How to make your Windows machine more stable and secure

[Kintaro]

Linux isn't more secure by design, linux is totally braindead when it comes to design. No ACLs by default, everything's a one big hack, it's a wonder the OS works at all. With processes having to be suid for things to work, everything's pretty damn messy. Also, I laugh at your view that openbsd would be a champion of security. That's just ridiculous.

For an untrusted application to run in a users homedirectory, the user first has to let it be chmod +x in the first place. This leaves stack smashing flaws in user applications. The most common user applications are Mozilla Firefox and Mozilla Thunderbird. If you could trojan a user into installing a keylogger as an xpi or something, it would infect a few people. However if anything like that happens, and similar things have happened in the past, there are many geeks on standby that are going to view the code out of interest, and will see it.

That system is not perfect, and your right: no system is. Nonetheless I have had more problems that "just arise" on Windows then any other operating system. When my laptop was running Windows the network stack would fuck up and stop letting anything work with TCP, UDP, or anything important. Restarting the adapter would fix this, however often it would stop responding, the stupid little taskbar icon, the window for "repair", or even if I tried doing it by just disabling and renableing the adapter. Other bizarre crashes and other things kept happening.

As for the comeing Longhorn and .NET objects behind it: This is a new model to use, and will probably create problems. Microsoft will probably end up using a load of legacy code to save time on the release (Microsoft always do). The other things with new models is it will attract new security flaws, and ideas in the darker areas of computing. As for TCPA, it is the stupidest thing ever: It will allow users less control over there system. How the hell is that security? It is not security, its the biggest security hole I have ever heard of. What if someone does a man in the middle attack of the TCPA providers? Your fucked, and everyone else using it is as well.

Also I will point out that Microsoft Windows still has stupid methods of permissions, that are its biggest problems. Executables are executable via a silly file extension, which makes things MUCH easier for a hacker. Not only that but it hides in unsuspecting file extensions like .SCR for example.

Microsoft does not have anything that really compares to what runs on Linux, or what is being shipped with most good distros. Windows' shipped firewall is very backwards in most respects. With iptables you can put a lot more into the rules, you can restrict individual users, individual groups, and all kinds of stuff. Then there are things like snort which provide even better security because it actually looks at the data and works with that.

Then there is SELinux, which also comes with Fedora Core 3 and probably other distros. SELinux is a lot more versatile then even an ACL setup.

[Kintaro]

I can almost see us fifty years from now, trying to teach our grandchildren of the scourge that was Windows.  "Grampa, why did they get away with selling drink coasters for so much those days?"  To which, I'll reply, "those aren't drink coasters hun, those were once a great media format - a bridge between old analogue cassettes and the newfangled laser-based hypnoplayers of today - used to an unjust end by a corporation bent on world domination.  Fortunately, Linus Hood saved the day from their evil goons, and restored the media to its former glory."

According to SCO Linus Hood "stole from the rich and gave to the poor" as well.

[greatscot]

My two windows systems are both completely stable and secure. Haven't had any real problems with them, ever. I suspect windows is just too complex OS for you guys, so linux and such systems might be a better choice for your needs.

You never know what a closed source OS is doing behind your back. How do you know your Windows machine is secure? If I were a hacker, I would break into a machine and do it in such a way that the user never knew I was in, so I could use their machine to send email and spread viruses, worms and trojans without their knowledge. Windows is the best OS for such a thing because it is horribly insecure and sloppily coded by a corporation which cares nothing about its users.

I run rkhunter, chkrootkit, snort and tripwire twice daily. Probably overkill, but, when it comes to computer security, there is no such thing as overkill.

Your machine is probably rooted and you aren't smart enough to know it.

Here's a hint: There is no such thing as "completely secure".

Of course your aren't having any problems, a cracker needs your machine in order to do their evil bidding so they will make sure you don't have any problems. But, when they try to hack into fbi.gov or cia.gov (or any other site for that matter) via your machine, you're the one who will be visited by the men in black, not the cracker - since it is your machine that is being used for bad things and it is your machine that will be tracked. The cracker will know how to cover their tracks and leave you hanging to be the scapegoat.

