Mac's better than PC's for security? An analogy to possibly debunk.

[duffer]

Here it is Mac lovers. Debunk this analogy.

*Note, I've used both and in the past 10 years or so haven't seen an awe-inspiring difference between the two. I've been using both platforms since the mid-80's*

Here's the analogy:

Company A makes 100,000 cars per month. There are security steps to prevent theft. If any of the cars are stolen, they can be used to make money for the crook by chopping it. (Think identity theft)

Company B makes 5,000 cars per month. Again, security features are in place. If those cars are stolen, the crook makes as much money at the chop shop. (Again, think ID theft.)

Now pretend you're a crook. You want to make the money, but the security is a problem.

Do you look for flaws in the security of Company A? Or Company B?

You have a 5:1 ratio, with the same payoff for each theft. Where do you concentrate your efforts?

[GomiBoy]

Quote:

Originally Posted by duffer

You have a 5:1 ratio, with the same payoff for each theft. Where do you concentrate your efforts?

Make that a 9:1 ratio, and you're right on...

Also, add in some other bits to your analogy:
All of maker B's parts are made within the same plant, and are custom made to only fit maker B's cars.

Maker A cars are actually made by factories A1, A2, A3, and A4, each of which is privately owned (not by Maker A). Maker A only provides the blueprint on how to assemble the cars, as well as guidance on how the cars components should be built, but has no real control over their final configuration.

It's not a 100% analogy, but it's closer to the real situation...

[duffer]

Quote:

Originally Posted by duffer

You have a 5:1 ratio

Damnit, that's 20:1 ratio

[Mangetout]

I don't really understand the analogy at all; if the crook makes the same amount of money at the chop shop, regardless of the type of car, then why target one company's cars at all? Why not just steal the first one you find?

[Sage Rat]

Quote:

Originally Posted by Mangetout

Why not just steal the first one you find?

Different security measures to be equipped against.

[GorillaMan]

Poor analogy on many levels - not least because most attacks on Windows have nothing to do with financial gain.

How about this?

- Car A has 90% of the market. Early models were particularly easy to break into, and many owners have not taken advantage of upgraded security, and some don't even lock the doors. Even the latest models have potential problems. Once inside, pretty much everything works as you tell it to, at the push of a button. Information about how to get into these cars is very easy to find on the Internet.

- Car B has 9% of the market. It's very difficult to break into or to take full illicit control of.

Which do kids bother finding out about how to steal, and which do they then go joyriding in?

[Sage Rat]

Theoretically, Mac is based on a Unix background--so even though the Mac platform is small, the history of the design and at least some of the code has had lots and lots of years to be secured, plus used by some very big corporations who have a much bigger payout if you break their system--even though there are fewer of them than individual users.

Of course, really most Microsoft errors are issues of them tying all of the applications together and trying to make things user friendly by things happening automagically. And all of that stuff will be at the height of new and coolness for every release regardless of the OS. So for the regaular user, probably both platforms are about equally crackable on that level (just given the newness of the code.)

Now if Mac was running on big mainframes, serving up webpages and such--the Unix background might give it an edge. But, it doesn't.

[DSeid]

I can't say much about whether or not the Mac OS is really harder to break, but I think that fewer try to break into it and not because "that's where the money is."

Microsoft is percieved as the system of "the Man", of the establishment, and Macs are percieved as the system of the artists and of scientists and of a slightly anti-establishment crowd. Hackers want to bring down the establishments status quo. Where's the fun for a geeky misfit in attaking artists, scientists and other misfits? You want to beat the bullies at their own game.

[GomiBoy]

There have been tons of studies of vulnerabilites in Windows vs. Mac vs. Linux.

Some links:
CERT

Information Week Small Business Pipeline

Everyone has vulnerablities. And the vulnerabilities for Linux and Mac (OSX is based on open source Linux kernels) are on the rise.

Of course, the hard-core Anti-Microsoft element discounts these studies for a variety of reasons, but I won't get into that particular religious battle if that's OK.

[Sage Rat]

Quote:

Originally Posted by GomiBoy

OSX is based on open source Linux kernels

[nitpickin'] OpenBSD not Linux. [/nitpickin']

[GomiBoy]

Quote:

Originally Posted by Sage Rat

[nitpickin'] OpenBSD not Linux. [/nitpickin']

Sorry, you're right.

One last point - vulnerabilities are everywhere. Yes, Microsoft products still have more exploits, but that's due to easily explained reasons. And Microsoft's time to fix vulnerabilities is actually faster than open source or Mac.

[RandomLetters]

Ummm, can I bring up a comparison of the open source web-server program Apache vs Microsoft IIS? Apache is running roughly trice the number of webservers on the net, including some very important ones like Google, or the Straightdope itself. Yet, MS IIS is hacked much more often than Apache. You'd think those nefarious hackers would break into Apache site more often, if Microsoft's code quality was just as good as the open-source stuff.

[GomiBoy]

Quote:

Originally Posted by RandomLetters

Ummm, can I bring up a comparison of the open source web-server program Apache vs Microsoft IIS? Apache is running roughly trice the number of webservers on the net, including some very important ones like Google, or the Straightdope itself. Yet, MS IIS is hacked much more often than Apache. You'd think those nefarious hackers would break into Apache site more often, if Microsoft's code quality was just as good as the open-source stuff.

Cites on the number of Apache servers vs. MS IIS servers?

I could argue that the vulnerabilities in MS IIS is due to more application compatibility than Apache, and that the MS IIS code is not written / compiled per processor / implementation like Apache is as well...

