PC Mag - Mac OS X Insecure

Suki writes "In this recent story a PC Mag writer concludes that "Panther and Jaguar were not better at outrunning vulnerabilities than Windows" and as my personal fav. ends by asking "How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here." The article discusses many previous Windows security holes against a recent Mac OS X security flaw."

Good points...

He raises good points (I actually read the article), but one thing that OSX will always have over current versions of Windows, however, is the fact that in OSX you don't run as root/admin by default when you start off or create new users.

Until this is fixed, the same attacks will be much more effective against Windows users just because of the rights the current user has on the box.

Re:Good points...

I could be wrong on this, but I believe home doesn't even ask you to set up a user. It just sets up Administrator as the default account, with no password. I should know for sure, but it's been 6 weeks or so since I did a Home install, but at any rate I think that's how it works.

Re:Good points...

Actually,

XP Home sets up the administrator account with a password and a local account with administrator rights without a password AND without inbound network access. (Important part there)

Re:Good points...

Well, that's a little cocky :-). Here's a story - I had a Win2k machine that I used for ICS a year or so ago. It got hacked because I hadn't installed a firewall on it.

Learning my lesson, I vaped the machine, then installed Win2k from a CD. Then I installed the ADSL modem drivers, and went to ZoneAlarm's website and installed Zone Alarm. Then I ran Windows Update, and got all the latest patches.

Finally I installed Norton Anti-Virus. It told me I had already been infected by a trojan (a different one to the one I had previously been hit by).

Basically, if you aint got all the patches on CD/HD, you can be hit quite easily during an install. It depends on the network you're using - on BT ADSL I used to get scanned all the time - I've moved to another provider, and I don't get anything like the number of attacks. My Dad is on dial-up, and he gets port-scanned about once every 30 seconds, sometimes more often.

Yes, this is 2k, not XP, but I believe it's not beyond the bounds of possibility that a similar thing could happen with XP. It's good news that MS is (thinking of) enabling the firewall by default in XP SP2 - but again, that's a service pack, that you have to download :)

And yes, you can have it downloaded, but by God, MS usually manage to make it as difficult as possible to just download the whole patch as one file that you can install later/on other PCs. Grr.

Re:Better way:

I have a router now - see, I can learn :)

Some people tell me I should set up an old PC to run Linux and configure that as a router, but they don't seem to understand that:

* That requires significant effort on my part
* My router is small (paperback book size)
* It doesn't make loads of noise and consume loads of power.
* When I occasionally get problems with my connection (about once every 2 months), whatever the problem, it's usually solved by toggling the router power switch, and takes a few seconds.

But you can't tell some people...

Re:Good points...

Actually, Power Users can do almost everything an Admin can do. They can't create Admin accounts, and they can install most programs. A nice reference table comparing accounts is at http://www.bc.edu/offices/help/meta-elements/doc/a rticles/html/SW-WinXPUserAccounts.shtml [bc.edu]

Re:Good points...

seem to remember that the OSX machine prompts for a password before making the changes though. That's a definite advantage.

Exactly, it's actually the root account and not the user account that installs the programs. Think of it as a GUI version of sudo.

Re:Good points...

"Actually to be fair, you don't run as the administrator account in XP by default."

As others have noted, yes, you do. The main user you are asked to create when you setup a machine is an admin, and that is the account that most home users use.

Re:Good points...

I don't think you stress the password thing enough - a mac administrative user can't wipe the system clean without knowing the password, while a windows admin can.

You may not think that's a big deal, but I've seen some good hacking done via console usurption -
root is installing software and gets phone call (or goes to the can - I've seen both happen). As soon as root user walks away, the guy at the terminal next to him suspends the install, adds his name to a .rhosts file or chmod's a uid/euid change program as 4755, clears the screen and resumes the install. A good uid (user ID) exploit program usually masquerades as something else and if placed in the right location, will probably never be found unless being watched for.

On the other hand, a hacked mac admin account where the password is known gives full access on macs and probably won't on UNIX unless the user was root (hacking a sudoer probably won't give you full access). Essentially, OSX relies more on passwords for security and Unix relies more on a specific user (root) for security and both have their advantages and disadvantages.

On Windows, though, an admin user is an admin user and has full permissions to do anything they want, including create more admin users or wipe the entire OS. The only good thing about Windows in this respect is that it is more difficult to remotely control the machine because of its single user origins.

I love using my XP Pro box for games - it dual boots linux, and has been amazingly stable for a MS OS, but I keep it safely behind a UNIX firewall for a reason - I don't like patching daily, I don't like the endless stream of worms I see trying to get in, and I don't want to give easy access to the script kiddie hackers that hit my firewall 100s of times every day (yes, they're logged and their IP automatically blocked after 50 failed attempts [hey, I'm generous - and I've screwed up login at least 5 times in a session myself]... now if only I could ban DHCP so they'd permanently go away...)

Quick, someone mod parent down!

We do not want to encourage behavior like this, do we? Reading the article, sheesh, what's next, checking for duplicates before posting?

Re:Good points...

It's almost root.

W/o some extra frobbing of permissions, all the Applications (in /Applications) are world writeable by users in the 'admin' group.

The first user in macosx is in the 'admin' group. Unless you make a 2nd user for yourself, you can basically overwrite anything in the Applications folder.

files /System/Library is root:wheel; 755, so that mitigates an OS-level attack... but still.

Re:Good points...

I read the article too, this guy using a valid point:

Mac OSX is not perfect

To bash Macs... it's paragraph after paragraph of "See? I told you so."

