October 02, 2009

Macs' low popularity keeps them safer from hacking and malware

From Windows to Flash to QuickTime and iTunes, malicious hackers target the most popular platforms

For two weeks, I was having a heated discussion with some diehard Mac-only fans in a stock forum. It was one of those self-perpetuating, boring Windows-versus-Mac flame wars, where neither side ends up believing the other. Each side sincerely believes their platform is better and destined to rule the world.

My main debate with the Mac-only fans is over Mac's true security. See, I know that Macs are attacked less than Windows because they are less popular. Pure and simple. Macs contain no special, secret security sauce that makes them more attack-resistant than Windows Vista (which was released in November 2006). Macs and OS X do not contain a single computer defense mechanism that the competitors do not already have or haven't had longer.

If anything, Macs have more known vulnerabilities -- by far -- than Windows and are often patched slower. You can check any independent security vulnerability database you like to see the figures behind my statement, but Secunia has been my favorite for a long time.

Mac-only fans rightfully point out that Windows is successfully attacked thousands of times more than Macs. This is true, which translates to lower overall security risk against generalized, nontargeted attacks. I can't argue with that.

But my contention is that the Mac's relative safety is due to its status as a minority player; if the platform gained significant market share, it would be successfully attacked just as much as Windows Vista, or at least in proportion to its growing popularity. The same could be said of any platform out there that hasn't earned as much market share as a more popular rival. Whatever is most popular is successfully attacked the most. If criminals want to make the most money possible, they go after what is popular. I call this theory Roger's Hacking Popularity Corollary.

I should note that although I work full-time for Microsoft and I love Windows 7, I also love my OpenBSD and Ubuntu machines at home. In addition, I support two iMacs for my daughters at college. I don't think one platform is good and another evil. I think all the OSes have their benefits and best uses. The AS/400 midrange platform that I've spent 20 years on may be a text-prompt, keyword-loving darling, but it crunches numbers faster than any PC platform.

dragon77 2-Oct-09 4:05am
That was an excellent write up. I also enjoyed the computer history bit. It's nice to finally read a journalist's unbiased view and not lean toward one side of the spectrum and drag on about how their toy machine can do something better or make excuses for its shortcomings.
Phansigar 2-Oct-09 4:57am
Easy pickins' aren't confined to software and OSes. Physical thieves go after easy targets, too. Pickpockets love crowds and wallets in hip pockets, for example. Even with CCTV everywhere people still try to knock over local convenience and liquor stores, break into cars in parking lots where they're harder to spot, and so on. Why should thieves do anything the hard way when easy, ubiquitous targets are everywhere?
DaveLindhout 2-Oct-09 5:47am
Active X.

You say security by obscurity, I say Active X. That's the primary reason Windows is more susceptible to attack.

I seem to remember Macs having a terrible problem with viruses, prior to OS X. If anything, it was more prevalent than attacks on DOS and Windows. The Mac OS was obscure then, but it was easy to attack. And it was a problem. OS X is a far more robust OS than the prior OS, and the problems have been greatly curtailed. Some would say eliminated.

Your comments that Apple is slow to patch and has more vulnerabilities are true. The distribution of OS X contains a great deal of third party software and Apple coordinates many patches before issuing an update to their customers. There is a difference between vulnerable and being attacked.

cmaurand 2-Oct-09 5:57am
I agree with Dave Lindhout. OSX is based on BSD which does not have as many vulnerabilities as you think, unless Apple has horribly broken the security model. Even system processes don't run with administrator or "system" privileges as they do on Windows machines. ActiveX has more holes than a piece of Swiss cheese and is the security problem with Windows. While Server 2008 and Vista are better than their predecessors, they still suffer from ActiveX vulnerabilities.
dass 2-Oct-09 6:14am
Actually, as I am one of the "die hard Mac-only fans" he discussed in his article, let's clear up a few misconceptions. There was no "discussion", he came to the forum, and told everyone there they were wrong. Period. Then got angry when nobody bowed at his feet. Truthfully, considering how rude and obnoxious he was in the forum, I am quite amazed to find he really is who he said he was, as I did not think any professional person would act as poorly as he did in the forums. I fully expected it to be a snert advertising himself as Roger A. Grimes. Sadly, that is not the case. Several of the folks he describes as "die hard Mac-only fans" not only are not "Mac-only fans", many work in the industry with better credentials than he has, and most of us have other OSs along with Mac - which he chose to ignore, along with being rude and obnoxious to many of the posters. I'm one of the lower level as far as credentials, and I was network engineer for almost 20 years, and still have a couple Windows units in the house, along with 6 Macs. There were folks that have not only been in the industry longer and higher than he has, they also had to correct him several times on misconceptions of computer history. One of the things he posted was that Apple stole its GUI from Xerox, something that was willingly sold by Xerox is noted and documented well in many areas. This is just one of many facts that he had completely wrong. Like having a reliable car, many of us simply prefer a system that works without constant babying. OSX is that, Windows is not. For me, I prefer any OS that isn't getting nailed on a minute-by-minute basis. I also used OS/2 for many years because it didn't get hit as much as Windows, and at the time, was much more adaptable and usable than Apple's OS. You can say that it's only because Apple doesn't have the market share Windows has, but their market share has risen drastically, yet there is no correlating rise in the malware hitting Apple systems.
If you're going to use a theory, at least make sure it's a workable theory. Using the example another commenter used, there is CCTV in both convenience stores and banks, yet thieves rob convenience stores much more than banks. Do you honestly think it's only because there are more convenience stores? BTW, before congratulating him on an unbiased article, try doing other research as his article is extremely biased.
smkstack 2-Oct-09 6:51am
It's easy to draw the conclusion you have drawn if you continue to muddy the waters by conflating "attacked" with "exploited". Windows is attacked constantly for two reasons: its ubiquity and its vulnerability. It's everywhere and it's an easy target. But you can't throw up your hands and simply act as though this is beyond your control and anyone else in the position of market leader would suffer the same fate. It's a weak analogy and it isn't the truth. Let's take the ubiquity first. The ubiquity of Windows is thought to offer such a large pool of potential targets that it becomes attractive to those who would, for instance, want a botnet or would steal sensitive information such as credit cards. The first aspect of this argument, size is a weak one. A big botnet is better than a small one, but a small one is still very useful. But how big is small? There are millions and millions of Linux/BSD (OS X is basically BSD) computers connected to the Internet, which, if successfully exploited (not simply attacked) would create a powerful botnet indeed. If I were building a botnet I would much rather have a bunch of high performance Linux/BSD servers, connected to fat pipes and easily administered remotely at my 24/7 disposal than an equal or larger number of Windows boxes. Additionally, if I were only interested in stealing data, it seems to me that there is probably more valuable information stored on Linux/Unix/BSD servers out there than on Windows. The return on effort for successfully EXPLOITING a Linux/BSD/Unix would be more than worth the effort on the part of malware criminals. But the fact is, the efforts simply don't pay off. The BSD/Linux/Unix boxes are inherently more secure and the software that one compiles in these operating systems can be made far more secure than Windows by using PAM libraries and taking advantage of the work done by the NSA. Why is Windows so vulnerable?
Windows is vulnerable to exploitation because it rests upon an architecture that never anticipated the Internet and Microsoft has found it impossible to maintain backward compatibility and simultaneously move away from the isolated, single user security weaknesses built in to the design of Windows. Its neglect of security borders on the criminal. As a professional software developer, I would be held liable for damages if I ever delivered such vulnerabilities to a client, but the world takes this abuse from Microsoft like a battered spouse who is late with dinner. Apologists such as this author think we've simply had it coming. The argument that should non-Windows platforms grow in popularity they would see a rise in "attacks" is hard to document. I would say that all machines and all websites are "attacked" frequently, but getting attacked means very little. Getting exploited means a lot. And there's a huge difference here. I would certainly be annoyed, and maybe unnerved if I found someone trying to jimmy my locks, but if the would-be burglars are repeatedly frustrated, I wouldn't change my locks. In fact, we have seen a dramatic increase in the popularity of OS X, Linux and the BSDs in recent years, but we haven't seen a comparable increase in exploitation, actually we've seen the opposite because these systems continue to build on an already strong foundation and Windows tries to play catch up. Exploitation of OS X/Linux/BSD is hard, and even when successful yields very little because of the security capabilities and restrictions within the users' accounts. In Windows, almost everyone is an administrator and most software written for Windows, by commercial developers and by in-house developers, relies upon administrative rights because they have historically been indistinguishable from the typical user. If you can get into an OSX/Linux/BSD box you can't do very much. If you can get into a Windows box, you've pretty much gained free rein of the machine.
This we have seen far too many times. Counting vulnerabilities is dubious. All vulnerabilities are not created equal for many reasons, including what I explained above. What's more, there are true vulnerabilities that Microsoft refuses to acknowledge and refuses to fix. Recently in this very magazine it was demonstrated step by step how to reveal SQL Server user passwords using typical software developer tools. This is possible because SQL Server stores passwords as plain text in memory! Microsoft has stated that they don't see this as a problem and will not correct it. Instead, SQL Server makes companies vulnerable to disgruntled employees and consultants - at the very least. When transferring Microsoft files from OS X to Windows I have seen Office mistake user account settings for formatting issues. Office doesn't understand basic security concepts. Taken together, architectural issues which yield huge benefits for little effort, widespread vulnerability and exploitation, blatantly insecure user and software configuration that exposes the core of the system to abuse, a dearth of security options such as PAM libraries and a callous disregard for obvious security shortcomings demonstrates to me that Microsoft doesn't know what it's doing when it comes to security. It's hard to see how things will get better when so much is so wrong. As long as these facts are ignored and spurious arguments are put forward, such as this author's, the economy will continue to suffer billions of security related costs each year and thousands of people will suffer the agony of identity theft or at least the inconvenience of lousy security on their computers. Drawing a line from most popular to most exploited is an old and lazy argument. What needs to be answered by Microsoft's defenders is why are Windows exploitations so much greater than its market share?
There are answers to that question, I've given some of them here, but unfortunately for everyone, none of the answers are very good.
BurkPhoto 2-Oct-09 11:09am
All pretty much true, smkstack, but you could have simply said, "Hey, go FUD yourself, Roger!" and had as much mileage out of the comment.