The best thing you can do is format your hard drive, install Linux and learn how to use it properly. Once you learn about Linux, your eyes will be opened to exactly how horrible Windows is and you will be glad you got rid of all M$ products.

[greatscot]

I refuse to use software that is written and/or distributed by a corporation who was caught red-handed trying to fake evidence in a court of law. That tells you how underhanded they are and how much they think that lying and fraud is "ok". The only reason M$ still exists today is because they have enough money to buy off the immoral people who work for the US gov't.

And the only reason they have all that money is because Windows users are stupid enough to buy their products.

[muzzy]

I refuse to use software that is written and/or distributed by a corporation who was caught red-handed trying to fake evidence in a court of law. That tells you how underhanded they are and how much they think that lying and fraud is "ok". The only reason M$ still exists today is because they have enough money to buy off the immoral people who work for the US gov't.

And the only reason they have all that money is because Windows users are stupid enough to buy their products.

I read about this and found it unclear what was really going on. The only proof for fraud was that the titlebar of a window didn't change. Why do you yell fraud, when it could've been just incompetence?

[muzzy]

I run rkhunter, chkrootkit, snort and tripwire twice daily. Probably overkill, but, when it comes to computer security, there is no such thing as overkill.

Your machine is probably rooted and you aren't smart enough to know it.

Obviously I cannot be 100% sure my windows is clean, but neither can you. I run VICE, RootkitRevealer, and some of my own stuff every now and then. I've never found anything.

The best thing you can do is format your hard drive, install Linux and learn how to use it properly. Once you learn about Linux, your eyes will be opened to exactly how horrible Windows is and you will be glad you got rid of all M$ products.

I know linux, and it's a horrible mess. Just because the source is available doesn't make it any better technically, it's just a matter of freedom. Yeah, I value freedom and that's good stuff about linux, and I hope all of the computing industry will head to move free direction. Some of the things I dislike about proprietary software is that I'm not supposed to fix them, and I'm not supposed to ask the authors about their design and implementation decisions. If I do, they'll likely threaten to sue. This however isn't just a Microsoft issue, it's got to do with the whole industry.

[muzzy]

Now you've left the realm of user-land and entered geek territory. Most users aren't going to be able to do that.

I thought reading sourcecode was geek territory already. Also, your use of the term "user-land" is slightly confusing since it typically means something different than what you imply.

Linux isn't more secure by design, linux is totally braindead when it comes to design. No ACLs by default, everything's a one big hack, it's a wonder the OS works at all.
Doth the pot sayeth unto the kettle: "Thou art black"? Sounds like a Linux-ignorant statement to me. Furthermore, didn't you already concede that maintaining backwards compatability was a source of problems for Win-*? Doesn't doing that make Win-* just as much a "hack"?  :p

The backwards compatibility solutions in windows are indeed a hack, however the whole linux kernel is one big hack. I've had a plenty of lovely experiences regarding it. Few years ago at work, I had to investigate how to let processes keep more files open. Turned out, the constant that defined it in the kernel was redefined in userland as a different value, but only if you included the headers in a specific order. No explanation whatsoever for this was provided anywhere. They've fixed that since then, but all sorts of various kludges exist all over the place.

What comes to security design, there's very little of that anywhere. The overall design is the old *nix design, of filesystem defining the access right, with suid bits set for applications that need greater access. Capabilities came at some point but I'm not aware of them still being used. Regarding the suid, it'd be more secure to have one central database of what's suid and what's not, so nobody's going to create a suidroot shell under some obscure directory and hide it there. And don't you tell me that there are security solutions to detect these, when you were pointing out the existance of security industry being implication of insecure design in Windows

Tell me, why are high level applications written in a low level languages?
For speed. I have a couple of projects up at SourceForge: FurCoder and FurCoderCXX. The one and only difference between them is that the former was coded in Ruby, while the latter is a C++ app. Both do exactly the same thing; both use the FOX GUI toolkit for graphics. However, FurCoderCXX is a helluvalot more responsive. There is no waiting for the GUI to update, as this happens with no noticeable lag. The Ruby app takes a couple of seconds to update.

