If you’re a Windows user who has ever been infected by malware, and you’ve posted about it on facebook, twitter, or a blog, some Apple fan-boi has likely told you “That wouldn’t have happened if you used a Mac!” There is some truth to that, but the implication that Macs are inherently safer or more secure than Windows machines is simply false.

Please don’t take any of this as a rant against Apple in general or Macs specifically, or believe that I think Windows is far safer than Mac OS X. I don’t own a Mac, but I love my several-year-old iPod as well as my son’s iPod Touch (way more than my wife’s Walkman). I’ve used Macs a number of times in the past few years and damn, they’re slick. Apple has by far the best visual design team in the world – things generally just work the way you expect them to and in some cases, even better.

I’m primarily a Windows developer, and I’ve written tons of software for Windows over the last twenty years. I am slightly less experienced when it comes to Macs, but I have plenty of experience on other unixes, and modern Macs aren’t that different. I have done some Mac work in recent years, and in my previous job I worked on NeXTStep, which was essentially the predecessor to Mac OS X. If you’re comparing the unix systems of the 90’s with Windows 95 or 98, then yes, you can certainly say that the Windows operating system itself is less secure, because security just wasn’t a consideration when those systems were created. Unix was built from the beginning to be a multi-user operating system, and so there had to be separation between different users on the same machine, and between normal uses and super users. But Windows was designed to be a single-user OS, so the assumption was that you were doing everything, and since this is your machine, you should have access to everything. Multiple users, administrative privileges, and even things like file permissions were added later and for a while, there were lots of things that just didn’t support these features very well. But over the years, more and more software was changed to use the new security features, and Microsoft gradually deprecated and then completely disabled the old insecure methods of doing things. I know we at Sybase had to make changes to our software to deal with security-related changes when new versions of Windows were released.

Right now, when it comes to spyware, viruses, worms, or things like that, I can’t really argue the fact that if you are using a Mac, you are less likely to get infected than if you are using a Windows machine. But the reasons for that have nothing to do with how safe the operating system is. There are two primary reasons:

1. Macs are simply less popular than Windows. This doesn’t mean that they’re inferior, but if you look at market share, Windows machines make up almost 90% of all the machines out there. If you’re going to write a virus that will take over a machine for use in your botnet or have it scan a machine and send you somebody’s credit card information, why would you write your virus specifically for a computer that only 5% of all computers are running? You’d write it so that it could infect as many people as possible, and that means Windows. I know of no viruses (virii?) that affect the BeOS operating system, but is that because it’s completely secure? No, it’s because nobody uses it.
2. Mac users are generally more computer-savvy than Windows users. We all have a brother or cousin or mom or Aunt Helen who knows nothing about computers but has one just for email and browsing facebook (and installing fifty browser toolbars). How many of those people own Macs?

Every year at the CanSecWest computer security show in Vancouver, they have a contest called “Pwn2Own” where contestants try to find and exploit security vulnerabilities in various pieces of software (usually browsers) on various platforms. The winner wins the hardware they broke (hence “Own” in the name) as well as cash. The contest began in 2007, and the only platform broken that year was the Mac, though it looks like it was a Mac-only thing at the time. Every year since, it’s definitely been a multi-platform contest, and every year (2008, 2009, 2010, 2011) the Mac is one of the first platforms cracked. In 2011, it took five seconds. It shouldn’t be surprising that Apple software developers are just as likely to write buggy software as the rest of us.

As the platform becomes more and more popular, people are indeed beginning to write viruses for the Mac. This one ironically poses as anti-malware software in order to get people to install it, just as many Windows malware programs do. This might be a good time to remind people that a web page cannot detect viruses on your computer. If you see a banner on a web site saying that your computer is infected (or your computer isn’t running as fast as it could) and you should click here to install something that will fix it, they are lying.

I find it ironic that Mac people keep advising their friends to get Macs in order to be safer. If people keep doing this, two things will happen: Apple’s market share will increase, and more and more non-techies will be using Macs. This will make Macs a bigger target, and more malware will end up being written for Macs. The act of telling people to use Macs for safety is actually making them less safe. So if you’re an Apple person who’s constantly telling all your friends that they should be using a Mac, it’s really in your own best interest to shut the hell up.

During a recent conversation at work, a colleague (John) mentioned that his phone bills are usually under $10/month. I thought about our $60+ phone bills (not including mobile) and asked how on earth that was possible. He said that he uses VOIP and not only does he pay almost nothing, but he gets more features than Bell supplies. Again I asked how, and he pointed me at voip.ms. After a little research, I decided to try it out. It’s working now, but getting everything working was far from simple.

