Sadly most of that advice will only work for those that work in IT directly. For those that use IT as a tool in the box to get something else done, or as an internet appliance, most of the suggestions will not fly. They will just hit yes on every UAC, and approve every outgoing connection.
Sure, but instead of throwing our arms up and accepting defeat, initiatives like Decent Security are trying to move the needle away from "insecure by default".
I'm trying to do the same thing with developers. :)
I wonder if science is doing us a disservice here. I get the feeling that just a single vulnerability (no matter how complicated it may be to exploit) is enough to claim "fundamentally insecure". Meaning that we are looking at the topic like we are trying to disprove a scientific hypothesis.