Some Mac users in denial on security?
Summary: Mac fundamentalists in denial on security?
Commentary: One thing ZDNet Australia managed to prove this week is that any debate about OS X security will be heated.
Our inboxes were full of comments following the publication of "Apple more secure than Windows NT?"
Many Mac users disputed the arguments put forward in the story. In particular:
- The obscurity of OS X as an operating system explains why there has been a small number of security bugs reported in it
- The computer-maker's decision to switch to an Intel chipset will make it easier for malware writers to code exploits for OS X-based systems
This writer would like to revisit those claims.
Firstly, there is historical evidence to suggest that security through obscurity is a genuine phenomenon. According to Chris Wysopal, the co-founder and former CTO of AtStake (which was acquired by Symantec in 2004), the number of reported vulnerabilities is a horrible way to judge software security, especially for less popular software.
"NeXTStep had seven reported vulnerabilities over a seven year period from 1990 to 1997. This is a far smaller vulnerability count than OS X. Was it more secure? Hardly. No one cared," Wysopal said.
Given that modern malware is written for profit -- trojan programs designed to steal banking passwords a favourite -- an operating system with a 3.8 percent market share is hardly an attractive target.
Computer Associates' director of Content Research, Jakub Kaminski, believes the worm will turn, but he's not sure when. "Everything is about money. Someone will figure out that there are enough Macs out there that it's worth it."
Kaminski, who oversees virus research at CA's biggest virus lab, also agreed with the premise that the switch to Intel has done the bad guys a favour.
"The fact that they're using the same processor [as PCs] will definitely make things easier," he said. "The really bad guys ... they're using assembly. Someone who wrote [exploits] for Intel on PC will [find it] much easier to move to Mac."
He's not the only one who thinks so. Security expert and founder of the controversial Metasploit project, HD Moore, told ZDNet Australia that the switch to Intel did result in many types of vulnerabilities becoming easier to exploit.
"Lots of reasons for this, but the key ones are flexibility of x86 assembly and the independent i-cache/d-cache in PowerPC," Moore said via e-mail.
Moore is an authority on the subject. He has written a very comprehensive article on OS X PPC shellcode tricks. Shellcode is the assembly-coded software that allows hackers to meaningfully exploit security vulnerabilities.
"Apple more secure than Windows NT?" also took issue with Apple's marketing strategy around security, suggesting the company is implying its products are more secure than others because of some sort of inherent superiority.
Well, it's happened again. In the wake of news that Apple shipped iPods pre-loaded with a Windows virus, the company put its spin machine into action, declaring on its Web site: "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it".
It shows a lot of gall for Apple to take a poke at Microsoft, having just infected its users with a virus shipped on iPods. If history has taught us anything, using security in public relations campaigning and advertising is dangerous.
It backfired on Microsoft when the Redmond-based giant used NT 3.5's apparent NSA C2 security compliance to promote the product, and it backfired on Oracle, too. When the database-maker declared its products "unbreakable" in an advertising campaign in 2001, the deluge of security bugs that followed was nothing short of startling.
What's needed now is a rational discussion about security issues affecting Mac users. The truth is, there's a fringe element of extraordinarily loyal Mac users who refuse to acknowledge that trouble may be on the horizon, despite mounting evidence to the contrary and a significant hardware change with the switch to Intel.
Instead of getting bogged down in full-scale denial, let's start a rational debate. This isn't about Windows versus Mac, this is about keeping Macs safe from attackers by dragging the security issues affecting OS X into the open. It's time.
Talkback
it's time? It has been for 3 years already
On writing assembly code on x86: you still need an OS that is like swiss cheese security-wise. For example, the stack in Mac OS X is not executable (the usual attacks from buffer overflows)
Obscurity. Market pundits and spin Drs changed the original meaning into something related to market share. Wrong: security via obscurity has little to do with how many machines are around and all to do with how public and known are the OS APIs and KPIs. Windows enjoys much more from security via obscurity than any other Unix based OS, Mac OS X included. Can you download the source code for the whole Windows and study it? Right, you may with most of Unix OSes, Mac OS X included. Cannot be less obscure than that.
Infection: a Mac (vanilla installation) does not listen to ports, does not reply to port probes, does not advertise its presence on the net. Maybe on the horizon there will be malware using sociological scam but not the same sort of exponential wildfire infections as it happens on Windows: break into one, break into them all!
If it does not spread without user intervention and automatically just by having the computer online it is not a threat, it is a joke to fish for simpletons. True, many simpletons around: they will be a target in the Mac platform as well. But there is only so much an OS can do against "intel inside, idiot outside". Still, while on Windows external software can install themselves without user knowing it, such a thing is not possible on OS X. Additionally, on Windows any application works in the admin space (IE can trigger Outlook to execute code and do whatever). On Mac OS X this is just ludicrous: it is just not part of how the OS works. So, even techniques proven on Windows for phishing are going to be more difficult to translate on OS X.
If you think only market share is going to change Mac OS X into another failure as Windows you are even more delusional than Mac fanboys who believe they are invulnerable. For the record though: I have NEVER met any Mac user believe that or claiming that. Can you point to some evidence ?
Windows on iPod production at external partners
Apple shipped tens of millions of iPods and only 25 (twenty-five) got a Windows virus? Well, that means Apple must have in place a fantastic Fort-Knox like security policies in place to only have 25 infected iPods out of tens of millions produced.
Any corporate business would simply LOVE to be that safe when using Windows. 25 PCs infected out of millions? Geezz, that would be "crackers we p0wnd you!"
The fact simply shows that the only valid way to avoid malware is to ban Windows entirely. How many billions are spent on (trying) to secure and keep safe Windows.
