Slashdot Mirror
Windows vs Mac Security
sdhorne writes "There is a good technical discussion over at InfoWorld on the merits of launchd and what is lacking in a comparable Windows secure solution. It is a throw back to the UNIX vs Windows security discussion that has been hashed out for many years." From the article: "it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners. Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through .Mac, and launchd. Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down."
Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down."
It seemed pretty wello written. That said, I which he would have said a little more about launchd, at least enough to explain why it gives OSX an advantage. It would have also been nice to have had some kind of side-by side comparing Windows and OSX, like how the windows System pseudo-user trumps the admin user, and how there is not way to trump the OSX root user.
Why this can't happen under OS X:
I don't know if I'd go that far. OSX isn't 100% immune - it just has more common sense.
"We are all geniuses when we dream"
- E.M. Cioran
"Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down"
I would have though "(almost) no viruses" would have done the trick since OSX came out...
Or, we don't effectively force everyone to run as super user all the time - if you prefer
*''I can't believe it's not a hyperlink.''
Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through.
Don't you think that if Microsoft offered this that everyone would cry monopoly? Actually, I've seen other people on Slashdot cry this before at the announcement of Microsoft's OneCare program, which isn't even bundled with the OS!
What's worse than finding a worm in your Apple?
Finding half a worm in your Apple.
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
It always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners
So if they bundled everything you list (anti-virus, anti-spam, encryption, etc.) into the operating system, you don't think they'd be accused of illegally leveraging their monopoly advantage? Just look what happened when they integrated a web browser into the OS a few years ago.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
Anyone notice the link at the bottom of the article?
Links to slashdot submit article. http://slashdot.org/submit.pl
Cute.
I wonder if they would have been slapped with an antitrust lawsuit if they incorporated antivirus in the OS. It certainly would of had a big impact on the antivirus companies.
Maybe with apple incorporating it they have the green light to go ahead with it.
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
I'm no network admin, but all I know is since I switched to Mac I have no Norton or Symantec software running and there's no signs of threats anywhere. boxlight
If you don't count a trojan as a virus, then you don't need an anti-virus if your OS is secure. Apple can work on securing its OS or on an anti-trojan, but any effort spent on an anti-virus is wasted.
Let me pre-empt OSX virus discussion. chanted like "tastes great, less filling" Still Vulnerable! Third Party Drivers! Still Vulnerable! Third Party Drivers! Still Vulnerable! Third Party Drivers! And back to actual security discussion...
Was I the only Mac user who didn't know what launchd was off the top of my head?
In Mac OS X v10.4 Tiger, Apple introduced a new system startup program called launchd. The launchd daemon takes over many tasks from cron, xinetd, mach_init, and init, which are UNIX programs that traditionally have handled system initialization, called systems scripts, run startup items, and generally prepared the system for the user. And they still exist on Mac OS X Tiger, but launchd has superseded them in many instances. These venerable programs are widely used by system administrators, open source developers, managers of web services, even consumers who want to use cron to manage iCal scheduling, and they can still be called with launchd.
The launchd daemon also provides a big performance boost to your system. At any given time, only those daemons that are actually used are launched; combined with the fact that daemons can shut themselves down and be relaunched as needed means that you can reduce the average memory footprint of the system.
http://developer.apple.com/macosx/launchd.html
Soccer Goal Plans
Macs are based on UNIX. It's not faked to appear like UNIX, it is actually UNIX. The permissions system means that a common virus could damage a user's home directory, but the system for the most part would remain unaffected, including other users. It is still possible to write root-kit style viruses that take advantages of subtle bugs in the operating system and other software to gain control of the system, but this is significantly more complicated to do, and IIRC it was Theo from the OpenBSD project who said that attacks like this require many steps that often must take advantage of many vulnerabilities to elevate priviledges, and by fixing even one bug, a whole category of vulnerabilities (even if other bugs remain) becomes inaccessible to a would-be attacker. This, in addition to much of the code underlying OS X being available for hacking up by anybody, in addition to other projects actually hacking on this code (improvements from projects like Samba, Apache, GCC, FreeBSD, even various Linux projects, make it into Darwin and OS X.... and most of all the fact that users don't run as administrators, all of these reasons make it much less likely that viruses could be as damaging as on Windows.
Lets see a goofy bar at the bottom of your screen that acts as a terrible task manager (OSX). I mach kernel and freebsd kernel combined to give extra slow performance(OSX)
Or spyware, memory hogging anti-virus software and overall fisher price ugliness with an evil registry(Windows)
I don't know which one is worse, secure or insecure; however steve jobs has been mentioned as a possible candidate for the anti-christ (I think david hasselhoff is a better candidate though).
but what do I know I compile all my software like a lunatic...I have tried to switch from gentoo, but they put something in my water...I enjoy it too much..
Math
He seems to argue that Windows is less secure than OS X partly because if your Windows system gets infected, you can't trace the source of the problem, but with OS X you have a better chance of doing so. However I think this is the wrong thing to emphasize. If a piece of malware gets true root access on a system then it can do what it likes, including loading new kernel modules to hide files in the filesystem and so on. It's only lack of skill by some rootkit authors that make them detectable (so in effect, it's security by obscurity; there's a good argument that operating systems should make it as easy as possible to do such nasty things once you get root, so nobody will be tempted to think 'such things are only theoretical').
Now he does mention that most services on OS X don't run with unrestricted privileges, so there is much less chance of malware getting root *in the first place*. This is the important thing to emphasize - not what to hopelessly fiddle with once you are already 0wned.
I guess by root I don't necessarily mean what OS X or BSD or even Linux call root, but the classical Unix notion of the Almighty user who can do anything. Many BSDs have securelevel settings meaning that even root is restricted from doing certain things.
-- Ed Avis ed@membled.com
Read the sig you know where I stand. But at least this is not another security through obscurity piece. He does do a decent analysis of Mac OSX unix sub-system and makes a good argument of how it is inherently more secure.
You don't have to be smart to use a Mac, you just have to be smart enough to buy one
I think this tension is impossible to avoid with proprietary software. Think about it for a minute: you can either dominate with an incomplete and insecure solution (so as to avoid monopoly programs), or you can be the complete-yet-far-less-popular alternative who avoids the monopoly accusations due to inferior market share.
A company that assembles a complete, secure, and free package won't have to choose one of these routes. Unfortunately, security and freedom don't guarantee adoption.
>[...]it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners.[...]
What bizarro-universe is the writer living in to write something so patently false?
Microsoft's Standard Operational Procedure is to wait-and-see which niche is picking up enough importance (and we all agree security is a major one this decade, right?) and then cutting off that vendor(s) oxygen by coming up with their own "superior" (guffaw) solution which MS gives away for free, next to nothing or by marrying it to some essential O.S. component.
Another piece of Microsoft-propaganda no doubt.
Sell it elsewhere, chum. I'm not interested in reading anything else you've written if this quote is representative of the drivel you are putting forth. Thank you.
