If the Mac were just as insecure as Windows (which it inherently is NOT), regardless of “market share” or anything other bullshit term to take attention away from the truth, we would already have had some script kiddie somewhere, somehow, breaking a Mac for all the world to see.

And yet, we have silence. No hack from a h4x0r. No word from security companies.

Nothing, anywhere, that can take my machine, fresh out of the box, and after being online for a span of two whole minutes, be pwn’d by someone halfway around the world.

I can however discover the joy of that experience with any Windows box.

Why is it that so many people forget that the core of the Mac’s OS is a *nix? Why do people find it so hard to remember that a ginormous spine of the internet, UUNet, stands for Unix-to-Unix Network. Not Windows to Windows. Unix was already beefing up on network security before Windows even knew what the hell that was.

THAT is the main reason why any flavor of *nix has been, and will continue to be, more secure than any Windows box. Because it’s been attacked, beaten, hurt, melded, and massaged by hackers already interested in all its little holes. And the other side of the fence, the guardians of good code, have reacted with making *nix more reliable, more secure, and able to run like a workhorse better than most anything else out there.

Want a Windows network that’s as secure as an OS X network? Make it a closed loop. Don’t connect it to the outside world. You’ll be fine.

I realize that I am reading a lot between the lines, and conflating some of this with the maybe-maybe-not WiFi fiasco last year, but I read their actions like this:

“There was a WiFi flaw and Apple said it wasn’t a flaw and we said it was a flaw and they said nu-uh and we said uh-huh and then they went all and fixed the bug and said it wasn’t the same bug but that they had gone looking for a bug and found something different than what we had told them was the bug and so we didn’t get the cred’ we deserved and so, d00d, we are like totally going to mess with them this time because they’re all in to, like, you know, not giving credit for problems spotted or we’d have to hold onto all of this prime info-may-shun and then they’d fix it and not give us credit and we were like nun-uh.”

Which is perhaps debatable until Apple goes and fixes the first bug they mention, and credits them for it (which may just have been the most slick security PR act this year since it totally took the wind out of the argument), and then they don’t even update their site to reflect the fix.

And again, even if you granted them their argument about Apple, why did they do the same to the 3rd party apps? What did VLC or Colloquy or Omni ever do to these guys?

From my recollection of those arguments, there were usually 2 (major) camps regarding when to announce security flaws:

1) Announce them as soon as they are found, because the Bad Hacker D00ds probably already know about them and you can alert others and maybe it will force (insert vendor name here) to fix it more quickly.

2) Report it to the vendor with a time-limit as to how long you will hold off disclosing it. See #1 for potential problems with this method.

Most non-zealots (from my observations) leaned towards #2 unless there was something particularly heinous going on (i.e. flaw in IE which could reformat your hard drive) but for the more mundance “If you download this untrusted app/dmg/exe/zip and run it, bad things will happen” prior vendor notification always seemed like the right choice.

“(I think it was something in the attitude of “No we aren’t going to tell Apple about them first, no we aren’t doing to talk to 3rd parties first, no we aren’t going to recognize when someone posts a fix for a bug that we point out.” And then there was the frying balls part. - ed)”

I agree, in my opinion this is not the way to go about vulnerability disclosure. However, this isn’t an Apple specific issue, I recall years ago over on the NTBugTraq mailing list there was a massively heated debate as to whether potential exploits should be disclosed to the public straight away, vendors notified and after a passage of time the public notified or vendors notified and public not told until vendor announced a fix. It probably generated more discussion than any other topic.

“(I’d go even further that that. I believe that if you took OS X, patched as much as possible, and Windows XP, patched as much as possible, I think you would still find OS X to be more secure. Totally secure? No, of course not. But more secure. I could be wrong, but that’s the side of the table I’d put my money on. - ed)”

I use OS X for most of my personal computing, I’m writing this using it now. I totally agree that it is more secure (in fact I said that in my comment). However, that isn’t the real issue…..

“(Increasing? Why increasing? -ed)”

Because to paraphrase Bruce Schneier, security is not an event it is a process. I think that we have already agreed that OS X is secure but not necessarily totally secure. At the moment the majority of the effort is towards breaking Windows, especially now that Vista has launched with the sales pitch that it is “secure”. However, the more Mac users wave their red flag to say that they are immune to hacks the more likely the bulls that dissect systems for fun are going to see if it is true. At the same time, users of OS X may begin to believe the general view that their machines are secure and neglect the security in depth approach.

Perhaps I’m a pessimist but the last thing I want to hear are Windows advocates crowing over the hacked Mac in their hand. In order to ensure that we need to have a proper debate about security, both in the OS and wider in ensuring that more “general users” adopt a layered security approach.