I own a mac, but I use PC's at work and home, I barely notice a difference between the two when I move between them because most of the apps that I use, like Office and Mozilla are fairly close in appearance and functionality.

BUT... the absolute, positive, no questions asked fact, is that last time my office of 300+ people had some worm running around, my mac was NOT infected and I was not required to jump through IT-hoops for hours to get rid of it or prevent it from happening.

Whether or not it has flaws or not is a stupid question, of course it does... but so far they haven't proven to be anywhere near as disasterous as the bullsh*t that we have to deal with from Windows.

Re:Good points...

Wrong. Windows is easier to write viruses for. You simply have to get someone to open an email message in Outlook, and a virus will automatically spread itself. If you wrote a virus for Mac OS (or linux, or any other OS), it would have to convince every person it was sent to, not only to open the email message but to intentionally run it. There's where the problem with Windows lies, and why no other OS is as virus-prone as Windows.

Re:Good points...

AC, his point is that with Windows, you don't have to socially engineer the user. Viruses can spread via eMail without the user doing actively running an executable. That can't happen on a Mac.

Re:Good points...

The implication of the article is that OS X would definitely have as many security holes as Windows, if it were the most popular OS. Where is the logic behind that conclusion? It is quite possible, perhaps even likely, that OS X really is a better operating system and would have a fraction of the security problems that Windows does. Popularity is not a valid measurement of security.

Re:Good points...

How can you be sure this is the only cause?

Yes, Mac has a lesser market share. So you're 100% sure that's the reason viruses don't exist?

Don't you think SOMEONE would like to brag about the writing the first Mac virus?

Re:Good points...

there are also incredibly FEW network services turned on (come on, someone spoofing your DHCP server on YOUR network and inserting malicious code? You've got bigger problems, my friend, than your vulernable Mac) out of the box when you install a Mac.

This in and of itself is another 50 pounds of "bite my shiny metal ass, Micro Soft apologist" to hand to the author of this article (i RTFA as well - he carped on a LONG time about this one quite obscure vulnerability, and didn't bother to name a single Mac virus or mail.app worm.. i wonder why?)

Until Microsoft changes their ways on having every useless network service turned on by defualt and making it easy (read: not requireing use of Regedit) to turn off and on services (read: Sharing System Preference Panel - checkboxes for all services), Macs will continue to be far less vulnerable to attacks than Windows is.

Re:Good points...

Sorry, but i'm on a W2k machine here at work.

Just checked Start -> Control Panels -> --------

i have no Service control panel.

If this mythical beast is not located in the Control panels where mere mortals live - wherefore art those average users who could find it?

(after 3 minutes of looking around, and because i (conned) the guys at work to give me Admin privs on this machine (99% users here do not) - i found the gizmo under the Administrative Tools applications folder under the start menu.. AFTER i "turned on" that folder in my start menu - for clarity)

if that's "easy to use, checkbox for all services" i'm Paris Hilton.

Re:Good points...

Until Microsoft changes their ways on having every useless network service turned on by defualt and making it easy (read: not requireing use of Regedit) to turn off and on services (read: Sharing System Preference Panel - checkboxes for all services)

Control panel -> Administrative Tools -> services. easy as pie. That's not to say that the average windows user has a clue what a service is, let alone how to turn it off. The problem is that unnecessary services are on by default. But, hey, it's the age old compromise; out of the box simplicity vs. configurability.

Then how come...

OSX has the out of box simplicity edge while still having all these services off?

Re:Good points...

Control panel -> Administrative Tools -> services. easy as pie. That's not to say that the average windows user has a clue what a service is, let alone how to turn it off. The problem is that unnecessary services are on by default. But, hey, it's the age old compromise; out of the box simplicity vs. configurability.

Sure, unless you happen to turn off the RPC service, in which case the services panel will no longer work! Classic MS incestuous garbage; in order to use the GUI to enable/disable services you must have the (formerly horribly insecure) Remote Procedure Call service running!

Re:Good points...

Really this Mac exploit can be blamed on Microsoft.

Because of the hundreds of holes in Windows some attacker can compromise a Windows server in the local subnet and then use it to spoof the DHCP servers to gain access to the Mac.

Re:Good points...

That article had more flamebait than a Dvorak article. Yes it's an op-ed piece, but that was specifically designed for getting hits. When I went to PC Magazine's [pcmag.com] homepage, here is what I see on breaking news:

12.10.2003
Internet Explorer Spoofing Vulnerability Found
12.10.2003
Security Experts Warn of New Way to Attack Windows

This same "exploit" Apple claims is normal [slashdot.org]. One "exploit" will not make Mac users eat crow. Let's see some real OS X viruses and Apple having to release so many patches that it moves to a monthly bug release program first.

Re:Good points...

By the same token, you could also call the user, impersonate an Apple tech, and ask them to turn on SSH and tell you their username and password. Or, if a user leaves their front door unlocked, you could walk in and remove their computer. Both obviously point to glaring security holes in OSX.

The point, however, is that it's extrememly difficult and/or impossible to write an autonomously propogating virus or worm for OSX that doesn't require active user intervention. Contrast with Windows...

Not really

Mac OSX has a bad set of settings. Yep, that happens. That is a bug. Likewise, there were other bugs on OSX that were actually just as bad if not worse (they use a lot of OSS and they will have the same faults as the OSS world does).

