« Embrace Murphy's Law | Main | How Not To Talk To Customers »

Actually, Possibility IS Probability (As Is Likelihood)

[[ Please Note: This post has been significantly redacted since it's original posting. The original opening of the post was a personal attack against an industry analyst. I found myself extremely offended by the tone and timbre of the analyst's responses in a Twitter thread, compounded by his publishing a follow-up blog post that changed the message completely and tried to make it sound like he had been reasonable all along. Regardless, it did not justify in any way my publicly lashing out like I did, and as such I have cut all that nasty BS out of this blog post. Hopefully now this thread will represent a worthwhile contribution to the community. Of course, with the change, the title of this piece doesn't really make as much sense, but I'm sure we'll get over it... ]]

The Twitter Thread That Started It All

The full transcript of our exchange is below for you to read. Allow me to preface all of this by saying that trying to get a point across in 140 characters is darn near impossible, as can be evidenced by the fact that the other party completely missed my point numerous times. It's not completely his fault, of course. Human nature makes us want to be consistent with our beliefs, even in the face of overwhelming evidence that we're being a total prat.

The original tweet that started it all was:

"Other than worms, viruses, botnets, and drive-bys, can anyone think of security threats Mac users don't really have to deal with?"

My immediate response was to ask if he was being serious. Because, honestly, I thought he was joking. Why would you ever tell anybody that they shouldn't have to be concerned about common malware or targeted attacks, regardless of platform? This is tantamount to telling people "move to Mac, you'll be safer" - which is not definitively true!

The problem throughout this exchange is that the other person uses circular reasoning to defend his original statement. I consistently question his assertions, and he simply points back into his own argument as proof that he's right. It's a pity, because I really would like to see his evidence that malware is not a threat to Mac users. Unfortunately, despite what his "1337 dudes who understand that stuff" tell him (I think his comment was in reference to 64-bit architecture), the people I've spoken with in the know say that Mac malware exists and is commonly used, though more in targeted, rather than widespread, attacks. I'll comment on this more below.

Complete Thread With Commentary

Without further adieu, here's the complete exchange between the analyst and me on Friday (12/4). Note that my comments to him are prefaced with "@[ANALYST]" while his responses to me are prefaced with "@falconsview".

(@[ANALYST] original post) - Other than worms, viruses, botnets, and drive-bys, can anyone think of security threats Mac users don't really have to deal with? 12:27 PM Dec 4th

@[ANALYST] are you joking or serious? on twitter nobody can hear you scream... 12:32 PM Dec 4th

@falconsview I'm serious- Mac users aren't being hit with this stuff. It exists, but near 0 encounter rate. 12:33 PM Dec 4th

Maybe it is only a matter of time. But we don't know the timeframe, and the risks aren't here now. 12:36 PM Dec 4th

Seriously, I know OS X is loaded with vulns, but that's not the point- not that Mac users should be complacent, but the risks are different 12:37 PM Dec 4th

Risk is a numbers game- and we do a disservice if we equate low risk threats with high risk just because something is possible. 12:40 PM Dec 4th


This exchange is fascinating, because we see immediately several problems. First, the analyst dismisses the threat of malware to Macs because he's deemed it to be a "low risk threat." Ironically, he talks about this in the context of "risk" as a "numbers games" without defining risk, context, or providing any numbers. Sorry, but you can't have it both ways. Pony up real numbers, or go home.

He also makes a curious assertion, that Mac users aren't being afflicted with malware, even going so far as to declare a "near 0 encounter rate." There is a fatal flaw in his logic. If people like him are telling users not to worry about malware, and they are not running AV or thinking about malware, then how to do they know whether or not they're being affected? It's an inherently false statement. If you're not paying attention or looking for malware, then you're unlikely to find it. Sure, infosec professionals might be fine in this regard, being more likely to notice something funky with their system, but the average user absolutely is not.

