Slashdot Mirror
PC Mag - Mac OS X Insecure
Suki writes "In this recent story a PC Mag writer concludes that "Panther and Jaguar were not better at outrunning vulnerabilities than Windows" and as my personal fav. ends by asking "How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here." The article discusses many previous Windows security holes against a recent Mac OS X security flaw."
and a known patch is on the way. it's a very easy vulnerability to avoid. there's no virus yet...
was it worth the rant, or has he just been waiting a long time to make it?
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
He's basically saying that since there was one widely-reported Mac security hole, Macs are as insecure as Windows? Odd comparison.
Mind you, I'm not too overwhelmed with his research; if he'd been paying attention, he'd have caught the SSH vulnerability the other month. It's not like Macs have been immune, and nobody with any clue claims they are.
What you can claim accurately is that Apple fixes holes promptly and fairly quickly, and that the MacOS X architecture does not have flaws which result in two or three active IE holes in the wild right now.
Apple isn't perfect, they're just pretty good. Microsoft isn't evil, they're just not as good as they should be. It's perfectly reasonable to use those two facts in making one's security decisions.
It's pretty sad when Windows-users feel they have to start defending themselves by pointing out that other operating systems are vulnerable too. The last paragraph pretty much says all in that regard...
The hole he's referring to requires some particular circumstances before it's even viable.
The attacker must:
Be on your local network
Already have control of your DHCP server
If both of the above are true, you already have much more serious problems.
While I agree that remote root/admin is bad juju, in this case it's hardly equivalent to the Windows remote admin exploits to which he's comparing it.
> a recent OS X security flaw
That's the significant word, I think. A single one
They will never know the simple pleasure of a monkey knife fight
We do not want to encourage behavior like this, do we? Reading the article, sheesh, what's next, checking for duplicates before posting?
Sigs for Nerds. Sigs that Matter.
The earlier slashdot story is here: http://apple.slashdot.org/article.pl?sid=03/11/28/ 2226226&mode=thread&tid=126&tid=172&tid=179&tid=18 5&tid=190
Dave Schroeder writes, "This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network."
There should be a moderation category "Dumbest Comment EVER"
... that you don't put your email in your attribution or anywhere in the article.. Luckily, thanks to Google, your bio reveals your email to be:
Lance_Ulanoff@ziffdavis.com
Share and enjoy!
It's about time Apple did something about the POS security in OS X!
Obliteracy: Words with explosions
That's the sound of no one caring what you think, Lance.
A series of what ifs, followed by the reaction of imaginary mac fields that exist only in Lance's head.
And the whole "Macs don't suffer viruses because there's so few" myth was dead and buried long ago. Sheesh. Who cares? If Lance is happy with his bloated, cheerless, abominable bugfest of an OS, more power to him.
And now, Obligatory Car Analogy: it's like Lance is sitting by the side of the road with his Chevy Vega that just flew to pieces for the fifth time that week, and he's pointing at the Lexus that just sped by because it had a defective radio knob that just fell off.
--- Ban humanity.
I read the article too, this guy using a valid point:
Mac OSX is not perfect
To bash Macs... it's paragraph after paragraph of "See? I told you so."
I own a mac, but I use PC's at work and home, I barely notice a difference between the two when I move between them because most of the apps that I use, like Office and Mozilla are fairly close in appearance and functionality.
BUT... the absolute, positive, no questions asked fact, is that last time my office of 300+ people had some worm running around, my mac was NOT infected and I was not required to jump through IT-hoops for hours to get rid of it or prevent it from happening.
Whether or not it has flaws or not is a stupid question, of course it does... but so far they haven't proven to be anywhere near as disasterous as the bullsh*t that we have to deal with from Windows.
there are also incredibly FEW network services turned on (come on, someone spoofing your DHCP server on YOUR network and inserting malicious code? You've got bigger problems, my friend, than your vulernable Mac) out of the box when you install a Mac.
This in and of itself is another 50 pounds of "bite my shiny metal ass, Micro Soft apologist" to hand to the author of this article (i RTFA as well - he carped on a LONG time about this one quite obscure vulnerability, and didn't bother to name a single Mac virus or mail.app worm.. i wonder why?)
