Using Windows for a Day Cost Mac User $100,000 (and it's not related to anything else totally)
-
, specifically Mac security.
Well, of course. I mean we all know he should have been using Linux.
-
I won't disagree specifically, but there are Linux viruses too... Less common than even Mac ones, sure, but they do exist. I only really skimmed over the article, but the clickbait headline really annoys the crap out of me. That kind of stuff encourages... acquaintances... of mine to blast them out in emails proclaiming the truth of The One True Jobs, and I have to point out what the article actually said. Meanwhile, though, in their mind Windows is already insecure, and Mac OSX is soooo much better. When really, this has nothing to do with OS, and everything to do with stupid user operating practices
That's probably a
post but meh I don't care
-
Now explain why that was stupid:
It's stupid because it's self-defeating advice. It's advice that if followed by everyone, stops being useful.
Mac and Linux are "safe" because few people use them. If more people start using them, the incentive to write malware for them increases, and they stop being "safe".
As has already been stated, the problem is he used an unsecured computer, not that he used a Windows machine. In a few months, the Mac they have in the house will also be infected because his kids and wife use it for porn.
Also, he used a shitty bank that doesn't use security tokens for corporate accounts.
-
Eh, fine, but none of you have shown that he was wrong or stupid. Especially for 5 years ago. You guys want to fool yourselves into thinking that, just wait, someday soon the criminals will be targeting stuff other than Windows. Still waiting for next Tuesday.
It's stupid because it's self-defeating advice. It's advice that if followed by everyone, stops being useful.
Don't protect yourself, or we're all doomed! Who is being stupid here?
As has already been stated, the problem is he used an unsecured computer, not that he used a Windows machine.
Yes. Because Windows machines are much more difficult. Look, we already know that his advice is to use a LiveCD for this stuff. It's even mentioned in this article.
In a few months, the Mac they have in the house will also be infected because his kids and wife use it for porn.
Did this actually happen a lot? Lots of documented cases of businesses losing money due to Windows malware. Again, especially in the time frame of the article.
Also, he used a shitty bank that doesn't use security tokens for corporate accounts.
Yes, like....all banks that were likely convenient to them. But you know, if we all started using these tokens, then the crooks would just wait outside our business and mug us. That's horrible security, because now you've jeopardized your physical safety, too! WHAT'S WRONG WITH YOU PEOPLE.
-
Your analogy is imputing racism where there isn't necessarily any.
Get over the damn race thing. That's my go-to analogy for correlation/causation because it's obvious and clear that it's wrong. Racism or otherwise is irrelevant to whether it's a good analogy for what you're saying.
Nevertheless, you're using something that's poisoning the well (racism).
I'm not equating your error with that error, I'm equating the steps used to get there. Racism is irrelevant, that's just a good example because it's clear and well-known.And it's wrong, to boot.
I disagree on that.I threw a silly statement mentioning several common fallacies
So what was the point of that statement, if it wasn't claiming that I'd made those fallacies? I am not psychic, if someone dismisses my point mentioning a bunch of logical fallacies and nothing else, what did I ought to think?you
noticedaddressed one of them.
What is with the perception around here that if you don't explicitly refer to every part of a post, regardless of whether you care to say anything about more than one point in it, you must have not read the rest?
-
That's my go-to analogy for correlation/causation because it's obvious and clear that it's wrong.
No, it isn't. Not on its own. Look, poison the well all you like, but stop whining about it when you get called out.
I disagree on that.
I know. That's because you're wrong.
So what was the point of that statement, if it wasn't claiming that I'd made those fallacies?
It was obviously ridiculous. I was saying your analogy was ridiculous.
What is with the perception around here that if you don't explicitly refer to every part of a post, regardless of whether you care to say anything about more than one point in it, you must have not read the rest?
I don't know, and I'm not sure what the mangled quote of mine is supposed to mean either.
It is fun watching Krebs troll you guys by using Windows in the headline 5 years down the road. Your emotional attachment is so strong.
-
Eh, fine, but none of you have shown that he was wrong or stupid. Especially for 5 years ago. You guys want to fool yourselves into thinking that, just wait, someday soon the criminals will be targeting stuff other than Windows. Still waiting for next Tuesday.
Well I'd be willing to bet there are a fair number of attacks, at least for OSX. Not so much for Linux, which is pretty strange actually, given how pervasive Linux machines are in the server world. Unfortunately, really detailed statistics on this kind of stuff aren't really available. All you really have is the number of attacks created, not so much the number of machines comprimised, number of 0-days, number of actual monetary loss, etc
The real issue I see with it is this:
A lot of the Windows attacks are honestly just repackaged prior attacks, targeting people like
@forgotmylogin1who haven't updated themselves. Attacking Windows like this takes very little effort, but on the flip side, it takes very little effort to protect yourself from over 90% of these attacks. We should be encouraging people to do this, not encouraging them to switch operating systems...
