Apple Quietly Pulls Claims of Virus Immunity (pcworld.com)
184 points by w1ntermute on June 25, 2012 | 151 comments


"Let's hope more Apple Mac owners are also learning to take important security steps -- such as installing antivirus protection."

This is the worst possible step to take.

When I switch someone over to Mac I take the opportunity to recalibrate how they see their computer as secure. I teach them to be more aware of what they are doing and how potential viruses could infect them. I find this is 100x more effective than installing antivirus software which is shit most of the time and instills a fake sense of security.

I had a family member who would always click "OK" whenever a window popped up in Windows or would blindly enter in their password because they figured Windows was just annoying them. When they got their Mac I taught them that whenever OS X opened up a window asking for their password or asked them if they really wanted to open up a file, they should freak the hell out and be 100% sure of why that box appeared. I actually got a couple of phone calls from them asking if certain popups were OK. Sure this was annoying at first but after a week or two they started to understand why these things were happening.

The great benefit of changing their way of thinking and making security a priority was that when Flashback hit I told them that disabling plugins was one of the best ways to prevent being infected and they immediately accepted this.

Macs are not 100% secure. No one should be under any delusions of this. But teaching people why they are not secure is the solution. Not hiding behind POS antivirus software.


All the noise the media is making around this case is to actually drive a demand for antivirus software for Mac. You don't see any article mentioning installing software from trusted sources (like Mac App Store), digital signing, configuring firewall, keeping software up to date, etc. Their whole point is to compare the Mac platform to the Windows one, so they can conclude that installing antivirus software is the obvious choice.


Thanks for recognizing one of the biggest downfalls of it. They could be opening the Apple platforms for massive "protect yourself" scare sales.


The article is basically an advertorial. It could have provided helpful information and quoted security researchers who don't stand to gain financially. Instead it assembles quotes from vested interests who imply that their product is necessary.


> You don't see any article mentioning installing software from trusted sources (like Mac App Store), digital signing, configuring firewall, keeping software up to date, etc.

Do you see anyone mentioning that when it comes to Windows-based articles? If not, why complain that it's not mentioned here?


Great solution. This is the right attitude toward security in any case, Mac or PC. You can't neglect safe driving just because your car has air bags, yet I see that exact problem on computers with anti-virus all the time.

Macs actually do make it easier because they have a pretty good track record of not "crying wolf" with things such as password prompts or security warnings. Most of the pop-ups are justified and infrequent.

Macs have never been 100% secure. No computer is. Apple pulling this marketing has nothing to do with a reduction in security and everything to do with covering their legal butts as their platform becomes more popular and more targeted. It's still the user's responsibility to keep themselves safe in the end, even with a decently secure OS.


Sophos and Kaspersky like to allude that their software provides all the protection a user requires. Which I agree is the wrong way to approach security. They have also alluded to the idea that their software would have protected systems against the flashback malware, which is of course false.

Tediously, antivirus software provides a consistent vector into a machine, indeed as seen on Windows, the antivirus software is merely a consideration for the virus writer.

10.8 will feature a number of security enhancements which make the statement 'Apple is starting to take security seriously', an understatement designed to deliberately instil a sense of doubt. Two such examples are the improved kernel address space layout randomisation and the new signed-only code default aka 'gatekeeper'.


> "Let's hope more Apple Mac owners are also learning to take important security steps -- such as installing antivirus protection."

> This is the worst possible step to take.

What?

He's recommending security steps, i.e. layers. What you wrote (education) is another layer. Users need anti-virus too.

Recommending anti-virus as a layer is not the worst possible step to take. It's a better step than having an uneducated user with no anti-virus. It's not as good as an educated layer with anti-virus.

As a side note, much of the software available for the Mac is "download from some http website that your friend recommended". Also not ideal, which is where the Mac Store is meant to come in.


I agree that calling it "the worst possible step" is an overstatement but antivirus has a huge irremovable drawback: its basic operating principle is "enumerating badness", a known security antipattern.


I agree, nothing is as secure as a well-aware user. I removed a virus for someone last week and when I asked her why she didn't have antivirus software installed, she said "Oh, Cox has their own antivirus running through the wires."

...Cox provides a free antivirus that you can download. But that sense of security that both ISPs and antivirus companies provide is the reason so many people still get infected.


What you post is fascinating, that is why I am asking all these coming questions.

Are you able, in good conscience of course, to point out antivirus software that would not qualify as "POS"?

Do you think that installing said not-"POS" antiviral software would be constructive or a big no no, at any given time? (if they really exist and based on your own deep behavioral security know how, of course, that would be of great validity)

This "switch" you talk about, is it restricted to members of your family that you refer to in your post, and if so, are they older than you, or younger than you? Is it a quick process? Is it a deep life/computational altering moment for the intervened party? Do tell :)

Do they follow your "plugins off" recommendations to the letter, or do some of the "switchy's" stray from the path at times?

Thank you in advance. Any and all details you post would be very helpful to enable a complete picture to be formed. For deep insight is only a post away, at last.


I haven't used antivirus software in well over a decade and I will no longer instruct anyone to install it. I have had no good experiences with antivirus software and from what I have read over the last decade they seem to stop only the most flagrantly obvious viruses out there. These same viruses are easily stopped by teaching safe browsing techniques and running web browsers that auto-update with plug-ins disabled. Antivirus software gives at best a false security blanket.

I've advised dozens of friends and family members over the years. The ages range from 12-80. It is typically not a quick process because everyone has questions. But I see this as a good thing because that is how you learn. I try not to ever give them the answer and just step them through the process. Most of the time they come across the solution themselves they just need someone nodding their head to get that confidence to continue. I'm not sure if it is a life-altering moment for them.

