2009-11-05

Which is more secure?

Which computer is more secure? "Mac!" says the dedicated Macintosh user. Or is it computers with the new Windows OS? Or are they both equally likely to have security problems?

There is a lot of debate in the security industry regarding which platform is more secure.

Many people assume that the Mac is secure - perhaps because they have heard of people who have experienced security failures under Windows. Others say that the Mac is just as insecure as Windows, if not more so.

The LanceJ Security Test

I propose the following simple test that can be used to measure which platform is more secure from the vantage point of the public.
  1. Buy a quantity of new, stock Windows 7 and Macintosh computers from a retailer. For example, buy 5 new Mac Minis and 5 new Windows 7 HP desktops from BestBuy.
  2. Distribute each of the sealed, boxed computers to a regular, randomly selected family. Give each of those families identical, stock internet access via, say, Comcast. Tell the families to set up the computers and use them in their homes.
  3. Collect the computers after a set amount of time - perhaps 6 months.
  4. Count the number of machines that have been compromised.
The platform with fewer detected compromises was generally less likely to be a security problem to its user during the course of the study.

Limitations

Clearly such a study wouldn't measure all aspects of security. For example:
  1. It doesn't count compromises that are not or cannot be detected.
  2. It doesn't count potential OS vulnerabilities, phishing attack vulnerabilities, etc.
  3. It doesn't measure security compromises of the future.
Perhaps a security researcher could devise a way to accurately count these other data.

Other Approaches

Another simple approach to measuring "platform security" could be pursued by the general-purpose "computer repair shop". As new customers come in, measure the number of computers requiring repair due to security failures. However, it seems that a research project based on "repair shop" data would be complicated. Should the age of the computers be considered? And how does one account for machines with non-security-related failures?

Next Steps?

I'd be surprised if there haven't been security researchers who have performed this exact kind of test. After all, researchers spend the bulk of their time doing research and publishing. If you are pursuing such a research study, or if you know of a recent study that performed a similar test, please post a link in the comments section.
