[Am-info] E-mail virus picks up speed

Roy Bixler rcb@bix.org
Sat, 4 Jan 2003 21:51:04 -0600


On Sat, Jan 04, 2003 at 10:13:38AM -0800, Mitch Stone wrote:
> I'm familiar with the countering arguments, but I tend to shy away from 
> the more technical rebuttals, as I've found that most people don't 
> understand them, and those that do, will claim I'm promoting "security 
> by obscurity."

To me, "security through obscurity" is the way that Microsoft would
prefer to handle security issues.  Many of the Windows security holes
have been found and reported by 3rd parties.  Some of these 3rd
parties, since they figured that Microsoft would ignore them
otherwise, went public with their findings right away and others went
public after reporting to Microsoft first and not being satisfied with
the response.  Also, many of the reports described how to exploit the
security hole they report.  This makes Microsoft unhappy since there is
some time that elapses between the report and the fix, which leaves
their users vulnerable.

Microsoft's answer is that they don't want any security hole reported
until a fix is available and they also do not want exploit details
published.  It's basically "here's a potential security problem, our
assessment of it and a patch to fix it; publishing further details may
be harmful, so just trust that our assessment is accurate and our
patch works."  And, if they never fix a security hole, then it should
not be publicised.  That, in my book, is security through obscurity.

So I think the people you are trying to convince are confused between
"security through obscurity" and "security through diversity".  They
think you are talking about the former and, if you were, they would be
correct.  "Security through obscurity" is really not much security at
all.  "Security through diversity" is what you're really arguing.

> The debate will often come down to whether one or 
> another alternative OSs are inherently more secure -- and I'm prepared 
> to admit that the case is probably unprovable.

Well, it would be hard to prove that one OS is inherently more secure
than another so why not focus on practical aspects of the question
instead?  How many security holes were reported for MacOS this year,
how severe were they, how quickly were they fixed, etc.?

> As for "security by obscurity," I'm still trying to figure out what's 
> wrong with it. I want security, and I really don't care if I get by 
> religiously correct means or otherwise. If the MacOS market share 
> should miraculously quintuple, then we can test the "security by 
> obscurity" theory -- but until then, I'm happy to have it by whatever 
> means.

*nod*

> But as I said, this completely pragmatic argument seems to be a dog 
> that won't hunt. I know only a handful of people who've even considered 
> throwing over Windows for the Mac because they were tired of fighting 
> off virus attacks and security breaches. Personally, I think this is 
> Apple's single best sales argument right now, but even they don't seem 
> to want to use it.

If they're unwilling to give up Windows, then using alternatives to
Outlook and Internet Explorer would improve their security by a fair
margin.

> That tells me something -- though I'll be darned if I know precisely 
> what.

My guess is that they're gun-shy and just consider it too awkward and
difficult to market the relative security of their product.  It would
be getting into technicalities and, instead of those, they would
rather emphasise the ease-of-use, good looks, hipness, etc. of their
product.

R.