
Why it makes more and more sense to move away from Windows XP

Category Linux
Even though my company employs several email gateway systems (including a managed service), we still get spam, which means that our messaging group is still answering why spam is getting through all of our terrific, and expensive, defenses.

Over the last several months, spam has surged onto the Internet with a renewed system of distribution: botnets of compromised workstations. Unsuspecting workstations are being infected with a trojan virus that surreptitiously compromises tens of thousands of computers.

SecureWorks has graphed out the details of the latest SpamThru botnet attack. What is interesting to me is that most of these infected systems are local to the US, and most are running on the latest Windows XP service pack. I would have expected the US workstations to have better than average protection, and it is especially surprising that the systems with the latest service pack have the highest infection rate.



I think it's time to start considering an earlier retirement for Windows XP than most companies have planned. The clear choices are going to be Windows Vista, Macintosh OS X and Linux. The costs are going to be more complicated to measure because while Vista may be more expensive as a desktop OS, the upgrade costs will be less. But now that the Macintosh runs on Intel hardware and can dual-boot into Windows, it offers an attractive alternative that might increase its market share. So, the Mac turns out to be a real possibility. Microsoft doesn't want to lose any desktop revenue to Apple (or anyone else) and, like any good poker player, it has played the game well by covering all bets with a Novell SuSE Linux alliance. Don't like the expense of Vista's license and its hardware requirements? Novell will sell you their Linux client at a fraction of the cost, and it is Microsoft friendly.

I'd like to think that the FOSS offerings of Ubuntu and others will make an impact on desktop computing. But that would be just as believable as Nintendo coming out with the cheapest game machine and trouncing its heavyweight competition. Oh, wait a minute . . .

Comments

2 - Well, I'm not so willing to insist that only unprotected, home machines are botnet candidates. Businesses (especially SMBs) get infected workstations and servers all the time. And while it's likely that Windows Vista will continue to be targeted for new security compromises, most of the analysts concede that Windows Vista has dramatically improved its security handling.

What I do see is that no matter where there are Microsoft Windows systems, security is becoming the number one concern. That might seem like a truism, but a few years back “security” was more a topic grouped with disaster recovery than it was an immediate business concern.

Pretty much everyone has given up on the idea that an insecure system can be hardened, which is what I see with the data from SecureWorks and others. The momentum will be to replace the OS with a better security model.

Working with the ISP to kill spam (and viruses, et al.) simply extends the hardening shell out to the distribution channel. It's not really an answer to the problem of an insecure OS. Besides, no ISP is going to be able to define malevolent packets with Solomon's wisdom, which means that an ISP is sure to be punished for denying mail which it incorrectly identified as dangerous or inappropriate.

What makes you think that the ISP is going to do better at stopping spam than the current array of spam agencies (e.g., Postini), firmware appliances (e.g., IronPort), and software solutions (e.g., SpamAssassin)? I don't see it happening.

The next generation of OS is going to be sold on the basis of security, because the labor and system overhead is extraordinarily expensive to maintain the current systems. How many reviews of Windows Vista have spoken about huge productivity enhancements? Um, little to none. So, how's it going to be sold? As a nod to more Microsoft integration?

Expect to see the “sex sells” mantra replaced with “security sells.”




1 - "I think it's time to start considering an earlier retirement for Windows XP than most companies have planned"

Companies? All those spam bots will be individuals. You could move every business/organisation owned machine to SecuresOS ImpenetrableVersion(tm) tomorrow, and it would have no effect.

You have to get home users to upgrade. And to be honest, that's not guaranteed to stop the problem anyway. Ill-educated users will click on anything, and often simply OK a message that they don't understand - unless the message is scary enough.

So even on Vista, you'll see spam bots. They'll be installed willingly by people that wanted to see the latest Paris Hilton nude pics (eugh!), or whatever alluring trick arrived in their inbox. IE Protected Mode will help more, by closing the long-overdue ActiveX hole in the security layer - but users will only use that if it doesn't break the websites they visit.

You want to get rid of spam bots? Go via the ISPs, not via the OS vendor. An OS upgrade won't work because the user is stupid. But if their ISP detects abuse and re-routes their traffic so that all they can see is a website that says "clean your machine!" and won't re-route them to a normal state until they've called them, then we'll see a drop.

Of course, ISPs don't want to do that to paying customers. So that's not going to happen.

And finally... An OS upgrade seems very harsh when the user is going to have to buy security (Anti-malware) software anyway, if they want to remain secure. Why add the extra expense of the OS on? Just putting decent anti-malware software on these machines would solve the problem far more easily and quickly, and be a far more effective use of people's time and money.

Dang. Should've made this a blog entry on my own blog, really...
