I am of two minds. Here they both are.

PRO: Indeed, there is a historical precedent for the "user cultural" argument. Back in the early days of viruses (Yeass, back in myyy day, sonny...), the Microsoft DOS platform (which includes the first several generations of Windows that were essentially a GUI glued on top of, you guessed it, MS-DOS) had hundreds of viruses targeting it, while the Macintosh of its day -- we're talking late '80s here -- had MAYBE a dozen, if you were VERY generous in counting trivial variations of the same basic code. (Plus ça change, plus c'est la même chose, eh?)

Not only that, but it was a VERY long time before any Macintosh virus appeared that could be said to have a "malicious" in the sense of intentionally destructive payload. Meanwhile in DOSland, malware that ended with FORMAT C: or similar catastrophic lossage was endemic.

Many people at the time concluded that there was, in fact, a difference in the "user culture" of the two groups.

My conclusion was slightly different. The learning curve for writing Mac software was steeper than that required to gain just enough knowledge to produce yet another lousy knockoff DOS virus. So the folks who knew enough to write a "successful" Mac virus had BETTER things to do with their time, things that actually paid real money for example.

I suspect that we have a similar dynamic at play today. Lots of script k1ddi3z can fiddle around with a Windows 'sploit. The more advanced/ambitious of them can actually boot Linux on their systems. But give them a (PowerPC) platform on which their canned (Intel!) shellcode just flat out doesn't work, and it's Game Over Player 1. And rather than figure it out, it's so much easier to just continue on to the low-hanging fruit elsewhere.

CON: No platform is inherently secure. The belief that one IS secure is a mortal threat to security, because it undercuts the sense of justified paranoia that makes a truly effective security administrator.

It is axiomatic that a non-trivial program will ALWAYS contain flaws, and some flaws may have unanticipated effects on system security. One can design a system that is more or less resistant to such flaws (fill in your favorite examples on both sides), but some danger will always be there.

Risk = Threat x Vulnerability, after all, and the probability that either Threat or Vulnerability will ever be zero is, well, pretty darn close to zero. Therefore, it is highly improbable that Risk will ever be zero.

I speak as a long-time partisan not only of MacOS, but also of Ye Olde VMS, the bullet-resistant operating system whose practicioners used to laugh at Unix in much the same way that Unix users now laugh at Windows. But that didn't ever mean FOR A MINUTE that we'd fall behind on security patches. Complacency = doom.


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/319/31461#31461