FT.com / Technology - Google ditches Windows on security concerns. I do hope this turns out to be true. If so, it's about time some IT folks wised up about Windows. The myth that Windows security problems are all due to the OS' large market share continues to dominate mindshare, but it's just that… a myth. Microsoft is singlehandedly responsible for the Antivirus/Anti-malware growth industry, and all of the security patches needed to keep Windows secure is keeping a lot of IT guys employed. This doesn't mean that Windows insecurity is a good thing, folks.

Government going Apple? - Security Systems News. I guess I missed this little tidbit from last fall, courtesy of Security Systems News. If true, it sounds like there at least a few Federal IT execs who are beginning to listen to reason, rather than being always feeling like they're on the defensive about Macs.

Virtually every Windows PC at risk, says Secunia

There have been a rash of articles in recent weeks about a new Windows worm that takes several routes to PCs, including Facebook. Apparently, it is now building a huge "Botnet," a network of zombie PCs that can be commandeered to do various evil things, like sending junk mail.

In the midst of this, security firm Secunia now finds that 98% of Windows users work on PCs that already have some form of malware installed. Now, let's see... What percentage of Mac users have this problem? Oh yes, it's still 0%, but don't worry, as the "experts" have been telling us for years now, the hackers will get to the Mac platform eventually. Yeah, right.

Oops, I guess that makes me a "smug Mac user," right? How does that make me smug? Just stating the facts. Despite what they say, it's no accident... and no reflection on market share... that Mac OS X users aren't vulnerable to this kind of bull*hit. It's just good engineering and an attention to detail.

Apple's patch process a mess, say researchers - Computerworld

This is clearly a case of limited-brain humans thinking that something different is something bad. Also a bit of Microsoft-minded FUD here, with statements about Mac OS X's "aging code base" (huh?) and Microsoft being "way ahead" of Apple in its security-patching (huh?).

Why should a company like Apple, which has never had even a minor security incident affecting its users, follow the lead of a company like Microsoft, which defined the way to Not build a secure operating system?

Consumer Reports urges Mac users to dump Safari, cites lack of phishing protection

And to think I used to like Consumer Reports!

They keep writing me to "come back" and resubscribe, but I've told them that won't happen until they become objective and truly knowledgeable about the Mac... at least as knowledgeable as they are about Windows PCs.

And now, it turns out they're recommending that Mac users "dump Safari," which just happens to be the best web browser on the Mac platform. Oh, and since this article also appears on ZDNet, while other industry journals gave it little play, I begin to conclude that ZDNet is a rats nest of Microsoft zealots.

So, here's the little note I left them today about their latest phishing/Safari scare tactic:

There is nothing in common between phishing and viruses, adware, spyware, or other malware. Phishing is just an old-fashioned scam dressed up in new HTML clothing. Consumers need to be educated about it, and no anti-phishing technology is going to save them. For one thing, most phishing schemes come to consumers through their email client, not their browsers.

Oh, and 6 or 7 years ago, why didn't Consumer Reports advise Windows users to ditch IE? That would have been the single best way for them to avoid Internet malware, but I never heard them do such a thing. The phishing problem pales in comparison to the security nightmares we experienced after IE6 was released (and before SP2), and which millions of Windows users continue to experience today. Active/X is the most dangerous technology out there as far as security is concerned, but is MS being pressured to remove it from IE?

Unfortunately, I don't think we've heard the last of this... At least, until Apple goes ahead and joins the other browsers in adding "anti-phishing technology" to Safari. Like I noted above, it really makes a lot more sense to add this capability to users' mail clients, since phishing is just a form of junk mail in the end.

ZDNet: iPhone vulnerable to phishing, spamming flaws

There has lately been a rash of articles about how "insecure" Safari is because it has no anti-phishing mechanism. Frankly, I think this is a bunch of hogwash. It's an attempt to show how lax Apple is about security, and, by implication, how great Microsoft is.

It's not that I don't think phishing is a serious problem... I do! It's just that phishing is not a security issue, which is how the anti-Apple, pro-Microsoft (and pro-Firefox) zealots are trying to portray it.

Here's the comment I left on ZDNet's site about this article, dated 7/23/08:

Phishing scams are very bad, but they are not the same as viruses or malware that gets installed on your operating system. Not even in the same category. They are simply a sophisticated con, and unfortunately there are a lot of naive, clueless web users who will click on any link they're offered. Then again, I know people who are so paranoid they won't click on any link in an email at all... even if it comes from a trusted source (like a friend). I'm not at all convinced that anti-phishing software will work any better than junk-mail filters have, though I understand the need to try.

All you guys who are so hot to jump on Apple need to at least know what you're talking about. Though the companies who make money on security vulnerabilities like to lump phishing in with "security" flaws, in my opinion they aren't. Why? Because they pose no threat to the integrity of your computer or to your network.

Later, in reply to a reader who thought I was kidding with this opinion, I wrote:

Of course it's bothersome... on the same plane as the scum who trick old ladies out of their social security checks by conning them into some phony investment.

Phishing is more insidious, but if you have an ounce of common sense, it's easily avoided.

Not so with viruses and spyware, which can invade your system without any action on your part... not even clicking on a link. If following a link loads a virus, that's not phishing, defined as [blockquote] the activity of defrauding an online account holder of financial information by posing as a legitimate company[/blockquote].

My point is, phishing is not so much a security liability as it is a privacy issue... Phishing amounts to identity theft.

I'm not arguing that phishing isn't a serious concern that needs to be addressed. But I'm saying it's not a security issues in that it doesn't install software on your system, invade your network, or propagate itself to others.

I am arguing that it's more like spam, which is likewise a serious problem that can lead individuals to dangerous websites or tempt them into bad decisions. Like spam, I'm doubtful that any software solution to eradicate phishing is possible.

In this light, the urgency to correct a phishing vulnerability is much lower than that to correct a security vulnerability, and the fact that such a vulnerability exists should not alarm users to the same degree.

Turns out this "phishing" scam isn't over with the iPhone or Safari. See more of my ranting in Part 2 of this topic.

Gone in 2 minutes: Mac gets hacked first in contest The fact remains that neither I nor any other Mac user has ever had our machine infected with a virus, a worm, or any of the numerous forms of malware that Windows users have suffered from since 2001, when Mac OS X was released. The single biggest risks users have faced online during this period are (a) running Windows XP, (b) running Internet Explorer, and (c) running Microsoft email software. Why? Microsoft has called it various things over the years, but I know it best as Active/X. Microsoft argued in the aborted antitrust trial that tying IE tightly to the OS was in the best interests of consumers. Right. It certainly has been good for IT security firms. Heck, this gave rise to an entire industry that would never have existed without Microsoft's highly vulnerable system, and it made consumers and businesses spend billions of dollars on antivirus/antimalware software to combat the problem. Plus it created a generation of people who are afraid to use the web to the fullest, and who are neurotically suspicious of hyperlinks in emails... even when they come from people they know and trust.

Even if you believe these things would have happened if Apple's OS held the monopoly (which is a demonstrably false opinion), the burden of computer security has fallen exclusively on Windows users over the last 7 years. Exclusively... not just 90-95% of the burden. I have never spent a dime on security software or subscriptions, nor have I spent a moment worrying about going online. I've never had my machine hijacked by malware, or had my browser go haywire because I visited the "wrong" website. I take sensible precautions about suspicious emails, and I don't download files from suspicious websites.

If someone has developed a true exploit for hacking Mac OS X, I'm sure it'll be quickly squashed by Apple. And one or two such exploits in 7 years is a far more intelligent risk than dealing with thousands of such exploits a year over that period, don't you think?

Computerworld: Microsoft admits it knew about, didn’t patch, bugs

OK, Microsoft apologists, take a healthy bite of this one and see if it doesn’t taste as bad to you as it does to me. When are you guys gonna realize that Microsoft is only out for itself and cares nothing for anything but money and maintaining its illegally obtained monopoly? The fact that our government (I mean, specifically, the Bush Administration) has chosen to look the other way is just one more example of how our country has abdicated its moral leadership in economic, political, military, and environmental affairs.

