Years-Old Conficker Worm Still a Threat

RedEaredSlider writes "The Conficker worm is still a threat, even though it is more than two years old and nobody has used it in a botnet attack yet. The problem is that so many machines are infected (largely because many don't realize it) and it's such a flexible piece of malware."

The real issue:

[Isaac+Remuant]

The Average User is still a threat in his path to ignore one and all security measures.

Re:The real issue:

[clarkkent09]

The real issue: software industry releases insecure products and blames ordinary users for not being IT security experts which is what it takes to be truly secure.

Re:The real issue:

[causality]

The real issue: software industry releases insecure products and blames ordinary users for not being IT security experts which is what it takes to be truly secure.

The bar could be raised far higher than it is now without even beginning to approach expertise. That's the part that is often underappreciated.

"Truly secure" in an absolute sense is rarely if ever attained by anyone, and almost never necessary. What you really need to achieve is "unprofitable to compromise". It's security in a relative sense and much more realistic.

I don't really disagree with your assessment of the average quality coming from the software industry. The users are not typically blamed for that, even though they're collectively responsible for creating a market where shoddy quality sells. That responsibility is indirect and spread out among large numbers of people.

The users are more often blamed for not even trying to protect themselves, for not making even a token effort to understand the risks. That decision is more immediate and individual. For this reason average users are often characterized as stupid.

I'm personally more inclined to believe that they could do better if they wanted to. I've seen the mentality many times because there is such an overabundance of examples (and not just in computing). It's not stupidity in the normal sense, though you could call it a kind of stupidity because it tends to act against one's own interests. It's more like an intellectual laziness combined with an entitlement mentality which insists that things like security must always be "someone else's problem" even though it won't be "someone else" who suffers any insecurity.

Like any entitlement mentality it has to have an excuse to function, to seem like a believable position one does not wish to abandon. In this case it's the excluded middle: the notion that users are either drooling idiots or highly skilled experts with no intermediary states. That enables the afflicted to respond to recommendations for how they may improve by becoming offended instead of assessing the feasibility of the suggestion. The intellectual laziness component comes from institutional schooling's lesson that learning is hard and full of toil and cannot be a joyful process of discovery and fascination.

You combine those things and you get a user who is nearly impervious to even the most basic, most easily understood advice especially concerning topics like security. Even when it's in their own interests to listen to it. Even when implementing it would be easier than their current practices. The rest of us get a degraded Internet in the form of spam and DDoS attacks and worse that so many compromised machines facilitate, thanks to network effects.

The case against the mentality of the average user has a solid foundation, primarily because most of them could choose differently.

Re:The real issue:

[1s44c]

The real issue: software industry releases insecure products and blames ordinary users for not being IT security experts which is what it takes to be truly secure.

Microsoft released the insecure product involved. They didn't ask for or get the approval of the whole software industry before doing so.

Re:The real issue:

[1s44c]

"Truly secure" in an absolute sense is rarely if ever attained by anyone, and almost never necessary. What you really need to achieve is "unprofitable to compromise". It's security in a relative sense and much more realistic.

"Truely Secure" is attained by me. I have a windows 2000 server that all the crackers in China and Russia working together could not get into unless they physically took the hardware apart. I simply unplugged the network port.

Re:The real issue:

[vlueboy]

Like any entitlement mentality it has to have an excuse to function[...] : the notion that users are either drooling idiots or highly skilled experts with no intermediary states. [...] becoming offended instead of assessing the feasibility of the suggestion. [...] intellectual laziness [...] schooling's lesson that learning is hard and full of toil and cannot be a joyful process of discovery and fascination.

^-- THIS! a perfect example that a statement can hit many nails in the head with the same blow. Since IT is an illogically successful mix of magic and mystery to older people, they think we are all doctors doing things they can't bother to DISCOVER, as you said. When we push and prod them forward with things like "read this and follow the simple steps" and "never use THAT browser or you'll waste yet another afternoon of my time to clean up after you", they're too lazy to listen, and are offended that we're "too smart" and "too educated."

Encouraging them to follow me by saying I'm self-taught and that my degree in CS didn't enhance my career path towards "home desktop support" at all, they only get quiet and confused. They respond that, regardless of the not-so-important education, they "can't be expected" to "know" all this stuff I managed to teach a normal person called "myself" and that I was born specially to fix their problems when they're behaving stupidly by conscious choice. Even the guys in India reading support scripts to handle US tech support calls know that they must accept the script's "material" as true, allowing anyone who has ears to use it as a tool. Average Joes can't even make that step toward understanding their tech. They're disgusted at the thought of having to learn to use MORE tools because in 1st-World countries like the US, you pay laborers to do that for you (3rd-World countries a friend's friend fixes your PC in exchange for food or favors).