The real problem is that Mac OSX (and most other systems) have a fundementally sound architecture, while none of the the current Windows do. I suspect that Longhorn is taking a long time to get around these huge design holes, but the current ones have them and there is nothing that can really stop these. In fact, MS has confirmed it numerous times in gov. and court hearings.
So yes, the *nix based system will continue to have holes (in fact what system does not), but they have a much more sound design from the ground up. Hopefully, Longhorn will as well.

Re:Not really

The real problem is that Mac OSX (and most other systems) have a fundementally sound architecture, while none of the the current Windows do.

Not quite.

In the NT kernel, most (all?) objects have ACLs associated with them which allows much finer granularity than under a traditional UNIX-y kernel.

Imagine UNIX with finer-grained security. Now run many network-enabled services without the end-user's knowledge. Add automatic execution of downloaded code in the form of ActiveX controls, and remove the ability of those running the binaries to examine the source code.

Now revise everything in the system several times, adding new APIs while keeping existing ones more or less intact. Don't worry about establishing system-wide conventions among development teams -- they have better things to do.

Add the need to throw in nifty technologies to dethrone competitors.(1)

Now stop and think about how you've gained your acceptance. Realize that what people like to use at home will carry across to work. Realize further that people don't want to deal with permissions, or ACLs, not having administrative access, and not being able to play the latest-greatest game.

To gain home acceptance, ship a home edition of your operating system which allows the default user to do damned near anything on the machine. Make auditing of running services difficult and obscure. Above all else, don't confuse the user, or ask them to slow down even enough to realize that certain actions may compromise system security more than others.

Now stop and think about how little having finer-grained security really did to make the OS more secure overall.

The problem isn't that Windows lacks a "fundamentally sound architecture." The problem is all of the extra crap that gets thrown on top without really thinking things through.

1) I'll see your Java sandbox and raise you an ActiveX control!

Re:Good points...

Actually, this is one of the more mind-bogglingly stupid articles from a Windows apologist I've read in a long time. It's even worse than most Slashdot wintrolls.

For the record, I'm not a Mac user and my few attempts at using it ended in annoyance and frustration. It does not, however, take a genius to recognize the logical leaps inherent in the author's petulant outburst.

To wit:

1) A single flaw does not compare to the egregious history of security problems on Windows.

2) The conjecture that if Mac OS were more used than Windows, it would have the same vulnerability rate is just that, conjecture, and it is unsupported in the article.

3) The iTunes/iPod "hack" is not comparable to an operating system comprimise. It is a comprimise of a digital restrictions management (DRM) system. DRM systems are known to be inherently vulnerable and practically insecurable. Nobody but deluded content industry executives expect DRM systems to have any more than brief protection. Also, once broken, they can't be fixed.

4) The swipes at Mac "zealots" are irrelevant ad hominems

5) The complaint about the complexity of MacOS X is silly. All software is complex. Some is just done worse than other.

There's nothing here to see.

Re:Good points...

2) The conjecture that if Mac OS were more used than Windows, it would have the same vulnerability rate is just that, conjecture, and it is unsupported in the article.

Actually on the 12/02/03 episode of the linux show, Eric Raymond made a very good point that pretty much debunks this particular piece of FUD spread by Microsoft and Windows apologists. He said that if the number of bugs/vernerabilities of a piece of software were merely a function of the number of deployments of the software, then we would see far more bugs and vernerabilities in Apache, which currently has 67% of webserver deployments, than in Microsoft IIS, which only has 20%. Instead we see the exact opposite with far more bugs and vernerabilies in IIS. So, unless MS or Mr. Ulanoff can provide proof for their claims, then they are just spreading FUD!

Re:Good points...

good points? He talks about ONE security hole in OS X. So because they found one flaw, it's just as insecure as windows. huh?

Ok, no OS is immune (not even the beloved linux) to security flaws. To compare one hole in OS X to thousands upon thousands in windows is stupid. I've heard the windows is more popular so thats why it has more viruses argument before and it's BS! Windows is insecure by design.

I use linux and Mac OS X exclusively. I haven't had a problem with either of them. It's kindof like locking your car door... can someone break in? Sure they can, so maybe you have the club or an alarm (or both)... can they still break in? Yes, it just takes a little more time and effort. Windows is like leaving your car unlocked and the windows rolled down. Linux and OS X at least lock the doors and set the alarm.

That's exactly why...

I do the majority of my computing work on my TI-92. Havn't had a virus yet!

Re:That's exactly why...

I wrote one actually

DISP "THIS IS A CALCULATOR "
DISP "VIRUS. GIVE IT TO YOUR"
DISP "FRIENDS AND CLEAR YOUR "
DISP "RAM"

i hate the lameness filter. ti code is all caps so i need to put a lot of non caps in here to balance it out. this is not capatilized. take that you worthless filter. the above wasn't yelling, but now i think i just night start.

Re:Mac isn't more secure, BUT:

No, he's doing the reasonable Mac observance that 50 versions of a greeting card program does not count.

reaping and sowing.

Security is only as good as how often the users patch.

Wrong. There is something to be said for how security is considered in the design of an OS. For Windows, it wasn't much of a consideration, which contributed heavily to why there have been so many systemic vulnerabilities.

The system was designed to be user-friendly, not secure. They got their market-share because of that fact. I think it is much easier to make a secure system user-friendly than to make a user-friendly system secure. Microsoft is finding that out as well. You reap what you sow.

so, there's a hole

and a known patch is on the way. it's a very easy vulnerability to avoid. there's no virus yet...

was it worth the rant, or has he just been waiting a long time to make it?

