Linked by Eugenia Loli on Tue 1st May 2007 00:35 UTC
Privacy, Security, Encryption Dino Dai Zovi, the New York-based security researcher who took home USD b10000 in a highly-publicized MacBook Pro hijack on April 20, has been at the center of a week's worth of controversy about the security of Apple's operating system. In an e-mail interview with Computerworld, Dai Zovi talked about how finding vulnerabilities is like fishing, the chances that someone else will stumble on the still-unpatched bug, and what operating system - Windows Vista or Mac OS X - is the sturdiest when it comes to security.
Thread beginning with comment 235933
To view parent comment, click here.
To read all comments associated with this story, please click here.
Nelson
Member since:
2005-11-29

BECAUSE MAC HAS 2.86 PERCENT OF THE MARKET. That's why she has seen no malware or viruses. I can't speak for the no crashes though, my Windows PC hasn't crashed in a very long time.

If you're just using malware or viruses to gauge security then you're a fool.

Vista was just released, why are you comparing the experience of family members with certainly older versions of Windows (XP and back) and using it as evidence to support your point?

Vista has the improvements, not XP. So whatever experience they had with XP is irrelevant.

Security isn't solely about protecting the user from himself, it's about protecting the user and his data from outside attacks. Appearantly, Vista's built in technologies stop most of these attacks right in their tracks.

Reply Parent Score: 5

theTSF Member since:
2005-09-27

I am not sure if Vista has 2.86% of the market yet... Vista has improvements but we heard the same song and Dance from Microsoft about XP, I remember a contest where MS had a XP Box on the internet and asked people if they could hack it, and they couldn't during the allowed time. They had a similar concept with Linux and Linux got hacked.
Right now Vista is more secure then OS X just because the hackers haven't finishing studying it yet. Mac OS has been out for over a half a decade now. Hackers had time to learn about where OS X is weak and where it is strong.
RIght now most of us need to go by Experience with older systems it is the concept of fool me once shame on you, fool me twice shame on me. The general public has been shammed into using windows for a much larger percent of the population who should. In fair competition Windows Market Share would be around 40%, Linux 30%, OS X 25%, Others 5%. Still the market leader but it is to big for its size. So don't get so frustrated when people are weary about Vista Security clames.

Reply Parent Score: 3

glyj Member since:
2007-04-06

«Windows Market Share would be around 40%, Linux 30%, OS X 25%, Others 5%»

That's the point : the real problem is not that windows is the best (or not) OS around. The problem is that windows is near the monopoly state.


regards,
glyj

Reply Parent Score: 2

sbergman27 Member since:
2005-07-24

"""
BECAUSE MAC HAS 2.86 PERCENT OF THE MARKET. That's why she has seen no malware or viruses.
"""

This point usually gets lost in the noise, but what difference does it make *why* the malware is directed at Windows?

The *fact* is (and I don't think that anyone would dispute this) that the vast majority of malware *is* directed at Windows and Windows users.

I am intentionally avoiding the issue of which OSes have better defenses than others because that is irrelevant to the point I am making.

If you use Windows, the majority of malware is directed at you.

People keep saying "But that's only because it has the most market share" as though that changes this basic fact. It does not. And I wish people would stop acting like it did.

Regardless of the OS's intrinsic security fitness, if you run Windows you have a target painted on your back.

This is not an attack on Windows or its quality, though I do have my own thoughts on that.

There is also the implication that "If $INSERT_OS_HERE had Windows' market share then it would have the same problems".

Maybe... and maybe not.

But that is not important, because I don't think that any other OS ever *could* have that kind of desktop market share, and I suspect that few advocates of Linux, BSD, Mac, or Haiku would *want* to live in a world where one OS, even their own favored one, had such a stranglehold on the market.

Edited 2007-05-01 02:12

Reply Parent Score: 5

twenex Member since:
2006-04-21

Right on ;-)

Reply Parent Score: 2

archiesteel Member since:
2005-07-02

Thanks for bringing this important point up again. I've said this before, but somehow it falls on deaf ears among the MDB...

Reply Parent Score: 2

rayiner Member since:
2005-07-06

BECAUSE MAC HAS 2.86 PERCENT OF THE MARKET. That's why she has seen no malware or viruses.

I don't think marketshare even begins to explain the issue though. Malware is written for two reasons: for recognition and for profit. In the former case, you'd think getting a widely-distributed OS X virus would be good motivation. In the second case, OS X's market share may be only 3%, but it represents millions of computers. There should be enough profit potential in compromising OS X for us to have seen at least a couple of widely-distributed OS X viruses by now!

