Safety Vs. Security

Dave G. | December 8th, 2006 | Filed Under: Apple, Industry Punditry

I know I am beating a dead horse, but someone has to make sure it isn’t breathing…

It is all too common that security practitioners and Mac OS X folks end up arguing about how secure OS X is, especially comparing it to Windows. We often talk past each other. I think it is because oftentimes one side is arguing about safety, and the other is arguing about security.

As a security researcher, it is hard to hear the phrases “Mac OS X is more secure than Windows”, “Mac OS X is immune to viruses”, “Mac OS X’s whim is the word of the people on Earth”. Our problem is that most folks fling around security memes without being able to give technical reasons for why their OS is more secure.

We argue that Mac OS X doesn’t get attacked because it isn’t a popular target. We say why we think that is. The other side of the coin argues that the reason has to do with how Mac OS X is architected. Some people present good arguments for it, some don’t. There is one thing that we both agree on though. Today, Mac OS X is less likely to be attacked (*).

The security practitioner is mostly saying that we know Mac OS X is safe. We think that running Mac OS X is like living in a nicer part of town. Houses in the suburbs aren’t more secure than apartments in New York City: windows everywhere, fewer witnesses, and people tend to trust their neighbors. Yet people move to the suburbs to be safer. Or, if they live in New York, perhaps they no longer want the living room to be their dining room, bedroom and kitchen.

Meanwhile, when we envision urban schools, we think about gangs and drug dealers, and about video footage of kids in line at the metal detectors while security guards watch everyone entering the school. Even if the threat of violence might be higher in city schools, I would think that a Columbine-style shooting is more likely to be stopped at a school with security guards and metal detectors at the front door.

It’s an important distinction because well… neighborhoods change.

11 Comments

Comment 1
    As far as the whole Mac security thing goes, that is the best metaphor I have heard.

Comment 2
    Of course I'm partial, but I like to say that OS X isn't significantly more or less secure, it's just a much lower risk.

    A big reason is what you're saying, we OS X users just don't see anywhere near the number of Threat Events as other operating systems. Why? Some of it has to do with controls ("how Mac OS X is architected", above), but most is because the threat community doesn't have the motivation yet.

    Unfortunately for OS X, this isn't a good situation. If I had to write a corporate report on the subject, I'd have to flag this as what we call an "Unstable Risk Situation" - in that we're relying almost solely on a low frequency of threat events in arriving at a "low" or "very low" risk rating. A nominal increase in threat events will dramatically change the risk landscape. We can model that out, and the results for a big/all Apple shop aren't pretty.

Comment 3
    The most important feature to any security system is that it should be well understood by the users. For example, if you drive a compact economy car, you know that you're more vulnerable, and you drive accordingly. In other words, safety in an unsecured environment comes from knowledge.

    The folks at Apple have worked hard on the Mac to make sure that it is comprehensible to users. This is a far cry from the much more elaborate security methods used in recent editions of Windows. Is Windows security better? Well, it has more features. But in terms of comprehensibility, I have to wonder. The average user doesn't understand what makes the security system work. And when it rejects something, they don't understand why that happens either.

    If you really want to talk about safety and security, you must confront what most of us engineers have known for ages: most of the really chronic problem is sitting right there in front of the screen. Until we develop a good security UI, the rest of this problem is academic.

Comment 4
    if you make yourself a target, Mac OS X is not a safe place to hide behind. you become a target when an adversary decides you are one. it's that simple.

    physical security with Mac OS X is usually non-existent. given the first scenario i had with setting up a local user on my brother's new shiny password-protected MacBookPro, i was able to create an administrator account and take my picture within 3 minutes. i simply booted into single user mode, followed the directions it gave right before the prompt, and ran System Preferences from the Applications folder.

    your risk is also relational to what you have to lose. some phishing groups do indeed target Mac OS X ("everyday" according to Charles Edge - speaker at Blackhat, et al). in particular, organizations that use Mac OS X (entertainment companies, such as Hollywood A/V, cartoon, and gaming types that employ Pro Tools, Final Cut, Shake, etc) heavily and do big production stuff with them are very valid targets. As are security researchers and vulnerability assessors. Wink.

    afaik, it's just as easy to upload embedded malware into a browser on Mac OS X as it is under Windows 95 (or Linux with grsecurity for that matter). who needs access to the OS when you have an OS-independent javascript zombie horde? since this is my argument, i propose that OS security is irrelevant as they aren't the targets anymore because they don't have much to lose. browsers (in combination with web application security) are highest at risk, and provide attackers the most gain.

