Comments on: Why engaging with the Mac community over security is a hopeless task

By: Histrionic

Histrionic — Sun, 20 Jan 2008 17:57:38 +0000

“I’m sorry, but you’re wrong. It’s trivial, if I get you to run a file, for me to then email that file to everyone in your address book. Address Book even includes a handy API which allows me to pull that data out of it. This is exactly the mechanism which Microsoft found caused massive amounts of malware to be spread when the same was true of Outlook – and they finally closed that particular hole a couple of iterations ago.” The difference, of course, is that no Mac e-mail application (current, or past that I’m aware of) actually executes anything attached to mail messages. This was not true for Outlook versions on Windows until Microsoft did learn a lesson and turned off the automatic execution of attachments. This is different than having the user run something; of course, user should be able to run programs or scripts, unless a system administrator or system policy prevents that. (Note that Leopard has improved parental controls / application launch restrictions, that are now kernel-deep. And they are tied to Open Directory for network-wide management.) So, to have something e-mailed out from a Mac, the user would have to manually run or be otherwise tricked into running code. That’s not impossible, of course, but automation by itself is not a vulnerability. At least, not more than letting me run rm or Safari is. Mixing data and executable code is always a potentially dangerous proposition, though. That’s what happened between e-mail and address books on Windows, and it’s bad. It’s why I was really annoyed when Omni Group made it easy to attach and automatically run AppleScripts in OmniGraffle documents. I’m sure there are other examples of such a thing, on various platforms and software.

By: Ian Betteridge

Ian Betteridge — Sat, 19 Jan 2008 20:34:33 +0000

Ross: “Correct me if I’ve overlooked something, but none of the commenters so far has claimed that the Mac is “perfectly secure.” ” We’ve seen people argue that there are no malware for the Mac. We’ve seen people argue that there are no transmission vectors which work for the Mac. And we’ve seen people argue that, even if one machine got infected, there would be no way malware could spread. That certainly sounds like a perfectly secure system to me, or at least as perfect as it’s possible to imagine.

By: Ross Carter

Ross Carter — Sat, 19 Jan 2008 20:04:31 +0000

I agree there’s no evidence that Mac users are smarter than PC users. This Mac user confesses to not being terribly bright. After all, I’m posting a comment on a blog article. Ian, your article makes two points, which I shall quote verbatim: “The problem with talking to the Apple community at large is that there’s far too many people – usually, ironically, people who haven’t used the Mac for more than a handful of years – who believe that the fact that ‘there is no malware for the Mac’ means it must be perfectly secure.” “You’re only going to get 1500 flaming comments whenever you dare to utter the ‘heresy’ that the Mac might not be perfect.” Both of these sweeping generalizations are easily dismissed. You don’t state what you consider “far too many people.” One? 1500? Ten percent? Correct me if I’ve overlooked something, but none of the commenters so far has claimed that the Mac is “perfectly secure.” I’ve seen “secure enough” and “more secure [than Windows]” but not “perfectly secure.” In fact, as an Apple user since 1985 I have never heard anyone claim that the Mac is perfectly secure. So how about it–can you identify these claims that the Mac is perfectly secure? You’ll need a lot of examples, because you’ve claimed that “there’s far too many.” It’s hardly sufficient to reply, “Look in the comments above . . . . Sounds pretty much a claim of perfection to me.” I looked in the comments and I read statements like “Nothings perfect,” “it doesn’t mean . . . that the Mac has some kind of perfect security,” “I’m not saying Macs are perfectly secure,” “Obviously, no system is perfect,” and “Is OS X perfect in this regard, not a chance.” In contradistinction we have one uncited comment that “sounds pretty much” like someone claiming perfection “to me.” If that is sufficient to comprise “far too many people” then you are far too sensitive. Your second claim is that one is only going to get flaming comments after claiming that the Mac is not perfect. Again, your own commenters have proved you wrong. You got some flames, and you got some respectful comments pointing out that reasonable minds may differ. And the flames should not come as a surprise considering your use of inflammatory expressions like “they simply refuse to believe,” “the Mac is a small target,” “they have an outdated view,” “they simply don’t understand,” “blank, uncomprehending stares,” and “heresy.” Do you expect Mac users not to take that personally–especially when you generalize about “the Apple community at large?” This discussion apparently is grounded in different conclusions regarding the reason for the small amount of Mac malware. You tout the old canard about a direct correlation between market share and malware share. Opponents cite structural differences such as OS X’s protected kernel. Oddly, no one has yet pointed out that both positions are theoretical explanations for an observed phenomenon. Correlations do not prove causation. You don’t know why Mac malware is so rare. Nor do I. The only people who know why malware gets written are the people who write the malware. If all the malware writers swore an awesome oath that they avoid OS X because of market share, you could make your claim. And if those writers swore that they avoid OS X because it is inherently more secure, you would presumably relinquish your claim. That would be evidence–not dispositive evidence, but at least some evidence. But we don’t have any such evidence, dispositive or not. At least I’ve never seen any cited in the long history of this debate. The closest thing to objective fact I’ve seen is the observation that even in areas where Microsoft does not hold the majority of market share (such as web servers and database servers), it still has the most malware. I object to anyone’s purporting to read the collective minds of malware authors, just as I object to anyone’s purporting to say what Mac users think, or Linux users think, or Chevy owners think, or teenagers think. If you want to argue citing evidence, by all means do so. But if you propose to argue citing mere opinion about what motivates people whom you do not know, you must expect that people are going to call your bluff. One commenter–the one you identified as “EXACTLY the type of user I’m talking about”–said that “Mac users tend to ignore most security people.” I wish he had said “ignore most Windows security people,” because that statement, if true, is quite understandable. I appreciate your concern, Ian, and I understand that you only have Mac users’ best interests at heart when you helpfully urge that we “should worry about security.” But, thank you very much, I prefer to listen to advice from real Mac experts rather than PC apologists. When they say I need to install protective software, I’ll install it. As for your advice, thanks but no thanks.

