1128 words on Software
January was a the Month of Apple Bugs – a child of the Month of Kernel Bugs they had in November focusing on bugs that can be enjoyed when using Mac OS X.
In the course of the month they revealed a number of dull problems which for sure are problems but look like they are rather unlikely to be exploited and a number of problems which look like they shouldn’t have happened if software companies actually cared about security. Those problems didn’t affect Mac OS X only but also included third party software like VLC, Transmit or the Application Enhancer system. And while that month of revelations doesn’t seem to have sparked any real exploits that I have heard of, it for sure attracted a huge number of comments and opinions. Most of them critical of the proceedings.
Personally, I don’t think I want to join those general critiques. Sure, publishing a way to exploit programming errors on the internet before notifying the software company who made them is not the most polite thing to do. But at least as far as Apple are concerned, they don’t seem to be particularly interested in customer feedback anyway. Their public bug reporters aren’t just reasonably well hidden but it is common knowledge that you shouldn’t assume what you send in there will be read by a human who is up to the task. And as Apple are usually quite uptight about admitting there were mistakes in their software, I assume that you need to be fairly clear about your intention to publish the bug you discovered if you want to get credit for it in the end.
And with all this in mind, it seems like a close call to me: Did publishing those bugs without sending them in first put users at a greater danger because the problem became public and the ‘hackers’ got another exploit to play with? Or was publishing those bugs actually beneficial for Apple users as it forces Apple to come up with fixes more quickly and thus reduces the time span in which the ‘hackers’ who knew about the exploit anyway could exploit it? I don’t know. And I am not sure whether anybody else does. At least I haven’t seen evidence to make either of those points more plausible.
But that’s just Apple. What about the other people involved? In my experience, Panic – the makers of Transmit – are quick to respond to bug reports and even to let you know about the progress in fixing them. And I only reported minor quibbles to them so far, so I guess they’d make an even better effort for bugs that are dangerous for their users. Still, Panic fixed the problem fairly quickly and moved on.
Even worse with VLC. Isn’t that application open source? Wouldn’t it be super simple for someone who is clever enough to figure out an exploit to just provide a patch? I guess it would be. But that someone didn’t want to extend that much courtesy to the programmers. Who, again, came up with a fix for the problem fairly quickly.
Finally, the Application Enhancer. I am not an expert on these issues, but the problem that was uncovered for the Application Enhancer seems to be related to a sloppiness in setting up those magic UNIX permissions for the related files. And the fact that such a problem could make it into the tool did disappoint me as over the years of using Application Enhancer I really got the impression that Unsanity may not be the friendliest software company but that they do really care for and work hard on issues of compatibility and stability of their little hacks.
Unfortunately the Month of Apple Bugs people were also disappointing on this point as their write-up of the problem sounded more like an Application Enhancer bitchfest than anything else. And similar low notes could be discovered in other of their ‘reports’ as well. Now what was the point of that? Why convey the whole motto of looking at security issues when a closer look gives the impression that the actual issue here is that people just disagree with others and want to demonstrate their superiority on the software field?
That really disappointed me. I quite liked the idea of a Month of Apple Bugs to be honest. As having it could have made clear once and for all that OS X is as buggy as any similar software. And it could have hopefully shut up all the zealots (and ‘Mac’ guys) claiming OS X cannot be exploited. This, in turn (I’m optimistic), could have led to some fruitful discussions and further awareness regarding security issues among Mac users. Which – while apparently not urgently needed today – wouldn’t have hurt.
But the Month of Apple Bugs failed to achieve any of that. It exposed some bugs. It even got some bugs fixed. But it managed to just attract more comments and zealotry related to its style rather than to its actual content – the discussion of which didn’t make it to the surface. So unless the actual goal of the Month of Apple Bugs was to prove that their are plenty of stupid Mac zealots (which would be a goal that only people who consider ‘making fun of pensioners’ as fun would consider a worthwhile goal), I don’t think it managed to reach any constructive goal.
