BBC News “ClickBack” program’s online column answers questions and comments from viewers on technology matters:
Henry Winckelmann from Oxford said:
I’m disappointed, but not particularly surprised, to see you reporting on potential security issues on the yet to be released Windows Vista. Isn’t it true to say that any such piece which does not refer to secure operating systems with a proven track record (such as Mac OS X) is simply encouraging ignorance in the computer-using population? Shouldn’t you at least state the obvious, namely that there are wildly better, well proven alternatives to the feature-poor, insecure code which finds its way out of Microsoft?
BBC’s ClickBack:
Welcome to the age-old argument about which is more secure – Windows, Linux or OSX.
Henry, if you are saying that Mac OSX has had less security attacks than Windows, then you are absolutely right. No-one has ever denied that.
The question has always been: Why? Is it because it is more secure? Or is it because fewer people try to hack Apple?
All the security experts we have spoken to say the same thing – whilst OSX is a beautiful piece of software, it is still a highly sophisticated operating system, and it still receives regular security patches, just like Windows.
Apple only has small percentage of the market, tiny compared to Microsoft, and the logic is that if you are going to write a piece of malware that goes after the most people, do you write it for OSX, which, according to Apple, has around 15 million users, or do you go for Windows, which, depending on whose numbers you use, has anything up to a billion users?
I think it is a fair argument.
Full article here.
[Thanks to MacDailyNews Reader “Mr Skills” for the heads up.]
MacDailyNews Take: Note first that ClickBack did not answer Mr. Winckelmann’s central question, to paraphrase, why did their report on personal computer security fail to mention the most secure PCs, Apple Macs?
Now, in their response, ClickBack asks whether Mac OS X is inherently more secure OR is Mac OS X more secure because fewer people try to hack it. The response is flawed. The real answer is quite simple: Mac OS X is inherently more secure AND Mac OS X is secure because fewer people try to hack it.
There are 19 million Mac OS X users according to Apple (Steve Jobs, WWDC 2006), not 15 million as ClickBack states. Regardless, this is certainly a smaller number than Windows users, but it is not a small number by any stretch of the imagination. The only small number is the number of Mac OS X viruses in the wild that have affected Mac OS X users: zero (0). The absence of a single virus, for over five years of Mac OS X’s existence, proves the platform’s inherent security. It is not without flaws, however: flaws that Apple routinely fixes before they affect users. Since fewer hackers are looking to exploit Mac OS X (and because Mac OS X’s Unix foundation is time-tested by decades of use), Mac OS X users are even safer.
Windows suffers such massive and ongoing security woes for the inverse reasons that Mac OS X avoids such issues: Windows is inherently insecure and Windows is insecure because many people try to hack it.
By design, Mac OS X is simply more secure than Windows. For reference and reasons why Mac OS X is more secure than Windows, read The New York Times’ David Pogue’s mea culpa on the subject of the “Mac Security Via Obscurity” myth here.