Not being exactly a Ruby programmer, I can't take guesses at what might be going on, but "couple of seconds" sounds like it's not just Ruby's fault. Highlevel languages can be just as fast as C++, for example Ocaml has been claimed to generate code that rivals Intel's C++ compiler.

So what? The W3C sets standards for HTML. We all know how reliable MS has already proved to be when it comes to making Inter-nut Expl-Horror compliant to standards.  :rolleyes:  Perhaps they will do better with .NET and the ECMA, but I'm certainly not going to bet on that.  :p

HTML standards leave much for interpretation, while the CLR doesn't do that. The "problem" you will be seeing is same that happened with java, Microsoft will implement their proprietary packages and will encourage people to develop against them. This means that these applications will not run on other systems until someone reimplements the said packages.

How to fight this? Make sure someone else provides plenty of useful packages for .NET, ofcourse. There's gtk# already as a replacement to Windows.Forms, and hopefully others will follow.

Regarding your comment about application providers, I agree that the idea of them is somewhat flawed, but not as horrible as you'd think. Can you imagine buying for a linux shell, where someone else takes care of the software upgrades and patching and stuff? Yeah? Why is the same thing with windows any different? Obviously there's a slight difference in balance here, but if application service providers and application developers are isolated from each other, it could just work.

[Kintaro]

What comes to security design, there's very little of that anywhere. The overall design is the old *nix design, of filesystem defining the access right, with suid bits set for applications that need greater access. Capabilities came at some point but I'm not aware of them still being used. Regarding the suid, it'd be more secure to have one central database of what's suid and what's not, so nobody's going to create a suidroot shell under some obscure directory and hide it there. And don't you tell me that there are security solutions to detect these, when you were pointing out the existance of security industry being implication of insecure design in Windows

PAM.

Good distros all use it.

[muzzy]

Oh my, I'm replying to a lot of people now, am I not? Well well, here I go again...

For an untrusted application to run in a users homedirectory, the user first has to let it be chmod +x in the first place.

Ohyeah. Since linux apps are so hard to install, there won't be an issue of running untrusted applications. Or if they're ran purposedly, they're being trusted huh? Nice way to get out of the real issue

If you could trojan a user into installing a keylogger as an xpi or something, it would infect a few people. However if anything like that happens, and similar things have happened in the past, there are many geeks on standby that are going to view the code out of interest, and will see it.

Will these geeks also go clean up everyone's systems? Didn't think so. When something like that happens in windows, there are various anti-virus companies and a lot of geeks as well to check it out. That doesn't make the problem go away, it's just another step in the security process, you still need to recover from the infection. How do you get the infected people to fix their systems? The problem is same that exists with windows. It's only a bigger problem in windows because windows is more popular.

That system is not perfect, and your right: no system is. Nonetheless I have had more problems that "just arise" on Windows then any other operating system. When my laptop was running Windows the network stack would fuck up and stop letting anything work with TCP, UDP, or anything important. Restarting the adapter would fix this, however often it would stop responding, the stupid little taskbar icon, the window for "repair", or even if I tried doing it by just disabling and renableing the adapter. Other bizarre crashes and other things kept happening.

Hardware or driver issue. I cannot see how this is different from using linux and running a proprietary driver. Due to how modern operating systems are designed, drivers have a little bit too much freedom to operate. I have a kind of "dream OS", which would involve a Xen-like approach of separating the guest OS and host OS, with drivers being in the simple host OS layer. And here, the drivers would run under some sort of JIT VM, bytecode, so they couldn't crash the damn system. Well, one can dream. Perhaps in future, once the .NET implementations get stronger, this kind of approach will become viable as well.

