What a difference a decade makes. When Microsoft Corp. (Nasdaq: MSFT) dismissed the validity of a Windows NT password-breaking program about 10 years ago, it typified that company’s arrogant attitude about its security flaws. Now, despite signs that the Mac’s rising popularity is luring more hackers, Apple Inc. (Nasdaq: AAPL) is conveying the same arrogance about software safety.
I remember when L0pht Crack, a password auditing application, was released by L0pht Heavy Industries in 1997. The program was essentially a brute force password cracker that took advantage of the password vulnerability in LanMan, an authentication protocol (it's now obsolete) for Microsoft Windows.
At the time, a dismissive Microsoft spokesperson said something to the effect of, “Who has time to perform a brute force attack?” The remark completely ignored the fact that computers perform brute force attacks, not any individual. Most passwords could be cracked in a few hours on a typical PC. Microsoft was either ignorant, arrogant, or had its proverbial head in the sand with regard to security. Now, it looks as if Apple is taking on the same attitude.
The popularity of Apple's iPods, iPhones, and Mac computers is starting to attract a growing number of malicious hackers who want to exploit the vulnerabilities of Apple’s software. Zlob spyware, DNSChangers, and other malicious programs targeting Mac OS are on the rise, according to a 2007 Data Security Wrapup issued by F-Secure Corp. , an Internet security company. And, as recent news reports show, the vulnerability hunters are successful.
Many people probably aren’t aware that the first significant PC virus targeted Apple computers. Personally, the first computers that I hacked were Macs. L0pht Heavy Industries, which became infamous for publishing Windows-based attacks, also sold the Whacked Mac Archives that contained a wide variety of exploits for Macs.
While there were always viruses and hackers targeting Macs, reports about these attacks were few and far between. Few hackers cared enough about Macs to waste their time on them. This was not because Mac operating systems and software were coded so well, but because hackers were more interested in targeting Windows.
In 2002, security flaws forced Microsoft to put more emphasis on making its software safe from malicious intruders. The company’s clueless security attitude came to a stop. While there will always be vulnerabilities built into software, we are now seeing significantly fewer weaknesses from Microsoft applications.
Now, Apple is demonstrating gross ignorance with regard to security. I have to admit that I hate those “Get a Mac” versus PC ads. They’re definitely cute, and I like the actors, but these commercials mock legitimate security concerns. For example, one commercial shows a security bodyguard who doesn’t allow the actors representing the PC and the Mac to talk directly to each other. Not only is the commercial inaccurate in the way the interaction is technically handled, it mocks the valid point that communications on the Internet can be dangerous to all systems, including Macs
The most egregious example of Apple’s conceit is when it shipped iPods containing a Windows virus. It is pathetic that something like this happened. It demonstrates that Apple had poor security controls embedded in its manufacturing process. Even worse was Apple’s public stance, basically blaming Microsoft for its own failings: “As you might imagine, we are upset at Windows for not being more hardy against such viruses…”
The fact that iPods contained a Windows virus implies that Apple has to use PCs in its iPod manufacturing process. What does that say about the robustness of Macs as a whole if Apple, or its subcontractors, have to use PCs during the installation of software onto iPods? I think the practice speaks for itself.
I wouldn’t normally criticize Apple so much. As I have stated many times before, all software has vulnerabilities. There will also be periodic problems in manufacturing. However, Apple has taken the position that its products don’t have security concerns. The only people that guarantee security are fools or liars. Just as Microsoft deserved criticism for being so arrogant about security concerns, now it is Apple’s turn.
What a difference a decade makes.
— Ira Winkler, Former National Security Agency analyst and author of Spies Among Us
The problem with your "facts" is that they have no source. I can say that OS X has at least 100 million users but if I can't provide some sort of proof it simply shouldn't be accepted at face value. Simply, facts without proof cannot be accepted as facts.
"and while you would likely respond with something referring to your numbers providing some factual basis for your comments or some other such nonsense"
I can see what the level of discourse is here. "Facts are nonsense. I have my opinion and because it's mine it's true." I'll not be wasting further time on intellectual midgets.
Zeke, your facts can be dismissed as opinion and conjecture just as easily as mine can be, and while you would likely respond with something referring to your numbers providing some factual basis for your comments or some other such nonsense, I can just as easily point out that, unless you are the authoritative source for such numbers, I need some kind of proof more than just your word. Then again, it doesn't really matter anyway. The number of users doesn't really matter. The fact that nobody cares about OS X because it isn't as visible a target as Windows does. This link clearly shows that Apple has around 7.3% of market share, hardly enough to justify a front-page article, while Windows maintains over 90% of market share.
I know there are flaws in Windows operating systems. I didn't say there weren't. I'm not saying that one operating system is superior to the other. What I AM saying, which is a BLATANT re-statement from the author, is that Apple is sitting in their office yelling "lalalalala" as loud as they can with their fingers in their ears regarding security concerns in their software.
