I still consider myself a relative newcomer to the Mac community. Despite being the Security Editor at TidBITS and an occasional contributor to Macworld (print and online), and having spoken at Macworld Expo a couple times, I only really switched to Macs back in 2005. To keep this in perspective, TidBITS has been published electronically since 1990.
Coming from the security world I had certain expectations of the Mac community. I thought they were naive and smug about security, and living in their own isolated world.
That couldn’t have been further from the truth.
Over the past 7 years, especially the past 5+ since I left Gartner and could start writing for Mac publications, I have learned that Mac users care about security every bit as much as Windows users. I haven’t met a single Mac pundit who ever dismissed Mac security issues or the potential for malware, or who thought their Mac ‘immune’. From Gruber, to Macworld, to TidBITS, and even The Macalope (a close personal friend when he isn’t busy shedding on my couch, drinking my beer out of the cat’s water bowl, or ripping up my drapes with his antlers) not one person I’ve met or worked with has expressed any of the “security smugness” attributed to them by articles like the following:
- Are MACS Safer then PCs
- Flashback Mac Trojan Shakes Apple Rep of Invulnerability
- Widespread Virus Proves Macs Are No Longer Safe From Hackers
- Expert: Mac users more vulnerable than Windows users
And countless tweets and other articles.
Worse yet, the vast majority of Mac users worry about security. When I first started getting out into the Mac community people didn’t say, “Well, we don’t need to worry about security.” They asked, “What do I need to worry about?” Typical Mac users from all walks of life knew they weren’t being exploited on a daily basis, but were generally worried that there might be something they were missing. Especially relatively recent converts who had spent years running Windows XP.
This is anecdotal, and I don’t have survey numbers to back it up, but I’ve been probably the most prominent writer on Mac security for the past 5 years, and talk to a ton of people in person and over email. Nearly universally Mac users are and have been, concerned about security and malware.
So where does this myth come from? I think it’s 3 sources:
- An overly vocal minority who fill up the comments on blog posts and news articles. Yep – a big chunk of them are trolls and asshats. There are zealots like this for every technology, cause, and meme on the face of the planet. They don’t represent our community, no matter how many Apple stickers are on the backs of their cars and work-mandated Windows laptops.
- One single advertisement where Apple made fun of the sick PC. One. Single. Singular. Unique. Apple only ever made that joke once, and it was in a single “I’m a Mac” spot. And it was 100% accurate at the time – there was no significant Mac malware then. But since then we have seen countless claims that Apple is ‘misleading’ users. Did Apple downplay security issues? Certainly… but nearly exclusively during a period when people weren’t being exploited. I’m not going to apologize for Apple’s security failings (especially their patching issues, which lad to the current Flashback issue), but those are very different than actively misleading users. Okay – one of the Securosis staff believe there may have been some print references from pre-2005, but we are still talking small numbers and nothing current.
- Antivirus vendors. Here I need to tread cautiously here because I have many friends at these companies who do very good work. Top-tier researchers that are vital to our community. But they have a contingent, just like the Mac4EVER zealots, who think people are stupid or naive if they don’t use AV. These are the same people who want Apple to remove iOS security so they can run their AV products on your phones. Who took out full page advertisements against Microsoft when MS was going to lock down parts of the Windows kernel (breaking their products) for better security. Who issue report after report designed only to frighten you into using their products. Who have been claiming that this year really will be the the year of mobile malware (eventually they’ll be right, if we wait long enough).
Here’s the thing. The very worst quotes and articles attacking smug Mac users usually use a line similar to the following:
Mac users think they are immune because they don’t install antivirus.
Which is a logical fallacy of the highest order. These people promote AV as providing the same immunity they say Mac zealots claim for ‘unprotected’ Macs. They gloss over the limited effectiveness of AV products. How even the AV vendors didn’t have signatures for Flashfake until weeks after the infections started. How Windows users are constantly infected despite using AV, to the point where most enterprise security pros I work with see desktop antivirus as more a compliance tool and high-level filter than a reliable security control.
