Daniel Eran Dilger in San Francisco
Random header image... Refresh for more!

Are Macs more Safe than Secure? No

GetaMac

Daniel Eran Dilger

Everyone seems to get lost in their own words when talking about security and Apple. The Daring Fireball recently cited security blogger Dennis Fisher, who insisted it was “demonstrably false” to say there were not “any virus attacks on Macs.” However, rather than pointing out what a horrible pile of trash Fisher’s article was, John Gruber praised it (apparently to be nice) and then got lost in his own semantics on the subject. Sometimes you need to say “he’s wrong, here’s why.”

Instead, Gruber wrote, “That [blogger's article] probably sounds like clueless trolling to many of you reading this but it’s not, and it highlights an important distinction. Security is about technical measures, like the strength of the locks on your doors and windows. Safety is about the likelihood that you’ll actually suffer from some sort of attack.”
.
Safety or Security?

Let’s first briefly wade through the semantics. In the dictionary that ships with Mac OS X, security is defined as “the state of being free from danger or threat” and safety is similarly defined as “the condition of being protected from or unlikely to cause danger, risk, or injury.” Security comes from the Latin securitas or securus “free from care” while safety comes from salvitas or salvus meaning “safe.”

So if there were any real nuance of difference between being safe and being secure, then security would have the edge in meaning “feeling safe”, while safety could be said to imply actually “being safe.” You can have an impressive but flawed security system making you feel safe when you’re really at serious risk, and you can terrorize yourself about hypothetical security vulnerabilities when in reality there may be few actual dangers. Typically however, safety and security are interchangeable.

Given all that, it’s too bad Gruber didn’t instead describe how completely bat-nuts Fisher’s predictably ignorant screed was, and why stereotyping 25 million Mac users as being a lockstep group of same-thinking automatons who comprise a giant strawman dubious of his own mortality is a tired way to begin one’s attempt to say something interesting about security in relation to Apple. Fischer presents himself as a security expert, so this isn’t some run of the mill CNET blogger giving the predictably sensationalized, anti-Apple click bait rant.

The Difference Between Security and Safety

Real World Security on Macs and Windows

The real discrepancy that needs to be pointed out between security on the Mac and Windows is that while Microsoft has recently invested more into building a fancy security infrastructure in the Vista version of Windows that most Windows users don’t actually use, Mac users continue to both feel safer and to actually be safer in the sense of being “free from danger or threat,” whether that threat might relate to:

  • malicious data loss
  • machine downtime
  • ID theft and related fraud
  • the stealing of sensitive data
  • the nuisance of adware
  • lost PC resources used to serve a spambot network
  • lost PC resources used to run protection software.

There is clearly no immediate or impending threat to Macs, and there is little in the way of market forces or that wishful thinking pundit invention of “hacker pride” that will result in something to turn Macs into the disaster that has dogged Windows since the late 90s. Fischer’s capacity for speculating a scenario where Macs fall prey to virus attacks is not the same as Macs actually being at any risk of being attacked by viruses.

No amount of highly publicized security contests (where one of the half dozen men on earth who track Mac security vulnerabilities arrives and shuts down the contest with a prepared exploit that has no value outside of such a contest) changes that fact.

There are currently no viral threats on the Mac to worry about; the only malware anyone has yet reported for the Mac are ham-fisted efforts to trick users into manually authorizing software installations that do bad things. This short list of “malware” is simply not a real world risk to users, and certainly is not even close to being anything like the problems that plague Windows, no matter how much sensationalistic emphasis the tech press attempts to frost over reality with.

Trying to equate things on the Mac and Windows behind words that lack much meaning is like trying to equate a hangnail with an ebola virus infection by calling both “health issues.”

InfoWorld Publishes False Report on Mac Security

Inventing a Problem for your Solution

Will the risks facing Mac users gradually change as the Mac installed base grows? Apparently that can’t happen fast enough for the anti-virus companies who want to sell Mac users unnecessary software. Their pundits love to equate low risk, self-injury actions that are unlikely but possible on a Mac (and impossible to stop with security software) with high risk, difficult to escape from events that are routine on Windows and can be addressed by their lucrative security software subscriptions. This is straight up misinformation mixed with fear, uncertainty and doubt to defraud the public.

For example, nearly everyone is claiming that:

  • Downloading iLife warez that pretend to be stolen software
  • from a non-trusted source
  • assigning it privileges to install on your system
  • and then finding that you have installed a background process that does something ugly, which that you can trivially remove

is the same as:

  • Trying to use Windows to browse the web and use email
  • finding that you’ve been automatically infected with adware and viral malware without knowing it
  • then finding that your PC is also self replicating attacks or sending spam on to other systems
  • then realizing that Microsoft’s design of the Windows Registry makes it difficult to clean malware out
  • then noticing how much of your CPU capacity is being used to protect you from all of these threats via malware and virus scanners
  • then finding out how expensive it is to spend hours cleaning up the mess yourself, or alternatively paying some Nerd Patrol $300 to “diagnose” that your PC is hosed.

They are not the same, and only a liar would keep suggesting that Mac and Windows users face the same dangers and threats. If you’re paying attention, you’ll notice that those who keep suggesting this almost always work for an anti-virus company working to make money off of Mac users. This shouldn’t require any help in dot connection.

Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller

Fischer Price

How exactly Fischer benefits from regurgitating a bunch of tired misinformation about Mac security I don’t know, so I’ll assume there was more incompetence than malice involved. From his first paragraph, he insists that the idea of there not being virus attacks on the Mac is “demonstrably false” by linking to his site’s own paraphrasing of a ZDNet report, which left out the original article’s statement that the discovery in question “is not currently spreading in the wild.” Fischer also saw no reason to cite the article’s hype deflating paragraph, which stated:

Excluding such notable OS X pieces of malware such as last year’s ARDAgent-based trojan exploiting a local root escalation vulnerability in Mac OS X 10.4 and 10.5, the rest of the newly discovered OS X malware continues relying on social engineering tactics (fake codecs such as CodecUpdate.v1.18.dmg; License.v.3.411.dmg etc.) in order to spread.

Fischer’s conclusion that Macs are somehow now under virus attacks (just not in the wild, and only if they install prototype trojans and activate Apple Remote Desktop first) is just plan irresponsible.

Fischer then suggests that the plague of Windows Powered spambot networks was some ancient problem related to Outlook, which he only seems to concede may have inconvenienced someone in a former life in another universe. “But the game now is about owning the machine itself,” Fischer claims, entirely without bothering to explain why, or without recognizing the difference between different types of attack and different targets.

One might as well say that car break-ins used to be a problem, but now everyone steals money by setting up a Ponzi Scheme, because that’s what you hear around in the newspapers lately. In other words, don’t worry about your car being stolen, but be terrified about investing money, because that’s far more dangerous apparently, at least when pundits are making up harebrained logical fallacies.

Ask Enderle!

Oh but it gets worse. “This has led to the inevitable debate over which new OS will be more secure, Snow Leopard or Windows 7,” Fischer insists. He then hauls out “analyst Rob Enderle” who according to Fischer, unsurprisingly, “puts his money on Windows 7.”

I wonder if that’s because Enderle a paid shill who will put his money anywhere you pay him to put it? Enderle is the same guy who read my article explaining why Windows 7 was headed toward the same fate as the Zune for similarly copying Apple’s strategy despite lacking Apple’s circumstances and position, and cited it to mean that Apple was helping to make Windows 7 better.

