Slashdot Mirror
Mac OS X Security Criticisms Countered
Paradox writes "In response to the recent PC Magazine story criticizing Mac OS X security, technologist/author Richard Forno has written a rebuttal criticizing the author and raising some good points about the fundamental differences between Windows and Mac OS X. Considering Lance Ulanoff's tone during his article, a rebuttal from the Mac OS X community was inevitable." Forno's conclusion: "Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of 'secure by design, default, and deployment'."
Muckraking, the PC Way
Richard Forno
12 Dec 03
Copyright (c) 2003 by Author. Permission granted to reproduce in entirety with credit given.
Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.
Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features. PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows- dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.
Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.
In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher Bill Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors.) Accordingly, Lance took this as a green light to launch into a snide tirade about how "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."
In other words, you're either with him or with the "zealots." Where have we seen this narrow-minded extremist view before?
More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26. Somehow he missed that.
Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.
The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. Its also something Microsoft unfortunately cant accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder." (That alone would seriously improve Windows security, methinks.)
At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesnt have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Win
not much comparison when you start comparing your security to windows security.
Tho Forno is mostly correct in his assertions, I would take him MUCH more seriously if his argument wasn't riddled with immature name-calling.
"Ask not what your country can do for you." --John F. Kennedy
the bottom line is which are you going to trust anyway? the only computer that i would fully trust to protect my stuff would be a gentoo linux box custom made for a specific purpose. Self patching and very few applications installed for a person to take advantage of. the bottom line is though XP and Mac OSX may be "secure" they're not secure enough for anything important. (in my humble opinion.) I also work at a place where security is EVERYTHING so i guess i see it different... This pointless blathering about security shoudl convince no one of anything, especially when zealots are concerned.... I say use whatever works best for what you are doing. if you want REAL security, you shouldnt use either of those OS's
'In other words, you're either with him [Lance Ulanoff] or with the "zealots."'
If I have to choose sides, I'll go with the Zealots on this one. Apple's security and responses to breaches (so far) have been light years ahead of what I've dealt with from MS.
Tim
Drill baby drill - on Mars
The PC Magazine story was just about that - a story.
It wasn't a report. It wasn't an account. It wasn't an investigation. It wasn't supported by facts. It wasn't supported by logic. It was an opinion piece that, from my view, wasn't well thought or well written.
It's unfortunate that people need to write rebuttals to this sort of journalism, but some naive readers out there will simply take it at face value because it's in print, so it must be true.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
That is a great article, but for some reason it feels like he didn't really do that much research. For instance, his reference to DLL Hell is outdated - Windows XP doesn't suffer from that issue.
Saying that, I have to make the statement that I am an OS X user, and I love it. The simple fact that is asks for my username and password when I try to install applications is a wonder in itself.
You could have found a fairly accurate rebuttle right here at . as well.
Minus the trolls and such.
My windows all have locks on them. Do your apples?
.....
.....
Contrary to his article, the small market segment held by Apple doesn't automatically make the Mac OS less vulnerable to attack or exploitation. Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work. In other words, if, as he suggests, Mac OS was the dominant operating system, its users would still enjoy an inherently more secure and trustworthy computing environment even if the number of attacks against it increased. That's because unlike Windows, Mac OS was designed from the ground up with security in mind. Is it totally secure? Nothing will ever be totally secure. But when compared to Windows, Mac OS is proving to be a significantly more reliable and (exponentially) more secure computing environment for today's users, including this security professional.
When you add value to BSD software? You out-preform Microsoft.
... missed both UNIX and BSD.
Now what except the GUI is so specific to OS X that one may write an article related to security without at least touching the root(s).
CC.
TaijiQuan (Huang, 5 loosenings)
PC Mag (and other MS type mags) are dominated by authors who are devoted to MS. It was a given that they are going to write in this fashion (same style of writing has been going on against Linux for years). I say, do not worry about it. They will be going away sooner rather than later.
A blog entry (not mine) on the subject.
Enjoy.
Slashdot's first reaction to VMware
is that Mac os 9 was completly safe to the outside world. AFIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen remote vulnerablitly. Wasn't the army using a few G4 towers with Webstar as html servers? I wouldn't go back to 9 from 10.3 - but it was amazingly secure.
That people pay him money to spew out crap like that (and that other people that are supposed to be fact-checking/editorially judging are as well) is truly depressing.
...right you are!
Blar.
Are there any viruses/trojans for OS X?
I know there was the ssh deal a while back, but does anyone know of any remote r00ting of an OS X box anywhere?
"or wrong, never fully read it or the rebuttal"
so why comment on the relationship between the two if you are obviously misinformed and you admit it?
The tone of the article has a lot to do with the assumption.
I mean, if I said, "I wish he'd just shut his mouth if he's not going to read the article," you can safely assume more malice there than if I said "He really should read the article before commenting," right?
19:56 cyprus ~ % uname -a
Linux cyprus 2.4.18-newpmac #1 Thu Mar 14 22:44:49 EST 2002 ppc GNU/Linux
If you work in a place where "security is EVERYTHING", then you should know that trust is *not* the bottom line.
Don't trust vendors.
Don't trust open source.
Trust no one.
Audit.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
My security is a big ax. Just try breaking into my computer, and I will HACK you.
30% Troll, 50% Underrated, 10% Interesting
Score:5, Troll
It's not too much of an assumption. The author of the orinigal piece said he was glad that there was finally a big vulnerability for Mac OS, and that he was tired of Mac users looking smug when SAMS edition Conquer the Internet in 12 Hours outlook viruses pass them over. The whole piece just had a tone of "I'm really sick of people bragging about Mac OS."
I think Apple has shown the way Microsoft should follow if they wish to bring security and stability to the Windows platform. Apple migrated over to the underpinnings of BSD without compromising the distinctness that only Apple brings to the table. If Microsoft truly cared about "trustworthy computing," they'd shift their gears and concentrate on gluing the Windows GUI and other applications to whatever BSD platform they chose to annoint. After their acquisition last year (the VirtualPC crew), Microsoft has the talents necessary to bring decent emulation of older Windows flavors to their new products. But apparently they [Microsoft] are too stubborn for their own good. It sounds like Longhorn will now be delayed until 2006 or 2007, and every year they slip, the more people and institutions will slip away to Linux and OS X for the very ideal of "trustworthy computing" they profess. Windows is broken as an OS, but as a GUI "bundled" on top of BSD, it would prove to be the magic Microsoft's shareholders are now searching for. And since Microsoft has been infusing SCO with cash, Microsoft would be "safe" from any litigation from SCO in regard to BSD or Linux...
"Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*
You are right, of course. But expecting Forno to avoid name-calling would mean expecting him to avoid feeding the Troll. This one was so cute, and looked so hungry... Maybe just a LITTLE food would be okay...
Crap. Slashdot picked it up. So much for keeping the Troll population down this Christmas season!
Also, Mac OS != Mac OS X, since the original article's autor used the interchangable.
This at least had some bullets that backed up the statements.
The PC Mag article read as a 'neener neener neener I hate you' article vs. something with content.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
From the original article:
How cocky are you feeling now, Mac elite?
While the original article's criticism may not have come from "zealous hate", it certainly didn't come from impartial journalism. This and other statements like it definitely tinted it from simple reporting to an apparent attack, complete with the subliminal childish prat-calls.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
Blockquoth the article:
Oh joy, now we can't even have a decent "Mac versus Windows" flamewar without someone spinning off into gratuitous political trolling. May they both rot in /dev/null...
"Never attribute to malice what can be explained by stupidity."
Maybe we deserve this world ?
I can counter anything by countering it. It means I'm a clever zealot. More at 11.
Snippets from the article: ..."system's FreeBSD foundation"... ..."the Unix-based Mac OS X system"... ..."not the same as the Unix 'root' account password"...
:)
and
and
You must be referring to the *original* article... the first makes no reference to BSD or UNIX. Based on that, I wholeheartedly agree with your assessment - I do not think that the original author had a real understanding of OS X, BSB, UINX, or for that matter, even Windows.
We would never actually read a serious article of this nature because any person that takes the time to do a security review of Windows would find so many holes they would never finish their article. And they'd probably have to write it twice. And it would be posted on the internet before they could publish it.*
*I may have exaggerated slightly on the last few points
Hey, reading this is slow going. Anyone got a link to the PowerPoint slideshow version for dummies?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
One of the great breakthroughs in safety design came when ships started to be built with compartments, which would prevent a single hull puncture to sink the whole ship. (Sadly the Titanic's compartments were all aligned in one dimension, so when the puncture was very long, it compromised all compartments).
One of my greatest concerns with MS attitude towards design of their "ships", especially Windows and Office is, that they are integrated way too much. So any security "puncture" spills over way too easily into the rest of the ship. As a very annoying side effect, one ends up re-booting for way too many MS patches. Why should I have to reboot, if I patch my browser or e-mail client?
Of course, MSIE, Outlook and MS Office vulnerabilities have been a lot less worrying for me, since fully switching to Mozilla and OpenOffice over a year ago!
... should be more worried about his Job security. f00l!
Firstly, my new office machine is a Dell with XP Pro. My home machines are iBook with 10.3, and a ThinkPad with Mandrake 9.x (uptime near 60 days now). All 3 are stable machines that do what I want, when I want. The Thinkpad was the #1 machine until I had enough scratch to buy the iBook (apple.com does nice refurb sales from time to time). When sobig and the other malicious worms of 2003 came out, my office was all win98 machines, and a NT 4.0 server. Due to reading /. and using Norton Antivirus, the only machine affected by the onslaught were the machines I was not "allowed" to touch (#1 computer guy {I am the secondary guy}, and the owner of the company {"I did that already"}. In short, you can run any of these machines safely, with most all of the latest software. It just helps if you are not an idiot.
PEBKAC
The original "commentary" was not just chock full of factual errors, improper syllogisms, et. al. It was dripping with such a malice-filled glee at the notion that OS X might be as insecure as Windows that one has to wonder as to real root of the author's problems. He mentions how angered he is by the laughing of OS X users every time he has to deal with another Windows virus/trojan/bug. Are "commentaries" like his the sad, pathetic result of not working on an OS that "just works"?
I know this is wrong, but in one respect I was happy to learn earlier this month about the discovery of a significant security hole in the Jaguar and Panther...
I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts.
I generally counter with what is apparently a secret carefully hidden from Mac zealots:...
But the mindlessly superior retort is always the same....
Given this recent development, my question is, "Will you be stuffing that superior attitude in your crow or eating it separately, sir?"
Those quotes alone comprise half the first few paragraphs. See, that wasn't too hard, was it?
I realize this is an oft-repeated truism, and obscurity alone doesn't make a system truly secure...but it certainly helps. To make an analogy, I know of many friends who have been robbed, even when their valuables were well-locked. However, those who put their valuables in places theives never think to look are generally the ones who keep them - good security is never perfect, and is generally at best a deterrent, at worst a challenge. Hell, security through obscurity is the whole basis for steganography, though most would recommend encryption as part of a "why not?" sort of preprocessing step.
As such, I think it's a given that Windows is at least less secure because of its market share. Whether Mac is more secure because of its obecurity is debatable - I'm sure there are a number of generic unix exploits that macs would suffer from, and the general unix community is very high profile.
-Looking for a job as a materials chemist or multivariat
LOL :)
I Use, Run and Endorse OS X Server. For home and office use. I was co-incidentally running a Lab similar to that root exploit and guess what OSX is a ::real unix:: it has an exploit. I couldn't replicate because I use Kerberos. But this is the first and only time that I have had my development box (OBJ C / Java), Workgroup Server AND desktop on the same HW. with no loss of data in about three years. :-> ). The only way to really be sure is to try the mac. Yes Apple has some ::Issues:: it was only a matter of time before people clues into the OS a year plan. But the money goes into REAL r&d that makes my sysAdmin at home and work so much easier. From time to time I get a hack attempt. But my mac is set up as an Win2K ActiveDirectory PDC and my logs keep me laughing. I hardly even boot my PC as it would be a real security risk
In three years M$ will come out with supposedly secure computing, with more of an eye toward how to KEEP drm secure than how to prevent massive system intrusions violations. In the past seven years I have had none of this virus hype. It seems like the Mac users and the Linux users are having more in common every year (Except the OS X gets faster on the same HW
So before you bash the OS the real question is do you run it. And if not when was the last time you were really happy with your OS
-- P.S.> I will not go to Server 10.3 as I already implemented all of the documented features by 05/2003
--Shaddup and support your local PBS station Plan for it
There are after all literally hundreds, maybe thousands of Macs on the Internet these days. Imagine if a significant portion of them were compromised. The ensuing chaos would be a huge problem for Mac and Windows users alike.
Sorry, but that's a bug. It should error. Not failing (or at least indicating) the flaw is wrong.
Look at all the security holes because IE tries to "help" you with the type of a file.
However, Solairs is a fantastic car... food... er... movie.
Alright, just so I don't get dubbed Troll by any Mac Fan(atic)s out there - THIS IS NOT A DEFENSE OF THE WINDOWS OPERATING SYSTEM OR A COMPARISON BETWEEN THE MAC OS AND WINDOWS. If you read Lance's original article, it's not saying "Windows rule, Macs drool" on the basis of the security flaw he mentions. It's about something bigger, which is an underlying issue in the Mac community: fixation on image.
