Mac OS X Security Criticisms Countered
Paradox writes "In response to the recent PC Magazine story criticizing Mac OS X security, technologist/author Richard Forno has written a rebuttal criticizing the author and raising some good points about the fundamental differences between Windows and Mac OS X. Considering Lance Ulanoff's tone during his article, a rebuttal from the Mac OS X community was inevitable." Forno's conclusion: "Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of 'secure by design, default, and deployment'."
Tho Forno is mostly correct in his assertions, I would take him MUCH more seriously if his argument wasn't riddled with immature name-calling.
"Ask not what your country can do for you." --John F. Kennedy
'In other words, you're either with him [Lance Ulanoff] or with the "zealots."'
If I have to choose sides, I'll go with the Zealots on this one. Apple's security and responses to breaches (so far) have been light years ahead of what I've dealt with from MS.
Tim
The PC Magazine story was just about that - a story.
It wasn't a report. It wasn't an account. It wasn't an investigation. It wasn't supported by facts. It wasn't supported by logic. It was an opinion piece that, from my view, wasn't well thought or well written.
It's unfortunate that people need to write rebuttals to this sort of journalism, but some naive readers out there will simply take it at face value because it's in print, so it must be true.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
For instance, his reference to DLL Hell is outdated - Windows XP doesn't suffer from that issue.
Excuse me? Why not? If XP uses (or even supports) the same DLL system as previous versions of windows, I don't see any way you could avoid DLL hell other than careful control of where and how software is installed.
Javascript + Nintendo DSi = DSiCade
A blog entry (not mine) on the subject.
Enjoy.
is that Mac OS 9 was completely safe to the outside world. AFAIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen a remote vulnerability. Wasn't the army using a few G4 towers with Webstar as html servers? I wouldn't go back to 9 from 10.3 - but it was amazingly secure.
"or wrong, never fully read it or the rebuttal"
so why comment on the relationship between the two if you are obviously misinformed and you admit it?
If you work in a place where "security is EVERYTHING", then you should know that trust is *not* the bottom line.
Don't trust vendors.
Don't trust open source.
Trust no one.
Audit.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
It's not too much of an assumption. The author of the original piece said he was glad that there was finally a big vulnerability for Mac OS, and that he was tired of Mac users looking smug when SAMS edition Conquer the Internet in 12 Hours outlook viruses pass them over. The whole piece just had a tone of "I'm really sick of people bragging about Mac OS."
One of the great breakthroughs in safety design came when ships started to be built with compartments, which would prevent a single hull puncture to sink the whole ship. (Sadly the Titanic's compartments were all aligned in one dimension, so when the puncture was very long, it compromised all compartments).
One of my greatest concerns with MS attitude towards design of their "ships", especially Windows and Office is, that they are integrated way too much. So any security "puncture" spills over way too easily into the rest of the ship. As a very annoying side effect, one ends up re-booting for way too many MS patches. Why should I have to reboot, if I patch my browser or e-mail client?
Of course, MSIE, Outlook and MS Office vulnerabilities have been a lot less worrying for me, since fully switching to Mozilla and OpenOffice over a year ago!
Firstly, my new office machine is a Dell with XP Pro. My home machines are iBook with 10.3, and a ThinkPad with Mandrake 9.x (uptime near 60 days now). All 3 are stable machines that do what I want, when I want. The Thinkpad was the #1 machine until I had enough scratch to buy the iBook (apple.com does nice refurb sales from time to time). When sobig and the other malicious worms of 2003 came out, my office was all win98 machines, and an NT 4.0 server. Due to reading /. and using Norton Antivirus, the only machines affected by the onslaught were the machines I was not "allowed" to touch (#1 computer guy {I am the secondary guy}, and the owner of the company {"I did that already"}). In short, you can run any of these machines safely, with most all of the latest software. It just helps if you are not an idiot.
PEBKAC
I Use, Run and Endorse OS X Server. For home and office use. I was co-incidentally running a Lab similar to that root exploit and guess what OSX is a ::real unix:: it has an exploit. I couldn't replicate because I use Kerberos. But this is the first and only time that I have had my development box (OBJ C / Java), Workgroup Server AND desktop on the same HW. with no loss of data in about three years. :-> ). The only way to really be sure is to try the mac. Yes Apple has some ::Issues:: it was only a matter of time before people clued into the OS a year plan. But the money goes into REAL r&d that makes my sysAdmin at home and work so much easier. From time to time I get a hack attempt. But my mac is set up as a Win2K ActiveDirectory PDC and my logs keep me laughing. I hardly even boot my PC as it would be a real security risk.
In three years M$ will come out with supposedly secure computing, with more of an eye toward how to KEEP drm secure than how to prevent massive system intrusions violations. In the past seven years I have had none of this virus hype. It seems like the Mac users and the Linux users are having more in common every year (Except the OS X gets faster on the same HW).
So before you bash the OS the real question is do you run it? And if not when was the last time you were really happy with your OS?
-- P.S.> I will not go to Server 10.3 as I already implemented all of the documented features by 05/2003
--Shaddup and support your local PBS station Plan for it
Sorry, but that's a bug. It should error. Not failing (or at least indicating) the flaw is wrong.
Look at all the security holes because IE tries to "help" you with the type of a file.
You're confusing Microsoft propaganda ("we fixed DLL Hell!") with reality.
.NET may manage to avoid most of DLL Hell (except for all the caveats like ADO problems), but this is of limited help with the existing DLL hell (e.g., shell versions, which is a problem no one can fix but Microsoft, and they lack the money and incentive).
The reality is that new applications written specifically for
And I read the original article in the magazine when I got it. Contrary to the rebutter's opinion, I didn't see the article as "muckraking". The author may not be as well informed as he should be. Pointing out that a simple firewall is enabled by default and that changing system settings is more difficult in Mac OS X would have gone a long way toward mitigating this kind of response, but certainly would not have eliminated it. I get the feeling that merely suggesting that Mac OS X feels less pain from viruses, trojans, and other nasties in part because it has a smaller market share would result in this sort of response regardless of how well informed the journalist was about Macs.
I think the author of the original commentary article, Lance Ulanoff, is at least partially correct. I've seen other posts in this article thread stating that "security through obscurity doesn't work". Actually, it does, until the vulnerability is discovered. Does Mac OS X have undiscovered vulnerabilities? I can almost assure you it does. No programmer, no matter how intelligent, can ever come up with every sneaky, crafty, or just odd tactic that crackers will try.
So is Mac OS X less of a target because of smaller market share? Yes.
Is Mac OS X more secure in a default configuration than Windows XP? Yes.
It's really pretty simple when you look at it objectively. I maintain that if you have a normal doofus user setting up an OS, you have an unsecure OS, Windows or not.
// harborpirate
// Slashbots off the starboard bow!
Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work.
Please observe that the term "security through obscurity" is often used in two slightly different meanings, one that obviously doesn't work and one that is at least not so obvious. Let me separate them:
THE ONE THAT OBVIOUSLY DOES NOT WORK is "let us make our system as obscure as possible by refusing to supply any extensive documentation to the public, not to mention the source code; the less anyone knows about our system the better". Microsoft often resorted (still resorts?) to this kind of "s-t-o" strategy. It doesn't work, because sooner or later the internal documentation will leak, malicious crackers will get it anyway and the bona fide hackers won't provide you with their valuable security alerts, patches etc. This meaning of "s-t-o" has actually nothing to do with the popularity of a given system - it's a matter of a vendor's strategy, not a market share.
THE ONE THAT IS NOT THAT OBVIOUS AFTER ALL is "let us maximize our security by choosing a system that is not-so-popular, so at least the script kiddies would have to do some homework before they could even try to log in to our network, not to mention use any actual exploits". To some extent it works - script kiddies by very definition go for an easy prey and a not-so-popular system is not one.
Now, please observe that MacOS X does indeed offer "s-t-o", but only in the latter, not-so-obvious meaning. In the first meaning, it is not obscure at all. Everything related to network, communications, protocols etc. is open in MacOS X - only the GUI layer is proprietary.
I don't like the "security through obscurity doesn't work" mantra just because it is a mantra - people seem to just repeat it, without backing it with any examples. In some cases it's obvious, but in some - it is not. Just wanted to clarify that.
Yes, actually the ending sentence that comes right after that
Hmm. Suddenly it's gotten pretty quiet around here.
REALLY got on my nerves. Anyone who declares victory at the end of their own damn article...
and hell, Windows is the only OS I use on a daily basis, other than some Usenet in a Unix shell account.
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.
Remember when everyone's domains (including aol.com) were getting hijacked because the default security was so laughable? (sarcasm)Network Solutions, now there's some credentials.
I recently switched to MacOSX from BeOS. In my experience chatting to the Mac Community out there, they are not more fanatical than Any other Community. I've known Car Clubs who are more obsessive than the Macintosh Community.
The only fanatics I've run across in the MacOSX World are the AntiMac Fanatics. For whatever reason, these individuals *hate* Macs. Not just Dislike Macs, but actively *hate* them, with a passion reminiscent of Religious Fundamentalists.
People who rebut these AntiMac Fanatics are Labeled Mac Zealots. This is only a half truth, they are really just qualifiers of the AntiMac FUD.
Anti-OS sentiments aren't restricted to MacOS, though. There are plenty of AntiMS, AntiLinux, AntiBSD and Anti[insert favourite OS here] Fanatics. Are you one of them?
If it happens that often maybe you should stop reading slashdot and concentrate more on doing your job correctly!
This and other statements like it definitely tinted it from simple reporting to an apparent attack, complete with the subliminal childish prat-calls.
Made it onto slashdot, didn't it? I'd say the tactic worked.
XP might be old, but it is what people are allowed to buy *now*, so your point does not apply. It is insecure *now* and it is being sold *now* (read, not discontinued or the like).
So, how about we give MS a chance and at least wait for them to release an OS under their "secure by design, default, and deployment" banner before we start ripping it. We may be pleasantly surprised (although I doubt it).
I have just installed a network of computers, loaded with MS software I just bought. I need to be secure now, not in 2-3 years time.
dani++
Do not speak unless you can improve on the silence.
Enjoyez-vous.
:)
/.er out there take advantage of the euro / dollar exchange rate to buy an us mac? A 2000 dollars powerbook costs 3000 in France, given the exchange rate that's, well, a sweet commission for apple store france!
Ah nom de dieu c'est fou ce que je m'enjoie la, thanks dude, best cyber ever
Side note: Did any euro mac
notice how the pro PC article just rails on and on about the security flaw, but doesn't mention that there isn't any malware going around to exploit it like in windoze. and how it was fixed promptly within a week. and even if there was malware, how far could it really go in a *nix environment????
"You never want a serious crisis to go to waste." - Rahm Emanuel
I get the feeling that merely suggesting that Mac OS X feels less pain from viruses, trojans, and other nasties in part because it has a smaller market share would result in this sort of response
So is Mac OS X less of a target because of smaller market share? Yes.
The original author, like yourself, is confusing 2 things here, and this is why you see so many rebuttals to these sort of comments. A larger market share makes anything a bigger target. Duh. Anyone can figure that out. The problem is, it's a meaningless statement. People get so uppity about it because a bigger target != less secure.
The fact of the matter is, being a bigger target does not mean you're going to be compromised more often, which is what we're worried about when we talk security. If it did, Apache would be spitting out Code Reds and Nimdas every other month. Being a bigger target simply means people are going to TRY to compromise you more often.
Remember kids, we don't evaluate the security of something based on attempts. We evaluate it based on SUCCESSFUL attempts. This is why the "if Linux/Unix/BSD/OSX/Commodore 64 had a bigger market, it would be as insecure as Windows" argument is a fallacy, and why it gets rebutted every time.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Macs CAN get virii. True. However, I was one of the first ten people in the world to identify the mac WDEF virus in 1990-1991. I've followed the virus trail since 1989 to this day on macs and pcs. I even did virus protection for fortune 500 companies once.
.exe to a coworker?
PCs are open holes with regards to virii.
Macs are a dream in this respect. Even the old OS 9 & lesser.
Obscurity DOES play a part. A small part. The win 95/98 versions of windows that are STILL being used are horrors. The newer versions are much better (Me, 2000, XP) but still, the win computer ships with the doors unlocked and open. And the solutions made to close them are subpar. What if I WANT to email a
I could regale you with tales of the recurring Scsvr/brasil/ops32 virus at our old office and all the times our pcs went down but I won't. The time wasted cost us enough.
The original reporter is a bitter man who is upset that the one part of the mac he chooses to address is much better than the same area on the pc and is desperate to "fight back" and say "nyah, nyah, I tooold you" to the mac crowd, painting them as elitist pinkie pointing beret toting espresso drinkers.
We need more rebuttals like the one that started this thread. I know many who claim that "less macs = less mac virii you stooge" without closely examining the situation.
At last check, there were about 60 mac virii. At most 100.
How many win virii are there out there? 50 thousand? 60 thousand?
The more the correct message gets published by competent professionals, the less win/mac virii FUD will be going around.
Cheers,
- Zav - Imagine a Beowulf cluster of insensitive clods...
...once, Apple said it, and advertised it, but I'll say it again:
... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme. [There is a certain level of implicit trust of the local network that is assumed.]
This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3.
This functionality - yes, functionality - has been in Mac OS X and its predecessors for YEARS. Just because all of a sudden someone paints it as a root exploit does not make it so. This is nothing like the standard fare of Windows remote exploits, some of which can be exploited against unpatched machines from any location on earth, at will, remotely, at any time, against any unprotected vulnerable machine. This "exploit" requires that a rogue DHCP server be set up on your local network (!), and that a machine be rebooted (or otherwise perform a DHCP request) in this malicious environment. I repeat: just calling something a root exploit does not make it so.
Perhaps it's time to have a larger discussion about how much you can really trust your local network infrastructure services, be they in a home environment or in a corporate setting, because that's what this is really about.
Should Mac OS X have this default behavior?
What are the tradeoffs?
And so on.
I just find the distinct lack of understanding of this issue astounding.
(Note: and no, this isn't an issue of Apple glossing over something by calling something a "feature" when it's really an "exploit", as you could argue for some of MS's exploits. This really is a feature, and one that can be taken advantage of by rogue services on your network...like just about anything can in one way or another. If you're being affected by this so-called "exploit", you've got bigger problems on your hands...)
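The trust question raised in the comment above can be checked on the wire. The following is an added example, not part of the comment or of any Apple tooling: it parses a raw DHCP reply and flags replies that come from a server outside an allowlist or that supply a directory server. It assumes option code 95 (registered as LDAP in the IANA DHCP option list); the addresses, the LDAP URL and the `TRUSTED` allowlist are constructed sample values.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
OPT_PAD, OPT_END = 0, 255
OPT_SERVER_ID, OPT_LDAP = 54, 95             # 95 = LDAP in the IANA option registry


def parse_options(packet: bytes) -> dict:
    """Return {option code: value bytes} from a raw BOOTP/DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:                  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # split options concatenate
        i += 2 + length
    return opts


def audit_reply(packet: bytes, trusted_servers: set) -> list:
    """List reasons a DHCP reply deserves attention on this network."""
    opts = parse_options(packet)
    sid = opts.get(OPT_SERVER_ID, b"")
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown"
    findings = []
    if server not in trusted_servers:
        findings.append(f"unapproved DHCP server: {server}")
    if OPT_LDAP in opts:
        ldap = opts[OPT_LDAP].decode("ascii", "replace")
        findings.append(f"directory server supplied via DHCP by {server}: {ldap}")
    return findings


def build_reply(server_ip: str, ldap: str = "") -> bytes:
    """Constructed sample message: zeroed BOOTP header plus a few options."""
    header = bytes([2, 1, 6, 0]) + bytes(232)          # op=BOOTREPLY, Ethernet
    body = bytes([53, 1, 5])                            # message type: DHCPACK
    body += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    if ldap:
        body += bytes([OPT_LDAP, len(ldap)]) + ldap.encode("ascii")
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


TRUSTED = {"192.0.2.1"}                                # assumed site allowlist
if __name__ == "__main__":
    for pkt in (build_reply("192.0.2.1"),
                build_reply("192.0.2.66", "ldap://192.0.2.66/dc=example,dc=com")):
        print(audit_reply(pkt, TRUSTED) or "clean")
```

A reply from the approved server that carries the LDAP option still produces a finding, which is the case to review on networks that do not intend to hand out directory configuration over DHCP.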
Is how many people, when they write about OS X credit Apple with coming up with the secure design or other features. If anyone should be credited, it should be the people who develop FreeBSD, because that is the real reason why OS X is secure.
SIGFAULT
Considering that only about 8% of the windows users are running XP (95, 98 and 2000 are the majority), then his comments still stand. The recent spate of articles on MS dropping support for Win98 has posted the ratios quite clearly.
That would be 38% according to Google, by the way. That study you're misquoting only surveyed a small sample of a specific market segment.
Coming soon - pyrogyra
Thank you... more evidence that slashdot needs a flame resistant spell checker
:)
Ever think that maybe this was just a typo? They happen yanno. Not every mistake is made by a "low brow" trying to sound fancy. Some philosophers are just not good spellers
"All great wisdom is contained in .signature files"
Apache runs 67%, whereas IIS runs 22% of all webservers, according to netcraft. That's why we hear about so many critical Apache vulnerabilities every couple of months, right?