Tim, thanks for the links.
BTW, I have hunted and been a target shooter for years and have never shot anyone.
"BTW, I have run OS X since version 1.0 on 4 Mac desktops and 2 Mac laptops with just a simple router firewall, no anti-virus, no malware blockers, and no problems."
I run well over a hundred miles a year and I have yet to break my leg.
Well, Splowman, I gave facts to back up my arguments. You, however, have simply done the equivalent of putting your fingers in your ears and chanting "Is not!" You have restated the author's basic position backed up with nothing but opinion and conjecture.
BTW, I have run OS X since version 1.0 on 4 Mac desktops and 2 Mac laptops with just a simple router firewall, no anti-virus, no malware blockers, and no problems.
Unfortunately, you are showing the same "ignorance" by basically saying that it can't happen. It's widely understood that in order for Windows (of any flavor) to be as secure as it can be there is a need for virus protection, a firewall and regular updates. Neglecting any of these parts puts the consumer at risk.
The only reason OS X hasn't been hacked isn't because of the AMAZING security but because nobody cares to hack something that so few people use. 30 million users is substantial, but still a distant second or third to Windows or the pile of various Linux flavors available. If someone hacks Windows to pieces you hear it at the top of the hour as a headline. If someone hacks OS X it's an endnote to the day, maybe.
The day OS X becomes the most-used operating system is the day it recieves its first security patch for a virus. To think this will never happen just makes you, as you put it, ignorant.
I can't wait for the day when all my pc-mocking mac-owner friends are going crazy over viruses and their antivirus slowing their macs down!
I would love for a virus-free World, but it's not going to happen. Why don't have a balance between Macs and PCs? I expect that hackers will continue to get attracted to macs, eventually creating another problem to those mac users.
P.D. I must say I don't hate Apple or Mac, but I just hate how every Mac user mocks PC without looking in the mirror first. Apple has a worst monopoly than Microsoft had! Microsoft only controlled software, Apple has both.
Either this author is woefully ignorant about Apple's OS X, or he's being disingenuous. He first drags out the "security through obscurity" myth. By conservative estimates OS X has at least 30 million users, and that number is growing at 20% to 40% per year. That, in itself, says that OS X is not obscure. However, it's not just a numbers game. OS X is the "Apple" of every hacker's eye. Where's the glory in hacking Windows when it's hacked several times a day? The author of the code for the first REAL virus for OS X would be instantly legendary, since no (repeat, ZERO) actual viruses for OS X exist in the wild today.
This brings us to the author's second mistake (or fib, take your pick). There presently exist exactly ZERO self-replicating viruses in the wild for OS X. Contrast that with the 130,000 and counting such viruses for Windows. A handful of trojan horse executables, and "proof of concept" viruses that exist only in labs, have been hyped by various computer security companies over the last 3 years in the hopes of selling anti-virus software to Mac users. These companies see a declining market as more people switch to Mac OS X from the virus riddled Windows platform, and they see that in order to survive they are going to have to convince Mac users that their products are necessary and useful. Some examples they cite are "proof of concept" attacks, which assume wildly rare and coincidental conditions under which such an attack would be successful. One such attack would be successful only if a person were already running AIM when the attack occurred, and it could only replicate through a bluetooth connection, limiting its effectiveness to devices physically located within about 6 feet. Another "virus" required the user to manually download the executable, unzip it, install it using an administrator password, and then run it. This is hardly the kind of thing brought to mind when the author calls it a virus. True viruses self-install and propagate uncontrollably across networks. Another fib, or just ignorance on the part of the author?
The author cites viruses that did work on Macs 10 years ago. That was a totally different and now obsolete OS. Mac OS X is a brand new OS from the ground up, based on BSD Unix. Windows Vista, on the other hand, still runs DOS components and is still vulnerable to the same attacks as it was 10 years ago. This brings us to the issue of understanding how things work. The author goes to great pains to point out that he thinks Apple misrepresents the Windows security process in its commercials. While not entirely accurate, it is a fair representation of the Windows security strategy, which relies on the user to determine whether certain operations should be allowed. There's nothing wrong with that strategy. Indeed, OS X uses the same strategy when it requires an administrator password for the installation of any executable code. The problem arises with the frequency of required authorizations and the types of transactions to which they are applied. The inherent insecurity of Windows and its registry require numerous authorizations. This constant and repeated nagging has driven many Vista users to abandon it.
The author overlooks some basic characteristics of the two OS platforms. Windows security is mostly at the system level. Once an intruder gains access he has the ability to change the registry and the OS itself without further restrictions. OS X was recently certified as a standard version of Unix. Under the Unix OS (and OS X) each file has locks (permissions) attached to it that permit various classes of users to have access at various levels. A file can be designated with "read", "write", and "execute" permissions for the owner of the file, but all others can be restricted to only "read" or "execute". Security in Unix is defined at the file level, not the system level. Once an intruder breaks into a user account on a Unix system he has access only to those files, and only to those operations on those files that the user account has. This is why banks and credit card companies rely on Unix as an OS. The single largest data compromise in the credit card industry exposed millions of card holders information to crooks. It did not happen on a Unix system. It occurred on a Windows server. Either the author is unaware of these facts, or they don't support his agenda.
