David Harley wrote:
>> Fascinating. Think of how secure DOS and CP/M are by this standard.
>
> My daughter had an exquisitely safe laptop made by Vtech.
Rich started this by saying that he believes some software is weaker,
and some is perceived as weaker. And that popularity has nothing to do
with security.

I agree with his first two points, I disagree with the other two.

While there are always security vulnerabilities to be found, someone has
to look for them. If your goal is stealth, you will likely develop a
0day, or try to hide in some fashion.

But let's be honest folks, very popular software and especially
mono-culture software (Windows, Adobe Acrobat, Cisco IOS, etc.) have a
lot of risk attached to them being famous.

Consider the early days of Internet Explorer vs. Mozilla. While Mozilla
has better code in my opinion (anybody has better code than IE!), it was
targeted significantly less than IE. Then, when it became popular it
started getting targeted much more often.

The same goes with the Mac and OS X. As the Mac becomes more popular it
becomes a rich target for the mass exploitation of worms, etc. and
criminals start targeting it. I have often claimed that the Mac's day is
coming, and it's almost fully here.

Adam O'Donnell has a very interesting game-theory based presentation on
the Mac angle.

So yes, security by obscurity does work, folks. Once again, it does. But
it doesn't hold water as the only strategy.

Saying that a software's popularity has no impact on how often it is
exploited by the mass-exploitation devices is inane.

Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.