Only had a couple switchers so far and I have had no complaints. Plug-in blocking in Chrome is so seamless that they don't see it as a hassle at all when they realize how it protects them.


I think enabling better computing, independently of entry level know-how, to be something that sometimes has amazing effects. That is why I asked if you had that happen.

I still remember when a neighbour came by and explained to me some BASIC on the Spectrum and how that led to me wanting to buy a Motorola assembler book some years later. And how that turned me to being interested in SoftICE and all that came later... that is why I asked.

I mostly like v8 because it runs three.js stuff crazy fast.


Sorry, I haven't followed this discussion, so this may be offtopic, but...

If your family or friends are using Windows, then Microsoft Security Essentials is free and absolutely fantastic. Speaking from personal experience, it's far better than AVG for example. (AVG bogs down the system; Essentials manages to maintain an active scan with almost no overhead.)


I've just had absolutely no good experiences with antivirus software. I can count on my hands the number of times they blocked an actual virus in my life. And those times were way back in the days when I was young, naive and using Limewire.

I've found that if you've gotten infected while following my teachings then no virus scanner would have stopped it.

Most of my friends and family do use Macs however so there is not as ubiquitous antivirus software for Mac.


>> When I switch someone over to Mac I take the opportunity

Why only after switching? Is it not simpler to teach them these before switching? Wonder how much effect it will have if they did all those things regarding being careful clicking buttons and protecting personal information without switching.


The problem was that they were so ingrained with the Windows experience that they were resistant to change. They had their way of doing things and whenever I presented them with alternatives they would refuse to change, no matter how I presented it. Textbook examples were things like switching from Internet Explorer 6 to Firefox. They just would refuse to adapt.

When I switched them over to Mac they treated it like a newborn baby. They wanted my input on everything. They were so much more receptive to change because they had never used a Mac before.

Human beings are just so resistant to change and when they were learning how to use a computer in the 90s the user experience could be really grating. It seems like they just latched onto what worked and refused to let go.


Whoever introduced computers to these folks probably wasn't careful to tell them what to be careful about. As long as people mess with the local computer, it's possible to recover (in most cases). But being on the internet is a whole other thing.

I wouldn't necessarily blame Microsoft here. If anything, I feel much more comfortable letting my dad use Windows 7. Microsoft massively improved their security record after a few embarrassing incidents with Windows XP.

My only message to my dad was: as long as you don't download anything, it's relatively easy to stay away from viruses.


Because then the user is ready to accept a change in workflow.

They're getting an OS they don't understand anyway. They're "starting from 0", in a way.

It also helps that OS X doesn't bother you all that much with it unless it's actually important.


I was trying to not make the post have a "Mac is better" tone but it was difficult.

Most of the people I've advised learned on Windows 95 or 98. Those were horrible UX days and helped form a lot of bad habits.

I've never had to switch someone to Windows and I've always wondered what sort of experience it would be. Coming from OS X I think they would have a better understanding of "the basics" but I wonder how this teaching style would apply to someone using Windows for the very first time.


According to Sophos U.S. senior technology consultant Graham Cluley, this is a sign that Apple is starting to take security seriously. "I view the changes in the messages pushed out by their marketing department as some important baby-steps," he wrote in a blog entry.

The idea that the removal of technical falsehoods from Apple marketing copy represents a watershed moment in their attitude toward the security of their customers' computers is based upon a bar set remarkably low.


I keep trying to find a way to set it lower but I can't. Maybe someone can help me.


You can’t set a bar for Apple because they just say nothing at all. Interpreting Apple is akin to reading tea leaves.

It’s not a low bar, it’s just that Apple never says anything.


That means the bar is glued to the floor. OS vendors should be looking to help their users have a more secure experience, not finally getting around to stop lying about security through obscurity as a positive feature because they're no longer obscure enough.


> not finally getting around to stop lying about security through obscurity as a positive feature because they're no longer obscure enough.

That isn't what happened. It used to be true, now it's not so they changed it. Security through obscurity was a positive feature, there is little denying it.

Just because it wasn't going to last doesn't make it positive and just because you think it's not something they should be touting doesn't make it a lie.

> OS vendors should be looking to help their users have a more secure experience

For the record, Apple has been working on OS X anti-malware since 2009 when Snow Leopard was released. It was a pretty cursory effort yes, but considering Microsoft hadn't even released MSE yet at that point it's still not bad.

Marketing and engineering are two different departments. Just because someone is writing dumb copy about security in the marketing department doesn't even begin to indicate how engineers are tackling security issues in practice.

In other words, Apple is both helping users to have a more secure experience (what do you think Gatekeeper is for?) and rolling back their boastful copy now that it's no longer true.

How is that a bad thing?


> That isn't what happened. It used to be true

Stop drinking the kool aid. It was never true. OS X was exploit central for years. It was only the BSD base that stopped it from being exploitable from the network. All the client side stuff Apple added for years was RCE-you-like.

Also a fundamental thing about security is the acceptance that security by obscurity is not a defensive measure. Genuine security doesn't rely on it. Smoke and mirrors might scare the wolves for a while but won't keep them away for long.

> For the record, Apple has been working on OS X anti-malware since 2009 when the sixth major release of OS X was released.

That's right, 5 major releases of the OS with no anti-malware effort, and it only became necessary for them to do it when it started to become an issue because people were getting owned.

> It was a pretty cursory effort yes, but considering Microsoft hadn't even released MSE yet at that point it's still not bad.

Don't even bother comparing it to Microsoft. The source operating system FreeBSD has been doing this for years before OSX even existed. Microsoft was doing security way before MSE. MSE was held back because it had the potential to damage industry partner relationships. If Apple releases an AV no-one cares. If MS releases a good enough AV product the AV industry jumps up and down because MS just stole their lunch.

