The Hidden Cost of Using Microsoft Software

Glyn Moody writes "Detractors of free software like to point out it's not really 'free,' and claim that its Total Cost of Ownership is often comparable with closed-source solutions if you take everything into account. And yet, despite their enthusiasm for including all the costs, they never include a very real extra that users of Microsoft's products frequently have to pay: the cost of cleaning up malware infections. For example, the UK city of Manchester has just paid out nearly $2.5 million to clean up the Conficker worm, most of which was 'a £1.2m [$2million] bill in the IT department, including £600,000 [$1 million] getting "consultancy support" to fix the problems, which including drafting in experts from Microsoft.' To make the comparisons fair, isn't it about time these often massive costs were included in TCO calculations?"

Only Proprietary?

[Nemyst]

I don't want to sound like a detractor of free software (I actually favor FLOSS as much as I can), but it's not like Linux doesn't have any malware written for it. Sure, it's to a lesser degree, but it's still there and I'm not sure the costs of removing them are systematically calculated into the TCO either.

Other hidden costs.

[Z00L00K]

The change of the user interface in Office 2007 is one huge hidden cost. It was done to make things "easier" with the result that old users instead have to re-learn the user interface completely and have a really hard time to do even the things that were simple before.

And some things that was easy in the old Office version is now really cumbersome. The style handling in Word is one example that can make the blood pressure rise.

Troll article yes, but

[SatanicPuppy]

What the hell were they doing paying $2.5 million to clean up a worm? Seriously? Hell, you could have paid the guys who wrote it 2 million to exclude your IP range in the fricking code, and saved 500k!

Governments have got to get their crap together on this stuff. When that worm hit corporate here, in luddite central, the number of effected machines was under 30...For the entire corporation! And that's with all properties connected by a corporate WAN.

That they had that level of infection is inexcusable. Shows that they're just wasting money right and left and getting nothing but a crap product.

Re:It is the hacker's mentality.

[maxume]

You are confused. At this point, the typical 'hacker' works on whatever systems he thinks he can make the most botnet money from.

Re:It's fun to dump on MSFT

[sofar]

Not necessarily, it points out that consultants (often independent companies) are wrongly evaluating software contract offers.

That's a big problem, not just for Microsoft, but especially for large organizations and the companies that evaluate these offers for them. No bashing there.

Re:You cannot use viruses/bugs as an example of co

[malevolentjelly]

Last I heard, the most commonly hacked webserver was Apache/Linux. A secure legacy won't protect you forever... now that it's popular, the poor security practices in the platform are beginning to be exploited...

I would say Microsoft is rather catching up and surpassing the linux platform in security, given the recent figures.

There is almost no anti-exploit code in linux, anyway, so once you're through the security, you know exactly where you are and what you're doing. Microsoft has a tremendous advantage, having been targeted for years... their level of defense is now much higher. They withstand attacks the linux platform could never find the resources to repel.

So the cost Microsoft has spent weathering this will reduce the TCO of all their users... and now they're even offering anti-virus software for free. I'd say they're doing fine.

Re:Economy..

[gbjbaanb]

not just that but it affects the services provided. For example, I know of a police force that was infected by conficker. It got everywhere. The consensus is that the company providing the mobile data interfaces was the original source of infection (but you cannot prove where conficker came from, its pervasive), and for a long while the officers on the beat had to use their handsets as mobile phones - no data, so no event updates and no communication with the CAD system.

I don't know the cost there, but they had con-sultants in from Microsoft to help clear the mess up and they weren't cheap. The infection lasted for 2 weeks, and they had reduced service for several weeks after that.

That's just for Conficker. Remember storm, sql slammer, I love you?

does require expensive support staff

[fermion]

Way back when, MS got itself into businesses by being cheaper than Unix. Seriously. I worked on a vertical application solution and the MS solution was cheaper than 1/3. For a small business, this was significant. We had no problem paying the money, as we were going to make money, but there seemed little reason to be little reason to spend the money just to get the (declining) industry standard solution. Add to this that, at that time, MS OS was a reletively simple structure and basically any minimal competent person could set it up, the MS solution would end up being an order of magnitude cheaper.

