27 Comments

• Digg
• Bury

How could Apple be caught off guard?

They generally are not off-guard.

About the time the company put out job requisitions for a person to manage their efforts to foster games development (wildly successful effort on the iPhone/iPad iOS platform) they put out a job requisition for someone to manage security too.

Now, Apple has tons of games people carry in their shirt pocket's iPhones. They still are not getting hacked to death like legacy platforms are that hackers mastered long ago.

It is absurd to claim that Apple "ignores" malware. In fact, if the author was familiar withe the subject of the article - and he is not - he would have mentioned that Apple used to offer Virex antivirus software from MacAfee. In fact, it was free with .Mac subscriptions.

Apple dropped the product like a hot potato when it became clear it was flawed and its flaws were causing widespread problems on Macs. They were behaving like Windows systems: system slowdowns, crashes/instabilities, incompatibilities Virex had with current software prevented people from upgrading from older products. Just messy. Apple dropped it and

Apple was open-minded enough to try out a technology from the world of Windows, open-eyed enough to see it was not working, and responsive enough to kick it to the curb when its problems became evident. Exploits of antivirus software are a really serious problem.
http://reviews.cnet.com/8301-13727_7-10334894-263.html

As Microsoft itself would say, the antivirus software increases the "attack surface" of the system it is running on.

So you have to look at what it is protecting against. In the case of Virex, not much. So it added risk and did not really remove much. It was deemed a net loss.

That is the danger of having a core platform with many exploitable flaws, and then using the same flawed development tools/techniques/habits to create defenses.

Its normal nowadays for PCs running Windows and one of the top-selling antivirus products on Windows to get infected by malware. Just browsing the web on Windows is enough to do it.

There Windows community got complacent about using pattern matchers baked into 3rd party products to put a "band-aid" on the OS each time a new malware for Windows was detected.

The problem with this was two-fold. It sometimes took over a year to even notice a malware that was widespread; e.g. the Sony rootkit fiasco. it created a lax ecosystem where the OS vendor felt it did not have to fix exploitable flaws quickly, just hush up talk about exploits/vulnerabilities.

We saw this when the press reported a series of vulnerabilities reported to Microsoft about six months to over a year before they were exploited, yet the vendor had not released any patch.

It was so slow to respond that for years now, experts have recommended using a non-Windows computer for business & home banking. Booting a Linux CD and launching a web browser directly from the CD to access an online banking site is one technique they suggest.

Banks are not sympathetic to users who run Windows. Users running Windows and antivirus products still got their login credentials stolen and criminals used those credentials to rob the bank accounts. The money often flits over to Eastern Europe. By the time banks respond, which seems fairly quickly compared to typical business processes - the money is long gone, without a trace of where it ultimately went. Vanished.

Now, if that situation, which has been going on for years on Windows does not typify complacency - I do not know what does.

At present, Apple's actions seem adequate - and what is going on upon Windows systems is insufficient. Insufficient for banking customers, oil companies, government agencies around the world, computer gamers, etc.

Microsoft needs to speak more frankly, in simple terms, to how malware is getting control of their customers systems. Without vague descriptions or programmer/security lingo.

And they have to stop redefining terminology too, like "security by obscurity". In short, it really means a cover-up or lack of disclosure about vulnerabilities and dangerous features. Windows... has those in spades. Covering them up is mostly a PR/marketing move that enables hackers to harm the public unaware, and gives the public a false sense of security. When real security is noticeably not there.

What does that have to do with market share - what Microsoft claims the term means? Nothing, but apparently marketing flacks who run the company decided to ignore the real definition/importance of the term and make security by obscurity (a weakness) the backbone of their security strategy.

Microsoft is clinging to this practice. It is clear that it will have to stop it, do a lot of work for years, before hackers stop infecting just the latest and greatest Windows systems. In the meantime, even those are getting compromised.

The industry needs better programming languages - C/C++ have been known to be unsafe for decades. The programming errors that hackers typically exploit have been known and decent programmers have been avoiding them for decades. Clearly, clinging to bad practices - not emo-states - is what is bringing the US computing infrastructure down.

The industry needs more experienced, realistic programmers. Actually, mostly the latter but the main way you get that is through the former - though it is far from automatic.

The industry needs more technically aware managers so when a programmer points out an issue, the manager understands the issue & related ones - and can decide appropriately what actions to take and recommend.

Microsoft cannot just keep using wrong terminology and emo FUD to shore up its problems. Their customers perimeters are overrun. The enemy is not leaving or stopping.

Apple, Microsoft, and others do need development approaches that prevent more vulnerabilities from creeping into new software. But they also need to face that they have gigs of source code that has to be gone through with static/dynamic analyzer utilities and human teams to get cleaned out. That's the dark/blind spot that computers have right now.

There should probably be some major NSF grants to evolve techniques to a) detect existing problems in this body of software, b) replace it with software using programming languages/tools/techniques that are water-tight.

I don't believe the solution is FUD or complacency. But one thing I know is not going to solve the problem is spreading FUD to protect/promote complacency.

• Reply