The sad part of diatribes like this is that they serve only one practical purpose: to sell ads on an Internet Site. They waste a lot of time and convince almost no one on either side of the argument... A lot like political or religious rhetoric.
mkleinpaste 2-Oct-09 12:16pm
but you could have simply said, "Hey, go FUD yourself, Roger!" and had as much mileage out of the comment. Why not? We know this kind of article is Trolling for clicks. Why can an obviously ignorant editorialist write 3-webpages of hyperbole and be considered “informative”, but someone on the other side of the fence, who provides a much better case, is treated like a “fan-boi”? The problem with garbage like Mr. Grimes' supposed “expertise” is that it does in fact spread FUD. If people like smkstack don’t post a response then drivel like this gets accepted as accurate truth.
golf25radioman 3-Oct-09 11:18am
The comments have been more interesting than the article that inspired them. The OS flame wars continue, I guess. I am one of those Mac people, possibly partially because that is where I began (at least in the current computer history - I actually used an archaic computer in 1972 that used those huge 12-24" disks). I have remained an Apple person because I LIKE the platform and it does what I need it to do - the latter is the most important thing IMHO about a computer/OS/platform. I do also have Windows machines (unfortunately one is a Vista - which I thought would be Microsoft's best); even have Windows emulation on my Intel MacBook Pro and my old PowerPC G5. It used to be more necessary in years past to have this ability to get into the Windows world since there was such a large gap between the two platforms and their files. I was in an environment where I had to deal with a large number of Windows based files and sometimes they just didn't "agree" with my Mac. I remain with my Macs (for my primary computing) because, again, I LIKE them - and they DO WHAT I WANT A COMPUTER TO DO. But then, I'm just one "those Mac people."
stevenjklein 2-Oct-09 8:04am
Roger, you wrote: the first PC virus, the 1982 Elk Cloner, was a Mac virus. That's impossible, because the Mac wasn't released in 1984. Did you think no one would notice such a bold lie?
TL65 2-Oct-09 12:59pm
I had the same thought. If you click on the link, you learn that the Elk Cloner was an Apple II virus. Including a link that immediately proves the author wrong doesn't do much for the writer's credibility. Nor does failing to consider the difference between OS X and the Apple II system software, which barely qualifies as an operating system. === Elk Cloner was a boot sector virus which propagated on 5 1/4" floppy disks. It's fair to say that those are not a problem any more!
stevenjklein 2-Oct-09 8:07am
Here's one: The fact is, in every instance where the non-Microsoft product is more popular than the Microsoft product, the non-Microsoft product is attacked more. QuickTime and iTunes is exploited more often than Windows Media Player. Can you cite any source that claims QuickTime is more popular than Windows Media? Not according to this chart: http://www.websiteoptimization.com/bw/0903/ As recently as March of 09, Windows Media Player was still at the top of the rankings.
Rob Lewis 2-Oct-09 9:06am
As dass points out in his apparently deserved diss, it is a combination of easier targets and greatest numbers that make attackers set pointers to windows systems in order to max out the greatest mileage for their efforts. Despite a better recent effort, there is still a lot of low hanging MS fruit out there. That said, none of the other systems are inherently secure either, but offer relatively less housekeeping headaches as well as positive product features that lead many experienced users, including MANY security people, to switch to other platforms.
corbetti 2-Oct-09 9:16am
Roger's a paid microsoft hack who doesn't care about letting facts get in the way of spreading his fud.
OldTechie 2-Oct-09 9:48am
These comments read like they're not about operating systems, but operating religions. Whatever inaccuracies or misstatements were in the article, it hardly sounded like a Microsoft advertisement. Geez, these are computers, and there is no "one god." We should all focus on keeping Microsoft and Apple on the straight-and-narrow, and alerting the field to dangers (like how about my enterprise secure iPhone). Just as I have blasted Microsoft for years (most recently over Office what I would like to "shred to 'ribbons'"), someone should take a bite of the Apple. If the original Mac wasn't priced to mac-simize profits, we would be a mac-centric world. At least they learned the lesson with iPhone pricing, but please tell your ad agency that a Mac is also a personal computer (PC).
Radagast 2-Oct-09 9:48am
My reaction would be - yeah, and so what? If a platform is attacked less, it's attacked less. Whether that's due to inherent security or lesser market share doesn't really matter in a practical sense. You can still reduce your exposure by running the platform that's attacked less. Of course you shouldn't become complacent and think you don't have to follow sound security practices just because your chosen platform tends to fly beneath the radar, but as long as you keep your head on straight about it, life is more serene running the less exploited platform. In my shop, we ran NetWare for many years while others migrated to MS, and still do (though the time has finally come to start moving to OES2), and we remained unaffected while waves of MS-specific exploits took down the servers of colleagues in other shops who ran Windows. Is NetWare inherently more secure? Probably not in the IP world - nevertheless, none of our servers were ever compromised or exploited in any way, in part because no one attacks NetWare. I run linux at home for the same reason. Life can be a bit less stressful by simply getting out of the way of the line of fire - which, yes, is directed mostly at the predominant platform. So go ahead and run Windows and draw the fire away from me, I love that. I'll stay with the minority platforms and enjoy the low profile it provides.
BurkPhoto 2-Oct-09 11:06am
I love this approach... I do the same thing at home, and at work. I never run Mac AV software, although I am behind a firewall in Stealth Mode. In 20 years, we've never had a single successful attack on a Mac. Doesn't mean it can't happen, but it hasn't.

