I recently attended a meeting in a conference room that had only a couple of available wired network connections and no wireless network access. I snagged one of the wired network connections for my iBook and offered to share my connection wirelessly with other users in the meeting.
Several thankful meeting participants hooked up to my connection, and one person—who was using a Windows-based laptop—remarked that he was glad he didn't have to worry about getting a virus from my Mac. Upon hearing this comment, another meeting participant—one who had obviously seen the then-recent headlines about security problems in Mac OS X—jumped in, saying, "Didn't you hear that Macs aren't secure anymore?"
Most of us chuckled when this comment was made, and, for the most part, it seemed more like a joke than a sincere opinion. But many people who saw these same headlines probably did jump to the conclusion that Macs can't be considered secure anymore.
Now, of course, anyone who actually read the stories about the Mac OS X issues likely understood that the problems caused by holes found in the Apple operating system—while potentially severe—would not be easily spread. In fact, some degree of ignorance on the part of a Mac user would be required.
If you were to ask any independent security analyst if Macs should now be considered as insecure as Windows systems can be, he or she would most likely laugh. Mac OS X and its underlying BSD Unix core have excellent security track records.
Apple's own behavior just added fuel to the fire: Officials banged the drum of Apple's security record perhaps a little more loudly than was prudent, especially given the general knowledge that BSD systems—like every operating system—have had security problems in the past. In addition, officials weren't forthcoming with information about the problems or what the resulting patches fixed.
The underlying problem here isn't operating system security or even the vendor runaround but, rather, people who just read headlines or summaries of security news and then form opinions based on this information—or lack thereof. And there's a very good chance that these people are making decisions based on these ill-informed opinions.
The IT manager who read only the headlines about the Mac OS X problems may have pulled back on some Macintosh implementations. Or there may be an IT manager out there who read the headlines on recent reports about the first cell phone virus and put the kibosh on a cell phone rollout. The whole story, meanwhile, would have informed the IT manager that the reported cell phone virus was a proof of concept that hadn't actually appeared in the wild.
You might be thinking I'm crazy to think someone would make decisions based on story headlines. But it doesn't take a lot to influence decisions. All an executive needs is a little voice in the back of his or her head whispering, "It's not secure—remember those headlines."
And once these opinions are formed, it can be hard to change them, even with clear evidence that they're misguided. One need only look at studies that show a majority of Americans still believe that weapons of mass destruction were found in Iraq, even after the government and every news outlet have stated otherwise.
I've written before about the many hurdles security administrators have to overcome to do their jobs, ranging from users who never learn how to avoid viruses, to security companies that hype every problem, to security practices that are difficult to implement, to company executives who don't want to pay for security or think they can handle security with one big application or appliance. You can now add to this list people who don't bother to get the story behind the headline. The old saying that a little bit of information is dangerous applies doubly to security.
From now on, whenever someone demonstrates a lack of understanding about security, I won't shrug or laugh it off. I'll figure out a way of politely but effectively giving that person the correct information in the hope that he or she will find out what the security issue really is all about. And maybe, down the line, I'll save some poor security administrator from having to deal with an executive decision based on a misguided opinion.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.