Now compound this issue by noting that enterprises are increasingly deploying Mac workstations for their users. We're creating the conditions for a very big malware problem. Of course, never worry, the analyst down-plays it with his fuzzy math in declarative assertions, so the world will most certainly be safe, because he said so.


@[ANALYST] ignorance is bliss... the average Mac user isn't really running any sort of AV on their system... how do they know? 12:50 PM Dec 4th

@[ANALYST] lots of cross-platform bugs these days... not to mention that phishing doesn't usually care what OS you're running... 12:51 PM Dec 4th

@falconsview Phishing wasn't on my list... that's on the list of *real* threats. I only have virus, worms, botnets, BT... 12:53 PM Dec 4th

@falconsview Oh please- there is no evidence for widespread Mac malware. No reason for AV for most users. 12:54 PM Dec 4th

@falconsview It isn't ignorance- I filter for viruses on email and never see Mac ones, just Windows ones. I don't use AV on Win7 either. 12:55 PM Dec 4th


Gosh, here we go, more faulty conclusions based on vacuum analysis. First off, phishing as often as not deploys malware. So, if phishing is, in fact, a concern, then why isn't malware? Also, to my point here, cross-platform vulnerabilities affect Mac users as much as Windows users, which means that malware is absolutely a threat for this platform, even if the attack is targeting an application and not the OS (at least not directly).

What I find hilarious here is that the analyst's "evidence" that Mac malware is a minimal threat is based on his own limited analysis of his email AV?!? The problem here is that the analyst is suffering from the illusion that email-AV-filtering is some sort of definitive benchmark for malware. Sure, it's a great way to register the background noise, but it does nothing for targeted attacks.

More importantly, for his statement to mean anything, we'd have to believe that the AV vendors are investing tremendous resources into detecting and analyzing Mac-oriented malware. Unfortunately, since Mac users have been told not to worry about malware, there is not much market for Mac AV. More importantly, the number of people who are actively monitoring or noticeably affected by Mac malware is going to be dramatically less than the resources looking at Windows. We've literally created a blind spot here, all because of this fallacy promoted by analysts that users needn't worry about Mac malware. Again... his reasoning is circular here... you don't need to worry about Mac malware, thus you won't need to deploy Mac AV, thus there will be highly limited detection of Mac malware, which means you won't be aware of much Mac malware, thus you don't need to worry about Mac malware...


@[ANALYST] oh, man, you're not going to buy into Microsoft "64-bit is more secure" argument, too, are you? 12:59 PM Dec 4th

@[ANALYST] you're changing your parms, now... you asked what threats Mac users don't have to worry about... never said "widespread" there :) 1:01 PM Dec 4th from TweetDeck

@falconsview No- to worry about something it needs to be likely encountered by an average user. I didn't change anything. 1:03 PM Dec 4th

@falconsview If you learn 64 bit architectures and anti-exploitation techniques, you find that exploitation of memory flaws is much harder 1:04 PM Dec 4th

@falconsview At least that's what the 1337 dudes who understand that stuff tell me. 1:06 PM Dec 4th

@[ANALYST] it's a new architecture... *shrug* I think people too often equate new to hard(er)... we'll see how things actually play out... 1:10 PM Dec 4th

@[ANALYST] problem is, if the cross-plat apps continue to have issues, 32 vs 64, Win vs Mac will be decreasingly important... 1:11 PM Dec 4th

@falconsview Oh yeah- there will always be attack vectors, but 64 bit really does make it harder. 1:16 PM Dec 4th

@[ANALYST] harder based on how we do things today... it remains to be seen whether or not it makes it harder across the board... I assume "no" 1:17 PM Dec 4th


First, on Microsoft, 64-bit, and security... check out the article "64-bit Windows is More Secure, for Now" for more on that... basically, a malware fellow at Microsoft said that 64-bit architecture is inherently more secure. The truth is that, yes, 64-bit architecture changes the game a bit, but it is far, far, far too early to be declaring any sort of victory over hackers and malware developers. It always takes a little while for malware development on new platforms, so let's hold off a couple years before we try to make any declarations.

