vulnerability and popularity (was: EBAY and AMAZON)

Owen DeLong owen at delong.com
Wed Jun 13 13:42:12 UTC 2012


On Jun 13, 2012, at 5:33 AM, Andrew Sullivan wrote:

> On Wed, Jun 13, 2012 at 07:55:37AM -0400, Rich Kulawiec wrote:
> 
>> If popularity were the measure of relative OS security, then we would
>> expect to see infection rates proportional to deployment rates
> 
> I don't buy that premise, or at least not without reservation.  The OS
> market happens to be a superstar economy.  On desktops and laptops,
> which still happen to be the majority of devices, the overwhelming
> winner is Windows.  Therefore, if you are going to invest in any
> product for which you want ubiquitous deployment, Windows is the first
> platform you aim for.  You only aim for the others if you're chasing a
> niche.
> 
> There is no reason whatever to chase a niche market if your goal is
> spewing spam, collecting credit cards, or whatever.  
> 
> Perhaps fortunately, we're about to have an empirical trial of these
> different possibilities.  If the above analysis is correct, then we
> should expect malware targeting iOS and Android in about equal
> proportions as those sorts of devices displace laptops and desktops as
> the majority (though there will be some bias and therefore lag in
> favour of Windows just because of the fact that people already have
> tools and techniques built around Windows).  If you're right that the
> primary issue is the fundamental security of the target, then perhaps
> we will not see that pattern emerge.
> 

If that were true, the webserver attacks would be aimed at Windows
while the vast majority of them are aimed at IIS.

Attackers aim for the softest targets with sufficient numbers to get what
they want. When it comes to target hardness, Micr0$0ft builds porridge
in a world of thick sludgy oatmeal.

Owen




