Apple Releases 31 Security Fixes
Agram writes, "This week Apple has released fixes for 31 vulnerabilities in its OS, although reportedly a number of known flaws remain unaddressed (according to the instigator of the Month of Kernel Bugs, 'Apple hasn't fixed any of the bugs published during [MoKB], except for the AirPort issue'). Earlier this year, in a move reminiscent of Microsoft's past patching faux pas, Apple released a 'fix' the installation of which broke features unrelated to the targeted flaw. With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands. Earlier this month, Microsoft released 6 fixes. Linux does not seem to fare much better. Despite all of these fixes, exploits remain in the wild for each platform. Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"
Apple has known security bugs and yet people still focus on killing Windows boxes. I'd like to know Apple's secret.
/whisper/ Thanks for the candy!
...will ever be perfect (except for GODOS). All we can hope for is the most amount of intuition and the least amount of irritation.
Cake or Death? Cake Please!
for security, you have already lost the battle. Staying (relatively) secure involves a few simple steps that most people still won't listen to:
1. Run a firewall and only open what you need to be opened
2. Most importantly: DON'T CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazing how many Windows users get infected like that
Those obviously won't protect against 100% of threats, but very few things in life are guaranteed.
Monstar L
...that OpenBSD whores will derail this entire discussion.
Vendors of commercial software would have you believe, free is supposed to be much worse: "Free and worth every penny"...
That it is even on par is great. If it is better, even if by "not much" — that's terrific!..
Personally, I'd rather the world used FreeBSD, of course, instead of imitations like "MacOS"/"Darwin", or "Linux" :-)
In Soviet Washington the swamp drains you.
Symptom is that Entourage quits 3 seconds after launching. Even if you're not an Entourage user, you might want to hold off because typically when a problem this big is found there are other undiscovered issues. Can't really blame Apple for trying to rush this through though, given the nature of what the patch is intended to do to your system.
Public Domain Freeware and Shareware is a good thing to create, trade and buy, but this GPL/FSF communism and their donate-buttons and book-selling "open source visionaries" are a bunch of posers.
Dear Slashdot editors,
your readers are all technically literate. Please don't post stories built on dumb ideas like "how secure an operating system is = number of potential security holes fixed". That kind of stuff is for pointy haired bosses, not technically literate people.
Thanks!
1) Being the most used OS in the world gives you the bonus of the publicity. If you do something bad or have some pretty terrible bugs, half the planet will know about it. If Apple has terrible bugs, their 3 and a half users will know about it. And that's all.
2) The bonus of the (in)sympathy. Being the most used (and misused) OS in the world affects the sympathy the users have for that product. Using MacOS or Linux makes you "cool" and "underground", so Windows will get that extra bashing.
3) An OS is a TERRIBLY complex thing, and you ***will*** have bugs. It is only a matter of time.
4) Everybody and their cats program (or misprogram) for Windows. When a 6 year old boy begins programming, do you think he will program for Univac mainframes or for Windows? Thus there will be more "hackers", "crackers", etc. for the main OS.
If you want to maliciously exploit an OS to make major damage/profit, do you want to target millions of Windows users or the 3 and a half Mac users?
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
The issue is having an actual usable vector for mass propagation, resulting in the massive downtime and recovery time, billions of dollars of lost productivity, and tens of thousands of man-hours in remediation. That's not to say no one could ever find some suitable vector for propagation that can strike large numbers of Mac OS X users effectively; just that it's very unlikely for a variety of reasons, not the least of which is that these days, most Mac OS X computers aren't exposed in such a way that anything could effectively spread en masse remotely without user interaction.
Almost everything relies on some form of user interaction, and yes, these things are still bad, especially ones that take advantage of some shortcoming in the OS. What's laughable about the submission is that it makes it look like it's "bad" that Apple fixed oh-so-many vulnerabilities, and then complains that it's not fixing enough. Apple does fix issues reported to them, period. And yes, we all have stories about this or that outstanding bug or vulnerability that is still open, but Apple has markedly, hugely improved, mostly because of listening to feedback from customers, particularly enterprise customers, in the security arena. It does have a way to go, and whether or not any fix is "fast enough" will always be subjective.
No one sane ever said Mac OS X was invulnerable. It has bugs and vulnerabilities like any OS. Apple responds to them. Someone will always think they're not responding fast enough, or correctly, or what have you, but the fact remains that Mac OS X has been on the market for over 5 years, and there has yet to be any substantial issue that has been exploited on any scale. And no, it's not exclusively because of marketshare.
First of all whats the URL for Linux? and second what's a URL?
I mean, give me a fucking break. I could write a trojan in 5 minutes that makes you delete your entire user folder... that doesn't make it a flaw unless you're talking about the jackass who executed it instead of following the simple rule of the internet..... DON'T RUN ANYTHING YOU HAVE NO CLUE IS SAFE... that means shutting off "open safe files after download" too!
And likewise, weren't a bunch of the "flaws" proven to be so reliant on certain things happening at certain times that it would be next to impossible to actually get them to do anything but kernel panic?
"Slashdot, where telling the truth is overrated but lying is insightful."
I wouldn't.
:-)
I'd prefer my current OS of choice to remain relatively safe. If everyone in the world used it, then people would bother to hack it more. Let them keep their sucky OSes
34486853790
Connection too slow for X forwarding? Try "ssh -CX user@host"
You do realize that Darwin is based on FreeBSD 5.0, right?
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
> Personally, I'd rather the world used FreeBSD, of course, instead of imitations like "MacOS"/"Darwin", or "Linux" :-)
You do realize that FreeBSD is an imitation of BSDLite and that "MacOS"/"Darwin" were architected from the official BSD 4.4 under the direction of one of the guys who created OpenBSD, right?
As far as Linux, it is a homebrew system inspired by the demo OS Minix that Andy Tanenbaum wrote about in his book on operating system theory, and it is in no way related to BSD.
And further, all of the same reasons for choosing BSD over Linux (mainly, pre-integration) go double for choosing Apple Darwin over BSD.
My linux laptop is all crudded up with 9000 spyware bonzi buddy applets, and my OSX work machine was just discovered to be a spam zombie spewing out half a billion UBE's per week.
Bad, Apple, bad. *thwacks Apple with rolled up newspaper*
Don't break any fixes anymore, you're supposed to be perfect.
I do. That's why I called it "imitation".
The main point they should make is that OpenBSD doesn't bundle in lots of other software packages.
... as Apple patched 31 vulnerabilities, but most of them were not part of the OS (applications like FontBook and FontImporter) and not even maintained by Apple (like OpenSSL, PHP, Samba, perl).
Therefore, they don't have people saying 'fixes for 31 vulnerabilities in its OS'
Build it, and they will come^Hplain.
