Good Journalism

Thomas Ptacek | May 2nd, 2006 | Filed Under: Defenses, Industry Punditry, Malware

If I were half as good a writer as John Gruber, who just quit his day job to work on Daring Fireball full-time, I’d be writing this blog post from the perspective of an anthropomorphized Windows Internet Connection Firewall (humorous incarnation: giggling teenage girl) IM’ing the Mac OS X “Sharing” firewall (humorous incarnation: ironically rearranged syslog output).

But I’m nowhere near as good as he is, and you should buy T-shirts from Gruber to keep him writing, and all you should do to keep me writing is buy consulting services from us. Meanwhile, I’m going to un-creatively shred his most recent point-by-point polemic against an AP story about Mac malware. In fact, I’m just going to ape his style, going point-by-point right back at him. The only difference will be, my points will be correct.

Let’s get started:

Oh, and I love the way both the CNN and MSNBC subheads conflate the Mac […] with “Apple” […] “Good god, now they’re going after entire companies”.

Yeah. That never happens to Microsoft. I mean, to look at CNN, you’d think they had some kind of love affair with Windows security.

Instead, a window opened on the screen and strange commands ran as if the machine was under the control of someone — or something — else. “Or something”? — could it be gremlins? Or worse, poltergeists? Spooky.

Computer programs aren’t people, John.

Who exactly is touting the Mac as “immune to such risks”?

Apple, on national TV, and Walt Mossberg.

In theory, malware could be written to target the Mac, but [in practice], in the real world, they aren’t.

Except this time.

On the other hand, Macs do happen to be immune to Windows viruses

They are also invulnerable to Solaris remote code exec bugs and Commodore 64 diskette boot-block viruses. Why couldn’t the AP guy mention that?

And what does Oompa-Loompa do? It attempts to spread itself via iChat and Bonjour, and [if you open the file it sends as an attachment] all it will do is attempt to send itself to other local Macs on iChat.

Devastating and unstoppable.

All the Morris Worm (tagline: devastating and unstoppable) tried to do was spread itself, too. John Gruber is now claiming the incompetence of Mac malware developers as a unique defense for OS X.

Daine’s uninformed opinion [as a 29-year-old British (must be smart!) chemical engineer] that macs were “invulnerable” to such attacks [etc, etc].

Perhaps someday I’ll have an opportunity [as a popular Mac blogger] to make equally uninformed statements about chemical engineering [or computer security] — a subject about which I am utterly ignorant — in an Associated Press report.

Shit, I spent my snarky comments in the quotation.

That’s quite an interesting theory — that the malware plaguing so many millions of PCs running Windows isn’t necessarily the result of problems with Windows itself, but is rather the result of something related to their Intel “microprocessors”.

That’s an interesting “straw man argument” — that the point the AP reporter was making was that it was “Intel” behind the Windows malware problem, and not the enormous “market share” Microsoft had obtained, making it an irresistible “target” for malware authors.

The actual point the AP was making was that adopting Intel made OS X a more viable target for mainstream malware authors, presumably because they didn’t need to learn another “instruction set” in order to write their “viruses”. I happen “not to agree” with this point, and believe that the PPC instruction set does “nothing to improve the security of OS X”, but it is not a “crazy” point to make.

The bugs reported by Ferris are legitimate bugs, but to my eyes […], they’re all just ways to make an application crash […] Ferris reports that this one, regarding Safari, “causes the application to crash, and or may allow for an attacker to execute arbitrary code”. Emphasis on the may in “may allow”, apparently, because the only thing his examples do is cause Safari to crash.

Advisory authors typically replace the word “may” with “will” when they accompany the advisory with an exploit. Troll the last N Cisco IOS advisories for similar weasel words. Then explain to me why a crashing bug in Safari is less likely to allow remote code execution than a crashing bug in Firefox or IE.

One of Ferris’s bugs is a NULL pointer dereference. We haven’t yet figured out how to make a NULL pointer dereference transfer execution to our own code. I apologize, we’re working on it. The other two flaws (tables with bizarre cellspacing, framesets with invalid parameters), I have no idea whether they do or don’t. Neither does John Gruber.

What I do know is, Safari does have remote code exec flaws, like every other moderately complex piece of software. And that crashers are their larval stage.
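To make the “larval stage” point concrete, here is an added illustration (mine, not code from Safari or from Tom Ferris’s advisories): a constructed out-of-bounds write into a struct that holds a callback pointer. Fed garbage, it is the kind of bug an advisory describes as “causes the application to crash”; fed bytes chosen so that the overwritten pointer lands on a function of the attacker’s choosing, the same bug transfers control. The struct, the handler names and the 64-bit layout assumption are all mine.

```c
/* Added illustration: the same unbounded write that a fuzzer reports as
 * "crashes the app" also controls a function pointer that follows the
 * buffer. Constructed example; not Safari code and not Ferris's bugs.
 * Assumes a 64-bit target (8-byte pointers) for the offsets. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record: a fixed-size name followed by a callback. */
struct record {
    char name[16];
    void (*on_ready)(struct record *);
};

static int last_callback;   /* 0 = none, 1 = benign, 2 = attacker-chosen */

static void benign_handler(struct record *r)   { (void)r; last_callback = 1; }
static void attacker_handler(struct record *r) { (void)r; last_callback = 2; }

/* The bug: copies len bytes into a 16-byte field with no bounds check.
 * Bytes 16..23 land on on_ready. */
static void set_name_unchecked(struct record *r, const unsigned char *src, size_t len)
{
    memcpy(r->name, src, len);   /* deliberately unbounded */
}

/* What the program does afterwards: trusts the pointer and calls through it. */
static void dispatch(struct record *r)
{
    r->on_ready(r);
}

/* Runs one input through the bug and reports which callback executed. */
int run_input(const unsigned char *input, size_t len)
{
    struct record *r = malloc(sizeof *r);
    if (r == NULL) return -1;
    memset(r, 0, sizeof *r);
    r->on_ready = benign_handler;
    last_callback = 0;
    set_name_unchecked(r, input, len);
    dispatch(r);
    free(r);
    return last_callback;
}

/* The "crasher": every byte is 'A', so on_ready becomes 0x4141414141414141,
 * an unmapped address. This is all the advisory's testcase demonstrates. */
size_t build_crasher(unsigned char *out, size_t cap)
{
    size_t len = offsetof(struct record, on_ready) + sizeof(void *);
    if (len > cap) return 0;
    memset(out, 'A', len);
    return len;
}

/* The exploit derived from the same crash: the bytes that land on on_ready
 * are the address of attacker_handler instead of 'A's. */
size_t build_exploit(unsigned char *out, size_t cap)
{
    size_t off = offsetof(struct record, on_ready);
    size_t len = off + sizeof(void *);
    void (*target)(struct record *) = attacker_handler;
    if (len > cap) return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return len;
}

int main(int argc, char **argv)
{
    unsigned char in[64];
    size_t n;

    /* In-bounds input: the benign handler runs. */
    n = (size_t)snprintf((char *)in, sizeof in, "hello");
    printf("benign input  -> callback %d\n", run_input(in, n));

    /* Same bug, controlled pointer: attacker_handler runs. */
    n = build_exploit(in, sizeof in);
    printf("crafted input -> callback %d\n", run_input(in, n));

    /* Pass any argument to see the crash the advisory would report. */
    if (argc > 1) {
        n = build_crasher(in, sizeof in);
        printf("AAAA input    -> ");
        fflush(stdout);
        run_input(in, n);   /* SIGSEGV: call through 0x4141414141414141 */
    }
    (void)argv;
    return 0;
}
```

The crafted input only works here because the example knows where attacker_handler lives; against a real target you would have to find or guess that address, and the countermeasures mentioned further down (non-executable memory, randomized layouts) exist precisely to make that step hard. The point the example supports is narrower: a reproducible out-of-bounds write of attacker-controlled bytes is the raw material of an exploit, and “may allow arbitrary code execution” is the honest description of it until someone has done the work to say “will”.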

One can only hope that Apple will one day handle security issues as well as Microsoft does now.

Which might happen if Apple can find a security engineer Microsoft isn’t paying right now, and if Apple is given the benefit of being beaten upside the head for 5 years by attackers and researchers to the exclusion of almost any other target.

[quoting the AP copy] “Blasted” is such a great word. Much more exciting than something more accurate, such as “sent as an attachment”.

Yeah. I hate that too. Just like this copy, from CNN: The Sasser worm has raced around the world over the past week, exploiting a flaw in Microsoft Corp.’s Windows operating system. “Raced” is much more exciting than something more accurate, such as “made a remote procedure call connection”.

You can tell [Rodney Thayer] is a genuine computer security expert because he has long black hair and a beard.

You can tell John Gruber was so pissed off at this AP story that he didn’t even take the time to Google a name before writing something that implied that Rodney Thayer isn’t a security expert, or (equally inaccurate) that John Gruber is qualified to make that assessment.

As a Mac user and a security person, the narrative about OS X vulnerability drives me up a fucking wall.

There is a valid point to be made about the Mac’s susceptibility to Windows malware, because there is a huge population of malicious code out there written to target Windows users — though just as the reason the majority of all “good” programs don’t target OS X has nothing to do with the operating system itself, not all “bad” programs rely on architectural flaws in Windows either.

But that valid point has nothing whatsoever to do with the vulnerability of modern Macs compared to that of modern Windows. Serious security people do not believe that the Mac is inherently and qualitatively less vulnerable than XPSP2; a single-user machine is a single-user machine whether you call the superuser “root” or “Administrator”. And in 2006, as a result of being targeted from every conceivable direction by attackers, Windows ships with demonstrably more countermeasures than OS X.

I’m sorry that the truth doesn’t make for a pithy sound bite, but if you bet your business on the security of Windows OR OS X, you’re playing to lose. There is a 100% chance that both will see game-over vulnerabilities within the next 18 months.

1 Comment so far

  • Andrew Jaquith

    May 4th, 2006 12:32 am

    Yeah, I like Gruber too, but I felt his column made him look a bit unhinged. I have my own issues with the recent OS X security coverage, although it’s more about how certain organizations (I’m thinking of the French word for “without”) are using the Mac as a vehicle for their own brand of sensationalism. See my blog post here: http://securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_020506_1
