The biggest problem is that everyone seems to think that changing the OSes was possible. It was not-- this was volunteer work for volunteers who needed laptop security, not a corporate scenario where we could swap everything out on a whim just because Apple took years to get IPsec support and full disk encryption.
The oldest machines that will run Lion have Core 2 Duos - so pretty much any Intel Mac released, with the exception of some of the very earliest ones that have Core Solo and Core Duo chips.
Aside from how irrelevant it was (limited time frame for work and training doesnt lend itself to an OS upgrade), there were several PowerPC macs which could not run Lion.
This really is amusing / alarming / disquieting-- apparently there are IT folks out there who think that "just upgrade the OS and / or machine" is a suitable rebuttal to "your 5 year old OS doesnt have consistent IPsec support". Quiz of the day, if this was volunteer work for volunteers, what makes you think theres a budget for buying 20 or so new macbooks? Especially when we could have spent 40% of the cost and just gotten them core i3 Windows PCs and had a ready to go solution that was homogenous with the rest of the platforms (Linux, Windows)-- supporting PGP, Cisco client, and Truecrypt?
Is this enforced software and training diversity with a 250% markup somehow supposed to contribute to the whole Mac experience?
I should have clarified-- the single Linux system was a PITA because it was one off, and because we couldnt plan for it in advance, not because it was terribly difficult to secure. I just had to secure another one, and the biggest pain about it was having to reinstall the system to get the full disk encryption into place; everything else was pretty quick and easy.
Simulate a disk failure by changing two bytes randomly, one in the registry blob, the other on the disk where/etc lives.
On windows you now can not boot even into safe mode to fix it. You must now lay hands upon the system physically. If it's a coloed server, enjoy your flight!
I wasnt aware *nix systems could boot with a corrupted fstab or grub.conf. Silly me.
And it seems to me if it was colo'd youd be using KVM-over-IP or similar, if not running on ESX.
Mac OS X has built-in encryption (called File Vault), built-in VPN (managed in the network control panel), and one-click VPN configuration files for your users to click on.
Not to absolutely beat this to death, but whole disk encryption and IPsec vpn are NOT supported in 10.5, and only the IPsec support was added in 10.6.
First, you should have standardized the machines and OSs.
Not possible. These were not our machines, and we were volunteers.
On VPNs, you sent everyone to use Cisco VPN by default. This is what Windows users do, this is what you do Macs. You don't futz with multiple solutions for no reason.
As stated, OSX Lion did not support the Cisco client, and OSX Leopard required it (no IPsec support). Set the two solutions up we did, but it added extra complexity to training the users. We couldnt just say "make sure you have a lock symbol by the clock", since for half the systems it would not be there. It also complicates auditing, etc.
Filevault has been around in OS X since 10.3. and in 10.7 supported full disk encryption.
But it did not support it in 10.5, or 10.6, which made up the vast majority of our userbase. Im not terribly impressed that theyre just adding this, and that until the majority of our userbase is on 10.7 we cannot use it either.
I'd bet money you had problems because you clearly don't know what you were doing on the macs, because anything you listed would not have been a problem to a knowledgeable mac admin a year ago.
Fair enough; I would be greatful if you could kindly inform me how to script disabling Sleep mode, turning off all forms of network sharing, remote access, bonjour, etc, and enabling the firewall.
Most machines on Leopard arent gonna support Lion. Good luck convincing users that its a good thing that they need to purchase a new, $1000 macbook to run Lion.
Its super clever of you to imply that all I know is Windows; obviously its not possible for someone to have expertise in both *nix and Windows, without being enamored of OSX's failings.
We supported XP vanilla through Win7 x64. We automated things with WPIW, and it wasnt really an issue at all. Updates were a breeze to do (admittedly they were on OSX as well, though hillariously enough they took longer on OSX).
So yes, for the record, we supported 10 years of Windows OSes with less trouble than 5 years of Mac OSes.
Oh and btw Lion was brand new last summer. Its wonderful that FDE finally makes it onto the scene 10 days before our work but thats not exactly impressive and doesnt really answer the question of securing the other 95% of our mac computers-- unless we should have yet another difference between the platforms?
