Tag Archives: security

Can we please stop saying open source is more secure?

I’ve argued for a long time the "open source means more eyeballs means more secure" argument was complete bunk. I’m not particularly happy that the GnuTLS bug – which appears to have been there for up to nine years – has shown I was right. As John Moltz puts it:

This SSL bug may have been in the code for nine years. Please, tell me again that trope about how Mac users blindly think their computers are invulnerable to attack. And it’s not like it’s the only one the platform’s had.

The point is not how many eyeballs look through code (and as Watts Martin points out, no one looks through a lot of that old code). It’s the quality of the eyeballs which matters. If a hundred mediocre coders look through a bunch of code, they’ll never see the same issues that a single really good one will see. People aren’t functionally equivalent units of production.

As Steve Jobs put it:

"In most businesses, the difference between average and good is at best 2 to 1, right? Like, if you go to New York and you get the best cab driver in the city, you might get there 30% faster than with an average taxicab driver. A 2 to 1 gain would be pretty big.

"The difference between the best worker on computer hardware and the average may be 2 to 1, if you’re lucky. With automobiles, maybe 2 to 1. But in software, it’s at least 25 to 1. The difference between the average programmer and a great one is at least that.

"The secret of my success is that we have gone to exceptional lengths to hire the best people in the world. And when you’re in a field where the dynamic range is 25 to 1, boy, does it pay off."

Malware, the Mac, and the wolf

John Gruber’s delivered a list of previous claims that the Mac is about to succumb to malware real soon now under the title of “Wolf!”

The analogy John’s making is that the pundits should all remember the tale of the boy who cried wolf. But, as my friend Graham pointed out, John’s missing something: at the end of the tale, on the last occasion, there actually was a wolf.

There is no such thing as a perfectly secure operating system. Sooner or later, there will be a wolf.


Dumb Windows users write dumb things about malware. News at 11.

Over at PC Pro, my old chum Chris Brennan is conducting a brave experiment. As an ardent Mac user, in the cause of science, he’s put aside his Mac and is living with Windows 7 for a while (catch up with his posts here).

After a couple of weeks, a story about some Windows 7 security issue prompted him to install Microsoft Security Essentials (free, not bad security software). He posted about the experience, and has promptly been jumped on by a bunch of sneering Windows folk, with comments like “totally pointless article” and “He’s clearly a Mac fanboy. Any further articles are totally pointless. He’ll choose a Mac no matter what windows 7 does.”

Now read his post, and there’s nothing there that’s actually wrong – and unlike some Mac commentators, Chris’ writing is entirely reasonable. He’s not jumping up and down and lying about security, which I’ve seen some Mac zealots do. But it appears Chris’ (entirely factually accurate) post has hit a raw nerve with some of the commenters there.

No matter what the reasons, malware is a problem for Windows users in a way which it just isn’t for Mac users. Now I’m largely on the side of the epidemiological theory: Macs are less of a target because there are fewer of them, and because there are fewer of them it’s much more difficult to spread malware. Malware is a lot like disease: it takes a critical mass of vulnerable people in a population before a disease can spread effectively.

But what the commenters have ignored is the key point that Chris is making: anti-virus software isn’t (and never will be) 100% effective, and different packages protect to different degrees. While Security Essentials is a decent package, as PC Pro’s review points out, there are some kinds of malware against which it will offer little protection.

The point is this: if you’re a naive computer user, you need to know not only to install malware protection on Windows, but that not all packages are equal, and how to differentiate between them. Unless you read computer magazines avidly, you might not know any of this.

And that, in my book, is another reason just to get a Mac if you’re not a geek. The Mac’s lack of significant malware might not last if it ever gets to 20, 30 or 40% installed base – but until it does, take advantage of the lack of worry.


Oyster Card hack can be published

Oyster card hack to be published.

"In its ruling, the court said: ‘Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings’"

In other words, if you messed up and released something with a security hole in it, it’s your own silly fault and you’ll have to take the hit for it.

A marvellous ruling, and one that will actually be good for business in the long run, as it will discourage companies from promising their customers that a system is secure purely because they think they can clamp down on any information about it that appears.