
Why engaging with the Mac community over security is a hopeless task

Rich Mogull talks about his "Curious Relationship With Apple And Security" and what he wants to do in the future:

"Actively engage with the Apple community, give Apple credit for what they get right, and point out where they get things wrong while educating Mac users. This hopefully gains me enough credibility that they can’t simply dismiss me as anti-Apple and I can help the Mac community pressure Apple for needed change."

Good luck with that, Rich. The problem with talking to the Apple community at large is that there are far too many people – usually, ironically, people who haven’t used the Mac for more than a handful of years – who believe that the fact that "there is no malware for the Mac" means it must be perfectly secure.

They simply refuse to believe the "security through obscurity" line, which states that the Mac’s low market share helps keep it safe by reducing the opportunities for malware to be effectively spread. As the Mac is a small target, it’s simply not efficient to write a virus for it. This is largely because they have an outdated view of what malware is produced for – they simply don’t understand that a lot of malware is produced not for kudos but for profit, and when you’re going for profit it makes more sense to hit the biggest possible market (i.e. Windows).

Neither do they understand that a large chunk of modern malware exploits the least-secure part of any system: the user. Most malware which is successful over a longer term doesn’t target a security loophole initially, but attempts to get access to a user’s system via social engineering.

And the notion that Windows Vista’s security model might be as secure as the Mac’s (if not more so) will be met with either blank, uncomprehending stares or outright hostility. It doesn’t matter that it’s true.

So Rich, my advice is simple: just don’t bother. You’re only going to get 1500 flaming comments whenever you dare to utter the "heresy" that the Mac might not be perfect.

UPDATE: Clarified my point about "security through obscurity", by which I mean the Mac’s low market share reducing vectors for malware spreading, rather than the platform itself being "obscure" and unknown to malware writers.

UPDATE 2: I’m in the middle of transferring this blog from TypePad to WordPress, which means that I’ve now exported all the posts and comments from here to the new place. As this post is still getting comments, I’ve decided to temporarily close comments while the DNS switches over, so nothing gets lost in the move. Once the DNS has switched, comments will be back. Sorry for the interruption – if you really want to comment desperately, you can find the WordPress version of this post here.

Comments on this entry are closed.

  • Terrin

    Mac users do not worry about security because it has never been an issue for them. As such, why would they worry? That is no way to live your life. If viruses start to get released into the wild, people might start to worry.
    Moreover, Mac users tend to ignore most security people because they are disingenuous. For instance, they like to claim Macs are only more secure based on their market share. While a smaller market share certainly offers some protection, there are genuine design decisions that make Macs safer than various versions of Windows, especially those predating Vista.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Well done, Terrin, you qualify as EXACTLY the type of user I’m talking about.
    NO serious security analyst I’ve ever seen has said that the Mac is ONLY more secure because of its low market share. No one doubts that the underlying architecture of OS X, in common with all credible versions of Unix, gives it an advantage over Windows XP and prior.
    However, they’re also completely correct in pointing out that the low market share has been a major contribution in the lower attention that the Mac has had in the past, and that’s contributed significantly to the lack of malware on the platform – something that you yourself admit. That means they’re not being “disingenuous” – they’re just not pandering to the platform’s cheerleaders.

  • http://www.geise.com PXLated

    But Ian, Terrin has it right in that Mac users are not going to worry (or even pay attention) until something serious happens. And I think he’s also right in the statement “why should they”.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Hi PXLated – I agree with you on the first part. I don’t think that Mac users will worry until they get bitten – and that, of course, means that they’ll get bitten harder.
    And that’s why they should worry about security. If a nasty piece of spreading malware was released, it would go through the Mac community like wildfire because of the lack of security awareness. No one in the Mac community, for example, thinks twice about opening attachments in email because “there’s no Mac viruses”. Windows users, with years of experience of taking security a bit more seriously, usually know better.

  • http://www.the-wabe.com/ Rob Menke

    The other problem the Mac community has is demographics: the average Mac user tends to be better educated, wealthier, and more informed than their PC brethren.
    It makes them more lucrative, but more difficult, targets.
    Social engineering “hacks” confuse MacOS users, because they cannot see why anyone would fall for such obvious ruses. Joe Sixpack on his Wal-Mart PC might fall for a PayPal phishing e-mail, but the average Mac user is aware of what dangers lurk on the Internet. Security researchers cannot do anything about these kinds of attacks, so they’re irrelevant to the conversation.
    The automated attacks — those taking advantage of flaws in the operating systems — are more interesting. The “security through low marketshare” myth says that MacOS users are less likely to come in contact with other MacOS users, therefore limiting propagation.
    I call bull.
    First off, “birds of a feather”: Mac users tend to congregate. Their systems actively seek out each other with technologies such as Bonjour and WiFi. It would be relatively easy (and more discreet) to use such a locating technology rather than blindly spraying packets on the hope of finding a new vector.
    Second, there have been numerous cases where systems with even smaller marketshare have been attacked: Linux on iPods, VxWorks on an off-brand router. Granted, it’s unlikely that these efforts were pecuniary-driven, but they exist nevertheless.
    The only place limited marketshare comes into play is the availability of systems for the malware industry to use for testing. It’s unlikely you’ll find many Macs overseas in Eastern Europe, where most criminal malware seems to originate. Unfamiliarity with the platform might limit virus development, but not propagation.
    The difficulty about talking security with MacOS users is twofold: first, there have been numerous episodes of “crying wolf,” where year after year analysts have predicted the coming storm of virus attacks; second, the tone of researchers assumes that MacOS users are as incompetent in securing their systems as their Windows counterparts.
    The “educating Mac users” of Rich’s posting has the same tone of arrogance and desperation that guarantees that the Mac community will (incorrectly) view him as yet another security researcher trying to remain alive as the well of Microsoft’s flaws dries up. It’s all in the approach, really.

  • PacNW

    Mac OS X is an OS developed for *specific* hardware. Windows is not. That flexibility is an inherent risk on any platform.
    Mac users are indeed complacent and frequently security ignorant due to the low occurrence of breaches over the years. However, I would ask for 1 example of a breach/virus/trojan that has been capable and has brought Mac OS X (any final version) completely to its knees and killed usability of the target system. *That* is where people get their confidence from. A Mac might sustain damage, it might slow down, you might be able to find it easily on a network, but historically they do not die en masse, nor are they breached so invasively like their Windows-based counterparts. Just because you can get into a machine doesn’t mean you can get anything worthwhile.
    Yes, windows is a larger target, but let us not forget that the resources available via MS etc to secure and protect Windows are equally large or larger. Now that the “macs cost more” argument has gone the way of the dinosaurs (at least for anyone up to date) and more people begin to use the platform there will be more resources available to it. Most “techies” forget. A larger userbase not only ensures a larger target, it also ensures a larger development investment in securing that OS. Maybe for apple users, the glass is half full… at least for now.

  • E.J.

