Security Curve Weblog

Best and Worst Things about Apple

OK, so if you haven't seen it, check out Silicon.com's 10 Best Things about Apple and their 10 Worst Things about Apple. What I found particularly interesting about this is that (for the most part), these points exactly correlated with my own assessment as a Mac-owner.

One minor point that I would make is to point out that "security" should probably be represented somewhere on both lists. In my opinion, it should be on the best list because of the fact that Apple does have a track record of reduced malware (and you can't argue with success) but also on the worst list for a few reasons:

- It takes them longer to publish security fixes than any other OS vendor
- The disingenuous marketing (i.e. the Vista "shades" commercial)
- Encouraging users to not take security seriously on OS X

Anyway, I found it interesting that security wasn't represented on either list - especially since there's so much buzz about it in the press (and in the marketing) nowadays...

Atom Smasher does it again

Atom Smasher does it again. This time, it's a do it yourself puzzle generator. Awesome, right?

Apple "Vista Dude" Replaces Agent Smith as My Personal Hero

You know what's a great affectation? An ear piece... Seriously. I've always liked them. I guess it's because it's the stereotypical "man in black" thing - like a black suit (I have one of those) or some dark sunglasses (have them too). All sorts of interesting characters sport the ear piece, which makes sense because they're both chic and a mark of authority. Will Smith and Tommy Lee Jones had them in Men in Black (cool and chic) whereas Agent Smith from the matrix had one (mark of authority). Anyway, joining these ranks is Apple's new "Vista Dude" (pictured right.) Now, you've probably already seen the ad, but in case you didn't, here's the brief rundown - the "I'm a PC" guy has Vista installed and now he's gained a "security dude" that asks him "Cancel or Allow" whenever he says or does anything. Hilarious.

There's also an accompanying tagline from Apple: "114,000 Viruses? Not on a Mac. Mac OS X was designed for high security, so it isn't plagued by constant attacks from viruses and malware like PC's. Likewise, it isn't plagued by never-ending security dialog boxes like those in Vista. So you can safely go about your work - or fun - without interruption." Here it is so you can see I'm not lying:

Now, before I start in on this... remember that I'm a Mac user. Actually, I'm using my iBook to type this post. I'm also not one to arbitrarily make the claim that Vista is a secure platform. (Well, OK - some press folks did report me as saying that, but what I actually said had a bunch of qualifiers that didn't make it into the story.) Anyway, my point is the same one I've made all along (remember, as a Mac user); specifically, that Apple's current line of advertising (entertaining though it is) is problematic to Mac users in the long term. Why do I say that? Let's break it down:

1) The subtext is untrue. Apple says "Mac was designed for high security..." (implied subtext is that Vista and other OS'es were not.) Aside from it arguably not being a fair representation of Microsoft's approach to Vista, the statement is meaningless. I mean, it has an implied logic that doesn't hold up under scrutiny. For example, "it's designed to be secure, therefore it doesn't have malware" is crap. How about "the Titanic was designed for seaworthiness, ergo it didn't really sink?" Same logic - does it make sense there? No. Trying to make the case that users should take a vendor at their word based on a statement of their intent at the time of development is ludicrous.

2) Asking the user. Sometimes you have to ask the user for a decision. For security decisioins, you're more likely to have to ask the user for input. My Mac asks me to make security decisions all the time - like whether I should enter my root password when I'm installing new software.

3) It does down the earpiece. Respect the earpiece. I won't see it defamed in this way.

4) (and now the real reason this tweaks me...) Security is more than malware. Some of us Mac users happen to think that the current dearth of Mac malware has more to do with percentage of population and user base rather than inherent features of the Mac. If that's true, defining the Mac as being "secure" because it has less malware short-circuits Apple's position in the long term. Why? Because if they hope to become the dominant platform, they will have malware too. If they get us to buy-in that lack of malware equals security, aren't we going to view them in the same light that we view MSFT today? Not a good idea...

Anyway, I love these commercials. But I also want Mac to succeed. And they're not helping themselves in that regard.

My mouth gets me in trouble (once again)

OK, so I posted a while back about the whole QDSP training process, and the folks over at the PCI and Data Security Compliance Blog (rightly) called me on it for being overly negative toward the wrong people. Actually, I was mostly trying to be funny, but this was unquestionably the wrong way to go about doing it. Anyway, I felt it might be good to take a moment and lay out what my frustration actually is (and why it's not with them) and apologize to those folks for taking it personally (I actually respect their work quite highly)...

Anyway, my beef with the training is probably that I feel, as a QDSP, under-prepared for how Visa expects me to interpret the requirements of the standard. But that is not because the class wasn't as good as it could be; instead, I think it's because of the way the standard is implemented and assessors are qualified. Now, why should I be interpreting the requirements of the standard, you ask? Because, unlike the majority of other regulatory guidance, PCI is prescriptive. For example, PCI says that companies need to have a firewall. And they say that you have have to have anti-virus software, application-level firewall software (new version), etc. It's up to the assessor to interpret if they have done it and if it is done appropriately. To contrast, I just went through the ISO-27001 auditor training, and the auditors are not expected to evaluate the quality of a given implementation; for example, there's an example in there about damage to documents caused by a leaky roof (there's a requirement that documents be legible, retained appropriately, locatable, etc.) Anyway, the example asks if it's acceptable from the point of view of the standard to put those documents in Tupperware containers; now, if you were to judge qualitatively, you would say "that's crazy - fix the damn roof." But that'd be the wrong answer... because the standard does not define what you need to do technologically so long as the core issues are met.

So, I guess my frustration is with the fact that we, as assessors, are signing off on something that we are being asked to interpret. It's subjective and we're not being given guidance from Visa. But that's not the fault of the class, and it was inappropriate of me to imply that it is. So, sorry again to those guys.