Daring Fireball: Lies, Damned Lies, and Bill Gates If anybody is confused about whether this guy is honest or not, or thinks he might have turned over a new leaf since his wife is giving lots of money to charity, get a load of what he told Newsweek in a Vista-promo interview:

Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.

As John Gruber at Daring Fireball points out, "Gates’s claim about Mac OS X security is simply false. Flabbergastingly false." And that's just the latest example. This guy will say anything to win. Is that OK nowadays? Is "unscrupulous" an OK personality trait in today's world? Let's remember what "unscrupulous" means: "having or showing no moral principles; not honest or fair." In my book, that's a bad thing, which is why I continue to boycott Microsoft products and encourage others to do the same.

Just like Hit--you know who--ler, Bill Gates and his buddy Steve Ballmer are masters of telling the Big Lie to get their way. Heck, it's worked for them in the past, so now they're convinced no one will ever call them on it. Just like the Newsweek interviewer, who let the statement roll right on by without question! As Hitler discovered, people will believe Big Lies before they believe small ones. Too bad humanity has advanced so little since that experience that people are still willing to be misled like this.

MacSlash | Why Are Macs More Secure? This article is interesting as a virtual catalog of the ongoing argument about whether or not Macs are more secure than Windows. You have the doubters and the market-share believers, but you also have a huge number of intelligent folks who make a very reasonable, solid case that market share and security-through-obscurity just doesn't hold up to analysis.

From the Mac Observer - Apple, Microsoft and the War Mentality Here's a thought-provoking essay that makes a number of good points and asks a number of good questions about the IT world's continued reliance on Microsoft Windows despite clear evidence that it's a losing battle. In one of the author's most astute moments, he compares IT's war to shore up Microsoft Windows to the Bush Administration's war against terror. That's actually quite a good analogy. The author's perspective is the same as the one from which I wrote "Protecting Windows: How PC Malware Became A Way of Life" a couple of months ago.

Tom Yager, InfoWorld: Is Windows inherently more vulnerable to malware attacks than OS X? I was on vacation when Yager wrote this terrific article in late August... It's the best attempt I've seen to document in detail the many vulnerabilities in Windows that simply don't exist in Mac OS X. It also lists the built-in security features of Mac OS X that are missing from Windows. Absolutely essential to anyone who wants to have a serious talk with their Windows IT guys about letting Macs in the office door.

Safe storage, Mac style So much skepticism from Windows users that Macs could be better than Windows at anything important... yet here's a new article in Computerworld that points out more uncomfortable facts for Microsoft fans: Mac OS X's built-in File Vault, together with encrypted trash and virtual memory, simply tops Windows out of the box. This is not an opinion.

MacSlash: Gone In 60 Seconds The story about the MacBook that was compromised has been making the rounds the last day or so, supposedly pointing out a security flaw in Apple's Airport (wi-fi) implementation. On closer inspection, the flaw originated with a 3rd party wi-fi add-on, and had nothing to do with Apple or Mac OS X. I'm only documenting this incident for future reference.

Ah, computer security training. Don’t you just love it? Doesn’t it make you feel secure to know that your alert IT department is on patrol against the evil malware that slinks in and takes the network down every now and then, giving you a free afternoon off? Look at all the resources those wise caretakers have activated to keep you safe!

• Virulent antivirus software, which wakes up and takes over your PC several times a day (always, it seems, just at the moment when you actually needed to type something important).
• Very expensive, enterprise-class desktop-management software that happily recommends to management when you need more RAM, when you’ve downloaded peer-to-peer software contrary to company rules, and when you replaced the antivirus software the company provides with a brand that’s a little easier on your CPU.
• Silent, deadly, expensive, and nosy mail server software that reads your mail and removes files with suspicious-looking extensions, or with suspicious-looking subject lines like “I Love You“, while letting creepy-looking email with subject lines like “You didnt answer deniable antecedent” or “in beef gunk” get through.
• Expensive new security personnel, who get to hire even more expensive security contractors, who go on intrusion-detection rampages once or twice a year, spend lots of money, gum up the network, and make recommendations for the company to spend even more money on security the next year.
• Field trips to Redmond, Washington, to hear what Microsoft has to say for itself, returning with expensive new licenses for Groove and SharePoint Portal Server (why both? why either?), and other security-related software.
• New daily meetings that let everyone involved in protecting the network sit and wring their hands while listening to news about the latest computing vulnerabilities that have been discovered.
• And let’s not forget security training! My favorite! By all means, we need to educate the staff on the proper “code of conduct” for handling company information technology gear. Later in the article, I’ll tell you all about the interesting things I learned this year, which earned me an anonymous certificate for passing a new security test. Yay!

In fact, this article started out as a simple expose on the somewhat insulting online training I just took. But one thought led to another, and soon I was ruminating on the Information Technology organization as a whole, and about the effectiveness and rationality of its response to the troublesome invasion of micro-cyberorganisms of the last 6 or 7 years.

Protecting the network

Who makes decisions about computer security for your organization? Chances are, it’s the same guys who set up your network and desktop computer to begin with. When the plague of computer viruses, worms, and other malware began in earnest, the first instinct of these security Tzars was understandable: Protect!
          Protect the investment…
                    Protect the users…
                              Protect the network!

And the plague itself, which still ravages our computer systems… was this an event that our wise IT leaders had foreseen? Had they been warning employees about the danger of email, the sanctity of passwords, and the evil of internet downloads prior to the first big virus that struck? If your company’s IT staff is anything like mine, I seriously doubt it. Like everyone else, the IT folks in charge of our computing systems at the office only started paying attention after a high-profile disaster or two. Prior to that, it was business as usual for the IT operations types: “Ignore it until you can’t do so anymore.” A vulgar translation of this “code of conduct” is often used instead: “If it ain’t broke, don’t fix it.”

Unfortunately, the IT Powers-That-Be never moved beyond their initial defensive response. They never actually tried to investigate and treat the underlying cause of the plague. No, after they had finished setting up a shield around the perimeter, investing in enterprise antivirus and spam software, and other easy measures, it’s doubtful that your IT department ever stepped back to ask one simple question: How much of the plague has to do with our reliance on Microsoft Windows? Would we be better off by switching to another platform?

It’s doubtful that the question ever crossed their minds, but even if someone did raise it, someone else was ready with an easy put-down or three:

1. It’s only because Windows is on 95% of the world’s desktops.
2. It’s only because there are so many more hackers now.
3. And all the hackers attack Windows because it’s the biggest target.

At about this time in the Computer Virus Wars, the rallying cry of the typical IT shop transitioned from “Protect the network… users… etc.” to simply:
            Protect Windows!

Windows security myths

The “facts” about the root causes of the Virus Wars have been repeated so often in every forum where computer security is discussed—from the evening news to talk shows to internal memos and water-cooler chat—that most people quickly learned to simply shut the question out of their minds. There are so many things humans worry about in 2006, and so many things we wonder about, that the more answers we can actually find, the better. People nowadays cling to firm answers like lifelines, because there’s nothing worse than an unsolved mystery that could have a negative impact on you or your loved ones.

Only problem is, the computer security answers IT gave you are wrong. The rise of computer viruses, email worms, adware, spyware, and indeed the whole category now known as “malware” simply could not have happened without the Microsoft Windows monopoly of both PC’s and web browsing and the way the product’s corporate owners responded to the threat. In fact, the rise of the myth helped prolong the outbreak, and perhaps just made it worse, since it took Microsoft off the hook of responsibility… thus conveniently keeping the company’s consideration of the potentially expensive solutions at a very low priority.

