"Security alert! A vulnerability in Mac OS X HTTP protocol handling makes possible denial of service attacks and arbitrary code execution."
"Oh no," you think. "This sounds bad. Is my Mac unsafe? Worse yet, is my entire network at risk?"
The reality is that "safe" is a relative term, both in the real world and on the Internet. Is it safe to get in your car and drive to the QuickieMart? Modern cars have seat belts (they didn't always), crumple zones, and airbags, but they don't guarantee that you won't be injured in a crash. Over time, the addition of these features has made cars incrementally safer, but their level of safety is still relative. You can't point to one car and say, "That one is absolutely safe, and that one absolutely isn't."
The same is true of computers and networks. An online banking site is expected to be more secure than the average Britney Spears fan blog, but the reality is that both are probably reasonably difficult to hack, even for a technically savvy user. But at the same time, both are potentially vulnerable to a malicious cracker.
The problem with security bulletins (well, one of the problems, anyway) is that they tend to redirect our attention to arcane technical details and away from common sense precautions. In most cases, there is greater risk of "social" security breaches than technical ones. Have you ever written down a password on a Post-it and stuck it to your monitor? Have you ever had users share a user account name and password, or sent passwords via normal email? These are potentially much greater threats to your security than the vast majority of vulnerabilities that could - in theory - be exploited to assault your network.
Another problem is that Internet security advisories can be hard to understand, sometimes even for well-trained network and system administrators. Often this is because the problem being reported is so obscure and technical that only a specialist could understand or respond to it. So, while this fact makes it difficult for many of us to determine the severity of a problem, or whether or not it even applies to our situations, it is more important to realize that more practical, almost intuitive issues generally pose a more significant threat to your network security.
Most of us make the choice to drive cars because the benefit outweighs the risk. We connect our computers to the Internet for the same reason. We do our best to manage the risk, of course, but ultimately the responsibility is ours. Software vendors have a responsibility to provide software that is fundamentally stable and secure, of course, but just like a car, it is up to the end user to use the software responsibly.
If a car accelerates through the back of some poor guy's garage when he hits the brakes, or a gas tank explodes when a Ford Pinto is rear-ended, the public rightly expects the company responsible to correct the problem. But the vast majority of accidents can be attributed to drivers, other cars on the road, or conditions outside of anyone's control, not to fundamental flaws in the engineering of the cars. Again, the analogy applies to computers and networks; most real-world security vulnerabilities could be addressed by users applying basic security measures.
Practical Precautions -- Here are five easy examples of the common-sense precautions I'm talking about:
When cars first began to be used widely, their limited top speed minimized the risk of driving them. As they have become more powerful, and the roads have become more congested, the risks have increased and drivers have had to exercise more skill and care to get around safely. Similarly, as we increasingly rely on universally available and networked computer systems, and as ever more critical information is kept on these systems, we must be better about basic precautions, spending our time on them, rather than on worrying about the latest possible exploit.
Airbags are a great safety feature, but you still need to pay attention to the road.
[John O'Fallon founded Maxum Development [2], makers of Rumpus, a popular FTP and Web file transfer server. He has been developing commercial software for Apple computers for 25 years.]
[1]: http://www.takecontrolbooks.com/passwords-macosx.html?14@@!pt=TRK-0044-TB865
[2]: http://www.maxum.com/