Enderle has been triumphantly discovering and lauding golden kernels of corn in Microsoft’s poop for years. And while he can spin anything in Microsoft’s favor in his frequent blog postings, he can’t actually manage to do anything to affect reality. His incessant demonizing of the iPhone ended up flaccid and impotent, and his efforts to advise Dell on how to deliver a killer new Windows Mobile smartphone in reaction were so ineffectual that the carriers ultimately told Dell to come back when they had a product that wasn’t boring.

For Windows Enthusiasts who can’t fathom Apple being successful and Microsoft failing, the only way to interpret the last decade is to insist that up is the new down and that success isn’t owning the future, but having monopolized the past. Let it go, folks.

Why Windows 7 is Microsoft’s next Zune

The Big Lie

Fischer then claimed that the reason why the dramatic expansion of Mac adoption over the last few years hasn’t had any impact on new Mac malware was only because “Windows dominates in the enterprise, which is where the most valuable data is. Ergo, that’s where the attackers go.” Oh really? Then why are “attackers” causing such a mess for home Windows users?

I’ve done a lot of antivirus and malware cleanup for a lot of computer users, and I’ve never encountered a PC that wasn’t chuck full of adware junk, but have never seen a Mac that had any significant infection from malware. It’s a pretty big lie to suggest that the plague of consumer malware which caused Microsoft to spend the first half of the decade working on patches to XP and spending much of its resources to develop a security infrastructure in Vista… simply didn’t happen.

The other reality is that, of the billion people who currently use Windows, only a minority actually use the patched and fixed editions Microsoft has recently released (which themselves are still not immune to viruses in the way these pundits like to suggest). The next article will look at what Microsoft is doing about that in its attempts to get people to adopt Vista under its new name: Windows 7.

Security is a complex topic

There are few useful generalizations to be made on the topic of security. Pundits, please stop saying that Mac users are all self-assured that their platform is “invulnerable” to viruses. Everyone I’ve talked to is aware that the Mac is a safer platform because there’s simply fewer existing problems and fewer reasons for anyone to want to introduce them.

There’s also far fewer old Macs sitting around which are connected to the network but without Software Update turned on, while the Windows platform is full of such dead wood fueling the viral forrest fires: all the old legacy Windows PC systems sitting around running cash registers or browsing the web in a cafe where nobody knows how to properly secure it.

I’ve earlier pointed out how Microsoft has itself participated and encouraged the adware/spyware business because it thought it could make money at it. The company also willingly attracts the kind of cheapskate consumers who are most likely to respond to the sorts of pandering adware offers that fuel viral malware. None of these problems are shared by Apple, meaning it’s not a safe assumption that the Mac’s success is fated to inherit Windows’ security crisis.

The Unavoidable Malware Myth: Why Apple Won’t Inherit Microsoft’s Malware Crown

News media, please do your jobs.

In view of all of this, the most shocking and disappointing thing that can be observed about this mess is how the media is lapping up the near denial that Microsoft bears any guilt in regard to today’s multi billion dollar PC security crisis, that it should only be commended for taking some recent stabs at polishing up its tarnished security record, and yet how much attention goes into covering the wagging finger of “security experts” who chastise Apple for not doing enough to keep the Mac free from imagined threats that could theoretically exploit known vulnerabilities.

This seems creepily too much like the media’s approach to torture, where Dick Cheney is given a free pass for approving it, and yet somehow Nancy Pelosi as a legislator is vilified for not doing more than the executive branch to stop it, after being informed via classified reports she could not legally have taken public.

62 comments

1 Are Macs more Safe than Secure? No — RoughlyDrafted Magazine { 05.16.09 at 2:50 am }

[...] See the rest here:  Are Macs more Safe than Secure? No — RoughlyDrafted Magazine [...]

2 addicted44 { 05.16.09 at 3:09 am }

Great article…

I too was surprised by Gruber’s characterization, however, I figured that the security “expert” knew what he was talking about, since Gruber tends to be pretty sensible about things (I don’t like following and reading such obvious click-thru-bait and letting them make AdSense money off me).

I will admit, however, that Vista has more technical security features than Mac OS X. However, most of these are patches, overlying an ugly fundamental system (Registry…ugghhh….Glad I don’t have to deal with that junk anymore).

The problem is that MS tries to find technical solutions, while completely ignoring how users actually use their computers. For example, they use to ship a firewall, but turned off by default… How stupid is that? Vista isn’t immune to this either. UAC is necessary for Vista’s protection (and gives pretty decent security), however, MS made it so annoying to use that no one used it at all.

No matter how many security features an OS has, its worthless if the users are turning them off.

3 Are Macs more Safe than Secure? No » YoGoG.com { 05.16.09 at 3:27 am }

[...] Go to Source [...]

4 enzos { 05.16.09 at 4:29 am }

Great article, Dan! (Roughly drafted it is NOT, though it was Charles Ponzi not Ponzai).

Addicted. I think you miss the point. The networked computers where I work have lots of security and ITS people to run the latest AV. All except a few Macs, which have no AV at all and are only protected by the firewalls. So.. while the PCs get crippled and die (often with catastrophic data loss) on regular basis throughout the university (even in ITS), I feel safe (not smug, nor deluded) because there has *never* been a virus infection in any of the Macs (here, or elsewhere in the 20 years I’ve been using them). And if there were a dangerous Mac virus infection “in the wild” somewhere in the world it is very unlikely to have spread to my machine before I hear about it (prob. from gloating PC users).

Analogies, even if they look spot-on, make poor argument because they usually rely on a common fallacy of logic called “false vividness”. However, there is nothing falsely vivid in the parallel of living unencumbered in a safe environment versus living in a bunker in a war zone.

It’s not just a matter of safety through obscurity since the iPhone is also virus free. And in the days when there were nearly as many Macs as (non-business) PCs (e.g. in the early to mid 1990s) there were thousands of dangerous viruses for the PC but no pernicious ones for the Mac. In those halcyon days, whole universities and other (non-business) institutions in the USA and Oz had Mac-only networks. No obscurity there at all, and yet no damaging infections at all.

5 KA { 05.16.09 at 5:22 am }

@addicted44,

For example, they use to ship a firewall, but turned off by default… How stupid is that?

Ahem.

6 Sixth SenseS » Are Macs more Safe than Secure? No — RoughlyDrafted Magazine { 05.16.09 at 5:43 am }

[...] Original post: Are Macs more Safe than Secure? No — RoughlyDrafted Magazine [...]

7 KathyLee { 05.16.09 at 7:12 am }

“Enderle has been triumphantly discovering and lauding golden kernels of corn in Microsoft’s poop for years.”

Classic! I spit up my tea this morning reading that line! You can’t pull punches with these “experts” haranguing about Mac security/safety!

8 wirespot { 05.16.09 at 7:34 am }

Yet Gruber is essentially right. You have to understand that, for a computer security professional, paranoia is a top priority. For them, if a security breach is possible, that is a very grave issue. Granted, it may not be an issue in the real world for various reasons, but for the professional theoretical but entirely possible scenarios are important regardless of whether they’re actively exploited or not.