In the mean time, our PCs have been breached too many times to say the AV software companies have their acts together... And yes, we do run AV software on 100% of Windows PCs.
sgeiger2009 2-Oct-09 9:59am
You wrote: "There is one nagging fact that buttresses my claim. In the history of personal computing, with few exceptions, whatever is the most popular software in a particular category is also the most successfully exploited software." You seem to be pretty proud that your argument rests mostly on one claim. In the social sciences "triangulation" is used to have confidence in a conclusion--that is, to have multiple independent lines of inquiry that, if all support a hypothesis, give one greater confidence in it. A single fact, however, is no cause for great confidence or pride. Even less reason for confidence is your next claim, which is based on the notion of correlation being causation. As you may have heard, correlation is not causation. Even if most of the time ("with few exceptions") you are correct, the "probability" in your favor does not mean you are correct. If that is your argument, that is known as appeal to probability, a logical fallacy. Whether your thesis is right or wrong, you have made a poor and non-persuasive argument. Unfortunately, you have broadcast the conclusion of your poor logic to thousands of people who may swallow your conclusion without realizing that you might be horribly incorrect. A study of argumentation theory might improve the quality of your articles and quest for truth. If you act as a good role model, you might be able to help people to think better--whether thinking about IT or about other things of importance in their lives. In fact, wouldn't it matter somewhat if Unix-based operating systems are fundamentally different in design than Windows? Say what you will in favor of Windows, I lived through years of dealing with poorly designed, crash-prone Windows. So I personally experienced the "market leader" who had plenty of money to fix these problems but yet did not for years--and maybe still has not. It was paradoxical that a poor product had more market share. 
And so it may be that a relatively little-used product is of greater quality than the widely used one. Make whatever arguments you like, but please learn to avoid logical fallacies, construct better arguments and have a little more humility. Paradoxical situations exist, and it just may be that you are totally wrong about why Macs are attacked less. And why does Infoworld choose "Macs are safer because nobody likes them" for the title of the email sent out? Because it cares little about distinguishing between opinion and fact? Very disappointed.
BurkPhoto 2-Oct-09 11:31am
I've said it many times and I'll say it again, Mac bashing and Apple bashing are great hit generators for web sites. Never mind the truth...

Also, since when has good Image Marketing ever NOT beaten great engineering and superior product feature sets in ANY industry other than the Automotive industry? If you think about it, most of us can cite many instances where the sales and marketing team of a company managed to quash competitors who had far more able engineers, designers, and product development people. Microsoft is perhaps the biggest and 'baddest' example.
agedwirehead 2-Oct-09 10:12am
Seems like all of us should take a deep breath. If we like ubiquitous processors (read personal computers), we might want to stop the silly arguments and realize that "cloud computing" is just another attempt to get all computing power into the hands of large corporations. If we don't pay attention, we will be arguing about nothing. If we don't simplify personal computers -- a lot -- we PC lovers will have lost, regardless of our brand. With 40 years of doing this stuff every day, I can say that my experience with Mac is that it is much simpler than any other to get most standard jobs done. I don't think it is good enough however, to win in the global competition we are really fighting. Let's stop arguing and get back to innovating.
MarkHollis 2-Oct-09 10:31am
I observe that the author's article is based upon specifically comparing Windows Vista as the most popular OS. I may be mistaken, but my impression is that Windows Vista is the least popular OS and not widely adopted. That is not going to change. What might happen with Windows 7, "Vista fixed" according to Ballmer, remains to be seen. As the author points out, after more than 3 years Microsoft is about to fix Vista. Is this the kind of prompt updates that are the standard to beat? In the last 2 years Apple has successfully introduced 2 widely adopted OSes.
RamboTribble 2-Oct-09 10:59am
Perhaps it should be noted that OS X seems to consistently add new and imaginative vulnerabilities to the OpenBSD distribution upon which it is based. In the world of computing, monocultures are bad for security, just as they are bad for disease resistance in the biological world. OS X and Windows provide such breeding grounds. While often decried by those wanting the simplicity of a black-and-white world, Linux, (and Unix), diversity is a strength, not a weakness.
Gray_Hair 2-Oct-09 11:07am
Thanks guys, I was tempted to do the point by point rebuttal, but that clearly is unnecessary. However, since Roger is a paid M$FT shill who doesn't let facts get in the way of his FUD, I would like to add another 2 cents.

It is frustrating that so many so-called security pundits have clearly never had any formal training in logic. Logic is such a useful tool when dealing with security issues. There is a formal logical error called, "Post Hoc Ergo Propter Hoc", Latin for "after this fact, therefore because of this fact". It is usually listed first under the questionable causality category of errors. This article contains many excellent examples of this logical fallacy.

Quick recap: Attacks do not count, Exploits do. End users are not responsible for security, IT Pros and IT vendors are. One vendor publishes the software that hosts more different successful exploits, on more different platforms than any other vendor. I will leave it to the reader to figure out who that vendor is.

BurkPhoto 2-Oct-09 11:21am
Thank-you, Gray_Hair, for interjecting the comment about logic! It brings back memories of my college debate training rather nicely. And yes, it's a popular technique, often used by those who would attempt to deter you from pursuit of the truth with smoke and mirrors (or a vision of hope and change...).

