A couple of stories have hit the headlines this year concerning the huge cost that some UK Local Governments incurred when dealing with malware attacks on their Windows machines. If you missed them, Manchester City Council had a single USB infected with the infamous Conficker worm and it cost them -- brace yourself -- £1.5m (US$2.4m) of which £1.2m (US$1.9m) was spent on IT, of which a staggering £600,000 (US$980k) went on consultancy fees including money to Microsoft. A while later, Ealing Borough Council were hit with a cost of £500,000 (about US$800k) when they were also hit by a single USB stick containing Conficker. Some in the industry tweeted and blogged this as being a "hidden cost of using Microsoft Windows". In the ensuing discussion, many pointed out that the high cost was really due to the lack of a proper patching and disaster recovery policy at the council. So which is right? Is dealing with malware a hidden cost of using Windows or of a poor IT strategy?
Even the most ardent Windows fan can't really argue with the fact that their favourite OS has a significantly greater number of malware threats against it than any free software OS will have. The popular reason given for this is that the high proportion of Windows boxes makes for a tempting target for the people behind the malware. This is a reasonable argument but it cannot be taken as the only defence here. If the number of installs is proportional to the number of threats, why have we not seen even a small increase in the number of malware threats against free OS? After all, the number of Internet-facing GNU/Linux and *BSD machines around now measures considerably higher than the number for say five years ago. Even allowing for the fact that the percentage of desktop machines using a free OS may not have increased (and I don't believe that's a valid argument anyway), the actual number of machines is likely to have increased. Yet we do not see malware writers increasingly targeting free OS users.
No, any sensible analysis will also consider that the high number of malware products for Windows may also result from its vulnerability to them. After all, if you are looking to break into a house, you'd surely choose the one with the open window, wouldn't you? The inherent security built into the way Unix-style systems are designed leads to fewer exploitable vulnerabilities in the first place. The open nature of free software also means that even small vulnerabilities tend to be spotted and patched quite quickly. The fact is that the more vulnerable the system, the more tempting a target it makes for malware writers. If that same system has a high proportion of users then so much the better but the numbers argument alone doesn't stand up if you ask me.
It has been argued that -- particularly in the case of Manchester City Council -- a weak patching policy and process is the real reason behind the cost of dealing with malware. Ealing Council were (in September 2009) still "planning to upgrade to Windows XP". Taking my house-breaking analogy, this argument is like saying that leaving your window open is asking for trouble. Generally I agree but there are two issues here. The first is that you (the house owner) did not leave the window open. Rather the house builder installed the windows in such a way that they could be opened easily from the outside and worse: the walls and door are exactly the same! Permit me to switch analogies but if you are constantly plugging your fingers in to plug holes in the dam, you will eventually run out of fingers. The second issue is the idea that applying the patch somehow secures your Windows system. It doesn't. It just fixes that hole in your house. The house-breaker will now just try to find another one and you enter the game of hoping the broken window is spotted by the builder before the house-breaker and that the builder notifies you and supplies a patch in time.
To be fair the second part there applies to any OS, not just Windows but the truth is that with a free OS, it's not just the builder (or his employees) who are looking for vulnerable windows, it's every other house-owner. Better still those other house-owners can not only spot the weakness but - if they have the skills - provide a fix.
It could be reasonably argued that the prevalent type of malware attack focuses on data rather than system access. All those lovely bank accounts and identities are the reason behind the popularity of phishing attacks. These are accompanied by worm-ridden e-mails which turn infected machines into zombies that send out more e-mails tempting users to log into a fake version of their bank. Phishing e-mails are not specifically targeted at Windows users, I get lots of them (all caught by my free software spam filters of course) and I am sure you do too. But the worms are targeted at Windows machines, mostly for the reasons I've given above. While Microsoft have said that Windows 7 is the most secure Windows yet, they do say that every time and yet the number of malware threats against Windows continues to increase. The usual arguments to guard against these threats are to patch, use anti-virus software and firewalls and educate your users. Sounds like a sensible policy but is that also because it's become so matter-of-fact (in the Windows world at least) that we accept it as normal? Ask what anti-virus software to use on a Windows mailing list and you'll likely start a flame-war over which is best. Ask the same question on a GNU/Linux list and you'll likely have most people tell you not to bother.
