[powertower]

I think you've missed the point on multiple fronts...

> and you don't see Android phones being compromised remotely within fifteen minutes of being connected to a network.

Again, why do you (and others) keep comparing today's Linux/Android/OS X OS with a 10-15 year old Windows OS.

Windows security has been at its core since after XP, and by all knowledgeable accounts is just as good as Linux's ... as long as you know how to use it / deal with it. Today 95% of the problem is clueless Windows admins, and bad user decisions.

As far as my own experience goes, I've ran Windows 3.1, 95, 98, 2000, XP, Vista, and all the rest never having been compromised. So it is possible at least.

What you're doing is the same when people complain about IE 6 vs. the latest version of Chrome...

IE6 came out in 2001, and at that time was the most standards-compliant and feature full of all the browsers on the market (well, except for IE 5.5 for MacOS).

> They didn't have to have everyone running as root by default in all versions of Windows before Vista (AFAIK in XP Home you can't actually set up restricted users). They didn't have to have lots of open ports offering things like RPC to the world. They didn't have to have all files executable by default, based solely off the hidden part of the filename in AnnaKournikova.jpg.exe.

Of course they had to do all that. The Windows users back then were generally not very savvy and anything that got in their way was a disaster waiting to happen. Also it was a different time. Even today most Windows home users don't even understand the file-system with it's drives, devices, directories, subs, and files. And you wanted them to understand user security and how it plays with applications that they ran? No.

> but those opportunities wouldn't have been there if they hadn't ignored security for so long.

I guess they should have gotten a time machine to the future to pull all that work and knowledge back to the past. Windows XP should have been based off Windows 7.

My point is that what is possible today, was not possible 10, 15, or 20 years ago both from a tech and user point of view... Just because someone can do OS security good today, dosn't mean you can blame someone else for not doing it good decades ago.

[archangel_one]

> Again, why do you (and others) keep comparing today's Linux/Android/OS X OS with a 10-15 year old Windows OS.

You argued that Windows was targeted solely because of its high market share. I'm drawing a comparison to another platform with high market share; there simply wasn't anything comparable ten years ago. And it is not obvious to me that it's not a valid comparison; Microsoft were a huge company who had been developing Windows for fifteen years at that point. Android is a lot younger, so you could just as well expect it to be less mature and therefore less secure.

And yes, I know it is possible to run it without being compromised. You obviously knew what you were doing; millions, even tens of millions of others didn't know and wound up with their computers zombified into botnets. That wasn't all because of their ignorance; there were times when a newly installed XP machine would be compromised less than fifteen minutes after being connected to the internet, which wasn't enough time to install the patches it needed. That can't be considered that user's fault, especially when they've just sat through half an hour of being told how they're installing The Most Secure Version Of Windows Yet!

> Of course they had to do all that. The Windows users back then were generally not very savvy...

Now you are missing my point. Microsoft didn't have to do anything. They could have built an operating system that was harder to use but more secure. I contend that it's even conceivable that they could have built an operating system that was roughly the same for ease of use, but still more secure; maybe they'd have been slower to market or had to compromise elsewhere. The point is that security was not a priority for them for years, they obviously just weren't that concerned. That may ultimately have been the right path for them, because they arguably didn't pay a high price really, but I don't personally consider it the technically best course.

> My point is that what is possible today, was not possible 10, 15, or 20 years ago both from a tech and user point of view... Just because someone can do OS security good today, dosn't mean you can blame someone else for not doing it good decades ago.

I think this is where we fundamentally disagree. I don't see why you think security is only something that can be achieved now and why it couldn't be ten or fifteen years ago. In the Unix world, people have known not to run as root for decades; Microsoft chose to ignore that for a long time and ultimately have been forced to shoehorn it back in for Vista. They could have done that in XP, if not long before; it certainly had the capability for it, they simply cut that out of XP Home and chose bad defaults for XP Pro.

[powertower]

> And it is not obvious to me that it's not a valid comparison; ... Android is a lot younger, so you could just as well expect it to be less mature and therefore less secure.

There is a reason why PC games are so much more advanced in their design, graphics, and game-play today than they were 10-20 years ago.

By your logic, there is little reason why Crysis 3 should not have been developed 15 years ago. If they can do it now, and the product/market fit for it is good now, why not 15 years ago!

That's just not how it works.

> In the Unix world...

Different world, different people, different needs/wants.

Microsoft didn't ignore anything; they have maintained a billion users for more than a decade. And profited more than most companies with an increase in sales every single year. They did something right, more than they did something wrong.

Easy-of-use was a priority for them over security until after XP because...

1. It would have impacted their users negatively (do you remember the response due to the new security in Vista?... people couldn't handle a pop-up, couldn't understand privileges, etc).

2. There previous OSs started from a single-user standpoint and it's difficult to change that (and maintain backwards compatibility, 3rd party drivers and software, support, etc).

You make things seem so easy. That's not how it works.

[archangel_one]

No, that is a totally different thing, and a fairly ridiculous comparison. You clearly can't have Crysis 3 15 years ago because the computers weren't powerful enough. Please don't apply a bad metaphor and tell me that's my reasoning, because it clearly wasn't.

Security does not require computing power, it needs careful code. By your logic, OpenBSD would have been an insecure mess 15 years ago, and nobody's web server would be getting hacked today. That is not how it works.

[powertower]

I've pointed out how ridiculous it's to blame Windows 95 for not being what today OSes are.

Since that wasn't good enough, I then pointed out how ridiculous it would be to compare IE6 (circa 2001) with the latest version of Chrome (2012).

But that wasn't good enough either.

So in the most general of ways I gave you one even better, which BTW had a small part to do with PC performance and more to do with everything else.

> OpenBSD would have been an insecure mess 15 years ago, and nobody's web server would be getting hacked today.

Have no idea what logic you're talking about.

I think we'll just have to disagree.

[dredmorbius]

It's not a 10-15 year old version.

As of ~2008, a very competent technical friend and co-worker had fired up a virgin WinXP instance, on the corporate intranet, to access some HR website which was strictly MSIE only.

Within the 15 minutes that instance was live, it had been compromised.

Anecdata, from a mythical extraterrestrial at that. But I'll stand by that and his experience.