<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Safety Vs. Security</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Mon, 28 May 2007 20:26:50 -0000</lastBuildDate><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321217</link><description>safety is security</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">a</dc:creator><pubDate>Mon, 28 May 2007 20:26:50 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321216</link><description>safety = security * exposure * malicious intent&lt;br&gt;&lt;br&gt;is my diagnosis of your ill horse.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">cygo</dc:creator><pubDate>Mon, 11 Dec 2006 11:27:22 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321215</link><description>"safety vs security" is indeed the most apt analogy I've seen so far on this issue. I wouldn't say it's the be-all and end-all since both words express conditions which can't be quantified, however this is a more reasonable way to talk about the issue. BTW IMNSHO, security is both a technological and human problem. To try and view it as strictly one or the other don't do no help at all.&lt;br&gt;&lt;br&gt;dre,&lt;br&gt;&lt;br&gt;I've heard that sort of windbaggery before about how OSX users are being targeted "everyday" but the fact remains, I have not seen any evidence of it at all. Once I see it I'm sure I'll change my tune.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 11 Dec 2006 00:16:07 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321214</link><description>My issue with the 'security is a human problem' view is that it feels like a cop-out on the technology side.  If there is nothing a user can do to secure themselves because of a security vulnerability in their OS or third-party software, that is not their fault.  It shouldn't even be their fault that they visit an untrusted URL that knocks them around with clientsides, or they open a {insert file format} file.  &lt;br&gt;&lt;br&gt;But I do think you ask a good question about the relative awareness of the user communities of various OS vendors.  Of course, I would just extend my analogy (and I do know how much Ivan loves the use of non-technical analogies :)) to say that people that live in safer communities think about security less.  If you live in a place that is unsafe, you tend to think more about security.  People in big cities tend to be more aware of their surroundings, know where dangerous locations are, and watch people more closely.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave G.</dc:creator><pubDate>Fri, 08 Dec 2006 20:30:12 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321213</link><description>Jake, regarding your first paragraph:&lt;br&gt;"For example, if you drive a compact economy car, you know that you’re more vulnerable, and you drive accordingly. In other words, safety in an unsecured environment comes from knowledge."&lt;br&gt;&lt;br&gt;No, I don't *know* that I am more vulnerable, I don't even assume so. Your statement about compact economy cars being more vulnerable than non-compact cars is based purely on *your* perception of the issue, it is not good enough for a rational assessment of a car's safety.
In fact I could argue that driving a brand new, expensive, big fat car in the slums of Sao Paulo, Brazil under the stare of a lot of not very wealthy people armed with AK-47s is probably less safe than driving a 10 year old battered economy car.  "Safety in an unsecured environment comes from knowledge".. knowledge of what? the tech specs of the car? the road? the neighborhood? what is, exactly, this "knowledge" that you talk about?&lt;br&gt;&lt;br&gt;Which brings me to the second point: "more vulnerable" to what? You need to qualify the threat, the attacker, etc.&lt;br&gt;&lt;br&gt;Ok, so leaving those clever and vivid analogies alone (neighborhoods, cars, c'mon, someone must come up with one about chicks!)...the one thing that I agree with is the "good security UI" remark but forced to think of it I would go further: the UI is not the problem, the human using it is the security problem. That sounds like a typical infosec community joke but I am serious about it:&lt;br&gt;&lt;br&gt;Designing a good security UI is no less "academic" than designing a secure kernel, if the designers don't understand that security is a human problem and not a technical one and if the users have no security awareness and have no interest in acquiring it then all the rest is irrelevant. Secure design principles, SDLC, products' security features, vendor incident response, etc. are all telltale signs of the security consciousness of the OS vendor but the security of the OS is not solely controlled by its vendor. As a matter of fact it is mostly controlled by third-party ISVs and, fundamentally, by the users of the OS.
If they are not security conscious then it doesn't really matter what the OS vendor thinks, claims or does.&lt;br&gt;&lt;br&gt;In that context, how do you see the security awareness of the user communities of the various OS vendors?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ivan</dc:creator><pubDate>Fri, 08 Dec 2006 13:33:29 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321212</link><description>Jake, the "Windows isn't more secure, it just has more features" claim is just a bromide. Firewalls and SSLs are just "features" of a secure network.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 08 Dec 2006 09:59:48 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321211</link><description>This is a great observation.  Proper risk management is all about balancing security with expenses.  Perhaps Apple is applying the appropriate level of resources to keep the risk of using OS X lower than the risk of using Windows.  &lt;br&gt;&lt;br&gt;As Dave says, Windows is in the middle of a huge U.S. city where many with criminal intent are close by and anonymous.  OS X is way out beyond the suburbs.  Not worth the criminal's trip.&lt;br&gt;&lt;br&gt;I think security people admitting they think the risk of using OS X is lower than the risk of Windows is a good step in engaging in meaningful dialog with Mac fans.  But the Mac fans need to also admit that the risk is lower because the threat space is different between the two platforms.&lt;br&gt;&lt;br&gt;Then we can move on to a security discussion.  Topics such as, "What design decisions help make OS X or Windows more secure?"
