Greetings Bruce,
Sorry Bruce, but you must have misunderstood what I wrote. I was not talking about taking advantage of bad coding habits and outright mistakes. Bad programmers are everywhere. Most of the ones I work with can't program their way out of a wet paper bag. So there will always be opportunities. You cannot prove the absence of bugs ... Alan Turing.
What I was talking about was a deliberate decision by Microsoft to IGNORE the very standards that they had a hand in creating. In my humble opinion, their behavior is criminal.
For example, let's test the browser you are using right now. When you connect to a web site, your browser and the web server exchange a fair amount of information about each other. Your browser says, hi, I would like the file that matches this URL, and then supplies a list of file formats that it will actually accept, ... text, text/html, images, etc. The server then finds the file that both matches the URL and is listed as one of the file types that your browser will accept. The server then says to your browser ... here's the file you requested ... and it happens to be of type whatever ... and here it comes. A MicroSoft browser will IGNORE what the server says about the file types and will try to interpret the data as it comes from the web server, possibly executing code if it is possible. Argh. This is evil.
Now for a real test. Click on each of the following links. (I promise, no virus delivered, just a simple demonstration)
http://home.comcast.net/~tomsweekender/test.html
http://home.comcast.net/~tomsweekender/test.txt
The files are identical and contain the same text, a cut-down index page from my very lame weekender web site. However, the Comcast web server hosting the pages will be telling your browser that the first link returns a file of data type text/html, while the second is just plain text. Web browsers like Firefox, Opera, Safari, etc. will try to interpret the first link as a web page, and will display the second link as plain text, because that is what they were instructed to do. MicroSoft's Internet Exploder will interpret BOTH. So if the MicroSoft browser was explicitly told that it was getting plain text, why did it display it as a web page? It did something it should not have done. Had the file contained JavaScript, the code would have executed in Internet Explorer. This "I know better" attitude from MicroSoft is the biggest exploited virus delivery mechanism out there. MicroSoft products are a whole order of magnitude more dangerous because of this conscious design decision. And it's in everything they make ... browsers, e-mail clients, word processors, etc.
Use something else and you will be much safer.
If you really wanted to be safe, you would surf the internet as a non-privileged user running a Mozilla variant on an OpenVMS system as the hardware and OS enforce security standards and close up all of those bad programming holes. It's impossible to write a virus for VMS. But hey, most people can't spell VMS, and cannot appreciate the difference.
But, Yes, I absolutely agree, just because you use non-MicroSoft software on x86 hardware doesn't mean you are safe, just safer. You still have to do virus scans and keep your software up to date.
All of your recommendations are spot on.
Good backups are a must. Once a month I boot my Windoze laptop from a Knoppix Linux CD and rip a copy of the C: drive to a 1/2 terabyte USB hard drive, boot blocks and all. Very fast, and easier to recover than a normal windoze backup.
Cheers,
Tom
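
An added example, not part of Tom's letter: a local reproduction of the two-link test from the server side, serving identical bytes as text/html and text/plain, plus a check that flags a response relying on the browser to obey the declared type. The body, the `sniff_exposed` heuristic and all names are constructed for illustration; `X-Content-Type-Options: nosniff` is the response header that Internet Explorer 8 and later browsers honor as an instruction not to sniff.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample page, served unchanged at both paths (as in the letter's test).
BODY = b"<html><body><h1>Weekender</h1><p>Same bytes, two types.</p></body></html>"
TYPES = {"/test.html": "text/html", "/test.txt": "text/plain"}

class Handler(BaseHTTPRequestHandler):
    nosniff = False  # toggled to compare the bare and the hardened response

    def do_GET(self):
        ctype = TYPES.get(self.path)
        if ctype is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype + "; charset=utf-8")
        if self.nosniff:
            self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch(port, path):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return (resp.headers.get_content_type(),
                resp.getheader("X-Content-Type-Options"), resp.read())
    finally:
        conn.close()

def sniff_exposed(ctype, xcto, body):
    """True if a non-HTML response carries markup and does not forbid sniffing."""
    head = body[:512].lower()
    has_markup = b"<html" in head or b"<script" in head
    return ctype != "text/html" and has_markup and (xcto or "").lower() != "nosniff"

def run(nosniff):
    Handler.nosniff = nosniff
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)  # ephemeral local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {p: sniff_exposed(*fetch(server.server_port, p)) for p in TYPES}
    finally:
        server.shutdown()
        server.server_close()
```

Only the text/plain response is flagged, and only while the header is absent; with it set, both responses state how the bytes are to be treated.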