[Mtgman]

Quote:

Originally Posted by GomiBoy

Cites on the number of Apache servers vs. MS IIS servers?

The canonical site is NetCraft's web server survey which uses a spider to check as many hosts/domains as they can find for server characteristics. Unless a fairly robust identity-scrubbing effort has been undertaken it is easy enough to tell which webserver is sending packets. It is usually in the headers in fact. It isn't generally a necessary piece of info and it is an extremely minor security risk to give out what type and version of webserver you are running, but it is often there nonetheless.

Enjoy,
Steven

[GomiBoy]

Quote:

Originally Posted by Mtgman

The canonical site is NetCraft's web server survey which uses a spider to check as many hosts/domains as they can find for server characteristics. Unless a fairly robust identity-scrubbing effort has been undertaken it is easy enough to tell which webserver is sending packets. It is usually in the headers in fact. It isn't generally a necessary piece of info and it is an extremely minor security risk to give out what type and version of webserver you are running, but it is often there nonetheless.

Enjoy,
Steven

Thanks; I wasn't doubting, just curious...

[Mangetout]

OK, how about *different* analogy?:

Manufacturer [Q] makes tins of chicken soup, he sells these only in south-facing stores on odd days of the week; Manufacturer [4] also makes chicken soup, but sells it in plastic pouches, two-for-the-price of one, by mail order... they both sell celery soup frozen in cartons, but manufacturer [Q] cross-promotes it with asparagus soup, whereas manufacturer [4] cross-promotes it with tomato, but only in stores with a red door, on the second Thursday of the month and only if you buy a loaf of bread at the same time.

I think that makes it a *lot* clearer.


Seriously though; no analogy is required here - it only obfuscates the facts - Windows is attacked largely because of its ubiquity; that its users are also often inexperienced or naive about security is also because of its ubiquity (i.e. because of the popularity of Windows, there are people who find themselves using it that probably shouldn't even be using scissors). There are other factors, of course, but dressing it up in analogies doesn't make it any simpler to grasp.

[Mtgman]

Quote:

Originally Posted by Mangetout

because of the popularity of Windows, there are people who find themselves using it that probably shouldn't even be using scissors

Someone should adopt this for a sig. I would, but I alomst never use them. I don't even remember what, if anything, is even in mine.

Enjoy,
Steven

[rfgdxm]

Quote:

Originally Posted by RandomLetters

Ummm, can I bring up a comparison of the open source web-server program Apache vs Microsoft IIS? Apache is running roughly trice the number of webservers on the net, including some very important ones like Google, or the Straightdope itself. Yet, MS IIS is hacked much more often than Apache. You'd think those nefarious hackers would break into Apache site more often, if Microsoft's code quality was just as good as the open-source stuff.

This proves nothing about security. Apache is Unix based. Likely this has more to do with efficiency than security. Unix lacks the code bloat of Windows. It just *works* better. It is nowhere as easy to use as Windows, but geek are comfortable with doing things command line. Geeks don't need a stinking GUI.

Personally, I have little doubt that Apache is actually more secure. Which may have a lot to do with the fact more crackers try beat MS security more often. However, the efficiency of Unix is sufficient to explain its popularity. Why would a sysadmin choose less efficient software?

[gazpacho]

Quote:

Originally Posted by rfgdxm

This proves nothing about security. Apache is Unix based. Likely this has more to do with efficiency than security. Unix lacks the code bloat of Windows. It just *works* better. It is nowhere as easy to use as Windows, but geek are comfortable with doing things command line. Geeks don't need a stinking GUI.

Personally, I have little doubt that Apache is actually more secure. Which may have a lot to do with the fact more crackers try beat MS security more often. However, the efficiency of Unix is sufficient to explain its popularity. Why would a sysadmin choose less efficient software?

Apache is not unix based. You can run apache on windows.

[AndyMatts]

Do Macs have vunerabilities? I'm sure they do. Are they as easy to hack as Windows? I'm rather sure they're not.

This "no one wants to hack Macs" is an old cannard. First of all, in the most recent underground hacking contest, they are giving 5 times as many points for hacking Mac based sites, so I'm sure that will give us a better idea of how vunerable they are.

As far as getting patches out, I get constant, regular, automatic security updates for my Mac.

Finally, let's remember that's what people have always said - "Windows gets hacked more because no one cares about Macs", and let's not forget the 1997 Crack a Mac contest, where a Swedish company put out a reward for anyone who could successfully infiltrate their site. No one was able to.

Now I realize the current OS has no relation to that one, but similar claims were made back then as to why Mac OS wasn't hacked.

http://db.tidbits.com/getbits.acgi?tbart=02166

[duffer]

Upon further review, it was a bad analogy. The biggest flaw being the financial part. Forget I mentioned that.

What I was trying to get at is if one car company makes 90% of the cars out there, and the other 10% are made by a second company, and each has its own security features, which is the likelier target for those that want to cause widespread havoc?

Is that a little better? I'm really trying to keep this from becomming yet another flame was so I'm trying to word things very carefully.

[rjung]

If Macs were so easy to exploit, and the security advantages nothing more than PR puffery, then human nature would drive a handful of motivated anti-Mac hackers to develop a rampaging Mac-destroying virus, "just to show those elitist Mac-heads." The ensuing infamy this person would receive from his peers would be well worth the effort.

The fact that no such event has occurred is, IMO, rather telling about the security of MacOS X.


Or, to put it mathematically:

Number of Windows viruses and exploits = 50,000 and counting

Ratio of Windows computers to Mac computers = 20:1

Ergo, we should expect to see around 50,000 x 0.05 = 2,500 Mac viruses and exploits out there.

