NYT Security Tip - Choose Non-Microsoft Products

Giorgio Maone writes "The New York Times article 'Tips for Protecting the Home Computer' follows a story we recently discussed about the proliferation of botnets, and contains some statements which may sound quite unusual from mainstream press, especially if targeted to home users: 'Using a non-Windows-based PC may be one defense against these programs, known as malware ... Alternative browsers, like Firefox and Opera, may insulate users ... NoScript, a plug-in utility, can limit the ability of remote programs to run potentially damaging programs on your PC'."

So Markoff Doesn't Care for Microsoft

[eldavojohn (898314)]

... some statements which may sound quite unusual from mainstream press, especially if targeted to home users: 'Using a non-Windows-based PC may be one defense against these programs, known as malware ...

I don't find it that unusual. I mean, I recall a bunch of articles in other newspapers talking about and recommending Firefox. I've also read many magazines & seen television news on the lack of viruses on an Apple.

I must admit that initially I was a bit humored by the idea that a New York Times author had a right to caution me about computer usage. But when I looked up his credentials [wikipedia.org], he seems to be a qualified and experienced tech writer who probably has good advice for the general public. Granted, his last recommendation: "Don't click if someone offers you something too good to be true. It is." worries me that people may be wary of certain open source projects but in the end, I'd agree that I'd tell my sister and friends just not to install anything and to ask me for specific links to programs that solve problems or fill needs.

In the end, it's a very short article and doesn't provide a very comprehensive picture of security for a home user. You may think its news that Mr. Markoff decided to push people away from Microsoft but he's only telling you the facts about the numbers. You won't have as many problems with Linux but there's no way your daughter's iPod will work with iTunes Music Store on your computer anymore. If he wanted to make this a notable article, he should have delved into trade offs and better coverage of issues.

So Markoff doesn't like the benefits of running Microsoft software. So what?

Re:So Markoff Doesn't Care for Microsoft

[DJ Rubbie (621940)]

In the end, it's a very short article and doesn't provide a very comprehensive picture of security for a home user. You may think its news that Mr. Markoff decided to push people away from Microsoft but he's only telling you the facts about the numbers. You won't have as many problems with Linux but there's no way your daughter's iPod will work with iTunes Music Store on your computer anymore. If he wanted to make this a notable article, he should have delved into trade offs and better coverage of issues.

While we all want people to run Free Software (at least a Free OS) all the time, it's just not practical right now. His advice could mean, use a Mac, which is what I have been recommending to people I've fixed computers for, despite the fact that Linux/BSD/GNU may be better for the long run. iTunes works with Mac, so does quite some other programs (not talking about DirectX games). The common sentimental for people who switched from Windows XP to OS X is usually, why did I used that crap before? Especially when they went to a Windows based computer for whatever reason. I recently got my mother set up on a computer (who never used one before) and I installed Linux, and she thought it was easy enough to use. For a non-power user who just casually browse the web, email, maybe Skype for VoIP, Linux is good enough. For people who are used to proprietary software and not wanting to change, OS X might be a better choice.

Re:So Markoff Doesn't Care for Microsoft

[fyngyrz (762201)]

Let me put it to you this way: I sell Windows software for a living. Not Mac-ware. Not yet. . Still, I recommend to everyone I know that they get a Mac. I can't, in good conscience, recommend Windows. Malware, yes, that's certainly a huge problem. DRM issues in Vista are another (such as degrading audio if unsigned.) Ridiculous license terms are another (no virtualization for home? Change your hardware, lose your authorization? ridiculous!) Constant reboots and restarts are another. Incorrect configuration out of the box is another - not just privileges, but what is running and what is not, what is turned on and what is not. As near as I can tell, the key Microsoft OS policy is "Wreck the user's day. Every day."

Re:

[RobertLTux (260313)]

easy way to have the Luserbase understand how to tell if a free program is good/safe

1 GPL /uses Sourceforge as a mirror farm (+points)
2 not GPL but has a Linux version or has source downloadable (+half points)
3 site has massive ads and or flash based ads (- double points)
4 site mentions in a positive way Gator/Claria Bonzi buddy weatherbug or any of the KOS programs (warm up the BGF9000 and pick up a QD glyph)

Re:So Markoff Doesn't Care for Microsoft

[Helldesk Hound (981604)]

> So Markoff doesn't like the benefits of running
> Microsoft software. So what?

