I think it's the question of security by functionality. For example, a non-JS capable PDF reader. Automatically, you eliminate 99% of all PDF exploits. But people might ascribe this to their product being obscure. Sometimes, it's the simple lack of visibility. But sometimes it's the functionality that causes obscurity. Because if it's as good, then it ought to become popular - e.g. Firefox. It's virtually impossible to separate functionality from pure obscurity. Moreover, which one dictates which? Do you choose obscure products? Or do you choose functionality - and it happens to be obscure.
Mrk
I voted moderately effective. I normally wouldn't prefer it as a model, say going with an OS without much security software but that is non-Windows so you know it's targeted less. I'd rather have the tools to go along with my ability to harden and get a Windows OS closer to another one that's hard right out of the box. But as an XP Pro user (still), I am in some regards relying on this approach at this point, so I can't ignore it. I very well may even use it past its EOL, and at that point I'll be relying on it even more so. Right now XP isn't being targeted nearly as much as Vista/7/8, and that's good news for me. And if I limit my attack surface (greatly), it benefits me even more, which is why now more than ever I'm on that mission. Which is why when I see a tool like EMET I wonder to myself... is it worth taking on the surface of .NET FW v4 to use this thing to prevent exploits that probably will never find their way onto an XP box not running Java, or coincidentally .NET FW in the first place? And I ultimately decided that the answer to that was "No" in the end. Though I do look very forward to Open EMET, or any tool that does the same thing without adding attack surface. So I wish Godspeed to LarryPepper on that...