The Secret of Mac Security Revealed

First off, I think it is cool that Charles Moore took the time to reply to my column, Apple and Baseball: The Magic Lives On. It is nice to see that we are mostly in agreement. I think the difference is in the words. While I still think Apple has the magic (the ability to delight users, surprise experts, and mystify analysts), I have to completely agree that the je ne sais quoi quality is going away.

Security Through Obscurity

I am a weird guy who likes to find the right word to fit a situation. And that brings me to Apple security. The popular phase is to say that Apple has been using "security through obscurity".

for me, obscure means little known or vague. I think as a security argument for Apple this doesn't hold water. The Mac OS is based on BSD (a.k.a. Unix), and there is also an open source component, Darwin. Between these two and other sources, there are plenty of people outside of Apple very knowledgeable about the inner workings of the operating system.

These brainiacs around the world are certainly smart enough to find one or two holes in the Mac's security. The recent CanSecWest security hacking contest showed that an avenue like the Safari browser can be used to breach the Mac's security.

The argument for obscurity just doesn't hold up, and as time passes by, several small attempts have be made to prove that people are just as capable of creating viruses on the Mac.

Security Through Scarcity

Over time people have pointed to the fact that there are not enough Macs to justify developing viruses. Another word choice would be "security through scarcity". In other words, because the Mac's market share was low, the incentive was low to reach the population of Mac users. This would be a problem. A Mac computer spreading a virus to other Mac computers wouldn't amount to as big as an outbreak as those that happen on Windows PCs. There are millions more computers that can be infected on the PC side.

This is a good explanation for lack of interest, but doesn't explain the near zero level of problems.

Smug Mac Users

It is not just the criminals who want to infect computers; some people will do things just to show they can. Here I think Apple was smart for the first several releases of the Mac OS X - they didn't push the no virus issue themselves. Sure, lots of us users were pretty smug about it, but Apple was quiet. Starting around the Tiger release, Apple began to advertise this advantage. And still there were no outbreaks of malware.

for a while we had the Mac community stopping the "Write a Mac virus" contest to be the first to write a virus for the Mac. I call this the "don't pee in your own pool" philosophy. People knew that Macs were vulnerable, but why go out of your way to make trouble? As long as we have a good thing, leave the virus writing to the idiots on the PC side - Windows users put up with that kind of crap every day. I am very much behind this approach.

Let the security folks report the flaws for Apple to fix and not release their stupid proof of concept malware in the wild for criminals and idiots to exploit.

This barrier is falling as the Mac's popularity increases. People just can't stop holding contests like the $10,000 Mac hack bounty or the CanSecWest contest.

Despite all the promotions, we have few problems in the real world outside of these contests. If you want to know why, the answer is because of Microsoft - more on that next time.