Forgot your password?
typodupeerror

Does Sophos' Switch Argument Hold Water? 249

Posted by timothy
from the 40-lashes-with-a-willow-switch-story dept.

Wednesday's press-release-borne message from security firm Sophos that the best way for Windows users to compute untroubled (or less troubled) by malware is to switch to Mac OS X drew more than 500 comments; read on for the Backslash summary of the conversation.

Several readers pointed suspicious fingers at Sophos' motive for issuing the message in the first place; no one can call a company whose products are meant to offer "protection from viruses, Trojans, worms, spyware and spam" a disinterested party in evaluating OSes. Techguy666, for instance, writes "We use Sophos at our workplace. I also use other antivirus and antispyware — often to clean up the crap that Sophos doesn't find. Speaking as someone who's familiar with Sophos, I think it's curious that Sophos is telling home users to consider buying Macs. Go to Sophos' website and try to find a home user product ... They don't seem to promote any. If I were a conspiracy theorist, I would think this is a warning shot aimed at Microsoft because of MS's sudden focus on security, to the detriment of companies such as Sophos; send Microsoft's small clientele to the enemy &mdash it's no skin off of Sophos' corporate nose. ... They're talking to an audience that they don't serve or interact with."

(To this, an anonymous reader writes "Sophos has a number of fat contracts with institutes of higher learning, like mine. Every student has access to a fully licensed copy of Sophos if they so choose — available for Windows 98-XP, Linux, and OS X.")

A subtler gripe comes from Kope, who calls the metrics used by Sophos "misleading," and writes that "[s]aying that the most common malware only effects Windows, therefore Macs are more secure is simply bad reasoning. ... I'm sure that 'out of the box' Macs are better. But it's not 'out of the box' that I care about. My concern is level of security during actual operation. I have no problem believing that Macs are more resistant to malware, but this measure doesn't show that to necessarily be the case."

ZachPruckowski agrees that Sophos's claim is based on a "dumb study," but not that there's an easy line to draw between out-of-box and long-term use: "For 75 percent of the world, 'out-of-the-box' == 'during actual operation.' It's those people who get infected by malware. Don't expect users to do any extra work beyond going straight to Office or IE or their email app. Thus, 'out-of-the-box' is a pretty important state."

Whatever the company's reason for issuing what many Slashdot readers would consider the farthest thing from a discovery, no reader's comments seemed to cast doubt on the conventional wisdom that Mac users are at present far safer from malware than are typical Windows users — the reasons behind that situation, though, are hotly contested. One version of the story is that OS X, by dint of its design (including UNIX-style multi-user orientation and compartmentalization generally) simply can't help being more resistant to viruses and spyware; Windows intentional integration of operating system components has let security flaws in one small part of the operating system (such as Internet Explorer or Outlook) become flaws in all the others, too.

Reader cwgmpls, for instance, doesn't buy the argument that OS X is safe only because it's more obscure than are the various versions of Windows.

"Even if OS X is only 5% of all PCs in the world, surely there are a good number of hackers out there who would love to release an OS X virus into the wild, just to prove it can be done. Besides, the total number of OS X installs today is certainly greater than the total number of Windows installs that existed at the time the first Windows virus was released.

Most hackers don't need a huge number of installs to stroke their ego. The opportunity to prove that OS X is just as vulnerable as Windows should be more than enough to motivate someone to release an OS X virus into the wild. Yet no one has done it.

There must be more at work here than OS X's small market share. OS X must be inherently more secure than Windows to not have a virus in the wild six years after its release. Certainly there are enough hackers out there who would love to show their prowess by writing an OS X virus, even for the relatively small number of OS X installs that exist; but nobody has been able to do it yet."

Several readers assert that the real reason has little to do with the hardware or the software used by the rival camps, and is mostly an issue of user education and sophistication. Typifying this argument is reader WombatControl's (unsurprisingly contested) conclusion that "the Mac userbase tends to be a lot more savvy than the Windows userbase." His argument, in short:

"I'd hazard a guess that the vast majority of Windows malware comes not from the inherent insecurity of the Windows platform but from users doing dumb things. Someone who installs some stupid little weather applet and gets infected with spyware got infected not because of a flaw in the system, but because they didn't bother to determine whether or not the source of their software was credible or not. Even if they got a prompt like Vista and OS X present they'll still authorize the program. There's no patch that can be applied to a system to prevent stupid users from mucking it up. ...

Macs are more secure because Mac users have a much tougher stance towards crapware. Mac users tend to be much more technically proficient than the average. If that "zero-tolerance" policy changes, I'm not so sure we'll see an increase in the amount of malware targeting Macs.