Good artical, however I think the point is realtivly mute. It is true that currently OSX by default is less stupid then windows. However, I think it is truely the end user that decides how vulnerable a system is by what they do with that, OS independent, I could have a XP, OSX, and lets say Mandrake box, and they could all be equaly vulnerable depending on what I have done with them. With a straight base install, I would say windows would be at the bottom of the list, however, after you install a few firewalls on that box, put it behind a router(includes it's version of cheap firewall) it becaomes safer.
:)
So, I don't think out of box security has much importance as whether or not the person using it does. If you browse less then reputable sites you will get attacked, and no mater how good your secruity is some will slip through. So the key is, don't connect your box to the NET
I think the conclusion that he draws is probably correct, but he doesn't really seem to explain why. The reason that systems like OS X and Linux are safer than Windows is not that launchd runs a shell, but that both Linux and OS X tend to run processes that don't need privileges as root.
This is a substantial win. However, if you manage to compromise a process that is running as root, you do have full control of the machine, and you can install your own privileged software on the machine without an authentication prompt appearing on the console.
Also, most of the man pages on OS X are woefully out of date, so giving the existence of these as a reason for why security is better on OS X is unfortunately a cruel joke. Third party apps from the Open Source community do often have better documentation, but the basic man pages from OS X are often years out of date - this is one of my pet peeves about OS X, I will admit.
It sounds like the hack he's describing occurred because he'd installed third-party software that ran as a service with an open port, as SYSTEM (i.e., with full privileges) and that took over his machine. The reason this is less likely (not impossible, just less likely) is because if you are running a third party server process on OS X, it's probably a piece of open source software like Apache, which has been vetted to within an inch of its life, because it is open source, and the many people who care that it is secure have the freedom to check that it is secure. And it probably doesn't run with full privileges, as the author says.
Anyway, like I said, he's right, but his reasoning is a little foggy. And it's important to be aware of the ways in which it's foggy, because this is your best chance of avoiding having your machine hacked.
Conceptually, I agree that LaunchD is a really slick idea and I really hope Linux and the BSDs take a good hard look at this code and the possibility of adopting it. That said, it is not a security panacea by any means, just one more clean, sensible implementation that leaves less room for a vulnerability. The thing that makes me hesitate to laud this feature, however, is the implementation. Apple has a lot of smart people working for them and a lot of old school UNIX geeks to whom secure programming is as natural as breathing. They also have a lot of coders and managers who realize that OS X is not a primarily security minded OS. Sure, it is better than Windows and on par with a desktop Linux distro, but it isn't a locked down OpenBSD install or a super secure Linux distro. They don't focus their efforts on security and it shows sometimes when they introduce new code. LaunchD replaces a number of time tested bits of code and while it is (IMHO) a much cleaner, nicer design I haven't a clue about how well written and tested it is, especially from a security perspective. I'd feel a lot better about claiming it as a security feature if I knew some white hats had pounded on it for a while and exposed anything Apple did not bother to think of. I'd feel a lot better if the OSS community in general jumped on it and adopted it, thus helping with this security testing and adding more eyes.
I like LaunchD. I like OS X as a desktop. Lets just not get carried away here with random claims about security. OS X is inherently more secure than Windows, but that really isn't saying a lot. I'm not willing to just assume LaunchD is secure in and of itself, let alone that it will play a big part in securing the OS as a whole.
Windows has a lot of holes, sure. but ~95% of the people who use computers, use windows. including people who want to damage it, and just piss people off by sending out malware, and hacking the crap out of it.
If OSX had that kind of a market share, youd bet your ass that everyone would be breaking down its walls, in exactly the same way.
Lets say you want to create a virus, or an annoying spyware/malware thing. Would you rather it effect Apples measly market share, or Microsofts dominant machine?
Most mac users are just as dumb as most windows users, they just tend to have some sort of superiority complex. Ive worked with os9, osX, and windows, and theyve all got their major and minor flaws, neither is really better than the other, from a sheer 'does this work' standpoint.
being offered as a "reason why OS X is more secure than Windows."
The article claims that Administrator on Windows is equivalent to root; and that SYSTEM is more powerful than Administrator (and by implication more powerful than root). This is nonsense.
Administrator is indeed less powerful than SYSTEM. However, Administrator is equivalent to a user on the sudoers list and/or with group write access to system directories. SYSTEM is the correct equivalent to root.
We may quibble about how well Administrator accounts are protected from trojans; or whether non-Administrator accounts on Windows are of much use; those are valid arguments. However, claiming that, somehow, SYSTEM on Windows is magically more capable than root is ridiculous.
If anything, Windows has a somewhat better design in that it is possible to set up privileged accounts with a specific power that only root has on UNIX, yet not have any of the other root powers. However, this capability is quite underutilized, and in many ways is undermined by other (unfortunate) decisions that Microsoft made.
--- What?
If anyone believes the security holes are due to truly insurmountable hurdles, I've got some property for sale. It would be interesting to note how many physical document seizure warrants have been issue since MS Operating Systems became so prevalent in the corporate world. I'll bet the number is substantially less than before, even without accounting for the increased volume of business focused cases.
The simple fact that is obvious to most is that MS is government granted monopoly. The grant is not explicit, but rather contingent upon deep cooperation in monitoring business activities. Why else would one company be allowed to wield so much influence and determine the fate of every nontrivial business in the US? Microsoft is heavily involved in the success or failure of every significant business in the US.
With lots of propaganda, people in the old Soviet Union also believed the state owned companies were the only ones due to inherent superiority. MS is the US version of the Soviet state-owned telephone company - all communications must route through it.
"...it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners."
Since when has this been a "policy"?
With the DOD recommending that folks update their Windows PC's in the interest of National security, I don't think the same Government would launch an anti-trust campaign against Microsoft for including security tools in-the-box. If that were the case, Windows Vista with its built-in anti virus/anti-phishing/anti-spam/encryption/backup and a slew of other tools would be in real trouble and would ship late...
Oh wait...
In any case, I reckon the reason MS did not do security work until recently was simple economics. Folks bought the software anyway, so there was no incentive to spend up to 20% more on engineering costs with little return on investment. As security becomes a more mainstream topic, consumers and businesses are taking notice. Many corporations, including Microsoft, realize that there is money to be made in security.
As a network administrator I fix MS OS's daily. I run OS X @ home on my G5 which has pleased me greatly.
Which is more secure? None of my clients have ever been hacked in the traditional sense. What does happen is user error and poor backup solutions. You can't protect people from stupidity or malice.
Eighty percent of my user's problems can be solved by disabling their Internet Explorer and disabling personal email access.
The real solution is to enable, like every other decent OS, a limited account and make the "run as" a permenant feature. Everyone runs with local Admin rights and that is bad, in terms of security.
Hell, I'd love it if MS released a "security patch" that would disable adding items to the HKLM/../Run w/o a password. That's just plain stupid.
The malice that exists preys upon weak systems and stupidity. MS can help but it'd require some education and with the release of Vista, it's about time we do away with "always-local-admin" rights.
