By John Gruber
There was a great story yesterday by “technology writer” Dan Goodin at the Associated Press, and because it was from the AP, we can read it on several sites:
Washington Post: “Macs Are Virus Targets, Some Experts Warn”
CNN: “Viruses Catch Up to the Mac: Experts debate just how susceptible Apple is becoming”
MSNBC: “Macs No Longer Immune to Viruses, Experts Say: Apple’s growing market share, new chips said making it more of a target”
Wired News: “Macs Invulnerable No More”
What’s great about an AP story like this one is that if you’re only paying attention to the headlines, it creates the impression that there are multiple reports from all over the web corroborating the same point, when in fact it’s just one story, repeated many times over by news publications that regurgitate whatever comes in over the AP wire.
Oh, and I love the way both the CNN and MSNBC subheads conflate the Mac — which is a computer that can in fact be attacked by computer viruses — with “Apple”, which is a company, and therefore, one would think, not possibly “susceptible” or “targeted” by viruses. That’s good journalism, as it keeps the readers on their toes. Good god, now they’re going after entire companies.
Journalism this good deserves a close analysis. Let’s start with the lead:
Benjamin Daines was browsing the Web when he clicked on a series of links that promised pictures of an unreleased update to his computer’s operating system.
Instead, a window opened on the screen and strange commands ran as if the machine was under the control of someone — or something — else.
“Or something” — could it be gremlins? Or worse, poltergeists? Spooky.
Daines was the victim of a computer virus.
Damn, no poltergeists. But Goodin had me there for a second.
So what we’ve got is the classic “trend piece opening with a vignette” Mad Lib formula.
Such headaches are hardly unusual on PCs running Microsoft Corp.’s Windows operating system. Daines, however, was using a Mac — an Apple Computer Inc. machine often touted as being immune to such risks.
Oh, zing! Not just an opening vignette, but the opening vignette with the ironic twist! See, I thought he was going to say Daines was using a Windows PC, because, you know, that sort of scene plays out millions of times a year to Windows PC users. You’d think I would have seen the “but he was using a Mac” twist coming, given the various “Macs are not immune to viruses” headlines that the piece ran under. But Goodin’s masterful storytelling bamboozled me.
Who exactly is touting the Mac as “immune to such risks”? Goodin doesn’t say, but his word is good enough for me. I’m sure whoever they are, they’re experts.
I, on the other hand, had never been under the impression that the Mac was either magically or technically “immune” or “invulnerable” to viruses, Trojan horses, spyware, adware, malware, and so forth. Rather, I thought it was simply the case that, for whatever reasons, such software isn’t a problem for Mac users and hasn’t been for the last 15 years or so. I.e. that Macs aren’t magically protected, and that in theory, malware could be written to target the Mac, but that the point is that in practice, in the real world, they aren’t.
On the other hand, Macs do happen to be immune to Windows viruses and spyware and adware and Trojan horses, thousands of which are discovered every month. But why sweat the details?
He and at least one other person who clicked on the links were infected by what security experts call the first virus for Mac OS X, the operating system that has shipped with every Mac sold since 2001 and has survived virtually unscathed from the onslaught of malware unleashed on the Internet in recent years.
Good lord. Daines and “at least one other person” — that means at least two Mac users were hit by this virus. (And what’s funny about the “onslaught of malware unleashed on the Internet” is that it isn’t just Mac users who’ve emerged “virtually unscathed”, but just about everyone who isn’t using Microsoft Windows. It’s enough to make you think that the problem isn’t “Internet malware”, but “Windows malware”.)
What virus was it that hit Daines? What kind of havoc did it wreak? Goodin doesn’t say — who cares about the details, really? — but judging from his description that Daines caught the virus after he “clicked on a series of links that promised pictures of an unreleased update to his computer’s operating system,” it seems safe to assume it was the Oompa-Loompa Trojan horse described by Ambrosia Software’s Andrew Welch back in February.
