2007-11-15
Platform risk and platform (in)security
One of the perennial arguments between Mac people and Windows people is whether or not Macs are better than Windows machines for staying safe on the Internet, and if they are, why this is so; not infrequently, the debates get quite heated. I think that one reason for this is that people confuse the concepts of platform risk and platform (in)security, and thus miss something important:
Risk is not the same as insecurity.
(Here, a platform's risk is the likelihood that people using it will be successfully attacked; a platform's security or insecurity is how hard it is to create a successful attack.)
In particular, a platform can (currently) be less risky without being more secure, and vice versa; a more secure platform can still be more risky. The distinction between low risk and high security matters partly because risk levels can change radically over time without any change in the platform itself, so if you confuse low risk for high security, you are risking a severe problem if the risk level changes (for example, if someone targets you specifically). And similarly, just because you have a secure platform does not mean that you don't have to worry about attacks.
I suspect that there are at least two reasons that this confusion persists. First, it's natural to feel that the two must be strongly related, although this is not necessarily so. Second, it's hard for most people to really know how secure something is, while risk is essentially an observed fact (how much malware is there, how common in the wild is it, and so on) that anyone can see. It's thus very tempting to use your intuition to extrapolate from the observed facts to a conclusion about a system's security.
(This entry was sparked by reading the comments on this Matasano Chargen blog entry.)