More security professionalism, please.

The Macalope responds to a post by David Maynor

David Maynor has come out in defense of Bill Gates’ recent comments that OS X is security swiss cheese and he churlishly derides the Mac community’s response.

In the post, Maynor reminisces that Apple’s “Get a Mac” ads were what got him into Apple security research last year. Is it just the Macalope or is that a little odd? As a child did he also run after Mean Joe Green with a Coke bottle, begging him to throw a jersey at him?

The thing that really upsets me about the Mac community going off on Bill Gates is that Apple does the same exact thing. Their “we don’t have security problems” commericals [sic] are the same thing as what Bill Gates said. If you want to be mad at Bill then hold Steve accountable for the same actions as well. The arrogant commericals [sic] Apple runs has done nothing but win them alot of researchers who are breaking their systems that would not have otherwise given them a second look.

The Macalope thought there was something strange about Maynor’s assertions here so he went back and watched all of the “Get a Mac” ads. Do you know how many of them discussed security?

One.

So, it’s not “commercials”. It’s “commercial”.

Why did David Maynor get so bent out of shape over one commercial? Seems a little absurd.

It’s also a little absurd that Maynor is trying to conflate Apple’s silly, funny ad with statements made by the founder and chief technologist of Microsoft to a Newsweek reporter.

Those things are not comparable.

But for grins, let’s pretend that they are and take a look at the relative truth behind each. Here’s the salient part of the “Get a Mac” ad entitled “Viruses.”

PC: Last year there were 114,000 known viruses for PCs.

Mac: PCs. But not Macs.

Is this true?

The year in question is 2005 and the data comes from a report from Sophos that says:

By December 2005, Sophos Anti-Virus was identifying and protecting against over 114,000 different viruses, worms, Trojan horses and other malware.

So, we can quibble over the use of the word “virus” to describe a host of malware, but it’s not really important to the argument. Sophos does, however, make a Macintosh version of its program, so maybe some of those are Mac viruses.

OK. Just how many Mac viruses are there?

According to Viruslist.com, 111. [CORRECTION: As noted in comments, this is the number of vulnerabilities, not viruses. The number of viruses is actually probably significantly lower which maybe helps proves the point about the Mac’s lower market share being its saving grace.]

Now you can look at the ad’s assertion yourself and decide if it’s “arrogant”, but the Macalope will note that Apple’s at least 99.9% correct here ((114,001 – 111) / 114,001). And it’s 100% correct if you just take it at face value – there are not 114,000 viruses for the Mac.

Maybe it’s the text Apple shows after you run the “Viruses” ad on the web that caused Maynor so much chafing. Let’s look at that.

114,000 Viruses? Not on a Mac.

Kinda covered that.

Mac OS X was designed with security in mind.

Well, that’s a piece of rather obvious fluff. Of course it was.

Windows just wasn’t built to bear the onslaught of attacks it suffers every day.

This is true simply be definition. Most viruses are written for Windows. An OS can’t “bear the onslaught” of a virus written to take advantage of one of its flaws. OS X was not “built to bear the onslaught” of the 111 viruses written for it.

A Mac offers a built-in firewall, doesn’t advertise its existence on the Net, and isn’t compromised within an hour of being turned on.

All undeniable fact.

Aaand that’s it.

Hmm.

Maybe it’s just the Mac guy Maynor doesn’t like. Some people don’t like him.

OK, let’s look at the primary security-related statement against the Mac in Gates’ interview.

Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally.

No. They do not. They didn’t even come out with one every day in the month of January. If Gates had said something more generic like “They keep coming out…” one might be inclined to cut him some slack, but he didn’t. He said “Every single day…” and that is false.

Gates does have something more of a point about upgradability and one can argue about who copied whose interface all day long.

But that’s not what Maynor’s talking about. He’s talking about security and it’s really not a contest. Apple’s ad is true and Gates’ comments are not.

Yet Maynor feels justified in giving props to Bill Gates for stickin’ it to the man.

He also expects howls of uproar over his assertion that Vista is more secure than OS X. Truth be told, Maynor’s far more qualified to make a judgement about that than the Macalope, but the horny one would point out that just because Vista’s more secure on paper, doesn’t mean that it will provide a more secure user experience. Windows is still and will continue to be the bigger target.

