Mac OS X Security Criticisms Countered
Paradox writes "In response to the recent PC Magazine story criticizing Mac OS X security, technologist/author Richard Forno has written a rebuttal criticizing the author and raising some good points about the fundamental differences between Windows and Mac OS X. Considering Lance Ulanoff's tone during his article, a rebuttal from the Mac OS X community was inevitable." Forno's conclusion: "Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of 'secure by design, default, and deployment'."
...to pay your $699 licensing fee you cock-smoking teabaggers.
that only flaming homosexuals use mac?
boogers!
Muckraking, the PC Way
Richard Forno
12 Dec 03
Copyright (c) 2003 by Author. Permission granted to reproduce in entirety with credit given.
Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.
Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features. PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows-dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.
Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.
In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher Bill Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors.) Accordingly, Lance took this as a green light to launch into a snide tirade about how "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."
In other words, you're either with him or with the "zealots." Where have we seen this narrow-minded extremist view before?
More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26. Somehow he missed that.
Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.
The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. It's also something Microsoft unfortunately can't accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder." (That alone would seriously improve Windows security, methinks.)
At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesn't have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Win
I've been having trouble in school lately. The other kids won't leave me alone. Maybe it's my glasses, or that I'm better than them in math. I came home yesterday and cried. I know slashdotters have had to deal with this before. What did you do? My father has a handgun somewhere in his room. I've seen it before. THEY HAVE TO PAY, ALL OF THEM.
not much comparison when you start comparing your security to windows security.
I can't speak for sure what the motives were of the man who wrote the original article but based on this quote from the rebuttal article:
"Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy"
It seems that either he is a windows zealot ready to trounce anything non-windows or that the rebuttal author assumes this merely b/c he attacked Mac.
If it was the latter, don't make that assumption. Some people are just misinformed and like to go on spewing their mouths off on what they believe are exhaustively researched facts. There have been studies done in psychological research that show how people who are misinformed tend to not know that they are misinformed (in fact, I think one paper was a story on slashdot at one point).
Not to say the original article was right (or wrong, never fully read it or the rebuttal) but it's shortsighted to assume criticism comes from zealous hate.
Tho Forno is mostly correct in his assertions, I would take him MUCH more seriously if his argument wasn't riddled with immature name-calling.
"Ask not what your country can do for you." --John F. Kennedy
What's up, nerds?
the bottom line is which are you going to trust anyway? the only computer that i would fully trust to protect my stuff would be a gentoo linux box custom made for a specific purpose. Self patching and very few applications installed for a person to take advantage of. the bottom line is though XP and Mac OSX may be "secure" they're not secure enough for anything important. (in my humble opinion.) I also work at a place where security is EVERYTHING so i guess i see it different... This pointless blathering about security should convince no one of anything, especially when zealots are concerned.... I say use whatever works best for what you are doing. if you want REAL security, you shouldn't use either of those OSes
'In other words, you're either with him [Lance Ulanoff] or with the "zealots."'
If I have to choose sides, I'll go with the Zealots on this one. Apple's security and responses to breaches (so far) have been light years ahead of what I've dealt with from MS.
Tim
Apple Computer is the maker of the popular Macintosh line of computers. The real operating system hiding under the newest version of the Macintosh operating system (MacOS X) is called... Darwin! That's right, new Macs are based on Darwinism! While they currently don't advertise this fact to consumers, it is well known among the computer elite, who are mostly Atheists and Pagans. Furthermore, the Darwin OS is released under an "Open Source" license, which is just another name for Communism. They try to hide all of this under a facade of shiny, "lickable" buttons, but the truth has finally come out: Apple Computers promote Godless Darwinism and Communism.
But is this really such a shock? Lets look for a moment at Apple Computers. Founded by long haired hippies, this company has consistently supported 60's counter-cultural "values". But there are even darker undertones to this company than most are aware of. Consider the name of the company and its logo: an apple with a bite taken out of it. This is clearly a reference to the Fall, when Adam and Eve were tempted with an apple by the serpent. It is now Apple Computers offering us temptation, thereby aligning themselves with the forces of darkness.
This company is well known for its cult-like following. It isn't much of a stretch to say that it is a cult. Consider co-founder and leader Steve Jobs' constant exhortation through advertising (i.e. mind control) that its followers should "think different". We have to ask ourselves: "think different than whom or what?" The disturbing answer is that they want us to think different than our Christian upbringing, to reject all the values that we have been taught and to heed not the message of the Lord Jesus Christ!
Given the now obvious anti-Christian and cultish nature of Apple Computers, is it any wonder that they have decided to base their newest operating system on Darwinism? This just reaffirms the position that Darwinism is an inherently anti-Christian philosophy spread through propaganda and subliminal trickery, not a science as its brainwashed followers would have us believe.
Drill baby drill - on Mars
The PC Magazine story was just about that - a story.
It wasn't a report. It wasn't an account. It wasn't an investigation. It wasn't supported by facts. It wasn't supported by logic. It was an opinion piece that, from my view, wasn't well thought or well written.
It's unfortunate that people need to write rebuttals to this sort of journalism, but some naive readers out there will simply take it at face value because it's in print, so it must be true.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
That is a great article, but for some reason it feels like he didn't really do that much research. For instance, his reference to DLL Hell is outdated - Windows XP doesn't suffer from that issue.
Saying that, I have to make the statement that I am an OS X user, and I love it. The simple fact that it asks for my username and password when I try to install applications is a wonder in itself.
You could have found a fairly accurate rebuttal right here at . as well.
Minus the trolls and such.
My windows all have locks on them. Do your apples?
Contrary to his article, the small market segment held by Apple doesn't automatically make the Mac OS less vulnerable to attack or exploitation. Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work. In other words, if, as he suggests, Mac OS was the dominant operating system, its users would still enjoy an inherently more secure and trustworthy computing environment even if the number of attacks against it increased. That's because unlike Windows, Mac OS was designed from the ground up with security in mind. Is it totally secure? Nothing will ever be totally secure. But when compared to Windows, Mac OS is proving to be a significantly more reliable and (exponentially) more secure computing environment for today's users, including this security professional.
When you add value to BSD software? You out-perform Microsoft.
My linux box is a PC.
Frankly, Apple phreaks and Microsoft jocks deserve each other. They are like Republicans and Democrats; without each other they'd have no one to bait.
And why the hell does he think that I give a FUCK???
after his ATV crash.
The real question is, was he breathing on his own BEFORE the crash?
... missed both UNIX and BSD.
Now what except the GUI is so specific to OS X that one may write an article related to security without at least touching the root(s).
CC.
TaijiQuan (Huang, 5 loosenings)
PC Mag (and other MS type mags) are dominated by authors who are devoted to MS. It was a given that they are going to write in this fashion (same style of writing has been going on against Linux for years). I say, do not worry about it. They will be going away sooner rather than later.
I AM Saddam Hussein!!!
A blog entry (not mine) on the subject.
Enjoy.
Slashdot's first reaction to VMware
is that Mac OS 9 was completely safe to the outside world. AFAIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen a remote vulnerability. Wasn't the army using a few G4 towers with Webstar as html servers? I wouldn't go back to 9 from 10.3 - but it was amazingly secure.
That people pay him money to spew out crap like that (and that other people that are supposed to be fact-checking/editorially judging are as well) is truly depressing.
...right you are!
Blar.
MY asshole is secure by design. CmdrTaco's asshole, however, is intentioanlly wwide open.
...to pay your $129 mandatory security upgrade to 10.3 fee you cock-smoking teabaggers.
Are there any viruses/trojans for OS X?
I know there was the ssh deal a while back, but does anyone know of any remote r00ting of an OS X box anywhere?
If you work in a place where "security is EVERYTHING", then you should know that trust is *not* the bottom line.
Don't trust vendors.
Don't trust open source.
Trust no one.
Audit.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
Don't forget your yearly $120 upgrade fee, you cocksmoking teabaggers!
My security is a big ax. Just try breaking into my computer, and I will HACK you.
30% Troll, 50% Underrated, 10% Interesting
Score:5, Troll
I think Apple has shown the way Microsoft should follow if they wish to bring security and stability to the Windows platform. Apple migrated over to the underpinnings of BSD without compromising the distinctness that only Apple brings to the table. If Microsoft truly cared about "trustworthy computing," they'd shift their gears and concentrate on gluing the Windows GUI and other applications to whatever BSD platform they chose to annoint. After their acquisition last year (the VirtualPC crew), Microsoft has the talents necessary to bring decent emulation of older Windows flavors to their new products. But apparently they [Microsoft] are too stubborn for their own good. It sounds like Longhorn will now be delayed until 2006 or 2007, and every year they slip, the more people and institutions will slip away to Linux and OS X for the very ideal of "trustworthy computing" they profess. Windows is broken as an OS, but as a GUI "bundled" on top of BSD, it would prove to be the magic Microsoft's shareholders are now searching for. And since Microsoft has been infusing SCO with cash, Microsoft would be "safe" from any litigation from SCO in regard to BSD or Linux...
"Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*
You are right, of course. But expecting Forno to avoid name-calling would mean expecting him to avoid feeding the Troll. This one was so cute, and looked so hungry... Maybe just a LITTLE food would be okay...
Crap. Slashdot picked it up. So much for keeping the Troll population down this Christmas season!
This at least had some bullets that backed up the statements.
The PC Mag article read as a 'neener neener neener I hate you' article vs. something with content.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
or how I learned to love the bomb.
Personally I love windows. As the Net slave of a 500 user installed base of windows xp & w2k. I owe my job to MS's buggy code. Shop was Mac originally but I was able to convert them to W2K and assured my employment due to constant patching, viruses and security problems. Don't change MS! Keep me employed maintaining sub-par software!
You're bright, study chemistry. Or biology. Your yield will be higher, hence more efficient. And you stand a good chance at getting away scott free! Sure is a terrible thing about the lunch ladies not exercising proper food hygeine and giving botuluism to 1100 of your dear classmates.
Blockquoth the article:
Oh joy, now we can't even have a decent "Mac versus Windows" flamewar without someone spinning off into gratuitous political trolling. May they both rot in /dev/null...
"Never attribute to malice what can be explained by stupidity."
Maybe we deserve this world ?
I can counter anything by countering it. It means I'm a clever zealot. More at 11.
Snippets from the article: ..."system's FreeBSD foundation"... ..."the Unix-based Mac OS X system"... ..."not the same as the Unix 'root' account password"...
:)
You must be referring to the *original* article... the first makes no reference to BSD or UNIX. Based on that, I wholeheartedly agree with your assessment - I do not think that the original author had a real understanding of OS X, BSD, UNIX, or for that matter, even Windows.
We would never actually read a serious article of this nature because any person that takes the time to do a security review of Windows would find so many holes they would never finish their article. And they'd probably have to write it twice. And it would be posted on the internet before they could publish it.*
*I may have exaggerated slightly on the last few points
Hey, reading this is slow going. Anyone got a link to the PowerPoint slideshow version for dummies?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
One of the great breakthroughs in safety design came when ships started to be built with compartments, which would prevent a single hull puncture from sinking the whole ship. (Sadly the Titanic's compartments were all aligned in one dimension, so when the puncture was very long, it compromised all compartments).
One of my greatest concerns with MS attitude towards design of their "ships", especially Windows and Office is, that they are integrated way too much. So any security "puncture" spills over way too easily into the rest of the ship. As a very annoying side effect, one ends up re-booting for way too many MS patches. Why should I have to reboot, if I patch my browser or e-mail client?
Of course, MSIE, Outlook and MS Office vulnerabilities have been a lot less worrying for me, since fully switching to Mozilla and OpenOffice over a year ago!
... should be more worried about his Job security. f00l!
Firstly, my new office machine is a Dell with XP Pro. My home machines are iBook with 10.3, and a ThinkPad with Mandrake 9.x (uptime near 60 days now). All 3 are stable machines that do what I want, when I want. The Thinkpad was the #1 machine until I had enough scratch to buy the iBook (apple.com does nice refurb sales from time to time). When sobig and the other malicious worms of 2003 came out, my office was all win98 machines, and a NT 4.0 server. Due to reading /. and using Norton Antivirus, the only machines affected by the onslaught were the machines I was not "allowed" to touch (#1 computer guy {I am the secondary guy}, and the owner of the company {"I did that already"}). In short, you can run any of these machines safely, with most all of the latest software. It just helps if you are not an idiot.
PEBKAC
The original "commentary" was not just chock full of factual errors, improper syllogisms, et al. It was dripping with such a malice-filled glee at the notion that OS X might be as insecure as Windows that one has to wonder as to the real root of the author's problems. He mentions how angered he is by the laughing of OS X users every time he has to deal with another Windows virus/trojan/bug. Are "commentaries" like his the sad, pathetic result of not working on an OS that "just works"?
windows/system folder?
also - Win Server 2003 - ships with every service OFF.
bug ridden Explorer? say what you want about explorer and IE - but in my experience (web developer) IE can handle the most complicated of webpages - throw anything at it - it will display. Can't count the times Netscape bombs because there is an unclosed table in 500 lines of html
I realize this is an oft-repeated truism, and obscurity alone doesn't make a system truly secure...but it certainly helps. To make an analogy, I know of many friends who have been robbed, even when their valuables were well-locked. However, those who put their valuables in places thieves never think to look are generally the ones who keep them - good security is never perfect, and is generally at best a deterrent, at worst a challenge. Hell, security through obscurity is the whole basis for steganography, though most would recommend encryption as part of a "why not?" sort of preprocessing step.
As such, I think it's a given that Windows is at least less secure because of its market share. Whether Mac is more secure because of its obscurity is debatable - I'm sure there are a number of generic unix exploits that macs would suffer from, and the general unix community is very high profile.
-Looking for a job as a materials chemist or multivariat
I Use, Run and Endorse OS X Server. For home and office use. I was co-incidentally running a Lab similar to that root exploit and guess what OSX is a ::real unix:: it has an exploit. I couldn't replicate because I use Kerberos. But this is the first and only time that I have had my development box (OBJ C / Java), Workgroup Server AND desktop on the same HW. with no loss of data in about three years. :-> ). The only way to really be sure is to try the mac. Yes Apple has some ::Issues:: it was only a matter of time before people clues into the OS a year plan. But the money goes into REAL r&d that makes my sysAdmin at home and work so much easier. From time to time I get a hack attempt. But my mac is set up as an Win2K ActiveDirectory PDC and my logs keep me laughing. I hardly even boot my PC as it would be a real security risk
In three years M$ will come out with supposedly secure computing, with more of an eye toward how to KEEP drm secure than how to prevent massive system intrusions violations. In the past seven years I have had none of this virus hype. It seems like the Mac users and the Linux users are having more in common every year (Except the OS X gets faster on the same HW
So before you bash the OS the real question is do you run it. And if not when was the last time you were really happy with your OS
-- P.S.> I will not go to Server 10.3 as I already implemented all of the documented features by 05/2003
--Shaddup and support your local PBS station Plan for it
There are after all literally hundreds, maybe thousands of Macs on the Internet these days. Imagine if a significant portion of them were compromised. The ensuing chaos would be a huge problem for Mac and Windows users alike.
Lance Ulanoff's article wasn't actually that bad - it only produced a rebuttal because, as he correctly implied, large numbers of Apple users do tend to fall into the moronic zealot category - see Slashdot for examples. They've held the same superiority complex since the introduction of the Macintosh - and now with the release of OS X we have the ignorant blighters hanging around Slashdot. I've nothing against OS X/Apple but really loathe a large component of its users who make Pavlov's dogs seem rational. Trying to have a reasonable discussion with many Apple users is like asking a drunk for directions.
To sum up, this whole issue might be described as - "Two bald men fighting over a comb !".
However, Solaris is a fantastic car... food... er... movie.
To: Richard Forno
From: Lance Ulanoff
Subject: Re: Mac Security
YHL YHBT HAND
my point is kinda the lesser of two evils. who do you trust the most. and that is ALWAYS laced with your own responsibility. if you hire a body guard and trust him to protect you then you had better remember to pay him his wages. just as you'd better remember to keep an eye on everything and make sure everything is up to date...
News stories are supposed to be based on fact, or have factual content (not that there is ever completely bias free journalism). Editorials are based on opinion.
Unfortunately the original story was an editorial, but not presented as such.
This may be off topic, but I am running Afterstep 1.6 and you guys seem like a pretty smart bunch so I thought I'd give you a try.
I (finally) got my linux going again (I got a new computer for Christmas and was fretting over drivers and X servers and the like). I grabbed XFree86 ver 3.3.3 and got it working (STB nVidia TNT 16 meg video card). But there's one strange problem. When I run X and open a terminal window, about once a minute a single ` character (the un-shifted tilde ~) appears in the terminal. Right where I would be typing in commands. It even sometimes puts them in right while I am typing. I don't even have to be at the computer doing anything. If I leave for a few minutes and come back, there will be a row of a dozen of them. This behavior does not happen if I don't run x and just stay in plain linux. It turns out that the ` characters appear in the terminal every 70 seconds like clockwork, but only if the terminal window has the focus. If it doesn't have the focus, the characters are not stored in a buffer, so that when xterm does get the focus again, there is not a quick stream of a bunch of them. I have double-checked my keyboard entries in /etc/XF86Config and I have tried both the Microsoft setting and the pc102 settings. neither helped (I have one of those funky split keyboards. I don't know if it is a "true Microsoft natural" keyboard, but it is brand new. I got it with my new dell computer). Finally, this only happens in terminal windows. It does not happen in text editors or anything else. It will however happen in any application that runs "full screen" in the terminal (like pico).
Is my computer possessed?
Skip
You're confusing Microsoft propaganda ("we fixed DLL Hell!") with reality.
.NET may manage to avoid most of DLL Hell (except for all the caveats like ADO problems), but this is of limited help with the existing DLL hell (eg, shell versions, which is a problem no one can fix but Microsoft, and they lack the money and incentive).
The reality is that new applications written specifically for
And I read the original article in the magazine when I got it. Contrary to the rebutter's opinion, I didn't see the article as "muckraking". The author may not be as well informed as he should be. Pointing out that a simple firewall is enabled by default and that changing system settings is more difficult in Mac OS X would have gone a long way toward mitigating this kind of response, but certainly would not have eliminated it. I get the feeling that merely suggesting that Mac OS X feels less pain from viruses, trojans, and other nasties in part because it has a smaller market share would result in this sort of response regardless of how well informed the journalist was about Macs.
I think the author of the original commentary article, Lance Ulanoff, is at least partially correct. I've seen other posts in this article thread stating that "security through obscurity doesn't work". Actually, it does, until the vulnerability is discovered. Does Mac OS X have undiscovered vulnerabilities? I can almost assure you it does. No programmer, no matter how intelligent, can ever come up with every sneaky, crafty, or just odd tactic that crackers will try.
So is Mac OS X less of a target because of smaller market share? Yes.
Is Mac OS X more secure in a default configuration than Windows XP? Yes.
It's really pretty simple when you look at it objectively. I maintain that if you have a normal doofus user setting up an OS, you have an unsecure OS, Windows or not.
// harborpirate
// Slashbots off the starboard bow!
It is odd that a writer would make comparisons between OS X and Windows. I seem to remember the world's computer systems grinding to a halt a few months ago due to Windows only worms, including Fortune 500 Companies, Government networks, and thousands of small businesses. In total I bet these worms cost the United States alone $10 billion in lost productivity and computer repair costs. Now I seem to forget the last time Macintosh had any severe problems that affected anyone seriously. I know this is flamebait for you Windows fans that disregard the Windows worms like it was all a holocaust type conspiracy to make light of your beloved Windows. To all those conspiracy theorists out there, I love you man.
- Kill Yourself, spare us all! -
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As one of the local Network specialists at Macbidouille, I have never heard of a single rooted Mac user, even though a number came and alarmingly asked about strange network behaviour, when all they really had was ISP DNS problems or firewall misconfiguration.
There's also the casual shot at Mac antivirus software that only have definitions for PC-specific viruses.
And IIRC the recent ssh vulnerabilities did not affect Mac OS X (they affected OpenSSH 3.7 and 3.7.1, not the version provided by Apple).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQE/3hkF76Zattu5F5URAqV/AJ4rovUhMjucZ1dZTKj
pTy2e+aiWuwkaIFRkrOaErM=
=zAhE
Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of "secure by design, default, and deployment."
That is true, right now, but it is not a fair comparison.
Look, I'm no MS fan, but they have not released an operating system since they started their "trustworthy" initiative. The Windows operating systems being discussed are old (WinXP came out in 2001), and obviously full of holes--so full of holes that MS had to start this whole focus on security.
So comparing anything to an admittedly weak and insecure operating system is just plain silly. Everyone knows Windows is insecure. Saying MacOSX is more secure than Windows means nothing, and in fact makes OSX security look comparable to that of Windows when in fact it is far better (regardless of what that PCMagazine moron wants to believe).
So, how about we give MS a chance and at least wait for them to release an OS under their "secure by design, default, and deployment" banner before we start ripping it. We may be pleasantly surprised (although I doubt it).
My summary of the situation:
- Nothing is totally secure, if it's at all useful.
- Windows is demonstrably NOT secure. It's been riddled with nasty bugs for years.. and for Joe Average, WHY doesn't matter.
- OS X is without question far more secure than windows, and less buggy. That is not to say it's immune, or that it can't be hurt ever, but several factors both in low-level design, and in user interface design, specifically how easily users can turn on and off certain services, makes it less prone to exploits.
- Yes, it has a smaller market share, and hence, less attention is focused on it, and that certainly IS a factor.. but it doesn't change the fact that mac users don't have to worry about viruses on a daily basis at the moment. It also isn't the only factor, and hardly means "Oh it's just as insecure as windows"
The #1 insecurities in windows are related to bad design... and a narrow interpretation of how the computer will be used in a network environment. Having all these services listening by default is bad. Having them difficult to shut off is even worse.
The provided blog entry is very interesting. Author cites relevant RFCs, great stuff. Miles from the bullshit the PC-Magazine idiot is saying.
Next paragraph, he complains that Windows's out-of-the box config (leaving so many things running) is bad. I agree. MS is improving in that area; WS2k3 is much better. Not being able to stop/disable RPC is an issue, however. I don't know what's so hard about disabling services anyway. You can even do it from the command line; just tell users to go Start->Run and type "sc stop messenger" to stop messenger, and "sc config messenger start= disabled" to disable it.
The next paragraph about installation is bogus. It is crappy installation programs that overwrite system files, and system file protection (min win2k) makes it a non-issue. I wish there was an example of a patch doing all of those things to configuration, since I don't know what he is talking about.
Don't like media player? Don't use it. There are plenty of alternatives; I recommend Winamp 2.
Many of the security concerns he points out are easily remedied by not running everything under admin, or at least avoiding crapware. What do you mean, unlike Windows? You have to be an admin to install mostly anything, or change most computer settings on Windows.
I used the app access control panel in Windows to use Mozilla, and it works fine. There is nothing forcing you to use MS Media Player, Outlook Express, or IE for the internet. It IS more work to use a different shell than explorer (which uses IE a lot), but there are alternatives to that too.
Yes, 'Trustworthy Computing' is a thin marketing slogan, but the issues the author tries to bring up are a combination of unsubstantiated and easy to work around.
Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.
Remember when everyone's domains (including aol.com) were getting hijacked because the default security was so laughable? (sarcasm) Network Solutions, now there's some credentials.
I recently switched to MacOSX from BeOS. In my experience chatting to the Mac Community out there, they are not more fanatical than any other Community. I've known Car Clubs who are more obsessive than the Macintosh Community.
The only fanatics I've run across in the MacOSX World are the AntiMac Fanatics. For whatever reason, these individuals *hate* Macs. Not just Dislike Macs, but actively *hate* them, with a passion reminiscent of Religious Fundamentalists.
People who rebut these AntiMac Fanatics are Labeled Mac Zealots. This is only a half truth, they are really just qualifiers of the AntiMac FUD.
Anti-OS sentiments aren't restricted to MacOS, though, There are plenty of AntiMS, AntiLinux, AntiBSD and Anti[insert favourite OS here] Fanatics. Are you one of them?
Secondly, when we wrote the DHCP LDAP option specs way back when, we explicitly documented this problem in the security section:
This was written in 1997, note the last paragraph above. These issues have been discussed and documented in several RFCs, many years ago...
-- Leif
I've heard that Apple runs a x86 version that's parallel to the current releases just in case they were to switch platforms someday. I would definitely pay for OSX but I want to use my normal hardware. And I think Apple could even sell it and driver manufacturers would support it. ATI would have little trouble supporting the rest of their cards and many of them are mac compatible already.
APPLE Please get a clue you could tromp all over MS any day with our OS!!!
Congratulations! Unlike some others here, you actually read the articles before posting.
I think in order to educate the general users, such a rebuttal should be printed in the pages of which the original article was published on (pcmag). Maybe letters to the Editor?
But on the other hand, if someone writes an article saying how great it is to live in a sewer and you happen to live in a sewer you'd prolly feel good about your living situation. The writer of this article will probably argue that houses can have backed up toilets and so a house is just as stinky as a sewer.
If Lance wants to live in the sewer, let him write about it and feel good about his situation.
From the article:
Hmm, when I read this, I was intrigued and excited to see what the author had in mind. He then listed the following security differences:
Hmm, so which of these would require the "complete re-write" as the author claimed? None. Just about every service is turned off by default in newer versions of Windows. The newest version of IIS will not have to run as Administrator to work properly. DLL Hell has nothing to do with security, so I'm not sure why he went off on that tangent. Plus, the issue has been resolved nicely on WinXP for the most part. Plus, as more applications moved to managed code, it won't be an issue. Mess ups with the patching have nothing to do with the internals of the OS. DRM is another tangent he goes off on that has nothing to do with security. The interdependencies and tying together of Windows Media, etc. is just about the only point he really makes. Again though, this isn't an issue with the internals of the OS that would require a complete rewrite of the OS.
Ultimately, I have a feeling that the author knows very little about the internals of the Windows OS. Claiming that a complete rewrite is the only way to secure Windows is a laughable claim that reveals him to be quite ignorant.
Forget the whales - save the babies.
The one slide that describes everything is available here. ;-)
(Converted to PDF, though. Distributed under these terms.)
“Wait for Hurd if you want something real” –Linus
Execute the following in a terminal on your OSX system, and you will see:
At least on 10.2, the root directory is writable by the admin group.
Furthermore, when the OSX installer creates the first user on the system, this user is automatically added to said admin group. This means that a Joe Blow (l)user can write to the root directory (bearing the sticky bit limitations in mind).
Apple has circumvented the traditional UNIX security mechanisms, and added this "admin" functionality that really doesn't fit within the BSD environment. UNIX has already been vulnerable to an avalanche of buffer overflow vulnerabilities over the years; weakening a security model that has already had significant difficulties is a questionable practice.
Apple's policies on OS upgrades and patches are also not entirely to my liking.
Personally, I would avoid OSX on a critical system. Sun would be roasted alive if they tried something like a writable root directory in Solaris.
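The command this comment ran did not survive on this page. As an added example (not the poster's command, and not part of the thread), the following script reports the same facts the comment discusses for any directory: whether the owning group or everyone can write to it, whether the sticky bit limits that, and whether the invoking user belongs to the owning group. The function name `audit_dir_write` and its output format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. audit_dir_write and its
# key=value output format are hypothetical names chosen for illustration.

audit_dir_write() {
    target=$1
    if [ ! -d "$target" ]; then
        echo "error: not a directory: $target" >&2
        return 2
    fi

    # ls -ldn is used instead of stat because stat's options differ between
    # BSD/macOS and GNU. -n prints numeric ids, so a group name containing
    # spaces cannot shift the fields.
    fields=$(ls -ldn "$target" | awk '{print $1 " " $4}')
    mode=${fields% *}
    gid=${fields#* }

    # Mode string layout "drwxrwxrwx": char 6 = group write,
    # char 9 = other write, char 10 = t or T when the sticky bit is set.
    group_w=no; other_w=no; sticky=no
    if [ "$(printf '%s' "$mode" | cut -c6)" = "w" ]; then group_w=yes; fi
    if [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]; then other_w=yes; fi
    case $(printf '%s' "$mode" | cut -c10) in
        t|T) sticky=yes ;;
    esac

    # Is the invoking user a member of the group that owns the directory?
    member=no
    for g in $(id -G); do
        if [ "$g" = "$gid" ]; then member=yes; fi
    done

    # Write permission on a directory allows creating entries. Without the
    # sticky bit it also allows deleting or renaming entries owned by others.
    if [ "$other_w" = yes ] && [ "$sticky" = no ]; then
        finding="any-user-can-create-and-delete"
    elif [ "$other_w" = yes ]; then
        finding="any-user-can-create"
    elif [ "$group_w" = yes ] && [ "$sticky" = no ]; then
        finding="group-can-create-and-delete"
    elif [ "$group_w" = yes ]; then
        finding="group-can-create"
    else
        finding="owner-only"
    fi

    echo "gid=$gid group_writable=$group_w world_writable=$other_w sticky=$sticky caller_in_group=$member finding=$finding"
}

# Audit the root directory, the case discussed in the comment above.
audit_dir_write /
```

A result of `finding=group-can-create` together with `caller_in_group=yes` on `/` corresponds to the situation the comment describes; `finding=owner-only` means only the directory's owner can add entries.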
The problem is that because of the popularity of Windows everyone is exploiting its security holes. I didn't even know that Mac OS exists anymore... so why would anyone bother to exploit its security holes if very few people are using it ... same goes with Linux. It is a lot more tempting to attack Windows because it is installed on most of the home computers. I would guess that anyone who has enough resources is able to break into any system.
...will release a secure operating system Real Soon Now! So what if their last 95,102 attempts failed. They have said they are going to get serious about it! So there!!!!!
--- Ban humanity.
Personally, I feel like the word "commentary" implies that the text will be more analytical, akin to a news analysis piece, than merely an "opinion". But that's just my opin-- well, you get the idea.
...or the equivalent number of ethernet cards, SCSI controllers, supported chipsets, etc. OSX can be stable because the hardware platform is under control.
Apple is also organized as a hardware company. They would have to sell much, much more software to stay alive.
They would probably die in the conversion to x86, and they would end up producing an OS that ran on a small subset of the available systems anyway.
And as you can get an OSX-capable system for under $100, why complain? The cost to try it out is negligible.
And after that article, I'm thinking that my next computer purchase might be a Mac.
Egads.
http://use.perl.org
notice how the pro PC article just rails on and on about the security flaw, but doesn't mention that there isn't any malware going around to exploit it like in windoze. and how it was fixed promptly within a week. and even if there was malware, how far could it really go in a *nix environment????
"You never want a serious crisis to go to waste." - Rahm Emanuel
Some days I wonder if the bad hackers have given MS-windows undue attention, and hence it has a larger share of security attacks. It seems that OSX or any *nix hasn't received the kind of attention of bad hackers and hence are apparently more "secure"!!!
"...Unix-based Mac OS X system firewall simple enough protection for most users -- is enabled by default (in Mac OSX Server)..."
Actually, in all versions of server up to and including Jaguar, no, it isn't.
Not upgraded our XServe to Panther yet so I can't speak for that - anyone know if this is the default (for Panther SERVER)?
Panther Workstation does not start it by default. (Well not on my PowerBook after upgrade from Jaguar it didn't anyway).
Original article: "I have a microphone, and you don't, so YOU WILL LISTEN TO ME!"
Rebuttal: "I too have a microphone, so you will listen to ME!"
Do you know if any system other than OS/X had this vulnerability? From my (rather quick) reading of this, it seems this is a natural and seemingly beneficial result of DHCP design and that plenty of Unix systems would have had this written into them as well. But nobody has mentioned any. Is this bug really unique to Apple?
While the original article's criticism may not have come from "zealous hate", it certainly didn't come from impartial journalism. This and other statements like it definitely tinted it from simple reporting to an apparent attack, complete with the subliminal childish prat-calls.
It's called a "commentary"
(
Commentary
By Lance Ulanoff
PC Magazine
)
It drives eyeballs to the article. It's not like he's writing for Associated Press about war crimes in Africa so let's please leave our expectations for impartial journalism at the door.
It's brilliant! Windows safer by design will prove that everyone is at least as insecure as they are! Bammo! Acceptably secure operating system.
I smell a Monty Python skit in here somewhere!
Quack, quack.
hehe banner ads. you crack me up!
Never say never. Ah!! I did it again!
Me? I'm giving away free money!
And where, and where is the Batman!?
He's at home washing his tights
So not anyone who flies balloons!
"Who's crowing now?"
Stay alert!
Trust no one!
Keep your laser handy!
Trust The Computer.
The Computer is your friend.
I guess that is the question. I don't think that they do, but after thinking about it I think that History has shown us that they do. Ok, but how can you get your rebuttal heard without starting a flame war? Looking at our political system, and everyone else's for that matter, I don't know if anyone has ever figured that out. Stupid Society.
Well.. maybe. Or Maybe not. But Definitely not sort of.
I get the feeling that merely suggesting that Mac OS X feels less pain from viruses, trojans, and other nasties in part because it has a smaller market share would result in this sort of response
So is Mac OS X less of a target because of smaller market share? Yes.
The original author, like yourself, is confusing 2 things here, and this is why you see so many rebuttals to these sort of comments. A larger market share makes anything a bigger target. Duh. Anyone can figure that out. The problem is, it's a meaningless statement. People get so uppity about it because a bigger target != less secure.
The fact of the matter is, being a bigger target does not mean you're going to be compromised more often, which is what we're worried about when we talk security. If it did, Apache would be spitting out Code Reds and Nimdas every other month. Being a bigger target simply means people are going to TRY to compromise you more often.
Remember kids, we don't evaluate the security of something based on attempts. We evaluate it based on SUCCESSFUL attempts. This is why the "if Linux/Unix/BSD/OSX/Commodore 64 had a bigger market, it would be as insecure as Windows" argument is a fallacy, and why it gets rebutted every time.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
http://www.pcmag.com/author_bio/0,3055,a=204,00.asp
...once, Apple said it, and advertized it, but I'll say it again:
... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme. [There is a certain level of implicit trust of the local network that is assumed.]
This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3.
This functionality - yes, functionality - has been in Mac OS X and its predecessors for YEARS. Just because all of a sudden someone paints it as a root exploit does not make it so. This is nothing like the standard fare of Windows remote exploits, some of which can be exploited against unpatched machines from any location on earth, at will, remotely, at any time, against any unprotected vulnerable machine. This "exploit" requires that a rogue DHCP server be set up on your local network (!), and that a machine be rebooted (or otherwise perform a DHCP request) in this malicious environment. I repeat: just calling something a root exploit does not make it so.
Perhaps it's time to have a larger discussion about how much you can really trust your local network infrastructure services, be they in a home environment or in a corporate setting, because that's what this is really about.
Should Mac OS X have this default behavior?
What are the tradeoffs?
And so on.
I just find the distinct lack of understanding of this issue astounding.
(Note: and no, this isn't an issue of Apple glossing over something by calling something a "feature" when it's really an "exploit", as you could argue for some of MS's exploits. This really is a feature, and one that can be taken advantage of by rogue services on your network...like just about anything can in one way or another. If you're being affected by this so-called "exploit", you've got bigger problems on your hands...)
Having been through the pain of using Authenticode to sign ActiveX controls and creating Windows Install packages, I can tell you the security built into Windows can work if you configure it correctly. Having been hit with seven virii on my home machine, I can tell you the security built into Windows can work IF YOU CONFIGURE it correctly. :)
Windows Updates shouldn't reset security settings, that's obvious. But I've seen Linux defended with comments like "well, the default settings on that distro start all services known to man," etc. If you don't use a preview window in Outlook, you're halfway there. Don't run with admin privs.
Granted, the author did more work than the article he was rebutting...the author of the original article really sounds like a jackass. But it comes down to the same thing: Google for Windows security tips and you can have a secure system.
I am a technologist (biotechnology, genetic engineering and the like), and I can tell you that I've learned a lot in the three and a half years I spent in school to get that title. What exactly are you useful for? Your attitude makes it difficult to take you seriously.
Lance Ulanoff's original article was utterly infantile. This was a nicely-written rebuttal, but the obviously ignorant, frustratingly boneheaded Ulanoff will probably not get the point.
Mac Elite man with hand in pocket feel cocky all day!
Is how many people, when they write about OS X credit Apple with coming up with the secure design or other features. If anyone should be credited, it should be the people who develop FreeBSD, because that is the real reason why OS X is secure.
SIGFAULT
Forno's analysis is a bit flawed in the aspect of admin privileges, I think. Just last week, I needed to fix something on a Mac that I didn't have admin privilege for. It took only 5 minutes (plus physical control of the machine) to give my (network) account admin privileges.
"This is a fundamental point of epistomology."
Actually, it's a fundamental point of
"epistemology" - for those of us who are
illiterate and need correct spelling to
look up and determine the meaning of
such highbrow wordings.
LOL
Funny how that computer seemed to have pretty good security...
"I'm not paranoid because they're out to get me so much as the fact that my last name is 9."
--- Submission is feudal.
The only fanatics I've run across in the MacOSX World are the AntiMac Fanatics.
There's some kind of fundamental truth there. For example: I was a vegetarian for a decade, and during that time I noticed there was a type of person who looked upon my eating habits as a personal attack. These people would try to drag me into an argument about how I wasn't getting enough protein, etc. I realized I couldn't win: If I shrug it off, I'm a mindless cultist. If I try to disabuse them of their notions, I'm a fanatic.
Later I started eating meat and bought a Mac, and now I run into the OS version of these people.
One man's -1 Flamebait is another man's +5 Funny.
In a controlled environment, Windows admins can install trusted packages onto user's machines remotely, removing the need for regular users to do so.
Right. But the biggest problems on the net today stem from the home Windows PCs that n00bs run with a single user account that has admin rights.
Having to seesaw between a limited-privilege user account and an admin account is far too much hassle for people who can't even be bothered to click a button to turn on their built-in firewall.
You know how I spent my day today? Installing Spybot Search & Destroy on about 50 Windows 2000 workstations at a client my company just picked up. Those machines were utterly infested with all kinds of shit that was surreptitiously installed by God knows what. The most infested machine had 536(!) different tracking cookies, adware/spyware items, and porn dialers scattered around/buried on it. There was so much shit starting up in the background at boot time that it was about 7 minutes from when I pressed the power button until I could actually DO something on the machine-- this on hardware that should boot Win2k in about 2 minutes. That kind of shit simply cannot happen on a Mac.
http://www.securityfocus.com/archive/1/347578
Get a life pal. What the hell is wrong with you people!? You're a fucken retard if you're not going to take him seriously because of his "name-calling". Ulanoff is clearly an idiot. He deserves to be called names. Besides, he wasn't even name calling. He said Ulanoff was whining, etc. He didn't call him any names. Can't you just revel in the greatness of the rebuttal instead of looking at something wrong with it you pretentious assholes. Eat dicks... all of you.
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
Although for a good linux/mac system, none of that junk would execute with privileges, meaning that the most it could do would be to spew stuff without damaging anything locally. I'm also not sure what Mac's better firewall system and such would prevent from running.
I tell ya, tho, I know what you're saying. The bane of my existence on the few machines I take care of at work is the morons who install that frigging adware crap.
-Looking for a job as a materials chemist or multivariat
This guy obviously works at MS. Kill him!
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
"security through obscurity" - what Lance is referring to toward the end of his article - doesn't work.
Just a reminder to everyone of why this fundamentally matters. The point is that if security depends on the secrecy of the mechanism, then any exposure of that mechanism puts all users of the mechanism at risk.
If only the secrecy of the key is important to security, then the exposure of a key is only a risk to the users of that particular key. Users of other keys are not affected.
Auguste Kerckhoffs discussed this principle in 1883, so it's not exactly news. But it seems that senior people at Microsoft are still actively ignoring it in their quest to promote their software.
Closed source has no fundamental security advantages over open source. The best that we as security experts can say is that it may offer some transient advantage, but at a very high cost if it is ever exposed or reverse engineered.
Windows is better than nothing.
Windows will be better than totally secure!
-- Stephen.
Usenet is all and everything. The Matrix has you.
There are two rules for success:
1. Never tell everything you know.
That would be 38% according to Google, by the way. That study you're misquoting only surveyed a small sample of a specific market segment.
Ugh, how many times do people have to explain this... google browser stats are a very poor meter of OS distribution... for two reasons. First of all, the average work PC sits in your dentist's office or your architect's drafting room. It's not often used for web searching, that's generally done at home or in businesses/schools that do a lot of research. Secondly, google users tend to be more up to date with technology than the average computer user. They don't have msn.com set as their home page, nor are they using the same computer they "invested in" six years ago.
I have a Bachelor of Technology and would never call myself a technologist. I am also entitled to call myself an engineer but don't bother thanks to IT companies ruining the term (would you like fries with your MCSE?).
Well, if default settings in OS X made Lance Ulanoff excited, this is going to give him wet dreams... SecurityFocus's Bugtraq mailing list just posted this. The message seems to indicate other exploits exist but were not mentioned. The exploit in question appears to deal with Apple's ISO 9660 file system implementation. No word on whether "Max" alerted Apple or anyone outside of the Bugtraq mailing list though.
Don't trust vendors that won't let you audit their code.
.. *grin*
Open source is 100% audit friendly.
Mind you, a proper Audit means Auditing everything.
I wouldn't want to be the sucker that has to audit the whole damn Kernel, most of userspace, gcc, libc
It requires a local user to initiate the process. A remote host can't execute the attack on its own.
It is cowardly, and a betrayal of whatever it means to be a Jew, to act as a white man
-James Baldwin
See what eating meat brought you to using a Mac
Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
I get a permission denial.
Maybe they fixed the problem?
I meant the "collective mac OSes" from day one 'till today since I was comparing mac virii to win virii on the "collective windows OSes".
It would be unfair to compare OS X to all windows versions. There are old macs not running OS X out there as there are old win boxes running 98 & the like.
It would be interesting to compare modern windows OS virii to modern mac OS virii. But I don't know where to start on the win side.
There are virii for mac OS X IF you count the MS word macro viruses. But as you mentioned, I don't know of any OS level viruses for OS X. Wonder if any unix worms might count?
- Zav - Imagine a Beowulf cluster of insensitive clods...
It is equally unfair to compare MacOS X to OS 9, they are different OSes. OS 9 is officially dead, just like Win95. I won't count Win95-specific viruses (if there is such a thing) against WinXP, so don't count OS9 viruses against OS X.
Unix worms have never hit MacOS X. Macro viruses don't count, they can't affect anything beyond the document. Most OS X users don't even have MSOffice or MSWord. And even if they did, the OS X version of Office is AFAIK the first version to have macro virus protection and have it turned on by default. It's a dead issue.
And while I'm being nitpicky here, FYI the plural of virus is viruses, not virii.
Take Ann Coulter -- not to pick sides, but just as the best example of this phenomenon that occurs to me. Coulter makes a big, long rant about how the New York Times didn't even cover Dale Earnhardt's death until days later into the centerpiece of one of her books. The Times, she says, didn't even run a story until days later, when they ran a snooty piece about how the Wal-Mart was silent in mourning. And so on. She's running down the Times in every possible way for its arrogance and elitism, and so on.
Al Franken, in his recent book, points out that this would be a great example for Ann to use, if only it were true. And he photocopies the front page of the Times the day after Earnhardt's death -- on which they ran a very large headline about the accident and Earnhardt's life.
Now, does it rank as a horrible insult and a discredit to his position that Franken includes Coulter among his list of "Liars"? Does it really discredit this guy's arguments when he describes the PC Magazine column by saying it "epitomizes the concept of yellow journalism"? To my mind, not if he makes that specific charge into more than a name. And he does -- he demonstrates how the PC Mag. article proceeded from its biases and manipulated the reader, seemingly out of malice and to promote a certain POV for its own sake.
Reading both opinion columns, this rebuttal was well within bounds. At most he fed a troll, but you know, a published troll is somehow fairer game than just anyone's /. post.
"Fundamentalism" isn't about divine morality. It's about human authority.
I suppose that things could be different for you CS folks, what with everyone and their dog having some kind of certification.
You seem to be off base here. Win 98 is supposed to be officially dead as well. But people still use it. I used OS 9 on Sunday and have a SCSI interface laptop running the speedy 8.5. My PC has win 98. My old office machine has 2000.
I do not have data to compare older mac OSes and older win OSes with regards to virus strains and I do not have the data to compare the new versions of each OS similarly. Therefore I can not honestly do a comparison at that depth. The only fair approach I can do is to approach the problem as a whole mac OS vs whole win OS issue. THAT SAID, both OS 9 and OS X have drastically lower numbers of viruses written for them. I'm sure we both agree on that.
You are wrong about macro viruses. A word glossary macro virus can (and has for me) disabled printing and saving for ANY opened word doc. This would definitely be a problem for someone running classic on OS X.
Classic is for OS 9. Classic is still supported. You referring to it as "dead" is incorrect. Apple still supports it through classic. In fact, the company producing Onadyme only has an OS 9 version. "I'm not dead yet".
The plural of virus is viruses in some cases and virii in others. My biology background is showing. I'll tuck it in next time.
Virii = multiple strains.
Viruses = more than one of the same strain.
At least that's as I was taught in biology.
Cheers,
- Zav - Imagine a Beowulf cluster of insensitive clods...
You must mean the IT folk, last I checked there was no CS in a can degree out there.
-"I'm one of those Mac people that will break a bottle on the bar and hold it to your throat for bad-mouthing my system"
Where can I get a copy for my PC? Oh... You need a mac to run it... If mac users are so unhappy with windows why don't they uninstall it and use OS X? Ahh... You can't get Windows XP for a mac... What the hell are they arguing about then?
I ran a benchmark on my quantum computer, now I can't find it anywhere!