Even though the IT managers who actually get to make decisions didn’t see this coming, it’s been several years now since some smart, brave (in at least one case, a job was lost) people raised a red flag about the vulnerability of our Microsoft “monoculture” to attack. They warned us that reliance on Microsoft Windows, and the impulse to consolidate an entire organization onto one company’s operating system, was a recipe for disaster. Because no one actually raised this warning beforehand, the folks in the mid-to-late 1990’s who were busily wiping out all competing desktops in their native habitat can perhaps be forgiven for doing so. However, IT leaders today who still don’t recognize the danger—and in fact actively resist or ignore the suggestion by others in their organization to change that policy—are being recklessly negligent with their organization’s IT infrastructure. It’s now generally accepted by knowledgeable, objective security experts that the Microsoft Windows “monoculture” is a key component that let the virus outbreak get so bad and stay around for so long. They strongly encourage organizations to loosen the reins on their “Windows only” desktop policy and allow a healthy “heteroculture” to thrive in their organization’s computer desktop environment.

Full disclosure: I was one of the folks who warned their IT organization about the Windows security problem and urged a change of course several years ago. From a white paper delivered to my CIO in November 2002, this was one of my arguments for allowing Mac OS X into my organization as a supported platform:

Promoting a heterogeneous computing environment is in NNN’s best interest from a security perspective. Mactinoshes continue to be far more resistant to computer viruses than Windows systems. The latest studies show that this is not just a matter of Windows being the dominant desktop operating system, but rather it relates to basic security flaws in Windows.

About a year later, when Cyberinsecurity was released, I provided a copy to my company’s Security Officer. But sadly, both efforts fell on deaf ears, and continue to do so.

1999: The plague begins

The first significant computer virus—probably the first one you and I noticed—was actually a worm. The “Melissa Worm” was introduced in March 1999 and quickly clogged Usenet newsgroups, shutting down a significant number of servers. Melissa spread as a worm in Microsoft Word documents. (Note: Wikipedia now maintains a Timeline of Notable Viruses and Worms from the 1980’s to the present.)

Now, as it so happens, 1999 was also the year when it became clear that Microsoft would win the browser war. In 1998, Internet Explorer had only 35% of the market, still a distant second to Netscape, with about 60%. Yet in 1999, Microsoft’s various illegal actions to extend its desktop monopoly to the browser produced a complete reversal: When history finished counting the year, IE had 65% of the market, and Netscape only 30%. IE’s share rose to over 80% the following year. This development is highly significant to the history of the virus/worm outbreak, yet how many of you have an IT department enlightened enough to help you switch from IE back to Firefox (Netscape’s great grandchild)? The browser war extended the growing desktop-OS monoculture to the web browser, which was the window through which a large chunk of malware was to enter the personal computer.

You see, by 1994, a year or so before the World Wide Web became widely known through the Mosaic and Netscape browsers, Microsoft had already achieved dominance of the desktop computer market, having a market share of more than 90%. A year later, Windows 95 nailed the lid on the coffin of its only significant competitor, Apple’s Macintosh operating system, which in that year had only about 9% of corporate desktops. Netscape was the only remaining threat to a true computing monoculture, since as the company had recognized, the web browser was going to become the operating system of the future.

Microsoft’s hardball tactics in beating back Netscape led directly to the insecure computer desktops of the 2000 decade by ensuring that viruses written in “Windows DNA” would be easy to disseminate through Internet Explorer’s Active/X layer. Active/X basically let Microsoft’s legions of Visual Basic semi-developers write garbage programs that could run inside IE, and it became a simple matter to write garbage programs as Trojan Horses to infect a Windows PC. Active/X was a heckuva lot easier to write to than Netscape’s cross-platform plug-in API, which gave IE a huge advantage as developers sought to include Windows OS and MS Office functionality directly in the web browser.

A similar strategy was taking place on the server side of the web, as Microsoft’s web server, Internet Information Server (IIS), had similarly magical tie-in’s to everybody’s favorite desktop OS. Fortunately for the business world, the guys in IT who had the job of managing servers were always a little bit brighter than the ones who managed desktops. They understood the virtues of Unix systems, especially in the realm of security. IT managers weren’t willing to fight for Windows at the server end of the business once IIS was revealed to have so many security holes. As a result, Windows, and IIS, never achieved the dominance of the server market that Microsoft hoped for, although you can be sure that the company hasn’t given up on that quest.

The other major avenue for viruses and worms has been Microsoft Office. As noted, Melissa attacked Microsoft Word documents, but this was a fairly unsophisticated tactic compared with the opportunity presented by Microsoft’s email program, Outlook. Companies with Microsoft Exchange servers in the background and Outlook mail clients up front, which by the late 1990’s had become the dominant culture for email in corporate America, presented irresistable targets for hackers.

Through the web browser, the email program, the word processor, and the web server, the opportunities for cybermischief simply multiplied. Heck, you didn’t even have to be a particularly good programmer to take advantage of all the security holes Microsoft offered, which numbered at least as many as would be needed to fill the Albert Hall (I’m still not sure how many that is).

So… the answer to the question of why viruses and worms disproportionately took down Windows servers, networks, and desktops starting in 1999 isn’t that Microsoft was the biggest target… It was because Microsoft Windows was the easiest target.

And the answer to why viruses and worms proliferated so rapidly in the 2000’s and with them the Windows-hacker hordes is simply that hacking Microsoft Windows became a rite of passage on your way to programmer immortality. Why try to attack the really difficult targets in the Unix world, which had already erected mature defenses by the time the Web arrived, when you could wreak havoc for a day or a week by letting your creation loose at another clueless Microsoft-Windows-dominated company? Once everyone was using both Windows and IE, spreading malware became child’s play. You could just put your code in a web page! IE would happily swallow the goodie, and once inside, the host was defenseless.

Which leads me to the next question whose answer has been obscured in myth: Exactly why was the host defenseless? That is, why couldn’t Windows fight off viruses and worms that it encountered? It doesn’t take a physician to know the answer to that one, folks. When you encounter an organism in nature that keeps getting sick when others don’t, it’s a pretty good bet that there’s something wrong with its immune system.

The trusting computer

It’s not commonly known or understood outside of the computer security field that Windows represents a kind of security model called “trusted computing.” Although you’d think this model would have been thoroughly discredited by our collective experience with it over the last decade, it’s a model that Microsoft and its allies still believe in… and still plan to include in their future products such as Windows Vista. Trusted computing has a meaning that’s shifted over the years, but as embodied by Microsoft Windows variants since the beginning of the species, it means that the operating system trusts the software that gets installed on it by default, rather than being suspicious of unknown software by default.

That description is admittedly a simplification, but this debate needs to be simplified so people can understand the difference between Windows and the competition (to the extent that Windows has competition, I’m talking about Mac OS X and Linux). The difference, which clearly explains why Windows is unable to defend itself from attack by viruses and worms, stems from the way Windows handles user accounts, compared with the way Unix-like systems, such as Linux and Mac OS X, handle them. Once you understand this, I think it will be obvious why the virus plague has so lopsidedly affected Windows systems, and it will dispel another of the myths that have been spread around to explain it.

Windows has always been a single-user system, and to do anything meaningful in configuring Windows, you had to be set up as an administrator for the system. If you’ve ever worked at a company that tried to prevent its users from being administrators of their desktop PC’s, you already know how impossible it is. You might as well ask employees to voluntarily replace their personal computer with a dumb terminal. [Update 8/7/06: I think some readers rolled their eyes at this characterization (I saw you!). You must be one of the folks stuck at a company that has more power over its employees than the ones I've worked for in the last 20-odd years. Lucky you! I don't have data on whose experience is more common, but naturally I suspect it's not yours. No matter... this is certainly true for home users ....] And home users are always administrators by default… besides, there’s nothing in the setup of a Windows PC at home that would clearly inform the owner that they had an alternative to setting up their user accounts. (Update 8/7/06: Note to Microsoft fans who take umbrage at this characterization of their favorite operating system: Here’s Microsoft’s own explanation of the User Accounts options in Windows XP Professional.)

