Michael Horowitz

Defensive Computing

60 Minutes missed the elephant in the room

On 60 Minutes tonight Lesley Stahl did a story on the Conficker worm with a huge omission.

The piece starts off with "The Internet is infected". This is not true. Windows computers are infected. Macs are not. Neither are Linux-based personal computers.

Perhaps Ms. Stahl got the wrong impression based on who she interviewed. In the story she spoke with someone from Symantec, a company that profits from selling anti-malware software to Windows users. They are the last people on the planet who are going to bring up the subject of Macs or Linux.

Couldn't CBS find a Mac and a Linux proponent to point out, in an equally self-serving way, how their operating systems are not the target of the bad guys?

Better yet, where was the impartial observer? Steve Gibson comes to mind.

The discussion could have been about malware on Windows rather than just on Conficker. Is it being spread by people who pirated the operating system and thus don't install patches? Is it behind the rise of Macs? Is it too hard to apply patches to all the installed software? There are many fascinating angles here. 

60 Minutes and Lesley Stahl blew it big time.


Update March 30, 2009: Maybe Lesley Stahl's boss would not let her mention the fact that Conficker is Windows only? Over at TVBarn, Aaron Barnhart says:

... as a media guy, I couldn't help but notice that CBS has had millions of dollars thrown at it by Microsoft Windows for a new ad campaign running during the NCAA tournament. And yet, I waited in vain for any mention in the "60 Minutes" story of the fact that the only computers capable of being infected by the dreaded Conficker virus were PCs running Windows.

Is 60 Minutes incompetent (my initial reaction) or conflicted (as Barnhart implies)? That is the question.

See also: The Conficker worm on 60 Minutes

 

What People Are Saying

Affects Windows, not other OSes

Whether Windows is the majority or not, and whether or not other OSes have vulnerabilities or not is not the issue here. We are talking about a virus, rather a worm, that is using a Windows vulnerability. This can be fixed with the MS08-067 patch update. Yes, it affects Windows, and it affects the Internet. Experts still don't know what to make of this worm. It spreads via networks (the Internet), and searches for control servers.

Overblown. To the vast

Overblown. To the vast majority of people, Windows *is* the Internet. Perfectly acceptable for the target audience.

Who uses Linux and OS X?

Maybe these OSes were not mentioned because the market share for them is so puny. The majority of the viewers were most likely Windows users. By the way, what OS was first to be hacked, in 30 seconds, at CanSecWest this year? Oh yeah, OS X through Safari. Hmmm.

hacked first

It was reported here in CW that the official time was 10 seconds, the time it took to click on the link to the URL provided to the page with the exploit to compromise the Mac.

What OS was first to be hacked, in 30 seconds

Yeah, but what OS is being hacked every 30 seconds out in the real world?

Windows needs proper package

Windows needs proper package management. It needs trusted repositories.

Until then it will continue to be a joke, because the problem that will remain is idiots installing anything they happen upon.

not the linux model... no thanks

Microsoft isn't a distribution, and I doubt Microsoft cares for the responsibility and liability of distributing third-party software. Why would they even contemplate that?

It's a non-sequitur to suggest that the Linux centralized repository model is secure. Red Hat and Fedora last year had to shut down their repos because of a breach in security. Mirrors aren't inherently secure -- this was part of the problem for Red Hat.

Other similarly mature distros have other serious issues from time to time, such as Debian's OpenSSL problem last year due to the packager commenting out lines which made it trivially easy to crack encryption.

And that doesn't even get to the problem of the quality of the actual software in the repository. Some distros are more on the ball when it comes to keeping things updated, some drop the ball altogether. Some are so far out on the bleeding edge that they're constantly updating stuff. How is that any different from patching a Windows system?

The problem of users clicking on links and installing junk without much contemplation won't go away with some centralized repository. The user is the weakest link in the chain of security. That's true for Windows, OSX, and Linux. The difference between users of those systems is the naive assumption of the latter two that they're safe simply because they're not running the former. A properly run and patched Windows system will always be safer than a Linux or OSX system run as root and/or without updated software.

Er, so you do agree that a

Er, so you do agree that a properly patched system is required on Windows, or any OS.

Exactly.

This is simply mindbogglingly difficult to achieve on any system without package management, and a single, centralised update system.

Let's suppose you have Firefox, VLC, IE, QuickTime, iTunes and Winamp, Adobe, Flash on Windows.

The Windows way is that you have Microsoft updates which should take care of IE and Windows itself.

Then another 5 different systems which may or may not check daily, (and you can't configure centrally anyway) so to know that you are patched at any point in time, you have to run 5 different updaters.

Oh, and some of them (yes you, Apple) will try and install other programs that you don't even want!

It's chaos, and totally unworkable.

not different at all

Geez. It's really no different with centralized binary packaging in Linux. Look at the dependencies for virtually any small -- or what *should be* small -- application and how every possible option is set on so that you end up installing a ton of crud which then has to be managed.

Look at Debian Lenny's vim-nox for example. You don't *need* ruby or python or tcl -- vim compiles quite well without any scripting language support. But guess what you get when you do apt-get install vim-nox. A lot more than vim without all the GTK garbage.

The problem with installing all that crap isn't with vim itself, though it's not immune to vulnerabilities. The problem is with all the extra bloat some packager decides you need because these distros want things to work for the widest possible target audience, which is fair in general but really goes against the myth that Linux can run on ancient hardware (just make sure you stay far away from most binary distros!). Users tend to download it all as-is anyway, don't they? So they're left updating all those other bits and pieces whether they actually use them or not. Their problems thus extend far beyond vim and its own security issues (look up ruby's patches last year -- critical -- and then look at the past issues for python and tcl).

As far as tools for notifying about things that need to be updated on Windows but aren't handled by Microsoft, there are free tools like Secunia PSI, and some security suites like Kaspersky notify users of updates. It's not as if there aren't tools for all this in Windows or that it's as difficult to manage as you suggest. Whether most users even know to use such tools is beside the point because I can show you how the same problems plague the Linux side of the coin.

That's because the weakest link is always the user, not the platform. The platform can make it easier or more difficult to manage and keep secure, but human nature still gets in the way. That can come in the form of negligence, or incompetence (binary distros require the SAME level of blind trust that the packager knows what he or she is doing -- such as my earlier example of Debian's OpenSSL problem), or even the desire to be on the bleeding edge. I remember when more users were content with Debian Stable and am appalled at the number of people -- most of them ignorantly demanding the most recent versions without the benefit of testing -- opting now for Testing, Unstable, or Ubuntu (which is NOT an enterprise grade Linux distro). Users with that kind of mindset are in no position to lecture me or anyone about security or stability.

not elephants, more like insignificant little mice

Linux desktops and Macs combined account for fewer than 5% of all personal computers. So it's very accurate to portray the potential magnitude of the problem in general "the Internet" when 95% of personal computers -- if not patched -- using the net can be affected.

Far from being some sizable, even behemoth mammal, your examples are just tiny and inconsequential mice. And that's not to say that Linux is immune: how many botnets are herded from affected servers whose ignorant admins presume "Linux is safe" despite all the holes in what people use above the kernel?

That's another mammal for ya: sheep. Linux should use a freaking sheep instead of a penguin for the mascot. Or maybe a lemming. Perfect critter metaphors for people who accept "security through obscurity" without much critical thought about it.