Not universe.. galaxy..

I'd draw a small distinction between a country itself and the idiots running it. But this guy is one prize moron for sure.

That blanket statement that is simply not true. A security researcher who finds a flaw sometimes makes a binary patch available along with their disclosure. Applying such patches is risky because they are untested, and lack peer review, and the researcher might lack insight into the design of the software they're patching. Speed of deployment depends on whether the flaw is found in an app or service or the kernel (it affects the amount of vetting required). If you're running a stock kernel (eg. ubuntu and many other distros do that) you need to wait for a patch from canonical -- mainline's patch won't work. Etc. etc. etc.

My dear friend, this is why you can never trust the synopsis -- the devil is truly in the details. There are ASLR implementations, that are wholly ineffective, moderately effective, and extremely effective. There are ASLR/DEP implementations that ship with the OS from scratch and there are versions that got shoe-horned in later with Service Packs. So the exact date depends on how you count. Suffice it to say that both have ASLR, and that's a good thing for everyone. ASLR is a very big deal btw. Let me know if you're curious as to why.

Code signing is so incredibly important it isn't even funny. Let's say you received an update notification for some kernel module, and now you applied the update. Without code-signing, that very act might have compromised your system. Let me explain: This update went through many hands before it got to you:
1. the vendor/person that created the update (how do you know this person is trustworthy and will not put something nefarious like a keylogger in the patch?)
2. the repository it was updated to (how do you know this repostory was not hacked, and this patch was not compromised before you downloaded it?)
3. the mirror for that repository (how do you know this mirror was not hacked, and this patch was not compromised before you downloaded it?)
4. your package manager s/w downloaded the patch from the mirror (how do you know actually hit the mirror, as opposed to a spoof that supplied you with a nefarious patch?)
5. finally made it to your machine, and continues to live on your machine (how do you know that *after* you applied the patch and used it many times, it was not compromised by some malware?)
Answer to all of this is code-signing! By verifying the signature, we can trace the person that created the patch. Therefore the creator can be made accountable for putting malware in it. By verifying the signature, we also verify that since the patch was created and signed by the creator it has not been altered (aka compromised) -- which guards against 2, 3, and 4. For point 4, if you're loading a module and you verify the signature everytime, then you know if it got compromised after the fact (after you applied it to your machine). This can be a critical step -- kernel integrity is a huge deal -- even if the rest of your system gets compromised, as long as your kernel is good you might still have a chance to recover. By verifying the integrity of every kernel module you load, you make sure your kernel's integrity is intact. This is still not the whole story on code-signing -- but hopefully you're getting the picture. None of this is science fiction btw. This shit actually happens. Don't let that link worry you though. As I mentioned earlier, your linux boxes are uninteresting to hackers on the internet at large so are unlikely to be attacked. Kernel.org is obviously an interesting and high-visiblity target, hence it will get attacked from time to time, hopefully unsuccessfully almost all of the time.

There absolutely is interest. Read up on the isolation techniques used in the OLPC (one laptop per child) project. It's fair to think of that as sandboxing on meth+HGH. The basic idea (behind sandboxing in general, not the OLPC implementation) is that if a process gets compromised, the damage is restricted to that process and that process only. The version you see in OLPC is a very powerful idea. Apple hired the dude behind that as their cheif security officer. If they're implementing that, a round of applause would be in order.

Point conceeded long time ago. As I said, if you prefer not dealing with this hassle, and are using Linux to get away from it, you made the right choice! But it just doesn't support the claim about Windows being intrinsically insecure (which is what I meant by 'why give Windows shit')..

I have not dismissed the idea even once. I have not changed the subject even once. You're reaching a non-sequitur conclusion.

Let me address this as directly as possible. I don't know the outcome because I don't run Windows without AV. Getting infected is not my idea of fun. I am not an interesting target however, and my machines are always patched, and I'm not a novice, so I suspect I would be fine for quite a long time. I do have some sort of anecdotal evidence however worthless it might be, but since you insist, I will present it -- ever since I have been on Vista or Win7, I cannot even remember getting a notification from my AV that something is infected. If I had ever been infected, I would have gotten a notification. That tells me I might have actually survived these last 4 or 5 years without AV (not that I care to try). However: this is anecdotal evidence -- maybe I lied, maybe my memory is bad. Plus, I'm not a novice so I have a better idea of what's trustworthy and what isn't. So even when I answer this question in the most direct manner possible, it doesn't say much. There's also the highly subjective question of what is a 'significant' amount of time? But the conclusion you're drawing is still incorrect. Your conclusion is "this is clear evidence the basic security of the Windows OS is completely ineffective.". As I pointed out, the flaw could lie in a third party app, a third party driver, a third party service, and could have been delivered via an attachment, an infected USB stick, an audio CD (yes, really), an ipod you plugged in, and a bunch of other avenues that have nothing to do with the OS (the OS might not even be compromised). So if malware can get onto your machine by exploiting s/w that has nothing to do with the OS how do you take that as "clear evidence the basic security of the OS is completely ineffective"? This is the disconnect right here. I am not changing the subject. I am not dismissing your point that as a user you don't effing care -- you merely want to be safe. I am telling you straight-up, that your logic is not adding up. The kernel integrity could be intact even after the malware gets into your system (depends on the malware, of course). If your kernel integrity is good, your AV should catch the malware and remove it. You yourself dismissed code-signing as nothing to brag about. OSes contain code-signing precisely to verify kernel integrity (among other things). You call that uber-important feature "not worth bragging about" and then you say "the basic security of the Windows OS is completely ineffective". How, how, for the love of god, how does that add up?

