Security through obscurity

Recently on a discussion board that I frequent, several members were hit by a nasty little virus that they got from an Adobe Flash ad.  The ads were served by a legitimate company and appeared on a legitimate web site, but malicious code was embedded in the third-party ads, presenting a malware notice for a “virus cleaner.”  Of course it was nothing of the sort, but rather an unpleasant bit of malware that wreaked havoc on users’ systems, taking hours to remove.

During the course of the discussion about this virus, it was noted that Macs were not affected.  A Mac user might see the initial notice (I did myself), but there was no danger to a Mac system.  This discussion quickly devolved to the usual back-and-forth between the rather smug Mac users and PC users who sneered that Macs were not really any safer than PCs, but rather protected only by “security through obscurity” since almost 100% of virus/malware threats do not affect Macs, rather than by any sort of computing moral high ground.

I am not going to get into a discussion about the relative advantages and disadvantages of the architecture of OS X and Windows as they relate to security.  Let us assume for the moment that OS X is inferior from a security standpoint and/or that Apple is lax about security threats (both arguments made by Mac detractors).  I would still argue that even if OS X has large, gaping security holes, the risk to its users is far, far lower than it is for PC users, even those protected by religiously updated anti-virus and anti-malware software.

Consider this analogy to real viruses that affect human beings.  Let’s say there is a very deadly, highly contagious strain of an Ebola-like virus causing a hemorrhagic fever.  In Scenario A, there is a vaccine for it that is usually effective.  In Scenario B, there is no vaccine or cure for the destructive virus, but it only affects hedgehogs.  Which scenario would you prefer?

Obviously, Scenario B is the way to go, if you have a choice.  Vaccines, whether against computer malware or actual living viruses, can fail.  If people choose not to get or update their vaccines/antivirus software, the population as a whole is at increased risk.  HHV (Hemorrhagic Hedgehog Virus), on the other hand, does not affect human beings, whether or not they take precautions against it.  While it may be security through obscurity, and could be viewed as dumb luck rather than any moral superiority in its beneficiaries, it is still a far better situation.

For Mac users, it’s a condition that may not last forever.  If Mac market share continues to increase, security threats undoubtedly will as well.  Even now, no computer user is immune to phishing scams, identify theft, and the like.  For the moment, though, flying under the radar, while perhaps not the most valiant of defenses, is a highly effective security strategy.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: