The Hidden Cost of Using Microsoft Software

Glyn Moody writes "Detractors of free software like to point out it's not really 'free,' and claim that its Total Cost of Ownership is often comparable with closed-source solutions if you take everything into account. And yet, despite their enthusiasm for including all the costs, they never include a very real extra that users of Microsoft's products frequently have to pay: the cost of cleaning up malware infections. For example, the UK city of Manchester has just paid out nearly $2.5 million to clean up the Conficker worm, most of which was 'a £1.2m [$2million] bill in the IT department, including £600,000 [$1 million] getting "consultancy support" to fix the problems, which included drafting in experts from Microsoft.' To make the comparisons fair, isn't it about time these often massive costs were included in TCO calculations?"
  • Only Proprietary? (Score:3, Interesting)

    by Nemyst (1383049) on Tuesday June 30, 2009 @03:41PM (#28533533) Homepage
    I don't want to sound like a detractor of free software (I actually favor FLOSS as much as I can), but it's not like Linux doesn't have any malware written for it. Sure, it's to a lesser degree, but it's still there and I'm not sure the costs of removing them are systematically calculated into the TCO either.
  • Other hidden costs. (Score:5, Interesting)

    by Z00L00K (682162) on Tuesday June 30, 2009 @03:44PM (#28533573) Homepage

    The change of the user interface in Office 2007 is one huge hidden cost. It was done to make things "easier" with the result that old users instead have to re-learn the user interface completely and have a really hard time to do even the things that were simple before.

    And some things that were easy in the old Office version are now really cumbersome. The style handling in Word is one example that can make the blood pressure rise.

  • by SatanicPuppy (611928) * on Tuesday June 30, 2009 @03:46PM (#28533603) Journal

    What the hell were they doing paying $2.5 million to clean up a worm? Seriously? Hell, you could have paid the guys who wrote it 2 million to exclude your IP range in the fricking code, and saved 500k!

    Governments have got to get their crap together on this stuff. When that worm hit corporate here, in luddite central, the number of affected machines was under 30...For the entire corporation! And that's with all properties connected by a corporate WAN.

    That they had that level of infection is inexcusable. Shows that they're just wasting money right and left and getting nothing but a crap product.

  • by maxume (22995) on Tuesday June 30, 2009 @03:57PM (#28533783)

    You are confused. At this point, the typical 'hacker' works on whatever systems he thinks he can make the most botnet money from.

  • by sofar (317980) on Tuesday June 30, 2009 @03:59PM (#28533813) Homepage

    Not necessarily, it points out that consultants (often independent companies) are wrongly evaluating software contract offers.

    That's a big problem, not just for Microsoft, but especially for large organizations and the companies that evaluate these offers for them. No bashing there.

  • by malevolentjelly (1057140) on Tuesday June 30, 2009 @04:07PM (#28533929) Journal

    Last I heard, the most commonly hacked webserver was Apache/Linux. A secure legacy won't protect you forever... now that it's popular, the poor security practices in the platform are beginning to be exploited...

    I would say Microsoft is rather catching up and surpassing the linux platform in security, given the recent figures.

    There is almost no anti-exploit code in linux, anyway, so once you're through the security, you know exactly where you are and what you're doing. Microsoft has a tremendous advantage, having been targeted for years... their level of defense is now much higher. They withstand attacks the linux platform could never find the resources to repel.

    So the cost Microsoft has spent weathering this will reduce the TCO of all their users... and now they're even offering anti-virus software for free. I'd say they're doing fine.

  • Re:Economy.. (Score:4, Interesting)

    by gbjbaanb (229885) on Tuesday June 30, 2009 @04:12PM (#28533985)

    Not just that, but it affects the services provided. For example, I know of a police force that was infected by conficker. It got everywhere. The consensus is that the company providing the mobile data interfaces was the original source of infection (but you cannot prove where conficker came from, it's pervasive), and for a long while the officers on the beat had to use their handsets as mobile phones - no data, so no event updates and no communication with the CAD system.

    I don't know the cost there, but they had consultants in from Microsoft to help clear the mess up and they weren't cheap. The infection lasted for 2 weeks, and they had reduced service for several weeks after that.

    That's just for Conficker. Remember storm, sql slammer, I love you?

  • by fermion (181285) on Tuesday June 30, 2009 @04:18PM (#28534099) Homepage Journal
    Way back when, MS got itself into businesses by being cheaper than Unix. Seriously. I worked on a vertical application solution and the MS solution was cheaper than 1/3. For a small business, this was significant. We had no problem paying the money, as we were going to make money, but there seemed little reason to spend the money just to get the (declining) industry standard solution. Add to this that, at that time, MS OS was a relatively simple structure and basically any minimally competent person could set it up, the MS solution would end up being an order of magnitude cheaper.

    Fast forward. MS only produces complicated behemoths. To this day MS Windows has not completely understood it is a network OS (perhaps 7 will do it). It is no longer the case that a part time person can keep 20 machines running. And when something does happen, it can be very difficult to fix. A single event can require a complete reinstall of the OS. I've made mistakes of going to a wrong web site and had this happen on a completely up to date machine. I have allowed untrusted parties to run my MS machines and have had significant damage caused within the hour. MS machines are the dependable work horses they once were. It now requires a significant infrastructure to keep MS machines in production. The best case scenario is to treat each machine as a RAID, keeping data off the machine, and using a standard HD disk images. Doesn't this sound like the pre-MS days of the so-called inefficient mainframe. MS is worried about this and has begun a defensive campaign against IBM.

    I would argue that MS machines are now, overall, as expensive and inefficient as the Unix machines were when ATT tried to save themselves with the introduction of this machine. This does not mean that MS does not have value, at least to legacy customers, but it may not be the best choice for startups, as Unix was not the best choice in the late 1980's.

    I can point to an exact time, around 2000, when MS became too expensive to use. It was a time when MS would accuse paying customers of theft. Force customer to undergo intrusive and expensive audits. Require support staff to be redirected from supporting the customers need to make a profit, to the MS need to make a profit.

    In light of this, I think we are going to see non-MS solution, just like we saw non-ATT and non-IBM solutions. The biggest impediment to this is the easy supply of reliable naked PCs with full support to the SOHO owner. I think some companies, like Gateway, made a mistake in continuing to hook their saddle to the MS bandwagon instead of providing *nix solution for common business problems. In many cases, smart firms buy solutions, not an OS.

  • by Nicolas MONNET (4727) <nicoaltiva AT gmail DOT com> on Tuesday June 30, 2009 @04:19PM (#28534109) Journal

    Windows has file permissions, too. That's not the issue. The issue is more RPM/DEB and the fact that most users can install all they need through a trusted channel (yum/apt).

  • by morgan_greywolf (835522) on Tuesday June 30, 2009 @04:26PM (#28534207) Homepage Journal

    You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.

    Citation needed? ;)

    Apache is far more popular: Netcraft confirms it! Attacks, on the other hand, are probably about equal, though, IME, security hardening Apache on *nix is far easier than security hardening IIS on Windows.

  • by BikeHelmet (1437881) on Tuesday June 30, 2009 @04:30PM (#28534269) Journal

    It's well known that huge organizations leave stuff unpatched for long periods of time. Wasn't it reported that the US Air Force took something like 6-12 months to roll out patches? They got a unified version of XP from Microsoft to simplify patch deployment time down to 60 days.


  • by wheeda (520016) on Tuesday June 30, 2009 @04:31PM (#28534285)
    The company I work for tried switching. It really sucked. I submitted countless tickets to the IT department to fix printing and pdf. Yes linux can print some stuff. Yes linux can open some pdfs. But doing out of the ordinary things like trying to print an A3 pdf landscape apparently rarely gets tested. Not being able to set printing defaults across all applications really is stupid (ubuntu). I would have gladly paid the microsoft tax out of my own pocket just to get the satisfaction of actually being able to get some of the most basic functions of my electrical engineering job done.
  • by snowraver1 (1052510) on Tuesday June 30, 2009 @04:42PM (#28534451)
    Further to that, has more views than google. Also, what the hell is
  • by drsmithy (35869) <drsmithy AT gmail DOT com> on Tuesday June 30, 2009 @04:43PM (#28534463)

    This is the same as stating: "If linux had the number of users that microsoft windows had, it would be victim to the same number of viruses, malware, and general script kiddies" which is complete bullshit.

    The user is the single biggest security hole in any system. On what basis do you justify ignoring that ?

    I'm sick of hearing this argument, only a complete tool would believe it. *Nix systems are inherently more secure, due to its security model (file permissions, groups, no admin rights, etc), [...]

    The Windows permissions system is both more comprehensive, and more secure, than traditional UNIX security.

    [...] and to the fact that it literally forces you to not be a complete moron (security wise) while using it.

    Quite the opposite. The most common way to get around security "annoyances" in UNIX is to run stuff as root. Root - by definition - completely bypasses the entire security system.

    Furthermore, because of the variety of software that can be installed on each box, only the most common programs (apache, nginx, ssl, ssh, etc) would be effective targets to attack, limiting the areas an admin needs to cover.

    So, just like Windows you mean ?

    Due to the above, there are only certain attacks that would be effective to a *Nix system. Off the top of my head, this leaves: privilege escalation, man-in-the-middle, and social engineering (a problem everywhere, regardless of OS).

    So, just like Windows then ?

    In short, a Linux machine that is run by a competent administrator is MUCH more difficult to infect or attack than a Windows machine, and the parent is a moron.

    A Windows machine run by a competent administrator is just as difficult to infect or attack as a similar Linux machine.

  • by Darkness404 (1287218) on Tuesday June 30, 2009 @04:52PM (#28534605)
    Ever heard of a mass Apache exploit that was exploited in the wild? I doubt it. But ever heard of Code Red? There has been no massive exploit of Apache systems in the way that MS systems have been routinely compromised with the various worms such as Code Red, Nimda, and Code Red II.
  • by 140Mandak262Jamuna (970587) on Tuesday June 30, 2009 @04:53PM (#28534615) Journal
    The netcraft link shows using linux. Really? Quite surprising. Microsoft wants to take on google, and it could not/would not do it with windows boxes?
  • by Anonymous Coward on Tuesday June 30, 2009 @04:58PM (#28534703)

    I'm the curious AC from above.

    I don't see "list of attacks is here, list of owned machines is there"... What is that Netcraft link supposed to mean? Yes, we all know that Apache is more popular, but I'd like to know about which web server is more secure - one running Apache, or one running IIS. I can't find that data ANYWHERE.

  • by NoOneInParticular (221808) on Tuesday June 30, 2009 @05:38PM (#28535149)
    Your entire argument hinges on the assumption that an OS is a natural monopoly. This is flat-out false: Google doesn't need to run Windows to serve search-results, banks don't need to run Windows to perform transactions, people don't need to run Windows to create and share documents.

    What is more likely to happen if Linux comes out on top is that there will be several companies that will provide distributions that will all be different, but which all will function and (god forbid) interoperate. If such a thing comes to pass, the single attack vector for malware writers disappears, and they will have to work significantly harder to get a smaller payoff. You know that little thing, free market? The one we almost got rid of in our desire to serve the corporate overlords?

  • by npoczynek (1259228) on Tuesday June 30, 2009 @06:01PM (#28535381)
    I had an interview at Geek Squad back at the beginning of summer. I didn't do well - and I'm rather glad. One of his questions was what I thought of free software. Being a naive young lad who has never worked in sales, I foolishly stated my position. I told him that I think it has a lot of advantages, and have often used free alternatives and/or open source software. His response to this - "How hard would you work for free?" It was a little shocking how he completely disregarded the benefits of the free software community. He then made it very clear that Geek Squad employees who mention free software to customers are often at risk of being fired. I can only imagine that this "hidden cost" referred to in TFA is far from hidden in the eyes of places like Best Buy. If people knew about all this cool free stuff that was out there, who would you rip off? Where would you find spyware-infested PCs that you can charge an arm and a leg to fix?
  • Re:Only Proprietary? (Score:3, Interesting)

    by charlieman (972526) on Tuesday June 30, 2009 @06:04PM (#28535413)

    Real world companies use NPV (Net Present Value) instead of TCO. The only reason they make comparisons in TCO terms is because free software wins in NPV.

  • by PPH (736903) on Tuesday June 30, 2009 @06:07PM (#28535453)

    Yeah, I've heard of Code Red. Back at a major corporation I used to work for, we got hit. Bad.

    I was admin on half a dozen *NIX boxes running Apache when another admin noted the strange URLs hitting his server logs. So we all checked and found hundreds of unique IP addresses of infected NT systems trying to pass it on. Later, this number would grow to thousands. Several of us took it upon ourselves to grep|sort|cut out a list of IP addresses and forward them to our computing security department for further action.

    Some of the admins of affected systems claimed that 1) they were up to date on all "applicable" patches and 2) they could not possibly be infected, as their systems were dedicated SQL Server hosts, not running IIS (so no IIS patches need be applied). It turns out that at some point, they had enabled their web admin interfaces and, as a result, that had started IIS (quietly, in the background, without their knowledge). Worse yet, it was started in some default configuration that left their systems wide open to all sorts of unauthorized manipulation. It took several weeks of around the clock effort on the part of the NT administration staff to clean the mess up.

    I did have my own fun with it. One of my systems ran Apache on Linux with Samba (server and client). I wrote a CGI with the name and path of the Code Red URL request. It returned a 404 response through Apache (as would a standard Linux system), but I had it generate a WinPopup message sent back to the offending system to the effect that it was compromised.
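
The grep|sort|cut triage described in the comment above, as an added example that is not part of the original thread or the commenter's own script. It assumes Apache common log format and matches requests for `/default.ida`, the widely documented Code Red probe path (the comment does not give the URL); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the client IPs that sent Code Red style probes,
# with a hit count per address, for hand-off to a security team.

# Constructed sample access log (documentation IP ranges, shortened
# filler in the query string; real probes carried a much longer one).
make_sample_log() {
    cat <<'EOF'
192.0.2.10 - - [19/Jul/2001:14:02:11 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [19/Jul/2001:14:05:40 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [19/Jul/2001:14:06:02 -0700] "GET /index.html HTTP/1.1" 200 1043
203.0.113.45 - - [05/Aug/2001:09:14:27 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [05/Aug/2001:09:15:00 -0700] "GET /docs/default.ida.html HTTP/1.1" 200 512
192.0.2.10 - - [05/Aug/2001:09:16:13 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
EOF
}

# Print "count ip" for every client that requested /default.ida,
# busiest source first. $1 is the path to an access log.
code_red_sources() {
    # Anchor on the opening quote and method so that a page that merely
    # contains "default.ida" in its path (line 5 above) is not counted.
    grep -E '"[A-Z]+ /default\.ida(\?| )' "$1" |
        cut -d' ' -f1 |                 # client IP is the first field
        sort | uniq -c |                # collapse to one line per IP
        awk '{ print $1, $2 }' |        # strip uniq's padding
        sort -k1,1nr -k2,2              # by count, then by address
}

# Stand-alone run over the constructed sample.
log=$(mktemp)
make_sample_log > "$log"
code_red_sources "$log"
rm -f "$log"
```

The 404 status in the sample reflects what the comment reports for a non-IIS server: the probe fails, but the log line still identifies the infected sender.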

  • by Anonymous Coward on Wednesday July 01, 2009 @05:21AM (#28539955)

    The table you provided does not say anything about the popularity of Apache. (or IIS)

    It shows how often Netcraft was asked about the state of a certain server. This could mean that Apache owners are more paranoid to know whether their machine is up. This could mean nothing at all.

    It certainly does NOT mean that had 1893 search requests in the last 30 days and had 1068. These numbers just show how many times somebody typed the server into Netcraft's "What's that site running?" window.

    What is it about statistics that makes people so confused??
