[CS-FSLUG] Apple's Big Virus

"國產 Wei-Yee Chan (Made in Chinar)" survivor at brisnet.org
Fri Apr 29 11:32:15 CDT 2005


 http://www.securityfocus.com/columnists/319

Apple's Big Virus

By Kelly Martin, Apr 20 2005 02:14PM PT

Back in 1984, William Gibson's Neuromancer had an incredibly bleak view
of our future with technology -- from social decay to daily security
breaches based on greed and corruption. This dystopian view is one that
many people forget, because Gibson of course coined the term cyberspace
even before he'd ever used a computer to any great extent. As a favorite
author of mine, he seems to have since discovered there's some joy to
the Internet after all, and you might even say that he's never looked back.

I've never had a dystopian view of technology, but I do think we're
pulling the general population forward into a realm of the underworld
that they're simply never going to "get." Let's step beyond the growing
privacy issues, the identity theft and so on for a moment. It's so easy
to become accustomed to technology and all its failings, where viruses,
trojans and such have become a fact of life -- for Microsoft Windows
users, at least. We've come to accept the countless virus infections,
the Trojan that steals passwords, and the loss of an average user's
identity as inevitable and acceptable, and it makes me wonder if we're
taking our users down the right path.

Same old story? Not really. Alternative environments like Apple and
Linux are finally catching on. Unit sales of Apple Computer's OS X based
computers grew by 43% in the past quarter, over the same time last year
-- in business terms, that's incredible growth. Revenue grew by 70%, and
profit grew by an unbelievable 530%, thanks to the little music
revolution they call the iPod and the iTunes Music Store.

What's fueling Apple's growth, besides the infamous iPod halo effect?
Security. Either it's the perceived security that is thought to be
better in OS X, or it's the documented lack of security in the Windows
world. By that, I mean that you can't assume everyone who owns Genuine
Windows is running XP with Service Pack 2, which has some improved
security features -- because there are a few hundred million people out
there still running Windows 2000, 98, or something else. No, they don't
have automatic updates, and no, they may never understand what a
firewall is. Anyone who works hands-on in the security field has his own
experience spending countless hours removing viruses and spyware, or
becoming adept at formatting and reinstalling (or laying down a new
image), patching, immunizing, and so on. Whether it's in your large
corporate environment or your Uncle Bob's computer at home, it all takes
time.

Here's a simple example of a recent virus incident, and one
organization's lackluster information response. I discovered a nasty
Trojan on a relative's computer. He's a prominent member of the federal
government and uses his computer for online banking, so I urged him to
contact his bank.

The response the customer received from the Royal Bank, the largest bank
in Canada and one of the 10 largest banks in the world, was interesting.
The representative said that their systems are secure enough that a
Trojan or virus cannot infect them -- but she said thanks for calling to
let them know his home computer had been infected, that his accounts may
have been compromised, and have a nice day. No discussion about stolen
passwords, identity theft, or even the need to change his online
password. Get some better anti-virus software, she said. And again, have
a nice day. The person on the line didn't "get it," and I can assure you
that my relative didn't really "get it" either until after a long talk.
With confirmation from his bank, he was now confident that his system,
the same one with the Trojan and the keylogger still on it, was
perfectly fine. A virus is normal; it's a fact of life. It's no big
deal, right? Why not just email me your SSN, your credit card numbers,
and date of birth then -- or print it out on paper and post it in the
street? The typical user is now forced to use the computer on every
desktop, but must he also become an MCSE to administer it?

Viruses don't have to be a fact of life. There are no viruses on OS X --
not a single one. The reason most often touted is Apple's lack of
critical mass, but that argument has been beaten to death. There are
millions of OS X computers out there. It's not that a virus couldn't be
written for it either. Far from it. The soft underbelly of Unix (or
Darwin, an open-source Unix-like OS similar to FreeBSD) is just as
vulnerable as the eye-candy applications that run on top of it. Step
back from Apple's three-tiered user privilege system (user, GUI
superuser, and root, which is disabled by default) and understand that
users can still be tricked into clicking on anything -- social
engineering will always work, and there will always be people who click.

Why, then, are there no viruses for OS X?

Just as Windows users have become accustomed to 140,000 viruses, Apple
users have become accustomed to none. It's a major cultural difference
that, admittedly, sometimes causes Apple users to do stupid things -- and
get away with them. It's hard to describe the freedom of using a system
with no malware known to have spread. It's liberating.

Beyond critical mass, I would like to believe there's a better reason
for the lack of viruses on OS X, and it's based on the culture of the
Mac -- which is distinctly different from other platforms. Is it wrong
to try a new computer system and actually enjoy the user experience, for
a change? Can you imagine a world where (today) you can click on
anything and never worry about malicious intent? Can we not continue
this unwritten rule that there can be a platform out there that is
simple, easy-to-use, with Unix (and a cool ports tree) underneath that
has no threat at all from viruses?

Perhaps I'm living in a pipe dream, but that reality is here today.
Linux is also close, but OS X is already there. Apple's big virus is
really just the market enthusiasm that translates to new unit sales,
spreading like a contagion, that fuels their 70% year-over-year revenue
growth.

I held off writing this column for the better part of a year, because
many SecurityFocus readers have the intellect, talent and ability to
write a virus that could be quite nasty on OS X. There's the general
notion that (shh!), any added exposure to the platform might bring it
out of the limelight. But if a Windows programmer or security researcher
can try a new operating system and enjoy it just enough to not want to
destroy it, then there's hope for us all.

I should have also prefaced this column with the disclaimer that most
SecurityFocus staff use OS X in some way or another, if not at work then
at home, so we're somewhat biased. After covering multi-platform
security news all day long, from WiFi penetration testing to intrusion
detection and honeypots, at the end of the day it's nice to use a system
that's not on everyone's radar for a change. Let's keep it that way.

Kelly Martin has been working with networks and security for 18 years,
from VAX to XML, and is currently the content editor for Symantec's
independent online magazine, SecurityFocus.
