Macs better than PCs for security? An analogy to possibly debunk.

Upon further review, it was a bad analogy. The biggest flaw being the financial part. Forget I mentioned that.

What I was trying to get at is if one car company makes 90% of the cars out there, and the other 10% are made by a second company, and each has its own security features, which is the likelier target for those that want to cause widespread havoc?

Is that a little better? I’m really trying to keep this from becoming yet another flame war so I’m trying to word things very carefully. :)

If Macs were so easy to exploit, and the security advantages nothing more than PR puffery, then human nature would drive a handful of motivated anti-Mac hackers to develop a rampaging Mac-destroying virus, “just to show those elitist Mac-heads.” The ensuing infamy this person would receive from his peers would be well worth the effort.

The fact that no such event has occurred is, IMO, rather telling about the security of MacOS X.
Or, to put it mathematically:

Number of Windows viruses and exploits = 50,000 and counting

Ratio of Windows computers to Mac computers = 20:1

Ergo, we should expect to see around 50,000 x 0.05 = 2,500 Mac viruses and exploits out there.

Actual number of Mac viruses and exploits seen in the wild = 0
(for MacOS X; IIRC, the “Classic” OS had about 80 exploits over its lifetime)

Ergo, even the numbers don’t support the “fewer viruses due to smaller marketshare” theory.

Cite for 0 mac exploits, please? Cert disputes that Mac OSX has no vulnerabilities. Also, if Macs were immune from viruses, why are there Mac AV products for sale, and why does Apple encourage their use?

Also, cite for 50,000 Windows exploits and viruses? Maybe if you’re counting every variant and every Microsoft product, but true Windows exploits are much fewer than that, and the number of Windows XP Pro exploits is smaller still. Unless you still want to hold up NT4 and Win95 vulnerabilities as evidence of crap code?

AndyMatts, I, too, get frequent (monthly unless critical) automatic patches and updates, rated by criticality and impact, which I can either automatically install or install at my discretion, and I run XP. Microsoft provides its patches and updates for Windows, all bundled apps (Windows Media Player, IE, Outlook Express) and Office for free to everyone, including enterprises running thousands of workstations.

rjung,

I don’t buy your analysis. There seems to me to be no reason to expect that the exploits would be proportional with the number of systems out there.

I think you should skip any analogy at all because it doesn’t provide any actual data.

This is a situation where there is data, some cited already, much more on google, but I’m going to skip that part of it.

Some things to consider:
Just because 2 different companies make products for similar markets does not mean those products have the same attributes (quality, reliability, security, internal organization of code, efficiency, etc. etc.). In my years of working with ERP systems, I have seen internals that range from absolute crap to elegant, well designed, stable and robust systems. And market share is typically in inverse proportion to quality of code. The better the code the smaller the market share. The systems with crappy code spent all of their time and money marketing and selling.

So I don’t think we can just assume that Apple and Microsoft produce code with similar reliability/security/etc. In my experience companies vary to a large degree.

Cert can talk about theoretical exploits all they want. I’m talking about genuine, real-world, headline-making, “OH MY GOD WE FINALLY HAVE A MAC VIRUS”-screaming rogue virus/worm/whatever, the kind of stuff that would send the Mac news community into a tailspin.

So Mac users don’t end up passing Windows viruses (especially MS Word viruses) to their Windows brethren. :) I don’t know of any Mac users who use that stuff, myself.

Oops, my bad. It’s not 50,000, it’s 60,000, at least according to this 2001 report, “Analysis of the Impact of Open Source Software” (PDF).

And that was in 2002…

That’s what the OP was claiming, a minor variation of the old (erroneous) “Macs are less insecure because there are fewer of them” argument.

Yes but you were trying to say that the data showed that the mac was more secure because mac was 5% of the market and had less than 5% of the exploits. That is bunk to me.

First, I have to say I’m shocked how well this thread seems to be going considering the topic. Thanks all for keeping it civil.

Since my OP was such an exercise in bad posting, let me throw in a secondary question that relates. It’s likely what I was trying to get at last night.