Again, either he's uninformed or he's being dishonest.
Thanks for this post, it's a good thing that you're drawing attention to this situation. As Mac penetration increases, it becomes more worthwhile for hackers to write viruses and such for Mac OS, it's where popularity backfires. Apple cultivates a 'better-than-the-rest' image which of course is marketing, not an accurate representation of the state of affairs. As you rightly state, no OS is invulnerable to outside threats.
I'd like to address this marketing strategy of Apple some more. You criticize the 'I'm a mac and I'm a pc' ads. The particular 'security' commercial according to you not only features a misrepresentation of communication between computers, but also does not take the eminent dangers seriously in this communication. Honestly, I do not understand why this upsets you so much. I don't know how many commercials you've seen before, but I reckon almost all advertising misrepresents things...it's marketing! Moreover, this won't be the first ironic commercial 'mocking' serious issues, why is there a problem with that now? So to be frank, I wouldn't hold this particular ad against Apple and use it as an example to structure your argument.
Furthermore, you say that "The fact that iPods contained a Windows virus implies that Apple has to use PCs in its iPod manufacturing process." Based on this assumption you draw a rather bold conclusion on the robustness of not only Mac OS, but also Apple in general and all subcontractors involved in the iPod. But wait a minute: does the fact that a .exe file ended up on an iPod automatically imply that it has been written on a PC as part of the iPod manufacturing process? It's not that .exe files don't show up in a Mac, you just can't execute them. But even then: isn't it rather logical that for a device that can also run on Windows, as a manufacturer you would want to do some testing in Windows? How on earth can this "speak for itself" to support your these that Apple is arrogant?
So I share your concern, but would like to discuss your argument.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
While I try to think that one should never be happy with the misfortunes of others, it is satisfying to see that Albert Gonzalez was sentenced to 20 years in prison for basically masterminding the compromise of more than 100 million credit cards.
I am surprised a recent news story is not getting more attention. In short, Iran took down 29 Websites the government said were operated by Iranian dissidents, supposedly backed by CIA operations intended to destabilize the country. The government arrested 30 people assumed to be affiliated with those sites.
Given what I do, I felt compelled to watch the CNN special, Cyber Shock, which featured a simulated cyber-attack against the United States. As I watched I wanted two things: a bullet in my head, and the return of Dick Cheney's take-charge governance style.
In his recent Congressional testimony, Dennis Blair, the U.S. director of national intelligence, stated that the U.S. is "severely threatened" by cyber attacks and that the recent Google (Nasdaq: GOOG) attacks should serve as a wake-up call.
I keep telling people that if they do everything right, they will be generally secure. I like to think I do everything right myself to minimize the likelihood of being hit by malware. I avoid going to unusual sites. I don’t click on links in strange emails. When reading normal emails, I verify any embedded links, just in case.
Getting to Work on Smart Work: How IT Is Transforming the Implementation of the 'Internet of Things' Organizations in all industry sectors are becoming more instrumented, interconnected, and intelligent -- and that's changing the way they approach virtually every facet of their operations. It's up to IT to help organizations adopt a "Three I's" approach that leverages the emerging Internet of Things and enables them to work smarter. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
E-discovery is the requirement to make available all digital information related to, and in conjunction with, a legal proceeding. An appeals court ruled recently to limit the scope of e-discovery searches, which gives corporate counsel and IT executives a bit more power over the e-discovery process.
The release of Microsoft's newest OS raises the question of the company's relevance in an era when Google dominates applications and search, and Apple runs circles around Redmond with its gadgets and user interfaces.
An email from Ukraine teaches us that perhaps those who complain about the Internet just haven’t figured out how to spam people’s inboxes with requests for pens and balloons… or something.
There's a public-policy war on copyright that nobody is winning, and inconsistencies in viewpoint and interpretation seem to be multiplying. We need to step back and think our policies over again, or we risk having a strategy that fails everyone.
Ultraviolet is an industry-wide attempt to standardize video content delivery across multiple platforms. Apart from the fact that it’s based in the cloud, relies on the DRM system, and isn’t backed by Apple… it sounds great!
The FCC's Sixth Broadband Report has a hidden secret. But here’s a hint: The regulatory body plans to regulate broadband as a telecommunications service.
Once defined by epic journeys, planning, and maps, the phrase "on the road" takes on new meaning in a digital age, where we can make all our decisions using our connected devices en route.
Digg
Del.icio.us
Reddit
Email This
TWEET THIS
