Talkback: Is Apple really better at security than Microsoft?

Mr. Grimes makes excellent points, although I'm not sure how appropriate it is to discuss hacking mainframes and minis from dumb consoles in the Internet age. I have no doubt a hacker seated in front of any of my Windows, GNU/Linux, or Mac OS X machines would have no difficulty taking over the machine, especially since I leave bootable CDs on the shelf (and one can assume hackers have a bootable USB thumb drive in pocket).

What I do disagree with is the "OSes are not dumb, people are" argument. Social engineering as an attack vector is highly effective with any system, secure or not. But if I wanted to attack a mainframe or mini, I'm quite sure it would be more fruitful to attack a Windows PC with client access to a secure server.

One could get the impression that all OSes are equally cruddy. That's not true; what is left unsaid is that Microsoft's haphazard system architecture makes that platform the most vulnerable of all computer systems in use today. In particular, the Microsoft ActiveX component of the Microsoft Internet Explorer browser simplifies remote hacker access to Windows system internals, a serious architecture mistake absent from other browsers and other operating systems.

For users unable to switch to more secure permissions-based OSes which at least limit the potential damage, it would be more responsible I think to recommend that they avoid using MSIE and in particular conducting any financial transactions with it, and switch to more secure (and more modern) browsers such as Firefox.

Sean DALY.

Is Apple really better at security than Microsoft?

Are You Serious?

let's compare:

* of the 200 osx security holes in the last 5 years, how many have been discovered in the wild?

ZERO.

cost to the economy?

ZERO.

* of the thousands of windows security holes in the last 10 years, how many have been exploited?

THOUSANDS.

cost to the economy?

BILLIONS.

(not to mention the TENS of BILLIONS due to other design flaws ... all the blue-screen-of death + the config futzing).

There is simply to factual or logical basis for comparing apples and ... well, you get the point :-)

only the dubious terms of software license - which release the creator from liability for damages - protects microsoft from a crippling class action lawsuit! ...

how is it that after enron is convicted there are new laws & people go to jail; bit after microsoft was convicted there are no changes in tort law nor any extra billionaires in jail?

and as for the utterly inane comparison of mac security under System 6 (versus System 10 decades later) ... all i can say is that anyone who understood how either of them was designed would realize how block-headed the comparison was ... it's like tricycles and jet-packs!

there is lot that apple could do to improve osx (using the same formal verification techniques used for hardware), but as it ships into users hands, it is nearly bulletproof.

i challenge people like grimes to prove otherwise with concrete examples.

I remember viruses during the old Amiga days. One of them was a little animation that would play on your screen while it would vibrate the stepper motor on your floppy drive to play a tune. Plus the damned thing would reside in static ram and if you turned it off the little animation would flip you off. You basically had to unplug the computer and leave it off for a few hours. I think the real reason why you didn't see viruses on PC's first was because their wasn't a GUI based operating system. Sure their were viruses then, but they were mainly scripts that would reformat your hard drive in DOS. It's only when the Mac OS came when you saw some interesting viruses.

The fact of the matter is that Microsoft made XP worse by leaving several ports open that should be off by default. There are several posts on the Internet from security experts that warned Microsoft about it before the product shipped, but they never fixed the problems.

So if you want to really see if Apple is better, compare the total number of viruses from both platforms and see who is better.

My goodness bud. As of today. Mac OS X runs on a Unix BSD base. Unix was invented in the 70s. MS-DOS was released in the 80s. What's more is that MS-DOS was never intended to be compatible with the Internet. No one knew that in the 80s we would be using the Internet primarily on computers. Microsoft saw the future of applications that allow you to type and compose and paint.

Unix was invented by two telephone companies. Unix was invented for networking (for the Internet). Now I realize that Mac OS 9 and back had some serious problems. They couldn't even fully multitask. Now, however, with Macs utilizing UNIX they are much more secure than either the old Mac OS or Microsoft's current XP. It puts Microsoft in an extremely sticky situation. The can't completely change their OS with Vista. If they changed it, then there wouldn't be any working third-party software at its release.