> In other words, Apple is both helping users to have a more secure experience (what do you think Gatekeeper is for?)

Apple is not helping users to have a more secure experience. It's helping users to have a more controlled experience - the controller being Apple. Gatekeeper is not a security measure, it's a tool designed to lock users into the Mac App Store. Do you really think that an App in the Mac App Store has no way of being malicious? Have you not seen what can be done by an app in iOS?


I'll be the first to point out that OS X was never _fundamentally_ more secure than Windows, and, to some degree was demonstrably _less_ secure than Windows 7.

But, "It was never true. OS X was exploit central for years." is hyperbole. The OS X platform has been remarkably free of exploits, for a system that didn't go out of its way to enhance security.

I think most of us would agree that the greatest security feature of OS X was its niche presence - just wasn't an attractive target, so nobody targeted it.


> Stop drinking the kool aid. It was never true.

It was always true, and it was a tangible benefit. Your arguments rely on it being considered "genuine" security or an effective defensive measure. It's not. That doesn't make it false, or not a benefit to end users.

> and it only became necessary for them to do it when it started to become an issue because people were getting owned.

What were people getting "owned" (ffs, I thought this was HN?) by in Snow Leopard? Care to provide a real world example, because I know you're full of shit. There was no well known dangerous trojan/malware/virus for SL that had any notable number of infections. The anti-malware in SL was a preventative measure.

> Don't even bother comparing it to Microsoft.

Watch me. I don't care about the reasons behind it, the long and short of it is Apple introduced an anti-malware system in OS X before it was a big issue and Microsoft pushed it until 2012, long after they've had countless brutally utilized exploits.

> If MS releases a good enough AV product the AV industry jumps up and down because MS just stole their lunch.

So MS sold out their customers to please their partners? Yeah keep trying to spin that one. And I'M the one drinking the kool-aid.

> Apple is not helping users to have a more secure experience.

Yes they are. FFS, you don't even understand what Gatekeeper is. FYI, it's not just the Mac App Store. Do some research before you continue to run your mouth.

> Do you really think that an App in the Mac App Store has no way of being malicious?

Of course not. Does it have a much, much, much smaller chance? Absolutely. Is it far and away the most effective measure against malware besides not installing anything? Also true.

> Have you not seen what can be done by an app in iOS?

An App Store app? No I haven't, care to demonstrate?


Dropbox, Skype, and Microsoft Office being distributed through App Store would be a hallelujah moment for me beyond all other hallelujah moments.

A staggering number of people I meet either can't get the job done, are too intimidated to start, download some malicious garbage, get waylaid by virus scareware, have no idea how to get the app into /Applications, get frustrated with Auto-Start naggers, freak out on Sparkle update dialogs, or never figure out how to pin the app to the dock.

Mac App Store is the answer to a lot of questions nobody "in the know" has had to ask in a decade or three.


You lost a lot of people by saying kool aid.

OSX's major malware holes are Microsoft Office, Java and Flash. After that the malware has to depend on the user putting in their password.


I wish to debate for a bit. You're technically right on so much of this but keep coming to Apple-sucks conclusions that I don't feel are warranted.

Let's grant this: if malicious code can start executing on OS X as a regular user, it's game over. There are so many ways through the floor it's almost trivial. (the presence of BSD tools being largely irrelevant since there were far easier ways in the door that are guaranteed to be installed)

And let's grant this: Apple has been very late in rolling out an explicit malware detection and removal system.

And let's grant this: Microsoft understands what they're up against when it comes to security. Malware damaged the Windows XP install base to the point where it was necessary to stop production on their #1 moneymaker in order to rescue it.

I can't support your assertion that Gatekeeper is a power grab. The defaults on 10.8 allow any and all signed software bundles to be installed regardless of where they came from.

Mac App Store can at the very least "prove" that apps are only able to call public APIs, there's a minor but real financial and logistical barrier to entry, and developers and apps can be revoked. All apps must be sandboxed (for better and for worse) and updates must come through a known source.

As for the argument that Apple is doing security by obscurity, I think they've been doing fine. To review the ways I know of to trash a Mac: Drive by web plugin attack, network attack, e-mail attachment attack, tricked into authenticating Installer.app.

I think we can all agree that all major OSes are a lot better about controlling ports open by default nowadays.

Web: Safari is sandboxed. Flash is sandboxed. Extensions are sandboxed and signed. All out of date Flash plugins are purged automatically at system boot. Java has basically been disabled across the entire Mac ecosystem. In-line PDFs are handled by the OS.

Disk Mounter refuses to mount known bad .dmgs. Installer.app has a blacklist. Both of these update nightly. System Update will shortly match the default policies and cadence of Windows Update.

PDFs are handled by a sandboxed built-in App, short-circuiting the nightmare that is Adobe Acrobat Reader. There's no AutoRun concept for mounted volumes. ASLR at multiple levels is in use. Signed frameworks are in use. Etc, etc, etc.

I'd argue that a Mac out of the box being used by a novice operator is pretty well protected, with more to come. And these novice operators are the ones who do the most damage to software platforms by blindly installing shit. Apple's straitjacket provides better results for them.

Finally, iOS: the ivory-est of all ivory towers. Name an app that's done real-world damage, because I haven't heard of one.


OS X was very safe (I won’t dare to make any claims about security) for a long time exactly because PC viruses couldn’t touch it. That’s a real and practical benefit. OS X users didn’t have to deal with viruses. To an extent that is still true – but it has now also become true to an extent for Windows users: They also don’t have to deal with viruses any longer, even if they take no precautions at all (at least most of the time). So that advantage has disappeared and if Apple continues to move so slowly the balance might tip.

Still, I can’t find anything wrong with the marketing language they used.


