Mad as Hell, Switching to Mac
justAMan writes "Security dude, Winn Schwartau, has posted an article on Network World about switching his company to Macs because he's fed up with the security issues plaguing Windows-based systems. He also offers his view on why Windows is inherently flawed and why it will eventually fail because of those reasons.
From the article, 'This is my first column written on a Mac - ever. Maybe I should have done it a long time ago, but I never said I was smart, just obstinate. I was a PC bigot.
But now, I've had it. I'm mad as hell and I'm not going to take it anymore.'"
Actually, there was an operating system called Apple SOS. The initial S stood for Sophisticated, though. It ran on the Apple ///.
Apple "SOS". Cute, eh?
http://www.internet-nexus.com/2005_05_22_archive.htm#111706797008800101
He basically points out that a lot of the things the guy says are not Windows specific at all, such as RAM, BIOS versions, different hardware etc. It's worth noting that just because Apple brands a product identically and doesn't tell you what's in it, it doesn't mean it's the same thing (different mainboards for PowerMac systems etc).
My 3D Texturing Skinning work (under construction)
Ever try running Windows as something other than admin?
There are a lot of applications that just won't run.
I've run OS X on my home Macs for nearly 5 years now. (It was my great experience with NeXTSTEP back in '94 that let me know OS X is the only place I needed to be.) My XP box at work crashes hard or needs to be reset by me several times a month. Leaving it on at a stretch, I sometimes see unexplainable lags in responsiveness. It's a painful contrast.
Something that amuses me is the fact that OS X crashes out so infrequently (about once every 18 months) that when it does happen, I immediately assume I must have a hardware problem. That really is a testament to the solidity of an operating system that you might expect the hardware to go before the software crashes. And that's not to say I've had any hardware issues to speak of (outside of dropping an iBook onto a tile floor...)
Windows (and Linux) folks are really missing out, in my somewhat humble opinion. I'm most content with my G5, iBook, and new Mac mini.
blakespot
-- Heisenberg may have slept here.
iPod Hacks.com
I do use a 2003 Server at home and at work and I have yet to have a single virus or malware infection. I do apply patches, run a firewall etc.
Yes, it is possible to set it up such that you can execute remote content automatically and get infected. But it is also trivial, and now it is a default setting to configure it NOT to execute remote content. Since Mac can not run that content anyway - that will not be a loss of functionality compared to a Mac.
P.S. I do like Macs, especially their laptops. If I was back at university doing physics data analysis that would be my platform of choice nowadays instead of Linux. But I definitely do not feel a pressing need to switch from 2003.
<^>_<(ô ô)>_<^>
PS Woz was the hero.
We are talking about Macs. They have nothing to do with Steve Wozniak. Not only was he not on the Mac team, he wasn't even part of the company anymore when the Mac was being invented.
Woz is also a hero, but has nothing to do with the topic at hand.
XP SP2 and 2003 SP1 include firewall, monthly spyware scanner and reasonable default settings for executing remote content (as in - don't) that make an infection an extremely unlikely thing to happen.
You do not need a third party application to give a Wintel box a much better than basic level of security. That is a fact - and watch that getting moderated down on this forum.
<^>_<(ô ô)>_<^>
The Google toolbar 3.x on IE will check spelling as well.
I guess that's something to say about firefox, not the pc in general.
Yes, every Mac (and Mac OS X) ships with Apple's XCode. From my experience it is an amazingly powerful and easy to use development suite, the best I've ever used. I only wish I had the opportunity to use it at work.
I didn't like Mac OS X 10.0 or 10.1's look, but since then it's looked pretty good to me. It's worth mentioning there are theme changers available, although I'm not sure how well they work since I've been fairly happy with Aqua. I think there are some alternate themes over at www.resexcellence.com, you might want to start looking over there.
Just wait until it starts auto-correcting and auto-formatting and changing your text to "what you really meant".
Mea navis aericumbens anguillis abundat
And Firefox has a little addon extension called Spellbound that can also spellcheck.
Google toolbar would also be considered an extension...
1. No users ran with admin privileges, ever. That is huge, huge, huge. Even when I was logged in to a dev box, I was not an administrator of anything. We heavily used RunAs techniques for slightly privileged operations.
2. We used group policies to specify exactly which binaries a specific user or group of users could run. This is also huge.
3. ActiveX completely disabled.
4. All web content went through our web proxy, which aggressively filtered out potential problems.
5. Aggressive use of known good machine images. Each machine was literally one of 3 templates. We could log a user off remotely, reboot the box from the network RIS server, reload his/her machine image template, boot back up, log the user back in, and they'd never know that their entire hard drive had been erased, the OS and apps recopied, and reset. That process was an extreme measure, but it took about 6 minutes, start to finish. It was like a slightly longer version of a reboot to users.
Finally, it's worth noting, we never had an anti-virus package on the workstations, only on the mail server to scan incoming and outgoing mail. We used no anti-spyware packages! We ran two eight-hour shifts (big servicing center for a major worldwide insurance company) each with about 50K users. The users had "unrestricted" in a technical sense internet access - outgoing ports were watched but not restricted (we let them have an IM package installed, for those lulls in the action), and everything went through a proxy server, but otherwise, there was nothing stopping them from trying to visit any old dark corner.
Seriously: good IT policy uniformly set across the network (no exceptions for VIPs, the CEO, or the CIO), quality standard hardware, the best software products, and a liberal amount of scripting, testing, and process management. That's all it takes.
The expression you're looking for is "I'd just as soon"
I can state that Apple does indeed take security seriously. Filesystem ACLs, separation of privileges, secure swap, encrypted home directories, and frequent security updates separated from OS updates are good clues that Apple seriously thinks about security features and security of features.
Never ask for directions from a two-headed tourist! -Big Bird
Allow me to be the first one to welcome you to the 21st century. Security issues have changed a little since the late 1990s. Here's a short summary to cover your timejump:
* Fishy sites never turned out to be the major problem they were painted at. While they occasionally pop up as a problem, it's not any widespread trouble because exposure to the mainstream and speed of being shut down are linked very closely.
* Updates have improved considerably, but with them occasionally breaking critical functionality and an increasing trend to faster exploits, they are not as important as we thought they would be. One day soon we hope everyone will be more or less up-to-date, but we fear that by that time most attacks will use either 0-days or social engineering attacks.
* Firewalls are a big seller, but what they actually do for security is pretty tiny. Ever since they became widespread, attacks simply shifted to other channels. E-Mail is by far the major distribution channel at the moment, for example.
Windows is still busy countering attacks that were news 10 years ago. They are about 15 AUs away from facing the challenges of tomorrow.
Assorted stuff I do sometimes: Lemuria.org
I've seen a few comments along the lines of, "who is this guy and why do we care that he switched from PCs to Macs?" While he may be to security what Alvin Toffler is to science, Schwartau has been in the info security business for a long time and has a fair amount of credibility, at least at the boardroom and executive level. So, if /.ers are going to take potshots, let's at least know something about the guy before we shoot.
:)
(Of course, why should we change now?)
Here's some background on Winn Schwartau:
Founder and CEO GetInsightU, Inc., www.GetInsightU.Com
President and founder of Interpact, Inc., The Security Awareness Company. Interpact develops information security awareness programs for private, public and government organizations.
He is the author of "Internet and Computer Ethics for Kids (and Parents and Teachers Without a Clue)" (2001/2002).
In 2002, he was honored as a "Power Thinker" and one of the 50 most powerful people in networking by Network World.
Founder of the InfowarCon conference, www.infowarcon.com.
Has been referred to as "the civilian architect of information warfare," he coined the term "Electronic Pearl Harbor" and was the Project Lead of the Manhattan Cyber Project Information Warfare and Electronic Civil Defense Team.
Books include:
Pearl Harbor Dot Com (2002)
Terminal Compromise (1991)
Cybershock (2000, 2001)
Time Based Security (1999, 2001)
General Abdication (2003)
Information Warfare: Chaos on the Electronic Superhighway (1994, 1996, 1997)
Information Warfare: Cyberterrorism, Second Edition (1997/1998)
He has called for the creation of a National Information Policy, a Constitution in Cyberspace and an Electronic Bill of Rights. He was a contributor to all three of AFCEA's Cyberwar Books (Ethical Conundra of Information Warfare, Something Other Than War and The Carbon Unit as Target) and several international works on CyberWar and Espionage. "The Complete Internet Business Toolkit" (1996) is one of the first books to ever be banned from export out of the United States. His other writings include "CyberChrist Meets Lady Luck" and "CyberChrist Bites the Big Apple," "The Toaster Rebellion of '08", "Firewalls 101" (DPI Press), Information Warfare, (Schaffer/Poeschel, Germany), "Introduction to Internet Security" (DGI/ MecklerMedia), and chapters for Internet and Internetworking Security Handbook (Auerbach). His writing, interviews and profiles have appeared in Orbis, Wired, NY Times, Information Week, Network World, ComputerWorld, Network Security, St. Petersburg Times, Internet World, Virus Bulletin, Security Management, Infoworld, PC Week, plus dozens of magazines around the world.
Although not a hacker, he has been the popular host of DefCon's Hacker Jeopardy for nine years.
- Adjunct Professor: Norwich University
- Board of Advisors: ISAW, Information Security Awareness Week
- Board of Advisors: St. Petersburg College
- Contributing Editor: Infosecurity Magazine
- Contributing Editor: Journal of Information Warfare
- Advisory Board Member: CipherTrust www.ciphertrust.com
- Advisory Board Member: SSI, www.SecureSoftSystems.com
- Editorial Board Advisor: Network Security Magazine, (Elsevier), U.K.
- Contributor and Columnist: Network World (1994 - present)
- Consulting Security Expert: Giga Information Group
- Advisory Board Member: Milcom Technologies
- Advisory Board Member: 1GlobalCity.Com, Inc
- Member, Editorial Board of Advisors: InfoSecurity News. 1990 - present
- Advisory Board Member: Click2Send
- Contributing Editor: CartaCapital, Brazil
- Contributing Editor: Availability.Com
- Publisher and Founder: Security Insider Report (1992 - sold 1997)
- Contributing Editor: Secure Computing Online http://www.secure-computing.com/
- Contributing Columnist: PlanetIT, CMP Publications
- Former Member, Board of Directors: Tritheum Technologies, (company sol
TLR
A man no more knows his destiny than a tea leaf knows the history of the East India Company
Actually, there was an exploit, once.
It was some time ago, and I believe it was the result of a "hack the server, get a prize" type contest.
I'm too lazy to Google it right now but IIRC, the server that was hacked was running the classic Mac OS, WebSTAR, and Lasso, a tool that lets you webify FileMaker databases. There was a vulnerability in Lasso that was used to, per the contest rules, successfully alter the contents of a certain page on the WebSTAR-hosted site.
The prize was awarded, the vulnerability was quickly fixed, and that's the first, last and only time I have ever heard of any server on a classic Mac OS based machine getting hacked.
~Philly
"RAM isn't equal on ANY platform! There is cheap stuff being sold and bought everyday on the Macs too you know. People don't want to overpay Apple for RAM, so they try to get something cheap and WHAM, they end up with problems."
The difference is that cheap RAM is the default for consumers on Windows. Apple tends to use better-quality RAM.
"Last I checked, Apple used the same type of Hard disks as everyone else out there. I could take a HD out of an Apple and put it in my PC and vice-versa. So how is this a "windows" problem?"
First of all, he wasn't bashing Windows, but the WinTel mindset, culture, and marketplace.
He wasn't ragging on the interfaces -- of course you can put an Apple hard drive into a PC.
I think the point is manufacturing quality. Apple's products are a step above what you get in the PC world. They are probably even from the same vendors as the PC products, but manufactured to a higher specification. I don't know this for sure, but it certainly seems to be the case from my experience.
Likewise, you are more likely to get something that is well thought out for use from Apple. Apple desktops were the first ones to have a case which made sense from a maintenance perspective. Macs were the first to include, by default, ethernet cards which autosensed whether it was connected to a hub or another PC. Macs were the first mainstream computer to include a superdrive.
When you buy a Mac, you don't have to ask yourself, "is this going to work reliably?" or "is this going to work like I expect it to?" They have high engineering standards which really shine through on the final product. It's all the little things added up which turns your computer from a hassle to a productivity tool.
Engineering and the Ultimate
Last time I checked, Apple has its share of quality-problems. Apple just recalled loads of iBooks and PowerBooks due to faulty batteries. Before that we have had iBooks with faulty logic-boards, overheating 12" PowerBooks, faulty latches on PowerBooks, Windtunnel G4 PowerMacs etc. etc. If Apple's quality is so high, why do Mac-users recommend NOT buying first-revision hardware?
Lots of people are asking that question when they buy Apple-hardware. No, I'm not saying that their quality sucks. I'm saying that they are not the be-all end-all when it comes to quality.
Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
Install XP, then get back to us. I don't think anyone has had too many problems with Win2k as a desktop OS. I know I haven't. And although XP doesn't crash, per se, it still needs to be rebooted often. I use it at work, and have a nice dual monitor setup. Lots of windows open. But it still needs to be rebooted often either because of security updates (don't you install those? They require a reboot) or because *something* causes it to just come to a crawl. I haven't figured it out yet, and it has happened to me in the past on other work computers too.
No BSOD does not necessarily mean "stable".
To speak to Macs, I just don't get it. I am not saying I don't recognize the quality of the whole package, it just isn't for me. It all doesn't make sense to me. I have a G5 with OSX sitting on my desk at work (for testing out stuff with Mac browsers) and I hate when I have to use it. I just don't like the way it feels and the way things happen on it. It just isn't for me. I can see why some people might like it, but not me.
Personally, I run Linux when I can. It makes sense to me. I know it, I like it, and I am used to it. I can see why everyone wouldn't though, and I am OK with that. I don't have much desire to force people to like what I like. I have no desire for Linux to take over the desktop. I just want to use it. As long as I can do that, everyone else can use what they want. My machine is usually up 24/7. Current uptime is only 9 days, I had a hard drive issue. But it has been as high as the 300s. I find that I usually only have problems upon rebooting, for some reason. But nothing that has happened, and things happen with computers, that makes me want to switch to something else. Linux has made me angry, Windows has infuriated me, and Macs make me feel kind of creepy.
My beliefs do not require that you agree with them.
Okay, call me Kooky, but I don't see where you are going with the IIS thinking.
Take a look at what Secunia has to say about IIS 6.
Then compare it to what they say about Apache 2.0 over the same time period.
I am not claiming great wisdom in this area, but I do know that more little bars on the charts is a bad thing.
No reason to lie.
I can't remember the last time I heard of an IIS hack.
Here are the latest security reports regarding IIS 6 and Apache 2, since Jan 2003 (which is when IIS 6 was released):
Since Jan 2003: 1 of 3 advisories unpatched for IIS6:
http://secunia.com/product/1438/
Since Jan 2003: 2.5 of 24 unpatched for Apache 2 (2 unpatched and 1 partially patched):
http://secunia.com/product/73/
-- "I never gave these stories much credence." - HAL 9000
... and it was this "iPhoto was crashing when sorting only 18GB/15000 pictures and making thumbnails of them" experience, which shook the author to the bone ;-) Otherwise, he absolutely seems to love his Mac (have you RTFA?).
- If it is a simple runnable application, use runas. There are toolkits that don't even need the password to be passed as a parameter.
- If it is a system service, you already have a run-as option. Use it.
It is not as if we are trying to restrict the user, rather restrict the applications that the user runs from doing bad things. Of course, IMO, the best option is to have any program needing higher rights make the OS pop up a dialog asking for confirmation specifying exactly what is needed (special file access, network access).
But the one thing that WASN'T wrong with Macintosh was network security. It was ironclad and simple: Without a correctly-typed user name and password combination and the appropriate privileges to even SEE a volume, you didn't get in. Period. No hacking. No buffer overflows (well--there was one in a third-party server product, but they cleaned that up quick).
The reason the "nightmare" was "completely undocumented" was that it didn't exist.
We have multiple labs with Windows machines here that are for students, who get no admin access. In the main labs there are around 30 apps, mostly specialized engineering apps installed. Now engineering apps are famously picky about running without admin. Some do without complaint, but many won't. They all do in our labs, however. Why? Well when we find an app that doesn't work, we investigate why, what it is trying to do that it doesn't have permission for, and then we give it permission for that.
Number one problem is apps that want to write to their own directory. Users don't have write access to the Program Files tree. No problem, give users write to that program directory. Means they can fuck up the app, but nothing else and we keep logs so we'll know who did it. Next biggest problem is write access to a temp directory other than the one they are supposed to be using. Again, no problem. After that, it's modification of registry keys. Same fix as before, and so on.
That's what the grandparent means by a competent admin. Not that when something doesn't work you throw your hands up and say "Oh well, admin access for everyone", but that you go and find what the problem is and fix it.
We go through similar shit with apps on the Solaris systems all the time. Most of them won't install right off. Their installer is broke, their documentation is poor, their license server conflicts with an existing one, etc. Well there again we can't just give up and not install it, we work out how to fix it, get the app installed and running.
That's our job.
So it's perfectly possible to lock a Windows system down to user mode in a setting where there are admin(s) managing it. Yes, it may take some work, but that's what you get paid for. You can lock it down so that the most a user can do is to screw up individual programs. Well, you just make sure to log all that, and then you can have a little talk with them when it happens.
It's really not that hard.
Sure, the Darwin kernel is Free, but the crown jewels of OS X are not.
First, Darwin is an OS, not just a kernel. And although, no, Cocoa is not open, there are quite a few Apple developed technologies that are open source or standardized.
I can load Cygwin on Windows and run Free software too.
The point is that when you install Mac OS X, you are getting a ton of free (!beer) software already. When you install Windows, that's not the case. There is a fundamental shift here and that's what a lot of us are excited about and willing to support at various levels.
Yes, in addition, I can install a ton of other open source software that includes most of the KDE and Gnome suites. But that's not the biggest deal here.
Still, my complaint with Apple isn't so much about the software. Apple's iron fist control over hardware bothers me more. I know killing the licensed clones was a business decision to save the company. I know the $499 Mac Mini makes this less of an issue. I just prefer more freedom and choice on the hardware side.
I just brought in a 6-ish year old G3 Blue & White for a student to use. It was my home machine for much of that time. Over that span, I installed 4 additional disks, upgraded the video card, installed a 3rd-party modem, upgraded the RAM (3rd-party as well), used a variety of keyboards and mice with it, and installed a 3rd-party firewire card.
Now I'm not going to sit here and claim that the hardware is the most flexible, but I call BS on "iron fist control" over anything but the motherboard. I had a myriad of non-Apple CPU upgrade options over the years but decided it just wasn't quite worth the cost.
And, to hammer this point home on their "iron fist", you know how many 3rd-party drivers I needed to run all that stuff under 10.3? Zero. All included with OS X. ATI occasionally leapfrogged over a system update for a performance tweak, but that's about it. About the only 3rd-party driver I ever needed was for a USB scanner.
Couldn't the same be said about internet browsers? I want a browser to do just that.... browse. I don't need it to fix my spelling, that's what my dictionary is for.
FYI: Spellcheck is not a Safari Browser feature, it's an OS feature.
All OS X apps which are programmed correctly automatically take advantage of the OS X spellchecker for anywhere that standard text is going to be entered by the user. If I type something as truly stupid as "donesn't" in mail.app, a textbox in safari, or anywhere else, OS X will underline it with the squiggly red "you are a dumbass" line, and I will see it before sending it off.
For shitty typists like me, it's a terrific feature.
Information wants to be anthropomorphized.
You can use third-party apps to do it if you don't like the default look:
[unsanity] ShapeShifter - Unsanity - Makers of Haxies, small useful utilities that enhance and redefine how Mac OS X works.
Personally, I tend to change themes from time to time, and wander back to Aqua from time to time, but it's nice to be able to switch if I want to. Too bad too many menus etc. have hardcoded black letters and icons that assume the background is white and thus break dark themes.
i am a soviet space shuttle
Windows autocalculates the subnet when you type in an IP. I've never seen it guess wrong.
We give out 64.x.x.x IPs. They need to have 255.255.255.0 subnets the way our DSLAMs are set up. It's a class A IP though, so it autocalculates 255.0.0.0. However, we have a few 216.x.x.x IPs also. And while I don't see so many of those, I distinctly remember the customer saying "it already has 255.0.0.0 in there". The first is dumb, even people with 1.x.x.x - 126.x.x.x IPs are rarely on a network segment with 16 million other hosts. On the latter, it's just plain wrong. Score 0 for M$.
IPv6?? ROFL. That's just a lie. I've never seen any PC that didn't have just one TCP/IP stack per interface on a default install.
New Dells. Has happened too often for me to chalk it up as a fluke. And it doesn't also include IPv4, it only has one. The wrong one. Score 0 for Dell.
typing the dots has no effect because MS assumes that you are typing the dots and moves the cursor to the next octet when a dot is typed.
Confuses the customer. If it's already there, they don't have to type it. When they don't, then it bitches about invalid octets. Score 0 for M$.
start menu -> control panel -> network connections -> MENU -> view -> details
Wow, yet another way to do it. That's exactly what I need. Time will tell if this one is consistent, or inconsistent like the others. Judgement reserved.
When you click "use the following IP address" it doesn't let you obtain dns automatically. It unghosted all the fields, not just some of them.
Then why does it have another radio selector? I only mentioned it because it sometimes seems to work, other times doesn't. If the top radio button set does, why put the other in there to confuse the casual user? Score 0 for M$.
of course on linux you can enter commands to change just about everything so that is, in your world, the easiest because I could just say ' ifconfig interface XXX add x.x.x.x netmask x.x.x.x ' or some such similar thing.
Yeh, nice isn't it? A single command, that nails 3 of the numbers right away, and only one more to add the nameservers to /etc/resolv.conf. I bet that would even beat the 3.5 minutes it takes for me to help an OSX user configure their machine...
Score 1 for unix.
I was just going to say that. Here's the link for those who are lazy: Spellbound
I think really it boils down to the experience. The average people don't want to know how the computer works or why it works or anything about it, they just want to use it to get info. They don't want to worry about virus scanners or pop-up blockers or spyware. You may not have any security problems, and your friends may not have had security problems, but there are hundreds of thousands of compromised Windows boxes out there filling up our spam boxes. I'm not anti-microsoft, I'm just an advocator of doing it right. In all honesty, I hope MS copies the hell out of Apple and does it right too, then we can all just sit and bitch about how things were copied instead of trying to say "My insecure OS is secure as hell, honestly! And stable too!"
They hide it in XP Home, but you can still do it from the command prompt. Run cmd, then type:
cacls /?
That should tell you what you need to know to set the permissions. It'll probably be something along the lines of:
cacls "c:\program files\worms2" /t /e /g computername\fredrick:C
Be civil to all; sociable to many; familiar with few; friend to one; enemy to none. --Benjamin Franklin
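The approach from the lab-admin comment and the cacls comment above (give users write access to the one program directory and keep logs of who changed it), as an added example that is not from any poster in the thread. It uses PowerShell's Get-Acl/Set-Acl rather than cacls so the audit entry can be set as well; the path is the one from the cacls comment and the group name is an assumption.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
# $AppDir is the directory named in the cacls comment; $Group is an assumed principal.
$AppDir = 'C:\Program Files\worms2'
$Group  = 'BUILTIN\Users'

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

if (-not (Test-Path -Path $AppDir -PathType Container)) {
    throw "Application directory not found: $AppDir"
}

# -Audit loads the SACL (audit entries) together with the DACL.
$acl = Get-Acl -Path $AppDir -Audit

# Modify covers read, write and delete. It does not include changing
# permissions or taking ownership, so users cannot widen their own access.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]'Modify',
    $inherit, $noProp,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($allow)

# Record successful writes and deletes by that group in the Security log.
# Events are only generated when file system object-access auditing is
# enabled in the machine's audit policy.
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    $inherit, $noProp,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($audit)

Set-Acl -Path $AppDir -AclObject $acl

# Check the result: the group should hold write-type rights on the application
# directory only. Any row for the parent directory means the grant is wider
# than intended.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
foreach ($dir in $AppDir, (Split-Path -Path $AppDir -Parent)) {
    (Get-Acl -Path $dir).Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band $writeMask)) -ne 0
        } |
        Select-Object @{ n = 'Path'; e = { $dir } }, FileSystemRights, IsInherited
}
```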
Guess what it installed? IIS.
I'd hardly call "in a default install" having "to go out of your way to install IIS."
"City hall" in German is "Rathaus" Kinda explains a few things......
Though the standard Mac mouse is only one button, Macs can use multibutton mice. Apple even sells them. They also sell scrolling mice.
Falcon
Should there be a Law?