Microsoft security is nothing to sneeze at

11.11.2005
I frequently have people write to me to discuss how much Windows sucks and how great open source is. They say it as if Windows is my only security problem and Linux, Apache, and Firefox are our saviors.

I often write back that I use Windows and Linux on a daily basis -- and either of them can be secure or insecure. They then somehow take that to mean I'm a Windows zealot because I have the audacity to stand up for Microsoft every now and then.

Here's the plain truth: Malicious mobile code has been around since before Microsoft was a company, and it will be around long after they are a historical footnote. If Microsoft disappears, that won't stop mischievous hackers from writing rogue programs.

Real security solutions aren't as easy as replacing Windows with another alternative. Real security means pervasive authentication, loss of anonymity, less functionality, peer code review, and programmers learning security along with their first GOTO statement. End-users will have to accept that security means slower development times and more expensive products.

Yes, there are plenty of security problems to blame on Microsoft, but it's becoming harder to find new problems to point out. Remember when Gates missed the Internet, but a year later every Microsoft product around could talk to the Internet? The same thing appears to be happening with security now.

Two years ago, Microsoft made all their programmers stop programming and get secure code training. Secure coding and bug hunting are being built into every programming process at Microsoft, from start to finish. And the results are showing: If you look at the statistics against XP Pro, Server 2003, SQL, and IIS, exploits are way down and security is up. How else do you explain that IE had fewer exploits this year than Firefox? How is it that only two of the top five most active exploits on the Internet are Windows-based? How many years has it been since a Windows worm did as much damage as Code Red, Nimda, or Slammer?