Monday, March 06, 2006

Glass houses

What is amazing is not the fact that it took a hacker less than 30 minutes to get root in the Mac security competition.

What is amazing is the fact that the people who launch these competitions don't first ask some security professionals how common rooted Mac or Linux boxes are. Sure, there are a heck of a lot of owned Windows boxes on the Internet. But there are also a heck of a lot of owned Unix machines.

A constant refrain at the IETF is 'bad security is worse than no security'. The point is that bad security leads people to rely on a machine, thinking that they are safe, and the consequences of doing so can be worse than having no security at all.

Judging an operating system by the frequency of security patches is the worst possible approach to security. All the operating systems we use today are hopelessly complex from a security perspective. None are really designed for use on an open international network. We do not even fully understand the requirements for security on such a network yet.

It only takes one security hole for a good computer to be turned bad.
