Secunia consistently exaggerates the threat levels of minor security issues for the Mac... they have been roundly criticized for it in the past by other security companies.
How do you tell that Apple has done something that might capture more market share? The FUD articles start appearing!
Secunia followed Intego's lead when they claimed to have found the first "OS X Trojan" and trumpeted it while attempting to scare Mac users into buying their software. Secunia jumped on that bandwagon. All four of the "extremely critical" issues were related to that "trojan".
April 19, 2004 - Security experts on Friday slammed security firm Intego for exaggerating the threat of what the company identified as the first Trojan for Mac OS X. On Thursday, Intego issued a press release saying it had found OS X's first Trojan Horse, a piece of malware called MP3Concept or MP3Virus.Gen that appears to be an MP3 file. If double-clicked and launched in the Finder, the Trojan accesses certain system files, the company claimed.
While Intego said the Trojan was benign, it said future versions could be authored to delete files or hijack infected machines. In the release, and in subsequent telephone interviews, Intego was vague about the purported Trojan's workings and its origins.
On Friday, Mac programmers and security experts accused the company of exaggerating the threat to sell its security software.
"They gave the impression that this is a threat, but it isn't," said Dave Schroeder, a systems engineer with the University of Wisconsin. "It is a benign proof of concept that was posted to a newsgroup. It isn't in the wild, and can't be spread in the wild. It's a non-issue."
"They are spreading FUD to sell their software," said Ryan Kaldari, a programmer from Nashville, Tennessee, referring to the shorthand for fear, uncertainty and doubt.
So much for four of the five "extremely critical" vulnerabilities. Secunia has retained its hyperbolic rating... even though no one lost any sleep over the issue.
I have spent the last four years conducting operational assessments of information assurance on fielded systems. The statistics to date:
Number of Windows boxes dropped: Several hundred thousand
Number of Linux boxes dropped: A few hundred
Number of Macintosh boxes dropped: Zero, zilch, nada
This in spite of the fact that Linux and Macintosh boxes each made up about 5% of the target population.
There are no publicly available exploits or tools to take down a Macintosh (or FreeBSD Unix) box.
There are no publicly available exploits or tools to take down some versions of Linux.
The BEST Intrusion Detection Systems have a probability of detection of about 20% against sophisticated threats.
The BEST Firewalls have a 10 - 20% probability of stopping a sophisticated attack.
Defense in depth and hybrid vigor are your friends.
Monocultures, whether it is all Cisco routers, or all Dell boxes, or identical versions of Windows XP with the latest patches installed, are a hacker's playground.
Sleep well.