    I don’t buy the security through obscurity line. People love to point out how smug Mac users are, and are just itching to have a ‘told you so’. Since many malware authors craft their wares just because they can, and for notoriety, you’d think that the first self-propagating piece of OS X malware would be a great prize to put on the mantle.
    The prize is too big of a target to be brushed aside by ‘obscurity’.

  • STL

    The Mac community does not have a problem.
    You in the security community have the problem and you recognize it as the following, The Mac community does not have to spend any money on your products and the Mac community knows it. To make the Mac community uneasy you deluge them with this security FUD.
    Mac market share has doubled in just a few years and still nothing, zero, zip.
    So Security community, you might as well stop the FUD. The Mac community is too smart to drink your Kool-Aid.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    PacNW:
    “Mac OS X is an OS developed for *specific* hardware. Windows is not.”
    Yes. It’s developed for PowerPCs. And Intel chips. Oh, and the iPhone. And Apple TV. Oh, and it’s based on Darwin, which has been ported all over the place. And includes QuickTime, and Bonjour, which are on both Mac OS X and Windows. And includes drivers for ATI graphics cards. And nVIdia ones. And Intel graphics…
    You get the point, I’m sure.
    “Just because you can get into a machine doesn’t mean you can get anything worthwhile.”
    Actually, it usually does. Even without root privs – which some vulnerabilities allow you to get – I could erase everything in your home directory and send a copy of a programme (looking like a JPG) which would do exactly the same to every contact in your address book, from your email address. Simple user privs in OS X allow you to do that.
    “Yes, windows is a larger target, but let us not forget that the resources available via MS etc to secure and protect Windows are equally large or larger.”
    Except, of course, the core of Windows – up till the launch of Windows Vista – was not built for security in the same way as OS X’s Unix underpinnings. And that means it’s cost a lot of money, and a lot of trouble, to make Windows as secure as OS X.
    Read “The Mythical Man Month”, by the way, and you’ll learn why throwing more money and more programmers doesn’t necessarily solve a problem.

  • http://www.technovia.co.uk Ian Betteridge

    Rob:
    “First off, “birds of a feather”: Mac users tend to congregate.”
    That’s irrelevant, of course. The majority of malware is transmitted by one of three vectors: email, file sharing, or faked up web pages. All rely on random visitors. You *could* create malware specifically targeted at Mac-users, by putting files on Mac-specific boards.
    But why bother? Remember that most malware these days is used to create botnets for spamming and other purposes – ie commercial or criminal, rather than “fun”. As I said above, you and many other Mac users have an old-fashioned view of malware and what it’s for now. It’s not worth making a botnet out of 6% (maximum, worldwide) of the market. Far more effective to target the other 94%.
    “Second, there have been numerous cases where systems with even smaller marketshare have been attacked: Linux on iPods, VxWorks on an off-brand router.”
    And there have been cases on the Mac too. OSX.RSPlug.A, the AutoStart worm, OSX/Leap.A, Inqtana, for example, or the regular dose of QuickTime exploits (including one which caused Linden Lab to advise users of Second Life to turn off QuickTime). That you don’t hear too much of them doesn’t mean they’re not around.
    “second, the tone of researchers assume that MacOS users are as incompetent in securing their systems as their Windows counterparts.”
    Unfortunately, I think it’s true that by and large this is true. I’ve certainly never seen any coherent evidence that Mac users are any smarter than Windows ones.

  • James Bailey

    Has it been a year already? It might even be over a year since you last brought up the particular meme–That the Mac is secure because of “security by obscurity.”
    I believe that last time you were predicting that something would hit “soon” because of–if I remember correctly–OS X being downloadable over sharing networks for stock PCs. How’s that working out?
    Once again, leaving Arty aside, obscurity plays no part in why OS X has had no widespread security breaches. Market share may play a part but not in the way you think but OS X is not obscure by any reasonable standard. The underlying kernel is open source and there are many zero day exploits for OS X published each year. None of those zero day exploits has led to an outbreak of malicious software on OS X.
    As you correctly pointed out, malware is now a big criminal business. Few criminals write malware for notoriety as they did in the past. So, if you are a criminal, you are looking to see where the bang for the buck lies. Right now, without question, it lies in targeting Windows XP. You will get the largest number of bots or keyloggers or whatever else makes money by targeting XP. This is partly due to market share since there simply are more targets. But it has more to do with the problem that XP PCs are easy targets. Easy targets mean more money for less work. It isn’t hard to understand why criminals target XP.
    I don’t know if you’ve ever tried to help an average XP user maintain their PC but I have. What I find is appalling. Anti-virus software that is years out of date or disabled by lack of payment. Users still using unpatched IE 6 and allowing every Active X control free rein. The IE toolbar so crowded that it takes up half the screen. The last PC I cleaned up couldn’t connect to the internet or so I was told. I hooked it up to my home network and immediately my network was bombarded with packets from the internet disconnected PC. Sure enough, IE couldn’t connect but something was. I wiped the machine, reinstalled SP2 and loaded freeware anti-virus/anti-spyware software. It might not be the best but it isn’t going to expire leaving the machine wide open for attack.
    Now, I don’t believe that you think the above scenario is unusual. There are millions of machines that are zombies. The problem is epidemic. This is what makes making malware for any other platform a complete waste of time for any criminal. Making malware for Windows XP is guaranteed to work where there is no such guarantee for OS X and there is no history of success on OS X either. For the criminals, it is not a religious argument, they just want the easiest target.
    I suspect we will have the same discussion next year, see you then.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    E.J.:
    “Since many malware authors craft their wares just because they can, and for notoriety…”
    Wrong. While lots of script kiddies exist who adapt existing code and tag it with their names, there is no base of existing code for the Mac – and, as they tend to lack skill (and experience of the Mac) that’s an issue.
    I recommend you read the section on “Why write viruses?” at http://www.viruslist.com/en/viruses/encyclopedia?chapter=153280553. As you’ll see, the most common reasons for writing serious malware are criminal: fraud, botnets, organised crime, extortion and theft. For all of those purposes, the Mac is simply not enough of a target to make it worthwhile.
    But really, you’re simply demonstrating that I’m correct – few Mac users understand the malware landscape. Their thinking is trapped in the era of CDEF.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    STL:
    “Mac market share has doubled in just a few years and still nothing, zero, zip.”
    As Wil Shipley put it when he offered a bounty for an OS X virus, “Let me be clear: not having had a virus is NOT the same as being immune to viruses.”

