The Hidden Cost of Using Microsoft Software
Glyn Moody writes "Detractors of free software like to point out it's not really 'free,' and claim that its Total Cost of Ownership is often comparable with closed-source solutions if you take everything into account. And yet, despite their enthusiasm for including all the costs, they never include a very real extra that users of Microsoft's products frequently have to pay: the cost of cleaning up malware infections. For example, the UK city of Manchester has just paid out nearly $2.5 million to clean up the Conficker worm, most of which was 'a £1.2m [$2million] bill in the IT department, including £600,000 [$1 million] getting "consultancy support" to fix the problems, which including drafting in experts from Microsoft.' To make the comparisons fair, isn't it about time these often massive costs were included in TCO calculations?"
Sadly, I don't agree. (Score:1, Insightful)
It's overhead. In other words, while it's true that malware affects closed-source far more frequently than OSS, that's just because CSS is far more commonly-used, and, therefore, makes a more tempting target. Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land. I love Linux (heck, "I'm rinsing in it now!"), and have used it as my primary desktop and server platform since '94, but bulletproof it ain't.
Cheaper to prevent than fix (Score:2, Insightful)
Can't (Score:5, Insightful)
In the long run this is a cost that need not be spent. There are alternative OS's and it's high time governments, of all entities, started using open alternatives. It's not just costing them in terms of being beholden to corporations like MS but in real dollars as well.
Re:Sadly, I don't agree. (Score:5, Insightful)
The question is not "Is Linux inherently as cheap as Microsoft". No. The question is, if we include all costs, including virus and other malware related costs, will Microsoft cost more than Linux.
Just as Microsoft is correct that when considering the real cost of 'free software', you have to include costs such as training, you ALSO have to consider the costs incurred due to malware.
Prediction (Score:3, Insightful)
This story thread will have an extremely large number of posts which are highly moderated, but contain very little original or useful information.
Re:You cannot use viruses/bugs as an example of co (Score:5, Insightful)
Yes, your complaint would apply if the entire world was considering switching from Microsoft to Linux. But when I advise my boss about the comparative costs of using MS or of Linux, I would be foolish to refuse to include costs related to viruses simply because if in a mythical world where people used Linux more than MS then in that mythical world the virus cost would be lower for Microsoft.
As a businessman, I must live in the real world and base my costs on reality, not your dream world. In reality, currently, Linux has lower virus related costs and I therefore MUST include the cost to deal with such problems when calculating the lifetime cost of software.
Re:You cannot use viruses/bugs as an example of co (Score:4, Insightful)
You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.
Citation needed? ;)
Seriously, some data would be nice.
Re:You cannot use viruses/bugs as an example of co (Score:5, Insightful)
I am not following your argument, since Windows has a higher market share than FOSS solutions it is exempt from malware removal costs? I think the point of the article is that while CSS vendors tout that FOSS solutions are not 'free' in terms of TCO, they neglect this cost that affects them more heavily than the competition.
I don't think the reason behind them having the higher cost (higher market share) is relevant. It is a cost, and they have a disproportionately large percent of it, admittedly for a quite valid reason.
Re:Sadly, I don't agree. (Score:3, Insightful)
TFA is saying that the closed-source software costs more when operating costs are included in the total price tag. How much does industry pay for malware protection, virus protection, trojan protection, downtime from infection, and loss of productivity as a result of closed-source software? Those costs are relevant to businesses and should be considered.
Re:Cheaper to prevent than fix (Score:4, Insightful)
That would come out of a different Cost Center which requires pre-approval. The emergency CC is funded for... you know... emergencies, and gets funded On The Fly when it is affecting the bottom line. You know what they say: "It's easier to ask forgiveness than permission."
Re:You cannot use viruses/bugs as an example of co (Score:5, Insightful)
Probably because when the web server is IIS it's always the same operating system platform behind, which in turn means that as soon as a breakthrough occurs it's often easy to continue with the penetration.
On an Apache web server you can't tell what kind of platform it runs on, which means that an attack that works on one server may be completely useless on another.
There's hidden costs to everything (Score:5, Insightful)
Maybe the world still runs on Microsoft because the TCO difference just isn't high enough to justify the cost of switching. The cost of migration has to be figured into the TCO of the alternative, despite how unfair it sounds to do so.
Re:Sadly, I don't agree. (Score:2, Insightful)
This leads to all sorts of bogus cruft getting installed on machines by users who are without a clue with computer security, and simply don't know to install tools like NoScript or SiteAdvisor and to pay attention to the warnings they generate.
Linuxes in general do not run normal users with superuser capabilities, which stops a lot of garbage from getting installed on machines in the first place.
Re:they must have stupid IT people (Score:5, Insightful)
Re:Sadly, I don't agree. (Score:5, Insightful)
Maybe it's a strength that Linux is used less. That results in a lower cost of ownership overall for organizations "right now". In the far future, this could change obviously, but nothing suggests that this cost will be larger than that of Microsoft implementations, not by any margin, not any time soon.
So, as fundamentally correct as your point may be, the story "beats" you because it points out that Closed Source is misrepresenting a lower TCO by not accounting for security issues with the entire solution.
Closed source solution offers "skip over" the Windows virus/malware problem; Open Source has a clear answer to it now, and likely in the future. Large contracts should be made evaluating these things thoroughly, and include a real assessment of the validity of these offers, and not just take Joe I.T. Contractor's word for it.
Re:You cannot use viruses/bugs as an example of co (Score:1, Insightful)
Please point out a recent remote exploit bug in IIS. As far as I know, there hasn't been one in years.
Re:Cheaper to prevent than fix (Score:5, Insightful)
This is a good point that I hoped someone would make. What is not explained in the article is that "Windows" isn't exactly the cause of the problem, but "Windows XP." If systems were maintained and upgraded per Microsoft's recommendations, Conficker would not have been anywhere near as big a problem. Say what you will about Windows Vista, if Manchester had upgraded their systems to Vista on the client side (or at the very least, not allowed users to run XP under Admin credentials), Conficker would never have been able to install itself.
I'm a big promoter of Open Source, but I work in a Microsoft shop where we still have all our desktops standardized on WindowsXP, but we never allow standard users to run as Admin, and we never had any problem with Conficker.
Migrating to Open Source would help a lot, but Manchester just needs better IT support (or more likely, better IT management) all the way around.
I have an idea (Score:5, Insightful)
Re:You cannot use viruses/bugs as an example of co (Score:1, Insightful)
So let's see, first you use the typical popularity argument and then follow it up with a personal anecdote. This does not disprove the article's point. Whether it's due to popularity or bad engineering (or both!! who'd a thunk?), cleaning up after malware attacks IS a large expense when running a Windows shop. AV is largely a snake-oil concept at this point. It catches some, but not all attacks, and it's expensive and taxing on clients. Long gone are the days of simple, easily detectable boot sector and TSR hook viruses of MSDOS.
Windows is supposedly DESIGNED for the non-technical user though. If it cannot withstand said abuse (by being maintainable and secure without simply reinstalling), then it fails in its purpose. Usually Windows fanboys are the ones saying $NON_WINDOWS_OS is too difficult and that's why it'll never succeed. I have yet to find an OS as unfixable as Windows once it gets mangled... and it allows this to happen so easily!
Re:Cheaper to prevent than fix (Score:3, Insightful)
First, as soon as one leak is plugged, virus writers can look for the next. Commercially speaking, the virus writers get paid when they find holes to exploit. Anyone can take time to do this. The individuals working to prevent viruses keep their jobs by plugging holes, but Symantec/McAfee/Trend Micro/ESET/Kaspersky/Your Vendor Here only has so many spots on the payroll for leak-pluggers.
Secondly, it's becoming increasingly common to have viruses mimic security software. Some of the latest crops of malware look incredibly similar to Windows security warnings such that even a reasonably computer literate person would have to take a hard look to be sure that they're genuine. Faking someone else's security warnings is significantly easier than proving that one is original in an irreproducible form.
Honorable mention goes to the bean counters. If the network director/consumer sees two packages, and one is $20 more expensive (or $20/seat more expensive), convincing people to pay extra for it becomes difficult. Even if one can prove that it genuinely does a better job, given the number of people who have let their subscriptions lapse for months or years, convincing them to pay for the added security proactively, instead of a specialist reactively, is quite a challenge. Just look at how many people balk at paying for a backup solution before their hard drive bites the dust.
Re:Sadly, I don't agree. (Score:3, Insightful)
This is also the same reason that you don't see as many windows problems in a corporate environment: Because the users aren't administrators.
I recently switched my entire home network over to AD, and started making people actual AD accounts that are not local admins on their machines, and the number of problems that they're having has gone WAY down. Sure, they have to ask me whenever they want to do something like install software, but for the most part their system configurations are fairly stable -- they just do the same tasks day after day, they're not highly dynamic users who like to experiment with new and exciting software / hardware like I am -- besides, them having to call me ensures that I have a certain degree of oversight as to what goes onto their computer, allowing me not only to support them better later on (since I know exactly what happened to their PC), but also allows me to preempt problematic software etc.
Re:Sadly, I don't agree. (Score:3, Insightful)
Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land. I love Linux (heck, "I'm rinsing in it now!"), and have used it as my primary desktop and server platform since '94, but bulletproof it ain't.
I think by bullet proof they mean mitigate stupid user and developer tricks which still happen in Linux but you have to try harder.
I mean the first thing I did when first trying out Linux in 1997 was to learn it while logged in as root because that was how you logged into Windows NT.
That said, I strongly disagree that OS usage is directly correlated to viable exploits on a device.
Take the iPhone for example. It's used by a lot of people but it's nigh impossible to exploit simply because it's locked down.
Now you sacrifice a lot of usability, but that is the price you pay in terms of security.
I mean if Microsoft wrote an OS that would not allow the user or their programs to write to anywhere else except the user home directory and programs could not start up other programs or modify their files, then you would never see any other viruses again on the Windows platform.
Of course this would break all the legacy programs and you wouldn't really be running windows anymore in a sense... But wouldn't it be worth it? ;)
Re:Economy.. (Score:4, Insightful)
The problem is that for every penny they contributed in direct labor costs to clean up, there's probably at least as much wasted in employee downtime while services are unavailable.
If it wasn't for the fact that it was preventing staff from getting their work done, I doubt anyone would have spent $2 million to clean up Conficker.
I didn't RTFA, but it sounds like their total cost includes both the direct cleanup cost, and some of the indirect cost of paying people to be unproductive during the cleanup.
What about the other costs of AV? (Score:5, Insightful)
Re:You cannot use viruses/bugs as an example of co (Score:4, Insightful)
I am not following your argument, since Windows has a higher market share than FOSS solutions it is exempt from malware removal costs?
Not that it's exempt, it's that should people target Linux as much, the figure would likely be the same.
Also, if you keep up with security patches (like you should, regardless of OS), it becomes a non-issue. This is really just FUD aimed at MS, using 2001 "MS is insecure" arguments which are no longer true today.
Re:Sadly, I don't agree. (Score:3, Insightful)
Parent poster is full of crap.
Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land.
This is the same as stating: "If linux had the number of users that microsoft windows had, it would be victim to the same number of viruses, malware, and general script kiddies" which is complete bullshit.
I'm sick of hearing this argument, only a complete tool would believe it. *Nix systems are inherently more secure, due to its security model (file permissions, groups, no admin rights, etc), and to the fact that it literally forces you to not be a complete moron (security wise) while using it. Furthermore, because of the variety of software that can be installed on each box, only the most common programs (apache, nginx, ssl, ssh, etc) would be effective targets to attack, limiting the areas an admin needs to cover.
Due to the above, there are only certain attacks that would be effective to a *Nix system. Off the top of my head, this leaves: privilege escalation, man-in-the-middle, and social engineering (a problem everywhere, regardless of OS).
In short, a Linux machine that is run by a competent administrator is MUCH more difficult to infect or attack than a Windows machine, and the parent is a moron.
Re:Not going far enough (Score:3, Insightful)
Re:Sadly, I don't agree. (Score:4, Insightful)
Re:You cannot use viruses/bugs as an example of co (Score:1, Insightful)
I'm sorry you were modded troll, but maybe you didn't express your point correctly. Let me give it a try.
One of the companies I consult for has something like 30,000 desktops. They were not affected by Conficker in any way shape or form. In fact, I think they were bitten by the "anna kournikova" thing back in 2000 or 2001, and never again had any problems with worms or viruses.
How is this possible? I don't know. Maybe some common sense was involved.
But the premise of this article is that this company - and indeed, every other company in the planet that uses Windows but doesn't have these problems - should factor into their operation of Windows a "hidden" cost that simply does not apply to them.
That's clever, isn't it? It's a great argument, assuming you have the IQ of a sponge to begin with.
Re:Cheaper to prevent than fix (Score:3, Insightful)
I'm kind of curious here. Are these guys actually running workstations outside of AD domains? I mean, group policies have been around since the olden days on Windows server platforms, and a well constructed group policy that simply denies the capacity to install software can probably eliminate many of the worms, spyware and the like. Not all of it, of course, which is why anti-virus is still necessary, but if you have a large network and you don't have it locked down, then you're either cheaping out and getting home versions of XP (and even these can be locked down, though it's a lot more of a pain to distribute registry entries than to have the GPO mechanism do it), or your IT guys should be fired.
Re:I have an idea (Score:3, Insightful)
Re:I have an idea (Score:2, Insightful)
Re:You cannot use viruses/bugs as an example of co (Score:4, Insightful)
Re:Cheaper to prevent than fix (Score:2, Insightful)
Exactly. This is the part that gets me. While I'm not disputing that there are costs involved in malware containment or prevention, they should not be nearly as high as the main article describes. If Manchester had simply patched its computers when the patch was released, they never would have had this problem with Conficker to begin with. The article says that it hit the city in February, a full FOUR MONTHS after the patch was released. There's simply no excuse for that. I work in a giant corporate machine, and even we get patches pushed out to tens of thousands of Windows machines faster than that. The cost of prevention is far lower than the cost of reaction most of the time. So while I agree that it's a cost that needs to be factored in, I have a very difficult time believing that it's as high as some of you are making it out to be.
Keep in mind, patching systems to prevent exploits is not something that is limited to Windows either. It's something you should do for ALL operating systems, regardless of the security model or other factors. If you aren't keeping your Linux install and FOSS software updated, you're putting yourself at risk just the same as on a Windows system. Don't ever fool yourself into thinking otherwise.
And for the record, I'm a Linux user (and a huge fan of Linux to boot) as well as a Windows user. So this isn't coming from someone who doesn't like Linux. I'm simply attempting to give it a more objective viewpoint.
Re:Sadly, I don't agree. (Score:2, Insightful)
Linuxes in general do not run normal users with superuser capabilities, which stops a lot of garbage from getting installed on machines in the first place.
No, Linux simply does not have the ignorant home user demographic that Windows does.
Not running as root is, at best, a minor bump in the road. There's very little that a malicious program might want to do, that it cannot do as a regular user.
Re:Sadly, I don't agree. (Score:3, Insightful)
Only Linux is not used less, Linux is used for almost every platform that includes a microprocessor, from PCs to embedded stuff to gadgets etc...
ALL software has "hidden costs" (Score:2, Insightful)
Re:You cannot use viruses/bugs as an example of co (Score:5, Insightful)
I expect your shop is 100% Windows precisely because you're too macho to accept the many good reasons why a shop that is 100% anything makes you vulnerable.
Your arrogance will be your downfall.
Re:You cannot use viruses/bugs as an example of co (Score:2, Insightful)
Ahem..
Please go look up fingerprinting, both active and passive, and revise "you can't tell what kind of platform it runs on".
Thanks
Re:You cannot use viruses/bugs as an example of co (Score:5, Insightful)
"hacked" and "infected" are worlds apart.
This is the difference between your personal server being rooted and the entire internet being brought to its knees.
It's like the difference between needing to go to the hospital because someone decided to stalk you and then shoot you versus getting some plague-like disease for going out in public.
Being hacked generally requires personal attention on the part of some conscious assailant rather than just some automated bit of malware exploiting some fundamental design flaw in the software you're using.
...and there is "anti-exploit" code in Unix. It's probably been around longer than the comparable "code" in DOS and Windows. The fact that Unix is a harder target and its users are intolerably smug doesn't mean they aren't thinking about the problem.
Re:You cannot use viruses/bugs as an example of co (Score:5, Insightful)
The answer is that the IT staff obviously were not on top of the maintenance of the computers. Rolling out Windows Updates is not a difficult task; computers can be set to do it themselves, or you can use a centralized roll-out system like WSUS.
You've failed to address one of the main reasons why "big shops" don't get updates out in a timely manner: the need for updates must be carefully balanced against the likelihood that updates are going to disrupt mission critical systems.
As an IT guy, you should probably know this. Maybe your systems aren't so critical, and you can afford to believe the absolutist tripe about how it's the IT staff's fault for not getting the update out in time. IME, the real world is rarely so black-and-white, and keyboard badasses that make grand pronouncements are rarely worth listening to.
this is stupid (Score:1, Insightful)
"For example, the UK city of Manchester has just paid out nearly $2.5 million to clean up the Conficker worm"
So they spent an extra 2.5 million because they didn't turn on Windows Update, and now they blame Microsoft?
Cannot use Hubbell as an example of intelligence (Score:5, Insightful)
To claim that Windows' insecurities aren't part of the true cost of Windows is genuinely dishonest. If you run Windows, and you DO NOT invest in security measures, you are a complete and utter fool. If you run Windows and you invest in inadequate security measures, then you are a mere run of the mill fool.
Any mission critical computer with sensitive information on it has to have expensive security software installed, and it must be supervised and monitored frequently. It is EXPENSIVE to keep a Windows machine "secure".
Only the basest of MS fanbois will say the same about *nix. Granted, only an idiot would set up a *nix machine without setting up a firewall, permissions, and other accepted security measures. But, an idiot can indeed manage to set a box up, and to run it for extended periods of time without problem, because *nix has a lot of security BUILT INTO IT. (Well, as long as our idiot doesn't run as root all the time - nothing can save an idiot from himself if he disregards ALL security measures.)
Re:You cannot use viruses/bugs as an example of co (Score:3, Insightful)
There's one big fat gaping hole in your argument.
Not everyone is comfortable with changing their systems on a whim. They believe in little things like "testing" and "change control" and they aren't going to just "throw something in" cowboy style.
Other stuff might break... important stuff.
So you can't always assume that end users are able to participate in an endless cycle of changes to their important software.
In general, products should not be sold broken.
Re:You cannot use viruses/bugs as an example of co (Score:2, Insightful)
That's a bit myopic.
Sure, you can advise your boss that his TCO will be lower on account of malware if he goes with Linux. I'm not even saying it's a bad idea.
Of course, so can everyone else who picks up on this meme.
And as that argument sways more users toward FOSS, the cost/benefit for malware writers will change. Maybe we hit an equilibrium point that's less prone overall than today's monoculture, but there are reasons I doubt it. (I think the concerns of monoculture are overstated when the opponent is intelligent rather than random; and I think business will always push toward a monoculture anyway.)
Based on the information available today, predicting the future-looking TCO associated with exploit of software bugs on one platform vs. another is futile. With MS we have a track record from which to say "not good"; for FOSS we have no reasonable track record. So to me, that's background noise. I'd love to see an experiment to collect good data on the malware cost of FOSS.
This would work itself out if we had real competition on security among software vendors - which is why I don't say it's a bad idea to advise switching toward a 2nd vendor be that a FOSS solution or anything else. But it's hard to make that scale in the business world without interoperability, and the players in the market don't want to risk becoming commodities. Good luck.
Even better - imagine a world where the customer doesn't bear the cost of the vendor's mistakes. I know, crazy...
Re:You cannot use viruses/bugs as an example of co (Score:5, Insightful)
Believe it or not, there are a whole lot of Microsoft users and some of them like their products. Automatically assuming someone is a shill because they speak positively about Windows is just plain retarded.
Re:Sadly, I don't agree. (Score:2, Insightful)
UAC is also a really excellent innovation, allowing even Administrators to keep themselves somewhat in-line.
Except UAC isn't an MS innovation. Privilege elevation has existed long before MS decided to start taking security seriously.
Re:You cannot use viruses/bugs as an example of co (Score:2, Insightful)
A car WEARS OUT.
The oil in a Honda is a physical thing. It will break down chemically over time due to age and heat.
What is the comparable process in a computer?
There isn't any.
There's no good reason for the system software to require "maintenance" to deal with bit rot. The only reason "maintenance" on software is required is because it is sold to the customer BROKEN. This is why Microsoft software gets infected with malware.
This notion that Linux or MacOS doesn't get hit due to lack of "popularity" is just a self serving delusion that Lemmings tell themselves to avoid acknowledging the truth that they've been conned and duped and continue to be conned and duped and don't see a good alternative.
Many of the older computing platforms were rife with malware because they provided a suitable breeding ground for malware. Large numbers had nothing to do with it. This is a historical fact that Lemmings continue to try to gloss over any time they claim that malware is about "popularity".
A Honda is built not to implode at 60,000 miles. This is why you can drive one for 300,000 miles. Your level of dedication to the product really doesn't have that much to do with it.
Windows is no Honda.
Re:Only Proprietary? (Score:3, Insightful)
Linux has a lot less malware. The effect on TCO of counting it would be negligible. That is not true of Windows. Therefore, ignoring it favours Windows.
If we are going to pick and choose what to ignore, let's ignore retraining costs and one-off transition costs. I wonder who will have the lower TCO then?
Re:You cannot use viruses/bugs as an example of co (Score:4, Insightful)
I believe that the majority of corporate bosses are too stupid to pick up on this meme for the foreseeable future.
I am sure that in 30 or forty years it may become a problem, but by that time I will have retired.
In addition, many of the "costs" Microsoft calculates are in fact dependent on Linux being less popular than MS. If everyone is using Linux, then the costs to retrain etc. will NOT be present.
No, Microsoft is not allowed to put in tons of "Linux is not the primary system people know" costs and then exclude the "Linux is not the primary system people write viruses for" costs.
Not to me at least.
Re:You cannot use viruses/bugs as an example of co (Score:4, Insightful)
There are other factors involved in deciding which software is "best" for a particular need, but if a "free" software will do the job adequately, it is saving several man days per year to use a "free" software as compared to having to turn the crank on the money machine.
Re:Sadly, I don't agree. (Score:1, Insightful)
No one said Linux is "bulletproof". Don't try to change the topic.
TFA is saying that the closed-source software costs more when operating costs are included in the total price tag. How much does industry pay for malware protection, virus protection, trojan protection, downtime from infection, and loss of productivity as a result of closed-source software? Those costs are relevant to businesses and should be considered.
What the hell does 'closed-source' software have to do with malware and all the things you listed? Those depend more on popularity than FOSS or not. For example, check FireFox 'infected' with spyware http://i.d.com.com/i/dl/media/dlimage/14/92/50/149250_large.jpeg [com.com]
Debian servers attacked http://news.zdnet.co.uk/security/0,1000000189,39118062,00.htm [zdnet.co.uk]
"This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours," the posting read.
Attackers compromised four servers, including those responsible for maintaining the project's bug tracking system, mailing lists, Web, Common Versioning System (CVS), security downloads and others.
RedHat/Fedora itself being attacked http://www.pcworld.com/businesscenter/article/150212/hackers_crack_into_red_hat.html [pcworld.com]
The last two examples are almost the equivalent of Windows Update being attacked and distributing malware, which hasn't happened (yet).
How can you claim that 'closed-source software' is the cause of all the ills you mentioned?
Re:Sadly, I don't agree. (Score:3, Insightful)
There's a problem with the theory that Linux will have as many viruses as Windows if it becomes more popular. Namely, Linux is currently the most popular webserver; despite this, Windows-based webservers have far more malware.
Linux webservers do get hacked too, showing that they're a priority target, just not as many viruses.
You also have to factor in that Linux is a diverse ecosystem, windows is not as much, all products essentially the same. That makes writing a virus that will hit all Linux boxes a lot harder than one that will hit all windows ones.
Linux will certainly develop a malware problem as it grows, but it will never be as bad as Windows has it.
Also, from the perspective of TCO, as Linux becomes popular enough to have a malware problem, it will also decrease the cost of training.
Re:Sadly, I don't agree. (Score:5, Insightful)
that is run by a competent administrator
This would be the key to any secure system. It is also possible to run Vista securely, but nobody does because that would require "training" the users more than we are used to. Linux is more secure by default, Linux users are more accustomed to running in a secured environment, etc.
Is the Linux security model "better" than the Vista one? I think that's a 99% subjective question. Subjectively, I find it easier to run Linux securely than Vista, and more importantly, it is easier to do things securely in Linux than to do them insecurely, in most instances. In Vista the opposite is often true - far easier to run in Administrator mode than to hassle with reconfiguring something to work properly in a secure way.
But, if you have a competent administrator and well trained users (both as common as Blue Moons on Thursdays), then Vista can be run just as securely as Linux, but then, well trained Linux user/administrators are also quite rare, in the real world.
Not an inherent cost of Windows (Score:4, Insightful)
This is not a hidden cost of Windows, but a hidden cost of having ignorant admins and/or management. If you're spending $2.5 Million cleaning up a virus infection, you've done something terribly wrong along the way. Most machines in most places of business maintain the same software day-in and day-out. Those machines should either be booting via write-protected remote images or using something like SteadyState to keep everything running perfectly. The servers should have correctly created permissions and security which make viral infections nearly impossible. The rest of the machines should be locked down with policies, limited privilege accounts, and software providing protection from infections. They should also be regularly imaged (as in nightly to a SAN/NAS/etc).
That's just the common sense little stuff. There's plenty more that could be done as well, but just the above will all but guarantee you never see a multi-million dollar cleanup bill regardless of your choice of OS.
Re:You cannot use viruses/bugs as an example of co (Score:5, Insightful)
yadda yadda MS has 90% market share so that's the reason it has malware yadda yadda
I absolutely hate this argument. It assumes such a simplicity, that the only consideration that people pick for coding a virus is marketshare of the target. Of course it's one consideration, but not the only. It, more importantly, seems to want to wash Microsoft's hands of the problem, meaning nothing will get fixed. There are a lot of things MS can do to help the situation (and in their defense they have done some) but saying "it's because they own the desktop, nothing to see here, move along" doesn't help anyone. Including you, when your net is down because of some Conficker DoS.
The problem with Microsoft is just how damn easy it is to write a virus, at least in the old days. Microsoft had a system (Windows + Explorer + Outlook) which:
This is the essence of all VB email viruses. This bad design had absolutely nothing to do with marketshare, just made the impact much more widespread.
Also, they allowed HTML email to hit ActiveX, which means an untrackable email can execute code just by you opening the mail. It's the Goodtimes virus, but for real.
I personally use windows, and prefer windows, and since XP came out have never had a problem with it myself. The biggest problem with computers is they're technical machines which lend themselves to needing to have technical knowledge in order to use one safely/correctly....which the majority of people do not have.
An analogy would be that "cars are complicated now, with computers and stuff, and people need to be expected to know all that tech stuff to operate safely, so we can let them explode or catch on fire if people are not paying attention 100% of the time, because it's really their fault if the car blows up when you cross the yellow line"
Again, simplicity in argument. YES stuff is complicated, but there are a lot of things you can tie down by default. MS is driven by checkbox marketing, the more features the better. This blows up when people have a financial incentive to exploit those features.
Re:You cannot use viruses/bugs as an example of co (Score:2, Insightful)
Rolling out Windows Updates is not a difficult task
True but I would like to consider the line just before that one...
The answer is that it's because the IT staff obviously were not on top of the maintenance of the computers.
This statement slaps directly in the face of what Microsoft touts as their big advantage. Ease of manageability. In fact, they say that it is 60% of the TCO of servers. [microsoft.com] See blue pie piece.
In fact what does Microsoft think Ease of manageability means? [microsoft.com] See first gray bubble
With a piece of software that is just sooooooo easy to keep running, why do entire IT departments fail to be "...on top of the maintenance of the computers?"
Trust. Microsoft's automatic updates not haz it, to use the lolcatz of our times. People don't trust Microsoft's updates. They fear it will break what they have going. slight pause It may, it may not, but that's not the point. The point is that the ease of manageability argument fails when we subscribe to your idea of...
it's because the IT staff obviously were not on top of the maintenance of the computers.
We can either say that IT departments need to spend due diligence with updates and security announcements with Microsoft products (much like Unix and Linux IT departments), or we can say that Microsoft has issues with security and trust which lead to an environment that breeds ripe servers for malware attacks.
In the end, one of these two options will cost an IT department money. True, this article looks at it from the latter point of view, but say we look at it from the first point of view and what do we have? The TCO rising because the "ease of manageability" is reduced, the two being inversely proportional per Microsoft. So even if Microsoft does patch whatever exploit it is that we are questioning, the trust is not there from the end-users and that costs something, as human as it may sound.
Re:You cannot use viruses/bugs as an example of co (Score:3, Insightful)
I'm very curious as to whether that shop you mentioned fits within Microsoft's "TCO" calculations. I'd be willing to bet that the company you're talking about goes far above and beyond what Microsoft says an outfit of that size and function should cost. Yes, it is possible to secure a Windows working environment, but as soon as you do you start to find that the other arguments Microsoft relies upon begin falling down. As soon as you start to build effective security, it starts to get harder to maintain compatibility, it starts to get more expensive to hire/train staff, and it starts being less user friendly.
This is just my personal experience matched up to yours, and it's worth just as much (nearly nothing). You want to know the real truth of the matter? Step the anecdotes back for a second and look at things more generally. HOW much is spent per year by businesses in general (not your pet data point) cleaning up malware? HOW much business is lost before it can be cleaned up properly? These numbers are so obnoxiously larger than the 0 you're subtly suggesting that I find the "IQ of a sponge" comment amusingly ironic.
Re:You cannot use viruses/bugs as an example of co (Score:2, Insightful)
Have a nice day!
Re:You cannot use viruses/bugs as an example of co (Score:4, Insightful)
Re:You cannot use viruses/bugs as an example of co (Score:3, Insightful)
> This is really just FUD aimed at MS, using 2001 "MS is insecure" arguments which are no longer true today.
Totally man, we haven't had a Windows malware event so bad it broke out into the mainstream media in years.
Oh sorry, my bad, we have. The patches fly out at about the same pace as they did in 2001. Different subsystems get targeted as the cat and mouse game goes on but since Windows is still a big blob of poorly documented, closed source and for the most part insecure code the game isn't likely to end soon.
That said, had a look at a major Linux distro's errata firehose lately? So let's not get too smug. Yes, I realize a Linux distro covers a much larger universe that includes server software, office suites and development tools. But compare apples to apples, say Firefox to IE, and we still have work to do. Which is currently safer? Well, I'm not posting this from Windows.
What hidden cost? (Score:5, Insightful)
I suppose people think that complexity is somehow better or more indicative of truth... because why are we trying to battle on these obscure money-lenders' rationale of governing costs of software? It's simple, Linux is downloaded for free, and to get Windows alone is what.. 199.95? Oh, and how much for Photoshop? Oh, maybe add Maya, and then perhaps some VM software? Because, we all know that Windows by itself, out of the box, is rather limited. Add in a full blown development environment... oh, yes and Microsoft Office I presume yes?
TCO is bullshit. Windows has a price tag greater than 0. No matter how complex or convoluted you get, no matter how many lawyers with fantasy rationale obfuscating the obvious, no matter what is said or how it's said... any price on Windows is always going to be more expensive than free.
Cost of operation? How much wasted time do you think has been put into trying to figure out mundane tasks in Office 2007? Might as well be a completely new product; Open Office, which clearly is a different product, is more familiar to a previous Office user than 2007 is. TCO accounts for "training" as their defense? They are shooting themselves in the foot. I mean, you always have "training" with new software. Sometimes you have it with just bug-fixes or upgrades. For some of us, it might only be "familiarizing", but others who are so dead set in a routine to complete a task will struggle for sure.
What is it about TCO that is relevant, useful.... real? Keep that to yourself, I've read all the garbage. Bottom line is there's really nothing governing this bullshit "TCO" philosophy, any more in favor of Microsoft than any other software or product for that matter. The real fact is the real numbers. 199.95 for retail Windows. And then tally up all the numbers that would make your "Windows" installation, and all the third party software, "legal". There's your real cost, there's the obvious cost.
How much do you think it would cost to have a legit Windows box? 5,000 USD total in software costs?
No, better yet. How much would a Windows box cost, purchasing all of the commercial software available that would enable the Windows user to do what the typical Linux installation can do? I mean, I have photo editing software, 3D renderers galore... office suites, every server imaginable, VM software, conversion tools... jesus my box is Linux... nuff said. My Windows box would break the bank paying for and installing only a fraction of the capabilities in commercial software.
Now, site wide licenses, think organization size... thousands of desktops... niche market functionality... dear god. TCO is the least of your worries it seems.
Re:Hear hear! (Score:2, Insightful)
Yes, and we all know how superior and knowledgeable state-run lowest-bidder IT is compared with the rest of the security industry.
Really, people, most government agencies pay such crap IT salaries, all the people who have a clue aren't working for the state itself... they are the ones coming in as an outside consultant to clean it up for $2.5 million.
So why is it such a shock that a bloated, un-organized, underfunded, undertalented state agency got that bad an infection, and was not capable of fixing it themselves?
Yes, there are a lot of hidden costs to MS products. But if you're going to go the "malware" route, the best you can do is include the time & cost of installing preventative AV software. Patches should be automatic, but I have this sneaking feeling that most of those machines were waaay past due.
Or in other words, don't try to lump in the incompetence of the IT group with the product's hidden cost, no matter how tempting a target it might be. This article really is just Flamebait over and over again.
Benchmarks with AV-software, too (Score:3, Insightful)
Benchmarks comparing PCs with Windows and other OSs should be forced to run with AV-software installed - because that's the normal use-case.
Everything else is silly.
Disappointing post considering the title (Score:3, Insightful)
I got disappointed because when reading the title I thought this post was going to be about the REAL BIG cost of using Microsoft software. Security is one thing, but they have been improving (you've got to accept it). The real issue is the LOCK-IN, and THAT is a gigantic hidden cost of MS software. I wish some serious publication could analyze and denounce it, because seriously, malware costs are not a big deal and pro-MS groups will always just use their gigantic, excessive marketshare as an excuse for it.
Re:You cannot use viruses/bugs as an example of co (Score:3, Insightful)
"And as that argument sways more users toward FOSS, the cost/benefit for malware writers will change."
But if that's the case, it will be *then*, not *now*.
"for FOSS we have no reasonable track record. So to me, that's background noise."
For me, having about 200 Linux systems, both servers and PCs, my "background noise" says "malware-related costs to-date: zero". Surely my manager will say "but, hey, let's inflate this number since making our real numbers out of our real bills to get our real TCO would be a bit myopic, you know".
"imagine a world where the customer doesn't bear the cost of the vendor's mistakes. I know, crazy..."
Not so crazy: that's the world as of today: the customer never bears the cost of the vendor's mistakes; it bears the cost of its very own mistakes... choosing the wrong providers, for instance.
Re:You cannot use viruses/bugs as an example of co (Score:3, Insightful)
"I work in IT, in a 100% Windows shop (the only non-Windows we have is ESX running under multiple Windows installs) and we simply do not have any problems with any form of malware, at all."
Don't you deploy antivirus on your systems, on servers or desktops? Do you think those antivirus products come for free and don't take away maintenance resources? Do you think those antivirus products never caused any compatibility problem with any other service? Do you think they don't take up hard disk, RAM and CPU?
"I guarantee you that no matter what OS you run, you're going to run into problems if you don't take precautions to protect your software from malicious code."
And I agree 100% with you. It's about what the relative costs for those "precautions" are with regards to the platform. I'm not like you and my "house" is not 100% windows but about 90% Linux 10% Windows and I can tell you a significant difference does in fact exist.
"As for these people cleaning up Conficker...talk about a bad example! The vulnerability that Conficker takes advantage of has been patched for what...8 months now?"
So you want to talk about "real world" when it fits to your argument but avoid it when you don't like it?
"I wouldn't be complaining about the malware or the cost of removing it, I'd be firing the IT department en masse"
So you feel it's proper to talk about costs regarding compatibility issues basically maliciously provoked by Microsoft itself as a lock-in strategy (we are talking about "real world" after all) but you think firing your entire IT staff, hiring new ones, training them and hoping they'll be any better than the old ones will come for free, did I get it?
"she doesn't have Conficker because I set her Windows updates to do themselves automatically."
Ok, now I get it: your mother's PC is the nearest you've been to a corporate environment, or else you'd never talk about automatic Windows updates as a solution.
"That is how easy THAT is."
Yes: filtering your facts in order to reach simple solutions that won't account for all the "corner cases" of your real scenario is always easy. It's only that it's irrelevant too.
Re:Hear hear! (Score:3, Insightful)
Here is the kicker: you can't 100% trust MSFT patches. Because of the way XP works, and has been allowed to work, a patch may QA-test fine but break a mission critical app that is written poorly. However, because MSFT doesn't force developers to use the proper tools, the app works without an update. I have had it happen to me several times. The patch auto-downloads, plugs the leak, but from then on I can't use software that is necessary for my job.
There have also been several times where MSFT has rushed a patch and either sent out the wrong one (it happens), or the patch was flawed and crashed systems left and right.
This isn't strictly MSFT's fault (it is only in the sense that they are so lax about patching things properly) but you can't trust auto updates; you need to give them about a week to work out if there are serious issues.
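An added example, not part of this thread or of any Microsoft tooling: the "Not an inherent cost of Windows" post above lists limited-privilege accounts, locked-down policies and patching as the "common sense little stuff", and the reply just above argues for holding patches about a week before trusting them. The read-only PowerShell audit below checks both on a single Windows client: who sits in the local Administrators group, whether the current session is elevated, whether Automatic Updates is set to download and install, and which applicable updates have been missing for longer than the deferral window. Function names and the 7-day window are my own choices; the registry values and the Windows Update Agent COM API are the standard ones, and the ADSI enumeration is used rather than Get-LocalGroupMember so it runs on the XP/Vista-era PowerShell the thread is discussing.

```powershell
param(
    # Assumption: a week is a "reasonable" deferral; patches still missing
    # after that are overdue even under the hold-back policy argued above.
    [int]$MaxPatchAgeDays = 7
)

function Get-LocalAdminMembers {
    # Enumerate the local Administrators group via ADSI (Get-LocalGroupMember
    # only arrived in PowerShell 5.1). This list should be short and every
    # entry should be accounted for; day-to-day user accounts do not belong.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

function Get-AutoUpdateSetting {
    # AUOptions: 1 = disabled, 2 = notify only, 3 = download and notify,
    # 4 = download and install on schedule. The Group Policy key overrides
    # the per-machine key, so it is consulted first; NoAutoUpdate=1 there
    # disables the service outright regardless of AUOptions.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $off = Get-ItemProperty -Path $policy -Name NoAutoUpdate -ErrorAction SilentlyContinue
    if ($off -ne $null -and [int]$off.NoAutoUpdate -eq 1) { return 1 }
    foreach ($key in @($policy, $local)) {
        $v = Get-ItemProperty -Path $key -Name AUOptions -ErrorAction SilentlyContinue
        if ($v -ne $null) { return [int]$v.AUOptions }
    }
    return $null
}

function Get-OverdueUpdates {
    param([int]$MaxAgeDays)
    # Windows Update Agent COM API: every applicable update that is not yet
    # installed, filtered to those published before the deferral window.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $cutoff   = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($u in $result.Updates) {
        if ($u.LastDeploymentChangeTime -lt $cutoff) {
            New-Object PSObject -Property @{
                Title     = $u.Title
                Severity  = $u.MsrcSeverity
                Published = $u.LastDeploymentChangeTime
                KB        = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            }
        }
    }
}

function Test-WorkstationBaseline {
    # Pull the individual checks together into one report object.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $admins    = @(Get-LocalAdminMembers)
    $au        = Get-AutoUpdateSetting
    $overdue   = @(Get-OverdueUpdates -MaxAgeDays $MaxPatchAgeDays)

    New-Object PSObject -Property @{
        RunningAsAdmin     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        LocalAdmins        = ($admins -join ', ')
        AutoUpdateOption   = $au
        AutoUpdateOk       = ($au -eq 4)
        OverdueUpdateCount = $overdue.Count
        OverdueUpdates     = $overdue
    }
}

# Anything the checklist above would flag shows up here: a day-to-day
# account in LocalAdmins, RunningAsAdmin = True for an ordinary session,
# AutoUpdateOk = False, or a non-zero OverdueUpdateCount.
Test-WorkstationBaseline | Format-List
```

Run it elevated (the Windows Update search needs it) on a sample of the fleet rather than on one machine; a box that passes all four checks is not immune, but one that fails them is exactly the kind of host that ends up in a multi-million dollar cleanup bill, whichever OS it runs.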
Re:You cannot use viruses/bugs as an example of co (Score:3, Insightful)
Microsoft products have a long history of virus, worm, and bug problems for lots of reasons. One of which is the inability of anyone knowledgeable to review the code quality or to patch security holes. It's a closed-source system and in many cases its defaults leave vital processes vulnerable to attack. Many problems are not solved with an OS-level fix, i.e. buffer overruns. (That was actually quite funny, one unanticipated time when "buffer overruns" and "IE" are in the same sentence and it doesn't involve a Microsoft patch. But I digress.)
Linux systems have been around sufficiently long -- and are in so many things you use each day -- routers, switches, VOIP systems, firewall systems, servers, smartphones, PDAs, palmtop computers and more -- that the track record has been established. The NSA has given Linux its blessing, and recent competitions to try and break SELinux have proven uninteresting. By design it's a more secure system, and because of the quantity and quality of people looking at the code it's able to achieve a higher standard of security.
If you're going to try and hack some user desktops, go ahead, Linux hasn't made inroads into the desktop like Windows has. It's the design flaws of Windows that require antivirus software just to keep the thing alive. But, on the other hand, if you want to try and hack my network, it's protected by a Linux firewall appliance. Note which OS I use when security and stability matter?
Interesting (Score:1, Insightful)
I've been involved with computers since I was 9 years old (I'm 34 now) and I've used Windows since its very earliest version. When I was a noob, I got viruses and was hit by just about every worm that went around. Then, I took the time to learn about good computing habits, proper security, and sensible practices.
On my Windows XP systems I don't run an AV at all, I run Internet Explorer 8, I use Outlook, and all the other supposedly 'deadly' things that make Windows so insecure and dangerous. I occasionally will download an AV and anti-malware programs 'just to be sure' always expecting to find stuff. You know what? I never do!
In the last five to eight years, I have *never* had a virus or worm hit my computer. I don't get spyware, I don't have popups all over the place, and I don't have those ungodly messes of toolbars that you see many Windows users having on IE. Why? Because I took the time to learn proper security, best practices, and don't do stupid stuff. I also keep my system patched.
The fact is that a properly patched, secured, and managed Windows system is just as secure and stable as Linux. So then, why does it seem so many Windows systems seem to fall under the crush of malware?
Users.
Look at the statistics. For most of the major viruses and worms that have been out in the last few years, Microsoft has often had a patch available for the vulnerability they exploited before the software was in the wild. Sometimes, they've had patches available for months or even years. Yet users who listen to the anti-Microsoft drivel of 'they're trying to sneak stuff on your computer' become so paranoid that they choose to either turn off auto-update or they 'selectively' choose 'safe' updates without a good understanding of what the others do. The upshot is that they, through their actions, leave their systems vulnerable.
Now, to be totally fair, I'm also a Linux user (desktop and server Ubuntu and a few Fedora systems) and they are pretty rock solid. But it's easy to say how secure you are when you're in the minority and nobody cares enough to really attack you by writing malware for your platform. Linux also tends to attract a more sophisticated and technically savvy user base than Windows so it's a bit dishonest to compare the two. If all Windows users suddenly migrated to Linux and brought their computing practices along with them, guess what? We'd see a LOT of problems with Linux systems too. So, no, comparing isn't totally honest. But, if we are, we can *easily* find examples of vulnerabilities that were exploited in *nix software and used to own systems.
The simple fact is that *no* operating system, Windows or otherwise, is secure until you choose to make it secure. It doesn't magically happen. USERS have to take the initiative to be proactive about their systems.
It's very popular to jump on the "Let's hate on Microsoft" bandwagon. Everyone seems to be doing it. I've run into a lot of people who told me "Oh I wouldn't use Windows if you paid me. It's crap" yet when I asked them what exactly their complaint was they would mumble something about 'security' but couldn't go into any details. Why do you think that is? It's because they didn't *know* any details! They just heard the rhetoric and thought spewing it forward made them seem knowledgeable and cool.
It doesn't. It makes them sound stupid and uninformed.
So consider this: next time you want to talk about how much you hate Windows, ask yourself this: why do *you* personally hate it? Have *you* had bad experiences with it or have you just read all the hype and made your decision based on that? Have you educated yourself about proper system care and management?
If not, look into it. I think you'll find Microsoft is doing a pretty bang up job with security these days. The chants of 'Linux is going to OWN Windows' are fading away.
I love Linux but I can't say I hate to see the zealots go.
Re:Sadly, I don't agree. (Score:3, Insightful)
How can you claim that 'closed-source software' is the cause of all the ills you mentioned?
Where exactly did he say that?
You sir, are a contender for the bad strawman of the day award.
Re:Only Proprietary? (Score:3, Insightful)
You act as if every site that is using those formats is acting maliciously. It's simply not true. Even in the rare case a mainstream site would be attacked, you would find out about it within a day and be able to take action. Not a big deal and definitely not common.
I've run anti-virus before; it got very old scanning my computer and having the thing freak out over some simple tracking cookies and never a virus. No thanks. I guess some people just go to cooler websites than me.