Actual number of Mac viruses and exploits seen in the wild = 0
(for MacOS X; IIRC, the "Classic" OS had about 80 exploits over its lifetime)

Ergo, even the numbers don't support the "fewer viruses due to smaller marketshare" theory.

[GomiBoy]

Quote:

Originally Posted by rjung

Number of Windows viruses and exploits = 50,000 and counting

<snip>

Actual number of Mac viruses and exploits seen in the wild = 0
(for MacOS X; IIRC, the "Classic" OS had about 80 exploits over its lifetime)

Cite for 0 mac exploits, please? Cert disputes that Mac OSX has no vulnerabilities. Also, if Macs were immune from viruses, why are there Mac AV products for sale, and why does Apple encourage their use?

Also, cite for 50,000 Windows exploits and viruses? Maybe if you're counting every variant and every Microsoft product, but true Windows exploits are much fewer than that, and the number of Windows XP Pro exploits is smaller still. Unless you still want to hold up NT4 and Win95 vulnerabilities as evidence of crap code?

AndyMatts I, too, get frequent (monthly unless critical) automatic patches and updates, rated by criticality and impact, which I can either automatically install or install at my discretion, and I run XP. Microsoft provides it's patches and updates for Windows, all bundled apps (Windows Media Player, IE, Outlook Express) and Office for free to everyone, including enterprises running thousands of workstations.

[gazpacho]

rjung,

I don't buy your analysis. There seems to me to be no reason to expect that the exploits would be proportional with the number of systems out there.

[RaftPeople]

Quote:

Originally Posted by duffer

Upon further review, it was a bad analogy. The biggest flaw being the financial part. Forget I mentioned that.

What I was trying to get at is if one car company makes 90% of the cars out there, and the other 10% are made by a second company, and each has its own security features, which is the likelier target for those that want to cause widespread havoc?

Is that a little better? I'm really trying to keep this from becomming yet another flame was so I'm trying to word things very carefully.

I think you should skip any analogy at all because it doesn't provide any actual data.

This is a situation where there is data, some cited already, much more on google, but I'm gong to skip that part of it.

Some things to consider:
Just because 2 different companies make products for similar markets does not mean those products have the same attributes (quality, reliability, security, internal organization of code, efficiency, etc. etc.). In my years of working with ERP systems, I have seen internals that range from absolute crap to elegant, well designed, stable and robust systems. And market share is typically in inverse proportion to quality of code. The better the code the smaller the market share. The systems with crappy code spent all of their time and money marketing and selling.

So I don't think we can just assume that Apple and Microsoft produce code with similar reliability/security/etc. In my experience companies vary to a large degree.

[rjung]

Quote:

Originally Posted by GomiBoy

Cite for 0 mac exploits, please? Cert disputes that Mac OSX has no vulnerabilities.

Cert can talk about theoretical exploits all they want. I'm talking about genuine, real-world, headline-making, "OH MY GOD WE FINALLY HAVE A MAC VIRUS"-screaming rogue virus/worm/whatever, the kind of stuff that would send the Mac news community into a tailspin.

Quote:

Originally Posted by GomiBoy

Also, if Macs were immune from viruses, why are there Mac AV products for sale, and why does Apple encourage their use?

So Mac users don't end up passing Windows viruses (especially MS Word viruses) to their Windows brethren. I don't know of any Mac users who use that stuff, myself.

Quote:

Originally Posted by GomiBoy

Also, cite for 50,000 Windows exploits and viruses?

Oops, my bad. It's not 50,000, it's 60,000, at least according to this 2001 report, "Analysis of the Impact of Open Source Software" (PDF).

And that was in 2002...

Quote:

Originally Posted by gazpacho

I don't buy your analysis. There seems to me to be no reason to expect that the exploits would be proportional with the number of systems out there.

That's what the OP was claiming, a minor variation of the old (erroneous) "Macs are less insecure because there are fewer of them" argument.

[gazpacho]

Quote:

That's what the OP was claiming, a minor variation of the old (erroneous) "Macs are less insecure because there are fewer of them" argument.

Yes but you were trying to say that the data showed that the mac was more secure because mac was 5% of the market and had less than 5% of the exploits. That is bunk to me.

[duffer]

First, I have to say I'm shocked how well this thread seems to be going considering the topic. Thanks all for keeping it civil.

Since my OP was such an excercise in bad posting, let me throw in a secondary question that relates. It's likely what I was trying to get at last night.

What makes the MacOS so much better than Windows? And don't give the one-off of being more secure. What makes it more secure?

And more importantly, if the MacOS is so superior to Windows, why don't the big corporations use their systems?

These are honest questions as my job involves system security. DISCLOSURE: It's Unix based running a Win98 shell program. Wouldn't that make it closer to Mac being Unix-based? Why the Win98 involvement? There is nothing even close to Mac software installed on the systems.


I realize my posts here may ebb and flow. Again, I'm trying to get a more complete grasp on system security between the two platforms rather than figure out if one is better than the other.

[ultrafilter]

Quote:

Originally Posted by duffer

What makes the MacOS so much better than Windows? And don't give the one-off of being more secure. What makes it more secure?

It's not entirely clear what it means for one OS to better than another, so let's stick to security here. My Mac experience begins and ends with OS X, so I can't say anything specific about earlier versions. And since OS X is basically a Unix shell, let me talk about Windows vs. Unix.