At the current date, OS X lacks certain very useful “blanket” security features that other platforms, including Linux and Windows, have. Instead, OS X relies on the excellent quality of its software and internal organization to keep things safe. While this is very nice, that’s not how a security pro thinks, having to be paranoid. In his eyes, no matter how the above OS X organization is, it’s still a single layer, which can be broken (and has) in any place. When that happens (and please, don’t say that it can’t or won’t, nothing is perfect) it pays to have another, and another, and another layer behind that.

Windows, being the Swiss cheese of security for so many years, has implemented these layers out of necessity. The Mac doesn’t, out of a sort of smugness about the quality of its front layer. From a security professional’s point of view, that smugness is the wrong attitude to have.

Because here we are today, when Microsoft has finally got around to polishing their front layer and main entry point, and since it already had all the other layers in place, the net result overall is better than on OS X.

I’m willing to bet that Apple is working as we speak on adding those missing features and layers to the next iteration of OS X, and when that happens OS X will once again be top hat. But today, from a security professional’s paranoid point of view, it’s easier, in theory, to break into OS X than it is to break into Vista or Windows 7.

All you need is one (1) entry point, in the form of one (1) poor-quality application. And there are thousands upon thousands of applications out there. Please don’t tell me you’ll ever be able to bet that all 100% of them are free of flaws. The moment you gain a remote entry point AND you manage to achieve priviledge escalation, you’ve got it made. And when that happens, on OS X there’s nothing else, because it wasn’t deemed necessary, because it happens so very seldom. Instead, on Windows it’s happened so very often that you will be “greeted” by a plethora of more security measures.

And that’s exactly what Gruber said (or tried to, given the whole semantic confusion). I hope I’ve been more clear than he has. :)

Also granted, right now, overall, Mac users enjoy a much nicer life, security-wise, compared to that of a PC+Windows owner. But that depends on many, many factors, one of which is the infamous one of OS X marketshare. But the thing is, the moment you start saying “it’s ok, there’s no immediate danger, no ongoing attack vector”, you’re only deluding yourself. The sensible thing to do is for Apple to add those security features (which they undoubtedly will) and squash the problem in its infancy. You don’t want to let it get to the point that it will become a problem. Because it will, at some point.

9 Per { 05.16.09 at 7:59 am }

@KathyLee

Yeah, it had me laughing out loud in the quiet study room at the university library! What a gem.

10 Per { 05.16.09 at 8:17 am }

I feel that I should point out that going back to Latin to draw conclusions about the current meaning of words is often misleading. I had an A in both Latin and Greek in high school (a little less than a decade ago) but I still manage to make an ass of myself in the game of ethymology. Connotations and denotations change through the centuries.

And while the dictionaries of yesterday prescriptive in the sense that they where a means for academics to teach the broader masses how to use words, today’s dictionaries are descriptive. This means that they are based on statistical analysis on how words are actually used by real people. I’m not trying to bash people who like to use the dictionary to correct others, I’m just saying that it’s becoming increasingly anachronistic.

11 Per { 05.16.09 at 8:18 am }

Sorry about spelling!

12 Rob Scott { 05.16.09 at 8:25 am }

Great article again Dan. I like Gruber but he can be a disappointment. Semantics aside, Macs are safer and (feel) more secure than Windoze because there are fewer to none existent attacks on the Macs.

This HP/ XP PC has gone down five times in four years twice by IE7 despite running Symantec Antivirus and IT patched (company PC) every time Micro$oft releases patches.

I feel safer in my neighborhood because there are fewer break-in, murders, etc. That is how I feel about Macs vs. PCs. I have burglars in my house but do not subscribe to a security company therefore we do not have alarms but I sleep with no worries, I go on holiday for weeks with no one watching my house and it is still to be broken iN. That is security and safety to me. Sure, my house/neighborhood is vulnerable like any other but we have not suffered from constant attacks and we are not a gated neighborhood.

In South Africa; gated and highly secured neighborhoods (e.g. Sandton) suffer more crime than none-gated unwatched townships e.g. Cosmo City. Having more hoops for criminals to just do not equate to a more secure/safer environment.

13 Joel { 05.16.09 at 9:46 am }

The reason Macs are “safer” is because they are based on BSD Unix. This was designed to deal with mutiple users. The numours secerity issues this caused have then been mitigated by design over the years for the secure system we see today.

Windows was originally a single-user system with mutliple-users bolted on as an extra feature back in the Windows 95 days. Security was then bolted on top of that for Windows Xp. Even more security was bolted on the top for Vista and Vista 2 (Windows 7).

The difference is that Macs are designed with security as a foundation. Window has it grafted on the top. Guess which is more secure…?

14 Joel { 05.16.09 at 9:53 am }

“I feel safer in my neighborhood because there are fewer break-in, murders, etc. ”

The analogy is this:

Mac is the apartment complex where all the residents only have keys to their own apartments. These same keys allow them to take junk to the rubbish room and the laundry but thats it. The janitor has keys to the junk room. Even if someone bribes the janitor he can’t access your apartment. Some of the apartment owners can go to the maintence room, but only after they ask the janitor for a key. And then he changes the locks after them.

PCs let the janitors and apartment owners have keys to everything and everyones apartment. He can go to the junk room and he can go to your apartment. And since everyone outside the complex knows him its quite easy to bribe him for his key. On Windows Xp any apartment owner can use the maintenece room when they want to, whenever. With Windows Vista and 7 there’s a big notice in the maintenece room telling them to be careful. And that’s it…

15 John Muir { 05.16.09 at 10:55 am }

I think Gruber just likes to feel that he’s not a “fanboy”. Stupid damn word and a dangerous idea. My bike has brakes and I keep them in order: I must be a brake fanboy! Quick: say something kind about crashes.

Ugh.

16 stefn { 05.16.09 at 11:18 am }

The obscurity argument is far more cogent than many allow. Assume for the moment that Macs are safer solely for reasons of obscurity. Fine. If so, won’t Apple remain at least relatively more secure for the foreseeable future? Windows advocates can’t have it both ways: they can’t trumpet the continuing dominance and success of Windows and then argue that it won’t remain more attack worthy. And doesn’t this mean that home users at least should be buying Macs?

* Now apply this thinking to potatoes as a food crop: Incas grew hundreds of varieties for thousands of years, while the Irish grew very few varieties and disease wiped these out a couple hundred years later. (And because the Irish were not allowed to grow much else, famine ensued.) Monocultural food crops are vulnerable. And so are monocultural OSes.

* Now apply this thinking to the emerging smartphone OS market sector: Viruses do not proliferate in the smartphone sector. Too many OS brands to make it interesting to the hackers. I do not hear anyone arguing that a monopoly in that market sector is a great plan for the future security of phone OSes.

That said, let’s listen to what we read. Why do some journalists speak so protectively about Windows security? “Getting better.” Or in so cautionary a manner about Apple? “Getting worse.” Exactly why are the Windows prospects so bright and the Apple prospects so dim? Will fighting off thousands of viruses become a simple thing for Microsoft? And will Apple keel over at the sign of a single, authenticated virus?

Both statements are delusionary. And worse than that is the fact that self identified tech experts continue to recommend Windows for HOME use. How do they sleep at night?

