FBI Agent Talks Crime, Macs

hype7 writes "There's an article at SecurityFocus describing a visit an FBI agent to Washington University. His visit was ostensibly about computer security and the general public's complete lack of any idea on computer security whatsoever: 'I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are.' His talk ranged from some of the pranks he's seen played on unsuspecting users, to Eastern European extortion of big banks." WeakGeek added, "FBI security guys are using Macs because, 'those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box.' Another good quote: 'If you're a bad guy and you want to frustrate law enforcement, use a Mac.'"

Re:Security by Obscurity?

[bluGill]

In theory you are right, the vunerabilitys in Outlook could apply to any Unix mail client. In practice they don't though. All unix mailers that I know of (pine, mutt, kmail, and so on) do not by default run programs they get from email. You might be able to configure kmail to do so, but it isn't the default. I'm sure that some mailers considered it, but once outlook got exploited a few times they re-considered. (I have no idea why Microsoft still hasn't).

If that isn't enough for you, most unix systems allow the sysadmin to prevent the user from running arbitary programs. If the sysadmin didn't install it you can't run it, (just mount /home and /tmp with -noexec) after which time you just make sure that the installed mail clients don't allow scripts. Okay, it is slightly more complex than that, but a good sysadmin can deal with it. AFAIK, Windows doesn't have this ability so an admin can't lock things down this way.

Re:Security by Obscurity?

[soapbox]

Time to strike up the drumbeat:

1. Windows defaults to let users run as root. Neither Mac OS X nor Linux do that.

2. (already noted) Macs ship with most ports shut down.

3. BSD has been combed over for years, and many eyes have searched for vulnerabilities. A lot have already been solved. Nobody can look at Windows code.

4. Macs have fewer application vulnerabilities (because unlike Windows, most applications can't make root system calls and run programs as root (for example, MS Outlook).

Sorry to be repetitive.

Re:Apple's in the news now...

[aurum42]

The tool you want is "otool" (with -l) - and sources are available, and it comes standard with the system (possibly with developer tools, but that comes in the standard package).

Bzzzt. Wrong.

[Frobozz0]

Sorry, what consolation prize do we have for our departing guest?

Honestly, the security by obscurity thing has been disproven so many times, in so many ways for Mac OS X that I find it impossible that you're unaware. Granted, Mac OS X has security issues patches, but don't make me get into the horrid falacy: "macs are just as insecure as any other OS." They are, by design, far more secure. The exploits possible on a PC are not possible on a Mac due to Outlook, IE, messenger services, etc.

Seriously. Thanks for a good laugh. In case you're missing out on the needed information, here it is. This article sums it up very well.

http://www.theregister.co.uk/content/4/34554.htm l

Re:Apple's in the news now...

Um... duh? If you have physical access to ANY computer, you can get at the information on it. The only exception is a system in which all the data on the disk is encrypted.

Of course, you CAN do that on a Mac. Very easily. Either by using FileVault (extremely easy--one checkbox) or by using an encrypted disk image (slightly less easy, but still pointy-clicky).

Re:Apple's in the news now...

[More+Trouble]

Old tried and tested tools also aren't available.

Obviously you've never heard of the Unix Rosetta Stone. It's certainly the case that you don't know all Unix systems by knowing one. However, I found when I learned my second Unix system, that I understood much better what made it "Unix" as opposed to Solaris, Linux, BSD, whatever. Flexibility is hard, but worth learning.

:w

Re:Not secure out of the box

[questamor]

apple has been doing unix since 1996, NeXT has been doing it since 1988.

Apple has also been doing unix since 1987 (if I have my years correct) with it's first release of A/UX, a product they supported for almost 10 years afterwards, and through three versions. If that's counted along with their work on NeXTSTEP->OSX, then that's 17 straight years of UNIX experience within the company.

Re:Apple's in the news now...

[ImTwoSlick]

Old tried and tested tools also aren't available.

No, but you can easily install most of your favorite GNU and Open Source tools. Just use Fink. It's a very easy-to-use package management system based on Debian's apt-get.
That way you don't have to "Forget using "ldd" to figure out how to resolve the situation.".

Re:Less of a target != less secure

[blackmonday]

Apple offers $800 laptops and $600 desktops with an included monitor (at the Apple Store special deals section - thats an everyday price not an educational deal). That is not expensive as hell, its actually quite cheap comparing the hardware / software package included. Troll Apple all you want, but their prices are quite reasonable. Have you spec'd out a top of the line G5 against a top of the line Dell? Do your homework, kid.

Re:Apple's in the news now...

[zorander]

Guess what? Different unixes have different dynamic linkers. This is no big surprise.

If you're from linux, be aware that this is BSDish and linux tends towards the sysV style of things. I migrated my personal settings from my linux box and sync them regularly with *no* effort. Just copy vimrc, bashrc, etc.

It is very much unixlike. The file system, even. Yes, the apple stuff is in a seperate place. They keep it out of the unix tree cause it is distinctly non-unixlike. Really, the biggest difference I noticed is that there is no /lib. So what, they decided to keep libraries in /usr/lib? this doesnt really present too much of a problem, as it takes about five seconds to notice and adjust to that.