I would imagine that in a parallel dimension where Apple's OS is by far the most widely used in the world, with Windows being a distant second, Mac OS would be known to have the most insecurities or viruses. All of the hackers with no lives who actively exploit these things (as well as the hackers with lives who report their findings so they can be fixed) would be focused on this OS because of its immense user base.
I'm not saying that it would be as insecure or virus-ridden as Windows really is, but in that parallel dimension it would have more known issues than Windows would because nobody would care about targeting the 2% of the market using Windows.
I agree with the "pick your poison" mentality, but in this real world case, it's the difference between choosing arsenic or just really strong orange juice.
/* No Comment */
You are relying on security through obscurity. There are arguments for it, but they are generally frowned upon. Certainly around Slashdot :-)
2) Even before these patches you would be hard pressed to exploit any of these bugs, just as you're hard pressed to do anything with any of the bugs exposed in the month of fud.... er, kernel bugs or whatever that guy called it.
Apple requires a lot of user interaction to exploit anything... on the other side of the coin, an XP box could just surf to a bad site and be completely hijacked if not properly protected from adware.
31 vulnerabilities are 31 fewer vulnerabilities OS X has vs XP. Finding more vulnerabilities doesn't mean you're less secure or that your software is buggy; the flip side of the coin is that there could very easily be 31 or more vulnerabilities in XP that have NOT been found.
I'd like to know your rationale for that statement. OS X is based off of the Mach microkernel. The FreeBSD people, to my knowledge, never bought into the idiotic "microkernel on a multipurpose OS" hype.
Additionally, I'm pretty sure MacOS came out before January 2003, when FreeBSD 5.0 was released.
Actually, according to Wikipedia, though not the best source available, it was based on OPENSTEP/NEXTSTEP. This also reports the release as 1999/2001 depending on version.
Could someone post a link to this Linux?
Lindsay Blanton
RadioReference.com
That's a fix for every day of the month!
Summation 2
...what is being suggested is that the more complex a system becomes the more points of failure it has - wow, I need me a ticker tape parade.
It's hardly news that if someone goes looking for problems they find them - what is more revealing is the general response to the issues discovered:
Windows: 'well that's what you get when you write closed source crap and you try and bleed money out of your customers'.
Apple: 'That'll wipe the smiles off their smarmy faces'.
Linux: 'Oh we so good - look at how open source instantaneously fixes these problems, cures cancer and helps little orphans'.
all these above responses are of course propaganda (please refrain from using that awful, awful word "fud").
It's ironic that one of the hottest topics on slashdot, climate warming is accused of being one of the most tainted sciences but when it comes to something much simpler, the efficacy of patches on modern systems it turns into the biggest mud slinging match you could imagine.
Promote Charity on Myspace, Show Your Colours!
Yeah, I mostly could care less what /.ers think in their opinions. While the news is interesting, and the commentary is often amusing, in the end, I find I go for what works, not what looks good. Certain groups of /.ers tend to follow certain trains of thought that appear noble or righteous, but often ignore many aspects of reality.
That said, what I really want to know is why big companies like MS and Apple don't explain more fully WHY they aren't releasing patches to known issues. As a software product manager, I spend a lot of my time determining what issues are deserving of patches, and there certainly ARE good reasons not to patch a bug, but I would probably take it an extra step and explain to my clients exactly why the decision not to patch was made. We don't necessarily want patches, we just want an explanation.
I was being stupid, but thanks for your detailed explanation.
Serious question, do you know anything I can do to make my windows XP secure?.. I used to have Agnitum outpost firewall but it really pissed me off, so I'm not using any firewall at all now.
Thanks.
The days of cracking just for "fun" or "reputation" are mostly over. Malware is driven by money now. Botnets, and spyware are the name of the game. No point in disabling ("owning") computers with malicious code when you can just silently commandeer them to make money. A lot of the malware spreading requires user intervention, which requires a mass audience, and a targeted spreading mechanism (e-mail is still the #1 way to spread).
You: "Microsoft makes such a bloated terrible operating system"
Me: "XYZ in an OSS distro is crap"
You: "Well, it's free. What do you expect?" Exactly.
Classic example of this Linux truth right in this post. Omg some of you Linux nerds are unbelievable.
For a perfect explanation of why OSS sucks, read http://microsoftisawesome.blogspot.com/2006/11/why-does-open-source-software-suck.html
I fixed over 50 bugs in my web game during the past two days. Does that mean I'm less secure than Windows?
These numbers mean nothing at all.
First, it's the number of fixed bugs, not of existing bugs. If product A has 500 holes and fixes 5 of them, and product B has 50 holes and fixes 10 of them - these dumbwit journalists would tell you that product A is more secure.
Two, quantity alone means nothing. If product A has 5 remote root holes and product B has 20 spelling bugs - these dumbwit journalists would tell you that product A is more secure.
The worst thing is that they get paid for producing this kind of misinformation. No, wait - the worst part is that there are lots of people out there who don't know technology and actually believe that crap.
Assorted stuff I do sometimes: Lemuria.org
May I ask what you mean by "pre-integration"? It doesn't sound like my reason for using BSD over Linux...
Apple took a great thing and used it to build a good thing. I think this is a good illustration of that.
People who use or support OS X because it's presumably more secure than Windows should consider taking the next half of that step and just run BSD/nix. Don't go half way if you're looking for a more secure OS; skip the pretty GUI and the skewed user management. Go with the whole advantage, not just the parts Apple left in.
From the blurb: Linux (if you need a URL for Linux, you are probably at this site by mistake)
Fantastic! So what the poster is saying is that "If you're on slashdot and you're not a Linux geek you're out of place here".
Out of place as in not welcome for the most part too considering some of the groupthink that goes on.
Just try to get a valid, non-snobbish answer to a n00b Linux question around here. I dare you. Just like the snobs on #Linux. Try it there and you'll get the same.
The day I decided that Linux wasn't for me was the day I went to #Linux and asked for the name of a good distro a n00b could run without pulling out his hair. The response was directing me to DistroWatch or some-such site with nothing more than a list of distros. Out of 40 people this is the lone answer I got.* Great. And yet Linux users still claim Joe Sixpack is welcome to try to adopt? It sounds more like throwing down the gauntlet as opposed to inviting him in.
* Later I tried DSL and Mepis. While I found nothing "wrong" with them I do find overall Linux support lukewarm at best and I don't have the problems with windows that most claim to have. I just don't see a reason to switch yet. Maybe in a few more years when some of the zealots mature a bit and realize that supporting a product is more than just shouting "OMFG~! It's the best, if you don't like it you're just a fucktard!!11!!" and start producing apps a little bit better than Gimp I'll give it another go.
No, no, one doesn't.
Number of Windows machines I've had to painstakingly remove highly virulent spyware/adware from: Dozens.
