Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Microsoft Security

Worms Jack Up the Total Cost of Windows 658

rbrandis writes "Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday. "This is part of the carrying cost of using Windows," said Mark Nicolett, research director at Gartner. "The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology." "The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely," said Nicolett and his Gartner colleague, John Pescatore, in an alert posted on the Gartner site."
This discussion has been archived. No new comments can be posted.

Worms Jack Up the Total Cost of Windows

Comments Filter:
  • by Anonymous Coward on Thursday May 06, 2004 @01:38PM (#9075892)
    I'm switching back to the Commodore 64.
    • by GPLDAN ( 732269 ) on Thursday May 06, 2004 @01:58PM (#9076149)
      Stick uIP on your 64 and you too can join the fun! "I can DOS that machine in 4 packets!" "I can do it in 2!"

      http://www.dunkels.com/adam/contiki/links.html
    • by Cutting_Crew ( 708624 ) on Thursday May 06, 2004 @02:37PM (#9076551)
      no virus writer/hacker is going to spend all of its time to maybe interrupt 5% of the market share. in all fairness if the tables were turned and M$ had only 5% and linux had 90% of the users out there you can bet we'd be seeing virues/trojans/worms and hacks coming from all over the place, and we'd be talking about that instead of windows. think about if we really want linux to b/c the main O/S. in the end we are inviting more hackers to spend more time writing stuff for linux as well as windows. not so sure if that is good for the community..
      • by The Snowman ( 116231 ) * on Thursday May 06, 2004 @02:42PM (#9076616)

        in all fairness if the tables were turned and M$ had only 5% and linux had 90% of the users out there you can bet we'd be seeing virues/trojans/worms and hacks coming from all over the place, and we'd be talking about that instead of windows.

        And this would only infect people running Linux as root all the time who use email clients that execute scripts sent from complete strangers without telling them. Yes, people would write Linux viruses and worms (they already do), but the effect would be minimal at best.

        • Mmmm... that's not entirely true. Lately, a lot of virus writers have just been preying on the stupidity and gullibility of the average user. Hell, I got one of them zipped one day that practically had freakin' installation instructions... and people were STILL getting infected!

          However, for this to work on a Linbox, there are two requirements: 1) the user must save the binary and make it executable and 2) the user must then run it. Now, once that happens, there's really not much going to go differently on a Linbox than a Winbox. The thing can still bind to a high port and zombify the machine for spammers, which is what the majority of viruses do as of late. On a desktop, there's no reason to believe that granny Gretchen won't do just that once she learns how to whip out chmod +x on everything's ass. The nice thing, however, is that if you're running in a corporate environment, you can isolate users to their own filesystems to protect them from doing stupid things like this. Yea, maybe they'll trash their own data, but at least they'll be isolated from critical system information and the network (excepting zombification... but you would be smart and block all those ports, right... you don't have chewy on the inside network security... right?). Great for corporate networks, FAR better than the Windows situation (Yea, I know.. you can use Active Directory, but that's not a native part of Windows). However, for desktop users at home... well... they'd still shoot themselves in the foot.

          Worms, on the other hand, are another story. First, patching a Linbox is often a matter of grabbing a patch a day or two after the vuln is known and slapping it into the system. Since Linux is built on the Unix philosophy of tools in a toolbox, you don't have to worry that a patch for program x is going to change code that program's y and z also use (unless it's a library or something). Windows? Not the case. If you have to patch MSHTML, anything from IE to your damned titlebars can get fucked up as a result.

          On top of that, Linux systems are not (currently) very homogenous. Part of what makes Linux a tantalizing target for manual attacks is that it's just damned hard to write malicious code that will work on a widespread number of systems. Unfortunately, as the dust settles and some companies really do start to take up the mantle of "desktop linux", that heterogeny may just go away for desktop users...

          The point is this: Linux CAN be much, much, MUCH more secure than Windows. However, Linux also does the same thing Unix does: "Look, you can make me secure if you want, but you can also use me to blow your toes off one at a time... YOU choose.. I'm not going to decide for you." A lot of geeks forget that. Linux is not inherently secure (OpenBSD is inherently secure... and I don't think it's going mainstream desktop like that any time soon), and it WILL happily let you shoot yourself and your nearby friends if you so choose. Desktop users at home will do just that. It does do some things inherently better, but it still won't protect the world from people who don't bother to learn anything at all about their new toy. You can code against stupid people, but your system isn't going to do much when you're done.

          • by IceAgeComing ( 636874 ) on Thursday May 06, 2004 @03:32PM (#9077174)
            However, for this to work on a Linbox, there are two requirements: 1) the user must save the binary and make it executable and 2) the user must then run it. Now, once that happens, there's really not much going to go differently on a Linbox than a Winbox.

            By LinBox, do you mean Lindows or Linux? Lindows lets the user run as root by default, just like Windows, but Linux generally does not.

            So I didn't see the step where the running program gets root permissions, presuming you weren't talking about Lindows. Or are you saying that a user process can open ports without root-level permissions?