To these people IT is just another blue-collar labor to handle those tools. That's not different from the stereotypical bias that that a secretary was the only person expected to touch a typewriter, and that they did nothing else all day. I'm awaiting a similar correction in mainstream mentality akin to whatever suddenly drove everyone to become their own typist, to the point that you're no longer employable in the mainstream USA without both self-typing skills and basic knowledge of Win32 GUIs.

Re:The real issue:

[MadKeithV]

I raise you one box that doesn't actually have any components inside it. Totally secure, it can't even be hacked with physical access to the machine!
In other words, it may work for you, but for the vast majority of people a (secure) computer that's not attached to the network is about as useful as a bicycle is to a fish.

Re:The real issue:

[BlackSabbath]

Hi clarkkent09!

Did you check out that clip of Natalie Portman eating hot grits?
You can download it here.

Of course you'll probably need to install the Conficker codec to watch it but believe me its worth it!!!

Cheers,
Lady Field Marshall Idi Amin Gaga.

Re:The real issue:

I think you're both wrong and right.

Not really wrong. Look, IT is like any other field. I takes a lot of time and effort to become an expert, and a lot of us have lives to lead and jobs to do doing something else.

"they think we are all doctors doing things they can't bother to DISCOVER,"...

It's like I work in an office and I am not expected to fix the plumbing. I could learn to do so, of course, but I have to spend 8 hours a day plus doing something else. It isn't people feeling entitled, it's just that we all have a load of demands on us all day long and not everybody will be interested in the same things as you. Hey, you couldn't be bothered to DISCOVER how to sew your own clothes, you're just an idiot! That sounds silly, don't it?

Yes, users can do a lot of simple things to enhance their security a bit, but remember, if you are reading this site you are probably pretty inclined to find out stuff about how your computer works to begin with. To a lot of people it is a tool, an appliance, a means to an end. To people on /. they are often a means in itself.

I bet there are loads of things you'd call an expert for, even if you like to tinker with things, and loads of things you just expect to work -- I mean, after all, you expect your Internet service to work, right? If I said you were an entitled mentality dummy because you wouldn't go learn how to service the router that's buried out there on the corner and wasting the time of the service rep from Verizon or whomever you'd say that was kind'a dumb. Its the carpenter who complains that people don't all just know to bring a stud finder, level and building inspector with them whenever they buy a house. Or the car mechanic who wonders why just everyone doesn't do a full-on brake change and lube job in their garages, 'cause after all then he wouldn't have to clean up after people who let the oil get full of gunk and score the pistons.

Now, again, to beef up the security you needn't be an expert, but I think the problem is that too often, the things we need to do are a pain, frankly. In my job I have to publish stuff on the web, and there are loads of things I am probably doing wrong, security wise. But I need to do my job. I can't spend what would add up to many extra hours doing something else -- and it does add up. A few minutes here, a few there, and pretty soon you have wasted an hour or more and got nothing done.

Take passwords. Most people have to remember a lot of them, so they use the same one. Bad security, but what the hell else are you supposed to do? I have something like a dozen accounts and I try to be better about it, but if I want to have any hope of memorizing the things I end up going to the same well a chunk of the time. The "forgot password" function can be time consuming if you had to use it every day. To get my job done I find myself behaving in a "stupid user" way, but it's mostly because I need to get my job done and can't dick around with the IT side.

As for users tolerating bad software, the issue there is just that most users don't know how to tell good software, especially since a lot of it works most of the time. Buyers do not have complete information. Just try getting a straight answer out of Microsoft -- or any other software company.

Re:The real issue:

[hairyfeet]

I'm sorry but that is bullshit. I have to deal with those user 6 days a week and frankly as long as they have control over their box they WILL do whatever they please, security be damned. It is the classic dancing bunnies problem and I don't care which OS you use they WILL blow right through your security measures if they want to see the bunny.

I have had a customer open a password protected zip file with me standing there telling them its a virus "because this was sent to me by my BFF Kim and she wouldn't do that" and if you think Linux or any other OS would do better allow me to submit for your consideration How to write a Linux virus in 5 easy steps using the same social engineering which causes the vast majority of infections on Windows.