OS X does a great job of providing technical barriers against malware, but nothing can prevent malware that uses social engineering to do its work. Mac users are safer because they choose to be - but if you get a group of users who have no awareness of security and will blindly execute anything they come across, even if the system specifically tells them not to, that could change very quickly."

Several Windows users agreed with the thrust of this argument — namely, that no system is truly safe from a determined, malicious attacker unless users (or their trustworthy proxies) head off not just automated attacks, but social-engineering tricks that really have little to do with the OS a user is interacting with. Their approach is based on heading off malware.

Readers like snwod (a sometimes user of Mac, Linux, and Windows) offered a level-headed synopsis of this approach: "I run a good firewall/anti-virus combo along with using Ad-aware and the rest. I don't click on banner adds and I don't install strange pop-up programs. Pretty simple really." Result? "[I] haven't had a virus or malware problem in years."

To this line of reasoning, though, aphor says "My grandma's Mac isn't infected, and she clicks on everything! I'm calling bullshit. Please produce the infected Mac. One synthetic test does not make a real-world case. I run the system updater on my grandma's Mac about 3-4 times a year. That's probably 1/10th (liberal estimate) of the exposed vulnerability that a [Windows] box has."

Even if sophisticated trickery might fool any user, Savage-Rabbit thinks avoiding mechanically the more widespread script-kiddy attacks is nothing to sneeze at: "I bet there still is a fair number of Windows users who envy the Mac zealots for not having to waste their time pruning Norton/Panda/Macaffee/etc... anti-malware suites with monotonous regularity never mind the endless nag screens these anti-malware suites throw at you."

The status quo has a way of not staying that way in the long term, though, and reader spyrochaete contributed one of the several (and sane) cautions against hubris on the part of OS X users, though the same logic applies to Linux and other systems whose security may be real and considerable but is grounded in part on being a smaller target for online vandals and thieves than is Windows. As he writes, "They said the same thing about Firefox, but that's starting to change. Mozilla is fixing holes all the time and I'm starting to see ads that get through Adblock (stupid Mediaplex). This is just an article about security through obscurity — the best kind of security according to too many Apple fans I've talked to. ... Faith in obscurity means you'll be totally unprepared when disaster strikes."

Amen!


Thanks to all who took part in the discussion, especially those readers quoted above.
This discussion has been archived. No new comments can be posted.

Does Sophos' Switch Argument Hold Water?

Comments Filter:
  • by Saven Marek (739395) on Thursday July 06, 2006 @05:30PM (#15670936)
    Out of the box may be one thing, but continuing use is something else.

    Don't let anyone tell you macs have no malware, it's just not true. from Renepo the rootkit, to php worms that send out spam infecting message boards, to word macro viruses to the recent oompaloompa, they affect macs as badly as they can affect windows.

    One thing that tells mac users they have fewer viruses is poor antivirus software. A friend of mine works in a mac shop and often people will come in with bizarre problems with their macs. No networking working, slow networking, random crashes, won't wake properly from sleep. Scanning with an antivirus package shows no viruses, yet a software reinstall fresh from scratch fixes many of those problems. What does that tell you caused the problems? Some malware running on the machine is what.

    When mac software gets up to scratch in detecting the worms that are out there for macs, that is the only time people will get the truth about maleware infections. Sophos need to get off their ass and make something more worthwhile for macs and then we'll see who goes saying what about security.
  • Re:I switched (Score:3, Informative)

    by larkost (79011) on Thursday July 06, 2006 @05:52PM (#15671133)
    On the last you might want to look into PDF Equation [metaquark.de]. If you then need it in jpeg (or PNG) format, then Preview.app can help you out with that.

    And a crash a week is too much. You probably have something gone wrong there.. like bad memory or a peripheral that is not happy.
  • by devjj (956776) on Thursday July 06, 2006 @06:19PM (#15671348)
    Umm.. no. Check out a lot of major tech conference, especially in OS and Rails circles. You would be surprised how many geeks use Macs. You'd be even more surprised to hear why. Hint: It's got nothing to do with malware.
  • by Anonymous Coward on Thursday July 06, 2006 @06:31PM (#15671426)
    The article and the thread still spout the same uninformed reasoning about why there aren't OS X viruses. Let's take a look at each of the bogus reasons.

    "It's because there aren't many OS X machines."
    Bogus. 4% might be a small percentage, but there are tens of millions of Macs out there. Not only that, Apple users tend to be smug and Apple itself puts out a constant vibe of superiority, plus a very visible chain of elitist boutique retail stores. Is there not a hacker on Earth motivated to take down those arrogant Mac users?
    On top of that, with millions of OS X machines out there, the number of self-propagating viruses in the wild should be greater than zero. But the number is actually zero.
    Surely something more than "security through obscurity" is at work here.