            Sincerely confused,

            --IceAgeComing

          • by liquidsin ( 398151 ) on Thursday May 06, 2004 @03:50PM (#9077368) Homepage
            to: you
            from: coed_hotties68@hotmail.com
            subject: superhotsexy screensaver

            Hi! My hot lesbian coed friends and I made this hot lesbian coed screensaver! To install it, just do the following in a shell:

            gzip -d /home/you/screensaver.tar.gz
            tar -xvf screensaver.tar
            cd screensaver
            ./configure
            make
            sudo make install (enter your root password)
            ./screensaver &

            hope you enjoy!

          • by stephanruby ( 542433 ) on Thursday May 06, 2004 @03:54PM (#9077424)
            Mmmm... that's not entirely true. Lately, a lot of virus writers have just been preying on the stupidity and gullibility of the average user. Hell, I got one of them zipped one day that practically had freakin' installation instructions... and people were STILL getting infected!

            It doesn't matter if only a very small minority of gullible users get infected. In the scheme of things, it doesn't cost the worldwide community that much. The cost becomes significant however when a significant percentage of the population gets infected.

            The problem with Microsoft is that it wants to remote control your box. It wants to know what you have installed and how you're using it. That's why Microsoft boxes are insecure, it's not because Microsoft isn't smart enough, it's because it's not in their interest to make your box too secure.

            • by MMaestro ( 585010 ) on Thursday May 06, 2004 @05:41PM (#9078341)
              It doesn't matter if only a very small minority of gullible users get infected. In the scheme of things, it doesn't cost the worldwide community that much.

              100 attacks each hitting 1000 computers does as much damage as 10 attacks each hitting 10,000 computers. True, small isolated incidents regarding virus attacks are insignificant in the grand scheme of things, but its not like Microsoft can leave it alone.

              For every kiddie script or virus variant out there, theres a hundred Joe Average users screaming at their computers. For every hundred screaming Joe Average users, theres 10 system admins having to go around and remove the virus, update their computers, and then give a lecture on how to prevent from something like this happening again (not that Joe Average will listen). For every 10 system admins running around needing to solve every virus problem, theres one programmer out there who has to come up with a program that bypasses the virus, seeks out the virus, and eliminates the virus. That and they have to figure out how it works, how it spreads, how can they get rid of it, if theres any clues as to who made it, etc.

              So like you said, yeah in the scheme of things one or two attacks doesn't cost the worldwide community much. Except for the fact that one or two of these types of incidents seem to happen everyday. Now if you'll excuse me, I have to download anti-virus protection for my parent's computer, install it, update it, run it regularly, then debate on whether its worth paying $200 for an official CD-key, scream at the fact that the computer slows to a halt due to new anti-piracy software methods, call up the company and complain, and then come back to Slashdot to post a 'Askslashdot' topic regarding the sheer amount of frustration of dealing with anti-virus programs as the 'system admin' of my house.

        • by homer_ca ( 144738 ) on Thursday May 06, 2004 @03:15PM (#9076999)
          You don't need root to run a mass mailing email worm. If you could convince a user to run a trojaned executable, regular user permissions will do just fine. It could even open a spam proxy backdoor without root. All you really need root for in network code is for raw sockets and to listen on low TCP ports (below 1024).

          Some email worms exploited an autoexecute from the preview pane bug in IE, but most of them were social engineering exercises in convincing the user to run the attachment. I think it's easy enough to launch an attachment in say Kmail or Evolution. The only challenge is delivering an executable that'll run on enough Linux machines (perl? bash? static binary?). The only reason we don't have a mass mailing Linux worm is because noone's tried it yet . It's not THAT hard.
        • by Anonymous Brave Guy ( 457657 ) on Thursday May 06, 2004 @05:13PM (#9078169)
          And this would only infect people running Linux as root all the time who use email clients that execute scripts sent from complete strangers without telling them.

          I don't know where to start discrediting your post.

          The "running as root" argument is garbage. Any privilege escalation vulnerability in Linux history (or any other history, for that matter) is an existence proof.

          The "without telling them" argument is garbage. The vast majority of viruses transmitted by e-mail are done so because the user did something dumb, not because of some long-fixed auto-execute vulnerability in a popular mail client. You wouldn't need root access to fall for something like that, by the way.

          You think a major Linux worm would have a minimal effect? Do you have any idea how many critical systems run on Linux these days? Hit Windows, hit the desktops. Hit Linux, hit the servers. Put your sysadmin hat on and tell me which is worse.

          Linux is not immune to security issues, and any claim that many eyes make for few bugs and thus OSS is fundamentally safer than Windows-based equivalents can be discredited with the slightest thought about reality rather than theory. Linux remains relatively safe because of the culture surrounding it, not because it's inherently flawless.

      • by Simon Carr ( 1788 ) <slashdot.org@simoncarr.com> on Thursday May 06, 2004 @02:47PM (#9076689) Homepage
        And they laid out some bad trouble. Virus writers DO do this, even if the marketshare is small. Remember Ramen? [sans.org]
        And of cours there's the Lion [symantec.com] worm, etc..