17 Rob Scott { 05.16.09 at 11:49 am }

OFF TOPIC:

There are readers/commenters like John Muir here Daniel that I feel can add a bit to RDM. Do not get me wrong, you are talented and you need no help, but RDM is bigger than even Daniel Eran Dilger.
You are a busy man and you have to provide for your family (and some of us have not contributed a cent to this site in years, not because we do not appreciate the content but because we feel there are better ways to appreciate Dan’s genius, like in well researched and constructed books (where is your iPhone book App???)! You must write a book Daniel!).
Also you don not post as frequent as some of us would like, that is why I would appreciate it if you were to invite some of your best readers/commetnters like John Muir to post in between your post.
In the Apple community RDM ranks as my number one site.

18 nat { 05.16.09 at 1:00 pm }

@Joel,

Brilliant analogy! I’m keeping that.

Dan,

Thanks for addressing Gruber’s analysis. When I saw what of Fischer’s argument Gruber had quoted, I expected John to give him some truth but to my surprise, he defended him. His comments even seem to lend themselves to security through obscurity when everyone knows is an exception, not a rule.

Gruber:

Microsoft has in fact implemented more advanced security measures in Windows than Apple has in Mac OS X, but that’s not surprising, because Windows is where nearly all the malware is.

And why is that?

19 John E { 05.16.09 at 1:26 pm }

everyone, including this article, keep ignoring perhaps the biggest vulnerability in the Windows world that feeds and maintains its massive malware infestation: pirate Windows in the second/third world. very likely much more than half of the PC’s in China, India, Russia, Brazil, etc. etc. are running on pirate copies of Windows, mostly XP. automatic security patch downloads from MS are not available to these PC’s, and so they are extremely vulnerable to every Windows exploit. MS’ efforts to thwart piracy with high-priced Vista (has it been pirated successfully?) that these user won’t every buy have the reverse effect of perpetuating this reservoir of a few hundred million poorly protected PC’s. add to that their likely use of other pirate software that may also be malware, and you have the security mess we are in today.

how to deal with this? MS has to give Vista/Win 7 Basic away for free. everywhere, worldwide. they do have a program in China to sell it for $25, but even that is too expensive to succeed. they need to flood the world with a much more secure and free OS that will displace the pirate Windows.

the actual cost of this to MS would be relatively small. its big money maker are OEM sales, not individual user PC upgrades. and all enterprise and nearly all consumers want a version of Vista/Win 7 with more features and are willing to pay a fair price for it.

until MS bites the bullet and does this, the global malware plague will never end.

20 deardeveloper { 05.16.09 at 3:19 pm }

Great article. What I think is ridiculous is how Vista was the worst Windows that Microsoft had ever made, and so they change it’s name, and suddenly it the best Windows that Microsoft has ever made. Really?

About your analogy on how the media has handled Dick Chaney and Nancy Pelosi. I think the problem people have is not that she didn’t make the issues public when she knew about it, but rather the hypocrisy of not objecting to it at the time, but when it was politically convenient, she wants everyone else locked up for it.

Obviously, the problem that many people have with Chaney is that they strongly oppose the EITs (an understatement), and they see him as the reason for it.

So what I’m getting at is that it isn’t really “news” that Dick Chaney supports EITs, but it is “news” that someone was possibly for it before they were against it, then wanted others locked up for being for it.

21 rbjnet { 05.16.09 at 3:25 pm }

I’ve been a Mac and Unix user and analyst for 20+ years. You’ve written an excellent article on the misconceptions of the security/saftey issues of Mac’s vs. PC’s. I only take exception to the Cheney/Pelosi comment at the end of the article. Political comment really has no place in this excellent technical piece.

Back to the PC/Mac subject – the company I work for uses lots of PC desktops and servers and is still running vintage 2003 OS’s on all of them. Beside’s requiring lots of tlc to keep them safe and secure there is no viable upgrade path for them.

22 danieleran { 05.16.09 at 6:35 pm }

Coining EIT as a euphemism for torture is nearly as bad as Fox’s “24,” which for years has romanticized the idea of torturing suspects who then reveal information that stops terrorist attacks. This entertainment-as-a-political-retraining-effort is simply disgusting.

Conservative groups are often up in arms about how sexy TV programming or violent video games has an impact on morality, but what about the completely false portrayal of torture on “24″? I think it has helped to significantly shift public opinion among boob-tubers who now have the idea that if the US doesn’t Bind-Torture-Kill brown people, then white people will die.

What’s the next bit of Nazi propaganda that TV dramas will sanitize for Americans to swallow: eugenics, genocide of minorities, blind nationalism, white superiority, political recruitment of religion to serve the state, removal of civil rights for gays and foreigners? Fox already has the jump on most of those things in its political entertainment shows.

23 bartfat { 05.16.09 at 7:25 pm }

i think everyone here is missing the point daniel tried to point out. that Macs are based on a secure foundation (UNIX) and it’s open source as well, which helps with its security. The heavily publicized vulnerabilities with Macs is in Safari and that’s because of CanSecWest and Charlie Miller. I think CanSecWest is a great thing to have, since vulnerabilities do have price tags attached to them, especially if they can remotely execute code, no matter what daniel thinks. So getting those vulnerabilities fixed is a good thing for everyone that uses that platform.

The funny thing that no one points out here, though, is that it’s NOT apple that is doing security through obscurity, but Microsoft. It’s Microsoft that has lots of code that’s probably cobbled together from various hacks and it’s proprietary, which means that no one else (legally anyway) can do a code review to check for vulnerabilities.

Come to think of it, the malware industry is doing Microsoft a favor by doing a code review… and it’s grading Microsoft rather badly.. while apple’s UNIX foundation is advanced by open-source volunteers ;) Although most of these vulnerabilities probably were fixed by Microsoft by various patches that weren’t downloaded by many users, some are simply the result of the proprietary nature of the OS, since no one can develop perfect code in that complicated piece of software. So the solution for Microsoft is to go… open source.. which can’t happen due to ideological reasons and because they might even reveal some treads on certain patents by a certain competitor…

24 Avon B7 { 05.16.09 at 8:37 pm }

I can’t help but feel that the references to security and safety in this article amount to nitpicking. JG does a fair amount of this himself but we have to accept that English is malleable to a certain degree and we are all perfectly capable of knowing how to interpret certain words when used in specific contexts. In an IT context, JG’s wording is perfectly clear as he himself outlined how there were to be taken. I think being pedantic on the issue doesn’t really add much to the article.

25 vg513 { 05.16.09 at 11:35 pm }

If you want to boil down to definitions, there are always discrepancies, but the first I found for “security” on my built-in dictionary is “the state of being free from danger or threat”. In this case, it appears that the use of security vs safety is, indeed, valid. Regardless of use, the intention is clear, and has been used by many.

Charlie Miller, the winner of this year’s Pwn2Own contest made exactly the same point as that attributed to Dennis Fisher according to an interview with Miller here: http://www.tomshardware.com/reviews/pwn2own-mac-hack,2254.html . This guy is NSA and knows what he’s talking about.

Additionally, I have recently taken good security courses. While that doesn’t necessarily amount to anything, I have heard strong praise of M$’s serious tone regarding security and about their proactive nature. I asked Herbert Thompson (RSA 2009 Keynote: http://media.omediaweb.com/rsa2009/webcast.htm?id=4_1) what he thought of the above quote, and he said it seems spot on and went on to relate how much harder it is to exploit buffer overflows in the presence of technologies such as proper NX use and ASLR . . . unless I’m somehow horribly misquoting him, which I doubt.