Re:Hum...

I can feel a big commentary fight coming on this post :)

Pro-MACs on my left, pro-PCs on my right.

I think Rush Limbaugh might take offense at being placed on the Left [macnn.com].

Re:Hum...

Pro-MACs on my left, pro-PCs on my right.

I'm Stuck in the Middle with you.
Yes I'm stuck in the middle with Linux.

Re:Hum...

Shouldn't that be:

Stuck in the middle with GNU..?

Not much of a comparison

He's basically saying that since there was one widely-reported Mac security hole, Macs are as insecure as Windows? Odd comparison.

Mind you, I'm not too overwhelmed with his research; if he'd been paying attention, he'd have caught the SSH vulnerability the other month. It's not like Macs have been immune, and nobody with any clue claims they are.

What you can claim accurately is that Apple fixes holes promptly and fairly quickly, and that the MacOS X architecture does not have flaws which result in two or three active IE holes in the wild right now.

Apple isn't perfect, they're just pretty good. Microsoft isn't evil, they're just not as good as they should be. It's perfectly reasonable to use those two facts in making one's security decisions.

Re:Not much of a comparison

What you can claim accurately is that Apple fixes holes promptly and fairly quickly, and that the MacOS X architecture does not have flaws which result in two or three active IE holes in the wild right now.

The other thing that you can claim is that Apple appears to perform more thorough testing of their security patches. I have been using OS X since beta and I have yet to have applied a patch that has caused any real pain. Windows on the other hand......Well, I cannot count the wasted hours I have spent either rolling back an update or scrubbing the hard drive clean and doing a reinstall due to Windows either seriously corrupting things or even worse, outright killing a machine. In fact, at our lab it was a W2k security update that killed a machine dead that was responsible for us replacing all of our W2k systems with 17in iMacs running OS X. I simply got tired of the grief associated with maintaining a Windows computer. We use our systems to get work done, not to goof around with maintaining Windows.

Re:MOD THIS DOWN

>Apple's response was that it doesn't happen in Panther, so just upgrade.

Those BASTARDS! How can you get any work done in Jaguar without this critical feature. I just can't believe that somebody inside Apple decided not to backport this.

*cough*

Jesus Christ.

Please also keep us posted on the progress of the bug whereby a 20" iMac cooled to nearly absolute zero incorrectly reports a temperature value of MAXINT. That one's really slowing me down at work and if they don't fix it soon I'm gonna have no choice but to switch back to Windows.

Re:Not much of a comparison

Very good points. People who bundle their sense of self with their machine seem to get their panties in a bunch when their platform gets owned more than others. They seem to 'jump for joy' whenever a security vulnerability is distributed for some other platform. Personally I think this author should seek a priest, hobby or sufficiently drunk woman to help disassociate his feeling of being a man with owning a Windows machine.

Lance writes: I know this is wrong, but in one respect I was happy to learn earlier this month about the discovery of a significant security hole in the Jaguar and Panther versions (10.2 and 10.3, respectively) of the Apple operating system (OS).

Lance, let me tell you. It's not wrong for you to feel this way .... it's pathetic. Have you felt so diminished as a person this past summer, as wave after wave of virii pummeled your Windows box, that you now revel in the misfortune of others? Do you have these same insecurities about whether you purchased the correct toaster, hair dryer and nose hair clipper?

Get a grip on yourself, man! Stand up straight, take the panties off your head and start acting like you've got a pair! Repeat after me, I am not the products I buy. Sometimes the products I buy work out, sometimes they don't meet my expectations. When they fall short, it is not a reflection of who I am, my intelligence or the size of my magic wand. If the product fails, it is a reflection of the manufacturer.

Now go out there and do something useful with your life like kicking the butt of the manufacturers who sold you inferior products!

What a bunch of crap

Uh the so-called mac hole has been known since the days of NeXT. Its not a whole it was a deliberate choice for default settings. And that's the key difference. Windows security holes are totally blind siding bugs, whereas this so-called hole was a well documented and well considered choice.

Personally I would not have made that choice, but at least there was check box to turn off the default DNS trust. If only windows came with checkboxes to remove its bugs. And I dont mean like checkboxes that say "turn off scripting and cripple my browser please".

In fact mac has not even fixed the so-called hole because its not neccessarily a mistake.

In any case the SSH vulnerability, and the screen-locker vulnerability were in fact true holes created by mistakes. These are what should be scrutinized. But these did not lead to widesperead network worms at least. they did not arrise out of a insecure by desing attitude that pervades all the Active-X philosopy, the power-user-by-default philosophy, the standards crushing embrace-and-extend, the optional log-in password philosophy, or the add features rather than fix bugs philosophy that rightfully inspires all the anti-windows zealotry.

firmware password unsecure: Horrors!!! heavens!!!!

Several people have replyed here to this partent suggesting that the only interprestation of this "default" setting is as a bug. Consider an analogous "bug". Macs ship with the firmware password turned off.

This means anyone can walk up to your machine and boot it into single user mode and completely root you.

oh my god you mean someone with physical access could also somehow DNS spoof net info and get root access. Oh my alert the media.

The point is where one draw the line between ease of intergration versus security becomes cloudy once one gets to the point of requiring physical access to engage in a hack. The ONLY thing that I see distinguishing these analogous root attacks is that most people are aware of the single-user boot attack and though it was well documented the DNS attack was not well known and thus could have surprised a lot of people.