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    James – hi, glad you’re still around!
    “I believe that last time you were predicting that something would hit “soon” because of–if I remember correctly–OS X being downloadable over sharing networks for stock PCs.”
    Don’t think that was me, as I don’t remember the stuff about OS X being downloadable. My memory’s not what it was though, so you may be right! I think it was longer ago than that, too.
    “How’s that working out?”
    Well, I wasn’t too far off. There was, after all, OSX.Leap.A, which Jason O’Grady – not a man to spread FUD – described as “a near miss for Mac users”.
    “I don’t know if you’ve ever tried to help an average XP user maintain their PC but I have. What I find is appalling. Anti-virus software that is years out of date or disabled by lack of payment.”
    Oh god yes. In fact I’m about to have that very experience this weekend, with my elderly in-laws. One of whom thinks that installing *two* anti-virus programmes is somehow “safer”.
    Actually, you’ve made me realise that I need to clarify my post: when I talk about “obscurity”, I’m referring strictly to the fact that the Mac’s lower market share makes it less economically viable to create malware for it, in exactly the scenarios you describe. I’m not referring to malware writers not knowing the Mac – although, as I mention above, that helps cut out the amateurs and script kiddies.
    I’ll make an amendment, so it’s clearer.

  • STL

    Ian
    Do a favor for your elderly-in-laws like I did mine several years ago. Help them pick out and buy a Mac in place of their PC. They will be free from the $tranglehold of the security community, have a much friendlier OS and when you visit you can enjoy them rather than having to spend so much time updating their security barrier.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Oh, we’ve already decided that the next machine they get will be a Mac – we just haven’t told them yet! :)

  • http://veggiedude.com Tony Martin

    Four years ago, I had my trip to China cancelled because my wife and several of her relatives got scared of SARS. I was not scared, and I thought they were totally knee jerk and stupid. Kinda like the author of this article.
    You see, I knew the risks were so small to get SARS. So far, only a few dozen in China had died of SARS, and yet, 36,000 Americans had died of the flu that same year. PERSPECTIVE does wonders. Also, my family members all eat meat, and meat kills over 5000 Americans each year (because of E. coli, we are not talking the other risks such as cancer, heart disease, etc which adds up to a higher figure), yet they were afraid of SARS that only killed one American so far.
    So I would like to know if this author is vegetarian. And if not, why?
    I suspect, like so many who do eat meat, he is willing to gamble the risk of death.
    Kinda like how Mac users know the risk of a virus attack is minuscule, and when it did happen, the odds of being affected are so small, they know they can be prepared for it when it does happen to someone else.

  • Jonathan

    One of the reasons why security researchers will get grief over articles and comments like this is that you are tarring too many Mac users with a very broad brush+. Yes, there are plenty of Mac users who are complacent or ignorant of security issues or, much worse, downright blinkered* (far too many of that last category it has to be said and, christ, they need a smack about the head to make them wake up). However, you ignore the fact that there is a very significant proportion of Mac users that are fully aware of the security issues, either because they have been watching the blood bath that has gone on in the Windows world for long enough for it all to have seeped in or because they were formerly Windows users but got sick to death of being a part of it and switched to escape. However, they just don’t feel the need to go around shouting about it.
    I also fail to see how Mac users can’t be aware that there are at least some security issues with their platform… it isn’t as though the majority don’t see every Security Update, of which there have been a lot over the OS X years, when they appear in Software Update (given that it is on by default and shows you that you are needing to install or have installed one). Some of them might even click the link to the website that describes exactly what has been patched and why (I know I do).
    I also have doubts that any successfully written malware that could propagate – either through outstanding delivery to lots of people at once or by jumping from Mac to Mac – would spread like wildfire in the Mac community unless it came from Apple themselves (*cough* the first standalone OS X iTunes installer that wiped hard drives with a space in their name *cough*) because, unlike Windows users, the “obscurity” of the platform means we actually communicate with each other a heck of a lot more and in a far more cohesive fashion. If there were a successful exploit, news of it would be out within moments of its discovery, thus limiting the damage it could do because that news WOULD spread like wildfire. E.g. oompah loompah.
    I’ll finish off by paraphrasing Wil Shipley, “Not worrying about security issues is NOT the same as not knowing about them… or not being careful about what you do”.
    + The other is that, sadly, there are a lot of very vocal nut-jobs out there who will lay into people for the merest hint of criticism against Apple. But why pay any attention to them at all? They are NOT the majority, they just shout the loudest. Ignore the idiots.
    * Though how this differs to Windows users, I fail to see… I don’t see that much of a drop in successful exploits of Windows over the past few years, even with all the security improvements that have been made. If all or the vast majority of Windows users were as conscious of malware as you imply (and lord knows why the hell they are not!!), then surely there would be very, very few problems anymore, especially if it is because social engineering is the main vector of attack. On a side note, frankly, it still shocks me how many Windows users I read in forums stating that they don’t bother with anti-malware apps because they “run a tight ship and know what they are doing” or that they are OK because they use Firefox and not IE, etc.

  • jbelkin

    I’m presuming you’re either a) a PC user b) a worrywart or c) work for a company that a majority of their earnings comes from selling security and “security apps.”
    Because on the Mac side, you are the guy who is claiming that fluoride is pointing our internal fluids – we ignore you because we don’t believe you. It’s THAT SIMPLE.
    Why.
    Zero evidence.
    And by zero evidence, I mean, after 7 years and 35 MILLION users of OSX.
    Zero malware.
    Zero spyware.
    Zero virus.
    Zero trojans.
    Zero worms.
    If I left off anything, it’s because, the thing is ZERO and we have no idea what it is.
    Yes, you might find it hard to believe but it’s like running a hysteric campaign against hypothermia in … RIO.
    We can’t hear you because the warm surf is so loud.
    The obscurity thing is 100% false that you so proudly triumph because you have nothing left to try and use. Are there versions of Windows servers that get infected with less than 30 million users? Of course. So, where’s your obscurity there? And that obscurity benchmark has been moved from 2 million users in 2000 to now 35 million users – still obscure?
    To be polite, you are barking up the wrong tree because we have ZERO rabid dogs on this island. We have no hypothermia because we are on the Mac equator. You choose to live in the Andes, that’s fine but you have things to worry about that we don’t.
    If you’re the panicky type, that’s fine – a PC system is perfect because with infections everyday, you can keep up your worrying.
    For those who don’t want to be on a first name basis with Symantec or McAfee, it’s just different here in Mac world. You can do all your worrying for us because we don’t. I know you don’t believe us but that’s the difference in living in the tropics and living on a desolate icy mountain.

  • Joe S.

    The vast majority of Windows users do not have a clue. Spare me the overblown generalities. The vast majority of Windows users are not “Techies”. They barely know how to make a new folder. I work in a large corporation & see evidence of this everyday. If Windows users are so savvy about security…why is security a major issue on Windows as opposed to other OS’s? It’s either the OS itself or its users. Nothing’s perfect, but the Windows user myth is just pure BS.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Jonathan:
    “One of the reasons why security researchers will get grief over articles and comments like this is that you are tarring too many Mac users with a very broad brush+.”
    Well, I think if you look at the comments here you’ll see why the broad brush appears. Yes, there are plenty of Mac users who take security seriously. Unfortunately, I don’t see them posting comments saying “yes, you need to be careful.” All I see is commenters like the ones here, saying “it’s no problem, the Mac is immune”.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Jbelkin:
    “I’m presuming you’re either a) a PC user b) a worrywart or c) work for a company that a majority of their earnings comes from selling security and “security apps.””
    I’ll stop you right there, because unfortunately for your thesis I’m none of the above. I’m typing this on the MacBook Pro that I own personally, and am lucky enough to work on a Mac too. I’m the least worry-prone person in the world. And I’ve never worked for a security company in my life.
    So I’m afraid you might just have to rethink your presumptions and prejudices. But you won’t, of course, because that would require thinking instead of just reacting in a knee-jerk way to anything that doesn’t fit your world-view.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Joe S:
    “The vast majority of Windows users do not have a clue.”
    Evidence? You know that you’ll get a PhD if you can actually prove that Mac users are smarter than Windows ones.