Number of Mac OS X machines I've had to painstakingly remove highly virulent spyware/adware from: ZERO.
This is far more than just anecdotal evidence; this is how things go in the real world. In the real world, 50+% of Windows machines are badly infected by spyware, and 0% of Mac OS X machines.
ZERO.
By far the most prevalent security and stability breaches "in the wild" are not rootkits or remote exploits... they're spyware and viruses, both of which are virtually exclusively Windows issues. You can claim that this is mostly or wholly due to the overwhelming dominance of Windows over all other operating systems (in terms of "market share"), but the fact remains.
Until I start getting calls from blue-haired grandmas to hand-pick bits of Hotbar and Bonzibuddy and porno pop-up daemons out of their Macs, I won't buy the "Macs aren't any more secure than Windows" FUD. And neither should you!
With spending like this, exactly what are "conservatives" conserving?
I keep looking for the sarcasm tags here. Where are they? Is this post for real?
Just yesterday I was down working with some developers. There were four rather old G4 Powerbooks and one new (3 months old) PC. Four PowerBooks running flawlessly. PC was already riddled with spyware and viruses and not working properly because of such. These poor people have an unusable computer because of all these security flaws...well...PC-specific flaws. Luckily they kept chugging along on their old Macs while the PC was being worked on.
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
I think you forgot to type "Not at".
There is a spark in every single flame bait point.
IMHO a technically inclined person can shave Linux down to the bare minimum services relatively easily. There are distributions that focus on rock-solid stability or security, and others that focus on being a Windows replacement.
Come on... that was funny. I chuckled.
Religion and politics, without the flame. godgab.org
If an exploit does nothing more than let you play solitare someplace you shouldn't, then it doesn't matter. And the thing is, even if OS X is only as secure as Windows (which I'd dispute), it's still good for overall security of the Internet. One of the biggest problems with the Internet today is that if 95% of the computers run one operating system, it becomes easier to write exploits that affect the majority of people.
On the other hand, if 50% of the people were running OS X, then no exploit could harm more than half the people at any given time. So in the long run, perversely, OS X is beneficial to the security of Windows.
This sig has been temporarily disconnected or is no longer in service
In case anyone happened to miss this on the MoKB site...
http://projects.info-pull.com/mokb/MOKB-26-11-2006.html
Be sure to have your speakers turned on and up.
Rich And Stupid is not so bad as Working For Rich And Stupid.
Here: http://malfy.org/
Anything that will trip up attacks (different OS, instruction set) can help. Certainly if there were a determined attacker who cared about getting into my server in particular the 'oddness' of it wouldn't stop them, but for worms expecting the usual suspects it should be enough.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?
Yeah, like, everyone knows that all OSes are, like, equal in all respects. It's not like they were designed differently or anything. It's all just 1s and 2s anyway. Every computer gets clogged up with worms, viruses, and malware. It's just that there are more Windows users out there, and the Mac users just keep quiet about their virus infestations, so they can keep the Sacred Cult of the Mac going strong. I know plenty of Mac users who have to do clean installs all the time because their machines get so clogged up with worms and viruses. All of these whiners talk like that's not true!
Read the EFF's Fair Use FAQ
Nobody reads the articles silly!
No, it was supposed to be a successor to NeXTSTEP. And both OSes use a Mach kernel. IMHO, it's a poor successor, since NeXTSTEP had a unified filesystem structure. OS X lacks it, instead imitating OS 9 and below in the Finder and being rather UNIX-y everywhere else. And tools like Spotlight work poorly. Spotlight can be controlled (as root only) from a UNIX shell. But it can't index networked volumes unless they're mounted via the Finder. No automounted volumes, for example! Instead, in an office environment using LDAP, you need to automount a scripts directory, then have an AppleScript in there that runs via a login job that mounts the volumes via Finder. Then have a script that runs via cron and makes sure that volume's being indexed. Hopefully this shit will be addressed in 10.5.
Blech.
-b.
I would imagine that in a parallel dimension where armoured trucks are by far the most widely used vehicles in the world, with Ford Pintos being a distant second, armoured trucks would be known to have the most flaws and ways to break into them. All of the thieves with no lives who actively exploit these things would be focused on these vehicles because of the immense user base.
See how silly that sounds? Even if armoured trucks were more widely used, it would not imply that they would have the most vulnerabilities. It would still be easier to break into a Pinto, and I am certain that there would be far more "flaws" for the Ford. The same goes for *nix. It's been designed with security in mind, like an armoured truck. That doesn't mean it's perfect -- social engineering (a la "give me your root password") will still gain you access to the driver's seat. But market share does not necessarily imply greater vulnerability.
Good thing I'm using Windows. Oh wait...
w00t
I use CP/M. I am not aware of any published security holes for it.
The philosophical differences are that the Linux user base can both find and fix the problems, but closed source can only find and report problems.
Although you multiply poison by the user base, the more people that use Linux the more secure it becomes. The more people that use an OS where the users cannot find and fix problems, the less secure it becomes as an overall platform.
A large part of the problem is finding it, and when a security flaw is found in Linux it is pretty much always fixed. So, a large userbase for Linux is good because they can fix the problems themselves, or report them directly to someone who can.
But when you are sourceless, a large userbase can report a problem and they must depend on someone else to fix it. So, the more people that use it, the more people using it with a particular bug. Usually, the fix timeframe is based on Impact * number of reports, and although Microsoft has gotten pretty good about turnaround time for patches, they used to be horrible and if there's a lack of reports I suspect bugs will go unpatched for quite some time. However, you still have the issue that all closed source has: the user can't fix things for himself and that includes bugs.
Lastly, comparing OSX to Linux and WinXP isn't really fair to Apple... they're still relatively new to the scene and have a lot of bugs to shake out. And when comparing, you can't just say "N bugs in X OS over K days", you have to also multiply this by the impact. 31 local DoS security fixes is not as scary as 1 remote execution fix.
``With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands.''
It never did. First of all, you can't compare the security of operating systems, because you can't eliminate bias from your tests. Secondly, Apple's OS is closed source, which you can never trust. Thirdly, much of the OS is written in unsafe languages (particularly C, C++, and, perhaps, Objective-C - I don't know if the last is unsafe), and thus the statistical probability that it will contain security holes is high. Finally, I don't think Mac OS X has been so thoroughly scrutinized by security experts as Windows has, so it's very well possible that Windows is more secure by now, regardless of its starting position. However, we will never know that, because of the first point.
Please correct me if I got my facts wrong.
...the user security model. *nix-based systems like Mac OS X, Linux and *BSD are just truly multi-user systems with security in mind from the beginning. Granted, networking and kernel bugs can still exist, but it's just a lot different with Windows.
