Tuesday, January 26, 2010


I promised that this would not be the risk du jour blog but that I might use something topical to make a bigger point. Aurora is such an event.

No less than the nation states of France and Germany have suggested that, in response to the vulnerability exploited in Aurora, their citizens should not use Internet Explorer. Now never mind the fact that this was a multi-element attack of which the IE vulnerability was only one part. Never mind that most IE7 and IE8 browsers are not vulnerable and that IE6 is seven years old. Never mind that the attack was aimed at a very small number of very high value targets. Never mind that many of the individual targets did not take the bait. Never mind that MS was promising an out-of-cycle patch. Never mind that if the attacker can get the target to take the first bait, i.e., the link in the e-mail message, the browser vulnerability is only nice, not necessary.

Nation states were giving security advice to all their citizens. And it was the wrong advice. The right advice was "don't take the bait."

One of the tests of the Principle of Proportionality is that if the remedy is worse than the problem, you are doing something wrong. Now for most of us, not using IE is not a big deal. But two whole countries? Who were not even on the original target list? And it was only marginally reducing what was already a vanishingly small risk for most of the citizens.

Now I admit, the governing class loves little as much as it likes fear. It just makes the rest of us so much easier to govern. "I am from the (French) government, and I am here to protect you from Chinese hackers." The government should not be one's first choice for security advice. Indeed it isn't. Most of their citizens did nothing. Most waited for the MS update. Most are still not taking bait. Doing what the government suggested did not reduce the risk of most of those who are still taking bait.

Aurora is a classic case of security overreaction.
