanced way should not be included in the TCO for Windows??! What is your definition of TCO then? Just buying the thing off the shelf?! And what happens when you include the users' frustration of having to use such a bogged-down machine (where for example you would have trouble listening to your music, using your favorite text editor or web browser) in the calculation of the TCO? I bet that even if Linux had to be paid for, it would still have a lower TCO!!

Re:Not an inherent cost of Windows

[kencoe]

This is not a hidden cost of Windows, but a hidden cost of having ignorant admins and/or management. If you're spending $2.5 Million cleaning up a virus infection, you've done something terribly wrong along the way.

But there is an important point to be made there, as well. Microsoft advertises the large number of Windows admins available, and warns of the increased cost of using "specialist" admins for *nix environments. If they are basing their TCO studies off of these admins, then the "ignorant admin" cost as you call it IS part of the TCO which is not being considered. Microsoft put themselves in this spot when they modeled their certification into an advertising campaign for the number of admins rather than a way to certify the best technicians when they were competing against Novell 4.3. The author's point still stands.

Re:You cannot use viruses/bugs as an example of co

You don't have to be paid by Microsoft to defend them. You don't even have to like their products at all. You just have to be sick and fucking tired of cock sucking, mother fucking Linux Zealots and Flamboyant FOSStards like you, who have to label everyone who threatens your superiority complex as a troll. Stop being a pussy.

Real Money vs. Wishful Thinking

[neomunk]

I'm sorry, but the savings you get from hiring inexpensive (read: incompetent) staff is being reflected in Microsoft's TCO calculations (represented by charging more for *nix admins). If you want to ignore the costs of malware, you're going to have to REDUCE the costs of malware, and that's going to increase the cost of staff, as they will need to be better trained, and thus, more expensive.

Your arguments come across to me as someone who wants to do something they know has a significant chance of failing, but only count the successes when someone asks how well that something works. Malware is a real cost, and by that I mean costs real money. All the foot stomping in the world isn't going to pay these real costs, so counting how much it's going to cost (or at least estimating on past experiences) when planning your budget is the only rational way to do things. You might get away with proclaiming that malware costs just don't count in some Marketing department some where, but if you went to Accounting with that same line, they'd point and laugh at you.

Re:Real Money vs. Wishful Thinking

[plague3106]

I'm sorry, but the savings you get from hiring inexpensive (read: incompetent) staff

Sorry, that's a fail. Inexpensive != incompent. A compentent Windows admin would have had the conflicker patch installed before it became widespread (as we did here).

I can develop software cheaper on windows not because I'm incompetent, but because the Windows platform offers more productive tools.

Re:Real Money vs. Wishful Thinking

[neomunk]

Now you're just shilling, and you're doing it with that "edgy" attitude that indicates you watched too much powerpuffgirls as a child.

It's cool, I won't get in the way of your little crusade to take on facts while wielding your mighty ability to use the word fail as a noun. You can make up all the personal anecdotes you'd like about your uber-cheap uber-skillful programming, I'm just going to wander back over into the real world, where the malware problem is almost exclusively a Windows issue.

Have fun with your "more productive" tools, and if you keep sprinkling that mixture of fairydust and powdered unicorn-horn your Windows installations will be secure forever.

Re:Real Money vs. Wishful Thinking

[plague3106]

Now you're just shilling

Oh, forgive me for simply stating my experiences... which also happen to match reality, BTW.

you're doing it with that "edgy" attitude that indicates you watched too much powerpuffgirls as a child.

What's a matter, you don't have actual point? Not that its relevent, but I was already an adult by the time that show came out.

It's cool, I won't get in the way of your little crusade to take on facts while wielding your mighty ability to use the word fail as a noun.

Ok, so you have no point.

You can make up all the personal anecdotes you'd like about your uber-cheap uber-skillful programming, I'm just going to wander back over into the real world, where the malware problem is almost exclusively a Windows issue.

Ha, the real world is using Windows largely because it is cheaper. The reason malware isn't a problem in your little linux world is that its pretty much not being used. Apple runs more computers than Linux does.

Have fun with your "more productive" tools, and if you keep sprinkling that mixture of fairydust and powdered unicorn-horn your Windows installations will be secure forever.

Aww poor baby? Did I hurt your little feelings while you sit there in your mom's basement just wishing the world knew how really leet you are? Don't worry, reality will set it once (if?) you move out of her basement.

Actually...

2.5 million is certainly due to the incompetence of the IT department, when you need external consulting to take a worm of a PC something had gone wrong with your education as IT technician.

Re:You cannot use viruses/bugs as an example of co

[jimicus]

Probably heavily locked-down desktops and even more heavily restricted internet access (basically none whatsoever; HTTP is allowed through a proxy that requires a username and password and doesn't allow access to the whole web).

This is quite possible to do in a company of such size because you can usually divide your staff into groups that match up quite well with their responsibilities and grant access accordingly, blocking everything else.

But most of the worlds' companies aren't 30,000 desktops. When you're dealing with a much smaller organisation, the amount you can lock things down is generally much reduced - and the ease with which someone who doesn't like a locked down desktop can scream at someone senior enough to get the lockdown overridden is far greater.

Re:You cannot use viruses/bugs as an example of co

[DeadChobi]

We, the undersigned, do hereby agree with this post and would move forward in our support of it.

Re:You cannot use viruses/bugs as an example of co

[squizzar]

There's no good reason for the system software to require "maintenance"
to deal with bit rot.

Did you read what he said? I know car analogies are a route to certain doom, but I think you may be avoiding his point. When I write a piece of software that's it done. I don't expect to come back a week, or a month or even years later and find that it's seized up. It should work exactly the same as it did the last time. I have performed the same tasks on my PC at work day in day out for years, so why has it gone from me using the startup time to put the kettle on and the time to login and check my emails to brew my tea in the morning to the startup time being longer than all that and my tea being cold by the time it's ready? There is no reason. I don't download tonnes of crap, I don't visit porn sites. As far as I can tell there is no malware or virusses on my PC so why has it slowed down? Contrast my Linux PC and laptop at home which have operated in a consistent and reliable fashion for years, across entire distribution upgrades etc. There is no good reason for this behaviour, which is what the GP was stating.

And before you make any further ill thought out comments consider this: There are many systems that have run 24x7, processing vast quantities of data, and have done so for years on end with next to no problems. Whilst having the redundancy and quality of hardware used to provide high availability computing is unnecessary for most users, it does show that software that is capable of performing these feats can be developed. The issue then is why Windows is so very far from providing anything like that level of stability

An ounce of Prevention

[Intrusive_Rogue]

Every OS should be covered by AV and kept up to date with latest patches / versions etc. If an organization is caught with it's pants down because of poor Security practices or insufficient malware protection that is not any OS mfg's fault. All OS's "should," have protection and update policies. When they're not followed that is a poorly run IT organization, not a hidden cost of an OS.

Re:An ounce of Prevention

[Leiterfluid]

It's amazing how many times that this is considered a Microsoft problem when in reality its an organizational problem. Most companies are unwilling to invest in proper training and implementing solid security practices until an attack occurs. While its easy to pick Windows-based malware as a prime example of why organizations should shift from closed-source to open-source technology, the fact of the matter is that the problem is with how the network environments are managed. By locking down user desktops, implementing anti-virus, anti-malware, and anti-spam solutions, in addition to inline IDS or IPS technologies, there is no reason something like this should be infecting any organization. I run multiple Windows PCs, and I don't have viruses running around rampant on my networks.

Re:An ounce of Prevention

[turbidostato]

"Every OS should be covered by AV and kept up to date with latest patches / versions etc."

Yes. And on top of that, proper security policies should be enacted and the users properly trained on their equipment usage.

And all of these comes at a cost that sums up to the TCO of the solution.

And that's exactly the point of the article.

Re:An ounce of Prevention

[dbIII]

It's amazing how many times that this is considered a Microsoft problem

That's what happens when none of the malware will run on any other platform.

Also the nasty thing with definition based protection is that you are completely unprotected from each new breed of malware for the first few days of it's existance - some poor sod has to get it first before the rest are protected.

Server Vs. Desktop

[ChronoFish]

TCO On the desktop is significantly different than TCO on the server.

On the server you would (should) be less likely to have to worry about trojans, malware, viruses, etc. This is because the "server" is *typically* not used to read email, surf for porn, or buying shoes from some random fashion website. I'm sure there are examples of this...but in general....at least in the shops where I've worked, the servers saw very little face time (as in an operator at the keyboard). On the server side, both *unix and MS have hack issues as highlighted in other posted comments (probably the biggest threat due to the social engineering aspect of hacking). But actual server viruses are rare. Net-Worms are a concern (code-red) but then again there are worms and "script-kiddie kits" on both sides.

The desktop is a different story: virus, bugs, malware, etc is rampant - especially in the MS world (but still exists in the *unix including OSX). Of course the TCO of the desktop is just one measurement. Embedded document objects (Excel, visio, paint directly into word, powerpoint, etc) may be vital to your workflow. While OpenOffice is a great alternative, it's not a drop in replacement for all cases - and that might be an immeasurable sacrifice.

Unix on the server side / Windows on the desktop (my preference) leads to it's own share of interoperability issues. They can be resolved - but not if you don't have the knowledge - and knowledge is costly (and adds to TCO).

-CF

Re:You cannot use viruses/bugs as an example of co

[cant_get_a_good_nick]

yadda yadda MS has 90% market share so that's the reason it has malware yadda yadda

I absolutely hate this argument. It assumes such a simplicity, that the only consideration that people pick for coding a virus is marketshare of the target. Of course it's one consideration, but not the only. It,. more importantly, seems to want to wash Microsoft's hands of the problem, meaning nothing will get fixed. There are a lot of things MS can do to help the situation (and in their defense they have done some) but saying "it's because they own the desktop, nothing to see here, move along" doesn't help anyone. Including you, when your net is down because some Conficker DoS.

The problem with Microsoft is just how damn easy it is to write a virus, at least in the old days. Microsoft had a system (Windows + Explorer + Outlook) which:

• made the default action (doubleclick) depend on extension
• made the default actions for executable to execute
• made the extension hidden by default
• extended this behavior from a local, somewhat safer environment (the desktop) and pushed on to email, which is totally untrusted.

This is the essence of all VB email viruses. This bad design had absolutely nothing to do with marketshare, just made the impact much more widespread.

Also, they allowed HTML email to hit activeX, which means an untrackable email can execute code just by you opening the mail. It's the Goodtimes virus, but for real.

I personally use windows, and prefer windows, and since XP came out have never had a problem with it myself. The biggest problem with computers is they're technical machines which lend themselves to needing to have technical knowledge in order to use one safely/correctly....which the majority of people do not have.

An analogy would be that "cars are complicated now, with computers and stuff, and people need to be expected to know all that tech stuff to operate safely, so we can let them explode or catch on fire if people are not paying attention 100% of the time, because it's really their fault if the car blows up when you cross the yellow line"

Again, simplicity in argument. YES stuff is complicated, but there are a lot of things you can tie down by default. MS is driven by checkbox marketing, the more features the better. This blows up when people have a financial incentive to exploit those features.

Microsoft products have no other price

[HannethCom]

No really, Microsoft says it so it must be true.

Price of training every two years that a new Microsoft product comes out? But open source software comes out with new versions faster.

So what if the open source software doesn't undergo major changes for no reason. You still have the price of retraining from moving from Microsoft products to open source.

Bugs, what bugs? No Microsoft product have any show stopping bugs. BTW, that new feature you requested will be in the next version(tm).
(Legal: Next version is not a binding contract and just refers to some future version of the software which may, or may not be the next release. Microsoft reserves the right to cease production of this product line at any time with out implementing said feature)

Re:You cannot use viruses/bugs as an example of co

[slack_justyb]

Rolling out Windows Updates is not a difficult task

True but I would like to consider the line just before that one...

The answer is, is that it's because the IT staff obviously were not on top of the maintenance of the computers.

This statement slaps directly in the face of what Microsoft touts as their big advantage. Ease of manageability. In fact, they say that it is 60% the TCO of servers. See blue pie piece.

In fact what does Microsoft think Ease of manageability means? See first gray bubble

With a piece of software that just sooooooo easy to keep running, why do entire IT department fail to be "...on top of the maintenance of the computers?"

Trust. Microsoft's automatic updates not haz it, to use the lolcatz of our times. People don't trust Microsoft's updates. They fear it will break what they have going. slight pause It may, it may not, but that's not the point. The point is that the ease of manageability argument fails when we subscribe to your idea of...

it's because the IT staff obviously were not on top of the maintenance of the computers.

We can either say that IT departments need to spend due diligence with updates and security announcements with Microsoft products. (much like Unix and Linux IT departments,) or we can say that Microsoft has issues with security and trust which leads to an environment that breeds ripe servers for malware attacks.

In the end, one of these two options will cost an IT department money. True, this article looks at it from the latter point of view, but say we look at it from the first point of view and what do we have? The TCO rising because the "ease of manageability" is reduced, the two being inversely proportional per Microsoft. So even if Microsoft does patch whatever exploit it is that we are questioning, the trust is not there from the end-users and that cost something as human as it may sound.

Re:You cannot use viruses/bugs as an example of co

[neomunk]

I'm very curious as to whether that shop you mentioned fits within Microsoft's "TCO" calculations. I'd be willing to be that the company you're talking about goes far above and beyond what Microsoft says an outfit of that size and function should cost. Yes, it is possible to secure a Windows working environment, but as soon as you do you start to find that the other arguments Microsoft relies upon begin falling down. As soon as you start to build effective security your system starts to get harder to maintain compatibility, it starts to get more expensive to hire/train staff, and it starts being less user friendly.

This is just my personal experience matched up to yours, and it's worth just as much (nearly nothing). You want to know the real truth of the matter? Step the anecdotes back for a second and look at things more generally. HOW much is spent per year by businesses in general (not your pet data point) cleaning up malware? HOW much business is lost before it can be cleaned up properly? These numbers are so obnoxiously larger than the 0 you're subtly suggesting that I find the "IQ of a sponge" comment amusingly ironic.

Re:You cannot use viruses/bugs as an example of co

[cant_get_a_good_nick]

Most of apple appears to come from Linux because of Akamai. A quick traceroute didn't show akamai for me, but that doesn't mean tht Linux is an accelerator and not the main website.

Office suites too

[dandart]

As much as OOo is now the standard, many people still use MSOffice, because it's what they're trained with. Doesn't that double the cost of the software too? And sod you security nuts, ANYTHING is more secure than windows, except perhaps a mac. Jeez, conficker... Antivirus being necessary, no repository, more people being ignorant and downloading dodgy software... I admit mainly PEBKAC but still they (security companies) charge you for decent extra security. But that's just good business!

Re:You cannot use viruses/bugs as an example of co

[GNious]

Akamai runs linux ... Still expecting that Bing runs some kind of Windows

Re:It is the hacker's mentality.

[mR.bRiGhTsId3]

Even moreso, it depends on which desktop environment. I think KDE keeps its autorun scripts under .kde while everyone else keeps them somewhere under .local.

Re:Viruses proportional to installed user-base

When windows will allow software installation without the need of administrator / system then I will agree with you. Windows starts with one basic flaw and they need to get rid of the "SYSTEM" user.

Re:You cannot use viruses/bugs as an example of co

[dimeglio]

Maybe you include the cost of insuring a car against theft in the TCO. I do. Samething could be done with malware. Malware authors are attempting to "steal" your money (using DDoS, client information, credit card numbers, etc.) through the Internet. Using certain type of systems would add to the cost of this insurance.

The question should be: if you were an insurance company against malware damages, what would be your premiums for IIS vs APACHE vs other? Assuming they each are managed by diligent IT professionals. Actuaries would need to be involved but my guess is MS systems would cost more.

Obvious troll...

... is obvious.

Re:You cannot use viruses/bugs as an example of co

[pherthyl]

Just because you don't get it doesn't mean everyone else doesn't get it.

Not Really...

[EXTomar]

....but you are close. It isn't that "virus-making community is proportional to the installed user-base" as much as "developers are proportional to the quality of tools" where "virus-making community" is simply a subset. Given the tools for free you can get for Microsoft and the quality of documentation and debuggers you are going to have an easier time making software in general than you are going for Linux or Mac where "malware" is simply a subset. The weakness in Windows has always been they have too many ways software can modify system resources with easy to access tools and documentation. Since I don't believe hiding the tools or documentation is the correct course of action nor does it promote user interaction which is ultimately the use of any machine I'm left with believing that the reason why Windows has a lot of virus is the system.

Re:You cannot use viruses/bugs as an example of co

[dhfoo]

Easy, http://www.microsoft.com/technet/security/advisory/971492.mspx

Have a nice day!

Re:Viruses proportional to installed user-base

This old reply always appears in response to stories about viruses... and its most effective counter is still a single word:

Apache.

What software runs most servers on the web? Apache. What web server gets hacked the most? I'll give you three guesses, and it ain't Apache.

Conficker was patched

So it really should be 'The Hidden Cost of Hiring People Who Don't Apply Patches'

Re:You cannot use viruses/bugs as an example of co

[nxtw]

Never heard of a mass exploit, but I've seen a few Linux systems with rootkits. Always unpatched at the time of infection.

Code Red and Nimda infected systems using already patched vulnerabilities.

Re:You cannot use viruses/bugs as an example of co

1. It's patched.
2. It only affects webdav which is disabled by default
3. webdav is an extension of IIS, not IIS itself. I wouldn't say a vulnerability in PHP is a vulnerability in apache.
4. it's not a remote execution exploit. all you can get out of it is access to some page you might not have been previously allowed. considering webdav is only really used for exchange, this probably isnt a huge deal.

Re:You cannot use viruses/bugs as an example of co

The issue then is why Windows is so very far from providing anything like that level of stability

The only places where Windows cannot provide exactly the same stability and security as your *nix flavor of the month are 1) Shops that don't implement or enforce basic security and operating procedures and 2) *nix fanboy fantasies.

Re:You cannot use viruses/bugs as an example of co

[Spike15]

While what you say is true of large changes, like, for example, Internet Explorer 6, I have very, very rarely (I would say "never") seen it be true for a small security update.

I know for a fact that large software updates, such as version changes or service packs, can break compatibility. Recently the big talk of my office has been which departments of the company we can push to IE7, and which must stay with IE6 because the web-based apps that they use break with IE7. But we don't have any "DON'T PUSH KB######!!!!" I have personally rolled out many PCs and when I do the Windows Updates for them after they boot up, I put everything on them except Internet Explorer 7/8, and they run fine.

However, I recognize your point. Our IT budget here is quite generous, and we're allowed to remain pretty state-of-the-art, with very robust software and hardware solutions. However, this is a story about a Conficker infestation rolling out EIGHT MONTHS after the patch that nullified Conficker's attack vector was released. When Conficker was discovered 7 months ago, or even when it was making headlines only "a few" months ago, why didn't these people say "jeez, MAYBE we should test that ONE security update?" and then do it?

Re:You cannot use viruses/bugs as an example of co

[hairyfeet]

You see, Linux guys, it is like this Apache and all those other web enabled Linux boxes are run by guy like my buddy Glenn, who actually patch, read security updates, learn about the latest malware, etc. Compare that to Windows where it is being "administered" by those like Velma. Say hi Velma (Hi Y'all!)

You see, Velma has a BFF Kim, who is what we call in the PC repair biz a 'click whore" in that she'll click on ANYTHING, spam attachments, chain mail, you name it. And you will NEVER convince Velma that anything coming from her BFF Kim is bad. If the email "from" her BFF Kim tells her to turn off the AV and open this password protected .zip, what do you think Velma does? If you think she leaves that email alone you are wrong...dum dum dum...DEAD wrong. Nope, Velma will turn off ALL your security measures and then go "oops" when she hoses the system. because Velma is cute and everybody loves Velma she will get away with it too. Say bye Velma (Bye Y'all!)

