There’s nothing like talking to users, and that’s pretty much all we’ve been doing for the past several weeks. In our case, that means digging into the nooks and crannies of how people manage trust, security and information online. Our last post exposed the stark difference between what users want versus what they get when using the private mode in their browsers.
This post focuses on Mac users and their perceptions of risk, which as it happens is quite timely given the rash of Mac attacks that have happened this week. Read this post for a predictably solid summary from Brian Krebs.
When interviewing Mac users, the aura of impenetrability was pretty interesting to observe and tough to describe. It was almost reflexive for people to quote, but when asked to explain why, we mostly heard a restatement of the belief...”Macs are secure because they’re less vulnerable to attack”. This triggered something in the recesses of my memory from growing up in Volvo-ville (= UK, 1980, suburbia)...
Like many, we had a Volvo. Girth, heft, flashing warning lights, tugboat bumpers. We knew it to be the safest thing on the road, and for a long while it was. But Volvos arguably enjoyed their safety halo for much longer than they deserved. Many things contributed to this extended halo, perhaps the key being the mix up between causation and correlation. In other words were Volvos really safer, or did safety-minded people buy Volvos and drive accordingly? Either would result in strong safety track record.
A similar kind of safety halo seems to have developed around Macs but for very different reasons. Most experts point out that criminals have simply ignored Macs because there are so many more PCs to attack and this explains their relative security. It’s a fair point, and it has allowed Macs to develop a justified security reputation over the years. But as with Volvo, the logical distinction between a strong security track record and something inherently secure is not something most users choose to see. Instead what we largely found in our interviews was unquestioning faith; the kind that gets people to focus so hard on a core belief that they lose peripheral vision.
Two sorts of blind spots jumped out.
Don’t worry about your brakes and tires
With a car - like any collection of components that operate together - people intuitively understand that one weak component can compromise the whole. And so it is with online security. For instance, many modern-day attacks rely on a vulnerability in the browser; an exploit designed to (say) redirect web traffic, grab information, tailgate a user into a sensitive account or surreptitiously load malware (to name a few).
Yet Mac users’ field of vision does not appear extend so far as to include the browser despite the choices they make (Firefox, Chrome, Safari). More puzzling was that some cited security as among their reasons for choosing Firefox or Chrome over Safari, implying they have some notion that the browser is important to overall security. But when it came back to the fundamental question of “why do you feel safer online,” almost all returned to their core belief ”because Macs are safer.”
Now the point isn’t to suggest that Windows and Mac OSX are indistinguishable from a security perspective and that hackers don't attempt to exploit the operating systems themselves. It simply serves to illustrate that attaching credit and blame to different components of the computer is entirely the user's prerogative. And for Mac users, the perceived security of the Mac seemed to permeate the entire system, including any software applications (Apple made or other) that run on it.
Forget about wet roads and potholes
Environmental factors also impact our road safety (other drivers, fatigue, road conditions, weather etc). In other words, the car itself cannot entirely guarantee our well being. The same is true online, yet users in general (but Mac users in particular) tend to ignore the vulnerabilities that live outside their machine; namely the network connection, the websites being accessed and the fleshy blob hitting the keys.
Most seemed aware of the socially engineered attacks like phishing (a fake email with a link that points to a bogus website) and were pretty confident that they wouldn’t be tricked by one. But fewer were aware of more insidious attacks where for instance a valid address entered into a browser is misdirected to a fake site, or private information is snooped over an open wireless network, or a man-in-the-middle impersonates a trusted website (even one that claims https).
These risks are entirely independent of the user’s machine and should in theory make online security a platform agnostic concern, or at least a broadly held concern with platform specific nuances. But again, the default Mac user reaction was to stretch the security perimeter of their Mac to encompass the entire Internet, and that’s a large area!
So are Mac users stupid?
No, we’re human. We all take history (good or bad) and extrapolate it. And so far Mac users have enjoyed obscurity and read it as security. But as we know, criminals are equal opportunity exploiters and so perhaps this is about to change? Certainly this week’s events might suggest so.
To summarize the perceptions of a far larger sample of users and get the perspective of a cross-section of security experts, here is a decent report from ESET summarized by CNET: In their words: Experts weigh in on Mac versus PC security
What do you think? Are you a Mac user with a different take? Are you red with anger at being equated to a Volvo driver? Let us know.
PS: I’m very happy Mac user. Love my Macs. Wouldn’t go back to PCs. But my reasons have nothing to do with security.