Security with a Mac versus Windows

January 16th, 2006

There is a thread on Slashdot about smug Mac users on security. This is such an old debate, and people who bring it up nearly always fall into two groups. The first group does not understand security the same way industry experts do and will cite false examples to make their points. The second group is made up of people either trying to apologize for the lack of security of their system or trying to convince people to purchase virus protection from a company like Norton or McAfee.

The first group completely misunderstands what it means to have a secure system. When something changes on your system without your knowledge, or it behaves in a way you do not expect, it is insecure. Maybe you thought you had it password protected but a network service is silently allowing remote users into your system. Or maybe your web browser or media viewer is installing components without your knowledge. These are the primary concerns when it comes to internet security. And if your co-worker deletes all of your email with direct access to your computer, that is physical security, which is a completely different class of security.

The second group just wants you to feel your system can be just as insecure as theirs. And companies like Norton and McAfee want you to think your computer is extremely insecure without their protection. What they do not want you to realize is that some systems are much less secure than others and OS developers have learned to make their software much more secure in the last several years than the systems designed in the pre-internet days.

And this comes down to security policies. A typical home user will not think about their policy, so they will inherit the default security policy from their system. To secure a system, a user would turn off all services they are not using, such as Windows sharing, IIS, Mail, FTP, etc. But Windows NT and Windows 2000 had these things running by default. And if your Windows 2000 server was just acting as a file sharing server, it would still be exploitable by an IIS/Frontpage exploit because IIS was running by default. Now with Windows Server 2003 that service is not running after the initial install. And if you do enable the IIS component, you must explicitly enable ASP.NET or Frontpage extensions if you know you want them on. That is a much more secure security policy.
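To make the default-policy point concrete, here is an added example (not part of the original post) that audits listening TCP services against the list of services a machine is meant to offer. The sample input is constructed in the column layout of `lsof -nP -iTCP -sTCP:LISTEN`, and the `INTENDED` allowlist is an assumption standing in for the file-sharing-only server described above.

```python
import ipaddress

# Constructed sample in the column layout of `lsof -nP -iTCP -sTCP:LISTEN`.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd     312 root    4u  IPv4 0x1a01      0t0  TCP *:80 (LISTEN)
smbd      401 root    6u  IPv4 0x1a02      0t0  TCP *:445 (LISTEN)
cupsd     120 root    5u  IPv4 0x1a03      0t0  TCP 127.0.0.1:631 (LISTEN)
sshd       99 root    3u  IPv6 0x1a04      0t0  TCP [::1]:22 (LISTEN)
ftpd      455 root    3u  IPv6 0x1a05      0t0  TCP [::]:21 (LISTEN)
"""

# Assumption: file sharing is the only network service this host should offer.
INTENDED = {("smbd", 445)}


def parse_listeners(text):
    """Return (command, address, port) for every LISTEN row."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        # NAME looks like *:80, 127.0.0.1:631 or [::1]:22
        addr, _, port = fields[-2].rpartition(":")
        rows.append((fields[0], addr.strip("[]"), int(port)))
    return rows


def is_loopback(addr):
    """True only for sockets bound to a loopback address."""
    if addr == "*":  # wildcard bind: reachable on every interface
        return False
    return ipaddress.ip_address(addr).is_loopback


def unintended_exposure(text, intended):
    """Listeners reachable from the network that nobody asked for."""
    findings = []
    for cmd, addr, port in parse_listeners(text):
        if is_loopback(addr) or (cmd, port) in intended:
            continue
        findings.append((cmd, addr, port))
    return findings


if __name__ == "__main__":
    for cmd, addr, port in unintended_exposure(SAMPLE_LSOF, INTENDED):
        print(f"unintended listener: {cmd} on {addr}:{port}")
```

On the constructed sample, the web and FTP daemons are flagged while the loopback-only services and the intended file sharing service are not.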

But all along MacOS X has followed this way of thinking. The OS has lots of useful features like a web server and file sharing, but the user has to turn them on. And Apple Mail and Safari do not run ActiveX scripts, which gives the platform an edge over Windows in terms of security. Lastly, the way Administrator accounts work on MacOS X is much different than on Windows. If I log into Windows with an account with Windows privileges, the applications I run will have rights to change the registry and files nearly everywhere on the system, and potentially on remote servers if I log in as a domain user. On a Mac any critical changes will prompt me for my username and password, and my account must be granted root privileges in order to change the core system.

I also feel much safer on the Mac due to the available applications. Anyone who has been paying attention to Windows the last several years has known that most exploits have come through MSIE and Outlook. The Mac equivalents are Safari and Apple Mail. As yet I have not seen any major exploits. And when Apple chose the base project for building their web browser they chose KHTML over Mozilla because it worked great and was made up of many fewer lines of code. Less code means fewer places where a security problem can creep in. Both Mozilla and MSIE are built with a mountain of code (over 1 million lines of code) while KHTML started around 200,000 lines of code (if I remember it properly).

So the superior security of the Mac is not due to superior skill among Mac developers at writing more bulletproof code as much as it is due to the more conservative security policy they have been following since day one. In a couple of years, when Vista has been out for a while, we can revisit this debate, as we will then be debating two systems which were designed and built with internet security in mind.
