By Ed Bott
Summary: Discussions of malware have their own equivalent to Godwin’s Law: As the conversation grows longer, the probability that someone will derail the discussion by arguing over the meaning of ‘virus’ approaches near-certainty.
In the Talkback section of a post I published last week, a commenter told me I “blew it” with an illustration I used, which contained Apple’s reference to the Mac having no “PC viruses.” He (it’s always a “he”) went on at excruciating length to explain all the different types of viruses. It was a trip to a world of strange creatures that would have made Tolkien proud. It was erudite, in a 15th Century way. He closed by reminding me that I need to “pay more attention” to facts.
In response, I want to reprint something I wrote a year ago, updated to reference current events:
The hardest part of talking about computer security is getting everyone to agree on the nature of the problem. It’s especially frustrating when you’re trying to weigh the pros and cons of different strategies with someone whose view of the PC security landscape is outdated and inaccurate.
Case in point: What’s the best way to deal with malicious software on PCs and Macs?
You can’t answer that question—you can’t even start talking about it—until you know how malware gets installed in the first place. And there’s where the disconnect begins.
Much of the discussion I read comes down to shorthand, like this: “There’s malware [on Macs], yes. No viruses though.”
Anyway, that obsession with the word virus is a recurring theme in Apple’s support forums. Search for the phrase “there are no viruses” at discussions.apple.com and you’ll find plenty of examples, like this one from January 2011:
There are no viruses that run on OSX. None. Zip. Zero.
There is some “malware,” such as Trojans, for Macs, though. But (unlike viruses that can get onto your system without your knowledge), you must approve their installation (via your Admin password) and/or operation (via the “This application was downloaded from the internet …” prompt).
Sorry, but that’s not true. There are already plenty of examples of successful social engineering for PCs and Macs. This year the Flashback gang moved the ball forward impressively, proving that the drive-by downloads that worked with unpatched third-party software on Windows can be just as wildly successful against third-party vulnerabilities in Macs.
Repeat after me:
There are no viruses for Mac OS X. There are no viruses for Mac OS X. There are no…
That Level 4 Apple forum member went on to repeat the phrase more than 70 times.
Two months later, after Flashback had become well known, a Level 5 member added this comment to the thread:
Strictly speaking there are no OS X viruses. Viruses are self-replicating and, so far, none have been found “in the wild” for Macs. Not to say it couldn’t happen. The term “virus” is being used as a catch-all for any kind of malware or exploit. The Flashback Trojan, at least in one of its forms, is considered a “drive-by download.”
That level of pedantry over the names of categories, while perhaps technically accurate and even nitpickingly correct, is like arguing over the motivations of characters in Star Trek (and specify whether you mean TNG or TOS, dammit) or debating the origin of ideas in a William Gibson novel or being able to repeat more than one XKCD verbatim and cite its number without searching. It is cyber-wanking.
To deal with the pedantry briefly:
These days, actual viruses are almost unheard of. Melissa, back in the late 1990s, was a real virus, the kind that copied itself to documents and spread via e-mail it sent automatically. Today, security professionals are more interested in what a particular family of malicious code does. The delivery mechanism is usually separate.
If this were simply a matter of semantics, I would let it slide. But it’s not. The obsession with these labels reflects a dangerously outdated view of computer security. If you’re quibbling about meaningless distinctions for pseudo-technical terms coined in the previous century, you are not concentrating on the actual threats that modern computer networks face, which often defy categorization.
Different families of malware have common behaviors. Knowing that some types of malware inject code into executable files and others attempt to spread through network connections and still others try to autorun from USB flash drives moves the conversation along. Arguing over whether one of those things should be called a worm or a virus or a rogue derails the conversation.
If you can’t see past those labels and get an accurate view of the current threat landscape, you won’t be able to make smart, informed decisions for yourself or for others.
The plural of virus is viruses. Not virii. And if you hear someone talking about viruses on PCs and Macs you know exactly what they mean.
I’m just sayin’.