As a footnote, on my 12 mile drive between my work and my home I can locate 150 wireless access points of which 79 are unsecured. If they are running Windows then they are at risk. If they are running OS X they are probably secure but unless we embrace the security debate and encourage people to discuss possible vulnerabilities this may not remain the case.

Of course this may bring us back full circle to whether MOAB was a genuine attempt to help!

(There’s a sentence I don’t hear nearly enough :-) - ed

it was what you learned personally and as I said, or at least tried to say, I agree with much of the post.

However a couple of responses to points raised;

“However, if one of the goals of the MOAB was to show to the average Mac user that OS X is horribly insecure, then the fact that 8 of them weren’t even OS X related, and the fact that most home users don’t really need to worry about the local exploits is not insignificant in the MOAB’s failure “

But was that one of the goals?

(I’m still not sure what the goal of MOAB was for, but at least part of it was to fry Mac users’ balls: See MOAB hacks for more - ed)

One of the criticisms of the response to MOAB is that the Apple community took it personally, as though it were some direct attack on all that was true.

(I think it was something in the attitude of “No we aren’t going to tell Apple about them first, no we aren’t doing to talk to 3rd parties first, no we aren’t going to recognize when someone posts a fix for a bug that we point out.” And then there was the frying balls part. - ed)

However the people behind MOAB had in November also done MOKB (month of kernel bugs) which covered Windows, Solaris, OS X, Linux and many more. That month has much in common with the latest month. Have they “attacked” Apple because they want to “scare” users or have they done MOAB to highlight that no OS is guaranteed to be secure? Will there be a MOSB or a MOLB later in the year? [obviously insert joke about YOWB :-)]

“How much safer is OS X than Windows?” You said “relatively” but I wonder if that is the right word.”

Interesting that you assumed my relative was with respect to Windows. In fact I think that the threats to OSs are not only a factor of their inherent strengths or weaknesses but also reflect their profile and how many people are spending time and effort targeting them. And of course their attackability (if that’s a word). The OS that runs my car is probably far more secure than OS X simply because there are less ways to attack it and fewer people trying to craft an attack. Windows is a massive target because it is a monstrous hack and there are thousands of people worldwide trying to break it. Linux probably falls somewhere close to OS X in the relativity scale.

(See John Gruber’s excellent Broken Windows post for a reply to that argument. - ed)

Your question though was how much safer is OS X than Windows? The problem with that question is that it isn’t that simple. I have both on my home wireless network and I am fairly confident that they are equally safe. That isn’t a function of either OS, it’s because they are behind multiple firewall layers and are both up to date in their patches. Both run Firefox with ad and script blocking add-ons. If you’re asking which is safer if handed out to a new user and exposed to the net in raw state then clearly OS X is more secure.

(I’d go even further that that. I believe that if you took OS X, patched as much as possible, and Windows XP, patched as much as possible, I think you would still find OS X to be more secure. Totally secure? No, of course not. But more secure. I could be wrong, but that’s the side of the table I’d put my money on. - ed)

But that isn’t the point I got from MOAB. The point I take is that OS X is more secure than Windows but that doesn’t mean it is impervious to attack.

(And I think most Mac users except Artie MacStrawman already knew that. So what was gained by it? Are there really any Mac users savvy enough to hear about the MOAB but not already know that OS X has flaws? And if so, can they actually take anything of real value away from the MOAB or does it all sound like a bunch of hokum? - ed.)

If all Mac users know this and take the other precautions such as securing the point of entry of their net connection then all is well. If Mac users continue to assume that their machines are totally safe and don’t cover the other angles then there is an increasing likelihood that they will be exploited.

(Increasing? Why increasing? -ed)

As for Bill’s ranting: I think it shows that Apple’s success is pressuring Microsoft. Bill still wants to live in a world where Linux and Macs sucks - he needs them to exist so Microsoft isn’t an monopoly, but wants them crippled so they can’t compete. Look at all the evidence coming out from the court case Microsoft is involved in and you will see plenty of clear examples of Microsoft wanting to punish Dell for offering Linux, and Microsoft employees thinking that they ought to talk with Apple about iPod/iTunes. Not to mention Microsoft employees who are have talked about wanting to buy Macs, and Microsoft .Net developers who saw Leopard and were blown away.

Let’s no delve into conspiracy theories when there is plenty of evidence as to what Microsoft has done.

Gates is clearly angry about all the times that Vista is being called a Tiger clone. And Leopard will be here soon.