But not to worry Linux users, if you get all these state and local governemnts, which are filled with Velma's and PHB managers, onto Linux instead of Windows, then your good friends at the Russian Business network and their friends in China and Nigeria will be sending Velma and her friends "Happy_Puppy.sh" with nice and easy to follow instructions on how to run it. And run it they will. Because I don't give a flying fart how good Linux security is, it still can't save you from PEBKAC. Trust me on this, for I know of which I speak.

Re:You cannot use viruses/bugs as an example of co

And bing is running on linux?

Businesses rely on this...

[npoczynek]

I had an interview at Geek Squad back at the beginning of summer. I didn't do well - and I'm rather glad. One of his questions was what I thought of free software. Being a naive young lad who has never worked in sales, I foolishly stated my position. I told him that I think it has a lot of advantages, and have often used free alternatives and/or open source software. His response to this - "How hard would you work for free?" It was a little shocking how he completely disregarded the benefits of the free software community. He then made it very clear that Geek Squad employees who mention free software to customers are often at risk of being fired. I can only imagine that this "hidden cost" referred to in TFA is far from hidden in the eyes of places like Best Buy. If people knew about all this cool free stuff that was out there, who would you rip off? Where would you find spyware-infested PCs that you can charge an arm and a leg to fix?

Re:You cannot use viruses/bugs as an example of co

[geekboy642]

Careful, your Microsft uniform is showing. Ratchet back the shilling for a couple posts, then try it again more carefully. Also, "Windows anti-exploit code is insane" is not an approved meme. We don't want people thinking Windows drools on itself, now do we?

Re:You cannot use viruses/bugs as an example of co

[Spike15]

"People" is a pretty vast generalization. I, personally, do not fear Microsoft Update, in fact I trust it entirely. In my experience (and I know people here will disagree) Microsoft has been on top of trying their best to keep their operating system secure. Most large vulnerabilities that make it out into the wild and terrorize people have been patched LONG BEFORE.

Conficker was first observed in the wild in November 2008. Its vulnerability was patched in October 2008. Had the entire world been on top of their Windows Updates Conficker would've been a non-issue. Instead we have this biggest worm infection since SQL Slammer.

Oh, and speaking of the infamous SQL Slammer, it, too was patched before it was first exploited on a wide scale. SIX MONTHS BEFORE to be exact. People have said that SQL Slammer's effects were somewhat similar to the effects of the Code Red Worm...

So since we're talking about the Code Red Worm of 200, which exploited IIS, why don't we mention that much like Conficker, a patch had been available the month before the widespread exploitation took place?

Geez, my distrust for Microsoft Updates is swelling just talking about all this proactive patching they've done, and how it could've averted such cyber-tragedies IF ONLY PEOPLE USED IT...

Re:You cannot use viruses/bugs as an example of co

[saleenS281]

Of course, we'll completely ignore caching services like Akamai which cause netcrat to report a website's true server incorrectly ;)

Re:You cannot use viruses/bugs as an example of co

[PPH]

Yeah, I've heard of Code Red. Back at a major corporation I used to work for, we got hit. Bad.

I was admin on half a dozen *NIX boxes running Apache when another admin noted the strange URLs hitting his server logs. So we all checked and found hundreds of unique IP addresses of infected NT systems trying to pass it on. Later, this number woud grow to thousands. Several of us took it upon ourselves to grep|sort|cut out a list of IP addresses and forward them to our computing security department for further action.

Some of the admins of affected systems claimed that 1) they were up to date on all "applicable" patches and 2) they could not possibly be infected, as their systems were dedicated SQL Server hosts, not running IIS (so no IIS patches need be applied). It turns out that at some point, they had enabled their web admin interfaces and, as a result, that had started IIS (quietly, in the background, without their knowledge). Worse yet, it was started in some default configuration that left their systems wide open to all sorts of unauthorized manipulation. It took several weeks of around the clock effort on the part of the NT administration staff to clean the mess up.

I did have my own fun with it. One of my systems ran Apache on Linux with Samba (server and client). I wrote a CGI with the name and path of the Code Red URL request. It returned a 404 response through Apache (as would a standard Linux system), but I had it generate a WinPopup message sent back to the offending system to the effect that it was compromised.

Re:You cannot use viruses/bugs as an example of co

According to IDServe, Bing is running on AkamaiGHost. That's after getting an error on the hostname then querying using the returned IP address.

The hidden cost of more adoption

[ithellion]

What about the hidden cost of more malware written for linux as adoption increases? Haha

Re:You cannot use viruses/bugs as an example of co

First, that a vulnerability in WebDav, not IIS really. Secondly, it can only be exploited in IIS 5.1, which is the windows XP version of IIS. No serious host is going to be serving pages from XP, nor would they leave WebDav enabled.

Re:You cannot use viruses/bugs as an example of co

[AmberBlackCat]

If you want to throw out ideology, then people like me have to consider the fact we can print with any version of Windows, but my common Canon printer doesn't work with Linux. Or the fact my Nvidia graphics hardware works with Windows but not with Linux. Little things like that are a bigger deal than virus cleanup, because they affect you every single day. Try factoring inability to switch screen modes and the inability to print any document into the total cost of doing business with Linux.

TCO of OSS

[mjayde]

Let's look on the other side of the coin, and imagine the TCO of OSS.

Can you imagine a medium-scale business environment switching from Microsoft to the OSS available today?
I can see an unbounded amount of wasted employee time of people futzing around attempting to fix operator-errors on a linux desktop machine, even after the acclimation period.

It would be nearly impossible for finance to record that amount down on paper.

Re:You cannot use viruses/bugs as an example of co

[uglyduckling]

Your post might give the reasons why there are more viruses for Windows (although I would dispute your explanation) but the reality is that for whatever reason, Windows has much more of a problem in this area. One of the things that it routinely done in TCO calculations is to factor in the cost of 'retraining' users to use a different OS than Windows and a different office package to MS Office. That retraining is only required because of the MS market share. If it's fair to factor in those costs (which wouldn't be an issue if MS didn't hold a dominant/monopoly position) then it's definitely fair to factor in the virus/malware costs (which you claim are also because of their dominant position).

The hidden cost of a Linux dominated world

[Totenglocke]

There's one thing that everyone is overlooking. If linux would become the dominant OS, there would be a hidden cost - many of us IT people would no longer have jobs fixing / maintaining MS systems. I love linux and have tried to get several people to switch to it, but I actually like businesses using Windows because it means job security.

It's kind of like a conversation we had at work the other day - every IT guy hates idiot users who can't check their email without having to call IT for help, but at the same time if it wasn't for most people being so incompetent when it comes to technology, many of us wouldn't have a job anymore.

Re:The hidden cost of a Linux dominated world

[sofar]

http://en.wikipedia.org/wiki/Parable_of_the_broken_window

Re:The hidden cost of a Linux dominated world

[jp10558]

While MS maintains great levels of IT employment, I think you may be overstating the case a bit. I do suppose it depends on where you fall in the IT world, but even if you didn't have to show the user yet again how to check their e-mail, there is a case to be made that you'd still have to initially set up the e-mail, set up and deploy the computer, maintain the physical and logical network, etc. Most businesses still have janitors, even though I would guess most employees are capible of cleaning their areas, it's not the most efficient use of their time.

At the higher levels, there's all sorts of things to do by specialists to keep IT people busy for the forseeable future.

At worst, I expect we'll continue to see consolidation like we already see into specalized companies that contract out time (or independant contractors) for multiple other compaines so those companies, or units of large corporations, can focus on their core competencies.

Re:You cannot use viruses/bugs as an example of co

[jmorris42]

> This is really just FUD aimed at MS, using 2001 "MS is insecure" arguements which are no longer true today.

Totally man, we haven't had a Windows malware event so bad broke out into the mainstream media in years.

Oh sorry, my bad, we have. The patches fly out at about the same pace as they did in 2001. Different subsystems get targeted as the cat and mouse game goes on but since Windows is still a big blob of poorly documented, closed source and for the most part insecure code the game isn't likely to end soon.

That said, had a look a major Linux distro's errata firehose lately? So lets not get too smug. Yes I realize a Linux distro covers a much larger universe that includes server software, office suites and development tools. But compare apple to apples, say Firefox to IE and we still have work to do. Which is currently safer? Well I'm not posting this from Windows.

Re:Cannot use Hubbell as an example of intelligenc

[Penguinshit]

and your g4m3z machine has no Internet connection or you are intentionally misrepresenting your XBox.

Microsoft's tech "support" costs....

[gestalt_n_pepper]

Microsoft's tech "support" costs are truly one of the largest hidden costs of ownership. Assuming you can get a human on the phone at Microsoft, you're frequently directed to the wrong person, the wrong automated telephone system with inappropriate choices, the wrong department, the wrong planet... Spent 3 hours this weekend trying to get my temporary Vista Enterprise software (temporary 30 day solution) downgraded to Home Premium, which I legitimately own without having to reinstall everything. I was trying to be honest. After 3 hours, I just gave up, got online and hacked the registry to turn off notifications. 3 hours, 4 tech "support" personnel in India, 5 different, useless phone systems and .....nothing. Microsoft's eventual demise will be their own fault, plain and simple. Windows used to make my life easier. Those days are long gone.

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

Microsoft has no dress code.

PEBKAC

[InsertCleverUsername]

Looking for a Better OS?

How about better users and better sysadmins? Seriously, sysadmins ought to have some liability when they aren't doing their due diligence. There was a critical patch that would have prevented Conflicker released way back in October.

That's kind of short-sighted, don't you think?

[holophrastic]

Including malware cleanup is simply short-sighted. Certainly it's a cost, and if we were all to agree that MS Office has more malware problems than OO, then this point stands valid; but only for now. The problem is that next year, what's to say that OO doesn't get more malware? Or that MSO doesn't get less? And if we were all to suddenly agree that OO is better, and MSO is worse, and we all immediately switch to OO, and MSO is no more, then OO now has more malware problems than the non-existent MSO.

So it's a valid point that is no longer valid after its conclusion is fulfilled.

Besides, there are plenty of things with fewer problems that offer fewer benefits. In the business world, unlike the consumer world, it isn't always cost or benefit, and even value doesn't always hold. Sometimes, a business needs one particular benefit, and the costs are simply irrelevant. That's the business, plain and simple.

Re:You cannot use viruses/bugs as an example of co

Thank you for that! Don't Nimda and Code Red go back to something like 2001? Those arguing against your point maybe need to update their argument ... maybe their software too. I think IIS has undergone a couple of major releases since then ... 8 years is a long time in this biz, things have changed including marketshare numbers.

But, the others may have a point: dollars are dollars. If you spend them on one where you wouldn't on the other, it counts against the first. The issue isn't whether MS is better or worse than the others, but what costs more. Making matters worse is that in large organizations you hire many knowledge workers (folks who will be assigned a computer) for skills that do not guarantee that they are also technically competent to care for their machines, data and software. Instead, the organization takes that on ... at a price.

The funny thing is (and this is consistent with your rationale) that as FOSS picks up marketshare, you are right, their software will become a more attractive target and -- if they really succeed -- the argument that FOSS costs less to secure will likely evaporate because whether a programmer works for MS or a FOSS team, he or she is fallible.

TCRL: Total Cost of Ruined Lives?

[Requiem18th]

TFS only mentions the cost of cleaning Windows from malware, what about the cost of the malware attack itself? Personalities stolen, bank accounts emptied, privacies destroyed, files lost in locked hard disks or simply fubared.

I'd add that to the TCO of Windows too!

Re:You cannot use viruses/bugs as an example of co

[pfleming]

The poster is right- you can't use viruses as a cost of ownership. If you can, then I am going to count all those driver issues with Linux I had in the past as part of the cost.

Then you would be right in line with everyone else who already counts driver issues against *nix. You aren't changing anything - you are merely repeating the party line regarding "difficulty of use". I think the quote, "*nix is user friendly, it's just picky about who its friends are," applies here.

What hidden cost?

[CherniyVolk]

I suppose people think that complexity is some how better or more indicative of truth... because why are we trying to battle on these obscure money-lenders' rationale of governing costs of software? It's simple, linux is downloaded for free, and to get Windows alone is what.. 199.95? Oh, and how much for Photoshop? Oh, maybe add Maya, and then perhaps some VM software? Because, we all know that Windows by itself, out of the box, is rather limited. Add in a full blown development environment... oh, yes and Microsoft Office I presume yes?

TCO is bullshit. Windows has a price tag greater than 0. No matter how complex or convoluted you get, no matter how many lawyers with fantasy rationale obfuscating the obvious, no matter what is said or how it's said... any price on Windows is always going to be more expensive than free.

Cost of operation? How much wasted time do you think has been put into trying to figure out mundane tasks in Office 2007? Might as well be a completely new product, Open Office which clearly is a different product is more familiar to a previous Office user than 2007 is. TCO accounts for "training" as their defense? They are shooting them in the foot. I mean, you always have "training" with new software. Sometimes you have it with just bug-fixes or upgrades. Some of us, it might only be "familiarizing", but others who are so dead set in a routine to complete a task will struggle for sure.

What is it, about TCO, is relevant, useful.... real? Keep that to yourself, I've read all the garbage. Bottom line is there's really nothing governing this bullshit "TCO" philosophy, any more in favor of Microsoft than any other software or product for that matter. The real fact is the real numbers. 199.95 for retail Windows. And then tally up all the numbers that would make your "Windows" installation, and all the third party software, "legal". There's your real cost, there's the obvious cost.

How much do you think it would cost to have a legit Windows box? 5,000 USD total in software costs?

No, better yet. How much would a Windows box cost, purchasing all of the commercial software available that would enable the Windows user to do what the typical Linux installation can do? I mean, I have photo editing software, 3D renderers galore... office suites, every server imaginable, VM software, conversion tools... jesus my box is Linux... nuff said. My Windows box would break the bank paying for and installing only a fraction of the capabilities in commercial software.

Now, site wide licenses, think organization size... thousands of desktops... niche market functionality... dear god. TCO is the least of your worries it seems.

Re:What hidden cost?

[King+InuYasha]

Well put! I wondered when somebody would pull something like this out of their hat.

My Linux box runs:
Fedora 11
OpenOffice
Blender
VMware Workstation ($190)
GIMP
Apache/PHP/MySQL/PgSQL
Mono & MonoDevelop
GNU compiler collection toolkit
Qt & GTK+
Firefox 3.5
Opera
VLC
CrossOver Linux Professional ($80)

With all those applications, adding in the $1000 cost of my computer hardware, I only had to buy a license for VMware ($190) and since I play games to, I opted for CrossOver Linux Professional too ($80). Only $1210.

Now, lets compare that with comparable systems in Windows:
Windows Server 2008 w/ 5 CALs ($840)
Microsoft Office 2007 Ultimate ($680)
3ds MAX ($3500)
VMware Workstation ($190)
Adobe Photoshop ($700)
IIS/ASP.net/PHP/MySQL/PgSQL (Included with OS cost)
Visual Studio 2008 Professional ($800)
Qt
Internet Explorer 8 & Firefox 3.5
Opera
Windows Media Player & VLC

Now, with that system, adding in $1000 hardware cost, would total to be about $7710. Now, you could cut some of these costs by replacing them with cross-platform open source versions, like 3ds MAX with Blender and Photoshop with GIMP, which would be $2510. Cutting out Office 2007 and replacing it with OpenOffice would bring it down to $1830.

In the end, the initial cost of ownership is quite a bit higher for a Windows based system over a Linux one. But, that is to be expected, given that Windows isn't free. And on a Windows based system, its much more likely they will buy the software suggested on the list that would bring it to about $7710, rather than compromise and cut it down. If you needed Microsoft's SQL Server 2008 Standard, that would set you back at least another $2000 or at most $6000.

Additionally, if you wanted to bring the initial software cost to zero on a Linux box, you could use Sun's xVM VirtualBox instead of VMware Workstation. I picked VMware because it was the best. Also, some of the Windows software, like Photoshop, might be usable under Linux when combined with either CrossOver or Wine in addition to video games.

Re:What hidden cost?

[King+InuYasha]

Oops, also, to drop the initial software cost on Linux to zero, you could use Wine instead of CrossOver Linux.

Re:You cannot use viruses/bugs as an example of co

[msuarezalvarez]

Well, ask with everything, you need to know what you are doing. Configuring a printer to default to A3 is not exactly rocket science using CUPS, for example...

Re:You cannot use viruses/bugs as an example of co

[colinrichardday]

The route problem is that you have poor programmers at microsoft, and poor IT maintaining system.

What? They can write something as basic as route?

Re:You cannot use viruses/bugs as an example of co

[webweave]

BOGUS ARGUMENT! "As you sit in front of your keyboard all computers look the same so they must all have the same problems." Well viruses/bugs are a cost of life if you choose to run windows and even if you don't. The hidden cost of someone else running windows should also be evaluated, it happens when you have to clear tons of spam and virus laden files from your non-windows server caused by windows computers. Windows is dragging down the entire internet. Ever have to wait a day for your mail because you mail queue has ten million windows computers generated spams? Should I just send the bill to Micro-Soft?

I manage a number of small workgroups, all have linux servers but the clients vary, all nix, all mac, mixed mac/windows, all windows. Guess which group I make the most money from? Guess which groups I hardly ever talk to? Windows is not easier, not cheaper and not more secure. Windows is more ubiquitous but that is changing.

As a professional I'd rather make less than have to work on windows, thankfully I actually bill more per hour doing not windows support because 90% of my competition can only work on the windows side. Larger marketshare = thinner margins?

You were hit hard, but WHY? You can stop it... apk

"My company was hit pretty hard by the conficker virus." - by goltzc (1284524) on Tuesday June 30, @04:04PM (#28533883)

Whose fault is that? You CAN prevent it, you know (from striking even), by doing a few simple things, such as what is listed here:

http://it.slashdot.org/comments.pl?sid=1159209&cid=27178753

----

Regarding "stalling" CONFICKER specifically:

( From http://www.xtremepccentral.com/forums/showthread.php?s=265edfd9cff2fd6ef1993571b23d1598&t=28430&page=3 )

----

"A.) STALL SERVER SERVICE (if you don't need a LAN/WAN to connect to & all you do is hit the internet on a single standalone machine)...

AND

B.) It recommends you stall out indiscriminate usage of javascript also!

Between those 2 measures (&, possibly ,b>ALSO, a HOSTS file that stops access to this CONFICKER worm's control servers -> http://forums.opendns.com/comments.php?DiscussionID=3043 which leads to said list here -> http://www.f-secure.com/weblog/archives/Downadup_Domain_Blocklist_February.txt )?

Hey... YOU TELL ME, lol, IF it works, or not..."

----

It'll work... addtionally blocking ACL (access control lists) access to the autorun.inf files in the root of you drives helps also (vs. how it spreads from USB sticks etc. et al).

(Do all of the above, especially if you don't need to be sharing disks/folders/files from your system to users over the public internet or a local LAN/WAN (saving CPU cycles, RAM, &/or other forms of I/O as well you would be otherwise wasting because you are not using what the server service provides, file & print sharing), & it quite literally (@ least theoretically) should "PROOF YOU" vs. this worm).

APK

P.S.=> That was regarding the /. article titled (from near when this worm was discovered):

New Conficker Variant Increases Its Flexibility:

http://news.slashdot.org/article.pl?sid=09/02/20/239229 [slashdot.org]

on 02/20/3009 here on this website... apk

----

And, it works...

