Does Sophos' Switch Argument Hold Water?

Wednesday's press-release-borne message from security firm Sophos that the best way for Windows users to compute untroubled (or less troubled) by malware is to switch to Mac OS X drew more than 500 comments; read on for the Backslash summary of the conversation.

Several readers pointed suspicious fingers at Sophos' motive for issuing the message in the first place; no one can call a company whose products are meant to offer "protection from viruses, Trojans, worms, spyware and spam" a disinterested party in evaluating OSes. Techguy666, for instance, writes "We use Sophos at our workplace. I also use other antivirus and antispyware — often to clean up the crap that Sophos doesn't find. Speaking as someone who's familiar with Sophos, I think it's curious that Sophos is telling home users to consider buying Macs. Go to Sophos' website and try to find a home user product ... They don't seem to promote any. If I were a conspiracy theorist, I would think this is a warning shot aimed at Microsoft because of MS's sudden focus on security, to the detriment of companies such as Sophos; send Microsoft's small clientele to the enemy &mdash it's no skin off of Sophos' corporate nose. ... They're talking to an audience that they don't serve or interact with."

(To this, an anonymous reader writes "Sophos has a number of fat contracts with institutes of higher learning, like mine. Every student has access to a fully licensed copy of Sophos if they so choose — available for Windows 98-XP, Linux, and OS X.")

A subtler gripe comes from Kope, who calls the metrics used by Sophos "misleading," and writes that "[s]aying that the most common malware only effects Windows, therefore Macs are more secure is simply bad reasoning. ... I'm sure that 'out of the box' Macs are better. But it's not 'out of the box' that I care about. My concern is level of security during actual operation. I have no problem believing that Macs are more resistant to malware, but this measure doesn't show that to necessarily be the case."

ZachPruckowski agrees that Sophos's claim is based on a "dumb study," but not that there's an easy line to draw between out-of-box and long-term use: "For 75 percent of the world, 'out-of-the-box' == 'during actual operation.' It's those people who get infected by malware. Don't expect users to do any extra work beyond going straight to Office or IE or their email app. Thus, 'out-of-the-box' is a pretty important state."

Whatever the company's reason for issuing what many Slashdot readers would consider the farthest thing from a discovery, no reader's comments seemed to cast doubt on the conventional wisdom that Mac users are at present far safer from malware than are typical Windows users — the reasons behind that situation, though, are hotly contested. One version of the story is that OS X, by dint of its design (including UNIX-style multi-user orientation and compartmentalization generally) simply can't help being more resistant to viruses and spyware; Windows intentional integration of operating system components has let security flaws in one small part of the operating system (such as Internet Explorer or Outlook) become flaws in all the others, too.

Reader cwgmpls, for instance, doesn't buy the argument that OS X is safe only because it's more obscure than are the various versions of Windows.

"Even if OS X is only 5% of all PCs in the world, surely there are a good number of hackers out there who would love to release an OS X virus into the wild, just to prove it can be done. Besides, the total number of OS X installs today is certainly greater than the total number of Windows installs that existed at the time the first Windows virus was released.

Most hackers don't need a huge number of installs to stroke their ego. The opportunity to prove that OS X is just as vulnerable as Windows should be more than enough to motivate someone to release an OS X virus into the wild. Yet no one has done it.

There must be more at work here than OS X's small market share. OS X must be inherently more secure than Windows to not have a virus in the wild six years after its release. Certainly there are enough hackers out there who would love to show their prowess by writing an OS X virus, even for the relatively small number of OS X installs that exist; but nobody has been able to do it yet."

Several readers assert that the real reason has little to do with the hardware or the software used by the rival camps, and is mostly an issue of user education and sophistication. Typifying this argument is reader WombatControl's (unsurprisingly contested) conclusion that "the Mac userbase tends to be a lot more savvy than the Windows userbase." His argument, in short:

"I'd hazard a guess that the vast majority of Windows malware comes not from the inherent insecurity of the Windows platform but from users doing dumb things. Someone who installs some stupid little weather applet and gets infected with spyware got infected not because of a flaw in the system, but because they didn't bother to determine whether or not the source of their software was credible or not. Even if they got a prompt like Vista and OS X present they'll still authorize the program. There's no patch that can be applied to a system to prevent stupid users from mucking it up. ...

Macs are more secure because Mac users have a much tougher stance towards crapware. Mac users tend to be much more technically proficient than the average. If that "zero-tolerance" policy changes, I'm not so sure we'll see an increase in the amount of malware targeting Macs.

OS X does a great job of providing technical barriers against malware, but nothing can prevent malware that uses social engineering to do its work. Mac users are safer because they choose to be - but if you get a group of users who have no awareness of security and will blindly execute anything they come across, even if the system specifically tells them not to, that could change very quickly."

Several Windows users agreed with the thrust of this argument — namely, that no system is truly safe from a determined, malicious attacker unless users (or their trustworthy proxies) head off not just automated attacks, but social-engineering tricks that really have little to do with the OS a user is interacting with. Their approach is based on heading off malware.

