Apple MacBook Review: Part 2

Features
By Alan Dang
published

Security

Macs are NOT hack-proof. They are not inherently more secure than Windows PCs. In real-world use, however, OS X is more secure. Why is that so?

Myth #1: The average Mac OS user may be more tech savvy than the average Windows user and less likely to succumb to social engineering.

This may actually be true. Before you fire off that email to complain, keep in mind that the Tom’s Hardware audience isn’t the average Windows user. You’re at the upper echelon of the group that builds PCs, keeps up with the latest technology trends, and does its own research before making a tech purchase. I’m not saying that Mac users are smarter than Windows users. Just the averages. If you think about the ubiquity of computers in North America, Europe, and Asia, then the average Windows user should in fact be close to the 50 percentile for the global population. If you think you’re better than 50 percentile, then you, too, are better than the average.

If you look at the market, it makes sense. US Census data has long shown the association between level of education and household income. Since Macs are inherently more expensive, it would follow that the average income of a Mac owner should be higher than the average income of a Windows owner, and along those lines, the average education of a Mac owner should be higher than that of a Windows user. That bears out in large surveys. About 70% of Mac users have a college education whereas only 54% of Windows users have a college education according to a 2002 Nielsen study.

Ultimately, it’s not the “average” that matters--it’s the least tech savvy in any group that ruins it for the rest of us.  Take spam for example.  Recent work from UC Berkeley and UCSD determined that out of 350 million pharmaceutical spam messages sent via the Storm botnet, 10,522 users visited the site and 28 people tried to actually make a purchase. It’s those users that make spam profitable and make it a problem for the rest of us.

At another level, there is some truth to this claim because Mac owners have to be consciously making a switch to the Mac. Either they’re technically savvy users who are comfortable dealing with cross-platform issues or they're technical neophytes who are still smart enough to know that they don’t know anything and therefore choose the Mac as their one method of trying to stay safe. It’s the Windows users who don’t know even know that they’re vulnerable who drive the statistics up.

This myth is true if you consider the statistics; the myth is unimportant.

Myth #2: Mac OS X have a superior design

In theory, Vista should be the better-designed operating system. Microsoft actively invests in extensive security capabilities and the Address Space Layout Randomization in Windows Vista and recent security analyses comparing number of risks and “days at risk” show that Windows Vista users actually fare better than Mac OS X users.

The problem is that these analyses are limited to “security holes we know about” and get patched. Suppose two operating systems have 1000 holes in them. If one manufacturer patches 400 of them, and the other only patches 40, which is the more secure system?

The answer is neither. It only takes one hole to compromise the entire system.

Myth #3: Macs are targeted less frequently.

Malware is profit-driven. Since there are fewer Macs on the market, the hypothesis is that commercial malware operators will not target the Mac until they reach a critical threshold market share. At some point, Macs will reach critical mass and it will be as big of a target at Windows.

An analysis performed by the Director of Emerging Technologies at Cloudmark and published in the IEEE Security and Privacy has an interesting hypothesis. Using game theory, he predicts that Macs will become an economically-feasible target once the platform breaks 16% market share. Even with the success of the Mac, we don’t see Apple reaching that level for a few years (if that). Then, once the Mac reaches that level of market share, the assumption has to be that developing malware for that Mac costs the same as developing malware for the PC, and this may not be the case.

In 2008, there were 1.5 million different pieces of malware targeting Windows machines. There are less than 200 pieces of malware targeting the Mac.

Myth #4: Pwn2Own

This one comes from the comments section of our State of the Personal Computer piece from late last year.

The story about the Pwn2Own contest is that a hacking contest was held to see if Windows Vista, Ubuntu, or Mac OS X was more secure. Hack the machine, and you win the computer. The MacBook Air fell 2 minutes after the start of the contest. Windows Vista fell the next day. Ubuntu remained unhacked for the entire 3 day competition. Therefore, Macs are the least secure, followed by Windows Vista, followed by Ubuntu Linux.

That’s how the story goes.

The details are where things get interesting. It’s easy to imagine Pwn2Own as this free-for-all death match with hundreds of hackers going at it for glory and fame. In fact, Pwn2Own was a contest with very rigid rules. You had to wait in line to attack a target. Only one team had an opportunity to hack a machine at any time. Each opportunity was 30 minutes, and if you are unsuccessful, you have to go back to the end of the line and wait your turn. You can only wait in one line at a time, and you can only win the contest once. First come, first serve.

Only four teams participated.

Day 1: Win the notebook if you can do a true remote execution attack. No attempt was made.

Day 2: Web browsers and mail application will now be allowed. The organizers of the competition will visit a Web site or receive an email. The winner of the MacBook Air knew that he had a previously undescribed flaw in Safari that would win the competition. He was the first in line that day. Hacked in 2 minutes.

The two minute story makes for a great story and lots of publicity for both the conference and the security researcher, but no one really talks about the time spent BEFORE the contest to discover the exploit.

Day 3: Common plug-ins are now installed. The Vista notebook is hacked via an Adobe Flash exploit.

The two-man team that took down Vista did so with their personal MacBook Pro notebooks. Although the Vista notebook wasn’t the first to go that morning, the Flash exploit that affected Windows Vista also affected the Ubuntu Linux machine that had Adobe Flash installed. The contestants just weren’t interested in trying to win the Ubuntu machine. No one signed up to try to hack the Ubuntu Linux notebook according to the organizers.

So, when you read an article talking about Pwn2own, the fact still remains that OS X has not been the target of active remote execution exploits or browser holes in real-life. Current OS X malware exists only in the form of Trojans in which the user is willingly installing software and willingly entering the administrator password.

