Slashdot Mirror
BBC Writer Responds To Mac Security Critiques
minimunchkin writes "BBC Correspondent Bill Thompson responds to the flaming he received for an article on the vulnerabilities in Mac security. He knows that there are no Mac OS X viruses in the wild, and he doesn't believe there ever will be." From the article: "However the wider point, that there are exploitable vulnerabilities and sometimes Apple puts them there, remains. Even if I'm careful to apply updates when they are made available, some people might not and their systems could be compromised. And there is always a gap between the discovery of an issue and an available fix, a gap which could be exploited. "
Mac users demonstrate an indefensible smugness when it comes to the dangers of having their systems compromised by malicious software and opened up to exploitation by others. It's time they started behaving a bit more responsibly.
Dear Mr. Thompson:
When you accuse several million people of demonstrating "indefensible smugness" based solely on the type of computer they're sitting in front of, you must certainly expect something of a backlash from those of us who do, in fact, take security seriously. When you tell the likes of systems administrators and security experts they should behave "a bit more responsibly", they're rightly going to tell you to go piss up a rope.
On the Internet, we refer to people who make statements such as the one quoted above as "trolls". Engaging in this type of behavior is generally frowned upon. For example, if I were to say "this is the sort of idioctic drivel the world has come to expect from those effete Brits," I, too would be guilty of trolling and would receive untold amounts of well-deserved invective from the readers of this post.
Fortunately for me, I know better than to make such outrageous statements.
Obliteracy: Words with explosions
Agree here. Even trying to cover this subject in "vendor neutral" manner, pointing out the pros and cons based of what the need or usage of the system would be, still be like the white guy.
But spyware and keyloggers are written for Mac OS as for other Unixes, and could be installed on a compromised system by a worm or even by a Trojan that is installed with user permission.
Gee, who would think? This statement gives the impression that Unix is especially vulnerable to this issue and that there is some solution to this problem. The fact that Unix's user segregation is one of the cleanest and most secure out there obviously doesn't factor into his security assessment and what I really wonder is what his suggestion for changing this "vulnerability" is. If he's looking for a technical one, I think he'll be looking for a while, since there is none. The human is always a security risk on the system. The question is only to what degree. Technology can help minimize the damage but in the end, it's always the same problem.
Please don't misuse the word "troll". Like it or not, he is pointing out a very serious issue that affects all operating systems, be it Windows, Mac OS X, OpenBSD, UnixWare, OS/2, MS-DOS, VMS, or basically any other operating system.
Frequent updates are necessary, especially when it comes to networked systems. Concurrently, many users (even experienced administrators) fail to keep their systems patched and up to date, be it for a lack of time or due to financial constraints.
Remember, Mac OS X is often targetted towards more inexperienced users, or those who just want a system that works. For the most part, that is true of Mac OS X. It does often just work. But likewise, it is necessary to keep it updated.
Now, he isn't a "troll" for pointing out that very real, very serious fact. Sure, it might have angered some people, but that's not his fault in any way.
If your doctor were to diagnose you with AIDS, and you did indeed have the syndrome, he would not be a "troll", regardless of how much you were angered by his diagnosis. In much the same way, this BBC author is not a "troll".
Cyric Zndovzny at your service.
Just because a legitimate, completely truthful opinion angers some, it does not make the opinion "flamebait".
Words like "flamebait" and "troll" are most often used seriously by those who are trying to incite trouble amongst people who are pointing out real, solid facts.
We see this today in the media, where various governments label their opponents as "terrorists". Of course, in many cases those governments are partking in the very same actions that may be construed as "terrorism".
These sorts of labels are useless just because they are misapplied so often, by so many different people and groups.
Cyric Zndovzny at your service.
And yet, being a white male in a discussion about discrimination does not necessarily make your position incorrect.
But those Microsoft advocates - GOD.
Web 2.0 == Giant Blogspam Circle Jerk
is that nothing is perfect. We flawed humans created flawed machines and flawed software. No matter what OS you run there will always be flaws that someone could exploit. I use Macs but I certainly don't count on OS X being secure enough for me to connect to the internet without using a correctly configured firewall.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
The whole matter of computer security comes down to make sure your system is just a little bit harder to exploit than the one down the street. Apple has done this. Microsoft systems are much easier to gain control of than just about any other system out there. Mind you that there are Microsoft Windows systems that are very secure. The admins on those systems have take the time to patch the holes and take measures to secure those systems. Is this true of all Windows systems? No. Are all Apple systems secure? No. It comes down to how much does the end user of that system care about security and how much time, effort, and money do they want to expend securing the system. This is true of all systems.
