<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Fri, 18 May 2007 02:16:26 -0000</lastBuildDate><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321067</link><description>Mr. Ptacek, I envy your fight and humor.  Back when this first was posted it seemed quite the hatchet job.  It was a worthy cause and I hope the net respect for your views has grown as a result, I think it should.  Your kung fu is remarkably strong, I've yet to see someone other than 37s really exploit home field advantage as effectively.  Cheers</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mortimer Plantagenate</dc:creator><pubDate>Fri, 18 May 2007 02:16:26 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321066</link><description>Are there any decent articles for decent OS X security practices?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Switcher</dc:creator><pubDate>Fri, 20 Apr 2007 21:44:25 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321065</link><description>I don't know about the technical details you presented. Anyway, here are my additional thoughts on why there are far fewer viruses on Mac.&lt;br&gt;&lt;br&gt;To know why, one has to step into the mind of the malware creator. 
Why would I invest my time to write malware knowing &lt;br&gt;&lt;br&gt;1) It will propagate slowly: the chance to hit another Windows is 50-1 compared to Mac. The chance to infect the 3rd computer (from the 2nd infected one) is 250-1 in favor of Windows. Do the math and one can see why it makes no sense to plant a spyware/ malware/ virus on a website to target Mac users.&lt;br&gt;&lt;br&gt;2) Would be stopped before it reaches the mass to make the noise. Apple and Mac community have enough force to combat a few pundits. Compared to Windows, there are just too many of them for MS to catch up.&lt;br&gt;&lt;br&gt;3) Nobody will pay me.&lt;br&gt;&lt;br&gt;4) It will not give me instant fame (as somebody suggested). It will not cause any company, or financial institutes to shut down (which guarantees me an instant headline). The worst it can do? Somebody can't turn on their Mac. The world still goes on.&lt;br&gt;&lt;br&gt;5) Windows based computers are cheaper than Mac. I can get a pirated copy of the windows, a $200 bare bone computer and start playing with my malware "product". I am not gonna spend $3000 on a slick looking Macbook and try to kill it.&lt;br&gt;&lt;br&gt;6) I get more "support" from the Windows virus creation community. :D Again, this has to do with the user base.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Majo</dc:creator><pubDate>Tue, 27 Feb 2007 00:53:10 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321064</link><description>I'm quite clear that there is malware for Mac OS X out there, and that we're going to see more of it.  I'm actually a bit surprised we haven't seen a real virus/worm yet (I figured we'd have seen one by this last summer).&lt;br&gt;&lt;br&gt;p.s. 
for those of you who aren't in the security space, why are you arguing with people who have been doing security work for a long time?  It's like telling cryptographers that you can brew your own crypto algorithm that is 'unbreakable', or telling a karate blackbelt you can hit harder than she can, just 'cause you're futzing with it on the side.  Either way you're going to lose.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Eric Hall</dc:creator><pubDate>Mon, 27 Nov 2006 01:00:16 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321063</link><description>And yet, somehow, irresistible.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Sat, 25 Nov 2006 20:29:14 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321062</link><description>It's amazing how annoying you are</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Slartibartfast</dc:creator><pubDate>Sat, 25 Nov 2006 19:38:35 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321061</link><description>It's amazing how many sentences you can spend trying to "deduce" the fact that Macs are more secure without citing a single technical detail. 
You, also, have not read the post you're commenting on.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 24 Nov 2006 11:22:09 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321060</link><description>"Either you think “it’s harder to write effective self-propagating code for OS X” is a simpler argument than “Windows malware authors don’t care about the Mac”, or you don’t know what Occam’s Razor is. Either way, you haven’t convinced anyone of anything."&lt;br&gt;&lt;br&gt;You shouldn't use such a rude, condescending tone. In general, that is---but especially when you're wrong.&lt;br&gt;&lt;br&gt;Occam's razor is often interpreted as 'the simplest theory is usually the right one'. That doesn't mean "the theory that can be described in a shorter sentence"; it means the one that requires the least number of assumptions and external conditions.&lt;br&gt;&lt;br&gt;There are, in effect, no Mac exploits. This could be because&lt;br&gt;&lt;br&gt;a) Writing Mac exploits is completely impossible,&lt;br&gt;b) Writing Mac exploits is sufficiently harder than for Windows machines that no one has done it;&lt;br&gt;c) Writing Mac exploits is comparably easy to or easier than writing Windows exploits, but no one has done it anyway.&lt;br&gt;&lt;br&gt;Option (a) is reserved for the zealots. The argument is between (b) and (c).&lt;br&gt;&lt;br&gt;Occam's Razor supports argument (b), because the only condition it requires is that Mac OS X is a sufficiently hard cracking target. 
