Does Sophos' Switch Argument Hold Water?
Wednesday's press-release-borne message from security firm Sophos that the best way for Windows users to compute untroubled (or less troubled) by malware is to switch to Mac OS X drew more than 500 comments; read on for the Backslash summary of the conversation.
Several readers pointed suspicious fingers at Sophos' motive for issuing the message in the first place; no one can call a company whose products are meant to offer "protection from viruses, Trojans, worms, spyware and spam" a disinterested party in evaluating OSes. Techguy666, for instance, writes "We use Sophos at our workplace. I also use other antivirus and antispyware — often to clean up the crap that Sophos doesn't find. Speaking as someone who's familiar with Sophos, I think it's curious that Sophos is telling home users to consider buying Macs. Go to Sophos' website and try to find a home user product ... They don't seem to promote any. If I were a conspiracy theorist, I would think this is a warning shot aimed at Microsoft because of MS's sudden focus on security, to the detriment of companies such as Sophos; send Microsoft's small clientele to the enemy — it's no skin off of Sophos' corporate nose. ... They're talking to an audience that they don't serve or interact with."
(To this, an anonymous reader writes "Sophos has a number of fat contracts with institutes of higher learning, like mine. Every student has access to a fully licensed copy of Sophos if they so choose — available for Windows 98-XP, Linux, and OS X.")
A subtler gripe comes from Kope, who calls the metrics used by Sophos "misleading," and writes that "[s]aying that the most common malware only affects Windows, therefore Macs are more secure is simply bad reasoning. ... I'm sure that 'out of the box' Macs are better. But it's not 'out of the box' that I care about. My concern is level of security during actual operation. I have no problem believing that Macs are more resistant to malware, but this measure doesn't show that to necessarily be the case."
ZachPruckowski agrees that Sophos's claim is based on a "dumb study," but not that there's an easy line to draw between out-of-box and long-term use: "For 75 percent of the world, 'out-of-the-box' == 'during actual operation.' It's those people who get infected by malware. Don't expect users to do any extra work beyond going straight to Office or IE or their email app. Thus, 'out-of-the-box' is a pretty important state."
Whatever the company's reason for issuing what many Slashdot readers would consider the farthest thing from a discovery, no reader's comments seemed to cast doubt on the conventional wisdom that Mac users are at present far safer from malware than are typical Windows users — the reasons behind that situation, though, are hotly contested. One version of the story is that OS X, by dint of its design (including UNIX-style multi-user orientation and compartmentalization generally), simply can't help being more resistant to viruses and spyware; Windows' intentional integration of operating system components has let security flaws in one small part of the operating system (such as Internet Explorer or Outlook) become flaws in all the others, too.
Reader cwgmpls, for instance, doesn't buy the argument that OS X is safe only because it's more obscure than are the various versions of Windows.
"Even if OS X is only 5% of all PCs in the world, surely there are a good number of hackers out there who would love to release an OS X virus into the wild, just to prove it can be done. Besides, the total number of OS X installs today is certainly greater than the total number of Windows installs that existed at the time the first Windows virus was released. Most hackers don't need a huge number of installs to stroke their ego. The opportunity to prove that OS X is just as vulnerable as Windows should be more than enough to motivate someone to release an OS X virus into the wild. Yet no one has done it.
There must be more at work here than OS X's small market share. OS X must be inherently more secure than Windows to not have a virus in the wild six years after its release. Certainly there are enough hackers out there who would love to show their prowess by writing an OS X virus, even for the relatively small number of OS X installs that exist; but nobody has been able to do it yet."
Several readers assert that the real reason has little to do with the hardware or the software used by the rival camps, and is mostly an issue of user education and sophistication. Typifying this argument is reader WombatControl's (unsurprisingly contested) conclusion that "the Mac userbase tends to be a lot more savvy than the Windows userbase." His argument, in short:
"I'd hazard a guess that the vast majority of Windows malware comes not from the inherent insecurity of the Windows platform but from users doing dumb things. Someone who installs some stupid little weather applet and gets infected with spyware got infected not because of a flaw in the system, but because they didn't bother to determine whether or not the source of their software was credible or not. Even if they got a prompt like Vista and OS X present they'll still authorize the program. There's no patch that can be applied to a system to prevent stupid users from mucking it up. ...