-
It is fun watching Krebs troll you guys by using Windows in the headline 5 years down the road. Your emotional attachment is so strong.
I don't give a Belgian dam. I just called out your logical fallacy, because logical fallacies offend me regardless of what I think about the point they're being used to support.
-
Well I'd be willing to bet there are a fair number of attacks, at least for OSX.
OooooKayyyyyy...any documented cases of businesses losing thousands of dollars to them?
A lot of the Windows attacks are honestly just repackaged prior attacks, targeting people like @forgotmylogin1 who haven't updated themselves. Attacking Windows like this takes very little effort, but on the flip side, it takes very little effort to protect yourself from over 90% of these attacks. We should be encouraging people to do this
Yes, this is all true. But it's easier to enforce discipline on a particular activity (banking with a LiveCD) than always keeping the machines up to date, never going to dodgy things on the internet, etc.
not encouraging them to switch operating systems..
Which isn't really what's happening here. @CarrieVS, look, we found a real strawman!
-
-
*Pats @Boomzilla on the head*
-
OooooKayyyyyy...any documented cases of businesses losing thousands of dollars to them?
sloosecannon:
No, see point regarding statistics. I could counter-point and ask you for the same regarding Windows. The statistics just don't actually exist...
Yes, this is all true. But it's easier to enforce discipline on a particular activity (banking with a LiveCD) than always keeping the machines up to date, never going to dodgy things on the internet, etc.
True, but is that what the headline (which is probably the only thing people read anyways) says?Which isn't really what's happening here. @CarrieVS, look, we found a real strawman!
Again - I get this from the headline:You totally should switch to OSX from Windows, because it's insecure and this guy lost a lot of money
What the article says beyond that is irrelevant
-
someday soon the criminals will be targeting stuff other than Windows
They already are.
@boomzilla said:Don't protect yourself, or we're all doomed! Who is being stupid here?
You, it seems, since no one else said "Don't protect yourself"?Look, we already know that his advice is to use a LiveCD for this stuff. It's even mentioned in this article.
You mean this quote?But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.
The advice is to use a Live CD or a Mac. The dedicated bit helps, but a dedicated Windows machine, or a "Live CD" of Windows, would be just as safe. Safety is a result of your habits, not your platform. Mixing the two up leads to worse security.
But you know, if we all started using these tokens, then the crooks would just wait outside our business and mug us. That's horrible security, because now you've jeopardized your physical safety, too!
You can just call the bank and tell them to issue a new security token.
-
OooooKayyyyyy...any documented cases of businesses losing thousands of dollars to them?
Does "buying thousands of dollars worth of overpriced machines" count?
-
It's kind of confusing, because there are multiple ways to look at causality for non-trivial events.
-
-
No, see point regarding statistics. I could counter-point and ask you for the same regarding Windows. The statistics just don't actually exist...
The blogger in question had run a series of articles about the phenomenon. I don't recall them on other systems, though there may have been some. There definitely weren't any from users who use LiveCDs.
You can go all blakey-stupid and demand some peer reviewed thing to believe anything here, but all I'm asking for is a single anecdote (which, you'll note, is really not even an argument against his main advice).
True, but is that what the headline (which is probably the only thing people read anyways) says?
And it's not really wrong, either. Obviously, the problem was that the computer was insecure. Why was that? Well, Windows PCs were notorious and much more likely to be targets for this sort of thing.
Someone like @CarrieVS would read a statement like this and assume we hate Windows and like to blame it because of some other prejudice (at least, that's how she'll describe us). Other M$ defenders are more interested in tu quoques than dealing with the reality.
You totally should switch to OSX from Windows, because it's insecure and this guy lost a lot of moneyWhat the article says beyond that is irrelevant
And if he had done that for banking, it's probably even true!
-
Someone like @CarrieVS would read a statement like this and assume we hate Windows and like to blame it because of some other prejudice (at least, that's how she'll describe us).
-
You can just call the bank and tell them to issue a new security token.
Which is all totally irrelevant to my troll and the article in question.
The advice is to use a Live CD or a Mac. The dedicated bit helps, but a dedicated Windows machine, or a "Live CD" of Windows, would be just as safe. Safety is a result of your habits, not your platform. Mixing the two up leads to worse security.
