Blog Insights: Hack-A-Mac contest and the Mac faithful
What bloggers are saying about the latest in information technology
There is plenty of righteous indignation around the blogosphere this week in response to the CanSecWest "hack-a-Mac" contest. Of course, the inevitable happened, and a software engineer named Shane Macaulay, along with his associate Dino Dai Zovi, won the prize, hacking into a MacBook through a zero-day security flaw in Safari. The response varies from "say it ain't so!" to just plain "it ain't so."
Unfortunately, regardless of platform, denial is the biggest security flaw of all. Corporate America is full of IT managers who put up a firewall and some anti-virus software, then forget they exist, believing that's all they need. Managers sometimes get lulled into a false sense of security because they think their platforms are unhackable, or they think their firewall will provide absolute protection under all circumstances, or that their internal users are trustworthy when they are not. Security czars will tell you the best policy is to trust nothing and no one. That means Macs, too.
Some Windows cheerleaders are blowing raspberries to Apple cheerleaders, noting that just before the contest, Apple released a security update that repaired 25 vulnerabilities, and that this was the fourth security update for the Mac OS this year. In all fairness, I can't fault Apple for releasing the security updates. Operating systems are huge monstrosities of code, and it's virtually impossible to foretell all possible flaws and vulnerabilities ahead of time. Flaws are inevitable. They are inevitable on Windows, and they are inevitable on the Mac. I am not worried that Apple released security patches. On the contrary, I would be very worried if they had not.
Macaulay agrees. In an interview with eWeek, he said, "there's nothing special about one platform that makes it impervious to vulnerabilities." In fact, Macaulay said in the interview that he is primarily a Mac user.
That there have been security patches simply means that the Mac engineers are doing their jobs. The Mac marketing people, on the other hand, trivialize security, which can be dangerous. If you believe your platform is impenetrable, you will get lazy. You'll create simple passwords that can be guessed. Maybe you won't bother to tighten up your firewall policies, or won't bother to get the latest antivirus updates. And once you go down that slippery slope, you're going to get hacked. Yes, even if you're running a Mac.
The chatter in response to the CNet blog on the contest is, regrettably, full of denial, with participants claiming that it was not a legitimate flaw, it didn't happen, and Apple is God and therefore infallible.
There are fewer attacks against the Mac than there are against Windows PCs. And while it's fair to say that Apple does a good job on security, the main reason that there are fewer attacks on the Mac OS is that there are fewer Macs. Attackers are, for the most part, in it for the money. They are opportunistic, and will go for the biggest return, and there's simply less financial reward involved in hacking Macs. If Macs were the dominant platform in business, they would be the primary target, and the illusion of airtight security currently enjoyed by the Mac would fall to Windows PCs by default.
ITworld.com