REAL logic works more like a bucket of oil and a 100 pound sack of BBs... Or the logic at work deep under the hood of OS X (a place that dear Mr. Grimes most likely has never been). It will nearly always get the bad guy off your tail and into the ditch.
TEAMSWITCHER 2-Oct-09 12:09pm
"Roger's Hacking Popularity Corollary" I think the problem is more multi-dimensional than this ridiculously simple theory suggests. Mac users are different than Windows users - the mac comes with more applications, and users are less likely to head out onto the WEB to download applications that didn't come with OS, where Windows users often pickup malware. The Mac UI has been far more consistent over the years, users are not so easily fooled into installing things they shouldn't. Finally, Mac OS X was originally engineered more secure than Windows XP - "Pure and Simple".
mdesbien 2-Oct-09 12:14pm
Very good article that brings a fair point of view. Another opinion : Microsoft seems to integrate their applications to the OS (or have hooks to it), such as IE, Exchange, AD or many others, is going against the concept of the TOTAL ISOLATION between the applications and the OS. An OS should offer OS services to application developers. I don’t know all the Internals of Windows, but we can see there is a certain level of integration. Another old OS, OpenVMS offers Web services and that use the OS services (I know it's old, but I'm also using MACs), but there is no integration with the OS, so the risk to attack the OS is very limited. UNIX platforms are also following that model. Of course, you can still be vulnerable, but the OS is less vulnerable if you have that level of abstraction and less attractive to the vulnerabilities developers. To attack an application is less challenging… OS X is built on the top a UNIX, for me the isolation is there, so less vulnerable.
ksargent 2-Oct-09 12:19pm
Very cute. I'm a 25 year IT professional who uses a variety of OS's - OSX, Linux, Windows, Z/OS. OSX is my favorite because it is the least intrusive - that is, it lets me work without being bothered. What does bother me is how "in the tank" Infoworld is with Microsoft. It isn't really annoying, because articles like this one are little more than troll bait - but it is quite boring. Boring enough that I rarely read IW articles anymore - they are predictable and little more than advertising screeds for their chosen vendors.
technologist 2-Oct-09 12:34pm
"Macs contain no special, secret security sauce that makes them more attack-resistant than Windows Vista (which was released in November 2006). Macs and OS X do not contain a single computer defense mechanism that the competitors do not already have or haven't had longer." Nice deflection by combining Vista and "competitors". The majority of the global installed base of Windows computers run XP, not Vista. And Macs that run Mac OS X are inherently more secure than the tens of millions of XP systems that still log in as admin by default.
podperson 2-Oct-09 1:12pm
In what way do Secunia's statistics back up your claims? Secunia treats almost every different variant of Windows as a separate product and all versions of Mac OS X (including server) as a single product -- and even then, Mac OS X shows fewer vulnerabilities over time, and fewer unpatched vulnerabilities than Windows Vista ALONE. Here are the urls -- check them yourself: Mac OS X: http://secunia.com/advisories/product/96/?task=statistics (131 vulnerabilities in six years, 5% unpatched or partially patched.) Windows Vista: http://secunia.com/advisories/product/13223/?task=statistics (69 advisories in three years, 13% unpatched or partially patched.) Windows XP Professional http://secunia.com/advisories/product/22/?task=statistics (234 advisories in six years, 13% unpatched or partially patched.)
smkstack 2-Oct-09 1:36pm
Nice job podperson. The last chart on each of your linked pages is quite telling. You can see that not only is Windows suffering from more vulnerabilities, but those vulnerabilities are at the system level and involve privilege escalation quite often. This is evidence of the architectural flaws of Windows. Further evidence of the systemic problem with Windows, and the managerial problems of Microsoft, can be seen in the frequency chart listed at the top of each page. OS X has a fairly stable frequency. It doesn't seem to spike every time there's a new release or a surge in sales, just a fairly constant, low intensity unveiling of flaws over time. Microsoft on the other hand has an extremely "spikey" profile. It's as if every time they change something, the system goes into a crisis. Again, lousy architecture and weak security fundamentals lead to this kind of chaos. Though Vista's numbers are better than XP's, the trend was toward more flaws. Since Vista is dead as a product, it doesn't really matter though.
DuckyDuck 2-Oct-09 1:34pm
I'm another participant of that stock board Mr. Grimes claimed was "Apple only", which I will also confirm, was incorrect. But Mr. Grimes had the audacity to barge on in, having all the subtlety of Jesse Jackson crashing a KKK meeting. He announced himself as an MSFT employee, didn't bother to hide his identity or credentials, and promptly decided to stomp around like the deity he thinks he is. I could have seen Mr. Grimes approach that internet board a little more successfully and have meaningful arguments and discussions, even though the place he chose to do it was a STOCK discussion board, not a technical board (there's an Apple User's Board and even an iPhone board on that stock information website). Instead he came in like a Texan slinging a flaming sledgehammer to someone's forehead. SO WHAT DID YOU EXPECT, MR. GRIMES? To be greeted in the streets with roses? Yeah, right. As another person stated here in the comments, I'm not an "Apple only" fan boi, either. I probably go even further back than Mr. Grimes does for total computer experience (I used punchcards), but I hardly ever use that as a reason to infuriate the natives. I even have nearly 20 years of experience on IBM AS/400's, a system that Mr. Grimes knows. But I don't dare waltz in and slap the locals with taunts of "Ha-ha, AS/400's disks can't be directly addressed by an end-user!". But Mr. Grimes didn't prove anything by barging into an internet forum that he probably KNEW contained fans loyal to Apple products and went stomping all over them. You catch more flies with honey, not steamrollers. Whether they were loyal for the right reasons or the wrong reasons was ignored immediately by Mr. Grimes' attitude.
TL65 2-Oct-09 1:42pm
I recommend reading "Security Report: Windows vs Linux" by Nicholas Petreley, once executive editor of the InfoWorld test center. It includes a section debunking "The Safety of Small Numbers" myth, the idea that Linux and unix systems are safer because there are fewer targets. This section makes several points; one of the most effective is the comparison of Apache vs Microsoft IIS. There are three times as many Apache installations, but IIS has the most problems. A quote: "None of the top 50 web sites runs Windows or Microsoft IIS. So if it is true that malicious hackers attack the most numerous software platforms, that raises the question as to why hackers are so successful at breaking into the most popular desktop software and operating system, infect 300,000 IIS servers, but are unable to do similar damage to the most popular web server and its operating systems?" I recommend reading the whole thing if you enjoy technical content.
godofbiscuits 2-Oct-09 3:47pm
"My main debate with the Mac-only fans is over Mac's true security. See, I know that Macs are attacked less than Windows because they are less popular. Pure and simple."

