Does Sophos' Switch Argument Hold Water?

Wednesday's press-release-borne message from security firm Sophos that the best way for Windows users to compute untroubled (or less troubled) by malware is to switch to Mac OS X drew more than 500 comments; read on for the Backslash summary of the conversation.

Several readers pointed suspicious fingers at Sophos' motive for issuing the message in the first place; no one can call a company whose products are meant to offer "protection from viruses, Trojans, worms, spyware and spam" a disinterested party in evaluating OSes. Techguy666, for instance, writes "We use Sophos at our workplace. I also use other antivirus and antispyware — often to clean up the crap that Sophos doesn't find. Speaking as someone who's familiar with Sophos, I think it's curious that Sophos is telling home users to consider buying Macs. Go to Sophos' website and try to find a home user product ... They don't seem to promote any. If I were a conspiracy theorist, I would think this is a warning shot aimed at Microsoft because of MS's sudden focus on security, to the detriment of companies such as Sophos; send Microsoft's small clientele to the enemy &mdash it's no skin off of Sophos' corporate nose. ... They're talking to an audience that they don't serve or interact with."

(To this, an anonymous reader writes "Sophos has a number of fat contracts with institutes of higher learning, like mine. Every student has access to a fully licensed copy of Sophos if they so choose — available for Windows 98-XP, Linux, and OS X.")

A subtler gripe comes from Kope, who calls the metrics used by Sophos "misleading," and writes that "[s]aying that the most common malware only effects Windows, therefore Macs are more secure is simply bad reasoning. ... I'm sure that 'out of the box' Macs are better. But it's not 'out of the box' that I care about. My concern is level of security during actual operation. I have no problem believing that Macs are more resistant to malware, but this measure doesn't show that to necessarily be the case."

ZachPruckowski agrees that Sophos's claim is based on a "dumb study," but not that there's an easy line to draw between out-of-box and long-term use: "For 75 percent of the world, 'out-of-the-box' == 'during actual operation.' It's those people who get infected by malware. Don't expect users to do any extra work beyond going straight to Office or IE or their email app. Thus, 'out-of-the-box' is a pretty important state."

Whatever the company's reason for issuing what many Slashdot readers would consider the farthest thing from a discovery, no reader's comments seemed to cast doubt on the conventional wisdom that Mac users are at present far safer from malware than are typical Windows users — the reasons behind that situation, though, are hotly contested. One version of the story is that OS X, by dint of its design (including UNIX-style multi-user orientation and compartmentalization generally) simply can't help being more resistant to viruses and spyware; Windows intentional integration of operating system components has let security flaws in one small part of the operating system (such as Internet Explorer or Outlook) become flaws in all the others, too.

Reader cwgmpls, for instance, doesn't buy the argument that OS X is safe only because it's more obscure than are the various versions of Windows.

"Even if OS X is only 5% of all PCs in the world, surely there are a good number of hackers out there who would love to release an OS X virus into the wild, just to prove it can be done. Besides, the total number of OS X installs today is certainly greater than the total number of Windows installs that existed at the time the first Windows virus was released.

Most hackers don't need a huge number of installs to stroke their ego. The opportunity to prove that OS X is just as vulnerable as Windows should be more than enough to motivate someone to release an OS X virus into the wild. Yet no one has done it.

There must be more at work here than OS X's small market share. OS X must be inherently more secure than Windows to not have a virus in the wild six years after its release. Certainly there are enough hackers out there who would love to show their prowess by writing an OS X virus, even for the relatively small number of OS X installs that exist; but nobody has been able to do it yet."

Several readers assert that the real reason has little to do with the hardware or the software used by the rival camps, and is mostly an issue of user education and sophistication. Typifying this argument is reader WombatControl's (unsurprisingly contested) conclusion that "the Mac userbase tends to be a lot more savvy than the Windows userbase." His argument, in short:

"I'd hazard a guess that the vast majority of Windows malware comes not from the inherent insecurity of the Windows platform but from users doing dumb things. Someone who installs some stupid little weather applet and gets infected with spyware got infected not because of a flaw in the system, but because they didn't bother to determine whether or not the source of their software was credible or not. Even if they got a prompt like Vista and OS X present they'll still authorize the program. There's no patch that can be applied to a system to prevent stupid users from mucking it up. ...