Hard to argue with Apple's success, essentially no malware vs the cesspool of Windows malware everyone deals with.


I haven't dealt with Windows malware in a decade. Have you?


If you include the difficult to remove "rogue antispyware" type programs as malware then yes, frequently. I haven't seen a real virus or trojan in the wild in years. I still see the "hijack your computer and extort money from you" kind all the time.


Wow! 10 years of only using computers operated and actively maintained by users who can stay up-to-date on security best practices. You made it from before XP until now without ever dealing with Windows malware! You're pretty damn lucky - I sometimes use computers that belong to laypeople :-(


It really doesn't take state of the art security, it just takes some healthy skepticism when browsing the web. If you know not to click on flashing red banners, you'll be okay. I went without antivirus for years, but now I just run MSSE in the background as it's so light. It's only alerted me to false positives so far, but they're few and far between.

I will say that if I'm suspicious of a file (say, a dll I had to go find from a shady site), I'll scan it over with a few tools before dropping it in a program folder.


... And not having Java loaded in your browser and/or using Internet Explorer. The number of CVEs related to Java file execution vulnerabilities astounds me on a monthly basis.

If you want to do one thing to ensure your machine stays secure, don't browse with Java enabled. I can't tell you how many countless sites our users find when a new Java vulnerability appears.

Malware writers seed countless sites with things like the Blackhole exploit kit on improperly protected blogs with decent search rank - landmines waiting for the next unsuspecting Windows user.

- signed "someone who has dealt with more infections than he cares for"


I disable Flash/Java and have websites ask to enable them. I look forward to when all browsers make this the default.


It is also possible that you are not aware of the malware in your machine. Many pieces of malware do not require any click whatsoever to install themselves--merely visit the wrong webpage. These types of malware also are typically smarter about hiding their tracks by not dogging the machine's performance, popping banner ads, etc.

To be fair, this was also the case with Flashback. No user action was required other than loading a web page.


The sarcasm isn't helpful, guy.


Nor is your claim that malware hasn't affected your life using Windows in the last 10 years. Even if it's actually true, it's at least a 4-sigma event.


So nobody has ever successfully done anything wrong on any Windows computer you've used in 10 years.

Gotcha.


I have a whole family of Windows users and none of them have gotten a virus in over the past decade. None of them except for me are very technically inclined either. However, they don't visit porn sites or pirate software either.

The last virus that I personally got was back during the Win95 days. It was the NY Boot Virus, which I got by accidentally leaving a floppy (which I got from someone at work) in the drive during boot.


Apple seem to be less interested in comparing themselves to MS and PCs in general these days.

In ~2005 their entire marketing was based around trying to sell you a Mac as a PC replacement "Your next PC should be a Mac".

I guess they are less interested now because it's a smaller % of their revenue and most of the people who would want/can afford a Mac are already giving them plenty of money so there's no desperate need to increase their market share in that area.


Apple's current focus is iPhone and iPad.

Microsoft has zero market share in the tablet market ("there is no tablet market, there is an iPad market"), and a very small share in the mobile phone market.

When you are #1 in a market, you don't do comparisons.

The Apple Stores are probably the best marketing the Mac can ever get. So it's better for Apple to spend money on the stores than on making TV ads for the Mac. And so they have: http://www.asymco.com/2012/06/25/the-face-and-the-brand/


It's pretty clear that the next Microsoft v. Apple war is being waged in the tablet market (the show is over for cellphones -- Apple won). Traditionally Microsoft hasn't done well at competing with Apple on their own turf (mobile, mp3 players, etc), but it'll be interesting to see what the Microsoft Surface means for all of this.


Apple won big in smartphones, but Android has a bigger marketshare. Competition between all smartphone vendors has made the customer the biggest winner in any case.


Is that even relevant when Apple is taking home the biggest slice of the profit pie?


This article sums up quite a bit of why that is:

http://www.thestreet.com/story/11586384/1/android-users-dont...


Of course it is relevant. A large Android market share keeps Apple on its toes and as mrich said, consumers win. It also means that although Apple is winning by profit margins at the moment, they may not be in the future.


If Microsoft's Surface and/or Windows 8 RT take off, then we may see an increase in Windows Phone 8 marketshare. Why? Because of syncing, similar interface, possible app sharing, etc.


Maybe. I've currently got an iPad and an Android phone, and I don't have any problems switching between two different mobile OSes. I initially bought an Android tablet because I thought that syncing and app sharing consistent interfaces would be a big deal, but I sold it and bought an iPad because it's a better product. Having an iPad hasn't made me want an iPhone.


I doubt it. The phenomenal popularity of Android smartphones hasn't done anything to sell Android tablets.


Android isn't a household brand. Apple is.


Also security on the whole has improved across all platforms.

When Apple began to market themselves as immune from 'PC viruses', the Windows platform was besieged in drive by downloads and massive, highly publicised infections.


I love the way the article only quotes two people, both from companies that sell antivirus software. Not that their views should be ignored just because of who they work for, but their self-interest was clear.

The first suggests that Apple should be encouraging their users to install antivirus software. My understanding is that Apple's position is the opposite: 3rd party antivirus software on OSX provides so little extra security that it is not recommended. Does anyone know of a 3rd party antivirus application that would have stopped flashback?

The second suggests Apple should do more to support older versions of OSX. I view it as a positive, security-wise, that Apple does such a good job of keeping its OSX users current. Mainly it does this by making new versions affordable, but discontinuing support for old versions is an important part of that.


Mac OS X Security Configuration Guide:

https://ssl.apple.com/support/security/guides/docs/SnowLeopa...

Installing antivirus tools helps prevent infection of your computer by viruses, and helps prevent your computer from becoming a host used to spread viruses to other computers. These tools quickly identify suspicious content and compare them to known malicious content.