How many infections in one single year? Hint: much more than 25. Apple should teach other businesses on how to avoid Windows malware: they clearly know better.
Microsoft have failed its customers big time on this issue.
Oh dear...seems like Patrick the Gimp is feeling the heat...
2: Meaningless discussions about NeXTStep are just that, meaningless. He's just pulled one example out of his b*m, one that fits the proposition. Well, here's another one for you, the exception that disproves the rule.. OpenBSD ! Secure right out-of-the-box and how popular is it?, how much market share has it got ?????
If I just want to hold up an example of an OS with low vulnerability count and say "It's low because no-one cares" that is IDIOCY!!! Pick embedded realtime OS's then...the whole world runs on them...oh, I'm sorry..you don't understand what I'm talking about, do you Patrick...go buy a book.
3:Assembly code....first off, that's cr*p, most writers out there are using off the shelf trojan/virus toolkits and secondly, Big endian, little endian...if you can't port your 'sploit code from x86 to PPC and back in 20 minutes then you're an idiot, in which case you're not using assembler, in which case you're using a toolkit, so see the first point.
See how it works Patrick ?
Metasploit framework...very good piece of kit, but taken totally out of context. What?, MR Bad Hax0r is going to nmap your PC and then run metasploit against it/..possible but highly unlikely...he's going to get his bots to spam you with emails containing executables or links to pages that will host code to trivially pwn your Windoze box THROUGH IE/OUTLOOK and ACTIVEX/WSH etc etc etc ad infinitum.
It's just this simple....the script kiddies see a smaller number of tough Mac and *nix machines floating around in a sea of wide open Windows boxes. If you look at high value assets like servers then the majority run on other-than-Redmonds OS's. ' Course those guys would like to get into them..even into the 20% of desktop users machines that don't run Windows..but they can't, they're too much bother. Why worry when you can bust open 1000's of Windows machines all day long?? It's like trying to steal Porsches, it's just too hard unless you've got specialist knowledge. That doesn't mean Porsches are immune to theft, it just means that 99% of thieves will pass it over in favour of the Commodore with the keys in the ignition just down the road.
Let's just repeat that for you Patrick... no-one says Mac or Linux or whatever is immune to hax, just that it's SO MUCH HARDER IT'S BEYOND THE SKRIPT KIDDIES, understand? All decent crackers use Linux or Unix or similar anyway, even THEY don't use Windows. Man, even the old l0pht guys didn't even reference Windows systems except as prey.
Nice second try Patrick but you really have to do better than that. Make sure that CV is polished up !
enjoy.
well said !
Typical FUD, if you can't kill the message, try to kill the messenger.
Windows is garbage any way you look at it, and shows no sign of changing soon.
openbsd vuln count
I think this shows that people care more about OpenBSD security than they cared about NeXTstep security.
But my point is low vulnerability count alone is not a useful measure of security.
BTW, I have both OS X and OpenBSD machines. My NeXT got sold quite a while ago. :)
I deny that
Oh, and by the way, if obscurity equaled security then iron clad Vista wouldn't have had 2 announced viruses in the first week of BETA testing with a few hundred thousand install base.
Yes, sorry, should have explained that a bit more..
My OpenBSD point was that there's no denying the security of that particular flavour of OS and look at its vuln count, a lot higher than 7.
I agree with your points.
You want a debate?
Both the iPod virus and the TikiWiki vulnerability were not the fault of OS X or entirely Apple's fault.
1. The TikiWiki runs under PHP and is a third party app, it runs on just about every server out there. It could have been a Sun Solaris box that hosted the university's little Windows Malware problem.
2. The iPod infection was small and isolated. It did not happen in an Apple shop but in an overseas third party manufacturer who had an infected Windows computer that somehow managed to get attached to every ipod for testing or a disk image for the ipod was created using this Windows computer that was infected. Yeah, it's embarrassing to Apple, but it's their outsourcing that caused the problem.
3. That little wireless vulnerability that was published some time ago turned out to be a third party wireless card in a Mac laptop and not an Apple Aircard. The hackers claimed they could do the same to the Aircard, but never proved it. Apple did an extensive audit, found some minor things that should be fixed and released a patch immediately. But those hackers never hacked an Airport card and now it's likely no one will as Apple further hardened their code.
4. The latest hype of an OS X virus, Symantec calls Macarena, just shows how uninformed the computer media really is... The virus is a toy, it's not even really worth discussing. It needs to get to executables to infect which are inaccessible if one is not running as an admin. Unlike Windows, you can actually run OS X without admin rights and everything works like it should. http://www.symantec.com/security_response/writeup.jsp?docid=2006-110217-1331-99
I am not discounting your assumption that Apple's reduced market share keeps the virus writers from targeting OS X. But even if OS X was heavily targeted, there would still be fewer vulnerabilities and Apple would certainly fix them faster than Microsoft! Microsoft still has several unfixed vulnerabilities that are still wide open.
BTW, there's more Internet servers running Unix/Linux variations than Windows servers. They have much greater server market share than Microsoft Windows, yet you don't see a lot of those servers getting hacked or infected! At least not like Win2k/Win2k3 is hacked and infected on a regular basis. Perhaps the reason is because the SysAdmins have to actually know what they are doing in order to admin Unix/Linux... Far too many Win2k3 certified engineers running around without a single clue as to what they are doing.
well said too!
Do I think I am safe? I paid 99.95 for netbarrier and virusbarrier. Bring it on! I am more safe using OS X than using Windows. FOR WHATEVER REASON, whether it is OS obscurity or you name it. Apple is gaining momentum whether they like to admit it or not. It is the Mercedes-Benz, its excellency in computers. That's the bottom line.
aircard