[Cryptography] best practices considered bad term
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Feb 5 22:09:43 EST 2015
Ángel González <angel at crypto.16bits.net> writes:
>We can perform a quick and not extremely accurate comparison looking at:
>
>http://www.cvedetails.com/vendor/26/Microsoft.html
>http://www.cvedetails.com/vendor/49/Apple.html
>
>In 2014, 376 vulnerabilities were found in Microsoft products, compared to
>286 in Apple ones. So not so distant as you seem to expect (and in fact in
>2012, 80% more vulnerabilities were found in Apple products than in
>Microsoft ones).
It may be accurate in terms of comparing two numbers, but it doesn't say too
much about actual vulns present because it ignores externalities. If no-one
cares about your product (even if it's riddled with vulns), you'll look good
on a compare-the-numbers scale because you'll have no (apparent) vulns while
your competition will have many. The AV industry has a rule of thumb that a
product is uninteresting to attackers until it reaches about 5-10% market
share (there's no point in expending any effort to own a product with 2%
market share when you can go for Windows with 95% or whatever market share).
Once you cross this threshold you start drawing the attention of attackers,
and your apparent vuln. count explodes. This is what happened to Apple around
about 2011.
>Funnily, in 2015 Apple already has 48 vulnerabilities, while Microsoft only
>has 10. Too early to predict anything, though.
That's because Apple's now a target (although still not nearly as big a target
as Microsoft).
Peter.