Macs are more secure because Mac users have a much tougher stance towards crapware. Mac users tend to be much more technically proficient than the average. If that "zero-tolerance" policy changes, I'm not so sure we'll see an increase in the amount of malware targeting Macs.
OS X does a great job of providing technical barriers against malware, but nothing can prevent malware that uses social engineering to do its work. Mac users are safer because they choose to be - but if you get a group of users who have no awareness of security and will blindly execute anything they come across, even if the system specifically tells them not to, that could change very quickly."
Several Windows users agreed with the thrust of this argument — namely, that no system is truly safe from a determined, malicious attacker unless users (or their trustworthy proxies) head off not just automated attacks, but social-engineering tricks that really have little to do with the OS a user is interacting with. Their approach is based on heading off malware.
Readers like snwod (a sometimes user of Mac, Linux, and Windows) offered a level-headed synopsis of this approach: "I run a good firewall/anti-virus combo along with using Ad-aware and the rest. I don't click on banner ads and I don't install strange pop-up programs. Pretty simple really." Result? "[I] haven't had a virus or malware problem in years."
To this line of reasoning, though, aphor says "My grandma's Mac isn't infected, and she clicks on everything! I'm calling bullshit. Please produce the infected Mac. One synthetic test does not make a real-world case. I run the system updater on my grandma's Mac about 3-4 times a year. That's probably 1/10th (liberal estimate) of the exposed vulnerability that a [Windows] box has."
Even if sophisticated trickery might fool any user, Savage-Rabbit thinks mechanically avoiding the more widespread script-kiddie attacks is nothing to sneeze at: "I bet there still is a fair number of Windows users who envy the Mac zealots for not having to waste their time pruning Norton/Panda/McAfee/etc... anti-malware suites with monotonous regularity never mind the endless nag screens these anti-malware suites throw at you."
The status quo has a way of not staying that way in the long term, though, and reader spyrochaete contributed one of the several (and sane) cautions against hubris on the part of OS X users, though the same logic applies to Linux and other systems whose security may be real and considerable but is grounded in part on being a smaller target for online vandals and thieves than is Windows. As he writes, "They said the same thing about Firefox, but that's starting to change. Mozilla is fixing holes all the time and I'm starting to see ads that get through Adblock (stupid Mediaplex). This is just an article about security through obscurity — the best kind of security according to too many Apple fans I've talked to. ... Faith in obscurity means you'll be totally unprepared when disaster strikes."
Amen!
Thanks to all who took part in the discussion, especially those readers quoted above.
news? (Score:4, Insightful)
Spyware and spam will remain (Score:2, Insightful)
I believe the anti virus firms are doing normal users a service by keeping lists of known bad software and preventing its spread.
That software might come in from an exploitable hole in the OS or it can come just as easily by invitation through the front door because the user believed the catch line.
3 simple words: "I love you" have been enough in the past, what will it take in future...
Well grandma... (Score:4, Insightful)
Is OS X's attack surface smaller than Windows? Sure it is. Is it impervious to user stupidity? Absolutely not. No operating system is. Linux and OS X will probably eventually get there, and the complaint we'll be hearing instead of "M$ is teh fuxxorz" will be "well, what do you expect? users are stupid!!".
Just wait, and you'll get there eventually.
[This post is brought to you courtesy of the 300 million absolutely clueless Windows users who think it's OK to run executables in password-protected ZIP files that arrive in their inboxes with lead-ins such as "hello, teh info yuo requesteded is in the attachments". We can't wait for you to take them away]
The frustrating part... (Score:3, Insightful)
Re:Oh. (Score:2, Insightful)
Network effects (Score:3, Insightful)
Obviously it helps that there haven't been any worms on OS X, but in principle writing OS X viruses isn't technically difficult. Spreading them is.
In addition, Microsoft finally appears to be concerned about security, as demonstrated with XP2 and as will probably be demonstrated in Vista. So the security advantage of OS X is, I suspect, likely to dissipate over time. Still, I plan on using OS X for the foreseeable future.