Readers like snwod (a sometimes user of Mac, Linux, and Windows) offered a level-headed synopsis of this approach: "I run a good firewall/anti-virus combo along with using Ad-aware and the rest. I don't click on banner adds and I don't install strange pop-up programs. Pretty simple really." Result? "[I] haven't had a virus or malware problem in years."

To this line of reasoning, though, aphor says "My grandma's Mac isn't infected, and she clicks on everything! I'm calling bullshit. Please produce the infected Mac. One synthetic test does not make a real-world case. I run the system updater on my grandma's Mac about 3-4 times a year. That's probably 1/10th (liberal estimate) of the exposed vulnerability that a [Windows] box has."

Even if sophisticated trickery might fool any user, Savage-Rabbit thinks avoiding mechanically the more widespread script-kiddy attacks is nothing to sneeze at: "I bet there still is a fair number of Windows users who envy the Mac zealots for not having to waste their time pruning Norton/Panda/Macaffee/etc... anti-malware suites with monotonous regularity never mind the endless nag screens these anti-malware suites throw at you."

The status quo has a way of not staying that way in the long term, though, and reader spyrochaete contributed one of the several (and sane) cautions against hubris on the part of OS X users, though the same logic applies to Linux and other systems whose security may be real and considerable but is grounded in part on being a smaller target for online vandals and thieves than is Windows. As he writes, "They said the same thing about Firefox, but that's starting to change. Mozilla is fixing holes all the time and I'm starting to see ads that get through Adblock (stupid Mediaplex). This is just an article about security through obscurity — the best kind of security according to too many Apple fans I've talked to. ... Faith in obscurity means you'll be totally unprepared when disaster strikes."

Amen!

---

Thanks to all who took part in the discussion, especially those readers quoted above.

Piss off moderators.

[Anonymous Coward]

Goddammit moderators, it's this kind of moderating that makes the problem worse. I run a mac house, and word macro viruses are the bane of my existence. Word is absolutely ESSENTIAL to our business, and currently no mac antivirus software properly rids a mac of word macro viruses, fullstop. We've been through them all, and over & over we end up with client documents coming in, infecting other client documents, leaving us sending out infected files.

It's not a nothing problem you can just sweep under the carpet with a quick moderation, people, it's going to come up and bite you in the ass, and bite HARD.

Don't be ignorant shits.

* swearing included so you can have a reason to mod me down. bah.

Re:Spyware and spam will remain

[varmittang]

Spyware and Spam would be a maybe, but so far the Mac or Linux/*nix computers don't have any, only Windows. And what happens is a computer gets infected with malware/spyware, and then it becomes a spam bot. But if a computer can be made safe from getting malware first, which again Mac and Linux/*nix are, then spam operators wont have any spam bots, and hopefully we can then track down the sources of spam a lot easier to the server of the spammer. And yes, there are stupid users, my parents are a couple of them. But hey, got them a Mac and didn't need to worry after that. Hell, I came home from school one weekend and my dad was telling me he had trouble opening an attachment. I laughed because it was a virus and he couldn't get it to work after getting it in an email. He has become smarter about it but he sometimes just wants to click away.

Re:Network effects

[99BottlesOfBeerInMyF]

Obviously it helps that there haven't been any worms on OS X, but in principle writing OS X viruses isn't technically difficult. Spreading them is.

This is true for all OS's. It is the propagation mechanism(s) that are the hard part. Most malware by infection number is not spread as trojans. Especially, most is not spread as trojans not disguised as data. With Windows, it is easier to disguise a program as data and it is easier to find a remote vulnerability to exploit. As you mentioned, it is also easier to find targets to propagate, but in this day and age of worms with many different propagation techniques built in, it would be easy to add another to attack macs as well as Windows machines, were such a vulnerability easy to find and exploit.

In addition, Microsoft finally appears to be concerned about security, as demonstrated with XP2 and as will probably be demonstrated in Vista.

There is a difference between "concerned" and doing what the hundreds of screaming security experts have been asking you to for ages. XP SP2 still runs RPC on a network port, even when it is a local service. It still runs the Web browser in privileged space. It still hides file extensions by default. Sure they've made a few improvements, but they are merely convenient, minor hacks. The main thing they ahve done is, the same as every other new OS release, announced that this time it is super-duper secure in every paper, interview, and industry rag they can in the hopes that some idiots will believe it this time too. It worked.

the security advantage of OS X is, I suspect, likely to dissipate over time.

That depends upon if Apple stands still on the security front (they don't have a big problem now so they might) or if they move forward and implement some of the new security technologies being pioneered in secure Linux variants, OpenBSD, and Solaris. MS is not quite standing still, but they are close and only grabbing fruit so low hanging it has been rotting on the ground for years. Apple is an unknown quantity.

