Darel Rex Finley in 888

Security Through Normalcy

2009.05.21

Network Security Podcast #144 (mckeay.net), though generally upbeat on the Mac, included a heavy dose of the “security through obscurity” argument — that the Mac doesn’t have the huge malware problem suffered by Windows users because the Mac has small market share. Choice quotes:

“One of the things we’re trying to counteract is the false sense of security that many [Mac] people have because their platform has not attracted the attention of malware authors. We believe that that false sense of security will end up harming these users, and the users of this platform, more when security threats do arise.” —Dino Dai Zovi

“There has been this assumption that Mac’s been more secure, and even when I first— very early on when I first started getting involved with Macs, I kind-of fell into that, until I started doing the research and digging into the operating system. It seems to me there are a lot of cracks here, particularly compared to what Microsoft’s been focusing on. What would you say [Dino] are some of the main areas that Apple probably needs to work on to improve? That’s part one of the question, and part two is: Do you think that they have enough time to do that before more bad stuff starts hitting?” —Rich Mogull

“So right now, there really aren’t many viruses or online threats to speak of. However, as OS X and Macs gain more market share — as I personally hope they do, because I like them — they will inevitably attract more attention from the cyber criminals. And my concern is that Apple isn’t doing enough to counteract that shift when it does occur.” —Dai Zovi

“Apple still has an opportunity to get ahead if they finish a lot of these anti-exploitation techniques. It doesn’t even need to be as good as Windows, and it doesn’t even need to be as good as Vista or Windows 7, because of the market-share issue ...” —Mogull

“If OS X is not secure enough, [malware authors] can just port a lot of this [malware] infrastructure, and invest it into attacking Macs, and then you’ll get the situation we have on Windows now.” —Dai Zovi

Yup, the experts agree: If not for its minority market share, the Mac would be suffering the same malware agony as Windows. And all the malware authors have to do is switch their attention to the Mac, and that’s exactly what will happen to it — or maybe worse, since it’s more vulnerable than Windows!

But pay careful attention to some other parts of this podcast, and you just might see reason to wonder if the above-illustrated argument really holds up. Reasons to suspect that hackers can’t do to other operating systems what they did to Windows, just by wanting to.

“I usually refer to this as the safety-vs.-security argument. And the best metaphor is leaving your front door unlocked. Depending on where you live— Leaving your front door unlocked is always insecure; someone could always enter your house just by turning the doorknob. However, depending on where you live, this may or may not be safe. At the present time, Mac OS X users are quite safe. There’s very little malware that is targeting them.” —Dai Zovi

Imagine two neighborhoods. One of them is just a normal neighborhood: streets, houses, a couple shopping strips. Nothing special about it.

The other neighborhood is a bizarre jumble of maze-like paths, alleys, and crumbling old buildings, many of them connected together by kludgy, patchwork tunnels. In fact, the whole neighborhood was force-built on top of a pre-existing neighborhood, which itself was force-built over a still older one. And that one was deliberately designed to resemble neighborhood schemes that were outdated then. And very little attempt has been made over the years to rip out and rebuild any significant portions of it.

This jumble neighborhood is very difficult, sometimes impossible to successfully patrol. It has a much beefier police presence than the normal neighborhood, including cumbersome, sometimes draconian access gates. Most of the houses have bars over their windows, and nobody leaves their doors unlocked. Still, crime is a much bigger problem in this neighborhood than in the normal neighborhood. Why is that? Do the criminals not want to attack the normal neighborhood? Would they not like the things they could take there, or the mayhem they could cause there? No. They aren’t a problem there because the normal structure of the neighborhood just doesn’t give them much opportunity to engage in crime and keep doing it without being stopped.

Dai Zovi continues:

“And while there is some [Mac] malware, this malware is usually social engineering style, where they try and induce the user into installing a rogue application, and once they install this application, it installs a backdoor in their system, giving the attacker access.”

Recently, a botnet of maybe a few thousand Macs was discovered. At first glance, it seems to confirm exactly what Dai Zovi and Mogull are saying: that as the Mac is getting more popular, malware is starting to move in. But take a closer look and what do you find? It seems that these particular Mac users became infected by downloading pirated copies of popular apps like Photoshop off of file sharing systems like BitTorrent. Exactly as described by Dai Zovi immediately above. So what it actually shows is (1) that malware authors do attack Macs when they can, and (2) that they have success only with the people who not only leave their doors unlocked, but invite well-dressed strangers in for tea. Guess what? There’s no way to protect those people from their own foolish actions. Whatever great security features Microsoft may have implemented, that Apple hasn’t, they aren’t going to stop a Trojan-loaded app downloaded by a naïve user. Dai Zovi came very close to admitting this when he said:

“The big problem is that a lot of the exploit mitigation defenses that other operating systems have — such as what’s called Address Space Layout Randomization, and Non-Executable Memory — Apple has partial implementations of these, and one of the things I show in the book, and I showed in these presentations, is that these partial implementations are actually very trivial to bypass. And their inclusion is almost more of a marketing point than an actual, technical barrier to attack.”