Wait, its someone elses issue that 10.5 OSX doesnt support a bog standard IPSEC connection? What world do you live in?
That full disk encryption is for Lion, which was a whopping 5% of our Mac userbase. Call me when theres a solution for Leopard or Snow Leopard. And the idea that we should implement different solutions for our different platforms is absolutely absurd, and demonstrates the issue I was talking about.
I dont remember the full details on the certificate, the import went fine on the newer OSes but not on older. I believe it was a trusted root cert that we were trying to import to the system store, and it the commands simply werent fully implemented on the older OSX (10.4,10.5?)-- I might be misremembering.
The defaults command is documented; but that site is incomplete. For example, how would i disable sleep mode with defaults? That particular setting doesnt seem to be documented, and is a pretty big security hazard if you are using any kind of encrypted containers. Or how would i disable network sharing? How would we completely lock the firewall down? Those do not seem to be supported.
You can call it ignorance, but it isnt terribly impressive when your example of "well documented" is a third party site that DOESNT document the things we need to do. Why no apple.com link?
We didnt want home folder encryption, we wanted whole disk encryption. Theres a gigantic security difference, especially when it comes to stuff like temporary log files and paging files.
And yes, the registry is less arcane than plist files, because the registry is fully documented. Google "how to change wallpaper registry" for example, see how many zillion hits you get. I did look at automator, and hours of documentation, and it wasnt sufficient for what we needed to do.
What really sucks is that there doesnt seem to be an equivalent to something like AutoIt for automating GUI interaction. There are some built in apps, but they seem to have spotty support and dont really give full GUI control. Thats the thing that REALLY got on my nerves-- with AutoIT, I can literally automate any task, with enough patience. With OSX, thats just not true.
I wasnt aware that bog-standard *nix had an/Applications directory, or that it pushed "defaults" as "THE" way to automate system preference changes.
As parent said, a lot of those assumptions go straight out the window with OSX. Last I checked, neither Linux nor BSD supported booting off of HFS+ out of the box.
Ive used various linux systems for the past 6 or so years, rolled my own live cd (buntu based, but with a bunch of boot script tweaks, and stuff ripped from various one-off distros), supported solaris servers, supported BSD systems (pfsense, freebsd)-- and I DONT just mean the web-GUIs, etc etc. A lot of the stuff I have done has tended to be outside the box (or webGUI), so I have a pretty decent experience with the CLI.
I wouldnt call myself expert, and there are a good many commands I dont know, but generally if I come across a problem I can find a solution. I did manage to work out a semi-working automation script for OSX, but there were several things that just couldnt be done (in contrast with the linux boxes Ive dealt with, where it could). Im not really sure what you want in the way of proof, im sure you wouldnt find whatever I offered satisfactory (so Im not sure why you asked).
And really, whether im an expert or not doesnt address the woeful VPN and encryption support on OSX. Glad to hear they have better support in 10.7, not impressed that the cisco client isnt working, and definately not impressed that Truecrypt doesnt work from boot. Dont really care whose fault it is, either.
Wow rampant ignorance and/or misrepresentation of sources gets modded up on slashdot, who would have thought.
The article youre referencing doesnt mention once anyone getting killed, tried, arrested, detained, or targetted for saying ANYTHING about the president.
It DOES discuss whether the president can target people, in this case overseas (and cooperating with foreign beligerents), who also happen to be citizens. Which might be an interesting discussion to have, except it has absolutely nothing to do with first amendment issues or free speech or lack thereof, which is what we were discussing.
Let me share my experience with OSX and "how great" it is.
Last summer, as part of some volunteer work I was doing, I was tasked with locking down about 100 user laptops. About 60-70 were Windows based, 1 was Linux, the rest were Apple.
The tasks were to set up full disk encryption (or as close as possible with the host OS), some kind of email encryption, set up the mail client, set up a Cisco (or equivalent) vpn client, and make sure the computers were generally up to snuff (updates and whatnot).
