Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Hidden Cost of Using Microsoft Software

kdawson posted about 5 years ago | from the badware-tax dept.

Microsoft 691

Glyn Moody writes "Detractors of free software like to point out it's not really 'free,' and claim that its Total Cost of Ownership is often comparable with closed-source solutions if you take everything into account. And yet, despite their enthusiasm for including all the costs, they never include a very real extra that users of Microsoft's products frequently have to pay: the cost of cleaning up malware infections. For example, the UK city of Manchester has just paid out nearly $2.5 million to clean up the Conficker worm, most of which was 'a £1.2m [$2million] bill in the IT department, including £600,000 [$1 million] getting "consultancy support" to fix the problems, which including drafting in experts from Microsoft.' To make the comparisons fair, isn't it about time these often massive costs were included in TCO calculations?"

cancel ×

691 comments

Hear hear! (5, Informative)

Anonymous Coward | about 5 years ago | (#28533495)

For example: The State of Vermont's Agency of Human Services just went through a similar exercise and I'm sure it cost them a fortune. The state is suffering financially as it is and yet, we haven't heard a WORD (there really isn't any investigative news in VT) about the outcome or how much it is costing

You cannot use viruses/bugs as an example of cost (0, Flamebait)

Hubbell (850646) | about 5 years ago | (#28533515)

Due to the fact that windows has had a 90+% marketshare since the dawn of time, do you really think people are gonna waste time writing viruses for the 6 people using a mac or the 2 people using linux? No, they aren't. It's cost benefit analysis at it's finest, they're aiming for the larger audience, just as they are doing now with firefox which was claimed to be 893589023x more secure than IE, but as soon as it gained popularity the bugs/exploits came out of the woodwork like fucking crazy.

I personally use windows, and prefer windows, and since XP came out have never had a problem with it myself. The biggest problem with computers is they're technical machines which lend themselves to needing to have technical knowledge in order to use one safely/correctly....which the majority of people do not have.

Re:You cannot use viruses/bugs as an example of co (5, Informative)

WilyCoder (736280) | about 5 years ago | (#28533549)

You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.

Re:You cannot use viruses/bugs as an example of co (4, Insightful)

Anonymous Coward | about 5 years ago | (#28533643)

You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.

Citation needed? ;)

Seriously, some data would be nice.

Re:You cannot use viruses/bugs as an example of co (5, Informative)

ground.zero.612 (1563557) | about 5 years ago | (#28533971)

You might have a point.... except that Apache is far more popular than IIS and yet IIS is the one routinely attacked.

Citation needed? ;)

Seriously, some data would be nice.

http://uptime.netcraft.com/up/today/requested.html [netcraft.com]

Re:You cannot use viruses/bugs as an example of co (5, Insightful)

Z00L00K (682162) | about 5 years ago | (#28533693)

Probably because when the web server is IIS it's always the same operating system platform behind, which in turn means that as soon as a breakthrough occurs it's often easy to continue with the penetration.

On an Apache web server you can't tell what kind of platform it runs on, which means that an attack that works on one server may be completely useless on another.

Re:You cannot use viruses/bugs as an example of co (1, Insightful)

Anonymous Coward | about 5 years ago | (#28533719)

Please point out a recent remote exploit bug in IIS. As far as I know, there hasn't been one in years.

Re:You cannot use viruses/bugs as an example of co (0)

Anonymous Coward | about 5 years ago | (#28533833)

I find it hard to compare Apache IIS and XP Linux because generally they are targetting a difference audiences.

Re:You cannot use viruses/bugs as an example of co (0)

Anonymous Coward | about 5 years ago | (#28533849)

Alright... do you see a ton of enterprise level applications and/or large target websites which run Apache? I am willing to bet that most high priority targets use IIS. I am not saying all websites out there who are a 'high priority' target (Banks and what not) use IIS but there is probably more of them since they put trust in Microsoft. Just like people buy IBM products, because they trust IBM.

Re:You cannot use viruses/bugs as an example of co (1, Interesting)

malevolentjelly (1057140) | about 5 years ago | (#28533929)

Last I heard, the most commonly hacked webserver was Apache/Linux. A secure legacy won't protect you forever... now that it's popular, the poor security practices in the platform are beginning to be exploited...

I would say Microsoft is rather catching up and surpassing the linux platform in security, given the recent figures.

There is almost no anti-exploit code in linux, anyway, so once you're through the security, you know exactly where you are and what you're doing. Microsoft has a tremendous advantage, having been targeted for years... their level of defense is now much higher. They withstand attacks the linux platform could never find the resources to repel.

So the cost Microsoft has spent weathering this will reduce the TCO of all their users... and now they're even offering anti-virus software for free. I'd say they're doing fine.

Re:You cannot use viruses/bugs as an example of co (0)

Anonymous Coward | about 5 years ago | (#28534013)

http://www.search-this.com/2007/06/27/microsoft-iis-vs-apache-who-serves-more/

Re:You cannot use viruses/bugs as an example of co (5, Insightful)

gurps_npc (621217) | about 5 years ago | (#28533631)

Wrong. Just because there is a logical REASON for Microsoft to have more viruses/bugs than Linux does NOT mean that you should not include such costs when considering whether or not to use Linux.

Yes, your complaint would apply if the entire world was considering switching from Microsoft to Linux. But when I advise my boss about the comparitive costs of using MS or of Linux, I would be foolish to refuse to include costs related to viruses simply because if in a mythical world where people used Linux more than MS then in that mysthical world the virus cost would be lower for Microsoft.