Back to the thread, the analyst has, in fact, changed the parameters. His original question asked about "security threats Mac users don't really have to deal with". He did not qualify that statement in any way, such as to say that the threats had to be widespread. He of course denies changing things up, but we all can read the thread here and see that, yes, he did in fact start changing the tune of his argument.

I'm also greatly amused by his "that's what the 1337 dudes who understand that stuff tell me" comment. Who cares? People say stuff blindly all the time (kind of like all of the analyst's assertions in this thread) without having any real backing. 64-bit is a new architecture, hooray, but pardon me for not celebrating prematurely. When 2011 rolls around and we still see a limited number of malware attacks for 64-bit, then I'll concede the point. However, I think that's extremely unlikely, so you'll excuse me if I don't jump on that bandwagon too quickly.


@falconsview I do think we'll see more cross platform via things like Flash. But pwnage will be more constrained. 1:17 PM Dec 4th

@[ANALYST] well-constructed targeted attacks can be far more devastating (& lucrative) than the old-school blast 'em all attacks... 1:18 PM Dec 4th

@falconsview How is that germane to the original question? 1:21 PM Dec 4th

@[ANALYST] your premise seems based in mainstream "hit 'em all" attacks to justify users skipping protection - seems faulty premise+logic... 1:29 PM Dec 4th

@falconsview No- my premise is that attacks that are very unlikely for someone to encounter in the real world are a low risk. 1:31 PM Dec 4th

@falconsview Your premise that we need to worry about anything possible has the flaw. 1:31 PM Dec 4th

@falconsview And the position that because platform security has sucked, it will always suck, is ad-hominum. Classic logic flaw. 1:31 PM Dec 4th


Here's where the "debate" starts going off the rails. It's interesting to me that the analyst views himself as a superior debater, yet his logic is constantly flawed. His ego is writing checks his logic can't cash.

So, the accusation the analyst makes here is that I'm making an "ad hominem" argument (he misspelled it). What is that, exactly? Well, he's trying to say that I'm attacking him as a person rather than his argument. However, if you read back into the thread above, I'm not at any point attacking him, just his faulty, unfounded, and often idiotic assertions.

The irony here is that his accusation of using an ad hominem argument is in fact tantamount to making an ad hominem argument. He's assertions have no backing, so he instead decides to start attacking me. He consistently mischaracterizes my questioning of his assertions and seems to lack comprehension of the counter-arguments being made.

Also curious here is his acquiescence that cross-platform attacks are valid and will continue to be a threat (even against Mac users). He quickly qualifies his agreement, however, saying that the success of these attacks will be "more constrained." Yes, this is absolutely true, but also further supports my primary argument. It's not the widespread attacks that I'm worried about, it's the targeted attacks. Read "Ending the PCI Blame Game" to hear about the so-called "third wave" in infosec and how the world is changing.

Unfortunately, the analyst is missing all of these counter-points. He's too invested in being consistent and "right" that he's not only refusing to entertain counter-arguments, but he's also decided to devolve into ad hominem arguments in his own defense.


@[ANALYST] you're implying and assuming points I didn't make... my assertion is we can't assume "better" just because "different"... 1:33 PM Dec 4th

@[ANALYST] and I never said anything ad-hominum... I never said "hey, it's Windows, it will be pwnd"... 1:33 PM Dec 4th


I went and looked up ad hominem for this post - it's clear from my comment here that I was thinking of something else.