Uhh, BULL and SHIT. 20+ million active users is target-enough for anyone. To say nothing of the princely laurels bestowed on the first hacker to EVER successfully exploit Macs in the wild. How do you know what you know? If Macs are attacked less, is the only conclusion that there are "only" 20+ million of them? What is the largest DDOS attack on record? How many PCs were used to make it happen? How many PCs does it take to launch a fairly successful one? The First Person Ever to Exploit Mac OS X would go down in HISTORY. You know it. I know it. Everyone does. That's enough enticement for anyone. I was going to say "nice try". But really? Mom says it's not nice to lie.
shironuba 2-Oct-09 6:50pm
3 replies
I don't think anyone has bothered to google any of this, but he is right about the first computer virus being Elk Cloner, but it was out in 81, not 82; you might know it as Rother J. It infected Apple DOS 3.3, and after the 50th use the Elk Cloner virus would manifest. Use your research tools, people. I'm 20 and I found that in 2 seconds, and some of you say he was wrong, and others blab about Windows being worse than BSD or Mac. The point of the article is the true and honest fact that MAC AND OTHER SMALLER OSes ARE LESS TARGETED THAN WINDOWS AND OTHER POPULAR PLATFORMS. I've grown up in a family of programmers and ITs, and none of them would argue that fact. Mac, Linux, and BSD, etc. all have just as many available security holes as Windows, etc., but the truth is that Windows, Oracle (btw I know Oracle isn't an OS), etc. dominate the market; therefore it's a bigger target with more available data to steal. Hell, Walmart and OfficeMax both use Windows for their OS and I'm sure MANY other companies do as well. And btw, there are Mac OS X exploits out there; it's not invulnerable or too good for exploitation. Research, people, research, then comment...
PeteY48 2-Oct-09 10:10pm
Hubris thy name is shironuba

Jeeze kid, you weren't even born when the Elk Cloner virus was created. Yeah people here can wikipedia computer virus and see what was written. Did you happen to notice that the date was unattributed, and that the one attribution to the story no longer exists either? If you can't get a firm attribution to a one year difference, stay quiet. People will never know your ignorance. Don't ever assume (as you obviously have) that everything on the internet is gospel. And give a guy a break. One year difference in a 27-year period is nothing.

And to follow up on your statement "the point of the article is the true and honest fact that MAC AND OTHER SMALLER OSes ARE LESS TARGETED THAN WINDOWS AND OTHER POPULAR PLATFORMS.". Name them. What are these more POPULAR platforms that get targeted more? You make my argument for me, which begs the question... Why are Mac and other smaller OSes less targeted? The answer is simply it's more difficult to target them. When Apple had one third the market share it has today (running OS 5,6,7,8,9) it had numerous viruses. Today it has none. Explain that please.

And while you're out there throwing around corporate names were you aware that Dell used to run its entire web operations on Apple software? No, I didn't think so. Apple currently runs all of its web operations (site, iTunes, etc.) using that software. It's called Webobjects.

Finally, nobody believes that any operating system is not exploitable. And there is a huge difference between vulnerabilities and exploits. The first one doesn't hurt you, the second one can ruin you. So when you wade into this discussion you need to be talking about exploits. Yeah, OSX and its constellation of programs is listed with many vulnerabilities (most of which have been patched), please educate me with a listing of the exploits. The only safe computer is one, locked in a vault, with no people in the vault, turned off, no battery, and unplugged from everything. And even then an EMP weapon could fry it. And yes, I did a tiny bit of research.
Gray_Hair 5-Oct-09 9:21am

Kid, A 2 second Google is not research, although it can start there. Had you actually read the article, you would know Elk Cloner was not "the first computer virus". The first computer virus is unknown, and likely unknowable. A full decade before Elk Cloner, there was a self replicating piece of code on ARPA Net, called Creeper that was a relatively successful (and benign) virus on an IP network. There are more such examples, and further some of us are old enough to have written self replicating code before Elk Cloner.

butterfi 9-Oct-09 6:44am

According to Internet news, the Xbox 360 is the most popular target for hackers, despite its not being the market leader:

"At a session during the SecTor security conference, Chris Boyd, director of research at Facetime security labs, detailed the myriad methods by which gamers — and in particular, Microsoft (NASDAQ: MSFT) Xbox 360 users — are under attack by cyber criminals.

"Though the Xbox doesn't have the number one market share, it is the top target for hackers," Boyd said. "Xbox Live has 17 million plus subscribers and that service requires payment."

http://www.internetnews.com/security/article.php/3842751/Hackers+Target+...

Macs have a smaller market share, but we're still talking about millions of machines. You'll see more Fords on the road than BMWs, but that doesn't make BMW less desirable.

And seeing how you're so good at research, look up "hubris."