As for the comeing Longhorn and .NET objects behind it: This is a new model to use, and will probably create problems. Microsoft will probably end up using a load of legacy code to save time on the release (Microsoft always do).

I cannot see any problem with using legacy code here. Once the stuff works, portions can be rewritten to be "more pure" if desired. However since the .NET will create a completely new machine abstraction level, anything that goes underneath it is not an issue. It's just the machine implementation, and it can be changed anytime without affecting stuff above it.

The other things with new models is it will attract new security flaws, and ideas in the darker areas of computing.

I don't quite understand what you mean with this, are you saying that a beast you know is better than one you don't? Definitely there will be issues that need to be resolved, but with the VM being a single point of failure for many security related issues, you won't have to go running around patching all applications if a common security issue is found. It only has to be patched once, in the VM.

As for TCPA, it is the stupidest thing ever: It will allow users less control over there system. How the hell is that security? It is not security, its the biggest security hole I have ever heard of. What if someone does a man in the middle attack of the TCPA providers? Your fucked, and everyone else using it is as well.

You are making some wild assumptions here, and I think it's because of the TCPA FUD that's been going around. You know, pretty much everything TCPA does can ALREADY be done with software. You don't think so? See Xen and what it does: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ ... this same approach could be used to implement a lot of the TCPA functionality. However, a hardware support on some level is needed to make things straightforward. What's I've read about TCPA, it seems to be damn good stuff, and I can't wait to get to play with it.

Also I will point out that Microsoft Windows still has stupid methods of permissions, that are its biggest problems. Executables are executable via a silly file extension, which makes things MUCH easier for a hacker. Not only that but it hides in unsuspecting file extensions like .SCR for example.

And if you unzip or tar x some file under linux, the executable metadata doesn't get propagated to the filesystem? Damn, it does. There you go. Ofcourse, the windows issue is that the metadata isn't for the OS, it's for the GUI. All files are potentially executables and you can CreateProcess() against even a .txt file.
However, the lack of metadata isn't the issue here. The issue is overloading of doubleclicking. In some cases, it runs the associated program. In some cases, it runs the file itself as a program. This isn't necessarily bad, but it requires user to know the difference, and in some cases, it gets relatively tough. Another example of the same issue is how command prompt overloads file execution. If you type a filename in cmd.exe, it first tries to CreateProcess() and then it tries to check for file associations and stuff. The problem is, CreateProcess() can start an executable no matter the filename. Try this: rename the extension of some exe to "txt", and try to run it in the command prompt. You'll see that it still runs it, since the extension resolution only happens afterwards.

So, the problem is overloading of different operations. This is definitely bad security, as seen elsewhere where it has happened. Another example of it would be Outlook's midi-executable hole that was found (and fixed) long ago. Attach an executable, and claim it has a .mid mime-type, then require it be played as a background sound. The implementation used some overloaded mechanism to process the file, that was able to do more than was required, and definitely more than was expected. Result: the damn file ran when mail was read.

I agree that this is bad design, however there's no going back in win32-land, since ShellExecute() and similar things are depended on by everyone. Getting to .NET is the ultimate solution to fix the mess, since that lets us drop the win32 crap behind.

Microsoft does not have anything that really compares to what runs on Linux, or what is being shipped with most good distros. Windows' shipped firewall is very backwards in most respects. With iptables you can put a lot more into the rules, you can restrict individual users, individual groups, and all kinds of stuff. Then there are things like snort which provide even better security because it actually looks at the data and works with that.

Obviously you're only comparing the things that you want to. The windows native kernel is superior to that of linux, except in some specific things. Unfortunately, these specific things are quite significant, but the windows kernel still compares pretty damn well to linux. Yeah, I'd like better networking mechanisms, too, that's one thing where linux wins. If you want a router that performs complex traffic shaping (weighted round robin, for example), there aren't really any alternatives than using linux/iptables/tc and friends. This might be the only reason I'll ever get a linux system running at home, but for now I haven't had such a strong need for a traffic shaper.

What comes to snort, I've found it gives way too many false positives to be useful at all. It'd take a year to configure it to only show sane things.

