Two security researchers have kicked off 2007 with a "Month of Apple Bugs," promising to feature a new vulnerability related to Mac software each day in January.
It follows two similar monthlong campaigns last year that focused on browser flaws and kernel flaws.
However, some experts and users have questioned the purpose of these projects, wondering how much security value they have. To find out what people on the street make of it, we asked our Mac Views panel, made up of ordinary readers, this question: "Do these kind of bug-publicizing campaigns do any good for the general Net public?"
While I generally dislike these near-extortion-like tactics, I have a greater dislike of weak security and the problems that can arise from it. In a perfect world, software vendors such as Apple would respond immediately to all reports of security problems, but having worked for a very large software company myself, I know that resources are limited and issues get prioritized. Putting a little public pressure on their prioritization scheme might be effective. (Then again, in a perfect world, all software would be perfect!)
Of course, this needs to be balanced with any potential risk associated with publicizing security issues and their possible exploits.
From a public perception standpoint, I do worry that continuously publishing new security bugs gives ammunition to any fence-sitting Windows user to unfairly compare the general security of OS X to that of Windows.Silicon Valley-based Brooks Graham is a Veritas Software veteran who now splits his time between an early-phase Silicon Valley start-up and working in post-production for local independent film projects.
From my perspective, these bug-publicizing campaigns do more harm than good, if misused.
I feel that their only use should be to prod action when a behind-the- scenes heads-up fails to elicit any response from the company. If these two security researchers had alerted Apple to these issues a couple of months ago, and Apple failed to act on them, then by all means make them public. Embarrass the company. Use collective pressure to achieve improvement.
However, just highlighting bugs for no apparent reason, or picking on one company or whatever program does not really help. Their purpose would be to... what? Ensure that people do not trust Apple? Or Microsoft? Sure there are bugs. If you look for problems hard enough and long enough, you're going to find them, no matter what program or platform or company.Michael Halsall is an elementary teacher who got into Macs while working in Singapore.
It really depends on the intent of those who are doing this. If the intent is purely to create more public awareness of recent system vulnerabilities, so the folks at Apple can quickly address these issues, I suppose this serves quite a great deal of good.
However, if the intent is instead to more or less try to draw some element of bug-related parity between Mac OS X and Windows, in order to somehow demonstrate that Macs are equally prone to security vulnerabilities, then I would say this effort doesn't not serve any greater good. Mac OS X is simply a more secure operating system. I am guessing that for every "Month of Apple Bugs" there could likely be a "Month of Twice as Many Windows Bugs."Paul Cesarini is an assistant professor in the Department of Visual Communication and Technology Education, in the Advanced Technological Education program at Bowling Green State University.
I think they're good from a variety of standpoints.
First, they help dispel the myth Apple likes to perpetuate in its advertising that Mac OS X is completely solid and secure. Users who buy into this myth won't take appropriate steps to protect their systems from viruses, adware, spyware, rootkits, and other malware. As a result, their infected systems will cause everyone to be at risk.
Second, odds are whoever is publicizing these bugs has known about them for a while, and they've existed for a while. Focusing some attention on them will help raise Apple's awareness and spur them to fixing the problems.
Third, these kinds of publicity campaigns remind everyone (not just Mac users) to think about security.
I'd have preferred to see this particular campaign submit all the bugs to Apple at least a month before going public with them. That would reduce the risk to Mac users that one of these would be exploited by the wrong sort of person. But then again, if someone manages to get away with a significant exploit before Apple gets the bug patched, that just underscores my first point. Also, in my experience, the bugs I've reported to Apple seem to fall into a black hole, including one very serious one that would allow anyone physically present at the keyboard to create an administrator account without even logging in, has not been fixed in over a year.Michael Salsbury works for a large nonprofit organization as a Macintosh and PC administrator who has been working with Macs since they were introduced and with Windows since about 1995.
Yes and no. It is always good to have peer review, regardless of the field studied. However, publishing "bugs" or "vulnerabilities" of an operating system or application to the general public without first notifying the company and allowing a reasonable amount of time for a patch/repair/update is irresponsible at best.
My past experience with Apple and their operating systems has shown a willingness to address the serious issues with their software on an as needed basis (i.e., when a fix is needed, a software update is distributed).Damon Osborne is an assistant professor of education and coordinator for online curriculum development at Mount Vernon Nazarene University.
The answer is yes. Just like a strong virus makes the population stronger (by killing off all those who have lowered immune response), this kind of action will cause software updates.
However, unless these kind of people have first notified the responsible companies and received a rebuff, then I tend to think of them as glory-seeking "butt holes" that could care less about the health of the general computer-using public.Norm Ennis is an East Texas-based quality manager, at a NASA launch facility who has used PCs and Macs for years.
I personally do not see the point in any manner of posting flaws in public. If there are flaws, then vendors should have the chance to review those flaws and begin work on fixes BEFORE the public is aware.
And I do not see the 01/03/07 posted VLC flaw as a Mac flaw. VLC is provided by a 3rd party for Mac systems, yet Mac did not create this flaw nor is it Mac's job to fix such flaw. I was expecting the flaws to focus on Mac OS flaws from the title of "Month of Apple Bugs" rather than 3rd party software vendors. I'll be curious of the ratio of Apple vs 3rd party flaws at the end of this month.Michael J. Prather is a Florida-based mailroom supervisor who says he often kicks himself for not switching from Windows to Macs years, if not a decade, sooner.
This sort of thing does absolutely no good at all for the general Net public. It would be different if they were identifying bugs or vulnerabilities which could be exposed under normal circumstances and situations. Instead, most of these represent "worst case" scenarios that would not normally be exposures under normal usage situations. They are typically a means of trying to attract attention--especially this one, which is being launched during the week leading up to one of the most anticipated MacWorld conferences ever.Tony Trippe is an innovation manager for a chemical abstracts service who has been a Mac fan since the mid-1980s.
