The Myth of Apple's Insecurities 


 


By Paul Venezia:

In case you missed it, there's a virus for the iPod. Yep, that's right, your MP3 player is a veritable hotbed of virus activity -- but only if you're running the iPod Linux distribution, and only if you take great pains to make the virus function, since it doesn't really work. We can argue about whether or not this code actually constitutes a virus, but that's not the point I'm trying to make.

The point here is that if it has a CPU, hackers will try to break it, and virus writers will try to write a virus for it. Given that there are probably only a few hundred -- maybe a thousand -- iPods running Linux out there, the fact that someone took the time to write this virus, or malicious code is an example of why Apple detractors clamoring that Macs aren't a target due to the lower market share are all wet. I ranted on MOAB two weeks ago, pointing out that most of their bugs were either local exploits or issues within third-party applications, and there has never been a virus in the wild for OS X, much like there's never been one for Linux. The difference isn't market share, it's the foundation of the operating systems. Given that most virus authors and hackers are in it for the ego, don't you think that there would be a huge incentive to be the first one to write a widespread OS X, Linux, or FreeBSD virus?

If an OS is built on shaky ground, everything layered on top will suffer. This is the position that Microsoft is in now. Apple was in this very position at the end of the last century. They decided to start over, providing a clear upgrade path and supporting legacy applications on the new platform. OS X was developed from BSD and NeXT, built on a foundation that dates back twenty years or more, with the OS base code freely available for download, yet there have been no significant security vulnerabilities in OS X. This isn't due to market share, this isn't due to lack of attention, this is due to proper coding and development. That isn't to say that there are no chinks in Apple's OS armor -- there definitely are -- but the foundation is solid, therefore those chinks aren't likely to destroy the whole shebang. The same is true of Linux, and most UNIX-derived operating systems.

Microsoft OSes began with no security. Windows 95 through ME had varying levels of front-end password-based security bolted on at some point, but it was hardly layered through the entire OS like UNIX. They weren't multi-user environments so interprocess security wasn't seen as an issue, and remote exploits were all over the place since they weren't built for network use. The NT base of Windows 2000, XP, and now Vista provided a much better security model and had some multi-user roots, but had to carry the burden of compatibility with code written for the original, completely insecure Win95 base. Simply put, Microsoft had the chance to beat Apple to the punch and make a giant leap back in 1997 or so, killing off the existing Win32 platform in favor of an NT-based client and server that did not have to run legacy applications natively. They didn't, and we are still paying the price for it today. Even if you're not running an MS OS, most of the spam in your mailbox came from zombie Windows systems in the control of spammers.

I also don't buy into the whole "Mac users are sheep" thing. You wouldn't have gotten me near a Mac before OS X. I didn't like the UI, I didn't like the hardware, and I certainly didn't like the IP stack. It was great in the 80's and early nineties, but by the time OS 9 was released, it was a joke. Way too many features had been bolted on the side, duct-taped to the rear, and glued on everywhere else. Apple had to rebuild their entire OS. They did, with a huge helping of public code vetted over the decades and proven secure and reliable. Microsoft didn't. They're faced with massive-scale exploits like the spreading ANI vulnerability. That affects every Microsoft OS, server and workstation alike, across the board. This gives us a glimpse into the code shared between generations of Microsoft OSes, and it's not a pretty view.

As Henry Spencer said, ""Those who don't understand UNIX are condemned to reinvent it, poorly." 

Posted: Wed - April 11, 2007 at 09:54 AM        

©