NYT Security Tip - Choose Non-Microsoft Products

Giorgio Maone writes "The New York Times article 'Tips for Protecting the Home Computer' follows a story we recently discussed about the proliferation of botnets, and contains some statements which may sound quite unusual from mainstream press, especially if targeted to home users: 'Using a non-Windows-based PC may be one defense against these programs, known as malware ... Alternative browsers, like Firefox and Opera, may insulate users ... NoScript, a plug-in utility, can limit the ability of remote programs to run potentially damaging programs on your PC'."

So Markoff Doesn't Care for Microsoft

[eldavojohn (898314)]

... some statements which may sound quite unusual from mainstream press, especially if targeted to home users: 'Using a non-Windows-based PC may be one defense against these programs, known as malware ...

I don't find it that unusual. I mean, I recall a bunch of articles in other newspapers talking about and recommending Firefox. I've also read many magazines & seen television news on the lack of viruses on an Apple.

I must admit that initially I was a bit humored by the idea that a New York Times author had a right to caution me about computer usage. But when I looked up his credentials [wikipedia.org], he seems to be a qualified and experienced tech writer who probably has good advice for the general public. Granted, his last recommendation: "Don't click if someone offers you something too good to be true. It is." worries me that people may be wary of certain open source projects but in the end, I'd agree that I'd tell my sister and friends just not to install anything and to ask me for specific links to programs that solve problems or fill needs.

In the end, it's a very short article and doesn't provide a very comprehensive picture of security for a home user. You may think its news that Mr. Markoff decided to push people away from Microsoft but he's only telling you the facts about the numbers. You won't have as many problems with Linux but there's no way your daughter's iPod will work with iTunes Music Store on your computer anymore. If he wanted to make this a notable article, he should have delved into trade offs and better coverage of issues.

So Markoff doesn't like the benefits of running Microsoft software. So what?

Re:So Markoff Doesn't Care for Microsoft

[DJ Rubbie (621940)]

In the end, it's a very short article and doesn't provide a very comprehensive picture of security for a home user. You may think its news that Mr. Markoff decided to push people away from Microsoft but he's only telling you the facts about the numbers. You won't have as many problems with Linux but there's no way your daughter's iPod will work with iTunes Music Store on your computer anymore. If he wanted to make this a notable article, he should have delved into trade offs and better coverage of issues.

While we all want people to run Free Software (at least a Free OS) all the time, it's just not practical right now. His advice could mean, use a Mac, which is what I have been recommending to people I've fixed computers for, despite the fact that Linux/BSD/GNU may be better for the long run. iTunes works with Mac, so does quite some other programs (not talking about DirectX games). The common sentimental for people who switched from Windows XP to OS X is usually, why did I used that crap before? Especially when they went to a Windows based computer for whatever reason. I recently got my mother set up on a computer (who never used one before) and I installed Linux, and she thought it was easy enough to use. For a non-power user who just casually browse the web, email, maybe Skype for VoIP, Linux is good enough. For people who are used to proprietary software and not wanting to change, OS X might be a better choice.

Re:So Markoff Doesn't Care for Microsoft

[fyngyrz (762201)]

Let me put it to you this way: I sell Windows software for a living. Not Mac-ware. Not yet. . Still, I recommend to everyone I know that they get a Mac. I can't, in good conscience, recommend Windows. Malware, yes, that's certainly a huge problem. DRM issues in Vista are another (such as degrading audio if unsigned.) Ridiculous license terms are another (no virtualization for home? Change your hardware, lose your authorization? ridiculous!) Constant reboots and restarts are another. Incorrect configuration out of the box is another - not just privileges, but what is running and what is not, what is turned on and what is not. As near as I can tell, the key Microsoft OS policy is "Wreck the user's day. Every day."

Re:So Markoff Doesn't Care for Microsoft

[by Anonymous Coward]

I am not totally convinced that automated silent virus/malware installation is a "benefit".

How about the benefit of being able to waltz into your local store (WalMart, Best Buy, whatever), pick up software or a peripheral device and see that it is supported and can run on your home machine?

For some people that's the only benefit they care about.

Noscript is one of the best reasons to run Firefox

[Beryllium Sphere(tm) (193358)]

The only usable way to control Javascript is site by site, and turning it off by default slashes a whole army of exploits out of your life. Every browser should have this functionality built in.

Re:Noscript is one of the best reasons to run Fire

[Nasarius (593729)]

NoScript is nice, but it could use a large default whitelist, something like the AdBlock Plus subscription options. It gets pretty tedious to allow every site manually, especially when some only break in subtle ways.

