You will probably get your wish, as there are people working on a secure boot using UEFI (modern replacement for BIOS) and the sort of cryptographic integrity validation you are talking about: https://lwn.net/Articles/447381/ (subscription required, but free from 23 Jun 2011)
This can be used for good (if you own your own keys, you can compile and install your own kernel etc) or bad (if the hardware vendor or OS vendor owns the keys, you have no way to install anything else, i.e. you have a Tivoized system).
Be careful what you wish for... There's a good chance that in a few years' time, new PCs that come with Windows will make it cryptographically impossible to install a new OS. Only if the UEFI allows you to disable this secure boot feature will you be able to do anything beyond Windows.
Linux IMA (Integrity Measurement Architecture) is a separate project, in kernel 2.6.30+, that does similar things within Linux based on TPM: http://linux-ima.sourceforge.net/ - again, the ownership of the keys is critical.
ZFS has very good per-block checksumming and many other features, and now has encryption support, which should be in OpenIndiana (the non-Oracle fork of OpenSolaris): http://milek.blogspot.com/2010/10/zfs-encryption.html. ZFS is a combination of volume manager (like LVM), software RAID and filesystem. Here's a useful HOWTO on setup: http://hardforum.com/showthread.php?t=1573272
Unfortunately ZFS support in Linux is userland only due to licensing issues. It may not have encryption yet either - however you could run TrueCrypt on top of a ZFS volume (like an LVM logical volume), bypassing the ZFS filesystem part.
http://boingboing.net/2011/05/05/wall-street-journal-2.html - The WSJ site has (or had) basic security holes. These may now be fixed but with this degree of incompetence and the difficulty of writing truly secure web apps, there may well be other holes.
How is it incompetent for the Malawi government to stockpile food against famine? The incompetence or willful negligence was on the part of the IMF, stopping the government from taking reasonable steps to prevent its people from starving to death.
One example is that the IMF stopped Malawi from stockpiling grain, and many people died of starvation as a result:
"... when in 2001 the IMF found out the Malawian government had built up large stockpiles of grain in case there was a crop failure, they ordered them to sell it off to private companies at once. They told Malawi to get their priorities straight by using the proceeds to pay off a loan from a large bank the IMF had told them to take out in the first place, at a 56 per cent annual rate of interest. The Malawian president protested and said this was dangerous. But he had little choice. The grain was sold. The banks were paid.
The next year, the crops failed. The Malawian government had almost nothing to hand out. The starving population was reduced to eating the bark off the trees, and any rats they could capture. The BBC described it as Malawi’s “worst ever famine.” There had been a much worse crop failure in 1991-2, but there was no famine because then the government had grain stocks to distribute. So at least a thousand innocent people starved to death.
Extracted from http://www.independent.co.uk/opinion/commentators/johann-hari/johann-hari-its-not-just-dominique-strausskahn-the-imf-itself-should-be-on-trial-2292270.html
Other examples: http://en.wikipedia.org/wiki/International_Monetary_Fund#Impact_on_access_to_food
Jane McGonigal has written some great stuff about how and why gaming can be not only engaging but good for your level of engagement with life, friends, family.
See http://www.amazon.com/Reality-Broken-Games-Better-Change/dp/1594202850 for the book, and particularly her "Practical Advice for Gamers" included in this page.
http://vimeo.com/16227360 is a great video of a talk she did that's entertaining as well as instructive, gives a flavour of the book I think.
I don't completely buy that gaming is completely positive, as excessive hours gaming can really be a problem, but she makes some good points.
It's not just posture, it's also hours worked per day, timing/duration of breaks, etc. I know someone who worked 36 hours solid at the end of a project with 16 hour days for weeks, and got RSI quite badly. The posture was only one factor there.
> If you have to lift your hand from the desk or wrist rest, then you are doing it wrong. It's that simple.
Wrong - see my answer to this mostly duplicate comment at http://yro.slashdot.org/comments.pl?sid=2136538&cid=36069878
> Wrists off table is BAD. It's that simple.
Absolute rubbish. Typical ergonomic advice is to keep your wrists at a natural angle, whereas keeping your wrists on the table forces the hand to be bent somewhat backward. Something like this: http://www.flickr.com/photos/onekell/2570138754/
There's debate about whether wrist pads that support the wrist are a good or a bad thing.
To get some accurate information, see this FAQ: http://www.rsiprevention.com/rsi_faq.php
It's not just posture in any case - total hours worked per day, taking breaks away from the keyboard, and stress management are also very important.
I've always had crashes with Evolution even in 8.04, whereas Thunderbird is quite stable and featureful.
I had a lot of problems upgrading from 8.04 to 10.04, including kernel modesetting causing recovery mode to fail (very hard to turn off the framebuffer and I never got this to work), random hangs/freezes (didn't have these on 8.04), keyboard mapping completely broken for VNC (due to upgrade config file leftover), printing not working (due to Upstart failing to start CUPS). This was just 2 weeks ago, so the LTS had had 1 year to stabilise...
I think the lesson is that Ubuntu releases are really quite flaky for many people, so you should expect to spend a few days debugging them in some cases. Clean installs tend to work better. However, Ubuntu is still ahead of where it was a few years ago in user interface, design polish, and features - it's just that stability has suffered.
It's disappointing that the LTS is so problematic, I suspect the teams are not able to spend enough time stabilising that compared to working on new features for the 6 monthly releases.
You make a valid point, but Safari seems to auto-open certain "safe" files in the case of this crimeware kit: http://www.securitynewsdaily.com/new-malware-goes-after-mac-users-0747/
However, a huge amount of malware doesn't propagate by someone running an executable - these days it frequently uses exploits in browsers, Flash, PDF readers, etc. Simply visiting an infected website or opening a malicious PDF is enough to execute the malware on your machine. Exploit kits make it easy to set up a website that will try many exploits against the visitor, based on the browser and plugins they are using.
This infection model affects Mac, Windows, Linux, etc. While there are security architecture differences between OSs, the main reason Macs haven't yet got a big malware problem is that they haven't been targeted that much.
From something I wrote earlier - short version is that using Firefox/Chrome and a commercial antivirus on Macs is a good idea:
Here's a survey of security experts, giving a fairly balanced view: http://news.cnet.com/8301-27080_3-10444561-245.html - they believe that the Mac is less attacked but less secure than Windows and that Safari is not very secure. Using Firefox or Chrome is probably a better bet on Mac. Chrome - http://blogs.techrepublic.com.com/mac/?p=667 - probably more secure than Safari, and it now does have Adblocking, Flash blocking and NotScripts (like NoScript but a bit painful to install.)
See http://www.readwriteweb.com/archives/apple_quietly_updates_mac_anti-malware_feature.php for some comments - OS X actually has malware detection built in, showing that Apple thinks there is something to protect against. Mostly Trojans at present. Here's a list of OS X malware: http://www.iantivirus.com/threats/
ClamXav may be OK, but Clamav, the underlying tool, is generally nowhere near as good as a commercial antivirus based on tests - see http://en.wikipedia.org/wiki/Clam_AntiVirus#Effectiveness for a summary.
On Windows I generally recommend Kaspersky, who have good heuristic / proactive detection of zero days (the average signature AV only detects about 40-60% of in-the-wild threats). They do have a Mac version: http://www.kaspersky.co.uk/kav-mac-latest-versions
Mac reviews mention Intego as good: http://theappleblog.com/2010/02/04/antivirus-software-on-your-mac-yes-or-no/ and http://www.macworld.com/article/51438/2006/06/antivirussw.html (old review but includes ClamXav). Sophos is a reputable tool on Windows, which has a free Mac version: http://nakedsecurity.sophos.com/2010/11/02/anti-virus-mac-free/
Due to the blended threats that attack first a PC and then your website, and increasing popularity of Macs particularly for web design, it's only a matter of time before a blended threat attacks Mac+websites.
Perhaps bombing the guests at a wedding, which has happened at least twice in Afghanistan, would count as civilian deaths for you? http://www.google.com/search?q=wedding+party+afghanistan - to be fair, there have also been suicide bombs at weddings in Afghanistan.
At least for Iraq, http://www.iraqbodycount.org/ has credible figures, and is quite conservative about how it counts deaths.
If you think there aren't real civilian deaths in Iraq and Afghanistan, you need to start reading news sites more widely.
Definitely - having too many tabs open in Firefox (50 plus) is really a killer, and Chrome is no better. Once the browser is taking over 500 MB, and often well over 1 GB, Windows will start paging out a large chunk of most programs and the whole PC starts slowing down.
On Windows, it really helps to run Process Explorer to find memory hogs and keep an eye out to make sure that the "commit charge" memory usage is well below 100% of the physical RAM. Process Explorer is the single most important utility on any Windows PC - would be great if Linux had something as good as this. See http://technet.microsoft.com/en-us/sysinternals/bb896653 for Process Explorer - also lets you pause processes, see the process hierarchy, track I/O volume per process, find open files, etc.
Not true of all ThinkPads sadly - I had a ThinkPad 755 (486-based) that perished due to a flood of water coming down from the ceiling onto the keyboard.
In my first ever programming job, I spilt coffee into a disk drive - fortunately it was the drive for a 10 MB removable disk called a DEC RL02, which had been cunningly designed to route liquids around the outside and onto the floor - no damage done. (Such 10 MB disks were the height of technology at the time...)
Using password salt and multiple iterations of SHA-xxx is enough to defeat rainbow tables, particularly if you choose a non-standard number of iterations - see http://slashdot.org/comments.pl?sid=1987632&cid=35150388 for a bit more.
I'm willing to bet that 95% of all Windows passwords are 8 characters or less - even clueful users may think there's a limit to how many 14 character passwords they can remember, and of course they should not be re-used.
Since a given Windows box (particularly for servers) will have quite a few userids, you only need to crack one password to get a foothold for privilege escalation. However, a bigger issue is dictionary passwords - the Openwall team also wrote "passwordqc" which is a PAM module to check password strength when setting passwords.
On the salt - it doesn't need to be any more secure than the password hash. Both should have ACLs stopping anyone reading them, to defend against offline password crackers of all types. The salt just needs to be unique per userid, so that any rainbow table is useless and a brute force cracker must typically re-crack the hashes for two users with the same password.
The solution to this is simple: just iterate the hash function many times so that the time to hash the password is (say) 300ms - unnoticeable to an interactive user, but significant for a brute force attacker. This is called password stretching, and is as important as salt.
See http://www.openwall.com/articles/PHP-Users-Passwords for a review of this and other password hashing issues - not just for PHP, this article gives the thinking behind phpass which is now used in Drupal, and has been reimplemented in other languages. phpass includes bcrypt() as an option but can work even with really old PHP versions that only have MD5. Just because MD5 and SHA1 have been cracked to some degree doesn't invalidate them for password hashing with salt and stretching.
Key derivation functions perform essentially the same operation as password stretching, see http://en.wikipedia.org/wiki/Key_derivation_function - there is an IETF RFC for this.
(Digression: Windows 7 still doesn't use salted passwords, which is why it's so easy to crack Win7 passwords given the hashed password, using Rainbow Tables - see http://en.wikipedia.org/wiki/Ophcrack - try the vendor's scarily good online password hash cracker for yourself...)
Most importantly: don't even think of implementing your own crypto code unless the above is very old news to you, because you WILL get it wrong - the examples of unsalted and unstretched passwords are only the beginning. Instead, search for a credible crypto library in your chosen language, and if necessary write a C wrapper so that your preferred scripting language can access a good C/C++ library such as Crypto++ - http://www.cryptopp.com/
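The salt-plus-stretching scheme from the comment above, as an added example that is not part of the original comment: it uses PBKDF2 (the RFC-standardised key derivation function) from Python's standard `hashlib` rather than hand-rolled iteration. The record format and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time

ALGORITHM = "sha256"   # PBKDF2-HMAC-SHA256, provided by the standard library
SALT_BYTES = 16        # random salt, generated fresh for every stored password
SCHEME = f"pbkdf2_{ALGORITHM}"


def calibrate_iterations(target_seconds=0.3, probe=20_000):
    """Estimate the iteration count that costs about target_seconds on this host."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(ALGORITHM, b"calibration", b"\x00" * SALT_BYTES, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))


def hash_password(password, iterations):
    """Return a self-describing record: scheme$iterations$salt$digest (hex)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, current_iterations):
    """True when a stored record was stretched less than the current policy requires."""
    try:
        return int(record.split("$")[1]) < current_iterations
    except (IndexError, ValueError):
        return True


if __name__ == "__main__":
    iterations = calibrate_iterations()
    print("iterations for ~300 ms on this host:", iterations)

    # Constructed sample data: two users who chose the same password.
    shared = "correct horse battery staple"
    alice = hash_password(shared, iterations)
    bob = hash_password(shared, iterations)

    # Unsalted hashes of the same password are identical, so one precomputed
    # table entry (or one cracked hash) covers every user who chose it.
    unsalted = hashlib.sha256(shared.encode("utf-8")).hexdigest()
    print("unsalted, both users:", unsalted)

    # Salted records differ, so each must be attacked separately, and each
    # guess costs the attacker the full stretching time.
    print("alice:", alice)
    print("bob:  ", bob)
    print("records differ:", alice != bob)
    print("alice verifies:", verify_password(shared, alice))
    print("wrong guess verifies:", verify_password("password1", alice))
```

Storing the iteration count in the record lets the cost be raised later: on a successful login where `needs_rehash` is true, hash the supplied password again at the new cost and replace the record.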
Good points - much better to prevent a rogue admin than defend against one.
On the backups, I'd also strongly suggest an offsite network backup that operates by "pull" from your main servers, i.e. only the backup server admin can login to the backup server. That way if a rogue admin decides to delete critical data, they can't also delete the backups. The backups will need to go back many versions to guard against someone corrupting data or source code then waiting months or years. For Linux and even some Windows, rsnapshot is a great way to do pull backups using SSH key-based login.
Ultimately this model is still vulnerable to a really talented rogue admin who will simply trojan the SSH server on one of the main servers in order to break into the backup server.
Hence an offsite logging server that captures remote log events from all your servers is important - though really you would need some admins with read-only rights to this as well, and their logins could be captured by trojaning another server or a client system.
For the wider audience (I know you got this right): it's rogue not rouge (French for 'red', English for a type of makeup). This entertaining typo meme has been spreading a lot. The idea of malicious admins with rosy cheeks is entertaining though - would make them easier to spot at least...
Mod parent up - grabbing the whole encrypted password list is often surprisingly easy with SQL injection attacks, unfortunately. This is also how some spammers get email addresses from any site that records them and has a suitable SQL injection vulnerability.
Wrong.
Ed Vaizey is the minister responsible for this proposal: http://www.metro.co.uk/news/850896-new-porn-controls-for-children-on-internet-planned-by-government
Good summary and comment at http://www.longrider.co.uk/blog/2010/12/19/its-all-for-the-children/ - of course, once there is the precedent for blocking porn by default, it's then easy to block all sorts of 'undesirable' content, including Wikileaks etc.
Antiviruses catch only a declining percentage of malware, so you can't rely on them - see http://en.wikipedia.org/wiki/Antivirus_software#Effectiveness which shows that even in 2007 the average percentage caught was about 50%. Various independent tests confirm this, particularly for zero-day viruses (i.e. you must rely on heuristics in the AV product, not signatures). In 2007, 23% of infected PCs had up to date antivirus: http://www.pandasecurity.com/infected_or_not/ and http://www.pandasecurity.com/infected_or_not/panda_security_research/
Even when there is coverage for a specific virus/trojan, highly polymorphic ones are often not caught - for example the Zeus banking trojan, which steals from bank accounts while hiding the illicit transactions and resulting balance from the user, is missed in 77% of cases - http://www.darkreading.com/security/article/220000718/index.html
Upload time is not a big deal - I have about 30 GB uploaded to Mozy, over a 0.5 Mbps upload link. The main thing is to ensure the upload doesn't completely hog your upstream bandwidth, and that subsequent backups use block-level incremental technology, so only the actual data changed is sent.
Mozy and other online backup services are very effective, in addition to a local full system image (ideally to another server not a USB hard drive.) A USB flash drive is not very useful for backup, as it's far too easy for it to be stolen or damaged compared to an online backup - more useful to get a large hard drive and put that in another PC or server, then do a full system image to that.
One particular issue is web host control panels - of the major control panels (cPanel, DirectAdmin and Plesk), only DirectAdmin has IPv6 already, and many web hosts aren't willing to deploy a different control panel just to get to IPv6. Hence many websites simply can't go IPv6 easily until the ISP upgrades to the control panel, and in the case of cPanel, which is by far the most popular one, there is not even a roadmap date for v6. Same goes for Plesk apparently.
If you use cPanel, see http://forums.cpanel.net/f145/case-10334-make-cpanel-ipv6-compatible-35453.html and comment if you want to see IPv6.
If you use Plesk, see http://forum.parallels.com/showthread.php?t=102770
Perhaps a different IPv6 would have been better, but it's now a long way past the time where we could design, implement and deploy anything other than v6. Getting into IPv6 isn't necessarily that complex or difficult but there are many detailed steps to be taken, and it will be harder to do it in a rush - unfortunately most organisations, including ISPs and web hosts, will have to do it more quickly and expensively now.
Most of the blockers are now at the applications level.
So now we are using tunnels to get around NAT, which is used to get around IPv4 - a great demonstration of why it's easier and better to just upgrade to IPv6 and stop applying hack upon hack.