What makes the MacOS so much better than Windows? And don’t give the one-off of being more secure. What makes it more secure?

And more importantly, if the MacOS is so superior to Windows, why don’t the big corporations use their systems?

These are honest questions as my job involves system security. DISCLOSURE: It’s Unix based running a Win98 shell program. Wouldn’t that make it closer to Mac being Unix-based? Why the Win98 involvement? There is nothing even close to Mac software installed on the systems.
I realize my posts here may ebb and flow. Again, I’m trying to get a more complete grasp on system security between the two platforms rather than figure out if one is better than the other.

It’s not entirely clear what it means for one OS to be better than another, so let’s stick to security here. My Mac experience begins and ends with OS X, so I can’t say anything specific about earlier versions. And since OS X is basically a Unix shell, let me talk about Windows vs. Unix.

There’s a fundamental difference in design philosophy between Unix and Windows. When Unix was designed, the first consideration was security, and the entire OS was based on that. Ease of use was at best a distant second goal.

Contrast that with Windows, where the architects came up with a very user-friendly OS and then tried to figure out how to make it secure.

IMO, both decisions made sense based on the prospective markets for each OS. Unix was designed to run mainframes, and there security matters a lot. Windows was designed with the home PC user in mind, and there ease of use is very important.

I’m guessing money is the major factor somehow.

There is this big gap in the software you can get for macs vs PCs. Things like the outlook calendar do not have a good equivalent for macs. If the big company has custom applications they need to be ported to macs.

Do you have a cite for that one? As I recall, it usually takes months for Microsoft to issue fixes for things that are reported on the security-related message boards, while Apple usually has a fix up within a week or less. I use both platforms, and only have anecdotal evidence to go on, but it has always seemed that Apple’s response time is incredibly fast.

I can’t speak for open source since there is no one agency that is responsible for providing security patches, therefore response times vary widely.

JOhn.

More and more companies are moving to Macs. There’s an interesting blog out there about a firm that has switched entirely to Macs and how they’re dealing with the problem. It’s a good read. You can find it here

But the core issue is that PCs are perceived as a better value than Macs. Each individual unit generally costs a lot less (and we can argue why that is, but in my opinion, it’s a combination of using the cheapest components along with bulk purchasing of said components). However, most corporations find they have to replace their computers on a biannual basis (once every two or so years). Macs generally have a much longer shelf life, and generally have fewer problems with components going bad than PCs do, so while the perception is that PCs are cheaper, it may not match reality.

The other issue is, indeed, the software. Everyone in the workforce is used to working with the same tools, many of which are not available on Macs (the big one being Outlook, though there are rumors that MS is actually working on a Mac client for that). If a company already has a massive investment in MS tools, there’s little chance they’ll consider buying licenses for the Mac version of software they already are using.

I don’t understand what you’re saying here. There’s a version of Win98 that runs on top of Unix? Or are you saying that Macs are Win98 running on top of Unix?

JOhn.

Cost, interoperability, inertia, market share, raw number of software titles available, etc.

You kind of have to answer this question in two parts. First, you need to go back in time to when personal computers were in their infancy. Say you’re the guy in charge of purchasing decisions at some big company, way back then. A decision has just been made to get some large number of personal computers for some group or groups at your company. Let’s say, oh, a hundred computers, just to pick an arbitrary round number. You can buy from manufacturer A, who charges $2500 per machine, or from manufacturer B, who charges $2100 per. For 100 machines, that’s a $40,000 difference. Kind of a no-brainer. That the A machines are far easier to use and have this so-called WYSIWYG interface, and the B machines use some arcane thing called DOS that takes a lot more time to learn and is costlier, in manpower terms, on an ongoing basis, that’s all irrelevant. Forty thousand bucks is forty thousand bucks.