Related articles:
Apple Macs are far more secure than Windows PCs – September 26, 2006
Chicago Tribune falls for the ‘Security Via Obscurity’ myth – August 14, 2006
Oxymoron: Microsoft security – August 12, 2006
With exploits in wild, Microsoft Windows braces for yet another critical worm attack – August 11, 2006
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Ballmer analyzes Microsoft’s One Big Mistake, Vista… er, ‘One Big’ Vista Mistake – August 02, 2006
Symantec details more security holes in Microsoft’s Windows Vista – July 26, 2006
Symantec researcher: At this time, there are no file-infecting viruses that can infect Mac OS X – July 13, 2006
Sophos: Apple Mac OS X’s security record unscathed; Windows Vista malware just a matter of time – July 07, 2006
Sophos Security: Dump Windows, Get a Mac – July 05, 2006
What Microsoft has chopped from Windows Vista, and when – June 27, 2006
Security company Sophos: Apple Mac the best route for security for the masses – December 06, 2005
Apple: ‘Get a Mac. Say ‘Buh-Bye’ to viruses’ – June 01, 2006
Apple Macs and viruses: Fact vs. FUD – May 26, 2006
‘Mac security’ garbage reports continue to proliferate – May 10, 2006
ZDNet: Reduce OS X security threats – ignore security software – May 05, 2006
Unix expert: Mac OS X much more secure than Windows; recent Mac OS X security stories are media hype – May 03, 2006
Macs and viruses: the true story – May 02, 2006
Anti-Mac FUD machine shifts into overdrive – May 01, 2006
FUD Alert: Viruses don’t catch up to the Mac – May 01, 2006
BusinessWeek: Apple should hire security czar to combat uninformed media FUD – March 09, 2006
Spate of recent Mac security stories signal that Microsoft, others getting nervous – March 06, 2006
Mafiasoft: Microsoft to charge $50 per year for security service to protect Windows – February 07, 2006
Computer columnist: anti-virus software purely optional for Apple Macs, not so for Windows – November 01, 2005
Hackers already targeting viruses for Microsoft’s Windows Vista – August 04, 2005
16-percent of computer users are unaffected by viruses, malware because they use Apple Macs – June 15, 2005
“less-targeted bulletproof vest doesn’t get shot”
The model doesn’t assume that Macs are “less targeted” it assumes that both platformas are equally targetted and equally vunerable, Yet the PC gets hammered and the Mac stays safe, and it’s all due the Mac being a small percentage of the installed base.
That’s the interesting result.
“We aren’t even on the shallow part of the curve”
Plot the 2%, 3% 4%, 5% values above, you will absolutely see that you are on the shallow part of the curve. The compounding effect of even an extra percentage point of installed base is extremely significant.
“Maybe, but my point is that it’s not safer for the reasons most people put forward. It’s safer only because it’s an unpopular platform.”
Doesn’t matter. Safer is safer.
Mac users are safe. They are SO safe right now that it would take years of market share growth for any virus threat to be at all significant. (Assuming your theory is true.) That’s the fact on the ground.
Your math on the other hand is entirely hypothetical, as evidenced by the fact that the market share numbers you’re modelling have already been surpassed, with no ill effects.
“Doesn’t matter. Safer is safer.”
If you say so. The tough problem is if Apple succeeds you loose your safety. If they continue to muddle around with low single digit share, you keep it. That’s not good.
My main point is to rebut the assumtion of why Macs Today are more safe. Small installed base, with nothing else is sufficient to explain that safey.
In essence the PC guys are wearing bulletproof vests because they have too, the Mac guys are running around in tee shirts, thinking they’re bulletproof. Didn’t work at Wounded Knee, Won’t work today either.
“Your math on the other hand is entirely hypothetical”
The math is very concrete. Now you can argue with the assumptions, but you’ll still end up in roughly the same place.
“market share numbers”
Were not talking market share numbers, we’re talking installed base.
But in any case Apple still hovers around 2% worldwide market share.
Even if you were generous and said the installed base worldwide was 3%, you’d still come up with a very low rate.
“In essence the PC guys are wearing bulletproof vests because they have too, the Mac guys are running around in tee shirts, thinking they’re bulletproof. Didn’t work at Wounded Knee, Won’t work today either.”
This is demonstrably false.
The more apt analogy is that the PC guys are all walking around wearing 35 easily pierced black plastic garbage bags thinking that they are really wearing heavy bullet proof vests. Meanwhile, the Mac guys are walking around in military-grade body armor.
The key difference is that the PC guys are foolish enough to think that all their efforts with their plastic bags are actually protection while the Mac guys don’t spend any time on thinking about it because they know that their T-shirt is actually Type III body armor (protection against full metal jacketed rounds).
“If you say so. The tough problem is if Apple succeeds you loose your safety. If they continue to muddle around with low single digit share, you keep it. That’s not good.”
Maybe not. But it’s irrelevant to the average user, who is not trying to prove that Macs will one day reign triumphant, but just wants a computer that will not be vulnerable to malicious attacks for the non-obsolete life of his machine. Buy a Mac today, and that’s exactly what you’re getting.