Using a Mac was still better security for the average guy than using Windows. Not in a theoretical sense, because yes, malware exists for all sorts of platforms, but in a real sense because they weren't being targeted.
His continual advice was to use a LiveCD. He also said that using a Mac for this was better than Windows. Which certainly used to be the case.
-
Does "buying thousands of dollars worth of overpriced machines" count?
I think it should.
-
security by obscurity is not security
Security by obscurity is not real security because obscurity will eventually fade. That doesn't alter the fact that until it does so, the obscure system might well be more secure than an equally badly designed system whose obscurity has already faded.
And regardless of how sound the theoretical technical arguments may or may not be, the simple fact is that right now in 2015 a family PC running Windows is more likely to be pwned than the same PC in the same household would be if it were running any desktop Linux distro.
This is not Windows' fault per se. It's simply the consequence of three self-evident facts:
-
Teenagers with local admin rights on their family Windows box, which is most teenagers with family Windows boxes, prefer to install software like video downloaders or messaging clients that they don't have to pay for.
-
Free-as-in-beer Windows software riddled with Trojan crap is much, much easier to find than free Windows-based software without bundled crap.
-
People who choose their own OS rather than just using whatever came preinstalled on their PC usually either have somewhat superior technical ability and therefore security awareness, or have ready access to somebody else who does.
Any Linux distro, where almost all of what runs on it comes from a small set of repositories curated and maintained by people most of whom are not primarily motivated by the endless upsell, is going to be less susceptible to having malware installed by its primary user than Windows - or, for that matter, than app-store-based systems run by commercial concerns.
Post-Vista versions of Windows are configured, by default, in a manner that's about as secure on a technical basis as a traditional Unix setup. The difference between commercial software and free software culture and norms, though, still gives free systems a genuine malware-resistance advantage.
-
-
The difference between commercial software and free software culture and norms, though, still gives free systems a genuine malware-resistance advantage.
QFT
Installation channels primarily used on Linux systems provide a small but significant buffer against malware. It's much harder to get an intentionally malicious piece of software into a proper repo than just getting it ranked decently on Google.
While I'm not a member of aluminium foil hat society (I even run
systemd, OMGWTFBBQ!), I do oppose the idea of binary installers becoming a norm on Linux. I'd rather have a unified packaging system and have everything go throughaptoryumor whatever than have custom binary installers all over the place. Because it is safer to use the repositories, if only just slightly.Of course, we then get to the can of worms that is Launchpad and
ppas... Which, while convenient, are getting into potentially dodgy territory...
-
Of course, we then get to the can of worms that is Launchpad and ppas... Which, while convenient, are getting into potentially dodgy territory...
And there's nothing stopping anyone from running their own repository, though I suppose the PPAs probably get some undeserved trust due to their host.
-
And there's nothing stopping anyone from running their own repository, though I suppose the PPAs probably get some undeserved trust due to their host.
And publicity, because they are easier to find due to the platform. Also, less work, no need to host stuff yourself, etc.
-
And there's nothing stopping anyone from running their own repository, though I suppose the PPAs probably get some undeserved trust due to their host.
And publicity, because they are easier to find due to the platform
The other thing that I think PPAs could do (someone can correct me if I'm wrong) is provide packages that they "shouldn't". So for instance, if I add your PPA so I can install TheAwesomes, you or someone who compromises your PPA can not only give a new version of TheAwesomes but could say "hey here's a new patched version of coreutils you should totally install it".
For this reason (both for security as well as in an attempt to avoid unintended unstable upgrades) I never leave PPAs enabled... I install what I want and then remove the PPA. This leaves me without updates to the installed software (and in some sense less secure than with a Windows-y solution to installing 3rd party packages), but that feels like the lesser of two evils.
-
someone who compromises your PPA can not only give a new version of TheAwesomes but could say "hey here's a new patched version of coreutils you should totally install it
Not entirely sure on that one. But worth checking out, even though it won't happen to me personally. I switched to Debian, so...
-
-
Huh? Isn't add-apt-repository basically the same thing?
Pretty much, yes. But PPAs are designed specifically for *buntus and derivatives and don't really work readily out of the box, other than some basic stuff. Dependency issues abound. So people pretty much avoid them on Debian.
I did miss a thing or two from there, but I found alternate sources. It just wasn't worth the hassle. I imagine most Debian users do the same.
-
If people do start doing personal banking with Linux, malware users will target Linux because that's where money is.
I do personal banking with Linux, but I don't think there will ever be enough people who do to make it worthwhile to port the malware.
And there's nothing stopping anyone from running their own repository
They'd have to compile programs from the source and figure out the dependencies. That would stop a lot of people.
