Linked by Thom Holwerda on Thu 20th Dec 2007 21:42 UTC
Privacy, Security, Encryption
It's the time of year again, folks. "The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5). But to get some perspective on how many publicly known holes were found in these two operating systems, I've compiled all the security flaws in Mac OS X and Windows XP and Vista and placed them side by side. This is significant because it shows a trend that can give us a good estimate for how many flaws we can expect to find in the coming months." Do with it as you please.
Amazing the comments
by christianhgross (2.2) on Thu 20th Dec 2007 21:56 UTC
christianhgross
Member since:
2005-11-15
Fans: 1

I read the article and thought, ok. Yeah Apple is experiencing growing pains. BUT look at the number of comments. WOW!

The problem I see here is that Apple users are a bit too rabid...

Folks this is called growing pains. Apple is finally becoming a major OS provider and hardware provider. As such they will have more problems.

I know I have, since my Apple notebook is a lemon. While I could blame Apple, and I do, I do accept it as growing pains. Will I buy another Apple? No, or at least not at the prices they charge. If the prices come down (quite a bit) then why not....

RE: Amazing the comments
by aliquis (3.52) on Fri 21st Dec 2007 00:55 UTC in reply to "Amazing the comments"
aliquis Member since:
2005-07-23
Fans: 0

Why do you get more bugs because you sell better?

Many of those bugs seem to be "oh, this is a bug in program xxx which can also run on OS X."

RE: Amazing the comments
by kaiwai (1.36) on Fri 21st Dec 2007 05:27 UTC in reply to "Amazing the comments"
kaiwai Member since:
2005-07-06
Fans: 19

The problem I see here is that Apple users are a bit too rabid...


First of all, I'm an Apple user, and I'm far from rabid - so please do not make gross generalisations about a large section of consumers; for me, sure, I own an iPod, a MacBook and an AEBS, but nothing else. They were purchased on the basis that they did what I want rather than any sort of slick marketing (considering that Apple's marketing in NZ is almost non-existent).

As for too rabid, I don't know what forums you hang out in, but Apple users are persistently the first ones out there to launch a jihad on Apple if there is the slightest flaw in a product. I mean, heck, there was a person whining because the sides of the MacBook weren't bevelled enough! There was another complaining that the brightness isn't perfect. If these were regular PC users they would have moved on and thought, "oh well, it's to be expected".

Oh, and as for your laptop being a lemon - that's a side effect of mass production, there will always be faults - ring up Apple and get it repaired or replaced. Yes they test it, but damage could have occurred during transit. Life moves on, and the world continues spinning. Apple isn't immune to the occasional lemon being shipped.

RE[2]: Amazing the comments
by OMRebel (2.92) on Fri 21st Dec 2007 15:09 UTC in reply to "RE: Amazing the comments"
OMRebel Member since:
2005-11-14
Fans: 0

Come on. You know that's not true. While you may not be quick to exhibit the famous "Apple fanboy" attitude, you really can't deny that the majority (even on this site) are quick to be very vocal about anything that may put Apple in even the slightest bad light. They are fanatics, in every sense of the word, and it is intellectually dishonest for you to deny that.

RE[3]: Amazing the comments
by protagonist (3.6) on Fri 21st Dec 2007 19:11 UTC in reply to "RE[2]: Amazing the comments"
protagonist Member since:
2005-07-06
Fans: 0

You seem to be the one being "intellectually dishonest" here. Replying to something one feels to be not entirely correct does not make one a "fanboy". If that were the case then everyone quick to reply to a negative comment about Vista would be a Vista fanboy.

I also use a Mac and I do reply to a number of assertions that I feel are not justified about Macs. I suppose you will call me a fanboy, but that does not make it the truth. I do like my mac, but I also like my other computer running BSD and Linux. This is being posted via my BSD installation. I spend a lot of time using it.

Anyway, to get to the point, while the article does provide some interesting statistics it only provides part of the information needed to determine how secure an OS really is. If you remember, MS recently came out with a study that they said proved IE was more secure than Firefox. http://www.heise-security.co.uk/news/99955 They used the same metric to make that claim, the number of reported vulnerabilities. But interestingly, when you looked at the time that critical vulnerabilities went unpatched, IE was not even close to being as secure as Firefox.

What we now need is the same information about the OS vulnerabilities. How long was each OS in an insecure state from the critical vulnerabilities and were there any exploits in the wild during this time? People believe what they want regardless of the facts. You will probably dismiss me as a fanboy for that very reason. All I can say is that it has been my experience that security on a Windows machine has been more of a problem than it has been on any other OS I have used in recent years.

RE[2]: Amazing the comments
by Johann Chua (2.72) on Fri 21st Dec 2007 15:22 UTC in reply to "RE: Amazing the comments"
Johann Chua Member since:
2005-07-22
Fans: 0

On philmug.ph, the posters can be rather quick to turn mean and ugly for little to no reason. One of the head moderators, Adel Gabot, once wrote an article about how Mac users were morally superior to mere peecee users since they actually PAY for the software they use, unlike the unwashed masses who buy pirated CDs.

Like there aren't any bootleg CDs for Mac software.

Much as I love Macs, I really can't stand Apple, or other Mac users sometimes.

Edited 2007-12-21 15:24

RE[3]: Amazing the comments
by kaiwai (1.36) on Sat 22nd Dec 2007 00:47 UTC in reply to "RE[2]: Amazing the comments"
kaiwai Member since:
2005-07-06
Fans: 19

On philmug.ph, the posters can be rather quick to turn mean and ugly for little to no reason. One of the head moderators, Adel Gabot, once wrote an article about how Mac users were morally superior to mere peecee users since they actually PAY for the software they use, unlike the unwashed masses who buy pirated CDs.

Like there aren't any bootleg CDs for Mac software.

Much as I love Macs, I really can't stand Apple, or other Mac users sometimes.


How is that any different to the 'open source zealots' who post how they're morally superior because they insist that all the software they use is open source?

Any zealot when taken to the extreme causes idiots to run amok, but check out MacRumors, AppleInsider, Ars Technica - because philmug.ph means nothing in the grand scheme of things, it's a small site with hardly any users - it's the equivalent of someone pointing to my blog and making conclusions about a whole set of people off one website.

Look through the websites I've provided, check the Mac sections, and you'll find that when things are anything but perfect, the most rabid of fanboys will come out and be the first to abuse Apple.

PS. Check who is saying that Leopard is broken - I can assure you, it isn't the newly converted.

Edited 2007-12-22 00:50

RE[4]: Amazing the comments
by Johann Chua (2.72) on Wed 26th Dec 2007 07:03 UTC in reply to "RE[3]: Amazing the comments"
Johann Chua Member since:
2005-07-22
Fans: 0

They're who I might have to deal with in real life, face to face. Maybe they just have horrible netiquette or whatnot.

There's a certain sMUGness some Mac users have, and yes it's probably a vocal minority like Linux/BSD zealots. Doesn't help with my headaches.

This is significant?
by WereCatf (4.12) on Thu 20th Dec 2007 22:05 UTC
WereCatf
Member since:
2006-02-15
Fans: 7

This is significant because it shows a trend that can give us a good estimate for how many flaws we can expect to find in the coming months.

What can you actually deduce from such numbers? It looks like OS X has gotten the most bugfixes but you can't really deduce the reason for that from the numbers! It could be almost any reason whatsoever: they just might have more bugs than Windows, or they might just dedicate more people to fixing bugs, or people are more willing to report bugs to Apple or... Nah, completely useless numbers. Interesting? Perhaps to some. But useful? Not in any way except for those who try to spread FUD either way.

EDIT: Forgot to add that we CAN'T even estimate how many flaws will be fixed in the "coming months" either: maybe there will be just as many bugs found, or maybe they have fixed them all now and there won't be so many bugs left to fix, or the difficulty of the upcoming bugfixes might change radically or.. Just come up with more if you please.

Edited 2007-12-20 22:08

RE: This is significant?
by andrewg (2.96) on Thu 20th Dec 2007 22:13 UTC in reply to "This is significant?"
andrewg Member since:
2005-07-06
Fans: 1

Please. Nobody has put in better processes to ensure secure software - see the Microsoft Security Development Lifecycle.

Microsoft learnt their lesson years ago, and as the processes they have put in place have taken root, the security of their software has improved. Apple ignored the lessons of Microsoft until recently and is starting to pay for it despite their small market share. Apple only recently (1 year ago) advertised for a security expert, i.e. someone to head up their security efforts. Hopefully Apple can get their quality up before their users start suffering because of their short-sightedness.

RE[2]: This is significant?
by WereCatf (4.12) on Thu 20th Dec 2007 22:24 UTC in reply to "RE: This is significant?"
WereCatf Member since:
2006-02-15
Fans: 7

I don't CARE which one has better security frameworks or anything as I am a Linux user myself. All I was saying is that one can't realistically determine absolutely anything from those numbers for the reasons I already explained. You can't prove me right with those numbers, but you can't prove me wrong either..

RE[3]: This is significant?
by alexandru_lz (3.2) on Fri 21st Dec 2007 14:31 UTC in reply to "RE[2]: This is significant?"
alexandru_lz Member since:
2007-02-11
Fans: 0

I don't CARE which one has better security frameworks or anything as I am a Linux user myself. All I was saying is that one can't realistically determine absolutely anything from those numbers for the reasons I already explained. You can't prove me right with those numbers, but you can't prove me wrong either..

From my own experience, both as a programmer having to deal with security issues and as a sysadmin in my high school days (ugh...), it simply begs for me to scream: the security frameworks, locks, cryptographic engines, armors, patches, security advisories and everything else are, in terms of measuring security, completely irrelevant. It's exactly as it happens with planes: you can put eight engines on a pile of concrete. If they don't get the right fuel, are all placed so that they face each other and the only thing the pilot can control is the altitude, it won't fly.

We are talking basically about security on a desktop computer, or a small server, not a bank's server, not the FBI's files (does anyone actually use OS X Server for huge datacenters and the like? I'm not calling OS X Server dumb, I'm simply thinking in terms of where it's really relevant). In this case, the only relevant security test is placing Random J Idiot in front of the keyboard and letting him surf the net, watch porn or whatever else he wants. The more secure computer is the one that still boots after three months, without sending broadcasting and browser histories over the Internet.

Yes, from a statistical point of view, this is very gross: it's a combination of how the system shields itself from dumb users, security by obscurity, low marketshare and so on. However, it still boils down to this: Mac users have very little malware to deal with.

Yes, in the long term, they might (and, considering how OS X is more of a big hack than a smart OS, there are serious chances that they will), but the future tense is essential to our discussion. Apple has to watch out for the bugs they might have -- and from the amount of bugfixes, it seems like they are watching out -- while Microsoft is still having to get rid of the bugs they already have.

On the other hand, I can't help seeing the mandatory receivers of the fsck off prize. This isn't Microsoft FUD, no conspiracy, and certainly not a mind-twisting invention -- OS X has holes, which are more or less relevant, more or less critical and so on, which is really to be expected from something that comes loaded with a pile of open source software. What these people don't seem to understand is that a patched bug is no longer a security issue. An unpatched, yet-to-be-discovered bug is, however, a security issue.

RE[2]: This is significant?
by diegocg (4.88) on Thu 20th Dec 2007 22:38 UTC in reply to "RE: This is significant?"
diegocg Member since:
2005-07-08
Fans: 4

I don't know how many security experts Apple has or how good their security processes are.

But they certainly have brilliant engineers that know how to design good software that is not crap. They don't give root privileges to everybody like Microsoft did in XP. They don't determine if a file is executable just by looking at the extension of the file.

I'll take an Apple system over one from Microsoft any day, I've more confidence in the Apple engineers. Sure, they've made security mistakes like anyone else, but their software is better suited to avoid "by-design" attacks.

RE[2]: This is significant?
by pixel8r (2.52) on Fri 21st Dec 2007 01:47 UTC in reply to "RE: This is significant?"
pixel8r Member since:
2007-08-11
Fans: 0

Please. Nobody has put in better processes to ensure secure software - see the Microsoft Security Development Lifecycle.

Microsoft learnt their lesson years ago, and as the processes they have put in place have taken root, the security of their software has improved. Apple ignored the lessons of Microsoft until recently and is starting to pay for it despite their small market share. Apple only recently (1 year ago) advertised for a security expert, i.e. someone to head up their security efforts. Hopefully Apple can get their quality up before their users start suffering because of their short-sightedness.


Hahahahahahahahahahahahahaha

haven't laughed like that in ages!

Someone claiming that MS must have more secure software because of their "security policy"??! They've had a security policy since they started producing Windows... what difference does it make? Even with this new policy, we still see products like Vista hitting the shelves. Not saying it's bad, but it has just as many vulnerabilities as XP.

I agree that this report means nothing. Zilch.
MS don't report all their known vulnerabilities. I thought everyone was aware of this. Apple likely DO report them because they also likely FIX them too. MS fix their bugs but don't release them until the next service pack, which just happens to introduce a ton of new "features" and with it, new bugs.

Nothing new here. Funny that these numbers are still being posted even though the last 999999 times they were put on here, people said the same thing. It's irrelevant, so Thom, please stop linking the same crap over and over.

Proof Please!
by linumax (5.12) on Fri 21st Dec 2007 16:49 UTC in reply to "RE[2]: This is significant?"
linumax Member since:
2007-02-07
Fans: 0

"MS don't report all their known vulnerabilities. I thought everyone was aware of this."

Not that I'm saying you're lying or anything, but please provide proof for what you just said.

The fact that you think everyone is aware of it does not constitute proof. When the source is not there, we just don't know what is in the patches/service packs.

All that matters, and all we know, is that assessing security by counting vulnerabilities is not a valid approach.

Edited 2007-12-21 16:50

RE[2]: This is significant?
by borker (3.36) on Fri 21st Dec 2007 16:58 UTC in reply to "RE: This is significant?"
borker Member since:
2006-04-04
Fans: 2

yup, so the fact that you can now brick a laptop through activeX

http://computerworld.com/action/article.do?command=viewArticleBasic...

is a good example of MS improved security practices?

RE[3]: This is significant?
by mind!dagger (2.16) on Fri 21st Dec 2007 17:32 UTC in reply to "RE[2]: This is significant?"
mind!dagger Member since:
2007-06-26
Fans: 1

Yes. It is significant. Too many of the "armchair" systems administrators on this website, from observation, believe in the all-in-one-basket way of thinking.

Imagine an entire state college or university system, which generally locks into a single hardware provider or manufacturer, that has purchased HP servers and desktop systems. They come in one morning to find all the HPs have been bricked by a design flaw in the hardware, software or both.

Yes, it can happen to Apple and other hardware providers. I am not in denial.

The next thing you know the CIO, vice presidents, presidents, deans, department heads, faculty and a huge population of students want to roast your `Chest Nuts` over an open fire, a torch or anything else they can find. Your job is now history just because some engineer failed in quality control at a corporation; and you did not have the vision to use more than one brain cell.

The solution?

Try not to lock yourself into just a single hardware or software provider. If everyone is thinking alike, then someone isn't thinking. Simplicity does not reduce vulnerabilities in the IT trade. Diversity increases success and sustainability.

Edited 2007-12-21 17:46 UTC

RE[4]: This is significant?
by borker (3.36) on Fri 21st Dec 2007 19:27 UTC in reply to "RE[3]: This is significant?"
borker Member since:
2006-04-04
Fans: 2

The OP was on the subject of improved MS practices WRT security. The fact that an avenue like activeX allows for the bricking of a machine would suggest that not much has changed in practical terms concerning the security of MS based systems.

RE[2]: This is significant?
by tryphcycle (0.04) on Fri 21st Dec 2007 20:04 UTC in reply to "RE: This is significant?"
tryphcycle Member since:
2006-02-16
Fans: 1

"Apple ignored the lessons of Microsoft until recently"


What are you talking about! Apple built OS X on top of BSD.... that alone proves they DID learn from MS's mistakes! (Didn't MS build NT on top of a variant of cheese?)

RE: This is significant?
by tomcat (2.16) on Fri 21st Dec 2007 18:02 UTC in reply to "This is significant?"
RE[2]: This is significant?
by WereCatf (4.12) on Fri 21st Dec 2007 18:10 UTC in reply to "RE: This is significant?"
WereCatf Member since:
2006-02-15
Fans: 7

The reasons, quite frankly, are irrelevant. I could care less why the security exploits exist. What I care about is whether Apple is doing anything to mitigate against similar risks in the future. But, clearly, getting defensive about quality issues -- as you're clearly doing here -- is counter-productive. You can pretend that quality problems don't exist but, in the end, the quality problems do exist. So, just acknowledge that Apple needs to focus more closely on this problem. That isn't FUD. It's simple common sense.

Umm... Why would I get defensive? I have said it several times that I am a Linux user and I don't even own a Mac.. Duh. I just said that one can't deduce anything conclusive whatsoever from such numbers: not against Mac OS X nor Windows. And no, I don't like Microsoft but I still do defend Windows too when someone tries to bend the truth or just plain spreads FUD. I just wish everyone did that regardless of what OS they run.

RE[3]: This is significant?
by tomcat (2.16) on Fri 21st Dec 2007 18:24 UTC in reply to "RE[2]: This is significant?"
RE[4]: This is significant?
by WereCatf (4.12) on Fri 21st Dec 2007 20:15 UTC in reply to "RE[3]: This is significant?"
WereCatf Member since:
2006-02-15
Fans: 7

, consequently, it needs to focus on quality to reverse the trend.

Nope, it doesn't say anything about the quality of the underlying platform itself. There are just too many factors to consider when counting the numbers that it's impossible to just claim that one OS is better than the other just because it has had fewer security updates.

hm
by SK8T (2.4) on Thu 20th Dec 2007 22:21 UTC
SK8T
Member since:
2006-06-01
Fans: 1

Does that mean they list the found and patched ones? That would be a good result for Mac OS X.


If these are just the found but unpatched ones, this is bad.

Back in the real world..
by GStepper (3.4) on Thu 20th Dec 2007 22:22 UTC
GStepper
Member since:
2006-03-08
Fans: 1

For one MacBook hacked (rewarded $10000), how many plain PCs got hacked in the real world for free???

How long can your Windows XP box survive cruising the internet without third-party tools (anti-spyware, anti-virus, real firewall...)???

I saw the case many times at work, it's a question of a minute before your screen is full of pop-ups...

Is OS X more secure than Windows??? I don't know and I don't care, and the author's article doesn't answer this question; instead it uses numbers to give his point of view some credit.
Sorry, but I don't buy it.

I use several OSes on a daily basis (mostly UNIX based) and though they all have flaws (and related patches, bugfixes) they are stronger (out of the box) than their Windows counterparts...

RE: Back in the real world..
by sappyvcv (2.36) on Thu 20th Dec 2007 22:57 UTC in reply to "Back in the real world.."
sappyvcv Member since:
2005-07-06
Fans: 11

I saw the case many times at work, it's a question of a minute before your screen is full of pop-ups..

Sure, maybe pre-SP2.

RE[2]: Back in the real world..
by stestagg (2.76) on Fri 21st Dec 2007 00:47 UTC in reply to "RE: Back in the real world.."
stestagg Member since:
2006-06-03
Fans: 2

For an unpatched XP vanilla machine placed on the internet, without opening Internet Explorer, the average time before the machine is exploited, is much less than a minute.

RE[2]: Back in the real world..
by GStepper (3.4) on Fri 21st Dec 2007 01:24 UTC in reply to "RE: Back in the real world.."
GStepper Member since:
2006-03-08
Fans: 1

Thank you for your reply, but sure, I see SP2 boxes that have the same issues... (again without any third-party tools). Don't get me wrong, Windows XP (never really used Vista) can be used in a secure way and can be a great system, but it needs either some tweaking and/or third-party tools and educated users.

RE[3]: Back in the real world..
by sappyvcv (2.36) on Fri 21st Dec 2007 03:12 UTC in reply to "RE[2]: Back in the real world.."
sappyvcv Member since:
2005-07-06
Fans: 11

SP2 systems don't get hijacked "in minutes" is what I meant. Most people running SP2 systems that are infected are so because they blindly click things.

RE: Back in the real world..
by aliquis (3.52) on Fri 21st Dec 2007 01:09 UTC in reply to "Back in the real world.."
aliquis Member since:
2005-07-23
Fans: 0

I ran my XP box without a firewall for quite some time, nothing happened, but then my ISP blocks port 135 and maybe a couple of others, for what that is worth. I've also run without antivirus and antispyware for even longer with no huge issues, but then I don't download questionable programs which I haven't heard of earlier and so on..

Anyway it doesn't matter, people run with a firewall and antivirus, and just because a bunch of people haven't decided to automate the process of owning Macs doesn't make them more secure. It still sucks if you are at risk. I would actually much rather be turned into a drone of millions used to blackmail corporations or for DDoS attacks than have someone who actually cared about my machine and data own me.

RE[2]: Back in the real world..
by GStepper (3.4) on Fri 21st Dec 2007 01:34 UTC in reply to "RE: Back in the real world.."
GStepper Member since:
2006-03-08
Fans: 1

Thank you for your response.

1) You had issues (your words "no huge" imply issues).
2) More importantly, you seem to be some kind of educated user since you can detect "questionable programs".

Now you use an XP box without a firewall, without AV or AM, and you're not behind a router (we all know that using a router gives attackers more trouble) and still you never had issues... I'm sorry, I don't believe you, and even if you're right you certainly don't represent the vast majority of Windows users I was referring to.

Complete bullshit
by diegocg (4.88) on Thu 20th Dec 2007 22:22 UTC
diegocg
Member since:
2005-07-08
Fans: 4

The vulnerability stats in the OS X side include:

- OS X *server* vulnerabilities: Apache, PHP, MySQL, BIND, SquirrelMail
- 3rd party software like Java or Flash
- Really old OS X versions
- CVE duplicates

I discovered this by just clicking a few CVEs. Didn't the author even look at some of his own links? Obviously not. Or worse: he did, but he wanted to generate controversy to get more visits. Oh well, he has succeeded.

Hey, and OS X may certainly have more vulnerabilities than Vista/XP, but you won't guess that from that list.

Edited 2007-12-20 22:26
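Two points raised earlier in this thread, the time an OS spends exposed to an unpatched critical flaw (protagonist's post) and the four ways a raw advisory list misleads (server-only components, bundled third-party software, obsolete versions, duplicate CVE entries, as listed just above), can be made concrete in code. The following is an added example, not from the thread or the linked article; the advisory records, component labels and CVE ids are constructed placeholders, and the "days of risk" measure used here is the disclosure-to-patch window, summed over qualifying flaws.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Report date used by the stand-alone run below (constructed).
REPORT_DATE = date(2007, 12, 20)


@dataclass(frozen=True)
class Advisory:
    """One vendor advisory entry as it might be scraped from an update list."""
    cve: str
    component: str           # constructed labels: "os", "server", "third_party"
    version: str             # product branch the fix applies to
    severity: str            # one of SEVERITY_RANK
    disclosed: date          # public disclosure (or vendor acknowledgement)
    patched: Optional[date]  # None means still unpatched as of the report date
    exploited_in_wild: bool = False


# Constructed sample input. The CVE ids are obvious placeholders, not real CVEs.
SAMPLE: List[Advisory] = [
    Advisory("CVE-PLACEHOLDER-01", "os", "10.5", "critical",
             date(2007, 3, 1), date(2007, 3, 15)),
    # The same CVE listed twice (e.g. once per architecture or per bulletin).
    Advisory("CVE-PLACEHOLDER-01", "os", "10.5", "critical",
             date(2007, 3, 1), date(2007, 3, 15)),
    # A server-only component that a default desktop install never exposes.
    Advisory("CVE-PLACEHOLDER-02", "server", "10.5", "high",
             date(2007, 5, 10), date(2007, 5, 12)),
    # A bundled third-party runtime, counted for one platform but not the other.
    Advisory("CVE-PLACEHOLDER-03", "third_party", "10.5", "critical",
             date(2007, 6, 1), date(2007, 6, 20)),
    # A fix for an obsolete branch that appears in the same update feed.
    Advisory("CVE-PLACEHOLDER-04", "os", "10.3", "moderate",
             date(2007, 2, 1), date(2007, 2, 5)),
    # An unpatched critical flaw with known exploitation: the case that matters.
    Advisory("CVE-PLACEHOLDER-05", "os", "10.5", "critical",
             date(2007, 8, 1), None, exploited_in_wild=True),
    Advisory("CVE-PLACEHOLDER-06", "os", "10.5", "low",
             date(2007, 9, 1), date(2007, 9, 2)),
]


def normalize(advisories: Iterable[Advisory],
              components: Set[str], versions: Set[str]) -> List[Advisory]:
    """Drop duplicate CVE ids, then keep only the components and product
    branches that are actually part of the install being compared."""
    seen: Set[str] = set()
    kept: List[Advisory] = []
    for adv in advisories:
        if adv.cve in seen:
            continue
        seen.add(adv.cve)
        if adv.component in components and adv.version in versions:
            kept.append(adv)
    return kept


def days_of_risk(advisories: Iterable[Advisory], as_of: date,
                 min_severity: str = "critical") -> int:
    """Total days the install was exposed: disclosure to patch, or to the
    report date for anything still unpatched, summed over qualifying flaws."""
    floor = SEVERITY_RANK[min_severity]
    total = 0
    for adv in advisories:
        if SEVERITY_RANK[adv.severity] < floor:
            continue
        end = adv.patched if adv.patched is not None else as_of
        total += (end - adv.disclosed).days
    return total


def exploited_unpatched(advisories: Iterable[Advisory]) -> List[str]:
    """CVE ids that are both unpatched and known to be exploited."""
    return [a.cve for a in advisories
            if a.patched is None and a.exploited_in_wild]


def summarize(advisories: List[Advisory], as_of: date,
              components: Set[str], versions: Set[str]) -> Dict[str, object]:
    """Side by side: the raw count a headline would quote versus the
    normalized count, exposure window and live-exploit picture."""
    clean = normalize(advisories, components, versions)
    return {
        "raw_count": len(advisories),
        "normalized_count": len(clean),
        "critical_days_of_risk": days_of_risk(clean, as_of),
        "exploited_unpatched": exploited_unpatched(clean),
    }


if __name__ == "__main__":
    # Compare a current desktop branch only, as the article's headline did not.
    report = summarize(SAMPLE, REPORT_DATE, {"os"}, {"10.5"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the raw count of 7 shrinks to 3 once duplicates, server-only and third-party entries and the obsolete branch are excluded, and the single unpatched, exploited flaw accounts for almost all of the exposure window.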

RE: Complete bullshit
by dreamlax (2.16) on Thu 20th Dec 2007 23:28 UTC in reply to "Complete bullshit"
dreamlax Member since:
2007-01-04
Fans: 1

I'd noticed that too. The fact is, I have a virtually untouched (i.e. very little 3rd party software) OS X installation. I've enabled the Apache server, Windows and FTP file sharing and run both Safari and Firefox, and have never experienced any issues at all.

To be honest, I have not had too many issues with Windows XP SP2 either.

RE: Complete bullshit
by aliquis (3.52) on Fri 21st Dec 2007 01:10 UTC in reply to "Complete bullshit"
aliquis Member since:
2005-07-23
Fans: 0

Java and Flash come with the OS on a Mac though... But yes, they should probably be counted on Windows as well since people use them anyway.

RE[2]: Complete bullshit
by MollyC (3.36) on Fri 21st Dec 2007 04:41 UTC in reply to "RE: Complete bullshit"
MollyC Member since:
2006-07-04
Fans: 36

"Java and Flash come with the OS on a Mac though... But yes, they should probably be counted on Windows as well since people use them anyway."

Except that the Mac's JVM is made by Apple and includes extras like the Java-Cocoa bridge (now unsupported) that provide a larger attack surface. The Windows JVM is made by Sun and contains no extra code regarding the Windows API (which is what Sun sued MS over in the first place). So flaws in the Mac's JVM can't be assumed to be present in JVMs of other OSes, since those flaws could be Apple's doing. And fixing the Mac JVM is Apple's responsibility, and Apple does fix their JVM via their Security Updates, while Sun is responsible for shipping updates for the Windows JVM.

(Side note: Windows doesn't ship with a JVM, though OEMs normally do bundle Sun's. And IIRC, XP has always shipped with Flash, though it's whatever the current version was as of 2001, so normally new XP users have to upgrade the Flash component to a modern version.)

Should we include linux also???
by rakamaka (1.64) on Thu 20th Dec 2007 22:31 UTC
RE: Should we include linux also???
by WereCatf (4.12) on Thu 20th Dec 2007 22:34 UTC in reply to "Should we include linux also???"
WereCatf Member since:
2006-02-15
Fans: 7

Which Linux distro? Starting from which version number? Do we include all the server software also or just the default "desktop install"? Nuh-uh. That still wouldn't be comparable or fair towards any of the OSes in question.

RE[2]: Should we include linux also???
by MollyC (3.36) on Thu 20th Dec 2007 23:26 UTC in reply to "RE: Should we include linux also???"
MollyC Member since:
2006-07-04
Fans: 36

"Which Linux distro? Starting from which version number? Do we include all the server software also or just the default "desktop install"? Nuh-uh. That still wouldn't be comparable or fair towards any of the OSes in question."


Well, let's just go with Red Hat.
http://www.redhat.com/security/updates/

OK, to be more specific, let's go with Red Hat Enterprise Linux:
http://www.redhat.com/security/updates/errata/

There are a lot of distros listed on this page, so let's get even more specific, and go with RHEL Desktop Workstation (v. 5 client), which was released this year:
https://rhn.redhat.com/errata/rhel-client-workstation-errata.html

Wow! Security updates a-plenty! And that's in less than one year. Makes both Windows and Mac look like Fort Knox by comparison. :p


Just for grins, let's look at an older distro, Red Hat Enterprise Linux WS (version 4), released in 2005 just to see how many security updates there have been over a longer period of time.
https://rhn.redhat.com/errata/rhel4ws-errata.html

Good Gravy!! I thought Linux was "Secure By Design". :p

Relax, Linvocates, just having a bit of fun. ;)

Edited 2007-12-20 23:34

stestagg Member since:
2006-06-03
Fans: 2

Windows and Mac look like Fort Knox by comparison. :p

That sounds interesting. In what universe, does number of security updates equate to security?

So, for example: Fort Knox installs/updates its security measures once a month (let's say). My garden shed has never changed its security. Ergo (using your reasoning) my garden shed is more secure than Fort Knox.

RE[4]: Should we include linux also???
by raver31 (4.28) on Fri 21st Dec 2007 07:19 UTC in reply to "RE[3]: Should we include linux also???"
raver31 Member since:
2005-07-06
Fans: 13

Hmmm, I see your sarcasm detector was switched off when you read MollyC's comment.

archiesteel Member since:
2005-07-02
Fans: 23

That sounds interesting. In what universe, does number of security updates equate to security?


Why, the MS PR universe, of course...

Now, I don't see Linux mentioned in the article. Gee, I wonder how come we ended up on this off-topic subject? Oh, yeah, we were brought here by some infamous anti-Linux FUDsters who don't even understand that there is *much* more non-OS software installed with a default Linux desktop/server than there is on a Windows install.

Have no fear: the brave members of the Microsoft Defense Brigade won't let a mere technicality as truth stand in the way of their message...

WereCatf Member since:
2006-02-15
Fans: 7

That sounds interesting. In what universe, does number of security updates equate to security?

So, for example: Fort Knox installs/updates its security measures once a month (lets say). My garden shed has never changed its security. Ergo (using your reasoning) my garden shed is more secure than Fort Knox.


That's simply the best analogy I've ever read regarding this issue! ;) It's rare that I crack up laughing when reading comments but that sure made my day ^^ Damn, I guess I gotta start keeping all my valuables in a cardboard box since it's so much more secure than any bank or vault available :3

WereCatf Member since:
2006-02-15
Fans: 7

Wow! Security updates a-plenty! And that's in less than one year. Makes both Windows and Mac look like Fort Knox by comparison. :p

Of course there'll be lots of security updates if you include the updates for _everything_... Besides, is lots of updates a good or a bad thing? I'd actually go for good thing cos IMHO that shows that at least there's a lot of people working all the time to make sure that it is and stays up-to-date and secure. But that still is just an opinion, it's not a fact as such, which just can't be drawn from any number of updates. And as I said, it's unfair towards all the OSes in question to even compare them based on their number of security updates: it's perfectly clear that there will be quite a slew of updates all the time for OSS software just simply cos there are so many people working on them! Also the whole development model of those proprietary OSes vs. Linux is so fundamentally different that one can't really say anything definite when comparing them.

Geesh, I wish people would stop this utter BS of comparing OSes based on the number of security updates... IT SIMPLY PROVES NOTHING EITHER WAY! If one really _must_ compare OSes, do it based on their merits and features supported..

Johann Chua Member since:
2005-07-22
Fans: 0

Sarcasm works best when you put real snark into it.

Just a helpful hint from me to you.

FUD FUD FUD FUD FUD FUD FUD
by Sabon (2.68) on Thu 20th Dec 2007 22:41 UTC
Sabon
Member since:
2005-07-06
Fans: 1

More BS FUD from a company posing as independent but actually working for Microsoft. Obviously they are getting us to fall for posting on here about this extremely lame article.

I have several Macs which my wife and I use with no AV or AM (anti-mallware) and have never had a problem with anything successfully attacking my Mac. Heck, I never even see something attacking my Mac. But then something could be there doing nothing and waiting for Jan 7th at 10:03 am on 2036 to do something bad to my Macs.

Probably not. Just more FUD.

RE: FUD FUD FUD FUD FUD FUD FUD
by google_ninja (2.56) on Thu 20th Dec 2007 22:47 UTC in reply to "FUD FUD FUD FUD FUD FUD FUD"
google_ninja Member since:
2006-02-05
Fans: 13

Exploits and malware are two different things. If you want to wreak maximum damage (which is the goal behind most virii) or want to set up a botnet for more commercial reasons, you are going to go after the operating system with the most users. Why would you make a worm to attack 11% of the computers on the net, when you could make a worm that could hit 80%? This is not the first time someone has taken the time to point out to us how insecure the platform is (remember MOAB?) The fact of the matter is that at this point, Apple doesn't NEED to be secure. It is when the marketshare hits 20-30% that they need to start taking security seriously.

RE[2]: FUD FUD FUD FUD FUD FUD FUD
by Hank (1.96) on Thu 20th Dec 2007 23:22 UTC in reply to "RE: FUD FUD FUD FUD FUD FUD FUD"
Hank Member since:
2006-02-19
Fans: 0

The fact of the matter is that at this point, Apple doesn't NEED to be secure.

That's a cop-out and you know it. All OS software needs to be secure in the net-centric age.

Edited 2007-12-20 23:23

RE[3]: FUD FUD FUD FUD FUD FUD FUD
by wirespot (3.28) on Fri 21st Dec 2007 03:28 UTC in reply to "RE[2]: FUD FUD FUD FUD FUD FUD FUD"
wirespot Member since:
2006-06-21
Fans: 2

What's more, all security should be built from the ground up, by design, not by trial and error. If it's not meant to be broken into it should not be possible to do it.

RE[4]: FUD FUD FUD FUD FUD FUD FUD
by Doc Pain (2.76) on Fri 21st Dec 2007 06:38 UTC in reply to "RE[3]: FUD FUD FUD FUD FUD FUD FUD"
Doc Pain Member since:
2006-10-08
Fans: 6

"What's more, all security should be built from the ground up, by design, not by trial and error. If it's not meant to be broken into it should not be possible to do it."

In principle, you're right. Trial and error is not a programming concept.

But on the other hand, security is not a state, it's more a process. Complete security can only be achieved by disconnecting a PC from Internet connections and removing external media drives.

As you know from the UNIX world, OS developers did great jobs creating systems that are very safe by default. One concept here is "all closed by default, enable what you need" instead of "all open by default, close something when problems occur".

The weakest part inside the security chain resides between the chair and the mouse. :-)
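The two firewall philosophies named in the post above ("all open by default, close something when problems occur" versus "all closed by default, enable what you need") can be shown side by side in a few lines. This is an added example and not code posted in the thread; the addresses, the management network, the port numbers and the set of listening services are constructed for the illustration.

```python
"""Added example, not from the thread: the "all open by default" and
"all closed by default" policies modelled in plain Python.  Addresses,
ports and the listening services below are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str         # remote source address
    dst_port: int    # local destination port
    proto: str = "tcp"


# Ports the host actually listens on (constructed).  8080 is a service that
# showed up later and nobody reviewed: the case the two policies differ on.
LISTENING = {22, 80, 8080}

# Policy A, "all open by default": block only ports known to have caused trouble.
BLOCKLIST = {135, 139, 445}

# Policy B, "all closed by default": enumerate what is needed, and from where.
ALLOW_RULES = [
    (ip_network("0.0.0.0/0"), 80),       # the web server is meant to be public
    (ip_network("192.0.2.0/24"), 22),    # ssh only from the (assumed) management net
]


def default_allow(pkt: Packet) -> bool:
    """Accept unless the destination port is on the blocklist."""
    return pkt.dst_port not in BLOCKLIST


def default_deny(pkt: Packet) -> bool:
    """Accept only if some allow rule matches both the source and the port."""
    src = ip_address(pkt.src)
    return any(src in net and pkt.dst_port == port for net, port in ALLOW_RULES)


def exposed_services(policy, src: str, listening=LISTENING) -> set:
    """Listening ports that a host at `src` can reach under `policy`.
    This is the attacker's view of the box, whatever the admin believes."""
    return {p for p in listening if policy(Packet(src, p))}


if __name__ == "__main__":
    stranger, admin = "203.0.113.9", "192.0.2.5"
    print("default-allow, from anywhere :", sorted(exposed_services(default_allow, stranger)))
    print("default-deny,  from stranger :", sorted(exposed_services(default_deny, stranger)))
    print("default-deny,  from admin net:", sorted(exposed_services(default_deny, admin)))
```

Under the blocklist policy the unreviewed 8080 listener is reachable from anywhere the moment it starts; under the allowlist it is unreachable until someone deliberately adds a rule for it. The caveat a practitioner would add: default-deny narrows what is reachable, it says nothing about the quality of the web server that is still exposed on port 80.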

RE: FUD FUD FUD FUD FUD FUD FUD
by gjames (2.25) on Thu 20th Dec 2007 22:53 UTC in reply to "FUD FUD FUD FUD FUD FUD FUD"
gjames Member since:
2005-07-07
Fans: 0

And I have had a number of Windows computers since the release of XP and none of them have run Anti-Virus or Anti-Malware software and I've never had a problem with them... all this proves is that I'm a sensible user and know about the various security threats that exist.

In the real world however there are people (lots of people) who think "Oh, cool, look at this video player that lets me watch porn... I'll just type in my administrator password, my bank account number, my national insurance number...".

RE[2]: FUD FUD FUD FUD FUD FUD FUD
by wirespot (3.28) on Fri 21st Dec 2007 03:34 UTC in reply to "RE: FUD FUD FUD FUD FUD FUD FUD"
wirespot Member since:
2006-06-21
Fans: 2

And I have had a number of Windows computers since the release of XP and none of them have run Anti-Virus or Anti-Malware software and I've never had a problem with them... all this proves is that I'm a sensible user and know about the various security threats that exist.


No, it proves that you have little green leprechauns guarding your household. Because I fail to see how the fact that you are "a sensible user" and "know about the various security threats" (wow) magically manages to protect your computers. Do you actually do something to protect them yourself? Do you take measures of some kind? What do you do, stand in front of the UTP wire with a baseball bat and look mean? Did you perhaps forget to mention that your ISP runs a tight firewall? Or that your computers are behind a router? Because otherwise, a naked XP SP2 on a public IP, no antivirus, no firewall, equals not your box anymore. If that's not the case, consider giving the little green men their due credit, dude.

RE[3]: FUD FUD FUD FUD FUD FUD FUD
by WereCatf (4.12) on Fri 21st Dec 2007 12:30 UTC in reply to "RE[2]: FUD FUD FUD FUD FUD FUD FUD"
WereCatf Member since:
2006-02-15
Fans: 7

Or that your computers are behind a router? Because otherwise, a naked XP SP2 on a public IP, no antivirus, no firewall, equals not your box anymore. If that's not the case, consider giving the little green men their due credit, dude.

Won't you people stop bashing XP when you yourself clearly don't have a clue? I am a Linux user first and foremost but I do use XP to play games (Linux sucks for gaming). I installed XP SP2, it had the firewall on by default so no problems there... There is a router in my network but it was acting as a plain bridge so it means there was no NAT involved. I didn't install any security software on the machine either. It worked just fine for half a year before the hardware itself malfunctioned. Now, you're either saying I'm a liar or that I had some green leprechauns too? Nope, XP isn't as insecure as you claim. Sure it has its issues but most of them are caused by the USER!

RE[4]: FUD FUD FUD FUD FUD FUD FUD
by wirespot (3.28) on Fri 21st Dec 2007 22:44 UTC in reply to "RE[3]: FUD FUD FUD FUD FUD FUD FUD"
wirespot Member since:
2006-06-21
Fans: 2

Well I sure stand corrected. If you say so it must be true. I must have dreamed about all those times I've seen XP boxes infected with my own eyes, after being connected directly to the net without a firewall and antivirus.

RE[3]: FUD FUD FUD FUD FUD FUD FUD
by gjames (2.25) on Fri 21st Dec 2007 13:35 UTC in reply to "RE[2]: FUD FUD FUD FUD FUD FUD FUD"
gjames Member since:
2005-07-07
Fans: 0

Yep, behind a router performing NAT. I do have a particularly good ISP however and they probably do run a very tight firewall... I wouldn't consider paying £20 a month to anyone that didn't.

Again though... what is it with people on this site and their attitudes? Are they just unable to put together a coherent argument or comment without being demeaning or acting like children? Pathetic!

RE[4]: FUD FUD FUD FUD FUD FUD FUD
by wirespot (3.28) on Fri 21st Dec 2007 22:41 UTC in reply to "RE[3]: FUD FUD FUD FUD FUD FUD FUD"
wirespot Member since:
2006-06-21
Fans: 2

Let me get this straight. You came out in public and said clueless things and still you are upset that someone would put you down for it? Why is that?

RE[4]: FUD FUD FUD FUD FUD FUD FUD
by Soulbender (3.6) on Sun 23rd Dec 2007 12:55 UTC in reply to "RE[3]: FUD FUD FUD FUD FUD FUD FUD"
Soulbender Member since:
2005-08-18
Fans: 15

I do have a particularly good ISP however and they probably do run a very tight firewall...


You think your ISP is running a firewall for you? Boy, are you delusional.

RE[2]: FUD FUD FUD FUD FUD FUD FUD
by Doc Pain (2.76) on Fri 21st Dec 2007 06:34 UTC in reply to "RE: FUD FUD FUD FUD FUD FUD FUD"
Doc Pain Member since:
2006-10-08
Fans: 6

"And I have had a number of Windows computers since the release of XP and none of them have run Anti-Virus or Anti-Malware software and I've never had a problem with them..."

Sorry, I may tell you that this claim does not have any value because you simply cannot tell if you have any problem. Most malware works in the background so the user of the compromised PC does not notice anything - this is intended for the malware running in the background and doing its job.

Formalized: Security issue = { yes | no | can't tell }

Trinary logic.

Because "Windows" usually does not provide sufficient means of diagnostics you cannot gain any knowledge about what's going on inside your system. So it's not very educated to state "I have no problems" while you really don't know.

Compare it to a traffic light that you cannot see. It is either red or green, but without looking at it, you don't know in which state it is.

And man, viruses don't say "echo Looking for Sybille" anymore. :-)

" all this proves is that I'm a sensible user and know about the various security threats that exist."

No, this doesn't prove this statement, although it's completely possible that you are a sensible user with knowledge about security issues.

It proves that you cannot tell.

But it could also imply that you are an irresponsible user that does not care about how he is a threat to others on the Internet.

"I don't care. I have my dancing elephants, my porn video playing and I can download MP3 for free. Viruses? No, I don't have any." *ring* *ring* "Hello, Sir, this is the FBI. You've been reported to be running a file server that shares child pornography. May we have your PC for evidence please?" Oops...

In Germany, users of "Windows" got convicted because they did run an illegal file sharing system. They claimed to have no knowledge about this, but they were sure they had no virus or malware issues, because they didn't care.

I'm sure you know what I've tried to say.

RE[3]: FUD FUD FUD FUD FUD FUD FUD
by gjames (2.25) on Fri 21st Dec 2007 13:44 UTC in reply to "RE[2]: FUD FUD FUD FUD FUD FUD FUD"
gjames Member since:
2005-07-07
Fans: 0

As I said above, I am behind a router performing NAT, the only conceivable way a virus could take control of my computer is if I was to download a trojan or some ActiveX control. I use Firefox, and I rarely download any software.

I do know a little bit about network traffic analysis however, and my router does provide extensive logs... I am confident that there is no malware on my computer.

Regardless, your point is valid... but even with Anti-Malware software installed you still don't KNOW that your system isn't infected. How long did Sony's rootkit hide out before someone discovered it? Your point also applies to ANY computer system attached to a public network... that means Linux and OS X too. So unless the users of those platforms are running Anti-Malware software even they can't be sure that their systems aren't infected. (And even WITH Anti-Malware software you STILL CAN'T be SURE).
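Doc Pain's three-valued "security issue = { yes | no | can't tell }" and gjames' claim that the router's logs let him rule out malware meet in the same piece of code: a triage routine over NAT logs that returns "suspicious", "no evidence" or "can't tell" rather than "clean". This is an added example, not something posted in the thread. The log format, the internal and external addresses, the thresholds and the indicators (a desktop talking SMTP to many hosts, or connecting to plain IRC ports, both common botnet patterns of the period) are assumptions made for the illustration; the sample lines are constructed, not captured.

```python
"""Added example, not from the thread: triage of constructed router/NAT
log lines with a three-valued verdict.  Log format, addresses, ports and
thresholds are assumptions for this illustration."""
import re
from collections import defaultdict

# Assumed log format, one NAT translation per line (constructed):
#   "Dec 21 13:40:01 router nat: OUT tcp 192.168.1.10:49152 -> 198.51.100.7:443"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ nat: (?P<dir>IN|OUT) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SMTP_FANOUT = 3              # distinct mail servers one desktop talks to before we care
C2_PORTS = {6667, 6668, 6669}  # plain-text IRC: assumed here as the C2 indicator

VERDICT_SUSPICIOUS = "suspicious"
VERDICT_NO_EVIDENCE = "no evidence"
VERDICT_UNKNOWN = "can't tell"

# Constructed sample: a desktop that starts sending mail to many hosts and
# joins an IRC server, next to ordinary HTTPS and DNS traffic.
SAMPLE_LOG = """\
Dec 21 13:40:01 router nat: OUT tcp 192.168.1.10:49152 -> 198.51.100.7:443
Dec 21 13:40:03 router nat: OUT udp 192.168.1.10:51000 -> 192.0.2.53:53
Dec 21 13:40:05 router nat: OUT tcp 192.168.1.10:49153 -> 203.0.113.21:25
Dec 21 13:40:05 router nat: OUT tcp 192.168.1.10:49154 -> 203.0.113.22:25
Dec 21 13:40:06 router nat: OUT tcp 192.168.1.10:49155 -> 203.0.113.23:25
Dec 21 13:40:09 router nat: OUT tcp 192.168.1.10:49156 -> 198.51.100.66:6667
"""

# Constructed sample with only ordinary traffic.
CLEAN_LOG = """\
Dec 21 14:01:01 router nat: OUT tcp 192.168.1.10:49200 -> 198.51.100.7:443
Dec 21 14:01:02 router nat: OUT udp 192.168.1.10:51001 -> 192.0.2.53:53
"""

# Constructed sample from a router that only logs inbound hits on the WAN side.
INBOUND_ONLY_LOG = """\
Dec 21 14:05:00 router nat: IN tcp 203.0.113.5:4444 -> 192.168.1.10:445
Dec 21 14:05:01 router nat: IN tcp 203.0.113.6:4445 -> 192.168.1.10:135
"""


def parse(lines):
    """Return (records, skipped): parsed dicts and the count of unparsable lines."""
    records, skipped = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records, skipped


def triage(lines):
    """Return (verdict, notes).  The verdict is never 'clean': the best the
    log can say is that it holds no evidence of the patterns we looked for."""
    records, skipped = parse(lines)
    outbound = [r for r in records if r["dir"] == "OUT"]
    if not outbound:
        # Inbound-only logging cannot answer "is this box calling home?"
        return VERDICT_UNKNOWN, ["no outbound records: the log cannot answer the question"]

    findings = []
    smtp_peers = defaultdict(set)
    for r in outbound:
        if r["proto"] == "tcp" and r["dport"] == 25:
            smtp_peers[r["src"]].add(r["dst"])
        if r["proto"] == "tcp" and r["dport"] in C2_PORTS:
            findings.append(f"{r['src']} connected to IRC port {r['dport']} on {r['dst']}")
    for src, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT:
            findings.append(f"{src} sent SMTP to {len(peers)} distinct hosts (spam bot pattern)")

    notes = list(findings)
    if skipped:
        notes.append(f"{skipped} unparsable line(s) ignored; verdict covers parsed records only")
    return (VERDICT_SUSPICIOUS if findings else VERDICT_NO_EVIDENCE), notes


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("clean", CLEAN_LOG), ("inbound-only", INBOUND_ONLY_LOG)):
        verdict, notes = triage(log.splitlines())
        print(f"{name:13s} -> {verdict}")
        for n in notes:
            print("   ", n)
```

The design point is the third value. A log that only records inbound hits, or one the router rotated last night, gives "can't tell", not "clean"; and "no evidence" is scoped to the indicators the code looked for, which is all any log review, or any anti-malware scan, can honestly claim.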