This is why the standard pro-PC argument on this (which you are doing a pretty good job of pushing here) is actually not at all relevant to the point, which is not scoring a win in the Mac vs. PC brigade, but quite simply, if you buy either machine today, which will make you safer? That’s the real issue here, and it’s an issue on which you cannot win. Thus, your retreat into hypothetical future scenarios, which all assume with no evidence that Macs are not fundamentally better designed to be secure, something you CAN’T prove but which I have stipulated for the sake of getting at the real issue, namely: they are currently safer. Full-stop. And the lower you talk down the Mac market share numbers (by preferring worldwide to U.S., etc.) the longer a safe future they will enjoy, by your very own calculations.
Q.E.D.
“My main point is to rebut the assumtion of why Macs Today are more safe. Small installed base, with nothing else is sufficient to explain that safey.”
What if I agree? So what? How does this make my malware experience equivalent to a PC if I by say an iMac today and use it for the next three years? It doesn’t. My malware experience will be far superior, and nothing you have said here even addresses that core issue.
“Q.E.D.”
I dont think you know what Q.E.D means.
“computer that will not be vulnerable to malicious attacks “
You miss the point, it’s not that the Mac is not vulnerable. Lots of defects have been found with Mac OS X. The problem is that viruses need a population to effectively transmit themselves among and with Apple that’s not there.
“they are currently safer.”
No No No, again there you go with your strange definition of safer. it’s like you’re saying you’re safer driving around without a seat belt, because you personally havn’t had an accident yet. But when you do, where are you headed? Straight through the windshield.
“(by preferring worldwide to U.S., etc.) “
Viruses don’t care where your PC is located, they just care about the number of susceptible susceptible machines in the population which implies that you should consider worldwide numbers, not a few bright (if 3% share is bright) spots.
“if you buy either machine today, which will make you safer?”
The clear answer is the PC with good antivirus, because the Mac is a disaster waiting to happen. The PC has real protection from attacks, the Mac has none.
“Buy a Mac today, and that’s exactly what you’re getting.”
Again, as above, no you’re not. you’re getting the car without the seat belts.
Now here’s the kicker. The way for a virus writer to get around this pathetic Apple market share problem is to write a virus which will infect and propagate on both platforms.
“You’re fighting the wrong battle because you can’t”
If the Battle is to help Apple owners understand the myth of superior Mac security, then maybe you’re right.
“This is demonstrably false.”
What by showing that Mac OS X has never had an exploitable vulnerability? Prove away, because there’s a whole bunch of documented counterexamples.
“The more apt analogy is that the PC guys are all walking around wearing 35 easily pierced black plastic garbage bags thinking that they are really wearing heavy bullet proof vests. Meanwhile, the Mac guys are walking around in military-grade body armor.”
If you understood any of the above, then you’d see that installed base is enough to explain the effects you see. Even if the Mac and the PC were equally explotable then the PC would be exploted more. The PC probability of exploitability (per system) would have to be 45 times lower then that for a Mac to generate the same infection numbers.
“Mac guys don’t spend any time on thinking about it because they know that their T-shirt is actually Type III body armor “
They “know” this because they presumably read all those security advisories about how vulnerabilities have been found in the type of armor they have been issued with, but because they personally haven’t been at shot yet, “know” that they are invulnerable. So the beleive is based on wishful thinking, not fact.
“What by showing that Mac OS X has never had an exploitable vulnerability? Prove away, because there’s a whole bunch of documented counterexamples.”
You’re changing the subject. The less obtuse way of looking at this would be to prove that there has never been a virus, worm, keylogger, or other malware for OS X in the wild. That is all that matters in this debate. I think that is self-evident.
I know of no one that is arguing that there are not likely hundreds of vulnerabilities in OS X. In the same way, you would have to admit that there are likely hundreds of THOUSANDS of vulnerabilities in Windows. Most of the vulnerabilities in Windows have not been found just like most in OS X have not been found. Microsoft, being who they are, are simply inept at keeping those vulnerabilities from becoming widespread virus outbreaks. Apple, being who they are, jealously guards their reputation for having a secure OS and thus, hop on any vulnerability before it can become an issue.
This however, is not the discussion at hand and only people who are trying to defend the horrific track record of malware in the Windows world would take the tack of changing the subject to theoretical vulnerabilities. Windows is Swiss Cheese and there are no two ways around that reality. Trying to claim that OS X is just as vulnerable as Windows but virus-free only because it has a tenth the market share is a posit that has been fscked hundreds of different ways.