And what does Oompa-Loompa do? It attempts to spread itself via iChat on Bonjour — but it can only be spread if the person whose Mac it attempts to infect opens its file attachment payload. So you can only get it via other Macs on your local network, and if you do, you have to manually open a file named “latestpics.tgz”, and if you do, all it will do is attempt to send itself to other local Macs on iChat.
Devastating and unstoppable.
“It just shows people that no matter what kind of computer you use you are still open to some level of attack,” said Daines, a 29-year-old British chemical engineer who once considered Macs invulnerable to such attacks.
Daines’s uninformed opinion that Macs were “invulnerable” to such attacks indicates that he believed it was safe to download and open any random file from the Internet, including gzipped archives from the sort of sites that traffic in bootleg screenshots of future Mac OS X releases.
Perhaps someday I’ll have an opportunity to make equally informed statements regarding chemical engineering — a subject about which I am utterly ignorant — in an Associated Press report.
Apple’s iconic status, growing market share and adoption of the same microprocessors used in machines running Windows are making Macs a bigger target, some experts warn.
That’s quite an interesting theory — that the malware plaguing so many millions of PCs running Windows isn’t necessarily the result of problems with Windows itself, but is rather the result of something related to their Intel “microprocessors”.
I’ll bet that means all the other operating systems that run on Intel-compatible x86 processors, such as Linux and FreeBSD, are just as susceptible to malware as Windows.
Apple’s most recent wake-up call came last week, as a Southern California researcher reported seven new vulnerabilities. Tom Ferris said malicious Web sites can exploit the holes without a user’s knowledge, potentially allowing a criminal to execute code remotely and gain access to passwords and other sensitive information.
Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the Cupertino-based computer maker to Microsoft three years ago, when the world’s largest software company was criticized for being slow to respond to weaknesses in its products.
This is in contrast to Microsoft now, in 2006, when their Windows users are no longer plagued by security problems. And we know for a fact that at least two Mac OS X users have been hit by Oompa-Loompa just this year.
The bugs reported by Ferris are legitimate bugs, but to my eyes (and Rosyna’s — who thinks Ferris is counting the same TIFF rendering bug twice), they’re all just ways to make an application crash, one of which has already been fixed in 10.4.6. But Ferris reports that this one, regarding Safari, “causes the application to crash, and or [sic] may allow for an attacker to execute arbitrary code”. Emphasis on the may in “may allow”, apparently, because the only thing his examples do is cause Safari to crash.
Anything that causes Safari to crash certainly sucks. And presumably Apple is working not just to fix these particular bugs, but to fix the architecture of Safari to make it less vulnerable in general to these sorts of bugs in the system’s image-parsing routines. But the genius here — and I’m not sure whether the credit goes to Ferris or Goodin, so let’s just credit them both — is in the leap from bugs which, as Ferris originally described, “may allow for an attacker to execute arbitrary code”, to bugs which, in Goodin’s article, “potentially [allow] a criminal to execute code remotely and gain access to passwords and other sensitive information”.
Because, see, in Ferris’s original report, he meant “may” in the sense that they may, or they may not, but that he didn’t actually know whether it was possible and has no evidence that they could. But in Goodin’s AP story, that changes to “potentially”, which means “capable of being but not yet in existence; latent”, which is good journalism because “potentially allowing a criminal to execute code remotely” is much scarier-sounding than “definitely allowing a jerk to crash your web browser”.
“[Microsoft] didn’t know how to deal with security, and I think Apple is in the same situation now,” said Ferris, himself a Mac user.
Where by “same situation”, Ferris is referring to, what?, the two guys who were hit by the Oompa-Loompa Trojan horse? One can only hope that Apple will one day handle security issues as well as Microsoft does now.
Apple officials pointed to the company’s virtually untarnished security track record and disputed claims that Mac OS X is more susceptible to attack now than in the past.