The Windows machines took maybe 3-4 hours each, if that. I spent the better part of a day and hashed together a program that automated 90% of the work, including the installation of many of the programs (through AutoIT scripting), which made most of the process hands-off. There were about a bazillion options for automation, forcing updates, scripted certificate installation, etc. We could have used a WSUS server, if we had desired (though we did not). The various OSes (XP, Vista 32/64, 7 32/64) basically worked the same; though there were some "if {os}=" clauses that had to be used, it was mostly for picking the proper executable (32bit Cisco vpn vs 64 bit).
The Linux machine was of course a PITA, since we did not know ahead of time we would be dealing with it.
Then there were the OSX computers. They were a gigantic PITA. How? Let me list the ways:
VPN support was completely inconsistent. There were no options for 10.4; 10.5 had no built in client, but could use Cisco VPN; 10.6 had a built in client and could use the Cisco client; and 10.7 had built in client but could NOT use the cisco client (due to awful 32-bit compatibility). Great, that really simplifies support and training.
There is (was) no support for full disk encryption. Truecrypt simply cannot handle that on OSX, and I am not aware of a native solution; we had to use an encrypted container and do a bunch of work to symlink profiles into that container.
The new 10.7 introduced "launch on startup" preferences, which means that most of the 10.7 machines we worked on were dog slow-- generally worse or on par with the XP and Vista machines.
Importing Certificates gave us issues for some reason. I believe its because of the spotty implementation of whatever the commands were-- I believe some of the commands worked on 10.6, fewer on 10.5, and basically none on 10.4.
And generally, most of the things we wanted to do simply couldnt be automated from command line-- system preferences and whatnot. I know there is a command to alter them ("defaults" i think) but there were several things that we had to lock down which it simply couldnt handle, or which required you to know an arcane and completely undocumented path to a preference file. On windows of course, you can google "registry entry for X" and have a well documented article on MSDN and support.microsoft.com
And there were various other quirks which branded OSX in my mind as "decent, with a decent CLI, but vastly overrated"; but the big issues were that the system really wasnt designed to be administered quickly in batches, and the documentation was very often less than stellar. For all the flak Windows gets for its registry, at least every bit of it is documented, and you can find articles out the wazoo about how to automate X on windows.
People talking about the new wave of OSX boxes on corporate networks are either bad admins, way more clever at this kind of thing than I am, or ignorant reporters. It might be a different story if there were a capability (on both the Windows Server, and the OSX client side) to launch logon scripts, and if those scripts could install printers and map network paths; call me when that happens.
I imagine it would also matter whether a financial transaction took place. Not being terribly versed with how MegaUpload works, do you have to pay to host files? If not, wouldnt that make it a "no contract, no guarentees" sort of situation?
I mean, as people like to point out, theyre only making a copy of your data (not theft!), so I imagine the law would treat it differently unless there was a contract that guaranteed availability.
One would expect a rational response to the ideas presented in a post on slashdot, but I guess not if they have decided to fall back on ridicule and grammar nazism.
So I ask for evidence that authorities have used "badmouthing the president" as a basis for a court case, and you respond with some completely off topic incident.
Im a little lost here, what were you trying to prove? That UK citizens have an irrevocable right to enter the US, protocol be damned?
At first it was just anti-immigrant propaganda, you know, kinda like how people are blaming all of America's ills on illegal immigrants lately?
Pretty sure we're not blaming anything on any kind of Muslim immigration problem, and I havent heard anyone (at least in the DC metro area) blaming lack of skilled jobs on hispanic immigrants.
That said, that doesnt mean that Im pro-amnesty either. It IS possible to believe that illegal immigration is A problem without thinking it is THE problem.
If I recall, a good part of the founding of our country was because it was believed that the laws werent actually being followed by the British government, our rights were being violated, and that that was a just provocation for us to sever ties.
We may not be throwing them in camps and forced to work, but we have no problem shipping them off to Gitmo and holding them as long as we want without trial...
We're not "shipping them off to Gitmo", these arent folks who were grabbed off of the streets of Everytown, KS. Unless my memory is faulty, basically every one of them were captured overseas as "enemy combatants" in what is basically a war zone.
So points taken about slippery slopes and all the rest, but things are not what youre making them out to be.