Now fast forward to now. You’re that same guy, in charge of purchasing for the now much bigger company. The company is growing, more employees coming on board all the time, each needs a computer. Now, even if you could be convinced that that $400 difference per machine would be more than made up for by increased productivity – or heck, even if you saw that the A machines are now the ones that are cheaper – your hands are pretty much tied. You’ve got all these Windows boxes already. Your IT staff is trained to address Windows problems. You don’t need the hassle of having to purchase and maintain two versions of every piece of software used at your company. You want to be sure that all the computers can talk and play nice with each other. You can be sure that the vast majority of new employees will be familiar and comfortable with Windows, and so will be able to sit down on the first day of their job and get to work, rather than having any amount of re-learning of computer usage. Again, it’s pretty much a no-brainer.

Hey, I’m a staunch Mac user, at least in my personal life. I’ve owned eight Macs over the years for my home use, and there’s no question in my mind that the Mac and Mac OS X is superior to a PC running Windows in every possible way. I’ve talked in person and on these boards to Mac-haters, and they’re all just wrong.

Nevertheless, the reality is clear: If you’re buying computers for a big or small company, the rationale for buying a Windows box is overwhelming. Unless you have employees that have a specific need or desire for a Mac, like graphic designers or artists or musicians or movie makers, you just can’t justify getting Macs. Sad but true.

Now, in a year or two, when you can buy one box that can run both Mac OS and Windows natively, that all could change . . .

Someone else earlier talked about how Mac is slow getting updates and patches out. My updater runs every week (set at that timeframe by me), and I’ve had frequent security updates. I’m not saying Windows doesn’t or is untimely (though they have been very much so in the past), I’m disputing that Apple is.

What makes one better than the other? Ease of use, speed, ability to use features, ease of support, I find all of those in favor of the Mac, currently, and my Mac machine isn’t latest generation, unlike my PC at work.

Why does one assume that the best always wins in the market? Contrary to what some fanatics might say, Microsoft wasn’t in the anti-trust bullseye because of jealousy. They used their leverage because of anti-competitive practices. They didn’t want to face all the opponents in the marketplace, they did all they could to insure there wasn’t a chance to evaluate side by side.

Let’s flip this on its head… ask an IS department why they don’t use Macs? Invariably the answer will come back about “the standard”. Tucker was run out of the auto business despite making a better car, Beta lost out to VHS despite being technically superior because some big dogs arbitrarily decided they wanted to use the VHS as a standard.

I don’t feel that’s an honest standard of evaluation.

I’ve always found Netscape superior to IE. When you do things like charge your end-user for a Windows license for every machine they have, and state that’s how many they have to buy, all or nothing, what are the odds those distributors will go out and purchase additional software? When you bundle your browser so it can’t be removed, what are the odds that people will go out of their way to use another? When you take something that is supposed to be a cross-platform standard, and make it intentionally buggy or inoperable with people using products that are not yours, does the marketplace serve as an objective criteria?

There were business decisions that allowed Windows to gain market share that weren’t predatory in nature, to be fair.

Apple has always tightly controlled the OS and machine bundle, allowing for third party licensing for only a very brief period of time when OS 8 was standard for them.

That allowed greater profits for them on both the box and the OS sales.

I’m not sure that Microsoft had any say over who could make the machines they run on, but they hitched their wagon to the more widespread, business-used IBM standard, which later grew into the massive and competitive market.

Smart business decision, but you don’t get the perfect glove fit that Apple’s control over both pieces allowed… hence the apparent dichotomy of being a better running duo, but being a smaller market share.

Kind of like this - what’s better, Bell’s beer (pick your favorite variety), Sam Adams… or Budweiser. Which dwarfs the other two despite its mediocrity? Again, market share isn’t necessarily linked to quality.

Agreed. We should expect a larger proportion of exploits to be targeted at Windows than the OS market share would indicate, because infiltrating a Windows system is more valuable than infiltrating a Mac, due to network effects. Every system you successfully exploit can be used as a stepping stone to more easily exploit other systems, and that makes it exponentially easier to amass, say, a botnet of 1000 Windows boxes than an equally sized botnet of Macs.

