Darel Rex Finley in 888

Security-Through-Obscurity Redux — The Best of Both Worlds

2014.03.05   prev     next

IN the 1990s and early 2000s, Microsoft Windows ruled the tech world. If you wanted to be on the platform where all the interesting software development was, then you wanted to be on Windows. But it was a double-edged sword, because that’s also where all the malware was, all the big malware problems.

If you wanted to get away from malware, you could get a Mac. But then you weren’t leaving just the malware behind; you also were leaving most of the interesting software. So you had to choose: Do I want to have all the best software, but also deal with all the worst malware? Or do I want to kind-of get away from both — and be on this obscure platform where neither of those things is happening to a strong degree?

And a lot of people in tech — including noted tech security experts — said that Apple had achieved “security through obscurity” on the Mac. And as the Mac started doing better and better over the 2000s, these same people confidently predicted that the Mac would start to suffer a malware wave, and would wind up in the same boat as Windows, having a lot of the same trouble as Windows, because the Mac wasn’t so obscure any more.

Wrong

It’s apparent that something was very wrong with that thesis, because here we are today in 2014, and the Mac malware wave never happened, despite the platform being more popular than ever. And the malware problem on Windows — though still far-and-away worse than on the Mac — has toned down quite a bit, even though there are still tons of Windows PCs in use, that malware authors would love to target.

But the most interesting thing that’s happened, in terms of the whole security-through-obscurity theory, is in mobile.

Best

Apple revolutionized mobile platforms with iOS (iPhone, iPod touch, and iPad). And they didn’t just create best-selling hardware — they created a revolutionary, ultra-vibrant, third-party, software platform like none other ever seen.

But malware on iOS? Virtually non-existent. In the typical quarter, malware tracking companies report the number of new iOS attacks as literally zero.

Apple somehow has captured the best of both worlds: An industry-dominating software platform...but malware-free.

Worst

Meanwhile, the only other strong mobile platform, Android, somehow has managed to create the worst of both worlds. In terms of third-party apps, Android is very much analogous to the ’90s Mac niche environment: Yeah, there’re apps, but nothing like on iOS.

Malware, on the other hand, thrives on Android. Well over 90% of mobile malware is for Android (the rest of it seems to be for Symbian), and Android malware appears to be growing exponentially.

How Did It Happen?

There are two critical keys to understanding why this happened. To grasp the first one, we must ask ourselves the question: Is Android a single, unified platform? It’s promoters very much like to call it one (as in: counting any shipped device that runs any version of Android, in order to arrive at “80% market share”), but the truth is that Android is unified in some ways, and not in others.

All the ways that Android is not a unified platform — screen size, UI, hardware specs, fragmentation, poor version update support, etc. — make it a very bad platform for third-party app development.

But all the ways that Android is a unified platform — same kernel, same API, same ease of user tinkering and unknown-source software installation, etc. — make it a very good platform for malware authors, who couldn’t care less about the UI or the storage capacity or any of that stuff. They just want to make malicious code that can get on the device, stay there, and do something bad in the background.

Meanwhile, iOS is a unified platform in all the ways that are good for third-party app developers (common UI and hardware specs), and in the ways that are very bad for malware authors (tight, central control of what gets on the device).

And the second key to why things turned out the way they did in mobile: The whole security-through-obscurity theory was false in the first place. The fact that Windows got the virtuous, developer-user-developer-user cycle working for it, but also was so poorly designed as to be a malware author’s field day, was just a coincidence. Windows’s malware mess was a function of its technical design (or lack thereof) — not its popularity.

The security-through-obscurity thesis is predicated on the cynical, defeatist belief that malware authors can compromise any system just because they want to. With iOS, Apple clearly has shown that not to be the case.

 

Update 2014.04.08 — Mogull and Dai Zovi seem to have backed off on the impending Apple malware stuff in recent years, but the folks at Beta News somehow haven’t kept score of anything. Derrick Wlodarz, from just a couple days ago:

“The Apple myth: Why security through obscurity isn’t security”

“My girlfriend was on the prowl for a new vehicle ... she wouldn’t think of ditching her safety belt, no matter how safe the cars claim to be. ... Likewise, sizable portions of American society lives out in rural areas ... they most likely still use locks on all of their doors ...”