Quoting the Snow Leopard one since that seems to be the most recent. They've also used stronger wording in the past: "Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult." and "Regularly check for viruses on your hard disk using an anti-virus program, especially if you download files from the Internet or share files with others."

While I agree that the state of AV software is generally rather poor and provides weak protection, I'd be surprised if the major AV choices didn't prevent a flashback infection at least by the time it had become commonly talked about.


"It doesn't get PC viruses" will, by definition, always be true. It's just not as relevant as it used to be, as Windows is much better in this regard today. If anything, this change is a nod to how the computing industry has moved on - using a Mac is no longer PC virus avoidance, but more "use this because it's great".

That said, most of the "virus" writers have turned to spyware and adware, and other scummy malware that demands money, and there is nearly none of this on OS X.


>> "It doesn't get PC viruses" will, by definition, always be true.

Macs are PCs.


"PC" has been appropriated numerous times by vendors to mean a specific platform. In the times when personal computers were less-standardised "IBM PC" and later "PC Clones" referred to the platform and not "personal computer" specifically. This naturally led to Macintosh computers being referred to as Macs, even though they too are "personal computers".

The problem is that many people today don't understand the history of personal computing and that "PC" has an established history of meaning a specific mainstream platform. I think some mistakenly poke fun at Apple, as if they had invented the label 'PC' for their ad campaign. When actually Apple merely took advantage of this convenient, existing differentiator for their PC vs Mac ads.

Apple have been working references to other platforms out of their marketing materials for years. Comparisons are no longer needed when a company has found their publicly-held niche.


Just asking seriously... aren't Macs x86 now? Doesn't that distinction come from the time when Macs used a totally different architecture (RISC) based on something called ironically "PowerPC"? I still can't see the difference now. Why then don't call Linux-PC or BSD-PC to others if based on the platform? I may be wrong, but the way I see it it's just something anachronistic with an historical basis, but now just used for marketing purposes.


The early Intel Macs were "x86". The current lineup is x86_64. Depending on who you ask in the industry this is called AMD64, Intel64, EM64T, IA-32e. This is the 64-bit platform as developed by AMD; it's not to be confused with Intel's IA-64 as sold in "Itanium" chips.


And licensing purposes too. Back in the old days Apple used the Mac ROMs to prevent cloning.


No, in the context we are discussing, a PC is not a "personal computer", but what was called an "IBM PC compatible" (and subsequently by some a Wintel machine).

Few people use "PC" to mean personal computers in general, especially since for 99% of the people personal computers are all they know and encounter anyway, so no need to distinguish both Mac and PCs from, say, Mainframes and embedded systems....

That's why nobody got confused by the 3 year running "-I'm a Mac, -And I am a PC" ad campaign.


I was under the impression that since Macs went over to x86, they were capable of running Windows. They are IBM PC compatible.


I think the only difference now is that Macs use EFI boot, and not BIOS boot, and hence will only boot software with an EFI-boot compatible bootloader.

Once you get past that step a Mac works exactly like a "PC". Just like a "PC" works exactly like a Mac if you fake the EFI-boot via a custom BIOS-to-EFI bootloader on a USB-stick.


That was fixed with firmware updates soon after release of the first Intel Macs.


If we're going to be technical, since they don't run a PC BIOS (they use the newer EFI), they're not compatible with the original IBM PC.


EFI is not exclusive to Macs. It was developed by Intel and has been deprecated in favor of UEFI. Most UEFI images will have legacy support for BIOS services.

There is basically no difference between a modern Mac and a PC - except for Mac OS X, which can be run on "Hackintoshes".


>EFI is not exclusive to Macs.

Which is beside the pedantic point, that to be an "IBM PC compatible" you have to NOT run EFI.


Not if your (U)EFI firmware is capable of booting BIOS-booted operating systems as well as (U)EFI operating systems (like IBM System x Server Firmware).


And yet the PC clone market as a whole appears to be moving over to EFI


So they appear to be moving over to "not being IBM PC compatible". Which is perfectly valid.

I never said that PCs are called PCs because they ARE IBM PC compatible, only said they are called PCs because in the past "IBM PC compatible" defined their category.


I have a floppy drive and my PC will run some old PC games that ran bare-metal (i.e. booted off the floppy). Macs by design, can't boot those.

Also it's a bit freaky that my disk from 1987 still works in a machine I built last year. Some games assumed a 4.77MHz clock though, and there's no turbo button, so they don't really work :(


Technically, since they don't use a PC BIOS. Plus, the "IBM PC compatible" as a specification hasn't been important since 199x.

The PC moniker for Wintel machines, while heralding from the "IBM PC compatible" era, it's used as a designator of the category of, well, PC-derived machines now, not as a technical spec. We mostly use the word Wintel for the respective thing now.


>> "It doesn't get PC viruses" will, by definition, always be true.

Until someone writes a 2-in-1 virus that can infect cross-platform.


In biology they call this a pandemic.


Then by definition it is not just "PC".


It's still a "PC virus."


Does someone actually need to say this is an asinine technicality that isn't relevant to the discussion?

Good.


Only if you define PC to exclude macs.


I don't think it's a sign of Apple taking security seriously as much as it is a lawyer avoiding liability suits.


I think any competent PR representative would have inevitably pulled those statements, as they were never true even when they were written.


Untrue. This[0] is what was written in 2010:

> The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.

Something similar is still present in today's security page: http://www.apple.com/osx/what-is/security.html (near the bottom)

[0]: http://web.archive.org/web/20100123154433/http://www.apple.c...


I'm genuinely curious... are there viruses that spread in OSX?