As a busineman, I must live in the real world and base my costs on reality, not your dream world. In reality, currently, Linux has lower virus related costs and I there MUST include the cost to deal with such problems when calculating the lifetime cost of software.

Re:You cannot use viruses/bugs as an example of co (-1, Offtopic)

flux00 (1580723) | about 5 years ago | (#28533937)

How do I mark this post down for not making sense? Why does this post have a 5?

Re:You cannot use viruses/bugs as an example of co (1, Offtopic)

ragethehotey (1304253) | about 5 years ago | (#28534039)

since it's universally agreed upon that users / admins had plenty of time to patch the systems before conflicker hit, does this mean I should include the cost of water damage to my possessions when I leave my windows open during a hurricane that I knew was coming?

Re:You cannot use viruses/bugs as an example of co (5, Insightful)

Anonymous Coward | about 5 years ago | (#28533655)

I am not following your argument, since windows has a higher market share than FOSS solutions it is exempt from malware removal costs? I think the point of the article is that while CSS vendors tout that FOSS solutions are not 'free' in terms of TCO, they neglect this cost that affects them more heavily than the completion.

I don't think the reason behind them having the higher cost (higher market share) is relevant. It is a cost, and they have a disproportionately large percent of it, admittedly for a quite valid reason.

Re:You cannot use viruses/bugs as an example of co (3, Insightful)

plague3106 (71849) | about 5 years ago | (#28533899)

I am not following your argument, since windows has a higher market share than FOSS solutions it is exempt from malware removal costs?

Not that its exempt, its that should people target Linux as much, the figure would likely be the same.

Also, if you keep up with security patches (like you should, regardless of OS), it becomes a non-issue. This is really just FUD aimed at MS, using 2001 "MS is insecure" arguements which are no longer true today.

Re:You cannot use viruses/bugs as an example of co (0, Offtopic)

Spike15 (1023769) | about 5 years ago | (#28533669)

I was about to come in here and post something almost identical to what you said.

I'm kind of upset that I don't have mod points so I can't mod what you said insightful. It's 100% true. People who bash Microsoft for malware are total uninformed idiots, and they make themselves look it by bashing Microsoft thusly. I work in IT, in a 100% Windows shop (the only non-Windows we have is ESX running under multiple Windows installs) and we simply do not have any problems with any form of malware, at all. It's all about taking precautions. I guarantee you that no matter what OS you run, you're going to run into problems if you don't take precautions to protect your software from malicious code.

Sure, you may cut down on these malicious code problems by switch to a non-Windows platform (the smaller the market share the logically fewer malware coders for that platform), but you also have to take into account the downside of using software et al. that isn't innately and intrinsically compatible with what 90%+ of people are running. Of course you can bring up examples of inter-compatibility and interoperability, but the fact-of-the-matter is, is that nothing plays as nice with Windows as Windows. SAMBA doesn't play as nice with AD as Windows does, and WINE doesn't run Windows apps as well as Windows does.

As for these people cleaning up Conficker...talk about a bad example! The vulnerability that Conficker takes advantage of has been patched for what...8 months now? People really still have or are getting this worm? Big shops are still allowing their computers to get this worm? I wouldn't be complaining about the malware or the cost of removing it, I'd be firing the IT department en masse and finding people who aren't totally incompetent -- I have a mother who is totally computer-illiterate -- she can't even open files on her own -- and she doesn't have Conficker because I set her Windows updates to do themselves automatically.

That is how easy THAT is. Considering you anti-M$ people like to accuse the people in Redmond of throwing FUD around, you sure are happy and obvious about being total hypocrites, aren't you?

Re:You cannot use viruses/bugs as an example of co (1)

h4rr4r (612664) | about 5 years ago | (#28533819)

This is totally offtopic, cost is the only thing this is about, not why that cost exists.

Re:You cannot use viruses/bugs as an example of co (1)

Spike15 (1023769) | about 5 years ago | (#28533933)

This is totally offtopic, cost is the only thing this is about, not why that cost exists.

Of course that is what it is about on a fundamental level, but you have to look deeper into the problem(s). For example, why was this problem experienced? The answer is, is that it's because the IT staff obviously were not on top of the maintenance of the computers. Rolling out Windows Updates is not a difficult task, computers can be set to do it themselves, or you can use a centralized roll-out system like WSUS.

This is relevant because the exploit that Conficker takes advantage of was patched by Microsoft in October 2008. The first variant of Conficker was not even discovered until November 2008, so any IT shop that stayed on top of their updates should've never even experienced a window-of-opportunity to be infected.

The moral of the story here is that bad IT practices lead to costly mistakes. This is true under Linux or Windows or any other OS, and therefore this is a bad example, and that's why discussion of the reasons for the cost existing are relevant, since the reasons that the cost exists negates any argument against Microsoft stemming from this particular "example".

Re:You cannot use viruses/bugs as an example of co (0)

plague3106 (71849) | about 5 years ago | (#28533935)

Uh, no its not. Would it be fair to include the cost of frequent breakdowns of Hondas because you're including all those that fail to do even basic maintence? No, you wouldn't include those costs, because you're not properly maintaining the car.. just like malware is spread by people not maintaining their computers.

