• United States



Insecure but Safe – The Mayberry Paradox

Mar 27, 20094 mins
Data and Information SecurityPhysical Security

A report released this week on AppleInsider details the Pwn2Own hacking contest results indicating that Apple computers are less secure than their WinTel counterparts, but ultimately safer.

“Insecure but safe” sounds like a contradiction when taken at face value.  I’ve long been  told, and frankly seen for my self that there is precious little malware floating around cyberspace that is targeted specifically to OSX.  Apple’s own marketing touts their products as safer than Windows.  In my opinion this a perfect example of the Mayberry Paradox.

Now the Mayberry Paradox isn’t something that has undergone peer review.  It hasn’t been endorsed by the I.A.E.A., Underwriter’s Laboratories, and certainly doesn’t have the Good Housekeeping Seal of Approval.  The Maberry Paradox, simply put is a term that I use to describe the baffling belief that an inherently insecure environment can be rendered secure by the sheer absence of perceived threats.  That is to say that an environment with few, if any security controls can achieve some level of security through some type of isolation.

In the case of Apple, the powers that be have made a case that OS X can be called “secure” because of the relative handful of malware floating around.  Is this fair?  Are consumers being duped into a false sense of security?  Although I do love me some shiny Apple goodness, I have to say that I feel somewhat cheated every time I hear these claims.  In my consulting practice I ran into one CIO who summed it all up by saying, “people don’t do that here.  We don’t have thefts, robberies, or too much crime at all.”  Bear in mind that this particular engagement was an information security risk assessment and that the crimes he mentions are all location-based.  The criminal has to actually be present in a physical form to commit the illegal act.  Apple has taken a similar stance in that there is an assumption that because there isn’t much malware, that the platform must be secure.  I think that a more honest approach would be to say that, “no our platform isn’t as secure as others, but there is much less risk in our vulnerabilities being exploited”.  I suppose that wouldn’t sell too many MacBooks though, eh?

Those of you old enough to remember The Andy Griffith Show will know that Otis, the town drunk, would check in and out of the town jail using the key hanging on the wall.  Aunt Bee could be found with the front door not just unlocked, but open to catch the evening breeze, leaving nothing but a simple screen door protecting her from the ravages of Mayberry R.F.D.  Andy didn’t even carry a gun, while his deputy Barney was issued one bullet and required to keep it in his shirt pocket.  Would you consider this environment “secure”?  Probably not.  Safe yes, but not secure.

I think for Apple the word “secure” has become a marketing term more than a statement of fact.  Apple’s OS X is by no stretch of the imagination, “secure”.  The same Pwn2Own contest that declared OS X secure witnessed OS X being hacked in 15 seconds.  Not hours or minutes, but seconds.  In the time that you have read this article my MacBook Pro could have been hacked a handful of times.  Does that scream security to you?  Perhaps worse, this year’s winner won last year as well indicating to me that there haven’t been any massive improvements from Cupertino. 

I suppose despite all of the unwarranted hype about the security of OS X, there will still be folks like me that prefer the beach ball to the hour glass.  Although my MacBook isn’t necessarily as secure as it’s Windows and Linux counterparts, truth be told, there isn’t that big of a threat out in the wild targeting my laptop.  Sure that doesn’t guarantee security and frankly shouldn’t even allude to it, but in the end how much security do I need if I have relative safety.  Ultimately that is either a business or personal decision.  For me, I’m okay surfing with my proverbial pants down, it’s liberating.

The article at AppleInsider can be found at :

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, Georgia Department of Audits and Accounts and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation's information infrastructure. Chad is active in the security community He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.