The Hidden Cost of Using Microsoft Software 691
Glyn Moody writes "Detractors of free software like to point out it's not really 'free,' and claim that its Total Cost of Ownership is often comparable with closed-source solutions if you take everything into account. And yet, despite their enthusiasm for including all the costs, they never include a very real extra that users of Microsoft's products frequently have to pay: the cost of cleaning up malware infections. For example, the UK city of Manchester has just paid out nearly $2.5 million to clean up the Conficker worm, most of which was 'a £1.2m [$2million] bill in the IT department, including £600,000 [$1 million] getting "consultancy support" to fix the problems, which including drafting in experts from Microsoft.' To make the comparisons fair, isn't it about time these often massive costs were included in TCO calculations?"
Only Proprietary? (Score:3, Interesting)
Other hidden costs. (Score:5, Interesting)
The change of the user interface in Office 2007 is one huge hidden cost. It was done to make things "easier" with the result that old users instead have to re-learn the user interface completely and have a really hard time to do even the things that were simple before.
And some things that was easy in the old Office version is now really cumbersome. The style handling in Word is one example that can make the blood pressure rise.
Troll article yes, but (Score:4, Interesting)
What the hell were they doing paying $2.5 million to clean up a worm? Seriously? Hell, you could have paid the guys who wrote it 2 million to exclude your IP range in the fricking code, and saved 500k!
Governments have got to get their crap together on this stuff. When that worm hit corporate here, in luddite central, the number of effected machines was under 30...For the entire corporation! And that's with all properties connected by a corporate WAN.
That they had that level of infection is inexcusable. Shows that they're just wasting money right and left and getting nothing but a crap product.
Re:It is the hacker's mentality. (Score:2, Interesting)
You are confused. At this point, the typical 'hacker' works on whatever systems he thinks he can make the most botnet money from.
Re:It's fun to dump on MSFT (Score:3, Interesting)
Not necessarily, it points out that consultants (often independent companies) are wrongly evaluating software contract offers.
That's a big problem, not just for Microsoft, but especially for large organizations and the companies that evaluate these offers for them. No bashing there.
Re:You cannot use viruses/bugs as an example of co (Score:1, Interesting)
Last I heard, the most commonly hacked webserver was Apache/Linux. A secure legacy won't protect you forever... now that it's popular, the poor security practices in the platform are beginning to be exploited...
I would say Microsoft is rather catching up and surpassing the linux platform in security, given the recent figures.
There is almost no anti-exploit code in linux, anyway, so once you're through the security, you know exactly where you are and what you're doing. Microsoft has a tremendous advantage, having been targeted for years... their level of defense is now much higher. They withstand attacks the linux platform could never find the resources to repel.
So the cost Microsoft has spent weathering this will reduce the TCO of all their users... and now they're even offering anti-virus software for free. I'd say they're doing fine.
Re:Economy.. (Score:4, Interesting)
not just that but it affects the services provided. For example, I know of a police force that was infected by conficker. It got everywhere. The consensus is that the company providing the mobile data interfaces was the original source of infection (but you cannot prove where conficker came from, its pervasive), and for a long while the officers on the beat had to use their handsets as mobile phones - no data, so no event updates and no communication with the CAD system.
I don't know the cost there, but they had con-sultants in from Microsoft to help clear the mess up and they weren't cheap. The infection lasted for 2 weeks, and they had reduced service for several weeks after that.
That's just for Conficker. Remember storm, sql slammer, I love you?
does require expensive support staff (Score:5, Interesting)
Fast forward. MS only produces complicated behemoths. To this day MS Windows has not completely understood it is a network OS(perhaps 7 will do it). It is no longer the case that a part time person can keep 20 machines running. And when something does happen, it can be very difficult to fix. A single event can require a complete reinstall of the OS. I've made mistakes of going to a wrong web site and had this happen on a completely up to date machine. I have allowed untrusted parties to run my MS machines and have had significant damage caused within the hour. MS machines are the dependable work horses they once were. It now requires a significant infrastructure to keep MS machines a production. The best case scenario is to treat each machine as a RAID, keeping data off the machine, and using a standard HD disk images. Doesn't this sound like the pre-MS days of the so-called inefficient mainframe. MS is worried about this and has began a defensive campaign against IBM.
I would argue that MS machines are now, overall, as expensive and inefficient as the Unix machines were when ATT tried to save themselves with the introduction of this machine [corestack.com]. This does not mean that MS does not have value, at least to legacy customers, but it may not be the best choice for startups, as Unix was the not the best choice in the late 1980's.
I can point to an exact time, around 2000, when MS became too expensive to use. It was a time whem MS would accuse paying customers of theft. Force customer to undergo intrusive and expensive audits. Require support staff to be redirected from supporting the customers need to make a profit, to the MS need to make a profit.
In light of this, I think we are going to see non-MS solution, just like we say non-ATT and non-IBM solutions. The biggest impediment to this is the easy supply of reliable naked PCs with full support to the SOHO owner. I think some companies, like Gateway, made a mistake in continuing to hook their saddle to the MS bandwagon instead of providing *nix solution for common business problems. In many cases, smart firms buy solutions, not an OS.
It's more secure because of RPM/DEB (Score:5, Interesting)
Windows has file permissions, too. Thats not the issue. The issue is more RPM/DEB and the fact that most users can install all they need through a trusted channel (yum/apt).