The biggest threat OS X has seen recently is from the supposedly responsible members of the security world who seem to be trying to provide Microsoft cover and bring trouble to Mac users by publishing (and executing) OS X exploits.

All because they didn’t like an ad and got pissed off by some comments on Slashdot.

If you read Maynor’s post, you’ll notice that it would be very easy to pump up the volume of the snark in response. Maynor is not a very good communicator. He may be a very good security researcher, but he’s not a terribly good writer (yet, anyway) and history has proven that he’s not terribly adept at PR.

So the Macalope could just haul off on Maynor and we could all have a good time, laugh ourselves silly and go back to watching That Phone Guy. But keep reading. Let’s hear Maynor out.

Microsoft only changed when users demanded better security, and it’s only when the Mac community calls for similar protections that Apple will include them in products.

Here, dear readers, comes the glorious moment. That most special of after-school special moments.

Because you know what? Here, he’s right.

He’s absolutely, 100% right. No matter what crazy-assed things he’s said up until now, his final point is spot-on.

We, as Mac users, have been skating. We’ve been skating on the fact that no one writes exploits for the Mac. And as Apple becomes more and more of a household name, that will not stand.

This is not to say that Apple isn’t already working on security enhancements for OS X or that it will ever have as much malware as Windows. But while Apple has been attempting to leverage its historically good reputation, Microsoft has been trying to reverse its historically bad reputation by aggressively implementing new technologies that will make it harder to write exploits for Windows.

The Macalope wants OS X to be the most secure operating system there is, practically as well as theoretically, and there is certainly some evidence that Apple does not take security seriously enough. Maynor did not even mention the company’s flippant handling of the incident where it shipped iPods infected with a Windows virus.

That incident, by the way, was marked by a universal condemnation of Apple’s comment from Apple bloggers (including the Macalope) and suggestions that the company needs to take security more seriously, an inconvenient truth for Maynor who loves to rail against Mac zealots.

To be fair, some guy on Slashdot probably thought Apple’s comment was teh awesome so…

In general, the Macalope says the hell with David Maynor. Anyone who gets such a gigantic bee up his butt over a 30-second ad shouldn’t be taken seriously.

But at the same time the Macalope would really like to see Apple demonstrate that it does take security more seriously than as a marketing tool.

UPDATE: Maynor provides some clarification in a post that the Macalope agrees with in its entirety. He’s also taken exception to this post in comments.

UPDATE THE SECOND, ELECTRIC BOOGALOO: The blogstorm continues as Maynor responds to John Gruber’s brief post.

You are not mad that Microsoft’s latest Operating Systems out classes OSX hands down in the areas of security and anti-exploitation technology but instead one comment Bill Gates made to a reporter? Tell you what, when Microsoft starts running commercials that feature the Month of Apple Bugs then you have every right to complain.

This is really interesting. Maynor, who complains at great length in a previous post about how Apple’s Lynn Fox screwed him by issuing false statements to reporters, does not find Gates’ false statement to a reporter to be noteworthy. It is noteworthy. It’s noteworthy in the kind of way that you write a response to it on your blog. Not in the kind of way that you decide “Oh, yeah? Well, I’m gonna crack Windows!” and then you come up with an exploit but you screw up the delivery and devote months of your life to defending yourself and quit your job because you think your employer screwed you and finally decide to write a book about the whole affair.

In general, the Macalope expects more truth from a Newsweek interview than a commercial where actors are pretending to be computers, but maybe he’s just one of those craaaazy Mac zealots.

As for the first part, the Macalope’s not sure why this isn’t obvious to Maynor but it’s hard to get worked up over security and anti-explotation technology when there are so few exploits for the Mac. Your average Mac user has never, ever been a victim of malware. Ever. Once.

Is this thing on? Hello? Hello?

Of course, an ounce of prevention being worth a pound of cure, the Macalope would really like to see Apple implement some of the technologies Maynor is talking about and sooner rather than later. So he’s doing what Maynor suggests.

So there.

49 thoughts on “More security professionalism, please.”

  1. And you know Macalope … we all make grammar mistakes every now and then (sometimes we correct them). Did the 1st paragraph of Maynor’s invective make any sense at all? That blog entry would have had red all over it in high school english.

  2. “it’s only when the Mac community calls for similar protections that Apple will include them in products.”