What benefits?

I am not totally convinced that automated silent virus/malware installation is a "benefit".

Re:So Markoff Doesn't Care for Microsoft

[by Anonymous Coward]

I am not totally convinced that automated silent virus/malware installation is a "benefit".

How about the benefit of being able to waltz into your local store (WalMart, Best Buy, whatever), pick up software or a peripheral device and see that it is supported and can run on your home machine?

For some people that's the only benefit they care about.

Noscript is one of the best reasons to run Firefox

[Beryllium Sphere(tm) (193358)]

The only usable way to control Javascript is site by site, and turning it off by default slashes a whole army of exploits out of your life. Every browser should have this functionality built in.

Re:Noscript is one of the best reasons to run Fire

[Nasarius (593729)]

NoScript is nice, but it could use a large default whitelist, something like the AdBlock Plus subscription options. It gets pretty tedious to allow every site manually, especially when some only break in subtle ways.

Re:Noscript is one of the best reasons to run Fire

[Bob54321 (911744)]

I use NoScript but my wife found it very annoying that all the sites she wanted to visit would not work without having to allow them first. I don't think recommending it to the average home PC user is very helpful because they will just think that it broke Firefox.

Re:Noscript is one of the best reasons to run Fire

[El Cubano (631386)]

The only usable way to control Javascript is site by site, and turning it off by default slashes a whole army of exploits out of your life. Every browser should have this functionality built in.

Amen to that. I use noscript and I have lost count of how many sites fail completely or outright refuse to load if JS is disabled. The number of sites which degrade gracefully is sadly quite small. If every browser had this, maybe web developers would finally get it through their thick skulls that JavaScript is best utilized to enhance the user's experience. Obviously, there are some exceptions, like AJAX applications and the like. It bugs me so much that I have never developed a site that did not degrade gracefully in the absence of JS. In fact, the only way the user would notice something was different was if they had first seen the site with JS and then later without or vice versa. Some of the worst offenders are the "major" tech companies. Try logging into Yahoo webmail with JS turned off to see what I mean.

Re:Noscript is one of the best reasons to run Fire

[Professor_UNIX (867045)]

Amen to that. I use noscript and I have lost count of how many sites fail completely or outright refuse to load if JS is disabled.

I love news sites that require you to turn on Javascript. I'll click on a link, the article will load and look absolutely fine and formatted just dandy for reading and then boom, a second or two later it'll redirect to some page saying "Javascript is required on this site" and won't even let me read the article. What on Earth would I need Javascript for in order to read TEXT on a page? The only thing I can think of is for them to handle their advertisements.

NYT is out of touch.

[twitter (104583)]

Not use Microsoft? That's unpossible! They must be Mac or Linux users and are completely out of touch because they don't have the problems in the first place.

Seriously, it's good to see the message getting out. Another widely read, "mainstream" source, the BBC, has said the same thing already, like this [slashdot.org]. Of course, everyone without a vested interest in M$'s welfare has been saying enjoying the same for years. Sooner or later, despite billions of advertising dollars and bullshit studies, people are going to get it and real OS choice will happen. Seeing this in the NYT makes me think this is sooner than later.

One thing, that's easy.

[twitter (104583)]

[using anything but M$] is a steep learning curve, and a lot of people think why bothered [sic].

So M$ shoved IE 7 down their throats as a forced update. Borat voice, "Is nice!" If you want a consistent interface instead of, "change for change's sake" use free software.

Back in the real world, my five year old girl is happy with Firefox. I like that her system does not have to be replaced every two years and that it does not catch porn spam or American Express pop ups. Mepis took me all of 20 minut

Nothing's more Fragnmented than M$ GUI.

[twitter (104583)]

I think your argument of "It's so simple a 5 year old can do it" is flawed for one big reason: The five year old isn't used to using IE.

You must have missed this article [informationweek.com]

, complete with screen shots about how inconsistent the M$ GUI has become. Just look at this screenshot [cmpnet.com]. I thought the differences between KDE, Gnome and other toolkits was bad but that's way off, M$ has no excuse for the fundamental differences seen in their own tools. Why would you ever throw a new user into that mess? The worst part is how frequently they change the interface, No one else does it more.