-
If a straw man begs the question would you burn him just because he'd burn you?
KILLING ME WON'T BRING BACK YOUR GODDAMN HONEY!
... oh sorry. Wicker Man flashbacks.
-
They'd have to compile programs from the source and figure out the dependencies. That would stop a lot of people.
Yes, if you have something with lots of dependencies, you're in trouble. But even so, google and opera manage this, and if you want to distribute malware, you're going to want it to run in lots of places, so presumably you'll design it to not have difficult dependencies.
-
... oh sorry. Wicker Man flashbacks.
No problem. That made more sense than the actual response it got originally.
-
Ok, but what about the correlation between “entertainment machine used by non-technical people” and Windows?
-
if you want to distribute malware, you're going to want it to run in lots of places, so presumably you'll design it to not have difficult dependencies.
So that's why my malware that required a VBscript cross-compiler never took off.
-
Use a Virtual Machine. Only load it up when needing to take care of financial situations. It's what I do. I've loaded some light Linux distro and a FLOSS accounting software in a VM.
-
I do oppose the idea of binary installers becoming a norm on Linux.
Just build everything from source! (If you do this, you too will come to truly hate C++…)
-
I didn't say that. I only meant I'd prefer everything going through a repository system.
Also, a properly build package should be easy to build from source if you so desire in that case.
-
I didn't say that. I only meant I'd prefer everything going through a repository system.
The major problem with repository systems is that they're principally focused on delivering substantial, compiled packages that have relatively few, large releases. They don't work nearly so well with the continuous delivery approaches used in a lot of software development, and so can result in users having several software update delivery mechanisms fighting with each other. That's astoundingly annoying to users; a real usability killer. (I observed this directly the other week with Python, where attempting to get some software working with its supporting packages took all morning because everything insisted on installing versions that just wouldn't work with each other, some of which I had to be careful with because of other pieces of software that I didn't want to go through a process of applying major updates to…)
There's also the problem that it effectively precludes commercial software by locking out the distribution ecosystem. Some people who encourage repository systems think that this is a great outcome, and work very hard to try to drown out anyone who might claim otherwise. I'm not as opposed to commercial applications; I think they've got their place, particularly in entertainment applications (i.e., gaming) and specialised niches.
-
I didn't say that. I only meant I'd prefer everything going through a repository system.
"I hate access to commercial software! Fuck you Sony Vegas!"
-
I don't see why a repository is locking out commercial software. Doesn't Ubuntu have a store with commercial software sitting in a standard Debian-style repo? Proxmox has its own repo available to paying customers as well.
Also, Opera and Chrome have their own repositories that work well and use the same update system as everything else I have installed. And, once it's set up, I don't see how that's more work than building a fresh installer and / or adding the new version to your own, homebrew update system.
Repositories can distribute binary blobs. All I install are actually binary blobs, I don't bother with getting the source and recompiling everything, either. And I use closed source software, be it paid or free.
Actually, that's what Steam is, isn't it? It's a frontend for a repository of (mostly) games. Which makes it easier to use, and if a piece of malware is detected in one of the packages, it's easier to push an update and get rid of it simpler and faster.
Binary installers and custom updaters are much worse, IMHO. That's what gets you the mess that is java and flash updaters on Windows, constantly annoying people and asking for this or that, instead of just being pushed like something like Windows update.
-
I don't see why a repository is locking out commercial software. Doesn't Ubuntu have a store with commercial software sitting in a standard Debian-style repo? Proxmox has its own repo available to paying customers as well.
Well these magic solutions aren't working, because ain't nobody porting their commercial software to Linux.
Of course the fact that Linux development is an order of magnitude more difficult than any other platform, and the support costs similarly higher, oh and the Linux "community" is full of whiny assholes, most of whom believe software has no value, and they'd all pirate it anyway.
So of those 457385763285623e4w784t3u2y46 t123456tu23456 t2734rt76`1wq7t46r761252341 reasons to not put commercial software on Linux, maybe the repo thing isn't so bad. But Linux still sucks ass.
-
Of course the fact that Linux development is an order of magnitude more difficult than any other platform
And a big part of that is the distribution aspect. Mostly because there's no simple way to manage dependencies on all the different distros. Which is not something I see solved overnight. Maybe it won't be solved ever. But going through the distro's package manager does help greatly.
These days, covering
debandrpmpackages means you'll probably reach 99.9% of all potential customers on Linux systems. Other oddball distros which don't use one of those two packaging systems are the ones where most of the crowd that will never install anything not open source resides, so worrying about that, from (most of) the paid software developers point of view, is moot. And those are the only Linux based systems where custom binary installers really make sense.In a perfect world, there would be one packaging mechanism, and it would work. That's probably true only on OS X, if even there. Seeing this happen on either Linux or Windows (are there really reasons not to use MSI?) is something of a pipe dream. But I still believe going the package manager route is better for everyone.