    The Mac community, by and large, doesn’t call for more protection because it feels the current protection is good enough. Not invulnerable to all possible harm but good enough. In the same way that in all the years since computers moved from displaying 256 colors to millions of colors no one has felt the need to demand billions of colors. Very little came out of the MOAB and, it seems to me, that Apple fixed the one serious bug that was revealed with reasonable speed.

    I think that what Maynor means by calling for more protection is paying people like him to solve problems most of us don’t have. What do you mean by saying Apple should “demonstrate that it does take security more seriously than as a marketing tool”?

  3. I’m thinking that if the virus that was on those iPods happened to be a Mac virus, then Apple probably would have cared. My opinion is that Apple does care about security, but just not Windows security.

  4. Rus – the Macalope stayed away from issues of grammar, spelling, awkward argument construction and poor use of metaphor (see the part about treating those who say OS X is more secure than Vista with the same disdain as you would a parking ticket).

    Marc – the Macalope’s point is that with jackasses like Maynor, Ellch and the MOAB people now running around trying to take down OS X, “good enough” is not going to cut it for very long. Do we really want a serious Mac infection like the Blaster virus? Cut it off at the pass. Apple couldn’t even issue a mea culpa about shipping infected iPods without trying to make it a joke.

    Dino – Apple shipped iPods with a virus that could infect its Windows-using customers. It can’t afford to not care about Windows security, at least as far as its involved in it.

  5. Good article, but I think, the Macalope went a little wrong at the end:

    “But at the same time the Macalope would really like to see Apple demonstrate that it does take security more seriously than as a marketing tool.”

    Apple actually takes security pretty serious, because they (re-)sell an anti-virus software with dotMac for the last couple of years.

    I don’t know about the Macalope, but since there is no malware for the Mac, I would say, that they are playing it really safe.

    And if there actually were viruses for OS X, I would be so bold assert, that Apple would integrate a virus protection into OS X itself, because our relationship as Mac users with Apple differs from the others guys by the fact, that we pay Apple money for the experience a working computer system( I don’t know what the heck the Windows guys pay Microsoft for). This experience can really be harmed, if there are 114.000 viruses and no decent protection at all. And I doubt that 3rd party developers are a good solution to security problems, because it seems to me that these people sell security “Mob-Style”.

  6. The path to the OS X kernel is through Parallels.

    During my initial Parallels experiments, I was doubly shocked when:
    (a) I ineptly managed to share my entire OS X drive with the XP VM
    (b) my VM was infected with a virus minutes after setup — behind a corporate firewall no less.

    If I was a black hat gunning for OS X, I’d start with Parallels.

  7. “We, as Mac users, have been skating. We’ve been skating on the fact that no one writes exploits for the Mac. And as Apple becomes more and more of a household name, that will not stand.”

    Are you repeating that old canard* about Mac’s security through obscurity? All this time I thought that Macs were secure by design, that even if people were trying to write exploits for the Mac, they just were not succeeding.

    * canard: a deliberatly misleading fabrication

  8. Seriously, is Maynor a teenager? I know a lot of accomplished hackers are really young-this guy sounds like a) he knows his way around an OS, and b) he’s about 17 years old.

  9. Murmillo – then you don’t think that the biggest reason Apple suffers far fewer incidents of malware is due to its smaller market share? The Macalope is forced to disagree with you.

    Selling virus software with .Mac is a band aid and the Macalope’s not sure what the situation is in Germany, but they no longer include virus protection software in the U.S. version of .Mac.

    And I doubt that 3rd party developers are a good solution to security problems, because it seems to me that these people sell security “Mob-Style”.

    The Macalope doubts that David Maynor is going to get any business from Apple on his own, but there is something of an air of extortion about how they go about this, isn’t there?

  10. * canard: quack! 😉

    What I particularly like about this post by the Macalope is his appreciation for the complexity involved in the current argument. It is *so* easy to fall into partisan positions yelling ya-boo at the supposed other side and the Macalope has deftly remained safely on his four rhetorical legs instead of falling into that quagmire.

    Our friend David Maynor is afflicted with a mean case of the “sounding like a jackass” syndrome, but that’s not to say we’d be any less clumsy playing silly ad hominem arguments against everything he happens to say. The Mac is only as secure as Apple make it, and although that is actually pretty good compared to the opposition as best the mountain of evidence can tell, it’s not perfect and will always require serious attention and effort in Cupertino if it is to improve or remain what it is.

