Macbook vs. PC in China

[imron]

Macs are simply considered safer, because there are less Mac users than Window users.

A common misconception that is not true.

Macs are more secure because they are built on a more secure operating system - namely the BSD variant of Unix. Out of the box, they make a clear distinction between power users and limited users, and everything a user can do/change without needing to input their password/switch to a super user, is restricted to their own settings and home folder.

Compare this to Windows XP, where by default the user is the administrator. Yes, Windows XP can be made to operate more safely, by running as a limited user, and this alone prevents a large number of viruses and malware, however it is worth noting that this is not the default behaviour and is not the way that the majority of XP users have their machines configured. It's also worth noting that even when running as a limited user in Windows XP, you still have access to the documents and settings folders for all the other users on that computer (including the administrator) unless that person has explicitly configured their folders to be private (contrast this again with OSX/Unix, where users are limited to their own home directories). Vista has made improvements in this regard, but there are enough XP boxes out their that still make this a problem.

Then you have other aspects such as clearly defined boundaries by which applications communicate with each other. Compare this to Microsoft, which tries to tightly integrate all of its separate products together. For example, the way IE was tightly integrated with the underlying operating system which was done so that Microsoft could use its monopoly to wipe out the competition (Netscape) while arguing to the DoJ that IE was an integral part of the OS and couldn't be removed. Although things are improved in later versions of IE, with sandboxing and the like, this tight integration has been a nightmare for Windows in terms of both the security and stability of the OS.

Then we have Outlook and Outlook Express, and the idiocy of allowing scripting in emails, not to mention tightly-coupled scripting between Outlook and other Office programs such as Word, that that allowed macros in Word documents access to a user's address book and the ability to send emails. Then there was the feature that hides the file extension for registered file types, so a mass-mailing script file that was actually loveletterforyou.txt.vbs appeared to be a text file called loveletterforyou.txt -- the list goes on and on.

What it comes down to is that Microsoft has a history of trying to tightly integrate all of its products together, and that has usually happened without any thought to the security implications of doing so.

Anyway, I'm not trying to say that Macs don't have security problems, or that no-one can hack into Macs (they can and do). However, it requires a great deal more skill to do so for a Mac/Unix machine than it does for Windows, and people with those skills are usually gainfully employed with high salaries, and aren't the types to write viruses.

It may well be that when the number of Mac users increase, the attractiveness of the user base will cause spammers and the like to spend serious money on developing viruses and trojans. In the meantime however Macs have less viruses not just because they have a smaller user-base, but also because they are built on a more secure foundation than Windows and because it requires considerably more skill to write a Mac virus than it does to write a Windows one.

[peekay]

As a former committer to the FreeBSD project (which OSX userland is based-upon) -- and a current information security consultant -- I can say categorically that Macs are not inherently secure or even realistically "more secure" than modern Windows.

In fact in many areas Apple is way behind Microsoft when it comes to security. Also there is a growing threat of browser-based exploits which renders all systems equally vulnerable, regardless of the underlying OS.

Users should always practice "safe computing" such as running their computers behind a router/firewall, always be aware of phishing scams & don't download random programs / codecs / drivers from the internet.

And yes I'm a Mac user in China.

ps. "Virus" (malware) writers make a lot of money. Crime does pay, unfortunately.

[renzhe]

As a former committer to the FreeBSD project (which OSX userland is based-upon) -- and a current information security consultant -- I can say categorically that Macs are not inherently secure or even realistically "more secure" than modern Windows.

This may be true for a committed and capable hacker with a plan, but I'd maintain that writing a "nimda"-like worm is orders of magniture more difficult for a BSD system than for Windows.

The default MacOSX mailer doesn't automatically execute Office macros, for example. That alone is HUGE.

[Senzhi]

This may be true for a committed and capable hacker with a plan

Unfortunately, in the internet crime business they all are.

[peekay]

Timely article:

http://news.cnet.com/8301-1009_3-10154662-83.html

Interestingly: "China unseated the U.S. as the country hosting the largest number of malicious Web sites for the first time last year."