I'll conclude with

with Microsoft applications, there's a feeling that, by and large, the only UI guidelines that Windows applications adhere to is "what we feel like." (I know Microsoft has a lot of UI guideline information, but since no one seems to follow any of it, I'm not sure what the point of it is.)

Uh oh

[neuro.slug (628600)]

I hear Steve Ballmer got the news while visiting a chair factory. Remember to duck and cover!

Using a non-Windows-based PC may be one defense...

[fyngyrz (762201)]

May be? MAY be? MAY BE?

<SARCASM>Sure, I have to worry about my Mac getting co-opted into a botnet 24/7, because we all know how many active threats there are to Macs! </SARCASM>

Man, talk about "understating the case."

The honest way to put it is that running Windows is the #1 way to get yourself into trouble. Adware, outright co-opting of your resources, virus problems... Windows boxes are insecure and risky, more so than any other machine, right out of the packaging.

You want security and simplicity of use? Mac isn't just "an" answer, it is the *only* answer. You want security and not too worried about simplicity? Linux or a Mac. You willing to re-work of all Microsoft's incorrect settings, patch all the browser vulnerabilities, play the target role in the hacker version of whack-a-mole, reboot your PC every few days because MS has discovered another severe vulnerability in their spaghetti code? Buy a Windows PC. Endless entertainment for puzzle solvers who don't care about their data security or computer availability. Been there, done that, found the solution, not going back.

Re:Wow! Talk about missing the point

[fyngyrz (762201)]

First you state that a Mac (presumably you mean the OS X operating system, as you use it in the same breath as Linux) is the only solution, and then only a few words later you state that Linux is a possibility as well

I see you are having reading comprehension problems. Read again. Slowly. You may be able to determine that those are two different statements, with two different sets of requirements.

This doesn't say much for your technical abilities. I have been highly successful in educating the lea

Microsoft Astroturf

[PavementPizza (907876)]

There's only been 9 comments on this story at the time of this writing, and yet the following tags are already up: "flamebait, nytfud, troll". These guys work fast, don't they? What's flamebait, trolling, or FUD about this article? Avoiding Microsoft products is a perfectly prudent move, if you can. Is it untrue to say that Mac and Linux users are safer on the internet than Windows users, or that Opera or Firefox users are safer on the internet than Internet Explorer users? Far from it. It's demonstrable fact.

You people just don't understand the paradigm

[straponego (521991)]

Microsoft wants to empower its users, and everyone else, for that matter. Don't you see how convenient it is that MS products execute treat every piece of data they ever come into contact with, no matter where it's from or whether it's a video, sound file, Office document, image-- whatever!-- as an executable? It's just like how you pick up every piece of garbage you see and put it in your mouth because it might be food. That's the taste of Freedom!

Anyone here watch Drawn Together?

[Progman3K (515744)]

This is where the animated characters take on faces like donkeys and go "well, DUH!!!!!!!"

On fark, They'd be paging Rick Romero...

NoScript is great, except...

[trawg (308495)]

.... probably 80%-90% of the websites I visit REQUIRE me to enable scripting before I can use things like navigation elements, which are a little crucial. Some of the more lame ones (like http://www.channelgo.com.au/ [channelgo.com.au]) actually successfully load all the content, then it detects I don't have Javascript, and redirects me to a page telling me I need to reenable Javascript!

I like the extra feeling of security I get using NoScript, but I'm pretty close to ditching it because the pain of having to enable and reload every website I visit just to do something like be able to click on an 'about' or 'FAQ' link is too much.

MS Should have put out Windows XP Second Edition

[Twillerror (536681)]

Windows really should have put out a new build of XP before releasing Vista. Just SP2 with a new installer that mimics Windows server 2003. If you've ever installed Windows Server 2003 it can be quite secure. It turns off all inbound connections until you can install patches. It turns off IE so you can't surf anything without explicity telling it you are ready to. Server 2003 was going down the right path, I'm not sure why they never ported some of these basics to a new XP back in 2004. I guess it's too late now.

