Mac's better than PC's for security? An analogy to possibly debunk.

duffer · June 17, 2005, 8:35am

Here it is Mac lovers. Debunk this analogy.

Note, I’ve used both and in the past 10 years or so haven’t seen an awe-inspiring difference between the two. I’ve been using both platforms since the mid-80’s

Here’s the analogy:

Company A makes 100,000 cars per month. There are security steps to prevent theft. If any of the cars are stolen, they can be used to make money for the crook by chopping it. (Think identity theft)

Company B makes 5,000 cars per month. Again, security features are in place. If those cars are stolen, the crook makes as much money at the chop shop. (Again, think ID theft.)

Now pretend you’re a crook. You want to make the money, but the security is a problem.

Do you look for flaws in the security of Company A? Or Company B?

You have a 5:1 ratio, with the same payoff for each theft. Where do you concentrate your efforts?

GomiBoy · June 17, 2005, 8:59am

Make that a 9:1 ratio, and you’re right on…

Also, add in some other bits to your analogy:
All of maker B’s parts are made within the same plant, and are custom made to only fit maker B’s cars.

Maker A cars are actually made by factories A1, A2, A3, and A4, each of which is privately owned (not by Maker A). Maker A only provides the blueprint on how to assemble the cars, as well as guidance on how the cars components should be built, but has no real control over their final configuration.

It’s not a 100% analogy, but it’s closer to the real situation…

duffer · June 17, 2005, 9:01am

Damnit, that’s 20:1 ratio
:smack:

Mangetout · June 17, 2005, 11:05am

I don’t really understand the analogy at all; if the crook makes the same amount of money at the chop shop, regardless of the type of car, then why target one company’s cars at all? Why not just steal the first one you find?

Sage_Rat · June 17, 2005, 11:08am

Different security measures to be equipped against.

GorillaMan · June 17, 2005, 11:13am

Poor analogy on many levels - not least because most attacks on Windows have nothing to do with financial gain.

How about this?

Car A has 90% of the market. Early models were particularly easy to break into, and many owners have not taken advantage of upgraded security, and some don’t even lock the doors. Even the latest models have potential problems. Once inside, pretty much everything works as you tell it to, at the push of a button. Information about how to get into these cars is very easy to find on the Internet.
Car B has 9% of the market. It’s very difficult to break into or to take full illicit control of.

Which do kids bother finding out about how to steal, and which do they then go joyriding in?

Sage_Rat · June 17, 2005, 11:16am

Theoretically, Mac is based on a Unix background–so even though the Mac platform is small, the history of the design and at least some of the code has had lots and lots of years to be secured, plus used by some very big corporations who have a much bigger payout if you break their system–even though there are fewer of them than individual users.

Of course, really most Microsoft errors are issues of them tying all of the applications together and trying to make things user friendly by things happening automagically. And all of that stuff will be at the height of new and coolness for every release regardless of the OS. So for the regaular user, probably both platforms are about equally crackable on that level (just given the newness of the code.)

Now if Mac was running on big mainframes, serving up webpages and such–the Unix background might give it an edge. But, it doesn’t.

DSeid · June 17, 2005, 12:06pm

I can’t say much about whether or not the Mac OS is really harder to break, but I think that fewer try to break into it and not because “that’s where the money is.”

Microsoft is percieved as the system of “the Man”, of the establishment, and Macs are percieved as the system of the artists and of scientists and of a slightly anti-establishment crowd. Hackers want to bring down the establishments status quo. Where’s the fun for a geeky misfit in attaking artists, scientists and other misfits? You want to beat the bullies at their own game.

GomiBoy · June 17, 2005, 12:43pm

There have been tons of studies of vulnerabilites in Windows vs. Mac vs. Linux.

Some links:
CERT

Information Week Small Business Pipeline

Everyone has vulnerablities. And the vulnerabilities for Linux and Mac (OSX is based on open source Linux kernels) are on the rise.

Of course, the hard-core Anti-Microsoft element discounts these studies for a variety of reasons, but I won’t get into that particular religious battle if that’s OK.

Sage_Rat · June 17, 2005, 1:22pm

[nitpickin’] OpenBSD not Linux. [/nitpickin’]

GomiBoy · June 17, 2005, 1:27pm

Sorry, you’re right.