Until Microsoft changes their ways on having every useless network service turned on by defualt and making it easy (read: not requireing use of Regedit) to turn off and on services (read: Sharing System Preference Panel - checkboxes for all services), Macs will continue to be far less vulnerable to attacks than Windows is.
guns kill people like spoons make Rosie O'Donnell fat.
Excellent comments. Please post them in our forum:
s p,
http://discuss.pcmag.com/pcmag/start/?msg=32413
-----Original Message-----
From: ***
Sent: Thursday, December 11, 2003 10:24 AM
To: Ulanoff, Lance
Subject: Eureka
Hello.
in your piece at http://www.pcmag.com/article2/0,4149,1408953,00.a
you have this to say in conclusion:
Ultimately, those on the Mac fringe have to face facts: Panther and Jaguar were not better at outrunning vulnerabilities than Windows. I expect other gaps will emerge, and while the Mac OS may still draw far fewer attacks, this discovery might suck a little wind (or is it Windows?) out of Mac radicals' sails. They can scarcely claim this was a minor hole. OS root access is serious stuff. How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.
So, that's all it takes for you? One potentially serious loophole in an
OS to declare it "no better at outrunning vulnerabilities than
windows"?
Have you recently counted the number of Cert advisory reports that have
come out for XP? Last I checked, more than a month ago, it was in the
40-some range. For XP alone. This year only. For the past few weeks,
those reports have come in bundles of 3-to-5 at a time. Nearly every
other week.
While gaining root access is serious on a Unix machine, you also need
to point out the fact that to be able to gain access to this loophole,
you absolutely need to be on the same subnet as the compromised
computer. Therefore shielding 60%-some percent of home Mac installation
(as those connect to the interner through some phone connection like
PPP) and a great deal (don't have numbers) of the remaining 40% still
not at risk, provided their Cable or ISDN, [A]DSL ISPs have done their
work properly.
It's not like one could attack the entire machine simply by sending an
email containing some VBL script. Right?
Of course I'm a Mac head. And I'm still as cocky as I've been since
roughly 1988. Because every time I see those IT folks around here
struggling to keep the company running when the next wave of Win
trouble appears, I'll be smiling at my desk, uninterrupted, and
occasionally offering to help (okay... I'm just pointing them to some
Linux site or Apple.com... but hey... I seriously believe that would
help
them).
Keep us entertained.
Have a good day.
If you don't use a DHCP / LDAP server then its recommended that you turn it off.
This is from the apple site:
You don't use a directory service
I've been a Mac user for four years now, but I still regularly use Windows and occasionally Linux. To me, Mr. Ulanoff seems to embody the worst type of Mac user - the cynical ex-user. All the Mac users I've talked to aren't snobby or "elite" but almost every single ex-mac user is. It's almost like they were upset that they had to leave MacOS and now all they do is spit insults at anyone who thinks that Macs are cool.
I feel bad for anyone who feels the need to put a group of users down simply due to their choice in tools. That goes for the "Mac elite" that Mr. Ulanoff has to deal with as well.
You can find a better article about the OS X vs. Windows with respect to viruses here.
I have never been able to shake my perception of PC Magazine/ZD as just a shill for their biggest advertisers. Just ask yourself: Who butters their bread?
I understand that a lot of you here on Slashdot are new to the Mac (since OS X) but those of us who have been on Macs for longer recognize this type of junk tech writing for exactly what it is: an attempt to stir the shit and increase readership. It's probably easier to sell advertising on your site or magazine if you can create just the right anti-Mac tempest in a teapot and sell a few more copies or increase your web site hits. This tactic used to run under the headline "Apple going out of business" or "Apple to close up." Now that's mutated into a "critique" of security or speed claims or whatever. Sadly, there is a fraction of Mac users out there who are still willing to take this bait and play into the game. I'm not even looking at the article. Been there, done that. I recommend that you stare out the window and observe the slow but steady growth of the grass outside--that would be far more productive that playing into this kind of shameless, professional trolling masquerading as tech reporting.