Re:Well grandma... (Score:5, Insightful)
Hmm. I just realized that this is a potential problem -- a major potential problem -- with the OSX and now Vista (and, I believe, some Linux) GUI security paradigms. We're training people to be ready to enter their administrator passwords whenever they're prompted to. And Ma & Pa User won't know when this is a good thing. Especially when badly behaved programs like Adobe's suite raise dialog after dialog during updating. What's to stop EvilSoftCo from creating a program that, during its first-time startup, just creates a dialog box that matches the standard one, and gathers your password?
Hmm. Not great, methinks. Although surely someone must have thought of this already...
Maybe, but they're still right. (Score:3, Insightful)
I'm not really surprised that everyone supporting an illegal monopoly has been brainwashed, but it's still kind of sad.
No. really. . . (Score:1, Insightful)
The best way to avoid malware (like abstinence is the best [most reliable] way to avoid pregnancy and STDs) is to stay off the internet completely and never install new software.
Best way to compute untroubled (Score:2, Insightful)
Or in a more general sense: the best way to be safer from viruses is to use a platform that is not the mainstream one. Mac OS X is one example of something that could be used. Also, Linux, FreeBSD, Solaris and various other platforms would work.
Why some OSes are more resistant (Score:5, Insightful)
My thought is that there's three reasons Macs and *nixen have fewer viruses.
Re:Spyware and spam will NOT remain to be problems (Score:2, Insightful)
Re:Well grandma... (Score:3, Insightful)
"Even if OS X is only 5% of all PCs in the world, surely there are a good number of hackers out there who would love to release an OS X virus into the wild, just to prove it can be done. Besides, the total number of OS X installs today is certainly greater than the total number of Windows installs that existed at the time the first Windows virus was released.
Most hackers don't need a huge number of installs to stroke their ego. The opportunity to prove that OS X is just as vulnerable as Windows should be more than enough to motivate someone to release an OS X virus into the wild. Yet no one has done it.
Re:Well grandma... (Score:3, Insightful)
Perhaps not watertight, but not a sieve, either. (Score:3, Insightful)
The fact of the matter is that more people are going to believe a simple quantified statement than an abstract technical discussion; so Sophos is making the argument that will convince the most people, rather than an argument that would convince, say, the more technical folks on Slashdot.
Oh, you want the technical reasons? Okay, here goes my list:
Re:I would but... (Score:3, Insightful)
Install the free Aqua Data Studio database admin tool. [aquafold.com]
My parents would but they do not like change. They had enough issues upgrading from Windows 98 to Windows XP.
This is more a matter of social engineering. Some people fear change, while others are taught only applications, not resourceful thinking.
My brother would but he plays WoW and he is not tech savvy to get OSX to run on his PC.
Take the same WOW cds and put into your Mac. Double-click the install icon. Did you forget that WOW (and pretty much every Blizzard title) is cross-platform?
Re:Well grandma... (Score:5, Insightful)
I proposed two years ago that Apple implement something similar. Create a special key combination that would be caught by the OS and passed to WindowServer, which would then spawn an alert if the app presenting the dialog was not authorised to. This is particularly useful for Keychain access, for example. I don't mind an IM program having access to my login details, but I do object to it having root access. When I install a new version of it, I have to enter my keychain password (which is my login password, by default) in a dialog box that (hopefully) the system presents, but I have no way of verifying that it is the Keychain subsystem that is going to get the password, not the application.
Intel switch resets clock on Mac viruses (Score:5, Insightful)
Well what happens now that the whole Mac architecture is shifting to Intel? It's substantially harder (almost impossible) to write a buffer overflow attack that works on two different processor architectures. You have to choose which architecture your attack is going to execute code for.
So then if there are not enough Macs around to write exploits for today, it stands to reason that there will not be any significant Mac exploits until the number of Mac users at least doubles from current figures, possibly even more.
Yes there are also attacks that attempt social engineering on a user but they often work in conjunction with more classic code exploits to gain more permission than they would have otherwise.
