Slashdot Mirror
Windows vs Mac Security
sdhorne writes "There is a good technical discussion over at InfoWorld on the merits of launchd and what is lacking in a comparable Windows secure solution. It is a throw back to the UNIX vs Windows security discussion that has been hashed out for many years." From the article: "it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners. Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through .Mac, and launchd. Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down."
Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down."
It seemed pretty wello written. That said, I which he would have said a little more about launchd, at least enough to explain why it gives OSX an advantage. It would have also been nice to have had some kind of side-by side comparing Windows and OSX, like how the windows System pseudo-user trumps the admin user, and how there is not way to trump the OSX root user.
Why this can't happen under OS X:
I don't know if I'd go that far. OSX isn't 100% immune - it just has more common sense.
"We are all geniuses when we dream"
- E.M. Cioran
Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through.
Don't you think that if Microsoft offered this that everyone would cry monopoly? Actually, I've seen other people on Slashdot cry this before at the announcement of Microsoft's OneCare program, which isn't even bundled with the OS!
Anyone notice the link at the bottom of the article?
Links to slashdot submit article. http://slashdot.org/submit.pl
Cute.
If you don't count a trojan as a virus, then you don't need an anti-virus if your OS is secure. Apple can work on securing its OS or on an anti-trojan, but any effort spent on an anti-virus is wasted.
Was I the only Mac user who didn't know what launchd was off the top of my head?
In Mac OS X v10.4 Tiger, Apple introduced a new system startup program called launchd. The launchd daemon takes over many tasks from cron, xinetd, mach_init, and init, which are UNIX programs that traditionally have handled system initialization, called systems scripts, run startup items, and generally prepared the system for the user. And they still exist on Mac OS X Tiger, but launchd has superseded them in many instances. These venerable programs are widely used by system administrators, open source developers, managers of web services, even consumers who want to use cron to manage iCal scheduling, and they can still be called with launchd.
The launchd daemon also provides a big performance boost to your system. At any given time, only those daemons that are actually used are launched; combined with the fact that daemons can shut themselves down and be relaunched as needed means that you can reduce the average memory footprint of the system.
http://developer.apple.com/macosx/launchd.html
Soccer Goal Plans
Macs are based on UNIX. It's not faked to appear like UNIX, it is actually UNIX. The permissions system means that a common virus could damage a user's home directory, but the system for the most part would remain unaffected, including other users. It is still possible to write root-kit style viruses that take advantages of subtle bugs in the operating system and other software to gain control of the system, but this is significantly more complicated to do, and IIRC it was Theo from the OpenBSD project who said that attacks like this require many steps that often must take advantage of many vulnerabilities to elevate priviledges, and by fixing even one bug, a whole category of vulnerabilities (even if other bugs remain) becomes inaccessible to a would-be attacker. This, in addition to much of the code underlying OS X being available for hacking up by anybody, in addition to other projects actually hacking on this code (improvements from projects like Samba, Apache, GCC, FreeBSD, even various Linux projects, make it into Darwin and OS X.... and most of all the fact that users don't run as administrators, all of these reasons make it much less likely that viruses could be as damaging as on Windows.
I think the conclusion that he draws is probably correct, but he doesn't really seem to explain why. The reason that systems like OS X and Linux are safer than Windows is not that launchd runs a shell, but that both Linux and OS X tend to run processes that don't need privileges as root.
This is a substantial win. However, if you manage to compromise a process that is running as root, you do have full control of the machine, and you can install your own privileged software on the machine without an authentication prompt appearing on the console.
Also, most of the man pages on OS X are woefully out of date, so giving the existence of these as a reason for why security is better on OS X is unfortunately a cruel joke. Third party apps from the Open Source community do often have better documentation, but the basic man pages from OS X are often years out of date - this is one of my pet peeves about OS X, I will admit.
It sounds like the hack he's describing occurred because he'd installed third-party software that ran as a service with an open port, as SYSTEM (i.e., with full privileges) and that took over his machine. The reason this is less likely (not impossible, just less likely) is because if you are running a third party server process on OS X, it's probably a piece of open source software like Apache, which has been vetted to within an inch of its life, because it is open source, and the many people who care that it is secure have the freedom to check that it is secure. And it probably doesn't run with full privileges, as the author says.
Anyway, like I said, he's right, but his reasoning is a little foggy. And it's important to be aware of the ways in which it's foggy, because this is your best chance of avoiding having your machine hacked.
