Insecure but Safe – The Mayberry Paradox

A report released this week on AppleInsider details the Pwn2Own hacking contest results indicating that Apple computers are less secure than their WinTel counterparts, but ultimately safer.

“Insecure but safe” sounds like a contradiction when taken at face value.  I’ve long been  told, and frankly seen for my self that there is precious little malware floating around cyberspace that is targeted specifically to OSX.  Apple’s own marketing touts their products as safer than Windows.  In my opinion this a perfect example of the Mayberry Paradox.

Now the Mayberry Paradox isn’t something that has undergone peer review.  It hasn’t been endorsed by the I.A.E.A., Underwriter’s Laboratories, and certainly doesn’t have the Good Housekeeping Seal of Approval.  The Maberry Paradox, simply put is a term that I use to describe the baffling belief that an inherently insecure environment can be rendered secure by the sheer absence of perceived threats.  That is to say that an environment with few, if any security controls can achieve some level of security through some type of isolation.

In the case of Apple, the powers that be have made a case that OS X can be called “secure” because of the relative handful of malware floating around.  Is this fair?  Are consumers being duped into a false sense of security?  Although I do love me some shiny Apple goodness, I have to say that I feel somewhat cheated every time I hear these claims.  In my consulting practice I ran into one CIO who summed it all up by saying, “people don’t do that here.  We don’t have thefts, robberies, or too much crime at all.”  Bear in mind that this particular engagement was an information security risk assessment and that the crimes he mentions are all location-based.  The criminal has to actually be present in a physical form to commit the illegal act.  Apple has taken a similar stance in that there is an assumption that because there isn’t much malware, that the platform must be secure.  I think that a more honest approach would be to say that, “no our platform isn’t as secure as others, but there is much less risk in our vulnerabilities being exploited”.  I suppose that wouldn’t sell too many MacBooks though, eh?

Those of you old enough to remember The Andy Griffith Show will know that Otis, the town drunk, would check in and out of the town jail using the key hanging on the wall.  Aunt Bee could be found with the front door not just unlocked, but open to catch the evening breeze, leaving nothing but a simple screen door protecting her from the ravages of Mayberry R.F.D.  Andy didn’t even carry a gun, while his deputy Barney was issued one bullet and required to keep it in his shirt pocket.  Would you consider this environment “secure”?  Probably not.  Safe yes, but not secure.

I think for Apple the word “secure” has become a marketing term more than a statement of fact.  Apple’s OS X is by no stretch of the imagination, “secure”.  The same Pwn2Own contest that declared OS X secure witnessed OS X being hacked in 15 seconds.  Not hours or minutes, but seconds.  In the time that you have read this article my MacBook Pro could have been hacked a handful of times.  Does that scream security to you?  Perhaps worse, this year’s winner won last year as well indicating to me that there haven’t been any massive improvements from Cupertino. 

I suppose despite all of the unwarranted hype about the security of OS X, there will still be folks like me that prefer the beach ball to the hour glass.  Although my MacBook isn’t necessarily as secure as it’s Windows and Linux counterparts, truth be told, there isn’t that big of a threat out in the wild targeting my laptop.  Sure that doesn’t guarantee security and frankly shouldn’t even allude to it, but in the end how much security do I need if I have relative safety.  Ultimately that is either a business or personal decision.  For me, I’m okay surfing with my proverbial pants down, it’s liberating.

The article at AppleInsider can be found at : http://www.appleinsider.com/articles/09/03/26/pwn2own_contest_winner_macs_are_safer_than_windows.html