As long as corporations confuse interoperability with "windows compatibility" the scam will go on. Only when the commercial user who forks over billions of dollars to MS every year demand true interoperability and injects real competition, it will end. There is no advantage in being the first among the users pushing for it. Pepsi will not care as long as Coke is also spending relatively the same amount of money for similar services. But someday somewhere some corp will bite the bullet and spend what it takes to break the vendor-lock in, and only after that the security situation will improve.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Er... "monopoly programs" should read "monopoly accusations". Go brain function!
"Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through."
I had a look at this page:
http://www.apple.com/macosx/techspecs/
I didn't see any mention of an anti-virus app.
Did I miss something?
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners. Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through .Mac, and launchd. Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down.
No, it's more like anti-trust policy prevents Microsoft from doing these things.
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Vista (whenever that gets out..)
I am the maverick of Slashdot
maintaining gaps in Windows security to avoid competing with 3rd party vendors
Whoever dreamed up this rationalization is gifted.
The holes are there by design. As in security wasn't a part of the overall design. I would argue that it still isn't.
Like all the versions that have come before, "It's more secure" for about a week after launch and then I'm back to cleaning out infected PC's. This works out great for me because it's my job. Personally, the people that take my advice to switch -always- thank me later for making a switch.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
offsite safe storage through .Mac
dot Mac is not in any way secure / "safe storage". Unfortunately I bought a subscription before I realised how dangerously unsecure it is. When I started to configure Backup, I thought I'd do some digging first to see what was going on. It turns out that credentials are sent in plaintext. Communication between the user and mac.com is not encrypted. Storage on iDrive is also not encrypted. Backup archives have no encryption.
It's completely wide-open to snooping attacks, and nobody should trust anything to it besides their weekly grocery list or other documents that they don't mind any snoopers (wireless interceptors or Apple employees) from freely browsing. I expect a major security breach is inevitable.. it's just a matter of time. It would take one person with a wireless snooper at Macworld, gathering hundreds of juicy high-profile targets to mess with - and dot Mac will be destroyed by a torrent of negative publicity.
Of the entire Apple product range, dot Mac is the one that is most stuck in the early 90's. It works.. but is a severely inadequate solution.
Apparently this guy had the experience switching from Mac -> Windows and see what happens. A lot of people say it has to do with market penetration (Thanks to the M$ FUD) but nothing is less true. There are far more hosts running on any flavor of Unix or using the GNU tools or somewhat compatible tools for that matter than Windows hosts connected to the Internet.
The biggest flaw in Windows is stuff running as SYSTEM. Try this in Windows: schedule a command in a terminal to run cmd.exe the next minute using the "at" command. As you will notice, you will get your cmd.exe... running as SYSTEM. You don't even have to be a very privileged user to do that, kill your own explorer.exe and start explorer.exe in that cmd.exe you have and guess what: you're running your system as SYSTEM. This would be like running Bash, KDE or Gnome as root, although possible, you can't elevate root out of standard user rights. Same thing for hooks into IIS (.NET) or any other application, they can all elevate to SYSTEM without too much trouble. Would be like suggesting to run Bind or Apache as root, and as any Unix guru would say: Blasphemy! Blasphemy! and you would feel the vibration of Rich Stevens (http://en.wikipedia.org/wiki/W._Richard_Stevens) spinning in his grave at the speed of the fan running in the server.
Custom electronics and digital signage for your business: www.evcircuits.com
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 95 (whenever that gets out..) Is that out yet?
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 98 (whenever that gets out..) Is that out yet?
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 2000 (whenever that gets out..) Is that out yet?
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows ME (whenever that gets out..) Is that out yet?
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows XP (whenever that gets out..) Is that out yet?
Sorry to be redundant, have you heard this joke before already?
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
[From the article]
SYSTEM doesn't trump Administrator(s): since either can control the kernel, they both represent full control. SYSTEM can't magically bypass security descriptors any more than administrators can; both have but indirect end runs available. SYSTEM's profile has the global system environment. In Win32, shells have considerably less importance, but SYSTEM processes can still have them. SYSTEM's actions can certainly be audited, so I'm not sure what they meant by impossible to log.
There are lots of services running as low privilege LOCAL SERVICE and NETWORK SERVICE. Perhaps there could be more. Note that a single svchost can represent several services.
The binaries that implement system services are protected by system file protection. SFP isn't a security feature; it's there to work around buggy installer behavior.
This isn't true on a domain where the admin has designated installable packages, and RunAs works fine for installation programs that are written properly.
I'm not sure what's meant by this, but if your kernel is owned on any OS, a rootkit can be installed to evade any kind of debugging.
Non-human-readable? Never used the registry editor? The key and value names seem to be in English... It's like saying that a filesystem isn't human-readable because you need ls. There are no plans to make the registry obsolete for system configuration. In fact, the new boot loader's config database is a registry hive. As for owning the computer throught the registry, every key is protected by an ACL. There's nothing inherant in the registry that allows an attack, privilege escilation or otherwise.
So then the admin takes ownership of the keys in question, forcibly with the SeTakeOwnershipPrivilege, and since the owner of an object can always set the DACL, the admin returns himself full control. Either that or use the SeRestorePrivilege to overwrite the key directly.
What's wrong with the shell's ACL editor? What's wrong with the default permissions?
Since root can ignore security, this isn't saying anything. In Windows, only the kernel can bypasss security.
What I thought was interesting in the article was how many of his complaints were probably due not to bad design per se, but to poor practices -- things like documentation, structural transparency, consistent use of system policies, etc.
What struck me is that there are definitely seeming flaws in Windows that make it insecure as-is, but that it doesn't have to be this way; Microsoft has chosen and continues to choose to operate in such a way that exacerbates rather than minimizes the effect of many of the inherent weaknesses of the platform. A similarly designed system, managed and documented differently, would probably be less problematic.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I see a whole bunch of people whining about lack of Linux drivers. Is ATI worried about losing money from such a small merket segment? Obviously not. Face facts: graphics card manufacturers are never going to give you the level of support for Linux you want until Linux has a *much* bigger share of the market. They are busy enough churning out new hardware every six months; hell, they can't even write good drivers for Windows at the current pace, let alone Linux.
You're bright, talented, resourceful guys/gals right? Instead of whining on Slashdot about closed-source drivers for a proprietary GPU architecture, why don't you design, manufacture, and sell "open" GPUs, CPUs, and systems? With complete documentation? So that I can write drivers that will let me take advantage of *all* the features the hardware has to offer? Bonus points if I don't have to sign abusive NDA's or fork over huge sums of money on licenses/royalties for access to the docs.
Open-source software is neat and all, but if I don't have complete documentation of every bit of circuitry/firmware/embedded software, etc. in the system, then running an open-source OS just means I won't be able to use all the features of the hardware that I paid for.
The software can only be as free (as in speech) as the hardware it runs on.
Insisting on "correct" English is like saying that there is only one, definitive recipe for chili.
Machintosh/Apple makes a "car." A complete package. It comes bundled with pre-installed "tires" (OS X - to get you around in it, of course you can shoose to install something different.) It comes bundled with a stereo, headlight bulbs, mirrors, seats, carpet, you name it (ie: think software options.) All of which can be taken off of the car and something else replace it with ease.
.) install on their cars. However the "car" manufactures where being strong armed by the "tire" company in also include a particular stereo, bulbs, mirrors, seats and carpet, that where required to also be bundled, without modification.
Microsoft makes "tires," that "car" manufactures (Dell, HP, . .
I know not a great analogy, but you get the idea. Let the critics eat me alive is they so choose. Karma-shmarma.
Self proclaimed wannabe geek. You know how it is. Most of us who read this stuff probably fit in that category.
So instead of corrupting a part of the system I can reinstall from a boot CD, the virus only destroys my personal data I spent years collecting and inputing.
Whew! What a relief!
You convinced me! I'm going out, right now, to buy a Macintosh.
I honestly have to laugh at anyone that thinks they could even begin to compare windows with a unix based system for security.
It's like comparing your screened front door to a steel vault door.
Unless you like fresh air on your system files...STFU.
...if Windows were designed securely in the first place. This isn't a troll, just an observation.
In a sense everyone is trying to argue that Microsoft can't include additional security tools because they'd be accused of leveraging their monopoly. The enitire antivirus industry likely wouldn't exist, and this would be a moot point, if Windows were designed securely from the start.
What we seem to have now is pressure on Microsoft not to make things *too* much better because they would wipe out a lucrative business niche occupied by third parties. Microsoft is a slave to backwards compatibility, so they won't scrap everything and start from scratch. But they can't win because if they offer an antivirus solution they're leveraging their monopoly unfairly. Or they're an extortionist because they failed to secure Windows properly, but are getting more money from customers by forcing them to purchase their anti-malware solution.
OSX is better than Windows in terms of security. But Microsoft only have themselves to blame. They should break with backwards compatibility, buy themselves and Linux distro and layer the Windows GUI and APIs on top of it. Do it right and their security problems will be a thing of the past.
Microsoft made it easy for commercial applications to refuse a debugger's attempt to attach to a process or thread. Attackers use this same mechanism to cloak malware. A privileged user must never be denied access to a debugger on any system. My right to track down malware on my computers trumps vendors' interests in preventing piracy or reverse-engineering. Maintaining that right is one of the reasons that open source commercial OS kernels are so vital.
That right there is the most compelling point for me. If I install a copy of Windows, that copy of Windows isn't working for me. It's working for other people who want to control the machine. Whether these folks are software vendors or blackhats doesn't change the basic architectural issue.
Laws do not persuade just because they threaten. --Seneca
You have got to be kidding, right?
You've made the classic blunder of using the MS-fanboi rallying cry of "there are millions more Windows users" followed by the only slightly less-well-know Big Lie that "If OSX had that kind of a market share..." Apple would have an equal number of OS flaws.
If you don't think that there's are hackers out there who wouldn't give their eye-teeth for the fame that will come from writing the first successful Mac virus, you're on crack. Not only is there the notoriety, but you'd have spam-kings and Russian mofia dons beating down your door with fistfuls of money. 10% of 300 million computers is still a significant number by anyone's standards.
I'm typing this on a Windows PC, but from your post (despite the disclaimer) I think it's unlikely you have much experience with Mac OS.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
Windows systems have been, are, and probably will be getting hacked - a lot - on all levels in the forseeable future, they talk up security but there is still the current (well publicized) vulnerabilities.
Other systems (Mac/Linux) aren't having such major issues - they tout security, and are blasted because 'they are obscure'. There is a lot of 'talk' of possible vulnerabilities, and there are speculations there may be vulnerabilities. But they are STILL more secure now and have a good track record.
What part of this would make me trust Windows more?"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
I'm just wondering if anyone has ever built a firewall device from a Windows box. When I search for "windows firewall" all I get are references to the application that runs on windows, not any kind of firewall device.
You could build (and Linksys, SMC, DLink etc have built) a firewall device from Linux, *BSD, maybe OSX of which I have no experience, but who could or would build a firewall device from Windows?
Would you really have to be off your gourd to trust one?
Once I was a four stone apology. Now I am two separate gorillas.
Mac is not dramatically more secure through launchd...
It is simple really. Six years into OS X, growing market share, and no viruses in the wild.
First principle. No ports open by default. Macs ship with a closed box. Plug it into the Internet, wait, and your machine will never get infected simply because it is not listening on any port, and no attacker has any foothold to get into the box. Over the years Windows has shipped with a wide variety of open ports, whether they be for netbios, smbd, messenger, IIS (on NT), or others. Many of these have been launching pads for viruses and worms.
Second principle. Design the OS from the ground up to support privilege descalation. That is, make it so that every action on the machine is executed with User privileges or less, unless you really need more privilege. Launchd is a part of this. On Windows, you still have ActiveX with escalatable privilege, and people get infected from web surfing or opening email.
That is really all it takes. Make it so a user cannot compromise the OS trivially, and there are no open ports, and you made a box as secure as a Mac. Once you start opening ports, you need to know what you are doing or you will be 0wn3d by some script kiddy. Make it secure by default, and force the user to take positive action to do anything that is a potential security problem (like installing executables from random places on the internet).
I've always thought that "to slashdot" something meant to break it, or cause it to stop functioning through large ammounts of http traffic.
Too bad that would violate the GPL.
I'm not picking on you, I've just seen this same error (confusion of "moot" with "mute") several times in the past week or so. The error seems to be reproducing. It's time for a brief vocabulary lesson.
A point of argument may be moot if it's debatable or of academic interest only.
People may be mute if they cannot speak.
If you mod me down, I shall become more powerful than you could possibly imagine.
Interesting read. I agree with most of his points, with comments on the following:
Microsoft does not sign or document the name and purpose of the files it places in SYSTEM32
Most, if not all of the files can be identified through a simple Google search. It doesn't get Microsoft off the hook -- they should provide proper documentation, but such information is available.
Windows requires that users log in with administrative privileges to install software, which causes many to use privileged accounts for day-to-day usage.
Not all software. User-level installations should be possibly to non-restricted directories.
Windows requires extraordinary effort to extract the path to, and the files and TCP/UDP ports opened by, running services, and to certify that they are valid.
TCPView. Now you have it. And since Microsoft now owns Sysinternals, I guess they have it too.
Malicious code or data can be concealed in NTFS files' secondary streams. These are similar to HFS forks, but so few would think to look at these.
This is not really Microsoft's problem. If no one can remember the features of the OS, it's their fault when they overlook them.
Apple's daemons have man pages, and third parties are duty-bound to provide the same. Admins also expect to be able to run daemons, with verbose reporting, in a shell for testing.
Duty-bound? Sure, they probably all provide them because that's what everyone else does, but most Windows applications include a help file too.
Launchd can tripwire directories so that if they're altered unexpectedly, launchd triggers a response.
I believe TripWire exists for Windows too.
