8 comments

[ 0.19 ms ] story [ 33.5 ms ] thread
"Avoid Microsoft products where possible." "Minimize the number of Microsoft Internet applications you use." Are you kidding me? This advice is completely outrageous on so many levels. Microsoft has made many mistakes, and they have a whole lot of problems to fix, but for the love of god, the company is not a piece of shit.

NO software is guaranteed immune to malware, and MS has done at least as good a job of patching and securing their software as any vendor in the industry.

Given what they have to lose from vulnerabilities in their software, given the resources they have committed to the challenge, and given their track record thus far, I think it is clear that updated, regularly patched software from MS is a very safe bet for security -- at least as good of a bet as sw from anywhere else.

If you think that "avoiding MS products" will make you secure, you are dreaming, and you are also missing out on all of the fantastic attributes that make MS products desirable.

It has clearly become fashionable to bash MS at every turn, but these otherwise interesting "security guidelines" take it to a whole new level.

Avoiding microsoft will not make you secure, but using microsoft products will make you more vulnerable.
Avoiding Internet Explorer will certainly make you more secure. Unfortunately, Microsoft's response time before vulnerability disclosure and fix is unacceptable.

http://www.webdevout.net/browser-security#delay

Very interesting data, but how does it demonstrate that MS is, as of now, any slower at addressing vulnerabilities than any other vendor? The report is more than two years old (it says the data is from Feb 2009), and it is based on vulnerabilities discovered over the life of each product. That puts MS at an obvious disadvantage because it includes their "slow start" in fixing a host of early vulnerabilities, while excluding their more recent efforts, which are surely more respectable.

Do you know of any data covering 2009 to now? That would be more useful.

You're arguing passionately against propositions you made yourself. e.g. nowhere there it says "MS is a piece of shit".

IMHO, saying things like

  Microsoft’s Internet Explorer and its email programs
  Outlook and Outlook Express are very difficult for even
  professionals to secure. Furthermore, adversaries tend to
  attack more popular platforms and applications.
Is a fair assessment. Can you point us to the MS bashing fest?
My word choice is more colorful than the source, but I think it's a fair characterization of the message in the source material, and not a proposition I am making myself.

For EFF to issue a sweeping recommendation that users should "avoid Microsoft products where possible" is completely ridiculous and might cause many readers, if they believe EFF to be credible, to conclude that Microsoft is a piece of shit. After all, it would be pretty shitty for a major software company with tens of thousands of employees, many of whom are brilliant, and $2B per month in earnings, to be completely unable to deliver software that does not so imperil users that the general advice is for them to avoid using the products at all. So, given its implications, I think the advice given by EFF is just outrageous.

Saying that IE and Outlook are difficult to secure is not in itself inflammatory, except when coupled with the general recommendation to avoid Microsoft. ANY Internet-connected software is difficult to secure and audit, so why single out Microsoft? Are the other vendors that much better? I doubt it. Can you show me some kind of real data demonstrating that products similar in functionality to the latest versions of IE and Outlook are truly less difficult to secure?

The argument that "adversaries tend to attack popular platforms" is common sense but not useful, and no more compelling than saying "The vendor with the largest installed base, the most smart developers, and the most cash, will do the best job, over time, of securing their platform." In reality, the size of the user base, and the size of the company, provide nothing more than a rationale, as opposed to real information about the security of the platform.

So, in my opinion, EFF is not making a "fair assessment."

This is not you and me having a debate over beers at a bar. This is the EFF saying, flat out, MS products are to be avoided, and one reason for that is their popularity. For most people, this translates to, "Use a Mac instead. They are inherently more secure and less of a target because they aren't as popular." And while there are lots of great reasons to use a Mac, I think this line of thinking is flimsy.

Finally, the MS bashing fest is totally pervasive. It's firmly in the zeitgeist right now, and I totally object to the herd mentality it demonstrates. Last week there was a much-debated post on HN by a company indicating that an experienced .NET programmer is "ruined" and very unlikely to be a good programmer in general.

There are absolutely valid criticisms of Microsoft. But when every jackass, and "credible" sources, too, develop the reflex that Microsoft is shit, it offends my sensibilities.

No, Microsoft is no shit... but it does not offer very secure products. Get over it!

MS's customer base is, in general, not very tech savvy. Also, I believe it is not inaccurate to say that they see computers as "magic". You perform the correct "incantation" and the magic just "works". So, the problem is not only that they do not value security highly enough; they assign high value to a number of features that makes security harder. Think in all the APIs available to 3r party software to make fancier applications (that inter-operate with one another). Think backwards compatibility. Think seemly smooth operation.

What happens with this situation, is that the brilliant developers at Microsoft get a bunch of conflicting requirements, and (strong???) incentives to compromise in those that do not add to the bottom line. Those brilliant guys will burn themselves creating overly complicated solutions that are bond to be wrong in very obscure ways. And this so, even granting the assumption that they will make an honest effort to provide the best possible security given the constrains mentioned before.

Do they care about security? Absolutely, otherwise they would've gone out of business long ago. Is security their top priority? Not really. Are there any better options, security-wise, than Microsoft? I'd bet pennies to dollars; specially if those competitors do not fear trashing the intuitiveness of their systems and making a hell of a learning curve to new users.

An most of the time, it is OK. Most people does not have important enough information at their computers. They can afford the risks and may decide the inconveniences to protect their systems are not worth the effort. But, as IT professionals, it is highly irresponsible not to let them know what they are getting into.

Microsoft is fair game here, not just because their products are often insecure, but because they are the biggest target of exploiters. I think it is fair advice.