I still consider myself a relative newcomer to the Mac community. Despite being the Security Editor at TidBITS and an occasional contributor to Macworld (print and online), and having spoken at Macworld Expo a couple times, I only really switched to Macs back in 2005. To keep this in perspective, TidBITS has been published electronically since 1990.
Coming from the security world I had certain expectations of the Mac community. I thought they were naive and smug about security, and living in their own isolated world.
That couldn’t have been further from the truth.
Over the past 7 years, especially the past 5+ since I left Gartner and could start writing for Mac publications, I have learned that Mac users care about security every bit as much as Windows users. I haven’t met a single Mac pundit who ever dismissed Mac security issues or the potential for malware, or who thought their Mac ‘immune’. From Gruber, to Macworld, to TidBITS, and even The Macalope (a close personal friend when he isn’t busy shedding on my couch, drinking my beer out of the cat’s water bowl, or ripping up my drapes with his antlers) not one person I’ve met or worked with has expressed any of the “security smugness” attributed to them by articles like the following:
- Are MACS Safer then PCs
- Flashback Mac Trojan Shakes Apple Rep of Invulnerability
- Widespread Virus Proves Macs Are No Longer Safe From Hackers
- Expert: Mac users more vulnerable than Windows users
And countless tweets and other articles.
Worse yet, the vast majority of Mac users worry about security. When I first started getting out into the Mac community people didn’t say, “Well, we don’t need to worry about security.” They asked, “What do I need to worry about?” Typical Mac users from all walks of life knew they weren’t being exploited on a daily basis, but were generally worried that there might be something they were missing. Especially relatively recent converts who had spent years running Windows XP.
This is anecdotal, and I don’t have survey numbers to back it up, but I’ve been probably the most prominent writer on Mac security for the past 5 years, and talk to a ton of people in person and over email. Nearly universally Mac users are and have been, concerned about security and malware.
So where does this myth come from? I think it’s 3 sources:
- An overly vocal minority who fill up the comments on blog posts and news articles. Yep – a big chunk of them are trolls and asshats. There are zealots like this for every technology, cause, and meme on the face of the planet. They don’t represent our community, no matter how many Apple stickers are on the backs of their cars and work-mandated Windows laptops.
- One single advertisement where Apple made fun of the sick PC. One. Single. Singular. Unique. Apple only ever made that joke once, and it was in a single “I’m a Mac” spot. And it was 100% accurate at the time – there was no significant Mac malware then. But since then we have seen countless claims that Apple is ‘misleading’ users. Did Apple downplay security issues? Certainly… but nearly exclusively during a period when people weren’t being exploited. I’m not going to apologize for Apple’s security failings (especially their patching issues, which lad to the current Flashback issue), but those are very different than actively misleading users. Okay – one of the Securosis staff believe there may have been some print references from pre-2005, but we are still talking small numbers and nothing current.
- Antivirus vendors. Here I need to tread cautiously here because I have many friends at these companies who do very good work. Top-tier researchers that are vital to our community. But they have a contingent, just like the Mac4EVER zealots, who think people are stupid or naive if they don’t use AV. These are the same people who want Apple to remove iOS security so they can run their AV products on your phones. Who took out full page advertisements against Microsoft when MS was going to lock down parts of the Windows kernel (breaking their products) for better security. Who issue report after report designed only to frighten you into using their products. Who have been claiming that this year really will be the the year of mobile malware (eventually they’ll be right, if we wait long enough).
Here’s the thing. The very worst quotes and articles attacking smug Mac users usually use a line similar to the following:
Mac users think they are immune because they don’t install antivirus.
Which is a logical fallacy of the highest order. These people promote AV as providing the same immunity they say Mac zealots claim for ‘unprotected’ Macs. They gloss over the limited effectiveness of AV products. How even the AV vendors didn’t have signatures for Flashfake until weeks after the infections started. How Windows users are constantly infected despite using AV, to the point where most enterprise security pros I work with see desktop antivirus as more a compliance tool and high-level filter than a reliable security control.
I’m not anti-AV. It plays a role, and some of the newer products (especially on the enterprise side) which rely less on signatures are showing better effectiveness (if you aren’t individually targeted). Plus most of those products include other security features, ranging from encryption to data loss prevention, that can be useful. I also recommend AV extensively for email and network filtering. Even on Macs, sometimes you need AV.
I am far more concerned about the false sense of immunity claimed by antivirus vendors than smug Mac users. Because the security-smug Mac user community is a myth, but the claims of the pro-AV community (mostly AV vendors) are very real, and backed by large marketing budgets.
