Slashdot Mirror
Mac OS X Security Criticisms Countered
Paradox writes "In response to the recent PC Magazine story criticizing Mac OS X security, technologist/author Richard Forno has written a rebuttal criticizing the author and raising some good points about the fundamental differences between Windows and Mac OS X. Considering Lance Ulanoff's tone during his article, a rebuttal from the Mac OS X community was inevitable." Forno's conclusion: "Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of 'secure by design, default, and deployment'."
Muckraking, the PC Way
Richard Forno
12 Dec 03
Copyright (c) 2003 by Author. Permission granted to reproduce in entirety with credit given.
Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.
Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features. PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows- dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.
Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.
In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher Bill Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors.) Accordingly, Lance took this as a green light to launch into a snide tirade about how "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."
In other words, you're either with him or with the "zealots." Where have we seen this narrow-minded extremist view before?
More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26. Somehow he missed that.
Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.
The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. Its also something Microsoft unfortunately cant accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder." (That alone would seriously improve Windows security, methinks.)
At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesnt have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Win
not much comparison when you start comparing your security to windows security.
Tho Forno is mostly correct in his assertions, I would take him MUCH more seriously if his argument wasn't riddled with immature name-calling.
"Ask not what your country can do for you." --John F. Kennedy
the bottom line is which are you going to trust anyway? the only computer that i would fully trust to protect my stuff would be a gentoo linux box custom made for a specific purpose. Self patching and very few applications installed for a person to take advantage of. the bottom line is though XP and Mac OSX may be "secure" they're not secure enough for anything important. (in my humble opinion.) I also work at a place where security is EVERYTHING so i guess i see it different... This pointless blathering about security shoudl convince no one of anything, especially when zealots are concerned.... I say use whatever works best for what you are doing. if you want REAL security, you shouldnt use either of those OS's
'In other words, you're either with him [Lance Ulanoff] or with the "zealots."'
If I have to choose sides, I'll go with the Zealots on this one. Apple's security and responses to breaches (so far) have been light years ahead of what I've dealt with from MS.
Tim
Drill baby drill - on Mars
The PC Magazine story was just about that - a story.
It wasn't a report. It wasn't an account. It wasn't an investigation. It wasn't supported by facts. It wasn't supported by logic. It was an opinion piece that, from my view, wasn't well thought or well written.
It's unfortunate that people need to write rebuttals to this sort of journalism, but some naive readers out there will simply take it at face value because it's in print, so it must be true.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
You could have found a fairly accurate rebuttle right here at . as well.
Minus the trolls and such.
.....
.....
Contrary to his article, the small market segment held by Apple doesn't automatically make the Mac OS less vulnerable to attack or exploitation. Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work. In other words, if, as he suggests, Mac OS was the dominant operating system, its users would still enjoy an inherently more secure and trustworthy computing environment even if the number of attacks against it increased. That's because unlike Windows, Mac OS was designed from the ground up with security in mind. Is it totally secure? Nothing will ever be totally secure. But when compared to Windows, Mac OS is proving to be a significantly more reliable and (exponentially) more secure computing environment for today's users, including this security professional.
is that Mac os 9 was completly safe to the outside world. AFIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen remote vulnerablitly. Wasn't the army using a few G4 towers with Webstar as html servers? I wouldn't go back to 9 from 10.3 - but it was amazingly secure.
Are there any viruses/trojans for OS X?
I know there was the ssh deal a while back, but does anyone know of any remote r00ting of an OS X box anywhere?
"or wrong, never fully read it or the rebuttal"
so why comment on the relationship between the two if you are obviously misinformed and you admit it?
The tone of the article has a lot to do with the assumption.
I mean, if I said, "I wish he'd just shut his mouth if he's not going to read the article," you can safely assume more malice there than if I said "He really should read the article before commenting," right?
If you work in a place where "security is EVERYTHING", then you should know that trust is *not* the bottom line.
Don't trust vendors.
Don't trust open source.
Trust no one.
Audit.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
It's not too much of an assumption. The author of the orinigal piece said he was glad that there was finally a big vulnerability for Mac OS, and that he was tired of Mac users looking smug when SAMS edition Conquer the Internet in 12 Hours outlook viruses pass them over. The whole piece just had a tone of "I'm really sick of people bragging about Mac OS."