Bottom line if the user wants to run it they WILL run it, and the only way to prevent that would be to take away ALL rights to the machine and make it into trusted computing. Now since trusted computing (or treacherous computing as RMS calls it) would take away all rights from the user and kill OSes that allowed the four freedoms dead we simply have to accept the fact that stupid is as stupid does.

Not to say adding security isn't a good idea, I'm personally switching my customers and family to Windows 7 and the file and registry virtualization along with low rights mode in Chromium does safeguard against things that don't require user action like JavaScript exploits and drivebys, but frankly nothing will stop the user actively installing malware if they are so inclined. And I can tell you that at my shop I'd say probably 85%+ of the malware on PCs is installed by the user themselves, either by using social engineering or by offering the user something they desire, such as free porn or software. All the security in the world isn't gonna help if the source of the infection is PEBKAC.

Re:The real issue:

[hesaigo999ca]

Now there is an underrated statement if i ever heard one

Re:The real issue:

[camperdave]

I raise you one box that doesn't actually have any components inside it. Totally secure, it can't even be hacked with physical access to the machine!

I have an axe that begs to differ.

Re:The real issue:

[harperska]

What amazing skill you have, that you were able to make this slashdot post with no active network adapter. Telepathic posting? Or perhaps having a network connection really is more important than you let on.

Re:The real issue:

[I8TheWorm]

Forget user, the Fortune 500 natural gas pipeline company I left in December got hit with Conficker last year. Their virus defs were WAY out of date, desktops were 100+ Windows updates behind, just a sad state of affairs. Of course, only IT people have admin access (a good practice... strange for that place though) so they cannot run their own updates.

I've heard they still don't have tape backups working properly, nor SCCM pushes to a second domain. And the Sr. Director of IT spent time "writing" (actually "borrowing") a project management dashboard in PHP and Javascript (mind you, the company has 4 dev teams, and there are dozens of PM Dashboard apps including some nice OSS packages) rather than address these issues.

It's not always the users' fault.

Re:The real issue:

[Deathlizard]

Don't have mod points today, but the OP is dead on.

You look at the Malware scene today, and the first things that better come to your mind is "Social Engineering" and "Trojan Horse". Just about every Malware writer worth their salt knows it's easier to hack the user over the OS. They know the below 4 laws really well and they are not afraid to use them against users.

Laws of Computer Stupidity
1) 99% of computer users do not know what they are doing.
2) Computer users do not read.
3) If a computer user can click on it, they will.
4) You can patch software, but you can't (legally) patch stupid.

Re:The real issue:

[sheehaje]

Luckily I am fully protected. I have Antivirus 2009, 2010, and 2011 now running all at the same time in addition to AntiVirus Lab 2009 and AntiH4x0r Millenium edition which my ex wife gave me a copy of last week.

No viruses will ever touch my machine.

Nobody should be surprised with that one

[damn_registrars]

The conficker worm exploits vulnerabilities on unpatched windows systems. If we were instead talking about a resurgence of the "iloveyou" virus or something of that nature, that would be a surprise. But conficker - as a worm - finds its own targets and infects on its own. And it will continue to do so as long as the writers of it find new holes to exploit in windows.

Just wait until Microsoft stops releasing security updates for Windows XP, then conficker will really have a chance to run wild.

Re:Nobody should be surprised with that one

Helo World

Re:Nobody should be surprised with that one

Just curious, but can we see the train at the end of the tunnel for XP yet?

98's final nail was Google Earth. People were entirely happy to run that sans MS support until then.

(Given, 98 ran better with the unofficial updates than the official ones. Perhaps it's different with XP. I didn't hang around to find out.)

Re:Nobody should be surprised with that one

[camperdave]

Stats say that XP is still on 50% of machines out there. There are plenty of places where XP is a corporate requirement, and the number of people with low end computers (hey, it cost $1600 when I bought it five years ago) that can't run Vista or Win7 is far from insignificant.

how novel

[gearloos]

A link to a story ridden with popups about a worm. Cmon /. you can do better.

Re:how novel

[Farmer+Tim]

Cmon /. you can do better.

[citation needed]

Re:how novel

[lennier1]

[car analogy needed]

Re:how novel

[get off my lawn]

If security programs dont get it right ...