Option (c) requires the complex and dubious condition that the hackers of the planet unanimously choose not to target it, despite the obvious gains (not to mention headlines) that would ensue.&lt;br&gt;&lt;br&gt;But I think the point that most of us are trying to make is, sure, we're pretty confident that (b) is the correct argument. But in the end, whether it's (b) or (c), or indeed (a), or something else entirely --- who cares?&lt;br&gt;&lt;br&gt;The point is, as Gruber said, "for whatever reason", at present, Macs simply do not get hacked. Windows suffers a constant onslaught, bad enough that a fresh, vanilla install is often owned in a matter of hours of being connected to the web, whereas I've NEVER done any security maintenance on any of my Macs, and I've NEVER had, seen, or heard of even a single piece of Mac malware. Microsoft is the world's biggest and richest software company, and yet in five years of WinXP exploits, they're only beginning to fix the problem. It's not just a swing in Mac's favour, it's completely and absolutely black and white, night and day.&lt;br&gt;&lt;br&gt;Maybe that's just because there are more Windows machines around. I seriously doubt it, and I don't think that it's a position that can be logically supported. But even if it were, what we're trying to say is that the cause isn't really relevant here.&lt;br&gt;&lt;br&gt;The proof is in the pudding.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Hoskings</dc:creator><pubDate>Fri, 24 Nov 2006 01:53:33 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321059</link><description>I didn't say "absolutely friggin' nobody", Mac Zealot. I said "Windows malware authors". 
&lt;br&gt;&lt;br&gt;Before you write your next comment, will you try to answer in your head the question, "Who am I trying to convince with these messages?"&lt;br&gt;&lt;br&gt;If you're just writing to make yourself feel better, well, God bless you. But if there's some objective to this, rethink your tactics.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 23 Nov 2006 18:37:40 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321058</link><description>"Either you think “it’s harder to write effective self-propagating code for OS X” is a simpler argument than “Windows malware authors don’t care about the Mac”, or you don’t know what Occam’s Razor is."&lt;br&gt;&lt;br&gt;Uhh, yes I do think so? It takes some pretty convoluted logic to assume that absolutely friggin' nobody cares about a mainstream OS _at all_.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Michael Ströck</dc:creator><pubDate>Thu, 23 Nov 2006 17:39:43 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321057</link><description>Who are you talking to?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 23 Nov 2006 14:44:35 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321056</link><description>Tom,&lt;br&gt;&lt;br&gt;If you had read the actual post, you will see that I didn't address you. I am now. Notice the difference? 
That would be the reason I said "So many people" at the start of my post, instead of saying "Tom,". See? Just like that.&lt;br&gt;&lt;br&gt;But I am glad you feel better now.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Buster</dc:creator><pubDate>Thu, 23 Nov 2006 12:08:08 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321055</link><description>If you had read the actual post, you'd see that you took 5 paragraphs to repeat my conclusion, which I managed to say in 2 sentences. You also failed to address any specific point I made in the post. But I'm glad you feel better now.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 23 Nov 2006 10:31:47 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321054</link><description>So many people spewing about Occam's Razor and what not - let's blow all the smoke out of the room - &lt;br&gt;&lt;br&gt;Point me to *one* hunk of code which will infect my Mac (no local hijinks, strictly download or web page, please!) without my knowledge, permission, or awareness *and* cause me to lose data *and* replicate itself to other Macs. &lt;br&gt;&lt;br&gt;Short of producing this code, then the Mac is absolutely more secure, because there are bits of code out there for Windows for which the above is very real. Either someone can come in via internet and tap dance all over my Mac, or they cannot. I don't care about theories, I want fact. I don't care about potential, I want reality. If you can't do that simple thing, then like it or not, you have lost the argument about which is the more secure system. 
&lt;br&gt;&lt;br&gt;And let's pooh-pooh this notion that there is no payoff in malware for the Mac. The first person who successfully does to the Mac what happens to  PCs on a daily basis will be a household name overnight. The first person to write a Melissa for the Mac will enjoy celebrity akin to being a rock star. If that isn't a powerful incentive, I don't know what is. Seems to me there's millions sitting on the table waiting to be grabbed by the right person.&lt;br&gt;&lt;br&gt;If the Mac is less secure than Windows, then pony up the code, boys. Fame and fortune await the first to do, not to say. If there isn't any tangible real-world proof, the reality is the Mac is more secure. That is the evidence at hand, and anyone who wants to be taken seriously must admit it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Buster</dc:creator><pubDate>Thu, 23 Nov 2006 09:07:51 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321053</link><description>@Rob,&lt;br&gt;&lt;br&gt;Well, as Apple's market share improves, we're going to be moving into the high crime areas. So it's appropriate that these issues start getting out into the open - so that they can get resolved before the "Windows Fanbase" starts knocking.&lt;br&gt;&lt;br&gt;All the mistakes that Microsoft made have been openly scrutinized and discussed time and time again - a benefit for them because now that Vista's out, and it seems (at least they tell us) that they have learnt from the situation - and they may possibly have an advantage over Apple's operating system. Time will tell in this regard.&lt;br&gt;&lt;br&gt;The issue at hand really isn't that Mac OS is secure or insecure. 
