Liking The Blog Articles

Penelope Pitstop
Penelope Pitstop
Community Member
Just wanted to say that I really enjoy the generalist security articles on your blog. Please keep them coming. I'm surprised they don't stimulate more discussion and suggest you link to a specific thread at the end of each one.

I was a bit surprised by Jeff's mild stance on the importance of virus scanning in this article. Whilst I agree that it is relatively less important than other measures in terms of personal protection, I think it is everybody's collective duty to do all they can to avoid proliferating malware even if they are personally invulnerable to it.

Sophos published what I think is a reasonable clarification on the article that Jeff thought sensationalist. Mac users should, as Sophos puts it, "be a responsible member of society" and avoid passing on infected files even if they are benign as far as their Mac is concerned.

I used to have a cavalier attitude toward anti-virus software on my Mac until I started thinking this way.

Just my 2¢.

Comments

  • khad
    khad
    1Password Alumni
    My best friend with a masters degree in public health would probably agree with you. :)
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    That's a really good idea about providing links to specific threads for discussion, PP. I've tried to do that in the past, but missed it with these series.

    I am a big fan of "herd immunity". My security depends on your security, and so it is valuable for everyone to be good network citizens with respect to security. This is particularly true now that malware often works hard to not disrupt the system it is running on. We don't want people saying, "well my system is running fine. So what if it is infecting others."

    The original Sophos article was widely condemned, and was probably old news by the time Part 2 was published. But it did suggest that the instances of Windows viruses on Macs were a danger to Windows users that the Mac user interacts with. When I run a virus scan on my system, I find malware in three places.
    1. Where I have deliberately put it. (That is, I noticed some malware available, made a copy to look at).
    2. Some of my security tools (john the ripper, nmap) get flagged as "hacker tools" living on my machine
    3. Attachments in my spam folder.

    It's the last one that matters. That, I believe, is where the vast majority (Windows) malware on Macs live. There was effectively zero chance that these were going to spread from my Mac to Windows machines. They were already in a spam folder. So for these to get onto a Windows machine in a way where they could do damage, one of two things would need to happen. I would either need to open those attachments (sitting in a spam folder) on a Windows machine, or I would need to forward those messages (again from my spam folder) to a Windows user who would then open them.

    Now maybe there are circumstances where things like that are more likely. If your spam filtering isn't so good so that you get email attachments in non-spam folders. But let me ask you have ever had scanning on your Mac actually prevent you from sending the malware on to a Windows system in a dangerous way. That is, has there ever been a time when you would have done something that would have led to malware being launched on Windows, except that a virus scan on your Mac prevented you from doing it?

    There is one scenario I can imaging where AV on Mac actually helps reduce a Windows infection. If someone, not a spammer, innocently sends you a document with, say, a Word Macro Virus in it, and you detect this on your Mac, you can inform the Windows user that their files are infected. So I'm not saying it is impossible for AV on the Mac to do some real good. I just think that the opportunities are (still) rather small.

    I am not taking my responsibility to the health of the rest of the net lightly. After all, I've made exactly this point about why people should keep their systems secure even if they feel that they have nothing of value to the bad guys. My concerns about AV systems is about their efficacy. Do they make a big enough difference to be worth the costs of running them? I can't really make that judgment for anyone, but I can say that I don't think that they are as effective at preventing real threats as they might appear to be.

    Cheers,

    -j
  • danco
    danco
    Volunteer Moderator
    Liked your articles.

    But your advice to upgrade from Leopard or Tiger ignores one important issue - COST. Not the cost of the software, but the hardware. Case in point - a friend is still using my old Powerbook G4. That can't run Lion, or even Snow Leopard, and she can't afford another machine, even second-hand (and that has its own issues).

    I appreciate that Apple can't keep support for ancient machines for ever, but I wonder if they can estimate how many old machines are still in use, and maintain support accordingly.
  • Penelope Pitstop
    Penelope Pitstop
    Community Member
    jpgoldberg wrote:
    That is, has there ever been a time when you would have done something that would have led to malware being launched on Windows, except that a virus scan on your Mac prevented you from doing it?

    There is one scenario I can imaging where AV on Mac actually helps reduce a Windows infection. If someone, not a spammer, innocently sends you a document with, say, a Word Macro Virus in it, and you detect this on your Mac, you can inform the Windows user that their files are infected. So I'm not saying it is impossible for AV on the Mac to do some real good. I just think that the opportunities are (still) rather small.

