FUD For Thought

by Chris Howard Nov 30, 2005

Another week, and more FUD being spread about the Mac. This is a good thing of course, as it’s a sign the Mac is gaining credibility in the desktop PC market.

FUD, in case you didn’t know, is Fear, Uncertainty and Doubt. (That’s a tautology actually as uncertainty and doubt are synonyms. But of course FU doesn’t have the same ring to it.)

FUD is created by feeding half truths with whole lies. FUD takes some small negative that is true, exponentially inflates it thus blowing it way out of proportion, to be hopefully picked up and propagated by the media. FUD is obviously spread by vested interests and dates back in history to the mid-70s, with IBM trying to scare customers away from considering their rival, Amdahl’s, machines.

Thus FUD is generated to sell products or reinforce an argument. Bird Flu is a case in point. There’s so much Flu FUD flying around, you don’t know who to believe. There seems to be much exaggeration of the current risks, to the point people are refusing to eat chicken. I don’t want to digress or step into territory I’m not fully educated on, but I feel pretty safe saying you can currently, still eat chicken. Oops. Now using implication, you might automatically assume that you can catch bird flu from eating chicken. From what I’ve read so far, this is not the case. But don’t ask me, ask someone unbiased - like you’re local KFC… or pharmaceutical company…

An appropriate measuring stick when judging any argument is to ask “Who wants me to believe this?” If it’s a vested interest then you might want to counter the FUD propaganda with doubts of your own.

SANS Institute say keep Mac OS X security patches up to date
This week it was announced by the SANS Institute that Mac OS X is in their Top 20 Internet Security Vulnerabilities list. Again this reflects positively on the Mac, that it is considered worth listing, a sign that Macs are gaining more acceptance in corporate circles.

The information in the report was reasonably sound and didn’t tell us anything new. In a nutshell, it said that Mac OS X contains security vulnerabilities that as yet have not been knowingly exploited and that Apple regularly release security patches. It goes on to recommend the following:

U2.4. How to Protect against Mac OS X Vulnerabilities

  * Be sure to stay current and have all security updates for Apple products applied by turning on the Software Update System to automatically check for software updates released by Apple. Although different schedules are possible, we recommend that you configure it to check for updates on a weekly basis at least. For more information about how to check and run the Software Update System, see the Apple Software Updates webpage - http://www.apple.com/macosx/upgrade/softwareupdates.html
  * To avoid unauthorized access to your machine, turn on the built-in personal firewall. If you have authorized services running in your machine that need external access, be sure to explicitly permit them.

Nothing new there at all. Quite reasoned and sound. Certainly the first one almost all Mac OS X users would be doing, and most will have enacted the second (in System Preferences, Sharing, Firewall)

But what happens when this information falls into the wrong hands?

How you get FUDded
In an article posted on SecurityFocus website, Robert Lemos gives the FUD wagon a little nudge with these statements:

This year, the list had something different, however: The group flagged the collective vulnerabilities in Apple Computer’s Mac OS X operating system as a major threat. It’s the first time that the SANS Institute called out an entire operating system for its vulnerabilities.

Only a couple of paragraphs down in the same article, Rohit Dhamankar, the editor for the SANS Top-20 vulnerability list, is quoted as saying:

”We are not pointing at the entire Mac OS X and saying you have to worry about the entire operating system,” he said. “It is just that the Mac OS X is not entirely free of troubles.”

Now what gives? Who’s generating the FUD and why? By the subtle psychology of writing, a statement placed higher in a list is subconsciously implied to be more significant. Thus despite Lemos quoting Dhamankar to counter the opening misleading statements, the damage is done. Mac users have stopped reading and run off to get their flame throwers. Windows users have stopped reading because it’s proved to them what they thought all along about Macs, so don’t need to read any more.

Now the Mac faithful turned their flame throwers on to “vaporize” and attacked not Lemos, but the SANS Institute, who hastily posted the rather understated and restrained:

Multiple questions have been submitted asking whether the entire MacOS is a security risk. Of course not, any more than the entire Internet Explorer is a security risk. MacOS includes software that has critical vulnerabilities and Apple has a patch policy, described below, that do not allow us to be more specific in identifying the elements of MacOS that contain the critical vulnerabilities.

If you did keep reading, you’d find Lemos is now in full stride with his misinformation followed by correction style of writing, presenting one paragraph of mistruth, followed by another that corrects it.

He also reminds us that:

In its last two bi-annual reports, security firm Symantec has warned Apple users that the perceived security strengths of Mac OS X will not withstand determined attackers, especially with mounting vulnerabilities and at least one known rootkit tailored to the system. (Symantec is the owner of SecurityFocus.)

So he’s sowing quite a lot of FUD about OS X. And it doesn’t matter that he appears to do the right thing, by posing a counter-argument. Throw enough FUD and some will stick.

Oh but hang on! What’s that last snippet of seemingly unimportant information - since it’s contained in brackets - Lemos has tossed nonchalantly out? Who are SecurityFocus anyway? There is a possibility you won’t care, or assume they’re something to do with the SANS Institute. Fact is, they’re Lemos’s employer. Security Focus is the website the article is posted on. If you’ve found this article through a third party source, such as a news aggregator, you might not have become aware of that.

What was that question again? “Who wants me to believe this?”

Mr Lemos, who writes for a Symantec owned website, that’s who. Is that a vested interest in your pocket, Mr Lemos or are you just happy to see all the gullible readers?

Lemos’s article aims to be a win-win for Symantec. It either scares prospective Mac users off so they stick to Windows and buy Symantec security products; or if they are a Mac user, they might run out and buy Symantec security products for their Mac. Not much to lose for Symantec, except for a few Mac blogs flaming them. But as Sony found with their DRM root kit debacle, blogs are gaining more force in shaping the world. Blogs may be small fish, but small fish swim in big schools.

