Ryan's Business Security Blog

By Ryan Groom, About.com Guide to Business Security

Blackberrys, Vista and Blue Pills

Friday August 11, 2006

Recently both Blackberrys and Vista have come under attack for having huge security issues. Here is my take on the security vulnerability landscape.

Many security professionals like to preach that the sky is falling. It makes headlines and gets people to buy more security products. Most security vulnerabilities are only effective if the user breaks one of the ten immutable laws of security. It is the “IF” factor that fuels the security industry, and sometimes I think it draws too close a parallel to the insurance industry. The majority of security vulnerabilities found in computers are nullified if safe computing practices are followed.

Don’t get me wrong, proper security practices are required, but the majority of the security vulnerability headlines have a large “IF” factor in order to be dangerous. For example, in order to be compromised by the newest Blackberry vulnerability, you have to be tricked into downloading and running the malicious code on your Blackberry. Also, the new Blue Pill vulnerability for Vista requires you to run it as Administrator. On the flip side, if you do run any of these malicious programs you are in deep trouble, and they are almost impossible to discover and remove. Security vulnerabilities are getting more dangerous, but they also continue to rely more on the human factor as the catalyst of the exploit.

Is there any hope?

I am positive safer computing days are ahead. Instead of building thicker and higher walls of security into our computing lives, a better model of trust is needed to take the massive explosion of computing to the next level. What is this model of trust? I am currently not sure but many are working on it. If you have any suggestions please drop me a line.

Until you can trust all the computing vectors in your life, keep your systems patched, practice safe computing and don’t get tricked into running software from a bad guy. As the first immutable law of security states, Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

©2008 About.com, a part of The New York Times Company.

All rights reserved.