There's a fundamental difference in design philosophy between Unix and Windows. When Unix was designed, the first consideration was security, and the entire OS was based on that. Ease of use was at best a distant second goal.

Contrast that with Windows, where the architects came up with a very user-friendly OS and then tried to figure out how to make it secure.

IMO, both decisions made sense based on the prospective markets for each OS. Unix was designed to run mainframes, and there security matters a lot. Windows was designed with the home PC user in mind, and there ease of use is very important.

Quote:

And more importantly, if the MacOS is so superior to Windows, why don't the big corporations use their systems?

I'm guessing money is the major factor somehow.

[gazpacho]

Quote:

And more importantly, if the MacOS is so superior to Windows, why don't the big corporations use their systems?

There is this big gap in the software you can get for macs vs PCs. Things like the outlook calendar do not have a good equivalent for macs. If the big company has custom applications they need to be ported to macs.

[jkusters]

Quote:

Originally Posted by GomiBoy

And Microsoft's time to fix vulnerabilities is actually faster than open source or Mac.

Do you have a cite for that one? As I recall, it usually takes months for Microsoft to issue fixes for things that are reported on the security-related message boards, while Apple usually has a fix up within a week or less. I use both platforms, and only have anecdotal evidence to go on, but it has always seemed that Apple's response time is incredibly fast.

I can't speak for open source since there is no one agency that is responsible for providing security patches, therefore response times vary widely.

JOhn.

[jkusters]

Quote:

Originally Posted by duffer

And more importantly, if the MacOS is so superior to Windows, why don't the big corporations use their systems?

More and more companies are moving to Macs. There's an interesting blog out there about a firm that has switched entirely to Macs and how they're dealing with the problem. It's a good read. You can find it here

But the core issue is that PCs are perceived as a better value than Macs. Each individual unit generally costs a lot less (and we can argue why that is, but in my opinion, it's a combination of using the cheapest components along with bulk purchasing of said components). However, most corporations find they have to replace their computers on a biannual basis (once every two or so years). Macs generally have a much longer shelf life, and generally have fewer problems with components going bad than PCs do, so while the perception is that PCs are cheaper, it may not match reality.

The other issue is, indeed, the software. Everyone in the workforce is used to working with the same tools, many of which are not available on Macs (the big one being Outlook, though there are rumors that MS is actually working on a Mac client for that). If a company already has a massive investment in MS tools, there's little chance they'll consider buying licenses for the Mac version of software they already are using.

Quote:

Originally Posted by duffer

It's Unix based running a Win98 shell program. Wouldn't that make it closer to Mac being Unix-based? Why the Win98 involvement? There is nothing even close to Mac software installed on the systems.

I don't understand what you're saying here. There's a version of Win98 that runs on top of Unix? Or are you saying that Macs are Win98 running on top of Unix?

JOhn.

[Roadfood]

Quote:

Originally Posted by duffer

And more importantly, if the MacOS is so superior to Windows, why don't the big corporations use their systems?

Cost, interoperability, inertia, market share, raw number of software titles available, etc.

You kind of have to answer this question in two parts. First, you need to go back in time to when personal computers were in their infancy. Say you're the guy in charge of purchasing decisions at some big company, way back then. A decision has just been made to get some large number of personal computers for some group or groups at your company. Let's say, oh, a hundred computers, just to pick an arbitrary round number. You can buy from manufacturer A, who charges $2500 per machine, or from manufacturer B, who charges $2100 per. For 100 machines, that's a $40,000 difference. Kind of a no-brainer. That the A machines are far easier to use and have this so-called WYSIWYG interface, and the B machines use some arcane thing called DOS that takes a lot more time to learn and is costlier, in manpower terms, on an ongoing basis, that's all irrelevant. Forty thousand bucks is forty thousand bucks.

Now fast forward to now. You're that same guy, in charge of purchasing for the now much bigger company. The company is growing, more employees coming on board all the time, each needs a computer. Now, even if you could be convinced that that $400 difference per machine would be more than made up for by increased productivity -- or heck, even if you saw that the A machines are now the ones that are cheaper -- your hands are pretty much tied. You've got all these Windows boxes already. Your IT staff is trained to address Windows problems. You don't need the hassle of having to purchase and maintain two versions of every piece of software used at your company. You want to be sure that all the computers can talk and play nice with each other. You can be sure that the vast majority of new employees will be familiar and comfortable with Windows, and so will be able to sit down on the first day of their job and get to work, rather than having any amount of re-learning of computer usage. Again, it's pretty much a no-brainer.

Hey, I'm a staunch Mac user, at least in my personal life. I've owned eight Macs over the years for my home use, and there's no question in my mind that the Mac and Mac OS X is superior to a PC running Windows in every possible way. I've talked in person and on these boards to Mac-haters, and they're all just wrong.

Nevertheless, the reality is clear: If you're buying computers for a big or small company, the rationale for buying a Windows box is overwhelming. Unless you have employees that have a specific need or desire for a Mac, like graphic designers or artists or musicians or movie makers, you just can't justify getting Macs. Sad but true.

Now, in a year or two, when you can buy one box that can run both Mac OS and Windows natively, that all could change . . .

[AndyMatts]

Quote:

Originally Posted by GomiBoy

Cite for 0 mac exploits, please? Cert disputes that Mac OSX has no vulnerabilities. Also, if Macs were immune from viruses, why are there Mac AV products for sale, and why does Apple encourage their use?

Also, cite for 50,000 Windows exploits and viruses? Maybe if you're counting every variant and every Microsoft product, but true Windows exploits are much fewer than that, and the number of Windows XP Pro exploits is smaller still. Unless you still want to hold up NT4 and Win95 vulnerabilities as evidence of crap code?