The Unix difference: “Don’t trust anyone!”

On Unix systems, which have always been multiuser systems, the system permissions of a Windows administrator are virtually the same as those granted to the “superuser,” or “root” user. In the Unix world, ordinary users grow up living in awe of the person who has root access to the system, since it’s typically only one or two system administrators. Root users can do anything, just as a Windows administrator can.

But here’s the huge difference: A root user can give administrator access to other users, granting them privileges that let them do the things a Windows administrator normally needs to do—system administration, configuration, software installing and testing, etc—but without giving them all the keys to the kingdom. A Unix user with administrator access can’t overwrite most of the key files that hackers like to fool with—passwords, system-level files that maintain the OS, files that establish trusted relationships with other computers in the network, and so on.

Windows lacks this intermediate-level administrator account, as well as other finer-grained account types, primarily because Windows has always been designed as a single-user system. As a result, software that a Windows user installs is typically running with privileges equivalent to those of a Unix superuser, so it can do anything it wants on their system. A virus or worm that infects a Unix system, on the other hand, can only do damage to that user’s files and to the settings they have access to as a Unix administrator. It can’t touch the system files or the sensitive files that would help a virus replicate itself across the network.

This crucial difference is one of the main ways in which Mac OS X and Linux are inherently more secure than Windows is. On Mac OS X, the root user isn’t even activated by default. Therefore, there’s absolutely no chance that a hacker could log in as root: The root user exists only as a background-system entity until a Mac user deliberately instantiates her, and very few people ever do. I don’t think this is the case on Linux or other Unix OS’s, but it’s one of the things that makes Mac OS X one of the most secure operating systems available today.

There are many other mistakes Microsoft has made in designing its insecure operating system—things it could have learned from the Unix experience if it had wanted to. But this one is the doozy that all by itself puts to rest the notion that Microsoft Windows has been attacked more because people don’t like Microsoft, or because it’s the biggest target, or all the other excuses that have been promulgated.

The security awareness class

In response to the cybersecurity crisis, one of the steps our Nation’s IT cowards leaders have taken across the country is to purchase and customize computer security “training.” Such training is now mandatory in the Federal Government and is widely employed in the private sector. I have been forced to endure it for three years now, and I’ve had to pass a quiz at the end for the last two. As a Macintosh user, I naturally find the training offensive, because so much of it is irrelevant to me. It’s also offensive because it is the byproduct of decisions my organization’s IT management has made over the years that in my view are patently absurd. If the decisions had been mine, I would never have allowed my company to become completely dependent on the technological leadership of a single company, especially not one whose product was so difficult to maintain.

It’s a truism to me, and has been for several years now, that Windows computers should simply not be allowed to connect to the Internet. They are too hard to keep secure. Despite the millions that have been spent at my organization alone, does anybody actually believe that our Windows monoculture is free from worry about another worm- or virus-induced network meltdown? Of course not. And why not? Why, it’s because these same IT cowards leaders think such meltdowns are inevitable.

The inevitability of this century’s computer virus outbreaks is one of the implicit myths about their origin:

“Why switch to another operating system, since all operating systems are equally vulnerable? As soon as the alternative OS becomes dominant, viruses geared to that OS will simply return, and we’ll have to fight all over again in an unknown environment.”

My hope is that if you’ve been following my argument thus far, you now realize that this type of attitude is baseless, and simply an excuse to maintain the status quo.

Indeed, the same IT cowards leaders who actually believe this are feeding Microsoft propaganda about computer security to their frightened and techno-ignorant employees through “security awareness” courses such as this. Keep in mind that, as some of the notions point out, companies attempting to train their employees in computer security are doing so not only for their office PC, but for their home PC as well. The rise of telecommuting, another social upheaval caused by the Internet’s easy availability, means that the two are often the same nowadays. So the lessons American workers are learning are true only if they have Windows computers at home, and only if Windows computers are an inevitable and immutable technology in the corporate landscape, like desks and chairs.

Here are some of the things I learned from my organization’s “Computer Security Awareness” class:

1. Always use Internet Explorer when browsing the web.
   How many times must employees beg their companies to use Firefox, merely because it’s faster and has better features, before they will listen? In the meantime, to ensure that as many viruses and worms can enter the organization as possible, so that the expensive antivirus software we’ve purchased has something to do, IT management makes sure that as many people continue using IE as possible. I’m being facetious here. The reason they do this is that it’s what the training vendor told them to say, and today’s Federal IT managers always do as instructed by their contractors.

   While you can find data on the web to support the view that IE is at least as secure as Firefox, common sense should guide your decisionmaking here rather than the questionable advice of dueling experts. The presence of Active/X in IE, all by itself, should be enough to make anyone in charge of an organization’s security jump up and down to keep IE from being the default browser. And that’s not even usually listed as a vulnerability, because it’s no longer “new”. The “shootouts” that you read now and then pertain to new vulnerabilities that are found, and to the tally of vulnerabilities a given browser maker has “fixed”… not to inherent architectural vulnerabilities like Active/X and JScript (Microsoft’s proprietary extension to JavaScript).

2. Use Windows computers at home.
   The belief among IT management in recent years is that if we can get everyone to use the same desktop “image” at work and at home, we can control the configuration and everything will be better. Um, no. Mac users don’t have any fear of these strange Windows file types, and organizations that encourage users to switch to Mac OS X or to Linux, instead of discouraging such switching, immediately improve their security posture. For example, here’s some recent advice from a security expert at Sophos:
   

   “It seems likely that Macs will continue to be the safer place for computer users for some time to come.”

   And from a top expert at Symantec comes this recent news:
   

   Simply put, at the time of writing this article, there are no file-infecting viruses that can infect Mac OS X… From the 30,000 foot viewpoint of the current security landscape, … Mac OS X security threats are almost completely lost in the shadows cast by the rocky security mountains of other platforms.

3. All computers on the Internet can be infected within 30 minutes if not protected.
   No… of all currently available operating systems, this is true only of Microsoft Windows. Mac OS X is an example of a Unix system that’s been designed to use the best security features of the Unix platform by default, and no user action or configuration is required to ensure this.
   Here’s one of the URL’s (from the SANS Institute) that the course provided, which actually makes pretty clear that Windows systems are the most insecure computers you can give your employees today: Computer Survival History.
4. Spyware is a problem for all computers.
   I imagine that spyware is the most crippling day-to-day aspect of using Windows. My son insisted on trying Virtual PC a couple of years ago, and on his own, his virtual Windows XP was completely unusable because of malware of various kinds within about 20 minutes. He was using Internet Explorer, of course, because that’s what he had on his computer. I installed Firefox for him, and his web surfing in Windows has been much smoother since then. He still has to run antivirus and antiadware software to keep the place “clean,” but needless to say, he has never asked to use IE again. This experience alone demonstrated what I had already read to be true: The web is not a safe place in the 21st century if you’re using Windows. This is one of the primary reasons I use Mac OS X: In all the 5 years I’ve used Mac OS X, I have never once encountered adware. And that has absolutely nothing to do with what websites I surf, or don’t surf, on the web. (And that’s all I’m going to say about it!)
5. Viruses are a threat to all home computers.
   What I said previously about adware, ditto for computer viruses. To this day, there is not a single virus that has successfully infected a Mac OS X machine. (The one you heard about earlier this year was a worm, not a virus, and it only affected a handful of Macs, doing very little damage in any case.) As even Apple will warn you, that doesn’t mean it’s impossible and will never happen. However, it does mean that if Macs rise up and take over the world, amateur virus writers will all have to retire, and you’ll cut the supply line of new virus hackers to the bone. Without Windows to hack, it simply won’t be fun anymore. No quick kills. No instant wins. Creating a successful virus for Mac OS X will take years, not days. Human nature being what it is, I just know there aren’t many hackers who would have the patience for that.