Re:Noscript is one of the best reasons to run Fire

[Bob54321 (911744)]

I use NoScript but my wife found it very annoying that all the sites she wanted to visit would not work without having to allow them first. I don't think recommending it to the average home PC user is very helpful because they will just think that it broke Firefox.

Re:Noscript is one of the best reasons to run Fire

[El Cubano (631386)]

The only usable way to control Javascript is site by site, and turning it off by default slashes a whole army of exploits out of your life. Every browser should have this functionality built in.

Amen to that. I use noscript and I have lost count of how many sites fail completely or outright refuse to load if JS is disabled. The number of sites which degrade gracefully is sadly quite small. If every browser had this, maybe web developers would finally get it through their thick skulls that JavaScript is best utilized to enhance the user's experience. Obviously, there are some exceptions, like AJAX applications and the like. It bugs me so much that I have never developed a site that did not degrade gracefully in the absence of JS. In fact, the only way the user would notice something was different was if they had first seen the site with JS and then later without or vice versa. Some of the worst offenders are the "major" tech companies. Try logging into Yahoo webmail with JS turned off to see what I mean.

NYT is out of touch.

[twitter (104583)]

Not use Microsoft? That's unpossible! They must be Mac or Linux users and are completely out of touch because they don't have the problems in the first place.

Seriously, it's good to see the message getting out. Another widely read, "mainstream" source, the BBC, has said the same thing already, like this [slashdot.org]. Of course, everyone without a vested interest in M$'s welfare has been saying enjoying the same for years. Sooner or later, despite billions of advertising dollars and bullshit studies, people are going to get it and real OS choice will happen. Seeing this in the NYT makes me think this is sooner than later.

Nothing's more Fragnmented than M$ GUI.

[twitter (104583)]

I think your argument of "It's so simple a 5 year old can do it" is flawed for one big reason: The five year old isn't used to using IE.

You must have missed this article [informationweek.com]

, complete with screen shots about how inconsistent the M$ GUI has become. Just look at this screenshot [cmpnet.com]. I thought the differences between KDE, Gnome and other toolkits was bad but that's way off, M$ has no excuse for the fundamental differences seen in their own tools. Why would you ever throw a new user into that mess? The worst part is how frequently they change the interface, No one else does it more.

I'll conclude with

with Microsoft applications, there's a feeling that, by and large, the only UI guidelines that Windows applications adhere to is "what we feel like." (I know Microsoft has a lot of UI guideline information, but since no one seems to follow any of it, I'm not sure what the point of it is.)

Using a non-Windows-based PC may be one defense...

[fyngyrz (762201)]

May be? MAY be? MAY BE?

<SARCASM>Sure, I have to worry about my Mac getting co-opted into a botnet 24/7, because we all know how many active threats there are to Macs! </SARCASM>

Man, talk about "understating the case."

The honest way to put it is that running Windows is the #1 way to get yourself into trouble. Adware, outright co-opting of your resources, virus problems... Windows boxes are insecure and risky, more so than any other machine, right out of the packaging.

You want security and simplicity of use? Mac isn't just "an" answer, it is the *only* answer. You want security and not too worried about simplicity? Linux or a Mac. You willing to re-work of all Microsoft's incorrect settings, patch all the browser vulnerabilities, play the target role in the hacker version of whack-a-mole, reboot your PC every few days because MS has discovered another severe vulnerability in their spaghetti code? Buy a Windows PC. Endless entertainment for puzzle solvers who don't care about their data security or computer availability. Been there, done that, found the solution, not going back.

Microsoft Astroturf

[PavementPizza (907876)]

There's only been 9 comments on this story at the time of this writing, and yet the following tags are already up: "flamebait, nytfud, troll". These guys work fast, don't they? What's flamebait, trolling, or FUD about this article? Avoiding Microsoft products is a perfectly prudent move, if you can. Is it untrue to say that Mac and Linux users are safer on the internet than Windows users, or that Opera or Firefox users are safer on the internet than Internet Explorer users? Far from it. It's demonstrable fact.

You people just don't understand the paradigm

[straponego (521991)]

Microsoft wants to empower its users, and everyone else, for that matter. Don't you see how convenient it is that MS products execute treat every piece of data they ever come into contact with, no matter where it's from or whether it's a video, sound file, Office document, image-- whatever!-- as an executable? It's just like how you pick up every piece of garbage you see and put it in your mouth because it might be food. That's the taste of Freedom!