    Artie MacStrawman may love chuckling to himself in every Starbucks he passes by, opening every email attachment and running from every dodgy .dmg he can find for his own amusement, but let’s try to be balanced here. Real world security is never to be taken for granted, even when the invective being mouthed by the polemicists every corner of the media tends to foster makes your hackles rise and gives you the unfortunate case of … “sounding like a jackass” syndrome too!

    Class act, Macalope. If only you were the mainstream tech press.

  11. Mr. Blister has a very good point. In addition to weak protections from Parallels in protecting an OS X disk, there are still unanswered questions about the security of the virtualization technology used. For more information on the potential problems, do a google search for “blue pill”.

    google: Blue Pill

  12. I should point out that I’m not accusing Parallels of anything. The problem may be with the virtualization technology in general and the lack of native OS support to control access to the virtual machine monitor (VMM).

    I would feel much better if Apple wrote the VMM and not Parallels or VMWare.

  13. “In general, the Macalope says the hell with David Maynor. Anyone who gets such a gigantic bee up his butt over a 30-second ad shouldn’t be taken seriously. ”

    But its ok to get upset about a comment one man made to a reporter? Classy.

  14. The Macalope wrote:
    “This is not to say that […] OS X […] will ever have as much malware as Windows.

    Anyone who can predict the security future should become a security consultant.

    I’ve done security consulting before, and I have no idea whether Mac OS X will or won’t ever have as much malware as Windows at some indeterminate point in the future. What I *CAN* say is that right now, it doesn’t. And it doesn’t by a really wide margin (1000:1). When you’re defending yourself, it’s your CURRENT security exposure that counts, not some abstract future one.

    Let me put this in a very concrete way:
    If Windows had only 111 pieces of malware a year, there wouldn’t be a Windows security problem.

    Now, is 111 perfect? No. Is it pretty good? It depends. Any single piece of malware could be devastating, but if you’ve only got 111 of them to defend against, that’s a lot smaller problem to address than 114,000.

  15. Meester Macalope…

    I agree with Murmillo. While security through obscurity is indeed unsafe and untrustworthy, I certainly don’t think it’s the primary reason that OS X hasn’t been hit with viruses. See the contest put on by the developer of Daring Fireball last year. There’s money to be made hitting even a small market of computers, not to mention sheer notoriety of being the first generator of a true (self replicating, operational) virus on OS X. Don’t think that the only people trying to hack OS X are grey hats like MOAB and Maynor. There’s got to be some black hats trying it, and they’re not doing so well.

  16. David: the Macalope spent all of a half an hour on his post about Gates and maybe a couple on his post about your defense.

    How many hours did you spend getting into Apple security?

  17. Murmillo –

    I don’t know about the Macalope, but since there is no malware for the Mac, I would say, that they are playing it really safe.

    Bill Scott –

    All this time I thought that Macs were secure by design, that even if people were trying to write exploits for the Mac, they just were not succeeding.

    Guess what, there is malware for the Mac. The Macalope said: “OK. Just how many Mac viruses are there? According to Viruslist.com, 111.”

    To be fair, Viruslist is only counting the number of vulnerabilities (111, according to them) found in Mac OS X, Apple and third party apps in 2005 and 2006. Viruslist is also listing malicious programs targeting the Mac, like Leap.A, Inqtana, etc. but you would be hard pressed to find 111 “viruses.” Yet there are vulnerabilities, and it’s demonstrably possible to write malware exploiting these vulnerabilities. The published exploits were mostly proofs of concept with no malicious payload but should Apple rest on its laurels and assume that things will never get worse?

    If Apple takes security so serious, why do they remove BSD security features like heap and stack randomization? Just asking.

  18. I’ve done security consulting before, and I have no idea whether Mac OS X will or won’t ever have as much malware as Windows at some indeterminate point in the future.

    That’s a fair point, BobG. But if you look at the motivation behind writing a piece of malware, the Macalope’s gotta think that hackers are looking to get the biggest bang for their buck. Assuming the Mac will not make more than incremental gains in market share for the foreseeable future it seems reasonable to surmise that Windows will continue to bear the lion’s share of malware.

    But, no, the Macalope doesn’t have a crystal ball.

    (He does know some people who do, but they don’t like to lend them out.)