Then there is SELinux, which also comes with Fedora Core 3 and probably other distros. SELinux is a lot more versatile then even an ACL setup.

There have been some funny kernel patches for linux around for quite a while now, but I hadn't seen any real distro use any of it. I hadn't heard that FC3 ships with it by default, and that definitely makes things interesting. With such patches, you can actually have a linux system that I'll admit is more secure than Windows. However, for now, I'll wait to see these things actually get more widely used.

[muzzy]

PAM

PAM definitely solves some problems, but only relating to user authentication. Why are there still so many suidroot apps on the system, and why are SSH vulnerabilities still remote root holes?

[Kintaro]

Ohyeah. Since linux apps are so hard to install, there won't be an issue of running untrusted applications. Or if they're ran purposedly, they're being trusted huh? Nice way to get out of the real issue.

Well this isn't a big issue for a Fedora User, all the applications come from a trusted source with apt-get. And on my server, it runs trustix which users a similar system exclusive to trustix called swup which uses gpg signed sources. However if any of the servers got cracked themselves.

Nonetheless, snort provides very advanced protection against all these vulnrabilities. Including even those for Windows if you run it on your router/firewall which is a bonus.

Hardware or driver issue. I cannot see how this is different from using linux and running a proprietary driver. Due to how modern operating systems are designed, drivers have a little bit too much freedom to operate. I have a kind of "dream OS", which would involve a Xen-like approach of separating the guest OS and host OS, with drivers being in the simple host OS layer. And here, the drivers would run under some sort of JIT VM, bytecode, so they couldn't crash the damn system. Well, one can dream. Perhaps in future, once the .NET implementations get stronger, this kind of approach will become viable as well.

Tried updating the drivers several times, and other things. However now that I have no Windows on my laptop, its not an issue, it is fine in Linux. It seems the kernel maintainers can differentiate between STABLE and UNSTABLE, Microsoft have given me a lot of unstable drivers in the past, so, not an issue.

Besides

SELinux > Microsoft.

[muzzy]

Well this isn't a big issue for a Fedora User, all the applications come from a trusted source with apt-get. And on my server, it runs trustix which users a similar system exclusive to trustix called swup which uses gpg signed sources. However if any of the servers got cracked themselves.

Apt is nice, but what if you want to install some third party cool monkey that will run around your desktop doing cool stuff? And don't tell me it's ridiculous that anyone would want such a thing, practice proves otherwise.

There will always be countless amounts of software out there that won't be in known repositories. Then you have to get it yourself, from untrusted source, assuming you want to run it in the first place. A lot of the time you can apt-get everything you need, and if you can't get your favourite text editor "pico", you only need to whine about it to your geek friends and they'll tell you to get "nano" instead.

Anyway, I've understood that "normal" users just tend to go around and try whatever software they can find. They'll download and run anything, to find cool stuff. If such people were to use linux, and knew how to do what they want to do, you'd have a security disaster right there and then.

Security isn't just something a system provides, it's more about the users than about the systems most of the time. Good systems enable users to make informed security decisions, but uninformed users can't make good security decisions no matter the system.

[jtpenrod]

I thought reading sourcecode was geek territory already. Also, your use of the term "user-land" is slightly confusing since it typically means something different than what you imply.

Here is what you said: "Bad experiences tend to be because something unexpected and frustrating happens. If you understand the system, there will be significantly less of such experiences."

What does this have to do with anything? Three years ago, these friends of the family bought a brand-new Sony Viao with Win-XP installed. They didn't really care what they were running until the wife lost two weeks' worth of work needed for her college graduation. XP ate the whole damn thing at 2:00AM the morning it was due at 8:00AM. Of course the professor wouldn't take: "XP ate my homework" for an excuse. She failed the course, and this delayed her graduation for six months. The day after, they practically begged me to install Linux on their system and show them how to use it. This, I did. So far, there have been no further incidents of this sort. How would their having a "greater understanding" make them more forgiving towards Win-XP? All they care about is that XP trashed valuable work at the worst possible time, and that Linux doesn't.

