BusinessWeek columnist propagates discounted ‘Apple Mac security via obscurity myth’

“[Analysts] do agree on one area where Apple has an advantage: Security. Macs are targeted by viruses and hacking attacks far less often than machines running Microsoft’s Windows simply because there are fewer of them around. Computer criminals strive for maximum impact, so they pay less attention to the relatively small number of Mac users,” Arik Hesseldahl writes for BusinessWeek.

“While Microsoft struggles to build firewalls, anti-spyware, and anti-virus technology into Windows, Mac users are for the most part untroubled by these annoyances, and that’s a point it could press, says Richard Forno, a principal consultant with KRVW Associates, a computer-security firm in Alexandria, Va. ‘I’m seeing more and more people in the security business using Macs and saying they trust them and don’t have to cope with viruses and other hassles,’ he says. ‘I just wish Apple would market its security as a key feature to corporate customers.’ Of course, the more popular Apple machines become, the more likely they are to be targeted by hackers and virus writers,” Hesseldahl writes.

Full article here.

MacDailyNews Take: The idea that Windows’ morass of security woes exists because more people use Windows and that Macs have no security problems because fewer people use Macs is simply not true. Mac OS X is not more secure than Windows because fewer people use OS X, making it less of a target. By design, Mac OS X is simply more secure than Windows. Period. For reference and reasons why Mac OS X is more secure than Windows, read The New York Times’ David Pogue’s mea culpa on the subject of the “Mac Security Via Obscurity” myth here.

Hesseldahl is the same writer who wrote for Forbes back in June 2003, “Naysayers have been calling for Apple’s demise for years. But Apple not only has survived but thrived, it seems, at least partially by the sheer force of Jobs’ will and his ability to maintain the ferocious loyalty of Apple’s users, who still account for 10% of the world’s computer users, while its sales usually account for about 3% to 5% of the world global PC market.”

So, if Macs account for 10% or so (some say as much as 16%), then, according to Mr. Hesseldahl himself, Macs aren’t “obscure” at all. Therefore, the Apple Mac platform’s ironclad security simply cannot logically be attributed to obscurity.

Zero percent (0%) of the world’s viruses target the Mac OS X platform, which should, logically, have some 10-16% of them if platforms’ install bases dictated the numbers of viruses. The fact that Mac OS X has zero (0) viruses discounts “security via obscurity.” There should be at least some Mac OS X viruses. There are none. The reason for this fact is not attributable solely to “obscurity”; it’s attributable to superior security design.

Still not convinced? Try this one on for size: according to Apple, there are “close to 16 million Mac OS X users” in the world and there are still zero (0) viruses. According to CNET, the Windows Vista Beta was released “to about 10,000 testers” at the time the first Windows Vista virus arrived. So much for the security via obscurity myth.

Arik Hesseldahl’s email address is:

Related MacDailyNews articles:
Hackers already targeting viruses for Microsoft’s Windows Vista – August 04, 2005
16-percent of computer users are unaffected by viruses, malware because they use Apple Macs – June 15, 2005
ZDNet: How many Mac OS X users affected by the last 100 viruses? None, zero, not one, not ever – August 18, 2005
Intel CEO Otellini: If you want security now, buy a Macintosh instead of a Wintel PC – May 25, 2005
Apple touts Mac OS X security advantages over Windows – April 13, 2005
97,467 Microsoft Windows viruses vs. zero for Apple Mac’s OS X – April 05, 2005
Apple’s Mac OS X is virus-free – March 18, 2005
Cybersecurity advisor Clarke questions why anybody would buy from Microsoft – February 18, 2005
Security test: Windows XP system easily compromised while Apple’s Mac OS X stands safe and secure – November 30, 2004
Microsoft: The safest way to run Windows is on your Mac – October 08, 2004
Information Security Investigator says switch from Windows to Mac OS X for security – September 24, 2004
Columnist tries the ‘security through obscurity’ myth to defend Windows vs. Macs on virus front – October 1, 2003
New York Times: Mac OS X ‘much more secure than Windows XP’ – September 18, 2003
Fortune columnist: ‘get a Mac’ to thwart viruses; right answer for the wrong reasons – September 02, 2003
Shattering the Mac OS X ‘security through obscurity’ myth – August 28, 2003
Virus and worm problems not just due to market share; Windows inherently insecure vs. Mac OS X – August 24, 2003