The last big Windows worm was quite a while ago. They are still alive thanks to the unaware. Windows has a lot of ports open compared to other machines mostly because it was designed to operate in a operate in an Active directory enviornment...and because RPC is overally relied upon. Yes you can get a virus delivered by email, but this is true of any OS where the user is running as root ( admin ( if the os even supports it ) ) and opens up an attachment. Windows users are bombared with viruses that Mac users get and can safely ignore...heck if you tried to run the exe it would just fail. Mail virsuses are getting less and less as well as email providers and spam firewalls are blocking them. A properly written virus ran on Linux or Mac OSx can get thru the protection. Linux and Mac OSx have had plenty of exploits to get a file install things.

While other OSes interact with each other, they don't quite do it with the built in way MS does. This is good for the end user and bad for security. SMB setup has gotten a heck of lot easier on Linux in the last few years, but compared to Windows it'll never be quite as easy. There are products out there like Groupware, but Active Directory is by far the simplest and most useful for setting up a small to massive network. Thousands of companies use it every day to share files and get work done. Install a printer from the active directory isn't super easy, but I ca'tn see a Linux product comparing.

Mac interaction with AD isn't that bad. I wish it had an Active Directory client from the get go, but my Mac users can print, share files, and a few other things okay. Nobody likes to mention that Windows file security is far more advanced then Linux's will be for quite sometime. The ability to permission a file to individual users at varying levels is absolutely crucial. It is a pain for my Mac users to have to remember their NT passwords and visit a NT machine to reset it every once in a while, but it is good enough so they can run Photoshop...with the Mac keyboard.

I won't be suprised to see a mac mode in Vista sometime soon. It wouldn't really be that hard for Windows to stick the file menu up on the top of the screen when a Window takes focus.

The fact of the matter that no ones wants to talk about is MS is becoming fairly secure if installed with it's patches and stuck behind a firewall. This is true of practically all OSes. The big problem MS has it that it doesn't update it's install disks and most of it's vendors don't update their freaking images. If I get a new Dell I would expect not to have to install a single patch that was over two months old, but alas they don't do that for you. Imagie you installed Redhat 3.0 and then put yourself on the network. I'm sure someone out there could right a worm for Redhat 3.0 right? There isn't one port in the default install with a buffer overflow issue? It be an interesting expierement to write worms for older versions of OSs and see how they take. My guess is that there are more Windows 98 boxes running today then RedHat 3.0 boxes ever ran.

The point is OSx or Linux get the marketshare that Windows has you'll see 1000's of older versions of the OS. As it sicks MAC users generally upgrade fast, and Linux users are practically religous about it outside of the server scope. And on the server side it is likely the machines are protected via firewalls.

The browser hole is getting plugged as we speak. Firefox, Opera, and IE are all plugging away. The big issues is that HTML and Javascript t

Ultimate Firefox Add-Ons for Privacy/Security

[Dark Coder (66759)]

As someone who actually AM worried about impending javascript exploits carrying trojans, I have within my Firefox the following Add-Ons (which comes pretty close to perfect security), but still requires a modicum of user awareness during web surfing.... The following Add-Ons are good for Windows, Linux and supposedly MAC OSX.

1. CookieSafe [mozilla.org]
2. Adblock Plus [mozilla.org]
3. Flashblock [mozilla.org]
4. httpOnly [mozilla.org]
5. SafeHistory [mozilla.org]
6. SafeCache [mozilla.org]
7. IDND [mozilla.org]
8. Link Alert [mozilla.org]
9. BlockSite [mozilla.org]
10. Master Password Timeout [mozilla.org]
11. no-referrer [mozilla.org]0
12. NoScript [mozilla.org]

Other useful support Add-Ons are:

1. SwitchProxy Tool [mozilla.org]
2. User Agent Switcher [mozilla.org]
3. Adblock Filterset.G Updater [mozilla.org]

For Linux users, I also have this useful add-on:

1. MediaPlayerConnectivity [mozilla.org]

Re:ah yes...

[Aurisor (932566)]

Funny, where I come from, we call that the "don't use insecure products" solution.

Re:ah yes...

[cryocide (947909)]

The product is only as secure as its users. If the mainstream Windows userbase switched to Linux, they'd take their bad habits (neglecting security hole patches, installing supposedly-required software to view web pages, logging in as root by default, etc.) with them. Linux would be the new hot target for malware. The same goes for OSX or any other operating system. Sure, there would be fewer holes, assuming that people made sure to apply the appropriate security patches, but we're assuming again that they wouldn't take their bad habits with them again, aren't we?