The UNIX/POSIX API, standard command-line tools and open source tools leave malware unable to hide from a competent OS X administrator. It takes a new UNIX programmer longer to choose an editor than it does to write a console app that walks the process tree listing privileged processes. Finding the owners of open TCP/UDP ports or open files is similarly trivial. The "system" is not opaque.
I may be wrong here, but aren't their other ways of injecting malware into a system than setting it up as a detectable process? I know on Windows machines there are a number of ways to get around a process walk -- does the same thing exist in *nix?
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
You mean like this ?
A nice read. After that I'm kind of scared to go back to my work PC. Seriously though, all of these Windows shortcomings really point to a need to rebuild Windows from the ground up. Any needs for backwards compatibility could be handled via emulation or virtual machines. In the change of hardware going from Xbox to Xbox 360, Microsoft essentially did just this. Windows is way overdue for similar treatment.
To the making of books there is no end, so let's get started
>> whereas Windows is an animal which continues to be re-invented
> I'm not sure that 're-invented' is how I'd describe windows, or their efforts at security.
Re-innovated?
"it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners."
And if they did, a lot of the same people who praise Apple for including such features would scream "MONOPOLY!!!" Microsoft can't win on this issue. Either they're not secure, or they're being anticompetitive.
I'd prefer the latter, but then MS learned that such "bundling" lands them in court long before Apple released OSX.
120 characters for a sig? That's bloody useless.
It is not that hard to argue for OSX security over Windows security due to the track-records, but this article is total crap. A few of the points:
With all that said I can easily see people going to OSX to improve security, that does not make that article anything but deeply flawed however.
This board is filled with jokes, sarcasim, and crying about IE being bundled in Windows. MS bundling IE and not allowing the engine to be uninstalled is the correct solution for Windows. The fact that so many slashdoters continue to harp on this is dishartening...
The IE engine is just important to many Windows devleopers as the winsock controls, button, image, or even the media controls. Windows is the #1 OS because of developers making software for the OS, and they do that because MS makes it easy for them. You can use visual studio to just drop a browser engine on the form... virtually no coding, and for many ISVs it means the difference from having a full featured app and not having one at all.
And for the record, you CAN remove/uninstall IE's shortcuts and icons from the OS (for many years now). Once removed, and for all practical purposes, IE is not available to the end user. The engine stays because it is not just for the blue IE icon on the desktop, its used in Help files, its used by developers, etc.
So PLEASE, stop your F*ing crying and get over it... IE is bundled in windows, and it has been GOOD for Windows software development. And incase you hypocrites forgot, Safari is bundled in OSX and can't be removed fully either.
The hell it would. They'd just have to be willing to distribute source code to the actual OS, while keeping their own window manager and Wine-like software proprietary.
There's nothing about the GPL that requires all software running under a GPL system to be licensed to the GPL, unless you're linking against GPL code. If we can have a proprietary Doom 3 and Quake 4 run on Linux, we can have a proprietary Windows compatibility layer and UI run on Linux.
Don't thank God, thank a doctor!
leaves much room for speculation as to the true 'security' of this system.
While it's all well and good to discuss system security from the standpoint of the software, it is a moot point in light of an insecure hardware implementation.
'I don't want to get on a rant here but...'
The Trusted Computing Group (the industry group responsible for TPM (previously known as Palladium, TCPA etc.))has posted their best practices and principles for the use of TPM.
You will note (if you bother to read these) that the aims of the TCG are to:
i. preserving privacy, backward compatibility, and owner control
ii. promoting ease-of-use
iii. designing the technology so that it is interoperable
iv. ensuring that the user's data, while secure and protected, remains portable and accessible as needed in alternative modalities
Is it me, or is it curious that Apple is not a member of the TCG, nor have they implemented the TPM Control panel that is requisite with its implementation? There is NO end-user control or validation of the settings of the TPM. Therefore, no-one, save your remote Cupertino overlords will know who it's set up to trust! How cool is that?
Given the properties of transitive trust relationships, I'm sure you ALL want to trust Apple, and hell, while you're at it, ANYONE they trust (No Such Agency comes to mind here) How cool is that?
At least with all of the Windows based offerings, as flawed as their software implementation is, they give you the OWNER of the PC hardware the respect of letting you see how it's set up. That makes me feel a damn sight more secure than what Apple is currently foisting on an unsuspecting public.
With an Apple computer it turns out you're not BUYING a PC, but RENTING an EXPERIENCE. Because with the TPM shipping enabled, it's definitely remotely owned.
if I claimed I was emperor just because some watery tart lobbed a scimitar at me they'd put me away!
I'm sure OS X is more secure then windows but give me a real unix operating system,os x is so hacked up and different it doesent even feel like a real unix operating system.You cant even mount ext2/3 in os x,whats up with that?
Shawn's Tech Articles
I know windows has horrible security and whatnot, and to the point of the summary, MS shot themselves in the foot with this by not fixing system vulnerabilities and bundling it with anti-virus back in the early 90's, and created the market for antivirus software. Then they kinda screwed themselves over with all the anti-trust mess they dug themselves into, so now even if they wanted to bundle antivirus or even just fix the vulnerabilities, I wonder if they would even be allowed to since it would be considered anti-competitive against the antivirus companies.
So my question is (I'm trying to make it as neutral and unbiased as I can) - is Apple bundling antivirus and whatnot with their Mac systems fair on the part of MS?
Now, if you could please keep this from being a flamewar, I'm not really against Apple bundling antivirus, because I think that the OS manufacturer should be the one to fix any problems/+ provide antivirus with the system for free - I just think that if Apple is allowed to do this, MS should too (it would also raise the standard of security on windows systems and create more competition for the antivirus companies because people would hopefully wonder why they pay for it, making the companies make better software)...
As a fellow Mac user it also surprises me to see how many common software packages used in the OS trail the open source releases by long shots. Perhaps the folk at Apple need a lot of time to ensure that all the OSS packages will play nice with each other. On the other hand, whenever there are drastic issues, the Cupertino folk tend to release a fix in days, not months. That, combined with a easy-to-use update control panel, better user privilege control, and a paranoid firewall make it harder to infect Mac OS systems w/o the user helping along (i.e. running a trojan horse, visiting a bad site, etc.)
However, many of the infections that sweep the web could be reduced drastically if users were forced to use a router whenever they have a high-speed connection. This would reduce threats significantly, since you'd now depend on users to do a bad thing, rather than the Windows machine inviting an open attack. Also, I wish that routers were easier to use, so that people don't resort to DMZ'ing machines on their network to play with MMPORGs/iTunes/etc.
The last hole big enough to drive several trucks through is e-mail, IM, and other communications means that allow vast quantities to flow between machines. I wish that IE and other browsers would be written with a greater nod towards security. That is, a sandbox for Java that keeps all the toys inside, no way to open a "picture" and execute a program instead, no ActiveX or Visual Basic routines allowed, etc. Better, transparent, security here would be a big boon to everyone.
