
An analysis of the Symantec Internet Security Threat Report Brouhaha, or, Jack Campbell is a great honking prat

Yes, I know, it's a rather challenging title, but...well, he is. A great honking prat of a publicity hound, and even though I do know better, I'm going to give him some of what he wants...attention.

However, it remains to be seen if he'll enjoy the experience.

Ol' Jack's been in the news a lot lately. First, there was this little bit of idiocy: the DV Forge Virus Prize 2005. Yes, the “I bet you can't make a virus” contest, recently rescinded. Let's take a look at that original press release, shall we? It was a challenge to create a virus that could infect Mac OS X, because according to Jack Campbell,

“Symantec Corporation has recently released information to the press suggesting that they believe that the Mac OS X platform is at substantial risk to a new virus infection, and that the principal reason that OS X presently has zero in-the-wild virii is simply the lack of interest by virus coders, due to the platform's comparatively small market share,” says DVForge CEO Jack Campbell. “We recognize that assessment as complete nonsense, and, we have chosen to make a challenge that is interesting enough to grab the attention of any malicious coder... $25,000 worth of interesting. I happen to believe that Apple should be offering this prize. But, since they have not, I will. On behalf of knowledgeable Mac users everywhere, I am putting my money where my mouth is.”

Okay, so if you read the report, you realize that it's not a hysterical “MACS ARE GONNA DIEEEEEEEE!!!” thing at all, although Jack the Prat would like you to believe that. But he's good at misleading people for his own gain. Just ask Macintouch or Your Mac Life. The report is a long, detailed look at all internet vulnerabilities between 4 July and 4 December 2004. If you don't need to read it, it's some dry stuff, but since Jack's having a stroke over it, let's take a look at the report, which Jack really doesn't think anyone will do. (As we'll see, he really doesn't want anyone to look at it in detail either, since he's playing to the ignorant.)

Of course, he's wrong if he thinks no one will read this thing. As my upcoming slogan says, “Argue with me”. I live for this. That, and it's kind of my job. One minor point: I'm not a Symantec fan. Their Mac software has been an unending flow of buggy, dangerous-to-your-data excrement since HFS+ came out, and I'll never voluntarily buy a Symantec product again. Be that as it may, they did a good job on this report, and their Security Response site is a valuable resource. They didn't deserve what Jack and some other sites that should know better are trying to do to them.

First of all, Apple doesn't even show up in the report until page 9, in a graph of documented browser vulnerabilities. Safari's barely a blip on it, totaling what looks to be at most 5 vulnerabilities, and if you keep up with these things, that's about right. Hardly alarmist. Safari's had some vulnerabilities. So have Gecko-based browsers. Big deal. They don't overstate it. They present the numbers, as a report of this nature should. I think my UK readers should be angrier, since they live in the most infected country on the planet. That'll teach them to get snarky about the pound.

Apple doesn't show up again until page 43, in the section on web browser vulnerabilities. Wow, how alarmist. Symantec talks about Safari, a web browser in a section on web browser vulnerabilities. Hardly Hearstian reporting. In fact, Symantec very responsibly states that:

Not every vulnerability discovered is exploited. As of this writing, there has been no widespread exploitation of any browser except Microsoft Internet Explorer. This is something that Symantec expects to change as alternative browsers become more widely deployed.

I guess Jack doesn't like it when a report points out the bleeding obvious, it's not as attention-getting. I bet he especially hates it when the report does so in a way that counters the hysteria he's trying to foment. Even worse for Jack's case that this report is an alarmist bit of claptrap is this section:

Over the last six months of 2004, there were no vendor-confirmed Safari vulnerabilities. This is somewhat surprising given the increasing popularity of Mac OS® X, which is in turn associated with the success of the iPod. In the first half of 2004, there were two vulnerabilities affecting Safari compared to a single vulnerability in the second half of 2003.

The number of Safari vulnerabilities reported so far is too low to suggest any trends. This may be due to an inability of researchers to find vulnerabilities, or it may simply be due to a lack of interest in the browser because of its recent entry into the market and subsequent limited deployment. However, Symantec believes that as the browser becomes more entrenched in the market and as more users deploy it, researchers will continue to find security vulnerabilities in Safari.

