Thursday, August 24, 2006

Staying secure by getting out of the line of fire

It's difficult to know whether one piece of software is more secure than another. Yet that doesn't stop anyone from hollering Trustworthy Computing! Unbreakable! Security in the SDLC! h0HO 0Wn3D j00! This fuels never-ending debates: "Is Windows more secure than OS X?", "How about Firefox and Internet Explorer?", "IIS and Apache?". Let's face facts: all software has vulnerabilities, unless it has zero bugs, and I don't think anyone buys that one. What matters to all of us is, "How do I not get hacked?"

There are people who gauge hackability by the number of known vulnerabilities in a software product. "Hey! My OS has had fewer vulnerabilities than yours! Neener Neener Neeeeeener." C'mon, this metric isn't helpful because it tells me nothing about how likely I am to NOT GET HACKED. It could be that researchers aren't looking for vulnerabilities in that product, that vulnerabilities are counted in strange ways, that people aren't disclosing the issues, or a dozen other things. The reality is that an attacker only needs a single vulnerability to exploit you and cause you to have a really bad day. The bad guys know that. So what if we took a different approach, like...

Getting out of the line of fire.

The real deal is that criminals are profit-driven, and the cyber types are no different. They're in it for the money. For them, targeting the lowest common denominator of their victims makes the most sense. Sure, some hackers are after the fame of being the best, or the first to hack a particularly difficult system. Those glory-driven types are not the ones you need to worry about. The 21st-century crimes are fraud and identity theft. If you were a cyber-criminal, would you go after the product with 95% market share or the one with 5%? Yeah, me too. Sorry Microsoft, that means you.

Mind you, security isn't the primary reason I choose to use OS X and Firefox. I use them because the software lets me be more productive than anything else available. I have no use for something that is highly secure but doesn't let me work proficiently, by myself and with others. Sorry OpenBSD, that means you. Nor for something so far out of the way that I can't get my work done because there's no software for it. Sorry Amiga, that means you.

Do I think OS X and Firefox are more secure than Windows or IE? Yes, I "think" so. But I don't "know" for sure, and the truth is I really don't care. What I do know is that the chances of me getting hacked on my PowerBook versus the next guy on his dude-you're-getting-a-Dell are night and day. PC users are in a war for control of their own machines. Who needs that headache!? Am I saying that by using OS X and Firefox I'm 100% safe? No way. But I have gotten out of the line of fire: the mass-market malware and fraud kits that make criminals their money are written for the 95%, not for me, and that decreases my chances of getting hacked. That's what's important.

Now watch, tomorrow some 0-day will own me and I'll be eating crow for the rest of 2006.