Fixing this now presents apple with a dilema. Consider that happens if they were to issue a security update that went around and turned off this feature. Suddenly all networks that had actually been using it suddenly stop working and some sysadmin has to figure out why then reconfigure every machine to turn it back on.

Thus you can see why they have not rushed to change the default. But one assumes that they will ship NEW os's and new computers with it turned off in the future.

this choice for easy configuration assuming the local network can be trusted dates back to the time of NFS. And NFS is still presents almost exactly the same potential security hole (if you remote NFS mount your home directory you just pulled your pants down, grabbed your ankles, and said "ah" if I can jack onto your network. ). NFS has not fixed this problem yet either cause doing so would break a lot of networks.

Got quiet, eh?

I like how he acts as though nobody is willing to write back in defense of MacOS X.

Can someone tell him that HIS WEBSITE IS NOT A BLOG, OTHERWISE HE WOULD BE INUNDATED WITH REPLIES!!!!

Thank you. ;-)

Go to the PC Mag URL instead

Go here [pcmag.com] to see the PC Mag version of the "commentary".

Then you can go here [pcmag.com] to discuss what a steaming load this "commentary" is. Oh, my gosh. Someone who already has access to your network can put a malicious machine on it that will lead to your Mac being owned when it reboots. That's so freakin' simple. Not like those astonishingly difficult Windows attacks of sending emails, setting up websites and/or having users download spyware. The sky is obviously falling. AAAAAHHHHHHH!

sad...

It's pretty sad when Windows-users feel they have to start defending themselves by pointing out that other operating systems are vulnerable too. The last paragraph pretty much says all in that regard...

Re:sad...

It wouldn't be as bad if it didn't stink of shit.

I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts.

So what? I'm not a mac nut. If anything, I'm more partial to Linux, but I say the same thing. Is this guy trying to imply that anyone who cites this perfectly valid reason to prefer macs to PCs is a nut? Real mature.

I generally counter with what is apparently a secret carefully hidden from Mac zealots: "That's because only a fraction of the world uses Macs. What's the point of attacking a niche market? No one will notice!"

Actually, he's wrong. There are reasons beyond marketshare why macs are more secure than PCs, but frankly, who cares? When I go home at night, the last thing I want to do is spend my evening reinstalling my OS because my girlfriend clicked on a "see my vacation pictures" email. Fortunately, that's not something I've ever had to do. Whether that's because macs are more secure by design or because no one bothers to write virii for them really doesn't matter to me. All that does matter is that running my computer is a lot less of a pain in the ass.

So I am by no means a Windows apologist or Microsoft partisan.

So what? If your arguments were solid, it wouldn't matter if you were. If not, it also doesn't matter.

Ultimately, those on the Mac fringe have to face facts: Panther and Jaguar were not better at outrunning vulnerabilities than Windows.

Really? Got any evidence to back that up, mister
ulanoff? Or is just this your expert opinion? Because I just read your bio, and I didn't see a damn thing that indicates you know architecture or the security implications of design choices from a goatse.cx post.

Bill O'Reilly just called, and he wants his credibility back.

Mac elite!

"How cocky are you feeling now, Mac elite?"....Aha! At least they are now recognising that we are an elite! ;-)

Re:sad...

If you were a Linux user, this type of thing would be an old hat who was beaten to death.

I remember in the days of Win98. With every single Linux security story, the WinNuts would cry: "See! See! Linux is just as insecure as Windows!" They would even do this on stories about local compromises, yet Win98 has no local security whatsoever. No permissions. Nothing. It doesn't even keep track of which users own a file. And they'd still insist it overshadows all the Windows holes, which were in effect root level remote compromises.

I especially love when they'd play numbers games. They'd say Linux has twice as many vulnerabilities as Windows this month/year, yet if one would actually look at the reports, one would see the Linux ones weren't nearly as serious. Nearly all Windows ones would say something like "one packet from the internet will cause arbitrary code execution with admin rights." Yet the Linux "vulnerablilties" would be mostly obscure crap from packages almost no one uses. "Video game Boogerman3D will allow any user to change the high score list." Oh no! Some user might give himself a billion point high score...what do I do???

Welcome to the real world. Where a bunch of lusers try to point out the "inferiority" of your OS by claiming your relatively obscure and unimportant security flaws are much worse than glaring and suicidal ones.

Re:sad...

I'm using Windows...I don't feel like I have to defend myself...I'm not being attacked.

Umm... you are aware that this is Slashdot, right?

Re:sad...

No. The site appears to be Slashdot, and the URL above seems to point to slashdot.org, but this is really a hoax taking advantage of an Internet Explorer exploit allowing, through JavaScript, the location in the address bar to be spoofed.

Next Month...

But the mindlessly superior retort is always the same, "No, it's because the Apple OS does not have the same holes as Windows. OS X is just a better operating system."

Whatever. All OSes have their inherent problems, but next month, when Microsoft racks up another suit of deathly insecure vulnerabilities, OS X will probably be fixed and free from defects for another couple of months.

I'm not a Mac fanatic, but it's because OS X is based on Unix, and Unix is more elegant in its design that gives OS X its better security.

Re:Next Month...

I take issue with your statement that Unix design is more elegant. I feel that NT is a wonderful, modern, design, with inherently more built-in security features than BSD or Linux variants.

