Slashdot Mirror


User: _Sprocket_

_Sprocket_'s activity in the archive.

Stories: 0
Comments: 5,182

Comments · 5,182

  1. Re:Once upon a time on PBS Web Sites and Databases Hacked · · Score: 1

    A symptom, more than a cause, really. I think GP's point was that the decision makers were more enamored with shiny things than the really important things, like keeping their customers' sensitive information secure. And in that, he is 100% spot-on.

    I'm not sure that they're even related that much. They're obviously related to some extent. You don't have to spend money on the security / upkeep of a system you never put in place. But design decisions aren't (always) mutually exclusive to security context. It's not that someone is dumping all the budget into buying flashy widgets with the knowledge that they won't be able to properly pay for the upkeep of that system.

    The concept of flash over function does echo other issues though. It's much easier to spend X dollars on a site redesign and see what that budget paid for. All the technobabble (management tends to see our world as black boxes and technobabble) about what makes those changes exist can be easily ignored for the fact that management can identify and interact with that change. Ideally, spending Y dollars on the whole security process will provide little if any immediately visible change. Management is going to have a much harder time understanding what their budget paid for.

    That's the challenge we've faced for over a decade. It isn't flash over substance. It's understanding what is required to do things properly. And what's more, that challenge applies even within IT itself.

  2. Re:Once upon a time on PBS Web Sites and Databases Hacked · · Score: 4, Informative

    Now I find it illuminating. It seems that too much effort is spent making Javascript animated menus and Flash sliding widgets and not enough effort is spent on patches, updates, and decent password policy. Corporate culture prioritizes pretty pictures to sell us more shit we don't need. Meanwhile our personal information - and therefore capacity to buy said shit - is in danger of being leaked.

    The Javascript animated menus and Flash widgets are cheap. They're (largely) a one-time cost that is often subsidized by being the same underlying code being packaged and sold to multiple clients. Hire someone to deploy a customized CMS and voila - done.

    Patching, updating, and enforcing standards is expensive. You have to hire people to constantly follow the process. Those processes take paid hours. If you're doing it right, you're hiring staff that aren't also implementing aforementioned systems serving menus and widgets. And to avoid down-time and (most) ugly surprises, it takes additional investment in infrastructure as well.

    You're right in so far as organizations often get it wrong. But flashy widgets are not the reason.

  3. Re:The Security Dance on Duplicate RSA Keys Enable Lockheed Martin Network Intrusion · · Score: 1

    WTF? Everything I wrote is pretty much self-evident.

    Getting their unclass network breached is a freaking obvious problem.

    Well, yes. Everything is pretty much self-evident except for the part that goes:

    That makes for all kinds of motives for a "controlled" leak like this, for all we know it is 100% spin designed to cover some other worse(?) scenario.

    What's the motive for a controlled leak? What possible worse case scenarios. If you're going to invoke conspiracy, at least entertain us with one.

    It is no secret that the military uses RSA tokens all over the place either. It is also no secret that RSA guards the source code at the heart of their authentication system pretty jealously - not even including it in their SDK. And the idea that RSA tokens may now be duplicable due to the prior theft of that source was in the goddamn HEADLINE of the story here.

    I agree for the most part. Although the big question is exactly what RSA's intrusion meant. We don't know how this intrusion endangered the SecurID product line. And that's the rub. IMHO, a security company shouldn't be leaving questions about their products like that unanswered.

  4. Re:Does RSA store usernames and pins? on Duplicate RSA Keys Enable Lockheed Martin Network Intrusion · · Score: 1

    Trying different PINs with the same token will cause a lockout, but will trying each token once with the same PIN? I'm pretty sure that would go unnoticed, especially if the attempts were made from different proxy servers to mask the source IP all being the same.

    A combination of PIN and Token Code act like a password. A bad auth attempt is a bad auth attempt no matter whether you used the wrong PIN or gave the wrong Token Code (although the SecurID system will log when it's noticed a correct token code and bad PIN or when the user might have transposed PIN and token code). So it doesn't much matter whether you're brute-forcing the token or the PIN - both will generate failed auth attempts and eventually bump up against any account lockout mechanism (which should be in place according to FISMA requirements).
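    The server-side behaviour this comment describes, as an added example that is not code from the thread or from RSA: a verifier that treats the PIN+tokencode pair as one passcode, counts every failure against the same per-account lockout counter, and only uses the "correct tokencode, bad PIN" and "transposed" classification for the audit log. The tokencode generator is a stand-in HMAC over a time step (not SecurID's algorithm), and the lockout threshold of 3 is an assumed policy value.

```python
import hashlib
import hmac
import struct

LOCKOUT_THRESHOLD = 3   # assumed policy: consecutive failures before lockout
TOKEN_DIGITS = 6


def tokencode(secret: bytes, now: int, step: int = 60) -> str:
    """Stand-in time-based code: HMAC-SHA256 over the time step, truncated
    to TOKEN_DIGITS digits. This is NOT RSA's proprietary SecurID algorithm."""
    msg = struct.pack(">Q", now // step)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10 ** TOKEN_DIGITS).zfill(TOKEN_DIGITS)


class AuthServer:
    def __init__(self, accounts):
        # accounts: user -> (pin, token_secret); constructed sample data
        self.accounts = accounts
        self.failures = {u: 0 for u in accounts}
        self.log = []

    def verify(self, user, passcode, now):
        """Passcode is the PIN immediately followed by the tokencode."""
        if user not in self.accounts:
            return self._fail(user, "unknown user")
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.log.append(f"{user}: attempt while locked")
            return "LOCKED"
        pin, secret = self.accounts[user]
        code = tokencode(secret, now)
        if passcode == pin + code:
            self.failures[user] = 0          # success resets the counter
            self.log.append(f"{user}: success")
            return "OK"
        # Classify the failure for the audit log only; every branch below
        # still counts as exactly one failed attempt towards lockout.
        if passcode == code + pin:
            return self._fail(user, "PIN and tokencode transposed")
        if passcode.endswith(code):
            return self._fail(user, "correct tokencode, bad PIN")
        return self._fail(user, "bad passcode")

    def _fail(self, user, reason):
        if user in self.failures:
            self.failures[user] += 1
            if self.failures[user] >= LOCKOUT_THRESHOLD:
                self.log.append(f"{user}: LOCKED after {self.failures[user]} failures ({reason})")
                return "LOCKED"
        self.log.append(f"{user}: failed ({reason})")
        return "FAIL"
```

    Whether the wrong half is the PIN or the tokencode, the counter moves the same way, which is the reason the "try each token once" idea still lands on the same account lockout.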

  5. Re:The Security Dance on Duplicate RSA Keys Enable Lockheed Martin Network Intrusion · · Score: 2

    Not necessarily. I seem to recall about a month or two ago a story came out about a serious compromise in RSA's systems which was said to have the potential to compromise most, if not all, SecurID devices out there.

    Potential - yes. Insofar as RSA wasn't really being too frank about what was involved. So since the compromise involved the SecurID product in some way, who's to know exactly what's going on? The potential is there.

    I recall when this story came out, I asked "Should we be concerned about this?" We use SecurIDs to get into the company network...

    To which RSA assured everyone that they should be following "best practices" and maybe paying a lot more attention to failed authentication attempts. Yeah - thanks.

    The possible implication here is that RSA has been far, far less forthcoming than they should have been about this incident. Which has me wondering if we really should be trusting their product in our own environment.

  6. Re:The Security Dance on Duplicate RSA Keys Enable Lockheed Martin Network Intrusion · · Score: 1

    That's the way it works for most businesses, but not the way it works for government agencies.

    As Lockmart is the largest corporate member of the military industrial complex, things are a little bit different in this case. There are national security implications to both Lockheed being hacked and to RSA tokens being duplicable. That makes for all kinds of motives for a "controlled" leak like this, for all we know it is 100% spin designed to cover some other worse(?) scenario.

    Ahhh - the language of conspiracy. We know we're in for some really good non-information as soon as "Lockmart" and "military industrial complex" are uttered. Yes - serious implications for Lockheed's compromise (psst - not the first time). Serious implications for RSA tokens being duplicated - definitely. Then we'll just play "I've got a secret" and end it with vague mention of "all kinds" of spin and unnamed scenarios. That should be enough to get lots of head-nodding from the anti-military political crowd and other conspiracy theorists.

  7. Re:Hear her out on New Book Reports Soviets Behind Roswell UFO Scare · · Score: 1

    She was on the daily show last week; she seemed pretty sane, even if her story doesn't... Judge for yourself.

    Many authors are completely sane - including the ones who write fiction.

  8. Re:Don't kill the messenger on New Book Reports Soviets Behind Roswell UFO Scare · · Score: 1

    Perception and memory are interesting aspects of human psychology. It doesn't have to involve intentional deception to get inaccurate accounts. Eyewitnesses do not always provide trustworthy accounts of situations - especially when they only have a limited view of the situation. Bias can greatly skew interpretation of events. And then add on several decades of distance between the event and the retelling of the story to allow some details to fade and become fuzzy and the biased perceptions to remain the only pieces of memory.

  9. Re:The truth will never be known on New Book Reports Soviets Behind Roswell UFO Scare · · Score: 1

    No matter how many people speak out the "truth", there have been so many wildly different stories and claims that everything automatically gets tagged as bullshit in everyone's mind.

    It's a pity that said calling of bullshit doesn't happen more often.

  10. Re:Who cares on New Book Reports Soviets Behind Roswell UFO Scare · · Score: 2

    Well, yes. We should just ignore history. After all, today's in-use technologies, political conflicts, and possible conspiracies had nothing to do with what happened in the past.

  11. Re:Bullshit, but a kernel of truth there on New Book Reports Soviets Behind Roswell UFO Scare · · Score: 1

    It's always interesting to watch the line of thought play out with this general subject. Secret aeronautical experiments during the Jet Age / Space Age / Cold War? No. Wait a second. Something just doesn't add up here. Extraterrestrial visitors crashing on our planet? Hey now - we might be on to something!

    Surgically altered pilots flying bleeding edge technology into the heart of US air space just to screw with people sounds like a nice combination of UFO mythos. Occam's Razor indeed.

  12. Re:At Long Last on DOJ Could Ban Texas Flights Over Anti-Patdown Law · · Score: 2

    But in these crazy times, in for a penny, in for a pound. Instead of just letting people opt-out of being scanned (no reason not to, since the devices are only reaching a few percent of travelers anyway, and even an illiterate petty criminal can explain why they're worthless for stopping terrorism), they're trying to push the issue with the also ineffective but highly titillating federally-funded full body massage.

    Wait a second. You might be on to something. I might be more willing to deal with the security check if it involved a security inspection performed by a legitimate masseuse. I mean... sure... the expense. But it's not like anyone's really paying attention to that. And a nice massage might help one relax and deal better with all the delays. And we'd be "secure". Or at least as "secure" as we are now.

  13. Re:Good on Mac Malware Evolves - No Install Password Required · · Score: 2, Insightful

    High-profile attacks that occur in user space help to underscore that the obsession OS vendors have with admin access doesn't do much of anything to prevent a machine from being compromised -- it only serves to give users a false sense of security.

    I have a hard time completely dismissing privilege escalation. There is still some value in being able to separate user data from the system proper - if only to make clean-up easier. But I do completely agree with the overall lesson here. An overly simplified view of security might very well overlook the fact that there's still a lot of value with operating in the context of an unprivileged user. And as such, users should remain wary whenever they're acting outside the boundaries of their local environment.

    It strikes me that this is a subset of the dancing pigs problem. The promise is that computing is being made easy. And in doing so, the end user gets all manner of over-simplified, friendly (or frightening) messages wanting their rubber-stamp to do various unknown black-box things. Whether you promise dancing pigs or protection from evil hackers, it comes down to the same thing. Present the proper dialog box and end users are likely to accept it.

    This is a problem that won't be solved by more dialog boxes. At some point, the user needs to be exposed to some level of the complexity of their environment and hopefully given enough information and skepticism to make reasonable decisions.

  14. Re:Market Share on Mac Malware Evolves - No Install Password Required · · Score: 1

    Yes, yes. We hear this every single time there's Mac malware. You do realize that this isn't the first time, right?

  15. Re:Was it really worth it, Sony? on Sony Suffers Yet More Security Breaches · · Score: 3, Informative

    ...admitting guilt to something that, before the DMCA, wouldn't even be considered a crime...

    There are indeed many things in life that were not illegal until they were.

    That is actually a fundamental concept in law - whether one has inherent rights and law adds restrictions or whether one's rights are expressly granted by law.

  16. Re:But still no more desktops on After a Lull, Sun Server Business Grows Under Oracle · · Score: 1

    Sun would probably still be around if Schwartz hadn't run it into the ground by trying to give away a whole bunch of stuff for free in hopes that someone was going to want to license a proprietary version of their software (which was never going to happen). McNealy was a fucking idiot for putting The Schwartz in command.

    Sun would probably still be around if they had recognized Linux for what it was and embraced it earlier. They could have become a top-tier Linux vendor with Solaris as the step-up niche. Instead, Linux chipped away at their market driving Solaris into a niche anyway. Eventually, Sun began to give away (more) things with strings attached - neither committed to being entirely proprietary or open. And they produced hardware that COULD have made them competitive in the Linux market if they had only marketed the damned things.

    Sun screwed up but giving away stuff wasn't even the beginning of it.

  17. Re:Beware link... on Under Soviet Satellites, How Area 51 Hid (And Invented) Secret Craft · · Score: 1

    [Cue Wine compatibility jokes]

  18. Re:Safari browser exploits on Why You Shouldn't Panic Over Mac Malware · · Score: 1

    I don't remember the predictions requiring a certain percentage marketshare increase. They simply predicted that Unix(-like) platforms were gaining users and thus malware would be all over them.

    The underlying premise for such predictions was always market share.

    Though, frankly, I don't recall any predictions specifying hard terms. What I do recall are predictions such as "if Linux becomes popular, then it will have a lot of malware". If people were saying that it would be in 10 years, then either they had a very optimistic outlook of how Linux would develop, or did not understand the issue.

    How many users have Unix(-like) platforms gained since 10 years ago?

    At the most fundamental level, popularity was a point. But there wasn't a prediction of X% market share being a tipping point. It was always simple increased popularity drawing the attention of malware authors. And indeed, there WAS additional malware. It just didn't bloom into the predicted plague.

    As for increased number of Unix/Unix-like users... good question. Linux has always been hard to track. But Apple posts sales numbers. In May 2010, it was estimated that Mac OS X had a 7.83% market share. Forrester claimed a count of 1.2 billion personal computers in that time period so the Mac user population was about 93.96 million. Those numbers have increased over the last year.

    The question is still the same: why would you target those machines, even if they are significant, if you can target 10x as much for the same money spent?

    The only counterargument is that there is currently a lack of competition for botnets and such on OS X and Linux, so that raises the ROI somewhat. I don't know how it all stacks up, but I'm pretty sure that, given the current ratio, targeting Windows desktops is still way more profitable, and will likely remain so for years to come.

    Why does it have to be either or? Sure - Windows is a nice big target. It's also a well-known target full of other players, anti-malware, dedicated support, etc. If the Unix install base is so ripe for the plucking, a big chunk of a smaller pie would fit nicely into one's botnet along with all the usual victims.

    The recent OS X malware story has been, frankly, blown out of proportion. This is largely because of a stark contrast between it and Apple's rosy marketing materials (which strongly imply that there is no threat of malware on OS X, period), so most people focus on that, and there's a lot of downright gloating. But, rationally speaking, the threat of malware on OS X, while non-zero, is still minuscule. A clueless person is much more likely to get infected running Windows than OS X. So, yes, I stand by my assertion that OS X is "too small to worry about".

    Too small to worry about yet still being targeted - I still find that an interesting dichotomy. I do agree that the threat is blown out of proportion and so are the continued predictions of doom. Indeed - complacency would help bring about said doom. We should watch carefully. But I don't see any evidence to support that this is any sort of tipping point.

  19. Re:Safari browser exploits on Why You Shouldn't Panic Over Mac Malware · · Score: 1

    10 years later, the market share of Windows on the desktop (= where users are clueless and install random crap) is still 90%. So it's no surprise that not much has changed.

    I don't remember the predictions requiring a certain percentage marketshare increase. They simply predicted that Unix(-like) platforms were gaining users and thus malware would be all over them.

    Most malware is written to get money. Even if you can write it for some platform, it may not make economic sense to do so - if the effort of writing it is the same for both platforms, but for one you can hit 10x as many users on average than on the other, why would you target anything but the most popular one?

    Malware is (mostly) a business. True enough. Market share has to play a part. But the install base of alternative platforms does offer some significant numbers even if those numbers represent a very small slice of market share. The problem is, malware on those platforms does not survive. So yes - there's little return for investment in targeting them.

    Of course - this is the same old debate. Just as we've heard doom-and-gloom for 10+ years, we've heard about market share being the sole savior of alternative platforms. Yet here we have another example of malware targeting a platform that is, according to some, too small to worry about. And here we have yet another prediction of doom and gloom. When it fails to appear, we'll hear about market share again.

    I'm inclined to believe that the situation is much more complex than it is being portrayed in this thread or in the parent's predictions.

  20. Re:Safari browser exploits on Why You Shouldn't Panic Over Mac Malware · · Score: 1

    Uhhh when you have one of the Applecare reps saying things are getting worse here and you have Apple actively saying don't say the word or acknowledge malware infections? Then I don't think you have to worry about "it's coming" as it is already here friend.

    You're acting like this is the first case of MacOS malware. It's not. Another data point is hardly the flood we've been warned of.

    It is, however, worth noting. It is worth watching. And it is worth seeing how this plays out. But I would be careful about extrapolating too much from it.

    Just cause it hasn't bit you in the ass don't mean others aren't getting pwned. I personally haven't seen a bug on my windows machines since 99 but I wouldn't be foolish enough to say infections aren't rampant, I see them every day. Since there isn't something like MSRT on Mac frankly we have NO idea how badly the infections have already spread, and with Apple in full cover up mode we frankly may not know for months or maybe even a year or more.

    Amazingly enough - we had some idea of the world of malware before Microsoft introduced MSRT. We don't need official word from Apple to get some insight as to what's going on in the world.

    I also find it disingenuous to claim larger numbers due to an attempt to hide those numbers. What you're linking to is Apple not wanting to get engaged in the activity of malware removal. Whether that is appropriate or not on Apple's part could certainly be up to debate. But I find it hard to see this as deceptive on Apple's part. And while there is certainly going to be a surge in MacDefender cases, nothing so far indicates any real numbers much less perspective.

    But just because Apple refuses to say the word doesn't mean it isn't spreading. On the contrary I would argue that the reason Apple refuses to say the word is it is spreading quickly and they are trying to do damage control. For all we know this may be the first mac "Code red" style nasty, we simply won't know until someone gathers the data.

    Code Red was something entirely different. But at the face of it - could this be the beginning of increased targeting of the MacOS platform? Perhaps. But it is too early to tell.

  21. Re:Safari browser exploits on Why You Shouldn't Panic Over Mac Malware · · Score: 2

    What has protected Macs and Linux in the past is that malware writers like all criminals are naturally lazy creatures, and there was plenty of low hanging Windows machines to snatch. Now that Android is popping up everywhere and the malware guys are starting to realize Macs=money I have NO doubt things are gonna change, just as I have seen Windows malware going from exploit based to third party to social engineering. Times change, targets change, and I have a feeling so many have bought the "Macs don't get malware!" meme that until some really nasty bugs hit Mac guys are gonna be easy pickings. I've already seen it myself, with having to argue with a customer who swore up and down his Macs couldn't possibly be infected even as the DNS Changer bug was redirecting everything.

    The problem is, we've heard this same thing for the past 10+ years. The malware is coming. Just you wait. 10 years later, the flood has yet to materialize.

    That's not to say that everything not-Windows is immune. Quite the contrary. There has been malware targeting other platforms to include MacOS and Linux. They just don't do well. And thus, those platforms continue to avoid being low-hanging fruit. There has to be a change other than just "oh hey - we CAN target these other platforms!"

  22. Re:Fucker... on How Today's Tech Alienates the Elderly · · Score: 2

    Stepping on lawns also alienates the elderly.

  23. Re:Well, it's obvious on Apple: an 'App Store' Is Not a Store For Apps · · Score: 1

    No - that's the 1-Apple Cart. Wait. No, that's not it...

  24. Re:Please on Neuromancer Movie Deal Moving Forward · · Score: 1

    I, Robot.

  25. Re:Not only that... on Preliminary Benchmarks: Unity vs. Gnome-Shell · · Score: 1

    So far I find it easier to distinguish window titles than windows - they often look too similar (a terminal with hostname1 often looks like hostname2 - I do colour code hostnames for live, staging, etc but I don't do different colours for each host ;) ). So stuff like Scale or Windows 7's preview isn't as helpful to me. Windows 7's textual window title preview is helpful (esp when I often have about 30 task buttons (email, IM, explorer, putty, cmd, rxvt, remote desktop, editor, etc * multiple instances of each and it starts to add up!), So far it still is faster for me to switch windows than to keep closing and relaunching/reopening them later.

    I find that I end up with a lot of window titles that are similar enough to make them a usually poor choice for distinction. Oddly enough, I have an easier time looking at all my terminal windows and going "oh - that looks like what I was doing" even if the text is too small to read well. Although it doesn't always work. And there are times where my window title has changed to a directory path that makes it stand out. So there's no set rule I go by. Which is why I keep a task bar as well as scale (and I have "everything on this desktop" and "everything on all desktops" key combos).

    Just curious how would you do that on GNOME/KDE or whatever your desktop environment is (I think "awesome" or something can probably do it)?

    Off the top of my head, I'd run one app per virtual desktop and use keybindings to switch desktops. Of course, that pales in comparison to something like awesome wm. And honestly - I haven't really given it much thought as I've never been using screen and thought to myself "I need this sort of thing for my entire desktop environment." :)