  • http://www.technovia.co.uk Ian Betteridge

    Oh, and incidentally, for those like Jbelkin who think I’m some kind of Thurrott: I’ve been a Mac user and owner pretty much constantly since 1986.

  • RM

    I may just prove Ian’s point with this comment, but the fact is that I don’t quite get his point. About 30% of my acquaintances have Macs and the rest PCs, and whereas not a single solitary one of my Mac toting friends has described a bad security experience, most, if not all, of my PC-toting friends have. So it is far more difficult to get Mac folks worked up about security than it is PC folks. It is a discussion that just doesn’t fit in our universe. I don’t pretend to know why there is this difference, but anecdotally most of my Mac friends are more computer savvy, and certainly more aware of the dangers, of all sorts, of the Internet. Maybe this is because the Mac community was disproportionately early embracers of the internet, maybe it is because they are smarter, don’t really know. A theory that occurs to me is that people choose Macs because they know what they want a computer to do for them (i.e., are more savvy about the range of uses of computers), whereas people choose PCs because a techie friend (probably someone working in a tech support department of a corporation) recommended it to them. This makes the Mac community disproportionately aware about the risks to their computer. Just speculation on my part.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    RM:
    “About 30% of my acquaintances have Macs and the rest PCs, and whereas not a single solitary one of my Mac toting friends has described a bad security experience, most, if not all, of my PC-toting friends have. So it is far more difficult to get Mac folks worked up about security than it is PC folks.”
    And that’s entirely understandable, and just human nature – and it’s as true in the Windows world, too.
    But of course, what it doesn’t mean is that the Mac has some kind of perfect security (which I know you’re not arguing, but many people do).
    I think the reasons that people choose a Mac or PC are many and various. In the old days, people bought PCs because that was what they used at work, they were familiar with it, and they could take work home. People bought Macs because they were designers or worked in other aspects of publishing.
    I used my first Mac in 1986 and realised that it was the future, and even ended up working at Apple for a bit (something which cured me forever of the idea that Apple is some kind of corporate Utopia – they’re the same collection of good, bad and ugly as everyone else). And the vision of a computer which is astoundingly easy to use, and that just makes you smile when you use it is still what keeps me on the Mac.

  • Rob

    Mac users are justified in believing that simply owning a Mac is all the security they need.
    I have used Macs as far back as the Classic and have yet to encounter anything that requires Antivirus software. To me, that equals security built in.
    I’m not saying Macs are perfectly secure, but they are safe enough, safer even than any version of windows with antivirus software.
    When the need arises only then will I consider fixing what I expect my computer to do on its own.
    PS. If market share has anything to do with security, explain why there were dozens of viruses for Vista even BEFORE it was released? Before it had any marketshare? I believe the installed share of OSX is very comparable to the installed base of Vista.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Hi Rob.
    “I’m not saying Macs are perfectly secure, but they are safe enough, safer even than any version of windows with antivirus software.”
    Stats on vulnerabilities suggest otherwise.
    “If market share has anything to do with security, explain why there were dozens of viruses for Vista even BEFORE it was released? Before it had any marketshare?”
    Actually, there weren’t. The reports at the time were about a piece of malware called Danom, which in fact targeted Monad, not Vista itself. Of course, there would be very good reasons to work on a Vista virus even with a low market share, as it’s fairly certain that within a few years it will be the dominant PC operating system (it’s already ahead of Mac OS X).
    It’s worth noting that according to Panda Software’s list of the 10 most widely-spread malware, not a single one can infect a Windows Vista machine, even without anti-virus software. McAfee currently lists two known examples of malware for Windows Vista, versus seven for Mac OS X. It’s fairly safe to say that, in terms of security, on that basis Vista matches OS X.

  • http://www.technovia.co.uk Ian Betteridge

    Incidentally, don’t take the above as any kind of endorsement for Vista. While its security has improved dramatically, it’s still not got the “wow” factor that you get with a Mac – and it’s sluggish as hell.

  • Martin Kelly

    In reference to a few of the above comments.
    MACs have been described as the FisherPrice version of PCs, and my experience of MAC users is that the general understanding of the computer (the OS level etc and not applications) is almost non-existent which is no less than the average PC user.
    As malware and viruses etc do not advertise themselves to the user, I bet my bottom dollar that there is a high percentage of people with trojans, malware etc on their MAC but because of the lack of AV they will never know and continue in the belief that MAC is safer.
    Even though MAC OS is very stable and does “the job” well the existence of loopholes in the OS can not be ignored and once a MAC virus hits the headlines, then and only then will the dream that MAC is safer be burst.

  • Rob

    “Vulnerabilities” are not the same as security breaches in the real world.
    What is the current number of actual viruses in the wild for Vista? THERE ARE ZERO VIRUSES FOR MAC. Mac OSX is about 7 years old, Vista is less than one. I’d say the stats are in Mac’s favour.
    Security software companies like to point out vulnerabilities but proof of concepts and tests cannot spread. AV companies are the only ones that benefit from spreading FUD. In any other industry this is called a conflict of interest.
    Mac users continue to be happy with the FACT that there are ZERO VIRUSES for Mac OSX. If there are none then nobody can be “walking around infected and not know it”.
    At this point the Mac’s security track record does not warrant the use of AV software.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Rob -
    “‘Vulnerabilities’ are not the same as security breaches in the real world.”
    Indeed. But I wasn’t talking about vulnerabilities. I was talking about actual, proper malware. According to McAfee – which, it should be noted, sells AV software for both platforms, so really doesn’t have an axe to grind in one direction or another – there are two pieces of malware in existence which affect Windows Vista, and seven for Mac OS X.
    But, as you rightly say, Mac OS X malware is rarely if ever encountered in the wild – and the same is true for the existing Windows Vista malware.
    The reason is simple: neither OS has enough machines in the field to make transmission the easy process it is when targeting previous versions of Windows. Send out OS X malware via email (the most effective method) to 1000 people, and you’re only likely to hit fifty or sixty Mac users, of whom perhaps five would take the bait and get infected. Probably less. If you try other transmission methods, such as a dupe file on a file sharing service, it will be even less effective.
    That makes the Mac very inefficient as a transmission target for malware – and the same is true of Vista.
    This is why what malware for both platforms that gets created is rarely if ever seen in the wild. The low market share ensures that 95% of the machines which ever encounter a Mac virus can’t be infected by it – because they’re running Windows or Linux.
    Now, if you were writing a piece of malware for money, which would you choose? Writing something where 95% of the machines it encounters could be infected – or one where only 5% could be infected? I think the answer is obvious – and explains, in part, why malware writers remain relatively uninterested in the Mac.
    “At this point the Mac’s security track record does not warrant the use of AV software.”
    The same is true of Windows Vista. Now, would you run Vista without AV software? I know I wouldn’t.