Unix is a 35 year-old design that has stood the test of time _because_ of its elegance. It's based on 6 commands (open, close, read, write, fork and exec), takes an "everything's a file" approach, and relies heavily on small, reusable componets that are easier to fix and isolate than large monolitic code. The complexity if Unix likes in the mixing of those simple pieces.

Think of it as the difference between Playdough (Windows) and Lego (Unix). Windows is like a big lump of playdough. Sure it's pliable in the beginning, but over time it hardens into a big, unusable clump that needs to be tossed (reloaded). Unix on the other hand is like legos. Its modular design lends itself to be mixed and matched into unlimited configurations.

When it comes to security, it's easier for coders to get their brains around smaller, more manageable code. Windows is so big and unwieldly, they're going to have to do a fourth rewrite if they ever hope to build something that's even close to being secure. Why else has Microsoft been promising security for almost two years since they announce "Trustworthy Computing" and yet they're worse off than they've ever been.

Like I said in the original post, next month we'll see a whole slew of major new problems with Windows, and Mac and the other Unix variants will probably be free from any major known flaws. Just like we have for years.

It's not just that

Unix is more elegant, but the fact that it grew up together with the Internet as a networked OS. This was not an afterthought. Neither was multiple users and security. When you work with something long enough, it becomes second nature and solid and secure. How did Windows start out? Single user. No Internet. No concept of services/daemons. You machine was its own little island. It was all about the single user GUI in the office to do one task.

And anyway, if XP is so secure, why are they scrapping it for a complete new rewrite - again? It's because it can't be fixed and it has more security leaks than a seive. Microsoft has tried and tried to reshape the Internet into what they want it to be and, thank god, it's failing. And in a way so stupendous that now those that get sacked regularly gotta go off and complain about it. Well boo hoo to them. I've never experienced a virus or worm on OS X or Linux/Unix and I don't suppose I will be anytime soon. There's a reason for that and m$ still doesn't get it.

One flaw

Mac OS X gets one flaw and it's suddenly on par with the truckload of Windows security problems? What a funny little man...

Re:If Mac OS X were REAL unix...

AFAIK, Joe Blow can write to / on a new 10.2 install. This is madness.

then, apparently, you don't know jack. you absolutely cannot write to / unless you (and follow this carefully):

1) open up a terminal
2) type sudo
3) then type say: cat /etc/hosts >> /hosts.txt
4) type password

you my friend, are full of shit. now, if like me, you create another user, which i always run at, then i have to open the term, su to an admin user, then sudo. osx turns off root by default. to enable it, you have to go into net info, and specifically enable root, THEN, you have to change it's terminal from /dev/null to /bin/bash (or whatever). apparently somebody at apple actually thought about security BEFORE they shipped the product. evn if yo install any application, the best you can do is install it into ~/Applications. if you want to install it into /Applications, then it asks for a admin user AND a password. make shit up in chat rooms. not /.

Uh

How does a default setting regarding a specific directory's permissions plus the fact it doesn't use /etc/passwd make it "unfit for production"?

OS X doesn't use /etc. That's just how it works. It uses the NetInfo database. This is one of the few actually well-documented parts of OS X. /etc is a vestigial limb, it's a dummy file which is involved in startup but it is not actually used for real user info. It's used in single user mode because single user mode is an emergency startup mode used for debugging, and NetInfo doesn't launch in this mode unless you launch it, because part of the single user mode's hypothetical purpose is to debug problems with NetInfo!

You might as well call Linux unfit for production because you can do some potentially nasty security-related things in some versions of Lilo.

Oh yawn..

.. This article was nothing more than +1 Flamebait. The author sounds like a little boy who finally gets to say "I told you so! I told you so!" when there really isn't anything to be told. All OSs have undiscovered holes and problems. The key is how fast the vendor deals with the problem.

It's all about the scope...

The hole he's referring to requires some particular circumstances before it's even viable.

The attacker must:
Be on your local network
Already have control of your DHCP server

If both of the above are true, you already have much more serious problems.

While I agree that remote root/admin is bad juju, in this case it's hardly equivalent to the Windows remote admin exploits to which he's comparing it.

Re:It's all about the scope...

The attacker must:
Be on your local network
Already have control of your DHCP server

You forgot one important thing - you must also reboot. If you don't reboot your Netinfo daemon doesn 't pick up the new information supplied by the poisoned DHCP server. So the attacker must also trick you into restarting your computer.

In short, yes this is a potential exploit but an extremely unlikely one. By the time the attacker does all of these things he probably would have been better off just walking over to your computer and stealing it from you.

The author is an idiot

First, let's get the obvious stuff out of the way. THIS VULNERABILITY IS NOT ON BY DEFAULT ON OSX! You have to go into an obscure app (Directory Access) that most users don't know about, and turn on an option that most users don't need, in order to be vulnerable. Also, this vulnerability was never exploited.

How can this idiot compare that to the hundreds of millions of computers ACTUALLY INFECTED by Windows vulnerabilities like Nimda, Code Red, Melissa, Klez, Sobig.f, and thousands of others? Using Windows is like buying random illegal drugs on the street to treat a headache.

The MacOS is not without its flaws, but Windows is the swiss cheese of the secure computing world. It's very telling that the author didn't allow for any feedback or provide his email address.

Re:The author is an idiot

In regards to the Directory Access / malicious DHCP vulnerability, the "use DHCP-supplied LDAP server" option is turned on by default. For this vulnerability to be exploited, either you're using an "untrusted" network or your network got hacked!

If you don't use a DHCP / LDAP server then its recommended that you turn it off.

