said by scross:
Zero-day exploits may very well exist for every consumer-grade OS, but not many exist (if any at all, or for very long at all, generally) for enterprise-grade operating systems. (That's an old-school "alpha" term, BTW, which you may not understand. Many consumer-grade systems aspire to be - or even claim to be - enterprise-grade, too, but they rarely make the cut.)
Get over the attempted elitism; no one's buying. All of today's major OSs are enterprise-grade. You may have to do some configuration based on the role, but they are all capable of being deployed in the enterprise.
said by scross:
And I stand by my market share statement. There were old-school systems out there that had plenty of market share well before Microsoft became the big dog, and they never suffered from the numbers and kinds of exploits that hit Microsoft from the very beginning - mostly because they actually cared about integrity and security (they had to; it was a requirement for them to even get in the front door) while Microsoft didn't want to know and didn't care (plus they came in through the back door, at least at first). Any concerns that Microsoft has for this now came rather late in the game.
I don't believe this is correct. Based on your comments, I'm going to assume you don't move much in pen testing/hacking kinds of circles. The cost of an exploit is based on several factors, but the two largest drivers (aside from the age of the exploit and who you are) are the ease of deployment and target density (aka market share). You don't get as much for a SUSE Linux exploit that requires the user to execute a Java applet as for the same exploit on Windows 7. And a Windows 7 exploit is worth more than a Windows ME exploit. The reason why no one does exploits for DEC Alphas isn't because the OS is so secure, but because it's not worth any money. If I pay you $20k for the exploit, I need to be able to deploy it and get marketable information from enough targets to sell before the exploit is told to the vendor and patched. It's all about the money.
said by scross:
One of the benefits of being an old fart vs. a young turk is that we generally have a wide range of experience and the benefit of historical perspective, which the young folks lack. For example, it just floors me that kids today equate "computer" with "PC", because they don't have an effing clue that any other computer type exists or has ever existed, or that for every PC out there there are easily ten times as many non-PC systems that they interact with on a daily basis, only these do their work quietly and invisibly, for the most part. But being in the business as long as I have means that I've worked on a lot of stuff - stuff that might make a young turk literally run away in fear and loathing (no joke, because I've seen this very thing happen, and it's a good way of separating the men from the boys).
I'm not quite sure if you're saying I'm a 'young turk' or just making a statement. I will say that you have me by a couple of years, but not really enough to make that much of a difference. When people think about security they more often than not get really lost in the weeds and forget what security really is all about. Let's get out of the weeds for a moment and take a step back. Security is about managing risk. The most secure system is the one locked in a room without access and powered off. Every step away from that is about managing the risk to gain in efficiencies. You can easily say that years ago everything ran on an IBM/VAX/WANG mainframe and was really secure. But truthfully it's just a straw man, as the computing environment then isn't anything like it is now. In a way it's like saying a horse-drawn carriage is more secure than a Ford Focus. One pretty much isn't relevant now for more than a curiosity or in very specialized places. And you simply can't use the same measure between the two.
Part of being in this industry means moving and changing with the environment. Having a historical perspective is good, but I personally don't believe it's as valuable as you believe it to be. It's like me knowing how to program in Fortran. In today's world, it really doesn't matter unless I'm evaluating an application written in Fortran. The further back you go, the less relevant specific information is, and trending becomes more useful. We can go back a mere 15 years and look at the difference in centralized computing theory and security practices. Jump to today and we see what was a hard barrier between internal and external boundaries fade away. The effect of cloud-based computing and SaaS being adopted by business to handle core functions. Less internal IT staff and more vendors. The explosion of the internet with all the good and bad it's brought. Mobile systems in laptops, cell phones, and tablets. Wireless and remote access protections. Decisions around BYOD and security for managing data within those systems. The challenge of authentication and rights management across all of these federated systems. Support for thousands and thousands of different hardware pieces.
Personally I value honest objectivity in my employees over technology partisans. That objectivity is based on today's solutions, to meet today's challenges, across the enterprise with an eye on the market to see where vendors are positioning themselves for tomorrow's challenges.