Alan Dang
145 Comments Comment from the forums
  • pereira5375
    While I was wrighting the follwing on the Part 1 of this article Part 2 was posted. After reading part 2 I think what I wrote holds true. Here it is:

    I believe this is an advertisement. Whether the author knows that or not is debatable, but certainly the big whigs at Tom's HARDWARE know it.

    Apple seems to have a very good stealth advertising campaign. To expand their market they have developed a very good stealth campaign. They advertise on Rush and Fox both, but stealthily. They have to. Their very tolerant hippie base wouldn't tolerate otherwise.

    BTW this is Tom's HARDWARE. I build my own PC. If I want to read fan boy praises of Apple there are a million other sites I can go to and read that. Why am I reading it here? When I can build my own McIntosh I'll appreciate fan boy articles like this.
    Reply
  • pereira5375
    Whoops: writing.
    Reply
  • pereira5375
    Again I feel a need to point out I am a hardware enthusiast because I build my own computer. This is Tom's HARDWARE. There are three feature articles on the homepage. Usually there is a new one about each week day. Currently there are two Apple feature articles up there. Add one more and this site will officially be useless to me.
    Reply
  • Inneandar
    more or less the same sentiment here. The first article, although also heavily debated, at least tried to focus on the hardware and was informative to some extent. But this... I dont see any need to throw up endless fanboy discussions, and other than that, I fail to see anything this article will achieve. Frankly, who is interested in why os X is better because the hacked version runs the CPU slower - common.
    I extremely liked the part on 'MAC users are smarter' though. I one fell swoop you boost your ego, try to insult me, and put the amount of trustworthy information in this article on the same level as a london tabloid.
    Reply
  • BertrumPantyshield
    Myth 2 on page 2 seems completely stupid. Yes it only takes one hole for a system to be compromised, however, there are still 960 possible holes on one and 600 on the other. This reduces the chance of a hole being found, and thus, exploited. For example: a system has 1,000,000 holes the other has 1. Both are equally secure? Its far easier to find 1 hole in million, than the only hole in the system.
    Reply
  • bachok83
    @pereira5375
    OMG, you are right. I havent realized about this fact until i read your comment. Mac OS X accounts for less than 10% of users and yet 90% of the news these days are about Apple.

    I admit Apple has created so much technical advancements over the years, but they cant even display things right:
    http://www.scavey.com/index.php/should-i-migrate-to-mac-os-knowing-renderers/

    hmm.. so, let's all read about Windows 7 then.. i read it's working :)
    Reply
  • ravenware
    About 70% of Mac users have a college education whereas only 54% of Windows users have a college education according to a 2002 Nielsen study.

    A college education is only as useful as the person who obtains it.
    I work with several college educated people who don't appear to have enough intelligence or knowledge to be considered high school educated.

    Security wise, the computers operating system is only as secure as the person who uses it.

    My home machine had been uninfected for nearly 3 years, no crashes nothing. As soon as my sister starts using my machine on myspace BAM! Reformat city. :)

    Anyway, I would like to see a video review of the Mac OSX done by THG.
    There is just not enough information in this article or the one from Tuan Nguyen about the OS.

    If not I will have to hack one on to my machine, if it is even possible with an AMD CPU. I am not going to shell out an ass load of money for something that I may not even want.

    Hey apple there is an idea! You want more users to switch to your OS? Release some sort of PC capable demo OS for users to try.
    Reply
  • bachok83
    ravenwareHey apple there is an idea! You want more users to switch to your OS? Release some sort of PC capable demo OS for users to try.
    I dont think Apple cares as much as how many people are using their OS. Otherwise they wouldnt even care creating BootCamp software to run windows on Mac machines.

    The only major concern from Apple is how many people buying their hardware. Apple has been a hardware company and always has been. Little that they know that they could be a great software company.... wait...

    Nahh, they dont care about that either since they are moving pass that to a service oriented company. Does iTunes, MobileMe, Apps Store ring any bells, anyone?
    Reply
  • ravenware
    bachok83I dont think Apple cares as much as how many people are using their OS. Otherwise they wouldnt even care creating BootCamp software to run windows on Mac machines. The only major concern from Apple is how many people buying their hardware. Apple has been a hardware company and always has been. Little that they know that they could be a great software company.... wait...Nahh, they dont care about that either since they are moving pass that to a service oriented company. Does iTunes, MobileMe, Apps Store ring any bells, anyone?
    Hence the usage of the word "demo". Why would someone buy an apple computer if they didn't like their operating system?

    Release a demo on the PC to convince users to by their machine.
    Reply
  • justjc
    @Author Alan Dang: It's all good and well that you like you new toy, the Macbook, I had a simular feel when I got my ASUS notebook. Not that it was faster than my desktop, it just felt better because it was the new one. For me that feeling lasted more than two months, so perhaps it's the same thing that makes you say you'll by Apple again.

    That aside you mention the reason for switching to the Mac is that you'll be able to run Adobe Creative Suite and Microsoft Office on it. Yet here at the software part, of your article, you fail to mention how that part of the switch went.
    It's no secret that there have been compatibility issues between PC and Mac versions of the same programs in the past, have you had any?
    How does it feel to work with the usual programs in their new enviroment?
    Do you still instinctively right click to get the right click menu, or do you use Ctrl + left key?
    A couple of benchmarks on those programs wouldn't be bad either.

    Thanks for the articles, hope to see one on the needed programs as well ;)
    Reply