I think Apple has shown the way Microsoft should follow if they wish to bring security and stability to the Windows platform. Apple migrated over to the underpinnings of BSD without compromising the distinctness that only Apple brings to the table. If Microsoft truly cared about "trustworthy computing," they'd shift their gears and concentrate on gluing the Windows GUI and other applications to whatever BSD platform they chose to annoint. After their acquisition last year (the VirtualPC crew), Microsoft has the talents necessary to bring decent emulation of older Windows flavors to their new products. But apparently they [Microsoft] are too stubborn for their own good. It sounds like Longhorn will now be delayed until 2006 or 2007, and every year they slip, the more people and institutions will slip away to Linux and OS X for the very ideal of "trustworthy computing" they profess. Windows is broken as an OS, but as a GUI "bundled" on top of BSD, it would prove to be the magic Microsoft's shareholders are now searching for. And since Microsoft has been infusing SCO with cash, Microsoft would be "safe" from any litigation from SCO in regard to BSD or Linux...
"Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*
You are right, of course. But expecting Forno to avoid name-calling would mean expecting him to avoid feeding the Troll. This one was so cute, and looked so hungry... Maybe just a LITTLE food would be okay...
Crap. Slashdot picked it up. So much for keeping the Troll population down this Christmas season!
This at least had some bullets that backed up the statements.
The PC Mag article read as a 'neener neener neener I hate you' article vs. something with content.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
From the original article:
How cocky are you feeling now, Mac elite?
While the original article's criticism may not have come from "zealous hate", it certainly didn't come from impartial journalism. This and other statements like it definitely tinted it from simple reporting to an apparent attack, complete with the subliminal childish prat-calls.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
Hey, reading this is slow going. Anyone got a link to the PowerPoint slideshow version for dummies?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
One of the great breakthroughs in safety design came when ships started to be built with compartments, which would prevent a single hull puncture to sink the whole ship. (Sadly the Titanic's compartments were all aligned in one dimension, so when the puncture was very long, it compromised all compartments).
One of my greatest concerns with MS attitude towards design of their "ships", especially Windows and Office is, that they are integrated way too much. So any security "puncture" spills over way too easily into the rest of the ship. As a very annoying side effect, one ends up re-booting for way too many MS patches. Why should I have to reboot, if I patch my browser or e-mail client?
Of course, MSIE, Outlook and MS Office vulnerabilities have been a lot less worrying for me, since fully switching to Mozilla and OpenOffice over a year ago!
Firstly, my new office machine is a Dell with XP Pro. My home machines are iBook with 10.3, and a ThinkPad with Mandrake 9.x (uptime near 60 days now). All 3 are stable machines that do what I want, when I want. The Thinkpad was the #1 machine until I had enough scratch to buy the iBook (apple.com does nice refurb sales from time to time). When sobig and the other malicious worms of 2003 came out, my office was all win98 machines, and a NT 4.0 server. Due to reading /. and using Norton Antivirus, the only machine affected by the onslaught were the machines I was not "allowed" to touch (#1 computer guy {I am the secondary guy}, and the owner of the company {"I did that already"}. In short, you can run any of these machines safely, with most all of the latest software. It just helps if you are not an idiot.
PEBKAC
The original "commentary" was not just chock full of factual errors, improper syllogisms, et. al. It was dripping with such a malice-filled glee at the notion that OS X might be as insecure as Windows that one has to wonder as to real root of the author's problems. He mentions how angered he is by the laughing of OS X users every time he has to deal with another Windows virus/trojan/bug. Are "commentaries" like his the sad, pathetic result of not working on an OS that "just works"?
I know this is wrong, but in one respect I was happy to learn earlier this month about the discovery of a significant security hole in the Jaguar and Panther...
I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts.
I generally counter with what is apparently a secret carefully hidden from Mac zealots:...
But the mindlessly superior retort is always the same....
Given this recent development, my question is, "Will you be stuffing that superior attitude in your crow or eating it separately, sir?"
