security through obsurity myth again

[furcalchick]

i was talking to my dad just now when we were watching the uac get a mac ad about vista being required to cancel or allow anything. he then said that when the mac gets big, the macs will get as littered with viruses and adware as windows does now. he claims that the biggest advantage apple had was that nobody bought a mac and thus hackers saw no profit in killing a small market. i then told him that with macs having about 5% market share, that you would expect a few viruses on there. i told him the difference between dos and unix, and he kept saying that macs will be attacked more in the future with 144000 viruses coming soon.

i know hackers will probably attack the mac more with increased market share, but he believes that the mac is just as secure as windows. i need to tell him that macs are more secure than pc's and one of the reasons that macs have no viruses is because of the coding is more secure and harder to break.

any ideas?

 

[72930]

Tell him that every hacker's dream is to be famed as 'the guy who broke OSX'

 

[Mitthrawnuruodo]

In cryptography and computer security, security through obscurity (sometimes security by obscurity) is a controversial principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to ensure security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them. The technique stands in contrast with Security by design, although many real-world projects include elements of both strategies.

[Link]

Wrong term: Mac OS X has lots of (known) holes, and is in large parts built on open standards, but still no (viable) exploits has made it out into the wild.

 

[Eraserhead]

[Link]

Wrong term: Mac OS X has lots of (known) holes, and is in large parts built on open standards, but still no (viable) exploits has made it out into the wild.

Security through obscurity is probably true to an extent, but what about Apache vs. IIS, IIS is used a lot less but gets hacked more. (IIS is Microsoft's internet server, Apache is the open source one btw.)

 

[Rodimus Prime]

well there is some truth. The adware and spyware writers really have no reason to pay any attention to OSX. The return is quite a it less than targeting windows based systems. So between between it being more difficult to hack OSX and next to no returns that cuts off a lot of the adware and spyware writers.

The only people who have targeting the mac are people who want to hack it and make a virus for it. A relatively small number compared to the ones doing it to make money.

So between that and being more difficult to hack really cuts off a lot of the problems.

Also IIS has another reason to be targeted. There is money in it. A huge number of major corps, most colleges have agreements with M$ that allow them to use M$ software and get support for it. But in doing so that means that there servers are going to run on IIS.

Also isn't IIS have the same base as windows? if so that would mean a lot of the same exploits can be used over again.

 

[bmaurer]

I see vulnerabilities ... there everywhere!

There are holes is just about everything. The US Computer Emergency Readiness Team keeps a database of know vulnerabilities.

http://www.us-cert.gov/cas/techalerts/

I subscribe to the security in obscurity philo and apply updates frequently.

 

[bmaurer]

The Month of Apple Bugs - Including POCs and Exploits

http://projects.info-pull.com/moab/index.html