By: Ian Betteridge

Ian Betteridge — Sat, 19 Jan 2008 18:17:40 +0000

James: “While various blogs and technical news sites may be taking the researchers words out of context…” Bingo. “A quick search of CNET and ZiffDavis will suffice.” I did say “serious” But seriously, there’s a difference between security researchers and security commentators, and another difference between both those groups and Windows advocates. As I’m sure you know. And now it’s time for dinner, so I’m posting this and running!

By: James Bailey

James Bailey — Sat, 19 Jan 2008 17:02:37 +0000

"I don't know of a single security researcher or serious commentator who would claim that market share is the only reason that the Mac has remained relatively malware-free." While various blogs and technical news sites may be taking the researchers words out of context, I've read that view many, many times. If you insist, I'll go find some examples. A quick search of CNET and ZiffDavis will suffice. Like the ignorant Mac users who believe that OS X has been sprinkled with some magic pixie dust that makes it immune to malware, there are many more (market share makes this true) Windows advocates who believe that the sole reason that OS X has had zero outbreaks is because of market share. Again, a quick perusal of various comment threads on the above mentioned sites will bear this out. I would have to say the prevalence of security commenters saying that market share is the only reason for the lack of OS X malware is much higher than the number of OS X users who post the opinion that they are magically immune.

By: Ian Betteridge

Ian Betteridge — Sat, 19 Jan 2008 16:12:58 +0000

Jonathan, I think that’s a superb idea – thank you.

By: Jonathan

Jonathan — Sat, 19 Jan 2008 15:00:05 +0000

Btw, one thing that I would encourage you and other writers on Mac security to do would be to include (either as a linked article or as a footnote in every article) a few of the basics for your readers, so that anyone who is unaware of potential holes in their day-to-day routines at least can learn something new. It gets tiresome reading these articles then seeing that the writers assume that all their readers already know how to be more secure. Educate as well as pontificate. E.g.: 1. Always create a new Admin account for your Mac for the sole purpose of obtaining an admin username and password that is different to your current one, then make your own day-to-day user account a Standard, non-admin account, so that you are always prompted for an admin username and password whenever anything tries to alter your system or the /Applications directory. 2. Download and use ClamXav to monitor your downloads and mail attachments folders 3. Don’t install newly downloaded apps directly into /Applications (as this will lead you to inputting an admin un and pw – see 1. above) and instead use ~/Applications as the install destination. It doesn’t protect your user account, but it does reduce the risk to other accounts and will also cause any apps to request a un and pw if they attempt to do something to the system (therefore flagging a potential threat). 4. Switch off the “Open in Safe applications” option in Safari or its equivalent in other browsers. There is no such thing. 5. Use strong passwords for everything (a mix of alphanumerics and non-alphanumerics when possible – some websites won’t allow non-alphanumerics, alas). 6. Make sure Keychain Access asks for your keychain password for disclosure of all passwords it is storing. 7. Turn on your firewall. 8. Use common sense – don’t blindly install everything and anything. If something asks you to input a password or to provide access outside your firewall, think about why it is doing that before providing it. 9. If a password entry dialogue pops up and you don’t know what it is for, don’t put your password in (e.g. if that .dmg or JPEG or quicktime codec you just downloaded and opened had a payload). 10. Read the additional information on Apple’s websites when downloading Security Updates (that is, click the link in Software Update that tells you more) – you might not understand it all, but it is better to be aware of the thrust of each flaw than not to be. Etc.