[renzhe]

You have to love security reports like that:

- All Linux versions ever released put together: 10%

- All MacOSX versions ever released put together : 10%

but:

- MS Windows 2000: 5%

- MS Windows 2000 SP1: 4%

- MS Windows 2000 SP2: 3%

- MS Windows XP Personal: 5%

- MS Windows XP Professional: 3%

- MS Windows XP Enterprise SP1: 1%

........

[peekay]

Are we discussing the same security report? I'm not sure what those percentages mean as they're not in any part of the report that I can see?

[renzhe]

The reports says this:

Apple OSX Server - 14.3

Apple OSX - 14.3 (these two are most likely exactly the same bugs)

Linux kernel - 10.9

Solaris - 7.3

Win XP - 5.5

Win 2003 - 5.2

Win Vista - 5.1

Win 2000 - 4.8

Win 2008 - 4.1

Apple is counted twice, all Linux is counted together, but every version of Windows is counted separately.

That's deception, pure and simple.

[peekay]

Take a deep breath, let your biases aside, and read the report again.

There is a good reason why the numbers are represented as percentages. It doesn't matter if the same Apple bug might be counted "twice", because it's then divided by the two listed versions. In fact one single Windows bug might be similarly counted five times in the tabulation, one for each version of Windows listed.

You know, 2/2 == 5/5. Simple math.

The reason the versions are broken up that way has to do with the way vendors report vulnerabilities, not because of (as you claim) "deception" from IBM. Why would IBM care to deceive you or anyone else, anyway?

[renzhe]

You are talking about the top table, where the vulnerabilities are averaged. I was talking about the bottom table.

But still, such a number is hardly meaningful because it doesn't tell you how vulnerable you are if you are running a given version of an operating system (for example, whether you're safer running the later Mac or the latest Vista). It's not that IBM is deceiving people, it's just that reports like this one are often misleading if they are interpreted to mean anything else than the sum of vulnerability reports.

The report itself states that the severity and patch availability for the vulnerabilities is not taken into account. Which is the most important factor.

[peekay]

No, like you I'm taking about the bottom table, or more specifically, Table 7: "Operating Systems with the Most Vulnerability Disclosures, 2008" on Page 40 of the actual report.

And contrary to your statement, the (106-page) report goes into very detailed discussions on severity ratings (including pros and cons of CVSS scoring) AND patch availability issues.

Personally I'm more interested in parts of the report which mention China, now that China is the #1 malware hoster. It's not clear for me if Chinese-hosted malware still primarily target people in the West or if there's a growing trend of malware directed within China domestically (or both.)

[renzhe]

I was referring to the article linked, which states "to add that report does not list which vendors and operating system platforms had the most unpatched vulnerabilities.", not the 106 page report that I cannot find linked on that page.

But we're not only getting off-topic, but I suspect that we don't really disagree on basic issues. Every operating system is vulnerable, and every user should be educated about security issues and patch their system regularly.

It's just that I feel much safer about patching my Linux daily than waiting for a large patch every 6 months.

[gato]

Here's a link to the full IBM report:

http://www-935.ibm.com/services/us/iss/xforce/trendreports/

The IBM X-Force Trend and Risk Report

The report notes of the emergences of more exploits based on Adobe Acrobat Reader and Flash, something to watch out for. There is also a mention of a widespread exploits that preys on a flaw in Quicktime.... But most exploits are still focused on Internet Explorer and ActiveX.

Personally I'm more interested in parts of the report which mention China, now that China is the #1 malware hoster. It's not clear for me if Chinese-hosted malware still primarily target people in the West or if there's a growing trend of malware directed within China domestically (or both.)

Malware are very prevalent on Chinese websites. The best and easiest defense is stop using Internet Explorer. I would only use Internet Explorer on Chinese websites if I absolutely, absolutely have to.

[Xiwang]

A friend of mine had a lot of bad pixels on his Mac notebook computer and just had it repaired at the service center in Beijing with no problems. The Mac was purchased in Beijing and had an international Apple warranty.

The repairs took less than a new week and included a replacement of the computer LCD screen. He was very happy with the result.