SANS Institute Sees 'Rapid Growth' in OS X Vulnerabilities
by , 4:00 PM EDT, May 1st, 2006
The SANS Institute on Monday updated its Top 20 list of Internet vulnerabilities, noting "rapid growth in critical vulnerabilities in Mac OS X, including a zero-day vulnerability." The security firm acknowledged that the operating system "still remains safer than Windows, but its reputation for offering a bullet-proof alternative is in tatters."
SANS defines a zero-day vulnerability as one that "causes damage to users even before the vendor makes a patch available." In the case of Mac OS X, Safari was susceptible to a flaw that automatically downloaded and executed a malicious file simply by browsing to a specific Web site. Apple fixed it, "but almost immediately had to issue a second patch to stop another attack involving email attachments," according to the SANS report.
SANS noted: "As attackers are increasingly turning their attention to the platform, OS/X vulnerabilities are being discovered at a rapid pace, which could erode this safety in the future."
Apple wasn't alone in getting dinged for critical vulnerabilities, however. SANS also pointed to "continuing discovery of multiple zero-day vulnerabilities in Internet Explorer," as well as "rapid growth in critical Firefox and Mozilla vulnerabilities." File-based attacks, especially those involving media and image files as well as Microsoft Excel documents, continue to surge too.
On the positive side, SANS also saw a "substantial decline in the number of critical vulnerabilities in Windows Services," although the trend turned into a wash for Microsoft because of the other problems documented by the firm.
Observer Comments
The Institute's full name is actually Sans Indice which is a French phrase meaning "clueless."
I loved this quote: "The security firm acknowledged that the operating system 'still remains safer than Windows, but its reputation for offering a bullet-proof alternative is in tatters.'"
Hmm..."still safer?" At a score of 80,000 to ZERO for Windows vs. Mac OS X, I guess you might say that...
This is such a miserable representation of facts (Not by TMO, but SANS). They don't seem to do any critical analysis, just spew out random thoughts and ideas.
Have the attacks on Mac OS increased? Yes. To date, TWO have been accomplished.
Woo hoo.
And every Mac user I know is aware that the system isn't foolproof. We have all had NAV on our systems for years. Because smart people know an ounce of prevention is worth more than a pound of cure!
Mon May 01, 2006 6:42 pm
I just love statistics. "What do these figures mean?" "Well, what do you want them to mean?"
I currently work for Statistics New Zealand, and in the past I've worked for New Zealand Health Information Services, in the breast cancer screening area. One of the things which always got my dander up was journalists who don't realise how much they don't know referring to certain agents doubling or tripling the chance of breast cancer.
On the face of things, that sounds pretty serious. And for the women who get breast cancer, it is serious. But saying 'doubling' or 'tripling' is essentially meaningless when it refers to, for example, five cases per 100,000 turning into ten or fifteen. What is truly important is the absolute number of cases, not the standardised incidence.
The same thing applies to incidents of viruses on OS X. If the number of viral attacks has, say, increased ten-fold in the last year, I don't care. What I care about is the actual number of attacks. It's still low. What I also care about is the propagation of those attacks to other computers: lower still.
Statistics is a black art, which I don't pretend to understand beyond having good instincts. On the other hand, statistical ignorance can be, and is, harmful.
The security analyst market is an ugly business. They market fear.
All that may have changed now is that the security firms have likely decided that either
a) they can generate good business by making Mac users, particularly Mac-based businesses, afraid that there are security concerns that they can help with
or
b) that their current Windows security business is at risk if they don't head off this Mac juggernaut before it gets going (people, particularly businesses, start switching to Macs to avoid the well known security woes of Windows)
Who needs security consultants if there are no security threats? It's an ugly business.
Here's a link to another article (sorry if it's a repeat):
http://news.yahoo.com/s/ap/20060430/ap_on_hi_te/apple_security;_ylt=AgHZ1z0WsbvTt_wnBdehOutj24cA;_ylu=X3oDMTA5aHJvMDdwBHNlYwN5bmNhdA--
Guest wrote:
"Was this file automatically downloaded and executed without the user being notified? Could it happen if the user isn't running as an administrator?"
A. Yes, it was, but it had to open Terminal to do its work, which should have been a pretty huge clue that it wasn't actually a screenshot of Leopard. And it happened in February and was widely reported then, but most people won't realise it's the same story again.
(Governments do the same by announcing the same 'extra cash for schools and hospitals' over and over. People think it's new cash when it's the same 'extra cash' as before).
The main thing to consider is that no Mac AV program has yet been proven to work, but at least one has introduced 2 different security problems of its own, as well as stability problems. Until proven otherwise, running Software Update on its normal schedule is the best known measure.
Security firms do a useful job, but unfortunately have got into the habit of calling everything 'critical' rather than reserving critical for what they now call 'zero-day'.
A problem on Windows is not critical if I need to surf to a specially crafted website. A problem on Apache is not critical on a Mac or Linux box unless it's being used as a web server. Most networking problems aren't a problem unless the hacker is on your local network.
Hahahah.
Hey, is this the same SANS Institute that's predicted OS X would soon be rendered a smoldering crater by malware, every few months since OS X's very inception?
It IS!
What a surprise.
What morons.
The "zero-day vulnerability" they're talking about has long since been patched by Apple. The "rapid growth in critical vulnerabilities in Mac OS X" has yielded no results whatsoever, as there is still no functional malware for OS X. What's that mean, kids? It means the "critical vulnerabilities in Mac OS X" are actually the furthest things from BEING critical you can imagine.
But what do you expect from a security firm that warns you about the CLEAR AND PRESENT DANGER posed by a security hole that has, in fact, already been fixed?
That's some good work, SANS Institute.