AndyMatts I, too, get frequent (monthly unless critical) automatic patches and updates, rated by criticality and impact, which I can either automatically install or install at my discretion, and I run XP. Microsoft provides it's patches and updates for Windows, all bundled apps (Windows Media Player, IE, Outlook Express) and Office for free to everyone, including enterprises running thousands of workstations.

Someone else earlier talked about how Mac is slow getting updates and patches out. My updater runs every week (set at that timeframe by me), and I've had frequent security updates. I'm not saying Windows doesn't or is untimely (though they have been very much so in the past), I'm disputing that Apple is.

What makes one better than the other? Ease of use, speed, ability to use features, ease of support, I find all of those in favor of the Mac, currently, and my Mac machine isn't latest generation, unlike my PC at work.

Why does one assume that the best always wins in the market? Contrary to what some fanatics might say, Microsoft wasn't in the anti-trust bullseye because of jealousy. They used their leverage because of anti-competitive practices. They didn't want to face all the opponents in the marketplace, they did all they could to insure there wasn't a chance to evaluate side by side.

Let's flip this on it's head.... ask an IS department why they don't use Macs? Invariably the answer will come back about "the standard". Tucker was run out of the auto business despite making a better car, Beta lost out to VHS despite being technically superior because some big dogs arbitrarily decided they wanted to use the VHS as a standard.

I don't feel that's an honest standard of evaluation.

I've always found Netscape superior to IE. When you do things like charge your end-user for a Windows license for every machine they have, and state that's how many they have to buy, all or nothing, what are the odds those distributors will go out and purchase additional software? When you bundle your browser so it can't be removed, what are the odds that people will go out of their way to use another? When you take something that is supposed to be a cross-platform standard, and make it intentionally buggy or inoperable with people using products that are not yours, does the marketplace serve as an objective criteria?

[AndyMatts]

There were business decisions that allowed to Windows to gain market share that weren't predatory in nature, to be fair.

Apple has always tightly controlled the OS and machine bundle, allowing for third party licensing for only a very brief period of time when OS 8 was standard for them.

That allowed greater profits for them on both the box and the OS sales.

I'm not sure that Microsoft had any say over who could make the machines they run on, but they hitched their wagon to the more widespread, business-used IBM standard, which later grew into the massive and competive market.

Smart business decision, but you don't get the perfect glove fit that Apple's control over both pieces allowed... hence the apparent dichotomy of being a better running duo, but being a smaller market share.

Kind of like this - what's better, Bell's beer (pick your favorite variety), Sam Adams... or Budweiser. Which dwarfs the other two despite it's mediocrity? Again, market share isn't necessarily linked to quality.

[Mr2001]

Quote:

Originally Posted by gazpacho

Yes but you were trying to say that the data showed that the mac was more secure because mac was 5% of the market and had less than 5% of the exploits. That is bunk to me.

Agreed. We should expect a larger proportion of exploits to be targeted at Windows than the OS market share would indicate, because infiltrating a Windows system is more valuable than infiltrating a Mac, due to network effects. Every system you successfully exploit can be used as a stepping stone to more easily exploit other systems, and that makes it exponentially easier to amass, say, a botnet of 1000 Windows boxes than an equally sized botnet of Macs.

I also don't buy the argument that Windows is less secure because it was designed with user-friendliness in mind rather than security. Windows XP evolved from Windows 2000, which evolved from Windows NT, which was anything but user-friendly. It wasn't until Windows XP that the NT branch of Windows was marketed to home users.

And finally, while OS X is based on BSD, what matters isn't what kernel it's running, but what exploitable services and applications it's running. Windows exploits don't rely on holes in the kernel (which AIUI is pretty secure, having been based on VMS), they rely on holes in network services like IIS and user apps like IE and Outlook.

Quote:

Originally Posted by AndyMatts

Beta lost out to VHS despite being technically superior because some big dogs arbitrarily decided they wanted to use the VHS as a standard.

[nitpick] Actually, I'd say VHS won because consumers decided longer tapes were more important than better picture quality. [/nitpick]

[GomiBoy]

Quote:

Originally Posted by rjung

Cert can talk about theoretical exploits all they want. I'm talking about genuine, real-world, headline-making, "OH MY GOD WE FINALLY HAVE A MAC VIRUS"-screaming rogue virus/worm/whatever, the kind of stuff that would send the Mac news community into a tailspin.

Do you really expect a website called 'MacSurfer' to host news of problems with Macs?

Cert's vulnerabilities are real. Otherwise it would be liable for posting them. This is not theory.

Further reading:
The joys of security through obscurity...

Quote:

Originally Posted by rjung

So Mac users don't end up passing Windows viruses (especially MS Word viruses) to their Windows brethren. I don't know of any Mac users who use that stuff, myself.

Bollocks. You're saying no Mac users install AV?

Quote:

Originally Posted by rjung

Oops, my bad. It's not 50,000, it's 60,000, at least according to this 2001 report, "Analysis of the Impact of Open Source Software" (PDF).

And that was in 2002...

Like I said, if you count every variant of major viruses built, and if you count every Microsoft product, you get 60k exploits. But that includes IIS (which most people don't use at home), IE, Outlook, Outlook Express, Windows Media Player, as well as Win NT4, Win 2k, Win XP, Win 95, Win 98, and Win ME. I think if you count the same way for Mac OS and all it's variants and software used, you'd get a hell of a lot more than 0 exploits.

