[powertower]

> My personal gripe was how poorly Microsoft thought about and handled security issues. My Linux computer is as far as I know virus free.

He is comparing Windows 95 to Ubuntu 11.04 (if you follow the link in that sentence)!

> They [devs] did not bother developing for other platforms because those platforms were economically irrelevant and the Microsoft developer tools worked.

Then he doesn't even make the connection to virus writers targeting Windows between 199x-200x.

> Windows security issues are everywhere and it did not need to be so.

Sorry, but that's mostly due to the desktop market size and Windows' share of it.

Everything after Windows XP had security at its core.

Blame the users who are clueless, that are emailing viruses to all their contacts, download Trojans and warez with backdoors, etc.

And again, he is comparing decades old MS OSs to latest versions of Linux and OS X.

> Nowadays nobody under thirty writes anything on Microsoft developer tools unless they are demented or brain-dead.

Completely false statement.

[archangel_one]

> > Windows security issues are everywhere and it did not need to be so. > Sorry, but that's mostly due to the desktop market size and Windows' share of it.

No, it's not. It's mostly due to Microsoft ignoring security for years because it wasn't important to them. They didn't have to have everyone running as root by default in all versions of Windows before Vista (AFAIK in XP Home you can't actually set up restricted users). They didn't have to have lots of open ports offering things like RPC to the world. They didn't have to have all files executable by default, based solely off the hidden part of the filename in AnnaKournikova.jpg.exe.

There are now supposed to be 300M Android devices worldwide, which is within an order of magnitude of Windows' numbers 10 years ago, and you don't see Android phones being compromised remotely within fifteen minutes of being connected to a network. There's no equivalent of Blaster or Sasser or anything close to that level.

It's partly due to Windows' market share that it got targeted so heavily, but those opportunities wouldn't have been there if they hadn't ignored security for so long.

[powertower]

I think you've missed the point on multiple fronts...

> and you don't see Android phones being compromised remotely within fifteen minutes of being connected to a network.

Again, why do you (and others) keep comparing today's Linux/Android/OS X OS with a 10-15 year old Windows OS.

Windows security has been at its core since after XP, and by all knowledgeable accounts is just as good as Linux's ... as long as you know how to use it / deal with it. Today 95% of the problem is clueless Windows admins, and bad user decisions.

As far as my own experience goes, I've ran Windows 3.1, 95, 98, 2000, XP, Vista, and all the rest never having been compromised. So it is possible at least.

What you're doing is the same when people complain about IE 6 vs. the latest version of Chrome...

IE6 came out in 2001, and at that time was the most standards-compliant and feature full of all the browsers on the market (well, except for IE 5.5 for MacOS).

> They didn't have to have everyone running as root by default in all versions of Windows before Vista (AFAIK in XP Home you can't actually set up restricted users). They didn't have to have lots of open ports offering things like RPC to the world. They didn't have to have all files executable by default, based solely off the hidden part of the filename in AnnaKournikova.jpg.exe.

Of course they had to do all that. The Windows users back then were generally not very savvy and anything that got in their way was a disaster waiting to happen. Also it was a different time. Even today most Windows home users don't even understand the file-system with it's drives, devices, directories, subs, and files. And you wanted them to understand user security and how it plays with applications that they ran? No.

> but those opportunities wouldn't have been there if they hadn't ignored security for so long.

I guess they should have gotten a time machine to the future to pull all that work and knowledge back to the past. Windows XP should have been based off Windows 7.

My point is that what is possible today, was not possible 10, 15, or 20 years ago both from a tech and user point of view... Just because someone can do OS security good today, dosn't mean you can blame someone else for not doing it good decades ago.

[archangel_one]

> Again, why do you (and others) keep comparing today's Linux/Android/OS X OS with a 10-15 year old Windows OS.

You argued that Windows was targeted solely because of its high market share. I'm drawing a comparison to another platform with high market share; there simply wasn't anything comparable ten years ago. And it is not obvious to me that it's not a valid comparison; Microsoft were a huge company who had been developing Windows for fifteen years at that point. Android is a lot younger, so you could just as well expect it to be less mature and therefore less secure.

And yes, I know it is possible to run it without being compromised. You obviously knew what you were doing; millions, even tens of millions of others didn't know and wound up with their computers zombified into botnets. That wasn't all because of their ignorance; there were times when a newly installed XP machine would be compromised less than fifteen minutes after being connected to the internet, which wasn't enough time to install the patches it needed. That can't be considered that user's fault, especially when they've just sat through half an hour of being told how they're installing The Most Secure Version Of Windows Yet!

> Of course they had to do all that. The Windows users back then were generally not very savvy...

Now you are missing my point. Microsoft didn't have to do anything. They could have built an operating system that was harder to use but more secure. I contend that it's even conceivable that they could have built an operating system that was roughly the same for ease of use, but still more secure; maybe they'd have been slower to market or had to compromise elsewhere. The point is that security was not a priority for them for years, they obviously just weren't that concerned. That may ultimately have been the right path for them, because they arguably didn't pay a high price really, but I don't personally consider it the technically best course.

