I’m Better Than You…No Really: Lame Security Claims


This post comes from reading Jerry Fishenden’s blog entry about the issues of security and identity technologies. I find that Jerry is asking questions that echo my own about those topics. Recently I have been amazed at watching the Apple TV spots, where Apple does its best (very effectively I might add) to lampoon the dorky “PC” on the issue of viruses and spyware, while Apple’s cool dude “Mac” talks about being safe as long as you are on the Apple products. For years I have watched as the OSS community has insisted that collaboratively produced software is inherently more secure. I think both Apple and the OSS community are short-sighted and a bit irresponsible in their approach.


 


As Jerry points outs when speaking about security technologies,



“No wonder so many policymakers find it hard to make sense of the multitude of claims made about different technologies: it’s hard to distinguish between marketing and evidential issues, hard to separate hype from reality. And that’s for those of us in the industry long experienced with distinguishing between aspiration and sales claims versus evidence.”


I think it is counterproductive for anyone in the software world to differentiate on the topic of security by suggesting that someone else’s security stinks; it ends up sending the wrong message altogether. I’m fine with people saying that they are improving the security of their product or technology as it is all good to raise confidence for all consumers. Do you really think that you are more secure from viruses on the Mac than the PC? On Linux vs. Solaris? On anything connected to the Internet from anything else connected to the Internet? Is this because of the inherent quality of the technology you are using…or could it be other factors?


 


Let’s play around with this a bit.


 


Consider the room you are sitting in right now, reading my blog. I’d bet it would be a hell-of-a-lot more secure if it had no doors, windows, air vents, light or electrical sockets, or any other breach in the perfection of its walls. Of course, the functionality of the room would be rather degraded. Additionally, if you just had a beat-up old chair, a battered desk with coffee stains on it, and a sheet of paper with my inane musings in it…not much of an incentive for breaking and entering. But if, instead, your room had file cabinets with the personal information of 10,000 people and credit card and bank account numbers for all of them, suddenly the room becomes more interesting for those with nefarious intent. Or, it could simply be that the perfectly white walls of your room (even from the outside) are just too agonizingly tempting for someone who wants to spray-paint graffiti all over them.


 


Maybe you were really smart—when you put in your door, you made it double thick with seven locks and a police bar. Of course, those locks are only good if you remember to use them. Maybe, over time, it is just too much of a hassle to bring seven keys with you, so you only lock the one that lets you in and out most quickly. The possibility of greater security is there, but it comes into conflict with the usability of the room.


 


In essence, I’m trying to get to the fact that the quality of the target (that which is being protected) matters, as does the technology that is doing the protecting, as do the procedures of the people doing the protecting. This is hardly a new revelation in the world of security.


 


So here is my concern with all of this. People writing viruses are criminals (to me). People cracking into others’ systems are criminals (to me). These criminals are completely agnostic as to what system you are on and whose security technology you choose to use. If you have a completely locked down Windows system and follow all the guidelines, install all the patches, put in place great procedures (and actually observe them) – you will have a safer place in which to work and store your data. Same is true for a Mac, same is true for Linux, same is true for any other system.


 


I know I am naïve in this, and that my own company seeks to differentiate on the topic of security. I’ve been running Vista for the past 2 months, and it has made great strides on the security path (once you get used to how often it stops to ask you if you are sure you want a given piece of code to execute on the system). But, to me, all of the software and hardware providers should be linking arms and singing kumbaya on security. We all lose when consumers feel less safe. We all lose whenever there is another headline about Apple, Sun, Microsoft, or any other provider issuing some group of security packages.


 


Policy makers are under pressure to make the world safer for consumers. They want concrete answers to an issue that has no absolutes in it. If the Mac ads are successful in getting more people to buy their products, then they will undoubtedly become a more interesting target for those writing spyware and viruses and looking for security holes. I can’t guarantee the success of their products in the market, but I will guarantee that they will be attacked if they are successful.


 


Maybe then they’ll run an ad where “Mac” and “PC” and “Tux” get together and decide that the problem isn’t each other, it is the nincompoops who think it is cool to vandalize, spy, and steal.  


Comments (8)

  1. Jeroen Frijters says:

    Please stop to blaming the criminals, that solves nothing and is just as lame as the baseless claims of the Apple and Linux people that they are more secure.

    You know what happens here in The Netherlands when you leave your laptop in your (unlocked) car? The police will take it and when you come pick it up you will get a stern talking too! And rightfully so.

    Software needs to be made more secure (and users need to become more security conscious.)

    Wishing for a utopian world society where there is no crime makes you look childish.

  2. jasonmatusow says:

    Jeroen –

    I don’t often want to look childish, but I do want to learn so I welcome your feedback.