This is from the apple site:
You don't use a directory service

1. Click the Finder icon in the Dock.
2. From the Go menu, choose Applications.
3. Find the Utilities folder and double-click to open it.
4. Open the Directory Access utility.
5. Click the lock button, type your password, and click OK
6. to authenticate.
7. Select the LDAP service and click Configure.
8. Deselect the "Use DCHP-supplied LDAP Server" option. See Figure 1.
9. Click OK. Your computer is no longer susceptible to this exploit.

unix vs windows security

sigh. this argument gets old. unix is designed to be more secure than windows. not only that, but it IS more secure than windows. no amount of screensaver errors, cocoa text field overflows, or netinfo exploits will change this. the day windows is more secure than mac os x is the day i can get by without ever needing the root (Administrator) account with access to everything. yes. everything. install apps, install libraries, use current apps, develop apps (with the exception of kernel code but this needs root no matter what OS).

Re:unix vs windows security

unix is designed to be more secure than windows

Sorry, but this is nonsense. UNIX *is* more secure than Windows, but Windows was *designed* with more security in mind. UNIX comes from an academic background where loose and free access is the norm (or was in the 70s). All of the security trappings are post-hoc.

Now if you want to say that UNIX's technical excellence is demonstrated by the fact that even security being a crude add-on, it's still superior to Windows' baked-in attempts, then you would of course be right. But UNIX was never designed for security from the ground up...

Re:unix vs windows security

Nonsense.

Unix was designed with security in mind. As they've added things (such as networking, which wasn't there initially) they've designed them with security in mind. Yes, sometimes they had to go back and add things or tweak things, but they designed it with security in mind.

Whereas I can't see that Windows was designed with security in mind. Maybe it was, maybe it wasn't. I'm not willing to take MS's word for it - they've lied to me far too many times.

Seems pretty cocky

Typical Windows User: Stupid virus, now I've got to use my restore disks. Stupid popups, I only want to look at the porn I ask for. Stupid spyware, I can't believe adaware only found 26 new spyware programs today.

Typical Mac User: Stupid virus, my computer is fine, but my ISP is down. Stupid popups, oops forgot to check the option in Safari, okay better now. Stupid spyware, it made me hit cancel when it tried to install itself.

Now understand I'm talking about the standard consumer, of course there are many of us that can keep the windows problems at bay.

How many recent flaws?

> a recent OS X security flaw

That's the significant word, I think. A single one

Same DHCP "Flaw"

It sounds like this is just the same "Flaw" in OSX's DHCP settup. There was a thread on this earlier. They essentially use a server to assign a number of items as well as IP. If I reacall correctly, this was never that big of a security flaw (at least not moreso than any other standard DHCP setup)

This is just some guy on a soapbox blabering on about how this "flaw" proves that OSX is just as bad as any Microsoft product. Hopefully others can see past this guy's rhetoric.

Re:Same DHCP "Flaw"

The earlier slashdot story is here: http://apple.slashdot.org/article.pl?sid=03/11/28/ 2226226&mode=thread&tid=126&tid=172&tid=179&tid=18 5&tid=190

Dave Schroeder writes, "This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network."

Yeesh

I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts..I generally counter with what is apparently a secret carefully hidden from Mac zealots..But the mindlessly superior retort is always the same..Given this recent development, my question is, "Will you be stuffing that superior attitude in your crow or eating it separately, sir?"

Geez, I write like that sometimes here, but only to blow off steam in a forum where it's not unacceptable, and even then I feel bad about it. Perhaps the local trolls should apply for a job writing for ABC News? I'd love to see the Greased Yoda Doll guy become a colleague of Peter Jennings.

Also, for the bazillionth time -- Jon Johansen did not crack DeCSS. He hung out with guys who did, and as a minor was the front man for distributing it. It's one of those myths that is too fun to allow truth to get in the way.

it's quiet because you're such a pussy....

... that you don't put your email in your attribution or anywhere in the article.. Luckily, thanks to Google, your bio reveals your email to be:

Lance_Ulanoff@ziffdavis.com

Share and enjoy!

Re:it's quiet because you're such a pussy....

Lance_Ulanoff@ziffdavis.com

An e-mail address! Quick, send him an Outlook virus!

Quick!

Quick, send him an Outlook virus!

I think I already did.

Re:Grow up

it seems far more constructive to discuss the merits here (which I am sure he will read)...

Heehee, (giggle), that was a good one.

Get real. This guy's job is to generate ad revenue by bringing in eyeballs. Writing an inflammatory article does just that. Having done so, he goes home. He doesn't give a shit whether he's right or wrong, and he certainly won't be following up the "community's" response. He will laugh all the way to the bank, however.

monoculture

His argument seems to be that although MacOS X is just as flawed as Windows, the flaws won't be exploited as much because MacOS X is rare, so hackers won't bother with it.

Well, this is one very good reason why the operating system monoculture is bad.

Security also isn't just a matter of the OS. My office-mate got her AOL account owned by someone who apparently did a dictionary attack on her password (which was her dog's name). If people open executable attachments in Outlook, it's the fault of the application, not the OS.

Is this really the same?

So an attacker who can gain access to your network -- over a wired connection or wirelessly -- can trick an affected system into trusting a rogue machine, and when the compromised machine reboots, take it over and even attack other systems on the network.

So, a guy has to get on my network, set up another machine as a trusted server, wait for me to reboot, and then...? Is this a fair comparison to email viruses, etc...?

