NYT Markoff about BotNets

Are We Truly Losing the War?

         

chewy

10:28 pm on Jan 6, 2007 (gmt 0)




Are we losing the war?

Attack of the Zombie Computers Is Growing Threat [nytimes.com]

What can we do about it?

[edited by: encyclo at 2:04 am (utc) on Jan. 7, 2007]
[edit reason] fixed link [/edit]

encyclo

2:16 am on Jan 7, 2007 (gmt 0)




From the article:

With growing sophistication, they are taking advantage of programs that secretly install themselves on thousands or even millions of personal computers, band these computers together into an unwitting army of zombies, and use the collective power of the dragooned network to commit Internet crimes.

These systems, called botnets, are being blamed for the huge spike in spam that bedeviled the Internet in recent months, as well as fraud and data theft.

Also:

(...) more than 80 percent of all spam now originates from botnets. Last month, for the first time ever, a single Internet service provider generated more than one billion spam e-mail messages in a 24-hour period (...) that indicated that machines of the service providers’ customers had been woven into a giant network, with a single control point using them to pump out spam.

At the moment, I'm inclined to agree with the statement that the war is being lost against the botnets. All the software firewalls and virus checkers are just plasters on the wound; there still isn't any real attempt to address the underlying issues.

My personal choice is not to run Windows at all, for security reasons as well as a whole range of other issues. The Windows monoculture and a seemingly fundamental lack of inherent security in the product make it open to such attacks. It is difficult to blame the end-users who are not security experts and shouldn't need to be to be able to connect their computers to the internet safely.

KenB

4:22 am on Jan 7, 2007 (gmt 0)




I'd have to agree with the NYT article. I really do think the war is lost. I almost look at the Internet as a war zone where one trusts nothing and suspects everything. For me, escaping the Windows "monoculture" isn't a viable option as I have too much money invested in Windows-based hardware and software. Plus I just don't have any real experience or knowledge in any platform other than Windows and I need to be able to support and develop on Windows for my livelihood.

With that said, I lock my home network down like a fortress. My defensive measures include: aggressive virus protection; multiple layers of routers firewalls (hardware and software); the banning of the use of MSIE, Outlook, instant messengers, etc.; and religiously applying software updates/patches. The problem is the security model I use to keep my systems safe is just way beyond the capabilities of the average user and it means I must sacrifice certain nifty pieces of functionality (e.g. no IM or many other "cool" Internet apps/utilities).

The fact of the matter is that the only ones who could really help reduce the impact are Microsoft and Internet service providers. They both need to look at the securing of individual consumer computers as not only a social responsibility, but an economic necessity. IE7, Windows Vista and ISPs providing security software at no extra charge may be a step in the right direction, but it is not enough. All software vendors need to place the need for security and avoiding common security pitfalls ahead of functionality. There also needs to be some sort of aggressive buyback program to get older computers running older OSes (e.g. Win98) off the Internet.

System

11:36 am on Jan 7, 2007 (gmt 0)

redhat



The following 3 messages were cut out to new thread by encyclo. New thread at: microsoft_windows_os/3211247.htm [webmasterworld.com]
9:17 am on Jan. 7, 2007 (utc -5)

[edited by: encyclo at 2:21 pm (utc) on Jan. 7, 2007]

Leosghost

2:06 pm on Jan 7, 2007 (gmt 0)




back on topic :) NYT is about 3 years behind the world on this issue ..sure the number of zombies is getting bigger but that's mainly down to infection by those running peer to peer and that can't tell that most of their warez and ripped movies that they and their kids are downloading and exchanging via torrents are carrying payloads ..and you can't legislate against stupid people ( although if I ruled the world :)..

the rise in spam is also due to boxes coming with preinstalled joke AVs such as norton, panda etc and that most people still use IE and outlook ..

and the fact that the various anti-spam legislation worldwide was crafted to let more not less through while declaring itself to be protecting us from the dreck ..plus as spammers know ..the ROI works well enough to pay for the legislation to be twisted or neutered ..

doze itself would have had very few security problems as an OS if the browser hadn't been hooked so hard into the OS and if MS hadn't insisted on activeX ..

PDFs ..again whilst being very convenient methods of transferring "real page" type documentation with the added benefit of links in them also have always hooked so hard in to the underlying OS in order to do their display that the vulnerabilities were just laying around waiting to be targeted ..and JS is a lot more powerful language than many realised when it's running on doze ..

as encyclo said the ideal would be to kick the Redmond habit entirely when one can ..what would help enormously would be if all PC machines came shipped with multi boot OS ..say XP and Ubuntu ( whoops drifted off into dreamland there ) ..with a health warning on the former .( then joe and jane six pack and their kids would at least have the equivalent of the option of putting on their seat belts before navigating the tubes ) .and if some major software houses such as adobe got writing product for linux ..

edit reason .fixed some typos

[edited by: Leosghost at 2:13 pm (utc) on Jan. 7, 2007]