Windows was designed to be a single user system (like pre-OS X versions of Mac OS), and has just had supposed "multi-user" capability grafted on to it over the years. It is my understanding that they wanted to go the *nix way with Longhorn/Vista, but it just was too darn hard to maintain precious backwards compatibility. I could be wrong, because I really know jack crap about Windows. I have Parallels/XP on my MacBook for testing, and that's about it. Any Windows zealots (are there *any* here?) please feel free to correct me if I'm wrong about this pseudo-grafted multi-user security thing. I'm proud to be an IT pro who can honestly say "I don't do Windows."
The authorization box in Vista sounds all wrong, and another futile attempt to copy the way *nix GUIs do it. The fact that they've tried to make a bash-like shell replace the DOS shell, along with the constant aping of the Aqua interface just shows that although they own the desktop market, they still fail miserably at stealing all the good ideas.
Guess I've gone off topic somewhat, but someone please at least mod me Interesting because the main point is security in Windows vs. security in *nix is just two entirely different ballparks.
:q!
Don't go to skeezy sites - porn indices & poker. Stick it behind a hardware firewall. I'd use a LinITX box running IPCop and Copfilter, but that's just me. Run good antivirus (Avast or Kaspersky seem to work for me, Norton/McAfee worked poorly and slowed things down too much).
-b.
You really want to have 500 network home directory users indexing your fileservers, possibly all at once?
Seems a bit harsh on the server.
I see your point for indexing some data volumes, but they're not typically automounted, unless you have a very static user profile.
There are two types of people in the world: Those who crave closure
Well, I only use firefox, opera, thunderbird and Gaim for msn/yahoo.
I don't visit porno sites, nor use p2p.
I have a hardware firewall (router one) and try to keep the open ports forwarded to a minimum.
I don't have an anti-virus either, but was wondering if there's a good software firewall someone might suggest, but it looks like those are rubbish and that you're better off with a hardware one.
Thanks
It doesn't have multiple computers index at once, believe it or not. It uses a protocol that designates one of the computers using the root directory of the resource as a "master" indexer, the others are "slaves." After the indexing is done, the copy of the index on the resource itself is "published" to a local copy on all the computers connected to the resource - that local copy is periodically updated. Since the kernel tracks file changes and sends them to the master index, indexing in theory is only needed once if all of the computers connected to the share are running Tiger or better. I have it re-index biweekly just to be safe.
-b.
An amount of the security Mac users experience is simply because you're not a big enough market to have fun with yet. No set of programmers is going to beat out users for finding ways to make their system vulnerable. There is value in not being noticed by the hacker community; don't spend it. There is also value in not being as exposed to people who should never have had a computer in the first place.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
"OS X is based off of the Mach Microkernel"
"based off" isn't the same as "is", because the OS X kernel (XNU) isn't a microkernel. This Apple document says as much:
http://developer.apple.com/documentation/Darwin/Conceptual/KernelProgramming/Mach/chapter_6_section_1.html#//apple_ref/doc/uid/TP30000905-CH209-TPXREF101
Here's the relevant quote:
"in Mac OS X, Mach is linked with other kernel components into a single kernel address space. This is primarily for performance; it is much faster to make a direct call between linked components than it is to send messages or do remote procedure calls (RPC) between separate tasks. This modular structure results in a more robust and extensible system than a monolithic kernel would allow, without the performance penalty of a pure microkernel.
Thus in Mac OS X, Mach is not primarily a communication hub between clients and servers. Instead, its value consists of its abstractions, its extensibility, and its flexibility."
"Additionally, I'm pretty sure MacOS came out before January 2003 When FreeBSD 5.0 was released"
It did indeed. OS X was (and is) based on FreeBSD 4.4, not 5 as the GP claims. Note though that once again, "based on" != "is", because there are a number of differences between Apple's XNU kernel and the FreeBSD one.
I'm not going to change your sheets again, Mr. Hastings.
You've got some good points, but this:
Secondly, Apple's OS is closed source, which you can never trust.
is just wrong, which anyone who frequents slashdot should know by now. Apple Open Source includes most of the operating system, and much of the rest is built on other open source projects such as Apache and Mysql.
Heck, if you had looked at the list of fixes, many of them are actually updates to newer versions of open source packages, such as ClamAV.
Clear, Dark Skies
the funniest vulnerability I've ever seen. OS X is vulnerable to arbitrary code execution via a carefully crafted font !?!
On the other hand, the recently announced problem with DMG files is down right scary.
I've been following Mac news for about 3ish years since I switched. It seems that on the run up to the Vista release there has been a bit of a Spike in "Macs aren't as secure as you think" articles. Is this a stealthy "Get the facts" campaign?....
There is a poster where I work. It reads: "The greatest security device ever created." Beneath that is a picture of a human brain. Unfortunately, the human brain is also the greatest security vulnerability ever created.
When you have behavior like computer users with administrator rights clicking "OK" on the "Install smiley faces now!" pop up, the vast majority of security breaches are due to poorly trained computer users and system/network administrators. If OS/X or Linux owned the desktop marketshare that Windows does, it still would not improve the behavior of the users and admins. I haven't found an O/S yet that trains people not to do stupid things on their computers.
Dedicated servers don't browse the web and install weather tracker toolbars, so they are a completely different discussion.
I think that this is inevitable. Mac OS X is a desktop OS; desktop customers demand shiny new features, and Apple needs to compete with Microsoft in adding such features, otherwise it will fall behind in market share. These new features make for a supremely usable OS, but it means that development is always too fast. Security flaws are invariably human logic errors, and when a lot of new code is written really fast, errors are made. Conversely, take OpenBSD: its pace of development is slow and thorough, and due to its comprehensive code audit (which slows development) very few security holes are found in the code. As complexity escalates, so will the number of bugs, and until Apple's workforce is replaced with androids (which I'm sure will have a negative impact on its cool reputation) errors will continue to be made. Although inevitable, we need not accept that there should be quite as many flaws as there are - Apple is in a uniquely privileged position over Microsoft in using the Unix permission system and the mature core that Mach and FreeBSD provide; it must not become complacent. Increasingly, it appears that Apple is becoming sloppy - there are reports of Apple not using automated bounds checking and such. Such arrogance is inexcusable from any developer, and as Apple's popularity increases poor security will invariably become more of an issue. It's time for Apple to seriously take stock of this issue.
Nothing sucks like a Vax, nothing blows like a PowerMac G4
Why is there an almost endless number of malware for Windows, and hardly any for Mac? Is it because Mac has fewer holes? NO! It has nothing to do with this (I will moderate this statement later). The reason is that 95% (more or less) of users are running Windows, and the rest is all other systems. What has this to do with it, you ask? Try looking at it from Joe Hacker's perspective. He wants to get lots of zombie computers to send spam to make money (this is a typical hacker of 2006, hackers aren't what they used to be). The question he then asks himself is something like: "How can I get the most zombies for the least amount of work? Let's see. If I make a website attacking all the visitors running Safari on OS X I'll get about 10-20; if I on the other hand attack IE on Windows I'll get 1-2 thousand. In other words: using 1 hour to attack Safari on OS X gives me a little money. Attacking IE on Windows gives me MUCH money." I wonder what he chooses to do?
