Apple’s Arrogant Attitude About Security

Written by Ira Winkler
1/8/2008 9 comments

What a difference a decade makes. When Microsoft Corp. (Nasdaq: MSFT) dismissed the validity of a Windows NT password-breaking program about 10 years ago, it typified that company’s arrogant attitude about its security flaws. Now, despite signs that the Mac’s rising popularity is luring more hackers, Apple Inc. (Nasdaq: AAPL) is conveying the same arrogance about software safety.

I remember when L0pht Crack, a password auditing application, was released by L0pht Heavy Industries in 1997. The program was essentially a brute force password cracker that took advantage of the password vulnerability in LanMan, an authentication protocol (it's now obsolete) for Microsoft Windows.

At the time, a dismissive Microsoft spokesperson said something to the effect of, “Who has time to perform a brute force attack?” The remark completely ignored the fact that computers perform brute force attacks, not any individual. Most passwords could be cracked in a few hours on a typical PC. Microsoft was either ignorant, arrogant, or had its proverbial head in the sand with regard to security. Now, it looks as if Apple is taking on the same attitude.

The popularity of Apple's iPods, iPhones, and Mac computers is starting to attract a growing number of malicious hackers who want to exploit the vulnerabilities of Apple’s software. Zlob spyware, DNSChangers, and other malicious programs targeting Mac OS are on the rise, according to a 2007 Data Security Wrapup issued by F-Secure Corp., an Internet security company. And, as recent news reports show, the vulnerability hunters are successful.

Many people probably aren’t aware that the first significant PC virus targeted Apple computers. Personally, the first computers that I hacked were Macs. L0pht Heavy Industries, which became infamous for publishing Windows-based attacks, also sold the Whacked Mac Archives that contained a wide variety of exploits for Macs.

While there were always viruses and hackers targeting Macs, reports about these attacks were few and far between. Few hackers cared enough about Macs to waste their time on them. This was not because Mac operating systems and software were coded so well, but because hackers were more interested in targeting Windows.

In 2002, security flaws forced Microsoft to put more emphasis on making its software safe from malicious intruders. The company’s clueless security attitude came to a stop. While there will always be vulnerabilities built into software, we are now seeing significantly fewer weaknesses from Microsoft applications.

Now, Apple is demonstrating gross ignorance with regard to security. I have to admit that I hate those “Get a Mac” versus PC ads. They’re definitely cute, and I like the actors, but these commercials mock legitimate security concerns. For example, one commercial shows a security bodyguard who doesn’t allow the actors representing the PC and the Mac to talk directly to each other. Not only is the commercial inaccurate in the way the interaction is technically handled, it mocks the valid point that communications on the Internet can be dangerous to all systems, including Macs.

The most egregious example of Apple’s conceit is when it shipped iPods containing a Windows virus. It is pathetic that something like this happened. It demonstrates that Apple had poor security controls embedded in its manufacturing process. Even worse was Apple’s public stance, basically blaming Microsoft for its own failings: “As you might imagine, we are upset at Windows for not being more hardy against such viruses…”

The fact that iPods contained a Windows virus implies that Apple has to use PCs in its iPod manufacturing process. What does that say about the robustness of Macs as a whole if Apple, or its subcontractors, have to use PCs during the installation of software onto iPods? I think the practice speaks for itself.

I wouldn’t normally criticize Apple so much. As I have stated many times before, all software has vulnerabilities. There will also be periodic problems in manufacturing. However, Apple has taken the position that its products don’t have security concerns. The only people that guarantee security are fools or liars. Just as Microsoft deserved criticism for being so arrogant about security concerns, now it is Apple’s turn.

What a difference a decade makes.

— Ira Winkler, Former National Security Agency analyst and author of Spies Among Us

splowman
IQ Crew
Friday January 11, 2008 2:18:09 PM

The problem with your "facts" is that they have no source.  I can say that OS X has at least 100 million users but if I can't provide some sort of proof it simply shouldn't be accepted at face value.  Simply, facts without proof cannot be accepted as facts.

Zeke
Rank: Cave Painter
Friday January 11, 2008 12:52:09 PM

"and while you would likely respond with something referring to your numbers providing some factual basis for your comments or some other such nonsense"

I can see what the level of discourse is here.  "Facts are nonsense.  I have my opinion and because it's mine it's true."  I'll not be wasting further time on intellectual midgets.