Basically, IMO, it boils down to this - the perception is that Windows XP machines are less stable than Mac machines. The fact is that this is not true anymore; both are equally stable if you do what you're supposed to with them...

Link to a good discussion about the difference between Mac and XP

Good commentary on one who switched from Mac to PC

[edwino]

I'm a Mac fan (I've said elsewhere that my work G5 is the best computer, hands down, that I have ever used). And we have AV at work (Norton, but to my knowledge it has never detected anything despite automatically running every night), so now you know a Mac user who uses AV.

IMHO, the number of viruses is a crude predictor. 1) There has been tremendous amounts of notoriety about Windows viruses and their creators, and this has spawned imitators. 2) The Windows security flaws are much easier to discover simply because the path of discovery has been walked before so many times and there are so many others on the path. 3) One can generally exploit a more naive user base (Kournikova.jpg attachments, for example) 4) Lots of the viruses work exactly the same way, just changed slightly to escape the current round of antivirus 5) Network effect 6) Now we can start talking about inherent flaws in the OS. FWIW, I think that Apple definitely has a leg up in #6, but again that is an opinion.

Windows has a big market share because the low end hardware is, and has always been, cheaper. IMHO, for market share, all of this talk about anti-competitive practices and so forth really only factors in before 1995. After 1995, computer companies started marketing in a similar fashion to kitchen appliances or televisions. It matters far less how well you toast the bread or how good of a picture it is for 90% of the people out there, just as long as it gets the job done. The major focus is price. And when you can go out and buy a decent eMachines for $499 with a monitor, and the cheapest Mac is $799 (the eMac -- I'm talking with a monitor), the eMachines are going to be a bigger draw for the people buying computers like they would buy a toaster. I also think Apple is not really going after this market, even with the Mac Mini. They are doing as well as they have ever done marketing to either scared entry level computer users with more money, people who want to get a Mac with their iPod, people sick of Windows, and Mac die-hards, etc. There is not a lot of margin in the Wintel PC hardware business and the fact that Apple is successful in theirs speaks volumes.

A more apt analogy, IMHO, car manufacturer A makes a car for $5k. This car immediately becomes a hit with 16 year olds just getting their license, who can buy this car after a summer working as a lifeguard, and 90% of them do so. Car manufacturer B sells a car for $10k that comes with more bells and whistles and more builtin safety devices, which is dramatically less popular with the 16 year old crowd. But we are all experienced drivers arguing which car works better for us, when it seems as if the vast majority of people getting into really horrible accidents are the inexperienced drivers.

Spyware and viruses are potholes and ice on the road. We know how to handle them and they rarely cause us permanent headaches. Inexperienced drivers in car A get in pretty horrific accidents because of them. Furthermore, they do grossly irresponsible things with their cars, like street racing, that we would never do. This OP argument can be rephrased as the following "What would the accident rate and injury rate be if we were to translate those 90% of car A 16 year olds into car B?" I don't think anyone has the data for this or anyone can extrapolate.

What would Macs be like if users were installing BonziBuddy and Gator or Kazaa or whatever? Or were just oblivious? We don't see many of the same defects in the Mac OS, but maybe that's because enough bullets haven't been fired at it. Or perhaps it is better. I don't think anyone can draw a conclusion either way.

[Nonsuch]

Quote:

Originally Posted by GomiBoy

Like I said, if you count every variant of major viruses built, and if you count every Microsoft product, you get 60k exploits. But that includes IIS (which most people don't use at home), IE, Outlook, Outlook Express, Windows Media Player, as well as Win NT4, Win 2k, Win XP, Win 95, Win 98, and Win ME. I think if you count the same way for Mac OS and all it's variants and software used, you'd get a hell of a lot more than 0 exploits.

Actually you wouldn't. Like rjung said earlier, there were about 80 or so Mac-specific viruses in the wild (not including MS Office viruses, the only virus I've ever been hit with in my Mac-using experience) back in the days of Classic Mac OS. Many of the vulnerabilities Apple patches in its security updates aren't in the low-level OS but in the higher-level services like QuickTime, Dashboard, Safari, iTunes, etc. Count 'em whatever way you want; there are NO exploits or viruses in the wild that affect today's Macs, and there were never many to begin with.

More than that, making a distinction between the operating system proper and the apps that are bundled with it and that everyone uses is pedantic and serves no useful purpose. Maybe a few geeks on Slashdot care whether the NT kernel is more secure than the Mach kernel; as far as everyone else is concerned, the platform, not the operating system, is key. Saying that most Windows exploits are actually due to Outlook or IE, and that therefore Windows is actually a very secure OS, is, IMO, bunk, since Microsoft specifically engineers them to function on Windows in a particular way; they form an integral part of the experience of using Windows (or at least factory-fresh, as-Microsoft-intended-it Windows). Ditto for the Mac; claiming that a hypothetical Safari exploit "doesn't count" because "it isn't actually hitting the OS" would be just making excuses.

(And BTW, you're goddamn right a site called "MacSurfer" would publicize a Mac virus. How else would users find out about it to protect themselves? The Mac user community is open and vibrant, with plenty of critcism of Apple's shortcomings and tips for making the Mac user experience even better.)

Quote:

Originally Posted by GomiBoy

Basically, IMO, it boils down to this - the perception is that Windows XP machines are less stable than Mac machines. The fact is that this is not true anymore; both are equally stable if you do what you're supposed to with them...