[jobst]

of course it still a problem, especially if you read what happened to me this morning....
Our sales directors computer (dell) has real trouble accessing the net (very very slow) whenever he tethers his laptop with his Galaxy S. I have the same laptop and phone but use Fedora14 and tethering gives me real good speed (considering) .... his is Win7 using Trend Micro (included when buying the dell) . When I turn Trend Micro off it performs well, loads the web-pages at the same speed as mine does.

So there would be no surprise to me if a lot of machine run without virus/internet security because those machine become a real hog/snail/whatever .... so users cant be bothered!

Re:If security programs dont get it right ...

[1s44c]

So there would be no surprise to me if a lot of machine run without virus/internet security because those machine become a real hog/snail/whatever .... so users cant be bothered!

I know that problem. People that turn off security updates because they are too important to be bothered with reboots should be kicked somewhere it hurts.

China loves Conficker

The college (part of a larger university, but separate for IT purposes) I work at in Beijing has a choice between two different free (Chinese produced) antivirus/antimalware products. The one that detects Conficker is on the computers of the people designated "sysadmins" (discussion for another day as to what qualifies as a sysadmin at this school) and any computer I am required to use as a function of my work (not including my personal notebook, which the admins aren't allowed near). The software that doesn't detect Conficker (or quite a few other 2+ year old baddies, in spite of being "up to date") is on everyone else' computer. As best as I can determine, this is to give the appearance of justifying the positions of the 5 sysadmins needed to support less than 50 computers (not including the lab computers which require minimal support because they suck so badly the students would rather go to an internet cafe to do their work, if they can't afford to use their own computers). Someone let me know when an opening at Tsinghua U. is available.

Re:China loves Conficker

[Kozz]

... this is to give the appearance of justifying the positions of the 5 sysadmins needed to support less than 50 computers (not including the lab computers which require minimal support because they suck so badly the students would rather go to an internet cafe to do their work, if they can't afford to use their own computers). .

I visited China a few years ago. Correct me if I'm wrong, but it certainly seems clear that it's part of the Chinese culture to prevent idle hands (for better or worse). It would seem that it is better to employ numerous individuals who each have possibly inadequate tools rather than a few with exceptional training and/or equipment -- above all, everyone's got a job, even if that job is next to mindless and minuscule, something that would never exist in the west. I get the feeling my karma will take a hit for this comment, though it's not intended to be a statement of superiority by any measure, it's just what I'd observed (and for what it's worth, nearly all the people/places I saw were wonderful).

Re:China loves Conficker

[bannable]

The "right to work" is more or less inherent in communistic societies. China may have converted to capitalism, but the indoctrination dies hard (see: eastern Germany.)

Re:China loves Conficker

[jamesh]

I think that the OP's point was that they are manufacturing a situation that requires more people rather than giving 5 people a job that one could do, which is more like the West than the East.

Guess which way is better?

Re:China loves Conficker

[operagost]

I wouldn't call China capitalist, being as the Party is the only "capitalist" in existence.

Still a threat?

[steeleyeball]

I was running Linux then, I'm running Linux now.... I have antivirus software so that it gets filtered out even if I'm not being infected.

Re:Worm?

[Dunbal]

So is my Windows box

i confirm this

[decora]

i know someone who works at a huge support center for a certain cellphone carrier. this person has informed me that they spend a good deal of their day telling people to shut off antivirus in order to get their "Modem Cards" (apparently the fashionable name amongst the masses) to work.

yay government

[decora]

in order to keep your job you have to keep your power base in the bureaucracy.
in order to keep your power base in the bureaucracy, you have to keep your budget.
in order to keep your budget, you need to keep it at the same, or higher, level as last years budget.
in order to do this, you have to snowjob any penny pinching meddlers into thinking it's absolutely necessary.

Re:Worm?

[Suki+I]

My current crop of laptops is not that old yet. Will get back to you ;)

Re:If you don't eat poo

[underqualified]

do you also think that this is the greatest layout ever?

Don't forget the anti-virus companies.

[khasim]

They have a vested interest in maintaining the status quo.

Not to mention plain incompetence on their part. Such as McAfee mistaking a core Windows file for a "virus" last year.

get off your ass

Conficker infected machines can be detected pretty easily using nmap.

nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d

Wouldn't be that difficult to randomly scan for machines using -ir flag and either black list them or somehow notify the owners. People on slashdot sit here and scoff that conficker is still around, or that users are just too dumb to help themselves. Maybe you should find some conficker-ridden machines and start helping some motherfuckers out.

