Slashdot Mirror


User: Alpha830RulZ

Alpha830RulZ's activity in the archive.

Stories: 0 · Comments: 1,070

Comments · 1,070

  1. Re:60,000 licenses for.. on Ohio Plans To Encrypt After Data Breach · · Score: 1

    Why, oh why, didn't I become a government contractor?!?

    Have you looked at what the government pays lately? There is a reason that this stuff happens. In Washington State, at least, government pay grades are about 1/2 to 2/3 of what you can make in the private sector for the same work. If you consult, you can easily make 3 times what the government pays.

    You get what you pay for.

  2. Re:Microsoft will not bleed ink on Linux To Take Over The Low-End PC Market? · · Score: 1

    As far as I know, every monopoly from 14th century button makers to the RIAA eventually meets up with a disruptive technology and whoosh out the door goes the monopoly. More often than not, those companies that were monopolies don't survive that transition very well.

    Tell that to the descendants of Standard Oil http://en.wikipedia.org/wiki/Standard_Oil/. You know, Exxon, Amoco, Marathon ... I'm still waiting on the disruptive technology.

    Microsoft has an 80% gross profit from sales. They have huge funds to spend on R&D expenses/investment. They have come to dominate most of the markets they target, and their leadership team is still young and vigorous. You may not like Ballmer, but he certainly isn't getting lazy or weak. Bet against them if you want to, but I think you're engaged in wishful thinking. Their track record is pretty damn good, whether you like them or not.

    My bet is, if Linux continues to grow in desktop share, MSFT will release a distro of their own. You heard it here. You guys may not be old enough to remember when MSFT got Internet religion, and how fast they turned that company. Could it be the Winsome Windy release? Redbuntu?

  3. Re:Great, we need a vista killer on Linux To Take Over The Low-End PC Market? · · Score: 1

    But the version game is unacceptable

    Why? It's hardly unique to MSFT. It's called walking the customer up the demand curve. There are abundant examples in the marketplace, from new cars, where to get a 50 dollar stereo you have to pay 800 dollars, to electronics. Bushnell, for example, sells laser range finders. The low end model measures out to 400 yards, the high end model measures to 1500 yards. They have the same case, the same optics, the same guts, but the 1500 yard model costs a lot more, because the consumer will pay more. Selling a crippled version lets Bushnell provide a lower value product to the customers that don't want to pay for, and perceive they don't need, the more expensive product's additional capability. Marine electronics is another area where this is common.

    There are lots of things to take issue with about Vista, but the versioning scheme is just business, and not even particularly nefarious business. If you don't like it, run XP, or your favorite distro. I'll never own Vista, but it's not because of their product packaging choices.

  4. Re:Microsoft will not bleed ink on Linux To Take Over The Low-End PC Market? · · Score: 1

    I don't have the numbers to prove it, however, I'm guessing that Microsoft's efficiency is starting to approach that of the U.S. military's

    MSFT made 14 billion dollars in net income on 51 billion dollars in sales in 2007. That's 27% net, after tax, income. Pre tax operating income is 35% of sales. Very few financial observers are going to think that MSFT is wasteful or inefficient, or that they are in danger of foundering on the rocks of Linux, when they shit out money like that.

    To provide some contrast, GE made 12% net profit in 2006, and is widely regarded as one of the more reliably performing large companies out there.

  5. Re:I don't get it on Airlines to Offer In-Flight Internet Service · · Score: 1

    My understanding is that the original reason for banning cellphone use in the air was not based on a concern for the plane's electronics, but rather that the switches on the ground did not have the capacity to handle the rapid switching between cells that jet based users would require. Apparently this is no longer the case, and hasn't been for several years, as the 9/11 passengers using cell phones proved.
    This may be another case of a rule that once made sense, that no-one wants to revisit.

  6. Re:Sad, but predictable on House Bill Won't Criminalize Free Wi-Fi Operators · · Score: 1

    So if a .jpeg file transits your router with a name like FG23456.jpg, you want to be accountable for its content if it happens to show lil' 13 yr old Tiffany doing the nasty? How will you know? How -can- you know? This sounds like it imposes a requirement for content analysis that is well beyond the ability of even top notch IT shops to implement. I don't see how it's even reasonable to discuss. Carried to the logical conclusion, it makes wireless carriers liable for knowing what the contents of every endpoint on the internet are, and for analyzing and interpreting the contents of every packet transiting their network. If that requirement is imposed, it would have to mean very heavy filtering of wireless traffic, possibly to the level that would make wireless connections infeasible.