Re:You cannot use viruses/bugs as an example of co (Score:2, Interesting)
Citation needed? ;)
Apache is far more popular: Netcraft confirms it! [netcraft.com] Attacks, on the other hand, are probably about equal, though, IME, security hardening Apache on *nix is far easier than security hardening IIS on Windows.
Re:You cannot use viruses/bugs as an example of co (Score:3, Interesting)
It's well known that huge organizations leave stuff unpatched for long periods of time. Wasn't it reported that the US Air Force took something like 6-12 months to roll out patches? They got a unified version of XP from Microsoft to simplify patch deployment time down to 60 days.
Yikes!
Re:You cannot use viruses/bugs as an example of co (Score:3, Interesting)
Re:You cannot use viruses/bugs as an example of co (Score:4, Interesting)
Re:Sadly, I don't agree. (Score:1, Interesting)
This is the same as stating: "If linux had the number of users that microsoft windows had, it would be victim to the same number of viruses, malware, and general script kiddies" which is complete bullshit.
The user is the single biggest security hole in any system. On what basis do you justify ignoring that ?
I'm sick of hearing this argument, only a complete tool would believe it. *Nix systems are inherently more secure, due to its security model (file permissions, groups, no admin rights, etc), [...]
The Windows permissions system is both more comprehensive, and more secure, than traditional UNIX security.
[...] and to the fact that it literally forces you to not be a complete moron (security wise) while using it.
Quite the opposite. The most common way to get around security "annoyances" in UNIX is to run stuff as root. Root - by definition - completely bypasses the entire security system.
Furthermore, because of the variety of software that can be installed on each box, only the most common programs (apache, nginx, ssl, ssh, etc) would be effective targets to attack, limiting the areas an admin needs to cover.
So, just like Windows you mean ?
Due to the above, there are only certain attacks that would be effective to a *Nix system. Off the top of my head, this leaves: privilege escalation, man-in-the-middle, and social engineering (a problem everywhere, regardless of OS).
So, just like Windows then ?
In short, a Linux machine that is run by a competent administrator is MUCH more difficult to infect or attack than a Windows machine, and the parent is a moron.
A Windows machine run by a competent administrator is just as difficult to infect or attack as a similar Linux machine.
Re:You cannot use viruses/bugs as an example of co (Score:2, Interesting)
What? Bing.com using linux? (Score:3, Interesting)
Re:You cannot use viruses/bugs as an example of co (Score:1, Interesting)
I'm the curious AC from above.
I don't see "list of attacks is here, list of owned machines is there"... What is that Netcraft link supposed to mean? Yes, we all know that Apache is more popular, but I'd like to know about which web server is more secure - one running Apache, or one running IIS. I can't find that data ANYWHERE.
Re:Sadly, I don't agree. (Score:4, Interesting)
What is more likely happen if Linux comes out on top is that there will be several companies that will provide distributions that will all be different, but which all will function and (god forbid) interoperate. If such a thing comes to pass, the single attack vector for malware writers dissappears, and they will have to work significantly harder to get a smaller payoff. You know that little thing, free market? The one we almost got rid off in our desire to serve the corporate overlords?
Businesses rely on this... (Score:2, Interesting)
Re:Only Proprietary? (Score:3, Interesting)
Real world companies use NPV (Net Present Value) instead of TCO. The only reason they make comparisons in TCO terms is because free software wins in NPV.
Re:You cannot use viruses/bugs as an example of co (Score:3, Interesting)
Yeah, I've heard of Code Red. Back at a major corporation I used to work for, we got hit. Bad.
I was admin on half a dozen *NIX boxes running Apache when another admin noted the strange URLs hitting his server logs. So we all checked and found hundreds of unique IP addresses of infected NT systems trying to pass it on. Later, this number woud grow to thousands. Several of us took it upon ourselves to grep|sort|cut out a list of IP addresses and forward them to our computing security department for further action.
Some of the admins of affected systems claimed that 1) they were up to date on all "applicable" patches and 2) they could not possibly be infected, as their systems were dedicated SQL Server hosts, not running IIS (so no IIS patches need be applied). It turns out that at some point, they had enabled their web admin interfaces and, as a result, that had started IIS (quietly, in the background, without their knowledge). Worse yet, it was started in some default configuration that left their systems wide open to all sorts of unauthorized manipulation. It took several weeks of around the clock effort on the part of the NT administration staff to clean the mess up.
I did have my own fun with it. One of my systems ran Apache on Linux with Samba (server and client). I wrote a CGI with the name and path of the Code Red URL request. It returned a 404 response through Apache (as would a standard Linux system), but I had it generate a WinPopup message sent back to the offending system to the effect that it was compromised.
Re:You cannot use viruses/bugs as an example of co (Score:1, Interesting)
The table you provided does not say anythimg about the popularity of Apache. (or IIS)
It shows how often Netcraft was asked about the state of a certain server. This could mean that Apache owners are more paranoid to know whether their machine is up. This could mean nothing at all.
It certainly does NOT mean that bing.com had 1893 search requests in the last 30 days and google.com had 1068. These numbers just show how many times somebody typed the server into Netcraft's "What's that site running?" window.
What is it about statistics that makes people so confused??