It seems like running in a VM is a much more attractive option than dual booting these days. The performance hit is negligible (especially with 16GB RAM), you can use both OSes at the same time, and you can use all the native Windows touch/pen drivers and have them carry over to the VM.
Good point, but not ideal for everyone. Especially with IOMMU and an SSD, performance isn't so bad when it works. I haven't liked the overhead with this in the past though, plus no full disk encryption (although I guess you could do it in the guest), and Windows security in general, and bad 3D drivers for the guest (compositing please), and anything that wants low-level hardware access is out. So if you don't actually want to _use_ Windows it makes a pretty crummy hardware abstraction layer.
Sorry, I didn't really mean to say that Windows security is inherently worse, so I should probably rephrase. What I mean is I am more comfortable dealing with client security issues on Linux systems than with Windows. Of course you're right that I'm not running grsec patches.
I feel like I know how to reduce the attack surface a bit more easily on Linux client systems. Most OEM Windows installations are pretty bad, so I would want to install Windows myself, sans crapware, and with unneeded built-in services, apps and hooks and so on removed. If the bootloader was locked, I'm not sure whether I could reinstall the Windows OS of my choosing. Maybe these products have less crap on them though, since the OS image comes directly from Microsoft.
I didn't mean to refer to situations other than personal clients used by me, and I don't really have an opinion about this in general, except maybe: It depends... :)
> Windows security in general is better than Linux security in general.
Maybe. Have they fixed UAC not being a security boundary [1] if you are on a default administrator account? It's hard to take them seriously when most software for most users still runs effectively under 'root'.
We really need to differentiate between the two types of "security" when we're talking about them. Are you worried about your personal information being stolen? That's security. Are you worrying about being spied on? That's privacy. People generally aren't worried that the NSA will steal their personal information, run up their credit card bill, etc. They're worried that the NSA will see something that could be used against them in court, or used to target government actions against them in any way. Not to say that an NSA backdoor couldn't compromise both security and privacy, but this is a simplified view.
BitLocker is secure in that it keeps out the attackers. Whether it keeps out the NSA is a different story (one that is much harder to determine).
As someone from the EU, if it was only the NSA I would be mostly okay, but I can't trust the NSA/USG to be competent enough to safeguard the private key controlling a possible BitLocker backdoor from the Chinese and other governments running massive industrial espionage campaigns.