January 05, 2007

Month of Apple Bugs... Does it Matter?

So, you've probably noticed that the month of Apple bugs is going on even as we speak... Much like the month of browser bugs, the month of kernel bugs, and the month of Oracle bugs (which kinda petered out), the plan is to post a full month's worth of bugs impacting Apple at a rate of one per day.

Now I saw that this Apple bug thing was going on and I didn't write about it 'cause I figured "ho-hum"... and then came the wall of controversy. Thomas Ptacek weighed in early, saying that there's no reason for a "bug a day" release schedule.

HD Moore to Dark Reading: “[A MOXB scheme] seems to be the answer to a ton of denial and hubris about whether Apple products are more secure than any other vendor.” It’s hard to criticise HD; he’s both nicer and smarter than me. But, here goes: “denial and hubris” about Apple security is not a problem that we need HD Moore to correct...
There are arguments to be made in favor of publishing exploits. There are arguments for going public with a finding immediately. What’s the argument for a bug-a-day release schedule?

To be fair, there is a well-developed argument in the above (where the ellipsis is) that he uses to justify the point; it's worth reading if you're interested in debating the usefulness of the MOAB (Month of Apple Bugs), but too long to reproduce in full here. Then Ross Brown weighed in too, both about the MOAB and about the reaction to it:

Having a hard time seeing the point of this exercise, but it seems somebody wasn't held enough as a child. Thomas isn't tied to vendors and asserting it just makes the whole project a lot sillier.

So, two folks who don't see how this is useful. Is it? First, let's get the elephant in the room out of the way: the ONLY reason there could possibly be for doing a "month of xxx bugs" is to get attention... in other words, for the press. The press loves this stuff, they are sure to cover it, and you can use any ol' bug you find to fuel it. In terms of "bang for the buck" for getting media attention, there's absolutely nothing better you can do. So the question becomes not "what's the point of the Month of Apple Bugs?" but "what's the point of drawing press attention to Apple bugs?" And that's where I disagree with both Ross and Thomas, because I think there is a point.

Specifically, I've argued all along that Apple's marketing does a disservice to Mac users. They put out a strong pro-security marketing message, and there's nothing wrong with that. However, one could argue that some of their marketing could lead users to believe things about the Mac that aren't entirely true. For example, one could interpret the Apple marketing as claiming increased resistance to security vulnerabilities. If users take it that way, it puts them in a dangerous position: they might be less inclined to apply updates promptly, or less inclined to monitor their systems for intrusion, because they believe there is nothing to patch or detect. So, is that the case? Do Apple users have the perception that there are fewer bugs?

Take a look at the comments from Mac users in response to this article about the relative security of Mac and Windows:

- You can "believe" all you want about the Mac OSX having security flaws, but that won't make it so. Keep dreaming.
- If you talk with hackers, they'll tell you that at this point the Mac is considered THE prize, because everyone keeps claiming that it can't be done. Still, they don't succeed.
- What you need to do next is apologise for your ignorance and complete lack of understanding as to what makes a Mac (and by extension any Unix-based operating system) so much less vulnerable than any flavour of Windows.
- Arguing that gaping flaws like this are equivalent to as yet undiscovered flaws in Mac OS X is simply unsupportable.
- So, hackers *are* trying to crack the Mac, they just suck at it.

Need more? I got bored after page 3; feel free to have a gander yourself. There are pages and pages of Mac users saying that the Mac doesn't have vulnerabilities. Not saying that there are *fewer* vulnerabilities... not saying that *maybe there are fewer*... saying that there are none...

So, is it useful for someone to get the press to point out that Apple has vulnerabilities? In general, I would prefer to know the truth about something rather than believe a lie. For example, as a Mac owner (which I am), I would rather know that there are Mac bugs so I can take action and be vigilant, as opposed to not knowing about them and getting burned. Now, even if it is less likely that I'd get burned than somebody else, that's small consolation if it happens and it was avoidable had I known the facts. But maybe that's just me.

Posted by Ed at January 5, 2007 09:11 AM
Comments

I've gotten a couple of calls from the press and their general take on it is, "Yeah, we know Apple's not exactly honest about security exposures in the Mac, but who expects a vendor to be honest? Moreover, who cares, given their limited installed base? This is like arguing about the relative crash worthiness of a Honda Civic (used by millions) vs. Jet packs (used by a few people)"

And I generally agree with the sentiment. It's not that Mac is more secure, it's that nobody cares due to their market share. And I own three Macs. I'm at work, so I'm writing this on a Thinkpad. I can't swing a dead cat in this office without hitting a PC, but no Macs to be found.

Posted by: Ross Brown at January 5, 2007 11:21 AM

The Month Of Apple Bugs is a very good idea, and very necessary

Posted by: robert at January 5, 2007 03:35 PM

"And I own three Macs" nuff said.

Posted by: Smug at January 5, 2007 07:51 PM

Ross:

"And I own three Macs. I'm at work, so I'm writing this on a Thinkpad. I can't swing a dead cat in this office without hitting a PC, but no Macs to be found."

That always seemed to be the eEye attitude, that Macs were for girls or something. I remember when I worked for eEye I expressed some interest in finding flaws in OS X, and was immediately shot down as if I were stupid or something. Now, I know that eEye products are only for Win32, but still. Also, who cares if the install base is low? It's growing, and growing fast. Why not look for them now...?

Posted by: tom ferris at January 5, 2007 08:18 PM