Apple will get more and more threats. YES. But it won't get as many as Microsoft. The OS has been around longer. I feel for you guys who have to run virus-protection this and spyware-protection that.

Who really cares.

Windows: Install an anti-virus program and a firewall.

Mac: Turn on the firewall.

Move on with your lives. Don't be so damn paranoid.

Mac is safer than Windows, not more secure. But that's only because there's more money in attacking Windows. Let's see ... fewer than 5% of all computers are Macs, more than 95% are Windows. So, assuming both user communities are equally gullible, attacking Windows provides over 19 times the return of attacking a Mac.

Put it another way. If you are willing to forgo 95% of your income, I will willingly accept it. But I'm not willing to share my income with you, so I'm going to employ all of the security tools and tricks that are practical.

For the record: my Macs at home have firewall, A-V, and a few other security tricks. Which makes tham almost as well protected as the Windows machine I have at work which have the same protections plus a few extra "enterprise" layers that filter out crud before it reaches my desktop. At home, I don't have the budget for the extra boxes to run (really expensive) "enterprise" security tools. So I rely on those "few other security tricks" to do that extra crud filtering at my desktop.

BTW, my job title includes the words "Security Admin." Paranoia is a professional asset, but firewalls and A-V are cheap speace of mind solutions even for a Mac user.

Nobody can guess if Apple will do a better job at fixing security than Microsoft, but everyone can imagine they will. Apple has the experience of seeing Microsoft's arrogance in treating its clients. Let's hope this is enough to get Apple to work with the Unix community to fix problems.

The one thing we can foresee is that Microsoft is closed-source and bugs have to be fixed by them. OSX shares a common thread with Unix which is constantly maintained, tested and probed by million of people.

In the end I run my Mac with a firewall included in the package but I run once in a while when I absolutely have to my PC with a firewall, anti-virus and a lot of precaution. The fun in PC usage is ZERO. The fun in using my Mac is HIGH.

Don't forget that the only Apple OS's that had viruses were those with NO memory protection. Mac OS before Mac OSX was wide-open--even page zero where all the system's data is kept was unprotected. Early Mac programs expected this which is why they had to run under their own environment (classic) under OSX. Windows has the same problems as the early versions of Mac OS.

It all comes down to context and awareness. You should be aware of your exposure to any threat, based on the context in which your systems are running. That holds true for all platforms. Given the recent state of hightened awareness...I'd say Apple is doing a very good job when it comes to disclosing security issues in their products (or responding to discoveries from others) as well as remediation of such issues.

I dispute the subtle implication that the AS/400 (iSeries, i5, whatever they're calling it now) is "as" vulnerable as a PC. The OS/400 object-oriented design precludes certain programmatic hacks like buffer overflows and data malformation. Granted, it's possible to crash a service, even if you couldn't execute arbitrary code.

HOWEVER, Grimes makes valid points regardless of an OS's particulars. Which point seems to be that you must be proactive about enabling and beefing up your OS's security features. Every OS will be as safe as a public restroom toilet seat if you don't take prudent precautions. Assume nothing.

Is Apple really better at security than Microsoft? Surely you jest!

Let's see -

100,000+ viruses (trojans, spyware, malware, etc) for Windows
0, Zip, Nada viruses (trojans, spyware, malware, etc) for Macs.

And please don't retort with the 'Security thru Obscurity' Myth. No one believes it. [Besides the numbers don't work. For example, if Macs have a 5% market share they should also have 5% of the viruses. Obviously they don't]

Simply put, Grimes is full of it. InfoWorld should be ashamed to employ a writer who writes such drivel under its banner. In 1986, the year that Grimes claims to have gotten into security, the dominant computer platform available to the average user was the IBM PC or compatible running PC/MS-DOS. The Macintosh was just two years old. Windows was used primarlily to multitask DOS applications. The Apple ][ was on the decline. Without question, the IBM PC/compatible/PC/MS-DOS platform had more viruses. I have never seen a count of the Apple ][ viruses, but that number added to the 26 or so Mac-exclusive viruses cannot approach the number of MS/PC-DOS viruses in the wild in 1986.

