Monday, April 16, 2012

Time to go long Apple anti-virus products.

Not a week has gone by lately without a new report of vulnerabilities or viruses affecting Apple products. It is useful to know about these things so that you can apply patches and have some faint hope of not having your data and personal information pilfered by eastern european data brokers. For more of the same, see Ars Technica for the latest.

What is more interesting is how predictable this was. Four years ago, a fellow named Adam O'Donnell published a paper in the IEEE Security & Privacy journal that provided a game theoretic model of when attackers would switch their efforts from infecting PCs to Apple...

Prior to O'Donnell's work, the conventional supposition was that Apple customers did not have enough devices connected to the Internet to make the return on the effort at attacking them worthwhile. Writing a Mac virus would be like creating a herbicide for orchids. At the time, when compared against the entire installation base of PCs, which included computers that had been left running deep inside some company's data centre performing some specialized function for a decade - it was estimated that Macs made up for about %2-%3 of the total systems connected to the internet.

Conventional ideas about the "return on investment" for writing a virus that attacked Macs or PCs implied that you didn't need to buy anti-virus software for Macs because it wouldn't be worth writing viruses for them for the foreseeable future. Apple systems would have to make up at least 1/3 to 1/2 of all connected computers, that is, the population of Apple devices would have to multiply 10-15 times before it would become an issue.

What O'Donnell pointed out was that the likelihood of a virus being written, as a result of an implied reward to the attacker - given the likelihood that a random Mac would be unprotected - was a lot higher than it looked.

To over-simplify, the PC install base was massive, 30-50 times the size of the Mac base. However, a huge portion of that PC based had anti-virus software installed on it, and so even a successful virus had limited prospects for infecting all of it. The proliferation of PC anti-virus software in corporate environments has been fairly high, and is now probably greater than %85-%90. When you add Microsoft's "Windows Update" feature on modern versions of their products, the total set of unprotected PC machines is surprisingly low.

Security (or just adapting to any exogenous change) is an interesting and long term problem for Microsoft because of its massive size and economic footprint. Microsoft has done an improbably excellent job at securing Windows from hackers. As a result, the number of real PC targets for a virus is smaller than the utterly massive gross install base.

Enter Mac.

Macs are well designed on so many levels. We can say that because it is actually designed by a person, one who thought about these things from the top down. It is in many ways, elegant, even beautiful. Windows is the product of a messy evolution that had stakeholders from a myriad of business and political interests vying for influence and control of a computing platform cum marketing channel cum economic utility. Apple has always had the advantage of Steve Jobs essentially saying, "Fiat Mac", in what was essentially a political and customer vacuum.

To borrow from selectorate theory, Apple has had the advantages of being a small coalition company where Microsoft has been a large coalition company. There's probably an entire paper in that one, particularly about the endgame for RIM, Apple, Nokia and Microsoft, based on coalitions, influentials and interchangables taken from investors customers and developers, but back to the virus thing.

Objects in future are closer than they appear

When we are talking about percentage of the total install base, where Mac only has %2-%3 and Microsoft has the other, say, %90 the view of the attacker looks like it's a good bet to hit PCs. However, O'Donnell pointed out (predicted correctly, four years ago, no less) that if only a small portion of PCs are actually vulnerable because they are among the remaining few who do not have anti-virus - and effectively none of the Mac's have anti-virus, the tipping point for the worthwhileness of attacking Macs is much closer than it it seems.

Numerically, if the install base for Apple products in 2008 (think pre-iPad, pre-iPhone3 and 4, pre-Macbook Air) was %3, and the net vulnerable install base for PCs was about %13, if Apple doubled its total number of machines out there (e.g. all existing ones in 2008, plus new ones), an attacker would have a target environment half the size of the PC one, with the added benefit that his virus would successfully infect every one it detected, as opposed to less than 1 in 10 PCs it attempted to infect.

How could a rational attacker resist?

No comments:

Post a Comment