Fast forward. MS only produces complicated behemoths. To this day MS Windows has not completely understood it is a network OS(perhaps 7 will do it). It is no longer the case that a part time person can keep 20 machines running. And when something does happen, it can be very difficult to fix. A single event can require a complete reinstall of the OS. I've made mistakes of going to a wrong web site and had this happen on a completely up to date machine. I have allowed untrusted parties to run my MS machines and have had significant damage caused within the hour. MS machines are the dependable work horses they once were. It now requires a significant infrastructure to keep MS machines a production. The best case scenario is to treat each machine as a RAID, keeping data off the machine, and using a standard HD disk images. Doesn't this sound like the pre-MS days of the so-called inefficient mainframe. MS is worried about this and has began a defensive campaign against IBM.

I would argue that MS machines are now, overall, as expensive and inefficient as the Unix machines were when ATT tried to save themselves with the introduction of this machine [corestack.com]. This does not mean that MS does not have value, at least to legacy customers, but it may not be the best choice for startups, as Unix was the not the best choice in the late 1980's.

I can point to an exact time, around 2000, when MS became too expensive to use. It was a time whem MS would accuse paying customers of theft. Force customer to undergo intrusive and expensive audits. Require support staff to be redirected from supporting the customers need to make a profit, to the MS need to make a profit.

In light of this, I think we are going to see non-MS solution, just like we say non-ATT and non-IBM solutions. The biggest impediment to this is the easy supply of reliable naked PCs with full support to the SOHO owner. I think some companies, like Gateway, made a mistake in continuing to hook their saddle to the MS bandwagon instead of providing *nix solution for common business problems. In many cases, smart firms buy solutions, not an OS.

It's more secure because of RPM/DEB

[Nicolas MONNET]

Windows has file permissions, too. Thats not the issue. The issue is more RPM/DEB and the fact that most users can install all they need through a trusted channel (yum/apt).

Re:You cannot use viruses/bugs as an example of co

[morgan_greywolf]

You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.

Citation needed? ;)

Apache is far more popular: Netcraft confirms it! [netcraft.com] Attacks, on the other hand, are probably about equal, though, IME, security hardening Apache on *nix is far easier than security hardening IIS on Windows.

Re:You cannot use viruses/bugs as an example of co

[BikeHelmet]

It's well known that huge organizations leave stuff unpatched for long periods of time. Wasn't it reported that the US Air Force took something like 6-12 months to roll out patches? They got a unified version of XP from Microsoft to simplify patch deployment time down to 60 days.

Yikes!

Re:You cannot use viruses/bugs as an example of co

[wheeda]

The company I work for tried switching. I really sucked. I submitted countless tickets to the IT department to fix printing and pdf. Yes linux can print some stuff. Yes linux can open some pdfs. But doing out of the ordinary things like trying to print an A3 pdf landscape apparently rarely gets tested. Not being able to set printing defaults across all applications really is stupid (ubuntu). I would have gladly paid the microsoft tax out of my own pocket just to get the satisfaction of actually being able to get some of the most basic functions of my electrical engineering job done.

Re:You cannot use viruses/bugs as an example of co

[snowraver1]

Further to that, bing.com has more views than google. Also, what the hell is tooooop.net?

Re:Sadly, I don't agree.

[drsmithy]

This is the same as stating: "If linux had the number of users that microsoft windows had, it would be victim to the same number of viruses, malware, and general script kiddies" which is complete bullshit.

The user is the single biggest security hole in any system. On what basis do you justify ignoring that ?

I'm sick of hearing this argument, only a complete tool would believe it. *Nix systems are inherently more secure, due to its security model (file permissions, groups, no admin rights, etc), [...]

The Windows permissions system is both more comprehensive, and more secure, than traditional UNIX security.

[...] and to the fact that it literally forces you to not be a complete moron (security wise) while using it.

Quite the opposite. The most common way to get around security "annoyances" in UNIX is to run stuff as root. Root - by definition - completely bypasses the entire security system.

Furthermore, because of the variety of software that can be installed on each box, only the most common programs (apache, nginx, ssl, ssh, etc) would be effective targets to attack, limiting the areas an admin needs to cover.

So, just like Windows you mean ?

Due to the above, there are only certain attacks that would be effective to a *Nix system. Off the top of my head, this leaves: privilege escalation, man-in-the-middle, and social engineering (a problem everywhere, regardless of OS).

So, just like Windows then ?

In short, a Linux machine that is run by a competent administrator is MUCH more difficult to infect or attack than a Windows machine, and the parent is a moron.

