I can see what you are saying and it is just proof of the switch of tactics.
Home PCs are taken over to set up botnets for either spam OR to create a grid.
Home PCs are not the real target (the real target is DDoS attacks against the big servers all running LAMP).
Beforehand ppl would hack those main servers, but their security is such that attackers have had to move to the weakest common denominator, and that is Windows.
Linux isn't experiencing attacks due to "security by obscurity", it is experiencing attacks which are unsuccessful. Do you really want me to post my sshd logs from the last month (running openssh - a *NIX-only server) to show that not only are there script-kiddies attempting to guess username & passwd but more sophisticated attacks on my home server?
Firefox has actually quite a few severe vulns and those vulns appear on all platforms it runs on. There is proven construction of remote code execution on a *NIX machine due to Firefox; the difference however is *NIX forces the user to run as a restricted user and thus code-execution fails, while on Windows, XP forces the user to run as Admin.
Likewise Linux follows the UNIX philosophy of one program to do one job very well, thus if a flaw exists in that one program it does not propagate (and hence why OpenSSL is one of the most peer-reviewed and patched libs there is due to its critical nature in SSH servers and its single point of failure possibility). Windows tries to go for super-processes, svchost is a prime example:
multiple copies of this are spawned depending on the arguments, and if a flaw exists in one part of the code the whole application is vuln. Likewise the integration of some key things right into the system (e.g. IE) exposes the system such that if an exploit is found it becomes a root-exploit (the number of these is EXTREMELY high for Windows, not really for Linux).
Yes, Vista has done a lot to try to sort out the idiocy of the end-user (where part of the problem lies) by forcing the user to run as a restricted user, but they went and screwed it up by not only implementing the UAC such that it can be disabled and thus allowing users to run applications with admin-priv!
All code is going to be vuln, that's a given (a recent study caused the MS PR machine to say that Windows is more secure because it had fewer patches in a given time; I am more interested in those unknown flaws - Linux is peer-reviewed [and I do some code-checking btw] and thus more eyes to spot bugs). The point is what exploits result in root-access. THOSE processes that have to run as root get such a looking over by some top hackers (as well as Apple, IBM, Novell...) that potential points are spotted and fixed.
Shite, there was a flaw in thttpd recently, and when it got announced in the GLSA, by the time I actually re-synced my repo (and I do every day) a patch was already in place. How long does it take MS to fix? Shite, there are still 2 known zero-day exploits (in the wild!!!) for Word!!!
If you want to use Windows that's fine, just please don't spread FUD that Linux is more secure because of its limited use, 'cause that just isn't right.