  • Rob

    First, AV companies are not taking sides, they win as long as everybody lives in constant fear. My argument is that this kind of software is not necessary on Macs. I have helped many a friend uninstall buggy AV software, it is much more trouble than it’s worth.
    If you send a trojan to a Mac user by e-mail or otherwise, if the recipient falls for the trick they still cannot infect anyone else. On Windows the act of opening that mail guarantees that everyone in your contact list will get infected. This is why no viruses are written for the Mac.
    Also for such a new OS, Vista has a disproportionate share of malware. You are comparing a 7 year old OSX to the latest Windows OS. The proper comparison is between ALL Windows OS’ since 2000 and Mac OSX.
    No matter how you look at it, the Mac record speaks for itself.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    So Rob… you’re saying that a company which has no Mac product has an interest in what Mac users think about security? I’m sorry, but that makes no sense. F-Secure has no potential financial gain by reporting on anything that happens on the Mac.
    “If you send a trojan to a Mac user by e-mail or otherwise, if the recipient falls for the trick they still cannot infect anyone else.”
    I’m sorry, but you’re wrong. It’s trivial, if I get you to run a file, for me to then email that file to everyone in your address book. Address Book even includes a handy API which allows me to pull that data out of it. This is exactly the mechanism which Microsoft found caused massive amounts of malware to be spread when the same was true of Outlook – and they finally closed that particular hole a couple of iterations ago.
    “Also for such a new OS, Vista has a disproportionate share of malware. You are comparing a 7 year old OSX to the latest Windows OS.”
    Two per year of its existence versus one per year of Mac OS X’s. Hardly “disproportionate”.
    “The proper comparison is between ALL Windows OS’ since 2000 and Mac OSX.”
    So you want to include malware which cannot run on Vista and that cannot infect anyone running it in your comparison between the security of Mac OS X and Vista? Again, that simply makes no sense. I know that you want to defend your position to the death, but retreating into absurdity isn’t a good idea.

  • Rob

    I suppose it is premature to say that Vista has a disproportionate share of viruses but if the Microsoft track record holds true, Windows-2014 will be no better than Windows XP.
    As for comparing security track records, you have to compare the same time bracket for the OS. Either you compare the Vista to Leopard or you compare the record for Windows since 2000 to Mac OSX since 2000.
    You have to compare apples to apples. End users see this and that is why the argument for AV doesn’t hold true for the Mac world.

  • LdeB

    I’d be interested to see what would happen if all of the people who have commented saying ‘Macs are immune’ were to install anti virus software…

  • Stu

    “But of course, what it doesn’t mean is that the Mac has some kind of perfect security (which I know you’re not arguing, but many people do).”
    Do you have any links to some of the “many” people who argue the Mac has perfect security? Personally I’ve yet to see or meet anyone who claims perfect security – yet I’ve seen stacks of posts like this that claim “many” mac users believe this.

  • revscat

    “So Rich, my advice is simple: just don’t bother. You’re only going to get 1500 flaming comments whenever you dare to utter the ‘heresy’ that the Mac might not be perfect.”
    Who claims this? The infamous Fanboy, which I have heard endless complaints about but have never actually encountered?

  • Ken

    I guess it may be that talking to me about Mac security is a hopeless task.
    What do you want us to say??????????????? Mac user since 1988, Windows since Windows 95.
    I got a Mac virus in 1991, I think. Clicked on a graphics attachment from a hospital that I was doing an ad for, and it opened a jpg that was obscene as I remember. Restarted the computer and it was gone, that was that.
    With 35 million of us out there, it is just too simple (and logically inaccurate) to say that we are just too dumb to know that we must have spyware, malware, viruses, trojans.
    If they were there, there would have to be some harm, some sign of it. I understand that there are some things that will harm individual Excel files, etc, but I have never seen one of them, and have seen nothing that would affect the system itself. That was a Microsoft application issue. I have had literally nothing in the 5 years I have used OSX. The system does not slow over time.
    What do you want us to say???????????
    My XP computer at work, part of a 6,000 machine network in a school system is being maintained for security every night and weekend. They don’t give us details, we only find out about “issues” when they happen about once a week, during which the “system is down” for 20 minutes to half a day. I can’t give details because we are not told about those.
    Obviously, no system is perfect, but……………..I have been working on computers from mainframes on down since 1980. If there is a problem, there will be evidence and harm.
    I work anywhere from 6-10 hours a day on a computer of one kind or another.
    What more can I say?? What more would convince you?

  • Ian Betteridge

    Hi Revscat,
    This will be a short response, as I’m typing this on my iPhone, but please look in the comments above for some claims about there being zero malware for the Mac, and how it’s impossible for malware to spread. Sounds pretty much a claim of perfection to me.

  • Jonathan

    Posted by: Ian Betteridge
    “Well, I think if you look at the comments here you’ll see why the broad brush appears. Yes, there are plenty of Mac users who take security seriously. Unfortunately, I don’t see them posting comments saying “yes, you need to be careful.” All I see is commenters like the ones here, saying “it’s no problem, the Mac is immune”.”
    Which is precisely why I put in a footnote saying you should ignore them. They might be blinkered idiots and you might hear a lot from them, but it is merely because they shout, scream and wail very loudly whenever their world view is threatened. The majority of people who will nod sagely at the thrust of what you have written – those that already know that the Mac is far from immune to malware – just don’t go around shouting, screaming and wailing in vast numbers in threads like this in the same way that the other blinkered, idiotic lot do (for starters, we’re as sick to death of reading their drivel as anyone else is and try to avoid participating in anything where it happens). What it doesn’t mean though, is that the security conscious Mac user doesn’t exist and are not a significant proportion of the Mac using populace.
    Posted by: LdeB
    “I’d be interested to see what would happen if all of the people who have commented saying ‘Macs are immune’ were to install anti virus software…”
    Probably “oh fuck” but not for the reason you are thinking, but rather because most Mac anti-virus software has caused many, many more problems with OS X for its users than any of the known malware that exists for the platform and that is a tragic truth. People who might consider using anti-virus software are put off by the abysmal track record on the Mac platform of the people producing it. Fortunately, there is one exception which is ClamXav, largely because of its simplicity and the fact it performs only a few tasks (file scanning, folder watching, quarantining) and does it reasonably well. This is also the reason why I recommend any Mac user to install it and set it to watch your downloads and Mail attachments folders at the very least… fwiw, no viruses detected so far – not even an MS Office one.

