In a recent Computerworld article republished on Macworld.com, Ira Winkler called for the FTC to "...investigate Mac security."
While I appreciate Ira's frustration with Apple from a security POV, his call for the FTC to investigate Apple's marketing claims as a way to somehow force Apple to do what he wants with regard to speed of patching the OS strikes me as odd, in a "I'm going to burn down the barn to make you fix the house" kind of way. (It's a weak analogy, but so is Ira's point.)
First, let's be clear on one thing: when it comes to Apple's refusal to clearly and openly communicate with its customers about things like security holes, I share Ira's frustrations. It is astoundingly annoying, as someone who is responsible for a Mac-based network, or really, any network with Macs on it, to deal with Apple about such things. Whether it's Apple's abysmal speed in patching the DNS hole behind last year's security brouhaha, or the current Java hole, Apple is one of the worst OS vendors, if not the worst, when it comes to patching vulnerabilities in a timely manner. Ira's frustration here is fully justified, and shared by many, many sysadmins. Furthermore, Apple still, even after the DNS debacle of 2008, insists on treating things like security fixes as though they were the next iPhone. Apple will not, even for customers with thousands of Macs, give out information that everyone else already knows about!
To paraphrase an argument I used long ago with another vendor, Dantz, about their overweening need for secrecy about everything: Apple, we know you're going to patch Java. We know the patch you're going to use. If we want, we can even get the patch ourselves. There is no secret here. None. You are protecting nothing with this refusal to communicate with your customers, and you are hurting yourself in the way you handle stuff like this. This is a fact, by the way. I know quite a few Mac sysadmins who removed Mac OS X from any machine that faced the public internet in 2008, because they were tired of living in uncertainty until Apple could be bothered to apply the patch that everyone else already had, and couldn't be bothered to even give them a rough idea of when the patch would be released. That's future hardware and OS licenses that Apple has essentially lost forever, solely because they refused to take the minimal step of communicating with their customers about a widely known, non-secret issue.
Again, Ira's frustration and anger with Apple's refusal to communicate with its customers about their delays in security updates is legitimate, understandable, and shared.
However
The idea that somehow getting the FTC to investigate claims made in advertising will "force Apple to patch faster" is ludicrous, if not laughable. For one, all the FTC could do, at most, is maybe make Apple write a check and change the advertising. Re-read that last part: change the advertising. That's it. The FTC cannot force Apple to patch faster. They can fine Apple, sure. But Apple has what, $30 billion US in the bank? The FTC couldn't begin to legitimately fine Apple a large enough amount to make it really hurt; Apple could get that kind of fine overturned in a second. Secondly, all Apple would have to do is stop "overstating the security of the OS".
Of course, the FTC would first have to prove Apple is doing this, and this is another shoal that Ira's ship of good intentions runs aground on. The fact is, Apple can show with trivial ease that, in spite of their delays, Mac users are in fact less at risk from actual malware attacks than Windows users. Relative platform security has nothing to do with this; it's all about frequency of attack. Right now, to be honest, Windows Vista/Windows Server 2008 have, in many ways, a better security posture than Mac OS X. Microsoft is, without doubt, faster to patch, far nicer to work with on security issues, and so much better than Apple about communication that adjectives fail me.
But it's like living in a more secure bunker that's under constant 24x7 attack vs. a less-secure bunker that maybe takes a shot a couple times a year, and you can see it coming for the most part. As others have said, there is security and there is safety, and they are not in fact the same. Is Mac OS X more secure than Windows? If you restrict the argument to Vista/Server 2008, probably not. If you throw in what the vast majority of Windows customers are using, namely XP and Server 2000/2003, then that answer isn't as clear. Is Mac OS X safer than Windows? Based on real-world results, the answer is clearly yes. You are going to be attacked less on a Mac. Period. That may change one day, but for now, the weaker walls of Mac OS X don't matter, because no one is lobbing shells at it.
Should Apple patch faster, and communicate better? Without doubt or hesitation, yes. Is the FTC the way to force Apple to do so, and is it even capable of doing so? Without doubt or hesitation, no to both. Sorry Ira, but you need to rethink that argument.