“[H]ow has Apple gotten a free pass on the falsehood that its OS X (and now iOS) users just don’t need anti-malware software? ... it really irks me that Apple still hasn’t admitted that this falsehood is endangering an entire slice of our computing society.”

Is that what irks you, Derrick?

 

See also:
Malware Isn’t About Total Control
&
Security Through Normalcy
&
Security Through Obscurity Redux — The Best of Both Worlds
&
Basic Reproduction Number

 

prev     next

 

 

Hear, hear

prev     next

Best Recent Articles

Method of Implementing A Secure Backdoor In Mobile Devices

When Starting A Game of Chicken With Apple, Expect To Lose

How I Clip My Cat’s Nails

Seasons By Temperature, Not Solstice

It’s Not A Criticism, It’s A Fact

Features (Regularly Updated)

A Memory of Gateway — news chronology of Apple’s ascendancy to the top of the technology mountain.

iPhone Party-Poopers Redux and Silly iPad Spoilsports — amusing litanies of industry pundits desperately hoping the iPhone and iPad will go away and die.

Embittered Anti-Apple Belligerents — general anger at Apple’s gi-normous success.

RSS FEED

My books

Now available on the iBookstore!

   

Links

Daring Fireball

The Loop

RoughlyDrafted

Macalope

Red Meat

Despair, Inc.

Real Solution #9 (Mambo Mania Mix) over stock nuke tests. (OK, somebody made them rip out the music — try this instead.)

Ernie & Bert In Casino

Great Explanation of Star Wars

Best commercials (IMO) from Superbowl 41, 43, 45, 46, and 47

Kirk & Spock get Closer

American football explained.

Sonos and Opalum — awesome sound stuff I saw at CEDIA.

TV: Better Call Saul; Homeland; Survivor; The Jinx; Breaking Bad; House of Cards; Inside Amy Schumer

God’s kitchen

Celebrity Death Beeper — news you can use.

Making things for the web.

My vote for best commercial ever. (But this one’s a close second, and I love this one too.)

Recent commercials I admire: KFC, Audi

Best reggae song I’ve discovered in quite a while: Virgin Islands Nice

Pinball Arcade: Unbelievably accurate simulation of classic pinball machines from the late ’70s through the ’90s, with new ones added periodically. Like MAME for pinball — maybe better.

d120 dice: You too (like me) can be the ultimate dice nerd.

WiFi problems? I didn’t know just how bad my WiFi was until I got eero.

Favorite local pad thai: Pho Asian Noodle on Lane Ave. Yes, that place; blame Taco Bell for the amenities. Use the lime, chopsticks, and sriracha. Yummm.

Um, could there something wrong with me if I like this? Or this?