Heck, you CAN do without the server service, as a workstation on a LAN/WAN even (because iirc, workstation service allows for MOST of what you'd need anyways), & have full access to its services, like the internet for example, if you wish!

(HOWEVER - If you have to share files/folders from said system? THEN, you'll NEED the server service active!)

Otherwise? Not really - server service is NOT required, but you might have to apply your OWN updates though as an end-user minus the server service running, as stalling server service removes accessible shares & such that SERVER service provides!

(Which might adversely affect SMS & like updating from a central source in a work LAN/WAN environs (that'd be up to you & the user(s) in question though, & what your + THEIR needs are in such a situation)).

APK

P.S.=> I put that out, originally @ xtremepccentral.com, & later here on /., because it works, on many levels!

I did so, almost @ the time it began "blowing away" systems all over the place... because it worked!

Common-sense should have told you, as an administrator (assuming THAT is your role, or that of a network tech/engineer) that those were the simple steps to take (along with detectors to signal a removal candidate, but you never or should NEVER have seen it in the 1st place, if you did the above steps to your Windows NT-based machines)... apk

Re:It is the hacker's mentality.

[ckaminski]

I've had my Linux systems compromised twice, and my Windows systems twice. I use a far larger number of Windows hosts, but I'm living proof that Linux is under assault in the wild. Granted, all of my Linux and Windows exploits were because of poor patch discipline...

sanity

[overcaffein8d]

if Sanity was money, microsoft products would cost even more

Why not patch? Patches are free from Microsoft.

Isn't it about time folks start downloading and applying free patches from Microsoft. The worm would have never infected the machines had the exploits been patch several months before (when the patches were available).

Re:You cannot use viruses/bugs as an example of co

[turbidostato]

"You cannot use viruses/bugs as an example of cost due to the fact that windows has had a 90+% marketshare since the dawn of time"

So what? Next time I go to the market I'll tell the casher: "You won't really try to bill me my food, will you? Coz, you see, more than 90% of the people eat to survive since the dawn of time so that means by Hubell's rationale that then it comes somehow for free!

The author didn't go into *why* malware is basically a Windows-only cost but that as for today it *is* basically a Windows-only cost. Are you going to deny such an obvious fact? You can tell, if you want to, that if tomorrow a different OS takes the place of Windows, then malware will focus on it, all well and good -although still only an hypothesis, but the fact is that *today* malware makes for a significant part of the TCO of Windows-based, and Windows-based only platforms and it's wise for CIOs and the likes to take this into account when planning.

Benchmarks with AV-software, too

[rainer_d]

Benchmarks comparing PCs with Windows and other OSs should be forced to run with AV-software installed - because that's the normal use-case.

Everything else silly.

Re:You cannot use viruses/bugs as an example of co

[koreaman]

I would assume businesses would be careful to only purchase hardware compatible with whatever operating system they are using.

Re:You cannot use viruses/bugs as an example of co

[turbidostato]

"I don't get it, what prevents the attacker to try every recent vulnerability on that host"

Time.

"it's not like this hasn't been done before"

Yes... when you aim for a specific target; not when all you want is bots or just old plain wreaking havoc.

"if the attacker is serious about breaking into a system running apache he's probably got some exploits for more common operating system anyway, so this makes things a little bit difficult, but not by much."

Security is both a theoretical activity and a reality exercise. Much of the time, specially regarding non-targeted attacks, "a little bit difficult, but not by much" means in reality "secure enough".

Re:Viruses proportional to installed user-base

People keep bringing this up but it just plain isn't true. Look at the installed base of Apache vs. IIS. Why is IIS more heavily exploited then? There is hole number 4 million in your theory.

Re:You cannot use viruses/bugs as an example of co

[Vancorps]

While yes, a certain amount of money should be allocated for things like AV software I have to wonder why so many companies are having such problems. To be honest, I've spent 20 minutes in 5 years cleaning up viruses on my network and most of that was because a fellow admin no less decided that he needed to install a codec from an untrusted website to watch a stupid video.

Of course I can't protect my network from people with the same level of access as I but the rest don't have any issues and a few are even the type to not only reply to spam but actually buy stuff!

Seems to me the issue is less about what OS I'm running on the back-end or the front-end and more about proper setup. While I do employ both Linux and Windows in my network playing to both of their strengths. If I have additional time to implement a project that I can accomplish on Linux then the odds are I will since I won't have to pay licensing fees but when new deployments are in crunch-time I'll often lean on Windows as I can setup new technologies and software faster in Windows environments due to differences in philosophies.

I was setting up PHP 5.3 on a CentOS box today and I can tell you that it's not friendly given that it hasn't hit the repositories yet. In fact the latest version from the official CentOS repository is PHP 5.1! There are a number of dependencies to resolve especially surrounding the php-mysql extensions. With Linux you tend to set and forget only returning to do updates. Setting takes longer than with Windows but the added time of reboots with Windows means that over the long term Linux will come out ahead which is why I run Oracle on Linux.

The modern world is wonderful though since I have virtualized most of my infrastructure where it makes sense so both Windows and Linux end up taking the same amounts of time to do anything since the software tends to do most of the work for me.

Disappointing post considering the title

[Vexorian]

I got disappointed here. Sure malware costs and whatever, but dows' supporters will always pull the excuse that it is because of market share. Which is pointless. It could have some small even when considering the dominance of windows in the malware marketshare is much large than the raw market share r, i.e: Desktop Macs sure as hell don't have 3% of the malware. Yet even assuming windows' malware friendliness was solely caused by marketshare if it was truth then it means that the huge marketshare for windows is inconvenient and a great solution would be to migrate the industry into one that can have seriously many OS vendors and options and each has from 0 to 35% marketshare.

I got disappointed because when reading the title I thought this post was going to be about the REAL BIG cost of using Microsoft software. Security is one thing but they have been improving (you got to accept it). The real issue is the LOCK-IN, and THAT is a giantic hidden cost of MS software, I wish some serious publication could analyze and denounce it cause seriously, malware costs are not a big deal and pro-MS groups will always just use their giantic, excessive marketshare as an excuse for it.

Re:You cannot use viruses/bugs as an example of co

[turbidostato]

"does this mean I should include the cost of water damage to my possessions when I leave my windows open during a hurricane that I knew was coming?"

Well, water damage doesn't have a cost tag, it goes for free. What does have a cost is recovering from damage. And then, of course you should include your recovering costs: the fact that the damage was because your idiocy can mean your insurance probably won't cover such costs but it certainly won't mean you'll recover for free; you can ask your bank account if you don't believe me.

And then, do you know what the "T" in "TCO" means? Exactly: that even idiocy must enter the equation.

easy fix use your backups

[RobertLTux]

since its just good practice to have a backup system why wouldn't you
1 fail your primary and switch to the backup
2 upgrade your primary
3 revert to your now upgraded primary
4 upgrade your backup
5 Profit!!

Re:You cannot use viruses/bugs as an example of co

[Vancorps]

I think he means that it won't even display properly. I printed a Southwest boarding pass with my Ubuntu setup and the PDF looked fine on my screen but when I printed it printed everything but my seating number which was A12 no less!

I copied the PDF to a Windows box and it printed just fine. The little things like that the parent was referring to. This is common with Ubuntu though. I would not say Ubuntu is a good platform for desktop deployment in a company though. SUSE is a better choice there as their software packages are designed to support corporate users unlike the hobbiests that Ubuntu targets. I've never understood the people that think Ubuntu is easy. I can hack my way around it just fine but when a kernel update suddenly stopped my netbook from being able to use wired networking things got dicey real fast! In the end I had to get a custom compiled kernel until 9.04 came out addressing the issue for real. Ubuntu releases are all about using the public to test. I like it because it gives me relatively easy access to the latest software tools even though that access means some of those tools won't work quite right until the next point release.

Bullshit.

[Risen888]

Fine, let's see where that goes. Let's make up some numbers (hey, you started it). Let's say that Windows has 90% marketshare, Mac 9% and Linux in its various flavors a cumulative 1%.

Okay, now let's say there are 1000 Windows viruses (we're making this up, remember, the actual number is certainly many times that, but 1000 divides well). Okay, 9% of 1000 is 90, and 1% is 10. Can you provide a link to 90 Mac viruses, or 10 for Linux? Hell no you can't.

"But Ris," you bleat, "that's unfair! The number of exploits would certainly be in geometric proportion to marketshare!"

Yeah, I've heard that one before too. So to even the playing field, can you even name one virus that targets Linux? Just one? I mean, even if it holds 1% marketshare, 1% of the world's computers is several million people, there must at least be one virus out there that somebody's written to at least prove it could be done and shut all us self-righteous Unix pricks up, right? One?

Bueller? Bueller?

Re:You cannot use viruses/bugs as an example of co

[turbidostato]

"And as that argument sways more users toward FOSS, the cost/benefit for malware writers will change."

But if that's the case, it will be *then*, not *now*.

"for FOSS we have no reasonable track record. So to me, that's background noise."

For me, having about 200 Linux systems, both servers and PCs my "background noise" says "malware-related costs to-date: zero". Surely my manager will say "but, hey, let's inflate this number since making our real numbers out of our real bills to get our real TCO would be a bit myopic, you know".

"imagine a world where the customer doesn't bear the cost of the vendor's mistakes. I know, crazy..."

Not so crazy: that's the world as of today: the customer does never bear the cost of the vendor's mistakes; it bears the cost of its very own mistakes... choosing the wrong providers, for instance.

Re:You cannot use viruses/bugs as an example of co

[Vancorps]

This is probably the first legitimate point I've seen in response to this. This is why I abandoned VMWare and went with Xen Server now that it is free.

The mal-ware argument is pretty moot in my mind as a properly administered network doesn't have a real problem with it. I haven't have a virus outbreak here beyond a fellow admin getting his own box owned in the five years I've been managing this network and our users are as clue-less as they come. Yes, the basic cost of AV software should get factored into TCO but malware clean-up? Even if we were having a problem with it, drive images make redeploying a box take a matter of minutes and those are minutes I don't even have to spend at the machine since I can do it all remotely with just a few clicks. The cost there would be the users lost productivity but that is why I'm moving into a VDI type environment for my end-users. Then downtime would negligible.

Honestly, all of the things you do to protect yourself from hardware failure often also protect you from virus damage so the cost is going to be the same regardless of platform of choice. I've got my automation in both Linux and Windows so both worlds are good. Now if only Apple played nicer. I basically have to buy completely separate tools to automate them which bugs the hell out of me.

Re:You cannot use viruses/bugs as an example of co

[turbidostato]

"Not that its exempt, its that should people target Linux as much, the figure would likely be the same."

So, since if Linux were as popular as Windows it would be affected for malware recovering costs as high as Windows, we don't have to consider malware-related costs in a comparation. OK, I'll take it, even if that's just an untested hypothesis.

But now you will have to do the same:
* Costs related to hardware incompatibilities? Not. Were Linux as popular as Windows, hardware support would be there, in the stock kernel.
* Costs related to retraining? Not. Were Linux as popular as Windows, well... it would be as known as Windows.
* Costs related to hiring the rare Linux knowledgeable admin? Not now: being Linux popular brings as many admins as on the Windows side.

And then, in the end, open source is *still* free of licensing costs (both direct and indirect due to expended hours on the corporate money-printing mill).

ms is "Secure enough" if you do it right

[smash]

Put in a WSUS server, use it (WSUS is free, for fucks sake). Roll out AV everywhere, keep it updated. Get an admin to put in slightly less retarded group policy than default, and don't let users run as admin (would you let them run as root all the time??).

Are there holes? Sure. But you don't get bitten by 99% of them if you follow any sort of basic security policy...

Re:You cannot use viruses/bugs as an example of co

Actually, it's a known and provable fact that HDD operations will fail sometimes, that memory bits will be switched, and even CPUs will throw out the wrong numbers. Why? Cosmic Rays perhaps. Sheer chaos. Bad power supply. Heat buildup due to dust. What, you say these are all hardware problems, and that you were talking about software problems? But wait, hardware can mess up software. Sad, but true.

So, no, your analogy isn't as good as you think.

Besides, most software problems I see on computers come not from broken systems but from users. Much like the folks who drive with the parking brake on, or who ride the clutch. And if Microsoft tried to lock things down so that the stupid users couldn't do that, the tech-users would bitch and moan about it. Which is just what happened in Vista. Oh my.

Re:You cannot use viruses/bugs as an example of co

[turbidostato]

"I work in IT, in a 100% Windows shop (the only non-Windows we have is ESX running under multiple Windows installs) and we simply do not have any problems with any form of malware, at all."

Don't you deploy antivirus on your systems, neither servers nor desktops? Do you think those antivirus go for free and that don't take away maintenance resources? Do you think those antivirus never threw any compatibility problem with any other service? Do you think they don't take up hard disk, RAM and CPU?

"I guarantee you that no matter what OS you run, you're going to run into problems if you don't take precautions to protect your software from malicious code."

And I agree 100% with you. It's about what the relative costs for those "precautions" are with regards to the platform. I'm not like you and my "house" is not 100% windows but about 90% Linux 10% Windows and I can tell you a significant difference does in fact exist.

"As for these people cleaning up Conficker...talk about a bad example! The vulnerability that Conficker takes advantage of has been patched for what...8 months now?"

So you want to talk about "real world" when it fits to your argument but avoid it when you don't like it?

"I wouldn't be complaining about the malware or the cost of removing it, I'd be firing the IT department en masse"

So you feel it's proper to talk about costs regarding compatibility issues basically maliciously provoked by Microsoft itself as a lock-in strategy (we are talking about "real world" after all) but you think firing your entire IT staff, hiring new ones, training them and hoping they'll be any better than the old ones will come for free, did I get it?

"she doesn't have Conficker because I set her Windows updates to do themselves automatically."

Ok, now I get it: your mother PC is the nearest you've been to a corporate environment, or else you'd never talk about automatic Windows updates as a solution.

"That is how easy THAT is."

Yes: filtering your facts in order to reach to simple solutions that won't account for all the "corner cases" of your real scenario is always easy. It's only that it's irrelevant too.

Re:You cannot use viruses/bugs as an example of co

[turbidostato]

"The only reason "maintenance" on software is required is because it is sold to the customer BROKEN."

Or the environment changes
Or the requirements change

"This notion that Linux or MacOS doesn't get hit due to lack of "popularity" is just a self serving dellusion"

Or it amounts as only a partial explanation.

Who the heck modded this insigthful? Does "insightful" means "it holds my side, everything else is moot" now?

Re:You cannot use viruses/bugs as an example of co

[Lord+of+Hyphens]

Bad example: nVidia is actually one of those vendors who actively release drivers for platforms other than Windows. And not just Linux, but FreeBSD and Solaris too!

Re:You cannot use viruses/bugs as an example of co

[AmberBlackCat]

I'm no business woman but I would have assumed they'd purchase hardware that meets their needs, as opposed to hardware that meets the needs of one of the several operating systems they're considering. For what it's worth, my children do fine with Linux most of the time. They're mainly online for social networking, music, and videos. So Firefox and the Flash plugin satisfy most of their needs. They just can't sync the iPods.

Re:You cannot use viruses/bugs as an example of co

From your theory you will also get a router's fingerprint when you scan a webserver's port behind it, right? *WRONG*

Re:You cannot use viruses/bugs as an example of co

[turbidostato]

"One of the companies I consult for has something like 30,000 desktops. They were not affected by Conficker in any way shape or form. In fact, I think they were bitten by the "anna kournikova" thing back in 2000 or 2001, and never again had any problems with worms or viruses.
How is this possible? I don't know. Maybe some common sense was involved."

Have you stopped to think that maybe it was not only "common sense"? That it might be some money involved too? That maybe the "kournikova experience" meant some heads were cutted off and new more senior ones were hired and trained and payed at higher rates; that new expenditures in antivirus, security appliances, more man-hours in maintenance, procedure approvals, testing deployments and staff education were incurred and that all those things might came at a price tag, surely at a cost percieved as lower than the "kournikova incident" but still at a very real and undenyable cost?

"That's clever, isn't it? It's a great argument, assuming you have the IQ of a sponge to begin with."

Sorry, I was a bit unattendant... it's your argument and IQ the ones you are talking about?

RTFA

[shutdown+-p+now]

The Manchester study is very low on detail. But from what I can see, it's just a bunch of incompetent admins which did not install security updates in time. Here's a blog post by the leader on the Manchester City Council which mentions the worm problem. It's dated 03/03/2009, and says that the delay between this post and the previous one was (among other things) because of dealing with the worm. Previous post on the same blog is from 16/02, so presumably they got hit by the worm somewhere in February 2009.

Now let's look at other dates. Conficker itself first appeared in the wild in November 2008. The patch for the vulnerability was already available out-of-band in October 2008, and had since long been rolled into the normal updates. The publicity after Conficker hit was also quite significant, and missing it - especially as an admin - is really inexcusable. But even if one does, so long as they were making regular updates, they would be fine. So, apparently, they weren't doing that.

Now, do you really think that running any OS, with no security updates being applied for 3 months (at least!), is a smart thing to do?

Re:You cannot use viruses/bugs as an example of co

[Kaboom13]

If you allow yourself to get stuck with shitty software that breaks if you sneeze at it, then yeah, patching is a problem. The conficker patch didn't break a single thing at any of our customers sites, we tested and deployed it on all of them in less then a week with 0 issues. MS has gotten a lot better in recent years about testing their updates thoroughly. If you have software that is getting broken on a regular basis by updates, it's probably because the software was a piece of shit to begin with. If it's an internal app, fire your current development team (or at least the management) and get someone who knows how to make a maintainable Windows program that follows MS's guidelines. If it's a vendor app and they dont have solutions for you within a week, much less a month, for such a critical vulnerability, you need to migrate to an alternative as quickly as possible. Testing updates before deployment is always wise, regardless of the platform (and any linux desktop that doesn't have things break by updates occasionally I would like to see). If your testing process takes several months on a critical vulnerability being exploited in the wild, your process is fucked up beyond belief. Leaving a critical vulnerability unpatched for an extended period of time is rolling the dice, regardless of the OS.

It may not be the IT staff's fault, but is definitely the organization's fault. Either their IT staff is incompetent, or underfunded, or too restricted by bureaucracy. If you want to enter the relative cost and difficulty of testing and deploying patches into your total cost of ownership, that's fair. But blaming the cost of this conficker on MS is like blaming a break in on your front door manufacturer when you left the lock they provided unlocked.

Re:Cannot use Hubbell as an example of intelligenc

[drsmithy]

But, an idiot can indeed manage to set a box up, and to run it for extended periods of time without problem, because *nix has a lot of security BUILT INTO IT.

Like what ?

Re:You cannot use viruses/bugs as an example of co

[drsmithy]

I absolutely hate this argument. It assumes such a simplicity, that the only consideration that people pick for coding a virus is marketshare of the target.

It does nothing of the sort.

When you can come up with a single good reason why market share is NOT a significant factor, let me know.

Re:You cannot use viruses/bugs as an example of co

It goes farther than that. In some industries, you cannot distribute security updates until they're proven safe. (Ask Pfizer about that....)

Re:You cannot use viruses/bugs as an example of co

[Arthur+Grumbine]

Believe it or not, there are a whole lot of Microsoft users and some of them like their products. Automatically assuming someone is a shill because they speak positively about Windows is just plain retarded.

I am intrigued by your ideas, and would like to subscribe to your newsletter.

Actually, I agree with you but I found the above response more likely to get me modded up, until I destroyed that likelihood with this admission...