--Rick "If it isn't broken, take it apart and find out why."
Wrong. There is something to be said for how security is considered in the design of an OS. For Windows, it wasn't much of a consideration, which contributed heavily to why there have been so many systemic vulnerabilities.
The system was designed to be user-friendly, not secure. They got their market-share because of that fact. I think it is much easier to make a secure system user-friendly than to make a user-friendly system secure. Microsoft is finding that out as well. You reap what you sow.
My beliefs do not require that you agree with them.
Notes From Under *nix: blas.phemo.us
Meanwhile, we can already see what happens when Apple has a broadly popular product that cuts across platforms. The Apple iPod is the number one MP3 player, and now that its companion computer utility, iTunes, is available for both the Mac and the PC, it has become a hack target. In fact, Jon Lech Johansen, the same Norwegian who cracked the DVD security code, recently circumvented the iTunes music protection scheme.
An event like that occurring makes sense to me, since iTunes' popularity makes it a target worth hacking -- and whatever mystical Mac mojo there may be, it didn't go far in protecting a popular Apple product.Steve Jobs stated when the iTunes music store was announced that the DRM would be hacked. The point was to provide a DRM solution that was not restrictive to honest users. That was delivered.
How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.
I think you can add Lance Ulanoff to the list of things that are "insecure".
Quick, send him an Outlook virus!
I think I already did.
The ______ Agenda
Actually, this is one of the more mind-bogglingly stupid articles from a Windows apologist I've read in a long time. It's even worse than most Slashdot wintrolls.
For the record, I'm not a Mac user and my few attempts at using it ended in annoyance and frustration. It does not, however, take a genius to recognize the logical leaps inherent in the author's petulant outburst.
To wit:
1) A single flaw does not compare to the egregious history of security problems on Windows.
2) The conjecture that if Mac OS were more used than Windows, it would have the same vulnerability rate is just that, conjecture, and it is unsupported in the article.
3) The iTunes/iPod "hack" is not comparable to an operating system comprimise. It is a comprimise of a digital restrictions management (DRM) system. DRM systems are known to be inherently vulnerable and practically insecurable. Nobody but deluded content industry executives expect DRM systems to have any more than brief protection. Also, once broken, they can't be fixed.
4) The swipes at Mac "zealots" are irrelevant ad hominems
5) The complaint about the complexity of MacOS X is silly. All software is complex. Some is just done worse than other.
There's nothing here to see.
Personally I would not have made that choice, but at least there was check box to turn off the default DNS trust. If only windows came with checkboxes to remove its bugs. And I dont mean like checkboxes that say "turn off scripting and cripple my browser please".
In fact mac has not even fixed the so-called hole because its not neccessarily a mistake.
In any case the SSH vulnerability, and the screen-locker vulnerability were in fact true holes created by mistakes. These are what should be scrutinized. But these did not lead to widesperead network worms at least. they did not arrise out of a insecure by desing attitude that pervades all the Active-X philosopy, the power-user-by-default philosophy, the standards crushing embrace-and-extend, the optional log-in password philosophy, or the add features rather than fix bugs philosophy that rightfully inspires all the anti-windows zealotry.
Some drink at the fountain of knowledge. Others just gargle.
I take issue with your statement that Unix design is more elegant. I feel that NT is a wonderful, modern, design, with inherently more built-in security features than BSD or Linux variants.
Unix is a 35 year-old design that has stood the test of time _because_ of its elegance. It's based on 6 commands (open, close, read, write, fork and exec), takes an "everything's a file" approach, and relies heavily on small, reusable componets that are easier to fix and isolate than large monolitic code. The complexity if Unix likes in the mixing of those simple pieces.
Think of it as the difference between Playdough (Windows) and Lego (Unix). Windows is like a big lump of playdough. Sure it's pliable in the beginning, but over time it hardens into a big, unusable clump that needs to be tossed (reloaded). Unix on the other hand is like legos. Its modular design lends itself to be mixed and matched into unlimited configurations.