        It doesn't take a lot of computers to cause trouble, and no platform is wormsafe. Windows is prolific, of course, which doesn't help, but it's also got so many ways in. That's the real catalyst.

        Rule for ANY operating system; When the default install is weak, you'll see worms. The big catalyst for Ramen and Lion (I hate to say it) was in my observations default RedHat installs that had tonnes of services on by default.
        • by IANAAC ( 692242 ) on Thursday May 06, 2004 @03:27PM (#9077133)
          The big catalyst for Ramen and Lion (I hate to say it) was in my observations default RedHat installs that had tonnes of services on by default.

          But the newer or newest distributions generally have most things turned off by default now. And if you want to turn these services on, you are warned by the install program. It's a misconception that default installs are insecure now.

        • The difference (Score:5, Insightful)

          by fwarren ( 579763 ) on Thursday May 06, 2004 @04:24PM (#9077716) Homepage
          Ah but the difference is diversity.

          With Microsoft Windows you now get one family 2000-XP-2003 all which share the same security problems. So 94% of the compurters out there come with some really bad security settings and flaws. Some will patch, but by default most of those systems are insecure.

          If you don't like it, what do you do? Windows from Dell is as insecure out of the box as Windows from Compaq or Gateway, no choice, you can't buy a "safe" windows machine out of the box.

          On the other hand.......

          Default security in the Linux world is determined by the distribution. So if a distrubtion defaults to having a firewall, no insane file assocaitions for email and web browsing, limited services running, automatic security updates and practically forcing the user create and run a non root account. Then that distrubition will be pretty much virus free.

          What will happen is this

          Distribution A will have 12% share and gets infected 2% of the time

          Distibution B will have 14% share and get infected 2.5% of the time

          Distribution C will have 8% share and get infected 18% of the time.

          It won't take long for Distribution C to get a bad rep. Computer makers will no longer offer Distribution C, or will add "value" by fixing the defaults.

          To believe that Linux boxen will be as virus riden as Windows, you would have to belive that everyone will use Linux someday and that people will choose and stick with an insecure distribtuion.

          Unlike Windows or MacOS, if Linux ruled, there would be healthy compitition and consumers would have a choice of which OS they ran.
      • by swb ( 14022 ) on Thursday May 06, 2004 @04:02PM (#9077536)
        ...of problems with libc versions?
  • TCO (Score:5, Funny)

    by kajoob ( 62237 ) on Thursday May 06, 2004 @01:39PM (#9075908)
    The TCO for Windows for the vast majority of slashdotters however is still steady and holding at "free".

    I keed, I keed! ;-)
    • Re:TCO (Score:5, Insightful)

      by ILikeRed ( 141848 ) on Thursday May 06, 2004 @02:19PM (#9076388) Journal
      That leads back to the old joke - "It's only free if your time's worth nothing...."

      Talk about coming full circle....

      Actually, I think the TCO for most organizations to run Linux vs Windows is actually about equal. The difference being -
      What do you wish to invest your money in:

      + A quality, knowledgable IT staff who tailor solutions for your company and receive a decent salary and benefits in return
      or...
      + Bill Gates bank account
  • I can relate (Score:5, Informative)

    by Yi Ding ( 635572 ) <[yi] [at] [studentindebt.com]> on Thursday May 06, 2004 @01:40PM (#9075909)
    I work at a computer science department, and I'm currently compiling a CD of patches that people have to install before they get on the internet. Right now, the number of patches is nearing 30.
    • Re:I can relate (Score:5, Insightful)

      by Naffer ( 720686 ) on Thursday May 06, 2004 @01:44PM (#9075977) Journal
      Or you could make sure you activate your WinXP software firewall and get the patches directly from Windowsupdate. Putting an unpatched XP box on the internet without a firewall is almost as easy as finding and installing the viruses yourself.
    • Autopatcher (Score:5, Informative)

      by kajoob ( 62237 ) on Thursday May 06, 2004 @01:44PM (#9075979)
      Actually, Just install the latest service pack and then install Autopatcher [autopatcher.com]. It has all the updates, hotfixes, and some cool extras all rolled into one scripted install so you can just start the install and walk away. I've used it and I can say that it makes life a million times easier.

      There are versions for 9x all the way up to XP. You could fit everything onto one cd, and if you wanted you could even script that install. Thanks Autopatcher guys!

    • Re:I can relate (Score:3, Interesting)

      by dylan.ucd ( 612417 )
      So can I:

      Our lab is in a sad state because our windows server and its security patches: Patch the server, oracle breaks / don't patch the server, someone hacks it... so now while we scramble to find an alternative DB engine we have to apply/un-apply this patch when ever we want to do any work. thanks M$ for wasting our time.

      the end
      • Re:I can relate (Score:4, Insightful)

        by tofu2go ( 727555 ) on Thursday May 06, 2004 @01:53PM (#9076096)
        if you're using Oracle, it should be very easy to migrate Oracle to another platform, e.g. linux.

        it's much easier to change platforms than change databases i'd think. in most cases, to an application, the database IS the platform, more so than the operating system on which the database runs.
    • Re:I can relate (Score:3, Interesting)

      by aardwolf204 ( 630780 )

      I'm about to install SQL 2000 Server on a Windows Server 2003 machine. There is a vulnerability in SQL 2000 Server that allows the machine to be infected with the slammer worm [microsoft.com]. Unfortunatly I must install SQL and then each of the 3 service packs individually. I'm not safe from the worm until I get to the 3rd SP. My boss suggested that I simply disconnect the WAN connection but thats really not going to help me much when I'm trying to do this over the internet via Terminal Services (Its at a well known colo
  • Wow. (Score:5, Insightful)

    by Anonymous Coward on Thursday May 06, 2004 @01:41PM (#9075919)
    So insightful. Wow. Viruses raise TCO!!! What a revelation!!

