Slashdot Mirror
Mac OS X Security Criticisms Countered
Paradox writes "In response to the recent PC Magazine story criticizing Mac OS X security, technologist/author Richard Forno has written a rebuttal criticizing the author and raising some good points about the fundamental differences between Windows and Mac OS X. Considering Lance Ulanoff's tone during his article, a rebuttal from the Mac OS X community was inevitable." Forno's conclusion: "Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of 'secure by design, default, and deployment'."
Muckraking, the PC Way
Richard Forno
12 Dec 03
Copyright (c) 2003 by Author. Permission granted to reproduce in entirety with credit given.
Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.
Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features. PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows- dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.
Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.
In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher Bill Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors.) Accordingly, Lance took this as a green light to launch into a snide tirade about how "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."
In other words, you're either with him or with the "zealots." Where have we seen this narrow-minded extremist view before?
More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26. Somehow he missed that.
Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.
The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. Its also something Microsoft unfortunately cant accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder." (That alone would seriously improve Windows security, methinks.)
At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesnt have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Win
not much comparison when you start comparing your security to windows security.
Tho Forno is mostly correct in his assertions, I would take him MUCH more seriously if his argument wasn't riddled with immature name-calling.
"Ask not what your country can do for you." --John F. Kennedy
Drill baby drill - on Mars
The PC Magazine story was just about that - a story.
It wasn't a report. It wasn't an account. It wasn't an investigation. It wasn't supported by facts. It wasn't supported by logic. It was an opinion piece that, from my view, wasn't well thought or well written.
It's unfortunate that people need to write rebuttals to this sort of journalism, but some naive readers out there will simply take it at face value because it's in print, so it must be true.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
Are there any viruses/trojans for OS X?
I know there was the ssh deal a while back, but does anyone know of any remote r00ting of an OS X box anywhere?
"or wrong, never fully read it or the rebuttal"
so why comment on the relationship between the two if you are obviously misinformed and you admit it?
If you work in a place where "security is EVERYTHING", then you should know that trust is *not* the bottom line.
Don't trust vendors.
Don't trust open source.
Trust no one.
Audit.
Things should be made as simple as possible, but not any simpler. -- Albert Einstein
It's not too much of an assumption. The author of the orinigal piece said he was glad that there was finally a big vulnerability for Mac OS, and that he was tired of Mac users looking smug when SAMS edition Conquer the Internet in 12 Hours outlook viruses pass them over. The whole piece just had a tone of "I'm really sick of people bragging about Mac OS."
I think Apple has shown the way Microsoft should follow if they wish to bring security and stability to the Windows platform. Apple migrated over to the underpinnings of BSD without compromising the distinctness that only Apple brings to the table. If Microsoft truly cared about "trustworthy computing," they'd shift their gears and concentrate on gluing the Windows GUI and other applications to whatever BSD platform they chose to annoint. After their acquisition last year (the VirtualPC crew), Microsoft has the talents necessary to bring decent emulation of older Windows flavors to their new products. But apparently they [Microsoft] are too stubborn for their own good. It sounds like Longhorn will now be delayed until 2006 or 2007, and every year they slip, the more people and institutions will slip away to Linux and OS X for the very ideal of "trustworthy computing" they profess. Windows is broken as an OS, but as a GUI "bundled" on top of BSD, it would prove to be the magic Microsoft's shareholders are now searching for. And since Microsoft has been infusing SCO with cash, Microsoft would be "safe" from any litigation from SCO in regard to BSD or Linux...
"Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*
From the original article:
How cocky are you feeling now, Mac elite?
While the original article's criticism may not have come from "zealous hate", it certainly didn't come from impartial journalism. This and other statements like it definitely tinted it from simple reporting to an apparent attack, complete with the subliminal childish prat-calls.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
Hey, reading this is slow going. Anyone got a link to the PowerPoint slideshow version for dummies?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
One of the great breakthroughs in safety design came when ships started to be built with compartments, which would prevent a single hull puncture to sink the whole ship. (Sadly the Titanic's compartments were all aligned in one dimension, so when the puncture was very long, it compromised all compartments).