  19. Apple isn’t resting on its laurels and assuming things will never get worse. If they did that, we wouldn’t have about a billion security updates every year. I’m not really certain how they could be doing much better, other than a scheduled update day like MS has (which is actually pretty nice). Considering the people finding the highly publicized bugs aren’t giving them to Apple first, well… how’s this for a scenario?

    “Your car door’s unlocked, but I already told that to about 30 guys down the street looking to get a new radio. Good luck, you slacker.”

  20. About half an hour till I found my first bug then I realized OSX was wide open and untouched space for security researchers.

    OK. You’ve obviously spent a bit more time on it since then, certainly in defending yourself.

    But what, specifically, was it about the ad that cheesed you off so badly? Is there something wrong with what the Macalope’s written above about it actually being true (and Gates’ comment being false)?

    You keep writing that Apple’s ad said “We don’t have security problems”. That’s not what the ad said. It said the Mac doesn’t have the large number of viruses Windows does. What is incorrect about that?

  21. To me it is not so much the question of ‘is there malware for OS X’? as it is ‘what will happen when there IS malware for OS X’? This is, by far, he more important question and deals with what is called Defense In Depth. That is, when designing security you should assume that there is an adversary out there banging on your door and then decide how best to deal with it.
    So, if we assume that there is (or will soon be) malware targeting OS X — then what? Well, part of the security needed is isolation between applications. One application should not be able to destroy or update another without the user getting involved. Especially the browser. It should not be able to do things like open the address book or email client without the user’s intevention. To me this is where OS X (and Linux) are much better than Windows.
    While convenient, the Windows philosophy of deep and automatic integration between applications (and the OS) is really the main reason security is such a problem there. I have often thought that if Microsoft would just turn off those links (or at least have the application get your permission) prior to dinking with other applications then that would help considerably. However, I’d bet that it would also break a huge number of existing business applications that assume deep, automatic integration between the IE libraries and other applications.
    What I really hope (and thus far have seen to be true) is that Apple learns from this and never builds in the ability for applications like Safari to automatically invoke other applications without the user’s involvement. If Apple keeps OS X applications balkanized (IMHO), then the impact of any future malware will be minimal.

  22. As a response to the Macalope and “As I See It”, I would like to that I believe that the insecurity of Microsoft’s systems isn’t based on what security features Microsoft builds into their system, but in the wide open doors, witch they call features.

    My all time favorite of these is when they added VBS-auto-execution to Outlook Express. Or the RDP-flaw, witch made you vulnerable to worms by just being connected to the internet. In this time (Windows 98), when the old Mac OS had also to fight with viruses(a bit), Microsoft gave the former “Malware-Hobbyist” a really good chance to become the industry they are today.

    And yes, the Macalope is right, this industry always aims for the biggest market and yes I was wrong, Apple doesn’t bundle the anti virus software with dotMac anymore, not even in Germany.

  23. Just in case no one has already made note of this: I think the real issue isn’t how many exploits there are, but how easily a process can be made hard-to-find and/or hard-to-remove. So what if you can get malware onto somone’s computer — if it’s quickly found and removed, and quickly defeated by anti-malware software, then you wasted your time. Hackers would love to infest the Mac with malware, but it’s a big waste of their time to try.

    If Vista has fixed the problem of hard-to-find and hard-to-remove processes, then it might indeed be more secure (or about as secure) as the Mac — once all those 2000/XP machines get updated, or more likely replaced.

  24. “But its ok to get upset about a comment one man made to a reporter? Classy”

    So, your words and opinions on a blog should be taken just as seriously as Bill Gates’ words and opinions in a national magazine?

    Suddenly its all becoming much more clear :p

  25. Feel free to email me if you want quicker responses.

    What upset me about the commercials is two fold.

    The first thing that came to my mind is that Apple was doing exactly what Bill Gates did: challenge the hacker community to prove them wrong. I remember the first time I saw the virus ad was during David Letterman. I thought at first it was a spoof or a joke then bolted upright when I realized that it was a real commercial. Apple had just thrown down a gauntlet and it wouldn’t take long for malicious individuals to answer. The first bug I found in a Mac only took about half an hour because I had the framework already built and setup to do wifi fuzzing. Other vendors who have taken this “we have the best security” stance ended up with pie in their face. Oracle and their unbreakable campaign anybody? Even Microsoft looked bad doing this before. I advised Microsoft at a lecture that telling people the Xbox 360 was going to be unhackable at launch was the worst thing to do, people who otherwise wouldn’t spend twp seconds on it will go and find problems just to prove you wrong.

