John Gruber of Daring Fireball dares ask the question:
Why are Windows users besieged by security exploits, but Mac users are not?
Boiled down, his answers are:
- Market-share is a factor, but there has to be some other explanation for the fact that Windows' market-share in malware vastly outstrips its market-share on the desktop
- There are fewer places to hide bad programs on the Mac
- Mac users are far less tolerant of programs that spread malware
I disagree with the first point. You can explain almost all of the relative safety in running Mac OS X with its low market-share.
Gruber:
This argument ignores numerous facts, such as that the Mac’s share of viruses is effectively zero; no matter how you peg the Mac’s overall market share, its share of viruses/worms/Trojans is significantly disproportionate.
In order to spread, viruses, worms and trojans rely on network effects. The value of a network grows as the square of the number of users. Therefore viruses, trojans and other malware are simply orders of magnitude more effective when targeted against a widely deployed platform.
Imagine you send the latest Mac-targeting email trojan to 100 random addresses. If you're lucky, three of them might be Mac users. If you're lucky, one of them might open the attachment, causing the trojan to be sent to all of the people in that person's address book, most of whom will also be Windows users. Meanwhile all the Windows users will receive this attachment that they can't run, and get back to the person who sent it to them.
The trojan's just not going to get off the ground. The effectiveness of sending a Windows-targeting trojan is just several orders of magnitude higher. Even if your initial mail-out went only to Mac users, it would probably fizzle out after the first generation.
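The argument above as a simple branching-process model (an added example, not part of the original post): each infected machine mails its address book, and only recipients on the targeted platform who open the attachment become infected. The 3-in-100 Mac share is the post's figure; the address-book size of 50, the Windows share of 0.95, the one-in-three open rate applied to both platforms, and the Poisson offspring distribution are assumptions.

```python
import math

def reproduction_number(share, open_rate, address_book):
    """Expected new infections caused by one infected machine."""
    return address_book * share * open_rate

def expected_infections(recipients, share, open_rate, address_book, generations):
    """Expected newly infected machines in the initial mail-out and each later generation."""
    r = reproduction_number(share, open_rate, address_book)
    current = recipients * share * open_rate
    per_generation = [current]
    for _ in range(generations):
        current *= r
        per_generation.append(current)
    return per_generation

def critical_share(open_rate, address_book):
    """Platform share at which each infection just replaces itself (R = 1)."""
    return 1.0 / (open_rate * address_book)

def extinction_probability(r, tol=1e-12, max_iter=100_000):
    """Chance that the chain started by one infected machine dies out.
    Assumes Poisson-distributed offspring: smallest root of q = exp(r * (q - 1))."""
    q = 0.0
    for _ in range(max_iter):
        nxt = math.exp(r * (q - 1.0))
        if abs(nxt - q) < tol:
            return nxt
        q = nxt
    return q

# Constructed parameters: only the 3-in-100 Mac share comes from the post.
ADDRESS_BOOK = 50      # assumed contacts mailed per infected machine
OPEN_RATE = 1 / 3      # assumed: one in three targeted recipients opens it
SHARES = {"mac": 0.03, "windows": 0.95}  # the Windows share is assumed

if __name__ == "__main__":
    for name, share in SHARES.items():
        r = reproduction_number(share, OPEN_RATE, ADDRESS_BOOK)
        gens = expected_infections(100, share, OPEN_RATE, ADDRESS_BOOK, 3)
        print(f"{name}: R={r:.2f} die-out={extinction_probability(r):.2g} "
              f"generations={[round(g, 2) for g in gens]}")
    print(f"break-even share: {critical_share(OPEN_RATE, ADDRESS_BOOK):.2f}")
```

Under these assumptions a platform needs roughly a 6% share before each infection replaces itself; at 3% every generation is half the size of the one before it.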
Even with spyware and adware that do not propagate over the network, the Mac is a small enough target that it is not worth tackling.
For packaged software, there are market segments. There's value in targeting a product at a small market, so long as the market wants the software, and the competition is perhaps less cut-throat than in the dominant market. That's why software exists for the Mac. Malware has no market segments, because people aren't looking to install malware. If someone has one piece of spyware installed, that doesn't mean they're not going to get another: on the contrary, it means they're more likely to install another. There's no value in targeting malware at a niche market.
I would dispute that there are fewer places for malware to hide on the Mac: I could think of some pretty interesting places you could hide programs in the Unix subsystem, or by playing tricks inside existing Application bundles. I would also dispute that any UI measures make the Mac inherently safer from malware: if you convince someone they really want to open that attachment, or download that "login application" they need to access the porn site, no amount of warning dialogs will make any difference.
I also dispute the "broken windows" theory, just on the basis that it's easy to assume ever-vigilance against something that has not yet shown any sign of existing. Communities exist in the Windows world to warn of adware-infested applications, but there are still too many people who just want to get on the file-sharing network, and don't do their homework.
As Gruber says, even if market-share is the dominant reason for the Mac's relative security, this isn't a bad thing: since that share is unlikely to rise significantly, the Mac will stay safe from general threats.
What I'd like to add, though, is that there is still no room for complacency, because none of this keeps you safe from specific threats. Specific threats get no value from the network effect. If I want to get into your computer, I no longer care about the market-share of your operating system: the only target I care about is you.
Mac OS X is Unix run as non-root. Harder to break, easier to fix.
How about the fact that Macs are just expensive. That means that there is less of a chance that when Mommy and Daddy buy their little script kiddie son a computer that it will be a Mac. It is a heck of a lot easier to write a virus for a machine that you have.
The type of people that own Macs are less likely to write viruses, at least before the Unix core.
Script kiddies are going to want machines that play games.
It may have less to do with just pure numbers and more to do with which machines the people who are more likely to have viruses own.
John Gruber and others are pure idiots. I am not insulting by the way, since only few people can openly lie about facts and come up with this ill logic. First of all, Amiga computers are more secure than Apple computers, because their market share is even less than Macs. Remember the recent trojans, John Gruber attempted to discredit the security companies and instead praised Apple which downplayed the importance of the security problem, but later he reverted himself. If you take a look at his rants you will realize that he is not a smart guy after all. He seems to be more like a mac user with some technical knowledge, not much though, and in addition he is quite ready to twist facts for his purpose. He mentions windows apologists!!! What is he? Fact finder? I also disagree that Mac users do not like shit, if they really didn't, then I don't think John Gruber would be here.
I disagree. While partisan, and while I think he is wrong on this particular issue, Gruber is an intelligent commentator.
Any blogger, myself included, can be caught having changes of opinion. Blogging is done in real-time, after all. Interpreting someone changing their point of view as hypocrisy is just a lazy debating tactic.
Charles, apparently John Gruber is very good at those lazy debating tactics. His rants are all about these small lazy debating tactics, calling opposing ideas "windows apologists". I think he writes well, but that doesn't make him any more credible than a good author with no knowledge about computers. The fact is that, on the net, you can become a celebrity if you are good at bashing stuff and if you are good at ranting. Check out maddox and you will see what I mean. His final touch is also quite nice, "mac users do not like shit". Only a few self-absorbed, insecure mac users will enjoy these rants.
If you want to buy an Apple computer because it is less likely to be a target of viruses, that's fine and all good, but if you think that Microsoft is producing inherently insecure code, then that's quite big bullshit, and I don't like that, so that's why I raised my voice. Note that, I am using firefox and also use linux quite often, I know unix and linux extremely well, but let's be serious here, I don't like people shitting us, so I disagree with your assertion that he is intelligent. Changing his opinion on a recent hot issue is just one of the huge number of inconsistencies he has, and calling my one point a "lazy debating tactic" is itself a lazy debating tactic. I can't go over each and every one of his inconsistent claims, I can't use this comment section to engage in a discussion with him, and more importantly I will not discuss with a random person on the net. He just rants without a clue, that's pretty much as I see it, and if you go to slashdot, you will find many more people who are better than him in this "intelligent" commentatorship.
Also, it is not just bloggers who change opinion, you are talking as if bloggers are a special type of human race. Believe me, bloggers are just like normal people, and every person changes their opinion, and my non-existing tactic is neither lazy nor wrong, it simply proves that he is one of the slashdotters who simply rant and rant with many conflicts going nowhere.
Alex: I don't appreciate my blog being used as a launching-pad for ad hominem attacks on third parties. Ultimately, I don't care what you think of Gruber. If you want to get on a soapbox on matters that are only tangential to the point of my post, please do so in your own web-space, not mine.
Alex wrote:
> if you think that Microsoft is producing inherently insecure
> code, then that's quite big bullshit
Maybe they aren't producing "inherently insecure" code now, but ActiveX in its initial form completely disregarded any security issues at all, and was widely leveraged by all sorts of malware. In combination with Outlook being designed to transport arbitrary code via email, a complete disaster.
Microsoft have realised they were shipping bullshit, and seem to have changed tack over the last year or two. But even Bill Gates can still point out several basic flaws in Windows XP - http://www.microsoft.com/mscorp/execmail/2004/03-31security.asp
Charles, I am not launching an attack to a third party, don't be too stupid. You are thinking that somehow your little blog on this huge internet is a great value to me and that the only way I can launch an attack to a third person which I don't care about is your blog. Just delete the damn comment.
Alan Green, no, some Apple users have been shipping too much bullshit and now people realize that, that's why people still switch to XP, not macs. There are too many number of idiots on the net, and they reduce the credibility of the net. Charles himself thinks that his blog is too important and that is the only place to launch an attack. Alan, just stick with Slashdot. Your credibility is pretty low as soon as you bash Microsoft. There are way too many idiots saying that.
Alex: There's a certain amount of chutzpah involved in posting a comment in which you first deny doing something you've demonstrably just done, and then take me to task for thinking things there's absolutely no sign of me having thought.
Perhaps you are in fact from a parallel universe, and this post crept through the wormhole from a totally different conversation? If so, I apologise to your other-dimensional self for the actions of my other-dimensional self.
In this world, though, you're coming across as increasingly shrill and irrational.
I'll leave the comments as they are: I might want to use them as an example some time in the future.
As someone who has always been forced to straddle both worlds (as a manager of graphics/printing), I have a long, stable relationship with both systems. I must admit that over the years this has meant that MIS has slowly taken over all of the Windows problems, (and as they phased Macs out of all but graphics) I inherited all of the Mac support work. So far, my security problems with the Mac have been nonexistent. On the other hand, the Windows machines have melted numerous times. Market share is probably a large part of the picture but as someone who has seen the worst that can happen to both systems, I must say a Mac is a hundred times easier to troubleshoot and to fix. Now, they won't even let me touch the NT's. The sacred priesthood must be called, a small animal must be sacrificed, and above all, we must wait and wait.
Alex, with guys like you supporting Windows the future for Bill sure is rosy!
Anyone who would write Mac viruses has to have an awful lot of time on their hands, and a hell of a grudge against Apple. 'Nuff said. ---Marty, who has owned 3 different Macs in 10 years
I'm a graphic designer and I choose a Mac for obvious reasons. It's true, using a Mac for browsing the net or using PtP programs is virtually hassle free when compared to using them on Windows. There is less software available when it comes to PtP, but it's much more safe when it comes to malware and viruses. Really, if I had the money to build a PC I'd only use it for games. Games are really the only software that doesn't have an OSX version available. Not that software for the Mac is on par with a PC, it's just that most of the important and useful programs have Mac versions these days.
With a PC I run spyware programs nearly everyday and almost always find 10 to 30 running. And if you want to have some topnotch anti-virus software that offers an additional program to protect against it...well that's just more resources to get chewed up (and it's bad enough with the anti-virus software alone).
The main problem with Macs is that you can't build your own machines and there's almost no competition when it comes to pricing. You either buy it new from Macintosh, other legal vendors, or buy a used machine. This would drive me insane if Macs weren't built well - I couldn't imagine buying a new machine every two years. But as far as malware and viruses - Macs and Linux are your best options.
macosx has a large number of local and remote vulnerabilities, many of which have been disclosed and patched, but many that have NOT. I have dozens of ppc exploits here.
the reason macintosh is seen as more secure is the same reason a TOASTER is seen as more secure -- there are less of them on the internet, and the less popular something is, the less incentive developers have to build tools and exploits for the platform. I have had 0day remote root exploits for osx in the past (AppleFileServer anyone?) before there were patches available, but what good does that do?? there are no worthy targets and good luck scanning the entire internet for apple machines - what serious person actually uses those little toys? oooh ooh I got root on a flimsy calculator with good graphics, oooh.
osx is UNIX. unix has design and implementation flaws, in every case. OpenBSD is one of the most proactively secure unix on the planet, and they have suffered remote root flaws in bootp, openssh, apache, ftpd. However, openbsd and osx camps are equally guilty of a little white lie -- they disable all network services by default (now they do anyway) and then claim their default install is secure. What a crock of sht. Secure until the user surfs to a webpage exploiting their browser. Secure until the user turns on even the most basic services.
If you are going to compare the relative security of a platform with others, keep in mind that less exploits DOES NOT EQUAL less security holes. It usually just means the os is less deployed, less available, or ultimately, less people care about it. (and not all exploits are public!)
If osx gains popularity and is more widely deployed, then you can bet there will be windows-level security flaws, bug of the week, or bug of the day, bug of the hour.
another thing to consider, is that all these other OS have been cutting their teeth in the real world, and have been constantly improving - but have the burden of legacy support. OSX comes in as a newbie, years after people have been paying attention to security ***important_point_just_made*** and so of course osx 2004 is going to be laughing windows2000 out of the water. but compare windows 2003 with osx from even 2002. for every bug you can name for win2003 i can name a more serious one for macos from previous years. so people compare ORANGES WITH ORANGES. yes windows has a bad track record, but its a hundred times more popular and more widely deployed, a more attractive target, have some perspective.
nice my last post was censored. (at least, it hasn't appeared yet).
i did want to add regarding the comment that there are less places to hide things on a mac -- haha, so you take a daily romp through every nested directory in every part of your filesystem every day? please? you probably haven't looked at /usr/sbin/ardgbd today. is it what you think it is, or a binary i installed on your box?
also i've got some kernel rootkits for osx that might interest you if you think everything is so visible on a mac. "hiding places" - there are only as many as the attacker has skill. if some piece of code runs on your machine, "hiding places" is so deeply irrelevant that its not even funny.
"M": Your post wasn't censored, your browser probably just had the old version of the page cached.
I'd also suggest reading the article that heads this page, in which I make most of the points you seem to be trying to make, except without all the "I'm a l33t z3r0 d4y hax0r" stuff.
Charles Miller: i was talking to the macos zealots, not you. you said you disagreed with the first point of three, and then went into some detail. i also addressed point two, which was a nonissue (places to hide malware). you and i are in basic agreement on the first point and i liked the way you spelled out a scenario of the email-borne worm.
i find it 0dd that whenever someone talks about security where they are clearly coming from extensive (excessive?) background, that others will accuse them of grandstanding or using elitespeak, even when they have not. yes i have more hacking skill than you, so what? I didn't bring it up once in my posts, you did. got a jealousy issue? or something to hide?