The backwards compatibility solutions in windows are indeed a hack, however the whole linux kernel is one big hack. I've had a plenty of lovely experiences regarding it. Few years ago at work, I had to investigate how to let processes keep more files open. Turned out, the constant that defined it in the kernel was redefined in userland as a different value, but only if you included the headers in a specific order. No explanation whatsoever for this was provided anywhere. They've fixed that since then, but all sorts of various kludges exist all over the place.

You make this sweeping generalization: "...the whole linux kernel is one big hack." You have nothing more substantial to back that up other than: "Few years ago at work, I had to investigate how to let processes keep more files open. Turned out, the constant that defined it in the kernel was redefined in userland as a different value, but only if you included the headers in a specific order. No explanation whatsoever for this was provided anywhere. They've fixed that since then, but all sorts of various kludges exist all over the place."

Key words here: "A few years ago...", and "They've fixed that...". This nullifies whatever point you thought you were making. One incident of some variable getting redefined, or someone's being less than diligent with their forward declares hardly damns the entire kernel as "one big hack". That's pretty weak.

Not being exactly a Ruby programmer, I can't take guesses at what might be going on, but "couple of seconds" sounds like it's not just Ruby's fault. Highlevel languages can be just as fast as C++, for example Ocaml has been claimed to generate code that rivals Intel's C++ compiler.

Ruby isn't the peppiest language out there. It has some bitchin' features, but those features slow it down. The idea that these interpreted languages can be as fast as C/C++ is just not right. They are not. To say: "Ocaml has been claimed to generate code that rivals Intel's C++ compiler." does not imply equality of speed.

Will these geeks also go clean up everyone's systems? Didn't think so. When something like that happens in windows, there are various anti-virus companies and a lot of geeks as well to check it out.

Yes, they will. So far as the turn-around time for Open Source and bug-fixes goes, Open Source is way ahead of Microsoft.

You are making some wild assumptions here, and I think it's because of the TCPA FUD that's been going around. You know, pretty much everything TCPA does can ALREADY be done with software. You don't think so? See Xen and what it does: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ ... this same approach could be used to implement a lot of the TCPA functionality. However, a hardware support on some level is needed to make things straightforward. What's I've read about TCPA, it seems to be damn good stuff, and I can't wait to get to play with it.

So far, I'm witholding judgement on this. Like any technology, it's neither good or bad per se. However, I don't trust that Microsoft won't attempt to use this to lock out other soft and operating systems.

Regarding your comment about application providers, I agree that the idea of them is somewhat flawed, but not as horrible as you'd think. Can you imagine buying for a linux shell, where someone else takes care of the software upgrades and patching and stuff? Yeah? Why is the same thing with windows any different?

It's different precisely because no one is trying to lock you into Linux. Indeed, the Linux and Open Source communities have been far better about this than has Microsoft. You can run: Firefox, Mozilla, the GIMP, BASH, X, for starters on Windows. So far, this has been purely a one-way street. What Microsoft apps run natively on Linux?

[muzzy]

Here is what you said: "Bad experiences tend to be because something unexpected and frustrating happens. If you understand the system, there will be significantly less of such experiences."

What does this have to do with anything? (... story snipped ...). How would their having a "greater understanding" make them more forgiving towards Win-XP? All they care about is that XP trashed valuable work at the worst possible time, and that Linux doesn't.

So, how exactly did it happen? What went wrong? There's always an immediate reason for why everything happens. It could've been user error. Also, depending on what exactly happened, that data could've still been recoverable. I greatly suspect this wasn't fault of Win-XP itself, unless the filesystem just mysteriously went wookoo. Not knowing what really happened, I don't have further comments about the incident.

You make this sweeping generalization: "...the whole linux kernel is one big hack."

Yes, I didn't provide very good reasoninig. By same logic, your story above about Win-XP eating people's work is equally worthless.

