Security Through Obscurity
Sunday, March 26, 2006
Keywords: Technology
A recent report shows that snails that are left-"handed" have an advantage in encounters with right-"handed" crabs, whose claws are not as adept at opening the shells of left-"handed" snails (because of the orientation of the spiral). This reminds me of fencing, where fencing against lefties is more difficult because while lefties have plenty of experience fencing against opposite-handed opponents, righties do not face many opposite-handed opponents and thus do not have that sort of experience to draw from. Indeed, one of the tougher opponents in the class I took was a leftie. Anyway, one might describe this as an example of security through obscurity in the real world.
On that note, people who post comments on my blog will find that there is no spam protection. No e-mail address verification, no Turing tests to prove that you are human, no logins, and heck, I did not even bother to implement any simple heuristics under the hood (e.g., no looking for HTTP/1.0 requests, bad user agent strings, etc.). Despite this, I have yet to see a single piece of comment spam, even though, according to server logs, I have indeed been visited by bots and numerous attempts have been made. So why have all these spambots failed to infest my blog with comment spam despite my neglect to implement any sort of security? Apparently, these automated spambots are designed to target the common blogging platforms, and when they encountered my blog, they seemed to have a hard time with supplying valid entry IDs (even though they are hard-coded in a hidden field in the form). So by writing my own home-grown blogging platform, I have been spared comment spam through obscurity, which was very unexpected: I never realized until now that these spambots were so poorly programmed (which is good: we like spammers to remain incompetent).
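The entry-ID check that stopped the bots described above, next to the two heuristics the post mentions but does not use, as an added example that is not the blog's own code. The field name `entry_id`, the sample IDs, the "bad" user-agent patterns and the sample requests are all assumptions constructed for illustration.

```python
import re

# Assumption: IDs of entries that exist on the blog (constructed values).
KNOWN_ENTRY_IDS = {"101", "102", "103"}
# Assumption: what counts as a "bad" user agent; the post does not define it.
BAD_UA = re.compile(r"^\s*$|libwww-perl|^Java/", re.IGNORECASE)


def check_comment(request_line, user_agent, form, known_ids=KNOWN_ENTRY_IDS):
    """Return (accepted, flags) for one comment POST.

    accepted depends only on the hidden entry-ID field, the one check the
    post says the bots failed. flags records the optional heuristics the
    post mentions (HTTP/1.0, bad user agent) without acting on them.
    """
    entry_id = form.get("entry_id", "")
    accepted = entry_id in known_ids
    flags = []
    if not accepted:
        flags.append("invalid-entry-id")
    if request_line.rstrip().endswith("HTTP/1.0"):
        flags.append("http-1.0")
    if BAD_UA.search(user_agent or ""):
        flags.append("bad-user-agent")
    return accepted, flags


# Constructed sample requests: (request line, User-Agent, form fields).
SAMPLES = [
    ("POST /comment HTTP/1.1", "Mozilla/5.0 (Windows; U) Firefox/1.5",
     {"entry_id": "102", "body": "Nice post"}),
    ("POST /comment HTTP/1.0", "libwww-perl/5.805",
     {"entry_id": "1", "body": "buy pills"}),
    ("POST /comment HTTP/1.1", "",
     {"body": "cheap loans"}),  # hidden field missing entirely
    ("POST /comment HTTP/1.0", "Mozilla/4.0 (compatible; MSIE 6.0)",
     {"entry_id": "103", "body": "Reading this through an old proxy"}),
]


def summarize(samples=SAMPLES):
    """Run check_comment over every sample request."""
    return [check_comment(*s) for s in samples]


if __name__ == "__main__":
    for sample, (ok, flags) in zip(SAMPLES, summarize()):
        print("ACCEPT" if ok else "REJECT", sample[2].get("entry_id"), flags)
```

The last sample is accepted but still flagged `http-1.0`, which shows why such heuristics are better logged than enforced: a legitimate reader behind an old proxy would trip them.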
Of course, this is similar to the Mac/Linux/UNIX security situation. While there are some architectural features that make these operating systems a little better than Windows XP SP2 in respect to security (and from the looks of it, most of these technical advantages will disappear with Vista), I strongly believe, for a number of reasons*, that the biggest contributing factor is the obscurity, which results in fewer attempts at breaches, fewer people searching for ways to breach security, and the creation of far fewer viruses/worms/trojans/etc. As such, I have always found it amusing that these communities try to convert users with the security carrot.
________________
* Despite the bad rap on Windows, the NT architecture is actually a fairly robust one--just look at how NTFS compares with other file systems. The security model is also very good on NT systems. The problems lie with the implementation: bugs and having many users run as the superuser. Having administered Linux servers in the past, I am also fully aware of the many vulnerabilities that other systems suffer. I could go into more depth, but that is a story for another post.
This entry was edited on 2006/03/26 at 13:31:24 GMT -0500.