   A huge side benefit for Mac users in not having to worry about viruses and worms is that you don’t have to run CPU-sucking antivirus software constantly. Scheduling it to run once a week wouldn’t be a bad idea, but you can do that when you’re sleeping and not have to suffer the annoying slowdowns that are a fact of PC users’ lives every time those antivirus hordes sally forth to fight the evil intruders. Or… you could disconnect your Windows PC from the Internet, and then you could turn that antivirus/antispyware thingy off for good.

6. Malicious email attachments are a threat to all.
   **Y A W N** Can we go home now?
   Sometimes, I open evil Windows attachments just for the fun of it… to show that I can do so with impunity. Then I send them on to the Help Desk to study.:-) (Just kidding.)

Change resisters in charge

Other than Microsoft, why would anyone with a degree in computer science or otherwise holding the keys to a company’s IT resources want to promulgate such tales and ignore the truth behind the virus plague? That’s a simple one: They fear change.

To admit that Windows is fundamentally flawed and needs to be replaced or phased out in an organization is to face the gargantuan task of transitioning a company’s user base from one OS to another. In most companies, this has never been done, except to exorcise the stubborn Mac population. Although its operating system is to blame for the millions of dollars a company typically has had to spend in the name of IT security over the last 5 years, Microsoft represents a big security blanket for the IT managers and executives who must make that decision. Windows means the status quo… it means “business as usual”… it means understood support contracts and costs. All of these things are comforting to the typical IT exec, who would rather spend huge amounts of his organization’s money and endure sleepless nights worrying about the next virus outbreak than to seriously investigate the alternatives.

Managers like this, who have a vested interest in protecting Microsoft’s monopoly, are the main source of the Windows security myths, and it’s a very expensive National embarrassment. The IT organization is simply no place for people who resist change, because change is the very essence of IT. And yet, the very nature of IT operations management has ensured that change-resisters predominate.

Note that I said IT operations. As a subject for a future article, I would very much like to elaborate on my increasingly firm belief that IT management should never be handed to the IT segment that’s responsible for operations—for “keeping the trains running.” Operations is an activity that likes routines, well defined processes, and known components. People who like operations work have a fondness for standard procedures. They like to know exactly which steps to take in a given situation, and they prefer that those steps be written down and well-thumbed.

By contrast, the developer side of the IT organization is where new ideas originate, where change is welcomed, where innovation occurs. Both sides of the operation are needed, but all too often the purse strings and decisionmaking reside with the operations group, which is always going to resist the new ideas generated by the other guys. In this particular situation, solutions can only come from the developer mindset, and organizations need to learn how to let the developer’s voice be heard above the fearful, warning voices of Operations.

Custer’s last stand… again

So please, Mr. or Ms. CIO, no more silly security training that teaches me how to [try to] keep secure an operating system I don’t use, one that I don’t want to use, and one that I wish to hell my organization wouldn’t use. Please don’t waste any more precious IT resources spreading myths about computer security to my fellow staffers, all the while ignoring every piece of advice you receive on how to make fundamental improvements to our network and desktop security, just because the advice contradicts what you “already know.”

It really is true that switching from Windows to a Unix-based OS will make our computers and network more secure. I recommend switching to Mac OS X only because it’s got the best designed, most usable interface to the complex and powerful computing platform that lies beneath its attractive surface. Hopefully, Linux variants like Ubuntu will continue to thrive and provide Apple a run for its money. The world would be a much safer place if the cowards leaders who make decisions about our computing desktop would wake up, get their heads out of the sand, smell the roses, and see Microsoft Windows for what it is: The worst thing to happen to computing since… well, … since ever!

Before my recommendation is distorted beyond recognition, let me make clear that I don’t advocate ripping out all the Windows desktops in your company and replacing them with Macs. Although that’s an end-point that here, today seems like a worthy goal, it would be too disruptive to force users to switch, and you’d just end up with the kind of resentment that the Macintosh purges left behind as the 1990’s ended. Instead, I’ve always recommended a sane, transitional approach, such as this one from my November 2002 paper on the subject (note that names have been changed to protect the guilty):

Allow employees to choose a Macintosh for desktop computing at NNN. This option is particularly important for employees who come to NNN from an environment where Macintoshes are currently supported, as they typically are in academia. In an ideal environment, DITS would offer Macintoshes (I would recommend the flat-panel iMacs) as one of the options for desktop support at NNN. These users can perform all necessary functions for working at NNN without a Windows PC.

This approach simply opens the door to allow employees who want to use Macs to do so without feeling like pariah or second-class citizens.

As long ago as 2002, Mac OS X was able to navigate a Windows network with ease, and assuming your company already has a Citrix server in place, Mac users can access your legacy Windows client-server apps just as well as Windows clients can. This strategy will gradually lower security costs—and probably support costs as well—as the ratio of Windows PCs to Macs in your organization goes down, while lowering the risk of successful malware attacks. As a side benefit, I would expect this strategy to improve user satisfaction as well. Since the cost of Apple desktops today is roughly the same as big-brand PCs like Dell, the ongoing operational cost of buying new and replacement machines wouldn’t take a hit, as the IT mythmakers would have you believe. In fact, did you know that all new Apple computers come with built-in support for grid computing? Certainly! Flick a switch, and your organization can tap into all the Mac desktops you own to supplement the company’s gross computing power. What’s not to like? (My 2002 report didn’t cover grid computing — it was a new feature in Mac OS X 10.4 last year — but it did address all the issues, pros, and cons an organization would face in integrating Macs with PCs; however, it’s too large a subject to discuss further here.)

But how do you convince IT managers of this, when operating systems from Microsoft are the only kind they’ve ever known? I certainly had no luck with mine. Heck, I didn’t even gain an audience to discuss it, and my fellow mid-level IT managers were aghast that I had even broached the subject. After all, many of them were still smarting from the bruising—but successful—war against Mac users they had waged during 1994-96. The fact that in the meantime Apple had completely rewritten its operating system, abandoning the largely proprietary one it built for the original Macintosh and building a new, much more powerful one on top of the secure and open foundation of Unix made no difference to these folks whatsoever. It’s not that they disagreed with any of the points I was trying to make… they didn’t even want to hear the points in the first place!

A new approach for IT managers

For the most part, the managers who, like “hear no evil” chimps, muffled their ears back in 2002 were in charge of IT operations. To them, change itself is evil, and the thought of changing your decision of 5 years ago for any reason was simply unthinkable. And yet… consider how much the computer landscape changes in a single year nowadays, let alone in 5 years. Individuals with good technical skills for operations management but no tolerance for change should simply not be allowed to participate in decisions that require objective analysis of the alternatives to current practice. And at the pace of change in today’s technology market, inquiry into alternatives needs to become an embedded component of IT management.