Re:You cannot use viruses/bugs as an example of co

[slack_justyb]

Yes and Microsoft's automatic update also brought us wonderful things like IE7 which, YMMV, broke three intranets that I know of in the area in which I live.

But you're missing the point still. Microsoft touts ease. These problems should fix themselves with "ease."

If it won't fix itself with this ease that they sell managers then, I suppose, that they shouldn't market that as the strongest point of Windows.

Head over to Apple and you'll see the same slogan about their server offer. But I'm getting off topic here.

Point being is that something isn't adding up in the world of Microsoft server. They sell that the system will run and that it's the easiest thing since slicing bread. In fact I can send you some of the material that they send to my company if Microsoft's web site doesn't sell you on that point. However, the reality of it is that it is not running forever and ever as they say, it is not as easy as they paint, it is not as compatible as the make out, and it sure as hell isn't as secure as they sell. At some point this is costing someone, somewhere. The idea is if it ain't the security, then why are morons running the show on the server? It may be because Microsoft is telling managers that morons can make this software work. "you may know them as paper MCSEs" Either it's security or the hyped marketing?

Re:You cannot use viruses/bugs as an example of co

Why? Are you happy? Are you Sad, angry, or what? Did you want something modded up or down? WHO THE FUCK KNOWS BECAUSE YOU DIDN'T EXPRESS IT. Instead you bitched about it and added nothing to the discussion.

Your kind is one of the reasons Firefox has to be so fucking fast.

You can avoid much malware by not being admin

[Edgester]

I love Linux, but I have seen a properly run MS network where the users don'es have administrator rights. We have next to no malware problems. so in defense of MS, it can't be included in the TCO because you can avoid it by proper security. The problem is that so many apps assume that normal users are admins, so that makes restricting users very painful.

Huh?

This is news, how, exactly?

Re:You cannot use viruses/bugs as an example of co

[BuckaBooBob]

There are alot of apache attacks out there... it is the dominant webserver... but if your out to pick some fruit.. IIS still has plenty of fruit thats so close to the ground that you don't even have to reach to get at it.. where in apache.. you need a ladder to reach any of the fruit left there.. Plus IIS is a sure sign of an admin that is under the impression MS can make secure software its kinda like a kick me sign...

 

Re:You cannot use viruses/bugs as an example of co

[DrgnDancer]

It makes perfect sense:

Statement: Linux is less virus prone than Windows, thus affecting the TCO of Windows negatively. THis has not been considered in most TCO calculations.

Counter Statement: The only reason Linux is less virus prone than Windows is that Linux is less popular than Windows and less of a target.

Counter to the Counter: I don't care WHY Linux has fewer viruses, it has fewer viruses. I live in a world where Microsoft is likely to continue to be far more popular than Linux for quite some time. Therefore it's likely to stay a smaller target and a lower virus OS for some time.

Re:Cannot use Hubbell as an example of intelligenc

[Runaway1956]

Permissions, primarily. As I sit here in front of my Debian/Ubuntu machine, my user name is "guy". I can do nothing outside of my home folder. I can't infect another user's files, can't touch any system file, can't touch root's folder. There is no C:\Program Files - meaning that I don't have write permissions to ANYTHING outside my home folder. If I wish to install a program on this machine without becoming root, I can install it to my home folder. In such a case, the program has no write permissions outside my home folder. Using any programs that root has installed doesn't give me write permissions even to that program's folder - any data that the program needs to save to my profile, history, or whatever is written inside my own home folder. In fact, I don't have access to all the programs that root has installed. I have to become root to use things like Wireshark properly, or to use the package manager.

With Windows, a limited user has to ActiveX among other things. A limited user can save files to various places outside his home folders, unlike *nix. While the Windows Administrator can lock down a lot of Windows system files, he can't prevent even a limited user from making changes and/or writing files that might be booby traps lying around waiting to be executed by a more privileged user.

While NT variants of Windows are vastly superior to Win9.x in that they actually HAVE a security model, that model doesn't compare with that of any *nix system.

Until I type in my password for sudo or root, I have fewer privileges on Debian than I would have on a limited account on Windows. I can't even open an internet connection - root does that at bootup with a script.

And, to be perfectly honest, I don't NEED privileges very often. I could probably run this account for the next year without becoming root, and manage to do everything I wanted to do, except for testing new programs and updating.

Re:You cannot use viruses/bugs as an example of co

[StuartHankins]

Not this strawman argument again.

Microsoft products have a long history of virus, worm, and bug problems for lots of reasons. One of which is the inability of anyone knowledgeable to review the code quality or to patch security holes. It's a closed-source system and in many cases its defaults leave vital processes vulnerable to attack. Many problems are not solved with an OS-level fix, i.e. buffer overruns. (That was actually quite funny, one unanticipated time when "buffer overruns" and "IE" are in the same sentence and it doesn't involve a Microsoft patch. But I digress.)

Linux systems have been around sufficiently long -- and are in so many things you use each day -- routers, switches, VOIP systems, firewall systems, servers, smartphones, PDAs, palmtop computers and more -- that the track record has been established. The NSA has given Linux its blessing, and recent competitions to try and break SELinux have proven uninteresting. By design it's a more secure system, and because of the quantity and quality of people looking at the code it's able to achieve a higher standard of security.

If you're going to try and hack some user desktops go ahead, Linux hasn't made inroads into the desktop like Windows has. It's the design flaws of Windows to require anitvirus software just to keep the thing alive. But, on the other hand, if you want to try and hack my network, it's protected by a Linux firewall appliance. Note which OS I use when security and stability matters?

Re:You cannot use viruses/bugs as an example of co

[StuartHankins]

Have you seen the MS security bulletins released so far this year? Literally every product has had multiple critical, must-patch-now, privilege escalation bugs. Massive showstoppers. We've spent huge amounts of money upgrading our network just so we can apply the latest MS patches across the WAN.

It must be drugs. That or you are a troll.

Re:You cannot use viruses/bugs as an example of co

[StuartHankins]

In this case, obvious lack of knowledge regarding Microsoft products -- when that's the whole point of this topic -- should result in "troll" or "overrated" moderations. That's how Fight Club works.

err...

Re:You cannot use viruses/bugs as an example of co

[ragethehotey]

And then, do you know what the "T" in "TCO" means? Exactly: that even idiocy must enter the equation.

This is actually incredibly insightful, I never really thought of it this way.

It's the hidden cost of computerization...

[sam0737]

not MS in particular.

Re:You cannot use viruses/bugs as an example of co

[darkpixel2k]

waitasec... #4, www.bing.com, runs on *LINUX*? Man, the kool-aid in Redmond must SUCK.

What's even weirder is that the top 5 servers with the highest uptime are all Windows 2000.

I haven't touched Windows 2000 in probably 5 years, and I've been trying to avoid Windows at all costs for about 4 years....so someone educate me on this: Isn't Windows 2000 unsupported when it comes to security updates? I had a friend tell me a few years ago that his employer (some-mega-corp) had to pay Microsoft over $5,000 just to get them to develop a version of the DST patch for their old Win2k/Exchange2k corporate mail system...

Wouldn't those Windows 2000 servers be a *huge* target?

Re:You cannot use viruses/bugs as an example of co

Sounds to me like something a shill would say!

Re:You cannot use viruses/bugs as an example of co

[darkpixel2k]

>as soon as a breakthrough occurs it's often easy to continue with the penetration. Does IIS scream and moan during this penetration??

That's disgusting. But it did remind me of our morning coffee ritual when I worked for an ISP. We'd all be getting coffee from the machine, and someone would spout off with "I like my coffee like I like my women..." then they'd follow it up with something like "hot and goes down easy" or "dark and bitter", etc...

The only time I ever shot hot coffee out my nose was when one of the techs walked up and slightly changed the mantra to "I like my women like I like my Microsoft webservers...insecure and full of holes waiting to be exploited."

He's kind of a sick fucker. You'd like him.

Re:You cannot use viruses/bugs as an example of co

[darkpixel2k]

not when all you want is bots or just old plain wreaking havoc.

On that note, I'm somewhat surprised more bots don't attempt to fire of 'dd if=/dev/null of=/dev/sda'. Probably because it's very unlikely to get root privs--but that would be a horrible mess. I've tried that on a live box that we had just replaced. Linux ran for a long time before we figured out it was hosed...

And on that note, I'm glad Microsoft doesn't include a command like 'dd' in a Windows install.

Re:You cannot use viruses/bugs as an example of co

[darkpixel2k]

First, that a vulnerability in WebDav, not IIS really. Secondly, it can only be exploited in IIS 5.1, which is the windows XP version of IIS. No serious host is going to be serving pages from XP, nor would they leave WebDav enabled.

How about:
No serious software company builds a webserver for a workstation OS.
or
No one would ever run IIS on a $120 copy of Windows XP when they could go out and spend $800 for Windows Server.

Interesting

[CaptainTux]

It always baffles me how supposedly good tech people can jump on whatever bandwagon happens to be popular at the time. Take, for example, the 'Let's Hate Microsoft' one that currently seems to be all the rage.

I've been involved with computers since I was 9 years old (I'm 34 now) and I've used Windows since its very earliest version. When I was a noob, I got viruses and was hit by just about every worm that went around. Then, I took the time to learn about good computing habits, proper security, and sensible practices.

On my Windows XP systems I don't run an AV at all, I run Internet Explorer 8, I use Outlook, and all the other supposedly 'deadly' things that make Windows so insecure and dangerous. I occasionally will download an AV and anti-malware programs 'just to be sure' always expecting to find stuff. You know what? I never do!

In the last five to eight years, I have *never* had a virus or worm hit my computer. I don't get spyware, I don't have popups all over the place, and I don't have those ungodly messes of toolbars that you see many Windows users having on IE. Why? Because I took the time to learn proper security, best practices, and don't do stupid stuff. I also keep my system patched.

The fact is that a properly patched, secured, and managed Windows system is just as secure and stable as Linux. So then, why does it seem so many Windows systems seem to fall under the crush of malware?

Users.

Look at the statistics. For most of the major viruses and worms that have been out in the last few years, Microsoft has often had a patch available for the vulnerability they exploited before the software was in the wild. Sometimes, they've had patches available for months or even years. Yet users who listen to the anti-Microsoft drivel of 'they're trying to sneak stuff on your computer' become so paranoid that they choose to either turn off auto-update or they 'selectively' choose 'safe' updates without a good understanding of what the others do. The upshot is that they, through their actions, leave their systems vulnerable.

Now, to be totally fair, I'm also a Linux user (desktop and server Ubuntu and a few Fedora systems) and they are pretty rock solid. But it's easy to say how secure you are when you're in the minority and nobody cares enough to really attack you by writing malware for your platform. Linux also tends to attract a more sophisticated and technically savvy user base than Windows so it's a bit dishonest to compare the two. If all Windows users suddenly migrated to Linux and brought their computing practices along with them, guess what? We'd see a LOT of problems with Linux systems too. So, no, comparing isn't totally honest. But, if we are, we can *easily* find examples of vulnerabilities that were exploited in *nix software and used to own systems.

The simple fact is that *no* operating system, Windows or otherwise, is secure until you choose to make it secure. It doesn't magically happen. USERS have to take the initiative to be proactive about their systems.

It's very popular to jump on the "Let's hate on Microsoft" bandwagon. Everyone seems to be doing it. I've run into a lot of people who told me "Oh I wouldn't use Windows if you paid me. It's crap" yet when I asked them what exactly their complaint was they would mumble something about 'security' but couldn't go into any details. Why do you think that is? It's because they didn't *know* any details! They just heard the rhetoric and thought spewing it forward made them seem knowledgeable and cool.

It doesn't. It makes them sound stupid and uninformed.

So consider this: next time you want to talk about how much you hate Windows, ask yourself this: why do *you* personally hate it? Have *you* had bad experiences with it or have you just read all the hype and made your decision based on that? Have you educated yourself about proper system care and management?

If not, look into it. I think you'll find Microsoft is doing a pretty bang up job with security these days. The chants of 'Linux is going to OWN Windows' are fading away.

I love Linux but I can't say I hate to see the zealots go.

Hmmm

[madcat2c]

They do know that malwarebytes is free right? $30 bucks if you want it to monitor the pc?

Re:Viruses proportional to installed user-base

[godrik]

mmm, I am not sure it is only a matter of number of machine you can infected. But a cost/efficience analyze such as in "one hour of work, how many machine could I infect". My point is that if there was twice much Linux than Windows but requires ten times more effort to infect them, you'll probably stick with infecting Windows since it is more efficient.

Re:You cannot use viruses/bugs as an example of co

[aztracker1]

Perhaps you could present something more relevant to today..? Also, how much customer info has been exposed under various insecure systems over the years on given systems? There's a lot more damage from being hacked than from a typical worm. And there are plenty of people who break into *nix systems.

I know a lot of redhat (6?) ops that were hacked around that same era. Also, a worm does not equal pwning a server.

Re:You cannot use viruses/bugs as an example of co

Comparing software to a car is apples to oranges. A car doesn't interact with anything and is completely self contained given proper maintenance. If there is something wrong with it, you don't have some jihadist overseas trying to tires fall off as you drive down the highway. Software on the other hand has to interact with hundreds of things, many of which were written by third parties. If software companies put out software that was perfect and worked with everything, no one would be able to afford it, you'd never be able to upgrade it, and you all stupid people in the world would need to be shot. Getting software to work properly isn't that hard and time consuming until you start adding functionality, backwards compatibility, and idiot proofing. Finally, You have to keep in mind the people writing the spyware are getting paid alot more than the people fixing it.

Re:You cannot use viruses/bugs as an example of co

[godrik]

Is this information really pertinent ? It is the summary of the most requested website through netcraft as far as I understand. if you look at the highest uptime recorded by netcraft at http://uptime.netcraft.com/up/today/top.avg.html then you only see IIS servers. High uptime rhymes with stability. There is certainly an explanation (security update may requires reboot or stuff like that). But it makes me wonder if the stat is relevant. Someone ? Any clue ?

Re:You cannot use viruses/bugs as an example of co

[aztracker1]

OSX has been hit, there's a couple pretty significant botnets in OSX, and it probably has a lot to do with a relatively consistant platform, with relative popularity.

Re:You cannot use viruses/bugs as an example of co

At the risk of sounding like I work for Dilbert's company, we have a product demo and training machine that is serving pages using XP. Tomcat is the server, so it's not quite as bad, but still...

No, I didn't do it, and I'm charged with fixing it. But we did it. Has SQL server for the user data, too.

Re:You cannot use viruses/bugs as an example of co

[dbIII]

Trust me on this, for I know of which I speak.

Perhaps not:


Ring ring.
I.T. support here.
Hi, this is Velma - I just got this attachment in the mail called "Happy_Puppy.sh" and it told me to do "chmod+x Happy_Puppy.sh" and change SElinux to disabled by editing "/etc/selinux/config" but I need the root password for that. Can I have the root password please?


Now do you get some idea of what we are all talking about here?

Oh really

but it's not like Linux doesn't have any malware written for it.

Citation please. Funny last time I ran SpybotDS on a machine it scanned for over 500,000 known pieces of malware. What is there less than 10 for Linux?

In Linux IF a Users space does get infected it takes maybe 30 mins to clean it up compared to sometimes a full day cleaning a Windows machine. Add that to your TCO calculations.

Re:You cannot use viruses/bugs as an example of co

As an IT guy you would also be aware there is a world of difference between server updates and desktop updates, The majority of attack vectors are on the desktop from both bugs and bad users, pushing out updates to the desktop is not an onerous task and is rarely going to cause mission critical outages unless the IT staff are total plonkers. Our server patches can take 4-8 weeks to deploy due to testing, our desktop patches rarely take more than a few days to deploy and that is with 10k desktops and around 2.5k servers (lot of large internet farms). There has not been a major virus outbreak in many years that would not have been prevented with god patch management and proper network controls, my org got hit badly 9 years ago, this forced us to look carefully at patch management, since then we have had nothing but the odd isolated incident of users bringing in virus's that never got paast there desktop.

Re:You cannot use viruses/bugs as an example of co

[DeadboltX]

IIS is more common than apache on unmonitored, non-firewalled, home pc's, and thus a more suitable target for zombie botnet hoarding.

Re:You cannot use viruses/bugs as an example of co

[Daengbo]

Defacing a poorly written PHP app on Apache is just the same as hacking the same app on IIS. That's got nothing to do with the web server, and certainly nothing to do with the kind of exploit we're talking about here.
 

the poor security practices in the platform are beginning to be exploited...

Oh, yeah. Apache in a chroot, SELinux, and AppArmor make for poor security practices. Friggin' swiss chesse, that is!

Good luck doing anything further than exploiting the code in the web app. You're stuck serving drive-by downloads to unaware WinXP users.

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

Oh, yeah. Apache in a chroot [seaoffire.net], SELinux [beginlinux.com], and AppArmor [novell.com] make for poor security practices. Friggin' swiss chesse, that is!

Security retro-fitting is all lovely and all, but it's still POSIX. It's conceptually insecure and will never really stand to a concentrated attack.

Realistically, the platforms are similarly secure. Linux has never been terribly impressive security wise, comparatively. Just culturally.

Re:You cannot use viruses/bugs as an example of co

[dgatwood]

Which brings up the obvious question: why would any OS allow a user-space tool of any kind to perform writes to a block device for a drive with mounted volumes? There's no reason in the universe for an OS to allow that to occur. Similarly, there's no reason to allow writes to the block device for any mounted partition....

Re:You cannot use viruses/bugs as an example of co

[Daengbo]

Do you know anything about SELinux? IT's not retrofitting. It's in the kernel. There's no getting around it.

Vista was much more secure than XP, and Win7 is secure, as well, but Win7 already has an exploit in UAC that can't reasonably be fixed, and Win7's not even out yet.

I don't think you know what you're talking about. If you offered facts instead of hand waving and attempted Jedi mind tricks, people might take you more seriously.

Re:You cannot use viruses/bugs as an example of co

[darkpixel2k]

Which brings up the obvious question: why would any OS allow a user-space tool of any kind to perform writes to a block device for a drive with mounted volumes? There's no reason in the universe for an OS to allow that to occur. Similarly, there's no reason to allow writes to the block device for any mounted partition....

I think you miss the power of Linux.
A year ago, I had a linux box that was dying that *had* to stay up and running. (Why didn't they have a cluster or something?) I grabbed an identical machine, mounted the nfs backup share and did a 'dd if=/dev/sda of=/nas/machine.img'. I installed Linux on the identical machine (this was before the Ubuntu Live CD existed), mounted the nfs share and did a 'dd if=/nas/machine.img of=/dev/sda'. Then I did a 'reboot -n'. Aside from a few corrupted /tmp files, the machine booted without any problems and has been in service for a few years now.

Try restoring over top of a running copy of Windows.

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

I don't really worry about people taking me seriously on slashdot...

SELinux is a retro-fitted Mandatory Access Control and Group Policy Scheme... that's it.

Windows has had fine-grained ACL's and group policies forever (especially accessible ones for the enterprise) and NT 6 has a very decent Mandatory Access Control system.

I am tired of Linux types acting like SELinux is magical and somehow anything more than bringing Linux to the security sensibility of MULTICS, which had MAC's back when UNIX was still basically a hacked up computer virus.

There's nothing offered in the retro-fitting solutions you've described that aren't available in NT 6. All I see is a deficiency in terms of anti-exploit code and a better use of NX-bit based technologies in NT.

Re: Not true

As far as I know, Conficker can install itself even if you aren't in the "Administrator" group. I know a company where this has happened, and all active users were "Power Users" at most. I'm not entirely sure how Conficker "got in", but it spread to other clients via network. Doesn't the service being exploited run as SYSTEM, anyway?