I'm in the "Macs are better designed" camp (Score:5, Insightful)
No question in my mind. I'm not saying they are invulnerable. Heck, the community is so tight knit that if you could get something downloaded (say that MacSaber program a few weeks ago) and put something in it, you could get the virus out there. It may be found fast, but you got it out there and by then you may have done damage.
That said, if I were to run MacSaber for the first time (or some little game or widget or whatever) and I suddenly got a box asking for my root password, you can bet I would be stopped dead in my tracks. You just DON'T SEE those boxes unless you are doing system updates or installing software like Office. If you just download a program and double click on it and get that, you have to wonder what it's doing.
Now before I switched last year, I had a PC and I ran AV and all that stuff, but it never did any good. The fact is I had a clue and could have run with nothing but my firewall and been fine. You are not guaranteed to get malware on Windows. But let's talk about my little sister and my parents. They download stuff. And since they don't know where the reputable sites are, who to trust, which programs are good, etc... they find that stuff easily. Every time "the computer is broken", it is almost inevitably malware. That or they turned something off I installed they shouldn't have (Disk Keeper, for example, which is practically required to run Windows IMHO). Same thing with neighbors I help. Even if they are somewhat savvy and can use the computer and install hardware, it still happens to them. It's pathetic. There have been viruses that you just have to preview in Outlook to get your OS infested. That is just plain bad design.
After using my Mac, it is clear to me that any idiot who sits down and uses a Mac day to day is less likely to end up with Malware. From the root prompts, to the fewer security holes, I think there is a clear reason for this divide. Mac users are not smarter. There is a very sizable portion of them that are just like introductory Windows users. They do the same stupid things. The fact they aren't ravaged by malware says something.
Now I won't deny that the Mac's market share has played a part, you'd be an idiot not to. However, I think the virus-in-the-wild count for OS X (hint: 0) means something. It means instant fame for the first person to make a good virus for OS X. You get it out there, even if it doesn't do much but change people's wallpaper or whatever and you get your name EVERYWHERE. Slashdot, Digg, all the Apple sites, the mainstream computer media (PC World, et al.). That is a REAL tempting target. Let's not forget that every time a story like that gets published, it is just someone publishing a big bulls-eye on the Mac. But the market share helps with the pop-up ad problem. How many ads do you see on the 'net that look like a Windows dialog box telling you "Your computer is infected, click here". Guess what, people do. In my house people do, my neighbors have. It tricks 'em. Most people on a Mac wouldn't be fooled by that (just because it looks different). So that kind of thing does make a difference. That report the other day that 80% of users can't tell the difference between a real toolbar and a picture of one was scary.
Macs aren't immune. The OS is better designed.
As for Linux, it's better designed too, but it also has some other influences (for example, it would be tough to make a virus that worked reliably across different kernel versions and distro configurations). But again, there are SO MANY Linux servers out there that there must be enough run by idiots that if it was just as bad as Windows we would see a reasonable number of viruses out there (i.e. more than next to none).
There was a report in my PC World today (I think it was) that was basically scare tactics about viruses ("10 Myths That Make You Vulnerable" or some such). The one about Macs and Linux being safe really made me mad. While they are not immune, Windows for the average computer user is a leper colony compared to running Mac or Linux.
Re:Slashdot now run by pointy-headed managers (Score:5, Insightful)
I think Slashdot is in serious need of maturity. This is not 1998 anymore, and stories like the one I cited make this place look like it's run by 14-year-olds - the PowerPoint deprived intellectual partners of those pointy-headed fools we love to hate. Immature 14-year-olds who are failing English, at that.
What a joke this place has become - the commenters are as, uh, great as always, but the stories, editing, and crap that makes it to the front page are ridiculous. I mean, yay for the redesign, but pissing in a jeweled goblet doesn't make the piss taste better.
Re:Why some OSes are more resistant (Score:3, Insightful)
I don't find this argument convincing.
These days, I believe the bulk of viruses and worms and malware are created by spam and DDoS guys. Spam is big money, and DDoS is either blackmail or spite. These aren't the same adolescent guys trying to show how cool they are, these are people who want to control millions of zombies.