Certainly the lack of truly shattering bugs played a role here. [Would you say (a) those don’t exist, (b) the Month of Apple Bugs people aren’t smart enough to discover them or (c) the Month of Apple Bugs people were smart enough to not give those assets away?] But looking at the number of problems that ‘fixing privileges’ (which in a way seems to be OS X’s placebo repair action that the clueless are always keen to recommend) can cause, makes you wonder whether discussing the state of security on Mac OS X wouldn’t be worth the while. This even seems to be a problem at the level of UNIX permissions rather than requiring careful fiddling with some strings to create a somewhat dangerous buffer overflow. And surely several people must have considered exploiting its power.
I would have liked to see such a discussion for the benefit of us users. But the style of the Month of Apple Bugs prevented it from happening. With its participants seeming un-cooperative I can’t see how they should score a job in the software industry as a consequence of this. And with their exploits relatively harmless I can neither see how aspiring botnet owners come running with bundles of cash to buy their services either. So in total I’m not sure what this whole thing was about after all.
I just think that they picked a boring topic… what they really needed to do was start “A Month of Apple Annoyances” because those are things that EVERY Mac user can relate to.
I’d probably start off with a week devoted solely to Mail’s numerous annoyances, then move on to iSync (which still feels like beta software), and finish up with a run through the OS itself and save Spotlight (which is more annoying than everything else put together because it’s used so often) for the grand finale.
I don’t understand. Do you really think there are a bunch of Mac zealots out there who think that Mac OS X cannot be exploited whatsoever? I am constantly bewildered by this statement; yes, there are people who profess their love for Macs and bash everything Microsoft, but if you asked them point blank, I don’t think a single one of them would say that Macs are completely invulnerable. I don’t think they even say that on their own anyway!
I know I’m latching on to one sentence of an entire post, but I think it’s worth discussing. What most “Mac zealots” like to point out is that in practice, the Mac’s security is a thousand times better than Windows’. (Well, Windows XP, anyway… we’ll see how Vista fares.) There have been tens (hundreds?) of widespread viruses and worms that have actually infected millions of Windows PCs, that have caused billions of dollars in damages (by some metrics), and that have caused headaches around the world.
On the Mac? I can’t think of a single widespread virus or worm that has ever hit the Mac in recent memory. There have been some proofs of concept (mostly regarding Safari’s “open safe files” option), there was a lame OMG-IT’S-A-SHELL-SCRIPT-THAT-DELETES-YOUR-HOME-DIRECTORY-DISGUISED-AS-AN-ILLEGAL-MICROSOFT-OFFICE-2004-DOWNLOAD!!!11oneone “proof of concept”, there were some dubious claims about Wi-Fi exploits that remain dubious, and there have been numerous security holes that have been pointed out and fixed by Apple. But not one of them has caused any real damage on the Mac.
The last thing to really affect the Mac that I can remember was the MBDF A virus, that was easily stripped with a free utility called Disinfectant. That was over a decade ago, and that only affected Mac OS 9. (Might I point out that Intel Macs can’t even run Classic anymore, so the MBDF A is history, if that was ever in question.)
Sure, the Mac has plenty of security holes. But none so glaring that they can cause widespread attacks. (Granted, there could be one such glaring bug, but obviously it hasn’t yet been found or exposed.) And if Mac OS X “is as buggy as any similar software”, then why haven’t there been a number of widespread attacks proportional to Apple’s market share? Surely, what with the prestige of creating the first widespread Mac virus, and if it is true that “[e]very single day, they come out with a total exploit [of Mac OS X]” (c.f. Bill Gates), then why is it that Mac users can be totally nonchalant about security and not eventually get whacked in the face with a virus? Why is it that Windows gets 100% of the widespread infections and the Mac gets 0%, instead of Windows getting 95% and the Mac getting 5%? The point is that you can write all you want about theoretical vulnerabilities in Mac OS X, or about how buggy the operating system is, or how Apple is lax about security, but it doesn’t change the fact that Mac OS X is a safer platform than Windows, in practice.
By the way, can you also explain exactly how you know that Mac OS X “is as buggy as any similar software”? Do you have inside access to the Mac OS X source code and have found numerous bugs but decided not to tell any of the Apple engineers? Or are you secretly a security researcher who hordes all his information about possible exploits to himself? How do you back up this statement at all? This seems, again, to be an observation that at best, is a completely clouded opinion, and at worst is outright false. (If this were true, then again, shouldn’t the Mac be seeing 5% of the widespread virus outbreaks?)
