Daring Fireball on commercial malware vs commercial non-malware

First, apologies for the hideous title of the post, but I couldn’t really think of a better way of putting it. Commenting on my previous post on Mac security, John Gruber asks:

“But, and I’ve argued this before, it doesn’t explain why the Mac has, effectively, none. If it’s true that malware developers who want to make money will only write software for the vastly larger Windows market, then why doesn’t the same logic apply to non-malware commercial developers?”

This is an interesting question, but the answer is fairly simple: distribution methods differ. Let’s look at the differing scenarios.

You’re a legitimate Mac developer, and create “Wongo!”, a lovely little widget for the Mac. You create a web site, post about it in a blog, people come and buy it. You send out a few review copies, it gets reviewed, and lots more people buy it. Word of mouth spreads, more and more people come to your site and buy it. Eventually, you’re the Bill Gates of Mac software.

Now, for malware. You write a nasty trojan for the Mac, disguised as, say, a codec required to view porn. You upload it to a dubious site, where a relatively small percentage of people in general go. Of the people who see it, only 5% will ever be able to run it. Of that 5%, most won’t bother downloading it at all. You can’t advertise, or send out review copies, or – in fact – promote your “product” in any way. No one who downloads it is going to write blog posts about how amazing it is, recommend it to their Mac-using friends, or write letters to Macworld urging them to review it.

Compared to commercial software, Mac malware is like a small niche product which few people will ever encounter, and which you’re not allowed to promote. What’s more, it will never get any word-of-mouth coverage, positive blog posts, or reviews.