
On why the Mac's small population is not a defense against an attack

For a long time, the Mac community has believed that because the Mac population is small relative to the Windows population, this lack of size is itself a defense against attack. The logic goes something like this: since the overall Mac population is so small compared to the Windows population, Macs are not that interesting to virus writers.

Well, as the Witty worm showed, a small population is no defense against a devastating attack.

On March 8th, 2004, eEye Digital Security discovered a vulnerability in ISS's BlackICE/RealSecure products. On March 9th, ISS released a patch for the vulnerability.

On March 18th, eEye published a high-level description of the vulnerability. 36 hours later, Witty was released into the wild.

Within 45 minutes, every vulnerable machine was infected, about 12,000 machines in total.

Witty is a scary story for a number of reasons.

First, it was destructive. Not only did it create copies of itself by generating 20,000 packets with random IP addresses and sending them out to infect more hosts, but it then picked a random point on the hard drive and overwrote whatever data was there with 65K of data from iss-pam1.dll. Once that was done, the process was repeated until a reboot, or until the machine crashed. As a side effect, this limited the number of times the worm could reproduce, although that was small comfort to those who were infected and lost data.

However, there are other factors that make Witty a particularly ominous example of viral code. Instead of starting from a relatively small number of hosts, Witty spread outwards almost simultaneously from 100 to 110 hosts. Considering the packet count, and allowing for at least two rounds per host, that means that within seconds of its release there were over 2,000,000 packets probing other hosts for the vulnerability. This number is exacerbated by Witty's size:

Witty was less than 700 bytes long.
Not megabytes, or even kilobytes... bytes. In comparison, this article, up to this point, is already twice as big as Witty. Witty was assembly code, written to avoid the pitfalls that help arrest the spread of other worms. It used random IP addresses with random ports, so as to avoid setting off various traffic alarms. At this size, assuming Ethernet as the transport medium, the worm could fully replicate itself in a single packet. On a broadband connection, 20,000 packets, each one going to a different destination, are not going to take any noticeable resources. Since most people tend not to worry about a firewall on dialup, the worm would take longer to spread over dialup, but not much longer.
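As an added illustration of the point above (example code, not from the original post): random destination IPs and random ports give a fixed-port or payload signature nothing to match, but a scanning host still reveals itself through fan-out, one source touching dozens of distinct hosts on as many distinct ports within seconds. The Python below runs a sliding-window fan-out heuristic over constructed flow records; the window length, thresholds, addresses and the flow tuple format are all assumptions.

```python
"""Fan-out heuristic for Witty-style scanning hosts.

Constructed example, not code from the original post. A source that
contacts many distinct hosts on many distinct ports inside a short window
is flagged; the port-spread condition separates random-port scanning from
a busy but legitimate client that talks to one or two services. A scanner
that always hits one fixed port would need a different rule.
"""
from collections import Counter, defaultdict
import random

WINDOW_SECONDS = 10.0        # sliding window length (assumed value)
DISTINCT_DST_THRESHOLD = 50  # distinct destination hosts in one window
PORT_SPREAD_RATIO = 0.8      # distinct ports must be >= 80% of distinct hosts


def fanout_alerts(flows, window=WINDOW_SECONDS,
                  dst_threshold=DISTINCT_DST_THRESHOLD,
                  port_spread=PORT_SPREAD_RATIO):
    """Return {src_ip: (distinct_hosts, distinct_ports, window_start)} for
    every source whose fan-out in some window of `window` seconds reaches
    dst_threshold distinct destinations with random-looking ports.

    `flows` is an iterable of (timestamp, src_ip, dst_ip, dst_port, bytes);
    arrival order does not matter, records are sorted per source.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        by_src[src].append((float(ts), dst, int(dport)))

    alerts = {}
    for src, recs in by_src.items():
        recs.sort()                      # order by timestamp
        dst_count, port_count = Counter(), Counter()
        start = 0
        for ts, dst, dport in recs:
            dst_count[dst] += 1
            port_count[dport] += 1
            # Expire records that fell out of the window.
            while ts - recs[start][0] > window:
                _, old_dst, old_port = recs[start]
                dst_count[old_dst] -= 1
                if dst_count[old_dst] == 0:
                    del dst_count[old_dst]
                port_count[old_port] -= 1
                if port_count[old_port] == 0:
                    del port_count[old_port]
                start += 1
            n_hosts, n_ports = len(dst_count), len(port_count)
            if n_hosts >= dst_threshold and n_ports >= port_spread * n_hosts:
                alerts[src] = (n_hosts, n_ports, recs[start][0])
                break                    # one alert per source is enough
    return alerts


def build_sample_flows(seed=7):
    """Constructed traffic: a benign web client plus one Witty-like host."""
    rng = random.Random(seed)
    flows = []
    # Benign: 300 requests to five web servers on ports 80/443 over 30 s.
    servers = [f"203.0.113.{i}" for i in range(1, 6)]
    for i in range(300):
        flows.append((i * 0.1, "10.0.0.5", rng.choice(servers),
                      rng.choice([80, 443]), rng.randrange(200, 1500)))
    # Scanner: 200 sub-700-byte packets to random hosts/ports within 2 s.
    for i in range(200):
        dst = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        flows.append((100.0 + i * 0.01, "10.0.0.66", dst,
                      rng.randrange(1, 65536), rng.randrange(600, 700)))
    rng.shuffle(flows)                   # arrival order is not sorted
    return flows


if __name__ == "__main__":
    for src, (hosts, ports, t0) in fanout_alerts(build_sample_flows()).items():
        print(f"ALERT {src}: {hosts} hosts on {ports} ports "
              f"in a {WINDOW_SECONDS:.0f}s window starting t={t0:.2f}")
```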

Witty was also bug-free. That means that someone tested it. It also means that the core worm engine was probably finished, and waiting for the right vulnerability, well in advance of the BlackICE vulnerability announcement.

Witty was not some dork with a virus kit from a h@xx0r site spreading the love of Anna Kournikova. It was written by someone who knew what they were doing, was patient enough to wait for the right opening, and, importantly, didn't care about the vulnerable population size.

Witty only attacked computers running unpatched versions of the BlackICE firewall. It was released ten days after a fix for the vulnerability was issued. It only infected 12,000 hosts, but it did so in 45 minutes, or 4.45 hosts per second. If there were enough vulnerable hosts, and assuming antivirus signatures were perfectly updated and deployed 48 hours after release, that's 768,960 computers infected and probably dead within two days.

It's illogical to assume that Witty was a fluke, no matter how comforting that thought may be.

Witty showed that:

There's no easy way to prevent another Witty. Antivirus can help limit the spread, but only once a signature is released, installed and used. Firewalls can help, but only if you know what to block. Intrusion detection systems can help, but only if they know what to detect. In the end, you need all of them.

Even on a Mac

Posted by John C. Welch at 23:29 | Permalink


Comments

If a committed individual with much better than average programming skills and an intimate knowledge of both Unix and Mac OSX really wanted to, he could exploit a known vulnerability. To propagate at the speeds you claim are possible using only vulnerable Macs, he would have to be very good and very familiar with Mac OSX, and very pissed off at Apple, and have a vulnerability to exploit. Since most OSX machines have auto update on, most Mac programmers love the Mac, and most vulnerabilities are patched quickly, that's a lot of stars to line up to get a significant infection to happen. Let's look at the score right now. Windows: 120,000 viruses and counting. Mac OSX: zero. It could happen but it won't.

Posted by: Al | September 25, 2004 10:32 AM

Actually, if the malware is written correctly, and for the right exploit, AV, firewalls, and IDS, or any combination thereof, won't help at all. Look at CodeRed. Its attack vector was port 80, and it was a very simple HTTP request. Firewalls DON'T block port 80. IDS generally don't bother dealing with HTTP GETs, and AV signatures are such a poor way of dealing with an Internet based attack. I bet any sufficiently sophisticated malware can replicate itself to virtually every vulnerable machine within a day of release. Too fast for AV signatures to be written and distributed.

SQLSlammer's spread was equally rapid. If anything, it was TOO efficient at random IP scanning. SQLSlammer managed to overwhelm the ARP caches of high-end network equipment while doing its scans. It would have spread even faster if the infrastructure (Cisco switches & routers, Extreme switches, etc.) could have held up under the load.

Wait until a scanner/worm gets written by a savvy geek who knows a bit about Internet routing infrastructure! It will likely use BGP information and published bogon lists to limit the scanning to just *in-use* and neighboring IP ranges. No more time wasted scanning random IPs. Zero hour to complete infection of every available/vulnerable host in well under 15 minutes. Maybe as few as 10 minutes. Only massive Autonomous Network disconnects a la SQLSlammer will prevent infection... but I doubt anyone will figure that out in time.

But as to the specific point of this article, that a small population such as the MacOS is not as invulnerable or ignored as we would hope... you are right. I think the best defence the MacOS has is generally well-written code. FreeBSD has an excellent security track record, and has only seen vulnerabilities with applications it shares with more common OSS (read: Linux) applications. The SSH exploit of two years ago, for example. Apple has been VERY good (especially when you compare to NeXT's track record!) about using up-to-date OSS code and releasing Security Updates very swiftly when exploits are found.

The REAL problem there is patch management, and that is a human issue, not a technical one. Curing human issues is fscking impossible and not within the realm of geekery. =)

--chuck

Posted by: chuck goolsbee | September 25, 2004 10:40 AM

unfortunately for would-be Mac virus writers, MacOSX requires entering a correct password before allowing any software (or virus) installation on the machine.

thus, potential viruses need to be allowed entry by the user before getting installed.

that's enough to take a lot of steam out of any viral attack, and we're not even discussing the intricate difficulties of writing MacOSX-compliant virus software.

sorry,

Posted by: macmarts | September 25, 2004 11:58 AM

Actually no, OS X does NOT require a password for all installs. It only requires a password if you are attempting to access a directory your current authority level doesn't allow access to.

But if you are an admin, as all initial users are, you have full access to /Library/StartupItems/. An application run by a user with admin authority could easily add a startup item that on the next restart, performed any task it wanted, since startup items all run as root. At that point, nothing is stopping that code from doing whatever it wants, even deleting itself after it ran so there was no easy way to track it.

As far as writing Mac OS X software, well, that's rather easy to do. Doing something like Witty is hard, because writing hand-tuned assembly is hard. But rm -rf /* is really quite simple to write and run.

john

Posted by: John C. Welch | September 25, 2004 1:29 PM

First of all, only PC users believe the only reason Macs are mostly invulnerable is their market share. Very few Mac users believe that, but that's not your real error.

However, your conclusion is completely backwards. Through your example, you clearly point out the superiority of Mac OS & Apple in avoiding CRITICAL FLAWS.

As you clearly note, it is not the size of the market or its user numbers, but when something has CRITICAL FLAWS in it, that's when you have potential and actual problems - even if you have as few as 12,000 users, when you design and implement something clearly flawed, disasters and problems are natural to occur.

Macs are simply more secure out the door, both in hardware and software design and implementation. Sure, there are new holes being discovered and closed - and yet with 25 million active Mac users (of all OSes), other than a Word macro virus about 20 years ago, that's it (and all that did was scramble the header info so you had to open it in a text reader and delete those lines).

Even though Windows has faced literally a couple thousand attacks just since its last release 3 years ago and the Mac count stands at ZERO viruses, ZERO trojans, ZERO spyware, how much more proof do you need?

I know it's more comforting to believe that you backed and/or purchased the wrong computing platform, but the simple facts and conclusions are as clear as you point out - when there is a critical flaw, it's vulnerable.

Macs are simply not critically vulnerable.

Is there a chance that a trojan, malware, spyware or virus could infect the Mac OS - sure - just like there are people who are struck by meteorites or are killed by brown spiders - it happens, but your odds are extremely remote. As you point out, it's not the size of the market but whether your product is well designed.

Thanks for pointing out to us mac users why when you choose the best personal computing OS on the planet, you get the protection and security befitting such an OS - and that we can concentrate on using our computers instead of trying to guess which port to close or that random packets can invade our computer.

We sleep easier.

Posted by: jbelkin | September 25, 2004 9:21 PM

The lack of a successful attack is not the same as being invulnerable. I would say, given the mentality of those writing virii, that the misplaced arrogance of Mac users is at some point going to be too choice to ignore. Who doesn't enjoy watching the arrogant fall?

Secondly, OS X had a critical flaw that was only patched WEEKS after its announcement, namely the Launch Services bug. The fact that no one took advantage of that was luck, not "superior design". I don't run my networks based on luck.

So your supposition that OS X somehow avoids these is incorrect as well.

I'm fascinated by your inference that I somehow think that using OS X is a mistake, considering my background, unless you think that criticism == dislike, which is simply wrong.

But I don't buy, never have, nor will I ever buy into the third problem in your argument:

"Macs are simply not critically vulnerable."

That's just wrong, and acting as though it's correct is going to cause people a world of hurt. One thing I left out, (since it wasn't pertinent to the point) and it's a pretty scary problem that's just starting, is that organized crime is starting to view spam and virii as a profitmaking enterprise. So they're starting to fund malware writers.

john

Posted by: John C. Welch | September 26, 2004 1:50 AM

john said:

"I don't run my networks based on luck"

but that's exactly what you're doing if you have any PC or server running any flavor of windows in your network.

if it is the case, YOU are running YOUR business based on luck.

...unless of course you don't run your computers on windows and you run them instead on unix/linux. if it is the case, your business is more secure.

a couple of years ago a website running on a MacOSX server launched a well-publicized contest where they would give away $10,000.00 US to whoever was able to hack their MacOSX server.

the contest ran for many months, gathering publicity as it went forward, and was terminated several more months later, without a winner.

their conclusion: either MacOSX is secure enough to fend off most hack attempts (their daily server logs were full of hack attempts), or else the trouble of hacking a MacOSX server is such that it is not worth $10,000.00 US.

Posted by: macmarts | September 26, 2004 12:51 PM

it's not luck at all...it's acknowledging the risks, and taking the necessary steps to handle them correctly. In the last year, we've had exactly no downtime or problems due to Virii or hacks.

It's definitely a LOT more work to secure Windows, but the implication that it's impossible is incorrect. And in many ways, particularly WRT disk and file permissions, Windows, along with Novell and AFS, has a far better model than OS X's Unix permissions. Which is one reason why Apple is incorporating ACLs into Tiger.

I'm well aware of those contests. They also had some interesting limitations on them that you aren't going to see in the real world. It was a neat test, but it was aimed at a very specific, easily defendable goal...changing a web page. It wasn't aimed at just killing the box.

I'm not saying a Unix-based OS isn't harder to hack, when properly set up. (There have been quite a few OS X boxes hacked when they weren't correctly set up. It's an OS, not a magic spell.) I'm saying that OS X is not invulnerable to attack, or bugs, and to act as though it is invulnerable is silly, and if you run a network, irresponsible.

john

Posted by: John C. Welch | September 26, 2004 3:03 PM

I think that your concluding point is well taken. It is worrisome because of the lack of publicized attacks, hacks and virii on the Mac platform relative to Windows and the calm that has induced on the general Mac population. I do not, however, see Apple resting on their laurels waiting for hackers and crackers to breach the walls before implementing a security plan. I think this is evidenced by the constant revisions and improvements being made to the core OS, Darwin.
Your first point and the title of the article is invalid, in my opinion. If you read magazine articles and reviews of Mac software, the security through obscurity myth is propagated by the Windows community. Seldom, if ever, do you read in a Mac magazine that Mac users are safer due to our smaller market share. Please don't put words in Mac users' mouths.

Posted by: Mark S | September 26, 2004 10:15 PM

I'm not. I've talked to any number of Mac users who promulgate that theory. I've also seen it mentioned by a number of Mac writers too.

Posted by: John C. Welch | September 26, 2004 11:39 PM

Wow. I guess it isn't that amazing due to what I said initially but it is naive, in my opinion. I, personally, have seen many more repetitions of that theory in Windows-oriented magazines as comments from the author or other pundits in that community speaking about (read: pooh-poohing) the Mac than from Mac magazines and pundits.

Posted by: Mark S | September 27, 2004 3:27 AM

Oh the Windows community uses it as justification...a bizarre, stupid justification, but justification nonetheless...

"See, we have more virii, we're COOLER! More people want to be LIKE US. We RULE you DROOL"

At the same time, I've seen mac people comment on it as though it's a nice side effect of a smaller community. That's probably true, but I've also seen it morph into some kind of defense against virii, which it is not, and a limited community can still be an attractive target.

john

Posted by: John C. Welch | September 27, 2004 7:04 AM

John,

I agree with most of what you conclude - Macs are NOT invulnerable, obviously. I had to deal with what measures to take for the SSH bug, along with several others. Those were bugs which a savvy, malicious programmer could have exploited to obtain root access remotely.

However, most people would be well-served to play the odds. The number of consultants who have the skills (and time!) to lock down Windows to the point of being as secure, and yet still USEFUL, as most *nix operating systems does not nearly cover the number of places such systems are needed. Therefore, most businesses (and home high-bandwidth users) would be well-served to avoid Windows like the plague it usually is.

We'd all be better off. The Windows users would be less likely to have their private information (ID, credit cards, network passwords, etc) stolen, and EVERYONE would have less zombie-spewed spam to deal with.

I think it's important to realize that we're not doing an analysis of Mac security in a vacuum. We've got to compare it with the alternative. When you do that, the choice is blindingly obvious: either spend years becoming a top-flight Windows security guru, or use Macs (and not be abjectly stupid in securing them).

Posted by: Krioni | September 27, 2004 8:48 AM

When are people going to stop thinking it's the Macintosh's small user base (as compared to Windows)? It's the way the operating system was built.

Windows was built upon a proprietary code base that is not modular. Both Linux and Mac OS X were built upon the 35-year-old UNIX code base that is modular. While modularity isn't a key for success in creating a bug-free operating system, it is a good way to more easily track down and correct mistakes and patch bugs.

The fact that Internet Explorer is such an integral part of Windows is a good portion of its problems. Most of the vulnerabilities of Windows are because of Internet Explorer. And the fact that IE is integrated and NOT modular (or a separate application) means that ALL of Windows is vulnerable when IE is vulnerable.

Using a third-party browser (e.g., Firefox) is a good first step to reducing the malware threat on a Windows PC, but it does not eliminate those risks. Even if you use Firefox, IE is still present. There is no way to uninstall it, although you can make it pretty much brain-dead by disabling ActiveX, JavaScript, third-party extensions, etc., while using Firefox.

Should we eliminate Windows? No! Why?! Because you think we're in a recession now? Think about all the service techs, technical support people, and PC computer companies that would go bankrupt because it is VERY PROFITABLE to service Windows computers. The customers always keep calling back with more problems!

Posted by: Aaron | September 27, 2004 9:47 AM

[Therefore, most businesses (and home high-bandwidth users) would be well-served to avoid Windows like the plague it usually is.

We'd all be better off. The Windows users would be less likely to have their private information (ID, credit cards, network passwords, etc) stolen, and EVERYONE would have less zombie-spewed spam to deal with.]

Well, I don't think it would make nearly as much of a difference. Mac OS X doesn't stop phishing. It doesn't stop people from signing up for spam. It's far better with spyware, which is good, but it's not going to stop human error, which causes a lot of ID theft.

It doesn't prevent you from sending unencrypted email, nor does it make your ISP offer encrypted email, so it doesn't stop someone with a sniffer and some shell skills from sniffing out whatever personal detail you send in emails, webmails, IMs, etc.

It's a common misconception that you somehow need to hack into a system to get sensitive info. Monitoring email traffic for a bank or a credit card company will get you just as good a result passively, which is far harder to detect.

I don't see what the OS choice does to protect you here.

[I think it's important to realize that we're not doing an analysis of Mac security in a vacuum. We've got to compare it with the alternative. When you do that, the choice is blindingly obvious: either spend years becoming a top-flight Windows security guru, or use Macs (and not be abjectly stupid in securing them).]

But in a sense, that's what you've done... you're looking at this as an OS issue. If everyone started using SSL more, Kerberos more, used PGP to encrypt sensitive documents, used signed PDFs to prove origination and prevent hidden alteration, that would do as much to increase security as changing your OS.

You have to think securely at all stages, otherwise you end up like Nortel, who had a great firewall, but no protection against sales drones. They got hit with Code Red/Nimda internally, and had to drop power to their network to recover.

The OS platform is only one part of safe, secure computing.

Posted by: John C. Welch | September 27, 2004 10:21 AM

John,

I completely agree that Macs are not secure because of their small population. Perhaps it's a contributing factor, but by no means is it the most important. Thanks for firmly pointing this out--I think the Mac community needs to be reminded periodically.

On the other hand, I also agree with Mark S. that the "security through obscurity" idea is largely a creation of the tech press (or the PC press to be specific) and is not widely accepted by the Mac community as legitimate. Yes, there will be some Mac users that will repeat it with zeal, but even a cursory examination of Mac Web sites would reveal that the concern for security is indeed quite a bit deeper. I really believe it to be more a convenient mechanism for PC users to feel better about the difficult state of security in the Windows universe.

I think the secret to Mac security so far might be that there are very few people in the Mac community with a sincere interest in harming the platform. We're very lucky that way. Perhaps being a small community, indeed, even the underdog, helps. It also helps that Apple has shown an interest in making the platform internet-secure from the beginning. Could any of this be said for Windows?

MB

Posted by: Mauricio Babilonia | September 27, 2004 10:27 AM

[Windows was built upon a proprietary code base that is not modular. Both Linux and Mac OS X were built upon the 35 year old UNIX code base that is modular. While modularity isn't a key for success in creating a bug-free operating system, it is a good way to more easily track down and correct mistakes and patch bugs.]

Actually, while Windows XP is proprietary and rather non-modular, the original version of XP, NT 3.1, was based on VMS, which, while proprietary, is *highly* secure, more so than Unix even. And definitely more reliable. Even up through NT 3.5.1, it was stable, and quite secure. (Before 4.0, EVERYTHING was outside of the kernel, so you could have your video drivers crash and burn, and it would keep running. Very nice.) With NT 4.0, MS made a lot of changes that opened up a lot of holes. It's also important to understand that even with XP, Windows is still not truly a multiuser OS the way Unix/VMS/MVS are. It's still more of a single user OS with multi-user functions. This is why security at the console is really nonexistent by default. There are a lot of long-term bad design decisions that have led to the problems with Windows. However, open source OS's are not magically proof against silliness. Take a count of all the Linux vulnerabilities for the various distros. That count is edging into Windows numbers.

[The fact that Internet Explorer is such an intergral part of Windows is a good portion of it's problems. Most of the vulnerabilities of Windows are because of Internet Explorer. And the fact that IE is integrated and NOT modular (or a separate application) means that ALL of Windows is vulnerable when IE is vulnerable.]

All modern OS's are going to have an embedded HTML engine. Whether it's IE, or KHTML, or WebCore, or Gecko. It's a requirement in a modern environment. If there's a monster hole in WebCore, there's a lot of OS X that's going to have major problems too. That's just part of the fun, but I do agree that the IE engine needs a LOT of security work, not just endless preference panes. Half the problem is that setting what should be a simple option (Don't let me get screwed too easily) is FAR harder than it needs to be in IE.

john

Posted by: John C. Welch | September 27, 2004 10:35 AM

[I think the secret to Mac security so far might be that there are very few people in the Mac community with a sincere interest in harming the platform. We're very lucky that way. Perhaps being a small community, indeed, even the underdog, helps. It also helps that Apple has shown an interest in making the platform internet-secure from the beginning. Could any of this be said for Windows?]

Honestly...I think that there's no fun in attacking OS X. I don't think there's the same unholy joy that being "The Best Pirate Ever" gives you from attacking Windows. For one, since so much of OS X is open source, it's kinda like attacking yourself. Secondly, what's the gain? Attacking Windows is like smacking that rich kid who always makes sure to rub your nose in how much money you don't have. Sure it's wrong, but damn, it feels goooooood. Attacking Mac OS X is like smacking that kid who has more money than you, but is always cool, lets people play with his toys, has kick ass parties, and picks up the check because he can, and he likes being nice, and really just wants to be one of the gang. I mean, you can, but you feel like a jerk when you do it.

Considering that ego and emotionalism are behind a lot of the Windows attacks, that could explain why Macs don't get violated, even when there's a known gaping hole with sample code.

john

Posted by: John C. Welch | September 27, 2004 10:51 AM

I wonder, if you really wanted to run a secure web server or other limited-task machine, would it be better to do it on an extremely obscure platform? Maybe a Mac System 7 machine, or an Amiga, or something else? It's an idea. Maybe not a good one.

Posted by: Derek | September 27, 2004 2:07 PM

It depends on how secure and what you need secured. If I need high capacity, and the highest possible security, then for an OS, I'm using OpenBSD, or OS/400.

But that's just part of it. What's your web server setup? A secure OS and an insecure web server is still insecure. How secure are your CGIs? Are you using SSL? What's your password policy like? During one of the "Crack my Mac" contests, someone actually did crack the mac in question via a hole in Lasso on that box. So even though the OS was locked down, thanks to a hole in the CGI, it was all for naught.

The Witty Worm didn't exploit a Windows vulnerability, it exploited a hole in a third party product, so Windows really had nothing to do with it other than being the OS that BlackICE runs on.

john

Posted by: John C. Welch | September 27, 2004 2:32 PM

Re: Security via Obscurity

As the Witty worm illustrates, small numbers are no guarantee of safety. But while it may not be a guarantee, it's not nothing either.

Topeka, Kansas is not guaranteed safe from terrorism. But if Al-Qaida is going to set off a nuclear device in the US, do we really expect them to set it off in Topeka instead of Washington?

Even if OS X were as vulnerable as Windows, the motivation to attack it is less by a significant magnitude. If the motivation is profit or disruption, you attack the 90%+ OS. If the motivation is hostility to authority, you attack the 90%+ OS.

The Witty worm is the exception that proves the rule.

If your job is to lock down systems as close to perfectly as possible, all of this is irrelevant. If you're speculating on the likelihood of OS X being hit by a wave of virii, this is quite relevant.

Posted by: Felix | September 27, 2004 3:02 PM

What was the motive in attacking a user base of 12,000?

john

Posted by: John C. Welch | September 27, 2004 3:30 PM

While I agree with the hypothesis (size is no defense) I think you'll need to bolster your evidence a bit if you want to get traction.

[It's illogical to assume that Witty was a fluke, no matter how comforting that thought may be.]

You don't back-up this claim with any evidence. By all accounts, Witty was a fluke unless you have more examples to show otherwise. It is illogical to jump to conclusions based on a single data point. :)

Posted by: Zoltan Grose | September 27, 2004 4:20 PM

"What was the motive in attacking a user base of 12,000?"

Like I said, Witty is the exception that proves the rule.

Or to reuse my original metaphor, Topeka could certainly be struck by terrorists. After all, over a hundred people were killed by terrorism in Oklahoma City. But that's another exception that proves the rule.

I'm not really disagreeing with you on your most basic point. Obscurity does not guarantee safety.

But in terms of probability, obscurity is actually a pretty effective security tool.

If I'm trying to keep a file on my computer away from prying eyes, encryption is an obvious solution. But putting a misleading name on the file also has undeniable value.

Posted by: Felix | September 27, 2004 6:28 PM

obscurity only has value if the person attempting to access your data is using the method you're obscuring. So, if I'm looking for a file named "Annual report" and you call it "Letter to mom" then I'm going to have a tough time.

But if I know you use Word for office work, then I simply grab all your Word files, and bypass your obscuring method.

Or, I copy all the files in your home directory. Now, even changing the file type won't work, because I'm ignoring file types and names for location. Etc.

Obscurity is a crap shoot, and you win or lose big, but there's no middle ground.

As far as the point that Witty was a fluke, the general feeling among the security experts I've talked to was that it wasn't, but was more of a test case to see if it could be done.

Those folks are taking this seriously regardless of platform, and we're talking about folks that run OS X to avoid Windows problems.

john

Posted by: John C. Welch | September 27, 2004 8:57 PM

"Obscurity is a crap shoot, and you win or lose big, but there's no middle ground."

That's entirely true if obscurity is the only method you're using. But in combination with other methods, obscurity can be a valuable tool.

In other words, the Mac's small population is a defense against an attack, but it's obviously not the only defense necessary.

Posted by: Felix | September 27, 2004 9:57 PM

Zoltan says John Welch is "jumping to conclusions based on a single data point". I have no idea where Zoltan gets this idea. Welch is using about the most reasonable logic a person can use. It's very simple: viruses of all sorts have been around for years, so the Witty worm wasn't a fluke--it had many predecessors, regardless of its being written in assembly code. The computing industry hasn't seen just one virus in its history, hence there will be more, of all sorts, new and old-style. The author of the Witty worm won't neglect writing another one, possibly even more damaging, just to keep you comfortable, nor can you assume he won't tell his friends how to do it, nor is he the only clever assembly language coder in the world who might already know how to do it.

There's your evidence.

If one pronounces the Witty worm was a fluke, where's YOUR evidence? You haven't visited the future to see what happened. Nor are you making even barely sensible extrapolations based on past history.

Posted by: John Sawyer | September 28, 2004 2:08 AM

Al's comments at the top:

"To propagate at the speeds you claim are possible using only vulnerable Macs he would have to be:

very good"

Yes, he'd have to be good, but there are a lot of blackhat hackers that are also good programmers, and I don't think he'd have to be as good as you think.


"and very pissed off at Apple"

Not necessarily. From what I gather, most virus authors do it for a variety of other reasons: to see their digital "children" propagate as widely as possible; to impress their friends; to test their skills; to test the system, regardless of their feelings about the system; and, of course, to hurt people regardless of who produces the OS their victims use. Windows is popular among all these types due to its greater numbers, but the last type, the destructive virus author, is MORE likely to attack the Mac OS, at some point in the future, since the destructive type likes the idea of preying on people who thought they were safe.


"and have a vulnerability to exploit...most [Mac OS X] vulnerabilities are patched quickly"

Not quickly enough to prevent a lot of pain for a lot of people if they haven't taken steps ahead of time to protect themselves.


"Since most OSX machines have auto update on"

I fix Macs, and I check for this every now and then, and I'm starting to see more people turning this off. And, the default setting is to check just once a week.


"most Mac programers love the Mac"

So? A lot don't.


"Let's look at the score right now. Windows 120,000 viruses and counting, Mac OSX Zero. It could happen but it won't."

It always bothers me when people pretend to have visited the future and have come back to tell us what happened.

Posted by: John Sawyer | September 28, 2004 2:35 AM

The majority of arguments provided here are correct. Theoretically, OSX is not bullet-proof, and there is no such thing as an invulnerable OS.

I have been using Macs for the past 8 years. I have also been using Windows, for longer than that. I have consistently spent a significant amount of time patching/cleaning/fixing my Windows machines. Orders of magnitude more than fixing/cleaning/patching my Macs. Unless hacking trends suddenly and inexplicably dramatically change and completely reverse, I would say that, all technical and scientific arguments notwithstanding, Macs will continue to be infinitely easier to maintain, support, secure. Gallons of ink (and bits and bytes) have been spent on debating what is the reason for this. For me, it is irrelevant. My eight years of working with two platforms in parallel tells me that Macs are better, Windows more hassle. This is enough for me to decide to continue to buy Macs for my personal use. Even if everything is reversed (the amount of virii and other security problems) for Macs becomes suddenly 120,000 and 0 for Windows, it would take me another 8 years to even the score. What are the chances of that?

Posted by: Predrag | September 28, 2004 9:10 AM

Historical context.

I only became a Mac user in 1994, but I had been a microcomputer user since 1980. I remember in the late 1980's when virii first started to explode, that there were quite a few written for Macintosh. I seem to remember that originally, applications would modify their own data and resource forks to store preferences. This proved to be problematic because it made it easy for a virus to inject itself into an existing program. (Or maybe it made it hard for anti-virus software to detect.)

It has always seemed to me a weak argument that the Mac's smaller market share protects them from attack. In the late 80's there were fewer absolute numbers of Macs but there was virus development. Today with more Macs there is almost no virus development. (When was the last Mac virus?)

At some point, in the late 80's/early 90's, Macs became much less afflicted. Almost to the point of zero. While on the Microsoft side, I generally assume that every home PC is infected. Why has this played out this way?

I think that it is a strange mix of technology, culture and savvy. Apple on average has made better security decisions, has a culture of people who are fond of their products, and users who are generally a little more technically proficient.

I believe that this indicates that Macs will have far fewer attacks for the foreseeable future.

But the odds are high that we will have a major attack on Macs. John's point of how fast such attacks can spread is important. I personally believe that those hackers who do it for ego gratification are certainly looking at the challenge to be the FIRST to launch a major attack on the Macintosh platform.

Posted by: Lee Joramo | September 28, 2004 3:21 PM

"It has always seemed to me a weak argument that the Mac's smaller market share protects them from attack. In the late 80's there were fewer absolute numbers of Macs but there was virus development. Today with more Macs there is almost no virus development."

Of course, the heyday of Mac virii development perfectly coincided with the height of Mac market share...

Posted by: Felix | September 28, 2004 5:19 PM

Here's one question that hasn't been asked.

Where are all of these viruses and worms then?

If we agree that the size of the user base doesn't really matter, and that the Mac is vulnerable, which of course to a lesser extent it is, then going purely by statistical methods, you would have to take the market share of the Mac, say 5%, and then take 5% of the supposedly 120,000 viruses and worms to get 6,000.

That's the approximate number the Mac should have. Give or take a couple of thousand.

So...

Where are they?

John, there must be some reason why we haven't seen this horde, despite the vulnerabilities that you mentioned. As you said, Witty came out within 48 hours. Several Mac vulnerabilities weren't fixed for weeks. One for months.

Possibly this guy/gal had it out for this company. I don't know.

But according to your reasoning (which I don't totally disagree with), we should have seen a large number by now.

Care to address this?

Posted by: melgross | September 28, 2004 11:49 PM

Without knowing every single virus writer, or even a bunch of them, that's impossible to say. But, based on what I see, I can make a supposition.

For example, a lot of the folks cracking Windows use Linux or Mac OS X. There's an old saying, "Don't crap where you eat". If you're an evildoer, you want your time spent doing evil, not keeping evil from being done to you.

Apple, for being just as ruthless as any other multi-billion dollar multinational, never manages to piss off its customers as much as Microsoft. I know Windows users who, even while dealing with the "patch du heure", are glad that Microsoft is feeling the same pain they are. A Mac user would be, well... *offended* that someone would attack their platform.

The closest thing I can come up with is an old short story I read about a dude who invents and repairs things. In Gotham. For some very weird characters. One who has a cave under a manor. One with a really creepy smile and bad skin. Another who waddles. But his shop is neutral ground. No fights touch it. No one attacks anyone there.

Maybe it's some unwritten "gentleman's agreement" regarding Linux and Mac OS X. With the low-level source available, there are no real technical barriers. It just doesn't happen. I can't explain why, and for that reason alone, I don't trust it. There's always someone who will queer the deal, 'cause they're stupid, and when it happens, I don't want to be part of the initial casualty list any more than I have to be.

Posted by: John C. Welch | September 29, 2004 8:32 AM

[Apple, for being just as ruthless as any other multi-billion dollar multinational, never manages to piss off its customers as much as Microsoft.]

It might be in part because Microsoft has always put increasing their market share and crushing the competition above absolutely anything else. I disagree with the idea that Apple is on the same plane as Microsoft when it comes to sheer greed. As you so eloquently argued above, Apple is like the rich kid who realises there's more to life than money (however unlikely it may be that he or she would give up that wealth anytime soon.)

[For example, a lot of the folks cracking Windows use Linux or Mac OS X. There's an old saying, "Don't crap where you eat". If you're an evildoer, you want your time spent doing evil, not keeping evil from being done to you. [...] Maybe it's some unwritten "gentleman's agreement" regarding Linux and Mac OS X.]

Perhaps so, but like melgross, one has to wonder where the exploits are. I'll repeat a question I've read elsewhere: given that there are plenty of people in the Windows world who hate the Mac and wish Apple would go away, why hasn't one, just one, taken the time to sit down and write at least one exploit to give the OS X platform a black eye? I don't want to make it sound like I'm daring someone to do this, and I hope it won't become some sort of self-fulfilling prophesy, but I just scratch my head at the thought of it. Am I overestimating the number of presumed Mac-haters? Do Mac-haters just lack initiative? Are black hats gentlemen?

I don't know any malware authors either, so I guess it's all idle speculation.

MB

Posted by: Mauricio Babilonia | September 29, 2004 11:51 AM

The article actually still makes the argument that Macs are LESS vulnerable. I am considerably less knowledgeable about computers than anyone I know, but I found this blurb on a Quake site:

A "DLL" is a Dynamic Load Library file. It is a file type unique to the MS Windows environment and is not cross platform compatible (meaning that DLL files will not work on Macintosh computers or PCs using operating systems other than Windows).

If that is how the article's Witty worm works, in part at least, doesn't that still rule out Macs?

Posted by: Kevin | September 29, 2004 6:28 PM

[It might be in part because Microsoft has always put increasing their market share and crushing the competition above absolutely anything else. I disagree with the idea that Apple is on the same plane as Microsoft when it comes to sheer greed. As you so eloquently argued above, Apple is like the rich kid who realises there's more to life than money (however unlikely it may be that he or she would give up that wealth anytime soon.)]

Oh then you weren't around for Apple crushing Franklin and any other company that tried to make Apple II clones.

[Perhaps so, but like melgross, one has to wonder where the exploits are. I'll repeat a question I've read elsewhere: given that there are plenty of people in the Windows world who hate the Mac and wish Apple would go away, why hasn't one, just one, taken the time to sit down and write at least one exploit to give the OS X platform a black eye? I don't want to make it sound like I'm daring someone to do this, and I hope it won't become some sort of self-fulfilling prophesy, but I just scratch my head at the thought of it. Am I overestimating the number of presumed Mac-haters? Do Mac-haters just lack initiative? Are black hats gentlemen?]

Because doing one that isn't shut down immediately on the Mac is not simple. Don't get me wrong, Microsoft, through just sheer ignorance and stupidity made it a LOT easier to attack that platform.

But someone who can pull off a Witty doesn't care about the normal viral kits. The lazy ones aren't the worry. It's the black hats getting venture capital from the Russian Mafia that are the worrisome ones.

[A "DLL" is a Dynamic Load Library file. It is a file type unique to the MS Windows environment and is not cross platform compatible (meaning that DLL files will not work on Macintosh computers or PCs using operating systems other than Windows).

If that is how the article's Witty worm works, in part at least, doesn't that still rule out Macs?]

A DLL is just a shared code module. It's a specific name for them, but there are DLLs on all platforms, just not Windows DLLs. There are lots of shared code modules on the Mac. Frameworks, plugins, CGIs, etc., yadda, so that construct exists here too. As well, remember that one of the "Crack a Mac" contests was won by a guy who found a weakness in Lasso on WebSTAR prior to Mac OS X, and the Classic Mac OS was harder to crack *remotely* by orders of magnitude.

All it takes is a boo-boo in the right framework or shared library, and you have your entry point, even if that weakness is in a third party application.

Posted by: John C. Welch | September 30, 2004 9:06 AM

Thanks to John and all posters for a thoughtful article and a great discussion. I just wanted to contribute a few points.

At some point John asked "what was the motive in attacking a user base of 12,000?" That's like asking why cops and security guards are more likely to get shot at when someone's committing a crime: ISS' BlackIce is explicitly gatekeeper software, protecting valuable resources. A small but focused target. You wouldn't target the Mac OS base for the same reasons, unless you had it in for DV editors and indie musicians! If Apple gets targeted it'll be for other reasons (see last paragraph).

For years, I worked as a network security guru for a bank. I'm painfully aware of how tissue-thin most computer security is, especially our internet infrastructure; it makes me queasy. Still, although creaky and Rube-Goldbergian, it continues to hold up; we haven't had a "true" catastrophe yet (despite many minor ones, despite some of the fiercest and most targeted not being publicized).

So how come? Some of it is just how we look at it. Like highway fatalities, network-based exploits are endemic, and overall users have come to accept them in a similar way, expecting some pain and suffering as the price we pay for convenience. But unlike a car crash, cleaning up after a computer catastrophe involves a lot less visceral death and destruction. If you're alive and healthy, you reinstall and move on. (... let's just say I'm not looking forward to net-enabled pacemakers.)

After all, ID theft aside, it's the data that matters. Looked at dispassionately, the internet is just another conduit for data loss -- like lightning, disk-head crashes or fat fingers. The appropriate remedy is platform-agnostic: backup, backup, backup.

Most individuals do take some measures to protect themselves, but not everything they possibly could (I'm no exception). Institutionally, the stakes get higher, so responsible people do more, implementing the heterogeneous layers of protection that John mentioned. This definitely helps. Different products by different vendors are tremendously valuable, and I think PC columnists who have recently praised the Mac are acknowledging that. Heck, even *Microsoft* has acknowledged that for some years now!

Macs are not invulnerable, but for now they're a lot better. As John pointed out, that advantage erodes once you add third-party code. As Mac users run more and more network-enabled shared-code apps (e.g. Java and Flash, or even MS Office), they'll be vulnerable to exploits that affect users on other platforms.

My gut tells me that when Apple is maliciously targeted, it's going to be at the music store infrastructure, not the OS level. Apple is the top dog there, so it attracts bring-down-the-mighty hackers -- and whatever the profit margins are, there's a LOT of revenue and financial data flowing through it, making it tempting for the crooks.

-Derek L.

Posted by: DDL | September 30, 2004 12:28 PM

First, I'd like to thank you for a good article.
I read the comment from John that most users (including myself) are admin users. My question is, could it be an idea for a single user (as most Mac users are) to only log in as admin when doing updates etc. and use a more restricted user account for normal work?

Kent Svensson

Posted by: Kent Svensson | November 12, 2004 3:01 PM