A Windows machine run by a competent administrator is just as difficult to infect or attack as a similar Linux machine.

Re:You cannot use viruses/bugs as an example of co

[Darkness404]

Ever heard of a mass Apache exploit that was exploited in the wild? I doubt it. But ever heard of Code Red? There has been no massive exploit of Apache systems in the way that MS systems have been routinely compromised with the various worms such as Code Red, Nimda, and Code Red II.

What? Bing.com using linux?

[140Mandak262Jamuna]

The netcraft link shows Bing.com using linux. Really? Quite surprising. Microsoft wants to take on google, and it could not/would not do it with windows boxes?

Re:You cannot use viruses/bugs as an example of co

[Anonymous Coward]

I'm the curious AC from above.

I don't see "list of attacks is here, list of owned machines is there"... What is that Netcraft link supposed to mean? Yes, we all know that Apache is more popular, but I'd like to know about which web server is more secure - one running Apache, or one running IIS. I can't find that data ANYWHERE.

Re:Sadly, I don't agree.

[NoOneInParticular]

Your entire argument hinges on the assumption that an OS is a natural monopoly. This is flat-out false: Google doesn't need to run Windows to serve search-results, banks don't need to run Windows to perform transactions, people don't need to run Windows to create and share documents.

What is more likely happen if Linux comes out on top is that there will be several companies that will provide distributions that will all be different, but which all will function and (god forbid) interoperate. If such a thing comes to pass, the single attack vector for malware writers dissappears, and they will have to work significantly harder to get a smaller payoff. You know that little thing, free market? The one we almost got rid off in our desire to serve the corporate overlords?

Businesses rely on this...

[npoczynek]

I had an interview at Geek Squad back at the beginning of summer. I didn't do well - and I'm rather glad. One of his questions was what I thought of free software. Being a naive young lad who has never worked in sales, I foolishly stated my position. I told him that I think it has a lot of advantages, and have often used free alternatives and/or open source software. His response to this - "How hard would you work for free?" It was a little shocking how he completely disregarded the benefits of the free software community. He then made it very clear that Geek Squad employees who mention free software to customers are often at risk of being fired. I can only imagine that this "hidden cost" referred to in TFA is far from hidden in the eyes of places like Best Buy. If people knew about all this cool free stuff that was out there, who would you rip off? Where would you find spyware-infested PCs that you can charge an arm and a leg to fix?

Re:Only Proprietary?

[charlieman]

Real world companies use NPV (Net Present Value) instead of TCO. The only reason they make comparisons in TCO terms is because free software wins in NPV.

Re:You cannot use viruses/bugs as an example of co

[PPH]

Yeah, I've heard of Code Red. Back at a major corporation I used to work for, we got hit. Bad.

I was admin on half a dozen *NIX boxes running Apache when another admin noted the strange URLs hitting his server logs. So we all checked and found hundreds of unique IP addresses of infected NT systems trying to pass it on. Later, this number woud grow to thousands. Several of us took it upon ourselves to grep|sort|cut out a list of IP addresses and forward them to our computing security department for further action.

Some of the admins of affected systems claimed that 1) they were up to date on all "applicable" patches and 2) they could not possibly be infected, as their systems were dedicated SQL Server hosts, not running IIS (so no IIS patches need be applied). It turns out that at some point, they had enabled their web admin interfaces and, as a result, that had started IIS (quietly, in the background, without their knowledge). Worse yet, it was started in some default configuration that left their systems wide open to all sorts of unauthorized manipulation. It took several weeks of around the clock effort on the part of the NT administration staff to clean the mess up.

I did have my own fun with it. One of my systems ran Apache on Linux with Samba (server and client). I wrote a CGI with the name and path of the Code Red URL request. It returned a 404 response through Apache (as would a standard Linux system), but I had it generate a WinPopup message sent back to the offending system to the effect that it was compromised.

Re:You cannot use viruses/bugs as an example of co

[Anonymous Coward]

The table you provided does not say anythimg about the popularity of Apache. (or IIS)

It shows how often Netcraft was asked about the state of a certain server. This could mean that Apache owners are more paranoid to know whether their machine is up. This could mean nothing at all.

It certainly does NOT mean that bing.com had 1893 search requests in the last 30 days and google.com had 1068. These numbers just show how many times somebody typed the server into Netcraft's "What's that site running?" window.

What is it about statistics that makes people so confused??