This entire site as a zip file — last updated 2017.11.02

Previous articles

The Ultimate, Simple, Fair Tax

Compassion and Vision

When Starting A Game of Chicken With Apple, Expect To Lose

The Caveat

Superb Owl

NavStar

Basic Reproduction Number

iBook Price-Fixing Lawsuit Redux — Apple Won

Delusion Made By Google

Religion Is A Wall

It’s Not A Criticism, It’s A Fact

Michigan Wolverines 2014 Football Season In Review

Why There’s No MagSafe On the New Mac­Book

Sundar Pichai Says Devices Will Fade Away

The Question Every Ap­ple Naysayer Must An­swer

Apple’s Move To TSMC Is Fine For Apple, Bad For Samsung

Method of Implementing A Secure Backdoor In Mobile Devices

How I Clip My Cat’s Nails

Die Trying

Merger Hindsight

Human Life Decades

Fire and the Wheel — Not Good Examples of A Broken Patent System

Nobody Wants Public Transportation

Seasons By Temperature, Not Solstice

Ode To Coffee

Starting Over

FaceBook Messenger — Why I Don’t Use It

Happy Birthday, Anton Leeuwenhoek

Standard Deviation De­fined

Not Hypocrisy

Simple Guide To Pro­gress Bar Correctness

A Secure Backdoor Is Feasible

Don’t Blink

Predictive Value

Answering the Toughest Question About Disruption Theory

SSD TRIM Command In A Nutshell

The Enderle Grope

Aha! A New Way To Screw Apple

Champagne, By Any Other Maker

iOS Jailbreaking — A Perhaps-Biased Assessment

Embittered Anti-Apple Belligerents

Before 2001, After 2001

What A Difference Six Years Doesn’t Make

Stupefying New Year’s Stupidity

The Innovator’s Victory

The Cult of Free

Fitness — The Ultimate Transparency

Millions of Strange Dev­o­tees and Fanatics

Remember the iPod Killers?

Theory As Simulation

Four Analysts

What Was Christensen Thinking?

The Grass Is Always Greener — Viewing An­gle

Is Using Your Own Pat­ent Still Allowed?

The Upside-Down Tech Future

Motive of the Anti-Ap­ple Pundit

Cheating Like A Human

Disremembering Mi­cro­soft

Security-Through-Obscurity Redux — The Best of Both Worlds

iPhone 2013 Score Card

Dominant and Recessive Traits, Demystified

Yes, You Do Have To Be the Best

The United States of Texas

Vertical Disintegration

He’s No Jobs — Fire Him

A Players

McEnroe, Not Borg, Had Class

Conflict Fades Away

Four-Color Theorem A­nal­y­sis — Rules To Limit the Problem

The Unusual Mo­nop­o­list

Reasonable Projection

Five Times What They Paid For It

Bypassable Security Certificates Are Useless

I’d Give My Right Arm To Go To Mars

Free Advice About Apple’s iOS App Store Guidelines

Inciting Violence

One Platform

Understanding IDC’s Tablet Market Share Graph

I Vote Socialist Be­cause...

That Person

Product Naming — Google Is the Other Microsoft

Antecessor Hypotheticum

Apple Paves the Way For Apple

Why — A Poem

App Anger — the Supersized-Mastodon-In-the-Room That Marco Arment Doesn’t See

Apple’s Graphic Failure

Why Microsoft Copies Apple (and Google)

Coders Code, Bosses Boss

Droidfood For Thought

Investment Is Not A Sure Thing

Exercise is Two Thirds of Everything

Dan “Real Enderle” Ly­ons

Fairness

Ignoring the iPod touch

Manual Intervention Should Never Make A Computer Faster

Predictions ’13

Paperless

Zeroth — Why the Century Number Is One More Than the Year Number

Longer Than It Seems

Partners: Believe In Ap­ple

Gun Control: Best Ar­gu­ments

John C. Dvorak — Translation To English

Destructive Youth

Wiens’s Whine

Free Will — The Grand Equivocation

What Windows-vs.-Mac Actually Proved

A Tale of Two Logos

Microsoft’s Three Paths

Amazon Won’t Be A Big Winner In the DOJ’s Price-Fixing Suit

Infinite Sets, Infinite Authority

Strategy Analytics and Long Term Ac­count­a­bil­i­ty

The Third Stage of Computing

Why 1 Isn’t Prime, 2 Is Prime, and 2 Is the Only Even Prime

Readability BS

Lie Detection and Psy­chos

Liking

Steps

Microsoft’s Dim Pros­pects

Humanity — Just Barely

Hanke-Henry Calendar Won’t Be Adopted

Collatz Conjecture A­nal­y­sis (But No Proof; Sorry)

Rock-Solid iOS App Stability

Microsoft’s Uncreative Character

Microsoft’s Alternate Reality Bubble

Microsoft’s Three Ruts

Society’s Fascination With Mass Murder

PlaysForSure and Wikipedia — Revisionism At Its Finest

Procrastination

Patent Reform?