Macs are more secure because Mac users have a much tougher stance towards crapware. Mac users tend to be much more technically proficient than the average. If that "zero-tolerance" policy changes, I'm not so sure we'll see an increase in the amount of malware targeting Macs.

OS X does a great job of providing technical barriers against malware, but nothing can prevent malware that uses social engineering to do its work. Mac users are safer because they choose to be - but if you get a group of users who have no awareness of security and will blindly execute anything they come across, even if the system specifically tells them not to, that could change very quickly."

Several Windows users agreed with the thrust of this argument — namely, that no system is truly safe from a determined, malicious attacker unless users (or their trustworthy proxies) head off not just automated attacks, but social-engineering tricks that really have little to do with the OS a user is interacting with. Their approach is based on heading off malware.

Readers like snwod (a sometimes user of Mac, Linux, and Windows) offered a level-headed synopsis of this approach: "I run a good firewall/anti-virus combo along with using Ad-aware and the rest. I don't click on banner adds and I don't install strange pop-up programs. Pretty simple really." Result? "[I] haven't had a virus or malware problem in years."

To this line of reasoning, though, aphor says "My grandma's Mac isn't infected, and she clicks on everything! I'm calling bullshit. Please produce the infected Mac. One synthetic test does not make a real-world case. I run the system updater on my grandma's Mac about 3-4 times a year. That's probably 1/10th (liberal estimate) of the exposed vulnerability that a [Windows] box has."

Even if sophisticated trickery might fool any user, Savage-Rabbit thinks avoiding mechanically the more widespread script-kiddy attacks is nothing to sneeze at: "I bet there still is a fair number of Windows users who envy the Mac zealots for not having to waste their time pruning Norton/Panda/Macaffee/etc... anti-malware suites with monotonous regularity never mind the endless nag screens these anti-malware suites throw at you."

The status quo has a way of not staying that way in the long term, though, and reader spyrochaete contributed one of the several (and sane) cautions against hubris on the part of OS X users, though the same logic applies to Linux and other systems whose security may be real and considerable but is grounded in part on being a smaller target for online vandals and thieves than is Windows. As he writes, "They said the same thing about Firefox, but that's starting to change. Mozilla is fixing holes all the time and I'm starting to see ads that get through Adblock (stupid Mediaplex). This is just an article about security through obscurity — the best kind of security according to too many Apple fans I've talked to. ... Faith in obscurity means you'll be totally unprepared when disaster strikes."

Amen!

Thanks to all who took part in the discussion, especially those readers quoted above.

Slashdot now run by pointy-headed managers

This story-about-a-slashdot-story idea must have come from 'management'. Soon to be featured in Dilbert.

Re:Slashdot now run by pointy-headed managers

[vought]

At least this post is written in English and is comprehensible. Try making sense out of the "promote my blog" Apple non-post from earlier today.

I think Slashdot is in serious need of maturity. This is not 1998 anymore, and stories like the one I cited make this place look like it's run by 14-year-olds - the PowerPoint deprived intellectual partners of those pointy-headed fools we love to hate. Immature 14-year-olds who are failing English, at that.

What a joke this place has become - the commenters are as, uh, great as always, but the stories, editing, and crap that makes it to the front page are ridiculous. I mean, yay for the redesign, but pissing in a jeweled goblet doesn't make the piss taste better.

Out of the box is one thing

[Saven+Marek]

Out of the box may be one thing, but continuing use is something else.

Don't let anyone tell you macs have no malware, it's just not true. from Renepo the rootkit, to php worms that send out spam infecting message boards, to word macro viruses to the recent oompaloompa, they affect macs as badly as they can affect windows.

One thing that tells mac users they have fewer viruses is poor antivirus software. A friend of mine works in a mac shop and often people will come in with bizarre problems with their macs. No networking working, slow networking, random crashes, won't wake properly from sleep. Scanning with an antivirus package shows no viruses, yet a software reinstall fresh from scratch fixes many of those problems. What does that tell you caused the problems? Some malware running on the machine is what.