@[ANALYST] in fact, just the opposite, I'm saying "just cuz it's Mac doesn't make it more secure" - that's a completely bogus argument... 1:34 PM Dec 4th

@[ANALYST] this is akin to the classic mono-culture thesis... it's only valid if 1 slice of the pie is much, much bigger than the others... 1:35 PM Dec 4th

@[ANALYST] if the slices are all relatively similar in size, then it will increase target diversity, while giving the illusion of decreased... 1:36 PM Dec 4th

@[ANALYST] ...threat per platform... you need to look at the whole pie, and right now we're not really doing that (not well, anyway)... 1:36 PM Dec 4th


I tried to introduce an analogy here, but the analyst missed the point... my point, quite simply, was that he was making a false assertion about an entire class of systems predicated on fuzzy data. Similarly, the mono-culture argument of several years ago does not necessarily hold as true today. So it goes for Mac malware. What may have been true several years ago is not a safe bet today.

@falconsview You aren't making a cogent argument- my position is that Macs are at much lower risk of certain threats. That's the reality. 1:40 PM Dec 4th

@falconsview Remember, I'm talking *today*, not trying to predict the future (on Macs) 1:41 PM Dec 4th


Of course the analyst doesn't find my argument believable, because I'm challenging all of his assertions. Note that he once again changes the actual basis of his argument. Remember that his first question was about what threats Mac users can ignore. He may have meant to imply all of these other things, but they were not stated, and thus cannot be assumed.

The interesting thing here is that in changing his argument he is effectively conceding the point. Malware is a threat for Macs, and thus it should not be completely ignored. Now he's saying - generically - that it's a "lower risk." In what context? In what environment? How can he make this statement and have it be true for all people in all environments? He can't. This is exactly the risk-as-FUD contention I made in my recent post "BeFUDdled by Risk".


@falconsview I never claimed Macs were more secure, only that they face less risk of certain attacks. 1:41 PM Dec 4th

@[ANALYST] yes, you're right, Macs are not as likely to be compromised by Windows exploits - great argument 1:45 PM Dec 4th

@[ANALYST] lack of data/evidence does not a case make - you cannot prove the negative - you cannot prove your original assertion 1:46 PM Dec 4th

@[ANALYST] anecdotally, while you're hearing Macs have far less malware, I've heard that they make great squishy targets... 1:47 PM Dec 4th

@[ANALYST] as for cogent, 140chars is hardly conducive to extensive arguments like these... 1:47 PM Dec 4th

@falconsview I can completely prove my position- Mac infection rates are practically 0. 1:51 PM Dec 4th

@falconsview Mac malware rates, according to the AV and cloud filtering vendors, are practically 0. 1:52 PM Dec 4th

@[ANALYST] prove that assertion - show me data that evaluates a statistically significant population of Macs that are not infected... 1:52 PM Dec 4th


More baseless "less risk" statements. Where's the evidence? He claims he can "completely prove" his assertions, yet where is the data? As you'll see below, he sandbags my request for proof and tells me it's "all over the place". More importantly, though, is that he's basing his arguments on undefined "risk" and undefined data sources and, as such, has in no way established any credibility. He instead turns nasty in his arguments, gets frustrated, and then begins making almost exclusively ad hominem arguments (attacking me, rather than my questions).

@falconsview You have nothing but FUD on your side. macs have vulns, but they aren't being exploited, and the numbers show that. 1:53 PM Dec 4th

Oh, sigh... it's funny, isn't it? He uses risk-as-FUD arguments, but then turns around and accuses me of using FUD when I question his assertions. I mean, seriously, read back... all I do is challenge his assertion. I don't make any of my own. That isn't FUD. He's fallen into this trap where I question what he says and he simply bristles and lashes out. Provide a data source, show some credibility for your argument, and then this discussion would change dramatically.

@[ANALYST] you're relying on data from vendors who don't provide products for the platform?!? seriously?? 1:53 PM Dec 4th

@[ANALYST] it's not FUD - I am challenging your assertion based on lack of data, and because you cannot prove a negative 1:54 PM Dec 4th

BTW- for those listening I firmly believe Apple has serious security problems with OS X. I'm not in the "invulnerable" crowd at all. 1:55 PM Dec 4th

But I can't equate possibility with probability when doing a risk assessment. 1:56 PM Dec 4th


Ah, sigh, here again we have a problem with semantics. His entire argument devolves to the semantic issue discussed at the top of this post. Too bad he can't just admit the problem and move on. Of course, he'd also have to provide real evidence, real data, real sources, real references. That's all I ask for, but he's unable or unwilling to provide it.