Let's see.. Back in roughly '88-'89 I've seen Mac virusses like nvirA and nvirB. Because of the way MacOS was build, it was relatively simple to stop unauthorised access to devices. One anti-virus program and it was done (can't recall the name now - not really important). Otherwise one would only write a virus limited to one single model Macintosh. The model you found a way for, to write directly to he hardware in stead of going through the toolbox - or even one level deeper.
At least, that's what I've found.

In the classic days, I believe it was at the end of '89 or halfway '90 (could be a couple of years later), there were some 35 known virusses for the Mac. And it stopped. I haven't seen more after that. Maybe it was because virusses which could really surpass anyting were too hard to write? I don't think market-share is relevant, because the market-share in education was sort of the other way round. And it seems that wizz-kids and the lot are the prime sources of virusses, or aren't they? Grown from the education-sector.

It was the MS-DOS era (with floppy-transmitted virusses), where GEM (or whatever name it carried was a first "true" graphical environment for PC's. Windows came alonge and we all know the rest. When wizz-kids discovered PC's and the ease to write virusses for it, guess what happened?
Anyone recall macro-virusses for a.o. MS-Word???
They could be carried form PC to Mac to PC without the lot of them being able to do any damage on the Mac (especially when it ran anti-virus, stopping unauthorised access to the internals).

A few years later, It 's also the era of the Mac webserver. And the Swedish contests to hack it straight from the box. With no success. Second run they got it - due to third-party software.

It's not that I say Mac's aren't vulnerable at all. Just looking at the results so far, it's time the anti-Mac suite or those tying to defend their precious Windows platform and justify their incomes, put a lid on it and have a real look at what they're working with all these years.

Or are you all trying to argue with results? Time and again?

To me it sounds just like those email-hoaxes you're encouraged to forward to the rest of your address-book - and the hurd follows. A lot of noise, no substance. Best to be ignored.
Ever tried to educate your co-workers/family/friends on that?
You can try to teach a pig to sing, but you annoy the pig and waste your time.

Be aware... a good policy on passwords/accounts etc. is a no-brainer. The weakest chain is the user - as always.
But a good policy doesn't make up for a worse design. Period.

My 2p worth

Paul

Sean DALY said: "... simplifies remote hacker access to Windows system internals, a serious architecture mistake absent from other browsers and other operating systems."

I don't think this is a mistake at all. It's been known and left as-is for so many years, it's now a desired design feature. Without it, there would be no billion dollar anti-virus market and all those IT employees.

Paul: Disinfectant. We ran it on 50 Macs. It was a champ. Free and it worked better than Norton. Frankly I think the reason virus stuff died down on the Mac is that you have to pay a premium to buy a Mac. If you're paying to join the exclusive gym - you're less likely to spray graffiti all over the place.

Of course Microsoft does themselves no favors by selling a hacker's paradise. Look at a product like Exchange - which could be Groupware - but is realy like selling someone a bucket of bolts and calling it a car. Sure - if you want to put all that together you can make a car. (Even worse - Active Directory - a huge bucket of bolts.)

This strategy of selling raw functionality instead of polished applications drives the entire community down into the bits.

Back in the Mac days we had integrated email, conferencing, etc. It ran on a little Mac SE.
No problems. Very lightweight. But now we have Exchange, only because everyone else has it.

In general I disagree with the "common knowledge" that Firefox or the Mac is "more secure" than IE or Windows. Its all in the application of these products.

There is a higher cost to join the Mac club, so there are fewer attacks. But they are there nonetheless. If you claim there are none, simply check out Mitre's CVE (Common Vulnerability) list. Is there a cost? Yes, but not so high as in Windows.

There are issues with Firefox as well as IE, so don't kid yourself there. How are you going to remove IE from Windows anyway? It's really not practical to remove IE since Windows relies on it.
What browser does your email kick off? That's what some malicious script will launch...

Its all a balance...