When mac software gets up to scratch in detecting the worms that are out there for macs, that is the only time people will get the truth about maleware infections. Sophos need to get off their ass and make something more worthwhile for macs and then we'll see who goes saying what about security.

news?

[Bakadan]

This isn't news. It's just pulp to get people riled up and screaming. Besides, it's nothing we haven't seen before.

Re:news?

[garcia]

Besides, it's nothing we haven't seen before.

Oh come on now. It's not like this exact story and many of the comments were just posted earlier this week or anything.

Well grandma...

[dedazo]

aphor's "Grandma" needs another 150 million or so people to join her in order for someone to develop an interest in creating malware for her operating system. Then it's all just a friendly "Please provide your root password" dialog away.

Is OS X's attack surface smaller than Windows? Sure it is. Is it impervious to user stupidity? Absolutely not. No operating system is. Linux and OS X will probably eventually get there, and the complain we'll be hearing instead of M$ is teh fuxxorz will be well, what do you expect? users are stupid!!.

Just wait, and you'll get there eventually.

[This post is brought to you courtesy of the 300 million absolutely clueless Windows users who think it's OK to run executables in password-protected ZIP files that arrive in their inboxes with lead-ins such as "hello, teh info yuo requesteded is in the attachments". We can't wait for you to take them away]

Re:Well grandma...

[rjstanford]

Disclaimer: I use Windows/UNIX/OSX. I like OSX, but even with IE7 on Windows I haven't been infected. So...

Then it's all just a friendly "Please provide your root password" dialog away.

Hmm. I just realized that this is a potential problem -- a major potential problem -- with the OSX and now Vista (and, I believe, some Linux) GUI security paradigms. We're training people to be ready to enter their administrator passwords whenever they're prompted to. And Ma & Pa User won't know when this is a good thing. Especially when badly behaved programs like Adobe's suite raise dialog after dialog during updating. What's to stop EvilSoftCo from creating a program that, during its first-time startup, just creates a dialog box that matches the standard one, and gathers your password?

Hmm. Not great, methinks. Although surely someone must have thought of this already...

Re:Well grandma...

[TheRaven64]

Microsoft are the only people who ever solved this problem sensibly, to my knowledge. On Windows NT, you were (I don't believe you are with XP, and it's an option with 2K) required to hit control-alt-delete before you entered your password. This key sequence sent a hardware interrupt which only something running in ring-0 (i.e. the OS) could catch. This meant that it was impossible to spoof the NT login box; as soon as the user hit control-alt-delete, control would be returned to the real login prompt (or a system dialog).

I proposed two years ago that Apple implement something similar. Create a special key combination that would be caught by the OS and passed to WindowServer, which would then spawn an alert if the app presenting the dialog was not authorised to. This is particularly useful for Keychain access, for example. I don't mind an IM program having access to my login details, but I do object to it having root access. When I install a new version of it, I have to enter my keychain password (which is my login password, by default) in a dialog box that (hopefully) the system presents, but I have no way of verifying that it is the Keychain subsystem that is going to get the password, not the application.

Re:Well grandma...

Poppycock.

Windows is running in protected mode at the login screen. Generating a hardware interrupt from ctrl+alt+del was a bios feature.

ergo, if you are running NT, 2K or XP then keyboard is handled by the OS rather than the bios and there is no automatic hardware interrupt. It only works in real mode!!!

Also, what if you are using a USB keyboard?

Piss off moderators.

Goddammit moderators, it's this kind of moderating that makes the problem worse. I run a mac house, and word macro viruses are the bane of my existence. Word is absolutely ESSENTIAL to our business, and currently no mac antivirus software properly rids a mac of word macro viruses, fullstop. We've been through them all, and over & over we end up with client documents coming in, infecting other client documents, leaving us sending out infected files.

It's not a nothing problem you can just sweep under the carpet with a quick moderation, people, it's going to come up and bite you in the ass, and bite HARD.

Don't be ignorant shits.

* swearing included so you can have a reason to mod me down. bah.