As another poster wrote the orginal article is at best flamebait.
It's not appropriate to generalize about UNIX these days, considering how many different UNIX-style systems there are.
Linux might be vulnerable in one case, while Mac OS X, UnixWare, FreeBSD, Solaris, AiX and other such systems are perfectly safe. Likewise, Solaris might be affected, while the other systems are not. And so on, and so forth.
Now, various UNIX-like systems have run into problems in the past with regards to security. Thanks to the relative degree of fragmentation, such incidents are usually isolated to a particular brand or product, and thus do not appear overly severe. But they still do exist, and we shouldn't forget that.
As users of UNIX-like systems, the best thing we can do for ourselves is always remember that our systems are vulnerable, even if they are often of a higher quality than other systems.
Cyric Zndovzny at your service.
Discrimination against white people is still discrimination even if they are the majority. Please read the Civil Rights Act of 1964, it says it is against the law to discriminate against race, religion, creed, color, national origin, and gender. It does not say that only minorities are covered and majorities are not.
Martin Luther King Jr. talked about everyone being equal and everyone being friendly with each other, not just minorities. He said not to judge someone by the color of their skin but as individuals. Discriminating against white people goes against MLK Jr's philosophy, and against the Civil Rights Act of 1964.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Firstly, saying that vunerabilities exist is akin to saying that there are bugs in someone's software. You're just about guaranteed to be right.
Smugness, I'm not sure about (I'm a linuxite). Certainly there is something that most Windows users don't experience, and that is actual *enjoyment* from their OS. Microsoft has never tried especially hard to make their OS enjoyable, only usable.
Would things be different if OS X were the predominant OS? Without doubt. However, OS X, both the kernel (Darwin), and user interface, have been precisely engineered. Windows, one might argue, more evolved. They claim complete rewrites of the OS occured, but I'm willing to bet tons of code was copied-and-pasted in the process.
This does not guarantee it is fool-proof. Only time can tell that. But I would be willing to hedge a bet that less exploits exist for OS X than for Windows.
Invariably the security of your data is dependent on the security of your OS. If you have some wonderfully encrypted data files you have to interact with them via the OS. So somebody exploits a vulnerability, you end up with a key logger on your machine, and now your intricate password to protect your encrypted files is forfeit.
As for the article's conclusion that viruses are unlikely, I think he's wrong. What makes Unix safer from viruses, etc, is the isolation between user level activity and administrator activity. Thus while one account may be compromised a whole system isn't. So this makes it harder for viruses, but not impossible by any stretch.
For example, a virus can be destructive without becoming root. It can, as you allude to, attack only your data, instead of a whole system's data, but in the end, it's still your data getting corrupted. Furthermore, most of the exploits I've seen of Linux systems involve taking a non-root exploit and then using another vulnerability to make it a root exploit.
Something else to consider on OSX is the sudo. As I understand it, any user on an OSX system can use sudo. So, if an exploit can gain user level privleges, it can then use social engineering, keylogging, etc, to gain the users password and then, in effect, gain root priveleges through sudo.
What protects OSX for now is that it has a smaller share of the market so there are less people trying to exploit it. Eventually if OSX gains market share, then there will be far more incentive to write malware for it. Certainly it will take greater skill to exploit OSX and it will be easier to defend against those exploits, but it only takes one clever hacker to completely ruin your day.
This sig has been temporarily disconnected or is no longer in service
The Slashdot story is misleading by saying "[Bill Thompson] knows that there are no Mac OS X viruses in the wild, and he doesn't believe there ever will be.". Actually Bill Thompson thinks it is possible but unlikely, quoting TFA: "I don't believe that Mac viruses already exist, and I think it's very unlikely that they ever will."
There is a big difference between saying "I don't believe in <foobar>" and "<foobar> is very unlikely". Such subtle differences in phrasing totally explain why some people agree with Bill and some others disagree.
OS X and Linux are currently less popular. This means they will be infected with less stuff. They are gaining popularity, though slowly. However, becuase of the nature of open-source software, patches can be applied every time there is a new vulnerability discovered or exploited, so that by the time it is a really big target most of the obvious problems will be fixed. At least that's the theory. I've heard that one current example of this is the fact that MS IIS is a fraction of its market compared to Apache, but that IIS gets a disproportionately large amount of attacks compared to Apache (which receives a very tiny number of attacks).
The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
On a planet far far away live two races of people; The Gatesians (who make up 90-95% of the poulation) and the Jobsians (who make up the rest).