Similar to what I've seen.

[khasim]

It would seem that it is better to employ numerous individuals who each have possibly inadequate tools rather than a few with exceptional training and/or equipment -- above all, everyone's got a job, even if that job is next to mindless and minuscule, something that would never exist in the west.

When you think about it, it makes sense. They have lots of people. It's more cost efficient to use man-power for most tasks than it is to train one person in specialized equipment.

You get lots of people working and the maintenance costs are almost zero. People at a construction site were moving materials around in a wheelbarrow made of old bicycle wheels (one without a tire).

How much would it cost to fix that wheelbarrow when it broke? Now compare that to fixing a forklift.

Meanwhile, they all have jobs and are getting paid and can buy food.

Re:The real issue: Users do matter.

[Isaac+Remuant]

Dude, At least, In my company. Mails were sent providing patches and explanations of how to deal with the conficker virus. How to treat your removable drives, etc.

Few listened and we were annoyed for some months by each infected computer. Somehow, the virus managed to get into the network and lot of employees wasted valuable time reinstalling their OSes only to be infected immediately for not taking the necessary measures (being offline, patching).

WGA/pirated copies of Windows

[jroysdon]

One problem is the low-end users who have systems they have bought from a "friend" which turns out to have a WGA-failing pirated copy of Windows. Windows Updates refused to allow it to be patched, leaving it to sit there waiting to be infested.

What Windows needs to do with WGA is give a grace period (60 days?) and warned if you do not get this copy legally licensed within X days then it will stop working (just like beta demo copies). After that time, have it just start up, explain the error and shut back down after 60 seconds. Not popular, but it would keep the bad machines offline. It would force the users to either get legit Windows installs which would have patch support, and/or they'd move to Linux which would also have patch support.

Re:WGA/pirated copies of Windows

[Kakari]

Except of course the various reasons why that won't happen - MS would rather have people using Windows than get paid for all the copies[citation needed]; patches will be made for the shutdown trigger[citation needed]; oh and security patches still happen on WGA failing machines. (It's the 5th question down).

OK, so the last one isn't a reason why MS won't do what you suggest, but it is important because even invalid copies aren't left unpatched - that would be disastrous.

Re:WGA/pirated copies of Windows

One problem is the low-end users who have systems they have bought from a "friend" which turns out to have a WGA-failing pirated copy of Windows. Windows Updates refused to allow it to be patched, leaving it to sit there waiting to be infested.

Bzzt, Wrong.
WGA only prevents optional updates being installed not security patches. (It only prevents installing Internet Explorer 7/8/9, Windows Media Player 10/11, etc). Microsoft knew that would be stupid from the beginning so they never tried it.

They did toy with the idea of preventing Service Pack 3 from installing without WGA [but not the individual patches themselves] but I don't think they went through with that due to the outrage from the security community about how that would harm everyone else not just the person who couldn't install it.

Re:WGA/pirated copies of Windows

Nice try, but WGA does not prevent you from installing security updates.

Re:WGA/pirated copies of Windows

[FreelanceWizard]

This is not true.

"The Automatic Updates feature is not affected by the WGA validation check. Therefore, you can use the Automatic Updates feature to make sure that you receive critical Windows updates."

Only some updates are marked as "genuine only," and this doesn't include security updates (which are all critical).

Re:WGA/pirated copies of Windows

[symbolset]

If you think carefully about this you may be able to discover a solution to your problem that doesn't involve changing things that are beyond your control or influence. The answer is implied in the question.

Re:WGA/pirated copies of Windows

[antdude]

You can still get critical updates through XP's Automatic Updates.

Still no threat to Linux, Android, iOS or BSD

[symbolset]

Yeah, I know. Redundant. I'll get my coat.

Re:The real issue: Users do matter.

[dave562]

What kind of company do you work at where they can't afford an IT professional to coordinate a virus cleanup? A Conficker clean up is something a $30 an hour network tech can handle if given the right instructions, time and leeway to take care of it.

Long tail

[symbolset]

I'm thinking 2020, 2025 before it sinks below 10%. Still the number one OS in the world, by a long margin.

Windows 98 is still putting more hits than WP7.

Re:The real issue: Users do matter.

[clarkkent09]

Mails were sent providing patches and explanations of how to deal with the conficker virus.