It's just the fact that people who ideally should be educating themselves about the situation, people who allegedly have a far greater reach with the public than this blog probably has, people who could be the conduit for informing and educating their readers about what to do to protect themselves from nasty things happening, are quick to downplay the (verifiable) work done by others who are quite reputable in this field - with arguments that really aren't very strong. Not only is that annoying, it's downright disturbing.&lt;br&gt;&lt;br&gt;And obviously the author of the post, who himself has made some contribution to the field, is upset about the situation and pointing it out for all to see.&lt;br&gt;&lt;br&gt;The events that can lead up to a first big incident are already sliding into place and it would be nice to ensure that we're still in the old neighborhood we're used to. That's really the goal of all this work that's being done - after all an early warning is better than a late surprise.&lt;br&gt;&lt;br&gt;I might also add that the first few chapters of Szor's book aren't really that technical and so you can pretty much get a useful exec summary from there. 
So I don't really see an excuse not to go through it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Donnie Brasco</dc:creator><pubDate>Wed, 22 Nov 2006 14:43:18 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321052</link><description>Andy: MAC and privilege revocation is better than the C runtime arms race, and perhaps tied with managed code, in terms of security value.&lt;br&gt;&lt;br&gt;If Apple ships an OS with pervasive least-privilege at the system call / OS subsystem level, they'll have something to brag about again.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 22 Nov 2006 10:19:14 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321051</link><description>Either you think "it's harder to write effective self-propagating code for OS X" is a simpler argument than "Windows malware authors don't care about the Mac", or you don't know what Occam's Razor is. 
Either way, you haven't convinced anyone of anything.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 22 Nov 2006 10:17:34 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321050</link><description>I think you're confusing theoretical security research (which is a technical speciality in which Gruber is no expert) and computer security in practice, which involves at least as much human interface and community/environment issues as it does technical detail. I don't keep my valuables in a safe and my door lock is not a pick-resistant seven-cylinder mushroom-pin Rabin (making me less safe than others), but I do live in a safe area and a community where any stranger would be a point of interest. I really am "safer" than someone living in a high-crime, weak-community area, despite technical arguments about my safe or lock.&lt;br&gt;&lt;br&gt;My point is that Gruber's security commentary seldom focuses on "technical" arguments, although they are mentioned where they are relevant. The Mac is a low-crime area, which makes it a safer security environment than Windows (at least in terms of malware), and the Mac community's outright intolerance of all types of malware make the policing *much* better.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rob</dc:creator><pubDate>Wed, 22 Nov 2006 08:14:44 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321049</link><description>Thomas,&lt;br&gt;&lt;br&gt;Of course you can continue accusing people of being unable to read, but it won't help your argument one bit. 
Occam's razor applies to security issues too, you know. Basically, there are two theories:&lt;br&gt;&lt;br&gt;1) It's harder to write effective and self-propagating or user-propagated malware for OS X than for Windows.&lt;br&gt;&lt;br&gt;2) Malware writers just don't care. Even though all it takes is one guy in his parents' bedroom, nobody has ever really tried.&lt;br&gt;&lt;br&gt;I hope you realize why people do not really buy this argument. It has nothing to do with the security features of either OS. The reality is that OS X right now is more secure than Windows for the average user. That is an incontrovertible fact and that is all I am trying to say.&lt;br&gt;&lt;br&gt;Nobody is saying that OS X is the panacea to all our security-woes, just see this project for example: &lt;a href="http://kernelfun.blogspot.com/" rel="nofollow"&gt;http://kernelfun.blogspot.com/&lt;/a&gt;&lt;br&gt;&lt;br&gt;They bring up some very real issues. I tried all of the three kernel panic problems they published and filed the crash reports with Apple for them. I expect them to get fixed way before anybody writes a workable exploit for them that does anything but crash the machine after the user clicks on the file.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Michael Ströck</dc:creator><pubDate>Wed, 22 Nov 2006 06:43:33 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321048</link><description>Ok. Now I read the Gruber article. That's really really embarrassing. How do people go about showing their ignorance in this field with such impunity?&lt;br&gt;&lt;br&gt;I really suggest (if he is able to grok it anyway) he read chapter 3 of Peter Szor's: The art of Anti-Virus Research and Defence. Szor talks a lot about the dependencies that you need to get any malware rolling on any platform. 