Update: Andrew Jaquith nailed this issue a while ago over at SecurityWeek:
Note to readers: whenever you see or hear an author voicing contempt for customers by calling them arrogant, smug, complacent, oblivious, shiny-shiny obsessed members of a cabal, “living in a false paradise,” or “fanboys” (with or without the i-for-y substitution), take a whiff of the air nearby. You’ll sniff the sickly sweet smell of schadenfreude wafting in from the general vicinity of the speaker. The condescension doesn’t persuade customers to take security any more seriously, but it probably makes the speaker feel better, right?
Reader interactions
13 Replies to “The Myth of the Security-Smug Mac User”
@Raymond Meyers
“Ergo, OS X is more secure than Windows.”
Your logic is faulty. Up until recently Macs have been safer (and may still be safer) because they have been attacked less. That doesn’t mean they are more secure. Rich quoted on CNET back in 2010 (http://news.cnet.com/8301-27080_3-10444561-245.html):
“But I want to give Microsoft credit because the more advanced features they put into their operating system are superior to what Apple has done. It’s really a balance because there’s little motivation for Apple to do more at this time. The Mac OS has got some holes in there that Microsoft has closed down. But since it’s attacked less there is less motivation for Apple to close the gap.”
Practically all the security experts quoted say something similar. Charlie Miller quoted in the same article:
“At some point the market share of Macs will reach a threshold to interest attackers, and then things will quickly turn bad for Mac users.”.
That time has come.
I’m a Mac user with 25 years of experience. I can seem a little smug. Not a single one of my machines has ever been infected, and until just now, I’ve never really felt the need to worry about security. I’ve been lucky.
I have installed an AV program on my two Macs at home. Why? Because I think the old walnut about “security by obscurity” had a kernel of truth to it. And that measure of protection is fading. I don’t think the AV software makes me bulletproof, but I do think it gives me a bit of an edge over just trusting Apple. Also, phishing and Trojans are becoming more sophisticated.
In every scenario, the bad guys innovate first and the good guys have to play catch-up.
Over the last 25 years, Macs have been attacked by fewer pieces of malignant code than Windows. OS X has been attacked successfully far, far fewer times than Windows over the last 10 years. Ergo, OS X is more secure than Windows. It’s arithmetic, not opinion. That doesn’t justify stupidly ignoring inexpensive security measures any more than living in a gated neighborhood justifies leaving the keys in your Ferrari and all your doors unlocked.
The users are less an issue than Apple. Apple doesn’t discuss security issues. The relationship with poeople who work on security issues outside the company seems less than great. As a result a lot of what Apple writes about security is marketing. And the marketing is hip and rather smug and elitist. Which isn’t to say those things are bad. A lot of marketing is smug and elitist, and involves a lot of lifestyle fantasy etc., and their marketing has been succesful.
You list one source of blame at Apple:
“One single advertisement where Apple made fun of the sick PC. One. Single. Singular. Unique. Apple only ever made that joke once, and it was in a single “I’m a Mac” spot. And it was 100% accurate at the time – there was no significant Mac malware then. But since then we have seen countless claims that Apple is “misleading” users.””
So are the following quotes accurate or misleading? These are taken from their website now; not something from 2006 or whenever that ad ran.
http://www.apple.com/why-mac/better-os/
“…unparalleled security…”
“It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part.”
“Stay up to date, automatically. When a potential security threat arises, Apple responds quickly by providing software updates and security enhancements you can download automatically and install with a click. So you’re not tasked with tracking down updates yourself and installing all of them one by one.”
The “doesn’t get PC viruses” is disingenuous to say the least. A speaker at Blackhat last year said something like “doesn’t get get Mad Cow or HIV either”. So what? And is there anyone that works on security who believes that “Apple responds quickly”? Even just “in a timely manner” would be a stretch.
Text from a PDF on their website now and dated August 2011:
http://images.apple.com/education/docs/apple-10-reasons-macbook-in-education_20110826.pdf
“Security, stability, and simplicity at the core.
The OS X operating system provides innovations that make MacBook reliable, incredibly easy to use, and more secure. UNIX, the rock-solid platform upon which OS X is built, is tried and proven in the industry to be stable, secure, and free from PC viruses. Apple is the only technology provider that designs the hardware, the operating system, and many built-in applications, ensuring the highest level of stability right out of the box. And OS X delivers unmatched ease of use, keeping the focus on learning, not on the technology. No wonder OS X is described as the world’s most advanced operating system.”
“Security…at the core”. One of the refrains that’s common is that OS X is designed to be secure. It is secure by design or inherits a secure architecture from UNIX/BSD. This apparently explains why OS X is different (it’s a “better OS” and “more secure”) and doesn’t get viruses and doesn’t suffer from the security problems that plague Windows. (Apparently, Dave Culter never thought about security, SDL is a package delivery service, criminals don’t care about cost/opporunity, and there’s a secret mine of magic fairy dust in Cupertino.) And it’s so good it’s security “without any work on your part”! This is a technological fantasy, as dubious as any pitched by some scare-mongering anti-virus peddler. It may be good marketing but it’s lousy security.