 
Yeah, and from your perspective as (I assume) an IT guy, that was sufficient. But from the perspective of a random employee for whom computer is just a tool to get their actual job done, dealing with patches and explanations about "worms" (or is it snails) is an annoying and time consuming distraction. Especially when there is one update or another asking you to install and reboot just about every day, forcing you to close and reopen all the programs you are using etc. Not saying that there is a perfect solution, just that blaming "dumb" users for everything is a cheap cop out.

Re:The real issue: Users do matter.

[Isaac+Remuant]

A goverment company in a third world country with 350+ employees and a lazy IT department (of which I'm not a part of).

That being said, the users have no regards for computer security. They care about their cars, their paperwork, the keys to the office, but always fail to recognize the vulnerabilities of a computer system.

Re:The real issue: Users do matter.

[smash]

End users getting/dealing with virus = fail of IT dept. Other employees are not employed to deal with IT issues. Expecting them to do so is an epic fail. It's not their job.

It's the embedded stuff

Real reason why some worms like this stick around forever? Because there are network printers and scanners that use XP or XP embedded (or god forbid 2000) in a partially locked down, unpatchable state. I had a client's company that kept having it reappear in their network, and while most computers were patched/updated enough to prevent casual infection by an A variant, inevitably a new computer that is being setup that had no patches or AV gets nailed. Eventually tracked down to a network connected scanner (maker unmentioned to protect the stupid), which had no means of a clean reset to go back to an untainted OS image. The client was loath to throwing the damn thing out, so they stored it somewhere, and eventually somebody hooked it back into the network and the process starts all over again. At least they were lucky that the network had restricted internet access through a proxy, so the worm couldn't update to a C variant or above. I believe they only recently put the scanner in a locked room...

Re:It's the embedded stuff

[Simon80]

5-10 years ago, the concept of putting Windows in products that are conventionally designed to actually work reliably was just a big joke to me, something that a few cranks were doing. Now it's just depressing to see how many different places it has weaseled its way into.

logic fail.

If the problem is boxes which haven`t had existing patches applied, how exactly does Microsoft ceasing to release more patches make this problem worse?

Re:logic fail.

[damn_registrars]

If the problem is boxes which haven`t had existing patches applied, how exactly does Microsoft ceasing to release more patches make this problem worse?

I guess I thought this was pretty obvious, but perhaps you haven't had a conficker infection run wild on you yet.

If a system gets conficker, the only way to clear the infection for good is to patch the OS for the vulnerability. The infection itself will eventually force the user to take action, because after a while the infected system will reach 100% CPU utilization as the system goes nuts trying to get commands from the botnet (even if it never finds any). On top of that the system will also take as much bandwidth as it possibly can, which will of course drag down the performance of the network it is on.

But when MS stops releasing XP patches, and the conficker authors find a new exploit after that point in time, then it is game over in terms of fighting infections on that system.

If only the subject line was long enough to

contain the whole post, we wouldn't have to split it into the comment as well.

Re:The real issue: Users do matter.

'...and a lazy IT department (of which I'm not a part of).'

I'm guessing that you're a part of the Department of Redundancy Department :)

Easy solution for dumb home users...

"Puppy Linux", it boots from a CD and gives a nice friendly screen, with a web browser (Firefox) and all the usual accessory programs. No worries at all about installing malware. It boots up fresh and perfect every time.

Re:Easy solution for dumb home users...

[camperdave]

I don't know about Puppy (although I suspect you can), but DSL linux can be booted from the network via PXE. You could run the machine without a hard drive, if you wished.

Re:Easy solution for dumb home users...

[hairyfeet]

Nice thought except for the fact it doesn't actually work and is therefor pointless, and your "solution" is just taking away the rights of the customer who will happily FIRE you and thus put you out of business! Why Linux users seem to think "the answer is always Linux" when frankly unless you are in a corporate environment the opposite is usually true is frankly beyond me, but your "solution fails on multiple points:

1.-The consumer level devices, such as AIO printers, PMPs like the iPod,etc don't actually work in Linux so to find a working device your clueless customers are gonna have to A)research like it is the SATs (correct answer:they won't, and when they get burnt it will be YOUR FAULT)) and B)jump through flaming hoops to keep most consumer level devices running because what works in kernel Foo usually won't in kernel Bar thanks to Linus constantly futzing with things (correct answer:they won't and again see YOUR FAULT) but don't believe me, go to bestbuy.com, walmart.com, and look for yourself. Last I checked you were looking at about 30% supported and with NO way to tell if a device is easy or CLI hell to get working.