Educating users in software-usage is a good idea. Educating them on the dangers of phishing e-mails is also a good idea. Educating them not to open an attachment from a source they thought they could trust is entirely counter-intuitive. Worms come as attachments in e-mails sometimes "sent" from an e-mail address you'll recognise. Users click them because our societies teach us to do so. A sealed letter addressed to you, with your bank's address on the back, drops onto your doormat. What do you do? You open it. Your telephone rings and your caller ID system tells you it's your bank, what do you do? You take the call. An e-mail arrives saying "please read the attached security notice" and the "from" address is your bank's. What do you do? Ignore it. As I said, counter-intuitive and there are other examples. Advertising for Windows tells us how easy it is to use things like USB keys, making life easier (apparently). Yet one of Manchester City Council's reactions to their Windows security nightmare was to ban users from using them. Indeed USB ports have been disabled on all the desktops. Already I can hear people nodding in agreement and part of me concurs but when you get to the point where your chosen platform forces you to instruct users to do things in an entirely counter-intuitive way, you need to change your platform. Where's the advantage of a system which claims to give you a "better connected way to do business" if it also provides a better connected way to attack you?
In the past I've argued against bringing cost into the pro-free software argument. That's largely because it detracts from the main benefit of free software - freedom. However the argument is frequently used against free software and acronyms like TCO abound among the FUD spreaders. This "hidden cost of malware" argument falls well within the TCO. If your chosen OS means you have to buy and install anti-virus software on clients and servers, hire more staff to patch and maintain it and pay through the nose to hire people to fix a problem caused by vulnerabilities in the OS then those things should be added to the TCO. One TCO argument against free software is usually that free software sys-admins cost more and another is that free software is harder to maintain. The second one, as I have described before, is a complete crock and the first is blown out of the water if using Windows means you need better trained (and more expensive) staff to maintain it properly. If Windows is so easy to use and maintain, and is so secure, why do we need anti-virus software?
Regardless of your software choice, a poor patching policy is a very bad idea if you value system integrity. But if you are going to argue your case on TCO, Microsoft, don't then try to dodge talk of the additional costs for maintaining, patching and clearing a Windows-based system.
I am sure that many people will be thinking that Windows 7 is about to reduce the impact malware has on their systems. I hope they're right - if only for the sake of the millions of Windows users who have to foot the bill when their vulnerable systems are exposed. Experience tells me that "the most secure Windows yet" is still not a title to be proud of though.
Update: 1 December 2009
It seems Windows 7 may not have made much difference. Reports now abound that a recent Microsoft system update -- designed to increase security -- has the not-so-helpful effect of rendering the system unusable. According to one "expert" the "black screen of death" issue is down to an update which "...has the effect of invalidating several key registry entries if they are updated without consideration of the new ACL rules being applied,". So it seems that even if you do keep your Windows box patched and up-to-date you will still be losing money. Let's add that to the TCO then.
Further update: 2 December
In the interests of fairness, Microsoft have since denied that their updates affect the registry keys and are thus responsible for the black screens of death. Of course this kind of anti-malware vendor "speculation" could be seen as part of the problem of a system designed in such a way.
One final thing. When news of Conficker hit the headlines, the Windows world went on alert (well some of them did). For those whom the news didn't filter down to immediately, it was an expensive lesson waiting to happen. The free software world would have probably noted it (in case someone asked) and then got on with their jobs.
Verbatim copying and distribution of this entire article are permitted worldwide, without royalty, in any medium, provided this notice is preserved.