I also don’t buy the argument that Windows is less secure because it was designed with user-friendliness in mind rather than security. Windows XP evolved from Windows 2000, which evolved from Windows NT, which was anything but user-friendly. It wasn’t until Windows XP that the NT branch of Windows was marketed to home users.

And finally, while OS X is based on BSD, what matters isn’t what kernel it’s running, but what exploitable services and applications it’s running. Windows exploits don’t rely on holes in the kernel (which AIUI is pretty secure, having been based on VMS), they rely on holes in network services like IIS and user apps like IE and Outlook.

[nitpick] Actually, I’d say VHS won because consumers decided longer tapes were more important than better picture quality. [/nitpick]

Do you really expect a website called ‘MacSurfer’ to host news of problems with Macs?

Cert’s vulnerabilities are real. Otherwise it would be liable for posting them. This is not theory.

Further reading:
The joys of security through obscurity…

Bollocks. You’re saying no Mac users install AV?

Like I said, if you count every variant of major viruses built, and if you count every Microsoft product, you get 60k exploits. But that includes IIS (which most people don’t use at home), IE, Outlook, Outlook Express, Windows Media Player, as well as Win NT4, Win 2k, Win XP, Win 95, Win 98, and Win ME. I think if you count the same way for Mac OS and all its variants and software used, you’d get a hell of a lot more than 0 exploits.

Basically, IMO, it boils down to this - the perception is that Windows XP machines are less stable than Mac machines. The fact is that this is not true anymore; both are equally stable if you do what you’re supposed to with them…

Link to a good discussion about the difference between Mac and XP

Good commentary on one who switched from Mac to PC

I’m a Mac fan (I’ve said elsewhere that my work G5 is the best computer, hands down, that I have ever used). And we have AV at work (Norton, but to my knowledge it has never detected anything despite automatically running every night), so now you know a Mac user who uses AV.

IMHO, the number of viruses is a crude predictor. 1) There have been tremendous amounts of notoriety about Windows viruses and their creators, and this has spawned imitators. 2) The Windows security flaws are much easier to discover simply because the path of discovery has been walked before so many times and there are so many others on the path. 3) One can generally exploit a more naive user base (Kournikova.jpg attachments, for example) 4) Lots of the viruses work exactly the same way, just changed slightly to escape the current round of antivirus 5) Network effect 6) Now we can start talking about inherent flaws in the OS. FWIW, I think that Apple definitely has a leg up in #6, but again that is an opinion.

Windows has a big market share because the low end hardware is, and has always been, cheaper. IMHO, for market share, all of this talk about anti-competitive practices and so forth really only factors in before 1995. After 1995, computer companies started marketing in a similar fashion to kitchen appliances or televisions. It matters far less how well you toast the bread or how good of a picture it is for 90% of the people out there, just as long as it gets the job done. The major focus is price. And when you can go out and buy a decent eMachines for $499 with a monitor, and the cheapest Mac is $799 (the eMac – I’m talking with a monitor), the eMachines are going to be a bigger draw for the people buying computers like they would buy a toaster. I also think Apple is not really going after this market, even with the Mac Mini. They are doing as well as they have ever done marketing to either scared entry level computer users with more money, people who want to get a Mac with their iPod, people sick of Windows, and Mac die-hards, etc. There is not a lot of margin in the Wintel PC hardware business and the fact that Apple is successful in theirs speaks volumes.

A more apt analogy, IMHO, car manufacturer A makes a car for $5k. This car immediately becomes a hit with 16 year olds just getting their license, who can buy this car after a summer working as a lifeguard, and 90% of them do so. Car manufacturer B sells a car for $10k that comes with more bells and whistles and more builtin safety devices, which is dramatically less popular with the 16 year old crowd. But we are all experienced drivers arguing which car works better for us, when it seems as if the vast majority of people getting into really horrible accidents are the inexperienced drivers.