I can't speak for the no crashes though, my Windows PC hasn't crashed in a very long time.

I maintained a Win 9x machine that almost never crashed either. It's easy to do when its your own machine and you can babysit it. Not so easy to do when you put it in front of somebody who abuses it.

If you're just using malware or viruses to gauge security then you're a fool.

If you're using technical bullet-points to evaluate security than you're an idiot.

Vista was just released, why are you comparing the experience of family members with certainly older versions of Windows (XP and back) and using it as evidence to support your point?

Because Vista is a continuation of the same codebase. The Vista code is basically a superset of the XP code. Many of the defects present in the latter will still remain in the former. Eg: the pointer animation bug posted a few days ago was in code dating back to Win2k.

More generally, there are three important things to remember about software:

1) It's hard to unf--kup a broken system; Security isn't something you add to insecure code, it's something you design into the system.
2) If developer A wrote insecure crap last time, the odds of him writing secure stuff this time around are not great.

Security isn't solely about protecting the user from himself, it's about protecting the user and his data from outside attacks. Appearantly, Vista's built in technologies stop most of these attacks right in their tracks.

We'll see about this when Vista has had some time out in the wild. Who knows, Vista could be another NT 3.1. Or it could be another XP...

Reply Parent Score: 5

Nelson Member since:
2005-11-29

Maybe the marketshare bit was just poking fun ;)

Vista is built off of the Windows 2003 Codebase which (iirc) is an audited version of the XP sourcecode with a lot of buffer overflow exploits found and removed.
I think it's inherently more secure than XP but sure some simple bugs (like the cursor exploit) will remain because it's something that's relatively unchanged from WinXP to WinVista.

I do find it interesting to how the .ani exploit bypassed the /GS, ALSR, etc.. in Windows Vista..

Obviously, things like this will not make Vista bullet proof but it will stop a great deal of it. Point being, that Vista is more secure than XP so comparing your experiences with XP isnt' exaclty accurate.

I agree whole heartedly that you can't insert security into insecure code. it needs to be designed that way. However given the complexity of the Windows Operating System I think that these "obstacles" that exploits now face is a good thing.

The attack surface is greatly minimized from what I can see.

Anyhow, I'm tired and I'll mod you up for a good post.

Reply Parent Score: 3

skingers6894 Member since:
2005-08-10

"BECAUSE MAC HAS 2.86 PERCENT OF THE MARKET. That's why she has seen no malware or viruses."

OK let's assume this is true. At which share of the market do we need to worry? 5%? 10%, 25%, 50%?

I think if that number is anywhere near double digits then it's a security problem that Apple would like to have.

Right now it seems, his mom's mac is safe.

Reply Parent Score: 5

Vargol Member since:
2006-02-28

BECAUSE MAC HAS 2.86 PERCENT OF THE MARKET


iPod's running linux have no market what so ever yet there are more wild viruses for that combo than they are for OSX. Where does that leave you're market share arguement ?

Reply Parent Score: 3

dylansmrjones Member since:
2005-10-02

Anything above 0.5-1.0% is a target for malware. However, at the moment only Windows ships with the API required for malware to work.

Reply Parent Score: 4

Wowbagger Member since:
2005-07-06

Yes and you go on tell me that market share is also the reason that there are more exploits for IIS than Apache, because we all now that IIS has the bigger... oh, wait...

hmmmm I guess that's how the cookie crumbles....

Reply Parent Score: 1

MollyC Member since:
2006-07-04

"Yes and you go on tell me that market share is also the reason that there are more exploits for IIS than Apache, because we all now that IIS has the bigger... oh, wait...

hmmmm I guess that's how the cookie crumbles...."


----------------------------

*sigh* Here we go again.

The security records for IIS6 and Apache 2.x since 2003 (the date that IIS6 was released):

IIS6:
http://secunia.com/product/1438/?task=statistics
Summary: Three advisories, none "highly" or "extremely" critical, all patched.

Apache 2.x:
http://secunia.com/product/73/?task=statistics
Summary: 33 advisories, 3% "highly" critical, 10% unpatched, and 3% only partially patched.

How many times is someone going to bring out the Apache vs IIS canard and get owned? Really, it's old, it's well-known to be a canard, and should no longer be used for your side of the argument.

Edited 2007-05-02 02:21

Reply Parent Score: 2