April 14, 2007 | Comments: (0)
A few days ago, I posited a few simple reasons that Apple's Mac OS X was inherently more secure than Windows. It appears that this touched off a firestorm, with a summarization of that post garnering over 3500 diggs, and trackbacks coming in from all over the globe. It was even summarized in Portuguese.
I've been reading a few of the thousands of comments on links to that post on various sites, and have seen more than a few folks take issue with my observations and Apple in general. These statements seem to fall into a few common themes:
There are more, but let's look at these six for now.
There's definitely truth to this statement. Botnets are moneymakers, and all botnets are comprised of Windows systems. Writing code that would attempt to hijack Macs wouldn't be worth the time. But then, that's not the only way to make money from malicious code. Tons of spyware and malware are written simply to advertise to the user. Bonzi Buddy, et al, are just vehicles to land ads on the users' desktop, and there's plenty of money to be made there.
Now, let's combine this claim with the "Apple users are hipsters" and "Apple hardware costs too much". If virus writers are in it for the money, and all that money comes from advertising in one form or another, then landing malware on OS X would deliver the perfect demographic to many advertisers. If you could guarantee that young hipster, counter-culture computer users with too much money would be seeing these ads, you'd have advertisers at your door with wheelbarrows full of hundred-dollar bills. Given that fact, it must not be worth the effort required to compromise OS X, at least for now.
On the flipside to this argument, there are thousands of examples of malicious code targeting Windows systems that cannot be monetized. I'd love to know how anyone besides the anti-virus companies is making any money from the ANI vulnerabilities flying around.
I started off that post remarking about the new "virus" for iPods running Linux. Enough said.
I never really understood this one. Can someone please enlighten me?
Indeed, the base of NT/2000/XP is light-years ahead of the Win95 base, and by officially killing off the older codebase, they've made huge strides in security. However, the code sharing between the two is deep in order to ensure backwards-compatibility. This is how we wound up with kernel-level printer drivers, no concept of privilege escalation, and arbitrary code execution vulnerabilities on Windows 2000/XP. This is mitigated somewhat in Vista with UAC, since it prompts for everything, but that's closing the barn doors well after the horse is gone. Enough people will disable this annoyance to render it mostly toothless.
Don't be fooled -- wowexec will be with us for a long time, and with it, the ghosts of hackers past.
I've been seeing "real" admins flocking to OS X for the past few years, myself included. Over at NOTN, I posted about a recent skirmish I had with a corrupt bootflash on a redundant Cisco 6509 supervisor blade. Note the screenshot is of my MacBook Pro. I write tons of code on my MacBook, administer Windows, Linux, FreeBSD, and Solaris systems, do high-level network construction and configuration, and constantly run lab tests from this system. This week I engineered a datacenter relocation to a new building armed only with my MacBook Pro and a Dell D800 running Fedora Core 6. If that's not "real" geekery, I don't know what is.
My reasons for using OS X have nothing to do with marketing. As soon as it stops meeting my needs, I will move on to something that does. My reasons are more substantial than "it's just so cool and refined": Instant-wake from sleep, a native POSIX OS, native X11, vim, perl, php, MySQL, Apache, high performance, minimal security worries, a plethora of OSS applications, all running seamlessly with Photoshop and Microsoft Office, all without a sizable performance penalty from anti-virus software. Why wouldn't I use it? My big workstations are Linux, my laptops and DAWs are OS X. It's a mix I find to be constantly available, reliable and powerful enough to handle what I can throw at it. Computers are tools, after all.
I'll be getting into this debate more in the coming weeks, so stay tuned.
Posted by Paul Venezia on April 14, 2007 01:35 PM
April 09, 2007 | Comments: (0)
The Myth of Apple's Insecurities
In case you missed it, there's a virus for the iPod. Yep, that's right, your MP3 player is a veritable hotbed of virus activity -- but only if you're running the iPod Linux distribution, and only if you take great pains to make the virus function, since it doesn't really work. We can argue about whether or not this code actually constitutes a virus, but that's not the point I'm trying to make.
The point here is that if it has a CPU, hackers will try to break it, and virus writers will try to write a virus for it. Given that there are probably only a few hundred -- maybe a thousand -- iPods running Linux out there, the fact that someone took the time to write this virus, or malicious code, is an example of why Apple detractors clamoring that Macs aren't a target due to the lower market share are all wet. I ranted on MOAB two weeks ago, pointing out that most of their bugs were either local exploits or issues within third-party applications, and there has never been a virus in the wild for OS X, much like there's never been one for Linux. The difference isn't market share, it's the foundation of the operating systems. Given that most virus authors and hackers are in it for the ego, don't you think that there would be a huge incentive to be the first one to write a widespread OS X, Linux, or FreeBSD virus?
If an OS is built on shaky ground, everything layered on top will suffer. This is the position that Microsoft is in now. Apple was in this very position at the end of the last century. They decided to start over, providing a clear upgrade path and supporting legacy applications on the new platform. OS X was developed from BSD and NeXT, built on a foundation that dates back twenty years or more, with the OS base code freely available for download, yet there have been no significant security vulnerabilities in OS X. This isn't due to market share, this isn't due to lack of attention, this is due to proper coding and development. That isn't to say that there are no chinks in Apple's OS armor -- there definitely are -- but the foundation is solid, therefore those chinks aren't likely to destroy the whole shebang. The same is true of Linux, and most UNIX-derived operating systems.
Microsoft OSes began with no security. Windows 95 through ME had varying levels of front-end password-based security bolted on at some point, but it was hardly layered through the entire OS like UNIX. They weren't multi-user environments so interprocess security wasn't seen as an issue, and remote exploits were all over the place since they weren't built for network use. The NT base of Windows 2000, XP, and now Vista provided a much better security model and had some multi-user roots, but had to carry the burden of compatibility with code written for the original, completely insecure Win95 base. Simply put, Microsoft had the chance to beat Apple to the punch and make a giant leap back in 1997 or so, killing off the existing Win32 platform in favor of an NT-based client and server that did not have to run legacy applications natively. They didn't, and we are still paying the price for it today. Even if you're not running an MS OS, most of the spam in your mailbox came from zombie Windows systems in the control of spammers.
I also don't buy into the whole "Mac users are sheep" thing. You wouldn't have gotten me near a Mac before OS X. I didn't like the UI, I didn't like the hardware, and I certainly didn't like the IP stack. It was great in the 80's and early nineties, but by the time OS 9 was released, it was a joke. Way too many features had been bolted on the side, duct-taped to the rear, and glued on everywhere else. Apple had to rebuild their entire OS. They did, with a huge helping of public code vetted over the decades and proven secure and reliable. Microsoft didn't. They're faced with massive-scale exploits like the spreading ANI vulnerability. That affects every Microsoft OS, server and workstation alike, across the board. This gives us a glimpse into the code shared between generations of Microsoft OSes, and it's not a pretty view.
As Henry Spencer said, "Those who don't understand UNIX are condemned to reinvent it, poorly."
Posted by Paul Venezia on April 9, 2007 07:46 AM