First off, I think it is cool that Charles Moore took the time to
reply to my column,
Apple and Baseball:
The Magic Lives On. It is nice to see that we are mostly in
agreement. I think the difference is in the words. While I still think
Apple has the magic (the ability to delight users, surprise experts,
and mystify analysts), I have to completely agree that the je ne
sais quoi quality is going away.
Security Through Obscurity
I am a weird guy who likes to find the right word to fit a
situation. And that brings me to Apple security. The popular phase is
to say that Apple has been using "security
through obscurity".
for me, obscure means little known or vague. I think as a security
argument for Apple this doesn't hold water. The Mac OS is based on BSD
(a.k.a. Unix), and there is also an open source component, Darwin.
Between these two and other sources, there are plenty of people outside
of Apple very knowledgeable about the inner workings of the operating
system.
These brainiacs around the world are certainly smart enough to find
one or
two holes in the Mac's security. The recent
CanSecWest security hacking contest showed that an avenue like the
Safari browser can be used to breach the Mac's security.
The argument for obscurity just doesn't hold up, and as time passes
by, several small attempts have be made to prove that people are just
as capable of creating viruses on the Mac.
Security Through Scarcity
Over time people have pointed to the fact that there are
not enough Macs to justify developing viruses. Another word choice
would be "security through scarcity". In other words, because the Mac's
market share was low, the incentive was low to reach the population of
Mac users. This would be a problem. A Mac computer spreading a virus to
other Mac computers wouldn't amount to as big as an
outbreak as those that happen on Windows PCs. There are millions
more computers that can be infected on the PC side.
This is a good explanation for lack of interest, but doesn't explain
the near zero level of problems.
Smug Mac Users
It is not just the criminals who want to infect computers; some
people will do things just to show they can. Here I think Apple was
smart for the first several releases of the Mac OS X - they didn't
push the no virus issue themselves. Sure, lots of us users were pretty
smug
about it, but Apple was quiet. Starting around the Tiger release, Apple
began to advertise this advantage. And still there were no outbreaks of
malware.
for a while we had the Mac community stopping
the "Write a Mac virus" contest to be the first to write a virus
for the Mac. I call this the "don't pee in your own pool" philosophy.
People knew that Macs were vulnerable, but why go out of your way to
make trouble? As long as we have a good thing, leave the virus writing
to the idiots on the PC side - Windows users put up with that kind of
crap every day. I am very much behind this approach.
Let the security folks report the flaws for Apple to fix and not
release their stupid proof of concept malware in the wild for criminals
and idiots to exploit.
This barrier is falling as the Mac's popularity increases. People
just can't stop holding contests like the
$10,000 Mac hack bounty or the
CanSecWest contest.
Despite all the promotions, we have few problems in the real world
outside of these contests. If you want to know why, the answer is
because of Microsoft - more on that next time.