Another good insight was gained when I talked with Andre Mintz, director of trustworthy computing at Microsoft. He related how when he was CSO at Reuters he was the one screaming at Microsoft for increased assurance of security, but even with that experience he sees the Microsoft position as very good despite his previous gripes.

I definitely feel safer on my mac, but eventually drifted a bit away from RDM as I realized I was a fanboy and started to view this blog as an arena for other fanboys to an extent with which I was not comfortable. I personally think this article is too far down that line, and will only be satisfied if Apple rolls out quality security mechanisms into the next release of OS X.

26 hylas { 05.17.09 at 2:01 am }

Got to agree here:

“… Gruber didn’t instead describe how completely bat-nuts Fisher’s predictably ignorant screed was, and why stereotyping 25 million Mac users as being a lockstep group of same-thinking automatons who comprise a giant strawman dubious of his own mortality is a tired way to begin one’s attempt to say something interesting about security in relation to Apple. Fischer presents himself as a security expert, …”

As well here:

” … There is clearly no immediate or impending threat to Macs, and there is little in the way of market forces or that wishful thinking pundit invention of “hacker pride” that will result in something to turn Macs into the disaster that has dogged Windows since the late 90s. Fischer’s capacity for speculating a scenario where Macs fall prey to virus attacks is not the same as Macs actually being at any risk of being attacked by viruses.”

Equating Mac and Windows on a security footing *is* silly.

The trouble with OS X was in the 10.2.x release. Some spots in latter releases that were fixed quickly enough.
“They” are gunning for us – but, at this point, it’s just sport.

Miller… Charlie Miller:

http://slashdot.org/comments.pl?sid=1233653&cid=27961231

The exploit(s) (subversionhack) is phenomenal and it *is* legacy, but as it is – now, it’s a piggyback install. Very much as you illustrate with the iLife graft, only serious. It has been break-in and plant when exploits exist (X-platform).

“Ask Enderle!”
Thank you so much, I can’t say enough bad things about this shill.

“News media, please do your jobs.”
Bravo! These guys are the new “Gang that couldn’t shoot straight”, the correlation to the corporatization of AM and FM radio of the past is so “in our faces”, like they follow each other around.

27 dalshar { 05.17.09 at 7:19 am }

I have a perfect example to demonstrate the gulf that separates Mac from Windows. I have a MacPro with MacOS 10.5.6 installed and have been messing about with the Windows 7 beta using the Sun VirtualBox to run it. For some unknown reason and at some time I cannot recall during the last fortnight I was on the web using IE and clicked on a site which to me at that time seemed innocuous but was not.
The next time I tried to run Windows 7 it would not even show me the desktop. There was a recursive window telling me that something BAD had been installed and asking me if it was OK to remove it. I clicked on OK and the little blue donut whirled around and then the window reappeared. I kept at this for about ten minutes. Then shut down Windows and then tried again. Same thing. Tried twice more then I gave up and re-installed the Windows beta. I had followed all of the recommended security measures except buying a security program, after all I have been using Macs since 1992 and have never had to buy any, so why should I do it for the new super safe Windows 7. Now I know what Windows users have to watch out for all the time.

28 harrywolf { 05.17.09 at 3:59 pm }

Are there any viruses out there in the wild for OSX?
Answer: NO.

What else needs to be said?

29 Shunnabunich { 05.17.09 at 4:29 pm }

@bartfat

“The funny thing that no one points out here, though, is that it’s NOT apple that is doing security through obscurity, but Microsoft. It’s Microsoft that has lots of code that’s probably cobbled together from various hacks and it’s proprietary, which means that no one else (legally anyway) can do a code review to check for vulnerabilities.”

Dan has pointed that out in a few of his articles, if I recall.

30 Neil Anderson { 05.17.09 at 5:24 pm }

The fake codec malware: in its Get Info window, the version reads “whocares”. :)

31 gus2000 { 05.17.09 at 7:40 pm }

I share many of Daniel’s liberal sensibilities, but I must admit to enjoying “24″ as a guilty pleasure. Jack Bauer does all manner of bad things, usually against his superiors’ wishes, and eventually pays a hefty price. I no more use that show as a social blueprint than I do “Nip/Tuck”, or let my porn convince me that I am entitled to fornicate with the girl that delivers the pizza.

Actually, most of shows I enjoy are on Fox (Simpsons, House, Bones, Fringe, Lie To Me, Terminator, etc.). Of course, Fox News is the funniest!

All that aside, I agree that many weak-minded viewers are influenced by entertainment, and that the Torture Apologists frequently cite the “ticking time bomb” as a justification.

Oh, and I just when I thought we’d get through an article without a political reference…here comes the “just one more thing” paragraph. Boom. lol

32 David Dennis { 05.17.09 at 8:58 pm }

As always, this was a great technical article. However, the political issue mentioned at the end deserves to be addressed.

My understanding is that waterboarding was only used on nice folks like KSM, the 9/11 planner, who has a long record of unbelievable savagery. I am sorry, but if you told me he was tortured I would probably cheer on the guys who did it.

I will not take a position on whether waterboarding is torture; there are reasonable arguments on both sides.

Traditionally, there has been a law of war; both sides have agreed to obey certain rules. For example, Nazis did not kill or mistreat American POWs and Americans didn’t kill or mistreat Nazi POWs.

Bin Laden’s guys have not followed those rules, and as a result I see no moral reason to treat their guys any better than they treat ours.

From all accounts, it appears that waterboarding may have given us intelligence that prevented attacks and in my view that fully justifies the acts. This is almost certainly why Nancy Pelosi acted as she did in 2001/2002, and I think she was right to do so at the time.

Now she is changing her position for the sake of political expediency, and trying to ruin the lives of the people who kept us safe.

You guys won the election. If you think there’s something we did wrong, fix it yourself. Find the policies that work instead of engaging in petty vindictiveness.

I think it’s educational and humorous to note that many Bush policies that were attacked by Candidate Obama are now embraced by President Obama. At this rate, Pelosi and crew are going to prosecute people for taking the same positions and performing the same acts as members of the current Administration.

And that would be truly disgraceful, full stop.

D

33 tzx4 { 05.17.09 at 10:26 pm }

As long as we have strayed a little off topic,

gus2000 . . . the sad thing is I read the Justice Scalia was in Europe not so long ago defending tourture and using 24 as a reference, as if it was some sort of reality.

David Dennis . . . So I get your argument, We need to become as evil and unprincipled as an adversary. I’d prefer we would be better. I trust that adhering to laws and principles is what (would) set this nation above others. I have read the Israelis don’t torture because it is an unreliable way to get true info. I have also read that we prosecuted captured Japanese “combatants” for performing water boarding on US captives.

34 deardeveloper { 05.17.09 at 11:23 pm }

danieleran:

You replied back to my comments and referenced the show “24″. I had actually never seen the show before, so I wasn’t familiar with what you were talking about. I googled the show and found that you can watch it online so I clicked on a random episode and watched it. Then I reflected back on your posting.

You wrote: “I think it has helped to significantly shift public opinion among boob-tubers who now have the idea that if the US doesn’t Bind-Torture-Kill brown people, then white people will die.”