When it comes to security, it's easier for coders to get their brains around smaller, more manageable code. Windows is so big and unwieldly, they're going to have to do a fourth rewrite if they ever hope to build something that's even close to being secure. Why else has Microsoft been promising security for almost two years since they announce "Trustworthy Computing" and yet they're worse off than they've ever been.
Like I said in the original post, next month we'll see a whole slew of major new problems with Windows, and Mac and the other Unix variants will probably be free from any major known flaws. Just like we have for years.
Ruby on Rails Screencast
Shouldn't that be:
Stuck in the middle with GNU..?
Because of the hundreds of holes in Windows some attacker can compromise a Windows server in the local subnet and then use it to spoof the DHCP servers to gain access to the Mac.
"How cocky are you feeling now, Mac elite?"....Aha! At least they are now recognising that we are an elite! ;-)
"This is crazy, you realise we could all go to jail for this?" - my manager, somewhere I used to work.
OSX has the out of box simplicity edge while still having all these services off?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
By the same token, you could also call the user, impersonate an Apple tech, and ask them to turn on SSH and tell you their username and password. Or, if a user leaves their front door unlocked, you could walk in and remove their computer. Both obviously point to glaring security holes in OSX.
The point, however, is that it's extrememly difficult and/or impossible to write an autonomously propogating virus or worm for OSX that doesn't require active user intervention. Contrast with Windows...
I'll admit, right away, that I'm a Mac user. Then again, I'm also a Windows user, Linux user, SunOS user, etc. I'm really not *that* platform dependant. I guess I really don't understand the reasoning behind arguing over an OS. The argument is rather petty if you are not doing anything to improve upon the security of the operating system you favor. No OS is perfect, and no OS is totally secure.
I did find a few problems with the article (beside the fact that the author was bashing mac users who bash windows users...circular logic, anyone?). The author claimed that due to the fact that DVD Jon cracked quicktime encryption of ACC streams (used by the iTunes Music Store) doesn't mean it's going to bring either the MacOS or Windows to its knees. It's a f**king MP3 player for Chrissakes. Sure, vulnerability that could circumvent OS security might exist within iTunes, but the specific nature of DVD Jon's crack has nothing to do with OS security.
The author made this claim about the cross-platform iTunes "exploit" while failing to mention anything at all about Macros, and the possible for viruses that accompany them. To me, it seems that the author was grasping at straws without having any concrete evidence to back up his claims.
Whenever I read an article from one side of the OS wars bashing the other side, I tend to think that the author was in danger of missing his deadline and needed to come up with something in a hurry. Why does this issue never get old? Perhaps we should think about ways to make our OS of choice more secure rather than bashing others' flaws.
AgentOJ
But even back then, I had this gnawing suspicion that 18-month software development cycles could somehow hurt the platform. Before the tide really turned, however, I switched to PCs. I had joined PC Magazine, and the editorial staff used them.
That's the Mac's problem! He has nailed it! Apple develops new and vastly improved features (in the range of 150+) - basically an overhaul of the operating system - every 18 months. Rather than this whole OS X thing, they should have just created a new theme for OS 9 (oooh, maybe with Green highlights) and changed its name every so often...
If you can't taste the sarcasm, just smile and nod...
Disclaimer: This comment was generated by a Flock of Trained Microsoft Programmers for Aqua_Geek.
2) The conjecture that if Mac OS were more used than Windows, it would have the same vulnerability rate is just that, conjecture, and it is unsupported in the article.
Actually on the 12/02/03 episode of the linux show, Eric Raymond made a very good point that pretty much debunks this particular piece of FUD spread by Microsoft and Windows apologists. He said that if the number of bugs/vernerabilities of a piece of software were merely a function of the number of deployments of the software, then we would see far more bugs and vernerabilities in Apache, which currently has 67% of webserver deployments, than in Microsoft IIS, which only has 20%. Instead we see the exact opposite with far more bugs and vernerabilies in IIS. So, unless MS or Mr. Ulanoff can provide proof for their claims, then they are just spreading FUD!