It's been almost three weeks since I last wrote here...I'm pretty bad. But I'm taking a week off from video games, so I may end up writing more in the next few days. Then again, maybe not.
I wanted to say some more about that security stuff my last post was about. AJ got me reading the entire comment chain, and it was pretty interesting. There were a lot of excuses from Mac lovers, some thoughtful responses, plenty of gleeful finger pointing from PC users, plenty of Mac people saying "fine, fine, we were inferior this time around. But will you please stop with the gloating?", and finally PC users saying "No way! We've put up with your gloating for years. Take some yourselves." All of that is beside the point.
I did think it significant what the comment stream revealed about attitudes among the various users. Many people thought the contest wasn't fair because the MacBook didn't have its firewall on. But guess what, that's the configuration out of the box. Now, when I originally thought of writing this follow-up (a few weeks ago), I was going to start by conceding that Windows probably does have more bugs and security holes. But while doing some research for work today, I ran across this article. There's a link at the top to the original report that goes into the methodologies, in case you don't trust the nice graph right there. But the graph is the thing. I mean, look: in the first year OSX 10.4 had 157 security vulnerabilities and 116 were fixed. The various Linux distributions had hundreds. Windows XP had 119 vulnerabilities, and 65 of them were fixed. Vista had only 66 vulnerabilities, and 36 of them were fixed.
Now, the full report mentions that this isn't some absolute measure of security, which is correct. But it's the only area where we've actually got solid data, and they show that prevailing opinion is actually completely backwards! I find that rather curious. Not that Microsoft doesn't have major things to fix in their whole business architecture, but they are getting the security thing right.
Now, the primary points I'm getting at don't really have to do with that. I was just astounded to find that the point I was prepared to concede turns out to be completely wrong. The point I want to get at is the security culture surrounding the various Operating Systems.
Windows users are pretty good any more. We've long thought our machines are the most insecure pieces of junk around (even though that looks untrue now), so we tend to be good about running antivirus software and turning on firewalls. In fact, Windows has a built-in firewall that's turned on out of the box, and comes with a free 90-day subscription to Norton antivirus, with it running out of the box. OSX has a firewall, but it is deactivated out of the box. As far as I know, it also has nothing in the way of antivirus software.
Likewise, Microsoft is good about doing security updates. They have a regular release schedule, and they even have a tool once a month that scans for and removes the most common worms, trojans, and bots. Apple's security policy started out with trying to ruin the careers of security experts who find and report vulnerabilities. They've advanced from there, but they seem to exist more on the hype of "we're invulnerable" than any actual plan to deal with vulnerabilities.
What's most dangerous about that attitude is that it gives the user a false sense of security. It's been said that the weakest link in computer security is between the monitor and the chair, and that's rather true. Like I mentioned before, Windows users have a bit of paranoia now. On the other hand, most Mac users I know do not take any steps beyond the automatic ones. Have you turned on your firewall? Do you run antivirus software? Even if there aren't attacks yet, it's the same as how, when I was learning to drive, I learned to check around my car before changing lanes. Guess what? I'm from a small town. Paso has three, maybe four roads that are two lanes each way, and no roads larger than that. So that wasn't a particularly useful habit for me there. But I moved to southern California, and those habits have kept me from getting into auto accidents. Likewise, you Mac users should build good security habits now, before your platform starts getting targeted.
Seriously, I'm perfectly fine with you using your Macs. That whole "Apple is hip" vibe got annoying sooo long ago, but that's rather beside the point. Rather, believe the stats rather than any hype, and develop good security habits, no matter your OS.
PS: I also found out today that Vista does address space layout randomization. That makes all those buffer overflow attacks much more difficult. OSX 10.5 has what seems to be a stepping stone on the path to ASLR. In any case, it's pretty cool that the companies have started to finally do it.