@falconsview Actually, those vendors *do* have products for the platform. Go talk to them yourself like I do. 1:57 PM Dec 4th

@falconsview I don't have time in Twitter to review all the malware numbers and infection rates from many reports- go look it up yourself. 1:58 PM Dec 4th


And here we have the cop-out. Again, assertions with no backing. He deflect, he defers, he makes allegations and acts condescendingly, but he doesn't provide any proof. Unfounded assertions, which was my entire point of contention with all of his comments.

@[ANALYST] there are, what, 2 vendors who have Mac-based AV, and they've released them this year? clearly there's a biz case based on threat. 1:59 PM Dec 4th

@[ANALYST] provide links if you have such conclusive evidence... 2:00 PM Dec 4th

@falconsview The evidence/data is all over the place, go look it up before you challenge my assertion. 2:00 PM Dec 4th

@falconsview All major AV companies offer mac AV. Every single one. Some going back decades. You clearly don't know the topic. 2:01 PM Dec 4th

@[ANALYST] fine, I quit - end of day here 2:03 PM Dec 4th



Once again, he makes some interesting assertions. Who qualifies as a "major AV company"? As far as I know, in terms of commercial solutions, only McAfee, Symantec, and Kaspersky have solutions, of which I'm pretty sure Symantec and Kaspersky just (re)launched this past year. Sure, there are lots of "free" AV solutions for the Mac, but I'm not overly confident in them (ClamAV and AVAST are ok, I suppose, but these are not "enterprise" solutions). It looks like Trend Micro released a Mac AV solution this year, too, with a bit more googling.

The point is this: what's causing AV vendors to now, in 2009, start releasing Mac AV products? Presumably because there's a market for it? What's driving the creation of that market? Merely "FUD" and pretty brochures? I find that rather unlikely. AV companies have invested significantly in Mac AV this year - there has to be a strong possibility for an up-side, or they wouldn't do it. What drives this belief? The increased likelihood of a threat, of course.

The funny thing here is that I don't even care if he's right or not, I just want him to actually provide some form of evidence. We spent an hour on this thread and all he did was bluster and back-pedal, changing his parameters a couple times. Oh, and degrade into derisive accusations, probably because his assertions were bogus.

Update: Ironically, Schneier has come out and said that Mac and Linux users can ignore AV, too. *sigh* Not the point, but still, these broad assertions are very dangerous, especially when they come from high-profile, reasonable-well-respected infosec people.

TrackBack

TrackBack URL for this entry:
http://www.secureconsulting.net/MT/mt-tb.cgi/965

Comments (2)

Terrific rant Ben!

To me many Mac users don't quite understand simple numbers. The vast majority of computers (in the business world and commercial) are still Windows PCs. Therefore, the bad guys are going to go after the larger target. This gives the Macs a false aura of invincibility. As the younger generations are adopting Macs more so than PCs the target area will shift to the Mac OS.

I made a posting regarding the false sense of security that many Mac users have developed on my blog. Let me know what you think.

Ben:

Thanks, Dominic! I thought your post was spot-on. I can't decide if it's ignorance, arrogance, or a sense of invincibility that causes people to down-play malware for Macs. To me it seems a bit like a self-fulfilling prophecy: invest the majority of your resources in Windows malware research, and then celebrate how little is found for Macs.

-ben

Post a comment

About

This page contains a single entry from the blog posted on December 8, 2009 10:32 AM.

The previous post in this blog was Embrace Murphy's Law.

The next post in this blog is How Not To Talk To Customers.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.