    Jeff,

    Thanks for replying. You think about this stuff much more deeply than me. I'm sure you have forgotten more about security than I will ever learn. However, that's why I think these discussions are useful.

    Actually the scenario you describe is exactly what prompted me to start using AV software. Someone sent me a joke in the form of a mail attachment that they hadn't even opened yet. I looked at it, laughed and passed the message on to my joke distribution list. A few minutes later, the phone started ringing with messages of two flavours: "stop sending me viruses you idiot!" or "what the hell have you done to my computer? I opened that joke and it's f***** now!". These are from the two broad types of computer user that I interact with: corporate and home.

    This was obviously back in the day when malware tended to be more disruptive than covert and the only reason I could know that my message was the source of the problem. I probably wouldn't even know today. I didn't think about it that hard but I thought that I should not let this happen again and started using AV. I have been operating under the assumption that it is checking my inbound and outbound email for malware but now I'm not so sure although I am warned about new malware from time to time.

    The two camps of user I interact with provide different motives for me to use AV. Some commercial contracts force you to accept liability for direct or even consequential loss suffered by the recipient for transmission of malware. Not smart to accept those terms but sometimes you simply can't wiggle out of them and my only protection is AV software. Admittedly this should be done on the inbound/outbound server side but that doesn't help if I accidentally send an infected business email from a personal email account which is easy to do.

    I also don't want to make my elderly relatives or good friends any more frustrated with computers than they already are. The average ISP puts the onus on the user to manage their own protection by bundling optional AV software into the broadband or cable subscription. Most naive, home computer users I know don't install it (despite my advice) or are more interested in finding out how to uninstall it when the subscription to the AV updates expires because they want to get rid of that annoying pop up window.

    I accept your point that AV plays a relatively less important role than the other measures you advocate. However in an environment where not everyone is as diligent as you and me, more savvy users can still help to inhibit the proliferation of malware using AV.

    Do you know of a way to guarantee that every email going in and out of my Mac is checked for malware regardless of account without having AV switched on for all file access? Even then I'm not protecting myself or anyone else from the zero day threat but at least I'm doing the best I can.

    PP
  • Blu Zebra
    Blu Zebra
    Community Member
    danco wrote:
    But your advice to upgrade from Leopard or Tiger ignores one important issue - COST.

    Same here. Today I see another post in this direction, urging me, the reader, to "upgrade already". I am getting a bit annoyed reading the blog for 2 reasons:
    1. I, like probably everyone else reading the blog is AWARE of the security issues, so there's no need to patronize us with these issues, is there?
    2. I do have a Mac OSX Server running Leopard, and I can't upgrade it any further as the hardware is too old. So yes, it pains me, yet the blog rubbing that in every day isn't helping, other than giving me more troubles to think about.
    It would help me a lot (and seeing danco's post, there are probably others) if your recommendation would include at least some consideration for those whose hardware does not allow for an OS upgrade.

    Consider your audience:
    Either you think you're talking to 1pw customers, then you talk to those who are already aware of such issues, and won't help much with these repeated posts
    Or you imagine that these posts are forwarded to those who are unaware of security - but for them, your article is way too high-level - they do not even understand what you're talking about, they'd not know if their computer is running Leo or SL, and why it wouldn't upgrade if they tried.

    Either way, I think you're not helping much, you're rather talking with your peers. Which may feel great, but doesn't really help.

    Oh, now I'm ranting. Over a little annoyance. Damn. Sorry, I shouldn't have started.
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Thank you both danco and Blu Zebra.

    Upgrades are costly, and people have different budgets. I'm very sorry that I was insensitive to this in my posts. It's sort of like me saying to someone complaining about the quality of their local schools by suggesting that they just move to a more expensive house in a richer neighborhood.

    Again, I'm sorry.

    I was well aware of the issue of price from the outset, but frankly I didn't know what to say about it, so I didn't address it at all. I still don't know what to say about it.

    I had "bet wrong" on how long Apple would support PowerPC systems and bought a refurb PowerMac (relatively cheap) after Intel machines introduced. I knew at the time, that I was betting on Apple continuing to support that hardware for a long time then they did. It was a bet that cost me a lot of money. I was fortunate in that I was in a position to take that loss and move to newer hardware. But I certainly understand that not everyone is.

    So, if you have to be running an unsupported system, please try to keep as up to date with anything you can, including web browsers and any plug-ins for web browsers as these are the vulnerabilities most likely to be exploited.

