On Thu, Apr 20, 2006 at 10:03:47AM -0400, Doug Koobs wrote:
> Khepri said:
> > peter osmar wrote:
> >
>
> >> have paid for Norton Internet security, that could not even protect
> >> itself.
> >
> > Truthfully, that's probably to be expected. Every hacker/spammer/hijacker
> > out there knows how popular Norton is and they write their garbage to
> > infiltrate it. More people running Norton equals more hits for them. If
> > you were using, say, AVG antivirus, and another company's spamware
> > killer, and another's firewall, you'd probably end up being more secure
> > in the long run. The trick is the same...don't use what's advertised as
> > "the best"..Best=popular=bad guy target. Like painting a bullseye on
> > your PC...:0
>
> Sounds almost like you are promoting "Security through Obscurity".
>
> http://en.wikipedia.org/wiki/Security_through_obscurity
>
> I'm no big fan of Norton or McAfee. However, one advantage of using the big guys is
> that if they are the main target of the hackers, they have (hopefully) found more
> holes, bugs, security flaws, etc in their products as a result of prior hacking
> activities.

While I agree that "security through obscurity" is generally a failing
security model in terms of security of the software itself (measured in
unpatched or unfound vulnerabilities and ease of exploitation), it does
account for a reduced volume of attacks per exploit and reduced number
of exploits likely to be developed per vulnerability. It's true that,
all else being equal, being a higher-profile target provides the
software vendor with greater opportunity to identify and fix software
vulnerabilities, but (unfortunately for the security of their software
and the peace of mind of their customers) they do not operate in a
single-variable vacuum.

Other changes in the software, if poorly planned or implemented for the
wrong reasons (bells and whistles, feature creep, tightly coupled
architecture, poor bug auditing, lack of security awareness in design)
can lead to new vulnerabilities being introduced even while old
vulnerabilities are wiped out. Additionally, to protect their
"intellectual property", corporate software interests are tending to
implement "features" that are designed to make it difficult or
undesirable for the end user to illegally copy, or even legally
uninstall, the software, to say nothing of increasingly stringent
controls on how the end user accesses virus definition updates to
prevent unauthorized access to online updating services -- and these
intellectual protectionism measures often bear the hallmarks of malware
themselves, thus potentially facilitating the propagation and operation
of malware that targets the security software.

In addition to all that, closed source software, by definition, does not
enjoy the "many eyes" benefits of open source software that provide
direct and indisputable benefits to vulnerability testing and patching:
while greater popularity can indeed make software a larger target of the
malicious security cracker (though not to as great a degree as security
through obscurity proponents would have you believe), greater popularity
also provides open source software a far greater advantage in the form
of a correspondingly greater pool of friendly developers vetting code.
This results in a higher percentage of vulnerabilities discovered and
fixed by friendly developers, particularly as compared with those found
and exploited by unfriendly security crackers. This also results in far
quicker turn-around times on patch development, testing, and
distribution for popular open source projects; it's no rarity for the
patch times for Linux kernel vulnerabilities to be measured in hours,
and for projects like Firefox to be measured in days, to be contrasted
with Windows and IE patches typically measured in months with the
shortest turn-around time ever from the moment of initial vulnerability
report having occurred earlier this year, at about a week and a half.

What's that? Why, yes, I do analyze software security trends for a
living (among other things).
-- 
Chad Perrin [ CCD CopyWrite | http://ccd.apotheon.org ]
"A script is what you give the actors. A program is what you give the audience." - Larry Wall
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:01:44 EDT