The Hidden Cost of Using Microsoft Software
Glyn Moody writes "Detractors of free software like to point out it's not really 'free,' and claim that its Total Cost of Ownership is often comparable with closed-source solutions if you take everything into account. And yet, despite their enthusiasm for including all the costs, they never include a very real extra that users of Microsoft's products frequently have to pay: the cost of cleaning up malware infections. For example, the UK city of Manchester has just paid out nearly $2.5 million to clean up the Conficker worm, most of which was 'a £1.2m [$2 million] bill in the IT department, including £600,000 [$1 million] getting "consultancy support" to fix the problems, which included drafting in experts from Microsoft.' To make the comparisons fair, isn't it about time these often massive costs were included in TCO calculations?"
Hear hear! (Score:5, Informative)
Re:You cannot use viruses/bugs as an example of co (Score:5, Informative)
You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.
Re:they must have stupid IT people (Score:2, Informative)
Really? You are allowing an infected machine to remain on the network with only a free firewall protecting the rest of your corporate network? Pulling a stunt like that would probably get me fired. It's not a matter of how technically sound the solution seems to be - it's a very high ongoing risk factor to the stability of the rest of the network.
As if the idea wasn't intrinsically bad enough, he said that he puts the free firewall on that box itself! What's to prevent the malware from simply deactivating or circumventing the firewall? Malware has proven itself able to deactivate all kinds of software -- Windows Update, A/V, etc. -- what makes your free firewall so special?
Seriously, disinfecting PCs without reformatting them can be a PitA, but it's still possible. Stop being so lazy / stupid.
Re:they must have stupid IT people (Score:3, Informative)
Agreed that it's foolish. Some moron is bound to plug his thumb drive into it at some point, and spread the crap everywhere.
Still, we very seldom have viruses on our windows network, and the ones we get are all installed "accidentally" by stupid users, and they never spread because the network is well partitioned, and well configured.
If you're still having virus problems at that level NOW, there is something seriously wrong with the way your IT infrastructure is set up.
Re:There's hidden costs to everything (Score:2, Informative)
I meet your cost and raise you the cost of regular hardware upgrades necessary to continue running Windows. When XP came out, 256MB was plenty, now with the updates and everything, 1GB is cramped. When it came out, a Pentium 3 667MHz was plenty, now a multicore multi-GHz is needed. This too has to be taken into the TCO.
Re:You cannot use viruses/bugs as an example of co (Score:5, Informative)
You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.
Citation needed? ;)
Seriously, some data would be nice.
http://uptime.netcraft.com/up/today/requested.html [netcraft.com]
Re:Sadly, I don't agree. (Score:3, Informative)
Re:Sadly, I don't agree. (Score:2, Informative)
There is so much software out there that simply won't install correctly if the user is not an administrator, I don't even try any more...
And of course, this does nothing for the bulk of Windows home users, running Windows XP. These are the principal vectors of most malware...
Re:It's more secure because of RPM/DEB (Score:2, Informative)
You're essentially complaining that "being root lets you do stupid things". This is a given, and this is why we don't run as root all the time. I can't think of any distributions that don't make you log in as root (or use sudo) by default in order to install things via apt/yum/whatever.
Re:You cannot use viruses/bugs as an example of co (Score:2, Informative)
Mods: That wasn't trolling. It is technically incomplete, but isn't meant to detract from the conversation. Please don't use the mod system in this way. Cherish your points and use them to make /. a better place.
As to the comment at hand, doesn't the greater perceived vulnerability of MS Windows offerings make for a more costly patching infrastructure? You can say 'if you keep up with security patches', just so long as you're willing to acknowledge and compare that cost. Are you?
The cost of OutLook (Score:1, Informative)
There's an airport in Indy that has two men on payroll, specifically to rebuild Outlook as a messaging-agent, every week when it takes a dump. This is needless, especially since Zimbra's done so very well on wide rollout.
Can you imagine trying to hire two people because Postfix goes down every couple of weeks? Unheard-of. But people will do anything for Microsoft.
And we're not even figuring-in the cases where a man loses $30,000 removed from his bank account, and spends six YEARS trying to get it back, because of malware.
Malware is very, very expensive. And Microsoft is quite the petri dish for growing such problems.
Don't tell me that, when Linux gets big enough, it'll have 2,000,000 viruses out in the wild, too. That stable of viruses was grown because it's done in closed-source and/or to cause people to buy support.
Linux, now, is larger than Apple, and still has fewer infections and malware trouble. I don't see a time when TWO MILLION viruses will be tolerated by the Linux brotherhood.
Re:Sadly, I don't agree. (Score:3, Informative)
No, the primary strength of Linux is that it is not attempting to cluelessly pander to the "normal user". Apple panders to this sort of user but it tries to be smart about it. Microsoft tries to pander to this user and f*cks it up. If Linux tries to follow Microsoft's lead in some sort of stupidity, there will be enough users bellyaching that it's a really bad idea. Who's there to send up the red flags in Redmond?
The Mac is a pretty good demonstration of the idea that you don't have to be an idiot to accommodate "idiots".
Much of Microsoft's trouble comes from violating principles that were beaten into your head if you were computing online in the 80s.