Elfish 3-Oct-09 4:46am
Maybe Mr. Grimes has taken a lesson on journalism from Randall Kennedy.
digitalflack 3-Oct-09 9:24am
The argument is old and lame. It basically treats one number (market share) as the only relevant variable. Target markets (even of virus writers) break into categories. Easier to infect consumer computers? Porn site visitors? Corporate computers behind firewalls? We're pretty sure that a significant percent of the PCs sold went into environments where they could not be infected (at least easily) by virus writers, i.e. control systems, cash registers without software updates or Internet. But they skew the results. If the percent of systems sold is the only important factor, Vista or Windows 7 would not be targets until they exceed (apparently dramatically) the Macintosh installed base. In consumer and education sales Apple has significant market share. I see as many MacBooks on airplanes as PC notebooks, and definitely a much higher percentage of Macs on college campuses where many of the viruses and file sharing happened. Does the author think these markets aren't big enough to be a target? How about checking out the concept of "confirmation bias" i.e. "I believe something causes something so I only look deep enough at the evidence to confirm my belief (bias)." And lastly, theories are useful only if they can make predictions, (otherwise I have a theory that the Flying Spaghetti Monster, the father of all viruses, only inspires viruses against operating systems managed by Bill Gates's minions. I can fill a page with it.) So, what does this theory predict? If Mac OS market share hits some number, the virusites will start attacking? Windows 7 is safe until it hits 10% market share? 15? Give us something so we can put this in the "Interesting theory, not just an opinion to fill space" column of our journal.
bufftrainer 3-Oct-09 7:40pm
Grimes accurately tells us that: "It was one of those self-perpetuating, boring Windows-versus-Mac flame wars". It was just that because that's what he came to start. First he announced that he works for Microsoft and just stopped by to tell us that Mac security is waaaay inferior to Windows. He then proceeded to conduct himself boorishly, as for example in this response to me: "You're a Ph.D, you're buff, and you are a trainer. How wonderful! Your mom must be super proud." I guess that response was easier for him than telling me why OSX has no security problems in the wild while the much less popular OS9 had many. Microsoft's security problems may reflect the quality of their security people. Flaming and trolling really don't enhance security that much, but perhaps they provide material for an article by someone with nothing else to say.
MaxDaemon 4-Oct-09 10:01pm
2 replies
Still .. it seems to me that if you put 800 blue cars and 200 otherwise identical red cars in a parking lot and let 20 car thieves in - you'd wind up with more blue cars than red cars being stolen. Just my two cents.
smkstack 5-Oct-09 6:46am
Well, that's beside the point. If the thieves had no color preferences (actually I think they'd prefer red, but never mind...) you'd wind up with red and blue cars being stolen in the same proportions. I think that's the underlying point of Grimes' argument and it's where his argument fails. Microsoft isn't simply exploited more in absolute numbers, it's exploited out of proportion with its market share. It has something like 85%-90% of desktops and maybe 40% of web servers yet it has something like 95%-100% of all exploits. That's the biggest flaw in Grimes' argument. The exploits aren't proportional between the systems. The factor by which Windows is more exploited is nearly infinite.
Gray_Hair 5-Oct-09 9:28am
Make the analogy complete, have the 800 blue cars also have the keys in the ignition and the windows(sic) down...
maddmax 5-Oct-09 2:52pm
1 reply
It seems Microsoft has thrown up its hands and given up when it comes to security. With this logic, System Security is based solely on OS popularity. So when Vista/Windows7 becomes more popular than XP then Vista/Windows7 will be exploited more than XP. Regardless of what effort went into making the OS secure.
generalcody 5-Oct-09 11:13pm
Windows will NEVER be safe if they don't separate the userland and kernel-space architecture. All they do is put a "layer" between, that's easily traversed by simple activex scripting, if even necessary, as most users still work with administrative rights and turn off the UAC feature, that is supposed to protect system resources, but ending up being a PITA for the end-user, and she/he will answer yes, just to get rid of the stupid warning.
generalcody 5-Oct-09 10:59pm
Ok. How does it feel, to escape the "Die hard Mac fanboys" you're referring to? Just so you can start a flamewar of your own? Who are you anyway? Never heard about you. I've been a certified FW-1 Consultant up to NG-AI with certification, I've run a company that was premium partner with Symantec, TrendMicro, and Checkpoint. I hold a MCSE certification, MSCD certification and lots of others. I've been programming C and assembly for Cisco IOS, plus engineered add-ons to commercial security solutions in C and C++. Despite my grandiose experience with Microsoft's Server line and desktop products I've been using OS X, while running Windows in a VM only when called for. This is a totally empty article, stating only your incompetency in the field your head thinks it operates in. I've been up three days straight fixing a VPN hub between 17 locations only to find that it was a bug in the Exchange Server 2000 SP1. OS X is built around a BSD kernel, separating userland from kernel-space, and no matter what, a virus would never be able to destroy more than the data that the logged in user has access to. In a corporate environment, that should be limited to their terminal, and access to internal resources should only change hands via encrypted physical VLANs, and every router/switch should be configured with a separate packet inspector in front. This can be done in both Windows and Mac environments. It's not the client OS that's the problem. It's the incompetent security administrators.
Roger A. Grimes 7-Oct-09 7:44pm
From the Author:

I wanted to thank everyone for responding and also take a few minutes and respond to some of the more interesting comments.

I said Elk Cloner was a Mac virus. That was a mental slip. I, of course, meant Apple virus. I was there. I fought the virus. I know what it was. I’ve interviewed its author. It was just a mistake.

I would like to apologize for saying that all the members of the Apple stock forum were Mac-only people. That was wrong. I, myself, like many of the board members, run many different types of computers. However, I did mean to convey that most of the participants think Apple has little to no flaws and that no other computer company is innovative in the slightest. That would be a fair description of most participants. Not all, but most.

>ActiveX is what makes Windows insecure.

Roger: There have certainly been a lot of insecure ActiveX programs, but really ActiveX isn’t the big problem. ActiveX is simply a delivery mechanism to deliver other executable, client-native code. In almost all of the hundreds of cases it’s the native client code that was delivered by ActiveX packaging that was the exploitable component, not ActiveX, itself. Or put another way, more and more online programs, like Macromedia Flash, Adobe Acrobat, QuickTime, etc. are now being delivered as native executables and not as ActiveX programs. And they contain many more vulnerabilities now than they did in their ActiveX representations. It isn’t ActiveX that is the problem. It’s the underlying native client code that was always the problem. It’s not to say that ActiveX, the delivery method, didn’t have problems. It did. But most of the problems reported with ActiveX aren’t “ActiveX” problems.

I was accused of barging uninvited to a Mac stock forum and just trying to make everyone mad. First, I own many Apple products and Apple stock and I have been a member of the board and forum for years. I’ve never posted a single new thread about Mac vs. Windows security in the Apple forum. All of my security-related postings have been in response to other people’s prior posting saying untrue things about Mac security. No more, no less.

I’ve been told that I was rude on the forums. I’m sure from hundreds of heated posts that anyone can find one or two sentences that aren’t the most gracious or artful. But I stand by any of my statements and if any are displayed in their entire context no one will think I was the original aggressor. If anyone writes I’ll be glad to send them the original posts in their entirety.

>“One of the things he posted was that Apple stole its GUI from Xerox”

Roger: In response to someone saying that Microsoft stole the GUI from Apple, I said that Apple “stole” it from Xerox. There’s a reason that I put stole in quotes, and then explained how Douglas Engelbart invented the mouse and GUI (and other things in 1968). My whole point, which I explained in the thread was that Microsoft didn’t steal anything.

>“It seems to me that there is probably more valuable information stored on Linux/Unix/BSD servers out there than on Windows.”

Roger: I’m not sure of the validity of this statement, but either way it’s a moot point. First, I didn’t claim that computers with more valuable data were attacked more. If that was true, malware would target mostly mainframes and super computers. Crimeware is out to make financial crime in most cases and that just takes more people. In most cases the attackers and their malware don’t care about database data and the like. Some do, most don’t.

>The BSD/Linux/Unix boxes are inherently more secure

Roger: This is not true. The most popular versions contain far more vulnerabilities on average, than the Windows OS. OpenBSD and some of the most secure Linux Distros are exceptions, but most people don’t run those distros, exactly because they are too secure and thus user-unfriendly (in their eyes). Hence they follow my postulate.
The most popular versions of BSD have the most attacks of all the BSD versions by the way, as compared to the least popular versions.

> and the software that one compiles in these operating systems can be made far more secure than Windows by using PAM libraries and taking advantage of the work done by the NSA.

Roger: First, I love PAM exploits. I use them to break into Linux, BSD, and Solaris systems all the time. Second, I’ve done years of Windows and Linux security work for the NSA (thru Foundstone). The NSA is no better at computer security on popular operating systems than anyone else. The NSA’s hardening guides have been fraught with errors. But let’s say you like the NSA. The NSA has more Windows computers than any other type of computer and since Windows XP, our default security configurations have been approved by the NSA. Not sure what that proves either way. I like the Center for Internet Security guides better anyway (www.cisecurity.org).

>Microsoft has found it impossible to maintain backward compatibility and simultaneously move away from the isolated, single user security weaknesses built in to the design of Windows. Its neglect of security borders on the criminal.

Roger: If Apple OS X has three times as many security vulnerabilities, patches slower, and frequently issues products with known, public, already patched exploits in them…how exactly is Microsoft the most culpable vendor here??