Ultimate Firefox Add-Ons for Privacy/Security

[Dark Coder (66759)]

As someone who actually AM worried about impending javascript exploits carrying trojans, I have within my Firefox the following Add-Ons (which comes pretty close to perfect security), but still requires a modicum of user awareness during web surfing.... The following Add-Ons are good for Windows, Linux and supposedly MAC OSX.

1. CookieSafe [mozilla.org]
2. Adblock Plus [mozilla.org]
3. Flashblock [mozilla.org]
4. httpOnly [mozilla.org]
5. SafeHistory [mozilla.org]
6. SafeCache [mozilla.org]
7. IDND [mozilla.org]
8. Link Alert [mozilla.org]
9. BlockSite [mozilla.org]
10. Master Password Timeout [mozilla.org]
11. no-referrer [mozilla.org]0
12. NoScript [mozilla.org]

Other useful support Add-Ons are:

1. SwitchProxy Tool [mozilla.org]
2. User Agent Switcher [mozilla.org]
3. Adblock Filterset.G Updater [mozilla.org]

For Linux users, I also have this useful add-on:

1. MediaPlayerConnectivity [mozilla.org]

Re:ah yes...

[Aurisor (932566)]

Funny, where I come from, we call that the "don't use insecure products" solution.

Re:ah yes...

[MoxFulder (159829)]

The product is only as secure as its users. If the mainstream Windows userbase switched to Linux, they'd take their bad habits (neglecting security hole patches, installing supposedly-required software to view web pages, logging in as root by default, etc.) with them. Linux would be the new hot target for malware. The same goes for OSX or any other operating system. Sure, there would be fewer holes, assuming that people made sure to apply the appropriate security patches, but we're assuming again that they wouldn't take their bad habits with them again, aren't we?

I disagree completely.

Windows makes it easy to practice these bad habits... default Administrator login, programs that don't work correctly when run without Admin access, ActiveX, etc. Contrast this with, say, Ubuntu... an excellent Linux distro even for newbies: by default the root account is disabled, when you want to do something system-alterating (e.g. temporarily gain root access), you have to put in your PASSWORD, not just click "Okay". The whole thing is so well-integrated that these password prompts aren't annoying or confusing. The system in general tries to explain to you what you're doing when it's something unusual.

Furthermore, most Linux distros are based on a central software repository which is supported, or at least approved, by the distro's developers. When you install open-source software from this repository, you can have confidence that you're not going to get spyware... and if you're running the stable distribution you can be pretty sure that you're installing software that has been thoroughly debugged as well--as opposed to some IE toolbar crap rushed out the door after a week's dev time.

I also think that Firefox 2.0 is far superior to IE 6 (haven't used 7 yet) in terms of alerting the user to potentially dangerous actions. When you install extensions, Firefox adds a 5-second time delay before you can click on "OK" to force you to actually read those stupid pop-up boxes. It detects suspicious obfuscated URLs, won't run downloaded executables without additional intervention, and checks HTTPS sites that improperly mix secure and non-secure content.

So I *do* think that PC security would improve substantially if the Windows userbase switched en masse to Linux. Granted, there'd be some of the problems with people doing stupid things and not reading warnings, but I don't think it'd just be same-old-same-old...

Re:ah yes...

[Da_Weasel (458921)]

I'm a firm believer in the theory that regular users need System Administrators. Maybe home users do too. If I could come up with a business model for a company that provided System Administrator services to home computer users i'd be rich!

Re:ah yes...

[someone300 (891284)]

This isn't security through obscurity. Security through obscurity would be saying "I'm safe because I run Windows and it's closed source". This is the claim that uncommon software is more secure because there are less exploits. While untrue mathematically, the reality is that you are still currently less likely to be exploited when running Mac OS X or Linux since script kiddies don't really care about you so much (for the same reason game developers don't, incidentally).

Same is true for biological systems - diversity is a good thing as it is less likely to be infected with a disease. Genetic diversity implies a more robust "operating system" species that's harder to destroy. Remember all the hell around the blaster worm. Imagine that MS, Apple, RedHat, Ubuntu... only had 10% marketshare each... it'd be bad, but not nearly as bad as it was.

If you're talking about a focussed professional attack on a specific system: to be honest, the OS you're running is probably pretty insignificant; the chances are there's a simple admin error somewhere along the line.

Re:ah yes...

[spykemail (983593)]

It's all about diversity! If everyone has the same exact program running under the same exact OS with the same exact security flaw one blackhat can ruin millions of people's day with one little hack. Nature knows how important diversity is, hell, economic systems are supposed to know it too. It's unfortunate that Microsoft continues to be allowed to operate as an illegal monopoly based in the United States.

Re:ding!