Maybe, but they're still right.

[spykemail]

Their motives were questionable. Their evidence was lacking. But they were right. No matter how much the Microsoft trolls talk the fact remains that there is far less malicious software for OS X, even if you take into account its relatively tiny market share. It's also more secure by design, no matter how many minor flaws they find they haven't even come close to what has been (and is currently) wrong with Windows.

I'm not really surprised that everyone supporting an illegal monopoly has been brainwashed, but it's still kind of sad.

Why some OSes are more resistant

[Todd+Knarr]

My thought is that there's three reasons Macs and *nixen have fewer viruses.

• It's partly the lack of market share. That's offset to a large degree by the extra l33t points accruing to the guy who manages to release the first malware to get widespread penetration into those "invulnerable" systems.
• It's partly user sophistication. Except that Macs are targeted at people who're even less sophisticated than Windows users, who don't want to deal with things like the problems added new hardware to a Windows system. You might be able to argue that a Linux or FreeBSD user's more likely to be a geek, but not a Mac user.
• It's in large part inherent system design. The basic design point: the seperation between ordinary users and the administrative user (root). That seperation means that, even if you do get infected with malware, the malware can't spread into the system itself. It can't tie into system libraries, it can't have itself started at system startup, it can't disable system services (like the firewall or the malware scanner) and it can't hide itself from the administrative user. This provides a two-layer defense similar to the layout of a medieval castle: once the attackers break through the outer wall, they have to start all over again breaking through the defenses of the inner keep (while being stuck in the yard between the keep and the wall, easy prey for the defenders in the keep). Changes in market share and declining user sophistication won't have any effect on this aspect of things.

My girlfriend's computer is infected...

[TexasDex]

...with anti-spyware programs!

She currently runs:

• a-squared
• xoft spy
• Ad-aware
• Windows Defender
• Symantec anti-virus corporate edition
• spybot S&D
• BigFix

and her computer runs almost as slowly as it would with a nasty case of malware. She doesn't want to uninstall any of the programs, so she has the cleanest, and possibly the slowest, windows XP machine I've seen. You just can't win. *sigh*

It's hard to measure what they are saying.

Well we're talking about relative amounts. I'm a linux zeolot that owns a few macs and loves them, just for the record.

When you talk about security things and security software people like to have numbers, it makes them feel good. Like the Snort IDS has 3000 signatures (I'm not sure what the latest number is but I imagine it's around 3k) or Norton AV detects 50,000 viruses where non-Norton AV may only detect 20,000 known viruses and some other IDS may only have 100 signatures. Does that make Snort and Norton AV better because they have bigger numbers? For certain types of audits it might be better but for real security it doesn't matter that much. At any given time you're probably only realistically concerned with a smallish handful of IDS signatures or viruses. The old "stoned" viruses for example (of which there are dozens of variants) simply aren't interesting or even terribly important today. This has a direct correlation to desktop security. Basically, the number of holes as a raw metric isn't so interesting, you're really concerned about the holes you have that people don't know about (or maybe they do) Fundamentally though, at any given time there are only a handful of interesting viruses that are active or interesting exploits that people are really using, big databases of them look better but don't mean much.

Mac OS X isn't built using some exotic technology (or maybe not exotic, Ada or Java would be exotic for an OS) that somehow creates fewer bugs. It's in C, C++ and Objective-C, not that different from windows. It has gone through some porting which might lead to better code and coding practices. Relatively speaking the bug densities should be fairly similar. Apple is different from MS in a somewhat larger way though, they don't have the same resources and so they probably generate a lot less code. They also have to please Steve and rather than adding feature after feature which has kind of been the MS way, they've taken a much more simple route. Less code is less bugs. More features probably does mean more bugs but I'm not sure I've seen that really established as a general truth anywhere.

