The bit that John Gruber didn’t quote from Rich Mogull

The bit that John Gruber left out of [his post][daringfireball] quoting [Rich Mogull on the Mac Defender malware][macworld]:

> Windows 7 is actually more secure than OS X

I wonder how many of John’s readers will pick up on that.

[daringfireball]: http://daringfireball.net/linked/2011/05/25/mogull
[macworld]: http://www.macworld.com/article/160098/2011/05/macdefender.html#lsrc=twt_macworld

  • http://andybold.me.uk Andy Bold

    Immediately followed by:

    “but the gap narrows every year. And there simply isn’t the same attack ecosystem for Macs, nor are we likely to see one develop”

    So I guess it all depends which piece of a quote makes the best soundbite…

  • http://www.technovia.co.uk Ian Betteridge

    The idea that OS X is on the wrong side of that gap, though, would be a surprise to a big section of the Mac community. Rich, like me, knows that as the size of the Mac target increases, so will the number of threats. From a post he did a couple of years ago:

    “There just aren’t as many exploits out there in the wild. Vista is more secure, but I find it unusable. This can, and will, change over time as Macs continue to rise in popularity and become a bigger target.”

    (http://securosis.com/blog/on-my-curious-relationship-with-apple-and-security)

  • Anonymous

    “The idea that OS X is on the wrong side of that gap, though, would be a surprise to a big section of the Mac community.”

    This has been a Microsoft meme from day one of Windows 7. A definite talking point from Microsoft.

    I am still not convinced that Apple achieved security through obscurity…

  • http://twitter.com/edbott Ed Bott

    “I am still not convinced that Apple achieved security through obscurity…”

    You might not be convinced of that. But Mogull, who is a security expert and knows the Mac platform intimately, is convinced that currently, Windows is more secure than OS X. The unspoken statement there is that both modern operating systems do a very good job with security. Most Mac owners have a distorted picture of the state of Windows security and thus skew the comparison.

  • http://www.technovia.co.uk Ian Betteridge

    Objectively, looking at the OS, it’s just true. Snow Leopard lacks stuff like address space layout randomisation, which makes it harder to exploit even if you can find a security hole. Snow Leopard introduced data execution prevention, thankfully, but that was late compared to MS. In terms of how the companies develop their OSes, MS is also head and shoulders above Apple, through initiatives like Secure Development Life Cycle. This is one of the reasons why more security vulnerabilities per year are found on OS X than Windows now.

    No serious, credible security specialist that I’ve read believes that the main cause of the Mac having less malware isn’t simply that there are fewer Macs around. It’s not about “obscurity” in the sense of malware developers not knowing or understanding the Mac – it’s simply that the network effect doesn’t favour spreading malware on Mac. If you develop a piece of malware for Mac, 95% of the people who see that file are immune to it. Why would you bother?

  • Anonymous

    Keep pumping the fear, uncertainty and doubt Ed…

  • http://www.technovia.co.uk Ian Betteridge

    Everything Ed says here is true, John.

  • http://twitter.com/piotwit Piotrowski

    “If you develop a piece of malware for Mac, 95% of the people who see that file are immune to it. Why would you bother?”

    So what difference is it going to make when “93% of the people who see that file are immune to it”?

  • http://www.technovia.co.uk Ian Betteridge

    It’s an interesting underlying question – what’s the tipping point at which it’s actually profitable to write malware for a small platform? I suspect there are lots of variables – for example, do you have an efficient method of distribution, such that “enough” susceptible people will see it? Can you hook into a particularly efficient meme, such that a majority of those susceptible will click?

    It’s about like direct marketing emails – you need a big enough data group to send to, but even with a small group you can increase your open rates and click through rates by making “the right” kind of email. 

  • http://twitter.com/edbott Ed Bott

    I believe the Adam O’Donnell article posited that the tipping point would be when Macs achieved 5-10% usage share on the Internet. I mentioned it here (direct link to page 4):

    http://www.zdnet.com/blog/bott/why-malware-for-macs-is-on-its-way/3243?pg=4 .

  • http://twitter.com/dngnmstr dngnmstr

    Absolutely.  And I think the point that a lot of the writers (Gruber, Mogull) are trying to make is that the tech press (and particularly the anti-Apple/pro-MS press) are blowing the current state of the situation COMPLETELY out of proportion.

    Again, if pressed, Gruber, Mogull, Laporte, (and I) would all agree that users need to be vigilant.  They would agree that user education is something that is needed and that it should happen.  The problem that I, and Gruber, and Mogull, and others have is the FUD.

    The fact is, that as of May 2011, you are FAR MORE LIKELY to get a virus/trojan/malware/spyware/keylogger/bot on a Windows machine than you are on a Mac.  You cannot debate that at all.  Is that because there are more dumb/uneducated/careless users on Windows?  Partially.  Is that because for many, many, many years MS didn’t exactly make great strides in improving security?  Partially.  Is that because there are many, many machines running old-ass versions of Windows (XP/98/2000/etc)?  Partially.  Is that because the likelihood of a Mac user to update their OS to the latest version (Snow Leopard) is far greater (and far cheaper generally) than it is for a Windows user?  Partially.  Is it because the PC market is so much larger than the OSX market that if you had 100 programmer hours, and 10,000USD to spend trying to “steal” some money or identities, you would be far more successful on an x86 platform than you would in the Mac ecosystem?  Partially.

    But the thing that Ed, and Ian, and others are getting banged on is NOT the fact that MacOS X is “immune to each and every virus/trojan/malware writer ever” or the argument for that statement’s truth or falsity.  It’s the fact that THAT’S not the argument anyone is making.  The argument is the one I made above.  As of 2011, with the current state of affairs, the MacOS is safer, and for the foreseeable future will continue to be so.

    As for the tipping point?  That was the whole reason for the “trip back in time” postings that we saw.  Ed/Ian and many others have been saying the tipping point has arrived…  FOR YEARS.  Every time one of these malware/trojan things comes around, the same batch of folks come out and scream “OH MY GOD WE WERE RIGHT…  IT’S TIME FOR MAC USERS TO ADMIT THEY HAVE IT JUST AS BAD AS US WINDOWS PEOPLE HAVE HAD IT (for 25 years)!”  And every time, the sane folks come around and say, “no, we’re not impervious, but the risk is STILL almost negligible” so “Pay Attention But Don’t Panic”.

  • http://www.technovia.co.uk Ian Betteridge

    “The fact is, that as of May 2011, you are FAR MORE LIKELY to get a virus/trojan/malware/spyware/keylogger/bot on a Windows machine than you are on a Mac.  You cannot debate that at all.”

    Depends what you mean by “get”. Are you more likely to encounter a trojan for Windows? Yes. Is it any more likely to be able to get installed on your Windows 7 machine than on a Mac? No – both rely entirely on you actively installing it.

    Are there more “dumb” users on Windows? No, not in my experience – because I’ve yet to meet a single Windows user who wasn’t aware that malware is an issue, and that doesn’t take appropriate precautions (ie. installing anti-virus software). I’m meeting a lot of Mac users, on the other hand, who are in complete denial over the idea that any precautions other than “common sense” are required.