Security is chiefly NOT a technical issue, it's a human issue, as it is humans that initiate security attacks.
On the other hand, if it is, technically, a thousand times easier to attack a Mac than a Windows box, then it will be worthwhile to attack Macs too.
The biggest reason we have so much spam in our mailboxes is Windows and its market share, and its user-friendliness.
I've stopped helping friends with Windows that don't run an antivirus program. This, I tell them, is the hidden cost of running Windows, and it has nothing to do with Windows being technically inferior to Mac security-wise; it's purely numbers.
I can't hear you because I have my Powerbooks in my ears.
Apologies to Patrick Roy for stealing his quote.
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
my OSX work machine was just discovered to be a spam zombie spewing out half a billion UBE's per week.
Not so funny. Earlier this year, one of our local lusers turned on the webserver on his G5, and installed PHP and TikiWiki without telling IT. We learned he was using it when TikiWiki had a major security hole found a while back, and the machine probed 130k IP addresses in Brazil before compiling a spam proxybot. Fortunately, it only sent out a few thousand pieces of spam before NetOps came over and confiscated his machine.
He was lucky he zealously backed up all of his files regularly to DVDs; if it had been to a hard drive, they'd have taken that for inspection, too.
In addition to the points above, do not browse the internet with the Administrator, root, or admin accounts. Do not use these accounts for day-to-day work.
Under OSX, the admin account(s) have the privilege of writing to the root directory (which is unusual, even though sticky-bit protected). With the growing number of UNIX-functions assimilated into non-standard Apple software (/etc/passwd, /etc/inetd.conf [launchd], etc.), the security of the admin user should not be trusted or used unwisely.
Under Windows, create restricted users that do not have the power to install software and use those for day-to-day work (even a "power" user is too much). Use "Run-As" to elevate privilege when necessary. If you have a piece of suspected malware, run it as a restricted user or on a throwaway machine.
Windows (and I mean the VMS-derived NT family) actually has the more flexible and powerful security environment, and it is quite good when used properly. It is a shame that the OS is shipped with all security disabled.
Seriously, I just can't stop hating that movie. 15 minutes into the movie I considered getting up, walking to the nearest train station, catch a train to France (I live in continental Europe), and skin Uderzo and Goscinny alive for allowing that story to see the light of day.
I considered strangling them, but peeling the skin off of their arms and forcing them to eat it seemed so much closer to just. And I'm usually a pacifist...
Then again, their last album should have been a warning.
Taking this further and further off-topic: I miss the old days...
Tiger's Darwin subsystem is based on FBSD 5.0. See:
http://developer.apple.com/opensource/index.html
After all, I am strangely colored.
Other than "eating their own dog food" does any major ( > 500 employees) run Mac Servers as their primary web presence? I think the "real" web server market is pretty well locked up by LINUX (not Apple OS X) and Windows. The reason Linux servers (as well as Windows Servers) don't get hacked is that most or the large "juicy targets" are run by professionals and protected by administered firewalls and other technology. These servers have the patches applied and logs are monitored.
The Root My Mac mini event you mention was a fraud and was demonstrated to be so at the time. The hacker was given on account on the machine. While it was pitched and reported as being a "remote exploit" the "hacker" was given SSH access to the machine so that what he really did was have full run of a local machine.
So, come on. While there may be some great examples of OS X vulnerabilities, this is not one.
The above post was +1 informative, because it actually told the truth. And then guess what, it's moderated 'overrated'. WTF? Fuck off, iInsecurefanboys.
The day I decided that Linux wasn't for me was the day I went to #Linux and asked for the name of a good distro a n00b could run without pulling out his hair.
That's like deciding not to shop at a particular grocery store because you went there the day the customers were all smarmy sophisticates who looked down their nose at you when they saw what you were putting in your cart. If the selection of goods relative to your needs is sub-par and the aisles are full of rat droppings, that's one thing, but what you're doing is pretty far removed from the realm of objectivity.
It's easy to make snap judgments about anything, particularly anything affiliated with a community, based on a single experience that happens to reinforce a stereotype. That doesn't mean it's a fair judgment or an informed judgment. By your reasoning, any of the following assumptions could be true, simply based on encounters that I myself have had which seem to confirm the common wisdom notion of "those people are like that":
-Windows users are corporate shills. Therefore Windows is not for me.
-Mac users are smug assholes incapable of dealing with objective criticism of their platform. As such, I will never own a Mac.
-Linux users are post-script kiddies "working" out of their parents' basement after flunking out of college. Subsequently, I can never use Linux.
-People who code in Perl don't give a damn about producing readable code. Perl will not be a good solution for anything I do, ever.
-Web designers who use Flash don't give a damn about standards, let alone understand them. Flash is a bad solution for everything all of the time.
I've paid witness to many incidents, conversations, and even altercations which suggest the above points, but I've also seen plenty of evidence to the contrary. Similarly, I could say you're prone to making a big deal out of first impressions and allowing them to severely color your general perception of others, but OTOH, you might be an intelligent fellow who does all sorts of great things with his time and throws terrific parties. I'd never know of it because the one thing close to an interaction that I've had with you was reading a comment that didn't come off as particularly well reasoned. If I knew any more about you, I might decide that, say, the car you drive isn't for me, or that any particularly ideology you embrace isn't worthwhile, but that wouldn't be fair, even if I posted-scripted the second-guessing of said generalized observation in a downright snotty fashion.
"based on" is never "is", based on implies changes to varying degrees.
Also, I thought earlier versions of OS X, at some point prior to X.4, they still had a microkernel. I know threads were actually added to the Kernel in X.4.
Having used both, I know OS X is not the same as FreeBSD. I much prefer the FreeBSD system to be honest, but that's just my not-so-humble opinion.
What part of FreeBSD did Apple use I wonder? I thought userland was still pretty generic across BSD with only minor changes, the filesystem structure resembles that of FreeBSD less than Linux's, and as I said, FreeBSD never used Mach or any other microkernel to my knowledge.
It seems to me it's more of a sibling than a child.
Connection too slow for X forwarding? Try "ssh -CX user@host"
This does not seem to apply to the kernel, however. Apple's kernel programmer documentation (which claims to have been updated on 2006-11-07) says:
"Darwin is based on proven technology from many sources. A large portion of this technology is derived from FreeBSD, a version of 4.4BSD that offers advanced networking, performance, security, and compatibility features. Other parts of the system software, such as Mach, are based on technology previously used in Apple's MkLinux project, in Mac OS X Server, and in technology acquired from NeXT. Much of the code is platform-independent. All of the core operating-system code is available in source form."
