After your identity has been stolen, your bank accounts compromised, 53 critical patches and 27 reboots later, when will you decide that you've had enough?
"Just as Windows users have become accustomed to 140,000 viruses, Apple users have become accustomed to none."
I've never had a dystopian view of technology, but I do think we're pulling the general population forward into a realm of the underworld that they're simply never going to "get." Let's step beyond the growing privacy issues, the identity theft and so on for a moment. It's so easy to become accustomed to technology and all its failings, where viruses, trojans and such have become a fact of life -- for Microsoft Windows users, at least. We've come to accept the countless virus infections, the Trojan that steals passwords, and the loss of an average user's identity as inevitable and acceptable, and it makes me wonder if we're taking our users down the right path.
Same old story? Not really. Alternative environments like Apple and Linux are finally catching on. Unit sales of Apple Computer's OS X based computers grew by 43% in the past quarter, over the same time last year -- in business terms, that's incredible growth. Revenue grew by 70%, and profit grew by an unbelievable 530%, thanks to the little music revolution they call the iPod and the iTunes Music Store.
What's fueling Apple's growth, besides the infamous iPod halo effect? Security. Either it's the perceived security that is thought to be better in OS X, or it's the documented lack of security in the Windows world. By that, I mean that you can't assume everyone who owns Genuine Windows is running XP with Service Pack 2, which has some improved security features -- because there are a few hundred million people out there still running Windows 2000, 98, or something else. No, they don't have automatic updates, and no, they may never understand what a firewall is. Anyone who works hands-on in the security field has his own experience spending countless hours removing viruses and spyware, or becoming adept at formatting and reinstalling (or laying down a new image), patching, immunizing, and so on. Whether it's in your large corporate environment or your Uncle Bob's computer at home, it all takes time.
Here's a simple example of a recent virus incident, and one organization's lackluster information response. I discovered a nasty Trojan on a relative's computer. He's a prominent member of the federal government and uses his computer for online banking, so I urged him to contact his bank.
The response the customer received from the Royal Bank, the largest bank in Canada and one of the 10 largest banks in the world, was interesting. The representative said that their systems are secure enough that a Trojan or virus cannot infect them -- but she said thanks for calling to let them know his home computer had been infected, that his accounts may have been compromised, and have a nice day. No discussion about stolen passwords, identity theft, or even the need to change his online password. Get some better anti-virus software, she said. And again, have a nice day. The person on the line didn't "get it," and I can assure you that my relative didn't really "get it" either until after a long talk. With confirmation from his bank, he was now confident that his system, the same one with the Trojan and the keylogger still on it, was perfectly fine. A virus is normal; it's a fact of life. It's no big deal, right? Why not just email me your SSN, your credit card numbers, and date of birth then -- or print it out on paper and post it in the street? The typical user is now forced to use the computer on every desktop, but must he also become an MCSE to administer it?
Viruses don't have to be a fact of life. There are no viruses on OS X -- not a single one. The reason most often touted is Apple's lack of critical mass, but that argument has been beaten to death. There are millions of OS X computers out there. It's not that a virus couldn't be written for it either. Far from it. The soft underbelly of Unix (or Darwin, an open-source Unix like OS similar to FreeBSD) is just as vulnerable as the eye-candy applications that run on top of it. Step back from Apple's three-tiered user privilege system (user, GUI superuser, and root, which is disabled by default) and understand that users can still be tricked into clicking on anything -- social engineering will always work, and there will always be people who click.
Why, then, are there no viruses for OS X?
Just as Windows users have become accustomed to 140,000 viruses, Apple users have become accustomed to none. It's a major cultural difference that admittedly, sometimes causes Apple users to do stupid things -- and get away with them. It's hard to describe the freedom of using a system with no malware known to have spread. It's liberating.
Beyond critical mass, I would like to believe there's a better reason for the lack of viruses on OS X, and it's based on the culture of the Mac -- which is distinctly different from other platforms. Is it wrong to try a new computer system and actually enjoy the user experience, for a change? Can you imagine a world where (today) you can click on anything and never worry about malicious intent? Can we not continue this unwritten rule that there can be a platform out there that is simple, easy-to-use, with Unix (and a cool ports tree) underneath that has no threat at all from viruses?
Perhaps I'm living in a pipe dream, but that reality is here today. Linux is also close, but OS X is already there. Apple's big virus is really just the market enthusiasm that translates to new unit sales, spreading like a contagion, that fuels their 70% year-over-year revenue growth.
I held off writing this column for the better part of a year, because many SecurityFocus readers have the intellect, talent and ability to write a virus that could be quite nasty on OS X. There's the general notion that (shh!), any added exposure to the platform might bring it out of the limelight. But if a Windows programmer or security researcher can try a new operating system and enjoy it just enough to not want to destroy it, then there's hope for us all.
I should have also prefaced this column with the disclaimer that most SecurityFocus staff use OS X in some way or another, if not at work then at home, so we're somewhat biased. After covering multi-platform security news all day long, from WiFi penetration testing to intrusion detection and honeypots, at the end of the day it's nice to use a system that's not on everyone's radar for a change. Let's keep it that way.