I'm missing how this is irresponsible or not true. They list numbers of vulnerabilities, and point out that the low number is surprising. That seems to be a good thing, if you ask me. They even say it may be because researchers (note that in this report, “researchers” includes bad guys looking for holes to exploit as well as good guys trying to stop them) can't find any vulnerabilities. Read that again, and hear another bit of Jack's case falling into nothingness. Even the last sentence doesn't say that there will be more attacks or Mac virii. It says that Symantec believes that as Safari becomes more popular, researchers will find security vulnerabilities. Not “This will happen”, but “we believe it will”. So they aren't guaranteeing anything, but saying they think it will happen. As risk-taking goes, that's right up there with saying you predict tension in the Middle East. Jack's not looking too swift here, but that's nothing new.

The next section states:

So far, nearly all reports of vulnerabilities exploited in the wild against browsers are associated with Microsoft Internet Explorer. While there have been few, if any, credible reports of attacks against Mozilla, Mozilla Firefox, Opera, or Safari in the wild, it remains to be seen whether these browsers will live up to the expectations that many have for them.

This strikes me as being more responsible, not less. There are a lot of people who think that if they use a browser that isn't IE on Windows, they're magically invulnerable to all attacks. They're wrong. This statement is saying that the non-IE browsers are going to have to do a lot of work to live up to that belief. Okay, seems reasonable.

The next mention of Safari is here:

As was stated in the previous section, there were no Safari vulnerabilities disclosed between July 1 and December 31, 2004. Furthermore, there were no high-severity vulnerabilities found in Safari in the previous six-month period. In the last six months of 2003, the lone Safari vulnerability was rated high severity. The average severity of Safari vulnerabilities (of which there are only four in the entire vulnerability database) is within the high severity range, though it is skewed by the small sample set and the presence of a single high-severity vulnerability.[37]

The bug that note 37 refers to is here: http://www.securityfocus.com/bid/7518, which was fixed long ago. Remember, they're talking about H2 2003, over a year ago.

But it's on page 78, under the heading “Emerging Security Concerns for Mac OS” that we see what has Jack in a tizzy. Now, some context, which Jack couldn't be bothered to provide, because Jack doesn't like context, it makes him look like the prat he is. This is a subsection of a section that starts on page 75 entitled “Future Watch”, and whose opening paragraph says:

The previous sections of this report have discussed Internet security developments between July 1 and December 31, 2004. This section of the Internet Security Threat Report will discuss emerging trends and issues that Symantec believes will become prominent over the next year. These forecasts are based on emerging data that Symantec has collected during the current reporting period. In discussing potential future trends, Symantec hopes to provide organizations with an opportunity to prepare themselves for rapidly evolving and complex security issues.

In case that's not clear, Symantec is saying in this section that they are about to attempt to give IT and other folks some educated guesses at what may happen in the next year. They're pretty clear that this section is a guess, not a prediction or a guarantee. It's a pretty educated and well-stated guess, but a guess nonetheless, and one based on things they've seen thus far. Jack kind of left that out of his little rant in his challenge. Of course, so did Wired, CNN, and about everyone else who reported on this. So let's analyze this section in detail.

Generally speaking, the Macintosh® operating system has been relatively immune to malicious activity, particularly compared to other operating systems like Linux and Microsoft. With the introduction and popularity of Mac OS X, however, Apple® Computer has become a target for new attacks and vulnerabilities. With a newly designed operating system based on a BSD-UNIX lineage, Mac OS X has begun to not only capture the attention of users but of vulnerability researchers as well.

Over the past year, Symantec has documented 37 high-severity vulnerabilities in Mac OS X.[108] These vulnerabilities have been confirmed by the vendor, which, in the Apple case, almost always means that the company has released a patch. The appearance of a rootkit[109] called Opener in October 2004,[110] serves to illustrate the growth in vulnerability research on the OS X platform. Additionally, multiple remote and local vulnerabilities[111] have been disclosed that affect both the server and desktop versions of OS X.