>In fact, we have seen a dramatic increase in the popularity of OS X, Linux and the BSDs in recent years, but we haven't seen a comparable increase in exploitation

Roger: As popular as Macs have become over the last few years, overall growth really hasn’t been more than a few percentage points of the total market. Over the last two quarters of 2009, Apple actually lost marketshare worldwide. I don’t know what percentage of marketshare Macs would have to gain to become more popular attack targets, but I’d guess at least a third or something like that.
Living below 15% isn’t going to get much attention when Windows is still running on over 80% of computers. Linux and BSD have lost marketshare, mostly due to Apple.

>Exploitation of OS X/Linux/BSD is hard

Roger: Is that why Dr. Charlie Miller hacks OS X every year in 10 seconds at CanSecWest? Ask any of the world’s leading hackers, who are experts (Dr. Charlie Miller, HD Moore, whoever) in both OSX and Windows hacking, ask them which is harder to hack from a purely technical perspective. They will never ever say Windows. The experts know better. Apple’s own security engineers cannot list one thing back to this posting of how Macs are technically superior in security to Windows. Send them this article and ask for a reply. I’m waiting.

>In Windows, almost everyone is an administrator and most software written for Windows, by commercial developers and by in-house developers, rely upon administrative rights because they have historically been indistinguishable from the typical user

Roger: True, but Windows Vista, that does not have this by default, has been out over three years. At what point will we stop pointing fingers at old technology that hasn’t been proactively sold for three years? And Windows Vista, which essentially has the same security protection as OS X does, on this particular feature (i.e. it asks the user to approve installs, etc.) is still exploited more than OS X, because more malware is made for Windows.

>If you can get into an OSX/Linux/BSD box you can't do very much.

Roger: I taught and developed Foundstone’s Ultimate Hacking and Advanced Ultimate Hacking courses for a few years, just before I went to work for Microsoft. We taught and showed how to hack everything, and everything was equally as easy. I can do everything I needed to do in OSX, Linux, BSD, Solaris, or whatever.
There is no secret security sauce that protects any of those systems (with the exception of OpenBSD, which is more secure by default, but almost no one runs because of the same).

>Counting vulnerabilities is dubious. All vulnerabilities are not created equal for many reasons

Roger: I agree. So check your vulnerability databases…any that you choose and you’ll see that OS X and Linux both have more higher severity vulnerabilities, in pure numbers, than Windows, over the last six years. Windows has a higher percentage of critical severities compared to their own numbers, but the number of critical vulnerabilities is still significantly less than Linux and OS X. It just is. And vulnerability counts alone don’t mean everything, but they also don’t mean nothing. They mean at least something.

>Can you cite any source that claims QuickTime is more popular than Windows Media? Not according to this chart: http://www.websiteoptimization.com/bw/0903/ As recently as March of 09, Windows Media Player was still at the top of the rankings.

Roger: This is the best argument out of all the ones made in the comments. If the statistics hold it would be the first successful refute of my statement. And I can’t necessarily argue with the source. Still, something doesn’t look right. Something like 300 million+ iPods have been sold. Tens of millions of iPhones have been sold. And tens of millions of iTouches, etc. Certainly some percentage of that is upgrades and replacements, but I have to think that most are still being used. I read the other day that 87% of all children have an iPod. Nearly every person I know does. So that’s hundreds of millions of Quicktime\iTunes users…on a daily basis, and yet the stat given only shows 50-60 million users. When I see people watching video…it’s almost always YouTube or some embedded video format. I don’t think I’ve seen WMP playing video all that often, not in the last three or four years. I mean I’m sure it still happens a lot.
But when you go over to a friend’s house or play video streaming on your own PC, how many of you are using WMP? Something with that stat of just 60 million Quicktime users doesn’t seem right. Maybe that’s only 60 million Quicktime users playing video off the Internet? Something different is being measured here than the whole active, installed base. I could be wrong, but even anecdotally it seems wrong. Heck, I think Microsoft would love for that stat to be true.

>OS X is built around a BSD kernel, separating userland from kernel-space, and no matter what, a virus would never be able to destroy more than the data that the logged in user has access to

Roger: BSD and Linux do a better job at separating user-to-user code in the same memory space, but not user from kernel code. Search any vulnerability database for BSD or Linux kernel exploits. They abound. Tricks for getting from user mode to kernel mode are just as prolific in the BSD and Linux world. I can use the same logical tricks for getting from one to the other. There are some exceptions where BSD and Linux do actually do better…OpenBSD, SuSELinux, etc…but they aren’t very popular as compared to the most popular versions. And some of the better memory protections that would do a better job of protection in the popular kernels are available, but they aren’t enabled by default and most people don’t enable them by default.

>Who are you anyway? Never heard about you.

Roger: I’m just a bum now, but I’m studying for my A+ and MCSE exams, and I hope to take my Cisco security exams one day. I’m pretty sure I can pass them with a little bit of studying and practice. Tell me more about those VLAN thingys.

Roger: In closing, I didn’t say Macs were sucky computers. I didn’t say Macs were insecure computers. Macs are great computers for a lot of reasons. My only statement is that Macs do not contain any inherently stronger computer security or defenses than any of its popular competitors.
Until someone can prove that statement wrong, I don’t see how my popularity argument can be wrong. I mean if it isn’t a lack of popularity, then exactly what makes Macs get attacked less? What is the physical/logical mechanism that does all this super-duper defending?
smkstack 8-Oct-09 1:35pm
There are many points you didn't address, but I'll counter your responses one by one.

I made the point that there was more valuable information to be had by exploiting the far more numerous Linux/Unix servers on the Internet than the far smaller number of Windows boxes. You were not sure it was a valid point and then dismissed it as moot. But it is valid because it is true, Linux/Unix is more popular in this context and exploited less frequently and my point about value is a valid one because it goes to motive. Why is one system attacked more often than another? Because it's popular or because it's a vulnerable target that satisfies the motives of the criminal? It's the latter.