When someone says "zeig heil, der DHS", its not the witty political commentary you seem to think it is. Its someone who would, if you engaged them, declare that we are right now as bad as nazi germany and that we have our own gestapo that will detain you for badmouthing the president.
Seriously, this is what people actually think, and it really does drag the whole conversation into a gutter. Calling the US the equivalent of Nazi Germany isnt a warning, its either ignorant or a troll.
The biggest problem is that everyone seems to think that changing the OSes was possible. It was not-- this was volunteer work for volunteers who needed laptop security, not a corporate scenario where we could swap everything out on a whim just because Apple took years to get IPsec support and full disk encryption.
The oldest machines that will run Lion have Core 2 Duos - so pretty much any Intel Mac released, with the exception of some of the very earliest ones that have Core Solo and Core Duo chips.
Aside from how irrelevant it was (limited time frame for work and training doesnt lend itself to an OS upgrade), there were several PowerPC macs which could not run Lion.
This really is amusing / alarming / disquieting-- apparently there are IT folks out there who think that "just upgrade the OS and / or machine" is a suitable rebuttal to "your 5 year old OS doesnt have consistent IPsec support". Quiz of the day, if this was volunteer work for volunteers, what makes you think theres a budget for buying 20 or so new macbooks? Especially when we could have spent 40% of the cost and just gotten them core i3 Windows PCs and had a ready to go solution that was homogenous with the rest of the platforms (Linux, Windows)-- supporting PGP, Cisco client, and Truecrypt?
Is this enforced software and training diversity with a 250% markup somehow supposed to contribute to the whole Mac experience?
I should have clarified-- the single Linux system was a PITA because it was one off, and because we couldnt plan for it in advance, not because it was terribly difficult to secure. I just had to secure another one, and the biggest pain about it was having to reinstall the system to get the full disk encryption into place; everything else was pretty quick and easy.
Simulate a disk failure by changing two bytes randomly, one in the registry blob, the other on the disk where /etc lives.
On windows you now can not boot even into safe mode to fix it.
You must now lay hands upon the system physically. If it's a coloed server, enjoy your flight!
I wasnt aware *nix systems could boot with a corrupted fstab or grub.conf. Silly me.
And it seems to me if it was colo'd youd be using KVM-over-IP or similar, if not running on ESX.
Mac OS X has built-in encryption (called File Vault), built-in VPN (managed in the network control panel), and one-click VPN configuration files for your users to click on.
Not to absolutely beat this to death, but whole disk encryption and IPsec vpn are NOT supported in 10.5, and only the IPsec support was added in 10.6.
So no, its not that simple.
First, you should have standardized the machines and OSs.
Not possible. These were not our machines, and we were volunteers.
On VPNs, you sent everyone to use Cisco VPN by default. This is what Windows users do, this is what you do Macs. You don't futz with multiple solutions for no reason.
As stated, OSX Lion did not support the Cisco client, and OSX Leopard required it (no IPsec support).
Set the two solutions up we did, but it added extra complexity to training the users. We couldnt just say "make sure you have a lock symbol by the clock", since for half the systems it would not be there. It also complicates auditing, etc.
Filevault has been around in OS X since 10.3. and in 10.7 supported full disk encryption.
But it did not support it in 10.5, or 10.6, which made up the vast majority of our userbase. Im not terribly impressed that theyre just adding this, and that until the majority of our userbase is on 10.7 we cannot use it either.
I'd bet money you had problems because you clearly don't know what you were doing on the macs, because anything you listed would not have been a problem to a knowledgeable mac admin a year ago.
Fair enough; I would be greatful if you could kindly inform me how to script disabling Sleep mode, turning off all forms of network sharing, remote access, bonjour, etc, and enabling the firewall.
Most machines on Leopard arent gonna support Lion. Good luck convincing users that its a good thing that they need to purchase a new, $1000 macbook to run Lion.
Its super clever of you to imply that all I know is Windows; obviously its not possible for someone to have expertise in both *nix and Windows, without being enamored of OSX's failings.
I blame apple for not supporting IPsec in a 5 year old OS. Should I be blaming someone else for that?