How Many Licks

Microsoft’s Incredible Run

Voting Socialist

Darwin Saves

The Size of Things In the Universe

The Self-Fulfilling Prophecy That Wasn’t

Fun

Nobody Was In Love With Windows

Apples To Apples — How Anti-Apple Pundits Shoot Themselves In the Foot

No Holds Barred

Betting Against Hu­man­i­ty

Apple’s Premium Features Are Free

Why So Many Computer Guys Hate Apple

3D TV With No Glasses and No Parallax/Focus Issues

Waves With Particle-Like Properties

Gridlock Is Just Fine

Sex Is A Fantasy

Major Player

Why the iPad Wannabes Will Definitely Flop

Predators and Parasites

Prison Is For Lotto Losers

The False Dichotomy

Wait and See — Windows-vs-Mac Will Repeat Itself

Dishonesty For the Greater Good

Barr Part 2

Enough Information

Zune Is For Apple Haters

Good Open, Bad Open

Beach Bodies — Who’s Really Shallow?

Upgrade? Maybe Not

Eliminating the Im­pos­si­ble

Selfish Desires

Farewell, Pirate Cachet

The Two Risk-Takers

Number of Companies — the Idiocy That Never Dies

Holding On To the Solution

Apple Religion

Long-Term Planning

What You Have To Give Up

The End of Elitism

Good and Evil

Life

How Religion Distorts Science

Laziness and Creativity

Sideloading and the Supersized-Mastodon-In-the-Room That Snell Doesn’t See

Long-Term Self-De­lu­sion

App Store Success Won’t Translate To Books, Movies, and Shows

Silly iPad Spoilsports

I Disagree

Five Rational Coun­ter­ar­gu­ments

Majority Report

Simply Unjust

Zooman Science

Reaganomics — Like A Diet — Works

Free R&D?

Apple’s On the Right Track

Mountains of Evidence

What We Do

Hope Conquers All

Humans Are Special — Just Not That Special

Life = Survival of the Fittest

Excuse Me, We’re Going To Build On Your Property

No Trademark iWorries

Knowing

Twisted Excuses

The Fall of Google

Real Painters

The Meaning of Kicking Ass

How To Really Stop Casual Movie Disc Ripping

The Solitary Path of the High-Talent Pro­gram­mer

Fixing, Not Preaching

Why Blackmail Is Still Illegal

Designers Cannot Do Anything Imaginable

Wise Dr. Drew

Rats In A Too-Small Cage

Coming To Reason

Everything Isn’t Moving To the Web

Pragmatics, Not Rights

Grey Zone

Methodologically Dogmatic

The Purpose of Lan­guage

The Punishment Defines the Crime

Two Many Cooks

Pragmatism

One Last Splurge

Making Money

What Heaven and Hell Are Really About

America — The Last Suburb

Hoarding

What the Cloud Isn’t For

Diminishing Returns

What You’re Seeing

What My Life Needs To Be

Taking An Early Re­tire­ment

Office Buildings

A, B, C, D, Pointless Relativity

Stephen Meyer and Michael Medved — Where Is ID Going?

If You Didn’t Vote — Complain Away

iPhone Party-Poopers Redux

What Free Will Is Really About

Spectacularly Well

Pointless Wrappers

PTED — The P Is Silent

Out of Sync

Stupid Stickers

Security Through Nor­mal­cy

The Case For Corporate Bonuses

Movie Copyrights Are Forever

Permitted By Whom?

Quantum Cognition and Other Hogwash

The Problem With Message Theory

Bell’s Boring Inequality and the Insanity of the Gaps

Paying the Rent At the 6 Park Avenue A­part­ments

Primary + Reviewer — An Alternative IT Plan For Corporations

Yes Yes Yes

Feelings

Hey Hey Whine Whine

Microsoft About Microsoft Visual Microsoft Studio Microsoft

Hidden Purple Tiger

Forest Fair Mall and the Second Lamborghini

Intelligent Design — The Straight Dope

Maxwell’s Demon — Three Real-World Ex­am­ples

Zealots

Entitlement BS

Agenderle

Mutations

Einstein’s Error — The Confusion of Laws With Their Effects

The Museum Is the Art

Polly Sooth the Air Rage

The Truth

The Darkness

Morality = STDs?