Go read Lemos’s article and the SANS Institute report and make your own mind up up about who’s spreading FUD. And remember to ask “Who wants me to believe this?”

FUD is here to stay and something us Apple (and Linux) users are going to encounter more and more. Although we have been known to fight fire with fire…




  • Nice article Chris, excellent stuff.

    Chris Seibold had this to say on Nov 30, 2005 Posts: 354
  • All Chris’ agree: Excellent article, Chris!

    Chris Christner had this to say on Nov 30, 2005 Posts: 1
  • Great title.

    And this is the best article I’ve seen posted on AppleMatters.

    matters had this to say on Nov 30, 2005 Posts: 21
  • Playing devil’s advocate, those huge high profile virus outbreaks on Windows would never had happened had Windows users followed those same safe computing practices. The Mac web (well, mostly MacDailyNews.com) is notorius for spreading that misinformation. Of course that sort of nonsense lead to Wil Shipley posting a Mac OS X virus bounty where the list of restrictions would actually disqualify most every Windows “virus” that made the news. (Particularly the restriction that it had to infect a fully patched system. Virus writers today are notoriously lazy. They don’t try to look though all of Windows for vulnerabilities. They wait until either F-Secure of somebody in a security firm makes a proof of concept, or they wait until MS releases a patch, and then do a file-diff to see what was fixed. This generally worked as most Windows users do not like patching their system, and up until SP2, patching their system consisted of actually loading WindowsUpdate.microsoft.com and tying up the browser for several minutes, and a reboot.)

    People on every side are using security as a kudgel to try to beat the other side, or to shore up their business.  Symantec would love for everyone to think that every email has a virus inside of it, and that it can even infect your printer if you print it out. The SANS institute is the same way, as they get publicity every time they release a white paper. MacDailyNews.com quite obviously has a war on against Microsoft and Windows.

    Now, i will go and state sometimes Apple does drop the ball when it comes to updates, like the update this summer which killed 64-bit applications, or letting some of its open-source found vulerabilities fester months after the OSS community patches it. Right now, that doesn’t matter for virus writers are lazy, and they’re not going to learn a new programming framework when they can still go after thousands of Windows users still on SP1 and steal their credit cards. It probably won’t ever matter, as I think the bad guys are going to move on from attacks on OS vunerabilities to vulnerabilities in remote websites… i.e. compromising banks sites and other places where a username/password stolen can get them at your bank account, social security number, or credit card numbers. This would be their way of future proofing their ill deeds in the time where Windows no longer commands 90% of the desktop.

    Ster had this to say on Nov 30, 2005 Posts: 12
  • The Mac web (well, mostly MacDailyNews.com) is notorius for spreading that misinformation.

    Yeah, there’s definitely enough FUD to go around on all sides.

    Beeblebrox had this to say on Nov 30, 2005 Posts: 2220
  • *g*

    Bad Beaver had this to say on Dec 01, 2005 Posts: 371
  • What an excellent article, Chris. You could write for Wired (don’t go write for Wired. - stay here.)

    But also an excellent comment by Ster, I left for a minute and when I returned I forgot I was reading a comment and not the actual article.

    Although I do agree with Beeblebrox that there is FUD from all sides, I don’t think it can be considered equal as the Mac side is usually just a slight extension of the truth. Whereas the other side resorts to pretty much outright made-up truths (lies.)

    Luke Mildenhall-Ward had this to say on Dec 01, 2005 Posts: 299
  • This is a great article for the reason that it doesn’t just apply to flu viruses, Macs, and IBM. It applies to everything. EVERYTHING. Every single newspaper, magazine, news programming on TV, and even non-news programming has an agenda that utilizes FUD. Most notorious for this? Fox News (which should be called Fox Current Events as Psuedo-Entertainment). Hell, our government does this ALL THE TIME.

    FUD is a huge problem because people are afraid of honesty and fairness. Every time a good article like this comes along to so clearly highlight flaws in humanity, it should become more clear why I can so often be heard saying. “I want to see the entire human race go away.” (And I’m serious. We’re nothing but trouble.)

    Waa had this to say on Dec 01, 2005 Posts: 110
  • Although I do agree with Beeblebrox that there is FUD from all sides, I don’t think it can be considered equal as the Mac side is usually just a slight extension of the truth.

    What a laugh.

    Beeblebrox had this to say on Dec 01, 2005 Posts: 2220
  • I agree with Waa about media fear-mongering in general, but I whereas the purpose of media FUD is to sell newspapers or boost ratings, computer FUD is different.

    Mac FUD is meant to keep people away from PCs.  PC FUD is meant to keep people away from Macs.  Computer FUD in general is more akin to political sides than the media at large.  Go to a political blog and you’ll see the exact same kind of shit you see here.  There is no difference in the tactics used by Rush Limbaugh or Mac Daily News.

    Beeblebrox had this to say on Dec 01, 2005 Posts: 2220
  • Thanks all!! smile

    FUD has probably been with us since human kind first got competitive. Also well known as scare mongering:

    Zogg: Zon, me hear her father bit old fashioned. No matey-mate with her unless you want head on spike

    Zon: Ooooo, scary. Maybe me don’t like her

    Zogg chuckles mischievously.

    Chris Howard had this to say on Dec 01, 2005 Posts: 1209
  • ^ what the hell kind of sitcoms do they have in Australia?!?

    Luke Mildenhall-Ward had this to say on Dec 02, 2005 Posts: 299
  • Page 1 of 1 pages
You need log in, or register, in order to comment