[MillionthMonkey (240664)]

Does this mean the main stream is finally (slowly) catching on to the reality of choices? It would make my day if the world would wake up and realize that they have options when they sit down in front of a computer.

Users don't like having to make choices about the innards of their computer; they just want shit to work.

Re:Alternative browsers = more secure?

[Frosty Piss (770223)]

We hear this suggestion all the time, but the reality is that the reason Firefox and Opera are "more secure" is that there are less people using them. Their market share isn't worthwhile to the commercial malware authors.

Is this really true? Anecdotal pronouncements like this never seem to come with any references. Everyone says the sky is firmly in place, but how many have looked up recently? It's falling at an amazing speed!

Think about it

[WindBourne (631190)]

The first part is simply google for crackers interviews and see what they say. They will always tell you that they go for what is easy. Why? Because a number of them are there to make money and time is money. If the systems were equally easy to attack, then yes, go after the most numerous. But when one has so many easy points, then you persue it rather than the ones that are difficult.

The 2'nd part is compare bank robberies to 7-11 robberies. Back in the 60's, banks were robbed. BWhy? because they were easy and had lots of money. But then in the 70',s the banks took actions and made it difficult. They still had the money, but it became very difficult to rob them. So the robbers turned to convinence stores who had say a thousand dollars (acceptable), and were easy. At first 7/11 ignored it, but then their ppl were being killed. So they made it very hard for robberies to get a thing. Now, banks and 711 are == difficult, so the robbers are back after banks. WHy? Because if you are going to risk it, then go for the big score. Interestingly, the banks now limit how much money is available to the tellers as well as every teller has a loaded stash.

So what does that mean for Windows vs. OSS. While Windows is easy to crack, everybody will hit it. If ever it becomes >= to *nix in terms of security, then *nix will be hit, because overall, there is much more money on the *nix systems. And if *nix and Windows become better than mainframes, then they will turn to there because there is REAL money.

Re:Think about it

[WilliamSChips (793741)]

In addition, in server space the numbers are much more even, and Apache/Unix servers outnumber Windows/IIS servers. Yet all the server malware is for Windows NT-based servers and not Apache/Unix based servers.

Heh

[Xenographic (557057)]

Don't you recognize his reasoning? It's not based on facts, it's based on the theory that both programs have bugs, therefore they must be just about as secure as the other.

Never mind the recent story that Firefox was vulnerable to a critical (one where "visit bad web page" == pwn3d), unpatched, published exploit for all of 9 days last year (IE was vulnerable for 9 months). This is called a "vulnerability window" and is an important part of any security assessment attempting to measure how secure bits of software are without having to rely on vendor claims. Obviously, that's too quantifiable for use with such a reasoning process. Then we have to reason about all the exploits that aren't public, as if people can silently exploit computers en masse with private exploits and no one will notice. Sure, if they're not interested in a botnet of random computers, they'll stick to targeting specific people and keep their exploits quiet, but that doesn't really impact the security of the population in general. It's also funny that people have this perception sometimes that they only visit "safe" sites. Even assuming they're not one of the porn viewing public, and that they never install smilies or screen savers (great way to get infected) or other such crap, that ignores that we've seen major advertising networks get compromised and serve up exploits. Not to mention the shady ad networks that do that deliberately...

Ironically, when it comes to open vs. closed source, it's usually argued that open source helps make the vulnerabilities more public, so that puts things even more in Firefox's favor. So to argue that IE is even as secure as Firefox requires you to use ridiculous metrics touted only by PR departments in media releases.

So yes, it's true--Firefox does have bugs. There were even 9 days last year when you could've been 0wn3d by an unpatched exploit (assuming you haven't learned to use the noscript extension). But there's no way to hide the sheer magnitude of the difference: 9 days vs. 9 months. Yeah, they can improve. Maybe they'll even manage to do things a lot better. And maybe you can find a few things to quibble with in that story. But the fact is that Microsoft has a terrible security record. Period. No one else is perfect, sure, but let's call a spade a spade here instead of being distracted by a dirty hoe [wikipedia.org] :]

Re:While on the surface.....

[fyngyrz (762201)]

Sure, everything is exploitable, but some things are a lot harder to exploit than others, and both linux and OSX are poster children for this. To imply that OSX is, or ever will be, as vulnerable to hacks as Windows is puts you well into the "disingenuous" category, I'm afraid.

Microsoft would love everyone to think that OSX is just as vulnerable as Windows is, but the fact is, it isn't. It's a lot better organized operating system code-wise, and patches come swiftly and surely from Apple whenever anyone finds anything. Which is quite a contrast to Microsoft's approach, even if they do have a harder time patching Windows.