Conceptually, I agree that LaunchD is a really slick idea and I really hope Linux and the BSDs take a good hard look at this code and the possibility of adopting it. That said, it is not a security panacea by any means, just one more clean, sensible implementation that leaves less room for a vulnerability. The thing that makes me hesitate to laud this feature, however, is the implementation. Apple has a lot of smart people working for them and a lot of old school UNIX geeks to whom secure programming is as natural as breathing. They also have a lot of coders and managers who realize that OS X is not a primarily security minded OS. Sure, it is better than Windows and on par with a desktop Linux distro, but it isn't a locked down OpenBSD install or a super secure Linux distro. They don't focus their efforts on security and it shows sometimes when they introduce new code. LaunchD replaces a number of time tested bits of code and while it is (IMHO) a much cleaner, nicer design I haven't a clue about how well written and tested it is, especially from a security perspective. I'd feel a lot better about claiming it as a security feature if I knew some white hats had pounded on it for a while and exposed anything Apple did not bother to think of. I'd feel a lot better if the OSS community in general jumped on it and adopted it, thus helping with this security testing and adding more eyes.
I like LaunchD. I like OS X as a desktop. Lets just not get carried away here with random claims about security. OS X is inherently more secure than Windows, but that really isn't saying a lot. I'm not willing to just assume LaunchD is secure in and of itself, let alone that it will play a big part in securing the OS as a whole.
being offered as a "reason why OS X is more secure than Windows."
The article claims that Administrator on Windows is equivalent to root; and that SYSTEM is more powerful than Administrator (and by implication more powerful than root). This is nonsense.
Administrator is indeed less powerful than SYSTEM. However, Administrator is equivalent to a user on the sudoers list and/or with group write access to system directories. SYSTEM is the correct equivalent to root.
We may quibble about how well Administrator accounts are protected from trojans; or whether non-Administrator accounts on Windows are of much use; those are valid arguments. However, claiming that, somehow, SYSTEM on Windows is magically more capable than root is ridiculous.
If anything, Windows has a somewhat better design in that it is possible to set up privileged accounts with a specific power that only root has on UNIX, yet not have any of the other root powers. However, this capability is quite underutilized, and in many ways is undermined by other (unfortunate) decisions that Microsoft made.
--- What?
As long as corporations confuse interoperability with "windows compatibility" the scam will go on. Only when the commercial user who forks over billions of dollars to MS every year demand true interoperability and injects real competition, it will end. There is no advantage in being the first among the users pushing for it. Pepsi will not care as long as Coke is also spending relatively the same amount of money for similar services. But someday somewhere some corp will bite the bullet and spend what it takes to break the vendor-lock in, and only after that the security situation will improve.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
to be honest I would go after OS X. Why? Because no one else is. Those who get known are those who, "think different."
Self proclaimed wannabe geek. You know how it is. Most of us who read this stuff probably fit in that category.
offsite safe storage through .Mac
dot Mac is not in any way secure / "safe storage". Unfortunately I bought a subscription before I realised how dangerously unsecure it is. When I started to configure Backup, I thought I'd do some digging first to see what was going on. It turns out that credentials are sent in plaintext. Communication between the user and mac.com is not encrypted. Storage on iDrive is also not encrypted. Backup archives have no encryption.
It's completely wide-open to snooping attacks, and nobody should trust anything to it besides their weekly grocery list or other documents that they don't mind any snoopers (wireless interceptors or Apple employees) from freely browsing. I expect a major security breach is inevitable.. it's just a matter of time. It would take one person with a wireless snooper at Macworld, gathering hundreds of juicy high-profile targets to mess with - and dot Mac will be destroyed by a torrent of negative publicity.
Of the entire Apple product range, dot Mac is the one that is most stuck in the early 90's. It works.. but is a severely inadequate solution.
And Apple could never do the things Microsoft does:
1) Threaten Compaq with withholding OS licenses if Compaq installed Netscape Navigator as the default browser
2) Threaten IBM with increased OS license fees if IBM did not drop OS/2
Those were the lynchpins of the antitrust lawsuit. If Microsoft had ONLY bundled, they would not face monopoly abuse charges. Then HP could have UNBUNDLED IE and installed Firefox, or IBM could have unbundled Windows and installed OS/2.
Apple's bundles can be unbundled. That is the critical difference. Drag Safari, Mail, Virex, Appleworks, iCal, and Quicktime to the trash, and the OS still works.
GPL Deconstructed
Apparently this guy had the experience switching from Mac -> Windows and see what happens. A lot of people say it has to do with market penetration (Thanks to the M$ FUD) but nothing is less true. There are far more hosts running on any flavor of Unix or using the GNU tools or somewhat compatible tools for that matter than Windows hosts connected to the Internet.
The biggest flaw in Windows is stuff running as SYSTEM. Try this in Windows: schedule a command in a terminal to run cmd.exe the next minute using the "at" command. As you will notice, you will get your cmd.exe... running as SYSTEM. You don't even have to be a very privileged user to do that, kill your own explorer.exe and start explorer.exe in that cmd.exe you have and guess what: you're running your system as SYSTEM. This would be like running Bash, KDE or Gnome as root, although possible, you can't elevate root out of standard user rights. Same thing for hooks into IIS (.NET) or any other application, they can all elevate to SYSTEM without too much trouble. Would be like suggesting to run Bind or Apache as root, and as any Unix guru would say: Blasphemy! Blasphemy! and you would feel the vibration of Rich Stevens (http://en.wikipedia.org/wiki/W._Richard_Stevens) spinning in his grave at the speed of the fan running in the server.