If we are to assume that each body of websites, Linux/Unix based and Windows based, contained the same monetary value per server - further assuming that the value of the information on the server had no bearing on the choice of server operating system, the Linux/Unix population of servers is about twice as large as the population of Windows based sites and therefore would have twice the value. These sites are indeed more numerous (see http://news.netcraft.com/hosting-provider-server-count, section titled, "How does it pan out in practice"), so it's a real world example as far as that goes. I don't think there are any good stats to back me up, but I would conjecture that the real value in this body of servers, which is nearly twice as large as the Windows population, contains even more than twice as much value because the stability of Linux/Unix makes it the more likely choice among people who have to ensure that trading and commerce systems are up and running all the time. There's a reason knowledgeable professionals who have to host lots of sites choose Linux/Unix and Apache instead of IIS/Windows. Hmmm... IIS has been in second place and got its rear end exploited to the point where it lost all credibility...
The point that more value would be had by crimeware writers is only moot if you ignore the reality of the situation. Crimeware writers (love the term), like all criminals, have to have a motive and an opportunity. The motive is to steal data that is worth money, information about getting money or the money itself. If, as you maintain, the perpetrators want access to more people to further their schemes, the way to get to the most people, and to their information, is to attack the Internet facing Linux/Unix servers that contain this treasure. The fact is that despite the obvious benefits and the larcenous motivation, Linux/Unix doesn't offer much of an opportunity. They have a much harder time penetrating these servers than they do penetrating and compromising Windows servers and Windows desktops. Real thieves rob banks because that's where the money is, but it's hard to stick up a bank. Small time crooks knock off liquor stores because they're easy, not because they're numerous. Though each one offers a small haul, as the saying goes, "they make it up on volume". Linux/Unix boxes are like banks and Windows is like a corner liquor store. It's easy to knock off a Windows box, that's why it happens all the time. In the Internet facing server world, Windows is not the most popular system, but it is exploited far more often than Linux/Unix. Windows is second place in use, first in exploits despite motivations that should produce an opposite result, but for the lack of opportunity.

I could stop right here, but I'll go on. Linux/Unix is indeed inherently more secure. You allow that OpenBSD and some secure Linux distributions are in fact inherently more secure, but you neglect to recognize that OpenBSD and the Security Enhanced Linux distributions are much more a matter of default configuration "out of the box" than any significant differences in the code base.
There is nothing, absolutely nothing, that stops my FreeBSD box from being as secure as OpenBSD or SE Linux if I want it that way. Yet, though not as secure as OpenBSD, out of the box my OS X or FreeBSD don't need to be installed disconnected from the Internet or be burdened with expensive anti-malware - ever. Windows, out of the box is vulnerable, plain and simple and there are significant expenses and performance compromises that must be made to make Windows adequately secure. CISecurity.com even cautions that properly securing a Windows box to its Enterprise standard requires extensive expertise and will result in capability and performance compromises. That's unacceptable.

PAM exploits are few and far between. About two out of three of them are local vulnerabilities and in each case I could find they were patched almost immediately. All one has to do is download the modified code and recompile the applications that depend on it (for those Windows-only folks, this is really no big deal). Try that with a Windows or Microsoft vulnerability, like the SQL Server blunder I wrote about or the broken Kerberos implementation, and see how far you can get.

The NSA is responsible for some great security work on Linux/Unix (http://www.nsa.gov/research/selinux/index.html). It's the source of the Security Enhanced Linux distributions you defer to in your response to me, so I don't know why you allow for the exceptional and inherent security of Security Enhanced Linux and then disparage the very organization whose efforts and contributions created the very system you recognize as being exceptional. But I've read how when you come across inconvenient facts you tie yourself into knots trying to dismiss them (e.g. your Apache versus IIS article in 2005).
I'm sure the NSA, like most organizations, uses plenty of Windows on their desktops, but they're certainly not using Windows for any critical systems, as would seem evident from the web site cited above: "End systems must be able to enforce the separation of information on confidentiality and integrity requirements to provide system security. Operating system security mechanisms are the foundation for ensuring such separation. Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation..." The result of NSA's work was an architecture and mechanism for mandatory access controls that were thrown over the wall to the Linux/Unix communities and are now available. They are available to everyone, so these capabilities are indeed inherent to the system, they are part of it and become part of everything that runs on it. Because of the closed nature of Windows, and Microsoft's backward compatibility problems, this work can't be or at least hasn't been incorporated into Windows and is not available to users of Windows to compile into their 3rd party and custom software. So again, the very same Linux/Unix versions that you recognize as being exceptionally secure are exactly that way because of the work done by the NSA, which you later disparage. It makes my head spin to read your comments, really.

If Apple/Linux increase their market share by a few percentage points (though I think it was actually more than that), it represents something like at least a trebling of their share. An increase made up mostly by people without a sophisticated IT support structure, the very kind of people who are most vulnerable on Windows - home users thrown to the wolves - and yet Apple users have had no viruses and no worms in the wild. None. A trebling of market share should have led to a significant increase in exploits - especially among these users - but it didn't because popularity has nothing to do with exploitation.
Vulnerability is all that matters.

Dr. Miller's successful exploitation of Safari was under controlled circumstances in a competition that even the director of Microsoft's security group, Jeff Jones, considers to be unrealistic. He says that CanSecWest "simplifies security to the point of uselessness" and that it shows that under the right circumstances any machine can be broken into. I don't think that's a controversial conclusion. He doesn't read too much into the PWN2OWN results and suggests that we shouldn't either. Maybe that's because, unmentioned in most of the media's breathless accounts, Microsoft's junk got owned just as quickly. For a detailed account of the contest and some of the errors in its coverage go to http://roughlydrafted.com/2009/03/19/mac-security-researcher-wins-pwn2ow....

One thing that is pointed out is that Miller claimed to have complete control of the machine in 10 seconds (he only did it that quickly once, not every year as you incorrectly assert). Complete control of the box is only possible if the user was logged in as root, which vanishingly few Linux/Unix users do since so much software on those platforms won't even run for root. More likely, he "owned" the computer per the rules of the contest. The rules state that "owned" is defined as "executing code in the context of the browser process". That's a pretty narrow definition of "owned". Besides, Leopard has a sandbox for such things, greatly reducing the possible damage. Windows 7, not so much. I can't see how, short of social engineering, he could have gotten real control of the box in 10 seconds. Several seconds would have been spent by the user opening Safari, clicking the link and then Miller gaining control. There simply isn't enough time left to escalate privileges or coax a root password from the user. As for Dr. Miller, here's what he says about running anti-virus software on his Macs, "If I was worried about attacks, I would use it, but I'm not worried."
You don't have to wait any longer. You asked me why I think Microsoft is the most culpable vendor. It's because they should know better and they control the platform that all other vendors build upon. Instead of responding to the arrival of networks and the Internet by adapting their architecture, they wasted time fighting browser wars so we could suffer through countless exploits with IE, they diverted resources to thwarting Java, they engaged in anti-competitive monopoly abuses, they failed to innovate on anything while they spread FUD about alternative operating systems and worms chewed away at their customers' computers making anti-virus software companies household names. Because they had the largest market share, they had the greatest responsibility to make sure their systems were safe to use. They didn't and they still don't do the basic work to make sure that people and companies using their systems can be as confident as they need to be. They continue to ignore real vulnerabilities (SQL password I cited, Kerberos' broken implementation, UAC weaknesses), continue to compromise performance and continue to cost everyone time and money because they don't know what they are doing - and neither do the shills who apologize for them in articles and on forums.

So there it is: security advantages are inherent to certain systems, again there's no connection between popularity and vulnerability, NSA's assessment of operating systems and their work on Linux/Unix is actually quite good - as you recognize without realizing it, Miller's supposed triumph and his views on the relative safety of OS X turn that mountain into a mole hill and finally, why I think Microsoft is the most culpable vendor when it comes to security. I think I covered all your points.

©1994-2010 Infoworld, Inc.