OS X Security is a Lot Better Than You Thought

Just about every week we see articles rolled out about how a security researcher has found a scary security flaw in OS X. It makes for great headlines, but how are the every day Mac users actually affected by these headlines, and how should they react?


An interesting, almost inflammatory article this week got me thinking again about OS X security. For your inspection, I present "Apple Leaves Two Obvious Security Weaknesses In Mac OS X El Capitan." What's happening here is that there are eyeballs to be captured and money to be made by pointing out various security flaws that researchers have found in OS X. This article is typical of Forbes, a publication often long on anti-Apple perspectives and correspondingly short on technical depth.

The reality is that there is a technology race between Apple software engineers and potential exploiters. Often, these security flaws are very theoretical, hard to implement, depend on user cooperation to do something stupid, and/or require physical access to the local network or the Mac. At the very least, it's a race between a fix rolled out by Apple and widely available kits for the black hats to add to their libraries.

Apple has a reputation for being focused on user security, and so these flaws are taken seriously by the company. One reason they take so long to fix is that a sound response often requires attention to the overall architecture of OS X. Put another way, Microsoft learned the hard way, about a decade ago, that hurried patches often just result in more problems down the road and yet more frantic offshoot patches that don't address the fundamentals.

When Apple works on security flaws in OS X, the engineers have to not only take into account how OS X is structured but also have to take into account future plans for how the next generation(s) of OS X will be architected.

The best way to analyze the real world progress is to not only monitor the potential flaws but to be alert to actual users who've been victimized by such flaws. More often than not, we don't hear about that because Apple manages to get the fixes out before the exploit is widely implemented.

Plus, Apple has other tools at its disposal, such as the XProtect mechanism. Finally, if the user has antivirus software installed that can scan the browser's incoming HTTP steam for the characteristic code signatures of exploits, there's an extra layer of protection. I always recommend that.

The end result is that in a few cases, inexperienced users report getting burned but, in the vast scheme of things, OS X remains a very safe environment, provided the user is also savvy and careful. The same can be said for Microsoft Windows ever since Microsoft got really serious about security starting with Windows 7.

In summary, OS X security is multi-layered. It's about smart Apple engineers, user awareness, smart practices, attention to updates, avoidance of known offenders like Adobe Flash and the use of antivirus software. This is why I always advise customers to move along with the technology timeline and, as quickly as reasonably possible, update to the latest version of OS X, now at version 10.11 El Capitan. 

Articles like the one I linked to at Forbes should be taken as part of one's modern technology education as opposed to a quantitative assessment of Apple's presumed incompetence.

There's more on the next page about OS security.

Next page: the tech news debris for the week of September 28. An Apple Watch for Christmas?

Page 2 - The Tech News Debris for the Week of September 28


It sounds like a blockbuster movie with Pierce Brosnan. The Athens Affair. It's all about what happens when lawful back doors are inserted into encrypted consumer products. The bad guys always find a way in. And yet, amazingly, the discussion about back doors continues. So. If you weren't concerned about reported attempts to have Apple and Google add back doors to their smartphones, this article should set you straight. "The 'Athens Affair' shows why we need encryption without back doors." Perhaps the atmosphere on that subject is changing for the better....

We should all be thankful for the stand Tim Cook has taken about customer privacy and security. Hear it from Mr. Cook's own lips in an NPR interview. "Tim Cook talks NSA, customer privacy, and more in NPR interview." He said:

I don’t think you will hear the [National Security Agency] asking for a back door. … There have been different conversations with the FBI, I think, over time. … But my own view is everyone’s coming around to some core tenants. And those core tenants are that encryption is a must in today’s world.

One more item on security. What should a company do when a researcher finds a security vulnerability in its software? Threaten the researcher with legal action? Or embrace them and work side by side? Graham Cluley, a security expert, fills us in on the state of the industry, and reports in the HEAT Security Blog that "Computer security vendors were told it was time for them to raise their game."

Moving on....

Have you been thinking that you'd wait until the December holidays to get an Apple Watch? Well, now you have a problem. The Apple Watch is due for its annual refresh (presumably) in April, 2016, and an Apple Watch bought as a holiday present will feel relatively obsolete by then.

It's true that watchOS 2 breathed new life into the original hardware, but better, faster hardware and either a better battery or a thinner design (or both) are on the way. As a result, if customers perceive that they should wait it out, Apple is going to have a disappointing 2016 first quarter when it comes to the Apple Watch. Here's the discussion: "Many consumers waiting for Apple Watch version 2."

It'll be interesting to see how Apple approaches the next generation Apple Watch. That means making people want the new watch without making the buyers of the original version feel betrayed. There are known ways to do that. It'll be fascinating to observe.

How did Google quietly get into the business of copying Apple, product for product, yet not doing as good a job? If there's anything Apple has taught its competitors it's that making only the best results in healthy profits. Making second best just reduces profits and gives the competitor a bad reputation. And yet, here we go. "Google unveils everything Apple launched, only cheaper."

However. While Apple makes great money on its MacBook/Air/Pro line, there is, in fact, something to be said for the influence to be had in the education market, especially since Apple has always considered education a core market. See: "Google Chromebooks: The most popular classroom computing device." Just how Apple can maintain its tradition of excellence yet offer competitive education products is now an interesting challenge for Apple.

Moving on....

It's October. You know what that means. The EMV (EuroPay, Matercard, Visa) transfer of liability kicks in. That means that if a merchant hasn't moved to a more secure method of point of sale transactions, they will bear the responsibility of fraudulent transactions, not the card issuer.

I've been monitoring all my favorite merchants. Some got their game together early last summer and some have dragged their feet until the October deadline. But make no mistake, the plastic credit card with its magnetic strip is on the way out—even if customers remain dubious and drag their feet.

Here are two good articles that will bring you further up to speed on mobile payments. The Samsung Magnetic Secure Ttransmission (MST) technique appears brilliant at first, but we'll have to wait to see how it works out in practice.

  1. Customer Patience To Be Tested As EMV Joins Android, Samsung And Apple Pay At The Register
  2. Review: Samsung Pays Where Apple Can’t

I grew up enthusiastic about both science and science fiction. Being familiar with both provides some perspective on how people predict the future. Basically, there are always some shrewd and experienced people, like Steve Jobs and Gordon Moore, who can make very good predictions about where the tech future is going. Their style is so easy and natural that it disguises years of experience and great intelligence.

As a result, when bloggers make predictions, they feel that a mere opinion is sufficient because it often works for other gifted people. But it isn't really that simple. Plus, they're never held accountable for their predictions. If you're fascinated, as I am, by the art of technology predictions, check this out. "Pundits are regularly outpredicted by people you’ve never heard of. Here’s how to change that."

Finally, speaking of Steve Jobs, here's a fabulous article by an expert Apple observer Steven Levy. It's about "How Steve Jobs Fleeced Carly Fiorina." The subtitle tells it all. "The former HP CEO boasted of her friendship with Apple’s leader — but he took her to the cleaners with the iPod."


Particle Debris is a generally a mix of John Martellaro's observations and opinions about a standout event or article of the week (preamble on page one) followed by a discussion of articles that didn't make the TMO headlines, the technical news debris. The column is published most every Friday except for holidays.