No serious, knowledgeable Mac user is going to sit down and tell you that "their" OS is descended from heaven, perfect and secure in every facet. Albeit, it's a LOT better than Windows, but it's got a couple issues of its own. But I know a lot of guys who bought Macs because "My old computer got a virus, and a guy told me Macs don't get viruses" or "I don't know anything about computers, but I want something that can't break." These guys need to read Lance's article because Macs CAN get viruses and do have the occasional security holes (though still nothing like Windows, but again THIS IS NOT A COMPARISON).
For the educated Mac user, Lance's article was "much ado about nothing." But there is a faction in the Mac community which claims that they know their OS is not invulnerable, but any criticism or discussion of a flaw results in personal attacks against the original author, their OS, their family, friends and pets, followed by an extensive feature-by-feature OS comparison. For these people, the security of the Mac OS has not been attacked; instead, their worth as individuals has been smeared (by means of their personal investment of self-worth in the Mac "image").
Long story short - I think the rebuttal was over the top and completely missed the point. But it nicely drew attention to a real problem: the Mac community needs to do something about the association of the Mac "image" with the identities of Mac users.
To: Richard Forno
From: Lance Ulanoff
Subject: Re: Mac Security
YHL YHBT HAND
my point is kinda the lesser of two evils. who do you trust the most. and that is ALWAYS laced with your own resposibility. if you hire a body guard and trust him to protect you then you had better remember to pay him his wages. just as you'd better remember to keep an eye on everything and make sure everything is up to date...
large numbers of Apple users do tend to fall into the moronic zealot category - see Slashdot for examples.
That would be the 'Linux' example eh?
News stories are supposed to be based on fact, or have factual content (not that there is ever completely bias free journalism). Editorials are bassed on opinion.
Unfortunetly the orignal story was an editorial, but not presented as such.
And $89 Windows upgrades every three years!
You're confusing Microsoft propaganda ("we fixed DLL Hell!") with reality.
.NET may manage to avoid most of DLL Hell (except for all the caveats like ADO problems), but this is of limited help with the existing DLL hell (eg, shell versions, which is a problem noone can fix but Microsoft, and they lack the money and incentive).
The reality is that new applications written specifically for
And I read the original article in the magazine when I got it. Contrary to the rebutters opinion, I did't see the article as "muckraking". The author may not be as well informed as he should be. Pointing out that a simple firewall is enabled by default and that changing system settings is more difficult in Mac OS X would have gone a long way toward mitigating this kind of response, but certainly would not have eliminated it. I get the feeling that merely suggesting that Mac OS X feels less pain from viruses, trojans, and other nasties in part because it has a smaller market share would result in this sort of response regardless of how well informed the journalist was about Macs.
I think the author of the original commentary article, Lance Ulanoff, is at least partially correct. I've seen other posts in this article thread stating that "security through obscurity doesn't work". Actually, it does, until the vulnerability is discovered. Does Mac OS X have undiscovered vulnerablities? I can almost assure you it does. No programmer, no matter how intelligent, can ever come up with every sneaky, crafty, or just odd tactic that crackers will try.
So is Mac OS X less of a target because of smaller market share? Yes.
Is Mac OS X more secure in a default configuration that Windows XP? Yes.
Its really pretty simple when you look at it objectively. I maintain that if you have a normal doofus user setting up an OS, you have an unsecure OS, Windows or not.
// harborpirate
// Slashbots off the starboard bow!
It is odd that a writer would make comparisons between OS X and Windows. I seem to remember the worlds computer systems grinding to a halt a few months ago due to Windows only worms, including Fortune 500 Companies, Government networks, and thousands of small businesses. In total I bet these worms cost the United States alone $10 billion in lost productivity and computer repair costs. Now I seem to forget the last time Macintosh had any sever problems that affected anyone seriously. I know this is flamebait for you Windows fans that disregard the Windows worms like it was all a haulocause type conspiracy to make light of your beloved Windows. To all those conspiracy theorists out there, I love you man.
- Kill Yourself, spare us all! -
-----BEGIN PGP SIGNED MESSAGE-----
c mq hbDcPqxQCfVsp+
- ----END PGP SIGNATURE-----
Hash: SHA1
As one of the local Network specialists at Macbidouille, I have never heard of a single rooted Mac user, even though a number came and alarmingly asked about strange network behaviour, when all they really had was ISP DNS problems or firewall misconfiguration.
There's also the casual shot at Mac antivirus software that only have definitions for PC-specific viruses.
And IIRC the recent ssh vulnerabilities did not affect Mac OS X (they affected OpenSSH 3.7 and 3.7.1, not the version provided by Apple).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQE/3hkF76Zattu5F5URAqV/AJ4rovUhMjucZ1dZTKj
pTy2e+aiWuwkaIFRkrOaErM=
=zAhE
Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of "secure by design, default, and deployment."
That is true, right now, but it is not a fair comparison.
Look, I'm no MS fan, but they have not released an operating system since they started their "trustworthy" initiative. The Windows operating systems being discussed are old (WinXP came out in 2001), and obviously full of holes--so full of holes that MS had to start this whole focus on security.
So comparing anything to an admittedly weak and insecure operating system is just plain silly. Everyone knows Windows is insecure. Saying MacOSX is more secure than Windows means nothing, and in fact makes OSX security look comparable to that of Windows when in fact it is far better (regardless of what that PCMagazine moron wants to believe).
So, how about we give MS a chance and at least wait for them to release an OS under their "secure by design, default, and deployment" banner before we start ripping it. We may be pleasantly surprised (although I doubt it).
You expect anything different when the Macintosh is involved? :)
My summary of the situation:
- Nothing is totally secure, if it's at all useful.
- Windows is demonstrably NOT secure. IT's been riddled with nasty bugs for years.. and for Joe Average, WHY doesn't matter.
- OS X is without question far more secure than windows, and less buggy. That is not to say it's immune, or that it can't be hurt ever, but several factors both in low-level design, and in user interface design, specifically how easily users can turn on and off certain services, makes it less prone to exploits.
- Yes, it has a smaller market share, and hence, less attention is focused on it, and that certainly IS a factor.. but it doesn't change the fact that mac users don't have to worry about viruses on a dialy basis at the moment. It also isn't the only factor, and hardly means "Oh it's just as insecure as windows"
The #1 insecurities in windows are related to bad design... and a narrow interpretation of how the computer will be used in a network environment. Having all these services listening by default is bad. Having them difficult to shut off is even worse.