66 Comments

  1. But MDN is not using logic.

    Yes there are 16 million OSX users, but of those 16 million, how many are Banks, corporations, government agencies?? These are the types agencies that hackers target, and for the most part Macs ARE obscure in the above mentioned.

    Hackers (most, not all) want exposure, they are not interested in bringing down personal users, graphic designers, musicians and grandmas… Until OSX makes its way into the corporate world, we are obscure..

  2. Ted,

    MDN’s logic is indisputable:

    “There should be at least some Mac OS X viruses. There are none.”

    Or at least one. But, in five years or so, there are zero viruses. Zero.

    Why? Certainly not because of obscurity.

  3. Security via obscurity is skewed. The Mac OS is well known enough — or, hardly obscure.

    The math doesn’t work. Windows has what user base and how many viruses? Mac has what user base and how many viruses? 80,000:0 doesn’t add up no matter the difference in user base. The only way to reconcile this would be if the Mac user base was zero.

    I’m not claiming that the Mac is impenetrable. The answer is that A) Windows is easy and B) hackers love to hate Windows.

  4. Look I’m not defending MS or giving excuses for their shoddy OS. XP in my opinion is a piece of crap just begging to be intruded.

    I know that OSX is more secure by design and I know that there have been no viruses to date. We’ve been fortunate. My point is simply that OSX is not immune. Apple knows this, we should too.

    16 million users or not, we are obscure when it comes to being a prime target for hackers.

  5. Security via obscurity has nothing to do with how many machines are connected at a time but how well the API of an OS is known and publicly available. Funny thing is that the only OS enjoying security via obscurity is Windows in that its API is not entirely public.

    This said, a virus to be effective has to be 1) able to infect (ie crack exploitable flaws on an OS), 2) reproduce itself, ie, take control of the OS itself, 3) automatically propagate, ie, not require any user intervention to infect other platforms.

    The fact that no OS is bullet proof concerning infection covers only 1) . Sure, any OS is just code and no one could conceivably say that it is immune to buffer overflows, to say one. Also OS X has those and they are for the most part patched with every security update. But 2) and 3) is what is inherently more difficult on Unix like platform than on Windows.

    2) concerns reproducibility. It should be well known that any Windows installation is a copy cat of another. This allows the virus to find exactly the same environment to infect on and on and on. Such copy cat configuration is way less probable on Unix platforms where the same services can be provided by different daemons, not active at all, different versions, etc. This accounts for peak infection rate on Windows of 60% or more and about 5% for Unix platform. On Windows the adage ‘crack one crack them all’ holds. On Unix it doesn’t.

    3) Automatic spreading. People could ‘not care how many permissions are required by the OS itself‘ as with the above poster but it is exactly this that undermines requisite 3) for a viral infection. A Windows installation does not require any permission. The OS is made so that any *internal* program is authorized to take full control of the machine and its API. On Unix there are many more *gates* – for so to say – before that is done. A virus that needs an operator physically to cooperate in order to be authorized at each step and propagate simply does not work, not even worth writing one.

    So yes, every OS can suffer from condition 1), ie have faults to be exploited. 2) and 3) are GRANTED on Windows, much less so on other platforms. BSDUnix is the one features and featured best security-wise rendering 2) and 3) extremely difficult to achieve. This translates into being very difficult to write a virus that could spread exponentially as it happens on Windows.

    A virus writer could not care less how many machines are out there, but how many can be infected in the shortest period of time. And this has very little to do with market share, practically nothing.