These are the people who click OK just to get the box to go away. No operating system is going to save them from themselves without removing the luxury of convenience they insist on keeping.

Re:ah yes...

[MoxFulder (159829)]

The product is only as secure as its users. If the mainstream Windows userbase switched to Linux, they'd take their bad habits (neglecting security hole patches, installing supposedly-required software to view web pages, logging in as root by default, etc.) with them. Linux would be the new hot target for malware. The same goes for OSX or any other operating system. Sure, there would be fewer holes, assuming that people made sure to apply the appropriate security patches, but we're assuming again that they wouldn't take their bad habits with them again, aren't we?

I disagree completely.

Windows makes it easy to practice these bad habits... default Administrator login, programs that don't work correctly when run without Admin access, ActiveX, etc. Contrast this with, say, Ubuntu... an excellent Linux distro even for newbies: by default the root account is disabled, when you want to do something system-alterating (e.g. temporarily gain root access), you have to put in your PASSWORD, not just click "Okay". The whole thing is so well-integrated that these password prompts aren't annoying or confusing. The system in general tries to explain to you what you're doing when it's something unusual.

Furthermore, most Linux distros are based on a central software repository which is supported, or at least approved, by the distro's developers. When you install open-source software from this repository, you can have confidence that you're not going to get spyware... and if you're running the stable distribution you can be pretty sure that you're installing software that has been thoroughly debugged as well--as opposed to some IE toolbar crap rushed out the door after a week's dev time.

I also think that Firefox 2.0 is far superior to IE 6 (haven't used 7 yet) in terms of alerting the user to potentially dangerous actions. When you install extensions, Firefox adds a 5-second time delay before you can click on "OK" to force you to actually read those stupid pop-up boxes. It detects suspicious obfuscated URLs, won't run downloaded executables without additional intervention, and checks HTTPS sites that improperly mix secure and non-secure content.

So I *do* think that PC security would improve substantially if the Windows userbase switched en masse to Linux. Granted, there'd be some of the problems with people doing stupid things and not reading warnings, but I don't think it'd just be same-old-same-old...

Re:ah yes...

[Da_Weasel (458921)]

I'm a firm believer in the theory that regular users need System Administrators. Maybe home users do too. If I could come up with a business model for a company that provided System Administrator services to home computer users i'd be rich!

You're so wrong

[chorltonian (887201)]

Compared with, for the sake of argument, Linux. I have no experience with OSX so can't comment.

1. Most OEM installations of Windows will have administrator as the default user, not requiring any logon at startup. In most Linux distros, you are disuaded or even cannot do this (e.g. Ubuntu), instead you work as a non-root user and sudo to do admin tasks.
2. Even with SP2 Windows XP enabled the infamous NetBIOS file and print services, just for one example. Nice summary of this and other "features" here [theregister.co.uk]
3. A Windows user can readily execute an EXE or VB script etc, e.g. a dodgy email attachment or download from a shady website, simply by double-clicking it from Explorer. Depending on the level of access to resources (see 1) the system may be totally compromised. In Linux by contrast, executing anything beyond what can safely be installed through the software repository requires knowledge of setting file permissions (and often how to build and install from source).
4. Similarly for ActiveX, given the user confirms they want to run it, the system is left totally open to abuse.

Small wonder all the spambots, key loggers, spyware and viruses out there in the real world live in Windows, right? Its not simply because of Windows' popularity, doesn't the Mac have 5-10% market share?

Re:ah yes...

[someone300 (891284)]

This isn't security through obscurity. Security through obscurity would be saying "I'm safe because I run Windows and it's closed source". This is the claim that uncommon software is more secure because there are less exploits. While untrue mathematically, the reality is that you are still currently less likely to be exploited when running Mac OS X or Linux since script kiddies don't really care about you so much (for the same reason game developers don't, incidentally).

Same is true for biological systems - diversity is a good thing as it is less likely to be infected with a disease. Genetic diversity implies a more robust "operating system" species that's harder to destroy. Remember all the hell around the blaster worm. Imagine that MS, Apple, RedHat, Ubuntu... only had 10% marketshare each... it'd be bad, but not nearly as bad as it was.