At the end of the day, it's all about user education and making people understand the implications of having their machines on the internet 24/7. Those users that "don't get it" or who don't care ought to have their connection privileges pulled by their ISPs for the greater good.
I am always amazed when I read a piece on software security--in almost every case, one of the problems that gets mentioned is buffer overflow. My amazement comes from how deeply ingrained it has become in much of the world's programming community (certainly the American branch) to use an inappropriate programming language for such important work.
I have heard that Microsoft has modified its own compiler to do array range checking. I wonder if they have ever used it--a simple re-compile with range checking turned should turn up no problems. Surely no programmer would ever write a program that _depended_ on a buffer overflow in order to work correctly. If one such programmer was ever found, surely he would be hung up by his testicles at the employee entrance to the Microsoft campus.
(N.B. All programmers have testicles 8^).
"The default in Windows is now to have no open ports as well due to the Firewall,"
The Windows Firewall is worthless, and does very little against any kind of attack. See the results of http://www.firewallleaktester.com/. The windows firewall in reality is more "security blanket" than Security. The point of many complaints that you wil see here is that there are so many backdoors to the core components of MS operating systems that security is a nightmare. Personally I agree with your analysis of the state of anti-malware. I just think that there is too much financial incentive for a completely secure end-user OS to not be designed. Just my cynicism speaking.
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
Getting extra mod points these days. Rather than informing themselves by actually reading the specifications and informing themselves on the issue at hand, they mod real problems down, preventing other users from the opportunity to inform themselves as well.
I thought that this was news for nerds, and stuff that matters. Well, if it doesn't matter that there are no protections in place for owners of TPM enabled equipment to Slashdot, I guess they're already cashing their cheques from Apple. In light of the consistent pro-Apple slant to this site, I will refrain from recommending this site to new tech-people as one of the 'go-to' sites for stuff that matters.
Frankly I'm disgusted by your incredulity, as any self-respecting tech would first inform themselves as to the issue, and then make their decision, rather than mod down a story that is a) on topic (if we're actually discussing Windows v. Apple security) b) relevant as software runs on hardware c) not an attempt to troll for (un)favourable responses, but rather an attempt to elucidate a very clear and present issue facing computer users today.
In closing, to whoever modded me down: 'Bite Me Fanboy' to quote the Main Man.
if I claimed I was emperor just because some watery tart lobbed a scimitar at me they'd put me away!
One big advantage to launchd, especially as far as improving boot time, is that it can launch services in parallel.
I'm not sure about other distros, but I know gentoo has Initng and runit, both of which can start services in parallel to improve boot time.
What an asinine article. Macs HAVE NO ENTERPRISE SOFTWARE!!! And before the Mac buttboys try to refute this - all the enterprise software the Mac does have is available on Linux and its a hell of a lot cheaper.
Kool-Aid, Kool-Aid - Tastes Great! I Wish I Had Some - Can't Wait!
or... they could have been applying different rules from the very beginning.
I guess a scene in the move "Pirates of Silicon Valley" sums it all up. It's just a movie, yes, and the dialogue is almost certainly not a line-by-line quote of the actual conversation that took place. But I think it does portray the fundamental difference in approach between the two.
The scene was when Jobs finally saw proof that Microsoft copied their design and shipped it as part of Windows.
Steve: You know our software is better than yours.
Bill: You still don't get it, Steve. It doesn't matter!!!
You actually do have to be a "very priviledged user to do that." You have to be an Administrator, which you could generally consider to be root. If you already have access as an Administrator, it's not very significant that you can get to System. You could do it in any number of other ways, besides escalating with at. Moral of the story: don't run as Administrator.
I find your excuse of legacy software annoying.
The subject line is a short summary of the solution that Microsoft should have implemented a long time ago---to implement a union of file systems so some files are drawn from a read-only file systems and others from a read-write file system.
See http://en.wikipedia.org/wiki/UnionFS.
Basically, the program folder has only read access to users, but unionfs of the program folder and a user folder in "Documents and Settings" would allow each user to modify content of that program folder independently. Users do not see each other's changes, and the main copy is left intact. You also don't need to be a privileged user to run that program.
Mac OS X also has it. See http://www.kernelthread.com/mac/osx/arch_fs.html.
I apologize in advance if Microsoft has already included that feature, but I would get even further irritated because there is absolutely no excuse now to make everyone administrators.
I once had a signature.
My submission to http://mydreamapp.com/:
A worm for OS X call SmugWiper. It does nothing more than fly a plane across the screen every few minutes with a Samuel L. Jackson clip playing from the movie where he calmly states that he's not happy about all of these unpleasant snakes.
It's important to fully consider the virus model. There are two -completely separable- parts to an infection, regardless of whether it's computer or biological:
/., please stand up and take a bow!)
1. there has to be a vulnerability
2. there has to be a vector
Now market share has substantial impact on -vectors-, but has -no impact- on the core vulnerability. This is the point so many people miss when they claim that the only reason MacOS X is not infected is because of market share. This is not my original thought, but I'm very sorry I do not remember who first pointed this out to me. (If you read
For a long time (I don't know if this is still true), the Army corporate Intranet, Army Knowledge Online (AKO,) was run on top of a whole ton of Macs. This was after the Nth infection of their previous Win NT baseline, and the 3-star said "Fix it." It's my understanding from about 5 years ago from a friend who worked on that project that there were a few first-stage penetrations/DoS attacks, but NO (zero, nada, zilch) successful infections of the Macs, even when they were running WebStar on OS9, and then none when they moved to OS X. (He provided no details for security reasons, and I didn't ask. But having known this guy for 12 years at that point, I take him at his word.)
So to those who claim that "there's no reason for a hacker to infect a Mac-based system," I'd point to both the big-time hacker glory that people in that culture would get for screwing up www.us.army.mil, and to the much more serious impact of a deliberate cyber-attack (e.g. Al Queda, Hezbollah, Chinese espionage, etc - all of which I believe are documented as attacking US military web sites, and unfortunately with some success for sites other than AKO.) Most well-run websites can detect a penetration, even without a change to the home page.
Anyway, my point is that the lack of infections has to be attributed primarily to lack of vulnerability, and in evidence I offer the big headlines that come out whenever someone thinks they've found a vulnerability in OS X. But so far, to the best of my knowledge, there's been no successful infection "in the wild", and certainly NOTHING to resemble the Windoze viruses that seem to spread across the 'Net about every year or so. This canNOT be attributed only to "lack of market share".
dave
Just for the record, they really did earn their "Damned If You Do, Damned If You Don't" moderation.
Regrettably a car analogy. If in a particular city, most people drive Toyota Corollas, you can bet car thiefs will learn how to break into Corollas and they will be broken into more frequently than the 2-3% of Daewoos. Because they're already so familiar with Corollas, those cars will probably be stolen in an even higher percentage than its marketshare. So it has at least some significance in some cases.
Your IIS/Apache analogy may show a different story though. I'm just saying that comparing a security system to a non-security system isn't the best analogy. Of course the thieves would do the one that doesn't require any work.