For what it’s worth, here are a few principles from the Martian Code of Conduct for IT management:

1. Make decisions, and make them quickly.
2. Decisions should always consider your escape route in case you make a bad choice
3. Escape routes should enable quick recovery with as little disruption to users as possible
4. Open source options should always be considered along with commercial ones.
5. COTS doesn’t stand for “Choose Only The Software” Microsoft makes.
6. Sometimes it’s better to build than to buy. Sometimes it’s better to buy than to build. A wise IT manager knows the difference.
7. Reevaluate your decisions every year, to determine if improvements can be made.
8. Don’t cling to past decisions just because they were yours.
9. Never lock yourself in to one vendor’s solution. Always have an escape route. (Wait… I said that already, didn’t I?)
10. Know thy enemy. Or at least know thy vendor’s enemy.
11. Be prepared to throw out facts you’ve learned if new information proves them wrong.
12. IT is a service function, not a police function. Remember that the purpose of the IT group is to skillfully deploy the power of information technology to improve productivity, communictions, and information management at your organization.
13. Never let contractors make strategic IT decisions for your company.
14. Never take the recommendation of a contractor who stands to gain if you do. (In other fields, this is called “conflict of interest.” In some IT shops I know, it’s called “standard practice.”)
15. Don’t be afraid to consider new products and services. When you reject a technology or tool a customer inquires about, be sure you understand why, and be prepared to explain the pros and cons of that particular technology or tool in language the customer will understand.
16. Make sure your IT organization has components to manage the following two primary activities on an ongoing basis, each of which has its requirements at the table when you compile budget requests for a given year:
    • Application developers capable of handling a multitude of RAD tasks. This group should maintain an up-to-date laboratory where new technology and tools can be evaluated quickly.
    • Operations group with subcomponents for dealing with networking, telecommunications, desktop management, security, data, and application/server maintenance.
17. Always obtain independent estimates of whatever resource requirements the operations group tells you are needed to make significant changes in technology platforms at your organization, because an operations manager will always exaggerate the true costs.
18. The success of your organization is measured not by the size of the desktop support group’s Help Desk, but rather by continued progress in reducing the number of requests and complaints that are referred to the Help Desk. A rise in Help Desk requests over time is a symptom that something is probably wrong—not a signal to ask for a larger Help Desk budget.
19. Similarly, the percentage of a company’s budget that gets devoted to IT should become smaller over time if the IT group is successfully discharging its mission. Calls for larger IT budgets should be viewed skeptically by the COO, since it often symptomizes an IT group that is unable or unwilling to find better alternatives to current practice.

From the perspective of an IT manager who has never worked with anything but Windows desktops, the prospect of having to welcome Macintosh or Linux systems into your Windows-only network must be a frightening one indeed. If you know absolutely nothing about Mac OS X and your only experience with a Mac was a brief hour or two with OS 7 a decade ago, your brain will very likely shut down at such a thought, and your hands will plant themselves on your ears if a colleague begins speaking in that direction. This is entirely understandable, and it’s equally understandable that the vast majority of your existing Windows users will want to remain on the only computing platform they’ve ever known.

But don’t you see that this fear doesn’t mean a decision to support Mac OS X in your organization is wrong! Such fears should certainly be considered in a transition plan, but they shouldn’t be considered as a reason to oppose development of a transition plan. Fears like these, and the sometimes irrational attitudes they bring to bear in technology decisionmaking, is why we desperately need new blood in the Nation’s IT departments, and why applicants to the job whose only (or only recent) training has been in MCSE shops should be filtered out from the get-go. You often hear Macintosh users “accused” of being cultish, but from my perspective, steadfast Microsoft Windows partisans are much more likely to meet the following definition of “cultish” than the Mac users I’ve known:

A misplaced or excessive admiration for a particular person or thing.

By fostering the myths about malware threats, the cult of Microsoft has already poisoned the computing experience for millions of people and wasted billions of dollars trying to shore up the bad past decisions of its Microsoft-trained hordes.

It’s time to give some new ideas a shot. It’s time to begin a migration off of the Microsoft Windows platform in U.S. corporate and government offices. Only once we dismantle the Microsoft computing monoculture will we begin to beat back the malware plague. Until then, IT security will simply spin its wheels, implement security policies that punish the whole software development life cycle because of Microsoft’s sins, and require Mac OS X users to take online security training that simply teaches all the things we have to fear from using Windows computers.

Addendum: A few articles for further reading:

Macs And Viruses. Fact vs. FUD, Mac360, May 2006

Melissa and Monoculture, Gerry McGovern, April 1999

Cyberinsecurity, CCIA, September 2003

Beware the Microsoft Monoculture, CNET, May 2006

Fears Over New Mac OS X Trojan Unfounded, Ars Technica, February 2006.

Network Managers Flee IE, trimMail, January 2006

A Crawler Based Study of Spyware on the Web, University of Washington, February 2006

Mad As Hell, Switching to Mac, Winn Schwartau in NetworkWorld, May 2005.

Colophon

This article is the first time I’ve used a new, very useful JavaScript called Image Caption from the Arc90 lab site. Image Caption makes it easy to include text captions with the graphics you publish to illustrate your text. It includes a small JavaScript file and some sample CSS code. To implement, you simply add a class attribute to the images you want to caption, add the caption text as a “title” attribute, and include the script in the head of your HTML code.

I also had fun using the terrific JavaScript called simply Reflection.js. It’s recently shed about 30kb of file size and is down to only about 5kb, works great alongside Prototype/Script.aculo.us, and is childishly simple to execute. Besides adding a link to the JavaScript file, you add a class attribute to the images you want to reflect. For each reflection, you can tweak the reflection height and its opacity by adding specific measures in two additional class attributes. Unlike other reflection scripts I’ve tried, this one automatically reflows the text once the reflected image is added to the layout.

iTWire - Vista not for home users: security expert This is interesting, especially since improved security is one of Vista's supposed best features. The article explains and follows up on Sophos' recent recommendation that Windows users who are concerned about security should switch to the Mac. Pretty damn straightforward.

MacDailyNews: Symantec researcher: At this time, there are no file-infecting viruses that can infect Mac OS X Here's a great quote from this Symantec security expert, Todd Woodward. Speaking about the teeny and rare security incidents Mac OS X has been subject to in recent months, he says:

From the 30,000 foot viewpoint of the current security landscape, these Mac OS X security threats are almost completely lost in the shadows cast by the rocky security mountains of other platforms.

Well worth reading the entire article from Woodward's blog on the Symantec website.

BBC News: Web perils advise switch to Macs This advice comes despite the fact that Windows Vista, with its enhanced security features, is still expected to be released within 12 months or so: "It seems likely that Macs will continue to be the safer place for computer users for some time to come." The report says that viruses and worms have become less of a threat to Windows, but Trojans have increased dramatically. Sophos is one of the world's leading security consulting firms. Gee, I wonder if anyone will pay attention now?

Mac360: Macs And Viruses. Fact vs. FUD. From Mac360, this is a two-part article addressing five myths the authors identify that have become common regarding the Mac and Windows Viruses:

1. Macs are just as vulnerable to Viruses, Worms, and Trojans as Windows computers.
2. Macs using Intel Processors are more vulnerable now because they use the same processors found in generic PCs.
3. Mac vulnerabilities have increased 228% since 2003, but Windows vulnerabilities have increased a much smaller amount. That means the Mac is MORE vulnerable than Windows!
4. Now that Macs are getting more popular, aren’t virus writers going to start attacking the Mac more?
5. Mac users now have to purchase and run Anti-virus software, install firewalls and scan their computers for spyware the same as Windows users.

Good list of myths! I haven't read their analysis yet, but they're off to a great start!

Both the Yankee Group and Paul Thurrott chronicle Vista's Failed Security Model I love this, from the Yankee Group:

Vista's new security features will make for such a disruptive user experience that business users might want to steer clear of the operating system for the time being... the new features will make it difficult for many enterprises to upgrade their users, because of usability issues..."

You know Microsoft... nothing like making software that's always "in your face," especially when they really want you to know they're there for you.

MacDailyNews: Unix expert: Mac OS X much more secure than Windows; recent Mac OS X security stories are media hype One of the bad journalists who started this week's anti-Mac ruckus is back, apparently trying to make amends. At his side is a respected Unix security expert who verifies that the outcry the journalist has been hearing from Mac users is justified. Macs are not susceptible to viruses, and Windows is. Macs are better protected by design, not by market share, and Windows are attacked often because it's easy to do so, not because there are so many of them. Makes sense. Of course, as the MacDailyNews editor asks the journalist in question, Stan Beer, "Why the truth now?... Get it right the first time, before you publish it."

AppleInsider: Apple launches "Get a Mac" TV campaign These are indeed the commercials Mac fans have been waiting for... a long time. Check them out at http://www.apple.com/getamac/ads/ Apple posted a couple other pages for potential switchers, including this one, which has the following hidden gem--a quick dispelling of some favorite Mac myths:

Dan Goodin: Macs are virus targets, some experts warn It's articles like this that make me say nasty things like "Windows users are stupid." Where do guys like this come off acting like they know what they're talking about? MacDailyNews has a good lampoon of a few mis-facts here.

E-Commerce News:Apple May Be Low-Hanging Fruit for IT Columnist suggests IT departments should rethink their long-standing aversion to Apple computers and gives three specific reasons why now is the time: (1) Apple's switch to Intel processors, (2) Boot Camp, letting Windows XP run natively on Macs, and (3) Vista, which has suffered disappointing delays and may not be worth the upgrade anyway. Those are th main reasons, but the writer also points out a number of other Apple pluses, including Mac OS X's better security.

Why Windows is less secure than Linux: Two System-Call Diagrams Explain All This is a pretty neat idea... Graph out all of the system calls that get made in an OS when it displays an HTML page and associated files and graphics. Compare it with another OS. In this case, the author is comparing Windows with Linux, and it's a prime example of a picture being worth a thousand words.

From Yahoo News: Symantec Rethinks Firefox vs IE Security, Using Its Brain This Time I wasn't the only one who was incredulous when Symantec gave the security edge to IE in a study they released last year. Now, it seems that some in Symantec were not pleased, either. That study was driven more by vendor payments than objective analysis, unlike the new one, which clearly gives the edge to Firefox. Symantec isn't the only company that really needs to worry about its credibility when accepting money from a vendor for doing analysis. The sham results we see so often make it impossible to engage in reasonable debate on matters like this... and reasonable debates on OS security, ROI, usability, and much more are very much needed nowadays!

Attacking the Misleading ZDnet article, Wisconsin U Has Issued a Mac OS X Security Challenge The ZDnet article was (deliberately?) misleading, claiming that Mac OS X had been hacked in under 30 minutes... Oh, and by the way, the person who "hacked" it was granted access with a local account! Duh. Really fair, wasn't it? So some smart folks at the University of Wisconsin have issued an honest challenge in response: Alter the web page on test.doit.wisc.edu, which is a Mac mini running OSX 10.4.5. I like that one!

Winn Schwartau Gives the Numbers of Network World: Macs Are Half The Cost Schwartau is a security expert who recently converted to the Mac... this article is a frank assessment using standard TCO tools, which show the Mac costs only 50% as much as comparable PC's when you consider reliability, downtime, productivity, and system maintenance.

MacSlash | Interview With The "Virus" Creator All this brouhaha about the pitiful worm that was let loose to exploit some security weaknesses in Mac OS X is perhaps understandable. After all, many of us have been bleating loudly about the Mac's superiority over Windows in security. Doesn't the worm prove us wrong? This interview, and the fascinating dialogue on MacSlash that accompanies it, only reinforces my view that Mac OS X is far safer to use than Windows. Does it have weaknesses? Certainly! Are they truly exploitable by a virus? Highly doubtful. How about by worms or adware? More likely, but as attempts like this are made, the opportunities for doing so will shrink even further.

Spyware Barely Touches Firefox - Yahoo! News Cool study from the University of Washington compared exposure to malware between IE and Firefox. Guess which one won?

Ancient flaws leave OS X vulnerable?: ZDNet Australia: News: Security I'm not sure what to make of this... It comes from a credible source, a security consulting firm called Suresec. However, I'm inclined to agree with many of the commentators on the ZDNet website, who charge the writer with a kind of blackmail against Apple. After all, they're in the business to make money by finding security vulnerabilities. Apparently, Apple declined to pay for their services, and they're miffed. The whole security industry is suspicious, in my opinion. They exist because of vulnerabilities in Windows and now they want to extend their "market" to Mac OS X as well. Hmmm.

Microsoft admits to Wi-Fi security hole - ZDNet UK News I don't have the hard disk space to store every Microsoft security-hole story that comes along, but this one seemed particularly interesting in light of the fact that Microsoft is putting rushing Vista to market ahead of fixing security problems. Microsoft has obviously gotten the message that they can let security slide endlessly with no consequences, and so they will.

Mac Security Concerns Answered by BBC Security Reporter This British expert led Mac readers to think he was exaggerating concerns about the Mac's security against viruses and the like. Turns out he was a bit misunderstood, but he admits to a bit of exaggeration as a result of his desire that Mac users not become too complacent. (Note: He's a Mac user himself.)

InfoWorld Daily | InfoWorld | Time for a class-action suit against Microsoft? | January 5, 2006 04:55 AM | By Tom Sullivan It's great to see a discussion like this springing from one of the top IT news magazines. With the failure of the Federal antitrust trial to make Microsoft pay for their many misdeeds, perhaps consumers will actually realize that the security problems in Windows computers is Microsoft's fault and demand compensation.

MacDailyNews - Apple and Mac News - Welcome Home This one sounds pretty serious... When are these idiots going to learn you don't have to be vulnerable to virus scares? Switch to a Mac before it's too late!

Browser Wars: Network Managers Flee IE Interesting article suggesting that when IT wakes up to the fact that Firefox is easier to support than IE, the game will be over for Microsoft's dominance of the web.

Consumer Reports: Intel chips may cause Mac viruses?? Unfortunately, Consumer Reports continues to allow technologically illiterate writers/editors to prepare their personal computer report. Besides misreporting the Mac security versus Window security data, they now speculate that Macs may be more susceptib

Ask MacSlash: How Safe Is An OS X User From Spyware? A user asks about OS X security, and the (occasionally uninformed) readership responds.

Cincinnati E Technology Kim Komando - Personal Tech News, Video Game Reviews, Gadget Reviews and more from Gannett News Service Macintoshes ARE personal computers. This article is based on a prejudice against Macs, by not even mentioning them in an article about windows in-security.

I don’t question that Apple is great for multimedia applications… However, I don’t do video or photo editing, compose music on my computer, make graphics, do desk-top publishing, or design web pages.

Yesterday I had a major epiphany* about what to get my Dad for his 86th birthday this weekend. Until yesterday, I had bought into his belief that he would never learn how to use a computer, because he found it too confusing. The implication of this, of course, is that he was never to experience the many positive enhancements to his life that email and the Web could bring. Yesterday I realized there was a great solution, thanks to Apple’s new Mac Mini.

Some background will help explain my thinking…. You see, for years after the Web and email became a standard part of the life of working folks in America, my Dad has poo-poo’d their value. Left out of this huge communications revolution, he had to be content ranting about the negative side of the Web… namely, increased access to pornography and other forms of “dangerous” information (some of legitimate concern, I might add, like how-to sites on building bombs). As far as email goes, he couldn’t see how email would improve on old-fashioned print communication or on the good old telephone. And what about all that spam he keeps reading about? Lucky for him he doesn’t have to deal with it!

So, a couple of years ago one of his wife’s children had the bright idea to buy him a computer and set him up with internet access. They did, and the computer has sat virtually unused on a small table in their bedroom ever since. My Dad says that whenever he tried to use it, he could never figure out what to do.

OK, so he’s had a computer for 2 years and hasn’t used it. What makes me think giving him a Mac Mini will help?

To answer that, let me get back to the title of this essay, which is also related to the quote that opens it, from a friend of mine who doesn’t understand how a Mac would be any better than a Windows system as a personal computer, unless you’re doing multimedia work.

You see, although IBM coined the term “personal computer” when it rolled out its DOS-based systems back in 1981, it has never been marketed at “people”, really. (For an excellent history of the IBM PC, check out this article at about.com.) Instead, the PC was aimed squarely at the business world, which is one of the main reasons for its success over Apple’s computers.