Re:You cannot use viruses/bugs as an example of co

[jwhitener]

I've seen more than 1 automatic windows update break server software running on the system. I've also seen Solaris, various distro's of Linux, HP-UX, and countless other operating systems break software running on them when a patch is applied.

Because of that, any sane system admin will test patches before applying them. If you discover that a patch breaks mission critical software on your test systems, you cannot apply the patch. You must wait for either your vendor or Microsoft to come up with a resolution. In the meantime, the business must go on.

Given that it is a fact that Microsoft systems are targeted more often for viruses/worms, and given that it is a fact that some system patches will break software, I really do not understand how anyone could defend windows as servers in a serious business.

If I can't apply a patch on a unix system because it could break software, 9/10 times, it is some obscure bug that really isn't that big of a deal remaining unpatched for a month or so. If I can't apply a patch on a windows system, more often than not, it is a HUGE risk.

Mission critical, for me, means not having to patch often, and being able to skip patches from time to time.

Of course, if all you run is windows products, it generally OK as patches are largely tested across their product line. Try running anything custom or outside microsoft, and you run into trouble.

Re:You cannot use viruses/bugs as an example of co

[Haley's+Comet]

Not that its exempt, its that should people target Linux as much, the figure would likely be the same.

Are you taking into account that certain vendors (Linux distributions) are never synchronous in kernel/software versions? So that the hack/virus that worked yesterday may not work today? Or the flip side: the hack/virus that works on an update may not work in a previous version? This is the greatest reason, IMO, that viruses are not common in Linux systems. The fact that binary incompatibility [is/may be] there can be enough to discourage.

Hey, maybe they can just put their virus/malware/rootkit/botnet in CVS/SVN etc. so that we could compile it ourselves to ensure compatibility?

Re:Cannot use Hubbell as an example of intelligenc

[TheThiefMaster]

A limited user on Windows (since 2000 at least) can only write to his own folder too. Seriously. At least, as long as you're not stupid enough to use a filesystem that can't do permissions.

A "power user" gets program files write access so he can run crap old programs, and an administrator gets write access to nearly everywhere by default (a couple of places are locked to system accounts, which I'm not so sure I like).

Re:You cannot use viruses/bugs as an example of co

Your post might give the reasons why there are more viruses for Windows (although I would dispute your explanation) but the reality is that for whatever reason, Windows has much more of a problem in this area.

I must completely agree with this. In the same way that FOR LINUX - I do not care if it is the blame of the hardware manufacturers, or the blame of the kernel developers for the lack of drivers. Or that I do not care if it is the program developers or the unfriendliness environment for commercial apps.

FOR WINDOWS I do not care if it is the blame of the OS, or the blame of web developers or the blame of anti virus vendors, the fact remains that the system is more prone to crapware.

xtracto

Re:You cannot use viruses/bugs as an example of co

[IrquiM]

Not that its exempt, its that should people target Linux as much, the figure would likely be the same.

You do not understand Linux security, do you? It will increase, yes, but i doubt it'll "likely be the same".

Re:Cannot use Hubbell as an example of intelligenc

[IrquiM]

If you can claim that insecurities aren't part of cost of MS products, then we can claim that consultants are not a part of the cost of FOSS! :-)

I see no issues here!

Re:You cannot use viruses/bugs as an example of co

Actually, I do find that hard to believe. I am writing this on windows 7 on an Eee1000. I have to pause typing every few secoonds to let the computer catch up. The hard drive light is on constanly. This morning it wouldn't boot because I left an SD card in the slot. Although it appears to boot quickly it was 10 minutes after the desktop appeared before I was able to surf the web.

This same computer runs ubuntu like lightning.

Do people really like this stuff?

(this post took 5 minutes to write)

Re:You cannot use viruses/bugs as an example of co

[wiz_80]

I did have my own fun with it. One of my systems ran Apache on Linux with Samba (server and client). I wrote a CGI with the name and path of the Code Red URL request. It returned a 404 response through Apache (as would a standard Linux system), but I had it generate a WinPopup message sent back to the offending system to the effect that it was compromised.

I did the exact same thing! My Apache on HP-UX servers were fine, but the logs were overflowing with crud from Windows webservers. I also got to find all the test boxes under people's desks which they had not thought to tell me about. Adminning for a department of developers is *fun*.

I also started writing a tool to remote-fix the affected systems automagically, but gave up after I realized it would be more trouble than it was worth.

You have to ask?

TCO means Total Cost of Ownership, wasn't it? So what part of Total Cost isn't clear here?

Considering the fact you cannot possibly have thought about all possible costs and thus your TCO calculations are guaranteed to be off and meaningless might enlighten you. Maybe not your manager, even though that sort of thing is in his job description.

Yes, I think TCO is a sack of lies, why do you ask?

test

I run dual boot vista/ubuntu at home. There was a time a few years ago when I needed visual studio, sql server, etc installed. But now, I only use it for games (vista) and downloads (ubuntu). After I lost data from a hd crash 1 year ago I started to use gmail and office online (google docs). So I basically use whatever I feel like at the time. Both systems have antivirus installed, are updated constantly. Vista has also 3 antimalware, spyware apps running. At this point it makes little difference to a common user to use windows or linux. Both have achieved enormous complexity and require some level of knowledge to use. I do feel personally that Linux is becoming more easy to use and windows more complicated to use. Nevertheless, for experts on windows it doesn't make much difference. But It's my opinion that some MS products have evolved with intelligence and others are sinking rapidly in terms of easy of use. Right now, windows' reputation for being easy to use is their primary sell factor (to home users). Professionals use it because they have no choice. BUT, Ubuntu IS FREE. So that is a big deal.

Re:Cannot use Hubbell as an example of intelligenc

[drsmithy]

Permissions, primarily. As I sit here in front of my Debian/Ubuntu machine, my user name is "guy". I can do nothing outside of my home folder. I can't infect another user's files, can't touch any system file, can't touch root's folder.

So, just like Windows then ?

There is no C:\Program Files - meaning that I don't have write permissions to ANYTHING outside my home folder.

Regular users in Windows do not have write privileges to %PROGRAMFILES%. At least, not by default.

If I wish to install a program on this machine without becoming root, I can install it to my home folder. In such a case, the program has no write permissions outside my home folder. Using any programs that root has installed doesn't give me write permissions even to that program's folder - any data that the program needs to save to my profile, history, or whatever is written inside my own home folder. In fact, I don't have access to all the programs that root has installed. I have to become root to use things like Wireshark properly, or to use the package manager.

Again, just like Windows.

With Windows, a limited user has to ActiveX among other things. A limited user can save files to various places outside his home folders, unlike *nix.

Where ?

While the Windows Administrator can lock down a lot of Windows system files, he can't prevent even a limited user from making changes and/or writing files that might be booby traps lying around waiting to be executed by a more privileged user.

Of course he can.

While NT variants of Windows are vastly superior to Win9.x in that they actually HAVE a security model, that model doesn't compare with that of any *nix system.

Actually, that security model is superior to traditional UNIX. It is both more comprehensive and more capable.

Until I type in my password for sudo or root, I have fewer privileges on Debian than I would have on a limited account on Windows. I can't even open an internet connection - root does that at bootup with a script.I have no idea what you're trying to say with "open an internet connection", but rest assured a regular user in Linux can make outgoing network connections by defaut in pretty much any non-locked-down distro.

Re:You cannot use viruses/bugs as an example of co

[M-RES]

Try restoring over ANY copy of Windows! ;)

Migration costs are a one off.

Licensing and clean up costs go on for ever.

Re:You cannot use viruses/bugs as an example of co

[hairyfeet]

That's works fine in some giant corp, but what about an smb? What if Velma is the boss?

True story, my buddy Glenn nearly got fired out of a cushy admin job because he went over his PHB manager's head. Here is what the PHB told him-"You have NO RIGHT to tell me who I can speak to! I am YOUR BOSS and I ORDER you to let all my emails from Melissa through right this minute or YOU ARE FIRED!"

If the PHB had been the head, or if the guy above him wouldn't have had a brain? Glenn would have been out on his ass. The simple fact is you can't protect the stupid and the greedy from themselves, no matter how good your security is. That is why social engineering works. As long as the user wants to see the bunny unless you have given them a thin client with no rights at all they WILL see the bunny. They just don't care about security as much as they do the bunny. Again, that is human nature.

But if you think having all the Velma's of this world on Linux won't turn it into a malware invested swamp, sorry but your friends at the RBN and their friends in Nigeria and China simply haven't bothered writing for you yet. Windows has all the Velmas and they are easier to trick than a Linux admin. But if you bring them, they will come. Oh yes, they will come.

Re:It is the hacker's mentality.

[VulpesFoxnik]

Using initscripts should get the job done on most systems; however this requires root access.

Re:You cannot use viruses/bugs as an example of co

[JeffMurdoch]

If that means that Apache is more popular, then http://uptime.netcraft.com/up/today/top.max.html would mean windows is more stable?

Re:You cannot use viruses/bugs as an example of co

[drsmithy]

One of which is the inability of anyone knowledgeable to review the code quality or to patch security holes.

You mean apart from the thousands of people Microsoft employ specifically to do that ?

By design it's a more secure system, and because of the quantity and quality of people looking at the code it's able to achieve a higher standard of security.

What design is that ?

It's the design flaws of Windows to require anitvirus software just to keep the thing alive.

The only "design flaw" that requires an antivirus is the one sitting in front of the keyboard.

Re:You cannot use viruses/bugs as an example of co

[SpooForBrains]

Not to mention these comparisons rarely include training users to use Windows. In most shops it's just assumed that people will know how, and generally, they don't. They know the bare minimum required to be able to use email or hammer out a Word document.

I've never been in an organisation (ever) that has had a training programme in place for their Windows systems.

In fact, if you factor in the cost of training users to use the OS properly, then you also have to factor in the savings from then having users who know how to use their computers.

Re:You cannot use viruses/bugs as an example of co

The table you provided does not say anythimg about the popularity of Apache. (or IIS)

It shows how often Netcraft was asked about the state of a certain server. This could mean that Apache owners are more paranoid to know whether their machine is up. This could mean nothing at all.

It certainly does NOT mean that bing.com had 1893 search requests in the last 30 days and google.com had 1068. These numbers just show how many times somebody typed the server into Netcraft's "What's that site running?" window.

What is it about statistics that makes people so confused??

the hidden cost of malware

[viralMeme]

"It always baffles me how supposedly good tech people can jump on whatever bandwagon happens to be popular at the time. Take, for example, the 'Let's Hate Microsoft' one that currently seems to be all the rage"

Like where, what 'tech people', give samples .. and what has any of this got to do with the TCO of cleaning up Microsoft Malware?

Re:You cannot use viruses/bugs as an example of co

so someone educate me on this: Isn't Windows 2000 unsupported when it comes to security updates?

That would explain why they haven't needed to reboot.

Re:You cannot use viruses/bugs as an example of co

[JAlexoi]

A true story. Last time the IT department pushed a critical MS patch through to the users without testing, we had 2 departments sit idle for 3 days because their critical systems were down. We have another department solely on Linux, and they have less issues with those.

Another beat up

Im a consultant who does the vast majority of my (and my guys) work with the MS platform.

Open source is great, but the MS platform is good too, its just managed very poorly.

Without reservation i accept that MS documentation is poor... in some cases very very poor, but that doesnt change the fact that this doesnt happen in network run by competent admins. So many networks are run by absolute luddites who dont have the first clue about basic concepts - and whatever product they are running gets the blame for it.

MS doesnt help the situation, but comments like this are just a drum for the anti-microsoft crew to beat - nothing more.

Re:You cannot use viruses/bugs as an example of co

A comparable process for software, lets see:

1. The environment may change. Suddenly your server doesn't have to serve 100 clients but 1000 clients. Processes change and you have to modify the software configuration to match this. Noone ever expects a Honda to do anything else but drive from A to B.

2. Things outside the software can break. You can't write software that recovers from every kind of failure automatically.

3. People might deliver wrong input. A program can't always know if the input is wrong. Fixing the errors caused by that definetly requires human interaction. Like deleting wrong records from a database.

Really the main problem of software is user interaction. I have written software that works reliable for a decade. Because noone ever touches the computer it works on. They hardly know on which computer the software actually runs, they just see every day that it does its job.

Re:You cannot use viruses/bugs as an example of co

[dbIII]

Consider the middle of the example and the hoops that have to be jumped through to bypass security instead of the thing just suddenly running when you click on an attachment. That is the lesson. Remove all references to linux and apply it to any OS other than the Microsoft ones and you'll see similar barriers. Clicking on a box to get rid of it is normal behaviour on the Microsoft platforms and unfortunately changing system settings or bypassing security look very similar to normal behaviour to most users. On other platforms changing system settings or bypassing security present themselves differently and look like the rare events they should be which makes people nervous and ask for help if they don't know what is going on - which is exactly what you want if you want to keep malware off systems.

It's all moot anyway since malware is currently only MS Windows compatible. I've seen your argument that we'll all be buried under linux and mac and solaris viruses for about 15 years - and we're currently at a point where there are an incredibly large number of juicy targets for malware in the form of ADSL modems with linux on them. The popularity is there, so where is the malware? The answer is that it is all on the soft target until Microsoft take things seriously, which may well be soon since the malware plague is now well beyond the bounds of bad science fiction and is getting a lot of mainstream press.

solved linux printing with windows only printer.

[blackest_k]

I was a little intrigued by your Cannon problem, having hardware that isn't Linux compatible is a problem especially printers. Obviously you would choose a Linux/ OSX compatible for your next printer but you don't want to throw out your incompatible problem.

One way would be to run windows in a VM and then print in the VM, usb devices can be passed to the guest OS even if the host has no driver.

However I have an alternative (which might even work with a windows guest in a VM).

The simple answer is to print to file as pdf or postscript and then give the printfile to a windows PC to print the document, however that still requires someone to get on the windows PC and print the PDF.

Whats needed really is something running on windows which will automatically print the printfile, theres a number of pay options which would cost more than a Linux compatible printer but then I found this
http://www.lerup.com/printfile/descr.html

A free utility to automatically print files,

So print in Linux to file (probably printing to a file on a windows share) then then Printfile takes over on the windows side and prints the file out.

Networking printers isn't new but this is a useful twist.
hope you find it useful.

Re:You cannot use viruses/bugs as an example of co

[skolima]

A year ago, [...] (this was before the Ubuntu Live CD existed) [...] machine booted without any problems and has been in service for a few years now.

A year ago, before Ubuntu Live CD existed...

Re:You cannot use viruses/bugs as an example of co

you cannot infer that apache is more popular than IIS simply because more people have requested uptime stats for linux servers than for windows servers on netcraft.

unless you meant to say "apache is more popular than iis in terms of people requesting uptime data from netcraft".

for one thing, people running IIS clearly don't care about uptime, or they wouldn't be using IIS (*ducks*)

Thats a good sig....

[Barsteward]

"I like my women like I like my Microsoft webservers...insecure and full of holes waiting to be exploited."

Re:You cannot use viruses/bugs as an example of co

[plague3106]

Sure. But lets be fair, what's the cost to keep Linux fully patched as well?

The cost is exteremly minimal too; setup WSUS, set it to auto-approve all security updates, and a simple group policy change. No further costs needed.

This is the setup we run here, and conflicker was never even a concern for us. To be safe, we set a deadline to install the patch.. we picked the day before. Every computer in the company had the patch by the next day.

Re:You cannot use viruses/bugs as an example of co

[plague3106]

Fine. Show me where this has been a problem. I'm not so sure a rushed out patch is better than none at all either.

Re:You cannot use viruses/bugs as an example of co

[plague3106]

The problem today is people NOT KEEPING UP WITH PATCHES. Even the conflicker problem the patch had been available I believe for at least SIX MONTHS. Oh, and as I manage the patches here, I actually do read what they do. The overwhelming majority are LOCAL exploits.

Oh, and the "patches flying out" also include most MS products, not just the OS.

Finally... if you had a clue, you'd know that patch counts are a terrible way to measure the security / insecurity of a system, as they represent only known issues.

Re:You cannot use viruses/bugs as an example of co

[plague3106]

Ah, well since software isn't a physical thing, there should never be a need to change the software. That's why we still have the Linux kernel at 1.0, right? Oh wait, we don't, because we found better ways to do things, we've added more features, and oh the internet is a hostile place and people make mistakes. THAT'S why software needs maintence. The notion that software for some reason should not require maintence, when every other man-made thing does, is stupid.

Re:You cannot use viruses/bugs as an example of co

[plague3106]

When I write a piece of software that's it done. I don't expect to come back a week, or a month or even years later and find that it's seized up. It should work exactly the same as it did the last time.

See, this is where most of the people here go wrong. That's only true given the EXACT SAME IMPUTS. Personally, I don't see the value of a computer processing the exact same inputs day in and day out.. as that WILL give the same results, and why would we want THAT? No, we use computers to process NEW data all the time. New quotes, new engineering tasks, new radio signals, etc.

So yes, you can write it once and be done if there are no inputs. But most useful software operates on arbitrary data and that's where the complexity comes in. That's where the bugs show up. As an engineer, you can build a bridge that hold 100 tons, and KNOW it will hold less than 100 tons without any testing. Unfortunately, software isn't the same. A hidden edge case may present only for a small subset (or even single value) of data.

So yes, the bits don't rot, but the inputs are always changing and that's the challenge in building software. I'll also point out that invalid inputs are the very nature of exploits... that's where software typically fails.

Re:You cannot use viruses/bugs as an example of co

[plague3106]

Yes... you include basic maintence. So including the cost of keeping the system up to date is fair in both Windows and Linux. Counting the cost when you DON'T (as in, the cost of cleaning up conflicker because you FAILED TO DO BASIC MAINTENCE) shouldn't be included in either.

Re:You cannot use viruses/bugs as an example of co

[Hyppy]

The extra work associated with keeping a Windows-based business secure enough to not be affected by worms, viruses, and malware is not free.

Re:You cannot use viruses/bugs as an example of co

[BobMcD]

Odds are, however, you are using the 'crunchy shell' defensive practices that Windows requires. This is what I mean by 'incomplete'. You would not be as safe from Cornflicker without your perimeter because of the way WUS works.

On the other hand, while not recommended, it would be far more reasonable to run a group of linux boxes without those defenses. And, to be fair, I expect this to also be true of Windows 9, 10, or maybe 11.

That being said 'we did not get cornflicker' isn't likely to be a fair measure of the two OS'es.

Already asked at get the facts and ignored.

I asked this question about TCO many moons ago at the get the facts conference, to see if they had included this in their figures. Guess what? They avoided answering me directly but told me about what was included and quickly moved on.
So yes, TCO with malware appears to be far higher.

Re:You cannot use viruses/bugs as an example of co

Probably the best argument I have ever heard. I am a reasonable proponent of MS and *used* to believe in "yadda yadda MS has 90% market share so that's the reason it has malware yadda yadda". But, your counterpoint is very thoughtful and has helped me think better. Thanks!

Re:You cannot use viruses/bugs as an example of co

[mcgrew]

It turns out that at some point, they had enabled their web admin interfaces and, as a result, that had started IIS (quietly, in the background, without their knowledge). Worse yet, it was started in some default configuration that left their systems wide open to all sorts of unauthorized manipulation.

You make IIS sound like a trojan.

But..

Not that I'm a MSFT proponent, but...

As any OS grows in popularity, so does the malware. If people exercised common sense, most of it would never affect anyone.