Again, nothing alarmist here. In fact, it starts off by pointing out the historical immunity of the Mac OS to attack compared to other environments. It then points out how, with OS X, Apple is now becoming a target for new attacks. This has been proven, and is undeniable. There's nothing here to say how much more vulnerable, and that could be a mistake, but in a report like this, that's not surprising. The fact is, Mac OS X is attracting more attention, and as things like the rootkit have shown, not all of it is good attention. However, none of this is that surprising, nor is it incorrect or inaccurate.

The next paragraph talks about what Symantec has noted in the way of numbers of vulnerabilities over the last year, talking about 37 “high-severity” vulnerabilities. There are some links to the rootkit, aka Opener. (Note 109 defines a rootkit: “A rootkit is a collection of tools designed to allow hackers unfettered access to a computer system, often in a manner that avoids detection by others.”)

This may be where some of the misunderstandings start. To a lot of people, none of them security types, most of these vulnerabilities aren't a big deal. So QuickTime Streaming Server dies, or you have to reboot. Big deal. Well, to network types, it is a big deal. To network types, almost any vulnerability that allows root access, even if there's no exploit, is a big deal. We have to deal with “what if” a lot. In addition, servers that can't stay up, services that die, those are Very Bad Things. So while a home user may only consider something that wipes your hard drive to be critical, to a mail admin, a bug in Postfix like this one...

The sixth issue affects the Postfix functionality on Mac OS X 10.3.X desktop and server. This issue may allow an attacker to send mail without requiring authentication. This issue has been assigned CVE ID CAN-2004-1088 and is resolved in the attached security update.

...is a very big deal, because it would allow someone to turn your email server into a spam-bot. If you're ignorant of what is actually being talked about (and past experience shows Jacko...sorry, Jack to definitely be a bit of an IT ignoramus), then Symantec looks to be blowing this out of proportion. But so far, they really aren't. They're pointing out that Mac OS X is not perfect by any means. That's just common sense, or at least it should be. Another paragraph that would look very different to a home user and a network admin:

Vulnerabilities in the Apple windowing system and development kit and in the Apple default Apache configurations are two of the nine vulnerabilities (not all of which were high severity) for which Apple released patches. The various OS X vulnerabilities allow attackers to carry out information disclosure, authentication bypass, code execution, privilege escalation, and DoS attacks.

This could be taken to mean that Symantec is insinuating that there's bad stuff happening RIGHT NOW, QUICK! GO BUY NAV!! While I'm sure that they'd love for Mac users to go buy Norton AntiVirus (NAV), that's not what this says. It says that these vulnerabilities allow the mean people to do mean things. Nothing more, nothing less. It doesn't say, nor insinuate, that anyone has done something mean, but that these vulnerabilities allow bad stuff to happen if they are left unpatched. That's the truth, plain and unfettered. Jack, and a lot of other people, need to start reading things as they are, not as they'd like them to be. Of course, then he wouldn't get all this juicy publicity.

On to the really popular paragraphs:

Contrary to popular belief, the Macintosh operating system has not always been a safe haven from malicious code.[112] Out of the public eye for some time, it is now clear that the Mac OS is increasingly becoming a target for the malicious activity that is more commonly associated with Microsoft and various UNIX-based operating systems. Symantec believes that as the popularity of Apple’s new platform continues to grow, so too will the number of attacks directed at it.

Well, this is correct. The Macintosh has not always been a safe haven from malware. In fact, in the System 6/System 7 days, it was a prime target. System 7 re-architected the Desktop functionality just to shut down some of the more popular virii. I remember not being able to use any disks from my school without the familiar sound of SAM screaming its bloody head off. So not only was the threat real, but it was real enough for Apple to create what was, in effect, a patch so that a malware vector would be eliminated.

Even into the Mac OS 8/OS 9 days, while the number dropped, it wasn't zero. Anyone remember the QuickTime worm? Yeah, that about sucked, didn't it. The last one of note pre-OS X was the Simpson AppleScript virus, which was kind of annoying, but that's about it.

Into Mac OS X, you've had none of the “infect your system without you doing anything” kind of virii, but trojan horses? They're there. The recent Opener rootkit? That was a trojan, my friend. The very lame P2P Microsoft Office 2004 trial malware that wiped your home directory? Trojan. Both of those were in the last year or so, and they were the first attempts on OS X in a long while. So yes, that's an increase. So far, Symantec's technically correct on both points.