    If you are curious about wifi fuzzing Metasploit has added this functionality, there is an article for an online magazine called Uninformed discussing how to do it as well as an article I wrote for securityfocus.com on how to do it.

    The second is that the Apple advertisement made it appear that catching a virus was the worst thing that could affect a user in the security arena. How many typical users know the difference between malware, exploits, viruses, and even stuff like rootkits and botnets. It’s all the same to them. Every tried to explain to someone they have spyware and get a response like “ooooohhhhh you mean I have, like a virus?” I can’t count the number of people I talked to after those commercials that actually felt that OSX had no security problems because they didn’t have any viruses that affected them. I worked for a major security vendor at the time and the PR people even agreed, “Macs don’t have security problems because they don’t have viruses”. There is a huge difference between a virus and an exploit that takes advantage of vulnerable code. For instance almost all of the major Windows based worms you have ever heard of like Blaster, Sasser, Zotob, Slammer, etc…were not viruses but were self propagating worms that spread via exploitation of vulnerabilities. When I saw the ad I felt like Apple was playing a sleight of hand trick with the truth about what the risk is to the user. This is something I have come to find out Apple does often; I call it a narrowly true but broadly misleading statement. The advertisement would not have been so bad if OSX made use of the same kind of anti-exploitation technology that Linux, OpenBSD, and now even Vista has for armor. That would mean that if someone did find a vulnerability you couldn’t take advantage of it. Now it is still pretty trivial.

    I have heard no less that 200 iterations of the argument “I have had a Mac for (insert time here) and never had a security problem” today. That great, I have had Windows boxes for over 10 years and never gotten a virus or compromised by a worm or botnet. In fact the only machine I ever had that has been compromised was a Linux shell server back in 1999 where the hacker guessed one of the user’s password via ssh bruteforcing. I only mention this because people are finding vulnerabilities in OSX now. MoAB #1 could have been used to break into OSX remotely and I feel that promoting the idea that there is nothing to worry about because OSX doesn’t have viruses is just irresponsible.

    A commercial that would have been better and not upset me for my second reason would have been something like “OSX is not as affected by hackers as Windows is” or even “bad people can’t do bad things to OSX as easily as Windows”. They are true statements but don’t delve into ambiguous definitions or terms that end users are sure to confuse or use interchangeably. I suppose they didn’t go this route because they wanted to use the “144,000 windows virus number” as it would scare some people into buying a Mac.

    “Jeez that sure is a lot of viruses.” *credit card swipe at Apple store*

  26. Dear Macalope !

    I am certain that David has made mistakes in handling/presenting the WLAN matter,however that does not make him a jackass.
    As far as I can tell his main points are:
    -)Steve Jobs gets away with BS that Gates never can dream of (getting away with 🙂 ).
    -)All the “it´s more secure” speak on Apple´s side is an open invitation to hackers to prove them wrong.
    -)OS X(as of 10.4.8) is (on paper,by concept) less secure then Vista.

    As much as I like Apple´s products,I have started to tend to agree with him now.(Mostly as to point 3,the other 2 are glaringly obvious.)
    I have done some (major) research on the state of OS X´s security,because I have a “double” vested interest: I am a user of OS X and am developing (long way ahead…) a piece of software that relies heavily on the frameworks and system libraries(etc..) that Apple provides.It also requires a secure environment.
    I define a secure environment as having multiple lines of defense.
    Currently (unfortunately) OS X does not have them (particularly with default settings )in many cases.

    So,is there a point to my rant?
    There sure is; let´s end the various feuds between mac bloggers and a couple of security experts and ask ourselves three basic questions:
    -) Is the average Mac user secure currently?
    -) How do “our” security features stack up against other available operating systems? (After all we all like to compare MacOS to other OSes feature wise.)
    -) What type of security threats are there?
    -) Judging from points 2 and 3 what does that mean for the future.

    Probably not as entertaining as picking apart the non Enderles and Dvoraks but very valuable to our community.

  27. David – that’s the best explanation I’ve heard of your reasoning to date. If you’ve published as thorough an explanation elsewhere, the Macalope has missed it.