    Ahem. This is -1, Redundant. No shit viruses/worms raise TCO. This is the case for ANY operating system, not just windows. Of course, the homogenous nature of Windows makes it a lot easier for worms to affect machines in a wide range. But we'd still need to take precautions with any system in use.

    • Re:Wow. (Score:5, Insightful)

      by Ytsejam-03 ( 720340 ) on Thursday May 06, 2004 @01:56PM (#9076131)
      Of course this isn't news to the /. crowd. What is news is that this information is coming from a Gartner researcher, which means that some of the pointy-haired management types out there might actually pay attention to it.
  • by Gr8Apes ( 679165 ) on Thursday May 06, 2004 @01:41PM (#9075921)
    This is news? This wasn't included in TCO estimates before? (Actually, that would be news, but not the kind I'd want blasted out to the world about me!). Seriously, how can "common maintenance" NOT be included in a TCO estimate? Isn't that the major ongoing part of TCO? Geez....
    • No, this is only factored in the TCO of a competing product.

      To run Linux in your company, you need a system administrator that knows Linux, someone that will cost you money.

      To run Windows, you don't need a tech savvy administrator, and he will be much, much cheaper. At least that is what they told you 2 years ago.

      Of course those who actually believed that are now paying the price.
      • by OwlWhacker ( 758974 ) on Thursday May 06, 2004 @02:32PM (#9076506) Journal
        To run Windows, you don't need a tech savvy administrator

        Darn right!

        and he will be much, much cheaper.

        Cheaper to hire, but he'll more than likely cost the company a packet in the long run, like so many Windows administrators that neglected to apply (let alone test) the latest Windows patches. When the network is down, a non-savvy administrator would more than likely have considerably more trouble getting it up again.

        Downtime costs money, but so many people don't seem interested in changing their ways to save it. One has to wonder if TCO is anything worth bothering about anyway, especially with the laid-back approach many companies take to securing their systems.

        An administrator like this will more than likely help your company remain vulnerable to all of the latest worms and virii, and probably has the server(s) running at a minimal rate of efficiency, not to mention that in a state of crisis such an administrator would probaby have to call somebody out to help them (which again costs money).

        Of course those who actually believed that are now paying the price.

        And are apparently 'happy' to continue on their reckless paths.

        Shocking behavior.
    • by jdreed1024 ( 443938 ) on Thursday May 06, 2004 @01:49PM (#9076050)
      This is news? This wasn't included in TCO estimates before?

      Yes, this is news. And it's good news. In case people missed it, this is from the Gartner group. This is the holy tome of PHBs. The way and the light. Gartner says jump, and the PHBs jump, you better believe it. And after years of saying the Windows is the way and the light, they're finally acknowledging that poor security costs money. It's recommendations like this, more than anything else, that will move companies from Windows to Linux.

      • by john82 ( 68332 ) on Thursday May 06, 2004 @02:03PM (#9076197)
        And after years of saying the Windows is the way and the light, they're finally acknowledging that poor security costs money. It's recommendations like this, more than anything else, that will move companies from Windows to Linux.

        Because we all know there's no such thing as viruses, worms, trojan horses, etc in the Linux world. Right?

        Poor security costs money. Period.

        So does flawed thinking. This is not a Windows-only issue. And if you think it is, you are as guilty of myopia as the PHBs you cite. Gartner said jump, and you jumped. You're just jumping in a different direction.
  • by buht ( 738798 ) on Thursday May 06, 2004 @01:41PM (#9075923)
    An when Linux gets exploited, the people fix it for free and very quickly. Then the next person to download this FREE system is a-ok.

    Thats just plain sexy.
    • An when Linux gets exploited, the people fix it for free and very quickly. Then the next person to download this FREE system is a-ok.

      What? No. If/when Linux hits the mainstream desktop, it will have the same problems.
    • As does Microsoft, the patches exist, and just like Linux, the time required to apply even a single patch to multiple PC's is not small.

      You are right that after a Linux hole is fixed, future Dlers are protected, that does little to help those already installed. Do you want to talk your mother through doing a kernel update rebuild, just to protect her from a new Linux hole? I prefer having mine go to windowsupdate.com, far easier IMO.
    • by GPLDAN ( 732269 ) on Thursday May 06, 2004 @01:51PM (#9076072)
      I wonder if Gartner or anyone else does any serious quantitative study of the true "value" of having a new distro via the net.

