Don’t be the weakest link


Chris Evans, a Google security engineer for the Chrome browser, made an interesting comment at the recent Pwnium 4 security competition in Canada. Commenting on their approach to security, he said:

“Bad guys are fundamentally lazy, like the rest of us. They’re looking for the highest return with the least amount of effort.”
“They want the weakest link, and we will never have Chrome be the weakest link.”

There’s a lot to agree with in this approach. After all, most predators tend to pick on the vulnerable (even serial killers), and you can often survive using the ‘slightly faster runner’ tactic (i.e. the old joke about surviving a tiger attack: “I don’t have to be the fastest runner, I just have to be faster than you.”).

But there’s another factor to this, and that’s opportunity size. Microsoft Windows was (and probably still is) a much more secure operating system than Mac. But the sheer size of the install base meant that Windows was always the preferred target. It was more difficult, but the rewards were much higher.

And with Chrome’s market share now dominant, Chrome is going to be the preferred target for hackers, no matter how much weaker its competitors might be.

Are “bad guys fundamentally lazy”? Probably. But the really, really bad guys aren’t. They’re extremely hard working.

