Robert Hensing made an interesting observation about Apple’s OSX as the OS of choice among security professionals presenting at the CanSecWest 2008 security conference. With all the latest news about the insecurities in OSX, why is it the OS of choice in that circle?
The breakdown he observed from the presenters’ machines:
- 50% OSX
- 34% Windows XP
- 15% random Linux distros
- 1% Vista (me)
I am not a security expert by any means, but I have to wonder why OSX is in high usage amongst this niche group.
Of course, this raises the question: if Apple’s OSX is supposed to be so secure, then where are all of the vulnerabilities coming from?
So let us look at the questions Robert poses, and let me offer my thoughts as to what the answers might be (with my own rant, of course).
"Security geeks favor pretty hardware / UIs over security? (i.e. "Do as I say – not as I do"?)"
Apple does make some sexy hardware, no doubt, but it’s certainly not the hardware that would make them a security winner. (Do MacBooks have TPM chips? I am not sure…) Why does it seem that almost every Mac user I see who uses their PC for more than simple web browsing tends to be running a virtual copy of Windows? Is OSX really just a pretty and "cool" way to use Windows? I am sure we will never know how many of all the Mac PowerBooks are running Windows.
Why can’t Apple package OSX for sale to be installed on non-Apple hardware? If the OS is so secure, let the people try it and find out without having to buy into the Apple hardware platform.
"They like the OSX platform because they can run cooler Unix / Linux / open source tools easier?"
Of the security people I meet, I have asked, "So what OSX-only software do you run that you need to be running OSX for?", and I have yet to be told a single app. Sure, someone may prefer to run an OSX app, but what does OSX bring to the table that Windows cannot do? What Linux-only applications are out there as well?
Shouldn’t people who are focused on security be intimate with the OS that has the largest target on it, such as Windows?
So, not being in the security crowd, what OSX applications exist that are meant to help secure enterprises that run primarily Windows? Are they more network/device-focused security testing applications? I would really like to know what it is that OSX brings to the security tools game that helps protect the majority of computer users.
If I search on SourceForge.net for open source software, and browse to the 3,675, and filter by requiring OS:
- 258 for All BSD platforms
- 161 Require OSX
- 664 Require some version of Windows
- 399 Require Windows 2000/XP
"They’re hoping for a little security through obscurity?"
I would say that obscurity IS OSX’s best security measure. It’s still a small population that uses the OS for more than just web browsing and email reading.
What is the incentive to attack an OS that is still rarely used compared to the entire computing population? The spoils of attacking such a population would seem meager, compared to the riches of discovering an exploit that the majority of the population uses. I think it’s great that security experts are finding holes in OSX so they can be fixed, but is anyone really trying to exploit OSX users at all?
Is Apple their own worst enemy?
As Apple gains public adoption, it will also start to attract those people who wish to exploit the newfound population. I wonder if the overzealous consumers who bleed for Apple make better targets for scams and phishing attacks? If someone were to choose to attack OSX using an open exploit over the web, how hard would it be to bait fanboys to access a site with exploited code? Is a web site titled "Apple OSX is the suck!" or "Apple is the best!" just as good of bait as "Free PS3, come here!" that gets the rest of the public’s attention? If the Mac Air was compromised in minutes after the user was directed to a web site, what if smug Mac users’ willingness to run to the defense of the OS directed them to a similar exploited web site?
As Apple promotes their software to run in larger populations, such as how they are pushing Safari to iTunes users on Windows (and OSX), they risk being out of their controlled population. If Safari is their browser debut into writing code for the every user, then their track record so far is not looking good for them. Safari could become the gateway that brings exploits that will target both Windows and OSX users who choose to use Safari as well.
With Apple’s anti-Vista campaign, it seems they are focused more on FUD-slinging than on trying to convince the public they have a better product. Do they really feel the only way to make their product appear better is to make another product look worse, even if their claims are false?
This is a stark contrast to Apple’s iPhone commercials which demonstrate what the product can actually do, instead of what competitors can’t do.
OK, so this is turning into more of the anti-Apple rant (long overdue here), but maybe it’s because I just don’t "get" the desire to use a Mac, and certainly not for the security folks. I’ve used them, and while I think Apple (now a consumer-product-focused company) makes some great hardware products, I just don’t see the appeal of running an OS that you need to virtualize Windows on to do a large number of the tasks most people do.
The past evils of Windows security are well known, and better software in all OSes is a result of the issues that the world has faced because of them. It was only the exploits and malware that forced things to change for the better. If the latest trends are to continue, Vista is on track to hopefully change the way in which Security and Windows are used in the same sentence.
I would think Apple, having a single OS product, a smaller attack incentive, and zealous security folk, would be able to write a better OS that would not suffer from the bugs and exploits it does. It will be interesting to see, as OSX grows up, if history will be kind to all those smug commercials touting its superior security by putting down Vista.
So after all of that, why do security professionals use OSX? Maybe OSX is the right tool for the job, but that doesn’t mean it is the right tool for the masses.