Link here:
http://developer.apple.com/documentation/Darwin/Conceptual/KernelProgramming/index.html
If this document is wrong, then Apple are to blame for that, not me.
I'm not going to change your sheets again, Mr. Hastings.
"Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"
I'd propose that it makes no difference in the long run. All OSes (or apps in general) have bugs and vulnerabilities. Security-wise, your job is to accept the fact, manage the risk, and make sure it doesn't get out of hand. Dealing with 500 Windows boxen vs. 500 Linux boxen vs. 500 Macs just changes what you need to watch for. You're still sitting on 500 targets, and if the information on those targets is attractive enough, the OS you're running won't matter. You'll still get slammed.
This reads to me that Apple hasn't fixed flaws found in November. As a reminder, the month isn't over yet; bugs can't be fixed instantly. The first impression is somebody whining "we found it, is it fixed yet why isn't it fixed yet we told you about it a whole week ago what's taking so long is it done yet?"
That's just my impression.
Fixes take time and testing; would you prefer that a half-assed fix be put in place?
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
What? This has nothing to do with windows. All this tells us is that OSX has 31 fewer vulnerabilities than it did yesterday.
In Soviet Russia, backwards is everything.
"...for security, you have already lost the battle. Staying (relatively) secure involves a few simple steps that most people still won't listen to:
1. Run a firewall and only open what you need to be opened
2. Most importantly: DON'T CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazing how many Windows users get infected like that
Those obviously won't protect against 100% of threats, but very few things in life are guaranteed."
Emphasis is mine, where I find it unbelievable people think that this is "advice". The way the modern computer operating system HMI works is "users click on things". Windows and MacOS are designed to present the user with an interface to click on things. What in the world kind of advice is it to say "don't click on stuff!"??
Browsing files is normal operation. Browsing web pages is normal user activity. Looking at email is a normal user activity. Clicking on objects presented by the shell is a normal user activity. All of these activities are things users do normally and yet are "dangerous by default" in some systems and require a high level of diligence or more (sometimes expensive) software to handle. Stating stuff like "don't click on bad stuff" shifts the blame away from the vendor and onto the user. I'm not saying the user isn't at fault, but let's not forget the vendor here, since they are equally culpable.
How about this instead: your computer shouldn't self-destruct doing normal user activities. If your computer does self-destruct doing normal user activities then it is a bug. Bugs happen in any complex piece of software. What isn't excusable is when the vendor refuses to address the issue. The vendor should fix the flaw. And before you ask, no amount of confirmation dialogs counts as a fix. No amount of "blame the user" is sufficient either.
More specifically: the operating system should handle browsing files without destroying itself. The operating system should be able to handle browsing to web pages without destroying itself. Your operating system should handle looking at email without destroying itself. Your operating system should handle "clicking on stupid stuff" without destroying itself. If the operating system can't handle these nominal activities with a high degree of confidence then it needs to be redesigned and engineered to do so. This is not an issue with "users being stupid" but a flaw in the design and engineering.
Barring things like "wear", most people would consider a machine that breaks from normal usage as "flawed". But all too often in operating systems, when the machine breaks down when the user performs a normal activity, it isn't the system's fault but the user's. How in the world did we get to this state where the responsibility for function is not on the system designer but on the users??
I do get what you mean in that there should be some "common sense", but on the other hand let's not let the vendors off the hook because of a lack thereof. The user should have some common sense **and** the vendor should provide a system that is robust, just in case the user's judgement slips.
I love this idea of the "vector for mass-propagation".
A good friend of mine went through the Masters of Public Health program at our local university a few years ago. The one big thing that I learned from him is that the severity of a disease on a population is a function of a lot of factors added together. No one factor can be held up as the most important. The bird flu is very deadly, but is very difficult to catch from another person (so far-- knock on wood). The regular, run-of-the-mill flu will kill more people this year than the bird flu ever has. Why? It spreads easily.
What's the difference between the bacteria in yogurt and the bacteria in uncooked meat? Why does my body care? Why am I confident that neither one will make me sick (as long as I'm cooking for myself)? No two bugs/exploits are alike.
The devil is in the details, and with computer exploits and viruses it seems very similar. The idea of "disease vectors" applied to OSes and software seems so appropriate.
"Also, I thought earlier versions of OS X, at some point prior to X.4, they still had a microkernel."
It never had a microkernel. The confusion about the OS X kernel comes from that fact that it incorporates elements from Mach 3, which was a microkernel. Apple did not however ever use it as a true microkernel AFAIK, but linked in a whole bunch of other stuff which operates in the same address space, thereby ending up with a sort of hybrid that combines various aspects of both microkernels and monolithic kernels.
"Having used both, I know OS X is not the same as FreeBSD, I much prefer the FreeBSD system to be honest, but that's just my not-so-humble opinion."
FreeBSD does have some advantages, but IMO Apple are to be lauded for putting an OS with sound UNIX underpinnings onto millions of desktops in a fairly short period of time.
"What part of FreeBSD did Apple use I wonder? "
This list of kernel differences is lifted from Apple's own developer docs:
"Although the BSD portion of Mac OS X is primarily derived from FreeBSD, some changes have been made:
- The sbrk() system call for memory management is deprecated. Its use is not recommended in Mac OS X.
- The Mac OS X runtime model uses a different object file format for executables and shared objects, and a different mechanism for executing some of those executables.
- The primary native format is Mach-O. This format is supported by the dynamic link editor (dyld).
- The PEF binary file format is supported by the Code Fragment Manager (CFM).
- The kernel supports execve() with Mach-O binaries. Mapping and management of Mach-O dynamic shared libraries, as well as launching of PEF-based applications, are performed by user-space code.
- Mac OS X does not support memory-mapped devices through the mmap() function. (Graphic device support and other subsystems provide similar functionality, but using different APIs.) In Mac OS X, this interface should be done through user clients. See the Apple I/O Kit documents for additional information.
- The swapon() call is not supported; macx_swapon() is the equivalent call from the Mach pager.
- The Unified Buffer Cache implementation in Mac OS X differs from that found in FreeBSD.
- Mach provides a number of IPC primitives that are not traditionally found in UNIX. See "Boundary Crossings" for more information on Mach IPC. Some System V primitives are supported, but their use is discouraged in favor of POSIX equivalents.
- Several changes have been made to the BSD security model to support single-user and multiple-administrator configurations, including the ability to disable ownership and permissions on a volume-by-volume basis.
- The locking mechanism used throughout the kernel differs substantially from the mechanism used in FreeBSD.
