Friday, December 7, 2007

How To Utterly Destroy The 'Security By Obscurity' Myth


One of the favorite baseless myths about Macintosh is that its incredible security record is due to 'obscurity'. This week the old scarecrow was foisted on the public once again:


The Financial Times tries spreading some Apple Mac security FUD
Thursday, December 06, 2007 - 12:10 PM EST
http://macdailynews.com/index.php/weblog/comments/15715/

So, in celebration I have updated a post I regularly make at the comp.sys.mac.advocacy UseNet newsgroup:
---------------------------------------------------------

How To Utterly Destroy The 'Security By Obscurity' Myth:

Use math.

1) Take the current number of known malware in the wild for Windows. The number is so huge that I never find any sources in agreement. But let's use the very out-of-date, conservative number of 114,000 Apple used in an ad a year ago.

2) Take the number of known malware in the wild for Mac. Just to rub it in, I like to inflate this number by including both the number for Mac OS X, which is 1 (one), and all the old Mac OS 1 - 9 malware, that being 55. Total = 56 malware for Mac in its entire history.

3) Divide: 114,000 / 56 = 2036.

4) Slowly and kindly explain this to the myth mongers: Using verifiable data there are 2036x more malware for Windows than Mac.

5) Now go in for the kill and calculate the number of malware on a per-computer basis for each OS. You can do this using market share percentages. The currently agreed percentages are that 92% of the US market is Windows boxes and 6% is Macs. (If myth mongers complain that you should use world market numbers, go right ahead. You'll still shock them.) Using proportional math:

114,000 is to 56 malware as 92% is to 6% market share times Y, where Y is the difference or disparity factor between the number of malware per computer user for each platform.

Y = (114,000 / 56) / (0.92 / 0.06) = 132

Conclusion: There are 132 times more malware per Windows user than there are per Mac user.

There are theories about why this massive disparity exists. Blame Microsoft incompetence, blame user hatred of Windows, blame the simplicity of hacking Windows. But does 'security by obscurity' of the Mac explain this number? Obviously not.

Then stomp on the grave of this myth:

(A) Take out of the calculations the friendly 55 old non-Mac OS X active malware and point out the figure of 114,000 times more active malware for Windows than Mac. Doing the math, that gives a disparity factor of 7434 times more malware per Windows user than per Mac user. How's that sound?

(B) If there was equality in the security of the Windows platform versus the Mac platform you would at least expect something dramatically closer to a 1:1 ratio of malware per user between the platforms. 132 times more malware per Windows user is utterly insane. What does that make 7434 times more malware?

(C) Considering these figures, why does anyone use Windows? Why are businesses, designed to make money, wasting billions every year on Windows security upkeep and security damage when simply switching to Mac would wipe out nearly all those costs?


Share and Enjoy,

:-Derek

1 comment:

  1. I think that you are wrong in a crucial part of this argument:


    If there was equality in the security of the Windows platform versus the Mac platform you would at least expect something dramatically closer to a 1:1 ratio of malware per user between the platforms.


    I do not think that attacks will be linearly proportional to user base but it will be more of a "winner take all" situation. Malware doesn't compete too much with other malware so the incentive to the malware creator will almost always be to target the most popular system.

    I do believe that there are some underlying differences that make OS X far harder to attack than MS products, but I also think that there is some truth to what you are calling FUD.