There's always the critical mass issue. IMHO Mac does not have a critical mass of large quantity to make malware development worthwhile.&lt;br&gt;&lt;br&gt;The economic perspective is also a very valid argument. Malware writing is like a business, complete with a cost-benefit ratio. I wouldn't write one where I know my chances of impact are low. Besides in today's world where there's a whole lot of malware written for profit, your "business manager" would probably slap you upside the head if you started harping about writing malware for a low penetration platform.&lt;br&gt;&lt;br&gt;Gruber should realize that there is active research going on MacOS security. Even Matasano has produced some work on vulnerabilities on this platform. It's easy to predict that as MacOS gains critical mass (from more users) they will lose their "halo effect" to more determined efforts to circumvent their security. Anyway in a few years his smugness will be satisfied - beyond the SecureWorks incident. &lt;br&gt;&lt;br&gt;Even when the emperor is wearing no clothes - the subjects have to remove their glasses.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Donnie Brasco</dc:creator><pubDate>Wed, 22 Nov 2006 06:25:16 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321047</link><description>Patek is right. I'm not an eWeek reader but I have read about my fair share of FUD while traversing the internet. And Gruber sounds like another FUD spewing machine.&lt;br&gt;&lt;br&gt;It's a pity that this argument cannot be resolved in more layman's terms. It might reduce the amount of "smugness" in most Mac users. I'm a Mac user, I recommend it to all my friends but realistically why we enjoy so much "security" is because we're under the radar. 
&lt;br&gt;&lt;br&gt;Of course MacOS does provide certain features that reduce the ability for malware to propagate but it's really the small number that is in our favor.&lt;br&gt;&lt;br&gt;Here's an idea, perhaps a "month of Mac vulnerabilities" should be organized. Not necessarily to provide grist for enterprising attackers, but to provide an avenue to actually throw some spotlight to MacOS security research effort - it would also make a fairly decent go to area for restricting the statements of the unpublished i-know-a-lot-about-security-from-my-soapbox experts.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Donnie Brasco</dc:creator><pubDate>Wed, 22 Nov 2006 06:02:49 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321046</link><description>Tom, I'm going to steer clear of arguing one side of this or the other. But I am confused about why you chose to spend 2000 words pointing out something fairly obvious, namely that Gruber's got no mad skillz. I mean, your post was almost longer than TWO Yankee research notes, and almost as long as a report. Aren't you guys supposed to be shipping a product or something? ;)&lt;br&gt;&lt;br&gt;On the subject of cherry-picking from future OSes, here's a Leopard cherry I am particularly interested in: Mandatory Access Control, taken from TrustedBSD. That's a confirmed feature in 10.5. I am very curious to see how this will work in a mainstream operating system; e.g., what they lock down, and where they cut corners for the sake of usability. 
I've heard rumors about ASLR also.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Andrew Jaquith</dc:creator><pubDate>Wed, 22 Nov 2006 01:40:17 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321045</link><description>You didn't even read the post.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 21 Nov 2006 23:47:52 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321044</link><description>How amusing that you fail (refuse) to answer Michael Strock and instead reply by an insult. He states a fact. OS X exploits in the wild are nil despite 15 million users worldwide. None of your points really explain this, instead you try point out how vulnerable OS X is despite that fact. &lt;br&gt;Safety through indifference? I really hope you're not naive enough to believe that, if OS X really was as vulnerable as your poor Granny's windows something would have come up by now but then again, you acknowledge it is not. Macs are much, much visible targets than Solaris.. but still nothing. 
I guess it must really annoy so called security people like you that so many OS X users have no interest, with reason, about your windows-centric field of work.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris Betancourt</dc:creator><pubDate>Tue, 21 Nov 2006 23:14:18 -0000</pubDate></item><item><title>Re: Five Reasons To Ignore John Gruber&amp;#8217;s OS X Security Punditry</title><link>http://www.matasano.com/log/609/five-reasons-to-ignore-john-grubers-os-x-security-pundity/#comment-2321043</link><description>I didn't want to make too much of the point about Java. I just hadn't heard about this specific decision for OSX. I certainly appreciate Thomas's point about managed code in Windows. In fact, if you learn to program now for Windows you are usually steered into a managed environment, either in VB.Net or C# or Java. You can still write sucky code in these environments but you aren't likely to make the system remotely exploitable. I must say I didn't appreciate the lack of similar binding tools for OSX and it just underscores the whole point that nobody cares about it; on Windows 3rd parties would write tools to make managed code first-class code if Microsoft weren't doing it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">lseltzer</dc:creator><pubDate>Tue, 21 Nov 2006 22:02:16 -0000</pubDate></item></channel></rss>