Not trojans or whatnot that require users to click on files they shouldn't, but rather actual viruses that make use of vulnerabilities in OSX to spread from computer to computer, either via Internet or thumb drives or something?

In other words, if I always follow responsible practices (never opening files from untrusted sources), has there been any threat up through now that could compromise my OSX installation?


I think the recent Flashback.K qualifies to some degree. All you had to do is visit an infected webpage and the Java applet would walk onto your system. It would immediately ask for admin privileges, but due to the huge Java hole it would have your user privs automatically.

Since OSX enabled Java by default, and since responsible practices were no defense, this compromised enough Macs that it was proportionally comparable to the Conficker infection on Windows.

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashb...

http://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback


And then Apple disabled Java, and Apple no longer ships Java. Java has been a huge security vulnerability for a while now...


It's still useful to have though, and Apple makes it really easy to install. GlimmerBlocker, Maple, Processing and a few game clients I use need it. It does seem that the default is that "Enable applet plug-in and Web Start applications" is off by default (in the Java Preferences app; there's no mention in System Preferences).


In general, however, if you know you need Java and how to install Java as a dependency then in all likelihood you're savvy enough to avoid being infected.


Apple still ships Java; it's just not installed by default. When you run a Java app without having Java installed, you get a prompt to automatically download and install Java.


I'm not aware of any "traditional viruses" as you describe.

I've cleaned IRC bots off of people's OS X installations. They had SSH turned on, with username/pw combos like "bob"/"bob", and public IP addresses.

But you really have to intentionally make multiple poor security choices for something like this happen.

There are also quite a few remote code execution attacks against OS X - you can find details of these in Apple's security bulletin list:

http://support.apple.com/kb/HT1222


While some high-profile Windows malware has spread using genuine exploits, it's been a long time since this was a serious problem. The vast majority of Windows malware/crapware have been and still are just trojans (sometimes through very obvious pop-up ads and such).


I believe that pwn2own has demonstrated that OSX and Safari are susceptible to drive by attacks; no download is necessary.


Yes and no, mostly "no".

There are functioning Microsoft Office trojans that can self-replicate through e-mail.

There was a largely harmless but extremely widespread trojan that did drive-by Java attacks on webpages.

Repeat the above for Flash vulnerabilities.

There was a largely harmless but extremely widespread trojan that masqueraded as a free antivirus package and guilt-tripped naive users into authenticating via Installer.app, the only programmatic way to get code onto a Mac.

Best practice in my reality:

- DO NOT INSTALL A VIDEO CODEC PACKAGE

- DO NOT RUN COPIED OR TORRENTED SOFTWARE

- Enable Firewall.

- Remove Adobe Acrobat Reader unless your PDF workflow absolutely requires it.

- Disable Java immediately. (uninstall it for extra credit)

- Make sure Flash is at the dead latest self-updating version and set to auto-update.

- Update all non-stock browsers to self-updating versions.

- Update Microsoft Office and allow it to check for updates weekly.

- Allow Software Update to do its thing weekly.


The recent major issue was a trojan that I didn't have.

>In other words, if I always follow responsible practices (never opening files from untrusted sources), has there been any threat up through now that could compromise my OSX installation?

I don't think so but I think you know that otherwise you would not be here. While this story has been posted recently, Apple has removed such articles on their site a few months ago.

The ID10T's, as some put it, should be on iOS. This is yet another reason why PCs should only be for professionals.


What about professional ID10Ts?


I won't speak of them. From what I've seen there are enough idiots in this world to go around.

The times that I've heard it was from waiting in line at Best Buy for repairs. Most people wouldn't get it because it is far different when spoken.


The real question to ask is not "Has there been?" but "Will there be?"

Given that Mac OSX is on the rise on the popularity scale I am almost dead positive we will see a lot of increase in malware for OSX, even remote attacks where the user will be infected even if he acts sensibly.

The risk of that happening to you though is fairly low. The risk of clicking something and then getting malware through that is way higher, from a risk point of view.


> Given that Mac OSX is on the rise on the popularity scale I am almost dead positive we will see a lot of increase in malware for OSX

This was repeated so many times, over so many years. Yet OS8-9 had more viruses in the wild despite much smaller market share.


But of course going forward the vast majority of Mac users are going to be getting their software through the Mac App Store, and not downloading random programs off the internet. That plus the default GateKeeper config (that prevents unsigned code from being installed) will dramatically reduce the risk of the average user getting hit by trojans on the Mac platform.


What are some recent examples of such Windows viruses even?

Most malware is spread by downloading fishy software or from browser/Flash/Java/PDF exploits.


Microsoft should put "doesn't get Mac viruses" on Windows.com.


Similarly, I always tell people that I don't get Dutch Elm Disease. Puts a lot of concerns to rest.


Apple tried to claim Apple PCs were special, but it didn't remove the single biggest hazard to any claim of security.

PC means personal computer, which means a system owned by millions of people without the technical skill to assess whether or not that attachment (whether it's birthday_card.dmg or birthday_card.exe) really came from grandma.

All PCs are vulnerable to users. I'm glad Apple figured it out a few years sooner than Microsoft did.


How do you figure that 'Apple figured it out a few years sooner than Microsoft did'?

I don't endorse Windows. But for all Windows' brokenness, Microsoft has not claimed invulnerability to viruses and has put a significant amount of effort into improving security from XP to today. The main reason it has had more trouble with malware is that it has been a much more popular platform, meaning that is where all the victims are.


Microsoft didn't make the same claims, but they showed the same lax attitude toward security for years. Apple only needed to see a few malware outbreaks to come to terms with reality.


>> I'm glad Apple figured it out a few years sooner than Microsoft did.

When exactly are you claiming that Apple "figured it out"? Because Microsoft's Trustworthy Computing Initiative kicked off in 2002 http://en.wikipedia.org/wiki/Trustworthy_computing#Microsoft...