Re:You cannot use viruses/bugs as an example of co (1, Insightful)

Anonymous Coward | about 5 years ago | (#28533775)

so lets see, first you use the typical popularity argument and then follow it up with a personal anecdote.. This does not disprove the article's point. Whether it's due to popularity or bad engineering (or both!! who'd a thunk?), cleaning up after malware attacks IS a large expense when running a windows shop. AV is largely a snake-oil concept at this point. it catches some, but not all attacks, and it's expensive and taxing on clients. long gone are the days of simple, easily detectable boot sector and TSR hook viruses of MSDOS.

Windows is uspposedly DESIGNED for the non technical user though.. If it cannot withstand said abuse (by being maintainable and secure without simply reinstalling), then it fails in its purpose. Usually windows fanboys are the ones saying $NON_WINDOWS_OS is too difficult and that's why it'll never succeed. I have yet to find an OS as unfixable as windows once it gets mangled...and it allows this to happen so easily!

Re:You cannot use viruses/bugs as an example of co (1, Insightful)

dedazo (737510) | about 5 years ago | (#28534031)

I'm sorry you were modded troll, but maybe you didn't express your point correctly. Let me give it a try.

One of the companies I consult for has something like 30,000 desktops. They were not affected by Conficker in any way shape or form. In fact, I think they were bitten by the "anna kournikova" thing back in 2000 or 2001, and never again had any problems with worms or viruses.

How is this possible? I don't know. Maybe some common sense was involved.

But the premise of this article is that this company - and indeed, every other company in the planet that uses Windows but doesn't have these problems - should factor into their operation of Windows a "hidden" cost that simply does not apply to them.

That's clever, isn't it? It's a great argument, assuming you have the IQ of a sponge to begin with.

I love /. (1, Troll)

godrik (1287354) | about 5 years ago | (#28533517)

There is still no comments on the article and it is already tagged as troll! :)

Sadly, I don't agree. (1, Insightful)

Slartibartfast (3395) | about 5 years ago | (#28533523)

It's overhead. In other words, while it's true that malware affects closed-source far more frequently than OSS, that's just because CSS is far more commonly-used, and, therefore, makes a more tempting target. Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land. I love Linux (heck, "I'm rinsing in it now!"), and have used it as my primary desktop and server platform since '94, but bulletproof it ain't.

Re:Sadly, I don't agree. (5, Insightful)

gurps_npc (621217) | about 5 years ago | (#28533563)

Your comment is 100% completely correct and also 100% completely irrelevant.

The question is not "Is Linux inherently as cheap as Microsoft". No. The question is, if we include all costs, including virus and other malware related costs, will Microsoft cost more than Linux.

Just as Microsoft is correct that when considering the real cost of 'free software', you have to include costs such as training, you ALSO have to consider the costs incurred due to malware.

Re:Sadly, I don't agree. (3, Insightful)

Anonymous Coward | about 5 years ago | (#28533659)

No one said Linux is "bulletproof". Don't try to change the topic.

TFA is saying that the closed-source software costs more when operating costs are included in the total price tag. How much does industry pay for malware protection, virus protection, trojan protection, downtime from infection, and loss of productivity as a result of closed-source software? Those costs are relevant to businesses and should be considered.

Re:Sadly, I don't agree. (2, Insightful)

n4djs (1097963) | about 5 years ago | (#28533699)

Linux would never have the same level of bugs as Windows, for one simple reason. The default user configuration on Windows in a home environment is that any user has administrative rights (which is not the case, by and large, in corporate environments). This is primarily due to the vast majority of Windows applications being unable to install correctly if the user does not have administrator capability.

This leads to all sorts of bogus cruft getting installed on machines by users who are without a clue with computer security, and simply don't know to install tools like NoScript or SiteAdvisor and to pay attention to the warnings they generate.

Linux's in general do not run normal users with superuser capabilities, which stops a lot of garbage from getting installed on machines in the first place.

Re:Sadly, I don't agree. (3, Insightful)

Spike15 (1023769) | about 5 years ago | (#28533807)

This is also the same reason that you don't see as many windows problems in a corporate environment: Because the users aren't administrators.

I recently switched my entire home network over to AD, and started making people actual AD accounts that are not local admins on their machines, and the number of problems that they're having has gone WAY down. Sure, they have to ask me whenever they want to do something like install software, but for the most part their system configurations are fairly stable -- they just do the same tasks day after day, they're not highly dynamic users who like to experiment with new and exciting software / hardware like I am -- besides, them having to call me insures that I have a certain degree of oversight as to what goes onto their computer, allowing me not only to support them better later on (since I know exactly what happened to their PC), but also allows me to preempt problematic software etc.

Re:Sadly, I don't agree. (1)

Jamie's Nightmare (1410247) | about 5 years ago | (#28533989)

The default user configuration on Windows in a home environment is that any user has administrative rights...

That was the default, but since Vista that has no longer been the case. It's also incorrect to assume that users won't elevate privileges on any system to install software they think is legitimate or useful to them.

Re:Sadly, I don't agree. (2, Informative)

tixxit (1107127) | about 5 years ago | (#28534015)

That is no longer true. Windows Vista & 7 both default to a limited user, not admin. I've been using Linux for my OS for 8 or so years, but you gotta give credit where credit is due.

Re:Sadly, I don't agree. (4, Insightful)

sofar (317980) | about 5 years ago | (#28533711)

Maybe it's a strength that Linux is used less. That results in a lower cost of ownership overall for organizations "right now". In the far future, this could change obviously, but nothing suggests that this cost will be larger than that of Microsoft implementations, not by any margin, not any time soon.

So, as fundamentally correct as your point may be, the story "beats" you because it points out that Closed Source is misrepresenting a lower TCO by not accounting for security issues with the entire solution.

Close source solution offers "skip over" the windows virus/malware problem, Open Source has a clear answer to it now, and likely in the future. Large contracts should be made evaluating these things thoroughly, and include a real assessment of the validity of these offers, and not just take Joe I.T. Contractor's word for it.

Re:Sadly, I don't agree. (0)

Anonymous Coward | about 5 years ago | (#28533845)

Not only that, but if we're going to consider future potential TCO, we must also realize that *if* Linux becomes more of a target for malware due to increased popularity, while that one part of the TCO increases, at the same time the training part of TCO will go down. Obviously it is impossible to tell if they will balance each other or not, as it is all conjecture at this point and thus largely irrelevant anyway.

It is the hacker's mentality. (-1, Redundant)

reporter (666905) | about 5 years ago | (#28533721)

Hackers target Microsoft software only because it is much more popular than non-Microsoft software. The mentality of the typical hacker is that he gets a cheap thrill from injuring the most people. If his worm or virus caused $1 billion of damage and if a prominent newspaper like the "Wall Street Journal" published a story about the damage, then he would become orgasmic. Maximum damage -- and, hence, maximum orgasm -- is achieved by targetting the software that most people use.

This attitude is little different from that of a terrorist. The typical terrorist aims for maximum publicity. He craves it.

Re:It is the hacker's mentality. (2, Interesting)

maxume (22995) | about 5 years ago | (#28533783)

You are confused. At this point, the typical 'hacker' works on whatever systems he thinks he can make the most botnet money from.

Re:It is the hacker's mentality. (1)

ckaminski (82854) | about 5 years ago | (#28533965)

Which means: write an exploit for EVERYTHING on CERN's list, no matter what the platform.

Re:It is the hacker's mentality. (1)

ckaminski (82854) | about 5 years ago | (#28533987)

Did I say CERN? I mean CERT. Gar... damn brain isn't working today. I blame IBM WID-6.1 and that crazy guy asking for Smalltalk support.

Re:Sadly, I don't agree. (2, Insightful)

vertinox (846076) | about 5 years ago | (#28533821)

Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land. I love Linux (heck, "I'm rinsing in it now!"), and have used it as my primary desktop and server platform since '94, but bulletproof it ain't.

I think by bullet proof they mean mitigate stupid user and developer tricks which still happen in Linux but you have to try harder.

I mean the first thing I did when first trying out Linux in 1997 was to learn it while logged in as root because that was how you logged into Windows NT.

That said, I strongly disagree that OS usage is directly correlated to viable exploits on a device.

Take the iPhone for example. Its used by a lot of people but its nigh impossible to exploit simply because its locked down.

Now you sacrifice a lot of usability, but that is the price you pay in terms of security.

I mean if Microsoft Wrote an OS that would not allow the user or their programs to write to anywhere else except the user home directory and programs could not starup other programs or modify their files, then you would never see any other viruses again on the Windows platform.

Of course this would break all the legacy programs and you wouldn't really be running windows anymore in a sense... But wouldn't it be worth it? ;)

Re:Sadly, I don't agree. (1)

ckaminski (82854) | about 5 years ago | (#28534027)

Exactly how much usability are you actually losing with the iPhone? I'd wager a whole hell of a lot less than you think.

Re:Sadly, I don't agree. (3, Insightful)

drijen (919269) | about 5 years ago | (#28533909)

Parent poster is full of crap.

 

Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land.

 
This is the same as stating: "If linux had the number of users that microsoft windows had, it would be victim to the same number of viruses, malware, and general script kiddies" which is complete bullshit.

 
I'm sick of hearing this argument, only a complete tool would believe it. *Nix systems are inherently more secure, due to its security model (file permissions, groups, no admin rights, etc), and to the fact that it literally forces you to not be a complete moron (security wise) while using it. Furthermore, because of the variety of software that can be installed on each box, only the most common programs (apache, nginx, ssl, ssh, etc) would be effective targets to attack, limiting the areas an admin needs to cover.

 
Due to the above, there are only certain attacks that would be effective to a *Nix system. Off the top of my head, this leaves: privilege escalation, man-in-the-middle, and social engineering (a problem everywhere, regardless of OS).

 
 
In short, a Linux machine that is run by a competent administrator is MUCH more difficult to infect or attack than a Windows machine, and the parent is a moron.

Re:Sadly, I don't agree. (1)

ckaminski (82854) | about 5 years ago | (#28533917)

Except you forget: you can boot a clean Linux machine in a second - you can't CD-boot Windows, or boot it from a read-only drive. Architecturally, Linux is better designed to repel attacks in the first place.

Re:Sadly, I don't agree. (3, Insightful)

dbcad7 (771464) | about 5 years ago | (#28533921)

I don't think so.. Here's why.. users are lazy, and this is the biggest vulnerability.. With most Linux distributions, software is distributed by the "distro" (usually through repositories) .. This is the easy way.. The hard way is installing from outside this source and making it work.. the really hard way, is compiling from source... Now since most users are lazy, it's generally going to come from the distro repo where it has gone through many eyes and testing before it was available.. The other difference is executables.. If someone emails me something like a script, it requires extra effort to make it executable.. again laziness prevails in Linux's favor.

Re:Sadly, I don't agree. (1)

DragonWriter (970822) | about 5 years ago | (#28534041)

In other words, while it's true that malware affects closed-source far more frequently than OSS, that's just because CSS is far more commonly-used, and, therefore, makes a more tempting target. Make no mistake: if Linux were as widely used as Windows, there would be bugs galore to be a-cleaning in Linux land.

Even granting, for the sake of argument, that Linux would be as badly impacted (in terms of cost to users to deal with malware, not in terms merely of the total attempts to deploy malware) as Windows were it as popular, that is irrelevant to the cost to individual entities deciding which they should use, since no individual entity's decision to use or not use Linux is likely to take it from its current actual popularity to near the popularity of Windows (or, OTOH, stop it from being on the order of the popularity of Windows).

First Thoughts... (5, Funny)

geeper (883542) | about 5 years ago | (#28533531)

"Oh my god, not this AGAIN!!"

Re:First Thoughts... (5, Funny)

Voyager529 (1363959) | about 5 years ago | (#28533587)

"Oh my god, not this AGAIN!!"

Since when does a bowl of petunias have a Slashdot account? Did the sperm whale get one before or after you?

Only Proprietary? (3, Interesting)

Nemyst (1383049) | about 5 years ago | (#28533533)

I don't want to sound like a detractor of free software (I actually favor FLOSS as much as I can), but it's not like Linux doesn't have any malware written for it. Sure, it's to a lesser degree, but it's still there and I'm not sure the costs of removing them are systematically calculated into the TCO either.

Re:Only Proprietary? (0, Troll)

eyepeepackets (33477) | about 5 years ago | (#28533997)

Oh really? You make it sound as though it's a comparable situation between Windows and Linux as regards malware. I'd like to see you substantiate this claim with some solid data with a clear comparison between the platforms. Otherwise, I suspect you of being nothing more than a glib, sideways-talking astroturfer.

Re:Only Proprietary? (1)

morgan_greywolf (835522) | about 5 years ago | (#28534037)

Tbere is theory and then there is reality. How likely are you to encounter that Linux malware? Properly admined, not likely. On Windows? The odds are near 100%, no matter how effective your system administration skills are.

Economy.. (1)

bigattichouse (527527) | about 5 years ago | (#28533543)

Makes me wonder how much the latest crop of "storms" like Conficker have contributed to the economy?

Re:Economy.. (3, Insightful)

Dynedain (141758) | about 5 years ago | (#28533877)

The problem is that for every penny they contributed in direct labor costs to clean up, there's probably at least as much wasted in employee downtime while services are unavailable.

If it wasn't for the fact that it was preventing staff from getting their work done, I doubt anyone would have spent $2 million to clean up Conficker.

I didn't RTFA, but it sounds like their total cost includes both the direct cleanup cost, and some of the indirect cost of paying people to be unproductive during the cleanup.

Re:Economy.. (3, Interesting)

gbjbaanb (229885) | about 5 years ago | (#28533985)

not just that but it affects the services provided. For example, I know of a police force that was infected by conficker. It got everywhere. The consensus is that the company providing the mobile data interfaces was the original source of infection (but you cannot prove where conficker came from, its pervasive), and for a long while the officers on the beat had to use their handsets as mobile phones - no data, so no event updates and no communication with the CAD system.

I don't know the cost there, but they had con-sultants in from Microsoft to help clear the mess up and they weren't cheap. The infection lasted for 2 weeks, and they had reduced service for several weeks after that.

That's just for Conficker. Remember storm, sql slammer, I love you?

Cheaper to prevent than fix (2, Insightful)

TPJ-Basin (763596) | about 5 years ago | (#28533545)

Instead of spending $2 million to *fix* virus issues, why not hire smarter people to *prevent* virus issues? I'm sure doing so would be much cheaper.

Re:Cheaper to prevent than fix (3, Insightful)

ArhcAngel (247594) | about 5 years ago | (#28533671)

That would come out of a different Cost Center which requires pre-approval. The emergency CC is funded for..you know..emergencies and gets funded On The Fly when it is affecting the bottom line. You know what they say "It's easier to ask forgiveness than permission"

Re:Cheaper to prevent than fix (4, Insightful)

Bourbonium (454366) | about 5 years ago | (#28533727)

This is a good point that I hoped someone would make. What is not explained in the article is that "Windows" isn't exactly the cause of the problem, but "Windows XP." If systems were maintained and upgraded per Microsoft's recommendations, Conficker would not have been anywhere near as big a problem. Say what you will about Windows Vista, if Manchester had upgraded their systems to Vista on the client side (or at the very least, not allowed users to run XP under Admin credentials), Conficker would never have been able to install itself.

I'm a big promoter of Open Source, but I work in a Microsoft shop where we still have all our desktops standardized on WindowsXP, but we never allow standard users to run as Admin, and we never had any problem with Conficker.

Migrating to Open Source would help a lot, but Manchester just needs better IT support (or more likely, better IT management) all the way around.

Re:Cheaper to prevent than fix (1)

maxume (22995) | about 5 years ago | (#28533843)

A well patched XP system was probably never vulnerable to the network propagation of Conficker (tough to say exactly, but Conficker wasn't spotted until the patch had been out for a couple of weeks).

Re:Cheaper to prevent than fix (1)

Z00L00K (682162) | about 5 years ago | (#28533731)

Why not hire nastier people taking care of people behind botnets?

Re:Cheaper to prevent than fix (3, Insightful)

Voyager529 (1363959) | about 5 years ago | (#28533777)

There's no saying that your solution isn't employed. The problem is that in this game of cat-and mouse, the mice have two advantages: manpower and social engineering.

First, As soon as one leak is plugged, virus writers can look for the next. Commercially speaking, the virus writers get paid when they find holes to exploit. Anyone can take time to do this. The individuals working to prevent viruses keep their jobs by plugging holes, but Symantec/McAffee/Trend Micro/ESET/Kaspersky/Your Vendor Here only has so many spots on the payroll for leak-pluggers.

Secondly, it's becoming increasingly common to have viruses mimic security software. Some of the latest crops of malware look incredibly similar to Windows security warnings such that even a reasonably computer literate person would have to take a hard look to be sure that they're genuine. Faking someone else's security warnings is significantly easier than proving that one is original in an irreproducible form.

Honorable mention goes to the bean counters. If the network director/consumer sees two packages, and one is $20 more expensive (or $20/seat more expensive), convincing people to pay extra for it becomes difficult. Even if one can prove that it genuinely does a better job, given the number of people who have let their subscriptions laps for months or years, convincing them to pay for the added security proactively, instead of a specialist reactively, is quite a challenge. Just look at how many people balk at paying for a backup solution before their hard drive bites the dust.

Preventing water damage. (1)

Ungrounded Lightning (62228) | about 5 years ago | (#28533979)

Instead of spending $2 million to *fix* virus issues, why not hire smarter people to *prevent* virus issues? I'm sure doing so would be much cheaper.

Instead of spending $20,000 to fix water damage, why not hire a contractor to patch the holes in the roof and walls where the rain gets in?

When you have enough holes in the roof it becomes cheaper to re-roof than to patch.

When you have enough holes in the roof, walls, window frames, floor, foundation, etc. it becomes cheaper to tear down the house and replace it with a tighter, better built one.

The issue raised by the article is whether the "Windows/Microsoft apps" and "Linux/FOSS apps" houses meet that last criterion.

It's instructive that the issue of whether the new house can hold the family ("Is Linux Ready For [whatever]?) is no longer in doubt - thanks to service organizations like IBM's. The debate has moved from whether Linux can do the job to whether it does it cheaper.

they must have stupid IT people (0, Flamebait)

alen (225700) | about 5 years ago | (#28533551)

i've worked in a MS environment for a long time and have seen a few virus infections. not once have we called in any consultants to clean up. in the worst case we have an old NT server that is infected but has to remain operational. solution was to put a free Firewall on it, block all traffic except for a few people that need access to it. still infected, but the virus can't get out. everyone else gets pulled off the network and cleaned up using the normal suite of AV and free tools availalble

Re:they must have stupid IT people (4, Insightful)

captaindomon (870655) | about 5 years ago | (#28533701)

Really? You are allowing an infected machine to remain on the network with only a free firewall protecting the rest of your corporate network? Pulling a stunt like that would probably get me fired. It's not a matter of how technically sound the solution seems to be - it's a very high ongoing risk factor to the stability of the rest of the network.

Re:they must have stupid IT people (2, Informative)

Spike15 (1023769) | about 5 years ago | (#28533741)

Really? You are allowing an infected machine to remain on the network with only a free firewall protecting the rest of your corporate network? Pulling a stunt like that would probably get me fired. It's not a matter of how technically sound the solution seems to be - it's a very high ongoing risk factor to the stability of the rest of the network.

As if the idea wasn't intrinsically bad enough, he said that he puts the free firewall on that box itself! What's to prevent the malware from simply deactivating or circumventing the firewall? Malware has proven itself able to deactivate all kinds of software -- Windows Update, A/V, etc. -- what makes your free firewall so special?

Seriously, disinfecting PCs without reformatting them can be a PitA, but it's still possible. Stop being so lazy / stupid.

Re:they must have stupid IT people (2, Informative)

SatanicPuppy (611928) | about 5 years ago | (#28533767)

Agreed that it's foolish. Some moron is bound to plug his thumb drive into it at some point, and spread the crap everywhere.

Still, we very seldom have viruses on our windows network, and the ones we get are all installed "accidentally" by stupid users, and they never spread because the network is well partitioned, and well configured.

If you're still having virus problems at that level NOW, there is something seriously wrong with the way your IT infrastructure is set up.

Re:they must have stupid IT people (1)

sofar (317980) | about 5 years ago | (#28533773)

"we'll let this nuclear bomb just explode and make sure there's no one near it."

Nice attitude :)

how do you guarantee your data on that box to be secure if you know it's been compromised? I hope you do not work for any company that I use services from :o

Can't (5, Insightful)

jav1231 (539129) | about 5 years ago | (#28533559)

MS can't include these into calculations for obvious reasons. They must proceed as if such vulnerabilities don't exist in order to market their product. What's funny is they don't want you to either. They want to hold themselves up as either "just as good as" the next guy or make excuses for their lack of security.

In the long run this is a cost that need not be spent. There are alternative OS's and it's high time governments, of all entities, started using open alternatives. It's not just costing them in terms of being beholding to corporations like MS but in real dollars as well.

Other hidden costs. (5, Interesting)

Z00L00K (682162) | about 5 years ago | (#28533573)

The change of the user interface in Office 2007 is one huge hidden cost. It was done to make things "easier" with the result that old users instead have to re-learn the user interface completely and have a really hard time to do even the things that were simple before.

And some things that was easy in the old Office version is now really cumbersome. The style handling in Word is one example that can make the blood pressure rise.

fw;dr (5, Funny)

iamhigh (1252742) | about 5 years ago | (#28533583)

Flame War; Didn't Read

But seriously, 2 MILLION to clean up some viruses? I need to move to Manchester and become a consultant!

Every dog has its day... (0, Troll)

greatica (1586137) | about 5 years ago | (#28533595)

Linux will have its malware day when it becomes more popular. Broken interfaces, poor documentation, mediocre support, incompatibilities up the wazoo, but dang...I bet it's secure as hell.

Re:Every dog has its day... (1)

nicolas.kassis (875270) | about 5 years ago | (#28533707)

Troll much?

Re:Every dog has its day... (0)

Anonymous Coward | about 5 years ago | (#28533799)

Did something change since the last time I seriously used Linux? The Gentoo docs and support were pretty good, but for any given package it was a crapshoot.

Troll article yes, but (3, Interesting)

SatanicPuppy (611928) | about 5 years ago | (#28533603)

What the hell were they doing paying $2.5 million to clean up a worm? Seriously? Hell, you could have paid the guys who wrote it 2 million to exclude your IP range in the fricking code, and saved 500k!

Governments have got to get their crap together on this stuff. When that worm hit corporate here, in luddite central, the number of effected machines was under 30...For the entire corporation! And that's with all properties connected by a corporate WAN.

That they had that level of infection is inexcusable. Shows that they're just wasting money right and left and getting nothing but a crap product.

It's fun to dump on MSFT (1)

Trip6 (1184883) | about 5 years ago | (#28533615)

An article with a clear agenda against MSFT. See other posts debunking the extra costs and MSFT-only slant.

Re:It's fun to dump on MSFT (2, Interesting)

sofar (317980) | about 5 years ago | (#28533813)

Not necessarily, it points out that consultants (often independent companies) are wrongly evaluating software contract offers.

That's a big problem, not just for Microsoft, but especially for large organizations and the companies that evaluate these offers for them. No bashing there.

Prediction (3, Insightful)

93 Escort Wagon (326346) | about 5 years ago | (#28533617)

This story thread will have an extremely large number of posts which are highly moderated, but contain very little original or useful information.

Right (1)

dedazo (737510) | about 5 years ago | (#28533673)

To make the comparison fair, maybe a comparison (pardoning the redundancy) between the companies that don't patch and have no meaningful data security policies in place and those who do would be indicated. I say that because Conficker went live in November of last year, and the out of band patch was available in October. A replay of the other ones where a patch has existed well before the exploit was seen in the wild - in fact in the case of (I think Slammer) the exploit was based on what the patch was fixing.

This is especially meaningful in the case of companies who have control over their users' PCs, rather than home users that need to be bothered with letting Windows Update run in the background and help them patch their boxes occasionally. We all know how much of a bother that can be.

Still Better than Linux (-1, Troll)

Anonymous Coward | about 5 years ago | (#28533677)

For all the talk and the BS, Linux is still a very sub-standard operating system compared to Windows.

Unless you enjoy typing nonsensical commands to accomplish simple tasks, Linux is not for you.

Save yourself the aggravation and use a real Operating System like Windows or OS X.

Re:Still Better than Linux (0)

Anonymous Coward | about 5 years ago | (#28533911)

You are absolutely correct!

Smart Customers (0, Troll)

r45d15 (1543669) | about 5 years ago | (#28533685)

These costs are only included in TCO calculations by smart customers, the other customers trust corporations like Microsoft, because they are dumb and/or bribed.

Another Argument for SaaS (0)

Anonymous Coward | about 5 years ago | (#28533695)

Another argument in favor of SaaS applications like http://www.hyperoffice.com. Keeping out viruses in the vendros responsibility and cost, not yours.

There's hidden costs to everything (4, Insightful)

caywen (942955) | about 5 years ago | (#28533697)

Maybe the world still runs on Microsoft because the TCO difference just isn't high enough to justify the cost of switching. The cost of migration has to be figured into the TCO of the alternative, despite how unfair it sounds to do so.

Re:There's hidden costs to everything (2, Informative)

downix (84795) | about 5 years ago | (#28533891)

I meet your cost and raise you the cost of regular hardware upgrades necessary to continue running Windows. When XP came out, 256MB was plenty, now with the updates and everything, 1GB is cramped. When it came out, a Pentium 3 667Mhz was plenty, now a multicore multi-Ghz is needed. This too has to be taken into the TCO.

Re:There's hidden costs to everything (0)

Anonymous Coward | about 5 years ago | (#28533923)

What if this mindset were applied to other things? Do you think that we shouldn't bother moving to alternative-fuel cars because it'll be too expensive to change our fuel distribution infrastructure? Do you stick with a more expensive cell provider because it's too difficult to learn how to use a new phone? Do you drive a car for 25 years because it's too hard to learn where all the buttons are in a new one?

I've seen it (0)

Anonymous Coward | about 5 years ago | (#28533735)

Labor to image a PC: 10 minutes

Time to actually image and install software: 1 hour, unattended

Time spent explaining to a user that they should NOT install WeatherBug right after I re-image them for installing WeatherBug: until I ran out of breath

Time spent explaining to a user that imaging will not cause them to lose the contents of drive U: in one case, a 30-minute lecture followed by weeks of her refusal to allow anything to be done to "her" PC, causing her to then claim that my refusal to solve her problem cost her 60 hours of productivity from a barely-working PC.