  7. Re:$25,000 for disaster recovery? on What If Yoda Ran IBM? · · Score: 4, Insightful

    Methinks the author of TFA isn't as experienced as he would have us think he is. $25,000 will only buy about 120 hours of any reputable senior consultant. The big firms will need about $400/hr. IBM properly realizes that they can't deliver any value for the budget, and is not wasting the author's time or theirs.

    The economics of consulting firms are such that you have to charge about 3 times the payroll cost of your staff to cover your costs and make some money. So, if you have a reasonably experienced consultant, who makes $120k a year (which is lowish in the bigger markets), you need to bill that person at $360k a year. Figure 70% utilization, or about 1400 hours a year, and you have to bill the guy at at least $250/hr. That's the economics of the big firms. The only ecosystems in which those firms can deliver value commensurate with their cost are the large client organizations. Hence, they quite rationally focus on them. I won't offer an opinion as to whether they can in fact deliver to that value - that depends on the team, the people, and the problem.

    This leaves a significant market out there which can be served by sole proprietor consultants for $100-150/hr. The author needs to go find himself one of those folks, and quit whining. If he had a business head on his shoulders, as he insists that he does, he'd be able to figure that out. Since he can't, I'm not sure I'd view him as likely to move up in the world to those larger firms, and I suspect that the vendors have figured him out as a weak player. I have never had trouble getting vendor focus when working in small firms, so it isn't impossible.

  8. Re:NIH is healthy. on How Mainstream Can Code Scavenging Go? · · Score: 1

    It's certainly healthy for job security, but it ought to be a firing offense. There is a group in my company right now who is literally rewriting a working system from scratch, even though we have working, debugged, solid code that does exactly what they need it to do, because it comes from outside their group. "Would you guys like some code that does that?" "Nope, we write our own." "Why?" "Because." "Would you like to see the requirements docs we used?" "Nope, we'll write our own." "Why?" "..."
    A production system is being delayed for three months while they do this.

    Sheesh.

  9. Re:Well if there are bets being placed... on The $10 Billion Poker Game Begins · · Score: 2, Insightful

    It's very clear what they wanted. They demanded an open standard in order to even enter the bidding. The government caved, and so Google doesn't need to win the bidding in order to win. See http://seattlepi.nwsource.com/business/342160_googleauction04.html This way they get to play, and they don't need to build and manage a network. Best of all, the consumer wins, too.

  10. Re:Virtually impossible? on New Way to ID Invisible Intruders on Wireless LANs · · Score: 2, Interesting

    Thanks for laying that out. I don't know what makes this so hard for people to get/do. Come up with 3 to 5 words of something that means something to you, separate with some punctuation, and make sure it's around even only 20 characters, and it should take a million machine botnet something like 10^21 years to crack, assuming the 45 tries a second metric. E.g., "IHave7FavoriteFl()wer&" should be good for something like the remaining life of the universe. (3.6*10^27 years, by my calculations)

    Even so-called security professionals seem to have trouble with this. One of my favorite gripes is the security team at my new employer, who insist on forcing us to use 8 to 10 character passwords, no more, no less. They demand a numeral and a special character, which actually reduces the search space substantially. I am prone to setting up passwords for people like "Eagles~In*Trees" which is easy to remember, and tough to crack, but they won't let me any more, forcing us to issue things like "sFg#8Jk@", which the user promptly writes on a sticky note and pastes to the monitor so they won't forget it.

  11. Re:What about the other way around? on How to Turn Your PC into a Mac · · Score: 1

    I'm also computer support for my mother. She got a Mac laptop this fall. Unfortunately, I'm not a Mac guy, and she wanted me to get it to print on the printer connected to the PC. After an hour of dinking around, I figured out how to see the HP laptop, and the computer attached to it. After another bit, I was able to get print output to it (needed to have Windows printing set). However, I was unable to get the correct printer type to show up so that I could get it configured. I downloaded drivers from HP and installed them, to no avail. The Mac insists on sending postscript and only postscript. Only PS printers will show up in the device list, and I couldn't ever find the OfficeJet driver. I'm much more computer savvy than the average droid, and this was beyond non-obvious. So much for "It just works".