    Your counter-example of only ever having been compromised on Linux is interesting but, statistically speaking, one has been historically far less likely to encounter malware on a Mac than on a Windows machine. The Macalope knows people who brag about how fast they can reinstall Windows and all their apps and data after being hit with spyware because they’ve had to do it so many times. Again, that’s anecdote, but the statistics bear it out.

    “I feel that promoting the idea that there is nothing to worry about because OSX doesn’t have viruses is just irresponsible.”

    OK. You’re entitled to that opinion, but your pedanticism on this point flies in the face of the entire history of marketing. At least you’re being consistent.

    “Jeez that sure is a lot of viruses.” *credit card swipe at Apple store*

    And is that person — presumably a switcher — now more or less likely to be affected by malware?

    Finally, again, while you may consider Apple’s ad “irresponsible”, to the Macalope it simply defies logic that it’s the same thing as Gates’ verifiably false statement. It’s more understandable now why — as a security researcher — it may have rubbed you the wrong way, but we’re comparing something that’s literally and directionally true but perhaps incomplete to something that is literally and directionally false.

    Oliver – the Macalope never called Maynor a jackass. Maybe some other things, but not a jackass.

  28. If Windows Vista has only 111 exploits written for it, I’d call it a vast improvement in security.

    Or even if Vista has only 111 vulnerabilities, that’s still an improvement.

    No matter how you count it, if Vista’s share of exploits or vulnerabilities were proportional to its market share relative to Mac OS X, that’d be an improvement.

  29. http://news.bbc.co.uk/2/hi/technology/6331959.stm

    “Microsoft’s Windows Live OneCare security tool was one of four products that failed independent tests carried out by the Virus Bulletin.

    The security testing group found that Live OneCare missed far more active viruses than any other program tested”

    “While Live OneCare did manage to spot 100% of the macro viruses it was tested against, it missed some wild viruses, polymorphic programs and file infectors.

    Live OneCare caught 99.91% of the known active viruses it was tested against. This left it vulnerable to 37 separate malicious programs.”

  30. So, let me see if I have this straight:

    A misleading (though not actually false) advertisement may result in the advertiser selling more of its product.

    That is a bad thing.

    A man who knows what is really true goes in front of the press and says things that are patently and provably false.

    That is okay.

    Did I miss anything? Dare I wear out a cliché? That looks like a comparison of apples and oranges.

  31. @David Maynor
    “This is something I have come to find out Apple does often; I call it a narrowly true but broadly misleading statement.”

    Welcome to reality. That’s called advertising.

    If you’re upset by “narrowly true but broadly misleading” statements, you must be upset over at least half the ads on TV. If you’re not, then that’s a nice set of blinkers you’re wearing.

  32. From comment 5430, above:

    “Oliver – the Macalope never called Maynor a jackass. Maybe some other things, but not a jackass.”

    From comment 5389, further above:

    “Marc – the Macalope’s point is that with jackasses like Maynor, Ellch and the MOAB people now running around trying to take down OS X, …”

    Not that I necessarily disagree with the idea that Maynor and the like are jackasses, but I can’t help myself.

    Unless the Macalope was being ironic or … something, and I missed it.

    It’s possible.

  33. Huh. Well, why isn’t DM out protesting ads that show SUVs driving vertically up the side of a snow-covered ice cube? Actually, just about all advertising is at least misleading. Most is pure BS.

    Sure, you can argue that advertising should be more honest. Good luck with that. Are the “Buy a Mac” ads more misleading than most? No. They ring true to at least one old fart with a lot of experience with both systems. I’ll testify under oath to twenty years of malware-free Mac usage – almost continually online the whole time. The rest of the ads are just funny in a cutesy-pie sort of way.

    Apple didn’t say bad things about Macintosh in a piece designed to compare their product favorably against the industry leader. A lie of omission? Sorry. That’s advertising.

    Bill Gates said things that were completely not true in a press interview. Not misleading, not questionable. Factually wrong. Either he was ignorant of the facts or he lied. Take your pick. Either way, in terms of integrity Apple comes out miles ahead in this one.

  34. Anal R. Etentive – Ack! The Macalope stands corrected! How quickly we forget.

    The Macalope thought it sounded familiar but he went back and searched the posts for “jackass” and didn’t see it in conjunction with “Maynor” but he forgot the search the comments.

    A thousand pardons. The Macalope has failed his Shaolin masters.