We supported XP vanilla through Win7 x64. We automated things with WPIW, and it wasnt really an issue at all. Updates were a breeze to do (admittedly they were on OSX as well, though hillariously enough they took longer on OSX).
So yes, for the record, we supported 10 years of Windows OSes with less trouble than 5 years of Mac OSes.
Oh and btw Lion was brand new last summer. Its wonderful that FDE finally makes it onto the scene 10 days before our work but thats not exactly impressive and doesnt really answer the question of securing the other 95% of our mac computers-- unless we should have yet another difference between the platforms?
Can you explain to me why the registry is worse than gconf or defaults? Thanks in advance.
Wait, its someone elses issue that 10.5 OSX doesnt support a bog standard IPSEC connection? What world do you live in?
That full disk encryption is for Lion, which was a whopping 5% of our Mac userbase. Call me when theres a solution for Leopard or Snow Leopard. And the idea that we should implement different solutions for our different platforms is absolutely absurd, and demonstrates the issue I was talking about.
I dont remember the full details on the certificate, the import went fine on the newer OSes but not on older. I believe it was a trusted root cert that we were trying to import to the system store, and it the commands simply werent fully implemented on the older OSX (10.4,10.5?)-- I might be misremembering.
The defaults command is documented; but that site is incomplete. For example, how would i disable sleep mode with defaults? That particular setting doesnt seem to be documented, and is a pretty big security hazard if you are using any kind of encrypted containers. Or how would i disable network sharing? How would we completely lock the firewall down? Those do not seem to be supported.
You can call it ignorance, but it isnt terribly impressive when your example of "well documented" is a third party site that DOESNT document the things we need to do. Why no apple.com link?
We didnt want home folder encryption, we wanted whole disk encryption. Theres a gigantic security difference, especially when it comes to stuff like temporary log files and paging files.
And yes, the registry is less arcane than plist files, because the registry is fully documented. Google "how to change wallpaper registry" for example, see how many zillion hits you get. I did look at automator, and hours of documentation, and it wasnt sufficient for what we needed to do.
What really sucks is that there doesnt seem to be an equivalent to something like AutoIt for automating GUI interaction. There are some built in apps, but they seem to have spotty support and dont really give full GUI control. Thats the thing that REALLY got on my nerves-- with AutoIT, I can literally automate any task, with enough patience. With OSX, thats just not true.
I wasnt aware that bog-standard *nix had an /Applications directory, or that it pushed "defaults" as "THE" way to automate system preference changes.
As parent said, a lot of those assumptions go straight out the window with OSX. Last I checked, neither Linux nor BSD supported booting off of HFS+ out of the box.
Ive used various linux systems for the past 6 or so years, rolled my own live cd (buntu based, but with a bunch of boot script tweaks, and stuff ripped from various one-off distros), supported solaris servers, supported BSD systems (pfsense, freebsd)-- and I DONT just mean the web-GUIs, etc etc. A lot of the stuff I have done has tended to be outside the box (or webGUI), so I have a pretty decent experience with the CLI.
I wouldnt call myself expert, and there are a good many commands I dont know, but generally if I come across a problem I can find a solution. I did manage to work out a semi-working automation script for OSX, but there were several things that just couldnt be done (in contrast with the linux boxes Ive dealt with, where it could). Im not really sure what you want in the way of proof, im sure you wouldnt find whatever I offered satisfactory (so Im not sure why you asked).
And really, whether im an expert or not doesnt address the woeful VPN and encryption support on OSX. Glad to hear they have better support in 10.7, not impressed that the cisco client isnt working, and definately not impressed that Truecrypt doesnt work from boot. Dont really care whose fault it is, either.
Wow rampant ignorance and /or misrepresentation of sources gets modded up on slashdot, who would have thought.
The article youre referencing doesnt mention once anyone getting killed, tried, arrested, detained, or targetted for saying ANYTHING about the president.
It DOES discuss whether the president can target people, in this case overseas (and cooperating with foreign beligerents), who also happen to be citizens. Which might be an interesting discussion to have, except it has absolutely nothing to do with first amendment issues or free speech or lack thereof, which is what we were discussing.
Let me share my experience with OSX and "how great" it is.