Inherently: existing in someone or something as a permanent and inseparable element, quality, or attribute. Security as a permanent and inseperable element of _____ OS? Semantics can buy you some leeway, but not that much!

The tone of written words is often open to interpretation. The tone in my head while typing all this was a that of an intense and engaging conversation over a cup of coffee. Any terseness results from lack of time.. Any exasperation results from my frustration at my failure to get through to you.. Expletives are due to my terribly foul mouth.. I sometimes even use them as terms of endearment..

Your posts weren't all rainbows and unicorns, btw -- you recall taking a pot-shot at me about not being a linux user or something?

I have no reason to blame users, or loathe or love them. I don't blame them for getting infected either. It's important to note that viruses can get into a machine through user interaction, and that user's interactions could have defeated defense mechanisms without knowing it. That's not the same as saying that a user is at fault -- they simply might not know better. I have nothing but sympathy for people in that situation -- there's no reason they should have to educate themselves on such matters. That doesn't mean the OS is piece of rubbish either. The truth is much more nuanced. Sometimes the OS does it's best, the user does their best, yet the attacker still wins. You, my friend, are the one looking to blame someone (in this case, microsoft and windows). I am the one saying stuff along the lines of "Use whatever OS you want. You don't need any justification. If you choose Linux to avoid dealing with AV's you made the right choice" etc. etc. Go back and read my posts -- I have not said anything negative about any OS, or any user, or any application etc. I merely supplied facts and reasoning, mixed in with some frustration at your refusal to see reason.

I am not Bill Gates, or anything like him, nor I do not represent M$ (is that the correct spelling, or is that an attitude problem on my part?). If you dislike me, I suspect, its only because I called you out. If you recall, you made a really egregious claim about Linux lacking some critical security measures. Did I not set the record straight there as well? You then minimized the importance of those features. Didn't I attempt to rectify that as well? Misinformation is misinformation..

100% wrong. The whole point of a security flaw is that you can exploit it to do something you were not supposed to be able to. See the latest Linux advisories here. Don't bother looking at the whole list -- just skim through the ones at the top intended for Debian. In the descriptions do you see the words "execution of arbitrary code", "privilege escalation", etc.? As the name suggests, the first type of flaw allows you to run any code you want (but in the context of the process you compromised). The second type gets you root. The combination means you own the box. This is true for all OSes. These flaws exist everywhere. Nothing is intrinsically secure or insecure. People write exploits for these flaws on Windows. They don't do it for Linux.

Unbelievable.
- ASLR and DEP do exist in Linux. It's your first line of defense against buffer overruns.
- Sandboxing does exist in Linux as well.
- Code signing does exist in Linux (that's not the full story on code-signing in Linux, but it'll do for the purpose of this conversation).
Did you just ask me if I'm familiar with Linux??? How can you be so wrong, about such basic things, and yet argue so much? This is unbearable. The worst part is that you're talking out of both sides of your mouth by first claiming that Linux is intrinsically secure, and then boldly stating that it does not have extremely key security measures that are expected at the kernel level.

Finally some context. As I asked many many posts ago (see the comment RE cash registers) what was the point of this example then? These are obviously fixed-function machines. It's like arguing with an indolent child...

No to the speed thing. I use what my company provides. I do recommend 'efficient' AV software regardless. If you're running some piece-of-crap AV why give Windows shit about it?

MSE is fee. MSE will be built in to Win8 for free. That was the point of TFA, to which you replied "who cares". Answer: obviously, you do.

I have gone to such extreme lengths to answer in detail, and you accuse me of this. I hope you at least have the seed of an idea that there is no such thing as an "inherently secure OS". Effectively secure -- possible. Inherently secure -- nobody's figured that out yet.