The author of this article has *no* idea what he is talking about.
* The server service is the service that allows file/printer sharing in Windows and other remote admin capabilities. Since things that only administrators might have access to might be accessed through the server service, running it under a lesser priviledged account cannot be done since the server service must be able to access everything that it provides access too. The bottom line is, the server service is an extermely sensitive service that must be protected. It's Microsoft's fault for enabling/exposing this service by default, but this has nothing to do with the fact that the server service needs "root" permissions. In OSX and other unix-type OS's, there are several different daemons that for one reason or another have to have root permissions.
* Contrary to what the author writes, the SYSTEM account can be logged, audited, and access rights can be taken away from it...and no, it's not hard to do.
* In one of his "bullet points" the author says "One of the strongest tools that Microsoft has to protect users from malware is Access Control Lists (ACLs), but standard tools make ACLs difficult to employ, so most opt for NTFS's inadequate standard access rights.". Boo frikken hoo! If you are a Windows server admin, and you can't grasp the concept of filesystem (and registry) ACLs, then you are in the wrong proffession.
* The author says "All Windows background processes/daemons are spawned from a single hyper-privileged process and referred to as services." This is flat out wrong. The "Services" exactuable is used to run many services, but it is not required to run all services, and the priviledges it carries depend on how the induvivual service is configured. It's very easy to run Windows services as regular user accounts, and the "services.exe" executable need not be involved at all. I've run MSSQL server and several other third party services as "guest" users on Windows. They work just fine.
* The author says, "By default, Windows launches all services with SYSTEM-level privileges.". Again, the author is dead wrong. The "LocalService" and "NetworkService" accounts do nOT have system-level priviledges. In fact they are severly limited in what they can do.
I could go on four hours refuting his "bullet points" (85% of them are flat out wrong),but what's the point?
happy ignorance everyone!
to see if my good friend jrock made a biting comment about "debugging" shit under OS X, so I'll mention it anyway...
OS X gives you a system-supported method for being debugger-unfriendly. Invoking ptrace with a special flag will kill any further attempts to ptrace the processes. Try gdb'ing iTunes. Oh whats that? SIGSEGV?
He needs a +1 Insightful.
WebKit isn't Explorer. The Windows equivalent of the Finder, the Explorer, shares (many) DLLs with Internet Explorer; it even seems to share resources at run-time with it. The OSX Finder doesn't use WebKit (at least not up until now). The only thing you will damage by removing the WebKit framework is applications that use it to display HTML or provide other simple browsing functionality, not any system application. Under Windows though, you would take away the entire interface.
Frankly, if you can't see that 'the Apple solution' is the one and only correct answer to crap software that wants admin level privileges to run, then you are part of the problem.
That feeds in directly to your first point: given that most malware comes in via the browser (or any other software that 'sees out' of the computer in any way, from SMTP daemons to thin clients), allowing excessive privileges (or worse, making IE part of the OS rather than just an app!) causes a substantial part of the overall insecurity of a system.
Justin.
You're only jealous cos the little penguins are talking to me.
Uhm, yes, you can. Four points:
So yeah, you can be annoyed at Microsoft's behaviour and still think that Apple's behaviour is okay or even good.
...isn't property of Apple. It belongs to the Fraunhofer Institute, the makers of the MPEG standard. AAC stands for Advanced Audio Compression. In theory anybody could license the format from Fraunhofer and add their own DRM key.
...and I think you're 100% wrong on this. It is not illegal [sic] for them to bundle software where a marketplace exists. The problem comes where you can't unbundle (such as IE) or where you force the suppliers not to preload with your competitor's wares (such as Netscape). ...and "some courts have already begun to investigate...". I think you're talking out of the wrong end. What courts? In any judiciary I've come across, courts don't investigate they adjudicate. If it was a crime (if's not) then the police investigate. If it's a civil offense then it is up to the competitors to mount a legal challenge.
Any opinion expressed is also that of my employer - another benefit of being self-employed.
Anti-virus: Is only as good as the threats it knows about. It takes only one unknown virus to compromise your system. This is known as default permit, a bad idea as distinct from default deny.
anti-spam: Design an email system that has built in encryption and authentication.
Obviously OS X is more secure, the reasons being its roots in BSD Unix.
davecb5620@gmail.com
Having been in situations where I (as a user) see a different filesystem to other users and to the system itself, I have to say that while it's a nice idea on paper it's very confusing in practice. For example, try using the "subst" command in NT. This creates a symbolic link in the kernel's object tree between a drive letter and a directory on some filesystem, effectively aliasing that directory onto a drive letter. However, since each session has its own view on the object tree this drive letter appears only for the user that ran subst.
This works just fine as long as you don't try to talk to a system service, since that service will be running in a separate session and won't be able to "see" your drive letter. The UI for this system service asks you to choose a file, and since the UI is running as you it allows you to pick a file from your alias path. However, the service itself is running in a separate session which either doesn't have that drive letter at all or has it pointing somewhere else entirely. Strange things happen and it can be hard to figure out exactly what's causing it.
Taking this outside the realm of the hypothetical: parts of Windows Installer run as a service, so you can't actually run MSI files from a substed drive: the service parts of Windows Installer can't "see" the substed drive to access the MSI file. Also, taking Windows Services out of the picture, several non-technical users at my company have sent me email telling me to look at T:\document.doc, where T: is a mounted volume from a server. Of course, that volume is mounted under a different letter on my computer, so I have to figure out what their idea of T is so that I can map it onto my equivilent.
But don't take my word for it, read what Steve and Leo say:
http://www.grc.com/sn/SN-051.htm
Here's the short version:
1. Network code takes years to secure. There is no shortcut.
2. Vista supposedly ships early next year.
3. ???
4. Security firms (oh i forgot, Microsoft too) and blackhats profit.
Now back to your Mac vs XP playground squabble....
insecurity asks the wrong question irritation gives the wrong answer
I'm really fed up of reading bull like this... (I don't refer to the article posted, but the comments posted by fellow slash-dotters).
Having read several hundred comments I find it surprising that half the people here are still alowed keyboards!!
Firstly, we have Apple being applauded at every turn in the road that they decide to make. Fair enough they are doing a good job. but that doesn't necessarily mean that Microsoft isn't.
I find Apple as a corperation somewhat amusing... perhaps sly would be a better word...
(yes I refere to the advertising videos on their websites about security, which judging by this article, cannot possibly be true).
it wasn't so long ago that OSX was 'entierly' secure, there were no viruses (viri?) and that was pushed into the face of every windows user. -in those adverts and in comments on this, (and everyother site that dared to question Macs).
until wait... yes, a virus was released. and that could no longer be said anymore... or could it?... the entier point of this article is that Macs come with security features enabled that are simply better than windows, yet there are still some idiots arguing with comments that Macs are completly secure... now don't get me wrong, they [Macs] are either completly secure (which would be great), or they are possibly insecure and need to have rootkit detectors/spyware finders/AVsoftware etc...
since the latter is provided, I'll assume that the latter situation is true.
