Securitysplainin'

Isn’t it nice that so many people who are ostensibly not Mac users are still very concerned about Mac security? It’s sweet the way they look out for us.

(Stuck in) BetaNews’s Derrick Wlodarz is one of them.

“The Apple myth: Why security through obscurity isn’t security”

Turns out it’s a floor wax. Who knew?

My girlfriend was on the prowl for a new vehicle not too long ago, and decided on a Subaru. Not only do the company’s vehicles arguably receive some of the highest safety ratings in the States, but their policy of across-the-board all wheel drive is another nicety I love about them.

Across-the-board … except for the BRZ.

Already we see that Wlodarz’s relationship with facts is of the “eh, close enough” variety, and we haven’t even gotten out of the first paragraph.

Even so, she wouldn’t think of ditching her safety belt, no matter how safe the cars claim to be.

And computer security is exactly like a safety belt. It keeps you from flying through the monitor and splattering yourself across the Information Superhighway, forcing a loved one to identify a bucket full of your remains at the intermorgue. Or something. Rest assured, it’s dire and somehow related to automobiles.

Compared to his relationship with facts, Wlodarz’s relationship to similes is even more tortured.

Likewise, sizable portions of American society live out in rural areas where crime and theft are almost unheard of. Yet they most likely still use locks on all of their doors, and keep them locked shut at night.

Translation: “Look, this piece is long. Really long. You might want to get a snack.”

So this begs the question: how has Apple gotten a free pass on the falsehood that its OS X (and now iOS) users just don’t need anti-malware software?

Uh, because of the relatively small number of exploits on its platforms and the almost utter uselessness of anti-malware software?

Note that Wlodarz quickly drops any further reference to iOS, probably because it’s arguably the most secure platform currently in existence and it holds that status without having any anti-malware software.

As an IT professional who has personally cleaned off numerous Macs each year for the past 2-3 years …

Since we’re dealing in anecdotes here, allow the Macalope to point out that he has not had a Mac-based virus for more than 15 years (knock on wood). Meanwhile, he knows “numerous” Windows users who brag about how fast they can wipe and reinstall everything on their machines when they get infected. So, anecdouché.

Apple’s done a great job coercing the last decade of Mac buyers that malware just doesn’t exist on Macs. Yet the evidence continually points in the opposite direction.

Yes, malware does exist on the Mac—the point is that not as much of it exists. That’s a fact. As a matter of fact, it’s a fact that’s pointed out at the top of the piece Wlodarz links to:

Before we begin, let’s make one thing really clear.

The malware problem on Mac OS X is nothing like as bad as it is on Windows.

Wlodarz doesn’t seem to know the actual definition of “security through obscurity”; he’s apparently conflated it with “security through minority.”

While the rest of the 2000s flew by with Apple picking up considerable batches of Windows converts, by 2010 the tide was starting to shift. Well known voices in the tech industry were starting to speak against the tide, like Alex Stamos and Mac security specialist Charlie Miller.

They asserted claims that took different means to an end, but concluded on relatively the same thing: Windows (Vista, 7) was finally a more secure platform than OS X.

It was. At the time, anyway. Since then, Apple has more fully implemented security enhancements such as ASLR and its own malware detection and removal. Now you find even the hackers of OS X claiming its security “is higher than other operating systems.”

While the infection risk on Macs isn’t nearly as prevalent as on Windows machines, the falsehood that Macs have always been malware free is anything but true.

Which would be troublesome if anyone had actually said that. Instead what Apple’s advertising said was that Macs don’t have the same level of problem with malware as Windows computers do.

… Microsoft isn’t hiding behind any security veils. Its transparency on security topics affecting its products should be lauded.

It should. Microsoft has a much better working relationship with the security community than Apple does. But, while Apple’s relationship and attitude toward security still need work, they have been improving.

Eugene Kaspersky, CEO and founder of well-known security firm Kaspersky, said back in 2012 that Apple is roughly 10 years behind Microsoft in terms of security.

Kaspersky, maker of the Flashback removal tool that sent your user settings back to the stone age, is a perfect example of how putting your faith in anti-malware is a bust. And still Kaspersky laments how terrible it is that Apple won’t allow his company’s software on iOS.

Boo. Hoo.

Matt [Baxter-Reynolds of ZDNet] said it point blank: “The fact that this [goto fail SSL] code made it into production at all is a shocking indictment of Apple’s engineering team”.

It is. It is, however, hysterical that a similar bug sat in the “security through openness”-protected Linux for maybe ten years.

Wlodarz, like a number of Apple critics, is bent out of shape because the company advertises its platforms as being more secure. Well, practically speaking, they are (iOS definitely is). Not through some kind of magic, but because there are fewer exploits of their vulnerabilities. Recent releases of its software have more fully implemented security technologies and removed weak points like Flash and Java.

Are Macs still vulnerable to attack? Sure. But asking Apple to stop marketing a key advantage? Well, no. Sorry.
