Apple’s Controlled Experiment

Stuffit Expander (and some parasites) in the App Store

It occurs to me that Apple has created, perhaps by accident, something of a controlled experiment in terms of determining the pros and cons of different approaches to managing the user experience on a platform.

On the one side we have the Mac App Store, where users can choose to get their apps through Apple’s channel or any other way they please, and developers can choose to distribute their wares through the Mac App Store or any other way they please.

On the other side we have the iOS App Store, where users can (modulo “jail-breaking”) only get their apps through Apple’s channel, and developers can only distribute their wares through Apple’s channel.

Obviously this isn’t a perfect experiment — it’s the real world after all. iOS and Mac OS X are different platforms with different users, different use-cases, and very different use-histories. But I suspect it’s a good enough experiment that the outcomes are guaranteed to impact both platforms.

I think it’s safe to say that if the iOS ecosystem worked the way the Mac ecosystem did, then pretty much all the complaints about the App Store would disappear. (This doesn’t mean a whole bunch of new complaints wouldn’t appear, of course.) Right now, the Mac ecosystem seems like an ideal world. You can opt in to the “walled garden” or go hog wild with warez downloaded by bittorrent. As a parent, I’d love to have OS-level support for keeping your computers in the walled garden. And, as someone working in a library, I’d love public access computers to allow users to download and use their apps legally, and then remove them when the user logged out.

So, let’s suppose that the Mac App Store turns out to “vacuum up” more-or-less all of indy development community. If we see a huge proportion of developers voluntarily opting in to the App Store because the revenues are so much better there (which in turn would mean that users are flocking to it), Apple might be encouraged to either (a) make the walled garden mandatory on Mac OS X, or (b) relax the walled garden for iOS. Or some combination of the two — e.g. AppleCare might require you to stay inside the walled garden.

Apple doesn’t need to “vacuum up” the big guys because it’s fairly easy to deal with a few large vendors (e.g. create specific technical or legal exceptions for them). It’s the long tail of software developers that is difficult to deal with. Apple isn’t worried, for example, that Adobe might produce a version of Photoshop that is actually a trojan. (OK, maybe it’s a little worried.) But there’s no way to keep track of hundreds of thousands of tiny developers who might, at any time, either create a trojan or have a trojan made to look like one of their programs. A long, long time ago — when indy software was largely distributed on floppy disks by user groups — there was a trojan purporting to be Stuffit 2.0. The developer — a high school student at the time — hadn’t released an update for a long time because he was studying for exams, and ended up having to announce that there would never be a legitimate Stuffit 2.0.

So: watch this space. OS X and iOS are destined to merge or just look a lot more similar as time goes on. The question is whether (and in what respects) iOS becomes more like OS X and vice versa.

Annals of Insecurity: Please, don’t buy a Mac

Up to 88% of Fortune 500 companies may have been affected by the Zeus trojan, according to research by RSA’s Fraud Action Anti-Trojan division, part of EMC. The trojan installs keystroke loggers to steal login credentials to banking, social networking, and e-mail accounts.

The botnet was first identified in 2007 and is still around today. The malware tends to be difficult to detect and remove, and several million machines worldwide are believed to be infected.

And also:

The malware itself predominantly attacks Windows XP machines, though Windows Vista and Windows 7 variants are available for sale too.

And later:

Smaller companies (those with fewer than 75,000 employees) appeared to have a higher proportion of infected employees, suggesting that perhaps larger corporations are more effective at securing their systems and data. Home computers not subject to corporate IT policy but used to access corporate mail and networks are a particularly high risk.

From Ars Technica, Almost all Fortune 500 companies show Zeus botnet activity

So, despite all the anti-malware software typical IT departments (and PC vendors) inflict on users and all the restrictions those users have to put up with (a typical user in a typical large corporation can’t install software for themselves, for example), we get this result. (I wonder if there’s a keylogger on my PC at work…)

BTW Zeus is freaking scary. Of course, Microsoft is there to help:

About a year ago the state of the art in malware advanced to the point where Windows indexing or Outlook preview would automatically open PDF attachments and allow infection without any explicit user action at all.

From a comment on krebsonsecurity.com, Zeus Attack Spoofs NSA, Targets .gov and .mil

And, from the same series (of very intelligent comments) there’s this reminder that root access isn’t important:

Keep in mind that this is the same trojan which will, according to BK in a previous Security Fix column, happily run under LUAs. That would, in turn, defeat the previous advice to use a LUA for day-to-day use.

Users live in user accounts. User data lives in user accounts. Everything valuable is in user accounts. Root access is for compromising systems — when the system essentially has one user it’s no comfort to know that “well, they may have stolen my identity but my PC still boots”.

Now, it’s worth noting that the Zeus botnet is based on trojans (which should, of course, be called Greeks) — there’s pretty much nothing one can do about trojans short of never downloading or installing anything on your computer. Perhaps Charlie Miller and other security researchers should be called Cassandras.

(Meanwhile, the first reports of Apple’s latest patch I saw were along the lines of “Apple forced to release patch just two weeks after last one”. Either Apple is too slow to patch, or it’s forced to hurry I suppose. At least PCWorld has stopped being weirdly hostile again and pointed out that Microsoft is yet to patch the IE8 vulnerability revealed at Pwn2Own.)

I’m pretty sure I’ve linked this site before, but it remains simply staggering how much malware activity there is on the Windows side of things. If Apple’s lack of market share is preventing this from leaking over onto my favorite platform, I have just one thing to say: please do not buy a Mac. Thank you.