Are you intentionally shifting the argument from stability to security? No one's talking about which system crashes less, though I happily grant that a properly maintained Windows box is as stable as a Mac OS X box. If you in fact meant to write "security," you're wrong, or rather you're using the bland statement "if you do what you're supposed to with them" as though this means the same thing on both platforms, which it very much does not. You'd be crazy to run Windows XP without a robust anti-virus package, without regularly checking it for spyware, without at the very least getting a halfway-secure email client and browser. You can use a Mac in perfect safety without doing any of those things.

***

When it comes to the "vulnerability by popularity" argument, I think two people have definitively nailed it. The first is JX Bell from the recent Mad as Hell series:

Quote:

Originally Posted by JX Bell

When Microsoft (and their apologists) want to explain why they're OS seems to be a miserable piece of technology ridden with problems, they *deny* the existence of Security By Design, and say that the problem is because they are so wonderfully popular. They tell everyone that Security By Design doesn't exist and they'd be safe "if only they weren't so wonderfully popular!" They want you to believe only the gospel of Security By Obscurity.

But when Microsoft (and their apologists) want to explain how Longhorn will be better than the sucky situation now, suddenly Security By Design exists! Alleluia! Suddenly, you hear angels singing lofty ideas about "secure code" and "built with safety in mind". Microsoft leaders and evangelists swear Longhorn is a godsend because "security needs to be part of the design, not a bolt-on". Bill Gates had the chutzpah to tell the BBC that with Longhorn, he can personally promise no more malware ever again!

The truth is, and even Microsoft admits it, is that Security By Design is real. And Windows is an old product, poorly designed, repeatedly patched and patched and patched, with an incestuous tangle of subsystems that interact directly with each other and get full access to everything they need whenever they want to.

The second, the indespensible John Gruber:

Quote:

Originally Posted by John Gruber

Windows apologists have long argued that the only reason the Mac has been so strikingly free of security exploits is that it has such a smaller market share than Windows. [...] The reason this argument is so popular with Windows apologists is that it’s a convenient bit of rhetoric. They say it’s so, we say it’s not. You can’t get past this argument, because it can’t be disproven without the Mac OS actually attaining a Windows-like market share.

So, let’s concede the point, just for the sake of argument: OK, fine, if the Mac had the same market share as Windows, the tables would be turned and there’d be just as many Mac security exploits as there are Windows exploits today.

Now what? Given that the Mac is never going to attain a monopoly share of the operating systems market — that merely expanding its share to, say, 10 percent would be universally hailed as an almost-too-good-to-be-true success — isn’t it thus only logical to conclude that the Mac is forever “doomed” to be significantly more secure than Windows?

To be honest, I've tended to stay away from arguments like this lately. If someone asks what I like about using a Mac, I'll happily tell them, but I had given up crossing swords with Windows users. Then I noticed many people in my family whose 1.5-2 year old PCs were so infested with shitware they were becoming useless. A cousin of mine was actually considering throwing away a recently-bought PC and starting fresh with a new one. It angers me that there are people out there who've been browbeaten by endless viruses and and spyware attacks into thinking this is the best computing experience they deserve. It isn't.

[DrDeth]

Quote:

Originally Posted by Nonsuch

The second, the indespensible John Gruber:

"So, let’s concede the point, just for the sake of argument: OK, fine, if the Mac had the same market share as Windows, the tables would be turned and there’d be just as many Mac security exploits as there are Windows exploits today.

Now what? Given that the Mac is never going to attain a monopoly share of the operating systems market — that merely expanding its share to, say, 10 percent would be universally hailed as an almost-too-good-to-be-true success — isn’t it thus only logical to conclude that the Mac is forever “doomed” to be significantly more secure than Windows?"

.

You know, that is likely the most sane quotes I have read on this issue. I use a "PC", not Mac (I can't afford a MAC). But I still know that I have 3 Anti-spyware, two firewalls, and a anti-virus operating- and I am still scared of going to strange sites. I wouldn't have half that stuff if I had a MAC, nor would I be as worried.

BUT- the ingenuity of some of the Spyware out there is amazing. I have no doubt that if it was worth it to them, there'd be significant attacks on MACs. I wouldn't be suprised that the MAC OS would be harder to beat, and the attacks might be fewer and easier to block- but I have no doubt they'd be there. MAC users would have to have an Antivirus and a spywareblocker program, too. Maybe not to the level us Windows users have now, but they'd still have to have them.

[Mr2001]

Quote:

Originally Posted by John Gruber

Now what? Given that the Mac is never going to attain a monopoly share of the operating systems market — that merely expanding its share to, say, 10 percent would be universally hailed as an almost-too-good-to-be-true success — isn’t it thus only logical to conclude that the Mac is forever “doomed” to be significantly more secure than Windows?

Maybe, maybe not. If MacOS really is so much more secure, should we really assume it'll never be a real competitor to Windows, especially now that it'll be easy to run Windows apps on MacIntel with WINE?

If you get fed up with the crowds at a popular public beach and decide to go to a different, less popular one, that's fine. But if you start telling your friends to go there too, and they see that it's less crowded and start telling their friends, pretty soon you'll all be right back where you started.

[kanicbird]

The way I see it is:

The land of Windows is a vast and rich land which is currently under attack.. Defenses are there and Windows Land is currently in the state of war. Windows knows how to react and repel invaders. Unfortunatly there are many new imigrants who don't know nor understand their civil duty to also defend the great nation of Windows. These new immigrants are very attractive to attackers and are easy prey.


Then we have the Isle of Mac, which has never known a war, and have only had a few small squirmishes, nothing really to speak of. It is a peacefull place, and people can relax.

