Security by asking the drunk whether he's drunk

Peter Gutmann pgut001 at
Wed Dec 24 06:34:53 EST 2008

Adam Shostack <adam at> writes:

>Thank you!  I hadn't seen this either, and it's exactly what I was looking

One note of caution with the statistics given on that page: those figures are
apparently as reported by the Malicious Software Removal Tool (MSRT) (see so they'll represent the
output of a basic malware removal tool (not a full-blown malware/AV scanner),
and since it's only run on up-to-date Windows systems with auto-updates (and
therefore security hotfixes and whatnot) actively applied (MSRT is itself
supplied via auto-updates), it's likely that the real situation is a lot worse
than that, i.e. a full-blown AV program might find even more malware, and any
system that's regularly running the MSRT and applying security updates is
going to be less malware-infested than a general random sample of systems.  So
while they're a (really scary, much, much worse than I thought) indicator of
how bad it is, it's likely that things are even worse than that.  I've written
to the person who wrote the blog entry to try and get clarification on some
issues raised there.

(Oh, and I assume people have seen Eddy Nigg's article on how easy it is to
get a certificate for a site belonging to someone else from a commercial CA, which also made Slashspot earlier today).


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at