Yeah, that's true, but he's not very smart at all.
The provided blog entry is very interesting. Author cites relevant RFCs, great stuff. Miles from the bullshit the PC-Magazine idiot is saying.
For a moment everybody in America will know about you.
Yes, actually the ending sentence that comes right after that
Hmm. Suddenly it's gotten pretty quiet around here.
REALLY got on my nerves. Anyone who declares victory at the end of their own damn article...
and hell, Windows is the only OS I use on a daily basis, other than some Usenet in a Unix shell account.
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
Next paragraph, he complains that Windows's out-of-the box config (leaving so many things running) is bad. I agree. MS is improving in that area; WS2k3 is much better. Not being able to stop/disable RPC is an issue, however. I don't know what's so hard about disabling services anyway. You can even do it from the command line; just tell users to go Start->Run and type "sc stop messenger" to stop messenger, and "sc config messenger start= disabled" to disable it.
The next paragraph about installation is bogus. It is crappy installation programs that overwrite system files, and system file protection (min win2k) makes it a non-issue. I wish there was an example of a patch doing all of those things to configuration, since I don't know what he is talking about.
Don't like media player? Don't use it. There are plenty of alternatives; I recommend Winamp 2.
Many of the security concerns he points out are easily remidied by not running everything under admin, or at least avoiding crapware.What do you mean, unlike Windows? You have to be an admin to install mostly anything, or change most computer settings on Windows.
I used the app access control panel in Windows to use Mozilla, and it works fine. There is nothing forcing you to use MS Media Player, Outlook Express, or IE for the internet. It IS more work to use a different shell than explorer (which uses IE a lot), but there are alternatives to that too.
Yes, 'Trustworthy Computing' is a thin marketing slogan, but the issues the author tries to bring up are a combination of unsubstantiated and easy to work around.
Thanks for proving my point guys.
Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.
Remember when everyone's domains (including aol.com) were getting hijacked because the default security was so laughable? (sarcasm)Network Solutions, now there's some credentials.
I recently switched to MacOSX from BeOS. In my experience chatting to the Mac Community out there, they are not more fanatical than Any other Community. I've know Car Clubs who are more obsessive than the Macintosh Community.
The only fanatics I've ran accross in the MacOSX World are the AntiMac Fanatics. For whatever reason, these individuals *hate* Macs. Not just Dislike Macs, but actively *hate* them, with a passion remeniscant of Religious Fundamentalists.
People who rebute these AntiMac Fanatics are Labeled Mac Zealots. This is only a half truth, they are really just qualifiers of the AntiMac FUD.
Anti-OS sentiments aren't restricted to MacOS, though, There are plenty of AntiMS, AntiLinux, AntiBSD and Anti[insert favourite OS here] Fanatics. Are you one of them?
The thing is once I finished high school and got into college everything changed. I met people who actually understood me and were like me. No one made fun of me being a nerd, hell everyone was a nerd. I was actually happy.
Some of us have very rough times in school. Ignoring people is very hard and how to deal with what's going on really depends on a case to case basis. Sometimes you just need to find the right group of people. Some of the funest, and most accepting people that you'll ever meet are theatre geeks. It would help if you could give a few more details about what's really going on.
But using a gun would be a MISTAKE. This will not make things better, it will only make it worse. You'll spend the rest of your life in jail around people who are far, far worse then what you get in school. Absolutely nothing positive will come from physical violence at a school setting.
Trust me, these people will pay eventually. After 10 years of doing labor or working retail they'll maybe making 25 or 30k. You'll be making much more living in a lifestyle that they can only dream about. Even when the economy is down nerds make more money, because we can do more.
Plus, some of them will change. I've had a couple of people tell me how sorry they were for how they treated me when I was younger. If you're serious reply to this post with more info. We'll help you through this. Things will get better. DO NOT RESORT TO VIOLENCE.
Secondly, when we wrote the DHCP LDAP option specs way back when, we explicitly documented this problem in the security section:
This was written in 1997, note the last paragraph above. These issues has been discusses and documented in several RFCs, many years ago...
-- Leif
If it happens that often maybe you should stop reading slashdot and concentrate more on doing your job correctly!
I've heard that Apple runs a x86 version that's parrallel to the current releases just in case they were to switch platforms someday. I would definately pay for OSX but I want to use my normal hardware. And I think Apple could even sell it and driver manufacturers would support it. ATI would have little trouble supporting the rest of their cards and many of them are mac compatible already.
APPLE Please get a clue you could tromp all over MS any day with our OS!!!
This and other statements like it definitely tinted it from simple reporting to an apparent attack, complete with the subliminal childish prat-calls.
Made it onto slashdot, didn't it? I'd say the tactic worked.
Congradulations! Unlike some other here, you actually read the articles before posting.
I think in order to educate the general users, such a rebuttal should be printed in the pages of which the original article was published on (pcmag). Maybe letters to the Editor?
But on the other hand, if someone writes an article saying how great it is to live in a sewer and you happen to live in a sewer you'd prolly feel good about your living situation. The writer of this article will probably argue that houses can have backed up toilets and so a house is just as stinky as a sewer.
If Lance wants to live in the sewer, let him write about it and feel good about his situation.
From the article:
Hmm, when I read this, I was intrigued and excited to see what the author had in mind. He then listed the following security differences:
Hmm, so which of these would require the "complete re-write" as the author claimed? None. Just about every service is turned off by default in newer versions of Windows. The newest version of IIS will not have to run as Administrator to work properly. DLL Hell has nothing to do with security, so I'm not sure why he went off on that tangent. Plus, the issue has been resolved nicely on WinXP for the most part. Plus, as more applications moved to managed code, it won't be an issue. Mess ups with the patching have nothing to do with the internals of the OS. DRM is another tangent he goes off on that has nothing to do with security. The interdependencies and tying together of Windows Media, etc. is just about the only point he really makes. Again though, this isn't an issue with the internals of the OS that would require a complete rewrite of the OS.
Ultimately, I have a feeling that the author knows very little about the internals of the Windows OS. Claiming that a complete rewrite is the only way to secure Windows is a laughable claim that reveals him to be quite ignorant.
Forget the whales - save the babies.
> Is my computer possessed?
yes.
The one slide that describes everything is available here. ;-)
(Converted to PDF, though. Distributed under these terms.)
“Wait for Hurd if you want something real” –Linus
No, you just chose a shitty OS.
Execute the following in a terminal on your OSX system, and you will see:
At least on 10.2, the root directory is writable by the admin group.
Furthermore, when the OSX installer creates the first user on the system, this user is automatically added to said admin group. This means that a Joe Blow (l)user can write to the root directory (bearing the sticky bit limitations in mind).
Apple has circumvented the traditional UNIX security mechanisms, and added this "admin" functionality that really doesn't fit within the BSD environment. UNIX has already been vulnerable to an avalanche of buffer overflow vulnerabilities over the years; weakening a security model that has already had significant difficulties is a questionable practice.
Apple's policies on OS upgrades and patches are also not entirely to my liking.
Personally, I would avoid OSX on a critical system. Sun would be roasted alive if they tried something like a writable root directory in Solaris.
Macs CAN get viruses
which viruses would these be? there are still no virii that attack mac os x.
WTF? Are you comparing Linux to Mac OS X now? Come on, at least have an argument worth arguing over! WIth Linux, where are the applications? What about a usable GUI? How about kick ass hardware? Linux has none of the above, huh? GOtta love it when the Linux shitheads come out of the woodwork to denounce Mac "zealots" but ignore their own idiotic zealotry to do it.
No, mac use is open to all homosexuals
B/c the point I was making wasn't directly tied to the content as much as people seem to think it was. That the rebuttal simply attributed what the orignal author said to be jealous zealotry and etc. can simply be explained by misinformation and lack of knowledge on the original authors part. I thought my post made it clear what it was about about but if not, there it is in black and white.
...will release a secure operasting system Real Soon Now! So what if their last 95,102 attempts failed. They have said they are going to get serious about it! So there!!!!!
--- Ban humanity.
Personally, I feel like the word "commentary" implies that the text will be more analytical, akin to a news analysis piece, than merely an "opinion". But that's just my opin-- well, you get the idea.
"See, that wasn't too hard, was it?"
Nope, it was just unecessary to the point I was trying to make.
usenet's an OS now? :)
...or the equivalent number of ethernet cards, SCSI controllers, supported chipsets, etc. OSX can be stable because the hardware platform is under control.
Apple is also organized as a hardware company. They would have to sell much, much more software to stay alive.
They would probably die in the conversion to x86, and they would end up producing an OS than ran on a small subset of the available systems anyway.
And as you can get an OSX-capable system for under $100, why complain? The cost to try it out is negligable.
Tone absolutely has a lot to do with it. However you can't safely assume more malice out of your example. Some people are just more blunt than others and don't doctor up their posts in hopes that most people won't be offended. They either don't care or don't realize that their tone can put people off sometimes.
You can make a reasonably justified assumption of malice out of the tone of the first article but you can't discount the fact that his malice is tied to lack of knowledge which is the point of my post.
Never let your enemies anger you and never hate your enemies. And don't always count people with differing opinions as your enemies.
And after that article, I'm thinking that my next computer purchase might be a Mac.
Egads.
http://use.perl.org
Oh yeah.. Two replies from AC's and your point is proven, right?
You really AREN'T a smart guy, are ya? Not at all.
Unless... Of course! Lance! It's you!
Cheers, chubbs!
notice how the pro PC article just rails on and on about the security flaw, but doesn't mention that there isn't any malware going around to exploit it like in windoze. and how it was fixed promptly within a week. and even if there was malware, how far could it really go in a *nix environment????
"You never want a serious crisis to go to waste." - Rahm Emanuel
Somedays I wonder if the bad hackers have given MS-windows undue attention, and hence it has a larger share of security attacks. It seems that OSX or and any *nix hasn't received the kind attention of bad hackers and hence are apparently more "secure"!!!
The advice you were given is still wise and still stands. Why bother to comment on a situation you admittedly know nothing about? Do you honestly think you've added anything of value to this discussion?
Just because there hasn't been a Mac OS X virus YET doesn't mean that there WON'T be one. The functional part of the sentence (read it again) is that "Macs CAN [expressing potential] get viruses". Read my original posting above and think about it: You bought ENHANCED SECURITY, not COMPLETE SECURITY (currently not available on any market). True: the Mac OS is much more security conscious than Windows, but that doesn't mean that it doesn't have its own vulnerabilities. Mac Fan(atic)s and the assorted zealots need to recognize that their systems may still be vulnerable and that while they can probably sleep easier at night than Windows users, they shouldn't buy into the marketing hype of the Mac "image" and get complacent about OS security. Luckily for all of you, there are folks out there finding the Mac OS vulnerabilities and making sure that they are secured, so that you can have as little in common with Windows users as possible.
As near as I can tell, your point can be rephrased as follows:
"I've never read the article you're talking about, but you have to admit that your interpretation might be inaccurate."
While this is technically true, it's laughable at best and quite content-free.
Never once did I admit to knowing nothing. Simply that I hadn't fully read the articles. That doesn't mean I hadn't read the articles at all. It means that I felt I hadn't read them well enough to make a complete decision on whether author a was just running his mouth or whether he actually had a good point or whether he just thought he had a good point.
I don't know if I added anything of value to the discussion but I do know I said what I wanted to say and that's enough for me. That the original post generated some extra discussion is also a bonus. I'd rather a post of mine get -1: Flamebait and have 50 responses, half of them being interesting ones than get a post modded to +5: anything and have no responses at all to it.
Jamie? Is that you?
"...Unix-based Mac OS X system firewall simple enough protection for most users -- is enabled by default (in Mac OSX Server)..."
Actually, in all versions of server up to and including Jaguar, no, it isn't.
Not upgraded our XServe to Panther yet so I can't speak for that - anyone know if this is the default (for Panther SERVER)?
Panther Workstation does not start it by default. (Well not on my PowerBook after upgrade from Jaguar it didn't anyway).
Original article: "I have a microphone, and you don't, so YOU WILL LISTEN TO ME!"
Rebuttal: "I too have a microphone, so you will listen to ME!"
Do you know if any system other than OS/X had this vulnerability? From my (rather quick) reading of this, it seems this is a natural and seemingly benificial result of DHCP design and that plenty of Unix systems would have had this written into them as well. But nobody has mentioned any. Is this bug really unique to Apple?
While the original article's criticism may not have come from "zealous hate", it certainly didn't come from impartial journalism. This and other statements like it definitely tinted it from simple reporting to an apparent attack, complete with the subliminal childish prat-calls.
It's called a "commentary"
(
Commentary
By Lance Ulanoff
PC Magazine
)
It drives eyeballs to the article. It's not like he's writing under for Associated Press about war crimes in Africa so let's please leave our expectations for impartial journalism at the door.
Its brilliant! Windows safer by design will prove that everyone is at least as insecure as they are! Bammo! Acceptably secure operating system.
I smell a Monty Python skit in here somewhere!
Quack, quack.
How about I rephrase it in a short burst for you straight from the horses mouth.