or "Is Apple using a secure SDLC approach to build its software?"&lt;br&gt;&lt;br&gt;Looking at the security bugs that are found on a monthly basis in OS X I can't believe some Mac fans think the security of the platform is significantly better than Windows, but they do.&lt;br&gt;&lt;br&gt;-Chris</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris W.</dc:creator><pubDate>Fri, 08 Dec 2006 09:43:50 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321210</link><description>if you make yourself a target, Mac OS X is not a safe place to hide behind.  you become a target when an adversary decides you are one.  it's that simple.&lt;br&gt;&lt;br&gt;physical security with Mac OS X is usually non-existent.  given the first scenario i had with setting up a local user on my brother's new shiny password-protected MacBookPro, i was able to create an administrator account and take my picture within 3 minutes.  i simply booted into single user mode, followed the directions it gave right before the prompt, and ran System Preferences from the Applications folder.&lt;br&gt;&lt;br&gt;your risk is also relational to what you have to lose.  some phishing groups do indeed target Mac OS X ("everyday" according to Charles Edge - speaker at Blackhat, et al).  in particular, organizations that use Mac OS X (entertainment companies, such as Hollywood A/V, cartoon, and gaming types that employ Pro Tools, Final Cut, Shake, etc) heavily and do big production stuff with them are very valid targets.  As are security researchers and vulnerability assessors.  Wink.&lt;br&gt;&lt;br&gt;afaik, it's just as easy to upload embedded malware into a browser on Mac OS X as it is under Windows 95 (or Linux with grsecurity for that matter).  who needs access to the OS when you have an OS-independent javascript zombie horde?
since this is my argument, i propose that OS security is irrelevant as they aren't the targets anymore because they don't have much to lose.  browsers (in combination with web application security) are highest at risk, and provide attackers the most gain.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dre</dc:creator><pubDate>Fri, 08 Dec 2006 08:45:23 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321209</link><description>The most important feature of any security system is that it should be well understood by the users.  For example, if you drive a compact economy car, you know that you're more vulnerable, and you drive accordingly.  In other words, safety in an unsecured environment comes from knowledge.  &lt;br&gt;&lt;br&gt;The folks at Apple have worked hard on the Mac to make sure that it is comprehensible to users.  This is a far cry from the much more elaborate security methods used in recent editions of Windows.  Is Windows security better?  Well, it has more features.  But in terms of comprehensibility, I have to wonder.  The average user doesn't understand what makes the security system work.  And when it rejects something, they don't understand why that happens either.  &lt;br&gt;&lt;br&gt;If you really want to talk about safety and security, you must confront what most of us engineers have known for ages:  Most of the really chronic problem is sitting right there in front of the screen.  Until we develop a good security UI, the rest of this problem is academic.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jake</dc:creator><pubDate>Fri, 08 Dec 2006 08:20:27 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321208</link><description>Of course I'm partial, but I like to say that OS X isn't significantly more or less secure, it's just a much lower risk.  &lt;br&gt;&lt;br&gt;A big reason is what you're saying, we OS X users just don't see anywhere near the number of Threat Events as other operating systems.  Why?  Some of it has to do with controls ("how Mac OS X is architected", above), but most is because the threat community doesn't have the motivation yet.&lt;br&gt;&lt;br&gt;Unfortunately for OS X, this isn't a good situation.  If I had to write a corporate report on the subject, I'd have to flag this as what we call an "Unstable Risk Situation" - in that we're relying almost solely on a low frequency of threat events in arriving at a "low" or "very low" risk rating. A nominal increase in threat events will dramatically change the risk landscape.  We can model that out, and the results for a big/all Apple shop aren't pretty.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alex</dc:creator><pubDate>Fri, 08 Dec 2006 07:02:51 -0000</pubDate></item><item><title>Re: Safety Vs. Security</title><link>http://www.matasano.com/log/644/safety-vs-security-2/#comment-2321207</link><description>As far as the whole Mac security thing goes, that is the best metaphor I have heard.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Amrit</dc:creator><pubDate>Fri, 08 Dec 2006 02:36:09 -0000</pubDate></item></channel></rss>