SANS, Schadenfreude and the Mac

Andrew Jaquith
Andrew Jaquith ∙ Managing Director, Markerbench
3 min read ∙ May 2, 2006

I’ve got to wonder about the what planet the SANS people live on these days. Apparently, in an effort to make their semi-annual Top 10 list of vulnerabilities appear “fair and balanced,” they’ve decided to whip up panicky sentiments towards Mac OS X.

I won’t offer either of the usual obligatory and contrary platitudes on this subject (“Dood! Macs are invulnerable” or “of course, no system can ever be 100% secure”), because you know them already. Other folks, like Scott Bradner have made the latter argument well. But I will say that I think this stuff is a tempest in a teapot, designed to get some press for SANS.

I got a call from a reporter seeking comment on the SANS story. Here is what I told her:

SANS findings are broadly in agreement with our own observations. They’ve done a good job describing some of the key trends on the threat landscape.

That said, much of what they say is scaremongering. For example, they allege that cyber crime is “extremely lucrative” and name a figure of $10 billion. How did they come up with that number? I think they made it up, since they don’t substantiate it anywhere or cite sources.

I also think they’re jumping on the Mac-bashing bandwagon. It’s odd that they lead their report with a hysteria-inducing lead that gravely intones the “rapid growth” in Mac vulnerabilities… and then name exactly three vulnerabilities, one of which is zero-day. Somehow this enables them to claim that the Mac’s “bullet proof” reputation is in “tatters”. Oh really?

Meanwhile, two bullets down they rather casually mention that Internet Explorer has seen eleven new vulnerabilities, plus another SIX affecting Windows itself. So, if three vulnerabilities means the Mac’s “reputation” is in “tatters”, does that means Windows’ has been ground into a fine white powdery substance?

Schadenfreude comes to us via German, and is defined approximately as “taking delight in another’s suffering.” Ed Skodis’ rather snotty comment to ComputerWorld should tell you where his head is at: “Users often feel invincible when they have their shiny silver-colored Apple and they are surfing the Web with it.” Which users might that be, Ed? Want to source one for me?

This is a standard journalistic technique: when you can’t find someone to substantiate your own assertions, trot out your good friend Many People and his boon companion Experts Say. Ed’s characterization of Mac user attitudes are totally at odds with my personal experience. Nobody I know who uses a Mac feels “invincible,” and that includes my mom, my brother, my sister, my good friend Dave G., Dildog, Dan Geer, Kevin Soo Hoo, my ex-Yankee colleague Phebe Waterfield and many others.

Symantec went through a similar Mac-bashing period a while back. About six months ago, in their otherwise excellent Internet Security Threat Report they accused Mac users — as a single, undifferentiated species — of living in a “false paradise”. But they seem to have realized that painting with such a broad brush wasn’t doing much to enhance their credibility. In their latest report, there is not a single word about Macs. As in, the word “Mac” does not appear even once, nor does the phrase “OS X.” The report is a hundred-plus page document.

Security is about common sense, not just what makes for the best headline copy. SANS’ credibility with me has just dropped significantly. Facts are good. Overly dramatic headlines, scare-tactic language and slippery quotes are not.