    She got this because my sister the computer illiterate told her that Macs are easier to use. For Mom, easier to use means having free support available from her eldest son, and that isn't happening. I told her that I couldn't figure it out, and went back to the dinner table. She now has a $3000 bookend (she replicated her software when she got it).

  12. Re:cocaine in the United States on Radiation Not As Hazardous As Once Believed · · Score: 1

    So do a fair amount of republicans, including Bill Richardson (former gov of New Mexico) and William F. Buckley. This is because people who understand economics understand that prohibition increases usage and harm, and decreases our ability to manage abuse. Specifically, many people of all political stripes would like us to rethink our silly war on (some) drugs, just as we think it might be reasonable to rethink our silly War on Terror.

    It is a little known, but quite well documented fact that the US did not have a significant cocaine abuse problem before we chose to make cocaine illegal and therefore hideously profitable. The Pure Food and Drug Act of 1906 pretty much killed the patent medicine industry, as when people learned that products contained cocaine and morphine, they largely quit using them. See www.adrugwarcarol.com for details and citations.

  13. Re:But Cannabis is BAD on Cannabis Compound Said To "Halt Cancer" · · Score: 1

    And even if marijuana was -good-, admitting it would mean that the government has been wrong for 80 years, that would send the wrong message, and that would be -bad-.

  14. Re:This comes up every few years on Cannabis Compound Said To "Halt Cancer" · · Score: 1

    A good friend of mine gets direct relief from his muscle spasms caused by MS, directly from smoking pot, for which he has a prescription. How does my getting high on the stuff invalidate his relief?

    You, sir, are one of the willfully, cruelly ignorant masses that cause our perverse war on drugs to continue to damage the world.

  15. For a wide variety of great historical information on Cannabis Compound Said To "Halt Cancer" · · Score: 1

    For a good history of the legal process that resulted in pot being illegal, see http://www.adrugwarcarol.com./ For more general information, please see http://www.druglibrary.org/schaffer/, a truly impressive compendium of information on the topic.

  16. Re:huh on First Use of RIPA to Demand Encryption Keys · · Score: 1

    Um, they walk you down the hall, unlock the door, shove you in, close the door, and throw away the key. Cf. Guantanamo.

  17. Re:What if she doesn't actually know? on First Use of RIPA to Demand Encryption Keys · · Score: 1

    Heck, just eat a Big Mac.

  18. Re:Web Services? on Half a Million Database Servers 'Have no Firewall' · · Score: 1

    That sounds good to me, but I'm no expert, just someone who worries about these things for my own shop. The only thing you didn't talk about was the sensitivity of the data on the server. What you described gives me the paranoid willies, but I get those pretty easily. :-) If credit card numbers and SSN's aren't going through the server, you're probably in a reasonably safe position. If you have sensitive stuff on the db, well, then maybe you're not. It sounds like it's the customer's problem, and that you've taken prudent measures. If you (or the customer) got sued, I could see an opposing counsel making hay out of you not having the firewall, but I think I agree with your analysis that you've taken solid steps to protect the asset.

  19. Re:Web Services? on Half a Million Database Servers 'Have no Firewall' · · Score: 1

    I dunno. Any 500 dollar firewall would let you filter access to this port to allow only approved IP's to access it, which should usually be the web application server. I have to come down on the side of believing that there are very few good reasons, if any, to expose the DB to a random access. While you are correct that perfect security is an elusive goal, this is a pretty easy hole to plug.

    Your protest that this just moves the attack vector is a bit of a red herring, IMO. If you have a web application, of course you have risks in the web server and the middleware. Exposing your DB server just adds another risk point that is more straightforward and requires fewer skills to attack. That changes your risk points from 2 to 3. At the risk of being simplistic, I suggest that 2 is better :-)

  20. Re:Check Yourself on FBI May Have Datamined Grocery Stores With Help From Credit Companies · · Score: 1

    My friend, I have said nothing about the law enforcement implications. I merely was attempting to educate you and others about the relative role of my employer in the overall transaction flow. The actual information content in these transactions is pretty minimal, and isn't going to be as useful as transaction dumps from the merchant systems, which would actually break out what was purchased. Visa and ATM transactions don't contain line item detail, and thus cannot be used to determine whether you are purchasing garbanzo beans or grenades.