From what I've seen inside of MS security trumps everything else. Want to change an API? You can't...unless it has a security issue in which case go right ahead.


Apple took the claim down less than a year after a big malware outbreak. 2002 is quite a few years after malware authors started targeting Windows.


I'm mildly surprised no one has sued over this yet. And since I keep seeing the mantra that flashback is a trojan. Here's some history: http://mac-antivirus-software-review.toptenreviews.com/histo...


Considering the effort that Apple marketing has made to make it clear that "Macs" and "PCs" are not the same thing, it would be very difficult to win a case, as Macs clearly don't get infected by "PC" viruses.

Which is not to say that your statement is wrong - it is surprising that nobody has tried to sue, even if they would almost certainly lose...


Free and unprofessional advice on how to avoid Mac malware and headaches:

- DO NOT INSTALL A VIDEO CODEC PACKAGE

- DO NOT RUN COPIED OR TORRENTED SOFTWARE

- DO NOT DOWNLOAD ANTIVIRUS PACKAGES OR "SYSTEM CHECKERS"

- Enable Firewall (System Preferences -> Security -> Firewall Tab)

- Uninstall Adobe Acrobat Reader unless your PDF workflow absolutely requires it

- Disable Java immediately (Spotlight Magnifying Glass -> 'Java Preferences' application. Uninstall Java entirely for extra credit.)

- Make sure Adobe Flash is at the dead latest self-updating version and set to auto-update (System Preferences -> Flash. Must be 11.3.x.x or greater)

- Update all non-stock browsers to self-updating versions (Name of browser -> Updates...)

- Allow Microsoft Office to check for updates weekly. (Help -> Check for Updates)

- Allow Software Update to do its thing, at least weekly (System Preferences -> Software Update)


>"Safeguard your data. By doing nothing."

For a brief moment after reading that I had to consider if the article was satire.


This is somewhat of link bait. Yes, they changed the wording on their site, but what do you expect them to do in addition? Plan a press conference about the change? Have a press release? Of course it is "quietly"; Apple has product upgrades that they do not feel worthy of a press release.

Back to the subject: this possibly/partly is a response to the outcome of a complaint at an advertising complaints commission in the Netherlands (correlation is present, but the Dutch Apple site still had the original text while the US site had the updated text). They got the short end of the stick there, but the commission cannot do more than naming and shaming (https://www.reclamecode.nl/webuitspraak.asp?ID=76881&acC...)


Wow, I had no idea that they said stuff like that on their site. Even though it specifies "PC viruses," the average computer user doesn't understand the distinction. Just last night a relative mentioned how Macs don't get viruses (which I corrected).


Are macs not PCs? Perhaps I'm an average user, but I thought PC stood for "personal computer".


That depends.

To lots of people (myself included), "PC" means "personal computer" and include desktop and laptops from Apple.

However in the 1980s/1990s, there were "PCs" and "Macs". PC was anything running Windows (etc.) and a "Mac" was from Apple (i.e. a Macintosh). Apple (and many Apple fans) continue to use "Mac" instead of "PC". I've had Apple fans ask me if I use "a Mac or a PC?" (Since I use Linux, I don't know what to say :P)


I usually say "I run Linux."


The difference being that back in the olden days Macs used completely different processors etc. while now Macs use the same IBM PC compatible hardware.


How about answering "a computer"? :-)


Originally yes. With the release of the IBM PC the term was used to refer to the IBM PC or compatibles. Since IBM is no longer making PCs the descendants of the PC are referred to as Wintel or Windows machines. The term PC is slowly reverting to its original meaning.

In the 90s I remember Apple calling HD space 'memory'. Does anybody remember when they stopped doing this?


No. Macs are friends and family ;-)

"PC" is more or less synonym of a generic machine that runs Windows (much like it once stood for a generic machine that ran MS-DOS). It comes from "personal computer" but I think the IBM brand overshadowed the original meaning.

BTW, the PC I'm writing this on, while perfectly capable of booting Windows, never did it. It is, nevertheless, a PC and not a Unix workstation (despite its dual 64-bit processors, gigabytes of RAM, specialized graphics hardware and fast network).


It does, but it was originally short hand for "IBM-PC compatible" back in the days of DOS.


Microsoft and Apple have been perpetuating the PC vs Mac faction war for some time now.


you know... "Think different". They cannot have even the smallest thing in common... or at least that's what they want people to think.


Really? That must be why when they switched to Intel they touted the compatibility, and why they even offer a utility called "BootCamp" to easily run Windows on your Mac, with automatic re-partitioning, hw drivers, et al.


You know that, I know that, but let's ask some of those people that actually think that Macs do not get viruses because they are better...


Well, they must be doing something right at Cupertino, because they really don't get viruses. Not theoretically or future-wise: practically.

99.9% of things reported (and even those are not that many to begin with) are trojans. So, Mac viruses are like the Yeti, they might well exist, but very few people have seen them in real life.

It's not just market share either. OS8/9 had several viruses with 1/5 the market share OS X has now.

If one considers that OS X is basically NeXTStep, and essentially a UNIX, does one really see many viruses in UNIX systems? What I'm getting at is that the "administrator privileges by default", "can fuck with any file on the system" feature of Windows --up to Windows XP, which is where viruses really reigned-- was not part of OS X from the beginning.

So, at worst, OS X since 10.0 was as secure as Windows Vista, which was not a swiss cheese OS like, say, Windows 98. Plus, OS X didn't have Active X, either, and used a custom PDF viewing (Acrobat is another common attack vector in Wintels).

Now, with the eviction of Flash and Java plugins as the default, and several other techniques (sandboxing, ASLR, signatures, etc), things will get even better.