Hidden cost of hiring the wrong people (Score:1, Informative)
I worked at a major company with thousands of windows desktops when one of these big worms hit. Exactly one machine was infected and it was only because someone had violated policy and hooked up their personal laptop to the network. Two people were automatically paged, they cleaned up the mess from home and increased the surveillance on the network.
The key thing was this company hired top notch security and admins and let them do their job.
This is really the cost of hiring unqualified people just because they have MCSE's and the like. In many aspects of business, this is the correct thing to do, because the law protects you. In the case of your infrastructure, this will protect you from stock holder lawsuits, but it doesn't make you look good.
Re:Sadly, I don't agree. (Score:3, Informative)
Re:You cannot use viruses/bugs as an example of co (Score:2, Informative)
1. It's patched.
2. It only affects webdav which is disabled by default
3. webdav is an extension of IIS, not IIS itself. I wouldn't say a vulnerability in PHP is a vulnerability in apache.
4. It's not a remote execution exploit. All you can get out of it is access to some page you might not have been previously allowed. Considering webdav is only really used for exchange, this probably isn't a huge deal.
Re:Only Proprietary? (Score:3, Informative)
Or connects through a firewall...
Microsoft's tech "support" costs.... (Score:4, Informative)
Re:Cannot use Hubbell as an example of intelligenc (Score:4, Informative)
Permissions, primarily. As I sit here in front of my Debian/Ubuntu machine, my user name is "guy". I can do nothing outside of my home folder. I can't infect another user's files, can't touch any system file, can't touch root's folder. There is no C:\Program Files - meaning that I don't have write permissions to ANYTHING outside my home folder. If I wish to install a program on this machine without becoming root, I can install it to my home folder. In such a case, the program has no write permissions outside my home folder. Using any programs that root has installed doesn't give me write permissions even to that program's folder - any data that the program needs to save to my profile, history, or whatever is written inside my own home folder. In fact, I don't have access to all the programs that root has installed. I have to become root to use things like Wireshark properly, or to use the package manager.
With Windows, a limited user has to ActiveX among other things. A limited user can save files to various places outside his home folders, unlike *nix. While the Windows Administrator can lock down a lot of Windows system files, he can't prevent even a limited user from making changes and/or writing files that might be booby traps lying around waiting to be executed by a more privileged user.
While NT variants of Windows are vastly superior to Win9.x in that they actually HAVE a security model, that model doesn't compare with that of any *nix system.
Until I type in my password for sudo or root, I have fewer privileges on Debian than I would have on a limited account on Windows. I can't even open an internet connection - root does that at bootup with a script.
And, to be perfectly honest, I don't NEED privileges very often. I could probably run this account for the next year without becoming root, and manage to do everything I wanted to do, except for testing new programs and updating.
Re:You cannot use viruses/bugs as an example of co (Score:2, Informative)
I don't really worry about people taking me seriously on slashdot...
SELinux is a retro-fitted Mandatory Access Control and Group Policy Scheme... that's it.
Windows has had fine-grained ACL's and group policies forever (especially accessible ones for the enterprise) and NT 6 has a very decent Mandatory Access Control system.
I am tired of Linux types acting like SELinux is magical and somehow anything more than bringing Linux to the security sensibility of MULTICS, which had MAC's back when UNIX was still basically a hacked up computer virus.
There's nothing offered in the retro-fitting solutions you've described that aren't available in NT 6. All I see is a deficiency in terms of anti-exploit code and a better use of NX-bit based technologies in NT.
Re:Hear hear! (Score:2, Informative)
Re:Cannot use Hubbell as an example of intelligenc (Score:3, Informative)
Permissions, primarily. As I sit here in front of my Debian/Ubuntu machine, my user name is "guy". I can do nothing outside of my home folder. I can't infect another user's files, can't touch any system file, can't touch root's folder.
So, just like Windows then ?
There is no C:\Program Files - meaning that I don't have write permissions to ANYTHING outside my home folder.
Regular users in Windows do not have write privileges to %PROGRAMFILES%. At least, not by default.
If I wish to install a program on this machine without becoming root, I can install it to my home folder. In such a case, the program has no write permissions outside my home folder. Using any programs that root has installed doesn't give me write permissions even to that program's folder - any data that the program needs to save to my profile, history, or whatever is written inside my own home folder. In fact, I don't have access to all the programs that root has installed. I have to become root to use things like Wireshark properly, or to use the package manager.
Again, just like Windows.
With Windows, a limited user has to ActiveX among other things. A limited user can save files to various places outside his home folders, unlike *nix.
Where ?
While the Windows Administrator can lock down a lot of Windows system files, he can't prevent even a limited user from making changes and/or writing files that might be booby traps lying around waiting to be executed by a more privileged user.
Of course he can.
While NT variants of Windows are vastly superior to Win9.x in that they actually HAVE a security model, that model doesn't compare with that of any *nix system.
Actually, that security model is superior to traditional UNIX. It is both more comprehensive and more capable.
Until I type in my password for sudo or root, I have fewer privileges on Debian than I would have on a limited account on Windows. I can't even open an internet connection - root does that at bootup with a script.
I have no idea what you're trying to say with "open an internet connection", but rest assured a regular user in Linux can make outgoing network connections by default in pretty much any non-locked-down distro.
Re:You cannot use viruses/bugs as an example of co (Score:1, Informative)
That would explain why they haven't needed to reboot.