The fact that both of these are trojans is to be expected. The fact is, writing malware that needs no user action whatsoever has gotten harder, so malware writers are turning to trojans and social engineering to get their work done. In fact, the report notes that trojan incidents are on the rise. That would be what the laymen would call a big “Well DUH”.

But again, note what Symantec hasn't said yet. They haven't talked about virii. They have talked about malicious code. That's not alarmist, that's fact. There is malicious code targeted at Mac OS X. Jack can scream and cry and have a total BF all day long, but it's still a fact. Symantec is simply pointing that out, and pointing out, (correctly), that Mac OS X is, due to its growth, becoming more of a target for malware. No one sane can deny that.

Onto the next paragraph that everyone jumped on:

The market penetration of Macintosh platforms will be accelerated by the much lower priced Mac® mini, which may be purchased by less security-savvy users. As a result, the number of vulnerabilities can be expected to increase, as will malicious activity that targets them. However, it should be stated that while the number of vulnerabilities in Macintosh operating systems is expected to increase, they will likely be outnumbered by vulnerabilities in other operating systems for some time to come.

Symantec's saying that the Mac Mini's price makes it a more attractive computer for the cost-conscious, less tech- and security-savvy user. No foolin', really? Although I would argue that IT folks love it too, we aren't who it's targeted at. It's targeted at the low-end buyer, and Symantec characterizing them as being less security-savvy is pretty darned spot-on. They then say that more people using the Mac OS means that more vulnerabilities will be discovered. Again, DUH. Not only is that to be expected, it's one of the reasons for using Open Source in Mac OS X to begin with: so that more people look at your work and find bugs sooner. However, even in the last sentence, Symantec continues being ruthlessly reasonable by pointing out that even though the number of vulnerabilities will increase, the situation on the Mac is still going to be better than on other platforms for a good while longer.

Pray tell, Jack, what's the problem here? Again, there is none. Part of the problem is that this report was written for people like me, who run networks, not prats who run their mouths like Jack. If you read this report with a bit of real knowledge and experience, it's saying nothing new to the Mac IT manager. But, hey, Jack hadn't been in the press lately, and virii are always a good hot-button issue. So he jumps on this, distorts it, and gets a lot of press. Even looks like a hero, instead of the tool he really is for distorting this issue so badly. I guess he was bummed he couldn't get on the Terri Schiavo bandwagon.

That's it by the way. That's all the mention of Mac OS X in the entire report. A blurb on Safari in a section on web browsers, and a few, rather reasonable paragraphs on Mac OS X future possibilities in a Future Trends section. So if the report is so calm, what's the deal? Why did Jack, Cnet, Wired and the rest jump on it this way?

Well, for the not-Jack participants in this idiocy, it's called “You never lose hit counts by pissing off Mac users”. If you selectively quote things so that you get the MacMacs annoyed, your hit counts go up, and you can use that to attract new readers and advertisers, and you make what we in the trade like to call money. This shameless manipulation of MacMacs I get. It's fun, in a sick way. What I don't get is how they got away with doing it so transparently. For example, here's ZDNet Australia's quote from the Symantec report:

“Apple Computer has become a target for new attacks… The appearance of a rootkit 109 called Opener in October 2004, serves to illustrate the growth in vulnerability research on the OS X platform… The various OS X vulnerabilities allow attackers to carry out information disclosure, authentication bypass, code execution, privilege escalation, and DoS attacks. Symantec believes that as the popularity of Apple’s new platform continues to grow, so too will the number of attacks directed at it,” the report said.

Here's the CNN Money version of the same paragraph:

“The market penetration of Macintosh platforms will be accelerated by the much lower priced Mac mini, which may be purchased by less security-savvy users,” the report said. “As a result, the number of vulnerabilities can be expected to increase, as will malicious activity that targets them.”

Finally, the Wired version:

“The market penetration of Macintosh platforms will be accelerated by the much lower priced Mac mini, which may be purchased by less security-savvy users,” the report said. “As a result, the number of vulnerabilities can be expected to increase, as will malicious activity that targets them.”

(If the Wired and CNN versions look identical, that's because they both parrot the same Reuters feed story. Great journalism there, guys. Nice fact checking. Way to be the mouthpiece.)