    "Mac users are more sophisticated."
    Bogus. Aren't Macs supposed to be the computer "for the rest of us," the non-technical, the artsy-fartsy, the writers, the musicians, the English majors? Those people are NOT technically savvy, yet they are the Mac's core users.
    Macs have fewer viruses even though their users are not technically oriented and are not security savvy.

    "All you have to do is trick a Mac user into entering their root password."
    Bogus. The root user is not enabled by default in OS X. The non-technical users mentioned above are not going to know how to turn it on.
    You might be confusing the root and administrative passwords, since there isn't that much of a barrier between the two in Windows.

    The Mac is safer because of the nature of Unix architecture and Apple's own safeguards, not because of obscurity or user sophistication. There are things you can get away with in Windows, like certain e-mail-based viruses, that are simply not allowed in OS X. Mac OS X is not invincible, but clearly there are structural advantages to how OS X is set up for security.

    Remember, the number of viruses in the wild for Mac OS X is not proportional to market share, user base sophistication, or anything. It's pretty hard to correlate the number of viruses to any single cause when the number is ZERO.
  • by TheRaven64 (641858) on Thursday July 06, 2006 @06:55PM (#15671574) Journal
    Mach does very little in XNU (the OS X kernel). It handles threading, scheduling, and VM. Everything else is handled by IOKit (device access) or the BSD subsystem. The BSD subsystem is a weird hybrid, originally forked from 4.2BSD (I believe) and recently injected with NetBSD (in the Rhapsody era) and FreeBSD (more recently) code.

    The fact that Mach was designed with security in mind is why no one sane used it. Mach checked port rights on every message send, which made a Mach system call and order of magnitude slower than a BSD system call. While people might be willing to sacrifice 10-20% of their power for security, 90% is too expensive. This was exacerbated by the fact that Mach required a lot of context switches to get anything done. On OS X, this is irrelevant. The entire XNU kernel runs in a single address space, losing the memory protection benefit that a multi-server Mach-based OS (like Mach/HURD) gains. In addition, Mach messages are only used at the Mach layer (and for a few low-performance things, like notifying the GUI of kernel-related changes), removing this benefit.

  • Equation to jpg (Score:3, Informative)

    by astrosmash (3561) on Thursday July 06, 2006 @06:59PM (#15671590) Journal
    I still can't figure out how to get an equation to pretty print to a jpg on a mac

    Create your equation in either Grapher.app or the Equation Editor tool that comes bundled with Appleworks. (Equation Editor is more powerful and flexible and has a certain classic charm, but it's very old and a little clunky. Grapher is newer and easier to use).

    Select and copy the equation to the clipboard. Open Preview.app. Select File->New (or hit Cmd+N); this creates a new document containing the image in your clipboard. Select File->Save As (or Cmd+Shift+S) and save as the filetype of your choice.

    You can also paste equation as PDF directly into TextEdit, or Pages, or OmniOutliner, or any other fine application.

  • by vertinox (846076) on Thursday July 06, 2006 @07:03PM (#15671610)
    So there is no way possible for Mac user without proper tools (which he dont have and dont want to use) to identify and report any intrusion.

    Huh? What's wrong with typing "netstat -a" and "ps -aux" in the console?

    Thats all the tools I need to detect unathorized connections and programs.
  • Re:Well grandma... (Score:3, Informative)

    by Todd Knarr (15451) on Thursday July 06, 2006 @07:27PM (#15671749) Homepage

    Actually my approach is simple and requires a minimum of IQ points: "Everything you need to do that needs administrative access is on the "Administration" menu. Anything else is trying to trick you.". That's a nice, simple black-and-white rule that's easy for the average user to get their head around, much easier than the rules needed under Windows. This neatly gets them out of the habit of OK'ing every dialog they find because they don't run into that many extraneous dialogs that have to be dismissed. Those seem to be a Windows-specific artifact.

    This even works for Web-based stuff.
    User: "But what if my browser prompts me to install something?"
    Me: "Did you pick an item off the "Administration" menu?"
    User: "No."
    Me: "What did I just say about that, then?"
    User: "It's trying to trick me."
    Me: "And what do you do?"
    User: "Click the "Cancel" button."
    Me: "You're learning."
    I swear, sometimes I think Windows is just plain neurotic the way it keeps asking for permission and confirmation all the time. Linux, *BSD and OSX aren't afraid to tell an application "No you can't do that.", why does Windows insist on making so sure an app really truly shouldn't do something dangerous?

  • by toadlife (301863) on Thursday July 06, 2006 @08:10PM (#15672011) Journal
    "It's partly the lack of market share. That's offset to a large degree by the extra l33t points accruing to the guy who manages to release the first malware to get widespread penetration into those "invulnerable" systems."