      If I go to download Fedora or Debian via ISO images, and burn them, I often have a maintained distrobution that is very young. Less than a month old.

      If I go and buy Windows XP via Amazon and have it delivered next day, I still have an OS image which is over a year old, even the new one that rolls up SP1.

      I don't have to make a CD up with 30+ patches on it, before it is safe to plug my machine on a network.

      If I worked at Redmond, and was thinking about this problem, I think what I may do is work an installation script that combines with the firewall - and keeps all inbound connections out until a "tunnel" is established to Windowsupdate, and all patches are applied before "releasing" the IP stack.

      Many of these systematic advantages come from the fact that Linux doesn't need a license key to install the OS. If Microsoft gave Windows away, there would be 0-day distros on their website as well.
  • by div_2n ( 525075 ) on Thursday May 06, 2004 @01:42PM (#9075939)
    I wonder if the cost of antivirus subscriptions has traditionally been included in the TCO studies out there comparing Windows and Linux. Somehow I bet not.

    • Antivirus software can also be compromised by viruses/worms. I will never again buy Norton products after having some kind of virus on my Win2K box that disabled Norton in the background, while making it appear that the antivirus software was working.

      This was a year ago. Maybe Norton has finally admitted that their product is vulnerable and has supplied fixes. At that time, there was no fix or admission of a problem.

  • by lpangelrob2 ( 721920 ) on Thursday May 06, 2004 @01:42PM (#9075946) Journal
    So here's what I'm thinking...

    At some point somebody (Windows apologist or not) is going to point to Longhorn as the solution to security problems. Is there hard data on whether or not worms have been increasing or decreasing (in frequency and effects) the past couple of years?

    We know what problems they've caused and how the media's gone nuts over each virus, making things seem bigger and bigger. But some old viruses were much nastier, and I sure don't hear about those types of infections anymore.

    • by budgenator ( 254554 ) on Thursday May 06, 2004 @04:16PM (#9077654) Journal
      My wild-hairy-assed guess is that the purpose of the virus-worm has changed significantly over the years. Originaly it was bragging rights about infecting individual machines, More recently it's about collecting 'bots for other purposes.

      Now somebody seems to be finding the vulerabilities, notifing MS and waiting for a preventative patch to be issued. About the same time as the patch is released, the vulerability is shown to a lackey script-kiddy along with some prototype exploit code. The lackey write the worm, by the time the worm is written, the clue-full have already installed the preventative patches, and the semi-clued are testing the patches.

      The Somebody in the back-ground doesn't want the clue-full to get infected, because they understand their systems, have forensic tools and will complain to and actively assist law-enforcement/intellegence agents. The semi-clued realy don't want to admit that they were caught with their pants down other than a few rants on /. They clean up their systems, and install the required protection soon the problem fades from the news; if law-enforcement/intellegence agents knok on their doors they can probably help some.

      The clue-less on the other hand are still vulnerable, and the somebody in the background comes in with a modified worm to capture their machine for his purposes, skimming credit-card numbers, relaying spam or something more sinister. While he's doing this the visable infection rate is decreasing and law-enforcement is looking for the lackey while the priority of the case decreases.
      Of course it's also posible I put my tin-foil hat on crooked this morning.
  • Not anymore... (Score:3, Informative)

    by ryanvm ( 247662 ) on Thursday May 06, 2004 @01:42PM (#9075949)
    Not anymore...
    http://www.internetnews.com/article.php/3317211 [internetnews.com]

    (It's a link to the story about Microsoft including antivirus software in Windows XP Service Pack 2.)
    • Re:Not anymore... (Score:5, Informative)

      by ptbarnett ( 159784 ) on Thursday May 06, 2004 @01:47PM (#9076014)
      (It's a link to the story about Microsoft including antivirus software in Windows XP Service Pack 2.)

      Read the article again. There's a footnote at the bottom:

      Corrects earlier version which incorrectly stated SP2 would include a built-in virus scanner. The offering actually includes a pop-up monitor that checks the settings of third-party anti-virus and firewall applications, and allows users to modify them if necessary.

  • Patching (Score:5, Insightful)

    by filtur ( 724994 ) on Thursday May 06, 2004 @01:43PM (#9075950) Homepage
    Most people rarely patch their computers until something happens. (Me being one of them) It's something that people really need to be aware of. Prevention is the key.
  • My Job (Score:5, Informative)

    by tverbeek ( 457094 ) on Thursday May 06, 2004 @01:43PM (#9075958) Homepage
    Lately about 1/3 of my job consists of dealing with Windows vulnerabilities. And there are four other full-time staffers here with the same job description. We're not especially well paid, but that sure adds up. And when you add in the downtime of the people whose computers we're fixing...
    • Re:My Job (Score:3, Insightful)