"I have not fully read the articles enough to feel I can make a judgement on the original authors intent and as such am taking the viewpoint that the original author may have just been ill-informed rather than the rebuttal authors viewpoint seems to be as his rebuttal ".
Now, summed up that shortly, it doesn't completely say what I wanted to say but since you insist on summing things up, there's the best I can do for right now.
hehe banner ads. you crack me up!
Never say never. Ah!! I did it again!
Me? I'm giving away free money!
And where, and where is the Batman!?
He's at home washing his tights
So not anyone who flies balloons!
Perhaps for the unintentional irony of saying that some people are misinformed and "like spewing their mouths off" and then, two sentences later, admitting to being uninformed. Comedy gold!
OK...can agree that Win32 systems hold the market dominance at home, but in the corporate world you'll find a mixture of systems with critical systems being non-Win32 (in favor of *NIX, Mainframe, etc...).
If what you say is true that Win32 systems are popular, then it should have the resources to develop a quality product that can't be exploited by a 12 year old with some free time on their hands.
"Who's crowing now?"
Stay alert!
Trust no one!
Keep your laser handy!
Trust The Computer.
The Computer is your friend.
I guess that is the question. I don't think that they do, but after thinking about it I think that History has shown us that they do. Ok, but how can you get your rebuttal heard without starting a flame war? Looking at our political system, and everyone elses for that matter, I don't know if anyone has ever figured that out. Stupid Society.
Well.. maybe. Or Maybe not. But Definitely not sort of.
I get the feeling that merely suggesting that Mac OS X feels less pain from viruses, trojans, and other nasties in part because it has a smaller market share would result in this sort of response
So is Mac OS X less of a target because of smaller market share? Yes.
The original authour, like yourself, is confusing 2 things here, and this is why you see so many rebuttals to these sort of comments. A larger market share makes anything a bigger target. Duh. Anyone can figure that out. The problem is, it's a meaningless statement. People get so uppity about it because a bigger target != less secure.
The fact of the matter is, being a bigger target does not mean you're going to be compromised more often, which is what we're worried about when we talk security. If it did, Apache would be spitting out Code Reds and Nimdas every other month. Being a bigger target simply means people are going to TRY to compromise you more often.
Remember kids, we don't evaluate the security of something based on attempts. We evaluate it based on SUCCESSFUL attempts. This is why the "if Linux/Unix/BSD/OSX/Commodore 64 had a bigger market, it would be as insecure as Windows" argument is a fallacy, and why it gets rebutted every time.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
http://www.pcmag.com/author_bio/0,3055,a=204,00.as p
Macs CAN get virii. True. However, I was one of the first ten people in the world to identify the mac WDEF virus in 1990-1991. I've followed the virus trail since 1989 to this day on macs and pcs. I even did virus protection for fortune 500 companies once.
.exe to a coworker?
PCs are open holes with regards to virii.
Macs are a dream in this respect. Even the old OS 9 & lesser.
Obscurity DOES play a part. A small part. The win 95/98 verisons of windows that are STILL being used are horrors. The newer versions are much better (Me, 2000, XP) but still, the win computer ships with the doors unlocked and open. And the solutions made to close them are subpar. What if I WANT to email a
I could regail you with tales of the reocurring Scsvr/brasil/ops32 virus at our old office but and all the times our pcs went down but I won't. The time wasted cost us enough.
The original reporter is a bitter man who is upset that the one part of the mac he chooses to address is much better than the same area on the pc and is despirate to "fight back" and say "nyah, nyah, I tooold you" to the mac crowd, painting them as elitist pinkie pointing beret toting espresso drinkers.
We need more rebuttals like the one that started this thread. I know many who claim that "less macs = less mac virii you stooge" without closely examining the situation.
At last check, there were about 60 mac virii. At most 100.
How many win virii are there out there? 50 thousand? 60 thousand?
The more the correct message gets published by competent professionals, the less win/mac virii FUD will be going around.
Cheers,
- Zav - Imagine a Beowulf cluster of insensitive clods...
...once, Apple said it, and advertized it, but I'll say it again:
... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme. [There is a certain level of implicit trust of the local network that is assumed.]
This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3.
This functionality - yes, functionality - has been in Mac OS X and its predecessors for YEARS. Just because all of a sudden someone paints it as a root exploit does not make it so. This is nothing like the standard fare of Windows remote exploits, some of which can be exploited against unpatched machines from any location on earth, at will, remotely, at any time, against any unprotected vulnerable machine. This "exploit" requires that a roque DHCP server be set up on your local network (!), and that a machine be rebooted (or otherwise perform a DHCP request) in this malicious environment. I repeat: just calling something a root exploit does not make it so.
Perhaps it's time to have a larger discussion about how much you can really trust your local network infrastructure services, be they in a home environment or in a corporate setting, because that's what this is really about.
Should Mac OS X have this default behavior?
What are the tradeoffs?
And so on.
I just find the distinct lack of understanding of this issue astounding.
(Note: and no, this isn't an issue of Apple glossing over something by calling something a "feature" when it's really an "exploit", as you could argue for some of MS's exploits. This really is a feature, and one that can be taken advantage of by rogue services on your network...like just about anything can in one way or another. If you're being affected by this so-called "exploit", you've got bigger problems on your hands...)
Having been through the pain of using Authenticode to sign ActiveX controls and creating Windows Install packages, I can tell you the security built into Windows can work if you configure it correctly. Having been hit with seven virii on my home machine, I can tell you the security built into Windows can work IF YOU CONFIGURE it correctly. :)
Windows Updates shouldn't reset security settings, that's obvious. But I've seen Linux defended with comments like "well, the default settings on that distro start all services known to man," etc. If you don't use a preview window in Outlook, you're halfway there. Don't run with admin privs.
Granted, the author did more work than the article he was rebutting...the author of the original article really sounds like a jackass. But it comes down to the same thing: Google for Windows security tips and you can have a secure system.
I disagree. And yes, I read both articles.
I thought the PC magazine article was about as useful as the Viagra Spam in my Inbox. I use Linux, MacOS X, and Windows XP Pro.
I've had as many BSOD's on my XP (1 so far) as I have for my Mac OS X. I think that they are both useful Systems. BUT, I dread the problems of the Windows world. I just don't have them in the MAC world. Viruses and worms and security breeches seemingly galor.
The tone of the PC mag article was that of a guy bragging about how shitty your new car is because the rear view mirror got knocked off. A minor security hole that could be fixed without a patch by following some instructions provided by Apple. (And yes I read up on the security issue) It wasn't about how the MAC community (there is such a thing?) is in need of an attitude adjustment so much as it was a "HA HA! Looks who's in the shit now!!!" article. It was designed to provoke and it did.
