ryochiji's blog
Brought to you fresh from the depths of Ryo Chijiiwa


 
Powered by IlohaBlog
Section: All | News & Politics | Geek Stuff | Devel | Non-existent Life | Random | Food! | Life |

Archives: 2003 > 09

Tue, September 16, 2003

On Security

I spent the bulk of this morning updating OpenSSH on my server, a task which was greatly complicated by the fact that RPMs weren't available for a while, and once available, I got caught in dependency hell. At the end, I just compiled new binaries and did some switcheroos.

Anyway, that got me thinking about the whole "which OS is more secure/insecure?" question. I've heard people claim that the various free UNIX variants had just as many vulnerabilities as Windows, and were thus just as insecure. I don't think that's true, but for the sake of argument, let's say the number of vulnerabilities are the same. Does that make them equally secure/insecure?

Well, let's take a look at a hypothetical situation. Let's say there's OS A with 10 known vulnerabilities, and OS B with 20 known vulnerabilities. Which is more secure? OS A, right? Wrong. It turns out OS A with a 95% market share has 20 known exploits, while OS B with a 2% market share has none. Chances are, you'll be safer using OS B.

Let's try again. Who's safer. Me in t-shirts and shorts in an unlocked house, or someone in full kevlar armor in a locked house with boarded windows. Ah, not so simple is it? If the guy lives in Compton and he's pissed off a gang, he'll probably be dead in a day or two while I'll be sipping coffee blogging about not so important things.

The point is this. Overall security is a measure of how prepared you are in relation to the risks you face. To improve security, you can either protect yourself better, lower the risks, or do both. Either way, you can't just look at the level of protection to determine the level of security you have.

So far, I've been talking about computers, but the same way of thinking applies anywhere where there's risks. Like, "homeland security". There've been polls asking "are we safer", but that's just missleading. If the question was "is it harder to hijack a plane today than it was 2 years ago", I think the answer is definitely "yes". So the level of protection has increased. Well, how about the risks? Are there people who still hate the US? Yes; in fact, probably more now than 2 years ago. So are we safer? It's hard to say.

Government officials would claim that we are inherently more vulnerable because we have an open society. That's a lot like saying "servers are inherently more vulnerable because they have open ports". The solution, according to our government, is to unplug the thing from the network; close what's open, and you'll be safe. But they're completely ignoring the other factor: risk. Lower the risks and you won't have to close anything. If people didn't hate us, we could be open as we want (and have been for over 200 years) and still be safe.

So which is it going to be? Would we rather close society or stop pissing people off? Unfortunately, our government's stance on this seems clear...

posted in News & Politics at 14:26* [536 comments | View | Add Comment ] [] []


Ryo Chijiiwa

I'm a biologically Japanese, culturally American, Germany-raised, socially liberal, politically independent, gun-totin', code writin' dude. My life is currently sponsored by Google.
www.flickr.com
This is a Flickr badge showing public photos and videos from ryochiji. Make your own badge here.
©Copyright 1998-2002, Ryo Chijiiwa
All material on this website, unless otherwise stated, may be copied in part or whole, provided that due credit is given and a link or URL to the page or this site is provided. Contact the webmaster here.