      by Luscious868 ( 679143 )
      Update your systems to Windows 2000 Professional or Windows XP Professional. Delpoy Software Update Services within your organization. When a patch is released, test it in a production environment, wait a week or so to see if there are wide spread problems with the patch reported. If all is clear deploy the patch via SUS. Problem solved. Very little work required on your part other than the testing. Very little downtime for your users, perhaps a reboot. Microsoft has made patching system very easy with SU
  • by Bill, Shooter of Bul ( 629286 ) on Thursday May 06, 2004 @01:45PM (#9075993) Journal
    Scientists confirmed today that water is indeed wet, Abraham Lincoin is dead, and the earth is round.
  • by b17bmbr ( 608864 ) on Thursday May 06, 2004 @01:46PM (#9076002)
    then the macs would be on many more corporate desktops. they are far esier to maintain and admin. but, businesses are pennywise and pound foolish. admin costs are not necessarily up front costs. so, bottom line bean counters can justify purchase from vendor A because of lower initial cost. also, don't count out the paper mill MCSE's that influence purchasing decisions.
  • TCO (Score:5, Insightful)

    by Wingchild ( 212447 ) <brian.kern@gmail.com> on Thursday May 06, 2004 @01:48PM (#9076028)
    heh. If you want to see the TCO for something increase dramatically, all you have to do is provide support for it over a long enough span of time that people feel comfortable in ceasing to learn.

    Perhaps one of the reasons that Linux has an inherently low TCO is because the users who have installed it, configured it, compiled it and made it run on their toaster have taken the time to read the docs. They're familiar with the hardware, the apps they run, the OS under the apps they run, and viola -- things run nicely.

    But in the Windows world? Everybody has a support line to call for absolutely everything. Almost every product offered has some form or another of support to it, to an extent that the people who are using these systems no longer have to use any mindshare whatsoever to get their stuff working. At your place of business a PC tech is waiting to coddle you. At your home you can call your ISP, call your PC vendor, call your OS manufacturer, call your application developer, call everybody in order to figure out what's wrong with the system. The suggestions they give you to fix it may seem arcane and strange, but if you follow them assiduously you have a 30 to 40% chance of getting things working... and if it doesn't work out, you can always call back 'til you get ahold of someone who really knows what's going on.

    Small wonder the TCO is so incredible. I can understand that worms have an impact on this number - hell, I've logged plenty of overtime hours securing machines against the latest potential threat (the Army is rather proactive in locking things down against explotation - with good reason). I've spent countless nights securing our systems against worms that use ports that are not open on our firewall. I've spent hours updating virus signatures and restoring systems lost because a user thought it was a fine idea to open up an encrypted zip file they received from someone they didn't know. I've spent many a fine weekend and holiday at work restoring people's email because they deleted without consideration for the fact that bringing it back takes serious time.

    My site would have far lower TCO if the users exercised a small, trifling fraction of their potential intelligence. Am I overestimating the abilities of the average human, here? :(

    sigh... *Lots* of things go into TCO. My overtime, paid to fix these kinds of problems, is a significant part of it at the site I work for. End of rant.
  • WOW! (Score:3, Funny)

    by pottymouth ( 61296 ) on Thursday May 06, 2004 @01:49PM (#9076048)
    What will these analysts discover next?

    I've been hearing rumors that MS products cost more than the open source alternatives too. But it's just a rumor...

    "Fate favors the bold"
  • by nordicfrost ( 118437 ) * on Thursday May 06, 2004 @01:50PM (#9076060)
    ...to not realize this. Look at the casualties:
    • #3 Finn bank Sämpo
    • German Post
    • The british coastguard
    • Korean postal
    • The CAT / MR scanners at a Danish hospital


    These are some of the large-scale operations that were affected by the worm, some of the frantic preparing for the worm strike. I have never, ever believed for a second that the TCO for Windows is lower than e.g. Linux of BSD, past the first month of switching. Even with higher sysadmin costs, the overall increase in productivity equals this and then some. Christ, potentially sick people had to reschedule their CAT / MR exams [www.ing.dk] because of a fucking Microsoft Worm (TM)?

    How much more are we willing to up up with? I made two switches, first from Windows to Linux and then from Linux to Mac. The only thing I regret is not switching earlier.

    Today, my employer lost 25 USD, since an article I wrote disappeared when Word crashed and I had to re-write it for one half hour. It seems the defaut Word behaviour in custom OEN installs that our IS get is to NOT autosave for recovery due to "performance issues"

    Lower TCO my ass.
  • by lorcha ( 464930 ) on Thursday May 06, 2004 @01:50PM (#9076065)
    First they say you shouldn't use Linux [slashdot.org]. Now, they don't want us using Windows 'cuz of worms. Tell me, gartner, what should I do? Oh, that's right, you don't ever do anything. You just make stupid recommendations.
  • by linuxtelephony ( 141049 ) on Thursday May 06, 2004 @01:51PM (#9076076) Homepage
    Sounds like they are trying to make yet more arguments against disclosure of problems. Either that, or an indirect comment on why proprietary systems could be better, if disclosure of problems were not allowed.

    "The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely,"...

    We all knew these attacks were likely. Did their timing have something to do with the disclosure? Possibly. Would they have happened without the disclosure? Yes, I think they would have.