- The kernel extension mechanism used by Mac OS X is completely different. The Mac OS X driver layer, the I/O Kit, is an object-oriented driver stack written in C++. The general kernel programming interfaces, or KPIs, are used to write non-driver kernel extensions. These mechanisms are described more in "I/O Kit Overview" and KPI Reference, respectively.
In addition, several new features have been added that are specific to the Mac OS X (Darwin) implementation of BSD. These features are not found in FreeBSD.
- enhancements to file-system buffer cache and file I/O clustering
- adaptive and speculative read ahead
- user-process controlled read ahead
- time aging of the file-system buffer cache
- enhancements to file-system support
- implementation of Apple extensions for ISO-9660 file systems
- multithreaded asynchronous I/O for NFS
- addition of system calls to support semantics of Mac OS Extended (HFS+) file systems
- additions to naming conventions for pathnames, as required for accessing multiple forks in Mac OS Extended file systems"
"I thought userland was still pretty generic across BSD with only minor changes"
The main change that has any impact is the use of MACH-
I'm not going to change your sheets again, Mr. Hastings.
Personally I interpret the article summary as anti-Apple FUD. Everyone has security problems, and everyone can do better. I'm not - at all - trying to say that Apple shouldn't be better. They should. But there are two huge problems that make Windows worlds worse than anything else, and will continue to do so until they're actually fixed... Until then, comparing Windows to OS X in desktop* security is merely FUD.
I. ActiveX. ActiveX is DESIGNED to give a web server full control over your machine. With Flash or Java, even if they're enabled a website can only do stuff if they also exploit a - very rare - flaw in your Virtual Machine. In ActiveX, if you let that control run it can basically do anything. They have some checks to try to block the probably-worst applets, but in the end it runs the code unprotected. Until ActiveX is limited to a VM, it should be totally disabled.
I'd personally guess that this alone accounts for more regular attacks than everything-else-put-together. Don't use ActiveX. And if you're not using ActiveX, there's little reason to use IE...
II. Administrator use is chronic. Basically nobody runs OSX in root or sudo-d mode. LOTS of people run Windows routinely in Administrator mode, for a few main reasons: 1) Lots of software only runs that way, and switching is a pain. NO user app should need to be root to run. 2) LOTS of software is very hard to install so a nonAdmin can use it properly, for starters because it only works on the account it was installed into.
I will completely admit that if all the ISVs behaved perfectly 1 & 2 wouldn't be a problem - but it is VERY plausible for Microsoft to exert enough control to make this better for the vast majority of users. Also, I don't believe all these ISVs do it just to be stupid - my guess is that the structure of Windows makes it MUCH easier to do it that way.
3) Lots of software that shouldn't even need admin privs to install does, for no good reason. (I presume because of the way DLLs and the registry work they need to modify system folders even if they're only going to run as a local user - but that's definitely a Windows problem that it's structured that way.) And once you give those pieces of software admin privs, they can do anything - like installing themselves as System so you can't kill them even WITH admin privs. All software should be installable with the MINIMUM possible privs. (Obviously system software or a virus checker needs admin privs.)
There are plenty of smaller reasons to be unhappy with Windows security, and I'm not trying to say I love their track record. I didn't address at all the fact that it comes out of the box extremely remote exploitable, (average of ~20 minutes for an unpatched box to be exploited on the internet - and several hours to download the patches!) But those are problems other OSes at least sometimes have and you can make reasonable comparisons. Until the two above are fixed, you shouldn't even COMPARE Windows desktop* security to OS X or Linux.
*Note that I said desktop. While there are some problems, neither of the above super-problems is a server problem. In fact, if you have to choose a server OS, you should probably choose based on what your admin is experienced in - better to have a well administered box than ANY badly admined box.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
"""Most of the OSX people that I know do not even run antivirus....."""
Why are smallpox vaccines not given out en masse the way they once were?
Two reasons, one is that smallpox is not an issue for the vast majority of people.
The second is that the vaccine causes more damage over the years and has more side effects than smallpox causes in the same timeframe without vaccinations (particularly throwing into account the question of whether the vaccine would even still work if there were an outbreak today).
Antivirus programs are the same way. In the windows world, the risk of damage from the antivirus program is relatively small compared to the risk of a virus. In the mac world, there have been demonstrated problems with the antivirus programs that are available causing all sorts of nastiness, data loss, and slowdowns on people's systems to a much greater degree and number than has happened by people actually being hit by viruses (or who are likely to be hit by viruses, worms, or trojans in the foreseeable future). This becomes particularly true with the features being added in 10.5.
Why run antivirus when the odds of it doing harm are more likely than the odds of it doing good?
Integrate Keynote and LaTeX
That quote doesn't really deny my claim. FreeBSD branched from 4.4BSD, and that's all the quote seems to say.
After all, I am strangely colored.
Excellent point. Suppose your network is 99% secure. That means nearly four days a year all your boxen could be owned by them. Alternatively, 1% of your boxen at any given time are owned by them and you don't even know it. The phrase "nothing is 100% secure" should be abandoned. It says nothing useful whilst attempting to intimidate those who disagree. If you provide a retainer, I'll be glad to come to your organization and uncover a few reasons that you could use to justify firing yourself. Preferably, you would learn these things before your manager learns them in the aftermath of your first experience of being 0wn3d.
If you mod me down, I shall become more powerful than you could possibly imagine.
I don't normally reply to my own posts, but I thought it might be interesting to note that apparently Apple pulled the mention of this feature from their Website. I don't know if that means it is not going to be in Leopard or if they're just keeping it all secret.
You're right, they could be. Snort doesn't seem to think so. The AV software doesn't seem to think so. The users whose computers are working fine don't seem to think so. But yeah, you're right... they could be pwnt right now. Hell, right now I'm reading Slashdot with IE... you could be owning my box at this very moment.
"If you provide a retainer, I'll be glad to come to your organization and uncover a few reasons that you could use to justify firing yourself. Preferably, you would learn these things before your manager learns them in the aftermath of your first experience of being 0wn3d."
Okay. Then after that, how about you give me the keys to your house, and I'll let you have your first experience with being robbed? =) And on the way out, I'll stop by your garage and borrow your car... don't worry about the keys for that one, I'll make it work.
If you mod me down, I shall become more powerful than you could possibly imagine.
Until ActiveX is limited to a VM, it should be totally disabled.
Your problems should be solved in Vista: IE7 Security in Brief. From the blog post:
In IE7, we built a containment wall around IE by running it in Protected Mode. In this mode, IE can browse the web but cannot install software (good or bad) or change settings on the user's computer without explicit user consent. Because the foundation work to make this possible is in Windows Vista, this feature is not available on the XP version of IE7.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Not at all. All I'm implying is that me inviting you into my network to do an audit is sort of like me auditing your home security by asking you for the keys to your house.