    Would you target 500 Millions machines when you know at best you may infect 50000 or 10 Millions machines when you know you will infect for sure 8 Millions?

  6. Hackers crave the ultimate high of cracking OSX, but it’s no good slaving for it when you’re likely to fail, so they satisfy themselves with cheap-and-easy thrills on Windows. It’s not obscurity that keeps Mac safe, it’s difficulty.

  7. As it has been said on and on and on in these threads, the “larger target best target” for viruses only holds if one believes that every OS is inherently as secure – or insecure – as all others. If that was true, then of course, the largest target is the best.

    Too bad this is not true. It is not true that Windows is as secure as other OSes, especially against Unices: it does not get to their ankles. Conversely, it is not true that other OSes are as vulnerable as Windows.

    Hence, what we have is that the largest target is at the same time the easiest and more vulnerable of all out there. It would still give greater return, in terms of absolute number of infected machines even if it was the smallest target.

    Is that SO DIFFICULT to understand?

  8. Ted sez…

    “Hackers (most, not all) want exposure, they are not interested in bringing down personal users, graphic designers, musicians and grandmas… Until OSX makes its way into the corporate world, we are obscure..”
    ———
    Your argument that the Mac is never attacked because hackers aren’t interested is a joke. Do you seriously think that there’s not a virus writer out there who wouldn’t give his left n-t to be the very first to bring down all us smug Mac users and be able to brag about it for the rest of his life? You aren’t living in the real world!

    It hasn’t been done simply because the guys who write viruses haven’t been able to come up with one that will get through the built-in security. A successful virus attack would be a big feather in its author’s hat even if he didn’t take down more than 3 Macs! He would probably even be happy to go to jail over it just to be able to laugh at us.

  9. OS X platforms run at SLAC, LBL, Los Alamos, Virginia Tech, CERN, KEK, Genome Research Labs, Max Planck Institutes, NASA, US Army, etc.

    Weird names for Retirement Homes.

    UHAHHAHAHOHOHHUAHAHAHHA

    personal users MY ASS!

    AAHAHHOHUHHAHEHAOH what a drone.

  10. Ralph,

    Actually you are not living in the “real world” if you think that OSX is completely immune.

    Yes, there probably are some virus writers who would love to wear the crown of first to write an OSX virus. Maybe some have tried and failed… I honestly do not know.

    I do know that OSX is not in the most visible places to make the maximum impact.. ie.. Major corporations, banks, government agencies etc.. In that sense, we are obscure.

    I’m not saying that it’s easy to get into OSX. I’m saying that it can be done.

  11. Ted: of course it can be done. There are even white papers on virus exploitable flaws – common to practically all Unices – for OS X.
    But that covers only requirement 1) as Seahawk up here explained.

    Who cares if you may infect ONE machine doing specific things if you cannot spread to others. Seahawk is known for having explained this in one sentence time ago:

    “If it cannot spread it is not a virus, it is a joke”.

    So yes, you may infect any Unix platform, OS X included, for example using root exploits. The issue is, good, then what? you knock on your neighbor and ask “Hi, may I sit in front of your Mac so that I can infect yours as well, you know, I wrote this virus but I have to input manually some commands to infect other machines”.

    Can’t you see the ridicule in it? Yes, it can be done. Nope, no automatic way to reproduce and spread effectively has been found so far. That is the reason for the 0%. That is the reason why even well conceived Unix viruses infect so few, so much so that it is a waste of time for virus writers to spend lots of effort in cracking one Unix platform: they are faced with the question: “Now what? Got one, how to get a second?”

  12. In regards to Grandma’s post:

    Laugh all you want! Yes, I am aware that OSX platforms run at a few notable agencies like the 10 or so you’ve listed. And yes, there are probably another 20 or 30 that you have not mentioned. But compare that list to notable agencies and Fortune 500 companies that run Windows and talk about which would have a greater impact for a hacker to take down.