I'd like to be positive about the Month of Apple Bugs, and assume that the researchers merely want to dispel the myth (held by many Mac users) that OS X is bulletproof. But I think it's rather more likely that the goal is simply publicity for the researchers themselves--OS X is widely known to be secure enough that any security exploit, no matter how harmless or unexploitable, makes front-page news in the tech world. And so far it seems that the information provided isn't really intended to be useful or helpful, to the average user or to Apple.
It's also easy to imagine the researchers are motivated more than a little bit by anger towards the legendary smugness of Mac users. Like people who buy a non-iPod MP3 player simply because they're sick of seeing white earbuds everywhere, there's probably some weird feeling of rebellion involved.
That said, hopefully Mac users, rather than getting their backs up or simply being dismissive, will remember that they need to take security precautions with their machines as well.Jeff Edsell works on Macs as a Web and print designer, and as a desktop publisher before that. He's been a regular Mac user for about 15 years.
I do think campaigns of this nature are good for users. It dispels the propaganda that Macs are invulnerable to attack and makes (the conscious) users more careful. Additionally, it puts well-deserved pressure on developers to address these issues quickly.
I do think it's a bit irresponsible for them to not report the issues to the developers first, though. This form of grandstanding is not in the spirit of goodwill and encourages abuse.Chris Lawrence is the CIO for Clients & Profits, a maker of software for ad agencies based in Oceanside, Calif.
As with any software, there will always be bugs and vulnerabilities at various levels. Some are going to be easily exploitable, while others will take work and a veritable software crowbar to be a threat to the average user.
That said, to publish the vulnerabilities is good for the general public, in that it keeps us all aware of the need to keep our software up-to-date, and to be aware of what channels and tricks a hacker might use to gain access to those bugs. For example, if there is a file download vulnerability, then knowing that should allow the average user the protection to choose to avoid such downloads.Rev. Ted Rodrigues grew up in Silicon Valley in the 1960s and finds that Macs are user friendly for the volunteers and hired staff for his work as a priest in Oregon.
We should not be too critical with Apple at this time as the current OS 10.4 (Tiger) reaches the end of its life-span and we prepare for the launch of OS 10.5 (Leopard). Personally, as a decade-long Apple user, I've experienced very few issues and have taken the advice of my local Apple outlet not to install third-party AV and firewalls.Andrew October is a tech media consultant who also freelances as a consumer technology reporter with various South African publications.
I am reminded of the brouhaha this August regarding the "researchers" Maynor and Ellch with the wireless attack on the third party wireless card on the MacBook. Like the current "researchers," Maynor and Ellch made comments about smug Mac users as a motive for their actions. While these guys have not been as insulting as the cigarette in the eye thing was, their comments betray their motives, which are, simply, for the publicity.Robert Ahrens is employed by the Food and Drug Administration as an IT specialist, supporting a training facility and all the IT assets they use.
I think the general public is largely oblivious to these security campaigns, and only takes notice when a security flaw is exploited to cause widespread damage. Nevertheless, there is value in publicizing such flaws. Software makers are likely to take a more vigilant stance on security when there is increased public scrutiny. This is a good opportunity for Apple to show they are responsive to the concerns of security experts.Dennis Burges is an independent video producer (and occasional database developer) who has been using Macs as long as there have been Macs.
I have been both a Mac and PC user for over 20 years. Macs are clearly, in my experience, the most stable platform when it comes to security. An interesting question is, "Is this because Macs make up so small a part of the overall market?" I do NOT think it a good idea to publish flaws in Mac OS software--it seems to me an invitation for hackers to take advantage.Tom Merrill is an assistant professor of Music at Xavier University in Cincinnati, Ohio.
Publicizing bugs found on any system is generally a good thing, but this campaign seems to go a bit far. The bugs seem to focus on exploitable ones (access a machine that doesn't want to be accessed), not just ones that are obscure "this isn't working right."
General bug ID work and subsequent publishing of that work is a great thing, it helps the company who writes the stuff and helps the consumer when he/she might encounter the problem. NET active bugs might be a different matter. We should be careful not to posit challenges to the hacker communities.Patrick Evans, who now owns a small fish-and-chip restaurant on the Oregon coast, was previously a computer network designer for Motorola and owned a network installation company.
The Mac Views panel is being brought together by CNET News.com to get feedback from people on the street on the latest happenings at Apple Computer, whether it's a battery recall or plans for the next iPod.
We're looking for a range of perspectives--from Mac fans to business users to mobile music lovers.
Interested in joining the panel pool? Here's how it works:
Whenever key Apple news breaks, we'll send an e-mail to contributors for their response. Sometimes, we'll ask a yes/no question and use the results as a simple poll. Other times, we'll look for more in-depth feedback on Mac or iPod current events. It doesn't matter whether you send us two pages or two sentences--we value all your comments. And if you don't have an opinion on a particular story, or you don't have time to respond, that's good too.
The feedback will often reach our readers. Our writers may quote panel remarks in stories. Or we may pull together comments--your 2 cents--in an article of their own. Occasionally, we'll ask contributors to take part in a weekly podcast, to discuss their views with CNET News.com editors and industry experts.
Take a look at our panel on Microsoft's Windows Vista, to get an idea of how our readers participate.
We want to know what our readers think, as Apple switches over to Intel chips and as Microsoft and others gear up to challenge iPod and iTunes. If you haven't signed up yet, send us an e-mail to firstname.lastname@example.org.
Design: Gautama Swamy
Production: Kristina Wood