FBI Agent Talks Crime, Macs
hype7 writes "There's an article at SecurityFocus describing a visit by an FBI agent to Washington University. His visit was ostensibly about computer security and the general public's complete lack of any idea on computer security whatsoever: 'I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are.' His talk ranged from some of the pranks he's seen played on unsuspecting users, to Eastern European extortion of big banks." WeakGeek added, "FBI security guys are using Macs because, 'those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box.' Another good quote: 'If you're a bad guy and you want to frustrate law enforcement, use a Mac.'"
Oh my, we are ignorant, aren't we?
In theory you are right, the vulnerabilities in Outlook could apply to any Unix mail client. In practice they don't though. All unix mailers that I know of (pine, mutt, kmail, and so on) do not by default run programs they get from email. You might be able to configure kmail to do so, but it isn't the default. I'm sure that some mailers considered it, but once outlook got exploited a few times they re-considered. (I have no idea why Microsoft still hasn't).
If that isn't enough for you, most unix systems allow the sysadmin to prevent the user from running arbitrary programs. If the sysadmin didn't install it you can't run it, (just mount /home and /tmp with -noexec) after which time you just make sure that the installed mail clients don't allow scripts. Okay, it is slightly more complex than that, but a good sysadmin can deal with it. AFAIK, Windows doesn't have this ability so an admin can't lock things down this way.
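An added example (not the poster's code) of the check a sysadmin would run after doing the noexec trick above: parse /proc/mounts-style lines, find which mount actually holds each user-writable directory (longest-prefix match, so /home/alice is covered by a /home mount but /var/tmp falls back to /), and report the ones that still allow execution. The mount table is constructed sample data; the Linux /proc/mounts format, including its \040 octal escapes for spaces in mountpoints, is the assumed input.

```python
import re

# Constructed /proc/mounts-style sample, not taken from any real system.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /mnt/usb\\040stick vfat rw,nosuid,nodev,noexec,relatime 0 0
"""


def _unescape(field):
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return [(mountpoint, fstype, {options})] from /proc/mounts or fstab-style text."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        entries.append((_unescape(parts[1]), parts[2], set(parts[3].split(","))))
    return entries


def mount_for(path, entries):
    """Longest-prefix match: the mount entry that actually holds `path`."""
    best = None
    for entry in entries:
        mp = entry[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = entry
    return best


def exec_allowed(paths, entries):
    """Map each path NOT covered by a noexec mount to the mountpoint it lives on."""
    findings = {}
    for path in paths:
        entry = mount_for(path, entries)
        if entry is not None and "noexec" not in entry[2]:
            findings[path] = entry[0]
    return findings


def audit(text=SAMPLE_MOUNTS, paths=("/home", "/tmp", "/var/tmp", "/mnt/usb stick")):
    """Run the check over a mount table; defaults use the constructed sample."""
    return exec_allowed(paths, parse_mounts(text))


if __name__ == "__main__":
    for path, mp in audit().items():
        print(f"{path}: executable files allowed (mounted on {mp} without noexec)")
```

Against a live box you would call `audit(open("/proc/mounts").read(), [...])` with the directories users can write to. The "slightly more complex than that" part of the post is real: noexec only stops the kernel from executing or mapping files from that filesystem as code, so `sh /tmp/x` or `perl /tmp/x.pl` still runs, which is why the poster also wants the mail clients themselves locked down.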
OS X 10.3 has a feature called "File Vault" that encrypts your home dir with 128-bit AES. Maybe that's what he is referring to.
Of course, NTFS also allows for encrypted files. Though, I've never seen any details about how good it is.
In OS X, it's a simple system preferences option to enable this feature.
Time to strike up the drumbeat:
1. Windows defaults to let users run as root. Neither Mac OS X nor Linux do that.
2. (already noted) Macs ship with most ports shut down.
3. BSD has been combed over for years, and many eyes have searched for vulnerabilities. A lot have already been solved. Nobody can look at Windows code.
4. Macs have fewer application vulnerabilities (because unlike Windows, most applications can't make root system calls and run programs as root (for example, MS Outlook)).
Sorry to be repetitive.
The tool you want is "otool" (with -l) - and sources are available, and it comes standard with the system (possibly with developer tools, but that comes in the standard package).
"The slave who knows his master's will and does not get ready...will be beaten with many blows." Luke 12:47-48
I love how people always seem to think that there are fewer vulnerabilities simply because the mac has a much smaller market share. Sure, it makes sense unless you're actually paying attention. Yes, Apple has had to issue some security updates recently. No, Mac OS X is not perfect. But it beats the hell out of operating systems that ship with holes so big you can drive a truck through with room to spare.
The first thing you have to do when you install the OS is create a user account and a new password. Macs ship with most services disabled by default, and they've got a point-and-click firewall that can be enabled in a matter of seconds. Macs are not secure because no one uses them. They are secure because they do not make the same common mistakes that Microsoft seems to do constantly. They're secure because you don't hear about huge break-ins, loss of data, or life-threatening situations caused by failed security systems. And they're secure because the folks that depend most upon security seem to turn their head more and more these days towards that odd fruit on the other side of the fence. The fact that Apple has issued patches recently is not a red flag. Everyone has to patch their OS. It would be a red flag if they hadn't patched it in a timely manner, like some others that we always seem to hear about.
Of course, they're expensive as all hell, and there isn't enough software for them, but that's another story. ;-)
Sorry, what consolation prize do we have for our departing guest?
m l
Honestly, the security by obscurity thing has been disproven so many times, in so many ways for Mac OS X that I find it impossible that you're unaware. Granted, Mac OS X has security issue patches, but don't make me get into the horrid fallacy: "macs are just as insecure as any other OS." They are, by design, far more secure. The exploits possible on a PC are not possible on a Mac due to Outlook, IE, messenger services, etc.
Seriously. Thanks for a good laugh. In case you're missing out on the needed information, here it is. This article sums it up very well.
http://www.theregister.co.uk/content/4/34554.ht
"Politicians find new names for institutions which under old names have become odious to the people."
I'm sitting here in front of my PC with a G4 Mac keyboard and 6 button MX700 wireless logitech mouse. ;-)
PSA -- Mac keyboards are very handy on a PC. They will detect in XP as a Mac USB Keyboard, and will run without having to install any additional drivers.
The only unfortunate thing, Mac designed them for little girl's fingers, so there are no gaps between the function keys. But the feedback is amazingly light, lighter than any PC keyboard I tried during my visits to CompUSA and MicroCenter. Not bad, at all, for $60. There is also no funky side-crunch. You know, like on the MS ergonomic keyboards from a couple of years ago. You can hit any part of the key and it still presses silently and smoothly.
My next plan is to put a couple of blue LEDs under the acrylic on the bottom. Since it's clear, it should illuminate very well.
I find it somewhat amusing that he harps on and on and on about the slightest little problem with any other platform -- particularly the mac -- but has almost completely ignored the latest couple of mail worms pestering his platform-of-choice.
the register was running this story yesterday here:
http://theregister.co.uk/content/55/35175.html
Those who trade in their freedom for security, deserve neither.
Um... duh? If you have physical access to ANY computer, you can get at the information on it. The only exception is a system in which all the data on the disk is encrypted.
Of course, you CAN do that on a Mac. Very easily. Either by using FileVault (extremely easy--one checkbox) or by using an encrypted disk image (slightly less easy, but still pointy-clicky).
Old tried and tested tools also aren't available.
:w
Obviously you've never heard of the Unix Rosetta Stone. It's certainly the case that you don't know all Unix systems by knowing one. However, I found when I learned my second Unix system, that I understood much better what made it "Unix" as opposed to Solaris, Linux, BSD, whatever. Flexibility is hard, but worth learning.
Illegally, I thought that was pretty well documented...
Finkployd
from post: "WeakGeek added, "FBI security guys are using Macs because, 'those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box.' "
from article: "many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box."
The post quote implies that all FBI computer security agents, or at least the majority, use Macs. The second quote, from the actual article, implies that only some unspecified number of FBI computer security agents use Macs. Please don't butcher quotes to mislead.
Vote for Pedro
If you're a bad guy and you want to frustrate law enforcement, use a Mac.
I am an expert witness who works against these (FBI) guys in criminal cases. They have a whole division of the D.C. computer forensics office dedicated to Macs. A stock question they ask in trial is "OK, general computer forensics dude, what percentage of your time is spent working with Macs?" For most general security experts, this is 10-20%. Then they pull somebody out who does nothing but analyze Macs.
who are those slashdot people? they swept over like Mongol-Tartars.
apple has been doing unix since 1996, NeXT has been doing it since 1988.
Apple has also been doing unix since 1987 (if I have my years correct) with its first release of A/UX, a product they supported for almost 10 years afterwards, and through three versions. If that's counted along with their work on NeXTSTEP->OSX, then that's 17 straight years of UNIX experience within the company.
Also don't forget Apache runs on multiple platforms and when made from source, might have countless build variations. That alone makes many exploits much, much harder to pull off since even if you do manage to overflow a buffer, you can't count on the memory layout being the same.
It's not too unlike how genetic variation limits the spread of real viruses.
The G4 when it first received its Super Computer status. Apple ran a few ads to that effect.
T Money
World Domination with a plastic spoon since 1984
ldd is called "otool -L" on OS X. Hope that helps.
No, but you can easily install most of your favorite GNU and Open Source tools. Just use Fink. It's a very easy-to-use package management system based on Debian's apt-get.
That way you don't have to "Forget using "ldd" to figure out how to resolve the situation.".
Guess what? Different unixes have different dynamic linkers. This is no big surprise.
/lib. So what, they decided to keep libraries in /usr/lib? This doesn't really present too much of a problem, as it takes about five seconds to notice and adjust to that.
./configure ; make; make install's out of box. It's POSIX compliant, it comes with X, etc...
If you're from linux, be aware that this is BSDish and linux tends towards the sysV style of things. I migrated my personal settings from my linux box and sync them regularly with *no* effort. Just copy vimrc, bashrc, etc.
It is very much unixlike. The file system, even. Yes, the apple stuff is in a separate place. They keep it out of the unix tree because it is distinctly non-unixlike. Really, the biggest difference I noticed is that there is no
The naming conventions are UNIX and MAC. what did you expect but a combination? Mac OS X currently ships with an X server that can run fullscreen or managed as apple windows (I use both on different occasions). It's relatively stable, as fast as linux, and very very convenient.
Does it integrate perfectly? no. But it is certainly good enough for everyday use. I use a mac laptop and a headless linux machine. I run apps over X forwarding *all the time* with no trouble, as well as run things like gimp and gnome locally.
Install fink and it gets even more unix-y, if that is what you want. Most common unix apps are available and easy to install using fink, of course even without that, you're still running something that's very very BSDish.
I think the FBI man was speaking of a few things-
-Auto hard disk encryption at the click of a button makes it too easy for someone engaged in illegal activities to hide their tracks.
-Macs resemble unix machines in many many ways and I'd imagine it's hard to tell the difference over a network at first glance.
-Their equipment is probably not well equipped for HFS+ yet. That will take little time as darwin is open source and supports it (via changes that apple folded in) and it should be simple to use that code in order to make support for other operating systems, if they are so inclined.
Parent obviously is not aware of the realities of Mac OS X today. It practically
Brian
1. No shared library problems on OS X. Frameworks include versioning to solve that particular problem.
;)
You're not quite correct. Like I said, this was due to a troubleshooting problem. Your assertion is proven false simply because I had to learn this stuff to troubleshoot a problem with shared library compatibility problems.
2. ldd is hardly universal.
Show me an operating system that *doesn't* have ldd as a utility. Other than MacOS X. I know AIX, Solaris, Linux, HP-UX support that utility. I'm not sure about Tru64, but I'm pretty sure that it does, too. MacOS was the only operating system I had problems with with regard to troubleshooting "ldd" problems.
Actually, what he was talking about is the fact that a Mac OS X box when first turned on is as close to impregnable as we can hope to see in this life. No services are running, not even SSH. If nobody's listening, you ain't getting in.
Well, that is in fact what I call good security. It's hard to break into a door when the door doesn't exist in the first place.
Admittedly, I missed that part when I read the article the first time. No more Summit Winter Ale for me tonight, I guess.
--- Journals are boring; Go to my web page instead
EFS doesn't encrypt filenames, so there's little point trying to do the entire disk. They'd be able to see what software you have installed either way.
Mac OS X has otool(1), specifically otool -L, and it's been in Mac OS X since the beginning. See the man page for more details. This is no more security by obscurity than a Windows developer not knowing about ldd.
otool is a bit more flexible than ldd, since ldd requires that you actually execute the code in question and watches what gets loaded. otool looks at the binary directly and determines what libraries are needed without executing anything. This makes it usable on shared libraries that depend on other shared libraries, without having to create a separate test executable for use with ldd.
--Paul
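The point Paul makes above, that otool reads the binary's load commands instead of running it, is easy to see in code. Here is an added example (not otool's source and not the poster's code) that does the same walk in Python: it parses a thin Mach-O header, iterates the load commands, and returns the path and version fields of every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB / LC_REEXPORT_DYLIB / LC_ID_DYLIB command, for both little-endian and byte-swapped (PowerPC-era) images. The input is a constructed 64-bit header plus dylib commands built by the helper in the block, with no code or segments, so it runs anywhere; the dependency paths and version numbers are made up.

```python
import struct

# Mach-O constants from <mach-o/loader.h>; only the ones this walker needs.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit, native / byte-swapped
LC_REQ_DYLD = 0x80000000
LC_ID_DYLIB, LC_LOAD_DYLIB = 0x0D, 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
DYLIB_CMDS = {LC_LOAD_DYLIB: "load", LC_LOAD_WEAK_DYLIB: "weak",
              LC_REEXPORT_DYLIB: "reexport", LC_ID_DYLIB: "id"}


def _version(v):
    """Mach-O packs versions as X.Y.Z -> (X << 16) | (Y << 8) | Z."""
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"


def list_dylibs(data):
    """Walk the load commands of a thin Mach-O image and return
    [(kind, path, compat_version, current_version)] for every dylib command.
    Nothing is executed; this is the static approach otool -L takes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"                       # file written big-endian, re-read the magic
        magic, = struct.unpack_from(">I", data, 0)
    else:
        raise ValueError("not a thin Mach-O image (fat binaries need a per-arch slice)")
    hdr_len = 32 if magic == MH_MAGIC_64 else 28
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    off, end = hdr_len, hdr_len + sizeofcmds
    if end > len(data):
        raise ValueError("load command table runs past end of file")
    deps = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in DYLIB_CMDS:
            if cmdsize < 24:
                raise ValueError("dylib command too short at offset %d" % off)
            # dylib_command body: name offset, timestamp, current_version, compatibility_version
            name_off, _ts, current, compat = struct.unpack_from(endian + "IIII", data, off + 8)
            if not 24 <= name_off < cmdsize:
                raise ValueError("dylib name offset outside its load command")
            raw = data[off + name_off:off + cmdsize]
            path = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
            deps.append((DYLIB_CMDS[cmd], path, _version(compat), _version(current)))
        off += cmdsize
    return deps


def _dylib_cmd(cmd, path, compat, current, endian):
    """Encode one dylib_command: 24-byte struct, then the NUL-terminated name, padded to 8 bytes."""
    pack = lambda v: (v[0] << 16) | (v[1] << 8) | v[2]
    name = path.encode() + b"\0"
    cmdsize = (24 + len(name) + 7) & ~7
    return (struct.pack(endian + "IIIIII", cmd, cmdsize, 24, 0, pack(current), pack(compat))
            + name.ljust(cmdsize - 24, b"\0"))


def build_sample_macho(deps, endian="<"):
    """Constructed sample input: a mach_header_64 and dylib load commands only, no code."""
    cmds = b"".join(_dylib_cmd(c, p, co, cu, endian) for c, p, co, cu in deps)
    # magic, cputype (x86_64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    hdr = struct.pack(endian + "IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, len(deps), len(cmds), 0, 0)
    return hdr + cmds


SAMPLE_DEPS = [  # made-up dependencies and versions
    (LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib", (1, 0, 0), (1319, 0, 0)),
    (LC_LOAD_WEAK_DYLIB, "/usr/local/lib/libfoo.dylib", (1, 2, 0), (1, 2, 3)),
]
SAMPLE_IMAGE = build_sample_macho(SAMPLE_DEPS)


def otool_style(data):
    """Render the result in the one-line-per-library shape otool -L prints."""
    return "\n".join(f"\t{p} (compatibility version {co}, current version {cu})"
                     for _, p, co, cu in list_dylibs(data))


if __name__ == "__main__":
    print(otool_style(SAMPLE_IMAGE))
```

Because the walker never maps or runs the image, it works on a .dylib just as well as on an executable, which is the advantage Paul describes. Note the bounds checks on cmdsize and the name offset: a tool that trusts those fields blindly is the kind of parser a crafted binary can crash, and a forensics box should not be the place that happens. On a real Mac, `otool -L` and `otool -l` give you this output directly.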
I have not only my home dir (and tmp and spool dirs) encrypted, but also my swap space. No use encrypting a file if they can lift the decrypted version from swap.
You might want to check out this nice UNIX family tree..
You can easily see who's related to who. I might note that Solaris is much further from what we modernly call BSD than some of the others you named. I won't speak of IRIX, but AIX is a weird kind of BSD variant, as is HPUX. OSX is very very close to FreeBSD.
Slashdot. It's Not For Common Sense
For instance, how do you configure networking on a Mac with no GUI?
ipconfig and ifconfig. underneath everything is darwin. all the gui apps are is front ends for command line utils. even all the netinfo functions, (ni*) are all command line functions. i won't get into the whole "is os x unix " flame war, however, it seems to me that the *nix way for most gui config tools is to be simply a front end for command line apps. in fact, when you buy os x server, you are really buying the config and monitoring tools. even apple pimps the fact that if you are a unix savvy cli guru, you won't need all the gui tools. and if you are, then you can run all the servers off of plain ole' panther.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Don't forget the Workgroup Servers running AIX.
The rest of the *NIX development world would be much nicer if they adopted a similar scheme.
Standard shared object libraries in OS X are just that, and are subject to all the pitfalls normally found... ohh.. except one. Since Apple uses a two-level namespace scheme, you see name collisions less. Oh, and they do prebinding very aggressively.
It's pretty much a superior setup to the average linux world. But then, we paid for something besides just iCandy, right?
Show me a reason why OS X should have ldd when the superior otool exists. C'mon! To make you feel more comfortable? To make you feel more loved?
Dude, if you're a developer doing cross platform development, then turn around and complain how annoyed you were at not finding ldd, discontinue cross-platform development. If you can't even be bothered to check the unix rosetta stone for something that simple, then you're not the kind of battle-hardened, talented person that is required to do real cross-platform development.
Perhaps you were just porting? Still no sympathy. Learn your target platform. It's not even like it's hard anymore! You have libtool, autoconf and automake these days. Cross platform development is actually feasible these days, albeit difficult!
Even with services running, it's harder to break into a mac. Apple's security update scheme is extremely aggressive. This is especially true when dealing with holes in trusted services like SSH and Apache.
Slashdot. It's Not For Common Sense
Nothing specific to Windows here. If you have a virgin installation of Mac OS 10.2, or Linux, or whatever, you'll still have a bunch of system updates to download.
(already noted) Macs ship with most ports shut down.
No, they ship with ALL ports shut down. You have to explicitly turn a service on to open the port.
Hell, even root is turned off and needs to be manually enabled.
In the late 80's and until the mid 90's many computers above a certain level (many desktops of the day fell under the rule) and lots of common everyday software were classified as munitions and could not be exported to certain countries. It wasn't just Apples. After a few years the laws became unenforcable because of global markets. They may still be on the books.
uh oracle runs on OSX. at work, most of us developers have duplicated almost exactly the way our java/servlet/oracle-db-based web application (portal, 5 million unique page views/day, can't tell u more) runs on our sun solaris production boxes, onto our OS X laptops. yes that includes a copy of Oracle which officially supports OS X. mysql works just fine on OS X too. so does postgres. in fact, just about anything written in C and designed to be compiled with gcc works just fine on OS X. Oh, Apple also implemented its own *fast* version of X11. it's free with your OS. Any Desktop app u can run on linux runs on OS X just fine. yes that includes everything from Gimp, to Gnome and KDE, i mainly just use Gimp, and it's fast.
you want a free video editing software? how about iMovie, which smacks the living shit out of anything the open source community has ever dreamt to produce. the whole iLife suite comes for free with ur new mac. Last xmas i made a few videos using my mom's sony handycam, edited them in iMovie, exported them back to tape, no quality loss as u remain in DV format during the entire process. Then used iDVD to create a DVD with 4 movies and an image slideshow created from selecting one of my iPhoto albums within iDVD. Guess how i picked my movie soundtracks in iMovie? by browsing my iTunes library from iMovie and dragging songs onto the iMovie timeline. Did i mention i did all that on the same laptop i use for application development without breaking anything close to a sweat? After my vacation, i use Apple's free Backup.app to back-up all my movies and dvds projects to DVD to keep my hard drive uncluttered before getting back into work. oh and during this whole process i never ever installed a single piece of software. I simply used my operating system and what came with it out of the box.
Every single USB/1.0-2.0 and/or FireWire-400/800 device you can get your hands on is already compatible with OS X. yeah that includes my nifty USB IBM laser mouse, with 2 buttons, a clickable wheel, and another button to the side, all of which i have configured in OS X thru system preferences to trigger various aspects of expose. If you can plug it into your mac, it works. oh and you might have heard of bluetooth? i've got a sony ericsson t610 phone (t-mobile as my carrier, they rock!). i use iSync, a generic Apple-developed sync'ing API to which all PDA makers already adhere, to synchronize my Address Book and Calendar info onto the phone, and vice-versa. it doesn't stop here.
All bluetooth devices work out of the box too. no software installation required, just run the Apple bluetooth wizard for your laptop to register your device and bickity-bam, you're done.
let's talk more about interoperability here. Apple created cute little applications, disconcerting in their simplicity and ease of use: AddressBook.app, Calendar.app. Most of my IM programs automatically interoperate with my address book, so does Apple's Mail.app, my Calendar can subscribe to others' calendars over HTTP thru standard formats, other applications can interact with it as well. They're simple applications as well as powerful open APIs, all of which interoperate with iSync. iSync essentially means you can have your Palm Pilot, your iPod, your bluetooth phone, your online .MAC account, and whatever exotic PDA-ish device you can think of that somehow plugs into or connects to ur mac, all remain in accurate Sync using Apple's iSync. FOR FREE with your OS. In the windows world, such functionality is partly mimicked by 3rd party services such as intellisync that pick the few most popular devices on the market, creates separate conduits for each one, to in the end sell you a solution that allows you to sync a limited set of devices. If more devices come to the market they'll have to update their software, you'll h
Oh, and your network doesn't need to be compromised if you're on or near a malicious wireless network, as OS X will cheerfully auto-discover that one as well.
It's not some earth shattering "all your base" sort of flaw, but then, there really aren't very many of those. It IS, however, a real, verifiable flaw. Part of the flaw is in the design. You don't need to jump up and down defending OS X here, it makes you look like a drooling fanboy.
Local exploits are still exploits - the vast majority of Windows exploits are local only, for example.
Uh, OSX 1.3 is only a few months old and has had a half dozen security updates and two complete OS upgrades. The latest is 1.3.2.
XP, on the other hand, came out in 2002. It's 2 years old. Apple's OS from 2 years ago, 10.1, has had at LEAST 13 upgrades since then.
The only real difference here is that Apple's OS has come out with far more distinct versions of their OS than Microsoft has. And they've charged for each one. Since I bought OS 10, I've probably sunk more than $300 for operating systems from Apple ($130 for 10, $30 for a 10.1 disc, $130 for 10.2, $130 for 10.3) just to maintain the best performance of my system. On the other hand, I'm still running on my PC the copy of Windows 2000 I got in 1999 for $99.
Granted, i didn't mind spending it. I love my mac. But that "pretty fucking sad" event that you prevented by buying a G5 cost you quite a bit more money. And said money could buy a pretty awesome firewall and some great antivirus software. If you're looking at computing from a cost-benefit point of view -- the way somebody who buys an eMachine probably does -- the Mac is an insanely expensive choice simply to prevent the minor inconvenience of some hacker getting control of your login to Allrecipes.com.
Hey freaks: now you're ju