[Am-info] E-mail virus picks up speed
Roy Bixler
rcb@bix.org
Sun, 5 Jan 2003 11:02:03 -0600
On Sun, Jan 05, 2003 at 08:40:13AM -0500, Erick Andrews wrote:
> On Sat, 4 Jan 2003 21:51:04 -0600, Roy Bixler wrote:
> >So I think the people you are trying to convince are confused between
> >"security through obscurity" and "security through diversity". They
> >think you are talking about the former and, if you were, they would be
> >correct. "Security through obscurity" is really not much security at
> >all. "Security through diversity" is what you're really arguing.
>
> [...]
>
> I understand your distinction now, which is fine, but I think many others
> may be confused, that is, I can't recall the term "security through diversity".
To tell you the truth, I just made it up because a distinction does
need to be made in the case that Mitch brought up. After all, I
wouldn't consider a Mac an "obscure" system, nor would I consider
alternate programs to Outlook like Eudora obscure. Also, obscurity or
not, that really misses the point. In the worst case, you may be
trading the insecurities of the Microsoft programs for an equally
insecure replacement but surely your replacement will have different
insecurities and this will reduce the overall effects of virii and
worms that go around. If your replacement is more secure than the
Microsoft equivalent, that of course is better.
I would like to save use of the term "security through obscurity" for
cases like Microsoft's approach to security disclosures. A variant on
this is sometimes people purposely deploy systems just because they're
obscure and the system's insecurities are (relatively) unknown.
Therefore they feel that they can ignore the issue of security, which
is a dangerous attitude to take. In both cases, it boils down to
security through ignorance which, while it may enhance perceptions of
security, won't actually enhance security. In fact, it could well
reduce security.
> To me, MS viruses and worms are obscure: they just won't "run" on my
> system. They're native to MS systems.
That's a good example of "security through diversity" or whatever
equivalent term you want to coin.
> "Security through obscurity" is generally bantered about with not much
> definition.
That's the problem with that phrase. It's too overloaded and that
promotes confusion.
> And though I like the phrase "security through diversity", I doubt
> it has much currency.
If you can find another way to reduce the ambiguity of the phrase
"security through obscurity", go for it!
R.