    1) I do blame the criminals because I think it is rediculous that our society continues to romanticize the "hacker." They are vandals or worse and when someone looses all of their docs, family pictures, etc. it is devistating to them – equally bad for a business.

    2) I think all software vendors need to be more responsible in how we talk about these issues. That is not childish, nor is it easy. The factors of competition, development, sustaining engineering, quality, features…all make this tough.

    3) I agree that software needs to be more secure, I agree that users need to be more security conscious. Good statement.

    I think it is healthy to think aspirationally as it tends to establish goals that you can then work towards.

    Thanks again for the comment.

    Jason

  3. Niall says:

    That’s right, Jeroen, it’s the victim that’s responsible for the actions of the criminal. After all, they wouldn’t have done it if the victim hadn’t let them, so punish the victim and don’t waste time focusing on the criminal.

    Yes, we should all be more aware of the potential for crime to be perpetrated against us and act to minimise the chances. But as Jason says, no matter how secure you make yourself, as long as you have value, you will be a target to criminals. The only way to prevent crime from happening to you is to make the crime worthless to the criminal. This is how we end up in Jason’s example of a dingy room with nothing in it.

    So we either all live in said dingy rooms or we realise that while some crime can be avoided by actions of the potential victims, the existence of crime is due to criminals, not victims. Once you come to that realisation, you can begin to take action both to increase awareness in potential victims and against criminals.

    This applies to both technological and non-technological crime.

  4. tecosystems says:

    Jason: I understand, I’m pretty sure, where you’re coming from when you say "that the problem isn’t each other, it is the nincompoops who think it is cool to vandalize, spy, and steal." And I happen to agree with that…

  5. Jeroen Frijters says:

    Niall, the victim is not responsible for the actions of the criminal, but the victim is responsible for protecting himself. This is simply pragmatism, unfortunately there will always be crime, so you have to take that into account. I don’t like that any more than you do, but it’s a fact of life.

    Jason, I don’t see that romanticizing of hackers much any more, but I agree that it is important to get the message out that these people are serious criminals. However, at the same time we should not try to pretend that traditional law enforcement solutions are going to be very effective in the virtual world. The nature of international law makes this extremely unlikely for the foreseeable future. Improving software security and user awareness is a much more effective solution to the problem.

  6. jasonmatusow says:

    Jeroen –

    I totally agree about improving security solutions. In my posting I make the point that it is good for software producers to improve their security technology and to market that. I think it is irresponsible to attack others on their security and even worse to make the claim to consumers that if you use my stuff, you have nothing to worry about.

    Also, you are right about the limitations of laws designed to deal with physical world issues being inadequate for the types of crimes that are being committed in cyberspace. Things like jurisdiction become very sticky very quickly.

    Jason

  7. Wesley Parish says:

    I think the problem Microsoft has, is that it has just been so phenomenally successful, with at least 95 percent of all PC desktops running some form of MS Windows.  We know precisely why Microsoft has been so successful – several anti-trust trials later and the information is out there for all the world to see.  Be that as it may, the corners that were cut to get Microsoft that place in the sun, have inevitably come back to haunt it.

    I found, via osnews.com – hardly a blanket Anything-But-MS site, an URL for an article titled "If Only We Knew Then What We Know Now About Windows XP"

    http://www.washingtonpost.com/wp-dyn/content/article/2006/09/23/AR2006092300510.html

    I agree, not everything wrong with Microsoft Windows is Microsoft’s fault – a lot of it is to do with the message that its ISVs got – that you could write a program to only run as Administrator, and you’d be fine.  That it was alright to go out on the Internet as Administrator, that it was alright to … Mind you, I’ve had some of that MS Office training, on account of people insisting that I needed it, and there wasn’t a lot about prophylactic Websurfing in the course.  So the Microsoft-based training establishments need a kick up the ass.

    As far as criminalising matters like identity theft, malware deployment, etc, there is a legal framework already in place.    Various counter-terrorism efforts have at least established identity theft as a threat to the peace.  I’ve just had a number of spam misinforming me about "Botnets for Rent", and I do think I’m sick of it.

    Microsoft’s incorporation of the browser into the kernel – and swearing under oath that it was vitally necessary to do so – was a Stroke of Genius – NOT!

  8. Gus Bjorklund says:

    You make some good points, but:

    0) Some security issues are greatly aggravated by their design and feature sets. For example, the fact that many email tools will execute /code/ (such as Javascript) contained in a message is simply outrageous.

    1) All operating systems have bugs and security flaws but the fact remains that there are almost no viruses on Macs and Linux and the users of those systems /are/ safer than Windows users, at least for the moment.