    From another perspective, you may be lucky in that things like Flashback are written for Intel only.

    I really wish I had something better to offer and advise people in situations like yours. But I will certainly try to at least be more sensitive to it in future posts.

    Again, thank you for setting me straight on this.

    Cheers,

    -j
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Among the things I should apologize for is not addressing the excellent point that PP raises in her comment. (I had thought that I'd already done so, but obviously never actually posted my response. Seem's like I'll have to recreate it.)

    You, PP, are absolutely correct that through email we can forward malware to Windows users, and so that is a legitimate reason for being concerned about Windows malware sitting in our mailboxes. I've been using Fastmail for the past 10 years or so, which can be configured to perform virus scanning of incoming mail. They can't catch everything of course, but it does provide some very substantial protection. (I've turned that off for my personal mail because, well, I'm peculiar.) Just as a personal recommendation, Fastmail provided encrypted IMAP and HTTPS access from its inception, more than a decade before over email services did.

    I don't know what kinds of virus scanning other mail service providers offer. But I would expect that most do offer something.

    I do want to emphasize the distinction between how effective AV systems are at detecting malware against how effective they are at actually preventing the malware from being installed. This is why I ask whether the detected malware would have gone on to infect systems had it not been detected.

    [font=helvetica, arial, sans-serif]Someone sent me a joke in the form of a mail attachment that they hadn't even opened yet. I looked at it, laughed and passed the message on to my joke distribution list. A few minutes later, the phone started ringing with messages of two flavours: "stop sending me viruses you idiot!" or "what the hell have you done to my computer? I opened that joke and it's f***** now!". These are from the two broad types of computer user that I interact with: corporate and home.
    [/font]
    Ouch! I can definitely agree that on your behalf and on those who you interact with that you don't want a repeat of that.

    In your estimation has AV software running on your Mac prevented such a repeat? I'm not asking that with the expectation of any particular answer. I can just as easily imagine that your answer will be "yes" as "no". If your answer is indeed yes, then we have a clear demonstration of the value of AV software running on a Mac, and I will be (a little) more open to it.

    Cheers! And please continue to challenge me on anything I say.

    -j
  • Penelope Pitstop
    Penelope Pitstop
    Community Member
    jpgoldberg wrote:
    In your estimation has AV software running on your Mac prevented such a repeat? I'm not asking that with the expectation of any particular answer. I can just as easily imagine that your answer will be "yes" as "no". If your answer is indeed yes, then we have a clear demonstration of the value of AV software running on a Mac, and I will be (a little) more open to it.
    Not sure. As I alluded to in my previous post, you have me questioning if it would have prevented a recurrence of that same exact scenario — I didn't spend too much time thinking about how the AV software worked, I just thought it was the only preventative measure I could take at the time. I'm not about to test the idea by trying to replicate the scenario! ;-)

    It has detected some infected files and usually as a result of my interaction with email. Maybe that has seduced me into thinking that it is doing some good. I admit that this has only happened on the odd occasion which does tend to validate your argument but once was enough for me.

    The only argument I can see against using AV is the performance degradation and possible system instability. I found that some of the earlier AV offerings I tried were resource intensive but I don't really notice the latest one I'm using. Nor is it making my system unstable. Maybe if it does I will be less reluctant to turn off the dynamic scanning and just run it regularly.
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Thanks Penelope!

    It is good to have real people report on whether running an AV interferes with stuff. I'm glad that it doesn't for you.

    Also, I've only started recently thinking seriously about AV. So it's not something that I have that much expertise with. My opinions are subject to change.

    (On the matter of opinions subject to change, I recently came across something I wrote 10 years ago in which I encouraged people to use PDFs for document exchange specifically because PDFs wouldn't carry malware.)

    Cheers,

    -j
  • Penelope Pitstop
    Penelope Pitstop
    Community Member
    jpgoldberg wrote:

    Thanks Penelope!

    It is good to have real people report on whether running an AV interferes with stuff. I'm glad that it doesn't for you.

    Also, I've only started recently thinking seriously about AV. So it's not something that I have that much expertise with. My opinions are subject to change.

    (On the matter of opinions subject to change, I recently came across something I wrote 10 years ago in which I encouraged people to use PDFs for document exchange specifically because PDFs wouldn't carry malware.)

    Cheers,

    -j
    LOL. Like you say, security is a process :)
This discussion has been closed.