Thursday, June 3

Security: Not the fault of the OS anymore

The headline of the article I've linked below is spot-on. Security isn't about measures taken by the operating system any longer; it's about measures taken by users themselves.

For instance, as an IT professional with a good knowledge of computer security practices, if I wanted to, I could work every day with Windows and remain malware-free just by being conscientious about what I do with the computer. Windows is certainly an unstable house of cards in that regard, but if you know how to use it you can be just as safe as anyone else, even without anti-malware software installed.

Even OS X has recently had an outbreak of malware, but it requires unwary users to install unverified software in order to infect machines. I still maintain that it requires a much less watchful eye on system processes to keep a Mac clean, but it is by no means immune.

However, I do take issue with the final paragraphs of the linked article. It's true that Microsoft is still the biggest target, and that very fact makes exploitation more lucrative and therefore more likely to be attempted. However, the underpinnings of the operating system still rely on legacy code with a much more relaxed security model. The Unix architecture on which OS X is based is by far the more stable design.

Windows isn't attacked day and night merely because it's got larger market share; while that's a contributing factor, it's also got many more exploitable attack vectors. And, as John Gruber has pointed out in the past, OS X isn't "utterly impervious to attack because it’s protected by magic leprechauns." It's just better.

But, to reiterate the main point here, either one is only as secure as its users, who have to be quite a bit more fastidious if they've got a Windows machine on their desk.

When it comes to security, it's the user, not the OS | Macworld

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. Permissions beyond the scope of this license may be available by emailing the author (use the link above).