Dave2: Great idea. That certainly would bring up more topics which hinder people’s daily work with the Mac today. Although all previous attempts I have seen at such lists, inevitably contained completely vacuous points and points that are a question of preference or taste. It’s probably much harder to ‘prove’ UI problems because they depend your way of using things. — Hence the frustrating ‘Behaves as specified’ status that Apple likes to assign to bug reports you file with them.
Simone: If there are no such Mac zealots out there, I wonder where all that noise from people claiming the Mac is a ‘secure’ system comes from. If people claim this in public, it doesn’t matter if they take on a more reasonable point once you ask them in private, because they already sent the ‘all-secure all-the-time’ message.
Sure Mac OS X has been spared serious and widespread problems so far. But what does that prove? We don’t know the future developments as far es exploits are concerned and I don’t see how our experience of the past few years can give us evidence for what to expect in the future. If anything, the virus and worm business is only starting to develop and I’m sure those guys are getting smarter and more experienced every day.
Of course I do not have access to OS X source code. So I can only guess as anybody else does. And I consider it to be a reasonable guess to say that Apple started out with something based on BSD stuff long ago. Then I’d be optimistic and give them credit for putting some paid people at tracking down a few problems. And then I’d take into consideration that they added a lot of non-trivial features and thus code to the OS which should have made it more buggy again. And thus, with that bit of optimism, they end up where they started. Which isn’t too bad but no reason to be complacent.
Being secure doesn’t mean “all-secure all-the-time” and doesn’t mean secure in the future for all eternity. Secure means that you can be confident that in the near future, you won’t have your computer taken over by random people on the ‘net. Confident? Yes. Absolutely sure? No. That’s the state of the Mac right now: you can be confident that your Mac won’t be taken over. Yes, the Mac is a ‘secure’ system, and no, that does not make me a Mac zealot. It’s quite a reasonable statement.
Equating secure with absolutely-positively-secure-with-no-exceptions makes the whole discussion pretty useless. With your definition of secure, there’s no possible way an operating system can never be secure.
(In any case, I’d also be interested to see if you can actually cite a single “Mac zealot” who thinks that the Mac can never, ever be compromised. I stand by my statement that no one has ever asserted this.)
You’re also making a burden-of-proof fallacy with regards to Mac OS X’s security. You acknowledge that “Mac OS X has been spared serious and widespread problems so far”, but then turn around and say that that doesn’t prove anything with regards to Mac OS X’s security. So I have to wait 10 more years to show you that Mac OS X still hasn’t been compromised, and even then you can still say that I have to wait another 10 years to prove that Mac OS X is secure.
You say that Mac OS X not being compromised speaks nothing about its security. Sure it does! By analogy, say you buy a safe and in all of 6 years, there hasn’t been a successful attempt — and there have been attempts — to illegitamately gain access to the contents. Do you tell your friend that the safe you bought is as secure as his safe that has been compromised tens to hundreds of times? Of course not. But saying that your safe is more secure doesn’t mean that you say that it can never be compromised.
Even the best security systems can be eventually compromised. Adhering to a strict 100%-effective definition of “secure” is pretty pointless.
With your definition of secure, there’s no possible way an operating system can never be secure.
Which is exactly why I don’t like people speaking about secure systems. And thus I don’t like people advertising the security of their system. It just comes down to promising something vague which companies cannot be held responsible for. So it’s worth nothing.
I’d be perfectly happy if Apple and the pro-Mac zealots restricted themselves to saying that the world is mostly worry free today for Mac users. That would be reasonable and there would be no need to argue. But apparently people prefer to make (and hear) strong claims about security and the future.
I do not think I’m making a “burden of proof fallacy” here as whoever claims that something is ‘secure’ is the one owing us a proof. And if not that, a precise explanation of what they mean by ‘security’. Anything else is just a piece of puff.
Ultimately, in our wonderful capitalistic world, I’d only start believing about security if Apple offered some of our money back if things go wrong (just like Knuth offered cash for bugs people find in TeX). That’d show that they are reasonably serious and confident about their software being secure. And I doubt they are.