Now it could be that another episode has what your describing, but just per chance the episode I watched had 2 white guys and a white girl as the terrorists who were holding hostage and framing 2 “brown” (middle eastern & Muslim) brothers as the supposed terrorists who really wanted nothing to do with any evil plot. In the end, one of the two brothers ended up being a selfless hero that saved thousands of lives.

Overall the show was okay. I can’t see myself watching anymore of them though, just not my kind of show. Just for reference, the show was season 7, episode 22.

Just thought that might could help you with your generalizing.

But do keep up with the good fight! (the Mac one, I mean)

35 Joe Sa { 05.17.09 at 11:45 pm }

@ David Dennis.
I will not take a position on whether waterboarding is torture; there are reasonable arguments on both sides.

Cop out. Pure & simple. Make a choice. The rest of the world including the U.S. decided years ago. Water boarding is torture. No gray area there. The point that Bin Laden does not adhere to these conventions is shortsighted at the least. The point is the administration made legal justifications as to why this isn’t torture. What now protects our military in a war with another nation? In a sense you are saying that it is acceptable for our service people to be treated in this manner.

“From all accounts, it appears that waterboarding may have given us intelligence that prevented attacks and in my view that fully justifies the acts.

Really. Who’s accounts Dick Chenney & Fox News…Could you be more specific? I didn’t think so.
It seems to be coming to light that they were water boarding detainees to get false info. They needed someone to give them a link between Sadam & Al Qaeda to justify the war in Iraq.

This is almost certainly why Nancy Pelosi acted as she did in 2001/2002, and I think she was right to do so at the time.”

Speculation much? If she’s involved she should go down also but, she didn’t order the torture or set policy, another smoke screen. Are you trying to say to wrongs make a right (no pun intended)? What does that have to do with the legality of the subject & the people that put those policies into place. We were told that Abu Ghraib was just a few bad apples in the military. Seems that there was more to it than that & that these so called pro military , do anything for our soldiers administration left them twisting in the wind to save their own asses. Cowards. Cheney wanted to water board a high ranking Iraqi officer that was captured. This was after he was cooperating. That’s not a member of Al Qeada…that is a POW by your definition.

“No exceptional circumstances whatsoever, whether a state of war or a threat of war, internal political instability, or other public emergency, may be invoked as a justification of torture … each state party shall ensure that all acts of torture are offences under its criminal law.” – Ronald Reagan

I think it’s educational and humorous to note that many Bush policies that were attacked by Candidate Obama are now embraced by President Obama. At this rate, Pelosi and crew are going to prosecute people for taking the same positions and performing the same acts as members of the current Administration.

Which policies are you speaking of?

36 addicted44 { 05.18.09 at 12:33 am }

“I will not take a position on whether waterboarding is torture; there are reasonable arguments on both sides.”

Fail. The US correctly prosecuted Japanese soldiers for War Crimes citing their use of Waterboarding in WW2. There is no argument here. All neutral entities (including Non-US ones) agree waterboarding is torture (and as I have said before, this is the US’s historical position).

“My understanding is that waterboarding was only used on nice folks like KSM, the 9/11 planner”

Well, so you are okay with committing crimes as long as it is committed on others, who may harm you, right? So how does that make you different from Al-Qaeda? Don’t forget. The Al-Qaeda justification is that the US army is taking over Muslim Holy land and killing Muslims, and since they are funded by US taxpayers, US taxpayers are fair game. Does that justify their crime of targeting civilians (i.e. terrorism)? Not according to me. However, using your logic, a crime is okay if its done to “bad” people. Anyways, this is just what has been released after a lot of haranguing. This does not even include programs like Rendition (including a Canadian Civilian, who successfully sued the Canadian govt. for handing him to the US who rendered him to a country where he was tortured, although he was innocent).

“From all accounts, it appears that waterboarding may have given us intelligence that prevented attacks and in my view that fully justifies the acts.”

And all those accounts are by people who either ordered, condoned, or committed these acts, since all records (which are probably tampered anyways) are classified, except a select few. What a shock that they say what they did or ordered was successful? That is exactly the point. Have an independent investigation, and we will know the truth of this matter. If its not true, then the whole discussion is moot. Even if its true, there are 2 points that need to be considered:

a) Just because you got info from torture, does not mean you couldn’t have gotten it otherwise
b) Even if you could have gotten the info, is that what you want to reduce your armed forces to? Lawless tyrants? What makes the US better than anyone else then, except the size of its army? I thought this was a constitutional country that prided itself on following the rule of law.

Finally, the ticking-bomb scenario…Worst case, in this situation you can torture the info out (you probably wont get correct info. Torture was invented to draw confessions, mostly false, and not get information) and then deal with the consequences. If it was indeed a ticking bomb situation, the Prez. has the power of Pardon for a reason.

Finally, Nancy Pelosi’s stupidity (and lack of statesmanship) is neither an argument for nor against torture, or anything else, except her position as a senator. Whats that got to do with anything?

I know. You keep thinking of this as a “Republicans vs. Democrats” issue, while ignoring the “US as a nation of laws vs. a lawless nation” issue.

The standard Fox News response is that this should not be done because the people behind it have bad motivations. Even if thats the case (which it isn’t) well, the motivations are irrelevant to the correctness of the investigation/prosecutions. Why don’t you address that instead of ad-hominems against supporters of investigations?

37 rogera { 05.18.09 at 10:07 am }

Hi Daniel,

You may have already seen this item on Computerworld but I thought your readers may like to read it. The full article can be seen at:

http://cwflyris.computerworld.com/t/5048620/3396968/191219/0/

but the following is an extract:

“Tight budgets, uneasy credit and layoffs, everywhere layoffs, were supposed to mean that “boutique” PC makers would be hit first and hardest. And that assumption was based on the “common knowledge” that Macs cost oh-so-much more than honest, hot-dog-without-yellow-mustard PCs. It’s been disproved six ways to Sunday, yet you keep hearing analysts talk this up as they fight traffic in their BMWs. (BMW seems to be holding it’s own, too, by the way.)

So, sorry CNet, Marketwatch and Rob Enderle. You are apparently going to have Apple to kick around some more. Enderle seems to be the Wrong-Way Corrigan of analysts. I think his most recent miss was the ex cathedra statement that iPod and iTunes will decline unless they act like Ruckus. And Ruckus is what now? Well, that’s part of my point. (Feel free to track Enderle and other sages at Wrong Tomorrow.)”

It seems that some writers are not paid shills of MS.

Cheers

Roger

38 nat { 05.18.09 at 11:10 am }

@David Dennis,

My understanding is that waterboarding was only used on nice folks like KSM, the 9/11 planner, who has a long record of unbelievable savagery. I am sorry, but if you told me he was tortured I would probably cheer on the guys who did it.

What makes him so savage? Considering your stance on savage treatment like water boarding, which Reagan’s DOJ prosecuted a Texas sheriff for, calling it torture numerous times, in U.S. v. Lee, I figured you would consider the 9/11 planner was a real bang up guy.

What is it? Fooled me once, shame on…

39 alansky { 05.18.09 at 1:41 pm }

Never before in my lifetime has there been so much biased reporting and ignorant crap masquerading as “news”. Everybody’s an “expert” and the public just laps it up. There should be a contest to settle once and for all who is really the dumbest: the readers or the writers.

40 Netudo { 05.18.09 at 3:33 pm }

Safe and secure are basically synonymous and I cannot grasp the difference. It feels like “safe” is a state and “security” is the will and what you have to do to achieve that state.