The naming conventions are UNIX and MAC. what did you expect but a combination? Mac OS X currently ships with an X server that can run fullscreen or managed as apple windows (I use both on different occasions). It's relatively stable, as fast as linux, and very very convenient.

Does it integrate perfectly? no. But it is certainly good enough for everyday use. I use a mac laptop and a headless linux machine. I run apps over X forwarding *all the time* with no trouble, as well as run things like gimp and gnome locally.

Install fink and it gets even more unix-y, if that is what you want. Most common unix apps are available and easy to install using fink, of course even without that, you're stil running something that's very very BSDish.

I think the FBI man was speaking of a few things-
-Auto hard disk encryption at the click of a button makes it too easy for someone engaged in illegal activities to hide their tracks.
-Macs resemble unix machines in many many ways and I'd imagine it's hard to tell the difference over a network at first glance.
-Their equipment is probably not well equipped for HFS+ yet. That will take little time as darwin is open source and supports it (via changes that apple folded in) and it should be simple to use that code in order to make support for other operating systems, if they are so inclined.

Parent obviously is not aware of the realities of Mac OS X today. It practically ./configure ; make; make install's out of box. It's posix compliant, it comes with X, etc...

Brian

Re: IRIX != Solaris != HPUX != AIX != SCO != OS X

[Paradox]

You might want to check out this nice UNIX family tree..

You can easily see who's related to who. I might note that Solaris is much further from what we modernly call BSD than some of the others you named. I won't speak of IRIX, but AIX is a weird kind of BSD variant, as is HPUX. OSX is very very close to FreeBSD.

Re:More good quotes...

[valmont]

uh oracle runs on OSX. at work, most of us developers have duplicated almost exactly the way our java/servlet/oracle-db-based web application (portal, 5 million unique page views/day, can't tell u more) runs on our sun solaris production boxes, onto our OS X laptops. yes that includes a copy of Oracle which officially supports OS X. mysql works just fine on OS X too. so does postgres. in fact, just about anything written in C and designed to be compiled with gcc works just fine on OS X. Oh, Apple also implemented its own *fast* version of X11. it's free with your OS. Any Desktop app u can run on linux runs on OS X just fine. yes that includes everything from Gimp, to Gnome and KDE, i mainly just use Gimp, and it's fast.

you want a free video editing software? how about iMovie, which smacks the living shit out of anything the open source community has ever dreamt to produce. the whole iLife suite comes for free with ur new mac. Last xmas i made a few videos using my mom's sony handycam, edited them in iMovie, exported them back to tape, no quality loss as u remain in DV format during the entire process. Then used iDVD to create a DVD with 4 movies and an image slideshow created from selecting one of my iPhoto albums within iDVD. Guess how i picked my movie soundtracks in iMovie? by browsing my iTunes library from iMovie and dragging songs onto the iMovie timeline. Did i mention i did all that on the same laptop i use for application development without breaking anything close to a sweat? After my vacation, i use Apple's free Backup.app to back-up all my movies and dvds projects to DVD to keep my hard drive uncluttered before getting back into work. oh and during this whole process i never ever installed a single piece of software. I simply used my operating system and what came with it out of the box.

Every single USB/1.0-2.0 and/or FireWire-400/800 device you can get your hands on is already compatible with OS X. yeah that includes my nifty USB IBM laser mouse, with 2 buttons, a clickable wheel, and another button to the side, all of which i have configured in OS X thru system preferences to trigger various aspects of expose. If you can plug it into your mac, it works. oh and you might have heard of bluetooth? i've got a sony ericsson t610 phone (t-mobile as my carrier, they rock!). i use iSync, a generic Apple-developed sync'ing API to which all PDA makers already adhere, to synchronize my Address Book and Calendar info onto the phone, and vice-versa. it doesn't stop here.

All bluetooth devices work out of the box too. no software installation required, just run the Apple bluetooth wizard for your laptop to register your device and bickity-bam, you're done.

let's talk more about interoperability here. Apple created cute little applications, disconcerting in their simplicity and ease of use: AddressBook.app, Calendar.app. Most of my IM programs automatically interoperate with my address book, so does Apple's Mail.app, my Calendar can subscribe to others' calendars over HTTP thru standard formats, other applications can interact with it as well. They're simple applications as well as powerful open APIs, all of which interoperate with iSync. iSync essentially means you can have your Palm Pilot, your iPod, your bluetooh phone, your online .MAC account, and whatever exotic PDA-ish device you can think of that somehow plugs into or connects to ur mac, all remain in accurate Sync using Apple's iSync. FOR FREE with your OS. In the windows world, such functionality is partly mimicked by 3rd party services such as intellisync that pick the few most popular devices on the market, creates separate conduits for each one, to in the end sell you a solution that allows you to sync a limited set of devices. If more devices come to the market they'll have to update their software, you'll h