I figured that somebody would calmly and precisely explain to Mr. Pot that, yes the Kettle is black in places too, but that the pot is all black, crusty, in need of an overhaul, and leaks frequently. And from the Cook's point of view, the kettle is in much better shape.
Creative Spelling Copyright (2002). May use without Persimmons
I am a technologist (biotechnology, genetic engineering and the like), and i can tell you that I've learned alot in the three and a half years I spent in school to get that title. What exactly are you useful for? Your attitude makes it difficult to take you seriously.
Lance Ulanoff's original article was utterly infantile. This was a nicely-written rebuttal, but the obviously ignorant, frustratingly boneheaded Ulanoff will probably not get the point.
Mac Elite man with hand in pocket feel cocky all day!
Is how many people, when they write about OS X credit Apple with coming up with the secure design or other features. If anyone should be credited, it should be the people who develop FreeBSD, because that is the real reason why OS X is secure.
SIGFAULT
No, it's also popular with artsy bi chicks.
Fornos' analysis is a bit flawed in the aspect of admin privileges, I think. Just last week, I needed to fix something on a Mac that I didn't have admin privilege for. It took only 5 minutes (plus physical control of the machine) to give my (network) account admin privileges.
"This is a fundamental point of epistomology."
Actually, it's a fundamental point of
"epistemology" - for those of us who are
illiterate and need correct spelling to
look up and determine the meaning of
such highbrow wordings.
LOL
Funny how that computer seemed to have pretty good security...
"I'm not paranoid because they're out to get me so much as the fact that my last name is 9."
--- Submission is feudal.
The only fanatics I've ran accross in the MacOSX World are the AntiMac Fanatics.
There's some kind of fundamental truth there. For example: I was a vegetarian for a decade, and during that time I noticed there was a type of person who looked upon my eating habits as a personal attack. These people would try to drag me into an argument about how I wasn't enough protein, etc. I realized I couldn't win: If I shrug it off, I'm a mindless cultist. If I try to disabuse them of their notions, I'm a fanatic.
Later I started eating meat and bought a Mac, and now I run into the OS version of these people.
One man's -1 Flamebait is another man's +5 Funny.
In a controlled environment, Windows admins can install trusted packages onto user's machines remotely, removing the need for regular users to do so.
Right. But the biggest problems on the net today stem from the home Windows PCs that n00bs run with a single user account that has admin rights.
Having to seesaw between a limited-privilege user account and an admin account is far too much hassle for people who can't even be bothered to click a button to turn on their built-in firewall.
You know how I spent my day today? Installing Spybot Search & Destroy on about 50 Windows 2000 workstations at a client my company just picked up. Those machines were utterly infested with all kinds of shit that was surrepetitously installed by God knows what. The most infested machine had 536(!) different tracking cookies, adware/spyware items, and porn dialers scattered around/buried on it. There was so much shit starting up in the background at boot time that it was about 7 minutes from I pressed the power button until I could actually DO something on the machine-- this on hardware that should boot Win2k in about 2 minutes. That kind of shit simply cannot happen on a Mac.
Don't spread more FUD. You claim there are 60 to 100 "mac virii." What you really meant is that there were viruses for MacOS 9. There are NO known MacOS X viruses.
http://www.securityfocus.com/archive/1/347578
You have gotten several mac zealots to throw their mod points away on your post and the replies chastising you for considering the possibility that the original person who DARED to suggest the Mac is not the most perfect creation we have ever seen was not an evil henchman of Bill Gates! We thank you for your service. Way to take one for the team. ;)
Get a life pal. What's the hell is wrong with you people!? You're a fucken retard if you're not going to take him seriousily because of his "name-calling". Ulanoff is clearly an idiot. He deserves to be called names. Besides, he wasn't even name calling. He said Ulanoff was whining, etc. He didn't call him any names. Can't you just reveal in the greatness of the rebuttal instead of looking at something wrong with it you pretentious assholes. Eat dicks... all of you.
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
Although for a good linux/mac system, none of that junk would execute with priveleges, meaning that the most it could do would be to spew stuff without damaging anything locally. I'm also not sure what Mac's better firewall system and such would prevent from running.
I tell ya, tho, I know what you're saying. The bane of my existence on the few machines I take care of at work is the morons who install that frigging adware crap.
-Looking for a job as a materials chemist or multivariat
This guy obviously works at MS. Kill him!
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
Umm.
I'm just curious, this is like the famous stopped watch at the train station problem.
How would a Mac OS X machine get a virus. Do you know? What vulnerbilities in the system would permit it to gain one? How you would go about constructing one?
Yes, it is possible. Yes, I know how. I'm curious if you are basing your statement off of anything other than an apologist mantra. I see a lot of that around here.
"I'm not a zealot, BUT...."
Slashdot. It's Not For Common Sense
"security through obscurity" - what Lance is referring to toward the end of his article - doesn't work.
Just a reminder to everyone of why this fundamentally matters. The point is that if security depends on the secrecy of the mechanism, then any exposure of that mechanism puts all users of the mechanism at risk.
If only the secrecy of the key is important to security, then the exposure of a key is only a risk to the users of that particular key. Users of other keys are not affected.
Auguste Kerchoffs discussed this principle in 1883, so it's not exactly news. But it seems that senior people at Microsoft are still actively ignoring it in their quest to promote their software.
Closed source has no fundamental security advantages over open source. The best that we as security experts can can say is that it may offer some transient advantage, but at a very high cost if it is ever exposed or reverse engineered.
Windows is better than nothing.
Windows will be better than totally secure!
-- Stephen.
Usenet is all and everything. The Matrix has you.
There are two rules for success:
1. Never tell everything you know.
That would be 38% according to Google, by the way. That study you're misquoting only surveyed a small sample of a specific market segment.
Ugh, how many times to people have to explain this... google browser stats are a very poor meter of OS distribution... for two reasons. First of all, the average work PC sits in your dentist's office or your architect's drafing room. It's not often used for web searching, that's generally done at home or in businesses/schools that do a lot of research. Secondly, google users tend to a more up to date with technology than the average computer user. They don't have msn.com set as their home page, no are they using the same computer they "invested in" six years ago.
I have a Bachelor of Technology and would never call myself a technologist. I am also entitled to call myself an engineer but don't bother thanks to IT companies ruining the term (would you like fries with your MCSE?).
Apache runs 67%, whereas IIS runs 22% of all webservers, according to netcraft. That's why we hear about so many critical Apache vulnarablilities every couple of months, right?