In Spanish we use the same word “seguro” for security, safe, sure, trustworthy and certain. The only exception I can think of is “to be safe” which translates to “estar a salvo”, and not “estar seguro” which means “to be sure”.

Anyway, Macs are more secure because the design is simple and does not goes into unnecessary complexity. There are few places where a virus can hide its proceses and the fact that few stuff is run as root, helps a lot.

Have you tried working in a Windows PC without administrative privileges? It is almost imposible.

41 Netudo { 05.18.09 at 3:39 pm }

BTW, I like very much the PC character from the commercials. That nice, cute and troubled PC!
I like the fact PC and Mac are pals.

42 tundraboy { 05.19.09 at 11:21 am }

It is downright scary how apparently normal folk have somehow convinced themselves that torture isn’t torture and even if it is, it’s okay to use it on some people. This is how badly our society has miseducated our children. Even scarier, I bet there is a big intersection between the people who endorse torture and the people who proudly proclaim that they have a ‘personal relationship with Jesus’.

43 stefn { 05.19.09 at 12:34 pm }

@ alansky
Can you provide a list of writers whom you consider expert? I’m always up for good technical journalism.

44 anonymous500r { 05.19.09 at 6:01 pm }

I don’t think the security issues that Windows faces are part of it’s fundamental design – rather it’s the users. User’s who have no idea – for example – that they’re running Windows with an account that has the capability to destroy the entire machine for example. Users who think that their PC is infected with a virus because “it’s running like a dog” when actually it’s their anti-virus software running an unnecessary scan. Because this doesn’t happen by default on the Mac, users are less likely to do unsecure things – so Windows can be secure but only if there are people around who know how to secure it.

45 addicted44 { 05.20.09 at 9:38 am }

“I don’t think the security issues that Windows faces are part of it’s fundamental design ”

Well, arguably Vista, and consequently Windows 7 have better fundamentals. So in that regards you may be right.

However, a large part of the problem stems from the fact that most Windows Users were trained in the Windows 95-98-ME era, when the OS’es were designed for single user use, as opposed to UNIX (which is what Mac OS X is) which was designed for multi-user use right from its inception in the 70′s…

So users have received poor fundamental training from MS itself, convincing them to use their computers in a poor fashion.

Also, if you don’t have that anti-virus software scanning in the BG, your computer will be infested with viruses…

46 anonymous500r { 05.20.09 at 10:55 am }

Fair pint addicted44 – but I can provide anecdotal evidence. For example – I have had my Windows computer running for over a year with not a single sign of malware – WITHOUT a malware scanner. My dear old Ma only managed to keep her computer in a working state WITH a malware scanner for around 6 months. Difference? I’d say so. Yes, the fundamental components of an Operating System do matter – and yes the NTFS file permissions are flawed and Internet Explorer 7 is insecure and blah blah blah – but if the users know nothing of security and unquestioningly open everything they download, use an outdated web-browser and don’t allow their OS to update itself then they will be infected regardless of whichever OS they run. The majority of people who know nothing of computers run Windows, those who care about their computers are more likely to choose a Mac or Linux box.

Also, let’s not forget what Microsoft HAS achieved – Windows is entirely graphical – top to bottom. The only form of Text UI that exists in Windows is so you can run scripts on startup. In Unix (that means Mac) I have to resort to command-line every 2 days or so – to fix the things they broke in Safari 4 for example – and on my Linux box I use the shell every day. Mac OSX pretends to be a truly graphical, easy-to-use operating system – but it still requires you to go to the shell to set exotic priviledges and settings. In Windows however – I can’t even remember the last time I touched the shell. So a small, inconsequential victory for Microsoft.

47 addicted44 { 05.21.09 at 1:40 am }

@anonymous500r…

You are way off with the GUI comment thing… You don’t “need” to resort to the command line to “fix” the Safari thing. Apple just hasn’t exposed that functionality to regular users. They are giving you the ability to make significant changes to Safari, but are limiting it to advanced users, which is why there is no GUI option. In Windows, you cannot make exotic changes. When was the last time you were able to change the location of tabs in IE? (i.e., for e.g. top of the screen?). You are making no sense with this GUI crap you are talking about (btw, I will definitely choose command line commands to do stuff over having to mess with the Registry… I use to build and repair Windows boxes, and I know a thing or two about the registry)…

Also, you talk about your grandmom, but again, you make the wrong comparison… How about you hand your same grandmom a mac, and see if she gets a virus? She wont. There are no viruses on Mac OS X. At worst, if she is smart enough to download the iwork torrent (but stupid enough to download the torrent instead of the apple provided trial and enter the license key there) and then enter her system password, she will get a trojan…So maybe, it is Windows that is the problem here. You are just clever enough to avoid all the things that bring Windows down. Does not mean Windows doesnt have a lot of bad design decisions that brings it down…

48 PC to Mac: My Not-So-Genius Switch - Page 32 - Head-Fi: Covering Headphones, Earphones and Portable Audio { 05.21.09 at 1:56 am }

[...] Are Macs more Safe than Secure? No — RoughlyDrafted Magazine [...]

49 Netudo { 05.21.09 at 4:20 pm }

@addicted44

Well said! The fact we can access a shell in MacOSX isn’t a design flaw, but a feature.

This gives the Mac, the rare property of targeting all the user range: From newbies, moms and people who only demand web browsing and email; to scientists, power users and people whose their first thought for filtering data is a regular expression.

If you know Linux or any big brand of Unix, you will feel comfortable using MacOSX.

One thing I like about MacOSX is that it doesn’t treat me like an idiot. (if I plug a usb mouse, I expect it to work, not a balloon saying a mouse was discovered , configured and ready for use). At the same time, it lets me do some of the crazy stuff I can do with Linux, and if that wasn’t enough, it can run MS Office. (Which I’m displacing in favor of iWork but that’s other story.)

50 pritchet1 { 05.21.09 at 11:12 pm }

I wish I had seen this article before we went to press for the May issue of macCompanion magazine so I could have referenced it. David, I think you did a swell job. We did distinguish between Safe and Secure. We assumed Secure and made our conclusion accordingly. Then after we went to press, the lasted update to 10.5.7 and the security updates happened. So far, so good.

51 enzos { 05.22.09 at 2:16 am }

I recently had a scare with that monumental slug, MS Office 2008. ‘Upgraded’ from 2004 because of some problems I’ve been having with .docx files.. but then discovered that I couldn’t copy-paste-edit Chemdraw graphics embedded in PP and Word files opened in 2008 documents. Turned out the graphics were still editable (even after saving in 2008) but only by opening them in Pages / Keynote or newly reinstalled 2004.

Should have known MS would be advancing steadily backwards. Pre OLE, in Word 95, the graphics double-click-opened in a little Chemdraw (or whatever) window and got updated in place upon closing the little window.. EGO for Word worked great. Even Endnote was good then, small, snappy and nice to use actually (now it’s slow and buggy, does a hundred things I don’t need in referencing software, and looks as butt-ugly as most other peecee progams).

52 GwMac { 05.22.09 at 11:42 am }

Arguing over the semantics of safety vs. security really doesn’t enlighten the discussion. I would be far more interested in comparing specific key technologies that are used in Leopard/SL vs Vista/Win7. The latest Java flaw that is over six months old and Apple has still not issued a patch for does not reassure me. Apple always seems to be way behind on Java updates, sometimes over a year behind in releasing updates.