    The days of writing malware just for fun are certainly not gone (and never will be), but do you really think the number of people doing it for fun are even remotely comparable to the number doing it for money? It seems for every virus that destroys/spreads and nothing else, there are a hundred others that are written specifically to recruit computers into botnets - which are then used for monetary gain. And that leaves out spyware of which none is written "for fun". OS X doesn't come with any daemons listening by default, so the ability to infect OS X machines without user interaction is virtually nil. Network based worms that infect vulnerable daemons are the only type of malware that are not hampered by the number of vulnerable hosts, so the only option in infecting OSX boxes is to get everyone to infect themselves via some form of social engineering. In order to lure people into infecting themselves, you have to reach them some way. How would you reach all of the OS X users on the net and then get them all to run your virus?

    "It's in large part inherent system design. The basic design point: the separation between ordinary users and the administrative user (root). That separation means that, even if you do get infected with malware, the malware can't spread into the system itself..."

    Malware need not "spread into the system" to take advantage of the system's resources. It only needs access to the user's home directory.

    "It can't tie into system libraries, it can't have itself started at system startup,

    I'm not sure what you mean by "tie into system libraries", but malware certainly does not need root to start itself up at system startup. Ever hear of crontab? ~/.kde/autostart? ~/.profile? ~/.shrc? The options for starting processes up at startup or logon in unix-type systems are plentiful.

    "it can't hide itself from the administrative user."

    For the competent, cleanup certainly is easier if malware is restricted to the user's home, but if your average non-techie desktop user is the administrator, I don't think it would be very hard to hide something from them.

    The only thing privilege separation does is protect the system from non-root users and non-root users from other non-root users. It makes sense because that's the only thing it was designed to do.

    Application sandboxing (SELinux, Novell's AppArmor, and Vista's Application ACLs) all come much closer to being the "silver bullet" everyone is looking for - at least in regards to protecting users from exploits, but the patch for stupid still eludes everyone.
  • by BrianWCarver (569070) on Thursday July 06, 2006 @09:29PM (#15672464) Homepage
    I have seen several dissing these new story+commentary summaries, but I have to say I like them a lot.

    I don't always get to read every last story on Slashdot (like some of the complainers, I suspect) and I even less often get to read a decent chunk of the comments. Having EDITORS filter through all that and pick out the gems saves me a lot of time and (hopefully) features the best of Slashdot.

    One personal note on the topic of malware.

    Personally, I've only ever been bitten by a hack on my Debian GNU/Linux server. Never had an OS X virus (on either my Powerbook G4, wife's iBook G3, or my new MacBook. Also never had a Windows virus, but I stopped using Windows completely in early 2000. (It's now back on my MacBook and scares me to death.)

    Admittedly, the server hack was my fault. I think it was an ssh dictionary attack that I wasn't watching for with fail2ban [sourceforge.net] or another monitoring/blocking service and I probably didn't have good passwords on that machine at that time, but nonetheless it illustrates that everyone's experience with malware is different. I happen to only have had trouble on arguably the most secure OS of the bunch--and then it was the result of poor user management of the system (due to inexperience). I think that's probably the sum of it in most cases: you can't account for what an inexperienced user may expose themselves to on ANY OS.
  • Re:Seenonslash (Score:2, Informative)

    by Anonymous Coward on Thursday July 06, 2006 @11:56PM (#15673149)
    try Seamonkey..really, it's better. Pages look better, load faster, stuff like that. You can just install the browser part if you want. It really is better than FF now. I run both back to back all the time just to check, every new stable release-Seamonkey wins hands down. FF has the press and all the bloated extensions, the things that can take the "small fast" browser concept they pushed into the humongous memory bloated hog that it is now. Plus, Seamonkey isn't dumbed down into kiddie candy land status in the preferences panel like FF is, and it has the "normal" one large URL window you can *read* and two buttons (go or search), instead of two tiny cramped URL windows. That part has always been a WTF? for me with FF, because it is clearly lame.

        Why the difference in rendering, etc, I cannot say, just "is" is all.
  • Re:Well grandma... (Score:3, Informative)

    by Anonymous Coward on Friday July 07, 2006 @08:11AM (#15674324)
    Poppycock.

    Windows is running in protected mode at the login screen. Generating a hardware interrupt from ctrl+alt+del was a bios feature.

    ergo, if you are running NT, 2K or XP then keyboard is handled by the OS rather than the bios and there is no automatic hardware interrupt. It only works in real mode!!!

    Also, what if you are using a USB keyboard?
  • Re:OT: Seamonkey (Score:2, Informative)

    by espinafre (973274) on Friday July 07, 2006 @11:52AM (#15675952) Homepage
    I'm using adblock and flashblock on Seamonkey, and they both work great. I didn't bother with a speelchecker, as my grammer is great, but I'm sure that would work liek a charm, too.

Profanity is the one language all programmers know best.

Working...