Time for Apple to care about security

2010-03-25 14:59:39 by chort

Apple's operating system has long been considered a refuge for those sick of viruses and malware that plague Windows systems, but this reputation for safety has been widely misinterpreted to mean the design is safe. In fact, as has been widely recognized in the security community, it's the relative rarity of Apple machines on networks that simply makes them an economically uninteresting target.

Apple for their part have enthusiastically encouraged this misconception, and while they've benefited from the positive PR, they haven't actually taken the concept of safety to heart. Much like the corporation in Redmond that they delight so much in mocking, they seem determined to ignore security issues until they affect public perception.

This is why I'm pleased at the public flogging given to Apple by researcher Charlie Miller, who for the third year in a row has successfully "owned" Apple products. You can find a lot of online coverage about him in the Pwn2Own contest. The part that struck me is that he's not handing over his 20+ bugs to Apple, but rather describing the process by which he found them and urging Apple to do their own research.

It seems that most vendors, like Apple, still have the mentality that security means taking bug reports and--eventually--issuing patches. This means that they're tacitly accepting that their products have exploitable bugs at all times, and they're relying on benevolent third parties to find the bugs and report them before (too much) damage is done by malicious actors.

There is a huge financial incentive to find bugs for the "bad guys". Well-organized criminals rely on a steady stream of bugs to exploit for drive-by downloads and other methods of loading malware onto machines, to use for click fraud, extortion, e-banking theft, and other lucrative illegal enterprises. With such personal gain available, what do you think the chances are that people will submit bugs to vendors, out of the goodness of their hearts, before they're widely exploited to harm customers? My guess is very close to zero.

Software and hardware vendors, such as Apple, are basically engaging in the same coldly calculating game as auto manufacturers, who usually see it as much cheaper to settle a few consumer lawsuits than to fix disastrously unsafe products. Dangerous vehicle defects aren't fixed until scores of people die or are maimed, even when the manufacturer had good reason to believe the defects would cause loss of life. You can see this being played out now with Toyota, which is in some hot water for allegedly trying to cover up flaws in its products. Unfortunately, lawsuits by customers against computer companies are rare.

Just because people don't literally die in a fire from unsafe software doesn't make it less of an outrage that computer companies are being so callous about their customers' safety. What about people who lose tens of thousands of dollars from their bank accounts due to trojans and keystroke loggers? What about the months to years it can take to clean up the effects of identity theft? What about potential loss of employment, and harm to future employment, if digital details of private life are leaked? These are real issues that have real impact on people's lives, not merely some virtual inconvenience.

I'm an Apple customer because of the convenience of using their products, and the relative safety provided by their low profile, but as Apple devices become increasingly popular, they are becoming increasingly enticing targets for attackers. It's no longer safe to assume your Mac won't be owned, because there's an abundance of flaws and no shortage of people looking to profit from them.

Apple: It's time to get your act together. Stop paying lip service to security for PR benefit; start putting some real effort into safety as part of the design. If you really are better than Microsoft (and Adobe), do this before public sentiment turns against you.