One of my greatest concerns with MS attitude towards design of their "ships", especially Windows and Office is, that they are integrated way too much. So any security "puncture" spills over way too easily into the rest of the ship. As a very annoying side effect, one ends up re-booting for way too many MS patches. Why should I have to reboot, if I patch my browser or e-mail client?
Of course, MSIE, Outlook and MS Office vulnerabilities have been a lot less worrying for me, since fully switching to Mozilla and OpenOffice over a year ago!
Firstly, my new office machine is a Dell with XP Pro. My home machines are iBook with 10.3, and a ThinkPad with Mandrake 9.x (uptime near 60 days now). All 3 are stable machines that do what I want, when I want. The Thinkpad was the #1 machine until I had enough scratch to buy the iBook (apple.com does nice refurb sales from time to time). When sobig and the other malicious worms of 2003 came out, my office was all win98 machines, and a NT 4.0 server. Due to reading /. and using Norton Antivirus, the only machine affected by the onslaught were the machines I was not "allowed" to touch (#1 computer guy {I am the secondary guy}, and the owner of the company {"I did that already"}. In short, you can run any of these machines safely, with most all of the latest software. It just helps if you are not an idiot.
PEBKAC
As far as that goes, no operating system is 100% secure. The only way its secure is if its off. If you require a password to log on, its vunerable. If to nothing else, someone else on the inside figuring out that password. 80% of all the breaches we see are inside jobs. Either disgruntaled employee, sys admins don't remove passwords of terminated or former employees, or a hacker goes calls on the phone saying, "I'm joe from department x or branch y, and I forgot my password".
Even now, we have an internal network of 3 computers linked to a server that manages our accounting data. None of those boxes are connected to the Internet. That only leaves the possiblity of a breach from within or a unit being stolen physically from our office.
We do a lot of IT consulting and expaning into security, and the one question we always have to ask ourselves and clients, "Okay, nothing is going to be 100% secure, where do you draw the line?" Granted, most of our clients have 20 or fewer employees and aren't doing a lot that needs governmental levels of security. Usually Zone Alarm Pro and Norton is about the best defense these people are going to get for the money. Some larger companies elect on having a dedicated hardware firewall installed or an *BSD box configured as a firewall too.
Now on the desk of an average employee sets either a PowerMac G4 of various speeds, an iMac, iBook (yeah, I'm the President and I have an iBook), or a powerbook all running OS X.2 with my business partner's Powerbook the only 10.3 at the moment. We don't worry about the worm of the week on our machines.
At the end of the day, the way in which Windows is built and the intergration of IE, MP, etc. there is only so much you can do, and saying "Switch to Linux" often isn't the answer as well, at least to our small business clients. And I will defend that position with one word: Quickbooks. At least with Macintosh, they can have their Office, QuickBooks, Email, and Internet with a system they can understand, and provides more security than windows out of the box. Perfect, no, practical, yes.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
My summary of the situation:
- Nothing is totally secure, if it's at all useful.
- Windows is demonstrably NOT secure. IT's been riddled with nasty bugs for years.. and for Joe Average, WHY doesn't matter.
- OS X is without question far more secure than windows, and less buggy. That is not to say it's immune, or that it can't be hurt ever, but several factors both in low-level design, and in user interface design, specifically how easily users can turn on and off certain services, makes it less prone to exploits.
- Yes, it has a smaller market share, and hence, less attention is focused on it, and that certainly IS a factor.. but it doesn't change the fact that mac users don't have to worry about viruses on a dialy basis at the moment. It also isn't the only factor, and hardly means "Oh it's just as insecure as windows"
The #1 insecurities in windows are related to bad design... and a narrow interpretation of how the computer will be used in a network environment. Having all these services listening by default is bad. Having them difficult to shut off is even worse.
I recently switched to MacOSX from BeOS. In my experience chatting to the Mac Community out there, they are not more fanatical than Any other Community. I've know Car Clubs who are more obsessive than the Macintosh Community.
The only fanatics I've ran accross in the MacOSX World are the AntiMac Fanatics. For whatever reason, these individuals *hate* Macs. Not just Dislike Macs, but actively *hate* them, with a passion remeniscant of Religious Fundamentalists.
People who rebute these AntiMac Fanatics are Labeled Mac Zealots. This is only a half truth, they are really just qualifiers of the AntiMac FUD.
Anti-OS sentiments aren't restricted to MacOS, though, There are plenty of AntiMS, AntiLinux, AntiBSD and Anti[insert favourite OS here] Fanatics. Are you one of them?
Secondly, when we wrote the DHCP LDAP option specs way back when, we explicitly documented this problem in the security section:
This was written in 1997, note the last paragraph above. These issues has been discusses and documented in several RFCs, many years ago...
-- Leif
XP might be old, but it is what people are allowed to buy *now*, so your point does not apply. It is insecure *now* and it is being sold *now* (read, not discontinued or the like).
So, how about we give MS a chance and at least wait for them to release an OS under their "secure by design, default, and deployment" banner before we start ripping it. We may be pleasantly surprised (although I doubt it).
I have just installed a network of computers, loaded with MS software I just bought. I need to be secure now, not in 2-3 years time.
dani++
is that Mac os 9 was completly safe to the outside world. AFIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen remote vulnerablitly.
You can see one anytime you want by just checking this test site. It works in a similar way as the infamous autostart worm that plagued MacOS Classic machines. The vulnerability works as follows:
1. You click on a link on a website like the above. It starts to download a stuffit-packed disk image to your desktop [without asking; that's the default configuration]
2. Stuffit unpacks and mounts the image [without asking; that's the default configuration]
3. Classic QuickTime sees a newly mounted image and initiates Autostart procedure [DEFAULT CONFIGURATION!]
4. Bingo - you allowed a remote source to execute arbitrary code on your system; and even under MacOS X, it started as a Classic layer process so it runs actually as root
The test site "attacks" you only with a very simple AppleScript applet that only opens your trashcan and that's it. But just think of the possibilites for a really malicious use. It was a very severe vulnerability for all vanilla-configured MacOS 9 (and earlier) machines; but unfortunately, also MacOS X machines with their Classic layer configured as the vanilla MacOS 9 were affected. THIS INCLUDES the MacOS X 10.3 "Panther". In fact, Classic layer always was and still is the biggest security hole in MacOS X, but that's another story. Anyway, Apple was crazy to provide Autostart option in QuickTime (who needs it, anyway?) but it was even more crazy to provide it as the DEFAULT configuration.
Macs CAN get virii. True. However, I was one of the first ten people in the world to identify the mac WDEF virus in 1990-1991. I've followed the virus trail since 1989 to this day on macs and pcs. I even did virus protection for fortune 500 companies once.
.exe to a coworker?
PCs are open holes with regards to virii.
Macs are a dream in this respect. Even the old OS 9 & lesser.
Obscurity DOES play a part. A small part. The win 95/98 verisons of windows that are STILL being used are horrors. The newer versions are much better (Me, 2000, XP) but still, the win computer ships with the doors unlocked and open. And the solutions made to close them are subpar. What if I WANT to email a
I could regail you with tales of the reocurring Scsvr/brasil/ops32 virus at our old office but and all the times our pcs went down but I won't. The time wasted cost us enough.
The original reporter is a bitter man who is upset that the one part of the mac he chooses to address is much better than the same area on the pc and is despirate to "fight back" and say "nyah, nyah, I tooold you" to the mac crowd, painting them as elitist pinkie pointing beret toting espresso drinkers.
We need more rebuttals like the one that started this thread. I know many who claim that "less macs = less mac virii you stooge" without closely examining the situation.
At last check, there were about 60 mac virii. At most 100.
How many win virii are there out there? 50 thousand? 60 thousand?
The more the correct message gets published by competent professionals, the less win/mac virii FUD will be going around.
Cheers,
- Zav - Imagine a Beowulf cluster of insensitive clods...