Once upon a time, Apple could gloat with Mephistophilian glee at Microsoft, whose operating systems and applications where all but a veritable Petri dish for viruses, worms, and malware. No longer. According to an Information Week article:
Apple has always boasted that "Mac OS X isn't plagued by constant attacks from viruses and malware" because its operating system was "designed with security in mind."
But about two weeks ago, Apple updated an old note on its support Web site advising its customers to use more than one antivirus application to make their computers more secure, affirming a longstanding divergence between its marketing and its technical concerns.
Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult," the note explained.
It goes to show that most assertions about security by software manufacturers are cheap and easy to make because there are few negative consequences to software manufacturers when they're shown to be wrong again and again and again. Apple's announcement will hardly hurt the software maker's sales. Unfortunately, it was obscurity - not security - that made Apple appear more secure than other software manufacturers, which Apple buyers will learn too late.
It is a shame that an innovative company like Apple appears - by encouraging the use of anti-virus - to be making the same mistakes and using the same mistaken etiology of cyber security as other software manufacturers. So much for innovation. Software is simply not crashworthy - it cannot withstand the relatively simple (some might say, "stupid") mistakes of users, let alone the malicious actions of cyber attackers. Relying on anti-virus at this point in time is an errand for the foolish. [AusCERT]
Once again, the onus of cyber security will be placed on software buyers - this time on Apple users - to "behave properly," whether it be installing and keeping anti-virus up to date, practicing safe surfing habits, or following best practices regarding configuration. This has not stemmed the tide of cyber crime or cyber espionage yet and will not likely do so in the future (even with "perfect" behavior). Woe to Apple buyers, ye owners of the new Petri dish.
But before the hackles of my colleagues are raised too greatly, behavior modification is indeed an important part of cyber security. However, without a concomitant delegation of, and accountability for, software assurance to software manufacturers, behavior modification alone will not reverse the anemic state of cyber security around the world. Software must be crashworthy. Period. Full stop. It is simply not sufficient (or sane) to expect 500 million software buyers to habitually refrain from clicking on "suspicious" hyperlinks, abstain from visiting questionable web sites, or to comply with Byzantine configuration requirements (as well as frenetic patching cycles).
Let us hope Apple brings its famous innovative ability into the world of cyber security. So far, it doesn't look good.
I believe that the problems with Apple go much deeper. I honestly think Apple sells the least secure and least tested, yet mass consumed set of products on the planet. Apple, like Google (who also barely tests their always-in-beta products), is also very evil.
For example, the department that put out those AV notices is probably thinking that this is CYA for them. They probably think that if people complain that they got a virus (i.e. one that does not and cannot exist), that they can point the user to this support reference. "Hey, you should have had an anti-virus!", Apple would say.
Also note that there is plenty of malware for Mac OS X. It is not well documented, but there have been many breaches in many large media-based companies that have hundreds of desktops/laptops and clusters of Apple servers. They aren't talking, which is really no surprise. Since they aren't talking, they probably also are not suing Apple.
Does this support reference document protect Apple from lawyers? That could be a possibility, but [classically] IANAL. If you look at most of the other Apple support docs, it supports this theory.
Apple probably nicely redirects lawsuits to the potential AV vendor when the users find themselves with malware under third-party AV protection.
Thus, it's better to cover your ass than to recommend good security advice.
Posted by: Andre Gironda | December 03, 2008 at 08:57 AM
Dre,
You've touched on another aspect of the incentives model for software manufacturers. Indeed, it is likely far less expensive to provide a simple textual warning that AV *might* be necessary than to actually create a product that can withstand foreseeable events such as a malware infection. Fawning liability off a third party AV vendor is likely and plausible.
I've seen similar avoidance behavior in the corporate world regarding compliance. It is far less expensive to hire and fire a CSO for not achieving compliance, than to actually achieve compliance. If you think about it, it makes sense. A CSO "costs" perhaps around $300K USD (throw in a parachute for getting fired, and $500K USD is reasonable). However, the costs of compliance per year easily top $1M to $2M for large, publicly traded companies. The incentive under the compliance model is to provide to shareholders the appearance of action (by firing the CSO) while actually avoiding meaningful action altogether (as well as not improving cyber security). Ultimately, compliance is a risk to be managed, not a project to be completed.
In both examples above, utility is maximized by avoiding the "right thing to do" either by not building a robust product or complying with a legislative mandate. Under a distorted incentive model, "the right thing to do" becomes a liability, and is thus avoided, making everyone worse off. Mis-aligned incentives are a significant problem, especially in the field of cyber security.
Back to the topic of Apple...again, no product is perfect but perfection is not the point here. The point is that software buyers should have a reasonable expectation that software products should not enable or contribute to buyers' exploitation by cyber attackers. They should not find out their product is insecure only after it has become popular. That Apple might CYA is understandable...because the company likely thinks it is better off for doing so. But the buyers are not.
Posted by: David Rice | December 03, 2008 at 01:27 PM