But let me summarize:
1. OS X is the juiciest target of all. The first person to get an OS X virus to propagate in the wild will become an immediate legend.
2. OS X is on tens of millions of computers, most owned by people who spend LOTS of money. Research shows that OS X users buy more online and at higher price tags than their Windows counterparts. Thus, monetary rewards are a major motivating factor. Furthermore, you can’t tell me that there aren’t hackers in the basement of some office building in Redmond, WA trying to crack OS X. A certain Washington software mogul would dearly love to shove a virus down the throat of a certain smug California hardware/software mogul.
3. No viruses exist for OS X which defies the conventional wisdom. There should be malware for OS X relative to its market-share. We know this because other OSs with even less market-share have more viruses than OS X. Yet, none exist for OS X despite the millions of machines that run that OS. Curious.
4. While it is true that burglars typically go after homes that are more easy to break into, some will go after those with locked doors if the reward is high enough. People attempt to rob banks all the time (usually unsuccessfully) even though they are highly secure and there are less of them than say for instance, a neighborhood full of poorly secured homes down the street. Why? Because they are of high value. The same is true for UNIX systems (both on the desks of wealthy OS X users and in financial institutions). If people are ignoring high value computer targets just because there are not that many of them (your argument) then it is the one place in all of society that evil people are ignoring. Sorry, I don’t buy it.
Bottom line, OS X has built-in security measures that do not exist for Windows. Add-on security measures in the Win world are largely useless because they are the equivalent of closing the gate after the wolves have gotten in. The best they can do is just keep all the slow wolves at the back of the pack from getting in.
I used to work at a university where we had lots of paid security gurus. Despite all their efforts, campus Windows machines with all the latest patches and updates would get infected, some even on their own desks. Why, because they can only react to yesterday’s virus not today’s.
Of course, they never had to do anything with OS X machines but still generally didn’t care for them. Why? because if the campus went all OS X, they would be out of a job.
And DoTheNumbers, your arguments are eerily similar to the ones I used to hear from them. Still, you are attempting a civil discourse and that is to be commended.
P.S. If you want to concede that the combination of lower marketshare, stronger security under the hood, and a company hell-bent on staying on top of vulnerabilities is what accounts for the lack of viruses for OS X then I’ll accept that and we can all move on.
“You’re changing the subject. The less obtuse way of looking at this would be to prove that there has never been a virus, worm, keylogger, or other malware for OS X in the wild.”
No it wouldn’t because by model shows you why although they exist, that they don’t survive well in the wild, and that installed base alone is sufficient to explain this.
“Microsoft, being who they are, are simply inept at keeping those vulnerabilities from becoming widespread virus outbreaks. “
Again the model shows that given equivalent competence, market share alone is sufficient to explain the faster spread on Windows, and that Microsoft has to be 45 times more competent than Apple at excluding threats to overcome the installed base barrier.
“-on security measures in the Win world are largely useless because they are the equivalent of closing the gate after the wolves have gotten in. “
Have you used any of these recently. These days most shoot the wolves as they attempt to enter the gate.
“Why, because they can only react to yesterday’s virus not today’s.”
Again, have you used any of this software recently. These days thay also look for, shut down and stop “Virus like” activity, even if no signature exists for that virus.
“because if the campus went all OS X, they would be out of a job. “
Again the model shows that low installed base is a sufficient explanation for lack of Mac OS X problems. If that were to change…
“lower marketshare, stronger security under the hood, and a company hell-bent on staying on top of vulnerabilities is what accounts for the lack of viruses for OS X then I’ll accept that and we can all move on.”
– Lower installed base can be shown to be enough.
– Microsoft and Apple both stay pretty much on top of vulnerabilities, and arguably because of the existence of antivirus software on the PC, PC vulnerabilities are plugged more quickly (usually within 24-48hrs) by the Antivirus/security software while a permanent fix is made.
