Opinions from Burton Group's CEO and Research Chair
August 05, 2006
Can You Say "BackLash"?
It’s been interesting to watch the reaction to the Apple
MacBook security breach demonstration at the recent Black Hat conference. David
Maynor (who’s with SecureWorks) and Jon Ellch (a graduate student) showed how one
could exploit a vulnerability in a MacBook’s wireless device driver to gain
control of the computer. I found a good, chronological breakdown of the events
behind the story by Jason D. O'Grady on ZDNet. According to O’Grady’s post,
Apple pressured Maynor and Ellch into using a third-party wireless adapter in
an attempt to defuse the damage. It turns out that the flaw is in the default
drivers that come with a MacBook.
First, let me say this: It’s fair to say that the Mac (OS X,
in particular) has security advantages over Windows. I will stipulate that some
of those advantages come from better operating system architecture. But I think
it’s equally fair to say that some of those advantages come from simply not
having been so squarely in the line of fire. So when I see Apple's current round of TV ads that claim
viruses and other security problems don’t affect Macs, I
can’t help but think that some conniving coder somewhere is saying to his or
her television, “Oh yeah? Watch this.” (By the way, those ads are hilariously
lampooned here, but if you’re language sensitive, you might want to steer clear. Thanks to Diana Kelly for the link.)
As Macs gain in popularity, they will also gain the attention of folks who intend to do harm. These folks go where the money is, so to speak, and so when enough people use Macs, they’ll get much more serious about attacking Macs. (The same thing is happening to Firefox.)
In that light, one could argue that the ads are a disservice to the general populace. As this story on the E-Commerce Times site notes, Apple’s marketing campaign could easily leave less-security-savvy people thinking they don’t have to worry about security at all. And as some of us have learned the hard way, the illusion of security can be far worse than a known lack of security. When it comes to security, ignorance is not bliss. And in the case of the Mac, Apple may be setting itself up for a big backlash.
To wit, Maynor and Ellch pointed directly to Apple’s ads, and what they called Apple’s “security smugness” as direct motivation for the demonstration. (In other words, “Oh yeah? Watch this.”)
This quote from the E-Commerce Times story provides more food for thought:
“Out of the box, a Mac is more secure than Windows,” Scott Carpenter, director of security labs at Secure Elements, told MacNewsWorld.
“The problem is, Apple has been fostering a campaign telling consumers they don’t have to worry about security if they use a Mac. They are not any more or less secure about vulnerabilities in their code than Windows, but they like to pretend that they are,” he observed.
Noting that Apple has some smart security people on its staff, Carpenter suggested there might be “a behind-the-scenes war between them and marketing about the image a Mac should project.”
He voiced another big gripe about Apple’s approach to security: “Microsoft will tell you the criticality of a certain patch. Apple refuses to tell you if a patch is critical or not. It won’t even tell you if it is a fix to vulnerability or whether it is just a problem in the code. Their attitude is, ‘Just trust us.’”