  • Brichpmr

    Some of us who run XP SP2 for 8-10 hours a day and also run Leopard understand that no system is immune to malware. I run Intego’s VirusBarrier X5 on my Macs because I received a Word macro virus back in the Mac OS7 days (brought it home on a floppy from the Win 95 PC). That experience taught me that I don’t want to spread any malware to Windows colleagues even if it won’t harm a Mac…better to be armed and educated than to be unprepared when/if the malware landscape goes bad on the Mac.

  • James Bailey

    Ian, you wrote:
    “Well, I wasn’t too far off. There was, after all, OSX.Leap.A, which Jason O’Grady – not a man to spread FUD – described as ‘a near miss for Mac users’.”
    OSX.Leap.A a near miss? It didn’t even work in the majority of cases. It was trivial to remove without even running software other than the Finder. It was script kiddie stuff, not the dangerous malware that criminals are apt to use. OSX.Leap.A (oompa-loompa) was never a real threat–no software like it would be.
    But let’s take it at face value and assume that a more clever variant could have been produced–a variant that criminals would find useful. Would they have made money using it? It doesn’t seem likely to me.
    It was trivial to remove even by a novice. Just use the Finder to delete some files. Could it have been hidden better? Maybe, but so far I haven’t seen how something on OS X can really hide outside of a rootkit. Installing a rootkit takes admin privileges. Some poor users might give those privileges but after a very short time, word would go out and admin installation would be much less likely.
    The vulnerability was patched by Apple in short order and the actual mechanism used is now deprecated in Leopard and only available to admin users. How long would Leap.A have been a threat? Less than a month if I remember correctly for the patch. Of course the threat would have been much shorter as word went out to the Mac community about what was happening and users stopped installing it. It had no mechanism for automatic installation–the most dangerous kind of worm.
    Now contrast this with a Windows XP worm. Once installed, it is complicated to remove because Windows has many places for malware to hide that aren’t user accessible. Many Windows users generally don’t trust Microsoft and don’t install patches in a timely fashion. The latest malware that uses Quicktime to spread also uses a MDAC vulnerability that was patched by Microsoft years ago. http://blogs.zdnet.com/security/?p=704
    There are concrete examples of why OS X security is better. A locked down Windows XP PC can be very secure but that is irrelevant since most Windows PCs are not locked down. By contrast most OS X PCs are–by default. Is OS X perfect in this regard, not a chance but it is probably good enough.
    You wrote:
    “Oh god yes. In fact I’m about to have that every experience this week end, with my elderly in-laws. One of whom thinks that installing *two* anti-virus programmes is somehow ‘safer’.”
    Again, this makes the point. OS X isn’t secure because of market share but because the malware can’t be installed as easily nor hide as well as in Windows XP. If (when) Windows XP market share hits 25% or so, there will still be many virus attacks on it despite the low market share because it is easy and because the malware already exists. Windows is a victim of its own past problems.
    Which leads to the next point. Even though Vista is far more secure than XP it is still going to be a huge target. That is because of the past problems with Windows security and the fact that the infrastructure is already there. It takes more than a vulnerability to make a successful outbreak, it takes the infrastructure to deploy and subsequently exploit the target. The payloads of Windows already exist but they are largely missing on OS X outside of the simple script kiddie shellcode. Even if Vista is more secure, it will take many failures before the current crop of criminals gives up and decide to attack another platform. I doubt Vista can take the level of scrutiny it is going to get in the coming months as it replaces XP on most PCs.

  • CW

    Isn’t the underlying point of this article that a monoculture is as bad in computing as it is in nature? With Windows having some 90% of the desktop market it makes creating a botnet ridiculously easy.
    Any organisation that was really wired up to security would deploy a variety of platforms – Solaris on Sparc, Windows/Linux/Mac Desktops, Linux servers where appropriate etc.
    I’ve seen a whole University get taken down because *everything* ran on Windows. One student with an infected laptop in one of the halls was all it took….

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    James wrote:
    “There are concrete examples of why OS X security is better. ”
    Of course, I agree with you completely. But this post isn’t about whether Mac or Windows security is better: it’s about why Rich Mogul was wasting his time in trying to talk seriously about Mac security.
    I’m glad to see, though, that some commenters have come along to point out that there *are* Mac users who take security seriously. It’s heartening to hear.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    CW: “Isn’t the underlying point of this article that a monoculture is as bad in computing as it is in nature? With Windows having some 90% of the desktop market it makes creating a botnet ridiculously easy.”
    This is a very good point (although it’s not really the one I was making). The more people that use a platform, the greater the likelihood that a piece of malware could spread effectively, thanks to the numbers of similar machines it could encounter.

  • Daniel P

    Wonderful. Anyone who disagrees with the author is simply proving him right. That makes for such a well balanced, informed debate.
    The biggest reason why Windows has such problems with malware is Microsoft itself, who left wide open doors all the way around VBA (used by Outlook and Office) and ActiveX (Internet Explorer) in a rushed, panicky display of programming designed to destroy their competition and is roughly akin, on the security front, to putting the contents of Fort Knox in a field.
    Admittedly, it’s much much better now, but it took them ten years to patch it this far and the malware authors have walked all over them in the meantime. The miserable security in VBA is the reason that – What? About 90% of all viruses now? – are email viruses. And also why I spent five years with no virus scanner at all on my PC since I was secure in the knowledge they would simply bounce off Thunderbird. Which they did.
    Vista appears to be much better. I’ve yet to hear of a big virus outbreak on Vista.

