Are Macs more Safe than Secure? No
May 16th, 2009
Daniel Eran Dilger
Everyone seems to get lost in their own words when talking about security and Apple. The Daring Fireball recently cited security blogger Dennis Fisher, who insisted it was “demonstrably false” to say there were not “any virus attacks on Macs.” However, rather than pointing out what a horrible pile of trash Fisher’s article was, John Gruber praised it (apparently to be nice) and then got lost in his own semantics on the subject. Sometimes you need to say “he’s wrong, here’s why.”
Instead, Gruber wrote, “That [blogger’s article] probably sounds like clueless trolling to many of you reading this but it’s not, and it highlights an important distinction. Security is about technical measures, like the strength of the locks on your doors and windows. Safety is about the likelihood that you’ll actually suffer from some sort of attack.”
Safety or Security?
Let’s first briefly wade through the semantics. In the dictionary that ships with Mac OS X, security is defined as “the state of being free from danger or threat” and safety is similarly defined as “the condition of being protected from or unlikely to cause danger, risk, or injury.” Security comes from the Latin securitas or securus “free from care” while safety comes from salvitas or salvus meaning “safe.”
So if there were any real nuance of difference between being safe and being secure, then security would have the edge in meaning “feeling safe”, while safety could be said to imply actually “being safe.” You can have an impressive but flawed security system making you feel safe when you’re really at serious risk, and you can terrorize yourself about hypothetical security vulnerabilities when in reality there may be few actual dangers. Typically however, safety and security are interchangeable.
Given all that, it’s too bad Gruber didn’t instead describe how completely bat-nuts Fisher’s predictably ignorant screed was, and why stereotyping 25 million Mac users as being a lockstep group of same-thinking automatons who comprise a giant strawman dubious of his own mortality is a tired way to begin one’s attempt to say something interesting about security in relation to Apple. Fisher presents himself as a security expert, so this isn’t some run of the mill CNET blogger giving the predictably sensationalized, anti-Apple click bait rant.
Real World Security on Macs and Windows
The real discrepancy that needs to be pointed out between security on the Mac and Windows is that while Microsoft has recently invested more into building a fancy security infrastructure in the Vista version of Windows that most Windows users don’t actually use, Mac users continue to both feel safer and to actually be safer in the sense of being “free from danger or threat,” whether that threat might relate to:
- malicious data loss
- machine downtime
- ID theft and related fraud
- the stealing of sensitive data
- the nuisance of adware
- lost PC resources used to serve a spambot network
- lost PC resources used to run protection software.
There is clearly no immediate or impending threat to Macs, and there is little in the way of market forces or that wishful thinking pundit invention of “hacker pride” that will result in something to turn Macs into the disaster that has dogged Windows since the late 90s. Fisher’s capacity for speculating a scenario where Macs fall prey to virus attacks is not the same as Macs actually being at any risk of being attacked by viruses.
No amount of highly publicized security contests (where one of the half dozen men on earth who track Mac security vulnerabilities arrives and shuts down the contest with a prepared exploit that has no value outside of such a contest) changes that fact.
There are currently no viral threats on the Mac to worry about; the only malware anyone has yet reported for the Mac are ham-fisted efforts to trick users into manually authorizing software installations that do bad things. This short list of “malware” is simply not a real world risk to users, and certainly is not even close to being anything like the problems that plague Windows, no matter how much sensationalistic emphasis the tech press attempts to frost over reality with.
Trying to equate things on the Mac and Windows behind words that lack much meaning is like trying to equate a hangnail with an ebola virus infection by calling both “health issues.”
Inventing a Problem for your Solution
Will the risks facing Mac users gradually change as the Mac installed base grows? Apparently that can’t happen fast enough for the anti-virus companies who want to sell Mac users unnecessary software. Their pundits love to equate low risk, self-injury actions that are unlikely but possible on a Mac (and impossible to stop with security software) with high risk, difficult to escape from events that are routine on Windows and can be addressed by their lucrative security software subscriptions. This is straight up misinformation mixed with fear, uncertainty and doubt to defraud the public.
For example, nearly everyone is claiming that:
- Downloading iLife warez that pretend to be stolen software
- from a non-trusted source
- assigning it privileges to install on your system
- and then finding that you have installed a background process that does something ugly, which you can trivially remove
is the same as:
- Trying to use Windows to browse the web and use email
- finding that you’ve been automatically infected with adware and viral malware without knowing it
- then finding that your PC is also self replicating attacks or sending spam on to other systems
- then realizing that Microsoft’s design of the Windows Registry makes it difficult to clean malware out
- then noticing how much of your CPU capacity is being used to protect you from all of these threats via malware and virus scanners
- then finding out how expensive it is to spend hours cleaning up the mess yourself, or alternatively paying some Nerd Patrol $300 to “diagnose” that your PC is hosed.
They are not the same, and only a liar would keep suggesting that Mac and Windows users face the same dangers and threats. If you’re paying attention, you’ll notice that those who keep suggesting this almost always work for an anti-virus company working to make money off of Mac users. This shouldn’t require any help in dot connection.