VOIP, for those of you who don’t know, is short for Voice Over IP, which basically means your telephone service is provided over your internet connection. As long as you have broadband always-on internet service, you can use it to provide telephone service as well. In my case, I pay $1.99 per phone number and then 0.5¢ per minute per call (both incoming and outgoing). Note that there are no long distance charges, so a call to friends around the corner costs the same as calling the other side of the country – but a one-hour call costs all of 30¢.

To make this work, I first needed to sign up for a voip.ms account. This was free and very easy. Then you need something to convert your phone signals into internet traffic; in my case I bought an analog telephone adapter (ATA) from Linksys. My research for this purchase was not exactly extensive – it consisted entirely of asking John which one he bought, and then buying the same one. I plugged the device into my router and then plugged a phone into the adapter. Guess what? No dial tone. This made sense, since I hadn’t told the adapter how to get to the voip.ms server, nor did it have a phone number for me to use, which means that I have some configuring to do.

(Attention technophobes – you might want to skip this paragraph.) The adapter supports both a web interface and a phone interface. The phone interface is minimal and cumbersome – I had to pick up the phone and dial * four times and that gave me a voice menu. The menu options (not many of them) are listed in the manual and everything seemed very cryptic. Luckily there is also a web-based interface, which would make life a lot easier, but getting that enabled was a bit of work as well. The adapter had already been assigned an IP address by DHCP, but to get the VOIP stuff working, I had to open ports in the firewall which requires a static IP address. I entered a key sequence to disable DHCP and another to assign a static IP address, and then another to enable the web interface. Then I hung up and went to the IP address in a browser. Success! Now I could modify all the settings. Except that there were a zillion different settings, each with meaningless (to me) acronyms, and I didn’t know what the settings were supposed to be.

The web interface was orders of magnitude easier than the phone interface, but even so, you’d be lost without a good knowledge of telephony terminology. Unfortunately, I don’t have such knowledge. I eventually found a description of how to configure my particular device on the voip.ms page. Once that was done, things should have worked, in theory. To test it out, I ordered a new phone number (what they call a “DID”) from voip.ms, which cost me $1.99 / month. It gave me a Waterdown number (area code 289) instantly, and I was able to make outgoing calls. Incoming calls required a little more configuration but with more help from John, I soon had that working. I then started the process of moving my existing phone number over from Bell, and a week and $25 later, that was done. I cancelled the temporary number, physically disconnected the Bell line, and away we went.

Cool options available with voip.ms:

• You can set the name and number for call display. For example, when I call someone, I can set it so that their phone displays 867-5309 and “Jenny”.
• I get emailed every time someone leaves a voicemail. A .wav file is attached containing the message. When I dial the number to get my voicemail from home, I don’t need to enter a PIN.
• I can set up a dialing rule so that I don’t need to dial ‘905’ for local calls.
• If there is no answer (after a time period that I choose), I can:
  • go to voicemail
  • forward the call to another number (for example, my cell phone)
  • play a recording
  • give a busy signal
  • hang up
  • give a “this number is not in service” message
  • give a “this number has been disconnected” message
  • do nothing
• If the line is busy, I can choose any of the above options as well, and it doesn’t have to be the same as if there’s no answer.
• I can set up any number of phone numbers that all ring on my phone. These numbers can be anywhere in North America, and it would be a local call for people there. For example, I can set up a phone number in Huntsville (for $1.99/month) that my parents and Gail’s dad could call locally, and it would ring here. Nobody would pay long distance for that call.
• I can have the ring sound different depending on who’s calling or what number they dialled. In theory. John tried this, however, and couldn’t get it to work.
• I can add numbers into my local address book for speed dial on any phone. If they call me, I can set the name that’s displayed. This is handy, for example, because our cell phones always show up as “Unknown name” and the boys don’t answer the phone unless they recognize the name. (They haven’t memorized our cell numbers yet.) So I added our numbers to the address book and now my cell comes up as “Graeme cell”.
• I can set up multiple mailboxes and a “digital receptionist”. For example, I can say “Press 1 to leave a message for Graeme, 2 for Gail, 3 for Ryan, and 4 for Nicky”.
• I can put calls into a calling queue, complete with hold music. “Your call is important to us, and is being held in priority sequence. Please hold for the first available Perrow family member.”
• I can set up a “ring group” so that when a call comes in, both my home phone and my cell phone ring, and the first one to answer get it.
• I can make rules for specific numbers, so that telemarketers get the “This number has been disconnected” message, or some go straight to voicemail without ringing the phone.
• I can do almost anything above differently based on time of day. For example, I could say that between 11pm and 7am, only ring twice before going to voicemail, otherwise ring 5 times.
• I can get a complete list of every incoming and outgoing call, and how long it was. There are a number of graphs available, showing things like call lengths and total cost.
• 911 works, although it does not automatically forward our street address to the 911 operator. It also costs $1.99 / month extra.
• Other than 911, all of the above options are free included in the price.