It's really not that big an impact. A product like ZoneAlarm (a windows product) produces exactly the situation where outbound connections require user approval... but the user has the option to approve them permanently, i.e. "ALWAYS let MyNiftyEmailClient open connections on port 25". About ten approvals after installation of zonealarm, you never get bugged again, until some virus tries to do something nasty, at which point you're REALLY HAPPY you have this information coming your way.
- First they ignore you, then they laugh at you, then ???, then profit.
Macs can and do have problems, like all computers -- no argument here. But these problems do *not* include worms or virus infections. I have been working as a Mac tech professionally for about five years now, and I have *never*, and I repeat *never*, seen a Mac infected with any virus other than an MS Office macro virus.
Not the same. He asked for clearance to attempt to violate your network; you asked for access to his house (key). One implies that if you're competent you're safe, the other says "let me in" with no relevance to competency at all.
I remember when that happened; it was widely ridiculed as a meaningless stunt. It wasn't the sort of hack you could just apply to any Mac that's sitting on the Internet, it was more of a privilege escalation challenge that you could apply to a machine that you already had a user account on. So either you'd need to have an account on the machine, or you'd need to have some sort of phishing/bruteforce/social-engineering attack to get a user's password. The take-home lesson was "don't give user accounts to people you really don't trust, duh." It was not a true remote-root or zombification.
I also remember after the press release about 'Hack My Mac Mini,' some fairly high-profile Mac sysadmin (for some uni, IIRC he posts here on Slashdot) announced a challenge in response under more typical circumstances where the machine was exposed to the internet and was running typical services. I never heard about it again, which makes me suspect it wasn't hacked. (If anyone knows what happened to that, I'd love to know.)
Not that the plural of anecdote is data, but I have had a Mac OS X machine sitting with a few ports (usually only 22 for sshd but sometimes also 80 for apache and 25 for postfix) exposed to the Internet for years, and the only thing I've ever had happen to it is that it gets regular bruteforce attempts via SSH. If OS X were as insecure as the '30 minute' claims would have you believe, surely I'd have been thoroughly pwned by now. (In the same amount of time, I've had several Windows machines without any exposed services turn into spam zombies by virtue of IE's ActiveX controls.)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It says nothing about what FreeBSD branched from, but what Darwin branched from (Apple have no control over, or influence on, FreeBSD). The Apple document you cite is a piece of marketing bumph that does not say which parts of Tiger are derived from BSD 5, so it could be just a couple of userland utilities, or a much larger portion -- there's no way of knowing. This technical document on the other hand _specifically_ claims that the kernel is derived from 4.4, and other technical documents say the same about the networking stack and various other bits of core OS X technologies, so unless Apple have neglected to update their documentation for Tiger (doubtful when one considers that other parts have already been updated for Leopard, which isn't out yet), then it would indeed seem to deny your claim.
NB: most Slashdotters give more weight to technical documentation written by the people who are doing the actual programming than advertising material put together by marketers who know little if anything about the technology they're trying to sell.
I'm not going to change your sheets again, Mr. Hastings.
"Macs can and do have problems, like all computers -- no argument here. But these problems do *not* include worms or virus infections."
I agree. I was actually making fun of those who pretend that there are no security differences between OSes.
Read the EFF's Fair Use FAQ
Sheesh.
I've been writing C code for almost 25 years now. Including device drivers for OS X.
Did you have your sense of humor shot off in the war?
Clear, Dark Skies
You're right. I should have said, "Gimme your address and I'll let you have mine." And then, "I bet it takes me less time to audit your home security than it takes you to audit my network security."
"4.4BSD" is not the same as "FreeBSD 4.4". "4.4BSD", specifically "4.4BSD-Lite", was the last Berkeley Software Distribution release of the OS, after the ATT v. UC-Berkeley case was decided, where the last of the ATT-copyrighted code was excised and rewritten. FreeBSD and NetBSD (as well as BSDi, I believe) used 4.4BSD-Lite as the starting point for their development. NeXT also used BSD (originally earlier iterations in the 4BSD line - 4.2BSD, I think) as its starting point, and was the codebase which the first versions of MacOS X used, though OS X has used developments (mostly in userspace, to my understanding) from both FreeBSD and NetBSD to incorporate into Darwin, and by proxy, OS X.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Off topic, but...
The primary reason AI is seen as unsuccessful is because as soon as some aspect of the problem has been solved and the code works, we rename it to something else: speech synthesis, speech recognition, character recognition, motion capture, genetic algorithms, neural nets, edge finding, adaptive control systems, fuzzy logic, etc., etc.
AI research has been very successful, in general, but in specific it has about as much chance of being recognized as successful as a nuclear power plant has of completing construction under the same regulatory environment it was designed in, or a four-year lame-duck president seeing his "five year plan" followed through to completion.
-- Terry
I've been using a _client_ Mac OS X box as my personal website server for several years now, port 80 for Apache. I have basically the same results: lots of brute force attempts, no successes.
As demon said in a previous reply, 4.4BSD is not the same thing as FreeBSD. 4.4BSD was the last Berkeley-produced BSD distro. FreeBSD branched from it. Here is the quote again:
Emphasis and link mine. Your quote says that OS X uses FreeBSD technologies, and explains that FreeBSD is a 4.4BSD fork. It says nothing about which version of FreeBSD is used in Darwin. Therefore, the quote does not deny my claim.
I will, however, grant that the quote I provided is not particularly informative. But it does explicitly say that FreeBSD 5.0 is in use, unlike your quote, which is completely irrelevant to the issue at hand.
N.B. I'm getting really sick of people with poor reading comprehension. Especially when they don't know what they're talking about. Condescension under such circumstances is particularly irksome.
After all, I am strangely colored.
"As demon said in a previous reply, 4.4BSD is not the same thing as FreeBSD."
Demon was correct, and I was wrong.
"Therefore, the quote does not deny my claim."
Indeed it does not. Please accept my apologies.
I'm not going to change your sheets again, Mr. Hastings.
Of course. Please accept mine for my rudeness at the end of my last post.
After all, I am strangely colored.
According to your post:
IE7 Protected Mode lets you browse without installing any controls. Which is great. Somewhat better than just turning ActiveX off entirely in an earlier version of IE.
But that does NOT fix the problem. Because with it off things won't work, and it's not going to ship off by default because people will then think it's "broken." Microsoft created the problem with ActiveX security. They can only fix the problem in two ways:
1. Force ActiveX into a tight, tight virtual machine. Which will be a real pain, and the occasional applet will still fail.
2. Turn ActiveX off by default and do it to SO MANY machines that people are forced to replace it on their websites with something else.
(Note, for the purposes of this discussion, it doesn't matter if "something else" is "ActiveX2.0" - as long as THAT _IS_ in a sandbox. Or it can be Flash or Java or Javascript - all of which have potential flaws but all of which are not wide open.)
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot