The state of the computing industry


Evo
28th Sep 2004, 08:39
Some rather depressing reading here (http://www.windowssecrets.com/040923/). Some highlights:

About 1 in 12 e-mails carried viruses in the first six months of 2004
There are now 1,740 known, unpatched security flaws in Windows and other operating systems,
Spam exceeded 70% of all e-mail in July 2004
Phishing attacks are growing at a rate of 50% PER MONTH
More than 20% of PCs tested by PCPitstop have active in memory one or more programs the company defines as "spyware."
A single U.S. ISP, Comcast.net, sends 700 million spam messages a day

Mac the Knife
28th Sep 2004, 13:55
"There are now 1,740 known, unpatched security flaws in Windows and other operating systems,"

"...and other operating systems" ??

C'mon Evo, most of these vulns are in Windows, not Linux or BeOS or FreeBSD or whatever. And most Linux vulnerabilities are patched within hours of someone releasing a proof-of-concept, let alone a flood of real attacks.

Yup, Linux has security flaws, but an order of magnitude fewer.

Evo
28th Sep 2004, 15:18
Don't shoot the messenger - I was just quoting from the article :)

While I do agree with you, I also think people overstress both the intrinsic security of Linux and the security problems of Windows. Linux is obviously not immune from bugs - just grab the Linux graphics library changelogs to see exactly the same kind of bugs as the one that has been exploited in Windows. They are fixed quickly, but actually doing anything about it "within hours" in practice involves recompiling something from source and is beyond all but fairly advanced users. I've had to do it a couple of times, and it's never been straightforward. For most people, it's a case of waiting for RedHat to build and repackage the fixes, and that can take a lot longer.

Many, if not most, of the recent widespread Windows problems have been perfectly avoidable - they involved well known problems where patches have been available for some time, and, more often than not, clicking on something to run it. Relatively few, I think, are simply from well-known but unpatched flaws - how many experienced Windows users get viruses, malware etc.? I've never had one, and (until I recently switched to Firefox) I was on the unholy Windows/IE/OE trinity. If it was so easy, then wouldn't I be seeing problems that I couldn't avoid?

The problem is really a social one - people don't maintain their computers - rather than a software one. The rapid response of the open-source community doesn't bring that much of a benefit if the patches aren't applied by the user. What I think is the main security advantage that Linux appears to have is just a result of its very nature as a technophile's operating system: it's run by a more technical set of people, and they're more likely to configure a machine securely, and keep a machine patched when the updates appear. Move Linux into the mainstream and you're back to a mis-configured and unpatched operating system - just an open-source one, this time.

edit: that's not to say Windows is great - when Doom 3 has to have admin rights to run you know something is :mad: with your security architecture... :)

drauk
28th Sep 2004, 16:18
I'm not convinced that viruses and other security problems are more common with Windows OS just because it is more popular, though clearly it is a major factor. Microsoft push a lot of integration technologies (for want of a better word/expression) like ActiveX, Internet Explorer components within other apps, dynamic scripting across applications etc. More generally, the tight integration of the key Internet apps (email, browser) with the desktop operating system seems to be the primary cause of a lot of problems these days. No other OS does this as much as Windows and perhaps this is one reason it has more problems.

Mac the Knife
28th Sep 2004, 17:53
Gotta agree with much of what you say Evo.

OTOH SuSE have their patches on line very quickly and you certainly do NOT have to recompile the kernel!

"Many, if not most, of the recent widespread Windows problems have been perfectly avoidable" - yes indeed. I'm religious (OK, obsessive) about patching and backup, reach the Web through FireFox and a Freesco hardware firewall router, use Norton AV and make sure it's updated, and run Ad-Aware, SpyBot and a big HOSTS file of banned sites. Plus a few other tricks. Download a lot of executables and images too. So far so good - last infection was from a BBS in the pre-Web days. Joe Sixpack and Granny Smith can't help being ignorant and you can't expect them to do all that.

But I don't need ANY of that crap with Linux - provided that I'm not running as root the damage that can be done is very limited. One of the real problems with Windows is that it does not effectively separate userspace from kernelspace - couple that with the fact that stacks of applications just don't work unless you run as Administrator and you have a big potential for trouble. It is actually possible to lock Windows up fairly tight, but you need to get quite savvy with group policies and cope with a passel of complicated permissions and it's a pain in the ass. At least Linux is pretty secure right out of the box.

Real security comes at the price of convenience - truly tight systems only run one or two apps., like a database and just won't do anything else.

"Move Linux into the mainstream and you're back to a mis-configured and unpatched operating system - just an open-source one, this time." I don't doubt it - one techie hardening an enterprise server is one thing, he ain't going to be there to tighten your Aunt Lucy's.

Naples Air Center, Inc.
29th Sep 2004, 03:59
Evo,

The more Spam Emails the better! The sooner we hit critical mass on Spam, the sooner the ISPs and Internet Backbone will take steps to remove it and the propagation of Viruses, so we do not have to fight it at the PC level.

Right now too many PDUs are losing the battle.

Take Care,

Richard

HelenD
29th Sep 2004, 14:00
I think a lot of the problems may be down to the ease of obtaining the information needed as well as the fact that to run certain programs you have to be logged on as an administrator.
That is OK for those users with technical savvy who can quite happily run as multiple users as necessary; there are users, however, who struggle with the computing basics.
I work for a small software house and the number of people who complained after all passwords were forced to be in what is considered to be a strong format was rather high. I am currently looking into how to write secure .NET applications; while I understand some of what is written, I don't really understand where in the code the various attributes go. I am also having difficulty with the key management side of things, as if several users need to encrypt/decrypt the same data before it is stored in the database they will all need the same key; while it appears possible by using DPAPI if they are all using the same PC, I am not sure how it's possible if they all use different PCs. I am personally looking to achieve a pass for 70-340 but still feel I have a lot to understand before I can get there.
So if we in the IT industry cannot get the information we need to write secure applications, what hope is there of PCs being secure?