And if we want to start hidden cost wars, the cost of doing installs and updates on linux probably offsets this one on MSFT. Mac I'm not familiar enough with to compare, but I'm sure it has it's holes.

Re:You cannot use viruses/bugs as an example of co

[mea37]

"Actually, I am being cynical, not myopic"

Oh, really?

"in 30 or forty years it may become a problem, but by that time I will have retired"

That's the definition of myopic.

"In addition, many of the "costs" Microsoft calculates are in fact dependent on Linux being less poopular "

I never said MS's TCO estimates were valid. What I'm saying is, it's wrong to answer a lie with a lie.

Re:You cannot use viruses/bugs as an example of co

[mea37]

"But if that's the case, it will be *then*, not *now*."

Exactly. LIke I said, myopic.

"For me, having about 200 Linux systems, both servers and PCs my "background noise" says "malware-related costs to-date: zero". "

Either you think the future will be exactly like the past, in which case computing may not be the field for you, or you didn't understand the point I raised.

"but, hey, let's inflate this number "

NIce straw man. What I said is, this metric is not valid for comparison because we don't have valid measurements for both sides of the equation. Accusing me of trying to "inflate the numbers" when I said no such thing shows considerable bias.

Re:You cannot use viruses/bugs as an example of co

Your arrogance will be your downfall.

Your faith in your friends is yours.

Re:You cannot use viruses/bugs as an example of co

[darkpixel2k]

A year ago, [...] (this was before the Ubuntu Live CD existed) [...] machine booted without any problems and has been in service for a few years now.

A year ago, before Ubuntu Live CD existed...

Sorry, I meant to say 'A few years ago'...

Re:You cannot use viruses/bugs as an example of co

[mea37]

"Not this strawman argument again."

Apparently you don't know what a strawman argument is. Unless of course you can point out where exactly I misrepresented an opponant's position so that I could attack a weaker argument than the one he or she was posing.

"lots of reasons. One of which is the inability of anyone knowledgeable to review the code quality or to patch security holes."

I wonder if you've actually interacted with any of Microsoft's technical staff. From your attitude, I'm going to guess not. (It may save you some trouble to know that "technical staff" does not mean "first line tech support".) I have on a number of occasions (mostly a few years back), and your characterization that they ahve nobody knowledgeable is laughable.

As for the rest of your comments... Citation Needed.

As you yourself point out, user desktops are a different environment from appliances and servesr. Show me a apples-to-apples comparison with each type of software being used in the same environment, or STFU.

Re:You cannot use viruses/bugs as an example of co

[ground.zero.612]

Perhaps.

Re:You cannot use viruses/bugs as an example of co

[gurps_npc]

I noticed you cut out the one sentence where I actually proved you wrong. Again, I bet most bosses will NOT listen. As for 30/40 years - If you seriously think you know enough about what software is going to be like in 30-40 years to base business decisions on it, then you should quit posting on Slashdot and spend your time working on more important things. Basing your business decisions on what happens this year instead of 5-10 years would be myopic. Basing your decisions on 15-20 years would be far-sighted. Basing your decisions on 25+ years might be prophetic. Trying to base your decisions on 30+ year, in this business is insane and arrogant = megamaniacal.

Caught this late, but have to mention...

[HerculesMO]

As a 'businessperson' who actually implements *nix and Windows systems (I do system design/architecture) it's generally a factor of productivity.

While people can argue the better points of Linux or Unix all they want, the simple fact is that there are higher costs associated with *nix than Windows as well. They don't apply to "viruses or malware" which is an impossible thing to measure. Honestly, if you look at the Secunia.org reports, Windows fares pretty well actually. Imagine if somebody used a DNS attack that was patched two years ago in every Linux distro -- who is to blame? The OS, or the admins?

That said, *nix has a high cost due to administration. It costs me more to bill a *nix SA than a Windows SA. That's how big enterprises work folks, you bill each department for the respective cost back to the business unit. When the business unit sees that the cost of labor for a *nix SA is say, $100/hour and a Windows SA is $70/hour, with a minimum of 200 working hours to implement, plus ongoing support costs -- they generally choose the Windows platform.

Sorry to the geeks out there, but my job is to inform business units on their options, potential benefits and downfalls. There are things Windows does great -- specifically we can build off Office APIs and deploy enterprise applications in a lightning quick manner, that complement the systems we are building or buying. *nix doesn't have that ability, almost everything we build is from the ground up, totally from scratch. That's a LOT of man hours, a LOT of code management, and oddly enough -- a higher cost.

You can do what you want in *nix, but it generally takes longer and costs more. The recurring costs are kind of pushed aside because if you are profiting from that system it pays for itself. However if you spend 2 or 3 months longer to get it off the ground for a *nix system, you've lost 2 or 3 months of PROFIT. That profit generally pays for the recurring costs and keeps your TCO much lower.

The inherent problem here is that people who are techies always look at the technology of *nix as superior -- and in many cases it is -- but forget the whole picture. It's not just about attack vector, or market penetration, or whatever else. We've never had an outbreak (17,000 desktops/laptops) once, because we maintain a strict change control methodology, don't give admin rights to people who don't need them, and ensure we are patching and deploying definitions in a timely manner.

If you fail to implement a proper security policy, fail to adhere to that policy, you are going to have disasters whether you have a *nix system or a Windows system. And for the Windows vs *nix arguments well... they are idiotic. Use the best tool for the job that you feel gives you the best TCO. Until *nix steps up its game and comes out with something better than OpenOffice for enterprise application deployment (want to know how fast we can deploy something to Sharepoint, have it integrate with Office 2007, and everybody be productive, versus *nix?) then this argument will relegate *nix as what I normally deploy to the backend (Oracle for us, generally), and Windows to the frontend.

Businesses work in dollars, not technical arguments. I'll use *nix tomorrow if I think that it will be more profitable in the long term. But when most of you here dismiss profit and turnaround, plus support costs, then the argument you're making is pointless.

Re:You cannot use viruses/bugs as an example of co

[hairyfeet]

The "popularity is there"? In what, cell phones? Linux has maybe 3% of the home market, if that. And ADSL modems are running a stripped down Linux kernel and usually little else. I can strip a WinNT kernel down to a little of nothing by using XPLite or server 2K8, but it really wouldn't be useful. You certainly can't compare an embedded kernel with a fully functional desktop. As for "suddenly running when you click on an attachment"? Windows has supported non admin users since the days of WinNT, most users CHOOSE not to run that way. Because by running as non admin you actually have to think a little and learn a little bit about how things work and how and when to use "runas", which BTW Linux needs to have similar functionality but doesn't have by default.

But I've found most users treat the PC like a toaster instead of actually caring to learn anything about it. They really don't give a flying fart about your security if it bugs them even for a second or two a day or gives them even the slightest grief, just look at how MSFT is having to add auto elevate to UAC to keep people from bitching about it. Because to them even "cancel or allow" was more than they wanted to deal with and if you look up UAC the most likely #1 hit will be how to turn it off.

I'm not saying MSFT is great or Linux doesn't have its uses, because it does. It is a great server OS, its intended function according to Red Hat and those that pay millions to maintain it, and it works great in embedded spaces. But for home users it is way more of a PITA than it is worth. When I build a box I set up XP so the user doesn't have to think. The AV/antispy is set to autoupdate and autoscan, patches apply themselves, nothing needs to be thought about at all and you know what? The only time I see a user of one of my builds bring back a box because they have gotten infected they have completely ignored all the warnings and did it anyway so they could see the bunny. The simple fact is you can only do so much if the user has installation rights. After all, I can give a user a stripped down BeOS and it will be 100% safe! Of course they won't be able to actually use it for anything, but hey, sometimes we have to sacrifice for security, right?

Re:You cannot use viruses/bugs as an example of co

[rantingkitten]

should people target Linux as much, the figure would likely be the same.

And you base this conclusion on what, exactly?

2001 "MS is insecure" arguements which are no longer true today.

Right. Windows is a bastion of security these days. Sure.

Re:Cannot use Hubbell as an example of intelligenc

[Runaway1956]

I seem to hear a parrot: "Just like Windows, AWWWK!" Really, the key words in your post are "I have no idea what you're trying to say" so I'll show you a picture. Note the controls I can place on a new user's account.

[IMG]http://i217.photobucket.com/albums/cc226/Runaway1956/permissions.png[/IMG]

In short, NO, IT IS NOT JUST LIKE WINDOWS!!

What the FUCK

I'm sorry, I despise Microsoft more than you do (don't doubt me).

However.

Cleaning up a malware infection is YOUR FUCKING FAULT. You, the stupid ass who infected yourself. Yes, you. The security and integrity of your PC and your data starts and ends with you. You, oh excuse me, I mean I, can run a fully secure Microsoft-based PC. If you can't, you suck, you're sad, get out of the industry, stop blaming other people for your lack of ability.

Idiots.
Guess which AV package I run? NONE.
Guess which anti-malware I run? NONE.
Guess which OS I have been running connected to the Internet for years and it's problem and infection free because of my secure habits? Microsoft Windows XP.
You fucking LOSERS! Learn how to run a computer and maybe you won't fuck your customers and industry in the ass!

Signed,
Not a Stupid Ass

Re:You cannot use viruses/bugs as an example of co

[plague3106]

Odds are, however, you are using the 'crunchy shell' defensive practices that Windows requires. This is what I mean by 'incomplete'. You would not be as safe from Cornflicker without your perimeter because of the way WUS works.

Oh, you mean doing smart things like having a firewall, locking users down, stuff like that? Stuff that you should be doing regardless of the OS, BTW.

WSUS ensures that we can distribute patches easily, and force them to install if needed. Short of the patch not being available (which would be a problem for any linux exploit as well), I fail to see how "the way WSUS works" would be a problem.

Windows isn't anymore inherently insecure than any other OS, nor do you need to do anything beyond what you'd be doing for any other OS. The problems with Windows are with Windows; its 1) Windows widespread adaption makes it the target of choice and 2) there ARE alot of bad Windows admins out there who aren't properly securing their networks properly. Don't blame the software for people problems.

Re:You cannot use viruses/bugs as an example of co

[BobMcD]

Oh, you mean doing smart things like having a firewall, locking users down, stuff like that? Stuff that you should be doing regardless of the OS, BTW.

Are you ignoring the point, or did you miss it entirely?

Again, you do that stuff to mitigate risk. Should that stuff fail, Windows boxes are at a greater risk due to a number of factors.

WSUS ensures that we can distribute patches easily, and force them to install if needed. Short of the patch not being available (which would be a problem for any linux exploit as well), I fail to see how "the way WSUS works" would be a problem.

WSUS fails. Frequently. Boxes drop out of the infrastructure, patches need manual attention, patches conflict with one-another, the product needs constant attention, and end-users need to adapt to the machines being frequently updated and rebooted.

If you're actually using it, as we are where I work, you know all this.

It IS better than what we used to have with Windows. It IS NOT better than the update system offered in, say, Ubuntu. It is also not a reason to assume that Windows is now somehow inherently more secure.

If you want to point at Microsoft's efforts and say 'more secure', aim for Vista or Windows 7. But WSUS does not address the design issues in, say, Windows XP. It simply can't.

Windows isn't anymore inherently insecure than any other OS, nor do you need to do anything beyond what you'd be doing for any other OS.

Which version? It makes a difference. What corporate culture? What's the skill level of the junior admin and/or the helpdesk staff?

Historically, windows makes you work harder for your security. This may be changing, but 'Windows' as a whole cannot yet support the claim you're making.

The problems with Windows are with Windows; its 1) Windows widespread adaption makes it the target of choice and 2) there ARE alot of bad Windows admins out there who aren't properly securing their networks properly.

Look at it this way - can you make a Windows platform completely secure without using another vendor?

How does the nature of that question make adoption an issue? Or admin skill?

Those ARE factors, but if you believe they're the only factors then your security decisions are based on flawed assumptions.

Don't blame the software for people problems.

I'm not blaming the software, I'm blaming the humans who designed it.

Re:You cannot use viruses/bugs as an example of co

[thePowerOfGrayskull]

ure, you may cut down on these malicious code problems by switch to a non-Windows platform (the smaller the market share the logically fewer malware coders for that platform), but you also have to take into account the downside of using software et al. that isn't innately and intrinsically compatible with what 90%+ of people are running.

You're missing the point. In the TCO "studies", these are all taken into account, and gleefully highlighted -- while the additional costs associated with viruses (including expensive subscriptions to enterprise antivirus solutions) are not taken into account at all. Just because this malware is targeted only at the most popular platform does not in any way negate its existence. If *nix became the most popular platform and started seeing the same issues, then that cost would ALSO have to be accounted for but -- but right now, it's not there.

As for these people cleaning up Conficker...talk about a bad example! The vulnerability that Conficker takes advantage of has been patched for what...8 months now?...-snip-

This doesn't change the fact that the cost is very real -- and that large organizations often cannot afford to immediately slap down the latest patch from MS without testing that can often extend for months beyond that patches release. It's clear to me that you're thinking of mom-n-pop shops where it's a simple matter to apply a hotfix. In the real world, where you have tens of thousands of desktops, you MUST be sure that any update, from any vendor, will not impact you in a major way. This means huge regression suites and - above all- time.

As for the rest - sorry, my eyes glaze over when you start insulting as a means of making your point. It's not worth replying to.

Re:Cannot use Hubbell as an example of intelligenc

[drsmithy]

In short, NO, IT IS NOT JUST LIKE WINDOWS!!

Yes, it is. Group Policy will allow you to enact those sorts of restrictions.

Re:You cannot use viruses/bugs as an example of co

[uglyduckling]

What's interesting to consider is the cost of migrating to OS X. Obviously the hardware is more expensive, but there's virtually no malware issue, and of course MS Office is available so most of the day to day stuff doesn't need any extra training. For small businesses, features such as Time Machine and extras such as MobileMe and 'Back to my Mac' may more than make up for the hardware costs for businesses that would use these features. The 'Genius Bar' people are annoying for techie users, but for most small businesses, the convenience of being able to take your Macbook to the nearest Apple store is great.

You sure can sudo gedit

[Nicolas+MONNET]

I do it all the time (never been a big fan of vi/emacs) to edit files through gvfs+sftp.

Re:You cannot use viruses/bugs as an example of co

[Darth_Burrito]

Insufficient counter example.

In server software, popularity is often correlated with stability and quality. A larger market share tends to mean a better and usually more secure product. Those that opt to use better products tend to be better admins or developers or whatever which can also have a positive effect on security. This is arguably even more true when comparing microsoft solutions which are known for nice GUIs to open source tools which are known for text based configuration and heavy customization.

On the desktop, the products with larger market shares are those products that have the least savvy users. When combined with the size of the market, this is clearly the best attack vector.

As an aside, when it comes to desktops, we are a windows shop. An executive (and a very smart one) with a joint appointment recently inquired about replacing his non-domain XP laptop (supported by other area) with a Mac machine managed through our group. One of the reasons he gave was that XP was so horribly slow and his Mac at home booted up so much faster, the implication being Microsoft sucked. I took a look at his laptop and found that there were 50+ startup programs listed in msconfig, almost none of which had anything to do with Microsoft or windows. Since the executive had administrator privileges, it was clear to me that his problems were largely self inflicted. I doubt 1/5th of the crappy startup programs had mac equivalents.

The exec's problem was not with malware per say, but in my experience, most desktop malware infections are caused by users and correlated with market share.

Re:You cannot use viruses/bugs as an example of co

[tmarthal]

That makes sense. Common sense is that they bought a site license from an anti-virus vendor.

So how much is that Norton/Symatec/?? license for those 30,000 computers? Is that part of the Windows TCO, the mandatory virus protection and lcoal system firewall?

An answer from most people running windows is that linux systems should also have anti-virus measures in place, but in my limited experience (only ~100 machines), that was never needed since rarely was root access given out to users.

Re:Cannot use Hubbell as an example of intelligenc

[Runaway1956]

This is getting rather silly.

I want a user locked down tight, so that he may ONLY perform two or three specific tasks, which are part of his job description. I want to ensure the he can't even play solitaire while on company time. So, I create his user account, require him to log in to a chrooted terminal, and he only has those two or three scripts that I make available. Nothing else. Zero interaction with any system files whatsoever - match that with group policy editor.

Yes - I've seen NT systems "locked down" to the point that the user only ever sees the screen from which he is supposed to do productive work. I've also seen unsophisticated immigrants with no technical training at all bypass the locks, to play solitaire on a production machine, and start up Internet Explorer. If ethernet had been connected, he could have downloaded any number of worms and trojans.

Nothing like that has ever happened on our *nix machines. When they are locked, they stay locked, simple as that.

Re:You cannot use viruses/bugs as an example of co

[Khyber]

Did you not read what I quoted? Do you have such critical thinking issues?

I only responded to part of his statement. The part that was pretty much bullshit -

"The oil in a Honda is a physical thing. It will break down chemically over time due to age and heat.

What is the comparable process in a computer?

There isn't any."

He said there is no comparable process to physical component failure in a computer from heat and age. THAT IS ABSOLUTE AND UTTER BULLSHIT and I pointed that out. I didn't respond to the rest of his statement for a reason.

Did you even graduate high school?

Re:Cannot use Hubbell as an example of intelligenc

[Khyber]

Wow, you're a fucking moron. Same games machine is what I use to post to Slashdot.

Unless you have been in my house and know my system setup, I'd suggest you shut the fuck up, otherwise I'll continue to make you look like an absolute idiot.

I don't own an XBox. I don't buy into pay for online play bullshit. I already paid for the game and you want me to pay again to use advertised multiplayer features? Fuck you.

Re:You cannot use viruses/bugs as an example of co

[StuartHankins]

"Anyone knowledgeable" was meant in the context that any able person could access the code to improve it.

And no, I've had very poor response from Microsoft Support over more than 20 years. I wrote my first commercial software -- used by some local H&R Block branches to process payroll -- 28 years ago. I go back to the time when Microsoft gave away their development kits to try to gain marketshare, before OLE was a concept.

As an example of Microsoft's technical support prowess, I give you 2 examples in the past 6 months: Recently it took over a month between HP and Microsoft to figure out why our "supported" EVA 4400 configuration was not working correctly under Windows 2000. Guess what? They don't know why it doesn't work. We did multiple clean installs on new BL460c's and had to reformat and reinstall Windows Server 2003 for the SAN to work. Online resizing? It's in the documents as a feature but it doesn't work even in 2003.

Another example of this supposed prowess: We wanted to migrate from Exchange standard 2000 to Enterprise 2000 (we have a very significant number of CALs that we did not want to repurchase -- it would have been more than $80K wasted). Microsoft could not help. Many Many Many calls were placed and emails exchanged. We ended up having several consultants bid the job but because of their pricing all were rejected.
I'm sure there are some knowledgeable people at Microsoft, but they either don't share their knowledge very well or they don't work in email or phone support. The lack of ability for the company to share information -- when information is the heart and soul of Microsoft -- shows their lack of attention.

Now imagine that you're doing a code review. Feel any better now? What's that you say, you still don't understand?

Then get off my lawn. You don't have the experience to discuss this or you'd be aware of these types of issues. Go back to your help desk job, dream big and work hard and come back to me in about 10 years when you've grown some scruff on your chin.

Re:You cannot use viruses/bugs as an example of co

[StuartHankins]

Microsoft's relatively tiny number of developers have proven time and time again they are not smarter than the average bear, and they cannot prevent attacks and privilege escalations. As an example, lookup any widespread virus infestation and you'll most likely find Windows as the host OS which fails security.

If you don't understand the difference between treating processes like the logged in user and running them with less privs, I don't have enough digital ink to save you. Do some research before you spout off like that, it sounds ridiculous. And a 5-digit ID! What is this world coming to?

