A report released this week on AppleInsider details the Pwn2Own hacking contest results indicating that Apple computers are less secure than their WinTel counterparts, but ultimately safer.
“Insecure but safe” sounds like a contradiction when taken at face value. I’ve long been told, and frankly seen for my self that there is precious little malware floating around cyberspace that is targeted specifically to OSX. Apple’s own marketing touts their products as safer than Windows. In my opinion this a perfect example of the Mayberry Paradox.
Now the Mayberry Paradox isn’t something that has undergone peer review. It hasn’t been endorsed by the I.A.E.A., Underwriter’s Laboratories, and certainly doesn’t have the Good Housekeeping Seal of Approval. The Maberry Paradox, simply put is a term that I use to describe the baffling belief that an inherently insecure environment can be rendered secure by the sheer absence of perceived threats. That is to say that an environment with few, if any security controls can achieve some level of security through some type of isolation.
In the case of Apple, the powers that be have made a case that OS X can be called “secure” because of the relative handful of malware floating around. Is this fair? Are consumers being duped into a false sense of security? Although I do love me some shiny Apple goodness, I have to say that I feel somewhat cheated every time I hear these claims. In my consulting practice I ran into one CIO who summed it all up by saying, “people don’t do that here. We don’t have thefts, robberies, or too much crime at all.” Bear in mind that this particular engagement was an information security risk assessment and that the crimes he mentions are all location-based. The criminal has to actually be present in a physical form to commit the illegal act. Apple has taken a similar stance in that there is an assumption that because there isn’t much malware, that the platform must be secure. I think that a more honest approach would be to say that, “no our platform isn’t as secure as others, but there is much less risk in our vulnerabilities being exploited”. I suppose that wouldn’t sell too many MacBooks though, eh?
Those of you old enough to remember The Andy Griffith Show will know that Otis, the town drunk, would check in and out of the town jail using the key hanging on the wall. Aunt Bee could be found with the front door not just unlocked, but open to catch the evening breeze, leaving nothing but a simple screen door protecting her from the ravages of Mayberry R.F.D. Andy didn’t even carry a gun, while his deputy Barney was issued one bullet and required to keep it in his shirt pocket. Would you consider this environment “secure”? Probably not. Safe yes, but not secure.
I think for Apple the word “secure” has become a marketing term more than a statement of fact. Apple’s OS X is by no stretch of the imagination, “secure”. The same Pwn2Own contest that declared OS X secure witnessed OS X being hacked in 15 seconds. Not hours or minutes, but seconds. In the time that you have read this article my MacBook Pro could have been hacked a handful of times. Does that scream security to you? Perhaps worse, this year’s winner won last year as well indicating to me that there haven’t been any massive improvements from Cupertino.
I suppose despite all of the unwarranted hype about the security of OS X, there will still be folks like me that prefer the beach ball to the hour glass. Although my MacBook isn’t necessarily as secure as it’s Windows and Linux counterparts, truth be told, there isn’t that big of a threat out in the wild targeting my laptop. Sure that doesn’t guarantee security and frankly shouldn’t even allude to it, but in the end how much security do I need if I have relative safety. Ultimately that is either a business or personal decision. For me, I’m okay surfing with my proverbial pants down, it’s liberating.
The article at AppleInsider can be found at : http://www.appleinsider.com/articles/09/03/26/pwn2own_contest_winner_macs_are_safer_than_windows.html
I think your title is a little too optimistic. Just because they aren't under threat right at this moment doesn't mean that they never will be. The threats are out there and publicity about things like Pwn2Own are going to bring apple to their attention. Too bad Apple thinks they are living in Mayberry because that is a strategy for failure. Either Mayberry has to grow (gain market share) or it eventually gets overrun by its neighbours who are growing (nix, and windoze) and can do security better.
Security thru obscurity is fine only until the moment that the first scrip kiddie gets tired of fighting windoze antimalware and decides to try for the low hanging fruit, like an apple. The threats may start with script kiddies, but Apple won't have 20 years that it took the PC threats to go from script kiddies to spear phishing for big bucks profit (from Mitnik to now).
I can't disagree with anything you said about Apple. It may be relatively 'safe' without being 'secure' merely because of a comparative absense of threats.
I'm not sure that's necessarily what's going on in your example of the location-based threats, though. When the CIO says "people don’t do that here", he/she may be relying on controls that we don't normally consider in technology yet which are no less real and effective in their own way. Managers, even CIOs, often have trouble articulating the logic behind their confidence but I consider them the 'social' controls that protect the organization.
For example, everyone would acknowledge that good hiring and employee screening practices are important. If you hire honest, trustworthy people, you are at less risk than if you hire deadbeats and criminals. There is no guarantee that the hiree will stay honest but neither is there a guarantee that your antivirus will protect you from all possible malware. Good hiring practice is a layer in your organization's defenses.
In a small social environment, you can also benefit from the 'everyone knows your business' control. Aunt Bee doesn't have to lock her doors in part because if anyone steals something, the stolen goods will quickly be discovered and the responsible person identified. When discovered, the perpetrator is subjected to social punishments such as shaming or shunning. As any victim of schoolyard bullying can tell you, social punishments can be far more painful and influential than mere physical punishments.
I'll acknowledge that these are not controls that are well suited to large impersonal environments. Shunning, for example, will not have any significant effect on an outsider - not even the consultant who works for you but is outside your organization's social network. Nor will it much influence the worker who is already so disgruntled that he/she thinks the company "deserves" whatever he's about to do. Likewise, good hiring practices will not protect you from the thief or hacker. Social controls should never be your sole controls.
At the same time, it would be equally unfair to claim that those controls have zero mitigating value. Most people are basically good. Social controls can help your insiders to stay good and, in the right circumstances, can reduce some of the need for overt, intrusive and depersonalizing technological controls.
Post new comment