Fear and Loathing in OS X Security Land


  • “We can’t stop here! This is bat country!!”

    This article from CSO magazine, “Symantec Warns of Mac Phishing Threat”, cracked me up. At first, I wondered how there could be a phishing attack specific to OS X. After all, Symantec’s Enrique Salem, president of consumer products, is talking specifically about the OS X userbase — and at least part of the time (turning into the majority of the time), that’s me! So let’s read the first two paragraphs of the article:

    There is a real danger that people think they are secure on the Mac when they aren’t, according to Enrique Salem, Symantec president of consumer products and solutions.
    Salem spoke about how the creators of phishing schemes, which seek to obtain your confidential information, are becoming more sophisticated. “The attacks are much more socially engineered,” he explained. “They are trying to figure out what the user will respond to, and that means it doesn’t matter what computer you are using because whether you are on a Mac or a PC, you get e-mail.”

    GAH!!!! The article is nothing but FUD. There’s no specific “Mac Phishing Threat” — that’s all a hallucination of Salem’s.

    In my view, Apple and Symantec sit at opposite ends of the FUD spectrum here. Apple knows that until there are specific malware threats, it can keep running cute advertisements claiming there are no threats to the current state of OS X. When I see these ads, I feel like Hunter S. Thompson’s Raoul Duke:

    No point in mentioning these bats, I thought. Poor bastard(s) will see them soon enough.

    At some point, the “bats” of malware will stop being my paranoid hallucinations, and start being real. It’s pretty much inevitable. I run MacScan and ClamX and caution other OS X users who make careless remarks about safety, but I always qualify it by talking about current and future state.

    Symantec, on the other hand, knows that if it is ever going to sell Norton Whizzbang for OS X, it needs to prime the pump. So what better marketing method than some empty threats leveled specifically at OS X - though Ubuntu, OpenBSD, VMS and BeOS are just as susceptible to phishing, for that matter. (Of course, they won’t be marketing Whizzbang for those other operating systems.) Just put on your PR facepaint, do the FUD dance and scare yourself up some “hacker clouds” on the horizon. I feel like Duke again, but later on in the book:

    Bad waves of paranoia, madness, fear and loathing, intolerable vibrations in this place. Get out! The (marketing?) weasels were closing in. I (can) smell the ugly brutes!

    This is at least the second case of security professionals using OS X as a PR tool to make headlines. Which, of course, is ironic. If there’s any group of consumers who are skeptical of vendor claims, it’s security professionals. We know that controls are only so good. We know there’s no “silver bullet.” In article after article, and to our stakeholders and data owners, we parrot nice phrases like “security is a people problem” and “there’s no silver bullet.” Yet time and time again, we let vendors make (and break) those promises to us. “We stop zero day threats with proactive protection and zero false positives.” Or, even worse: “Product X is the silver bullet” — an actual claim quoted to us by (let us say) someone who knows better.

    Complicating the problem are so-called reviews and independent certifications. It’s happened to all of us. We have a dog of a product that doesn’t work — the manual seems better suited to keeping a “Hello Kitty” Tamagotchi alive than to troubleshooting an installation, the vendor’s support group can’t even get the product to display a “Welcome” screen, and when it does start, the product either catches fire or explodes packets all over the place, somehow taking down the phone system in the process. It’s at that point that we open up our free security magazine and find they’re giving the product with smoke coming out of the fan vents a “5 out of 5 star rating” with a recommendation badge. It’s a stupid game. As a former product manager, I can tell you that I’d rather have marketed a firewall with Marcus Ranum’s “Apparently OK” certification, as fabricated and absolutely fictitious as it was. It would have put our product under more scrutiny than certain other well-known firewall product certification programs.

    At the end of the day, it needs to stop. And we’re the ones that need to stop it, dear readers. Not being the type to complain and run, let me offer some ways we can foster accountability.

    1. Never take a magazine rating at face value. In fact, tell magazine reviewers that they need to put a metric up: “How long the sales engineering team spent at our lab trying to get the stupid thing to start right.”
    2. If a vendor wants to put a demo in, tell them you’d love to look at their product, but would like to invite a few friends. Have your friends put together a collection of the product’s minimum required hardware and a testing harness — then have the vendor put their money where their marketing is and demo in front of your entire local ISSA chapter using the hardware and testing environment you provided. If they can’t get the product up, running, and tested in a morning (and buy burritos for the ISSA)….
    3. Watch your demo contracts. I know of one Fortune 500 that *had* to license the product for the enterprise because they demo’d too long, and the tricky vendor had specific clauses in their contract.
    4. When appropriate, tell the vendors you don’t buy from that one of the reasons you’re not giving them the PO is because they use misleading marketing.
    5. ALWAYS perform rigorous risk analysis on how the product will actually reduce risk to the organization before buying. I know of several cases where a FAIR risk analysis showed no real business NEED for a vendor’s technology - technology that was supposed to be “Best Practices” and every other similar company had dished out hundreds of thousands of dollars for.

    Using Premises #4 and #5, I won’t be buying Norton Whizzbang any time soon.


  • 3 comments

    1. wpn Oct 2

      Admit it, Alex, you just won’t buy Norton Whizzbang because it doesn’t have any 133T numberz in it. ;-)

      (Wh1zzbang? Where do I sign up?)

      At night, the marketing weasels come.

    2. Alex Oct 2

      HAH!

      Actually, I’m going to switch to Vista, and Norton will be locked out by Microsoft’s policies - haven’t you seen McAfee and Symantec whining publicly?

      ok, just kidding.