BTW, learn to spell. 

splowman
IQ Crew
Friday January 11, 2008 3:16:29 AM

Zeke, your facts can be dismissed as opinion and conjecture just as easily as mine can be, and while you would likely respond with something referring to your numbers providing some factual basis for your comments or some other such nonsense, I can just as easily point out that, unless you are the authoritative source for such numbers, I need some kind of proof more than just your word. Then again, it doesn't really matter anyway. The number of users doesn't really matter. The fact that nobody cares about OS X because it isn't as visible a target as Windows does. This link clearly shows that Apple has around 7.3% of market share, hardly enough to justify a front-page article, while Windows maintains over 90% of market share.

I know there are flaws in Windows operating systems. I didn't say there weren't. I'm not saying that one operating system is superior to the other. What I AM saying, which is a BLATANT re-statement from the author, is that Apple is sitting in their office yelling "lalalalala" as loud as they can with their fingers in their ears regarding security concerns in their software.

Tim, thanks for the links.

BTW, I have hunted and been a target shooter for years and have never shot anyone.

Tim Bell
IQ Crew
Friday January 11, 2008 1:51:26 AM

Better safe than sorry:

http://www.eweek.com/c/a/Macintosh/Mac-OS-X-Virusfree151For-Now/

http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html

"BTW, I have run OS X since version 1.0 on 4 Mac desktops and 2 Mac laptops with just a simple router firewall, no anti-virus, no malware blockers, and no problems."

I run well over a hundred miles a year and I have yet to break my leg. 

Zeke
Rank: Cave Painter
Thursday January 10, 2008 11:17:49 PM

Well, Splowman, I gave facts to back up my arguments.  You, however, have simply done the equivalent of putting your fingers in your ears and chanting "Is not!"  You have restated the author's basic position backed up with nothing but opinion and conjecture.

 BTW, I have run OS X since version 1.0 on 4 Mac desktops and 2 Mac laptops with just a simple router firewall, no anti-virus, no malware blockers, and no problems.

splowman
IQ Crew
Thursday January 10, 2008 7:08:02 PM

Unfortunately, you are showing the same "ignorance" by basically saying that it can't happen.  It's widely understood that in order for Windows (of any flavor) to be as secure as it can be there is a need for virus protection, a firewall and regular updates.  Neglecting any of these parts puts the consumer at risk.

The only reason OS X hasn't been hacked isn't because of the AMAZING security but because nobody cares to hack something that so few people use.  30 million users is substantial, but still a distant second or third to Windows or the pile of various Linux flavors available.  If someone hacks Windows to pieces you hear it at the top of the hour as a headline.  If someone hacks OS X it's an endnote to the day, maybe.

The day OS X becomes the most-used operating system is the day it receives its first security patch for a virus.  To think this will never happen just makes you, as you put it, ignorant.

Mr. Roques
Researcher
Wednesday January 9, 2008 3:52:15 PM

I can't wait for the day when all my pc-mocking mac-owner friends are going crazy over viruses and their antivirus slowing their macs down!

I would love for a virus-free World, but it's not going to happen. Why not have a balance between Macs and PCs? I expect that hackers will continue to get attracted to Macs, eventually creating another problem for those Mac users.

P.S. I must say I don't hate Apple or Mac, but I just hate how every Mac user mocks PC without looking in the mirror first. Apple has a worse monopoly than Microsoft had! Microsoft only controlled software, Apple has both.

Zeke
Rank: Cave Painter
Wednesday January 9, 2008 3:39:54 PM

Either this author is woefully ignorant about Apple's OS X, or he's being disingenuous.  He first drags out the "security through obscurity" myth.  By conservative estimates OS X has at least 30 million users, and that number is growing at 20% to 40% per year.  That, in itself, says that OS X is not obscure.  However, it's not just a numbers game.  OS X is the "Apple" of every hacker's eye.  Where's the glory in hacking Windows when it's hacked several times a day?  The author of the code for the first REAL virus for OS X would be instantly legendary, since no (repeat, ZERO) actual viruses for OS X exist in the wild today.

