Getting real about security

October 24th, 2006 | by ian

Adam (crypto nerd extraordinaire, former evil-genius at Zero Knowledge) from the Emergent Chaos “jazz combo” throws us a reference and ties it in with an amusing story about misguided security concepts.

The Emperor’s New Computer

Affixing a Mac logo to my PC was, after all, motivated by a combination of personal amusement and social engineering and not the absurd notion that it would confer some of the touted security advantages of Macs. No doubt Apple’s cute, oft-parodied advertising campaign “I’m a Mac” has misled many folks to believe that Macs are more secure and crash less frequently than PCs. The truth is sadly more complex: Macs are now equally capable of running an improperly configured Windows OS and thus able to contract all kinds of fun and exciting malware. PC hardware can theoretically run OSX, which has been quietly innovating in the shadows of a Windows world. Apple has a few advantages with their OS, notably that most folks don’t bother to write malware for it, there is strict control over what hardware goes into a Mac versus the wild kingdom of PC hardware, and they have somewhat well-respected conventions about graphical interfaces. But stability and security seem to have taken a way-in-the-back seat to cool features and a sexy GUI. By all expert accounts they have taken BSD, one of the best-engineered OSes from a security perspective, and transformed it into a ticking time bomb of potential exploitability, all the while lulling their user base into a false sense of security.

Which brings me back to the problems inherent in a design culture which isn’t overly concerned with performance, reliability, security or scalability, which are the four pillars of my outsourced web operations business. These are all application design considerations that you won’t need to worry about much if you don’t succeed in building a web application which people want to use (unless you have the luxury of being able to ram it down users’ throats, but that’s a topic for future posts). But I would argue that they need to be part of your design process, assuming you are designing an application to be wildly popular. End-user-focused application design is sorely lacking in most software. The Getting Real approach is part of a much-needed revolution in software; the age of bloated featureware complete with a mandatory kitchen sink that takes an hour to install is coming to a close. This probably means I will drink less coffee and get more work done (I have mixed feelings about this). I need to reiterate here that the 37Signals folks are able to downplay security and scalability because they can afford to: their liabilities are minimized in their approach to application design and the problems they choose to tackle. The same does not apply to Apple, as one would have to assume they have all manner of critically confidential data stored and running in their software. They want your digital life in their software.

Whither security and reliability by design?

So why the aversion of so many design-focused companies like Apple to security and reliability by design? Well, it has some difficult economics. Thoughtful user interface design is challenging and pretty rare, but it is not necessarily expensive. Software reliability and security tend to be asymptotic goals, impossible to achieve absolutely and expensive to do extremely well without removing most of your features. Companies like Apple appear to be focusing on what will make them popular and worry about the economically challenging stuff afterwards.

Sound familiar? Because it also explains how Microsoft managed to get themselves into such a security nightmare, albeit by focusing more on building kitchen sinks than objects of beauty. Both Microsoft and Apple were perhaps overly influenced by what their end users wanted or thought they needed. The 37signals folks thankfully have a very strong position on feature requests, and while this is not a popular policy with many users, it also minimizes their exposure. Luckily for Microsoft, they might just have the cash and a newfound drive to work their way out of having painted themselves into a corner with all the hues of malware. At least they have a strategy and are taking steps to execute on it, partly by hiring folks like Adam. Can anyone tell me what Apple’s stance is on security and code quality? The first song I played on my new iPod crashed the device, and the first time I ran iTunes 7 it promptly crashed. Not impressive. But the look and feel and even the packaging of the product was amazing.

My next laptop may well be a Mac, as Apple is bringing thoughtful design such as their magnetic power cord connector to the world of PC hardware. I am skeptical about relying on OSX for anything other than fun stuff and so will probably continue to run Ubuntu and Windows as well. I will probably only be comfortable running it once the current bravado and hubris fades and Apple gets serious about security, when hackers no longer chuckle to themselves about the security compromises imposed on the Unix-derived OS.

That said, 37Signals would probably say that Apple’s security and reliability is “good enough” and perhaps I will agree once I am reunited with an Apple computer after many years of being separated from my beloved Apple IIe and particularly the Apple Logo. The 37Signals guys believe enough in Apple that they did a promo video with them recently (hi res version on Apple’s site) check it out here:

Bonus material:

Good for a chuckle: Apple ships video iPods with Windows viruses and then states “As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.” Wow.

And if you’re the proud owner of a Mac, consider this cool mod. I would do it, if only to avoid the eerie mind-controlling white glow…