Well, if default settings in OS X made Lance Ulanoff excited, this is going to give him wet dreams... SecurityFocus's Bugtraq mailing list just posted this. The message seems to indicate other exploits exist but were not mentioned. The exploit in question appears to deal with Apple's ISO 9660 file system implementation. No word on whether "Max" alerted Apple or anyone outside of the Bugtraq mailing list though.
Don't trust vendors that won't let you audit their code.
.. *grin*
Open source is 100% audit friendly.
Mind you, a proper Audit means Auditing everything.
I wouldn't want to be the sucker that has to audit the whole damn Kernel, most of userspace, gcc, libc
It requires a local user to initiate the process. A remote host can't execute the attack on its own.
It is cowardly, and a betrayal of whatever it means to be a Jew, to act as a white man
-James Baldwin
I remember an old saying that went something like this:
Microsoft Windows is a 32 bit operating environment based on a 16 bit operating systems for a 8 bit processor developed from a 4 bit calculator by a 2 bit company which doesn't make 1 bit of sense.
Not quite the original, but you get the idea!
And the $30-$50 a month ISP charge since you have to be online all the time to get the weekly patch.
See what eaing meat brought you to using a Mac
Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
I'm get a permission denial.
Maybe they fixed the problem?
I meant the "collective mac OSes" from day one 'till today since I was comparing mac virii to win virii on the "collective windows OSes".
It would be unfair to compare OS X to all windows versions. There are old macs not running OS X out there as there are old win boxes running 98 & the like.
It would be interesing to compare modern windows OS virii to modern mac OS virii. But I don't know where to start on the win side.
There are virii for mac OS X IF you count the MS word macro viruses. But as you mentioned, I don't know of any OS level viruses for OS X. Wonder if any unix worms might count?
- Zav - Imagine a Beowulf cluster of insensitive clods...
There are no homosexuals, only homosexual acts, like what I did to your daddy last night.
It is equally unfair to compare MacOS X to OS 9, they are different OSes. OS 9 is officially dead, just like Win95. I won't count Win95-specific viruses (if there is such a thing) against WinXP, so don't count OS9 viruses against OS X.
Unix worms have never hit MacOS X. Macro viruses don't count, they can't affect anything beyond the document. Most OS X users don't even have MSOffice or MSWord. And even if they did, the OS X version of Office is AFAIK the first version to have macro virus protection and have it turned on by default. It's a dead issue.
And while I'm being nitpicky here, FYI the plural of virus is viruses, not virii.
Take Ann Coulter -- not to pick sides, but just as the best example of this phenomenon that occurs to me. Coulter makes a big, long rant about how the New York Times didn't even cover Dale Earnhardt's death until days later into the centerpiece of one of her books. The Times, she says, didn't even run a story until days later, when they ran a snooty piece about how the Wal-Mart was silent in mourning. And so on. She's running down the Times in every possible way for its arrogance and elitism, and so on.
Al Franken, in his recent book, points out that this would be a great example for Ann to use, if only it were true. And he photocopies the front page of the Times the day after Earnhardt's death -- on which they ran a very large headline about the accident and Earnhardt's life.
Now, does it rank as a horrible insult and a discredit to his position that Franken includes Coulter among his list of "Liars"? Does it really discredit this guy's arguments when he describes the PC Magazine column by saying it "epitomizes the concept of yellow journalism"? To my mind, not if he makes that specific charge into more than a name. And he does -- he demonstrates how the PC Mag. article proceeded from its biases and manipulated the reader, seemingly out of malice and to promote a certain POV for its own sake.
Reading both opinion columns, this rebuttal was well within bounds. At most he fed a troll, but you know, a published troll is somehow fairer game than just anyone's /. post.
"Fundamentalism" isn't about divine morality. It's about human authority.
I suppose that things could be different for you CS folks, what with everyone and their dog having some kind of certification.
You seem to be off base here. Win 98 is supposed to be officially dead as well. But people still use it. I used OS 9 on Sunday and have a SCSI interface laptop running the speedy 8.5. My PC has win 98. My old office machine has 2000.
I do not have data to compare older mac OSes and older win OSes with regards to virus strains and I do not have the data to compare the new versions of each OS similarly. Therefore I can not honestly do a comparison at that depth. The only fair approach I can do is to approach the problem as a whole mac OS vs whole win OS issue. THAT SAID, both OS 9 and OS X have drastically lower numbers of viruses written for them. I'm sure we both agree on that.
You are wrong about macro viruses. A word glossary macro virus can (and has for me) disabled printing and saving for ANY opened word doc. This would definately be a problem for someone running classic on OS X.
Classic is for OS 9. Classis is still supported. You referring to it as a "dead" is incorrect. Apple still supports it through classic. In fact, the company producing Onadyme only has an OS 9 version. "I'm not dead yet".
The pural of virus is viruses in some cases and virii in others. My biology backgorund is showing. I'll tuck it in next time.
Virii = multiple strains.
Viruses = more than one of the same strain.
At least that's as I was taught in biology.
Cheers,
- Zav - Imagine a Beowulf cluster of insensitive clods...
You must mean the IT folk, last I checked there was no CS in a can degree out there.
-"I'm one of those Mac people that will break a bottle on the bar and hold it to your throat for bad-mouthing my system"
Exactly. IE rocks in that regard imho.
/*BEGIN self-thrashing RANT
For the last year, IE has been our self-admitted"-"mac-zealot"-employers' only way of finding a Mac node on our network, OS9 & Panther mix. (ironicly xserv-run network btw)
Plug'n-play-networking w/windows "out of the box" my arse.
And unlike our Win boxes, IF you are lucky enough to find another Mac on the network, you need a pass/user combo to access a dir.
Normal I know, but annoying, and costly in a production environ.
Everytime a win box wants to grab anything off another Mac machine, the Mac user has to setup a separate pseudo-shared pass/user protected folder, and copy the files there for us to grab.
On Windows, you right-click (no way! a multi-button mouse??? hehe.. yeah, a troll I know:) on any folder and make it shared.
And of story.
If any Mac folk wish to tell me wtf our "Mac-network-guy" is doing wrong, I'd be happy to tell him:)
Out of the box, a Mac can see others just fine. NOT the other way around as advertised by Apple MANY, MANY times.
(at least that was the bs our boss bought from his sales-retard at the Apple store)
END RANT*/
Where can I get a copy for my PC? Oh... You need a mac to run it... If mac users are so unhappy with windows why don't they uninstall it and use OS X? Ahh... You can't get Windows XP for a mac... What the hell are they arguing about then?
I ran a benchmark on my quantum computer, now I can't find it anywhere!
That syntax is wrong. You won't get any answers- nobody will read /*text inside comments*/. It's by definition irrelevant to the actual behavior of the program, so we just /*tune it out*/