By: Ian Betteridge

Ian Betteridge — Sat, 19 Jan 2008 09:57:04 +0000

Blain: “The point is, simply pointing to market share numbers or security techniques do everyone a disservice because it ignores less tangible aspects that should be considered, and steals attention away from dangers that still remain.” And that, I think, is the same straw man that John Gruber laid down in his “So Witty” post. I don’t know of a single security researcher or serious commentator who would claim that market share is the only reason that the Mac has remained relatively malware-free. Compared to Windows XP and prior, as I’ve said here many times, it’s much more secure. But that doesn’t mean that buying a Mac is the only security prevention method you should take, just as “upgrade to Windows Vista” isn’t the complete solution to security for Windows users. And the issue that I’ve tried to highlight here is a substantial part of the Mac community, including many of its most vocal elements, refuse to engage with security as an issue beyond simply buying a Mac. They want to believe that simply owning a Mac means that malware is not and will never be a problem. They will say that there is no malware for Mac, and that even if there was there is no method by which it could spread. That amounts to saying “I never need to worry” – and as you undoubtedly know yourself, that’s simply wrong.

By: Ian Betteridge

Ian Betteridge — Sat, 19 Jan 2008 09:46:23 +0000

Blain: “While I don’t debate that market share has a partial influence, it’s not the only factor, and it’s arguable that it’s not even a primary factor.” I don’t think I’ve ever argued that it’s the only factor, and if I did I was probably feverish that day. Mac OS X is, and will likely always remain a more difficult platform for malware to target than Windows XP and prior. Arguably, Windows Vista is more secure generally – and some people who’s opinion I respect think that the development methodologies that Microsoft has introduced with Vista mean it will continue to be so. I’ll carry on using OS X, though, because it’s (a) good enough and (b) designed by people with some user interface sense, rather than a boatload of monkeys with spray guns. “While small market share led to only a handful of mac software sites, growing market share will not dilute these sites’ effectiveness, as they have, as a side effect, become and will continue to be vital lookouts for advance warnings of malware and trojans.” This is a very interesting point, and one where I hope you’re right – but suspect you may be wrong. As a counter example, I’d point to the explosion of Mac “news” sites over the past year. At least one I can think of specialises in “fighting the Mac’s corner” using what often amounts to misinformation or just downright lies. (I’m not even going to give the the extra Google juice of naming it – long time Daring Fireball readers may remember John Gruber taking it to task for a bullshit claim that all iPods had used OS X – a post which got him flamed in response.) This particular site gets lots of relativel high Google rankings, because of an effective campaign of garnering links – not because of the accuracy or quality of its content. In effect, it uses “The Dvorak Method” – say controversial things, stir up a lot of arguments, and you’ll get lots of links and traffic. This will push you up Google’s rankings. If the Mac community grows, it won’t remain as coherent as it is now. And that implies that sites which game Google will start to be the ones who get the most traffic – even if they’re not the best quality. Will the same be true of download sites, as it is in the Windows world? Quite possibly. I hope you’re right, and it won’t, but I suspect you might be wrong.

By: Ian Betteridge

Ian Betteridge — Sat, 19 Jan 2008 09:22:33 +0000

Daniel P: “Wonderful. Anyone who disagrees with the author is simply proving him right. That makes for such a well balanced, informed debate.” Not at all. The only people who are demonstrating my point for me are those who come along and say “You’re wrong, I don’t need to think about security because there is no malware for the Mac, and even if there was, it could never spread.” People who come along and demonstrate they’re actually thinking about security and taking it seriously are the ones who are really posing a challenge to my post.