>99.9% of things reported (and even those are not that many to begin with) are trojans

How is Flashback a trojan? Also what percentage of new Windows malware over the past few years do you think are "viruses" according to your definition?

Am I the only one sick of the pedantic quibbling and nitpicking over the word "virus" in every Apple malware story when everyone knows that viruses really mean modern malware in this context in general parlance and not really floppy bootsector or executable file viruses of the 90s? Anti"viruses" try to defend against all types of malware, so making a huge distinction here doesn't really help the discussion.


Reminds me of the folks that try to tell you you don't have the flu because you'd have a fever if you had the flu. You have a cold.

I can almost hear the computer saying "I'm sick dickface....I don't care what you call it."


You must have missed the eighties. PC, the acronym, then stood for "IBM PC compatible", not personal computer in general.

You must also have missed 3 years of "I'm a Mac, and I'm a PC" ads...


Well, theoretically they DO get viruses --but practically they don't.

All those past false alarms, touted to high heavens, were trojans. And they aren't even that many, at that. The one genuine virus like thing --which still wasn't a virus as it needed you to visit specific webpages-- infected like 100,000 Macs.

So, assuming ~ 20M Macs, 99.5% of the Macs out there haven't got any virus, ever. And with better OS X support for security (from better address space randomization to sandboxes to gatekeeper, etc), even fewer will get any in the future.

Geeks are quick to point out the possibility of viruses on Macs (or Linux, for that matter), but in practical terms it's like pointing out the possibility of being hit by a thunder. It can happen, it even happened to some people, but normal people shouldn't be that worried about it.

If you disagree, please answer: should Ubuntu users also invest in a Linux antivirus? Because theoretically a virus can also happen there...

It's not the "lack of market share", either. OS 8/9 used to have tons of viruses with a 5 times less marketshare than OS X. Heck, even Amiga/Atari used to have plenty of viruses back in the day, with an insignificant amount of users, and NO actual monetary incentive (no web back then, no credit card details, no bots even).


Of course, are "viruses" the problem on PCs anyway? Or are trojans the problem everywhere? Viruses are hard to write, since you need several exploits, to get them to both install and spread. Trojans just need one.


Well, the big epidemics on PCs have been viruses, not Trojans.

Trojans don't spread fast because of their very nature.


What are some examples of big epidemics of Windows "viruses" over the past year?

Also, do you consider Flashback.k a virus or not?


While Apple's install base is steadily growing, I still think they have a significant advantage in obscurity that grants them security.

i.e. Why do virus-writers target Windows? Sure, it has the largest install base, but Windows also runs a lot of servers and embedded systems. These two things are the real jackpots. What's taking control of one person's computer compared to taking control of a server with credit card information or a system running a billboard in Times square? Apple doesn't do embedded systems and their servers, while some do exist, are exceedingly rare.

Is security through obscurity enough though? That depends on who you are and how interesting your data is.


What do you mean by obscurity? Which level of the system are you referring to? You seem to indicate that Windows is somehow open. Can you explain what you have in mind?


I said what I meant by "obscurity" and I did not say anything about Windows being open, but I'll restate things in other words in case it clears things up.

OSX and iOS are used predominantly to run personal computing devices. In addition to PC's, Windows also runs a significant number of the world's servers (although Linux dominates here) and embedded systems (see http://www.microsoft.com/windowsembedded/en-us/windows-embed...). Despite OSX and iOS gaining significant market share, virus-writers may still find that the sweetest targets are disproportionately running windows. OSX and iOS are more "obscure" in the sense that they don't run many of the systems virus-writers want to target.


Can anyone here speak to the risk to FreeBSD (or other BSDs)? As MacOS becomes more of a target, how much more vulnerable does FreeBSD become?


Most BSDs aren't running stuff like Bonjour which increases exposure to the network.


Bonjour is just Apple's name for zero config networking which most Linux and BSD distributions do support to various degrees.


I was under the impression it also did file server and printer discovery among other things. I know OpenBSD doesn't do that out of the box.


Most vulnerabilities are unrelated to the actual OS stack and exploit other stuff. In that particular case it is even wrong to say it was a "Mac virus", since it was a Java exploit and could have affected any system with Java installed. The point is that it remained unpatched for too long on Apple's Software Update.


OS X != FreeBSD. It has a bunch of userland tools that are ported over from FreeBSD, and IIRC a large part of the network stack is from FreeBSD, but that doesn't mean OS X itself is FreeBSD.


Most of the shared bits of Darwin and FreeBSD are the userland and (I think?) libc.


Good to see Apple not contributing to the "Macs can't get viruses," "Macs can't get spam" misinformation any longer. Users need to learn to defend themselves, not just rely on the OS, which can't really protect users from phishing attacks. Reminds me of this post: http://news.ycombinator.com/item?id=4004154


This is a great step. I am personally pretty hateful of Apple's decisions as far as hardware lockdown and restrictive use, but it's a tradeoff they offer customers and many consider it a good deal.

That aside, being more security minded as opposed to claiming immunity for marketing purposes is a fantastic move and one to be applauded by the tech community.


This article invokes a memory of reading one of PG's essays about the PR machine seeding news stories.

http://www.paulgraham.com/submarine.html


Title should be "Apple (Quietly) Pulls Claims of PC Virus Immunity".


This may be an offshoot of having an engineer as CEO - bringing a degree of rationality to the marketing campaigns.


Being immune to PC viruses used to be a great advantage. You can talk about theoretical possibilities all day long, in practical terms the difference used to be huge. Apple’s marketing exploited that – and why shouldn’t they?

Microsoft, however, has improved massively and that advantage is just no longer there. PC viruses still don’t affect OS X – but they also don’t affect any modern Windows very often.