While users may cause viruses, most of the largest viruses were spread through Windows and Windows software design flaws, most of them through Microsoft software. Take the privilege issues when previewing an item in Outlook / OE for example. Take launching a browser with system privs by default. Really, look at any of the infestations which have occurred in the past and you'll find a sloppily implemented security practice (or no security thoughts at all) in Microsoft software to blame in the majority of cases.

Will someone tell me why in 2009 we're still seeing so many priv escalations and buffer overflows?

ha

where ever stupid people use a computer
worms will follow

The horny dumb computer man will always click nakedchix.exe

Re:Cannot use Hubbell as an example of intelligenc

[caluml]

Make your browsing even safer.

/bin/su -
adduser -m ff
visudo # you'll need to work this bit out for yourself.
exit
xhost local:
sudo -H -u ff firefox &

Re:You cannot use viruses/bugs as an example of co

Uhm, where are you getting your figures? Seems like IIS has been doing a better job of keeping up on everything. (Figures from secunia.com which seems about as neutral as I can find)

IIS 7 has only had 1 advisory and it was patched, http://secunia.com/advisories/product/17543/
IIS 6 has had 6 advisories and they were all patched, http://secunia.com/advisories/product/1438/
IIS 5 had 17 advisories and all but 1 were patched out, http://secunia.com/advisories/product/39/

Apache 2.2 has had 11 advisories and 2 remain unpatched, http://secunia.com/advisories/product/9633/
Apache 2.0 has 39 adviseries, and 4 are unpatched, http://secunia.com/advisories/product/73/
Apaches 1.3 has 21 and 1 is unpatched. http://secunia.com/advisories/product/72/

Re:Cannot use Hubbell as an example of intelligenc

[Penguinshit]

Now who looks like an idiot?

Re:You cannot use viruses/bugs as an example of co

[sjames]

Or, more to the point: http://news.netcraft.com/archives/web_server_survey.html

The second graph and the table below it tell the story. IIS has never been as popular as Apache.

Re:You cannot use viruses/bugs as an example of co

[sjames]

Actually, Linux has plenty of anti-exploit code. Since 2000, it has gained SELinux, AppArmor, randomized address space (including random stack address), non-executable stack, etc.

The pieces are there for much greater security, but aren't commonly used, such as logs that cannot be deleted except by booting single, etc.

Windows is the low hanging fruit of the exploit world, but Linux (and other Unix systems) tend to be high value targets. Nevertheless, it's the Windows boxes that end up joining the spammer's bot armies.

Re:You cannot use viruses/bugs as an example of co

I am not following your argument, since windows has a higher market share than FOSS solutions it is exempt from malware removal costs?

Not that its exempt, its that should people target Linux as much, the figure would likely be the same.

Also, if you keep up with security patches (like you should, regardless of OS), it becomes a non-issue. This is really just FUD aimed at MS, using 2001 "MS is insecure" arguments which are no longer true today.

Bull. If bad guy X could break into a unix system for the same effort as windows they would, and often they do. This crap logic about how if it was more popular it would be more vulnerable- is just that, crap. One has nothing to do with the other.

Not doing your job....

[DrRiAdGeOrN]

I hate to say it, but if you got hit by large amount of Conficker and are in IT, you weren't doing your job. It might be excusable if you have remote users who never come into the office, but for in-house systems it should have been a non-issue. NMAP scans and checking your system management console for applied patches would have taken care of you, and not waiting till the last minute.

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

Windows is the low hanging fruit of the exploit world, but Linux (and other Unix systems) tend to be high value targets. Nevertheless, it's the Windows boxes that end up joining the spammer's bot armies.

You're talking about home Windows clients maintained by random people running as administrator at all times.

You obviously don't know much about the NT security model, so talking enterprise level NT security would be a waste of time.

Let me give you a quick guide:

SELinux is just a retro-fitted security model. It's a Mandatory Access Control scheme, like what was available in MULTICS in the 60's. Same with AppArmor.

This same technology is available in NT, they call it Mandatory Integrity Control.

Furthermore, Windows has a much stronger Address Space Layout Randomization system... only the most patched-up hardened versions of Linux are even competitive with NT 6 on this front... and they're still inferior.

It's undisputed that NT 6 is more well defended from a direct hacker attacker, specifically remote takeover by hackers because of its more effective anti-exploit code, specifically ASLR.

However, by practice, Windows home users are more likely to be engaging in risky behaviors and running as administrator, etc. If Linux was A) Popular, B) Compatible between distributions, and C) Generally run as root by its users, we'd see the same sort of viruses and exploits. Unix is preserved from this by its lack of popularity on home computers and its security through obfuscation with its incompatibility. So some of its greatest weaknesses become strengths on the apparent security front. If Ubuntu ever breaks 1%, it'll likely become a honeypot for remote exploitation, as Mac will soon be.

An enterprise running a well maintained top-to-bottom NT system will be much more secure against direct attack... not to mention cheaper to maintain. Just look at Microsoft...

Somehow, all the freetards in the world want to hack them and oddly no one succeeds. What you've given me up there is just words, really. You think it's more secure because that's what "people say". If you looked at the comparison of number of deployments vs. successful attacks, NT 6 would dominate.

Re:You cannot use viruses/bugs as an example of co

[sjames]

That's an important and nearly intrinsic cost for Windows (I suppose they COULD declare it to be free beer, but I doubt it).

A very nice thing about Linux is that you never have to re-install to add a service to it. Pick a distro and go with it. If you need to add a capability later, just install the packages. You never get told "Sorry, but this only runs on the SuperServer deluxe special edition".

If you need to rebuild a server, the OS never actively fights you (and accuses you of being a thief).

Re:You cannot use viruses/bugs as an example of co

[Xtifr]

Automatically assuming someone is a shill because they speak positively about Windows is just plain retarded.

Without commenting on whether it's actually "retarded" or not, I'd like to point out that if Microsoft didn't have so many paid shills, then maybe people wouldn't be quite as quick to assume that fans are paid shills.

In fact, in general, if Microsoft were more prone to act ethically and legally, people might not be so quick to assume that the things they do are unethical or even illegal. And you might want to remember: people know you by the company you keep.

Re:You cannot use viruses/bugs as an example of co

[sjames]

That cannot be overstated! Until MS 'innovated', the very idea of a virus you could catch just reading email was ludicrous!

Likewise, catching a virus by opening a document was out of the question.

It's not as if nobody spoke up at the time, but MS laughed it off and assured people it wouldn't be a problem.

This "runas" thing? - been there since 1991

[dbIII]

when to use "runas", which BTW Linux needs to have similar functionality

You keep bringing this up so I'd better address it. In environments such as gnome and KDE you get a similar behaviour to what you see on a Mac - a box pops up with a message telling you the program name that needs to run with elevated privelages and asks you for your password. It's a pretty rare event as it should be since things that are not making major configuration changes really have no business running as root. If you step back from the graphical environments on the command line you have "sudo" and "su" which has been in unix environments BEFORE MS WINDOWS EVEN EXISTED. The command "su rumsfeld" is exactly the same as "runas rumsfeld" - but in most cases you'd really only want to change to root which is the default. Stepping back to the graphical interfaces the system knows you can only run the thing you just clicked on as root so it asks you for a password and then goes off and does it - just like on a Mac.
So there's your answer, it had "runas" in 1991 when the shell was first ported over and the ancestor of that shell had it twenty years before. You don't see it very often since linux, BSD etc grew out of the idea of a networked multiuser system with the idea the normal user could do anything apart from muck about with major configuration settings as distinct from the MSDOS approach. You usually only need to use the "runas" frequently due to stupid programming choices (eg. one of my electrical engineers dabbles in dotnet and sticks his config files on the root of the system drive - so you need to run his stuff as Admin), there is so much software that really does not need to have Admin rights simply because it is written with an MSDOS mindset and not a WinNT mindset. The programs that actually need to do some sort of system task are relatively rare so it should be a fairly rare task (eg. as normal user kick off some sort of manual malware scan that needs to look everywhere - or powerdesk to do something weird with video settings).

Re:This "runas" thing? - been there since 1991

[hairyfeet]

Sorry, but I'm afraid you are mistaken. it may work that way in OSX but NOT in Linux. Let me give an example to show you. Lets say I have to edit a conf file, because say my monitor isn't detected correctly (Linux monitor detection IMO sucks but that's another story) so i go find the file through the file manager. I open it, nothing asks for any password. I edit it...hey so far so good, right? Then I go to save.....guess what happens? I can't because the fricking permissions won't let me!

I'm sorry, but that is just fucked up. if I can't edit without permission then don't let me open the damned thing! Is that so hard? At least Windows hides files and folders it doesn't want you to edit. With Linux I can get anywhere with the file manager, i can open and edit anything with the file manager, but I can NOT fricking save!

And please don't bring up CLI anything, okay? As long as Linux requires ANY CLI you will stay a teeny tiny niche of a niche OS. Sorry, but nearly all my Windows customers, and nearly all my OSX using friends don't even know a CLI exists for their OS. Hell you could remove CLI support from the Windows users and they would never know the difference. Have you had to use CLI to set up your machine? Have you had to use CLI to fix a problem or edit anything? If you have you have just proven why Linux isn't ready for home users. Because they will NEVER ever use CLI. You can go on and on until you are blue in the face about how much easier it is, they just don't care. It is GUI or nothing.

And since I have yet to try a Linux, including the latest Ubuntu, where I didn't end up needing to call up Bash for something I can say with certainty that Linux is just not ready. Linux guys can carp about 'freedom" or monopolies, but the users don't give a crap. There is a REASON why MSFT owns 90%+ of the Netbook market now, and it ain't no big conspiracy. It is because XP is "clicky clicky" and GUI everything. It is also a breeze to support compared to Linux. If you were an OEM, which would be easier? Having your tech support trying to walk the user through a bunch of Arcane Unix commands in an unfamiliar CLI environment that makes the user very uncomfortable, where if they screw up they can hose the whole damned OS, or having your tech support say "Google name of device XP driver".

I'm sorry, but there is no contest. Linux doesn't have the drivers for a good 80% of the items I see in Walmart, Best Buy, and Staples, it doesn't have a GUI for every job, there is no stable ABI for smaller companies to write device drivers for, hell I could go on all day. On servers it rocks because millions of dollars are being spent by the likes of Red Hat and Oracle to make it so. expecting the myriad of drivers required for home users to be written by some guy in his basement is just ridiculous. if someone spent the millions that is spent on Linux server support on Linux desktops then Linux would have a real shot of taking on OSX and Windows, but I just don't see that happening. Until then I have to give the customers what works and won't bankrupt me with after sale support. And that is Windows. Sorry, No Sale.

Re:This "runas" thing? - been there since 1991

[dbIII]

With Linux I can get anywhere with the file manager

No you can't, you need execute permission on a directory to get to it.

i can open and edit anything with the file manager

No you can't, you need read permission on a file to do that.

Then I go to save.....guess what happens? I can't because the fricking permissions won't let me!

That is correct, you don't have write permission.

With respect Sir you have been throwing words around as if you know something about linux but unfortunately you have just shown there that you do not know the first thing students and new users are told about on any sort of unix based system - file permissions, one of the reasons malware would have to done in a very different way to damage *nix platforms. You have just stumbled into a different world you don't understand which is why you call for things such as "runas" WHEN IT HAS BEEN IN LINUX LONG BEFORE MICROSOFT NT4 CAME OUT WITH IT . Linux/solaris/bsd is different to MS Windows home versions and aimed at different purposes and is probably only starting to go the way you want with the pre-installed netbooks, but even then there will be differences to what you are used to.

Have you had to use CLI to fix a problem or edit anything?

Yes because I had to Admin MS Windows machines in the past and not everything is in the registry - a network scanner needed it for it's backend on an MS Windows server, doing a few things with MS Exchange needed it, some things with domain trust, adding routes and probably a few things I can't remember at the moment.

Linux doesn't have the drivers for a good 80% of the items I see in Walmart, Best Buy, and Staples

So on a paticular day the bargain bins have things in them that someone with very limited knowlege of linux thinks there are no drivers for while the situation on the opposite side of the world is totally different? I politely gave you the benefit of the doubt for what appeared to be a bare faced lie last time and here you are with it again - but now I'm aware that you don't really know what you are talking about so have to assume that the number is made up even though it (items in a bargain bin) is not a paticularly relevant sample to back up any sort of argument and is completely contrary to what I observe on the shelves.

I'm sure you are quite knowlegable about many things, but please at least attempt to be honest instead of leading people astray with bullshit when you don't have a clue. Anybody that tells you any sort of *nix is the same as MS Windows or can be picked up in a weekend by MS Windows users is lying - things are done differently often for good reason, and in some cases things are annoyingly complicated. If it was all the same there would never be a reason to change platforms. Personally I think arguing about the OS is rubbish and what is important is the applications that run on the top - if those applications will only run in one OS that is what you use. You obviously have much stronger feelings to the extent where you prepared to baldly state "Sorry, but I'm afraid you are mistaken" in the face of something right out of the f*ing textbook and make up lies to win arguments with strangers. I doubt that linux will hurt your business in any way so you don't need to be so paranoid about it - the danger on the horizon is online application stores from Microsoft, Adobe etc but people will still be buying hardware locally.

Re:You cannot use viruses/bugs as an example of co

[dgatwood]

I grabbed an identical machine, mounted the nfs backup share and did a 'dd if=/dev/sda of=/nas/machine.img'.

Read what I posted again. I didn't say anything about not allowing reading from a mounted volume's block device. I've done that as part of disaster recovery situations on more than one occasion. What I said was that I can't contemplate a use for overwriting a partition while it is mounted, and more to the point, I'd give it about a 0.01% chance of making it through before causing a kernel panic somewhere in the filesystem code.... It's utterly nuts.

Show me a useful example in which /dev/sda comes after the "of=", please. I'm really not convinced that such an example exists. At best, the only very narrow reason would be to allow updating the partition table without booting from another volume, and even that could very trivially be incorporated into the kernel. In fact, by doing it in the kernel, you could have other sanity checks like not allowing you to change the size or position of a mounted partition but allowing unmounted partitions to be modified freely.

Re:You cannot use viruses/bugs as an example of co

[dgatwood]

Wait, I misread that. You seriously overwrote a machine while it was running and it worked without the running OS exploding in flames? That's bordering on miraculous. Was this before the kernel implemented buffer caching at all? :-D

Either way, you could do it just as easily and much more safely by booting that clone machine with an install CD and dropping to the command line. Installing an OS on the clone machine, booting off that installed volume, and then overwriting your root partition is entirely the wrong way to solve that problem.

Re:You cannot use viruses/bugs as an example of co

[darkpixel2k]

Wait, I misread that. You seriously overwrote a machine while it was running and it worked without the running OS exploding in flames? That's bordering on miraculous. Was this before the kernel implemented buffer caching at all? :-D

Either way, you could do it just as easily and much more safely by booting that clone machine with an install CD and dropping to the command line. Installing an OS on the clone machine, booting off that installed volume, and then overwriting your root partition is entirely the wrong way to solve that problem.

I honestly didn't expect it to work. If the replacement machine exploded on boot, I would have told the customer 'tough luck, we have to take your production machine offline for an hour or so'.

I was flat-out amazed that it worked. It's probably due to the fact that the machine had a decent chunk of memory and all it was doing was serving pages. I think the only writes to the local disk were apache logs and the syslog.

Re:You cannot use viruses/bugs as an example of co

[Eristone]

"Anyone knowledgeable" was meant in the context that any able person could access the code to improve it.

And no, I've had very poor response from Microsoft Support over more than 20 years. I wrote my first commercial software -- used by some local H&R Block branches to process payroll -- 28 years ago. I go back to the time when Microsoft gave away their development kits to try to gain marketshare, before OLE was a concept.

Care to say what system you were writing your software on? That'd put you as a developer back in 1981 selling commercial software...

As an example of Microsoft's technical support prowess, I give you 2 examples in the past 6 months: Recently it took over a month between HP and Microsoft to figure out why our "supported" EVA 4400 configuration was not working correctly under Windows 2000. Guess what? They don't know why it doesn't work. We did multiple clean installs on new BL460c's and had to reformat and reinstall Windows Server 2003 for the SAN to work. Online resizing? It's in the documents as a feature but it doesn't work even in 2003.

So it was Microsoft's fault that you couldn't get your HP SAN to work with Windows 2000 (an at this point unsupported OS)? Was it an iSCSI or FibreChannel connection and who's drivers were you using? Shouldn't you have been calling HP up to support this? The online resizing - this is a feature of the SAN, no? Again, shouldn't you be speaking to HP to solve this issue?

Another example of this supposed prowess: We wanted to migrate from Exchange standard 2000 to Enterprise 2000 (we have a very significant number of CALs that we did not want to repurchase -- it would have been more than $80K wasted). Microsoft could not help. Many Many Many calls were placed and emails exchanged. We ended up having several consultants bid the job but because of their pricing all were rejected.

So what you're saying is that you were too cheap to spend the money on a server so you could install Exchange 2000 Enterprise Edition and then move mailboxes from the Standard Edition server to the Enterprise edition server (using the extremely simple option of "move mailbox" in AD Users and Computers) and no one at Microsoft was going to walk you through this for Exchange 2000 without charging you? Or is there something you neglected to mention about this particular project that makes it a bit more complicated than this? (for instance there's a clustered install perchance? Or some custom apps hanging off Exchange? Your internal staff should have been able to handle this project without a call to Microsoft...)

I'm sure there are some knowledgeable people at Microsoft, but they either don't share their knowledge very well or they don't work in email or phone support. The lack of ability for the company to share information -- when information is the heart and soul of Microsoft -- shows their lack of attention.

Frankly, it sounds like you are just bitching because you didn't want to write a check for services. Even Linux consultants aren't free for enterprise apps.

Now imagine that you're doing a code review. Feel any better now? What's that you say, you still don't understand?

Then get off my lawn. You don't have the experience to discuss this or you'd be aware of these types of issues. Go back to your help desk job, dream big and work hard and come back to me in about 10 years when you've grown some scruff on your chin.

Hmmph. You might want to start collecting your Social Security check there, gramps. So far everything you've said could have been handled by a competent in-house IT staff.

Wow, try again

[cbhacking]

Umm, WTF??

Program Files (and similar) are not user-writable by default. They are owned by TrustedInstaller and are writable by Administrators, but not by standard users. Users can read, list contents, and execute; that is it. Same for ProgramData (roughly equivalent to /etc; system-wide config files). Among other things, this means that apps which write to their install folders (and some do, though they shouldn't) won't work correctly as a standard user. Installing to a subdirectory your own profile will usually work so long as the application doesn't try to make any global changes (HKLM registry, Windows folder, etc.) although some Windows installers will check the current user and error out if non-Admin.

Your claim about "can't prevent even a limited user from making changes and/or writing files that might be booby traps lying around waiting to be executed by a more privileged user" is complete bullshit. Even ignoring the defaults (where you don't have write permission to the global program files or data at all) NTFS permissions are far more versatile than classic Unix systems have; it is certainly possible to prevent write access to any user on any file, if you are Administrator (you can even prevent SYSTEM from modifying the file if you want, though an Administrator can take control and overwrite permissions for any file - just like root). Heck, if you want, it's possible to permit append but not overwrite or delete.

Linux users on most distros can write to /tmp. The sticky bit on the directory makes this matter less but it's certainly not true that you can't write *anythere* outside your home directory. Usually, an external device will also be mounted writable by users.