  • http://unlogica.com Blain

    Good old Artie. Sadly, we saw quite a few real examples of him here. The problem is that we’ve had a few blowhards on both sides. I suppose if we ignore those who never remembered Sevendust (I’ve actually seen a mac infected with that), let alone those that Disinfectant listed, and we ignore those who can’t tell an abbreviation from an acronym, and thus shorten Macintosh to MAC, some real dialogue can be done.
    I think that the market share issue should be considered a red herring. While I don’t debate that market share has a partial influence, it’s not the only factor, and it’s arguable that it’s not even a primary factor. If nothing else, it distracts from other factors, even factors that were caused by the market share but remain even as numbers change.
    For example: Version Tracker, MacUpdate, and Apple’s own software listing have become very reputable sources for knowing the reliability and origin of mac software. Contrast this with the sea of PC software sites, and the ease at which any program can gain a false credibility.
    ( See: http://successfulsoftware.net/2007/08/16/the-software-awards-scam/ )
    While small market share led to only a handful of mac software sites, growing market share will not dilute these sites’ effectiveness, as they have, as a side effect, become and will continue to be vital lookouts for advance warnings of malware and trojans. This is something that is lacking on the Windows side. (Yes, I know of C|Net’s download.com, but even they get lost in Google)
    On the other side of the coin, there have been some unintentional advantages that MacOS X enjoys that Windows cannot take part in simply because of legacy and backwards compatibility. There was a fad for trojan executables in emails to be a command file type. So the user would see “Yahoo.com” and think it was a link to the domain, not a program named “Yahoo”.
    The mac will not have this issue simply due to happenstance; Attached files can not be standard executables. A classic or cfm carbon app needs finder flags and a resource fork to run, a unix program would need the chmod x bit set, and a cocoa app is a bundle, which is a folder not a file. None of these transmit through as a simple attachment; they need to be zipped or otherwise archived, adding a step beyond clicking ‘OK.’*
    *The exception would be .zip files that allow for code execution when decompressing or .dmg files which can be crafted to crash the machine and possibly worse. However, these can be mitigated and read as nonexecuting data, unlike a .com or .exe file.
    The point is, simply pointing to market share numbers or security techniques do everyone a disservice because it ignores less tangible aspects that should be considered, and steals attention away from dangers that still remain. Regardless of operating system, users should be aware of the dangers of social engineering. And while mac users (myself included) tend to try various mac apps with reckless abandon, doomsday predictions of “The big malware” will be nowhere near as productive as simply referring users to trustworthy authorities.
    When a security researcher sees the mac community as something to ‘engage’ and views security simply by looking at what comes from 1 infinite loop, they will be viewed and treated as an ignorant outsider, perhaps rightfully so. What needs to happen is to approach the security as part of the health of the entire ecosystem. They need to view the situation from within, and understand the causes, past, present, and future, before accurate predictions and planning can be done.
    Then, maybe then, there can be hope.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Daniel P: “Wonderful. Anyone who disagrees with the author is simply proving him right. That makes for such a well balanced, informed debate.”
    Not at all. The only people who are demonstrating my point for me are those who come along and say “You’re wrong, I don’t need to think about security because there is no malware for the Mac, and even if there was, it could never spread.” People who come along and demonstrate they’re actually thinking about security and taking it seriously are the ones who are really posing a challenge to my post.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Blain: “While I don’t debate that market share has a partial influence, it’s not the only factor, and it’s arguable that it’s not even a primary factor.”
    I don’t think I’ve ever argued that it’s the only factor, and if I did I was probably feverish that day. Mac OS X is, and will likely always remain a more difficult platform for malware to target than Windows XP and prior. Arguably, Windows Vista is more secure generally – and some people whose opinion I respect think that the development methodologies that Microsoft has introduced with Vista mean it will continue to be so. I’ll carry on using OS X, though, because it’s (a) good enough and (b) designed by people with some user interface sense, rather than a boatload of monkeys with spray guns.
    “While small market share led to only a handful of mac software sites, growing market share will not dilute these sites’ effectiveness, as they have, as a side effect, become and will continue to be vital lookouts for advance warnings of malware and trojans.”
    This is a very interesting point, and one where I hope you’re right – but suspect you may be wrong. As a counter example, I’d point to the explosion of Mac “news” sites over the past year. At least one I can think of specialises in “fighting the Mac’s corner” using what often amounts to misinformation or just downright lies.
    (I’m not even going to give them the extra Google juice of naming it – long time Daring Fireball readers may remember John Gruber taking it to task for a bullshit claim that all iPods had used OS X – a post which got him flamed in response.)
    This particular site gets lots of relatively high Google rankings, because of an effective campaign of garnering links – not because of the accuracy or quality of its content. In effect, it uses “The Dvorak Method” – say controversial things, stir up a lot of arguments, and you’ll get lots of links and traffic. This will push you up Google’s rankings.
    If the Mac community grows, it won’t remain as coherent as it is now. And that implies that sites which game Google will start to be the ones who get the most traffic – even if they’re not the best quality. Will the same be true of download sites, as it is in the Windows world? Quite possibly. I hope you’re right, and it won’t, but I suspect you might be wrong.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Blain: “The point is, simply pointing to market share numbers or security techniques do everyone a disservice because it ignores less tangible aspects that should be considered, and steals attention away from dangers that still remain.”
    And that, I think, is the same straw man that John Gruber laid down in his “So Witty” post. I don’t know of a single security researcher or serious commentator who would claim that market share is the *only* reason that the Mac has remained relatively malware-free. Compared to Windows XP and prior, as I’ve said here many times, it’s much more secure.
    But that doesn’t mean that buying a Mac is the only security prevention method you should take, just as “upgrade to Windows Vista” isn’t the complete solution to security for Windows users.
    And the issue that I’ve tried to highlight here is a substantial part of the Mac community, including many of its most vocal elements, refuse to engage with security as an issue beyond simply buying a Mac. They want to believe that simply owning a Mac means that malware is not and will never be a problem. They will say that there is no malware for Mac, and that even if there was there is no method by which it could spread. That amounts to saying “I never need to worry” – and as you undoubtedly know yourself, that’s simply wrong.

  • Jonathan

    Btw, one thing that I would encourage you and other writers on Mac security to do would be to include (either as a linked article or as a footnote in every article) a few of the basics for your readers, so that anyone who is unaware of potential holes in their day-to-day routines at least can learn something new. It gets tiresome reading these articles then seeing that the writers assume that all their readers already know how to be more secure. Educate as well as pontificate.
    E.g.:
    1. Always create a new Admin account for your Mac for the sole purpose of obtaining an admin username and password that is different to your current one, then make your own day-to-day user account a Standard, non-admin account, so that you are always prompted for an admin username and password whenever anything tries to alter your system or the /Applications directory.
    2. Download and use ClamXav to monitor your downloads and mail attachments folders
    3. Don’t install newly downloaded apps directly into /Applications (as this will lead you to inputting an admin un and pw – see 1. above) and instead use ~/Applications as the install destination. It doesn’t protect your user account, but it does reduce the risk to other accounts and will also cause any apps to request a un and pw if they attempt to do something to the system (therefore flagging a potential threat).
    4. Switch off the “Open in Safe applications” option in Safari or its equivalent in other browsers. There is no such thing.
    5. Use strong passwords for everything (a mix of alphanumerics and non-alphanumerics when possible – some websites won’t allow non-alphanumerics, alas).
    6. Make sure Keychain Access asks for your keychain password for disclosure of all passwords it is storing.
    7. Turn on your firewall.
    8. Use common sense – don’t blindly install everything and anything. If something asks you to input a password or to provide access outside your firewall, think about why it is doing that before providing it.
    9. If a password entry dialogue pops up and you don’t know what it is for, don’t put your password in (e.g. if that .dmg or JPEG or quicktime codec you just downloaded and opened had a payload).
    10. Read the additional information on Apple’s websites when downloading Security Updates (that is, click the link in Software Update that tells you more) – you might not understand it all, but it is better to be aware of the thrust of each flaw than not to be.
    Etc.

  • http://profile.typekey.com/ianbetteridge/ Ian Betteridge

    Jonathan, I think that’s a superb idea – thank you.