Apple plans to patch the holes reported by Ferris in the next automatic update of Mac OS X, and there have been no reports of them being exploited, spokeswoman Natalie Kerris said. She disagreed that the vulnerabilities make it possible for a criminal to run code on a targeted machine.
Classic he-said/she-said situation: He said criminals can take over your Mac; she said they can’t. One way to resolve this would be to emphasize the fact that Ferris has no proof to back up his claim. But a good journalist like Goodin knows that would just take the oomph right out of the story. And oomph — not facts or accuracy — is at the heart of every good story.
In Daines’ infection, a bug in the virus’ code prevented it from doing much damage. Still, several of his operating system files were deleted, several new files were created and several applications, including a program for recording audio, were crippled.
Behind the scenes, the virus also managed to hijack his instant messaging program, so the rogue file was blasted to 10 people on his buddy list.
“Blasted” is a great word. Much more exciting than something more accurate, such as “sent as an attachment”.
“A lot of Mac users are in denial and have blinders on that say, ‘Nothing is ever going to get to us,’ ” said Neil Fryer, a computer security consultant who works for an international financial institution in Britain. “I can’t say I agree with them.”
Fryer, also a Mac user, said he has begun taking additional precautions over the past year to make sure he doesn’t fall victim to an attack. He spends more time than in the past scrutinizing his security logs for signs of intruders, and he uses a firewall and additional security applications, just as he would with a Windows-based machine.
It’s so obvious that horrible things would happen to Fryer’s Mac if he hadn’t taken these steps that there’s no need to mention what those horrible things are. Next thing you know, Apple is going to have to start shipping a firewall as part of the OS. I can see it now: right there as a tab in the Sharing panel in System Preferences.
The Mac’s vulnerability could also increase as Apple transitions to a product line that uses microprocessors made by Intel Corp., security experts said.
With new Macs running the same processor that powers Windows-based machines, far more people will know how to exploit weaknesses in Apple machines than in the past, when they ran on the PowerPC chips made by IBM Corp. and Motorola Corp. spinoff Freescale Semiconductor Inc.
“They have eliminated their genetic diversity,” said independent security consultant Rodney Thayer. “The fear is that we’re going to run into a new class of attacks.”
Thayer’s photograph accompanied the article in many publications:
You can tell he’s a genuine computer security expert because he has long black hair and a beard.
The article closes:
But as Daines can attest, there are no guarantees.
“We’re all sort of waiting with bated breath to see if any problem will happen and the jury is still out,” said Thayer, the independent security consultant. “I don’t think you’ll find a consensus.”
Only here, at the very end, does Goodin’s article fall short. Rather than a devastating gut punch, it just sort of fades out with a reasonable “we’ll see what happens” whimper.
With Apple yesterday launching a new television ad campaign that draws specific, pointed attention to the fact that Macs are not besieged by malware — this sort of bogus “trend piece” that purposefully conflates the issues of whether Macs are in theory potentially vulnerable to malware (yes) with whether Macs are in reality under attack (no) is just what the doctor ordered. But it deserves to end with another sucker punch.
If Goodin wanted to be reasonable or accurate, he could have written a story titled “Some Guy Double-Clicked a Trojan Horse Virus for Mac OS X but It Didn’t Actually Spread to Anyone Else”, but what kind of story would that be? OK, it’d be a true story, but it wouldn’t be a good story.
No one would have linked to such a story except to make fun of it: What would be the point of making a big stink out of one guy who got hit by a Mac OS X Trojan horse — which was so poorly written that it couldn’t even successfully spread to another computer — when there are hundreds of thousands (millions?) of Windows users suffering from malware every single day?
What good journalism calls for is taking that one guy, and writing an article that presents his episode as though it were part of a trend of increasing Mac virus attacks. No one is going to make fun of Dan Goodin — or the Associated Press, or the dozens of reputable news outlets that ran the story — for that.