How exactly Fisher benefits from regurgitating a bunch of tired misinformation about Mac security I don’t know, so I’ll assume there was more incompetence than malice involved. From his first paragraph, he insists that the idea of there not being virus attacks on the Mac is “demonstrably false” by linking to his site’s own paraphrasing of a ZDNet report, which left out the original article’s statement that the discovery in question “is not currently spreading in the wild.” Fisher also saw no reason to cite the article’s hype deflating paragraph, which stated:
Excluding such notable OS X pieces of malware such as last year’s ARDAgent-based trojan exploiting a local root escalation vulnerability in Mac OS X 10.4 and 10.5, the rest of the newly discovered OS X malware continues relying on social engineering tactics (fake codecs such as CodecUpdate.v1.18.dmg; License.v.3.411.dmg etc.) in order to spread.
Fisher’s conclusion that Macs are somehow now under virus attacks (just not in the wild, and only if they install prototype trojans and activate Apple Remote Desktop first) is just plain irresponsible.
Fisher then suggests that the plague of Windows Powered spambot networks was some ancient problem related to Outlook, which he only seems to concede may have inconvenienced someone in a former life in another universe. “But the game now is about owning the machine itself,” Fisher claims, entirely without bothering to explain why, or without recognizing the difference between different types of attack and different targets.
One might as well say that car break-ins used to be a problem, but now everyone steals money by setting up a Ponzi Scheme, because that’s what you hear around in the newspapers lately. In other words, don’t worry about your car being stolen, but be terrified about investing money, because that’s far more dangerous apparently, at least when pundits are making up harebrained logical fallacies.
Oh but it gets worse. “This has led to the inevitable debate over which new OS will be more secure, Snow Leopard or Windows 7,” Fisher insists. He then hauls out “analyst Rob Enderle” who according to Fisher, unsurprisingly, “puts his money on Windows 7.”
I wonder if that’s because Enderle is a paid shill who will put his money anywhere you pay him to put it? Enderle is the same guy who read my article explaining why Windows 7 was headed toward the same fate as the Zune for similarly copying Apple’s strategy despite lacking Apple’s circumstances and position, and cited it to mean that Apple was helping to make Windows 7 better.
Enderle has been triumphantly discovering and lauding golden kernels of corn in Microsoft’s poop for years. And while he can spin anything in Microsoft’s favor in his frequent blog postings, he can’t actually manage to do anything to affect reality. His incessant demonizing of the iPhone ended up flaccid and impotent, and his efforts to advise Dell on how to deliver a killer new Windows Mobile smartphone in reaction were so ineffectual that the carriers ultimately told Dell to come back when they had a product that wasn’t boring.
For Windows Enthusiasts who can’t fathom Apple being successful and Microsoft failing, the only way to interpret the last decade is to insist that up is the new down and that success isn’t owning the future, but having monopolized the past. Let it go, folks.
The Big Lie
Fisher then claimed that the reason why the dramatic expansion of Mac adoption over the last few years hasn’t had any impact on new Mac malware was only because “Windows dominates in the enterprise, which is where the most valuable data is. Ergo, that’s where the attackers go.” Oh really? Then why are “attackers” causing such a mess for home Windows users?
I’ve done a lot of antivirus and malware cleanup for a lot of computer users, and I’ve never encountered a PC that wasn’t chock full of adware junk, but have never seen a Mac that had any significant infection from malware. It’s a pretty big lie to suggest that the plague of consumer malware which caused Microsoft to spend the first half of the decade working on patches to XP and spending much of its resources to develop a security infrastructure in Vista… simply didn’t happen.
The other reality is that, of the billion people who currently use Windows, only a minority actually use the patched and fixed editions Microsoft has recently released (which themselves are still not immune to viruses in the way these pundits like to suggest). The next article will look at what Microsoft is doing about that in its attempts to get people to adopt Vista under its new name: Windows 7.
Security is a complex topic
There are few useful generalizations to be made on the topic of security. Pundits, please stop saying that Mac users are all self-assured that their platform is “invulnerable” to viruses. Everyone I’ve talked to is aware that the Mac is a safer platform because there are simply fewer existing problems and fewer reasons for anyone to want to introduce them.
There are also far fewer old Macs sitting around which are connected to the network but without Software Update turned on, while the Windows platform is full of such dead wood fueling the viral forest fires: all the old legacy Windows PC systems sitting around running cash registers or browsing the web in a cafe where nobody knows how to properly secure it.
I’ve earlier pointed out how Microsoft has itself participated and encouraged the adware/spyware business because it thought it could make money at it. The company also willingly attracts the kind of cheapskate consumers who are most likely to respond to the sorts of pandering adware offers that fuel viral malware. None of these problems are shared by Apple, meaning it’s not a safe assumption that the Mac’s success is fated to inherit Windows’ security crisis.
News media, please do your jobs.
In view of all of this, the most shocking and disappointing thing that can be observed about this mess is how the media is lapping up the near denial that Microsoft bears any guilt in regard to today’s multi billion dollar PC security crisis, that it should only be commended for taking some recent stabs at polishing up its tarnished security record, and yet how much attention goes into covering the wagging finger of “security experts” who chastise Apple for not doing enough to keep the Mac free from imagined threats that could theoretically exploit known vulnerabilities.
This seems creepily too much like the media’s approach to torture, where Dick Cheney is given a free pass for approving it, and yet somehow Nancy Pelosi as a legislator is vilified for not doing more than the executive branch to stop it, after being informed via classified reports she could not legally have taken public.