Those quotes alone comprise half the first few paragraphs. See, that wasn't too hard, was it?
I realize this is an oft-repeated truism, and obscurity alone doesn't make a system truly secure...but it certainly helps. To make an analogy, I know of many friends who have been robbed, even when their valuables were well-locked. However, those who put their valuables in places theives never think to look are generally the ones who keep them - good security is never perfect, and is generally at best a deterrent, at worst a challenge. Hell, security through obscurity is the whole basis for steganography, though most would recommend encryption as part of a "why not?" sort of preprocessing step.
As such, I think it's a given that Windows is at least less secure because of its market share. Whether Mac is more secure because of its obecurity is debatable - I'm sure there are a number of generic unix exploits that macs would suffer from, and the general unix community is very high profile.
-Looking for a job as a materials chemist or multivariat
To: Richard Forno
From: Lance Ulanoff
Subject: Re: Mac Security
YHL YHBT HAND
With all due respect any "elite" user is pretty abhorrent to be around...
I'm sure we all know a:
Mac Zealot
Microsft Apologist
Pompus Unix Geek
Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of "secure by design, default, and deployment."
That is true, right now, but it is not a fair comparison.
Look, I'm no MS fan, but they have not released an operating system since they started their "trustworthy" initiative. The Windows operating systems being discussed are old (WinXP came out in 2001), and obviously full of holes--so full of holes that MS had to start this whole focus on security.
So comparing anything to an admittedly weak and insecure operating system is just plain silly. Everyone knows Windows is insecure. Saying MacOSX is more secure than Windows means nothing, and in fact makes OSX security look comparable to that of Windows when in fact it is far better (regardless of what that PCMagazine moron wants to believe).
So, how about we give MS a chance and at least wait for them to release an OS under their "secure by design, default, and deployment" banner before we start ripping it. We may be pleasantly surprised (although I doubt it).
My summary of the situation:
- Nothing is totally secure, if it's at all useful.
- Windows is demonstrably NOT secure. IT's been riddled with nasty bugs for years.. and for Joe Average, WHY doesn't matter.
- OS X is without question far more secure than windows, and less buggy. That is not to say it's immune, or that it can't be hurt ever, but several factors both in low-level design, and in user interface design, specifically how easily users can turn on and off certain services, makes it less prone to exploits.
- Yes, it has a smaller market share, and hence, less attention is focused on it, and that certainly IS a factor.. but it doesn't change the fact that mac users don't have to worry about viruses on a dialy basis at the moment. It also isn't the only factor, and hardly means "Oh it's just as insecure as windows"
The #1 insecurities in windows are related to bad design... and a narrow interpretation of how the computer will be used in a network environment. Having all these services listening by default is bad. Having them difficult to shut off is even worse.
I recently switched to MacOSX from BeOS. In my experience chatting to the Mac Community out there, they are not more fanatical than Any other Community. I've know Car Clubs who are more obsessive than the Macintosh Community.
The only fanatics I've ran accross in the MacOSX World are the AntiMac Fanatics. For whatever reason, these individuals *hate* Macs. Not just Dislike Macs, but actively *hate* them, with a passion remeniscant of Religious Fundamentalists.
People who rebute these AntiMac Fanatics are Labeled Mac Zealots. This is only a half truth, they are really just qualifiers of the AntiMac FUD.
Anti-OS sentiments aren't restricted to MacOS, though, There are plenty of AntiMS, AntiLinux, AntiBSD and Anti[insert favourite OS here] Fanatics. Are you one of them?
Secondly, when we wrote the DHCP LDAP option specs way back when, we explicitly documented this problem in the security section:
This was written in 1997, note the last paragraph above. These issues has been discusses and documented in several RFCs, many years ago...
-- Leif
But now you can be a Mac Zealot and a Pompus Unix Geek at the same time! Its great!
Macs CAN get viruses
which viruses would these be? there are still no virii that attack mac os x.
Windows XP doesn't suffer from that issue
Considering that only about 8% of the windows users are running XP (95, 98 and 2000 are the majority), then his comments still stand. The recent spate of articles on MS dropping support for Win98 has posted the ratios quite clearly.