If you're talking about a focussed professional attack on a specific system: to be honest, the OS you're running is probably pretty insignificant; the chances are there's a simple admin error somewhere along the line.

Re:ah yes...

[spykemail (983593)]

It's all about diversity! If everyone has the same exact program running under the same exact OS with the same exact security flaw one blackhat can ruin millions of people's day with one little hack. Nature knows how important diversity is, hell, economic systems are supposed to know it too. It's unfortunate that Microsoft continues to be allowed to operate as an illegal monopoly based in the United States.

Re:ah yes...

[Progman3K (515744)]

>>This isn't security through obscurity. Security through obscurity would be saying "I'm safe because I run Windows and it's closed source". This is the claim that uncommon software is more secure because there are less exploits. While untrue mathematically, the reality is that you are still currently less likely to be exploited when running Mac OS X or Linux since script kiddies don't really care about you so much (for the same reason game developers don't, incidentally).

I don't agree: I run Gentoo; since every app I run is compiled from source for the processor architecture I am running, some classes of exploits cannot target me because even if they knew which version of a given app I am running, they can't know precisely the layout of the binary because of the personalized compilation flags I use.

It doesn't rule out exploits, but it does make it a bit harder on them.
With Windows, most of the code you have running is the exact same binary for every x86 machine.

I guess that that is a situation where LINUX is making use of "security through obscurity" and Windows is incapable of doing the same.

Ironic, isn't it?

Re:

[a.d.trick (894813)]

Actually, it's more than just "security through obscurity". There are some nasty things that Microsoft products do that tend to get them into trouble (executing '.exe' files, ActiveX, etc) and makes their products more vulnerable.

Also "security through obscurity" is a valid practice, but it is not sufficient for good security. I don't tell strangers my computer's IP address (although, I'm pretty certain it would be useless to them and there are many ways to figure it out). The problem is when people are s

Re:

[maxwell demon (590494)]

I don't tell strangers my computer's IP address (although, I'm pretty certain it would be useless to them and there are many ways to figure it out).

Well, I'm quite open to everyone about my computer's IP address: it's 127.0.0.1 :-)

obscure, like published source code?

[twitter (104583)]

The old "security through obscurity" solution rears its head yet again..

Sounds like you bought the popularity lie [slashdot.org].

Re:obscure, like published source code?

[WilliamSChips (793741)]

I'd say that post wasn't very eloquent but it's true [linuxmafia.com]. If you're not smart enough to realize that modern Unices are more secure by design you haven't actually looked into things. They're not optimal(a capability system would be better) but they're better than that of any Microsoft solution. Nimda attacked Microsoft Windows servers. There is no equivalent to Nimda for Apache/Unix servers even though Apache/Unix servers are more common than Windows servers.

Re:ah yes...

[theshowmecanuck (703852)]

I don't think this is obfuscation. For the black hatters, it is more like the economics of mining precious metal. If you had several ore loads to choose from, and limited resources to mine them with, you choose the ore load with the richest deposits of gold. It doesn't mean the gold in either deposit is worth any less per ounce, it is just the economy of scale dictates that all other things being equal, you go where the most gold is. Why spend the time and effort to hack an OS that doesn't have 90% of the market share when there is such an OS?

I am sure that if enough people used Linux or OS X or brand X, and it became worth the effort, those OSs would be attacked for more. And Linux et al apps do have flaws that can be exposed (to say they don't would be very arrogant) and are routinely patched (how many megs per yum update if you wait a couple weeks?). And yes I know, in many cases the patching is faster, but the openings are still there, and more will be found if more black hatters start looking as much as they do with MS right now.

And by the way, obfuscation is a useful and valid tool when used with other security precautions. For example, a good firewall set up doesn't just block incoming connections to ports you want closed against port scanning, it will also drop the messages silently so that the sender doesn't have an indication that they actually reached something at that IP address. (TCP/IP allows the option to firewalls et al to tell the sender that the connection was refused. And some firewalls allow you the option to configure this.) A good firewall protects you by actively blocking packets and obscuring your computer. Much better than blocking and letting the sender know it was blocked. In that case the sender would have an IP address it knows for sure has something on the other end to work on. There are likely dozens of good uses of obfuscation (how about not letting others see your PIN when you use the bank machine? Even though you have the only valid card and are taking it with you, you still shouldn't show your PIN).