Drawbacks:

• The 911 thing I mentioned. It works, but we have to tell the operator our address. Not a big deal.
• No call waiting, but I don’t care. We didn’t have it for many years and only added it recently. I don’t remember why we even added it – we usually just let the second call go to voicemail.
• If we’re doing a lot of internet stuff, like the boys are watching YouTube videos or I’m watching a lacrosse game, call quality could drop. John said he’s noticed this a few times but not often.

As I said, it was non-trivial to get everything set up, and the ATA device cost about $60, and moving the phone number cost $25. But if I end up with $10 monthly phone bills rather than $60+, those extra costs get covered pretty quickly. We’ve only been live for four days, but I have not noticed any drop in voice quality. And if nothing else, damn it’s cool.

Attention Facebook readers: You might want to click the “View Original Post” link at the bottom of this note. Facebook sometimes messes up the formatting. Irony: Writing about Facebook in an article available on Facebook and telling people to go somewhere else to read it.

Facebook is one of the world’s most popular websites, with over 350 million users. An awful lot of those people share all kinds of information on Facebook that they wouldn’t normally share with people, and a lot of them seem to have forgotten who they’ve added as friends when they update their status. I’ve seen people who post status messages like “Woohoo! Got laid tonight!”, forgetting that mom, Aunt Mary, and the boss are all reading this. Privacy, or the lack thereof, has always been a big issue with Facebook. Thanks to some recent changes to their privacy policy and settings, an awful lot of people are sharing an awful lot of information with the world that they probably don’t really want to share, and may not even realize that they are sharing.

Gail and I attended a “Facebook 101” seminar at a local school a couple of months ago. A local (Oakville) parent started looking into Facebook privacy, and was appalled at (a) the amount of information available by default to the world, (b) the number of people who don’t know this, and (c) the number of kids joining Facebook and not considering the ramifications of what they post. He started doing this seminar so that parents unfamiliar with Facebook (and even those who are) were informed about the privacy aspects. There were a number of parents there who had older kids than ours, and whose kids were on Facebook. Some of them didn’t really have a good idea what Facebook was or what their kids used it for. After the meeting, I checked on my privacy settings. I was aware of most of the information given in the seminar, and I had already changed my privacy settings, so I didn’t have to make many changes. I then started poking around my friends’ settings and their friends and so on just to see how much information I could glean about these unknown people, to see if what this guy had told us was really true, or if he was more of an alarmist, pointing out the extreme cases. Fairly quickly, I came across a fair amount of information about people I don’t know, the best example of which was the page of my manager’s teenage daughter, who I have never met. Her privacy settings were set wide open. Despite the fact that I was not her friend, I could see who her friends are, pictures of her, where she went to school, and even her her email address, home address, and home and cell phone numbers. I immediately emailed my boss to tell him, and a day or two later her page had been locked down. Even my very limited research told me that this was not an isolated case, and that the guy running the seminar was not an alarmist at all.

Facebook has recently changed its privacy policy as well as the privacy settings. The settings are much more straightforward than before, and it seems easier to lock down your personal information, but there are three huge issues with Facebook’s privacy policy:

1. As I said, it’s easier to lock down your personal information – or at least it’s easier to lock down the information that Facebook allows you to lock down. There are now some pieces of information (for example, your networks, sex, what city you live in, and your list of friends) that Facebook now considers public information, which means that you cannot prevent people from seeing that information. It is more than a little disturbing to me that Facebook has decided that they have the right to decide that for you and won’t allow you to change it.
2. The old default security settings weren’t bad, for the most part – your friends and people in your network could generally see most of your information. There were some pieces of information that were available to everyone, but not everything was. But the second big change was to the default security settings – the new settings mean that by default, everything is globally visible. If you had modified your security settings before the change those settings were kept, so security-conscious people didn’t notice any difference. But the vast majority of Facebook users had never touched their security settings, and are now sharing all of their information with the world.
3. When you install a Facebook application, the application developers get access to all of your information, even if you’ve marked it as private. Even worse, the application developers get access to all of your friends’ information as well. (This has always been true, but you used to be able to turn it off. Now you can’t.) This means that every time you install an application on Facebook, my information (assuming I’m on your friends list) is sent to the developer, and not only do I not have any control over that, I am not even informed of it. The application developers are then free to do whatever they like with the information. Technically they are subject to Facebook’s terms of service, which says that they are not allowed to use the data in any manner inconsistent with the user’s privacy information, but there’s no way for Facebook to police that.

