Mac botnet: Who's at fault?

Moderated by Jason Hiner | April 16, 2012 -- 07:00 GMT (00:00 PDT)

Summary: At least 600,000 Macs were infected by the Flashback Trojan. Did Apple fail to protect its users? Or were users defeated by their own misguided fantasies of invulnerability?

Ryan Naraine

Apple's fault

or

Users' fault

Christopher Dawson

Best Argument: Apple's fault

Closing Statements

Apple needed this reality check

Ryan Naraine

A decade ago, in response to a string of debilitating network worm attacks, Microsoft implemented “Trustworthy Computing,” a major initiative aimed at making the world’s most widely used operating system more resilient to malicious hacker attacks. It worked. The security posture of the Windows operating system has improved and Microsoft’s security response process is now the standard that others -- like Adobe -- are copying.

Now it’s Apple’s turn. The company must use the Flashback attack as a reality check and reject the security-by-PR approach that tricked its user base into complacency. Apple needs to take the security game seriously. We are no longer in 2006 when Macs were deemed safe from attacks and cute commercials could be used to sell an operating system. Flashback is the first major Mac botnet but you can bet there will be more. Apple cannot afford to ignore the lesson of Flashback.

Users have the power

Christopher Dawson

There are many reasons that we use and love our Macs so passionately. First and foremost is a nearly flawless user experience. Apple has, without a doubt, set the bar for great software integrated seamlessly with hardware that is at once elegant, artful, and totally usable.

None of that, however, is worth a hill of beans if using Apple products means exposure to malware that the company ignores without a media frenzy. Of even greater concern, though, is a user base blissfully unaware of security issues without said media frenzy. Sure, we should be able to expect our OS vendor of choice to proactively address security issues. But if we don't back up those expectations with our pocketbooks, Apple will never take the same leadership role in security that they have in hardware and software design (or, for that matter, that Microsoft did when users began to walk away).

It's squarely on Apple's shoulders

Jason Hiner

What I really liked about this debate is that it got past all of the hype and scare tactics that always surround big security incidents and tried to get at the real threats and provide users with some actionable tips for dealing with current and future security threats on Macs. Chris was right on the mark about the fact that users who own Apple products have had a false sense of complacency for too long and they need to demand better security practices from Apple, and move to other products if security is important to them and Apple doesn't deliver any meaningful improvements in its security practices.

Ultimately, we have to place the onus for the Flashback Trojan squarely on Apple's shoulders. The company dragged its feet for almost two months in getting out a security patch, and once it did, it released it quietly in the background without alerting users. These are not the practices of a company that is serious about running a highly secure platform that is accountable to its users. That's why Ryan clearly wins this one.

Talkback

127 comments
  • Not mutually exclusive?

    "Did Apple fail to protect its users? Or were users defeated by their own misguided fantasies of invulnerability?"

    Probably a bit of both. Although I'd hold Apple more accountable.
    CobraA1
    Vote: I'm Undecided
    • Although . . .

      Although the real fault actually lies with the one who wrote the botnet to begin with. Let's not forget the real criminal in all this. Apple and users can take actions to protect themselves, but ultimately we really need to work on tracking these people down and shutting down their operations. Otherwise, they'll just keep coming back for more.
      CobraA1
      Vote: I'm Undecided
      • True ...

        As long as there is greed in the world, people will continue to look for ways to beat their neighbor out of what is rightfully theirs!
        M Wagner
        Vote: I'm for Apple's fault
      • 49 day delay is Apple's shame, but obviously only *twice* clueless people

        ... could get infected:
        1) they had to believe that Flash does not update itself -- even though it does, and does it quite visibly;
        2) they had to believe that Flash update should be on some weird non-Adobe site.

        Otherwise, getting this trojan would be impossible.
        DDERSSS
        Vote: I'm Undecided
      • DeRSSS still spreading dangerous misinformation

        Flashback would infect Macs even if the user did not do something stupid. Regular sites were infected by the drive-by exploit which would infect any visiting Macs.
        honeymonster
        Vote: I'm for Apple's fault
      • Honeymonster still spreading dangerous misinformation

        @honeymonster: no regular websites ever hosted this infection. This particular botnet software used Trojan tactics that would bait people into going to some link with "Flash update" (hence the name).

        You could never get infected visiting any regular site (ZDNet, CNN, et cetera).
        DDERSSS
        Vote: I'm Undecided
      • .nu services

        Most of the servers that Flashback reports back to are .nu domains. The companies who host these web sites should police their services for terms of service violations. Go after the criminals, not the victims.
        BradMacPro
        Vote: I'm Undecided
      • You can blame cyber crims....

        ...but with Apple now encouraging (almost to the point of REQUIRING) users to log into iCloud for everything across the whole range of Apple devices, I would be targeting Macs too as getting access to an Apple ID would gain me access to information on that person's iPhone, iPad, and all iOS devices without even hacking into any of those idevices.
        Apple has put ALL their users' data in one huge basket and that is a very dangerous trend.
        This is before you even argue about the merits of Apple's security measures in their OSes. Or the fact that Apple has sold their users a false sense of security thus the users lower their guard. Couple that to the fact Apple is the SLOWEST to offer security updates and you can bet that Apple users will be targeted by crims because Apple set up the ideal environment and infrastructure for hackers.
        Crims are opportunistic. You can blame crims but Apple is largely to blame for setting up the opportunity.
        No organisation, not even Apple's billions, has enough resources to shut down cyber crime significantly. The money is better spent in improving security and educating users.
        warboat
        Vote: I'm for Apple's fault
      • @warboat

        "...but with Apple now encouraging (almost to the point of REQUIRING) users to log into iCloud for everything across the whole range of Apple devices, I would be targeting Macs too as getting access to an Apple ID would gain me access to information on that person's iPhone, iPad, and all iOS devices without even hacking into any of those idevices.
        Apple has put ALL their users' data in one huge basket and that is a very dangerous trend."

        First, just because you use a Mac does not mean you have to use iCloud, but of course I am sure you actually know that. Second, isn't Google putting all the customer information into one place in the same way that Apple is? Do you have an issue with Google doing this or is it like so many other statements you have against Apple, it's only an issue because it's Apple and not somebody else?
        non-biased
        Vote: I'm Undecided
    • Enough Blame to go Around. Twice!

      Count me as a vote for both Apple and users sharing the blame. Apple is a victim of its own success, plying the vision that Macintosh is easy to set up, easy to learn, easy to use, and easy to own. Well, with mechanical devices such as cars, furnaces, and especially computers, ownership includes an element of informed maintenance.

      The users who are drawn to Macintosh tend to be non-technical people, and a huge element of that attraction is the belief that you can use Macintosh and own it, problem free, without needing any technical smarts. And so, these people willingly and enthusiastically buy into the Macintosh Mystique.

      And so, you end up with a huge Macintosh user base that enshrines beliefs such as Macs don't get viruses (or other malware), and which have no understanding of file and directory fragmentation, the prospect of hardware failures (e.g., bad blocks on a disk), the high failure rate of today's SSDs, or even things such as a tested and proven data backup/recovery strategy.

      It could be said that in some ways, Apple and its users deserve each other: Those who so want you to believe in heaven, and those who are so willing to believe there is one.

      FWIW, I was a rabid MacZealot for over a decade. I still have several Macs, but my main computer by a wide margin is a Windows XP PC. I don't think Macs are crap. I believe Apple has created a solid niche for a certain type of computer user. But I also believe that even that kind of user is best served to have a moderate level of knowledge and understanding about the machine they operate, and how to maintain it properly.
      SteveMak
      Vote: I'm Undecided