-
And a big part of that is the distribution aspect. Mostly because there's no simple way to manage dependencies on all the different distros. Which is not something I see solved overnight.
Well it's been, what, 19 years? WHEN THE FUCK YOU GONNA GET AROUND TO IT?
-
It's called package managers. They work.
But they are apparently considered hostile for commercial software, because... reasons? For years, Sun/Oracle Java was not available in any kind of a repository (is it now? not sure). I have NFC why.
It's a pain there's not only one package manager out there so we can just use that and be done with it. But again,
debandrpmcover all the major distros almost anyone who's not a part of "clozed sourse is teh evulz guise!" is likely to use.
-
Well these magic solutions aren't working, because ain't nobody porting their commercial software to Linux.
That's untrue. Maybe they're not porting the stuff you're thinking about — there's a vast diversity of software out there, so that's quite possible — but it's definitely happening.
It's happening despite the distributions though.
Of course the fact that Linux development is an order of magnitude more difficult than any other platform
LIES! I do see that different platforms have different problems.
And a big part of that is the distribution aspect.
That's a trivial part. Most commercial developers have a great way of dealing with the distributions: they just ignore them, perhaps with a side order of “fuck them in their little star holes”. Instead, packaging an application with all its dependencies in one directory structure is done, and that actually works really quite well; all the authorised user has to do is to unpack the distribution somewhere beneath
/optand they're good to go. Or they are given a VM image; that works very well for anything complicated.A lot of the commercial software I see for Linux is actually deployed server-side, with clients being web-based (which is good for a bunch of practical reasons) but it's most definitely commercial software that runs on Linux. People make quite a bit of money from this sort of thing.
-
LIES!
Oh yeah? How do you make an app with native-looking windows and widgets on Linux? How many completely different UI layers do you need for that? (Hint: on every other OS, it's one.)
-
How do you make an app with native-looking windows and widgets on Linux?
I use a software library in my application, called a toolkit. That toolkit talks to the graphics engine (which is a user-space process on Linux instead of being in the kernel) and tells it to draw the UI. That UI looks native. Because the software library is written right, I take the same code and run it on Windows or OSX and it also looks native.
There's plenty of complexity, sure, but user code avoids virtually all of it.
Cross-platform UI libraries are genuinely difficult to write well, and Windows manages to edge out OSX as the most difficult platform to target. The Windows drawing layer isn't very nice in some weird ways — there are some places in the font engine where things are horribly wrong — whereas the OSX event handling layer is WTF-ridden. The big problems on Linux are more to do with real legacy boatanchors and idiot theme authors. And the font engine is also not nice.
Personally, the things that frustrate me most are the quality of the documentation on all platforms. MSDN appears to be great until you realise that it's actually a trap: it's all little bits of information, with nothing to really draw it together into something unified (particularly between API functions, the structures that you use with those functions, and the constants you use in those structures). Apple doesn't seem to believe in documenting anything other than the absolutely latest and greatest, which is really awful when you're doing long-term support (though the core of their docs are actually pretty good). And you'd better like Objective-C. Linux docs are good, or absent, depending on who wrote the code.
-
@Onyx said:
I didn't say that. I only meant I'd prefer everything going through a repository system.
"I hate access to commercial software! Fuck you Sony Vegas!"I dont' understand how this stuff works.FTFY
-
I use a software library in my application, called a toolkit. That toolkit talks to the graphics engine (which is a user-space process on Linux instead of being in the kernel) and tells it to draw the UI. That UI looks native. Because the software library is written right, I take the same code and run it on Windows or OSX and it also looks native.
So if the behavior of the 3 common windowing toolkits in Linux is so similar that a single codebase can target all three, why are there three of them?
Put another way: either you're lying, or Linux people have multiple competing GUI frameworks for literally NO REASON except to make things more complicated.
Or more likely, you have extremely low standards when it comes to GUIs, all your GUIs are fucking broken all the time, and you just don't give a shit because everything in Linux is so broken you don't even notice.
-
So if the behavior of the 3 common windowing toolkits in Linux is so similar that a single codebase can target all three, why are there three of them?
Because history, and the switching cost for moving between toolkits is really high.
Put another way: either you're lying, or Linux people have multiple competing GUI frameworks for literally NO REASON except to make things more complicated.
Or you just don't understand what the costs are because you're not as experienced as you think you are.