    I'm quite aware of the data relationships between our customers, their customers, and my company. I do data analytics systems for those groups, and specifically predictive behavioral models for some of our customers. The input data we use comes from those customers, not our systems. Account numbers are certainly sensitive information, and we guard them with security measures that sometimes border on the absurd. However, we see a lot less of your personal data than you might imagine. I never see SSN's, for example, and only rarely phone numbers and addresses.

    I'd also caution you on relying on using a privacy statement as system documentation. Privacy statements are written by legal teams, which rarely see any of what the business actually does.

  21. Re:Blame it on FirstData on FBI May Have Datamined Grocery Stores With Help From Credit Companies · · Score: 1

    First, personally identifiable information has a pretty precise meaning in the industry. It associates you with information that can be used to access your information. You're correct in that the account number is pretty sensitive, but it's not there gratuitously - it's the core of what is going on. What isn't there is your name, address, phone number, social security number, secret question, etc. It's only the information needed to process the transaction. These latter pieces are what you really want to be concerned about, as they can be used to assume your identity. Your credit card number/bank card number can't be used to do that. It can only be used to attempt a transaction.

    Second, First Data doesn't do credit reporting. Credit reporting is done by Transunion, Equifax, and Fair Isaacs, among others. They in turn receive information from various credit issuers about your payment status, which information you agreed to release as part of your credit agreement. We don't have -anything- to do with that. The information comes from your card issuer/bank.

    The actual bill creation is a separate process from the purchase transaction processing. This is done in a variety of different ways, by a variety of different companies. It is the responsibility of the card issuer, but many if not most of these outsource to various processing houses. To be honest, I don't know whether we do any of that, but I doubt it.

  22. Re:Blame it on FirstData on FBI May Have Datamined Grocery Stores With Help From Credit Companies · · Score: 1

    Actually, we only process about 52% of the transactions. (Disclosure, yup, that's where I work). We don't issue the plastic, that's done by the bank. We (and others) run ATM and credit card processing systems that make the transactions happen. In those transactions, no data comes across the wire about the goods purchased, or -any- information about you other than the merchant, time and date information, transaction amount, and your card number. Actual data about the goods purchased, etc, is maintained in the merchant's systems, and we don't see it. Actual data about you is retained by the account owner (your bank or your card issuer). We don't see any of that, either. We have -nothing- to do with credit issuance.

    The 'affiliates' of KKR are similar the legal vehicles put in place when KKR purchased us. There's not a lot that is nefarious going on there. KKR purchased us because they think they can make us more efficient and resell us. My guess is that they are correct.

  23. Re:Note total absence of word "Microsoft" on The World's Biggest Botnets · · Score: 2, Interesting

    It's quite possible to configure Windoze to prevent these infestations. It's a pain in the ass, to be sure, but it can be done. My company works with the large banking corporations, and they all to a one have their machines locked down so that users can't install squat, which prevents this problem fairly well. It's at quite the cost of user convenience, but it can be done. In these same corporations, it's also a pain in the ass to get anything done on the linux machines that we install, because the same measures are taken there as well - install a slimmed down version of the OS, and drag your heels hard when users want to add any application other than vi and ls.

    Linux can be quite secure, but most of the fanboiz forget that you all have the root password in your hip pocket. If (or when) Linux were to become the dominant consumer environment, these problems will migrate to linux, because the essence of a consumer machine is that the consumer has admin rights to it. Uneducated admins are the problem, not the OS they happen to be running.

  24. Re:Note total absence of word "Microsoft" on The World's Biggest Botnets · · Score: 1

    If you RTFA and check the references, you'll see that Firefox and Opera are now being exploited as well.

  25. Re:Centos brings back the 'play at home' on Is CentOS Hurting Red Hat? · · Score: 1

    My company delivers software on RHEL. We use CentOS extensively at customers and internally. I don't need access to support, but my customers often do. CentOS reduces my costs and our customers' costs and gives me a warm fuzzy that I'm using something close to what my customers use, if they are on RHEL. I'd actually prefer to use Fedora, but Fedora and CentOS differ enough that our installer won't run (due to a bug in Install anywhere).

    CentOS is definitely driving incremental RHEL business, in my experience. It certainly keeps me in the RHEL camp.