Fulfilling the Moral Du­ty To Disdain

MustWinForSure

Choice

Real Design

The Two Rules of Great Programming

Cynicism

The End of the Nerds

Poverty — Humanity’s Damage Control

Berners-Lee’s Rating System = Google

The Secret Anti-MP3 Trick In “Independent Women” and “You Sang To Me”

ID and the Large Had­ron Collider Scare

Not A Bluff

The Fall of Microsoft

Life Sucks When You’re Not Winning

Aware

The Old-Fashioned Way

The Old People Who Pop Into Existence

Theodicy — A Big Stack of Papers

The Designed, Cause-and-Effect Brain

Mosaics

IC Counterarguments

The Capitalist’s Imaginary Line

Education Isn’t Eve­ry­thing

I Don’t Know

Funny iPhone Party-Poopers

Avoiding Conflict At All Costs

Behavior and Free Will, Unconfused

“Reduced To” Ab­sur­dum

Suzie and Bubba Redneck — the Carriers of Intelligence

Everything You Need To Know About Haldane’s Dilemma

Darwin + Hitler = Ba­lo­ney

Meta-ware

Designed For Combat

Speed Racer R Us

Bold — Uh-huh

Conscious of Con­scious­ness

Future Perfect

Where Real and Yahoo Went Wrong

The Purpose of Surface

Eradicating Religion Won’t Eradicate War

Documentation Overkill

A Tale of Two Movies

The Changing Face of Sam Adams

Dinesh D’Souza On ID

Why Quintic (and Higher) Polynomials Have No Algebraic Solution

Translation of Paul Graham’s Footnote To Plain English

What Happened To Moore’s Law?

Goldston On ID

The End of Martial Law

The Two Faces of Ev­o­lu­tion

A Fine Rec­om­men­da­tion

Free Will and Population Statistics

Dennett/D’Souza Debate — D’Souza

Dennett/D’Souza Debate — Dennett

The Non-Euclidean Ge­om­e­try That Wasn’t There

Defective Attitude Towards Suburbia

The Twin Deficit Phan­toms

Sleep Sync and Vertical Hold

More FUD In Your Eye

The Myth of Rub­ber­neck­ing

Keeping Intelligent Design Honest

Failure of the Amiga — Not Just Mis­man­age­ment

Maxwell’s Silver Hammer = Be My Honey Do?

End Unsecured Debt

The Digits of Pi Cannot Be Sequentially Generated By A Computer Program

Faster Is Better

Goals Can’t Be Avoided

Propped-Up Products

Ignoring ID Won’t Work

The Crabs and the Bucket

Communism As A Side Effect of the Transition To Capitalism

Google and Wikipedia, Revisited

National Geographic’s Obesity BS

Cavemen

Theodicy Is For Losers

Seattle Redux

Quitting

Living Well

A Memory of Gateway

Is Apple’s Font Rendering Really Non-Pixel-Aware?

Humans Are Complexity, Not Choice

A Subtle Shift

Moralism — The Emperor’s New Success

Code Is Our Friend

The Edge of Religion

The Dark Side of Pixel-Aware Font Rendering

The Futility of DVD En­cryp­tion

ID Isn’t About Size or Speed

Blood-Curdling Screams

ID Venn Diagram

Rich and Good-Looking? Why Libertarianism Goes Nowhere

FUV — Fear, Uncertainty, and Vista

Malware Isn’t About Total Control

Howard = Second Com­ing?

Doomsday? Or Just Another Sunday

The Real Function of Wikipedia In A Google World

Objective-C Philosophy

Clarity From Cisco

2007 Macworld Keynote Prediction

FUZ — Fear, Uncertainty, and Zune

No Fear — The Most Important Thing About Intelligent Design

How About A Rational Theodicy

Napster and the Subscription Model

Intelligent Design — Introduction

The One Feature I Want To See In Apple’s Safari.