Stop drinking the kool aid. It was never true. OS X was exploit central for years. It was only the BSD base that stopped it from being exploitable from the network. All the client side stuff Apple added for years was RCE-you-like.
Also a fundamental thing about security is the acceptance that security by obscurity is not a defensive measure. Genuine security doesn't rely on it. Smoke and mirrors might scare the wolves for a while but won't keep them away for long.
> For the record, Apple has been working on OS X anti-malware since 2009 when the sixth major release of OS X was released.
That's right, 5 major releases of the OS with no anti-malware effort, and it only became necessary for them to do it when it started to become an issue because people were getting owned.
> It was a pretty cursory effort yes, but considering Microsoft hadn't even released MSE yet at that point it's still not bad.
Don't even bother comparing it to Microsoft. The source operating system FreeBSD has been doing this for years before OSX even existed. Microsoft was doing security way before MSE. MSE was held back because it had the potential to damage industry partner relationships. If Apple releases an AV no-one cares. If MS releases a good enough AV product the AV industry jumps up and down because MS just stole their lunch.
> In other words, Apple is both helping users to have a more secure experience (what do you think Gatekeeper is for?)
Apple is not helping users to have a more secure experience. It's helping users to have a more controlled experience - the controller being Apple. Gatekeeper is not a security measure, it's a tool designed to lock users into the Mac App Store. Do you really think that an App in the Mac App Store has no way of being malicious? Have you not seen what can be done by an app in iOS?
I'll be the first to point out that OS X was never _fundamentally_ more secure than Windows, and, to some degree was demonstrably _less_ secure than Windows 7.
But, "It was never true. OS X was exploit central for years." is hyperbole. The OS X platform has been remarkably free of exploits, for a system that didn't go out of its way to enhance security.
I think most of us would agree that the greatest security feature of OS X was its niche presence - just wasn't an attractive target, so nobody targeted it.
It was always true, and it was a tangible benefit. Your arguments rely on it being considered "genuine" security or an effective defensive measure. It's not. That doesn't make it false, or not a benefit to end users.
> and it only became necessary for them to do it when it started to become an issue because people were getting owned.
What were people getting "owned" (ffs, I thought this was HN?) by in Snow Leopard? Care to provide a real world example, because I know you're full of shit. There was no well known dangerous trojan/malware/virus for SL that had any notable number of infections. The anti-malware in SL was a preventative measure.
> Don't even bother comparing it to Microsoft.
Watch me. I don't care about the reasons behind it, the long and short of it is Apple introduced an anti-malware system in OS X before it was a big issue and Microsoft pushed it until 2012, long after they've had countless brutally utilized exploits.
> If MS releases a good enough AV product the AV industry jumps up and down because MS just stole their lunch.
So MS sold out their customers to please their partners? Yeah keep trying to spin that one. And I'M the one drinking the kool-aid.
> Apple is not helping users to have a more secure experience.
Yes they are. FFS, you don't even understand what Gatekeeper is. FYI, it's not just the Mac App Store. Do some research before you continue to run your mouth.
> Do you really think that an App in the Mac App Store has no way of being malicious?
Of course not. Does it have a much, much, much smaller chance? Absolutely. Is it far and away the most effective measure against malware besides not installing anything? Also true.
> Have you not seen what can be done by an app in iOS?
An App Store app? No I haven't, care to demonstrate?
Dropbox, Skype, and Microsoft Office being distributed through App Store would be a hallelujah moment for me beyond all other hallelujah moments.
A staggering number of people I meet either can't get the job done, are too intimidated to start, download some malicious garbage, get waylaid by virus scareware, have no idea how to get the app into /Applications, get frustrated with Auto-Start naggers, freak out on Sparkle update dialogs, or never figure out how to pin the app to the dock.
Mac App Store is the answer to a lot of questions nobody "in the know" has had to ask in a decade or three.
I wish to debate for a bit. You're technically right on so much of this but keep coming to Apple-sucks conclusions that I don't feel are warranted.
Let's grant this: if malicious code can start executing on OS X as a regular user, it's game over. There are so many ways through the floor it's almost trivial. (the presence of BSD tools being largely irrelevant since there were far easier ways in the door that are guaranteed to be installed)
And let's grant this: Apple has been very late in rolling out explicit malware detection and removal systems.
And let's grant this: Microsoft understands what they're up against when it comes to security. Malware damaged the Windows XP install base to the point where it was necessary to stop production on their #1 moneymaker in order to rescue it.
I can't support your assertion that Gatekeeper is a power grab. The defaults on 10.8 allow any and all signed software bundles to be installed regardless of where they came from.
Mac App Store can at the very least "prove" that apps are only able to call public APIs, there's a minor but real financial and logistical barrier to entry, and developers and apps can be revoked. All apps must be sandboxed (for better and for worse) and updates must come through a known source.
As for the argument that Apple is doing security by obscurity, I think they've been doing fine. To review the ways I know of to trash a Mac: Drive by web plugin attack, network attack, e-mail attachment attack, tricked into authenticating Installer.app.
I think we can all agree that all major OSes are a lot better about controlling ports open by default nowadays.
Web: Safari is sandboxed. Flash is sandboxed. Extensions are sandboxed and signed. All out of date flash plugins are purged automatically at system boot. Java has basically been disabled across the entire Mac ecosystem. In-line PDFs are handled by the OS.
Disk Mounter refuses to mount known bad .dmgs. Installer.app has a blacklist. Both of these update nightly. System Update will shortly match the default policies and cadence of Windows Update.
PDFs are handled by a sandboxed built-in App, short-circuiting the nightmare that is Adobe Acrobat Reader. There's no AutoRun concept for mounted volumes. ASLR at multiple levels is in use. Signed frameworks are in use. Etc, etc, etc.
I'd argue that a Mac out of the box being used by a novice operator is pretty well protected, with more to come. And these novice operators are the ones who do the most damage to software platforms by blindly installing shit. Apple's straightjacket provides better results for them.
Finally, iOS: the ivory-est of all ivory towers. Name an app that's done real-world damage, because I haven't heard of one.
OS X was very safe (I won’t dare to make any claims about security) for a long time exactly because PC viruses couldn’t touch it. That’s a real and practical benefit. OS X users didn’t have to deal with viruses. To an extent that is still true – but it has now also become true to an extent for Windows users: They also don’t have to deal with viruses any longer, even if they take no precautions at all (at least most of the time). So that advantage has disappeared and if Apple continues to move so slowly the balance might tip.
Still, I can’t find anything wrong with the marketing language they used.