I'm not saying that the lack of market share is the only thing OS X has going for it, security wise, but I think market share contributes much more to the motivation of malware makers than "leet points".
Re:Well grandma... (Score:3, Insightful)
Re:I'm in the "Macs are better designed" camp (Score:2, Insightful)
That is a most excellent observation
Re:I'm in the "Macs are better designed" camp (Score:3, Insightful)
Well that is one of the arguments about asking the user questions. When you ask the user too much, they just say yes. I've done that and gotten into trouble once or twice. When Windows constantly asks "Are you sure you want to delete this shortcut", "Are you sure you want to show all files", "Are you sure you want to download from this site", "Are you sure..." you learn very fast to just say yes because it is too much of a hassle. The only thing those dialogs did was annoy me. When they added them to OS X after downloading files, guess what I started doing... pressing "Yes" to EVERY ONE when it asks if I want to automatically open the file (I later turned it off because I didn't want it to open some kinds of files). In Vista, MS has added dialogs to ask for your root password when something interesting is about to happen (like updating Windows). The danger is that if they show this too often, users will just learn to type and go, and not think.
The first time or 3 a new computer user gets a prompt from Windows "Are you sure..." they STOP AND READ. The problem is that they quickly learn that Windows asks about everything. When you almost never see the dialog, or only see it when you initiate an action, then when it happens elsewhere you STOP AND READ.
If you don't show these dialogs enough, you get in trouble (because you aren't protecting the user). If you show them too much, you get in trouble (because the user ignores them). You have to strike the balance, and OS X has done a good job at that so far. We'll see how MS does in Vista (I haven't tried it, and don't have any reason to).
Re:Piss off moderators. (Score:3, Insightful)
Two thoughts:
- It's Word, an MS program. Kinda amusing to see people assert that Macs are as bad as Windows because an MS app is ridiculously un-sandboxed.
- These people HAVE to trade doc files. It's business. Still, it's business folks who continue to insist that they must use Word. It's not the OS's problem, it's a complete social engineering problem. They're practically sharing
Word macro viruses are not a fault of the OS, they're a fault of the application. A Microsoft Application.
I use Windows, I'm not a Mac zealot or anything, but cmon
Historically, even tho I spent two years of my life reformatting Macs because of word macro trojans, I never saw it as a flaw in the OS but rather a flaw in Word. Most techs I knew saw it that way too.
Nobody is arguing that OSes can get fucked up. They're arguing that surfing the internet in the more 'sandboxy' environment of the web is safer on a Mac than a PC. Even THEN, nobody would argue right now that it's safer on a Mac, they're just arguing about the reason. That's why the parent got a Troll. He wasn't really contributing to the discussion about *why*, he was just pointing out that Macs can get infected. That's a pretty trollish thing to say, because it seems to hint at an agenda based on personal experience. Like I said, I fought with that shit for 2 years, on the worst laptops ever created (the 5300s) and I still never felt that it was an OS issue.
It's very simple to me
Hey, one other thing; malware isn't a virus, and it's important to distinguish between them when discussing exploitability. Lots of malware don't do anything more special than what major corporate software does in order to 'integrate' with the OS. Microsoft just bends over backwards to provide that integration
Re:Out of the box is one thing (Score:3, Insightful)
> What does that tell you caused the problems?
It tells me that your friend is not a competent Mac-Technician. A re-install might be the preferred way to fix a Windows system, but it is almost never necessary to reinstall a MacOSX-Box.
I've used OSX since public beta and have at least a little experience in fixing OSX-boxen.
> What does that tell you caused the problems? Some malware running on the machine is what.
And it tells me that you're jumping to conclusions.
I haven't seen any rootkit in the wild yet and I don't consider a php-flaw some OSX-related problem because it is nothing that comes pre-activated/installed on your box.
A different beast are Word-Macro-Viruses on OSX - at least theoretically - though even those seem to be close to irrelevant still.
If you like it or not, OSX is extremely secure against outside attacks - inherently and out of the box.
And given the fact that anybody who'd write and publish an efficient OSX-worm would be famous, I highly doubt that OSX is just "safe because of the low market share."
k2r