Spyware and viruses are potholes and ice on the road. We know how to handle them and they rarely cause us permanent headaches. Inexperienced drivers in car A get in pretty horrific accidents because of them. Furthermore, they do grossly irresponsible things with their cars, like street racing, that we would never do. This OP argument can be rephrased as the following “What would the accident rate and injury rate be if we were to translate those 90% of car A 16 year olds into car B?” I don’t think anyone has the data for this or anyone can extrapolate.

What would Macs be like if users were installing BonziBuddy and Gator or Kazaa or whatever? Or were just oblivious? We don’t see many of the same defects in the Mac OS, but maybe that’s because enough bullets haven’t been fired at it. Or perhaps it is better. I don’t think anyone can draw a conclusion either way.

Actually you wouldn’t. Like rjung said earlier, there were about 80 or so Mac-specific viruses in the wild (not including MS Office viruses, the only virus I’ve ever been hit with in my Mac-using experience) back in the days of Classic Mac OS. Many of the vulnerabilities Apple patches in its security updates aren’t in the low-level OS but in the higher-level services like QuickTime, Dashboard, Safari, iTunes, etc. Count 'em whatever way you want; there are NO exploits or viruses in the wild that affect today’s Macs, and there were never many to begin with.

More than that, making a distinction between the operating system proper and the apps that are bundled with it and that everyone uses is pedantic and serves no useful purpose. Maybe a few geeks on Slashdot care whether the NT kernel is more secure than the Mach kernel; as far as everyone else is concerned, the platform, not the operating system, is key. Saying that most Windows exploits are actually due to Outlook or IE, and that therefore Windows is actually a very secure OS, is, IMO, bunk, since Microsoft specifically engineers them to function on Windows in a particular way; they form an integral part of the experience of using Windows (or at least factory-fresh, as-Microsoft-intended-it Windows). Ditto for the Mac; claiming that a hypothetical Safari exploit “doesn’t count” because “it isn’t actually hitting the OS” would be just making excuses.

(And BTW, you’re goddamn right a site called “MacSurfer” would publicize a Mac virus. How else would users find out about it to protect themselves? The Mac user community is open and vibrant, with plenty of criticism of Apple’s shortcomings and tips for making the Mac user experience even better.)

Are you intentionally shifting the argument from stability to security? No one’s talking about which system crashes less, though I happily grant that a properly maintained Windows box is as stable as a Mac OS X box. If you in fact meant to write “security,” you’re wrong, or rather you’re using the bland statement “if you do what you’re supposed to with them” as though this means the same thing on both platforms, which it very much does not. You’d be crazy to run Windows XP without a robust anti-virus package, without regularly checking it for spyware, without at the very least getting a halfway-secure email client and browser. You can use a Mac in perfect safety without doing any of those things.


When it comes to the “vulnerability by popularity” argument, I think two people have definitively nailed it. The first is JX Bell from the recent Mad as Hell series:

The second, the indispensable John Gruber:

To be honest, I’ve tended to stay away from arguments like this lately. If someone asks what I like about using a Mac, I’ll happily tell them, but I had given up crossing swords with Windows users. Then I noticed many people in my family whose 1.5-2 year old PCs were so infested with shitware they were becoming useless. A cousin of mine was actually considering throwing away a recently-bought PC and starting fresh with a new one. It angers me that there are people out there who’ve been browbeaten by endless viruses and spyware attacks into thinking this is the best computing experience they deserve. It isn’t.

You know, those are likely the most sane quotes I have read on this issue. I use a “PC”, not Mac (I can’t afford a MAC). But I still know that I have 3 Anti-spyware, two firewalls, and an anti-virus operating- and I am still scared of going to strange sites. I wouldn’t have half that stuff if I had a MAC, nor would I be as worried.

BUT- the ingenuity of some of the Spyware out there is amazing. I have no doubt that if it was worth it to them, there’d be significant attacks on MACs. I wouldn’t be surprised that the MAC OS would be harder to beat, and the attacks might be fewer and easier to block- but I have no doubt they’d be there. MAC users would have to have an Antivirus and a spywareblocker program, too. Maybe not to the level us Windows users have now, but they’d still have to have them.