One last point - vulnerabilities are everywhere. Yes, Microsoft products still have more exploits, but that’s due to easily explained reasons. And Microsoft’s time to fix vulnerabilities is actually faster than open source or Mac.

RandomLetters · June 17, 2005, 1:50pm

Ummm, can I bring up a comparison of the open source web-server program Apache vs Microsoft IIS? Apache is running roughly trice the number of webservers on the net, including some very important ones like Google, or the Straightdope itself. Yet, MS IIS is hacked much more often than Apache. You’d think those nefarious hackers would break into Apache site more often, if Microsoft’s code quality was just as good as the open-source stuff.

GomiBoy · June 17, 2005, 2:06pm

Cites on the number of Apache servers vs. MS IIS servers?

I could argue that the vulnerabilities in MS IIS is due to more application compatibility than Apache, and that the MS IIS code is not written / compiled per processor / implementation like Apache is as well…

Mtgman · June 17, 2005, 2:14pm

The canonical site is NetCraft’s web server survey which uses a spider to check as many hosts/domains as they can find for server characteristics. Unless a fairly robust identity-scrubbing effort has been undertaken it is easy enough to tell which webserver is sending packets. It is usually in the headers in fact. It isn’t generally a necessary piece of info and it is an extremely minor security risk to give out what type and version of webserver you are running, but it is often there nonetheless.

Enjoy,
Steven

GomiBoy · June 17, 2005, 2:22pm

Thanks; I wasn’t doubting, just curious…

Mangetout · June 17, 2005, 2:23pm

OK, how about different analogy?:

Manufacturer [Q] makes tins of chicken soup, he sells these only in south-facing stores on odd days of the week; Manufacturer [4] also makes chicken soup, but sells it in plastic pouches, two-for-the-price of one, by mail order… they both sell celery soup frozen in cartons, but manufacturer [Q] cross-promotes it with asparagus soup, whereas manufacturer [4] cross-promotes it with tomato, but only in stores with a red door, on the second Thursday of the month and only if you buy a loaf of bread at the same time.

I think that makes it a lot clearer.
Seriously though; no analogy is required here - it only obfuscates the facts - Windows is attacked largely because of its ubiquity; that its users are also often inexperienced or naive about security is also because of its ubiquity (i.e. because of the popularity of Windows, there are people who find themselves using it that probably shouldn’t even be using scissors). There are other factors, of course, but dressing it up in analogies doesn’t make it any simpler to grasp.

Mtgman · June 17, 2005, 2:27pm

Someone should adopt this for a sig. I would, but I alomst never use them. I don’t even remember what, if anything, is even in mine.

Enjoy,
Steven

rfgdxm · June 17, 2005, 2:46pm

This proves nothing about security. Apache is Unix based. Likely this has more to do with efficiency than security. Unix lacks the code bloat of Windows. It just works better. It is nowhere as easy to use as Windows, but geek are comfortable with doing things command line. Geeks don’t need a stinking GUI.

Personally, I have little doubt that Apache is actually more secure. Which may have a lot to do with the fact more crackers try beat MS security more often. However, the efficiency of Unix is sufficient to explain its popularity. Why would a sysadmin choose less efficient software?

gazpacho · June 17, 2005, 3:41pm

Apache is not unix based. You can run apache on windows.

AndyMatts · June 17, 2005, 4:35pm

Do Macs have vunerabilities? I’m sure they do. Are they as easy to hack as Windows? I’m rather sure they’re not.

This “no one wants to hack Macs” is an old cannard. First of all, in the most recent underground hacking contest, they are giving 5 times as many points for hacking Mac based sites, so I’m sure that will give us a better idea of how vunerable they are.

As far as getting patches out, I get constant, regular, automatic security updates for my Mac.

Finally, let’s remember that’s what people have always said - “Windows gets hacked more because no one cares about Macs”, and let’s not forget the 1997 Crack a Mac contest, where a Swedish company put out a reward for anyone who could successfully infiltrate their site. No one was able to.

Now I realize the current OS has no relation to that one, but similar claims were made back then as to why Mac OS wasn’t hacked.