There are numerous sub-topics to this thread which I’ll have to explore in other articles, but suffice it for now to say that at the time the IBM PC arrived, the Apple II was the most popular “personal computer” on the market. Like IBM/Microsoft’s DOS, the Apple II used a text-based interface and was designed to appeal primarily to computer aficionados. The Apple II was a hobbiest’s dream and was very popular with programmers. It was on the Apple II that the personal computer first demonstrated the usefulness and power of productivity applications like word processors, spreadsheets, drawing programs, and the like. It was also used to build and play games. But it was certainly not appropriate for the home market–that is, for nontechnical, computer-illiterate people who just want a useful appliance at home to do certain kinds of tasks.

And neither was IBM’s PC. And neither is Microsoft Windows, even after its long, torturous evolution to Windows XP. Microsoft, like IBM, had its sights set squarely on the business market. They understood that the first major applications of “personal” computers (meaning, computers that employees had at their individual workstations) would be as assets to boosting productivity and profits for private enterprises. (And oh yes, by the way, they could make a lot of money by selling them to the government and nonprofit sectors, too.) And indeed, despite their basic user-unfriendliness, they were wildly successful in that environment. (Separate topic alert! The rise of the Help Desk coincided with the introduction of the PC in the business place.)

Then, employees began to want to do work at home. So they would buy a Windows machine to maintain compatibility with what they were using at the office (not knowing that it wasn’t really necessary to do so, but making the assumption that it was). Thus was born the early market for computers in the home. But again, they weren’t used for anything “personal.” These were just business computers that, to the delight of employers across coporate America, employees were suddenly willing to provide at their own cost in order to continue working at home! What a great deal for business!

In the course of things, these “personal” computers did begin to allow some personal activities, as the computer gaming industry took hold and developed some killer products like Myst. After that, home computers were typically used by working people for doing work and by their kids for playing games. (If you were lucky to have the time, you working stiffs might be able to have some fun playing games, too. But more of you were likely inclined to engage in passive activities like TV and rental movies, I suspect.)

Meanwhile, in 1984 Apple introduced the Macintosh. This revolutionary product was aimed squarely at “people” as opposed to businesses. It was truly a “personal” computer that would actually talk to you! (All Macs to the present day do this, by the way, if you let them.) The Mac provided all sorts of fun ways to interact with it, as well as fun programs for creating things and doing personal work, like family finances, writing letters, etc. And you could do all these things without knowing any computing commands, all by moving a little pointer around a screen with a new device called the “mouse”. I won’t go into the many sad mistakes that future Apple management made as they tried to market and enhance this product, but suffice it to say that the Macs of today are still primarily oriented to personal activities and nontechnical users. Yes, they are also widely used in business (especially in publishing and the creative industries–film, music, design, art), and they are great for that–especially for small businesses. They also appeal to highly technical subculture of computer programmers, luring hard-core Linux junkies to a glorious computing nirvana where the text-based Unix command line mingles with a gorgeous graphical user interface.

But even as the IBM PC gradually evolved, through advances in Microsoft Windows, to being very much like the Macintosh of 1984, it remained far too complex for doing simple “personal” things. One of my favorites is volume control. Good grief… do you think Microsoft could have made a simple task like turning the volume up or down on your PC any more difficult than they did? It’s getting easier, but it’s still ridiculously complicated compared with the Mac.

And that’s because the Macintosh user interface was designed (and is being enhanced) by people who understand how to make difficult computing tasks easy. Why do this? Because Apple engineers have a vision and dedication to making innovative computing applications accessible to nontechnical users. If you’re going to bring a computer into your home and try to make it useful for an 86-year-old man who’s never used one before, you want this shiny new appliance to be inviting, not intimidating. You want to make it so that this computer neophyte can become immediately productive without having to worry about a lot of complexities. Why make someone set a preference or open a dialog box if you don’t have to. Computer neophytes find preference panels and dialog boxes very confusing. I know that’s hard for computer literate types to grasp, but it’s true.

I once spent 20 minutes on the phone with a Citibank employee when I worked there managing their corporate intranet, trying to explain how to find the toolbar on one of their Windows “windows”. One of the key differences between the Mac OS and Windows, still today, is that the Mac only ever has ONE toolbar open… and it’s anchored securely to the top of the monitor window. In their infinite wisdom, Microsoft user interface “specialists” decided that it would be better to have toolbars anchored to the top of every application window. As a result of which you have a huge proliferation in widget confusion for the neophyte user. And there’s no technically good reason why you would do this, except that it was probably easier for the Microsoft programmers.

Well, this certainly is turning into a long rant, isn’t it? To bring the topic back on point, I think the reason my Dad is still missing out on the Internet revolution (including the Web and email) is that it’s totally inappropriate to give such a person a Windows computer and expect them to use it. It’s inappropriate in the first place because Windows was never designed to be a personal computing system. Personal computing artifacts have been tacked on to the Windows interface as time has gone on in an attempt to match the elegance of the Mac interface, but it still leaves a huge amount to be desired. Another example: If my Dad wanted to use his computer as a DVD player, he would expect it to behave like a DVD player. He would expect that by putting the DVD in, the DVD would start to play. Apple understands this, and that, of course, is how a Mac acts. But not so a Windows machine (one day, I’m sure it will). Microsoft expects Dad to know (a) where to find the DVD player on the computer and (b) how to start it up. They might also make Dad respond to some dialogue boxes along the way. This is personal computing?

The seamless simplicity Apple engineered into the interaction between the iPod and iTunes is one reason for its runaway success. If Microsoft had its way, this interaction would be as complicated as necessary to keep costs down. And besides, if its complicated it’s Roxio’s fault, or Real’s, or… As a matter of fact, why don’t you just use MSN?

Besides the usability factor, there’s the more recent problem with computer viruses, adware, and popups that have infected Windows systems. Having to deal with these kinds of afflictions is much more than you can reasonably expect a non-technical computer user to do. And so they won’t deal with them if you give them a new Windows system. And so they’ll browse around the internet a few times, fall victim to nasty viruses through simple downloads or innocent-looking email attachments, and quickly get their machine infected. After that, the machine starts to slow down and to act funny…. unpredictably. And the last thing you want in a home appliance is for it to be unpredictable. I remember the last time my refrigerator crashed, and it wasn’t a pretty sight, I can tell you! Fortunately, my frig crashes only once every couple of years, and then it’s time to get a new one anyway…

So I’ve decided to give my Dad a Mac Mini for his birthday. At $500, it’s not too expensive, and he can use his existing bulky monitor and wired mouse/keyboard until I can get him something better. It’s got more than enough power and disk space for his needs. And I’m convinced that I can set up the system so that it’s easy for him to use for email and web browsing. (I really don’t think he’ll want to do much more than that at first. If he gets into it, he will always have at his disposal, in iLife, the easiest tools for managing digital pictures, music, and video.) And once I get it set up for him, I’ll be completely confident that there’s nothing he can do to screw it up by wandering cluelessly into some unnecessary dialog boxes and changing critical settings, nor will it be vulnerable to malicious attacks from marauding hackers in the new digital Wild West we call the Internet. And he won’t even need a Help Desk to support him! What a novel concept!

And one more thing… If he encounters a PDF file he wants to read, he won’t have to go to Adobe’s website and learn how to download and install any software to use it. Why? Well, whereas Microsoft views PDF as a threat to their monopoly and refuses to make a PDF reader a standard component of their operating system, Apple took advantage of the fact that Adobe has freely published the PDF specification and has actually made PDF the basis for their “Quartz” graphics engine. So every application can not only read PDF files, but write them as well. And Dad never has to even think about it!

I honestly think the very best gift I can give my 86 year old Dad is to let him enjoy the wonders of the Good Side of the web a little before his life is over. After all, he knows all about cable TV… why not discover the true information miracle of our age?

Gee, you don’t think he would start downloading porn, do you?

* Forgive me for using a religious term here… it’s dangerous when Mac users talk about “revelations” or “epiphanies”, because it’s too easy for Windows users to think the Mac is some kind of religion, and this kind of talk just enforces that impression. Nevertheless, I refuse to change the way I talk just because of the anti-Mac prejudice that exists out there.