– Stronger security, Historically Unix just hasn’t been shown to be intrinsically more secure. The continuing flow of vulnerabilities for Mac OS X tends to rebut the assumption that Mac OS X is intrinsically secure. If we accept that Macs are not invunerable, and that in fact that they have sufficient vunerabilities to effectively attack them we need to find another hypothesis to explain why they get infected less.
Interestingly the low installed base hypothesis predicts exactly the result we see.
Dothenumbers,
Your hypothesis is entirely bunk and I think you know it. We all see that you are reaching and we also notice that you have not understood the hundreds of articles that have shown that Windows is an amateurish mishmash of code that was never intended to be secure. Your assertion that virus software stops all the wolves before they get through the gate is also demonstrably false. The real world proves this notion to be rubbish.
As for this stretch:
“Interestingly the low installed base hypothesis predicts exactly the result we see.”
It does no such thing. A low installed base should predict some level of virus activity roughly equal to the amount of machines installed. Your hypothesis “exactly” DOESN’T predict this.
Here is a better and arguably more accurate statement:
“Interestingly the robust security of OS X hypothesis predicts exactly the result we see.”
You see, for a prediction to be prophetic it has to be something one might assert IN ADVANCE.” Looking around after the fact for something that is “exactly the result we see” based on one meager assumption would lead us to assert the following.
“There is a large piece of blue plastic with little holes punched in it surrounding the planet which is why the sky is blue during the day and there are points of light at night and interestingly, this is exactly the results we see.”
More to the point, you are asserting that, in essence, Apple engineers have recreated an OS from the ground up with no more security than Windows but, because they believed that it would never gain any significant market share, that they wouldn’t have to worry about it being secure.
Meanwhile, I am saying that Apple saw in the 90s that their OS would gain in popularity over time or die. They also saw that even though the MacOS had, at one time, as much market share as Windows, and still had less virus attacks, it needed to be reworked. They likely predicted that in light of the terrible security track record of Windows, they would need a more robust OS than their previous incarnations in order to survive this popularity.
In fact, this is what has happened. OS X has a large and growing market share and the OS is holding up quite nicely.
I predict that when Apple gains over 50% of the installed base, they will still have less successful attacks than Windows. Let’s come back here in a few years and see how my prediction has held up, mm-kay?
“
It does no such thing. A low installed base should predict some level of virus activity roughly equal to the amount of machines installed”
Again missing the WHOLE point. You need a critical mass for viruses to spread. you’re assuming it’s linear base on user base. It’s not.
“Interestingly the robust security of OS X hypothesis predicts exactly the result we see”
“More to the point, you are asserting that, in essence, Apple engineers have recreated an OS from the ground up with no more security than Windows “
No, I don’t think anyone would assert the Mac OS X was created from the ground up. If that’s your belief I’d suggest you know nothing about the technical underpinnings of Mac OS X, so shouldn’t even be joining this conversation.
“Your assertion that virus software stops all the wolves “
Did I assert that? I don’t think so. I wouold however state that these days most of the wolves get in through unguarded gates, or gates for which a wolf proof upgrade exists but has not yet been installed. And because of the user base, you only need a few percent to not be taking care, and you end up with large outbreaks. The model shows that Apple cuatomers can be careless, insecure and viruses will still not spread.
“I predict that when Apple gains over 50% of the installed base, they will still have less successful attacks than Windows. Let’s come back here in a few years and see how my prediction has held up, mm-kay?”
Sure, lets do that.
“It does no such thing. A low installed base should predict some level of virus activity roughly equal to the amount of machines installed”
Again missing the WHOLE point. You need a critical mass for viruses to spread. you’re assuming it’s linear based on user base. It’s not, and that’s the interesting result.
“Your hypothesis is entirely bunk and I think you know it.”
What particular assumption would you like to refute?
“Interestingly the robust security of OS X hypothesis predicts exactly the result we see”
Except that Apple’s long list of security patches shows that Mac OS X security is NOT intrinsically robust. So there must be something else at play here.
“More to the point, you are asserting that, in essence, Apple engineers have recreated an OS from the ground up with no more security than Windows “
No, I don’t think anyone would assert the Mac OS X was created from the ground up. If that’s your belief I’d suggest you know nothing about the technical underpinnings of Mac OS X, parts of which are over 30 years old, so shouldn’t even be joining this conversation.