 This brings us to the author's second mistake (or fib, take your pick).  There presently exist exactly ZERO self-replicating viruses in the wild for OS X.  Contrast that with the 130,000 and counting such viruses for Windows.  A handful of trojan horse executables, and "proof of concept" viruses that exist only in labs, have been hyped by various computer security companies over the last 3 years in the hopes of selling anti-virus software to Mac users.  These companies see a declining market as more people switch to Mac OS X from the virus riddled Windows platform, and they see that in order to survive they are going to have to convince Mac users that their products are necessary and useful. Some examples they cite are "proof of concept" attacks, which assume wildly rare and coincidental conditions under which such an attack would be successful.  One such attack would be successful only if a person were already running AIM when the attack occurred, and it could only replicate through a bluetooth connection, limiting its effectiveness to devices physically located within about 6 feet.  Another "virus" required the user to manually download the executable, unzip it, install it using an administrator password, and then run it.  This is hardly the kind of thing brought to mind when the author calls it a virus.  True viruses self-install and propagate uncontrollably across networks.  Another fib, or just ignorance on the part of the author?

The author cites viruses that did work on Macs 10 years ago.  That was a totally different and now obsolete OS.  Mac OS X is a brand new OS from the ground up, based on BSD Unix.  Windows Vista, on the other hand, still runs DOS components and is still vulnerable to the same attacks as it was 10 years ago.  This brings us to the issue of understanding how things work.  The author goes to great pains to point out that he thinks Apple misrepresents the Windows security process in its commercials.  While not entirely accurate, it is a fair representation of the Windows security strategy, which relies on the user to determine whether certain operations should be allowed.  There's nothing wrong with that strategy.  Indeed, OS X uses the same strategy when it requires an administrator password for the installation of any executable code.  The problem arises with the frequency of required authorizations and the types of transactions to which they are applied.  The inherent insecurity of Windows and its registry require numerous authorizations.  This constant and repeated nagging has driven many Vista users to abandon it.

 The author overlooks some basic characteristics of the two OS platforms.  Windows security is mostly at the system level.  Once an intruder gains access he has the ability to change the registry and the OS itself without further restrictions.  OS X was recently certified as a standard version of Unix.  Under the Unix OS (and OS X) each file has locks (permissions) attached to it that permit various classes of users to have access at various levels.  A file can be designated with "read", "write", and "execute" permissions for the owner of the file, but all others can be restricted to only "read" or "execute".  Security in Unix is defined at the file level, not the system level.  Once an intruder breaks into a user account on a Unix system he has access only to those files, and only to those operations on those files that the user account has.  This is why banks and credit card companies rely on Unix as an OS.  The single largest data compromise in the credit card industry exposed millions of card holders information to crooks.  It did not happen on a Unix system.  It occurred on a Windows server.  Either the author is unaware of these facts, or they don't support his agenda.

Again, either he's uninformed or he's being dishonest. 

Jasper Sluijs
Researcher
Tuesday January 8, 2008 5:32:24 PM
Hello Ira,

Thanks for this post, it's a good thing that you're drawing attention to this situation. As Mac penetration increases, it becomes more worthwhile for hackers to write viruses and such for Mac OS, it's where popularity backfires. Apple cultivates a 'better-than-the-rest' image which of course is marketing, not an accurate representation of the state of affairs. As you rightly state, no OS is invulnerable to outside threats.

I'd like to address this marketing strategy of Apple some more. You criticize the 'I'm a mac and I'm a pc' ads. The particular 'security' commercial according to you not only features a misrepresentation of communication between computers, but also does not take the eminent dangers seriously in this communication. Honestly, I do not understand why this upsets you so much. I don't know how many commercials you've seen before, but I reckon almost all advertising misrepresents things...it's marketing! Moreover, this won't be the first ironic commercial 'mocking' serious issues, why is there a problem with that now? So to be frank, I wouldn't hold this particular ad against Apple and use it as an example to structure your argument.

Furthermore, you say that "The fact that iPods contained a Windows virus implies that Apple has to use PCs in its iPod manufacturing process." Based on this assumption you draw a rather bold conclusion on the robustness of not only Mac OS, but also Apple in general and all subcontractors involved in the iPod. But wait a minute: does the fact that a .exe file ended up on an iPod automatically imply that it has been written on a PC as part of the iPod manufacturing process? It's not that .exe files don't show up in a Mac, you just can't execute them. But even then: isn't it rather logical that for a device that can also run on Windows, as a manufacturer you would want to do some testing in Windows? How on earth can this "speak for itself" to support your thesis that Apple is arrogant?

So I share your concern, but would like to discuss your argument.