I joined the Windows Update team at Microsoft around two months ago. While I can't give exact figures, a standard non-SSIRP update costs Microsoft around 6 figures to code, test, and ship. October was our biggest release in history with something like 44 updates released (you can do the math).
Security incidents that are SSIRPs (effectively vulnerabilities that start actively being exploited, in particular with potential global impact) cost a lot more. Conficker.b was costing Microsoft over a million dollars a day for weeks in support calls alone.
Security flaws cost Microsoft a ton of money directly and through things like damaging their brand. They invested insane amounts of money improving security for Win 7, we'll see how it works out (as best as I can tell, it should be pretty effective).
Sure, I appreciate it costs a lot to put things right.
"damaging their brand."
How can you damage Microsoft's brand any more than it already is? I don't think most people buying Microsoft buy it because of the brand. Which is why I don't think OS vulnerabilities particularly cost them in lost revenue.
The people that buy into other platforms for "security" are misinformed, and I say this as an inveterate Mac user who ships software on Debian VMs.
A good acid test for whether someone is talking out their ass about security: they make smart-ass comments about Microsoft. It's getting harder and harder to find reputable security researchers who haven't done work for Microsoft.
Security is a more complex terrain than that Microsoft vs. Free Software space people keep insisting on dragging the discussion into. Dragging it into this place is a straw man.
A straw man compounded to your ad hominem is not up to the usual standards here.
It is possible for you to hire people to secure an open platform from the ground up. It is up to Microsoft to secure Windows from top to wherever they think the cost exceeds the benefit for them. That's a key difference - it doesn't matter how much effort you spend securing Windows, if you are not Microsoft, you can never be sure of the results until you find them out the hard way.
Yes. I do like Free Software and I use it extensively. I also use Sun, Oracle, IBM, SAP, PeopleSoft and, from time to time, even recommend MS SQL Server when it makes sense. It would, however, be insane to simply disregard the appalling security record of Microsoft's software or to oversimplify it as a Free vs Evil dichotomy. It's not.
It's just that Microsoft seems to spend more money promoting their wares than properly checking and securing them. Security seems to be grafted on instead of built in.
And, for the other argument, of security issues arising only from adversarial conditions and not bugs, that's simply incorrect. Software that's correct should not have holes like unchecked buffers that allow code injections. And it's not only Microsoft who's guilty here - just about every product I use seems to have fallen for this one at a given point in its history. Still, the fact others face it does not make Microsoft's products more secure. Like I said, it's a more complex issue than this false dichotomy.
As for more sophisticated attacks that rely on memory access patterns, memory protection mishandling, improper erasure and so on, well... If the processor is not, itself, correct, you can't really expect the software to cover all the holes - only the possible ones.
I read this comment 3 times, up and down, and I can't find an assertion about security in it that is (a) based in any kind of fact or (b) falsifiable in any way with any facts I can bring to the discussion.
Suffice it to say that I'm not a Microsoft "astro-turfer", and you're just flat out wrong --- and not only wrong, but actually making things up out of whole cloth. "More money promoting their wares than properly securing them". I'm surprised you feel comfortable making claims like that. In any case, I'm sure you'll never be convinced either way, so, enjoy the last word.
I can't remember accusing anyone specifically of being an astro-turfer. I only noticed a tendency of any comment critical of Microsoft having a more than average likelihood of being downvoted, something I already noticed years ago, when Digg was interesting. This topic seems to bring out a certain amount of passion in the audience, myself included.
There are two statements you can try to falsify: "It is possible for you to hire people to secure an open platform from the ground up" and "It is up to Microsoft to secure Windows from top to wherever they think the cost exceeds the benefit for them". As for the third, "Microsoft seems to spend more money promoting their wares than properly checking and securing them", it's an impression and, as such, subjective. The "seems" is there because they do spend a whole lot of money on promoting their software and the "properly" is there because it doesn't matter how much they spend, the results are still pitiful, as the mountain of spam in my inbox and the constant onslaught of botnets on my clients (no - my trade is software, but my code has passed more security audits than I can remember) demonstrate so eloquently. Their programs seem to be improving with every release, true, but there is still a long way to go before I would entrust my data to them.
> The people that buy into other platforms for "security" are misinformed
While I don't doubt what you say, isn't there something to be said about the fact that more attacks are targeted at Microsoft's platform than, say, OS X?
While Vista may be more secure, isn't there still a higher chance of getting nailed by a security flaw in Vista than OS X purely because more people are attacking the former?
"Conficker.b was costing Microsoft over a million dollars a day for weeks in support calls alone"
It was not Conficker that cost Microsoft a million a day - it was the support to their customers that bought software that had uncorrected bugs that should have been detected earlier and that made Conficker possible. Shipping bugs costs a lot of money. Unless they cost more than getting rid of them, they are never corrected.
And if it did cost Microsoft a million a day, it cost a lot more to their customers.
What? You make a buggy software product, someone finds a way to exploit it automatically, and when your customers come calling asking for help to repair their systems, suddenly, you are not to be blamed? Not even a little? How so?
Let's move the example from software to aerospace.
Someone builds planes that, when an engine inhales a bird, explode, killing all passengers and crew. They do not know the problem exists and did as little testing as required by regulations. Knowing the problem, a kid decides to release pigeons in the path of the plane, creating a quite spectacular accident. Who will you blame? Just the kid, just the manufacturer or both?
Until executive bonuses get cut, you will see no improvement over there. Unfortunately, lots of bonuses get calculated on limited scopes and don't reflect the complete lifetime of a product. This way, it's easy to close sales, pocket huge bonuses right now, get promoted, and to let the support cost bomb explode in the hands of your successor while you capitalize on your success and head up the corporate ladder.
If you look at them closely, big corporations are rarely more intelligent than a sponge or a coral reef.
disclaimer: this is my opinion, not my employer's