EFF: Surveillance Self-Defense (SSD) - jesseendahl
https://ssd.eff.org/home

======
brianfinkel
"Avoid Microsoft products where possible." "Minimize the number of Microsoft
Internet applications you use." Are you kidding me? This advice is completely
outrageous on so many levels. Microsoft has made many mistakes, and they have
a whole lot of problems to fix, but for the love of god, the company is not a
piece of shit.

NO software is guaranteed immune to malware, and MS has done at least as good
a job of patching and securing their software as any vendor in the industry.

Given what they have to lose from vulnerabilities in their software, given the
resources they have committed to the challenge, and given their track record
thus far, I think it is clear that updated, regularly patched software from MS
is a very safe bet for security -- at least as good of a bet as sw from
anywhere else.

If you think that "avoiding MS products" will make you secure, you are
dreaming, and you are also missing out on all of the fantastic attributes that
make MS products desirable.

It has clearly become fashionable to bash MS at every turn, but these
otherwise interesting "security guidelines" take it to a whole new level.

~~~
nprincigalli
You're arguing passionately against propositions you made yourself. e.g.
nowhere does it say "MS is a piece of shit".

IMHO, saying things like

      Microsoft’s Internet Explorer and its email programs
      Outlook and Outlook Express are very difficult for even
      professionals to secure. Furthermore, adversaries tend to
      attack more popular platforms and applications.

is a fair assessment. Can you point us to the MS bashing fest?

~~~
brianfinkel
My word choice is more colorful than the source, but I think it's a fair
characterization of the message in the source material, and not a proposition
I am making myself.

For EFF to issue a sweeping recommendation that users should "avoid Microsoft
products where possible" is completely ridiculous and might cause many
readers, if they believe EFF to be credible, to conclude that Microsoft is a
piece of shit. After all, it would be pretty shitty for a major software
company with tens of thousands of employees, many of whom are brilliant, and
$2B per month in earnings, to be completely unable to deliver software that
does not so imperil users that the general advice is for them to avoid using
the products at all. So, given its implications, I think the advice given by
EFF is just outrageous.

Saying that IE and Outlook are difficult to secure is not in itself
inflammatory, except when coupled with the general recommendation to avoid
Microsoft. ANY Internet-connected software is difficult to secure and audit,
so why single out Microsoft? Are the other vendors that much better? I doubt
it. Can you show me some kind of real data demonstrating that products similar
in functionality to the latest versions of IE and Outlook are truly less
difficult to secure?

The argument that "adversaries tend to attack popular platforms" is common
sense but not useful, and no more compelling than saying "The vendor with the
largest installed base, the most smart developers, and the most cash, will do
the best job, over time, of securing their platform." In reality, the size of
the user base, and the size of the company, provide nothing more than a
rationale, as opposed to real information about the security of the platform.

So, in my opinion, EFF is not making a "fair assessment."

This is not you and me having a debate over beers at a bar. This is the EFF
saying, flat out, MS products are to be avoided, and one reason for that is
their popularity. For most people, this translates to, "Use a Mac instead.
They are inherently more secure and less of a target because they aren't as
popular." And while there are lots of great reasons to use a Mac, I think this
line of thinking is flimsy.

Finally, the MS bashing fest is totally pervasive. It's firmly in the
zeitgeist right now, and I totally object to the herd mentality it
demonstrates. Last week there was a much-debated post on HN by a company
indicating that an experienced .NET programmer is "ruined" and very unlikely
to be a good programmer in general.

There are absolutely valid criticisms of Microsoft. But when every jackass,
and "credible" sources, too, develop the reflex that Microsoft is shit, it
offends my sensibilities.

~~~
crpatino
No, Microsoft is no shit... but it does not offer very secure products. Get
over it!

MS's customer base is, in general, not very tech savvy. Also, I believe it is
not inaccurate to say that they see computers as "magic". You perform the
correct "incantation" and the magic just "works". So, the problem is not only
that they do not value security highly enough; they assign high value to a
number of features that make security harder. Think of all the APIs available
to 3rd-party software to make fancier applications (that inter-operate with one
another). Think backwards compatibility. Think seemingly smooth operation.

What happens in this situation is that the brilliant developers at
Microsoft get a bunch of conflicting requirements, and (strong???) incentives
to compromise on those that do not add to the bottom line. Those brilliant
guys will burn themselves out creating overly complicated solutions that are bound
to be wrong in very obscure ways. And this is so even granting the assumption
that they will make an honest effort to provide the best possible security
given the constraints mentioned before.

Do they care about security? Absolutely, otherwise they would've gone out of
business long ago. Is security their top priority? Not really. Are there any
better options, security-wise, than Microsoft? I'd bet pennies to dollars;
especially if those competitors do not fear trashing the intuitiveness of their
systems and making a hell of a learning curve for new users.

And most of the time, it is OK. Most people do not have important enough
information on their computers. They can afford the risks and may decide the
inconveniences of protecting their systems are not worth the effort. But, as IT
professionals, it is highly irresponsible not to let them know what they are
getting into.