If you don’t like these rules, you can just delete your account, right? Well, sort of, but that still doesn’t solve the problem. First off, Facebook doesn’t give you any easy way to delete your account. There is a way to “deactivate” your account, but there’s no “delete” button there. Apparently if you search hard enough you can find a way to delete it, but does Facebook actually delete your information from their servers, or just make it harder to find? Secondly, even if they do delete it, they still have backups of everything, so the information is all still available to them. Thirdly, (and this isn’t specific to Facebook) if someone on the internet can see your data, then they can save it to their hard disk, and nothing Facebook does can delete that. At the seminar I mentioned, the guy showed pictures that were taken at a frat party back in the 90’s, where two obviously drunk guys were standing at a party next to a stand-up cardboard cut-out of Hilary Clinton, and one of them had his hand on her breast. That guy, years later, became a speechwriter for Barack Obama, and when that photo re-appeared, he got into some serious trouble, jeopardizing not only his job but his entire career. Think about that when you post those pictures from last weekend’s kegger.

I read a comment online somewhere that said something like “Facebook shouldn’t be sharing information about their customers”. Another commenter responded succinctly and summed up everything: “You are not Facebook’s customer. Advertisers are Facebook’s customers. You are the product.” The more public information Facebook has on you, the more they can offer advertisers.

The easiest rule of thumb for internet security is: if you ever put anything on the internet, whether through Facebook, YouTube, a blog, a message board, or even email, whether it’s information, pictures, or videos, whether it’s intended to be publicly visible or not, you must always assume that it will be accessible by everyone – forever. Facebook is proving this – if you post information or pictures on Facebook and expect that only the people you allow to see it will be able to see it, you’re wrong, and it’s not because of some glitch that may or may not come up in the future, and it’s not because someone might squirrel the information away and publish it themselves later. It’s because Facebook is less concerned with your privacy than with how much they can make by selling it.

Here are a couple of related articles: one from the Electronic Frontier Foundation (EFF) and one from Jason Calacanis.

I read an article recently about a significant virus or some other kind of security problem that people were being warned about. One of the comments on the article said something like “Yeah, well they warned us about Y2K as well, and that was a bust.” I have read similar comments before and even heard similar sentiments from people I know. The truth is that Y2K was a real problem that would have caused real chaos if it hadn’t been fixed in time. However it was fixed in time, and the fact that no significant problems occurred on January 1, 2000 is a testament to the amount of planning and work that went into fixing it. The fact that the general public thinks it was a bust proves that it was successful.

I know that there were Y2K problems in the database server that I worked on at the time (and continue to work on), and I know that they were fixed beforehand. Our problems were fairly minor, but I know of other problems that were not. Gail worked for a large steel company at the time (still does, kinda), and some time in the late 90’s, they did some Y2K testing. They simultaneously reset all the clocks on all the computers in the plant to 11:30pm December 31, 1999 and fired ’em all up again. A few seconds after the clocks hit midnight, everything shut down. The problem was eventually traced to an exhaust fan deep in the bowels of the plant, which decided that it hadn’t had any scheduled maintenance in a hundred years, so it shut down. All the systems that depended on that fan to be running also shut down, and the failure cascaded upwards until nothing was running.

If they hadn’t done the testing, the plant would have shut down a few seconds after midnight on New Year’s Day, and it might have taken them a couple of days to find the problem and a couple more to get a new fan installed. This is assuming that the fan was the only problem. When every hour not producing steel costs your company hundreds of thousands (if not millions) of dollars, a five-day outage would be devastating. Now think: what if that same brand of exhaust fan was used in your local power or water treatment plant? Could half your city live without power or running water for a week in January? What if a similar failure occurred in an air traffic control system? Or some safety-related subsystem in a nuclear power plant? Or the computer controlling the respirators in your local ICU?

The fan was fixed or replaced and the test was repeated. I don’t know how many times they ran the test, but when the real December 31, 1999 arrived, the plant kept producing steel like it does through every other midnight. Many hours and dollars were spent in advance to make sure that the problem was solved before it happened. This was done in countless other factories, businesses, hospitals, airlines, and such (not to mention every software development company) so that when January 1, 2000 arrived, all the hardware and software would handle it.

The people who were expecting nationwide blackouts or planes to start dropping out of the sky at midnight were surprised to find that the number of actual problems was very small. Many people assumed that this meant the whole “Y2K problem” was overblown or some kind of industry hype. It wasn’t. It was a real problem with an absolute deadline that could not slip. It was solved in time thanks to the combined effort of thousands of software developers (who, admittedly, created the problem in the first place) and IT professionals who put in a lot of effort so that people would never know there was a problem.

This, of course, is part of the thankless world that IT professionals live in – if they do their job properly, you don’t notice them. You might even mistakenly think that they do nothing. Every morning, you arrive at work and check your email or internet connection and find that everything is working properly. How many of those mornings have come after nights where the IT staff were up until 4am fixing some network or hardware problem? I’m sure you don’t know, but I’ll bet that it’s more than zero. Tell ya what – next time you see your sys admin walking through the halls at work, say thanks.