Now, again, the full paragraph from the report:

The market penetration of Macintosh platforms will be accelerated by the much lower priced Mac® mini, which may be purchased by less security-savvy users. As a result, the number of vulnerabilities can be expected to increase, as will malicious activity that targets them. However, it should be stated that while the number of vulnerabilities in Macintosh operating systems is expected to increase, they will likely be outnumbered by vulnerabilities in other operating systems for some time to come.

See how easy it is? By dropping one sentence, and ignoring context, we can completely misrepresent what the report said and implied. Isn't manipulating the lazy fun? Because that's what they, and Jack, were counting on. That we, the people who aren't them, are so lazy as to not bother to read the data they're quoting. I'm just cantankerous and ornery enough to not only do just that, but also spend a couple hours writing an article pointing out their misdeeds. I'm that kind of guy. Yes, I'm cackling as I do this. It's been a tedious week, I need the release.

But what about Jack?

Okay, first, he's been engaging in a bit of proactive reputation-rebuilding. Jack's been involved in some seriously shady stuff before (read Macintouch or listen to YML for details), and this was suddenly a prime opportunity. People were angry. Outraged. Wired and CNN and the rest gave him a perfect set. All he had to do was spike it, and he did, with style. He set himself up as “Jack Campbell, ferreter of untruths, and challenger of evil corporate lies”. But don't kid yourselves. This is a cold, shameless manipulation of public sentiment, in the grand style of Hearst, McCarthy, Smathers, and a rich line of such amoral publicity hounds.

The best proof is in Jack's own words:

“This challenge is to John Thompson, CEO of Symantec corporation, and is based on statements issued by his company in and in response to its Internet Security Threat Report, issued in March,” said Jack Campbell, DVForge, Inc. CEO. “The report and the several following statements issued by Symantec representatives very cleverly used vague assertions and innuendo to promote the idea that an in-the-wild, self-replicating virus that is effective against the modern Mac OS X operating system is possible, and is in fact a serious threat to Mac users. If anyone in my company made such dangerously erroneous public statements, I would fire them on the spot. Since I cannot fire anyone inside Symantec, I am specifically challenging Mr. Thompson to either produce scientifically valid evidence that such a Mac OS X virus is possible, or to publicly retract his company's claims.”

Jack should not only be fired, but also get a kick in the arse for that kind of crap. I think a certain internet radio host would be willing to help me out with that too. Again, review the whole Mac OS X section Jack is waving as his banner. Go ahead, I'll wait. Guess what word isn't there? That's right. Virus. See, Symantec didn't say there was a virus. They didn't say there wasn't either. They said, basically, that as the Mac OS gets more popular, you're going to see more people trying to find vulnerabilities in it. They never talked about any actual implementation of an attack save the one we all know about, Opener. The report neither used “vague assertions” nor “innuendo” to promote anything. Jack's insistence that a Mac OS X virus is impossible shows that as an authority on technical issues, he's a great publicity hound. But if you're going to ask Jack about tech issues, ask the cat too, as a second opinion. I bet you get a better answer from the cat. Symantec doesn't set odds, they just say what is pretty obvious. The more people use OS X, the more bugs, and therefore vulnerabilities, you'll find in it. This has been shown to be true over time with any OS, and Mac OS X blazes no new ground here.

Jack didn't do this because he cares, or because he's some bastion of integrity. He did it to be the good guy. He's got this company, DVForge, and this company sells stuff to Mac users. Jack knows one thing about Mac users. If you look like a good guy to them, they'll buy your crap. So, he looks like a good guy for standing up to “Teh Eeeeeevul Slimantec” and hopes that Mac users do what they always do, and buy his crap.

Don't fall for it. He's jamming you with noise so you can't see the truth.

Don't even take me at face value. I gave you the link to the report. Download it and read it. It's fascinating stuff, even for the non-Mac parts. It can be kinda dry too, so if you don't make it through the whole thing, I understand. But please, don't fall for Jack's shuck and jive. Prove that you're smarter than that, and that you too realize that Jack Campbell is a great honking prat.

Categories:     Mac Matters
Posted by John C. Welch at 22:47 | Permalink
