27 February 2006

Mac OS and Security

I've avoided posting on this topic until things had a chance to settle down. Now, I can look back on what appeared to be one of the worst weeks for Mac OS X in many years.

For those that have not been reading ANY news service, I am referring to the apparent arrival in about 1 week of three viruses/trojans/worms (choose your definitions) to affect specifically the Mac OS - the first since Mac OS X itself was released. Unfortunately some in the mainstream press (hands up BBC among others) were pretty quick to jump to rather silly conclusions.

The coverage at more measured publications was better. This Wired article by Leander Kahney was well-put. I also liked this point made in the comments by an anonymous reader:
I'm also intrigued by how these stories have all trickled out, day by day, in the same week, to give the impression new problems are being found on a daily basis. I'm also fed up with many reporters and security firms freely using words like 'exploit' and 'virus' as if they were interchangeable - I guess it's too hard to explain the difference.

It certainly seemed like a conspiracy. The mainstream press fell short primarily because it seemed to get quotes only from representatives of companies who would benefit if there was any increase in doubt about Mac security. This is like asking a prison-building company if sentencing is too lenient.

Now, I'm feeling smug on a couple of fronts. First, I predicted this would happen sometime this year in my 4th January post on Top 5 2006 Predictions. I'd like to think, now the fuss has died down, that I also predicted the reaction. The other reason I'm smug is that I'm still a proud user of the most secure OS for personal computers.

Should we be so smug? To a degree, yes, I think we should. We have the best operating system, with the most productive environment. We neither need to spend money on multiple bits of software to protect our machines, nor do we need to waste our own precious time (and slow down our computers by constantly running this stuff) keeping that up-to-date. That is a vast productivity gain. But no OS is going to be immune from attacks forever. What matters is how the OS deals with such attacks. And in these cases, Mac OS came out about 99% (though Safari didn't score as high). Indeed, one of the three examples had already been fixed several versions of the OS ago. None of the attacks could be spread unwittingly and all again required some form of user interaction. That renders them all pretty low in seriousness.

But no OS in the world will protect a user from paying money into a Nigerian bank account should they so wish. We all need to practice sceptical computing (thanks Ars for that advice - dated but still true). For me, that translates to a few simple rules:
1. Have my email virus-checked at source (more so I don't accidentally forward something on to some Windows friends).
2. Block pop-ups whenever possible.
3. Only download from sites/people I trust.
4. Never double click anything I've downloaded without knowing what it is.
5. Never ever give my userid and password to a site unless I'm 100% sure I'm where I'm supposed to be.
6. Never send important information (passwords, userids, credit card info, bank acct info, identity info) in emails - even to trusted companies.
7. Run firewall software wherever possible (router and computer).

But I do not see any need for Mac users to start running a/v software on their Mac yet, as long as they are comfortable with such steps. No Mac users were significantly affected by these exploits. But many, many more were seriously inconvenienced by the effects of a false positive in an a/v system. In such a case the cure can be worse than the disease - especially when you don't even have the disease. (Hands up Symantec for shooting themselves in the foot at the same time as telling Mac users that they need to be more careful!)