I’m not anti-AV. It plays a role, and some of the newer products (especially on the enterprise side) which rely less on signatures are showing better effectiveness (if you aren’t individually targeted). Plus most of those products include other security features, ranging from encryption to data loss prevention, that can be useful. I also recommend AV extensively for email and network filtering. Even on Macs, sometimes you need AV.
I am far more concerned about the false sense of immunity claimed by antivirus vendors than smug Mac users. Because the security-smug Mac user community is a myth, but the claims of the pro-AV community (mostly AV vendors) are very real, and backed by large marketing budgets.
Update: Andrew Jaquith nailed this issue a while ago over at SecurityWeek:
Note to readers: whenever you see or hear an author voicing contempt for customers by calling them arrogant, smug, complacent, oblivious, shiny-shiny obsessed members of a cabal, “living in a false paradise,” or “fanboys” (with or without the i-for-y substitution), take a whiff of the air nearby. You’ll sniff the sickly sweet smell of schadenfreude wafting in from the general vicinity of the speaker. The condescension doesn’t persuade customers to take security any more seriously, but it probably makes the speaker feel better, right?
Reader interactions
13 Replies to “The Myth of the Security-Smug Mac User”
It was Twitter wasn’t it? Get ’em!
“Antivirus firm Intego now reports that Flashback’s creators are using an interesting new tactic for communicating with machines infected by the trojan: Twitter. According to the report, Flashback is programmed to search Twitter for Tweets containing a unique 12-digit code that changes daily, with the malware’s authors being able to issue commands to infected computers by posting from any number of Twitter accounts simply by including the appropriate code as a hashtag.”
http://www.macrumors.com/2012/03/05/flashback-malware-authors-using-twitter-to-talk-to-infected-machines/
Since I’ve been hearing this “Mac users think they’re immune” from way before the first obvious example of serious troubles, I think that’s not schadenfreude — delight at others’ misfortunes— but rather envy or justification for “being smarter” about security but getting crappier outcomes.
There’s a point that needs to be made: when the “PC Viruses” ad ran, Windows users were at constant and severe risk from malware. (I haven’t heard anybody contradict my guess that XP was the vehicle for more malware than all other OS’s combined. One friend scrapped her PC after a fresh install still left her PC unusable, in control of bots.) But in their unique ways, all platforms have moved on from that tragic era, and either we’ve all learned how to cope, or viruses have been pretty much dealt with. Today’s attacks are more likely to be on communications or by social engineering, not virii. These need different protections.
In Apple’s case, we can expect MORE controls such as their allowing javascript only from sites that you explicitly visit. More controls on apps’ functionality & distribution and more emphasis on sandboxing. Seems virtually a given.
And more broadly, why is it that whatever ad network that let FlashBack into the wild, has gotten a free pass for total lack of quality control and knowing its customer? Everybody’s quick to blame Apple for its java policies, but the damage would’ve been just as severe if FlashBack had used a zero-day vulnerability that nobody could’ve stopped. A more comprehensive malware effort can’t just try to keep every hole patched and to cut off the money flow to the malware authors; it HAS to work on whose sloppy business practices abet the criminals in putting the gremlins into the wild, .
“An overly vocal minority who fill up the comments on blog posts and news articles. Yep – a big chunk of them are trolls and asshats. There are zealots like this for every technology, cause, and meme on the face of the planet. They don’t represent our community, no matter how many Apple stickers are on the backs of their cars and work-mandated Windows laptops.”
For example, the journalists that write for AllThingsD?
“The conventional wisdom has often held that Macs are targeted by malware less often than Windows machines because of their relatively small market share. This still has some merit, but the fact is that Windows is also where the vulnerabilities are. Historically, Mac OS X has been substantially less vulnerable to this sort of thing than Windows.
Does that let Apple off the hook entirely? No, though to its credit, Apple had a fix ready within a week of learning of this vulnerability. That’s not exactly a pokey response, especially when the problem lies not directly within Apple’s software, but in Oracle’s.”
https://allthingsd.com/20120406/whats-this-a-mac-virus-no-actually-its-a-weakness-in-java/
@jenapeoples
Demanding a better security response worked with Microsoft after the Blaster worm. They heard from their customers, improved the way they tested and released patches, and actually started an internal secure coding practice.