BWP
Wally -- "You're one of those condescending UNIX computer users!"
UNIX-guy-- "Here's a nickel, kid. Get yourself a better computer."
--Dilbert, c. 1994
Rule #1 -- Politics always trumps technology.
Its brilliant! Windows safer by design will prove that everyone is at least as insecure as they are! Bammo! Acceptably secure operating system.
I smell a Monty Python skit in here somewhere!
Quack, quack.
The original point was about / being writable. The problem is that if / is writable (but not sticky), then it'd be possible to do this:
./
cp -r etc myetc; mv etc etc.old ; mv myetc etc
And then you control etc.
However, due to the sticky bit:
dustin2wti:/tmp/test 520% ls -ld . etc
drwxrwxr-t 3 root admin 102 15 Dec 14:10
drwxr-xr-x 2 root wheel 68 15 Dec 14:10 etc/
dustin2wti:/tmp/test 521% mv etc newetc
mv: rename etc to newetc: Operation not permitted
(because of the sticky bit and my lack of ownership over etc)
Remember, renames are *directory* modifications, not file modifications. The sticky bit fills in the difference.
-- The world is watching America, and America is watching TV.
Macs CAN get virii. True. However, I was one of the first ten people in the world to identify the mac WDEF virus in 1990-1991. I've followed the virus trail since 1989 to this day on macs and pcs. I even did virus protection for fortune 500 companies once.
.exe to a coworker?
PCs are open holes with regards to virii.
Macs are a dream in this respect. Even the old OS 9 & lesser.
Obscurity DOES play a part. A small part. The win 95/98 verisons of windows that are STILL being used are horrors. The newer versions are much better (Me, 2000, XP) but still, the win computer ships with the doors unlocked and open. And the solutions made to close them are subpar. What if I WANT to email a
I could regail you with tales of the reocurring Scsvr/brasil/ops32 virus at our old office but and all the times our pcs went down but I won't. The time wasted cost us enough.
The original reporter is a bitter man who is upset that the one part of the mac he chooses to address is much better than the same area on the pc and is despirate to "fight back" and say "nyah, nyah, I tooold you" to the mac crowd, painting them as elitist pinkie pointing beret toting espresso drinkers.
We need more rebuttals like the one that started this thread. I know many who claim that "less macs = less mac virii you stooge" without closely examining the situation.
At last check, there were about 60 mac virii. At most 100.
How many win virii are there out there? 50 thousand? 60 thousand?
The more the correct message gets published by competent professionals, the less win/mac virii FUD will be going around.
Cheers,
- Zav - Imagine a Beowulf cluster of insensitive clods...
...once, Apple said it, and advertized it, but I'll say it again:
... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme. [There is a certain level of implicit trust of the local network that is assumed.]
This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3.
This functionality - yes, functionality - has been in Mac OS X and its predecessors for YEARS. Just because all of a sudden someone paints it as a root exploit does not make it so. This is nothing like the standard fare of Windows remote exploits, some of which can be exploited against unpatched machines from any location on earth, at will, remotely, at any time, against any unprotected vulnerable machine. This "exploit" requires that a roque DHCP server be set up on your local network (!), and that a machine be rebooted (or otherwise perform a DHCP request) in this malicious environment. I repeat: just calling something a root exploit does not make it so.
Perhaps it's time to have a larger discussion about how much you can really trust your local network infrastructure services, be they in a home environment or in a corporate setting, because that's what this is really about.
Should Mac OS X have this default behavior?
What are the tradeoffs?
And so on.
I just find the distinct lack of understanding of this issue astounding.
(Note: and no, this isn't an issue of Apple glossing over something by calling something a "feature" when it's really an "exploit", as you could argue for some of MS's exploits. This really is a feature, and one that can be taken advantage of by rogue services on your network...like just about anything can in one way or another. If you're being affected by this so-called "exploit", you've got bigger problems on your hands...)
Is how many people, when they write about OS X credit Apple with coming up with the secure design or other features. If anyone should be credited, it should be the people who develop FreeBSD, because that is the real reason why OS X is secure.
SIGFAULT