Re:You cannot use viruses/bugs as an example of co

[dgatwood]

I would expect hot cloning a live machine to mostly work, ignoring the obvious damage to hot files like logs. The part that I would expect to fail miserably was hot overwriting the standby machine, which presumably wasn't doing anything at the time or I'd expect you to have gotten a panic the first time anything tried to even do so much as an opendir on /.

Re:Cannot use Hubbell as an example of intelligenc

[drsmithy]

This is getting rather silly.

It was silly from the beginning when you started spewing ignorant crap.

I want a user locked down tight, so that he may ONLY perform two or three specific tasks, which are part of his job description. I want to ensure the he can't even play solitaire while on company time. So, I create his user account, require him to log in to a chrooted terminal, and he only has those two or three scripts that I make available. Nothing else. Zero interaction with any system files whatsoever - match that with group policy editor.

Limited user + Mandatory profile + execution restriction GPOs.

Yes - I've seen NT systems "locked down" to the point that the user only ever sees the screen from which he is supposed to do productive work. I've also seen unsophisticated immigrants with no technical training at all bypass the locks, to play solitaire on a production machine, and start up Internet Explorer. If ethernet had been connected, he could have downloaded any number of worms and trojans.

And I've seen Linux systems hacked in minutes. I guess that means Linux sucks, right ?

Re:It is the hacker's mentality.

[jp10558]

I think it might be easier and as effective to use cron...

Re:You cannot use viruses/bugs as an example of co

[drsmithy]

Microsoft's relatively tiny number of developers [...]

How many developers are actively and meaningfully contributing to Linux ?

[...] have proven time and time again they are not smarter than the average bear, and they cannot prevent attacks and privilege escalations.

Evidence ?

As an example, lookup any widespread virus infestation and you'll most likely find Windows as the host OS which fails security.

Most "virus infestations" don't occur due to failings in OS level security. They occur due to end user actions and application vulnerabilities.

If you don't understand the difference between treating processes like the logged in user and running them with less privs, I don't have enough digital ink to save you.

I understand it quite well. Unlike you, I like to actually understand something before mouthing off about it.

While users may cause viruses, most of the largest viruses were spread through Windows and Windows software design flaws, most of them through Microsoft software. Take the privilege issues when previewing an item in Outlook / OE for example. Take launching a browser with system privs by default. Really, look at any of the infestations which have occurred in the past and you'll find a sloppily implemented security practice (or no security thoughts at all) in Microsoft software to blame in the majority of cases.

Thanks. I was a little unsure up until here whether you had a clue. Now I know you don't.

Re:You cannot use viruses/bugs as an example of co

[sjames]

You obviously don't know much about the NT security model, so talking enterprise level NT security would be a waste of time.

citation needed

In other words, it sounds like you believe anyone skeptical of Windows (or even believes other choices to be reasonable) 'obviously' doesn't know anything about it, therefor you are a genius, QED.

You make a lot of statements, but provide no detail (where the devil is). Care to try again? I merely asserted that Windows boxes are the low hanging fruit. There are a LOT of poorly maintained Windows boxes out there. That is a direct result of MS training people (however unintentionally) that they should run as Administrator and (intentionally) that they need no technical knowledge to use and maintain Windows.

I do find it humorous that you see MAC as inadequate when applied to Linux but somehow virtuous when applied to Windows (several years later). It's just as much a retrofitted old idea from Multics in NT. In both cases, I'd say it was retrofitted because it was a useful idea. I am glad to hear that MS has finally addressed the shatter attack.

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

That is a direct result of MS training people (however unintentionally) that they should run as Administrator and (intentionally) that they need no technical knowledge to use and maintain Windows.

Microsoft has been advising users not to run as Administrator for as long as they've been doing multi-user systems, actually... but users prefer the single user system model, since it's simpler. UAC came from the realization that people were just going to run as Adminstrator anyway. It had to be locked down. In Windows 7, it's pretty smooth at this point.

I do find it humorous that you see MAC as inadequate when applied to Linux but somehow virtuous when applied to Windows (several years later). It's just as much a retrofitted old idea from Multics in NT. In both cases, I'd say it was retrofitted because it was a useful idea. I am glad to hear that MS has finally addressed the shatter attack.

I don't care when the features showed up. It isn't relevant. They are competing now and they are competing with NT 6. The point is that you can't just razzle-dazzle me with names of Linux features and expect me to be impressed. You're not talking about SELinux, you're talking about MAC. It's not NX bit, it's DEP, it's not anti-exploit code, it's ASLR. These are generic security features supported in many systems.

The fact of the matter is that Microsoft is doing a great job implementing some of these features. They're doing a better job than the unix people are in many cases. And just because they didn't exist before didn't mean you couldn't run a rock solid and secure NT system. The mighty infallible UNIX security model is a joke and it always will be as long as you have POSIX support... at least Microsoft has control over their architecture, so their system doesn't have to be built on 1970's technology and ideas-- I mean, just look at PowerShell, a fully object oriented CLI/Shell that uses objects instead of strings. See? Progress.

If they're able to get equivalent security model out of their system and offer sane driver API's, proper and documented use of the PCI/PC Specification, correct ACPI, modern graphics technology, usable sound, superior development tools, and a usable office solution, then the license costs should be simply moot. So I need a properly maintained network with an admin or two? All my employees will be more productive. I think the TCO argument is well in the bag here.

UNIX systems are and always have been a nightmare, especially for the regular workstation user. Maybe it'll be a different case when the UNIX world figures out how to write a proper GUI. The last complete and usable desktop solution offered by that community was CDE, and it's really aging now.

So you can argue better theoretical security several years ago... why would that convince me to inflict the terrible terrible productivity applications from the open source world on my workplace? Where's the rest of the TCO picture, here? Every single one of the employees are more expensive than almost all the software licenses combined.

Re:You cannot use viruses/bugs as an example of co

[sjames]

Microsoft has been advising users not to run as Administrator for as long as they've been doing multi-user systems, actually... but users prefer the single user system model, since it's simpler.

By not offering anything sudo like until UAC, they pushed customers to prefer the simplicity of always running as admin. People didn't like having to log out and log back in every time something needed Admin privileges.

In what way do you find the Posix security model a joke? Particularly with ACLs and the other extras added?

As far as names, you claimed that Linux had nothing to prevent exploits, and I named several things included in Linux to prevent exploits.

Personally, I found CDE to be an abomination. KDE or Gnome are much better.

Re:You cannot use viruses/bugs as an example of co

[cant_get_a_good_nick]

When you can come up with a single good reason why market share is NOT a significant factor, let me know.

My apologies for my lack of clarity. My frothing at the mouth must have shorted my keyboard.

Of course its a significant factor. Even more now with always connected Internet. (There was a good book on Scale Free Network theory called Networks, but with a name that generic, too hard to find in Amazon).

But over and over i've heard microsoft apologists, when presented with a virus report, state bring up marketshare, with the implied "well the only reason is the marketshare". BS. I still remember the unconnected mac and windows 3.1 days. Windows had a 90% desktop share, but about 99.999% of viruses. Windows had tens of thousands of viruses, Mac OS 6/7? About 8 I think, and rarely found in the wild. By the marketshare argument, and with no connection to the internet which would make the 90% even more beneficial (because of Scale Free Network effects), there should be a closer ratio.

Even though i agree that marketshare would casue people to write for Windows, let's have some counterarguments for that:

• Hacker A decides to go after Macs because there's more fame in Mac hacking.
• B goes for macs because owners tend to have more money.
• Hacker C is an MS fanboi and wants to take down some black turtleneck smugness.
• Hacker D realizes mac users are complacent and don't have 2 or 3 antivirus products chewing up CPU 24/7.

Is the argument "Windows has 90% of marketshare so will have more viruses" invalid? No. It has real roots. I am objecting to it being used as some blanket excuse, that Windows has a higher marketshare and we should just accept viruses as a result and not blame poor design/coding practices.

And props to your userid. I lurked too much before signing up, and i'm stuck with a 6 digit userid :(

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

By not offering anything sudo like until UAC, they pushed customers to prefer the simplicity of always running as admin. People didn't like having to log out and log back in every time something needed Admin privileges.

Run as Administrator was around in XP, actually. Probably before, also. UAC is an extra layer of security for people running as adiminstrators.

In what way do you find the Posix security model a joke? Particularly with ACLs and the other extras added?

The shared memory architecture is inherently insecure. A skilled attacker can DMA all over the system and use the generic and non-obfuscated architecture to do whatever he pleases.

As far as names, you claimed that Linux had nothing to prevent exploits, and I named several things included in Linux to prevent exploits.

Are most linux users using SELinux? I found it rather restricting. It's not unlike using a locked down windows machine. Optional security doesn't assure all users of the platform benefit from it, same problem as Windows.

I was saying that the anti-exploit code is inferior, like the DEP and ASLR... and I stand by tthat. It is. The notion of Linux security is merely de facto based on the small userbase. If it ever became even remotely popular, the facade would collapse.

Personally, I found CDE to be an abomination. KDE or Gnome are much better.

Right, but imagine your workplace needed consistent documents and the ability to create graphics and such. Practical groupware... etc. For any task that requires attractive and functional documents and media, I can't think of a single UNIX application that is even competitive with the commercial Mac/Windows alternatives. Inferior tools means less productive employees and ugly documents, this erodes the professional quality of documents and opresentations within a workplace, making your business appear shoddy. It's not worth it.

Re:You cannot use viruses/bugs as an example of co

[sjames]

The shared memory architecture is inherently insecure. A skilled attacker can DMA all over the system and use the generic and non-obfuscated architecture to do whatever he pleases.

I'm not sure what you mean here?!? DMA is a hardware function. non-root processes cannot even touch (or find) the dma control registers. Processes most certainly do NOT share a common address space though that may map a common space into their own (possibly not at the same address) It's not as if one process can just decide to share address space with another. It has to have appropriate permissions.

I am familiar with runas, but it requires the Administrator password (rather than your own) and doesn't have a good way to restrict what the non-admin users may runas.

SELinux can be configured to be a straitjacket or can be rather open. Most who use it do so in the targeted mode where most operations are in the unrestricted domain. The difficulty is in configuring it properly. Efforts are in motion on several fronts to come up with easier to configure and use enhanced security.

I agree that users don't benefit from optional security if they turn it off. That is true no matter what the OS.

As for productivity apps, I find Gimp and OpenOffice to be quite adequate for various office activities. Of course, honestly, in anything from legal documents to memos, they would do well to use a simple text editor (Wordpad or vi for example) and get their spelling, grammar, and composition right!

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

I'm not sure what you mean here?!? DMA is a hardware function. non-root processes cannot even touch (or find) the dma control registers. Processes most certainly do NOT share a common address space though that may map a common space into their own (possibly not at the same address) It's not as if one process can just decide to share address space with another. It has to have appropriate permissions.

I am more talking about linux than I am about POSIX, now that I think about it. It's how something as big as linux slides into that model. Most assumptions on the hardness of the UNIX security model are based on classical BSD or UNIX, which are tiny systems running little more than network, tty, and tape drivers. The reality is that there are massive sound, multimeda, and usb subsystems with interfaces in userspace ten times larger than every internal interface of a classical unix kernel. Linux has hundreds of system calls, hell some of its subsystems do. It's a real victim of the monolithic kernel, with putting such a large block of code in one address space. Essentially, it's supermassive and much of it is ridiculously low quality. A skilled attacker with the source code (they have it ;)) can simply exploit a poorly written driver and take over a DMA engine.

Besides, you certainly don't need admin privileges to create processes, listening sockets, or just plunder browser caches for personal information and passwords.

So, UNIX is not inherently insecure in its pure form. But linux, as an implementation, is too much ground to cover.

Don't even think to mention Windows in that respect, either, because it doesn't really have a monolithic architecture. It's more architecturally secure as a massive system because it more resembles a microkernel architecture, which is easier to manage and protect.

So, you can have a secure UNIX system and a secure monolith, but linux really outgrew the model where that was secure from remote attack and exploit. It's just spackle upon spackle avoiding known exploits at this point, but in reality it's hanging over an endless abyss of unknown exploits.

And I am quite familiar with the open source "alternatives," but they really don't compare. They just don't. You can site license commercial software for a few grand and save every one of your employees minutes of work each day, hours at times... and all the while end up with better products. It adds up and makes the final cost really moot. If the free product offered suboptimal functionality, it will hurt you enterprise in a fashion that's difficult to conceive.

Re:You cannot use viruses/bugs as an example of co

[sglines]

Bing uses Akamai for caching. Akamai uses Linux.

Re:You cannot use viruses/bugs as an example of co

[sjames]

The debates on the monokernel could go on forever. On one hand, it does mean that a security error in a driver can have larger consequences, but on the other, it doesn't mean there is such a flaw. Most of the drivers funnel their interaction with userspace through well tested and defined functions. That's why porting the kernel to a new architecture doesn't involve re-writing all of the drivers.

Meanwhile, MS broke the NT security model by moving the GUI into ring 0. Their arguments for doing so and why it wouldn't be a problem are very similar to the arguments in favor of Linux being a monokernel.

NT's VMS heritage of having a unique interface for every little thing expands it's surface area considerably. It doesn't much matter if you can't exploit the network interface directly by attacking the filesystem, if you get the filesystem, everything else is just a reboot away.

Meanwhile, although not called that, Linux has made a few moves into micro-kernel (for example, fuse).

I also wouldn't characterize the security fixes in the kernel as spackle. Things like that tend to be fixed right. The various subsystems also tend to get considerable review and periodic cleanups.

As for source availability, it also means that Linux receives thousands of independent security audits on a regular basis.

As for the licensing, I find that the various Linux distros not caring about licenses, keys, serial numbers, and "authenticity" saves a great deal of time and occasionally saves the day. It's all much easier when your OS doesn't figuratively look at you sideways always sustpecting that you're a thief who just hasn't been caught yet.

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

The debates on the monokernel could go on forever.

Actually, the debate is over. Only amateur developers and CS undergrads argue in favor of monolithic kernels... a modern kernel is a microkernel. The NT kernel is more of a microkernel than even Microsoft wants to admit it is... I've seen the code.

Meanwhile, MS broke the NT security model by moving the GUI into ring 0. Their arguments for doing so and why it wouldn't be a problem are very similar to the arguments in favor of Linux being a monokernel.

NT 6 has userspace video drivers... in fact, the entire WDDM is in userspace, so I am not sure that I would consider their GUI to still be in the kernel.

I also wouldn't characterize the security fixes in the kernel as spackle. Things like that tend to be fixed right. The various subsystems also tend to get considerable review and periodic cleanups.

Have you ever seen the linux kernel code? It's a giant childish mess with no semblance of fore-thought or architecture. It's basically organically grown. The majority of the code comes in from random Chinese outsourcing firms and is briefly glanced at by a large poorly organized team of mediocre developers. It shows in the code. Have you ever been on a linux kernel security mailing list? It's practically a comedy piece because of all the hilarious obvious security exploits that pop up on a regular basis. I guarantee you the people who will break your system are much much more knowledgeable than anyone wasting their time developing it.

As for source availability, it also means that Linux receives thousands of independent security audits on a regular basis.

Yes, thousands of eyes on thousands of little pieces of the system. And yet, it lacks any sort of organization or architecture, so everything is just going in a thousand different directions. In reality, there are probably about 20-30 real security experts in the entire linux community who have to pay attention to the unmanaged work of a thousand developers working on snippets of code. With the inconsistency of the driver API's and the number of eyes looking different directions, I would say sneaking an insecure driver into the kernel would be like sneaking a stick of dynamite into a supermarket. Who's paying enough attention to notice?

It really draws to mind the 1,000,000 monkeys on typewriters writing Shakespeare. A million amateur developers will not create a cohesive system, the best kernels are written and maintained by a small number of people with a strong adherence to a firm design ideal. It's a fantastic example of Quality vs. Quantity.

Besides, any UNIX kernel, no matter how clean, can best be summed up as a "giant collection of hacks." Nothing more.

As for the licensing, I find that the various Linux distros not caring about licenses, keys, serial numbers, and "authenticity" saves a great deal of time and occasionally saves the day. It's all much easier when your OS doesn't figuratively look at you sideways always sustpecting that you're a thief who just hasn't been caught yet.

Yes, IT deals with the licenses during the installation and deployment. It's not the users' problem after that. I would hardly call this an issue vs. unexpected and undocumented behavior.

Re:You cannot use viruses/bugs as an example of co

[sjames]

Have you ever seen the linux kernel code? It's a giant childish mess with no semblance of fore-thought or architecture. It's basically organically grown. The majority of the code comes in from random Chinese outsourcing firms and is briefly glanced at by a large poorly organized team of mediocre developers. It shows in the code. Have you ever been on a linux kernel security mailing list? It's practically a comedy piece because of all the hilarious obvious security exploits that pop up on a regular basis. I guarantee you the people who will break your system are much much more knowledgeable than anyone wasting their time developing it.

I'm definitly going to have to call you on that one! Have you ever seen the kernel code? Do you have any idea who writes it? It's certainly not "Chinese outsourcing firms". I have to say, you've swerved from confrontational styled argument to troll or flamebait at this point.

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

I take it you've never seen professional system code, then? If you're curious about that, I think QNX's code is now browseable. Even opensolaris might be a better example.

The code in the Linux kernel does not meet the quality standards of any commercial system code I've seen. In short, it's a total mess. It's archaic, hackish, and just plain ugly.

Re:You cannot use viruses/bugs as an example of co

[dedazo]

I'm very curious as to whether that shop you mentioned fits within Microsoft's "TCO" calculations.

I don't know what they do beyond any other company I've worked for/at. They run their own internal WU server, the corporate XP images have AV, IE8 is customized to use their proxy, a few company-specific apps installed, you have no admin rights and that's it. What in that list would you consider to be above and beyond what MS recommends, or particularly expensive? More to the point, which of those things would you not do if the roles were reversed and all these were Linux machines?

get harder to maintain compatibility, it starts to get more expensive to hire/train staff, and it starts being less user friendly.

Compatibility in what sense? And the hire/train thing is a no starter on either side. Their desktop folks have this stuff down to a science. User friendly? I don't get that. These are people who use Office and a web browser, that's it.

HOW much is spent per year by businesses in general (not your pet data point) cleaning up malware?

I'd imagine it's a lot, especially if you let it through to begin with. Duh?

I find the "IQ of a sponge" comment amusingly ironic.

Oh, that wasn't for you.

Re:You cannot use viruses/bugs as an example of co

[dedazo]

Probably heavily locked-down desktops and even more heavily restricted internet access (basically none whatsoever; HTTP is allowed through a proxy that requires a username and password and doesn't allow access to the whole web).

Yes, voodoo magic.

This is quite possible to do in a company of such size because you can usually divide your staff into groups that match up quite well with their responsibilities and grant access accordingly, blocking everything else.

So you're saying that the folks in HR can browse porn, but the ones in IT can't?

When you're dealing with a much smaller organisation, the amount you can lock things down is generally much reduced

I don't see how that's the case. If you do it right you can scale your solution from 10 to 10,000 machines.

Sorry, but I don't think you understand how this works out there in the real world.

Re:You cannot use viruses/bugs as an example of co

[jimicus]

I'm doing it out there in the real world!

IME, most smaller organisations don't divide responsibilities up in quite such a cut and dried fashion, which means that dividing up computer functionality is made a lot harder.

The thing I found that helped more than anything wasn't actually locking the PC down beyond recognition. The thing I found was configuring the company-wide antivirus so that it always starts at boot and cannot be disabled by the end user. You'd be amazed how many people who really don't understand IT have read nerdy "I don't need no stinkin' AV" comments in forums and decided that if some person they've never met before doesn't need it, neither do they.