This interesting article from Elinor Mills about PC and Mac security contains a wealth of commentary (read: flame/fanboy fodder) from a variety of expert sources.
It's worth reading the whole thing, but here are some points from the article:
- There are a number of points about social engineering attacks being prevalent, and these are platform agnostic. There's a dichotomy between the perception that Macs are safer and the reality of attacks and their frequency across users of either platform.
- PCs are attacked more frequently, so Macs may be safer because there are fewer of them. There are a couple of things in that. Firstly, that's really another way of saying 'security by obscurity' which – as at least one of the commentators points out – is not really any security at all. There will come a point where Macs become more interesting to malware creators, and then things "will quickly turn bad for Mac users".
This quote (which I hope is balanced enough to be representative of the article) sort of sums it up:
Technologically speaking, PCs are a little more secure than Macs. Macs have a larger attack surface out of the box (Flash, Java, support for a million file formats, etc.) and lack some anti-exploitation technologies found in PCs like full ASLR [Address Space Layout Randomization]. This means Macs have more vulnerabilities and it's easier to turn a vulnerability into an exploit on the platform. Despite the fact it is less secure, paradoxically, Macs are actually safer to use for most people. This is because there simply isn't much risk of being exploited or installing malware.
The comment on Flash is interesting in view of Adobe’s comments on such matters.
So where am I going with this? There are two things to think about:
1. Engineering Practices
Who do you trust to handle a zero-day vulnerability in terms of the engineering practices to deliver patches? You could huff and puff and say "Huh! Not Microsoft", but actually I don't see any criticism of Microsoft's efforts from the commentators. In fact they're making contextual recommendations about safety (Mac, because there are fewer of them) because it seems that the reality is that none are ever truly safe. (Some of the commenters called BS on this, suggesting malware share should equal market share, but of course that's denying the economics at play here: why target 5% when you can target 95%? That is why the split will be skewed.)
Moreover, I was amused that when asked for commentary, from Microsoft the author got the "director of Windows client and enterprise security". From Apple she was told to go and look at a flashy ad that said "Mac OS X doesn't get PC viruses".
2. “Social Engineering”: unified attacks that are platform agnostic
So then, in thinking about attitudes towards handling security problems I was astonished by this article in which the Googlies say (of the forthcoming Chrome OS):
I guess the thing that I've learned from traditional OSes is, if you look at how that goes wrong, is that users tend to have a very hard time managing it.
We have over 200 Googlers using this every week, and we tend to just inflict a new build on them and see if they use things more or less, and we just iterate from there.
If you contrast that with the Web model, the Web mostly takes the view of "you shouldn't be able to do anything bad from a Web application." Which mostly serves the Web really, really well. You cruise the Web without worrying too much about badness lurking out there. It's not 100 percent true, because of malware and browser exploits and stuff like that, but for the most part you just cruise the Web and don't sweat it too much.
Um, I don't remember having malware, viruses and so on until I plugged my CAT5 cable in and joined the internet (I often heard of viruses on floppy disks but never actually got one). But I guess the test group of 200 Googlies is highly representative of the mass market. With this level of naivety, what would happen if there was a vulnerability? Perhaps there'll be a community forum with a 48-hour wait for an official response.
Regardless of whether the argument is about security or risk, I think the point is that any vendor needs to work to educate the end user about both of those arguments. What I think we're actually seeing in the case of Apple is risk used as a selling point, and in the case of Google, a zealous over-confidence in stuff they just don't know or care about.