By John Gruber
Here we go again. Security experts warn that there is a hole in one of Apple’s products; Apple says there isn’t a problem; and a month later it releases a fix for it. I write a story pointing this out and am faced with mindless abuse from the Apple faithful.
Already wrong again, three times in the opening paragraph:
Please point out exactly where any “security expert” issued an unequivocal warning a month ago that there are holes in Apple’s AirPort products. Really. Show me where any self-proclaimed expert has stated this.
Apple never stated there was no problem. They stated that SecureWorks showed them no evidence of a problem.
Apple clearly stated when they released last week’s security update that the fixes were not for any issues reported by SecureWorks.
Exactly the same thing has happened several times in the past and it’s not just me, it’s anyone that points out the startlingly obvious: that OS X, Safari, MacBooks, whatever, do not exist within some holy forcefield of invulnerability — they are just electronic products.
Somebody please page Artie MacStrawman.
It’s worth neither the time nor bytes to go through his weblog manifesto paragraph-by-paragraph, but a few of his accusations warrant comment. He writes:
Apple’s new Intel-based Mac laptops face random-shutdowns and a website, macbookrandomshutdown.com, is created. Apple refuses to discuss or acknowledge issue.
This is true — if you pretend this KnowledgeBase article, titled “MacBook: Shuts down intermittently”, doesn’t exist.
If a security company, frustrated at delays, goes public with the hole, Apple immediately criticises the company, and then claims the hole is not significant and it knows of no actual exploits. It does the same every time and this damage limitation is subsequently and consistently shown not to be true.
When exactly has this happened before? When? I’m not arguing that Apple’s response to security issues is perfect; I’ve personally complained about their tendency to treat them as marketing problems rather than technical problems (not entirely coincidentally in an article that also criticizes Kieren McCarthy’s “reporting”). But when, prior to this SecureWorks Wi-Fi saga, has Apple criticized a security company or researcher for going public with an issue in Mac OS X?
What you can say about Apple’s response to security issues is that they have a tendency to delay fixing them, so long as they aren’t made public. Cf. William Carrel’s timeline regarding the DHCP vulnerability in Mac OS X he discovered in 2003.
Yet McCarthy says Apple does this “the same every time”. That’s not mere inaccuracy; it’s flat-out making shit up.
What’s crazy is that these exact same criticisms used to be made of Microsoft, to the extent that the company’s security image has never recovered. But rather than go Microsoft’s more open and honest route, Apple has decided to go the ostrich route and rely on its own customers’ fierce loyalty to protect it. I really don’t see how this approach is sustainable.
No, what’s crazy is that McCarthy apparently doesn’t understand that the reason Microsoft’s security image is terrible is that millions of their customers are plagued by actual security problems. Real Windows users are attacked by real viruses, spyware, and adware every day. [Update: Microsoft’s “open and honest route” is disputable, too.]
Yet, so far in 2006, the only Mac user anyone can find who’s suffered from Mac-specific malware is one single dipshit who double-clicked a trojan horse disguised as an archive of secret screenshots of Mac OS X 10.5 — and even in that case the trojan horse caused no harm to his system or data and was so poorly written that it was unable to spread itself.
Many Mac users are smug about security, but it’s not because they believe Mac OS X is magically invulnerable to malware — it’s because there don’t seem to be any Mac users with actual malware problems. Just because you’re happy that you have been healthy your entire life doesn’t mean you irrationally believe you couldn’t possibly get sick in the future.
That’s why Microsoft’s security reputation stinks, and why Apple’s is good. Is it good that Microsoft has become more open about its security process, and has started issuing patches to reported issues more quickly? Yes. Is it a problem that Apple has a tendency of sitting on non-public vulnerabilities? Yes.
But reputations are forged by results.