Macs are not inherintly or infinitly secure!!
and I'm fine with that... The only Mac that I have is a (older) laptop and I'm happy to apply this 'extra' software that didn't used to be provided (even if that does mean I have to buy the new OS), I'm happy to apply security updates, I have to do that on my windows PC at work, I apply updates to my Linux machine at home and I have no bones about doing it on my Mac either. -it's just I'd rather that Mac were upfront and honest about it, rather than giving us that totally secure line for so long and then admitting through their actions that might have been a lie!
There is some comment that says about how Mac shouldn't be rolling out all this software with their default OS..
we see Apple rool apps into their OS
we see Apple rollout security kits
we see apple rollout the OS with media players and such, yet it is a problem when microsoft do it... to some extent I agree entierly with the anti competition suits against microsoft, but I also agree that they should be able to roll out software with the OS, albeit that people can choose to remove this software afterwards.
to the person who said that you can't rempove media player, (bull shit!) start control pannel add remove software, add remove windows components and just deselect the media player.
this is no more or less difficult than it is to remove apps on my mac, and a very similar process to how I have to remove he default media player on my linux box, applications > add remove preogram> list programs and unchec the software I wish to reomve!
it's not hard, and if you find it so bloody difficult then in reality windows, (probably one of the most intelectually dumbed down OSs in the world) probably isn't for you... in fact if you find it so hard why don't you buy a windows for dummys book, or google it...
the person who said that many applications start out small and end big and are hence redesigned, an said that's what windows do/are doing, yes that's completly true, Microsoft do seem to throw away a lot of development when they seem to realise that it wasn't done in the best possible way...
however the people who said that you don't get this with Macs (again Bullshit!!!) Mac threw away their entier development history when they switched to a Unix core, they didn't develop they just adopted some of microsofts business stratagy and bought the best thing on the market and tweaked/developed it a little more.. stuck their branding on it and sold it for a huge mark up!!
IMHO Macs are far from their clean white
and do you REALLY think that microsoft would do such a thing?
OK, that's a valid point for some hackers with respect to intent to target. We need some sort of taxonomy for hackers:
- thillseekers
- evildoers looking for zombies
- evildoers looking for personal information
- evildoers looking to interfere with the operation of the machine/website (e.g. those that change websites to make some sort of political statement)
- others?
I concede your point on Type 2 Hackers. My comment on Army AKO covers Type 1 and Type 4 hackers, and to some degree on Type 3 hackers. (There are hundreds of thousands of AKO accounts, based on every soldier having an AKO account...)But still, 'motivation' is 'motivation for exploiting a vulnerability'. It says nothing about the existence of a vulnerability. I don't buy the argument that the distribution of vulnerability is constant over Operating Systems, and it's only the number of attacks that has any impact on the number of recorded infections.
dave
Windows Step 1: Install Windows with normal user ID of Samantha Step 2: Patch Windows Step 3: Logoff and logon as Administrator Step 4: Try to change Samantha to a "Power User" instead of "Administrator" *NIX and Mac Rinse and repeat steps 1-3 Is Samantha a superuser/administrator? nuff said??
And ye shall know the truth, and the truth shall make you free.
John 8:32(King James Version)
OS X does not require that a user be logged in as an administrator to install software. The user or someone aiding the install needs to know the name and password of a local administrative user to complete the install. On a network, most software is installed using Remote Desktop, an inexpensive Systems Management Server-like console.
.Mac doesn't count. I need to be able to backup 200Gb of data on a regular basis. Disk images are simply too unwieldly - I need a decent backup program that will backup only the changed files since my last backup - it's the difference between a 6 hour backup while redlining the hard drives and a 6 minute one. The best backup program I've seen for OSX is Deja Vu (a version ships with Toast I think). Apple should bundle this with the OS instead of attempting to push .Mac on people.
Neither does WindowsXP - 'Runas'
Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore
OSX does not ship with any form of Anti-virus or anti-spam. It supports encryption through the use of encrypted disk images (fair enough). Image backup and restore is ok so long as you don't want to make anything too big for Apple Software Restore with Apple's own tools otherwise it screws up.
One HUGE whopping omission which ships with Windows but not OSX is a decent backup program for OSX. I'm sorry but
I own a Mini and used OSX for months before giving up and going with Debian simply because there is no single approach to installing drivers, software, codecs, etc. Need a printer driver? You'll probably also need to install GhostScript and at least one other driver (good luck finding it). Want to install a general hardware driver? Pick from thirteen different versions and - if you have no idea what you're doing, like most Apple users I know - hope that you got the right one for your kernel. Want to uninstall a driver? Good luck with that. Codecs? Which installation location do you go for? OSX is a mess that makes Windows look pristine, and most decent Linux distros make them both look like they have no idea what they're doing.
Of course the distribution of vulns is not constant over O/Ses. I never said it was. I'd say that OSX and Windows aren't really that different from the security design and exploitability point of view.
0 &l=30&c=12&op=display_list&vendor=Apple
I'll only claim that the lack of infections is not primarily due to lack of vulnerability and it is more due to lack of motivation - and that is related to marketshare.
Firefox has had plenty of vulnerabilities (and I'm willing to bet it has plenty more unreported ones)- why haven't the baddies bothered installing their malware using them? Those vulnerabilities are definitely exploitable.
Why? I say it's because the malware people can't achieve what they want - lots of infections.
Why? The overall market share is lower and the sub-monoculture shares are even lower.
What I mean by sub-monoculture shares are machines that can be exploited by the same binary/exploit. An exploit on windows tends to work across many versions of Windows. Whereas an exploit on say one linux distro might not work on other distros.
If OSX actually got really popular, things could change significantly - since it is likely that an exploit could work across multiple versions of OSX, and OSX has lots of preinstalled software that an infector could use (applescript, perl etc).
The sort of hackers who are not interested in lots of infections and are interested in just taking over specific machines are more likely to be the sort to take it over _unnoticed_ - go in, get what they want, get out (often all in a few seconds).
The sort who are interested in fame just have announce OSX vulnerabilities from time to time and they do, but they don't have to release an _exploit_ to get their fame. They could write an actual exploit, but they don't have to release it to get their fame or bother infecting a single machine in the wild. All they need to do is publish and show up here:
http://www.securityfocus.com/cgi-bin/index.cgi?o=
Go look, plenty of exploitable bugs. Be glad there's that avenue for such people.
If you are going to say the vulns are not in the OSX kernel, well there haven't been that many bugs in the Windows kernel either - the hackers you should be worried about aren't going to bother debating which is Apple code and which is not, to them what's important is what runs/exists on all their targets.
Lastly, OSX is definitely safer to use than Windows. But the sort of safety is "living in a safer neighborhood" safety. Not living in a fortress safety.
Note, though, that it is the author, Tom Yager, who is abusing language in this manner. Apple never claims the .Mac services are provided in the box. I use .Mac, though I can't really endorse it and probably won't resubscribe--it's overpriced and has an inadequate (read: insecure) backup system.