You keep on and on circumventing the simple fact that a virus can be contracted through an insecure service (not necessarily a part of the OS), an insecure application (not necessarily a part of the OS), and user interaction (not a part of the OS) among other methods. You said Windows (which happens to be an OS) had woeful intrinsic insecurity. Your conjecture of "relies almost entirely on additional protection" is plain nonsense. What do you think of ASLR / DEP / sandboxing/ Authenticode signing / etc are? The list is endless. Other OSes have introduced almost all these features years after Windows. I hate making overly general negative statements, so I'll stop with that, but please do some research for the love of god. You just keep on and on ingoring facts, and repeating simpleton lines ad-infinitum.

You're confusing security and obscurity here. The net effect is the same though. An OS that nobody cares to attack is likely to remain secure. If you haven't gotten the theme, I have not faulted your choice of OS whatever it might be -- I'm simply pointing out that your conjecture about Windows having brain-damaged security is wrong.

Oh my god.. install MSE and leave auto-updates on. That's it. Nobody is even asking you to do that much, because nobody is even asking you to run Windows. Just realize that your initial assertion was wrong. TFA was about MSE being included in Win8 by default. That reduces this to a no-op. But you'll still be citing 8 year old or 3 year old rants from random people that don't know jack.

I still don't understand how you think a firewall compensates for AV. Please, just answer this one question directly instead of avoiding it. This level of ignorance is unbearable.

Almost a fair point, but not quite. First of all -- bootup would be (for example) 32 seconds instead of 30 seconds (if even that). Second -- only when an active scan is running, will an AV slow things down. The default for an active scan should be around 3am, on a monthly basis (or something like that), when nobody is using the machine. If it runs when you're doing nothing, then why care? If the machine was off, and the scan didn't happen, it'll take place when it next gets idle cycles. Either way, no trouble to you. If you claim to notice a slow down when AV is not actively scanning, then that's your imagination at work.

Depends on your AV -- MSE, kaspersky etc. have very low footprints, to the point of it not being worth your time to track this.

MSE is free. MSE is being built into Win8 for free. Your original comment was "who cares". Apparently you do. Now do you begin to see why your comment was so fucking annoying? It added nothing to the conversation -- and was misleading/FUD to boot.

You're just living in the past here man. Auto-update. Don't bother to look again after that. Auto-update. Do you not apply the security patches on Linux or OS-X? Is this different than that somehow? What logic is this?

If you put an AV on them, you'd be able to surf the net fine. If you choose not to run AV, why not just run Linux and actually use those machines to browse? I just don't get people like you. You're taking such pride in such a stupid configuration, it beggars belief. And worse still -- you act like it proves something. It does not -- you don't have to use that dumb config -- you just choose to.

Security through oscurity my friend. When you say "hosts" I assume you mean you're hosting some service or site. If not, i.e. if these machines are Linux desktops, then, well, you're part of the 0.5% install-base that no attacker finds lucrative. Same case with the apps running on them. If it's a service, then your service/site is simply not interesting enough for anyone to attack it. It's really not that hard. Ask any hacker -- if you are interesting enough, you will get hacked no matter your OS. Until then, you remain disinteresting, so only untargeted carpet bombing is directed at you. If you choose Linux to avoid that, you made the right choice, because that means these carpet bombs are not designed for your OS. Using that as proof that Windows is somehow architecturally flawed is illogical. Using the fact that nobody attackes Linux as proof that Linux is "inherently secure" is equally illogical. Understand very clearly that I am not calling Linux insecure. I'm saying everything is insecure. Do you, or do you not get regular security updates on your Linux machines? What the fuck do you think those patches are for? Shits and giggles? On Linux though, you actually have the option of not even applying those patches, and you'll probably still be fine. Over time, you'll have many many unpatched, openly disclosed vulnerabilities on your system, but you'll still not be compromised. Why do you think that is?

You just happen to be wrong. You can call it an 'effectively' secure OS if you want -- because the net effect of nobody attacking it, is that it remains uncompromised. But "inherently" is simply the wrong word. Calling Linux (or OS-X, or Windows or anything) inherently secure is not supported by the facts. Calling Linux (or OS-X, or Windows or anything) inherently insecure is not supported by the facts either. Assuming that a not-interesting-to-the-world-at-large Linux box is likely to remain clean is supported by the facts. Assuming that a not-interesting-to-the-world-at-large Windows box will remain clean without AV is asking for trouble. It's really not that complicated.

Certainly not due to stubbornness on my part -- I'm just asking you to specify a design/architectural flaw instead of using dubious links (rants actually) from people who know nothing.