    The root of the problem, in this case, lies squarely with Microsoft, and the various design decisions they made implementing their OS and other products.
  • In related news... (Score:5, Insightful)

    by SoTuA ( 683507 ) on Thursday May 06, 2004 @01:52PM (#9076081)
    ...fixing things costs time.

    Seriously, though, it's good that stuff like that surfaces on PHB-radar range. Maybe somebody will ask things like "So why should *I* be taking all these measures because *your* software is buggy?" the next time the M$ rep comes in, hawking the latest and greatest from Redmond.

  • by foidulus ( 743482 ) on Thursday May 06, 2004 @01:53PM (#9076100)
    There are also a lot of secondary costs to windows worms as well. Increased network traffic affects those that do not even use windows(or those who are careful). Also, if a windows worm brings down a banking system, there is a cost again to innocent people who may not even use windows. Or for instance, if a supplier for a business goes down, then the buisness itself is adversely affected.
    Windows worms(and malware in general) do not just adversely affect windows users, they have the potential to harm society in general(though I don't agree with the figures that some of these anti-virus people put out, they are just looking for sensationalism to sell their products)

    Windows worms are everyone's problem, do your part to stop them!
  • by bigbigbison ( 104532 ) on Thursday May 06, 2004 @01:55PM (#9076118) Homepage
    Its interestig that they say it is the worms that cause extra work rather than the security holes. After all, if the security holes weren't there then the worms wouldn't work.
  • I have seen (Score:5, Interesting)

    by IWantMoreSpamPlease ( 571972 ) on Thursday May 06, 2004 @02:02PM (#9076187) Homepage Journal
    Differing discussions on if patches really do break Windows.

    In my case, working with 10,000+/- clients, I have seen this on repeated occasions.

    Various MS patches would break the following:

    Novell client on 2k/XP (but not 98/95)
    Some third party business-specific applications (stat software, database, etc.)
    Video drivers (easily fixed, but still)
    In one case, recently, it BSOD'd several NT boxes (the IE 6 security rollups)

    Irritating to be sure, so on one hand, you need to patch immediately (or risk the wrath of a new worm/virus)

    On the other hand, patching immediately can lead to loss of productivity

    On the third hand (you do have three hands don't you?) you can't wait for an AV package to have the proper updates, as (to my viewpoint anyway) AV products should be the last line of defense, not the 1st.

    On the fourth hand, training is key to clients, but as the saying goes, you can lead a luser to enlightenment, but you can't make them think.

    I keep waiting for *seriously* damaging viruses to show up in the wake of the leaked (partial) source code to Windows 2000. That may be the last straw to many a business.

  • Not Just Windows (Score:5, Insightful)

    by 4of12 ( 97621 ) on Thursday May 06, 2004 @02:02PM (#9076188) Homepage Journal

    Of course it is true that owning and operating a Windows computer costs more because of the need to keep current with patches, to test them and to apply them in a timely manner. Every sysadmin knows this even if their cost-conscious boss doesn't see this big picture.

    But, to be fair [and I'm no MS apologist - they need to be taken to task all over the place for lots of reasons], even if you run a MacOS X, Linux or even an OpenBSD system, there are implicit costs associated with maintaining those systems, too.

    Since the software cost for FOSS is zero, the single most important cost is this installation and maintenance. As such, it ought to be quantified.

    The advantage of doing this is that these kinds of costs are no longer swept under the rug and people can start asking more detailed questions about Windows maintenance costs in terms of sysadmin time- not just estimated costs of downtime on the business.

    Then maybe, too, people will start to ask questions about what kinds of implicit future costs they incurred via early decisions to use some vendor's application that locks their valuable business data inside a proprietary format.

  • by gosand ( 234100 ) on Thursday May 06, 2004 @02:04PM (#9076208)
    Doesn't the O in TCO stand for Ownership? What exactly do you own with Microsoft products? Aren't you really just Licensing them?
  • by Unnngh! ( 731758 ) on Thursday May 06, 2004 @02:15PM (#9076331)
    "...enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology."

    I see one bad thing and two good things here...anyone else with me? I mean, shouldn't we work our best to keep our environments 1) current and 2) as secure as we can afford to?

    The patches and the closed-sourcedness are, however, a PITA.

    As far as TCO goes, I see the same people just working more salaried hours to fix issues arising from bugs, etc. And they haven't had to have the admittedly more extensive training behind running a *nix environment.

  • Of course... (Score:4, Insightful)

    by The Spoonman ( 634311 ) on Thursday May 06, 2004 @02:18PM (#9076377) Homepage
    You could just install an SUS server, point all your clients at it and enable auto-update. Test the patches, put on SUS, play golf.

    It's things like this that make me wonder if the "TCO of Windows" is more likely the "TCO of having highly unqualified people working in your IT department who know how to spell XP, but nothing more than that". If you have idiots running your network, you're paying to throw money out the window (no pun intended).
  • I'll say it again (Score:5, Interesting)

    by Anonymous Coward on Thursday May 06, 2004 @02:19PM (#9076383)
    Microsoft has priced themselves out of the market.

