Halloween Special: three zombie security myths that just won’t die

What better way to stir the IT pot at Halloween than to investigate Three Zombie Security Myths That Just Won’t Die?

We sent Naked Security’s Paul Ducklin on a ghoulish tour of the graveyard of the Computer Security Undead, and here are the spectres that haunted him on his Halloween hunt.

Here’s what he found.

Undead myth #1. Macs don’t get malware

Actually, we’ve got to be honest here: as far as this Zombie Myth goes, things are improving all the time, even though we aren’t quite there yet.

Mac malware arguments used to go like this:

Fanboy: Macs don't get malware.
Denouncer: Yes they do.
Fanboy: No, they don't.
Denouncer: Do so.
Fanboy: Do not.

There wasn’t much you could add to this, other than to say, “In truth, Macs can, and have, and do get malware, albeit not very often due to Macs being a minority platform,” but that only served to head the argument off into another dead end.

The thing about Macs and malware is not so much whether Macs do or don’t get it as the sorts of misleading explanations that we still hear from a small core of Mac evangelists, such as:

  • Macs may get malware, but they don’t get viruses, and that’s what matters.

Viruses, indeed, are a special subset of malware that can spread all on its own, but the truth is that most malware threats these days, for Windows, Mac, Linux or even the Internet of Things, are non-viral.

Of course, once your passwords are copied, your files stolen, your data ransomed and your customers are out of pocket, then the distinction between self-spreading viruses and malware distributed directly by cybercrooks becomes largely irrelevant.

  • If a user has to click on anything to help along the infection, it doesn’t count as malware.

Tell that to the Privacy Commissioner.

  • Macs are more secure because they’re based on Unix.

So was the infamous Morris Worm, the world’s first fast-spreading internet virus, of 2 November 1988.

Undead myth #2. With many eyes, all bugs are shallow

In the previous myth, we mentioned Unix, and that segues nicely to Linux, which is very definitely not Unix, for both legal and technical reasons, but is conveniently close.

Linux, as we are frequently reminded, is not merely open source, meaning that you can acquire and study the source code yourself, but open source under the GNU Public Licence (GPL), meaning that if you mix any of it in with your software, you have to go public with your source code, too.

One benefit of this – at first sight, anyway – is that GPLed software projects can’t hide any nasty secrets, such as sloppily coded security bugs that keep getting swept under the carpet, or deliberate backdoors that give the vendor (or the vendor’s political masters) undocumented ways to subvert a product.

That sort of blunder or treachery would simply never take root, say the Bugshallowists, because everyone has access to the code; anyone can look at it; someone would find the holes; and nobody would get away with it.

But for all that this sounds obvious, we’ve all heard those aphorisms about Everybody, Anybody, Somebody and Nobody…

…and what happens in real life, at least from time to time, is that anyone could look at the source code hard enough to find the bugs, but everyone assumes that someone else will do so, and in the end, no one finds the hole.

Indeed, a recent study suggests that many bugs, after they’re introduced into the Linux kernel by mistake, sit around for one to 10 years before they finally get noticed by the sort of person who’s willing and able to fix them.

In short: even in parts of the computer security world where secrets are hard to keep, actually finding and fixing security problems requires organisation, co-operation and continuing effort.

Undead myth #3. Windows XP is good enough

We left the toughest myth for last.

Windows XP came out 15 years ago, and even looking back through rose-tinted spectacles, we remember the first few years of its life as ones during which the only thing that matched the scale of its adoption was the amount of vitriol that was poured all over it.

Indeed, XP was almost recklessly insecure by modern standards: no stack protection, no data execution prevention, no address randomisation, hardly any heap protection…

…and if those digital countermeasures mean nothing to you, all that matters is to know that XP had a rather limited ability to protect itself from buggy software that wrote to the wrong places in memory.

Those who remembered MS-DOS knew that Windows was far better than DOS: under DOS you could always play with other people’s files, programs and memory, and even legitimate programs often did so in order to squeeze extra performance out of the slow and limited PCs of the day.

Windows protected you from yourself, up to a point, but determined crooks quickly learned to find holes and security bypasses with what would be considered disdainful ease today.

Malware, some people went so far as to say, was actually Microsoft’s fault, and any and all security software was essentially a cop-out that simply helped Microsoft hide in denial, instead of forcing it to face its foes.

In truth, most other operating systems at that time were architecturally very similar to Windows, and shared the same sort of security weaknesses, such as frangible stacks and heaps, predictable load addresses, bug-prone software development languages and practices and haphazard procedures for patching.

So we just can’t understand, in 2016, why a significant minority is now vocally trumpeting that Windows XP is, in fact, the best thing ever; that all newer Windows versions are inferior; and that it’s all a scam by Microsoft to get them to spend $120 for an upgrade for the first time in more than a decade.


Where next?

Halloween gets its name because it’s the evening before All Hallows, also known as All Saints’ Day, which is a festival to honour and remember the dead, in a way that is positive, affirming – and forward-looking.

In English churches, for example, you’ll probably hear a hymn that starts with these well-known words:

     For all the Saints
          Who from their labours rest.

Let’s try to have a similar attitude to the security attitudes of the past!

Remember them fondly if you like, think positively about the fact that we know (and care) a lot more about security because of them…

…but, for goodness’ sake, let them rest in peace.

Especially Windows XP.

What to do?

We may have joked above about the truism that “security is a journey, not a destination,” but truisms get that name primarily because they’re true.

We really need to learn to take security, privacy and data protection ever more seriously.

And we need the will to keep on doing so even when it puts us at loggerheads with companies that want to know more and more about us for commercial reasons; with governments that insist on collecting more and more personal data under the vague assurance that it will never be lost or misused; and with product vendors who prefer to sweep programming problems and security shortcuts under the carpet.

So let’s give these three myths in particular the well-earned chance to rest, at last, from their labours.

Macs suffer from fewer malware attacks, but that’s not really down to any sort of extra baked-in security magic.

Open source often gets fixed faster, or at least more transparently, but that’s not down simply to the fact that it’s open.

And the last generation of operating systems were, in general, much safer than the ones they replaced, but not as safe as the ones that have replaced them.

Onwards… and upwards!