So the choice is do you want to live in the land under attack but successfully defending against it, or in the land where no real attack has ever happened, but could.

MHO is that MACS are less secure then windows, and would be much slower to react to a full scale attack due to inexperence, but also a much less attractive target.

That said once a wide scale Mac attack is made I suspect the door to be opened to regular Mac Attacks.

[Nonsuch]

Quote:

Originally Posted by Mr2001

Maybe, maybe not. If MacOS really is so much more secure, should we really assume it'll never be a real competitor to Windows, especially now that it'll be easy to run Windows apps on MacIntel with WINE?

Until you can buy a system preconfigured to boot both Mac OS and Windows (which you are never likely to be able to do), I doubt the new MacIntel boxes are going to change much. Some hobbyists will certainly get their Windows programs running, but I think the likes of WINE are beyond the ken of the average user.

Quote:

Originally Posted by Mr2001

If you get fed up with the crowds at a popular public beach and decide to go to a different, less popular one, that's fine. But if you start telling your friends to go there too, and they see that it's less crowded and start telling their friends, pretty soon you'll all be right back where you started.

With about a 3% installed base, it would take an almost Biblical upheaval to bring Macs even close to the ubiquity of Windows. Even if significantly more home users started switching to Mac, that would still leave the vast majority of businesses on Windows.

[Finagle]

Quote:

Originally Posted by ultrafilter

There's a fundamental difference in design philosophy between Unix and Windows. When Unix was designed, the first consideration was security, and the entire OS was based on that. Ease of use was at best a distant second goal.

I'm going to strongly disagree with you here. If you read a history of the development of Unix, I don't think you're going to see the word "security". Remember, the concepts of networking and even email weren't around when Unix was being developed. Now there might have been specific instantiations of Unix from UCB or CMU that emphasized security, but those came much later. As near as I can tell, the goals of the Unix operating system were flexibility, simplicity and, despite what you said, ease of use, at least compared to the existing operating systems of the day. The whole notion of pipes and I/O redirection connecting small simple utility programs was revolutionary at the time and still is largely missing from Windows and Mac OS (unless you dig down to the Mac OS Unix core).

Now VMS was designed as a secure operating system because of its intended role in financial transaction and other high risk systems. But that's neither here nor there.

As for why a Mac OS based on Unix is more secure than Windows (at least up until recently), it's probably based on a few issues. Bearing in mind that I'm not an expert on the subject, Microsoft a few years back made some decisions without considering the consequences and enabled scripts and programs to be executed very easily from Mail and other applications. They were trying to make it easy to administer machines remotely, allow users to easily view and execute attachments, write powerful macros, and do a bunch of things that all would have been fine except for the presence of evil-doers in the world. As it turned out, it was pretty much like leaving the keys to a candy store under the mat and hoping no one would look there.


The Mac OS-X operating system requires an explicit password before running installers and doing "system stuff". That alone reduces the amount of chaos that a virus can cause. I'd guess the kernel is more secure, benefitting from having a lot of eyes go over it over the years looking for exploits, but I don't know that for sure.

[Troy McClure SF]

As I've said before, MAC is makeup. It's not that hard.

I haven't run antivirus since I was running 6.0.7 on a Mac Classic with an 800K floppy drive, and it never found anything then, neither.

I'll echo rjung theory above, that l33t haxxors would love to stick it to us uppity, overconfident Mac n00bs, if only so we'd quit talking so damn much about how we don't have viruses.

Quote:

Originally Posted by Mr2001

But if you start telling your friends to go there too, and they see that it's less crowded and start telling their friends, pretty soon you'll all be right back where you started.

Not if all your friends have "a friend at work" who says the emptier beach has no parking lot, you have to bring your own sand, and that if you take any pictures there, you have to go back to that beach to see them. All this despite that said friend had only been to that beach once, a long time ago (in 1960).

[BlackKnight]

Man, I'm tempted to suggest a Dope hacking contest, but I'm afraid the mods wouldn't appreciate it.

[spectrum]

Quote:

Originally Posted by GomiBoy

Do you really expect a website called 'MacSurfer' to host news of problems with Macs?

MacSurfer posts headlines to any story submitted to them about Macs, whether the stories reflect well on Macs and Apple or not.

[gotpasswords]

Security by design, whatever that is...

With Windows, the default user is Administrator. Complete access to everything. The *nix equivalent is a user called root.

Whether you're root or administrator, you have full power to do anything on that computer. The programs you run also have full power. This includes anything you manage to click on and launch.

With OS X, the default user is just that, a user. The root user is disabled by default - you need to take a series of steps to enable the root account and access it. Compare that to probably 99% of home Windows PCs, where nobody bothers to create user-level user accounts and instead, run the PC full-time as Administrator.

[Declan]

Quote:

Originally Posted by gotpasswords

With OS X, the default user is just that, a user. The root user is disabled by default - you need to take a series of steps to enable the root account and access it. Compare that to probably 99% of home Windows PCs, where nobody bothers to create user-level user accounts and instead, run the PC full-time as Administrator.

You still have to check this, after running mandrake almost full time , I set up winXP pro , to run as a regular user , only to find out that the user account had admin permissions for everything, you have to create the user account ,and then turn almost everything off , just to get the same default user privileges in mandrake.

Declan

[ouryL]

Quote:

Originally Posted by Mangetout

I don't really understand the analogy at all; if the crook makes the same amount of money at the chop shop, regardless of the type of car, then why target one company's cars at all? Why not just steal the first one you find?

Oh, you mean the parts from luxury cars cost lest than parts from cheap ass economy cars?