  35. The fact that Microsoft and many in the Windows community are getting so bent out of shape about Apple advertising speaks volumes. Before OS X, and arguably before the release of Tiger, MacOS simply wasn’t a threat. It was breathing its last.

    Now the mainstream press is discussing OS X in articles that are ostensibly about Vista. The IT press is saying that Vista is a great improvement that still doesn’t come out ahead of OS X.

    But the real thorn in their side is those commercials. I find the underdog tone taken by the new breed of Mac-bashers to be fascinating. They get bent out of shape about Apple’s advertising, crying foul and declaring that the ads aren’t truthful. But arguing factual points when discussing mass-marketing is like trying to pin Jello to a wall. Does anyone seriously believe that Windows was designed to empower potential, as the magazine ads would have us believe, or that buying an iPod will turn you into a fabulously hip dancing machine? Zune ads don’t mention the fact that Microsoft makes the device, so it must be that some clever, aggressive upstart company is behind the Zune.

    The fact that Gates actually acknowledged the ads simply shows their effectiveness, and Microsoft’s annoyance with them.

    Moving past marketing, I agree that comparing the number of vulnerabilities isn’t illustrative of reality. I invite security experts everwhere to contact any random 100 regular human beings who use Windows, and a random 100 Mac-using humans. Ask each how many times they’ve had to reinstall their OS in the last three years, how many times each week their work is interrupted by virus protection software notices, and how many hours they’ve spent cleaning up problems caused by security problems of any kind. All of this talk between security experts about how secure each OS is in the abstract is great and all, but most people aren’t security experts. How about focusing on real-world use by regular people?

    Any bets on how that would turn out?

  36. Right, uh, I know I’m totally out of fashion here, but…

    Does David Maynor matter? At all? About anything? Ever?

    Okay, cool… I was just checking…

  37. El Macalopo:
    >One.
    >So, it’s not “commercials”. It’s “commercial”.

    Au contraire, oh mythical one. There are TWO getamac ads about security.

    The recent one titled “Security” mentions Vista by name:

    http://movies.apple.com/movies/us/apple/getamac/apple-getamac-security_480x376.mov

    The older one titled “Viruses” mentions 114,000 viruses, but it looks dubbed in:

    http://movies.apple.com/movies/us/apple/getamac_ads1/viruses_480x376.mov

  38. Well, the Macalope is pretty sure they added that ad today. It’s not in Wikipedia’s list of ads and Wikipedia does have the other most recent set. It’s also not on the Unofficial Apple Weblog’s list of the most recent ads. Their list of the most recent is “Surgery, “Sabotage” and “Tech Support”. Apple’s page has “Security”, “Surgery” and “Tech Support”.

    While the Macalope finds it probably one of the funniest of the whole collection, it’s not exactly what he had in mind when he asked Apple to get serious about security.

  39. I would like to offer some food-for-thought that hasn’t been touched upon with this good debate.

    Who has the most to lose?

    My bet is on all the third-party security software companies and developers. There seems to be an ecosystem that is firmly in place with XP and not so much with OS X.

    This seems like a whole other can ‘o worms.

  40. The first thing that came to my mind is that Apple was doing exactly what Bill Gates did: challenge the hacker community to prove them wrong.

    So will Maynor now take Gates’ challenge? Because Gates definitely threw one out there.

  41. One thing that has struck me about this discussion is the simple assertion (and acceptance) of the idea that Vista has no known security flaws. Is this true? People must have been working on this. If it’s true, I need to upgrade every machine in my organization post-haste…

  42. I think what’s been lost (and the Macalope has found) in a lot of this Vista v. OS X security debate is that Vista has some kickass security and obscurity features that Apple should absolutely adopt (patent issues may prevent some of that). For instance, address space layout randomization. It’s not a guaranteed exploit solver, but my understanding is that it makes Vista immediately dramatically more resistant to a host of the common major attacks against XP. It’s just done. Yes, hackers will probably figure out ways to game ASLR, but it raises the bar. Apple doesn’t do ASLR. They probably should. They probably will.

    There’s a long list of neat security measures that Vista is built with and that it offers, and given that it’s inevitable that Mac OS X is cracked in a comprehensive way–that’s separate from how easy it is to vector the attack, something that Maynor doesn’t directly address–Apple is, I hope, stealing ideas from Vista.

    Interestingly, I think Allchin was emphasizing the positive in the security area, while Gates the negative.

Leave a Reply to David Maynor Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.