Mac OS X Security Criticisms Countered
Paradox writes "In response to the recent PC Magazine story criticizing Mac OS X security, technologist/author Richard Forno has written a rebuttal criticizing the author and raising some good points about the fundamental differences between Windows and Mac OS X. Considering Lance Ulanoff's tone during his article, a rebuttal from the Mac OS X community was inevitable." Forno's conclusion: "Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of 'secure by design, default, and deployment'."
Though Forno is mostly correct in his assertions, I would take him MUCH more seriously if his argument wasn't riddled with immature name-calling.
"Ask not what your country can do for you." --John F. Kennedy
'In other words, you're either with him [Lance Ulanoff] or with the "zealots."'
If I have to choose sides, I'll go with the Zealots on this one. Apple's security and responses to breaches (so far) have been light years ahead of what I've dealt with from MS.
Tim
The PC Magazine story was just about that - a story.
It wasn't a report. It wasn't an account. It wasn't an investigation. It wasn't supported by facts. It wasn't supported by logic. It was an opinion piece that, from my view, wasn't well thought or well written.
It's unfortunate that people need to write rebuttals to this sort of journalism, but some naive readers out there will simply take it at face value because it's in print, so it must be true.
That's what all this school was for... to teach us how to solve our own problems. -- janeowit
"or wrong, never fully read it or the rebuttal"
so why comment on the relationship between the two if you are obviously misinformed and you admit it?
If you work in a place where "security is EVERYTHING", then you should know that trust is *not* the bottom line.
Don't trust vendors.
Don't trust open source.
Trust no one.
Audit.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
It's not too much of an assumption. The author of the original piece said he was glad that there was finally a big vulnerability for Mac OS, and that he was tired of Mac users looking smug when SAMS edition Conquer the Internet in 12 Hours Outlook viruses pass them over. The whole piece just had a tone of "I'm really sick of people bragging about Mac OS."
One of the great breakthroughs in safety design came when ships started to be built with compartments, which would prevent a single hull puncture from sinking the whole ship. (Sadly the Titanic's compartments were all aligned in one dimension, so when the puncture was very long, it compromised all compartments.)
One of my greatest concerns with MS's attitude towards the design of their "ships", especially Windows and Office, is that they are integrated way too much. So any security "puncture" spills over way too easily into the rest of the ship. As a very annoying side effect, one ends up rebooting for way too many MS patches. Why should I have to reboot if I patch my browser or e-mail client?
Of course, MSIE, Outlook and MS Office vulnerabilities have been a lot less worrying for me, since fully switching to Mozilla and OpenOffice over a year ago!
Firstly, my new office machine is a Dell with XP Pro. My home machines are an iBook with 10.3, and a ThinkPad with Mandrake 9.x (uptime near 60 days now). All 3 are stable machines that do what I want, when I want. The ThinkPad was the #1 machine until I had enough scratch to buy the iBook (apple.com does nice refurb sales from time to time). When Sobig and the other malicious worms of 2003 came out, my office was all Win98 machines and an NT 4.0 server. Due to reading /. and using Norton Antivirus, the only machines affected by the onslaught were the machines I was not "allowed" to touch (#1 computer guy {I am the secondary guy}, and the owner of the company {"I did that already"}). In short, you can run any of these machines safely, with most all of the latest software. It just helps if you are not an idiot.
PEBKAC
Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work.
Please observe that the term "security through obscurity" is often used in two slightly different meanings, one that obviously doesn't work and one that is at least not so obvious. Let me separate them:
THE ONE THAT OBVIOUSLY DOES NOT WORK is "let us make our system as obscure as possible by refusing to supply any extensive documentation to the public, not to mention the source code; the less anyone knows about our system the better". Microsoft often resorted (still resorts?) to this kind of "s-t-o" strategy. It doesn't work, because sooner or later the internal documentation will leak, malicious crackers will get it anyway and the bona fide hackers won't provide you with their valuable security alerts, patches etc. This meaning of "s-t-o" has actually nothing to do with the popularity of a given system - it's a matter of a vendor's strategy, not a market share.
THE ONE THAT IS NOT THAT OBVIOUS AFTER ALL is "let us maximize our security by choosing a system that is not-so-popular, so at least the script kiddies would have to do some homework before they could even try to log in to our network, not to mention use any actual exploits". To some extent it works - script kiddies by very definition go for an easy prey and a not-so-popular system is not one.
Now, please observe that MacOS X does indeed offer "s-t-o", but only in the latter, not-so-obvious meaning. In the first meaning, it is not obscure at all. Everything related to network, communications, protocols etc. is open in MacOS X - only the GUI layer is proprietary.
I don't like the "security through obscurity doesn't work" mantra just because it is a mantra - people seem to just repeat it, without backing it with any examples. In some cases it's obvious, but in some - it is not. Just wanted to clarify that.
I recently switched to Mac OS X from BeOS. In my experience chatting to the Mac community out there, they are not more fanatical than any other community. I've known car clubs who are more obsessive than the Macintosh community.
The only fanatics I've run across in the Mac OS X world are the anti-Mac fanatics. For whatever reason, these individuals *hate* Macs. Not just dislike Macs, but actively *hate* them, with a passion reminiscent of religious fundamentalists.
People who rebut these anti-Mac fanatics are labeled Mac zealots. This is only a half truth; they are really just qualifiers of the anti-Mac FUD.
Anti-OS sentiments aren't restricted to Mac OS, though. There are plenty of anti-MS, anti-Linux, anti-BSD and anti-[insert favourite OS here] fanatics. Are you one of them?
XP might be old, but it is what people are allowed to buy *now*, so your point does not apply. It is insecure *now* and it is being sold *now* (read, not discontinued or the like).
So, how about we give MS a chance and at least wait for them to release an OS under their "secure by design, default, and deployment" banner before we start ripping it. We may be pleasantly surprised (although I doubt it).
I have just installed a network of computers, loaded with MS software I just bought. I need to be secure now, not in 2-3 years time.
dani++
Macs CAN get virii. True. However, I was one of the first ten people in the world to identify the Mac WDEF virus in 1990-1991. I've followed the virus trail since 1989 to this day on Macs and PCs. I even did virus protection for Fortune 500 companies once.
PCs are open holes with regards to virii.
Macs are a dream in this respect. Even the old OS 9 & lesser.
Obscurity DOES play a part. A small part. The Win 95/98 versions of Windows that are STILL being used are horrors. The newer versions are much better (Me, 2000, XP) but still, the Win computer ships with the doors unlocked and open. And the solutions made to close them are subpar. What if I WANT to email a .exe to a coworker?
I could regale you with tales of the recurring Scsvr/brasil/ops32 virus at our old office and all the times our PCs went down, but I won't. The time wasted cost us enough.
The original reporter is a bitter man who is upset that the one part of the Mac he chooses to address is much better than the same area on the PC and is desperate to "fight back" and say "nyah, nyah, I tooold you" to the Mac crowd, painting them as elitist pinkie-pointing beret-toting espresso drinkers.
We need more rebuttals like the one that started this thread. I know many who claim that "less macs = less mac virii you stooge" without closely examining the situation.
At last check, there were about 60 mac virii. At most 100.
How many win virii are there out there? 50 thousand? 60 thousand?
The more the correct message gets published by competent professionals, the less win/mac virii FUD will be going around.
Cheers,
- Zav - Imagine a Beowulf cluster of insensitive clods...
...once, Apple said it, and advertised it, but I'll say it again:
... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme. [There is a certain level of implicit trust of the local network that is assumed.]
This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3.
This functionality - yes, functionality - has been in Mac OS X and its predecessors for YEARS. Just because all of a sudden someone paints it as a root exploit does not make it so. This is nothing like the standard fare of Windows remote exploits, some of which can be exploited against unpatched machines from any location on earth, at will, remotely, at any time, against any unprotected vulnerable machine. This "exploit" requires that a rogue DHCP server be set up on your local network (!), and that a machine be rebooted (or otherwise perform a DHCP request) in this malicious environment. I repeat: just calling something a root exploit does not make it so.
Perhaps it's time to have a larger discussion about how much you can really trust your local network infrastructure services, be they in a home environment or in a corporate setting, because that's what this is really about.
Should Mac OS X have this default behavior?
What are the tradeoffs?
And so on.
I just find the distinct lack of understanding of this issue astounding.
(Note: and no, this isn't an issue of Apple glossing over something by calling something a "feature" when it's really an "exploit", as you could argue for some of MS's exploits. This really is a feature, and one that can be taken advantage of by rogue services on your network...like just about anything can in one way or another. If you're being affected by this so-called "exploit", you've got bigger problems on your hands...)
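The post above turns on one fact: the client takes its directory-server configuration from whatever the DHCP server on the local segment hands it. The following is an added example, written for this page and not code from the thread or from Apple, showing how that hand-off looks on the wire and how one would spot it. It assumes the LDAP server URL travels in DHCP option 95 (the code RFC 3679 labels "LDAP"); which option a particular OS honours, and the "Use DHCP-supplied LDAP Server" checkbox the post mentions, are outside what this code touches. The two DHCP OFFER packets, their addresses (192.0.2.x, RFC 5737 documentation space) and the LDAP URL are constructed for the example.

```python
"""
Decode a DHCPv4 OFFER and flag any option that pushes directory-service
configuration to the client (here: option 95, LDAP).  Added example with
constructed packets; not code from the original thread.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 start-of-options marker
FIXED_HEADER_LEN = 236               # op..file fields of a DHCPv4 message

OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_LEASE_TIME, OPT_MESSAGE_TYPE, OPT_SERVER_ID = 51, 53, 54
OPT_LDAP = 95        # ASSUMED: RFC 3679 "LDAP" code carrying an LDAP URL
DHCPOFFER = 2

# Options that, if honoured, let the DHCP server choose who the client trusts.
DIRECTORY_OPTIONS = {OPT_LDAP: "ldap"}


def parse_options(area):
    """Walk the TLV option area (after the cookie) into {code: value}.

    PAD has no length byte, END stops the walk, repeated codes are
    concatenated (RFC 3396), and a length that overruns the buffer is an
    error rather than a silent truncation."""
    opts, i, n = {}, 0, len(area)
    while i < n:
        code = area[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= n:
            raise ValueError("option %d: missing length byte" % code)
        length = area[i + 1]
        start, end = i + 2, i + 2 + length
        if end > n:
            raise ValueError("option %d: length %d overruns message" % (code, length))
        opts[code] = opts.get(code, b"") + area[start:end]
        i = end
    return opts


def parse_dhcp(packet):
    """Minimal DHCPv4 decode: op, xid, offered address and the option map."""
    if len(packet) < FIXED_HEADER_LEN + 4:
        raise ValueError("packet shorter than a DHCP header")
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    return {"op": op, "xid": xid,
            "yiaddr": socket.inet_ntoa(packet[16:20]),
            "options": parse_options(packet[FIXED_HEADER_LEN + 4:])}


def audit_offer(packet):
    """Report who sent the offer and whether it pushes directory config."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    mtype = opts.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    sid = opts.get(OPT_SERVER_ID, b"")
    server = socket.inet_ntoa(sid) if len(sid) == 4 else None
    pushed = {name: opts[code].decode("ascii", "replace")
              for code, name in DIRECTORY_OPTIONS.items() if code in opts}
    return {"xid": msg["xid"], "message_type": mtype, "server": server,
            "offered_ip": msg["yiaddr"], "directory_config": pushed,
            "pushes_directory_config": bool(pushed)}


def build_packet(xid, yiaddr, options):
    """Constructed DHCP message: fixed header + cookie + (code, value) options."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)      # op=BOOTREPLY
    header += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)
    header += b"\x00" * 8                      # siaddr, giaddr
    header += b"\x00" * (16 + 64 + 128)        # chaddr, sname, file
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed sample traffic (not captured): a normal lease, and the same
# lease from a rogue server that also names an LDAP directory to trust.
_COMMON = [
    (OPT_MESSAGE_TYPE, bytes([DHCPOFFER])),
    (OPT_SUBNET_MASK, socket.inet_aton("255.255.255.0")),
    (OPT_ROUTER, socket.inet_aton("192.0.2.1")),
    (OPT_DNS, socket.inet_aton("192.0.2.53")),
    (OPT_LEASE_TIME, struct.pack("!I", 3600)),
]
BENIGN_OFFER = build_packet(0x1234, "192.0.2.10",
                            _COMMON + [(OPT_SERVER_ID, socket.inet_aton("192.0.2.1"))])
ROGUE_OFFER = build_packet(0x1234, "192.0.2.10",
                           _COMMON + [(OPT_SERVER_ID, socket.inet_aton("192.0.2.66")),
                                      (OPT_LDAP, b"ldap://192.0.2.66/dc=example,dc=invalid")])

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_OFFER), ("rogue", ROGUE_OFFER)):
        print(label, audit_offer(pkt))
```

Run on a real capture, `audit_offer` takes the UDP payload of a port 67/68 datagram; anything that returns `pushes_directory_config` true from a server ID you did not deploy is the situation the post describes, whether or not the client actually honours the option. The parser deliberately refuses truncated options instead of guessing, because an auditing tool that silently drops the last option on the wire would miss exactly the field it is looking for.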