Re:ding!

[MillionthMonkey (240664)]

Does this mean the main stream is finally (slowly) catching on to the reality of choices? It would make my day if the world would wake up and realize that they have options when they sit down in front of a computer.

Users don't like having to make choices about the innards of their computer; they just want shit to work.

Re:

[MillionthMonkey (240664)]

If only I had realized this before Mr. Gates, I could be the multi-gazillionaire.

Actually, I think you still have some time!

Re:

[Divebus (860563)]

Then why isn't the world using a Mac?

They're slowly catching on but consumer's brains don't move as fast as the market. They still think Macs are stupendously expensive (they aren't) and they think Macs aren't "compatible" (whatever that means) and they think they'll be viewed as an alien outsider (which is happening less and less) and they think there's no software for the Mac (yeah, right!) and they don't think they can learn a Mac (it takes 10 minutes) and they don't think there's an alternative to the

Re:

[Babillon (928171)]

Most likely because people are cheap? Macs are prohibitively expensive in comparison to an equivilent PC (equivilent according to the enduser walking down the aisles of your local FutureShop).

Your average user doesn't know what they need a computer for, they just know they need it. So they'll just look at what the salesmen point them at, try to find something cheaper, and get it. They won't care whether or not it runs Windows or Mac (though if they think they're savvy they might swing towards one or the

Re:Alternative browsers = more secure?

[Frosty Piss (770223)]

We hear this suggestion all the time, but the reality is that the reason Firefox and Opera are "more secure" is that there are less people using them. Their market share isn't worthwhile to the commercial malware authors.

Is this really true? Anecdotal pronouncements like this never seem to come with any references. Everyone says the sky is firmly in place, but how many have looked up recently? It's falling at an amazing speed!

Think about it

[WindBourne (631190)]

The first part is simply google for crackers interviews and see what they say. They will always tell you that they go for what is easy. Why? Because a number of them are there to make money and time is money. If the systems were equally easy to attack, then yes, go after the most numerous. But when one has so many easy points, then you persue it rather than the ones that are difficult.

The 2'nd part is compare bank robberies to 7-11 robberies. Back in the 60's, banks were robbed. BWhy? because they were easy and had lots of money. But then in the 70',s the banks took actions and made it difficult. They still had the money, but it became very difficult to rob them. So the robbers turned to convinence stores who had say a thousand dollars (acceptable), and were easy. At first 7/11 ignored it, but then their ppl were being killed. So they made it very hard for robberies to get a thing. Now, banks and 711 are == difficult, so the robbers are back after banks. WHy? Because if you are going to risk it, then go for the big score. Interestingly, the banks now limit how much money is available to the tellers as well as every teller has a loaded stash.

So what does that mean for Windows vs. OSS. While Windows is easy to crack, everybody will hit it. If ever it becomes >= to *nix in terms of security, then *nix will be hit, because overall, there is much more money on the *nix systems. And if *nix and Windows become better than mainframes, then they will turn to there because there is REAL money.

Re:Think about it

[WilliamSChips (793741)]

In addition, in server space the numbers are much more even, and Apache/Unix servers outnumber Windows/IIS servers. Yet all the server malware is for Windows NT-based servers and not Apache/Unix based servers.

Heh

[Xenographic (557057)]

Don't you recognize his reasoning? It's not based on facts, it's based on the theory that both programs have bugs, therefore they must be just about as secure as the other.

Never mind the recent story that Firefox was vulnerable to a critical (one where "visit bad web page" == pwn3d), unpatched, published exploit for all of 9 days last year (IE was vulnerable for 9 months). This is called a "vulnerability window" and is an important part of any security assessment attempting to measure how secure bits of software are without having to rely on vendor claims. Obviously, that's too quantifiable for use with such a reasoning process. Then we have to reason about all the exploits that aren't public, as if people can silently exploit computers en masse with private exploits and no one will notice. Sure, if they're not interested in a botnet of random computers, they'll stick to targeting specific people and keep their exploits quiet, but that doesn't really impact the security of the population in general. It's also funny that people have this perception sometimes that they only visit "safe" sites. Even assuming they're not one of the porn viewing public, and that they never install smilies or screen savers (great way to get infected) or other such crap, that ignores that we've seen major advertising networks get compromised and serve up exploits. Not to mention the shady ad networks that do that deliberately...