I have an idea (5, Insightful)

joeytmann (664434) | about 5 years ago | (#28533749)

How about patching your systems in a timely manner so you don't have to suffer through these reactionary costs? The patch for the exploit conficker used was released in Nov 08. When did conficker start spreading around, Jan 09? Just saying.....

Re:I have an idea (1)

genghisjahn (1344927) | about 5 years ago | (#28533835)

If I had mod points I'd throw 'em your way.

Not going far enough (0)

Anonymous Coward | about 5 years ago | (#28533755)

TJMax and subsidieries was hit with 10 million in fines just from one state, and has had to pay for numerous stolen cards. Estimates are that the WIndows based system that they used to file Applications cost them around 40-50 MILLION DOLLARS. Turns out that it was more than what their IT was costing them from one year. What do you bet that they still have idiots there pushing Windows?

Re:Not going far enough (2, Insightful)

joeytmann (664434) | about 5 years ago | (#28533915)

An idiot is an idiot....no matter if he is pushing Windows or not.

Overhead of Running AV and Such (1)

smist08 (1059006) | about 5 years ago | (#28533771)

Add to the TCO, the lost productivity because computers running MS Windows, are so much slower because of the overhead of AV software, anti-spybot, anti-adware, popup blockers and such. Every packet that comes and goes from the network and/or disk is scanned several times. Its amazing how fast a Windows computer can be if you turn all these off (and how quickly it will become infected).

Yeah, we should count the TCO (0, Troll)

wubti (1434011) | about 5 years ago | (#28533795)

Microsoft is driving the planet to ruin with its wasteful high carbon footprint. All those employees driving and flying to work just for Micorosoft... While FOSS is typically done from the home office... no driving involved. You can include linux as part of your Company's "Green" initiative!

A data point (1)

rkeene517 (637993) | about 5 years ago | (#28533797)

A a single data point, I spent an hour cleaning the K worm off my laptop after a co-worker lent me his memory stick to transfer a file. Cost - An hour of pay plus the frustration of directly not getting important tasks done.

Re-loading / Registry problems larger (1)

frith01 (1118539) | about 5 years ago | (#28533837)

As many have pointed out, proper virus protection and lock down policies will keep those issues down.

However, re-imaging needed due to registry corruption, debugging software issues on "identical" machines that works in one instance and not another, and many other windows specific maintenance tasks should all be considered part of the over-head that does not exist for a linux installation.

But on the plus side... (1)

gov_coder (602374) | about 5 years ago | (#28533851)

Your system administration is automagically outsourced to china and russia for free!

Last time I checked... (1)

johosaphats (1082929) | about 5 years ago | (#28533867)

Last time my boss bought software, he wasn't concerned about fancy things like TCO, ROI, or whether the software he was buying actually did anything that was useful to us whatsoever. He thought it looked pretty, and that was all the criteria he needed to go on.

What about the other costs of AV? (5, Insightful)

goltzc (1284524) | about 5 years ago | (#28533883)

My company was hit pretty hard by the conficker virus. It took a lot of users offline for days. The cleanup effort included bringing in a small army of consultants to help fix the issue. After everything was cleaned up and ready to go, IT's response to the outbreak was to kick our Virus Scanner into some crazy ultra cautious mode. The end result of that is 50% of my cpu is being used up by my virus scanner constantly and opening an app or compiling something in eclipse takes substantially longer than it used to. The fact that virus scanning software decreases worker productivity by tying up substantial system resources should be part of the TCO as well.

Not mentioned (0, Offtopic)

Tawnos (1030370) | about 5 years ago | (#28533893)

For slashdot readers, the not so hidden cost of using microsoft software is the stream of FUD coming from editor kdawson.

Oh yeah (2, Funny)

C_Kode (102755) | about 5 years ago | (#28533927)

Oh yeah? What about all the time I spend clicking that little update button that keeps popping up on my Ubuntu Desktop? Huh? What about that! That takes away from my .... um, web surfing time! :P

TCP (1)

trb (8509) | about 5 years ago | (#28533949)

I think there should be a new calculation:

TCP - Total Cost of Pwnership

Microsoft incompatibility costs too (1)

Dan667 (564390) | about 5 years ago | (#28533963)

They are all but forcing a rollout of IE8, but it is not compatibility with Sharepoint. Don't know how many times I have watch this happen, but there is nothing you can do about it. At least with Open Source you could go in and fix it yourself.

Fail. (0, Troll)

cyberfr0g (2812) | about 5 years ago | (#28533975)

TCO is not calculated to include misconfigurations and improper use.

Viruses are not a function of the operating system but simply a result of misconfiguration and or improper use.

I look forward to the day when linux kids get hit with something really bad that is impossible to remove and results in massive $$ to clean.

If anything you should be happy that you haven't been properly targeted yet.

Also, don't forget virus scanners slowing down. (1)

mr_java66 (1079393) | about 5 years ago | (#28534009)

Also, don't forget virus scanners slowing down your system.

Viruses proportional to installed user-base (1, Insightful)

Absolut187 (816431) | about 5 years ago | (#28534019)

Obviously the effort of the virus-making community is proportional to installed user-base.

More people would create malware for Linux/Mac/etc if more people used those OSs.

To really prove that an OS is actually "more secure" than Windows, you'll need to put it on like 80% of computers worldwide to test it.

I'm not saying Linux is or isn't more secure. I'm saying that there will always be a security advantage in running a lesser-used operating system.

You could probably run Windows 3.1 and never get a virus.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...