Yeah, it is a marketing point. How do you protect users against naïvely downloading malware directly on to their computer and commanding the OS to execute it? You can’t! Nobody can.

So what do you do about that? Two answers: 1. Warn people against acquiring Photoshop that way, and 2. Recommend that they use a normal OS.

It doesn’t have to be OS X. It could be Linux, for example. (Has Linux experienced the Windows malware nightmare? No, not at all. Did they avoid it via “obscurity?” Hardly! Linux has been very popular in IT departments for about as long as OS X has existed.)

“I’m a huge fan of Macs. I just really hope Apple starts paying more attention to these things, so down the road I don’t have to worry about security like I used to when I was on Windows.” —Mogull

Rich, I think the only thing you really need to worry about is that Microsoft will pull a rabbit out of a hat and find a way to keep everyone locked into their legacy systems forever. And I, for one, am not too worried about that.

If Windows as we’ve known it for the past twenty years ever fades into the sunset — either by being massively overhauled by Microsoft (essentially replacing it with a thoroughly modern OS), or by being beaten out of the market by OS X, Linux, or something else — then the era of rampant malware will simply come to an end. It won’t migrate to OS X. It can’t.


Update 2010.05.02 — Another way of putting it: To be effective, a virus (biological or computer) must be able to multiply faster than it is being removed. For a computer virus, that means that if information about how to easily and completely remove the virus spreads faster than the virus itself, then no significant epidemic can occur.


Update 2010.10.30 — It’s been almost a year and a half since Dai Zovi and Mogull made the above-quoted comments. The Mac is more popular than it’s ever been... Where’s the malware outbreak? I’m not seeing it.


Update 2011.01.20 — Apple’s latest numbers just came out, and they’re better than ever on practically every front. Still no malware outbreak.


Update 2011.05.05 — Ed Bott on ZDNet:

“Why malware for Macs is on its way”

“Oh, the rationalizations people come up with to explain away what they don’t want to hear.”

What about the rationalizations they come up with to explain what they don’t want to know? It’s been months since you wrote this, and I’ve never bought any anti-virus software for any of my Apple hardware. And I’m constantly using the internet. And nothing bad’s happened. So am I, like, magically immune, or what? Ed?


Update 2012.04.05 — OK, just heard that maybe 600,000 Macs are infected with something called the “Flashback trojan.” Big point for Dai Zovi, Mogull, and Bott. But it’s a trojan, not a virus, meaning that to get infected, you have to download a suspect executable (app) and intentionally launch it. And I’m not seeing any word that this thing is hard to detect or hard to remove.


Update 2012.04.10 — According to Mogull, Flashback doesn’t need you to intentionally run an app, just visit a website that is rigged to install Flashback on your Mac. But, also according to Mogull:

  • You’re immune from infection if you have Apple’s latest Java update on your Mac (available through the Software Update feature in your Mac’s dock), or if you have Java turned off.

  • The presence of Flashback can be easily detected without any special security software.

  • Flashback can be easily removed (Mogull links to step-by-step instructions) without any special security software.


Update 2012.04.18 — A new Mac trojan has been discovered; this one spreads via an infected Microsoft Word file. Since I don’t have Microsoft Word on my Mac, I am apparently immune.


Update 2016.03.07 — First-ever, in-the-wild, Mac ransomware has appeared, but reached no more than about 6,500 Macs before Apple informed OS X to block the infected app. Even before then, it couldn’t touch you if you didn’t use a now-obsolete version of the BitTorrent client “Transmission” (which I had never heard of until now). No word that anyone actually got their data scrambled.


Update 2017.02.09 — Mac hit with another malware that depends entirely on Microsoft Word’s macro feature. Again, since I don’t have Word on my Mac, I am totally immune.


Update 2017.02.28 — ESET anti-virus for Mac found to have a vulnerability that potentially can grant root access to malware. Since I have never installed ESET (or any other anti-virus software) on my Mac, I am fully immune.


Update 2017.05.05 — “Snake” malware, which originated on Windows, now appears on Mac, disguised as an Adobe Flash installer. Wouldn’t you know it — I don’t use Flash. So I’m immune.


See also:
Malware Isn’t About Total Control
Security Through Normalcy
Security Through Obscurity Redux — The Best of Both Worlds
Basic Reproduction Number