The crapware point is an interesting one. Personally, since I've been Mac OS Xing it, my taste and tollerance has changed. I don't know that it's particularly more secure but I do expect things to work and I think I have a higher standard than I have in the past. I know on windows (which I don't use much) I've been less expectent of things working. In the wildwildwest days of Linux I got really use to v0.4 and 0.7 of various things working enough to get some stuff done. On OSX I pretty much demand that things work, I demand that apps are "good." (TM) There are some emotional things that may result in better security, I don't just willy-nilly install stuff, I like some vendors better than others, Apple for example has a track record of building really good software for OS X, I'm more likely to use their shit. Nagware is simply a no-go. To be completely honest, there isn't that much stuff that I really *have* to install on it to get it up and running and productive. I can't remember not "enhancing" a Linux install or windows install before it was "useable"

Maybe the other biggest thing and I couldn't back this up with real science anywhere, MS has a tremendous legacy to support. Simply removing DCOM or OLE or Active-X might fix a ton of security problems but windows wouldn't keep working. I think Apple may have learned some of those lessons form AppleTalk back in the day; I don't even know if you can make OS X do it, I really have no need.

The reason for sex

[Colin+Smith]

I'd have to use social engineering methods via e-mail or IM, and the majority of people in both mediums won't be using Macs.

There you go. The reason sex exist at all and why monocultures are dumb. Diversity and variation makes life very difficult for diseases.

In fact the security advantage of OSX isn't likely to dissipate all that much, a monoculture will always be more likely to spread diseases, all it takes is a single flaw and there are going to be plenty of flaws in millions of lines of code.

Let's take a look at the arguments.

The article and the thread still spout the same uninformed reasoning about why there aren't OS X viruses. Let's take a look at each of the bogus reasons.

"It's because there aren't many OS X machines."
Bogus. 4% might be a small percentage, but there are tens of millions of Macs out there. Not only that, Apple users tend to be smug and Apple itself puts out a constant vibe of superiority, plus a very visible chain of elitist boutique retail stores. Is there not a hacker on Earth motivated to take down those arrogant Mac users?
On top of that, with millions of OS X machines out there, the number of self-propagating viruses in the wild should be greater than zero. But the number is actually zero.
Surely something more than "security through obscurity" is at work here.

"Mac users are more sophisticated."
Bogus. Aren't Macs supposed to be the computer "for the rest of us," the non-technical, the artsy-fartsy, the writers, the musicians, the English majors? Those people are NOT technically savvy, yet they are the Mac's core users.
Macs have fewer viruses even though their users are not technically oriented and are not security savvy.

"All you have to do is trick a Mac user into entering their root password."
Bogus. The root user is not enabled by default in OS X. The non-technical users mentioned above are not going to know how to turn it on.
You might be confusing the root and administrative passwords, since there isn't that much of a barrier between the two in Windows.

The Mac is safer because of the nature of Unix architecture and Apple's own safeguards, not because of obscurity or user sophistication. There are things you can get away with in Windows, like certain e-mail-based viruses, that are simply not allowed in OS X. Mac OS X is not invincible, but clearly there are structural advantages to how OS X is set up for security.

Remember, the number of viruses in the wild for Mac OS X is not proportional to market share, user base sophistication, or anything. It's pretty hard to correlate the number of viruses to any single cause when the number is ZERO.

Intel switch resets clock on Mac viruses

[SuperKendall]

We all know a lot of exploits make use of weaknesses in code like buffer overflows to run the attackers code instead.

Well what happens now that the whole Mac architecture is shifting to Intel? It's substially harder (almost impossible) to write a buffer overflow attack that works on two different processor architectures. You have to choose which architecture your attack is going to execute code for.

So then if there are not enough Macs around to write exploits for today, it stands to reason that there will not be any significant Mac exploits until the number of mac users at least doubles from current figures, possibly even more.

Yes there are also attacks that attempt social engineering on a user but they often work in conjuction with more classic code exploits to gain more permission than they would have otherwise.

Re:Perhaps not watertight, but not a sieve, either

[TheRaven64]

Mach does very little in XNU (the OS X kernel). It handles threading, scheduling, and VM. Everything else is handled by IOKit (device access) or the BSD subsystem. The BSD subsystem is a weird hybrid, originally forked from 4.2BSD (I believe) and recently injected with NetBSD (in the Rhapsody era) and FreeBSD (more recently) code.