Last summer, as part of some volunteer work I was doing, I was tasked with locking down about 100 user laptops. About 60-70 were Windows based, 1 was Linux, the rest were Apple.
The tasks were to set up full disk encryption (or as close as possible with the host OS), some kind of email encryption, set up the mail client, set up a Cisco (or equivalent) vpn client, and make sure the computers were generally up to snuff (updates and whatnot).
The Windows machines took maybe 3-4 hours each, if that. I spent the better part of a day and hashed together a program that automated 90% of the work, including the installation of many of the programs (through AutoIT scripting), which made most of the process hands-off. There were about a bazillion options for automation, forcing updates, scripted certificate installation, etc. We could have used a WSUS server, if we had desired (though we did not). The various OSes (XP, Vista 32/64, 7 32/64) basically worked the same; though there were some "if {os}=" clauses that had to be used, it was mostly for picking the proper executable (32bit Cisco vpn vs 64 bit).
The Linux machine was of course a PITA, since we did not know ahead of time we would be dealing with it.
Then there were the OSX computers. They were a gigantic PITA. How? Let me list the ways:
And there were various other quirks which branded OSX in my mind as "decent, with a decent CLI, but vastly overrated"; but the big issues were that the system really wasnt designed to be administered quickly in batches, and the documentation was very often less than stellar. For all the flak Windows gets for its registry, at least every bit of it is documented, and you can find articles out the wazoo about how to automate X on windows.
People talking about the new wave of OSX boxes on corporate networks are either bad admins, way more clever at this kind of thing than I am, or ignorant reporters. It might be a different story if there were a capability (on both the Windows Server, and the OSX client side) to launch logon scripts, and if those scripts could install printers and map network paths; call me when that happens.
Turns out private events actually have rules and protocol.
I imagine it would also matter whether a financial transaction took place. Not being terribly versed with how MegaUpload works, do you have to pay to host files? If not, wouldnt that make it a "no contract, no guarentees" sort of situation?
I mean, as people like to point out, theyre only making a copy of your data (not theft!), so I imagine the law would treat it differently unless there was a contract that guaranteed availability.
One would expect a rational response to the ideas presented in a post on slashdot, but I guess not if they have decided to fall back on ridicule and grammar nazism.
So I ask for evidence that authorities have used "badmouthing the president" as a basis for a court case, and you respond with some completely off topic incident.
Im a little lost here, what were you trying to prove? That UK citizens have an irrevocable right to enter the US, protocol be damned?
At first it was just anti-immigrant propaganda, you know, kinda like how people are blaming all of America's ills on illegal immigrants lately?
Pretty sure we're not blaming anything on any kind of Muslim immigration problem, and I havent heard anyone (at least in the DC metro area) blaming lack of skilled jobs on hispanic immigrants.
That said, that doesnt mean that Im pro-amnesty either. It IS possible to believe that illegal immigration is A problem without thinking it is THE problem.
If I recall, a good part of the founding of our country was because it was believed that the laws werent actually being followed by the British government, our rights were being violated, and that that was a just provocation for us to sever ties.
These might be good for brushing up on the details:
http://en.wikipedia.org/wiki/Boston_Tea_Party
http://en.wikipedia.org/wiki/Intolerable_Acts
http://en.wikipedia.org/wiki/No_taxation_without_representation
http://en.wikipedia.org/wiki/Consent_of_the_governed
We may not be throwing them in camps and forced to work, but we have no problem shipping them off to Gitmo and holding them as long as we want without trial...
We're not "shipping them off to Gitmo", these arent folks who were grabbed off of the streets of Everytown, KS. Unless my memory is faulty, basically every one of them were captured overseas as "enemy combatants" in what is basically a war zone.
So points taken about slippery slopes and all the rest, but things are not what youre making them out to be.
When someone says "zeig heil, der DHS", its not the witty political commentary you seem to think it is. Its someone who would, if you engaged them, declare that we are right now as bad as nazi germany and that we have our own gestapo that will detain you for badmouthing the president.
Seriously, this is what people actually think, and it really does drag the whole conversation into a gutter. Calling the US the equivalent of Nazi Germany isnt a warning, its either ignorant or a troll.