The Gatesians have weak immune systems and frequently suffer from viral and bacterial infections, often necessitating a hospital stay. The problem is so bad that almost all Gatesians wear face masks and rubber gloves, use copious amounts of anti-bacterial soap, sterilize all items they come in contact with and get immunisation shots on a weekly basis. And despite all this they continue to get sick.
Jobsians, on the other hand, have very strong immune systems, so strong that no Jobsian has gotten so much as the sniffles in the last few years. Many Gatesians make the claim that the Jobsians don't get sick simply because there aren't enough of them for an infection to spread. The Jobsians point out that there are no known viruses or bacteria that affect Jobsians (the odd rumoured virus built in a secret government lab aside).
A few scare mongers (like Bill Thompson) like to argue that the Jobsians need to take the same precautions against disease that the Gatesians do and that if they don't if a virus or bacteria that can infect them ever shows up will wipe them all out. For the most part the Jobsians just ignore the ranting and get on with enjoying their carefree life and laugh at all the sneezing, coughing and hospitalized Gatesians.
"Grab them by the pussy" -- President of the United States of America
It is also worth noting that "if Macs were as popular as Windows" is one of those hypotheses contrary-to-fact; perhaps, if that were the case, OS X would contain further safeguards. Perhaps Apple would bundle their own antivirus software, and perhaps it would work, and perhaps it would not pester me for yet another year's subscription to continue my protection. Perhaps they would release that information on an RSS feed, and perhaps they would propagate it via a peer-to-peer network. If I can assume that pigs fly (that a false thing is true), there's no limit to the possibilities. We can argue endlessly about what might be; what is, is an OS that is more secure by design (never had ActiveX, root privileges require a password for each activation, ports kept shut by default), that has not been host to anything like all the vermin that infest and attack Windows boxes.
...was that Mac users are smug and complacent, that they are ignoring their vulnerabilities. To wit, "I worry that we do not take security seriously enough as a community."
What, pray tell, are Mac users *not* doing (in their complacency) that they *should* be doing? Are they not updating their software as often as other users? Do they not run firewalls? Do they not backup data? Are they not spending millions of dollars for security software? Are they somehow *more* complacent than other users?
Where's the data? Whose *scientific* survey or research was quoted?
This is just another example of shoddy I-got-a-deadline tech journalism. The reference to the SANS trash should be enough to tip you off. If he really wanted to do the Mac community a service, he could expose the security software ripoff that's been sucking millions from Mac users for years to protect them from ghosts and goblins.
This is the original sin of mac users. I myself, a mac user, have told someone that it is okay to open an email because they are using a mac. Security needs to be an important consideration in all computer use. In the same way that the /. community has imposed upo the world that good passwords are important, we must impose that good security practices are important.
[Apple and Microsoft both] pursue that old-fashioned model of closing their codebases and asking developers to sign NDA's.
Um... Microsoft doesn't open source the basis of their OS. Apple does: http://developer.apple.com/darwin/.
Since "mission critical applications" are likely to be built on lower layers of the OS, I'd expect them to use Darwin directly, rather than OS X. Is it possible you are wearing open source colored goggles that distort your vision?
is like being a white male in a discussion on discrimination
It's fairly easy, actually. For example, prostate cancer kills about as many men as breast cancer kills women, and yet breast cancer gets 3x the funding. Or how men make up at least 35% of the victums of domestic violence, and yet receive virtually no funding, no outreach, and no respect.
Oddly geeks and nerds are not protected classes in discrimination laws. Perhaps they should be, but no law that I know of has been passed to protect them.
It's actually strange to me when people are banned from discriminating by religion but not by other beliefs. For instance, I can refuse to hire someone in a stock market job because they believe that analog cameras are worth investing in, but I can't refuse them because they believe in the bible (in my mind showing that they have no interest in scientific method, perhaps essential for stock trading).
I would rather the laws stop discrimination against phyiscal attributes only, rather than beliefs or other vague things that are hard to define.
"Being a Microsoft proponent in an argument about operating systems is like being a white male in a discussion on discrimination."
You are incorrect. Being a Microsoft proponent in an argument about operating systems is like being a Nazi, KKK member in a discussion on discrimination. White males are born that way and in no way predisposed to being racist. People who argue the superiority of Windows have made a choice to use and extoll that OS.
People who argue Windows is superior are like KKK members, generally misguided and misinformed. I'd also like to say that as a white male, I've had plenty of discussions about racism and I've noticed as many black people who are racist as white people.