> My point is that what is possible today, was not possible 10, 15, or 20 years ago both from a tech and user point of view... Just because someone can do OS security good today, dosn't mean you can blame someone else for not doing it good decades ago.

I think this is where we fundamentally disagree. I don't see why you think security is only something that can be achieved now and why it couldn't be ten or fifteen years ago. In the Unix world, people have known not to run as root for decades; Microsoft chose to ignore that for a long time and ultimately have been forced to shoehorn it back in for Vista. They could have done that in XP, if not long before; it certainly had the capability for it, they simply cut that out of XP Home and chose bad defaults for XP Pro.

[powertower]

> And it is not obvious to me that it's not a valid comparison; ... Android is a lot younger, so you could just as well expect it to be less mature and therefore less secure.

There is a reason why PC games are so much more advanced in their design, graphics, and game-play today than they were 10-20 years ago.

By your logic, there is little reason why Crysis 3 should not have been developed 15 years ago. If they can do it now, and the product/market fit for it is good now, why not 15 years ago!

That's just not how it works.

> In the Unix world...

Different world, different people, different needs/wants.

Microsoft didn't ignore anything; they have maintained a billion users for more than a decade. And profited more than most companies with an increase in sales every single year. They did something right, more than they did something wrong.

Easy-of-use was a priority for them over security until after XP because...

1. It would have impacted their users negatively (do you remember the response due to the new security in Vista?... people couldn't handle a pop-up, couldn't understand privileges, etc).

2. There previous OSs started from a single-user standpoint and it's difficult to change that (and maintain backwards compatibility, 3rd party drivers and software, support, etc).

You make things seem so easy. That's not how it works.

[archangel_one]

No, that is a totally different thing, and a fairly ridiculous comparison. You clearly can't have Crysis 3 15 years ago because the computers weren't powerful enough. Please don't apply a bad metaphor and tell me that's my reasoning, because it clearly wasn't.

Security does not require computing power, it needs careful code. By your logic, OpenBSD would have been an insecure mess 15 years ago, and nobody's web server would be getting hacked today. That is not how it works.

[powertower]

I've pointed out how ridiculous it's to blame Windows 95 for not being what today OSes are.

Since that wasn't good enough, I then pointed out how ridiculous it would be to compare IE6 (circa 2001) with the latest version of Chrome (2012).

But that wasn't good enough either.

So in the most general of ways I gave you one even better, which BTW had a small part to do with PC performance and more to do with everything else.

> OpenBSD would have been an insecure mess 15 years ago, and nobody's web server would be getting hacked today.

Have no idea what logic you're talking about.

I think we'll just have to disagree.

[dredmorbius]

It's not a 10-15 year old version.

As of ~2008, a very competent technical friend and co-worker had fired up a virgin WinXP instance, on the corporate intranet, to access some HR website which was strictly MSIE only.

Within the 15 minutes that instance was live, it had been compromised.

Anecdata, from a mythical extraterrestrial at that. But I'll stand by that and his experience.

[sp332]

Everything after Windows XP had security at its core.

Blame the users who are clueless, that are emailing viruses to all their contacts, download Trojans and warez with backdoors, etc.

I also blame MS for having insecure configurations by default. It's possible to secure a NT system quite well but there were a lot of compromises made in the defaults for convenience.

[kstrauser]

> Sorry, but that's mostly due to the desktop market size and Windows' share of it.

And yet, Unix/Linux had and has a much larger portion of the Internet-connected server market share but without the constant stream of critical vulnerabilities that Windows servers endured in the early 2000s. By your logic, Windows should have been a safer server choice because Unix servers were constantly falling to new attacks.

[powertower]

> And yet, Unix/Linux had and has a much larger portion of the Internet-connected server market share but without the constant stream of critical vulnerabilities that Windows servers endured in the early 2000s.

A couple of things...

1. I really don't know what the Linux server market share was in 2000 in comparison to NT server. Nor what the break-down of kernel vs user-space patches and vulnerabilities are. It also makes things much more complicated when you consider that the two were used pretty much in different situations and for different purposes.

2. That quote was in relation to the desktop/home-user market.

So I'm not going to go there as I don't want to compare apples to oranges, and on limited knowledge.

> By your logic, Windows should have been a safer server choice because Unix servers were constantly falling to new attacks.

How you're getting that from what I said makes no sense to me.

[rbanffy]

Just counting kernel security patches will give the wrong numbers. The "kernel" includes device drivers for every imaginable hardware component you can possibly run Linux with. In any real server, the security exposure is a fraction of that. If AMD processors require a patch, my Intel boxes will be safe. If there is an exploitable bug in my 3COM NIC, my Broadcom ones will be fine. In any running Linux machine only a tiny fraction of the kernel codebase is active and running.

It's really like adding all the vulnerabilities in the Windows kernel to the vulnerabilities of every device driver ever shipped in a box or made available on the web for every conceivable device you can buy.