How about the 2.6.x kernel tree, then? Weren't even branches supposed to be stable? I tried compiling 2.6.9 recently with scheduling and stuff, and even with days of debugging, I couldn't get it to work. When the scheduling stuff was compiled into the kernel, the network cards wouldn't get recognized anymore, or wouldn't just work. Reading around, I found I wasn't the only one having problem, and that 2.6.x had plenty of experimental crap in it. It wasn't a stable tree by any means. On my primary shell, we had an incident with bittorrent causing kernel panic on 2.6.x kernel, again google reported various similar incidents having happened to others. Mysterious bugs, all sorts of strange things going on.

My linux experience starts from around 1.2.x times, and I mainly administrated boxes during 2.0.x kernel tree. Back then, people were already bashing microsoft all around and moving to linux, although bsd system would've been a lot lot better choice for everyone. Well, Linus has been doing unbelievable job at having the damn thing working and keeping it together, but from my perspective I have to say it looks like one huge mess. I'd pay more attention to the more recent kernel trees if they actually worked.

Ruby isn't the peppiest language out there. It has some bitchin' features, but those features slow it down. The idea that these interpreted languages can be as fast as C/C++ is just not right. They are not. To say: "Ocaml has been claimed to generate code that rivals Intel's C++ compiler." does not imply equality of speed.

Dynamic languages don't need to be interpreted. Also, ocaml isn't just an interpreted language. It can be compiled to native code, and I know people who say it's really damn fast. No, I don't have personal experience, that's why I said it's been claimed so. Obviously, benchmarking against C++ compilers would suck because the two languages are just so different. However, let's make those comparisons anyway:

http://shootout.alioth.debian.org/benchmark.php?test=all&lang=all&sort=fullcpu

Go ahead, you'll see that ocaml ranks quite high in the list, even though you can question the methods of benchmarking. You'll also see that Ruby scores quite low

It's different precisely because no one is trying to lock you into Linux. Indeed, the Linux and Open Source communities have been far better about this than has Microsoft. You can run: Firefox, Mozilla, the GIMP, BASH, X, for starters on Windows. So far, this has been purely a one-way street. What Microsoft apps run natively on Linux?

So, wouldn't the best approach to solving the problem be user education? Software lock-in can be expensive, and businesses understand money. However, GNU is an evil empire when it comes to lock-in as well. Everyone's writing their "sh" scripts with bash syntax nowadays, m4 is backwards incompatible, gcc has language extensions that are widely used, etc. How are these not lock-in issues?

Also, how many GNU apps really run NATIVELY on windows? Don't a lot of them use the cygwin api wrapper to implement signals and *nix apis for them? I know there are a lot of native apps, but a lot of them aren't. For a long time, GIMP didn't use native widgets on windows either. It'd go on implementing its own damn scrollbars and buttons. Talk about bloat and inconsistencies.

[Calum]

I know linux, and it's a horrible mess. Just because the source is available doesn't make it any better technically, it's just a matter of freedom.

i have to disagree with you about this. the concept behind open source software is peer review.

basically, and i am sure you know this, if the source code is open, then potentially thousands upon thousands of people are looking over it, with a view to wiping out any holes, malware, inefficiencies et cetera. with closed source code like mswindows, only the microsoft developers get to see it, therefore only they get to bugfix it. thousands versus perhaps one floor (at the most i suspect) of nine-tofivers.

and there's my second point. these open source coders are all (well, mostly, this brings up the issue of companies contributing to GPL stuff because it benefits them to do so, which i will ignore for now since it does not weaken my point) doing it for the love of it, while the coders at microsoft are being paid a salary to do it. amateurs will naturally have a more personal interest in fixing bugs and making stuff work right. people who have to file paperwork and who will collect their paycheck whatever happens are less likely to be quite so ambitious and successful from the point of view of "good" code, in my opinion.

Basically, and i am sure you know this too, the whole thing is explained *perfectly* in ESR's book "The Cathedral and the Bazaar" which i cannot recommend enough, if you are not familiar with it already.