Second your answer is to take away all rights from the user yet you seem to think because it is Linux that "makes it alright" somehow. Would you be happy if someone "did you a favor" and replaced your Linux with Vista? No? What about taking away root and refusing to give you control of your own PC "for your own good"? No? Then what makes you think others would find that solution acceptable in ANY way shape or form?

As much as it galls FOSS advocates Linux doesn't work for home and SMB users a good 90% of the time. That "user that just uses email and surfs" frankly doesn't exist anymore than the "Linux hacker" that doesn't even have a window manager and just does everything by CLI. There is ALWAYS one or more "must have" apps that have no equivalent on Linux be it games, functional drivers for their AIO printer, or in my area QuickBooks (which has a "free for home use" version and is crazy popular here) and taking the OS away from the user will just make them hate you and turn them (and anyone they talk to) away from FOSS in general.

I have found a MUCH better solution that foisting an unwanted FOSS OS which frankly in non corporate settings without a competent IT guy to support it is a royal PITA is to make the PC as close as I can to a "toaster with a screen" so that I do the thinking so they don't have to and in turn keeps my shop popular even by just using referrals. Things such as giving them Comodo AV which by default sandboxes all non whitelisted apps such as the browser to minimize the risk of infection, and using Chromium based Comodo Dragon in Vista/7 so that the browser runs in low rights mode. Using Filehippo update checker to alert them to out of date third party software, having Windows set for autoupdates, and showing them how to have separate user accounts for family members with low rights so that kids and relatives can't go installing "that great app they heard about".

By using my "do the thinking for them" strategy I've found I have cut down reinfection by a good 90% and have several PCs in the hands of "clueless home users" that are happily running virus free 5 years+ down the line. While I find Linux perfectly acceptable for some uses such as web servers, corporate workstations, and for emergency "use this if you break it on a weekend" LiveCDs the whole "Give them Linux and they'll thank you for it" is total bullshit. What actually happens is they hate you and FOSS because their apps no longer work, their devices no longer work, and unless you are intending to give them free tech support for the life of the machine the odds that the machine will be running with full driver functionality a year from now is virtually zip, with "CLI fixes" being needed to be

Re:The real issue: Users do matter.

[Quirkz]

What you say is true, but your cynicism may be a bit heavy handed. I mean, I think timecards, expense reports, and all-hands meetings are annoying and time-consuming distractions, but when accounting emails me and says they need an expense report I still do it, even though I'm a computer guy and not a money guy. Despite the fact that every single time I mess up at least one of their obscure accounting codes (5xxx72 is for travel, but 5xxx74 is for food, except if it's food when you're traveling, then it's 5xxx14, but not if you're in-state, then it's the regular food line item of 5xxxx05, and so on ....) they still send back my form with corrections and hope I can figure it out next time. And I work at a fairly friendly, competent company, but I'm still put through hoops.

There's sometimes a lopsided impression in companies that IT is an inconvenience if they "interrupt" other people's daily schedules, but when other departments have interruptive demands it's just "part of doing business." The truth, of course, is somewhere in between.

Re:The real issue:Limited Motivation for Security

Sure, Mcafee and other companies are motivated to provide security for the masses, but to what extent? They have to be or at least seem concerned or Consumers would go elsewhere to get what they believe is the most secure protection.

Dad comes home after a long day at his anti virus corp. and asks son or daughter, "what have you got for me?" He is handed 32 new viruses written to disk, collected from class mates.. Far fetched? I imagine not. Like dentist handing out candy as you leave the office.. Like classrooms full of 3rd grade Chinese kids whose sole purpose in school is to hack the US Pentagon and State Dept.. Far fetched? I imagine not..

Re:The real issue: Users do matter.

[RockDoctor]

A goverment company in a third world country with 350+ employees and a lazy IT department

Sounds about normal then. I did some work last year for a South Korean government department and every single memory stick that they tried to pass data to me with had some sort of virus on it. Don't know (or care) if it was Conficker or something else. It would seem that every one of their laptops was infected too - copy the data off a memory stick, clean and re-format it, re-load the data. 2 hours later, the stick is infected again. After a while, you stop wasting your breath.

Tanzania was much more advanced than South Korea.

I'd Be Worried, But...

[EddieRingle]

The entire time I read the article, I was thinking about this.