Help with security Argument
Nov 11th, 2004, 03:44 PM
Having this debate with someone about Mac OS X security and Win XP security. His argument is that Mac OS X only seems more secure because Windows has way more users, and if Mac OS X had the same number of users, they would have the same number of problems. Anyone have a good counter argument to that?
Nov 11th, 2004, 04:29 PM
That's typical WinZealot rhetoric. The next thing they'll say is that there's no software, and then no games. The fact is: an OS's security has nothing to do with how many people are using it, although it is a contributing factor. It's all about how many resources a company puts into it.
Consumer Reports (http://www.macnn.com/news/26856) published an article called 59,940 reasons to reconsider Macs.
The Mi2g (http://www.mi2g.net/) recently announced (http://www.mi2g.net/cgi/mi2g/press/021104.php) BSD OpenSource/Macs were one of the safest computing platforms:
Some folks had taken Mi2g to task, to which they retorted (emphasis mine):
If the market share of Microsoft Windows, Linux and BSD + OS X based computing environments is:
x%, which is much greater than y%, which is greater than z%, respectively,
then the absolute safety rankings can be easily derived from the breach percentages just released by mi2g:
at 25.19%, 65.64% and 4.82% respectively,
for Windows, Linux and BSD + OS X.
With this classical safety approach of breach percentage divided by market share percentage, as a measure of absolute safety and security, Microsoft Windows may come first (lowest absolute safety), Linux may come second, BSD plus Mac OS X may come third (highest absolute safety). [In absolute safety: low is good and high is bad.]
The mi2g Intelligence Unit does not agree with the classical approach because it is against the grain of common sense as observed by millions of computer users in the real world every day. Bigger the market share, bigger the risk profile of a given computing environment. More malicious malware writers target that platform and more hackers with honed skills and automated tools carry out their malicious activities. If the logic is robust and absolutely correct, then why do any users complain about not being able to find highly skilled Windows and Linux helpers or administrators as their computers come under hacker or malware attack; shift away from Windows to Apple Macs - in well chronicled cases to enhance productivity and minimise Downtime - for their desk tops; or from Linux and Windows to BSD platforms for their servers?
The simple reason for the mi2g Intelligence Unit disagreeing with the classical approach is that it is completely vendor centric and not user centric. The vendors may prefer the world market for computers to be looked at purely in terms of quantity of units sold and over simplify "absolute safety" down to market share sectors on a pie chart, where Microsoft Windows would dominate, followed by Linux and then BSD plus Mac OS X. The vendors assess their turnover and profits via the yard stick of units or licenses sold, so it makes sense from their perspective to think of the computing eco-system by the classical measure of quantity. But does the classical measure make sense from the users' perspective? No, it does not, and neither does it make any economic sense. For this reason, we recommend a relativistic approach which is time based and takes into account the adverse impact of high market share, system reliability, availability, maintainability and scalability within a 24/7 online computing environment as part of a network on which mission critical work may take place over an extended time period, say, a minimum of 12 months, the duration of our study.
You can read the whole thing here (http://www.mi2g.net/cgi/mi2g/press/021104.php) and their response to the challenge here (http://www.mi2g.net/cgi/mi2g/press/feedback.php). And if you're feeling extra saucy, you can read their approach to defining safety here (http://www.mi2g.net/cgi/mi2g/press/051104.php).
Nov 11th, 2004, 04:33 PM
Hey Manny, thanks for putting that together. Perfect. Enough said!
Nov 12th, 2004, 03:01 PM
The short answer:
There are more vulnerabilities with Windows vs pretty much any other OS because all Windows users are operating as the root user, all the time, and Windows integrates so many ways to get in by design because that integration sells software to business users. It's not an accident; it's deliberate.
If Internet Explorer is vulnerable, then Windows is vulnerable, for example. There currently is no way to disable IE even if you never use that browser without breaking the OS, and Microsoft wants it that way because it's the essence of their business model. Essentially, it's how they make all of their money.
If something "sneaks" on to your Windows computer, either by stealth or by the user double-clicking the file, you're done.
Too late to call your friends; they're infected too, as long as you are on a network of any kind, including the internet or eMail.
Even if you discover, after the fact, that your address book is now being used to spread a virus (modern malware searches the entire Windows HD for eMail addresses; no address book required), what are you going to do? Email them? The "bad" email is there first.
This evil app now has root privileges (because they all do as long as any user is logged in) and can spread at will to other unsuspecting users, who are all root, etc.
Not possible on OSX, Linux, UNIX, what have you.
Now, the number of Windows users presents a nice target, no doubt about it. He's right to mention this to a degree, but it's a "Red Herring". **
The speed at which Windows infections spread is not possible on any other OS; even if a non-Windows OS machine was infected, the spread is impossible unless the next user "does something stupid". It simply cannot install without help from the user.
Quite simply, idiots on other OS's all over the world cannot click or type admin passwords fast enough to match what Windows can do by itself in a fraction of a second.
Because of this, any infection on these other OS's is known in a short time and users can take steps to prevent wide-scale infection.
Windows malware spreads "like wildfire". Connect a WinXP computer that doesn't have the latest updates to the web in order to get those updates, and your box is infected with the Sasser worm before you've downloaded the first 10 MB. It will then attempt to spread to others at the rate of 200 addresses per second. All this while you are attempting to prevent infection in the first place. You don't even know you're infected.
Malware on other OS's can send you a match but must wait for you to light it, if you ever do. Not the same thing.
No worldwide crisis, no sweet knowledge that the techno-peasants on Win98 are infected anyway and will continue spreading it for the next two years, no fame from the hints in your code that is now being studied by thousands of hundred-dollar-an-hour specialists. What's the fun in that?
There is very little to motivate a virus writer to create havoc if no havoc is possible. At best he can be known for "creating annoyance". Big deal. He'd probably give up and get a real job.
By the way, although OSX is relatively secure, the most secure widely used OS ever is OS9. You have to really work at it to make OS9 vulnerable to anything. Out of the box (default configuration), it's rock-solid, better than any OS ever used in a network environment.
** Red Herring: Def: a turning aside (of your course or attention or concern); "a diversion from the main highway"; "a digression into irrelevant details"; "a deflection from his goal".
[ November 12, 2004, 04:05 PM: Message edited by: gordguide ]