roger_grimes
Columnist

Better security through obscurity? Think again

Analysis | Jan 31, 2017 | 5 min read
Application Security, Data and Information Security, Hacking

Hackers may not target obscure apps as often as popular software, but your systems still won't be much safer


When attackers look for vulnerabilities, they target popular software. Why bother chasing flaws in applications that few people use?

That’s why one of my best friends runs a third-party application instead of Adobe Acrobat Reader to open and read PDF documents. Another friend runs the Maxthon browser to stay out of the way of exploits that target more popular browsers.

Does running less popular software really reduce risk? Yes, it probably does a little bit. But most of us don’t pick what software we run purely because of security. We pick software and hardware based on features, familiarity, support, and so on. The world’s most secure software programs usually rank among the least popular, even when they are free and very functional.

Alternative bits

For instance, I’m a big fan of OpenBSD. Security comes first with this operating system, and it has had far fewer publicly discovered bugs than any other, yet it languishes in relative obscurity. On desktop computers, Linux/BSD/Unix systems have consistently claimed only 1 to 2 percent of all operating systems. Flavors of BSD make up a very small percentage of that small percentage—and OpenBSD’s slice is positively minuscule.

I’m starting to run Qubes OS, a supercool, hypervisor-driven OS designed to allow fairly strict security domain isolation. Dr. Daniel J. Bernstein creates some of the most secure free software on the planet, including Qmail and DjbDNS, and they’re barely used. Qmail is a very secure email server, yet you’ll be hard-pressed to find information on it dated later than 2007. Its popularity peaked at around 5 percent of SMTP servers in 2007, and in the cloud age, it has probably shrunk a great deal more.

That said, in most cases you’ll give up features and support when you choose obscure software. If it came out with new, interesting features as quickly as popular competitors did, it wouldn’t be obscure anymore.

Then there’s the support issue. Years ago I got tired of my mother constantly infecting her Windows XP box, so I decided to switch her to Xubuntu (the interface is fairly close to that of Windows). I installed a secure browser, an email program, even Solitaire (which she so enjoyed). I made everything as easy as or easier than Windows XP had been. I even installed VNC so that I could do remote support.

I didn’t get many calls from her until she asked me to reinstall Windows XP. I asked why, and she said that none of her friends whom she relied on every day to answer questions could help her. Also, she couldn’t install software that her friends were using. I’m a huge open source proponent and fan, but anyone who tells you that open source software is easier to work with is smoking something.

A better way

Do I really expect you to adopt obscure software? Nope. By definition, few people do. The fact is, bugs in popular software aren’t the problem—it’s the failure to patch those flaws promptly, along with susceptibility to social engineering.

It’s been that way for nearly a decade. Most hackers and malware are successful not because of new vulnerabilities, but because of vulnerabilities for which patches were released a long time ago. If you patch your software in a timely manner and don’t get tricked into running something you shouldn’t—or giving away your logon credentials—you are very unlikely to get exploited. This is regardless of the operating system you’re running or the software you’re using.

Most of the time, obscure software isn’t exploited because hackers aren’t trying. Whenever I’ve been part of a team reviewing software code touted as “supersecure,” it’s usually full of critical bugs that could have been easily exploited.

Obscurity or security?

On the other hand, we know Microsoft Windows is a very popular attack target, but 99 percent of the time exploits stem from people either being tricked into running a program they shouldn’t or because someone turned off or ignored default patching mechanisms. Android and iOS users usually get exploited only when they run apps not from trusted app stores.

Windows and Apple have some of the best security of any software, period! They both contain literally hundreds of security mechanisms and tools (memory protections, anti-buffer-overflow protections, disk encryption, host firewalls) that either do not exist in the more obscure competitors or are not enabled by default.

Want to prove me wrong? Load a brand-new version of Windows or OS X, hook it to the internet, and accept the default options during install. Don’t do anything else. Do the same with Linux or your other “secure” operating system. Wait a few months. Then count which has the most outstanding, unpatched, publicly known vulnerabilities. I think you’ll be surprised.

What you’ll find is that the popular operating systems have about the same number as Linux operating systems, although your Linux distro may or may not have updated its critical vulnerabilities by itself. The same is true of the very popular applications: They may have lots of bugs each month, but if you allow them to automatically patch themselves, then they will have about the same number of outstanding publicly known vulnerabilities as the more obscure alternative.
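The experiment above boils down to one measurement: for each machine, how many publicly known fixes exist that the machine has not yet applied, and how long each has been waiting. The script below is an added illustration of that measurement, not code from the column or from any vendor tool. It uses a constructed advisory feed and two constructed host inventories (one that patches itself, one with automatic patching switched off); the advisory ids, package names, versions, dates and the 14-day service-level window are all assumptions made up for the example, and version strings are assumed to be dotted numerics.

```python
"""Count outstanding, publicly known vulnerabilities per host and how long
each fix has gone unapplied. Every value below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed placeholder id, not a real CVE number
    package: str          # package the fix applies to
    fixed_version: str    # first version that contains the fix
    published: date       # date the fix became publicly available


def parse_version(version: str) -> tuple:
    # Assumption: dotted numeric versions such as "56.0.2"; tuples compare
    # component by component, so "9.20.1" sorts after "9.3.0" as intended.
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed_version: str, advisory: Advisory) -> bool:
    """True when the installed build predates the first fixed build."""
    return parse_version(installed_version) < parse_version(advisory.fixed_version)


def outstanding(inventory: dict, advisories: list, today: date) -> list:
    """Return [(advisory, days_unpatched)] for fixes this host has not applied."""
    found = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue  # package absent on this host: this advisory does not apply
        if is_vulnerable(installed, adv):
            found.append((adv, (today - adv.published).days))
    return found


def summarize(hosts: dict, advisories: list, today: date, sla_days: int = 14) -> dict:
    """Per host: count of outstanding fixes, age of the oldest, and how many
    have waited longer than the patching window (sla_days, an assumed policy)."""
    report = {}
    for host, inventory in hosts.items():
        items = outstanding(inventory, advisories, today)
        ages = [age for _, age in items]
        report[host] = {
            "outstanding": len(items),
            "max_age_days": max(ages, default=0),
            "past_sla": sum(1 for age in ages if age > sla_days),
        }
    return report


# Constructed advisory feed: placeholder ids, not real advisories.
TODAY = date(2017, 1, 31)
ADVISORIES = [
    Advisory("ADV-0001", "pdfreader", "2.4.1", date(2016, 9, 12)),
    Advisory("ADV-0002", "browser", "55.0.2", date(2016, 11, 3)),
    Advisory("ADV-0003", "browser", "56.0.0", date(2017, 1, 10)),
    Advisory("ADV-0004", "mailclient", "3.1.0", date(2017, 1, 28)),
    Advisory("ADV-0005", "archiver", "9.20.1", date(2016, 6, 1)),
]

# Constructed inventories: same software stack, different patching discipline.
HOSTS = {
    # Self-updating host: only the fix published three days ago is still pending.
    "auto-patch-on": {"pdfreader": "2.4.1", "browser": "56.0.0",
                      "mailclient": "3.0.9", "archiver": "9.20.1"},
    # Automatic patching disabled months ago; archiver never installed.
    "auto-patch-off": {"pdfreader": "2.3.0", "browser": "54.0.0",
                       "mailclient": "3.0.9"},
}

if __name__ == "__main__":
    for host, stats in summarize(HOSTS, ADVISORIES, TODAY).items():
        print(f"{host}: {stats['outstanding']} outstanding, oldest "
              f"{stats['max_age_days']} days, {stats['past_sla']} past the window")
        for adv, age in outstanding(HOSTS[host], ADVISORIES, TODAY):
            print(f"  {adv.advisory_id} {adv.package} -> {adv.fixed_version} ({age} days)")
```

The point the numbers make is the column's own: the two hosts see the same advisories, so the difference in exposure comes entirely from how quickly fixes are applied, and the "days unpatched" column is the figure worth tracking over time rather than the raw count of bugs a vendor publishes.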

Patch like you should and avoid downloading or executing malware, and your risk should be virtually the same. That’s pretty much all it takes to keep your computing experience pure and secure.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