It's hard to measure what they are saying.

[Anonymous Coward]

Well we're talking about relative amounts. I'm a linux zeolot that owns a few macs and loves them, just for the record.

When you talk about security things and security software people like to have numbers, it makes them feel good. Like the Snort IDS has 3000 signatures (I'm not sure what the latest number is but I imagine it's around 3k) or Norton AV detects 50,000 viruses where non-Norton AV may only detect 20,000 known viruses and some other IDS may only have 100 signatures. Does that make Snort and Norton AV better because they have bigger numbers? For certain types of audits it might be better but for real security it doesn't matter that much. At any given time you're probably only realistically concerned with a smallish handful of IDS signatures or viruses. The old "stoned" viruses for example (of which there are dozens of variants) simply aren't interesting or even terribly important today. This has a direct correlation to desktop security. Basically, the number of holes as a raw metric isn't so interesting, you're really concerned about the holes you have that people don't know about (or maybe they do) Fundamentally though, at any given time there are only a handful of interesting viruses that are active or interesting exploits that people are really using, big databases of them look better but don't mean much.

Mac OS X isn't built using some exotic technology (or maybe not exotic, Ada or Java would be exotic for an OS) that somehow creates fewer bugs. It's in C, C++ and Objective-C, not that different from windows. It has gone through some porting which might lead to better code and coding practices. Relatively speaking the bug densities should be fairly similar. Apple is different from MS in a somewhat larger way though, they don't have the same resources and so they probably generate a lot less code. They also have to please Steve and rather than adding feature after feature which has kind of been the MS way, they've taken a much more simple route. Less code is less bugs. More features probably does mean more bugs but I'm not sure I've seen that really established as a general truth anywhere.

The crapware point is an interesting one. Personally, since I've been Mac OS Xing it, my taste and tollerance has changed. I don't know that it's particularly more secure but I do expect things to work and I think I have a higher standard than I have in the past. I know on windows (which I don't use much) I've been less expectent of things working. In the wildwildwest days of Linux I got really use to v0.4 and 0.7 of various things working enough to get some stuff done. On OSX I pretty much demand that things work, I demand that apps are "good." (TM) There are some emotional things that may result in better security, I don't just willy-nilly install stuff, I like some vendors better than others, Apple for example has a track record of building really good software for OS X, I'm more likely to use their shit. Nagware is simply a no-go. To be completely honest, there isn't that much stuff that I really *have* to install on it to get it up and running and productive. I can't remember not "enhancing" a Linux install or windows install before it was "useable"

Maybe the other biggest thing and I couldn't back this up with real science anywhere, MS has a tremendous legacy to support. Simply removing DCOM or OLE or Active-X might fix a ton of security problems but windows wouldn't keep working. I think Apple may have learned some of those lessons form AppleTalk back in the day; I don't even know if you can make OS X do it, I really have no need.

The reason for sex

[Colin Smith]

I'd have to use social engineering methods via e-mail or IM, and the majority of people in both mediums won't be using Macs.

There you go. The reason sex exist at all and why monocultures are dumb. Diversity and variation makes life very difficult for diseases.

In fact the security advantage of OSX isn't likely to dissipate all that much, a monoculture will always be more likely to spread diseases, all it takes is a single flaw and there are going to be plenty of flaws in millions of lines of code.

 

Re:Network effects

[mstone]

While I don't buy the simplistic "if OS X had as many users as Windows, OS X would have just as many viruses" argument, I do believe in the power of Metcalfe's law: the value of joining a network increases geometrically with the size of the network itself.

Personally, I think the best estimate for expected viruses should be: (installed base * attack surface)^2.

The (installed base * attack surface) value defines the number of potential network connections that malware writers can use, so that number should drive the expected value of the network in terms of attracting malware.

If OS X had the same attack surface as Windows, but still only 1/20th the installed base, I'd expect to see 400 times as many viruses for Windows as for OS X. If the two had equal installed bases, but the Windows attack surface was 20 times as large as the OS X attack surface, I'd still expect to see 400 times as much malware for Windows as for OS X.

The fact that we have something like 10,000 pieces of malware for Windows to essentially nothing for the Mac suggests that the (installed base * attack surface) value for OS X is somewhere around 1/100th of Windows's. Or possibly even less.

It's simple

[jav1231]

Sure, OSX could/can have viruses. Yes, Word on a MAC can introduce macro viruses. Yes, PHP exploits can run on a Mac. But folks, the proof is in the pudding. If you switch to a Mac, at least now, you will have less virus and malware trouble. It's a fact. Whatever the reason, it's a fact. And people should be doing it. I'm encouraging everyone I know to do it. I've spent countless hours rebuilding systems and/or cleaning them when I can see that if they had a Mac their problem never would have happened. Windows is a sloppy, virus nursery. Yes, OSX or even Linux may/will one day have their share of viruses but today, July 7, 2006 switching is the quickest way to rid yourself of virus and malware issues.