It worked because MS needed its user base, whereas Wall Street has no need to be occupied. Different scenarios entirely.
Obviously this has not made it a secure product, but it has improved things. I would hate to be combating the computery-villains[1] that we have now, with the 2000 version of Microsoft security.
The same could be done with Apple if they chose to apply a bit more security, but it would come at the expense of the ‘user experience.’ which is always the trade-off. Apple would rather not break things than to push patches at the same sped as their competitors. It’s a valid choice, but one that comes with the perception that security is not a (big) concern. That is what gives rise to this article.
I was not coming down on Apple’s decision, trying to explain the perception.
@Michael Murphy
Lucky you. I distinctly remember cleaning up more than a few a floppies that had boot sector virii. They came in a big binder of freeware disks that I got loaned when I picked up an Apple ][.
-Xristopher
[1] “Replace “cyber” with “computery.” It is entertaining and approximates how “cyber” sounds to experts.” –@ScottStender
I dig this article. Always consider the source peeps! I like how you’re pointing out that people just want to have something to chime in with, Rich. So here I am.. chiming in.
There’s a good chance if you’re hearing someone speak on how secure Macs are, you wouldn’t listen to them for 2 seconds regarding other IT issues.. matter-o-fact they are probably baristas or plumbers. Its not their bag baby! If you’re expecting something substantial to be uttered from sheep that can’t tell the difference between an RJ-45 and -11 you should expect more headaches.
I prefer to think of how cute their lil brains are.
@Xristopher- demanding anyone fix security issues is about as effective as the OWS movement. Apple became aware of the exploit and had a patch for it within a matter of 1-2 weeks. I’m a noob though so maybe this timeframe is unacceptable? The vulnerability may have been there for quite sometime but I know for certain I wasn’t witnessing symptoms on machines much longer than a week or so.
It seems like we want to blame someone.. lets blame the cybervillians.
I hear it all the time, too. And it’s not just asshats in social media. My dad was shopping for a new computer and said “I’m thinking of going Mac because I don’t want to worry about viruses.”
My experience is that it takes a savvy and technical-minded person to not believe that “myth”. Even if the source of the belief is only from “one unique ad” or from one pundit who has convinced them.
I have used and helped others use Apple computers since 1985. I have never said that Apple computers are immune from viruses nor have I ever heard any other Mac user say so. I have said that I have never had a virus on any of my Apple computers nor have ever found a virus on the Apples of any of my clients.
I see the source of this misinformation is overzealous bloggers and one antivirus vender in particular.
Michael Murphy
“I’m not going to apologize for Apple’s security failings (especially their patching issues, which lad [sic] to the current Flashback issue),”
You alluded to the real source of the issue here, but did not really make the connection.
Mac users (as a whole) have failed to demand the response from Apple that need in order to properly secure their systems. MS and others learned a long time ago that the single best thing that you can do to protect a system is to quickly respond to known vulnerabilities.
When Apples insists on ‘rolling their own’ Java, and then takes over 6 months to incorporate the released fix, they obviously do not put a premium on security… and by extension, Mac users are okay with that.
I hear it all the time, too. And it’s not just asshats in social media. My dad was shopping for a new computer and said “I’m thinking of going Mac because I don’t want to worry about viruses.”
My experience is that it takes a savvy and technical-minded person to not believe that “myth”. Even if the source of the belief is only from “one unique ad” or from one pundit who has convinced them.
I have to disagree with you on this one. At least twice a week I see friends (sometimes even IT pros) posting on Facebook or twitter or some other public platform – about how safe Macs are, how they’re immune and how you can “just get a Mac instead of paying for AV.”
I hear it weekly. I hate it, I’m sure just as much as you do… but the truth is there are more of these people than you may think. Maybe you just hang out with smarter friends. 😉
-jj