See -- this is a key difference. I'm not bad-mouthing any OS, or promoting any OS, or any agenda. I'm just debunking a very outdated myth.

Who said it cannot last long? I merely said that you shouldn't even try this. Just be a little less stubborn and run AV. The outcome of this experiment is meaningless. Even if the OS is secure, you might be running a service that is not. You can contract a virus through ignorant user interactions. There are many ways of getting viruses that do not require compromising a security flaw in the OS. How do you not get this basic point??

Sure -- anybody defending Windows must have an agenda. Guys that writes articles title "Why windows security is awful" or "Why I hate Microsoft" are neutral third-party observers on the other hand.

You're effectively adjusting your definition for your own convenience -- you still cannot point out a design flaw. You need to point out a design flaw/architectural flaw to say that it's intrinsically insecure.

Regarding your links:

This is just a random list, compiled by someone on Wikipedia. From the article itself: In our context , "Security-focused" means that the project is devoted to increasing the security as a major goal. As such, something can be secure without being "security-focused." For example, almost all of the operating systems mentioned here are faced with security bug fixes in their lifetime. Regarding the highlighted part above: In who's content?

Again -- just a random list of OSes with certain certifications. What random criteria are you using when selecting these silly links??

And this is an example of the blind leading the blind. You're willfully misinforming yourself by listening to people who know nothing. The guy calls DLLs insecure. Are you familiar with a .so in unix? Do you know the difference between a .so and a .dll? Answer -- there is none. The guy calls Active-X insecure -- (this is repeated ad-infinitum by people who basically know nothing about security). First -- Active-X itself was not the problem -- the problem was that it was enabled by default, which enabled sites use it to load malicious plugins. Problem fixed a very long time ago. In addition there are active-x killbits updates pushed out regularly (no other browser's gets these updates for their respective plugin technology, fyi). There is no material difference between active-x and any plugin technology for any other browser (for example look up mozilla's npapi -- they are equivalent, and do the same thing, and you can write malicious plugins using either one). Lastly, there are even more nasty things in the pipeline (look up NACL from Google) -- if you don't fear that one, and you fear Active-X, you've really outsourced all your thinking to slashdot, and decided not to do any of it yourself. Not to mention sandboxing for active-x again -- so again, your link is outdated and wrong, and your objection is outdated.

Next, the guy objects to OLE. Again -- do you think the equivalent technology does not exist in unix? The guy complains about macros -- yes, any time you have a parser, it is a security risk. This is well-known. This is one of the reasons browsers are such a huge target -- because they are parsers first and foremost, and what they parse is untrusted. Do you still never use a browser?? It goes back to what I told you earlier -- the only way to stay 100% uncompromised is to never use a computer at all. Is your goal to actually get some work done? If yes -- select the best tool for the job, and then secure the tool as best you can. That tool could very well be os-x, unix, linux, whatever. But you're fooling yourself if you think that it can never be windows, and if you think that Windows has woeful intrinsic insecurity.

Lastly -- you seem to prefer to not merely point out the insecurity you're referring to. I don't have endless time to rebut these random links you find on the net (and you're really finding some stuff of incredibly dubious quality -- you seem to be willing to listen to anyone who will tell you "windows sux"). Please, when you reply back, do so with a specific architectural flaw that makes windows insecure, else I cannot make time to reply.

Being critical when your criticism is based on facts is not FUD. Being critical (woeful intrinsic insecurity -- remember) without a single piece of evidence to back it up and just mere conjecture remaining (why is Windows security "still so dependant" on firewalls and AV software) -- that's FUD.

I understand your reasons for using Linux. Even without those reasons, it's entirely possible that Linux is the best tool for whatever task you might have. And even without those reasons, and even if Linux is not the best tool for the job, you can still use Linux just because you feel like it, and nobody can/should be able to tell you to do otherwise. My point is merely this -- you said Windows had woeful intrinsic insecurity, and I contend that your view is incorrect and outdated. FUD is FUD no matter who is spreading it.

I'm familiar / comfortable with every OS there is.. I use Windows and Linux a lot more than OS-X though..

You're making a case that either Windows has "woeful intrinsic insecurity" or it is impenetrable. You don't see that there can be some shades of grey between those two stances? All OSes lie within those shades of grey. Show me an impenetrable OS, and I'll show you an OS with no external interfaces. You're also overlooking the fact that not all malware requires a security hole -- sometimes it just takes an uninformed user. So no -- at no point did I suggest that Windows should not require AV, and I don't understand how you can derive that from what I said.

Immaterial -- even if the machine got compromised eventually it would not prove your claim about "woeful intrinsic insecurity". Like I said -- many shades of grey between zero security and complete impenetrability. The world is not black and white like that.