Comment 5
    This is a great observation. Proper risk management is all about balancing security with expenses. Perhaps Apple is applying the appropriate level of resources to keep the risk of using OS X lower than the risk of using Windows.

    As Dave says, Windows is in the middle of a huge U.S. city where many with criminal intent are close by and anonymous. OS X is way out beyond the suburbs. Not worth the criminal's trip.

    I think security people admitting they think the risk of using OS X is lower than the risk of Windows is a good step in engaging in meaningful dialog with Mac fans. But the Mac fans need to also admit that the risk is lower because the threat space is different between the two platforms.

    Then we can move on to a security discussion. Topics such as, "What design decisions help make OS X or Windows more secure?" or "Is Apple using a secure SDLC approach to build its software?"

    Looking at the security bugs that are found on a monthly basis in OS X I can't believe some Mac fans think the security of the platform is significantly better than Windows, but they do.

    -Chris

Comment 6
    Jake, the "Windows isn't more secure, it just has more features" claim is just a bromide. Firewalls and SSLs are just "features" of a secure network.

Comment 7
    Jake, regarding your first paragraph:
    "For example, if you drive a compact economy car, you know that you’re more vulnerable, and you drive accordingly. In other words, safety in an unsecured environment comes from knowledge."

    No, I don't *know* that I am more vulnerable, I don't even assume so. Your statement about compact economy cars being more vulnerable than non-compact cars is based purely on *your* perception of the issue; it is not good enough for a rational assessment of a car's safety. In fact I could argue that driving a brand new, expensive, big fat car in the slums of São Paulo, Brazil under the stare of a lot of not very wealthy people armed with AK-47s is probably less safe than driving a 10 year old battered economy car. "Safety in an unsecured environment comes from knowledge"... knowledge of what? the tech specs of the car? the road? the neighborhood? what is, exactly, this "knowledge" that you talk about?

    Which brings me to the second point: "more vulnerable" to what? You need to qualify the threat, the attacker, etc.

    Ok, so leaving those clever and vivid analogies alone (neighborhoods, cars, c'mon, someone must come up with one about chicks!)... the one thing that I agree with is the "good security UI" remark, but forced to think of it I would go further: the UI is not the problem, the human using it is the security problem. That sounds like a typical infosec community joke but I am serious about it:

    Designing a good security UI is no less "academic" than designing a secure kernel, if the designers don't understand that security is a human problem and not a technical one and if the users have no security awareness and have no interest in acquiring it then all the rest is irrelevant. Secure design principles, SDLC, product's security features, vendor incident response, etc. are all telltale signs of the security consciousness of the OS vendor but the security of the OS is not solely controlled by its vendor. As a matter of fact it is mostly controlled by third party ISVs and, fundamentally, by the users of the OS. If they are not security conscious then it doesn't really matter what the OS vendor thinks, claims or does.

    In that context, how do you see the security awareness of the user communities of the various OS vendors?

Comment 8
    My issue with the 'security is a human problem' view is that it feels like a cop out on the technology side. If there is nothing a user can do to secure themselves because of a security vulnerability in their OS or third party software, that is not their fault. It shouldn't even be their fault that they visit an untrusted URL that knocks them around with clientsides, or they open a {insert file format} file.

    But I do think you ask a good question about the relative awareness of the user communities of various OS vendors. Of course, I would just extend my analogy (and I do know how much Ivan loves the use of non technical analogies :)) to say that people that live in safer communities think about security less. If you live in a place that is unsafe, you tend to think more about security. People in big cities tend to be more aware of their surroundings, know where dangerous locations are, and watch people more closely.

Comment 9
    "safety vs security" is indeed the most apt analogy I've seen so far on this issue. I wouldn't say it's the be all and end all, since both words express conditions which can't be quantified, however this is a more reasonable way to talk about the issue. BTW IMNSHO, security is both a technological and human problem. To try and view it as strictly one or the other doesn't help at all.

    dre,

    I've heard that sort of windbaggery before about how OSX users are being targeted "everyday" but the fact remains, I have not seen any evidence of it at all. Once I see it I'm sure I'll change my tune.

Comment 10
    safety = security * exposure * malicious intent

    is my diagnosis of your ill horse.

Comment 11
    safety is security