  • James Bailey

    “I don’t know of a single security researcher or serious commentator who would claim that market share is the *only* reason that the Mac has remained relatively malware-free.”
    While various blogs and technical news sites may be taking the researchers’ words out of context, I’ve read that view many, many times. If you insist, I’ll go find some examples. A quick search of CNET and ZiffDavis will suffice.
    Like the ignorant Mac users who believe that OS X has been sprinkled with some magic pixie dust that makes it immune to malware, there are many more (market share makes this true) Windows advocates who believe that the sole reason that OS X has had zero outbreaks is because of market share. Again, a quick perusal of various comment threads on the above mentioned sites will bear this out.
    I would have to say the prevalence of security commenters saying that market share is the only reason for the lack of OS X malware is much higher than the number of OS X users who post the opinion that they are magically immune.

  • Ian Betteridge

    James: “While various blogs and technical news sites may be taking the researchers’ words out of context…”
    Bingo.
    “A quick search of CNET and ZiffDavis will suffice.”
    I did say “serious” :)
    But seriously, there’s a difference between security researchers and security commentators, and another difference between both those groups and Windows advocates. As I’m sure you know.
    And now it’s time for dinner, so I’m posting this and running!

  • http://www.rosscarter.com Ross Carter

    I agree there’s no evidence that Mac users are smarter than PC users. This Mac user confesses to not being terribly bright. After all, I’m posting a comment on a blog article.
    Ian, your article makes two points, which I shall quote verbatim:
    “The problem with talking to the Apple community at large is that there’s far too many people – usually, ironically, people who haven’t used the Mac for more than a handful of years – who believe that the fact that ‘there is no malware for the Mac’ means it must be perfectly secure.”
    “You’re only going to get 1500 flaming comments whenever you dare to utter the ‘heresy’ that the Mac might not be perfect.”
    Both of these sweeping generalizations are easily dismissed. You don’t state what you consider “far too many people.” One? 1500? Ten percent? Correct me if I’ve overlooked something, but none of the commenters so far has claimed that the Mac is “perfectly secure.” I’ve seen “secure enough” and “more secure [than Windows]” but not “perfectly secure.” In fact, as an Apple user since 1985 I have never heard anyone claim that the Mac is _perfectly_ secure. So how about it–can you identify these claims that the Mac is _perfectly_ secure? You’ll need a lot of examples, because you’ve claimed that “there’s far too many.” It’s hardly sufficient to reply, “Look in the comments above . . . . Sounds pretty much a claim of perfection to me.” I looked in the comments and I read statements like “Nothings perfect,” “it doesn’t mean . . . that the Mac has some kind of perfect security,” “I’m not saying Macs are perfectly secure,” “Obviously, no system is perfect,” and “Is OS X perfect in this regard, not a chance.” In contradistinction we have one uncited comment that “sounds pretty much” like someone claiming perfection “to me.” If that is sufficient to comprise “far too many people” then you are far too sensitive.
    Your second claim is that one is _only_ going to get flaming comments after claiming that the Mac is not perfect. Again, your own commenters have proved you wrong. You got some flames, and you got some respectful comments pointing out that reasonable minds may differ. And the flames should not come as a surprise considering your use of inflammatory expressions like “they simply refuse to believe,” “the Mac is a small target,” “they have an outdated view,” “they simply don’t understand,” “blank, uncomprehending stares,” and “heresy.” Do you expect Mac users not to take that personally–especially when you generalize about “the Apple community at large?”
    This discussion apparently is grounded in different conclusions regarding the reason for the small amount of Mac malware. You tout the old canard about a direct correlation between market share and malware share. Opponents cite structural differences such as OS X’s protected kernel. Oddly, no one has yet pointed out that both positions are theoretical explanations for an observed phenomenon. Correlations do not prove causation. You don’t _know_ why Mac malware is so rare. Nor do I. The only people who know why malware gets written are the people who write the malware. If all the malware writers swore an awesome oath that they avoid OS X because of market share, you could make your claim. And if those writers swore that they avoid OS X because it is inherently more secure, you would presumably relinquish your claim. That would be evidence–not dispositive evidence, but at least some evidence.
    But we don’t have any such evidence, dispositive or not. At least I’ve never seen any cited in the long history of this debate. The closest thing to objective fact I’ve seen is the observation that even in areas where Microsoft does not hold the majority of market share (such as web servers and database servers), it still has the most malware.
    I object to anyone’s purporting to read the collective minds of malware authors, just as I object to anyone’s purporting to say what Mac users think, or Linux users think, or Chevy owners think, or teenagers think. If you want to argue citing evidence, by all means do so. But if you propose to argue citing mere opinion about what motivates people whom you do not know, you must expect that people are going to call your bluff.
    One commenter–the one you identified as “EXACTLY the type of user I’m talking about”–said that “Mac users tend to ignore most security people.” I wish he had said “ignore most Windows security people,” because that statement, if true, is quite understandable. I appreciate your concern, Ian, and I understand that you only have Mac users’ best interests at heart when you helpfully urge that we “should worry about security.” But, thank you very much, I prefer to listen to advice from real Mac experts rather than PC apologists. When they say I need to install protective software, I’ll install it. As for your advice, thanks but no thanks.

  • Ian Betteridge

    Ross: “Correct me if I’ve overlooked something, but none of the commenters so far has claimed that the Mac is ‘perfectly secure.’”
    We’ve seen people argue that there is no malware for the Mac. We’ve seen people argue that there are no transmission vectors which work for the Mac. And we’ve seen people argue that, even if one machine got infected, there would be no way malware could spread.
    That certainly sounds like a perfectly secure system to me, or at least as perfect as it’s possible to imagine.

  • Histrionic

    “I’m sorry, but you’re wrong. It’s trivial, if I get you to run a file, for me to then email that file to everyone in your address book. Address Book even includes a handy API which allows me to pull that data out of it. This is exactly the mechanism which Microsoft found caused massive amounts of malware to be spread when the same was true of Outlook – and they finally closed that particular hole a couple of iterations ago.”
    The difference, of course, is that no Mac e-mail application (current, or past that I’m aware of) actually executes anything attached to mail messages. This was not true for Outlook versions on Windows until Microsoft did learn a lesson and turned off the automatic execution of attachments.
    This is different than having the user run something; of course, the user should be able to run programs or scripts, unless a system administrator or system policy prevents that. (Note that Leopard has improved parental controls / application launch restrictions that are now kernel-deep. And they are tied to Open Directory for network-wide management.)
    So, to have something e-mailed out from a Mac, the user would have to manually run or be otherwise tricked into running code. That’s not impossible, of course, but automation by itself is not a vulnerability. At least, not more than letting me run `rm` or Safari is.
    Mixing data and executable code is always a potentially dangerous proposition, though. That’s what happened between e-mail and address books on Windows, and it’s bad. It’s why I was really annoyed when Omni Group made it easy to attach and automatically run AppleScripts in OmniGraffle documents. I’m sure there are other examples of such a thing, on various platforms and software.