    And it isn't the initial purchase cost. They could give away Windows and it would still be too expensive. Dealing with the virus du jour and the patch du jour is just too much anymore. Add to this (from recent Slashdot stories) large companies' estimates that half of all their Internet traffic was to/from Windows Update and the cost of maintaining Windows goes even higher.

    Well, I quit. I am just done with patching Windows. All Windows machines are hidden behind a firewall (Linux based and I do patch it religiously; gee, there's been one critical patch in 1 1/2 years!), we don't use IE or Outlook and I only patch Windows when there are functionality problems.

    Now, I know I'm gonna get a lot of flack from everyone here about "firewalls not being the final solution", "you gotta patch every day" yada, yada, yada. But the combination of a firewall, not using IE or Outlook and scanning ANY computer from outside before it is allowed on our LAN works for us. We weathered SQL Slammer, Blaster, Netsky, Bagel, Sasser, etc, etc with not one hiccup in our daily operation.

    The key here is not to trust Windows on the Internet. No, one step further: don't trust any Microsoft software on the Internet! Don't use it for e-mail, don't use it to browse the Web and never, ever hook up a Windows machine unprotected to the 'net!
  • by Animats ( 122034 ) on Thursday May 06, 2004 @02:24PM (#9076428) Homepage
    The "National Cyber Security Partnership" has issued a new report on computer security [cyberpartnership.org]. It focuses on how vendors can avoid responsibility for the defects in their products. The report suggests that the government weaken the Common Criteria for evaluating software security to conform to "commercial reality". The report suggests that the Government, at taxpayer expense, develop "code scanning" tools usable on existing software, thus deferring any action by vendors. There's no suggestion that vendors be held responsible for security flaws, or that any major changes, either technical or in business models. are required by vendors.

    Virus authors have nothing to worry about from this security group.

    Some excerpts:

    • While strong out-of-the-box security configurations are preferred, it is recognized that updating existing products to comply with this requirement can be costly, time-consuming and can result in various incompatibilities with current and supported versions of the product. As a result, it may not be possible for a vendor to transition a product to a more secure out-of-the-box state for several years, depending on product release cycles. ...

      In conjunction with the above recommendations, the requirement for medium or higher assurance evaluations (Evaluation Assurance Level 4+ [EAL4+]) for commercial products should be dropped, since the stated reason for higher assurance evaluations by the proponents is the ability to do vulnerability analysis. Higher assurance evaluations for commercial software impose a cost burden that even the largest IT vendors cannot bear or should not bear; they do not substantially improve product security, but may result in vendors paying multiple times for the same evaluation in different markets. Furthermore, finding faults in software that has already shipped is far more expensive and less effective than giving vendors the tools to be used during the development process. ...

      In order to promote the evaluation of more products, the U.S. Government should help offset the expenses of CC evaluation through research and development tax credits or paying part of the evaluation costs.

    Whose side are these guys on?
  • by Jtheletter ( 686279 ) on Thursday May 06, 2004 @02:24PM (#9076439)
    "The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely,"

    Predicting that multiple recently announced security flaws in windows will be exploited is like predicting the sun won't explode tomorrow.

  • Mastercard (Score:5, Funny)

    by Ennslaver ( 63375 ) on Thursday May 06, 2004 @02:30PM (#9076491) Homepage
    Windows XP Pro for 200 systems: $30,000

    Anti-Virus Software for Windows XP corporate: $7000

    The billing rate for 10 contractors to come out and clean your systems: 700$/hour

    Seeing the face of your CEO when you tell him linux is free: Priceless

    There are some things money is wasted on, for everything else there is linux.
  • by Phrite ( 728691 ) on Thursday May 06, 2004 @02:44PM (#9076640) Homepage
    I've endlessly heard the argument that if Linux were the standard OS, there would be just as many worms as there are for Windows. I have no idea why anyone could believe that. When you install a Windows machine, you can pretty much guarantee that ports 135/139 will be running, there are numerous services listening (ex. LSASS.EXE), and on a wide scale, there are thousands of machines with those open. But when you install a Linux/BSD system.. what ports are open? What services are running? Exactly. You don't know. There are soo many different variations durng install, and so many different versions and programs depending on the Distribution. You could not write a "Linux worm". All the worms in existance would target specific applications, such as Apache or WU-FTPD, not the operating system. Sure there could possibly be a kernel exploit, but there are so many different kernel versions. You would not hear headlines such as "Windows virus takes down UK Coast Guard". At most, you would hear "Apache exploit takes down a UK Coast Guard server".
  • an old saw (Score:5, Funny)

    by Bodhidharma ( 22913 ) <jimliedeka@gmai l . c om> on Thursday May 06, 2004 @03:17PM (#9077022)
    There are lies, damned lies and TCO numbers.
  • by Tim Ward ( 514198 ) on Thursday May 06, 2004 @04:25PM (#9077727) Homepage
    Dealing with burglars puts up the cost of Windows. I need to spend extra on secure frames, locks, sacrificial edgings, insurance policies ...

    I know! I'll just stop using Windows, and brick up the holes! That'll make my life better won't it!

Trap full -- please empty.

Working...