Two important technologies that I believe Windows offers that OS X still lacks is GS Stack Protection for buffer overflow protection. The other is Vista has new defenses for a broad variety of memory manipulation attacks ranging from memory corruption errors to heap overflows. Named Address Space Layout Randomization (ASLR), the goal is to “shuffle” the address space deck so that common footholds are nearly impossible for attackers to find.

As far as I know Snow Leopard will still not give us any better defense for buffer overflows or randomizing memory space. One thing is for sure though, Apple cannot rest on it’s laurels. A few well publicized attacks of fortress Apple would seriously tarnish the brand considerably. I hope that Snow Leopard will ensure that Macs continue to be both safe and secure.

53 geoffrobinson { 05.22.09 at 12:48 pm }

The Bush administration kept Congress within the loop about a whole host of matters.

Now, when it is politically advantageous, Pelosi & co. claim to be shocked that gambling is going on at Rick’s cafe.

It’s sad. Plus, Eric Holder, Obama’s own attorney general, undermined the case that waterboarding is legally torture. Haven’t heard that about Holder? Probably not.

54 Joe Sa { 05.22.09 at 11:46 pm }

The Bush administration kept Congress within the loop about a whole host of matters.

no on really knows for sure, yet but you & Fox news do!

“Now, when it is politically advantageous, Pelosi & co. claim to be shocked that gambling is going on at Rick’s cafe.”

If they did…how does that take away from the fact that the Bush administration broke the law? People like you seem to deal in trying to blow smoke. “Pelosi & company” did not make policy under the Bush administration.

“It’s sad. Plus, Eric Holder, Obama’s own attorney general, undermined the case that waterboarding is legally torture. Haven’t heard that about Holder? Probably not.”

Could you elaborate, please? Maybe you should get your news from more than one source that seems to have a problem with fact checking.

http://www.npr.org/templates/story/story.php?storyId=99404524

http://www.marketwatch.com/story/holder-wont-condone-waterboarding

http://www.google.com/search?hl=en&client=safari&rls=en-us&ei=PXAXStyzA5eUMbbtgJ0P&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=Holder+undermines+waterboarding&spell=1

55 snookie { 05.23.09 at 12:57 pm }

I really didn’t get Grubers comment just based on the quoted parts of the article on Daring Fireball and I got it even less after reading the article. If this guy is a security expert I’m the Queen of England. His blog posting was sophomoric at best. He got slammed in the comments by me and others especially for quoting that clown Enderle. His attempts to defend himself in the comments section made him sound even more desperate, uninformed and anti-apple. I’ll never understand this insecurity and hatred of Apple. If you are willing to settle for Microsoft and cheap plasticky garbage computers with the cheapest components out of china this week then be happy with what you have. Great article as always Dan.

56 enzos { 05.23.09 at 7:37 pm }

snookie.. re. Apple bashing, a term from down my way –

Tall Poppy Syndrome (TPS) is a pejorative term used in Australia, New Zealand and Canada to describe what is seen as a populist, levelling social attitude. Someone is said to be a target of tall poppy syndrome when his or her assumption of a higher economic, social, or political position is criticised as being presumptuous, attention seeking, or without merit. Alternatively, it is seen as a societal phenomenon in which people of genuine merit are criticised or resented because their talents or achievements elevate them above or distinguish them from their peers.

57 João Gomes { 05.24.09 at 6:57 pm }

@GwMac: “The other is Vista has new defenses for a broad variety of memory manipulation attacks ranging from memory corruption errors to heap overflows. Named Address Space Layout Randomization (ASLR), the goal is to “shuffle” the address space deck so that common footholds are nearly impossible for attackers to find.”

I remember reading an article on AppleInsider about Snow Leopard which focused precisely on the addition of ASLR to OS X:

http://www.appleinsider.com/articles/09/01/16/road_to_mac_os_x_snow_leopard_64_bit_security.html

Also, a quick google search reveals that OS X 10.5 already has some form of protection in that front, too.

http://www.laconicsecurity.com/aslr-leopard-versus-vista.html

58 Derek Currie { 05.26.09 at 4:02 am }

Part of the general idea of propaganda, of which anti-Mac security FUD is an example, is to repeat one’s double-speak nonsense over and over and over such that, having heard it often enough, people begin to believe it is true. And sadly, we humans are capable of believing just about anything to be true.

The anti-Mac security FUD also bolsters the WinDroids (robotic followers of Big Brother Bill who drink the kool-aid without question) into believing their bad OS decision is a good OS decision, their bad hardware decision is a good OS decision, that a cheap Windows PC is more valuable than a more expensive Mac. Drink up me hearties, yo ho! The poison does its job and the nifty rhetorical lies make it all seem just fine.

Meanwhile in reality: There are no viruses for Mac OS X, no worms, no illegal spyware. There are only the 11 Trojan horses, which by definition require user error in order to infect a Mac. There is also no such thing as ‘security by obscurity’ on the Mac. You don’t compare 11 Trojans to over 200,000 malware for Windows and conclude this is because the Mac is obscure, at over 5% of the market, not unless you are deranged.

And no, I’ve never read or heard Mac users going around saying that Mac OS X is invulnerable, being snotty or arrogant about anything, or picking on Windows PC users unless they’ve been picked on first. It’s amusing how anyone can say anything with whole hearted conviction and yet it is utter rubbish.

If you’d like to keep track of actual, factual, real Mac OS X security, I attempt to do so over at my Mac-Security blog on Blogger:

http://mac-security.blogspot.com

59 javierbds { 05.26.09 at 6:03 pm }

First message, been reading you for a couple of years: you should collect your essays in a book!

I can’t help but feel that finding that your OS is a pain to secure is like finding your partner is cheating you … People deny it, devote time to self-healing, they may even tell friends their partners will do the same. Some will say things like “all [gender] are bitches” …

I had to leave my old OS many years ago when I found it bugged me by requiring constant attention … Life goes on, and OS X suits my needs (and taste).

60 geoffrobinson { 05.29.09 at 1:42 pm }

“Could you elaborate, please? Maybe you should get your news from more than one source that seems to have a problem with fact checking.”

I’m glad you are trying to be cute. Now, because you are trying to be snide I’m going to make you look foolish by elaborating:

http://article.nationalreview.com/?q=NjZkNGZiODM0YjNmODNkMWFhZDU5Mzk2ZDMwNGRmMDQ=

61 Derek Currie { 05.30.09 at 3:55 am }

Off Topic. <–This is how one designates comments that have nothing to do with the subject, which in this case is Macs.

Why is water-boarding being defended here? Why is the linked National Review article being used in defense of water-boarding. This is ridiculous in all respects:

“The CIA interrogators who questioned top al-Qaeda captives like Khalid Sheikh Mohammed and Abu Zubaydah intended no more harm to them than Navy instructors intended to their SEAL trainees.”

Right.

Can we please keep inane subjects and comments for elsewhere on the net?

62 geoffrobinson { 05.31.09 at 9:36 pm }

Water-boarding isn’t being defended. Liberal legal arguments were shown to be so much fluff.

Maybe this is why putting random political comments in a tech article should be kept to a minimum.

You must log in to post a comment.