“Your assertion that virus software stops all the wolves “
Did I assert that? I don’t think so. I would however state that these days most of the wolves get in through old gates, unguarded gates, or gates for which a wolf proof upgrade exists but has not yet been installed. And because of the user base, you only need 5%-10% not to be taking care, and you end up with large outbreaks. The model shows that Apple customers can be careless, insecure and viruses will still not spread.
“I predict that when Apple gains over 50% of the installed base, they will still have less successful attacks than Windows. Let’s come back here in a few years and see how my prediction has held up, mm-kay?”
Sure, lets do that. I’d bet for sure in 3 years there’s a much greater chance that Macs will face a major security issue that serves as a wake up call than Apple gets to 50% worldwide installed base.
“Again missing the WHOLE point. You need a critical mass for viruses to spread. you’re assuming it’s linear base on user base. It’s not.”
I agree that this is YOUR point. It is an entirely fallacious one but it is yours and who am I to take it away from you? I can only point out that your obvious unfamiliarity with the phenomenon of viruses (both biological and digital) is limited.
Ever hear of Ebola or HIV? These viruses spread on their own with no need of help from other viruses in order to spread. In fact, the very notion of needing MULTIPLE viruses combining together and somehow creating a “critical mass” in order to spread is gibberish, pure and simple.
A virus, to be a virus needs only a small population in order to spread but more importantly, it requires a WEAK population in order to spread. Furthermore, a virus takes advantage of both biological mechanisms in the host and the host’s lack of immunity to propogate. Neither of these factors have proven to be an issue in the OS X world.
Your hypothesis rests on a fundamental misunderstanding of how viruses replicate themselves. The clear reality is that OS X has so far proven to be virus-proof because it has high immunity AND no easily compromised mechanisms for the virus to propagate itself even if a single machine could be infected. Both of these factors are key to whether a virus (either biological or digital) can spread.
However, despite the analogy of computer viruses to biological ones, there is a major difference. As I said, biological viruses take advantage of the weak. There are really no weak OS X boxes out there. They are largely all the same and so a virus cannot simply prey on the less immune OS X machines like an Ebola virus would take advantage of a week human host as a jumping off point for a pandemic.
You claim (also without any evidence whatsoever) that minority market share gives OS X its edge. Some have pointed out that it doesn’t make any difference what gives OS X its edge. It has it, end of story. But as a beta tester of OS X in 2000 and user of OS X server even before that, I have noted that in those 7 years we have seen Windows viruses cost this country billions of dollars while the use of OS X would have saved a like amount. Yet, the scourge that is Windows spreads, largely because the IT world is full of idiotic Windows techs who think that all OSs are created equal and have managed to convince management sheeple of this.
This level of deceit and ineptitude in corporate, university and government IT circles will ultimately result in a massive attack by another superpower such as China on our computing infrastructure. We will rue the day we decided to put all our eggs in the rotting basket that is Windows.
Cheerio.
“Ever hear of Ebola or HIV? These viruses spread on their own with no need of help from other viruses in order to spread. “
You’re missing the point again, if these viruses can only infect a small percentage of the people they encounter, they can’t spread far.
What bit of that don’t you get?
“needs only a small population in order to spread “
Just do the numbers. A virus which can potentially infect 90% of the population will spread like wildfire. One which can potentential infect 2% only will be much more limited.
“fundamental misunderstanding of how viruses replicate themselves”
Again, point to which of the model’s assumptions are flawed. Don’t just keep flapping your gums with no substance. You clearly just don’t get it.
And that’s fine. Not everybody in the world can be intelligent and/or pick up new ideas quickly.
“There are really no weak OS X boxes out there.”
But there are vulnerable ones, All of them. what’s the difference between vunerable and weak in your mind?
“full of idiotic Windows techs who think that all OSs are created equal and have managed to convince management sheeple of this.”
The point is, the installed base differential is enough to explain the outcome. You don’t need other demonstratably false hypothesis like OS X is invulnerable to viruses.
Not securing Windows is part of Bill’s Revenge.