Custom electronics and digital signage for your business: www.evcircuits.com
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 95 (whenever that gets out..) Is that out yet?
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 98 (whenever that gets out..) Is that out yet?
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 2000 (whenever that gets out..) Is that out yet?
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows ME (whenever that gets out..) Is that out yet?
Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows XP (whenever that gets out..) Is that out yet?
Sorry to be redundant, have you heard this joke before already?
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
[From the article]
SYSTEM doesn't trump Administrator(s): since either can control the kernel, they both represent full control. SYSTEM can't magically bypass security descriptors any more than administrators can; both have but indirect end runs available. SYSTEM's profile has the global system environment. In Win32, shells have considerably less importance, but SYSTEM processes can still have them. SYSTEM's actions can certainly be audited, so I'm not sure what they meant by impossible to log.
There are lots of services running as low privilege LOCAL SERVICE and NETWORK SERVICE. Perhaps there could be more. Note that a single svchost can represent several services.
The binaries that implement system services are protected by system file protection. SFP isn't a security feature; it's there to work around buggy installer behavior.
This isn't true on a domain where the admin has designated installable packages, and RunAs works fine for installation programs that are written properly.
I'm not sure what's meant by this, but if your kernel is owned on any OS, a rootkit can be installed to evade any kind of debugging.
Non-human-readable? Never used the registry editor? The key and value names seem to be in English... It's like saying that a filesystem isn't human-readable because you need ls. There are no plans to make the registry obsolete for system configuration. In fact, the new boot loader's config database is a registry hive. As for owning the computer throught the registry, every key is protected by an ACL. There's nothing inherant in the registry that allows an attack, privilege escilation or otherwise.
So then the admin takes ownership of the keys in question, forcibly with the SeTakeOwnershipPrivilege, and since the owner of an object can always set the DACL, the admin returns himself full control. Either that or use the SeRestorePrivilege to overwrite the key directly.
What's wrong with the shell's ACL editor? What's wrong with the default permissions?
Since root can ignore security, this isn't saying anything. In Windows, only the kernel can bypasss security.
What I thought was interesting in the article was how many of his complaints were probably due not to bad design per se, but to poor practices -- things like documentation, structural transparency, consistent use of system policies, etc.
What struck me is that there are definitely seeming flaws in Windows that make it insecure as-is, but that it doesn't have to be this way; Microsoft has chosen and continues to choose to operate in such a way that exacerbates rather than minimizes the effect of many of the inherent weaknesses of the platform. A similarly designed system, managed and documented differently, would probably be less problematic.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
There are PLENTY of hackers out there, of every level, who would absolutely love to be able to point to themselves as the first "l33t hax0r" to write a real world OS X virus and "wipe that stupid little grin off their [Mac user's] smug little faces."
And in the six years OS X has been out, not one, NOT ONE, has succeeded.
Mac is not dramatically more secure through launchd...
It is simple really. Six years into OS X, growing market share, and no viruses in the wild.
First principle. No ports open by default. Macs ship with a closed box. Plug it into the Internet, wait, and your machine will never get infected simply because it is not listening on any port, and no attacker has any foothold to get into the box. Over the years Windows has shipped with a wide variety of open ports, whether they be for netbios, smbd, messenger, IIS (on NT), or others. Many of these have been launching pads for viruses and worms.
Second principle. Design the OS from the ground up to support privilege descalation. That is, make it so that every action on the machine is executed with User privileges or less, unless you really need more privilege. Launchd is a part of this. On Windows, you still have ActiveX with escalatable privilege, and people get infected from web surfing or opening email.
That is really all it takes. Make it so a user cannot compromise the OS trivially, and there are no open ports, and you made a box as secure as a Mac. Once you start opening ports, you need to know what you are doing or you will be 0wn3d by some script kiddy. Make it secure by default, and force the user to take positive action to do anything that is a potential security problem (like installing executables from random places on the internet).
I'm just wondering if anyone has ever built a firewall device from a Windows box.
Please shut up right now before you give some braindead manager an idea. We have a projector some creep built on Windows and we can't even keep it from crashing all the time. Do you know how much of an idiot you look like when you're giving a presentation and your projector crashes, you have to pull the plug and listen to the Windows start-up chime? Its like telling people your monitor crashed. They look at you like your brains just dribbled out of your ears.
The very successful worms of the early 21st century were all about causing as much aggravation as possible. The creator of the ILOVEYOU virus didn't make any money from disrupting corporate email servers but he did get to cause a lot of aggravation. You think there are no virus writers wanting to stick it to smug Mac/Linux users? You think no-one would take the time and effort to annoy them? You don't understand human nature too well if you believe it's merely marketshare that's keeping malware away from OS X and Linux.