Ironically, when it comes to open vs. closed source, it's usually argued that open source helps make the vulnerabilities more public, so that puts things even more in Firefox's favor. So to argue that IE is even as secure as Firefox requires you to use ridiculous metrics touted only by PR departments in media releases.

So yes, it's true--Firefox does have bugs. There were even 9 days last year when you could've been 0wn3d by an unpatched exploit (assuming you haven't learned to use the noscript extension). But there's no way to hide the sheer magnitude of the difference: 9 days vs. 9 months. Yeah, they can improve. Maybe they'll even manage to do things a lot better. And maybe you can find a few things to quibble with in that story. But the fact is that Microsoft has a terrible security record. Period. No one else is perfect, sure, but let's call a spade a spade here instead of being distracted by a dirty hoe [wikipedia.org] :]

Re:Alternative browsers = more secure?

[maggard (5579)]

... the reality is that the reason Firefox and Opera are "more secure" is that there are less people using them.

No, the reality is most non-MS products are more secure by design.

The fact is that years ago MS adopted an insecure architecture, at the time was roundly criticized for this, and has spent the years since being every malware's convenient bitch.

It's not "'cause that is where the money is", it's "'cause the front door is open".

Furthermore playing the numbers games is a fool's contest: MS doesn't publish their problems. Other folks have partial lists (we can assume MS knows of more) and every so often MS deigns to fix some of their problems and release patches, but that in no way is equivalent of maintaining a public bug tracker. Oh, and don't for a moment delude yourself MS's public documentation covers a tenth of their errata, not even MS pretends that.

So please, next time you post, let it not be burping up this old, well debunked, trope yet again. As sad has /. has gotten recently the standard still remains well above the old smaller-target argument.

Re:While on the surface.....

[fyngyrz (762201)]

Sure, everything is exploitable, but some things are a lot harder to exploit than others, and both linux and OSX are poster children for this. To imply that OSX is, or ever will be, as vulnerable to hacks as Windows is puts you well into the "disingenuous" category, I'm afraid.

Microsoft would love everyone to think that OSX is just as vulnerable as Windows is, but the fact is, it isn't. It's a lot better organized operating system code-wise, and patches come swiftly and surely from Apple whenever anyone finds anything. Which is quite a contrast to Microsoft's approach, even if they do have a harder time patching Windows.

Re:

[fyngyrz (762201)]

Quite a sweeping statement, what is your evidence for this? You've read every line of the source code?

As a matter of fact, I've probably spent more time looking at Windows source than most people outside of Microsoft. I'm the developer of a major Windows application, easily in the top 1% in terms of complexity and sophistication and 100% compatible through considerable effort across the various large scale Windows platforms, not just the ones you're probably familiar with, but also including all three

Re:

[Chandon Seldon (43083)]

This claim that security holes are strictly an effect of popularity is blatantly wrong.

It's true that more security holes are exposed in popular software, but some software just has less security holes to be exposed. Building secure unix-like operating systems is a topic that a lot of people have put quite a bit of effort in to - for much longer than Windows has even existed. Both GNU/Linux and Mac OS X can take full advantage of that work, since they're Unix-like systems. Windows cannot.

Re:Marketshare != Bette Target

[Vancorps (746090)]

Your example is flawed as Apache is more targeted and more successfully hacked specifically because it is far more popular even though it can be much more secure. Link for your reading [theregister.co.uk]

I know you want your opinion to be right but the logic and the math works. Accept it and move on.

Re:Marketshare != Bette Target

[I'm Don Giovanni (598558)]

According to secunia.com, IIS6 is way more secure than Apache2.x. Hell, IIS 6 has a near-perfect security record. 3 flaws since it was released in Jan 2003, all fixed, none of them major. While Apache 2.x has had over 30 flaws, some critical, some unpatched or only partially fixed, during the same time period.

So I'm not sure what your point was. I don't know which of Apache and IIS is targetted more often. And I don't know which would be a more lucrative target (Apache serves more hosts, but IIS might serve "wealthier" hosts regarding commerce). But Apache is no more secure than IIS, so if IIS is targeted more often, it's not because it's less secure, but for some other reason (like maybe anti-MS fanboy hackers target IIS to make a political point of some sort).