The fact that Mach was designed with security in mind is why no one sane used it. Mach checked port rights on every message send, which made a Mach system call and order of magnitude slower than a BSD system call. While people might be willing to sacrifice 10-20% of their power for security, 90% is too expensive. This was exacerbated by the fact that Mach required a lot of context switches to get anything done. On OS X, this is irrelevant. The entire XNU kernel runs in a single address space, losing the memory protection benefit that a multi-server Mach-based OS (like Mach/HURD) gains. In addition, Mach messages are only used at the Mach layer (and for a few low-performance things, like notifying the GUI of kernel-related changes), removing this benefit.

Re:Mac users are unable to identify hax anyway

[vertinox]

So there is no way possible for Mac user without proper tools (which he dont have and dont want to use) to identify and report any intrusion.

Huh? What's wrong with typing "netstat -a" and "ps -aux" in the console?

Thats all the tools I need to detect unathorized connections and programs.

I'm in the "Macs are better designed" camp

[MBCook]

No question in my mind. I'm not saying they are invulnerable. Heck, the community is so tight knit that if you could get something downloaded (say that MacSaber program a few weeks ago) and put something in it, you could get the virus out there. It may be found fast, but you got it out there and by then you may have done damage.

That said, if I were to run MacSaber for the first time (or some little game or widget or whatever) and I suddenly got a box asking for my root password, you can bet I would be stopped dead in my tracks. You just DON'T SEE those boxes unless you are doing system updates or installing software like Office. If you just download a program and double click on it and get that, you have to wonder what it's doing.

Now before I switched last year, I had a PC and I ran AV and all that stuff, but it never did any good. The fact is I had a clue and could have run with nothing but my firewall and been fine. You are not guaranteed to get malware on Windows. But let's talk about my little sister and my parents. They download stuff. And since they don't know where the reputable sites are, who to trust, which programs are good, etc... they find that stuff easily. Every time "the computer is broken", it is almost inevitably malware. That or they turned something off I installed they shouldn't have (Disk Keeper, for example, which is practically required to run Windows IMHO). Same thing with neighbors I help. Even if they are somewhat savvy and can use the computer and install hardware, it still happens to them. It's pathetic. There have been viruses that you just have to preview in Outlook to get your OS infested. That is just plain bad design.

After using my Mac, it is clear to me that any idiot who sits down and uses a Mac day to day is less likely to end up with Malware. From the root prompts, to the fewer security holes, I think there is a clear reason for this divide. Mac users are not smarter. There is a very sizable portion of them that are just like introductory Windows users. They do the same stupid things. The fact they aren't ravaged by malware says something.

Now I won't deny that the Mac's market share has played a part, you'd be an idiot not to. However, I think the virus-in-the-wild count for OS X (hint: 0) means something. It means instant fame for the first person to make a good virus for OS X. You get it out there, even if it doesn't do much but change people's wallpaper or whatever and you get your name EVERYWHERE. Slashdot, Digg, all the Apple sites, the mainstream computer media (PC World, et all). That is a REAL tempting target. Let's not forget that every time a story like that gets published, it is just someone publishing a big bulls-eye on the Mac. But the market share helps with the pop-up ad problem. How many ads do you see on the 'net that look like a Windows dialog box telling you "Your computer is infected, click here". Guess what, people do. In my house people do, my neighbors have. It tricks 'em. Most people on a Mac wouldn't be fooled by that (just because it looks different). So that kind of thing does make a difference. That report the other day that 80% of users can't tell the difference between a real toolbar and a picture of one was scary.

Macs aren't immune. The OS is better designed.

As for Linux, it's better designed too, but it also has some other influences (for example, it would be tough to make a virus that worked reliably across different kernel versions and distro configurations). But again, there are SO MANY Linux servers out there that there must be enough run by idiots that if it was just as bad as Windows we would see a reasonable number of viruses out there (ie.. more than next to none).

There was a report in my PC World today (I think it was) that was basically scare tactics about viruses ("10 Myths That Make You Vulnerable" or some such). The one about Macs and Linux being safe really made me mad. While they are not immune, Windows for the average computer user is a leaper colony compared to running Mac or Linux.