My cube's been up for 90 days. I plan to take it down and upgrade it eventually. Does this mean I'm going to be vulnerable?

Whatever.

I'll second that...

...I swear, if I see one more SoBig.X, CodeAqua, or MacNimda entry in my logs, I'm gonna snap.

It's about time Apple did something about the POS security in OS X!

Not the right way to look at security

Look at what it means to a typical user, doing things the way such users typically do. Do some real risk analysis. That is what folks are truly interested in-the difference in risk to them when they plunk down their money for a PC vs. a Mac.

And this guy is an editor?

"How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here."

That's the sound of no one caring what you think, Lance.

A series of what ifs, followed by the reaction of imaginary mac fields that exist only in Lance's head.

And the whole "Macs don't suffer viruses because there's so few" myth was dead and buried long ago. Sheesh. Who cares? If Lance is happy with his bloated, cheerless, abominable bugfest of an OS, more power to him.

And now, Obligatory Car Analogy: it's like Lance is sitting by the side of the road with his Chevy Vega that just flew to pieces for the fifth time that week, and he's pointing at the Lexus that just sped by because it had a defective radio knob that just fell off.

Re:And this guy is an editor?

Apache killed it. Apache runs 70% of the web. IIS receives 90% of the attacks and hacks.

Claiming that OS X sufers fewer hacks because it's a smaller market is a post hoc fallacy.

His reply to an e-mail I send him earlier today

Excellent comments. Please post them in our forum:
http://discuss.pcmag.com/pcmag/start/?msg=32413 [pcmag.com]

-----Original Message-----
From: ***
Sent: Thursday, December 11, 2003 10:24 AM
To: Ulanoff, Lance
Subject: Eureka

Hello.

in your piece at http://www.pcmag.com/article2/0,4149,1408953,00.as p,
you have this to say in conclusion:

Ultimately, those on the Mac fringe have to face facts: Panther and Jaguar were not better at outrunning vulnerabilities than Windows. I expect other gaps will emerge, and while the Mac OS may still draw far fewer attacks, this discovery might suck a little wind (or is it Windows?) out of Mac radicals' sails. They can scarcely claim this was a minor hole. OS root access is serious stuff. How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.

So, that's all it takes for you? One potentially serious loophole in an
OS to declare it "no better at outrunning vulnerabilities than
windows"?

Have you recently counted the number of Cert advisory reports that have
come out for XP? Last I checked, more than a month ago, it was in the
40-some range. For XP alone. This year only. For the past few weeks,
those reports have come in bundles of 3-to-5 at a time. Nearly every
other week.

While gaining root access is serious on a Unix machine, you also need
to point out the fact that to be able to gain access to this loophole,
you absolutely need to be on the same subnet as the compromised
computer. Therefore shielding 60%-some percent of home Mac installation
(as those connect to the interner through some phone connection like
PPP) and a great deal (don't have numbers) of the remaining 40% still
not at risk, provided their Cable or ISDN, [A]DSL ISPs have done their
work properly.

It's not like one could attack the entire machine simply by sending an
email containing some VBL script. Right?

Of course I'm a Mac head. And I'm still as cocky as I've been since
roughly 1988. Because every time I see those IT folks around here
struggling to keep the company running when the next wave of Win
trouble appears, I'll be smiling at my desk, uninterrupted, and
occasionally offering to help (okay... I'm just pointing them to some
Linux site or Apple.com... but hey... I seriously believe that would
help
them).

Keep us entertained.

Have a good day.

Superiority dance?

Remember, this is PC Magazine, so naturally they will be very PC-centric, for lack of a better term. And most PC users will show anything from mere ennui to full blown fear and loathing about anything that is fruit-flavored.

yeah punk, I'm feeling lucky

How cocky are you feeling now, Mac elite?

• Number of Macs reported/suspected to be cracked by recent vulnerabilities: ZERO
• Number of Windows PCs known to be cracked by recent vulnerabilities: MILLIONS [google.com]

So... I'm feeling pretty damn cocky, thanks for asking.

Re:yeah punk, I'm feeling lucky

Your google link returns 19 documents. I checked them all. NONE of them give any evidence of millions "of Windows PCs known to be cracked by recent vulnerabilities". One, one of them quotes an unnamed employee of a security firm estimating that "tens of millions" of machines could be infected by a recently-seen virus.

Most of them speak of the millions of emails caused by viruses self-propagating by emailing to all contacts in address books, or of millions of dollars being cost companies by viruses, etc.

It took me about 5 minutes to check your link, and yet at time of posting this, you're at +5, Insightful. Yet more proof, as if any were needed, that most "moderators" round here just see that a post is anti-"M$" and mod it up.

If you have some hard data to back up your claim that millions of Windows PCs have been cracked by recent vulnerabilities, I'd love to see it. Otherwise, quit trolling for easy karma.

Re:yeah punk, I'm feeling lucky

His google link may or may not be accurate. Regardless, his point remains. I run Linux on my servers, and Macs on my desktops. I can't tell you how many times I've gotten Mail spammed with various outlook virii. That one a few months ago...was it SoBig? I forget. Anyway, I woke up in the morning, and overnight my inbox had received 200 messages, all that virus. Of course, they didn't do a damn thing to me. Then, I remember when Code Red was going around, and I'd check my Apache logs, and see I'd gotten spammed by it a few dozen times every hour. The fact of the matter is, millions of windows boxes are cracked with their stupid vulnerabilities, and OSX users are not.

I love my G5.

Mac Elite?

I've been a Mac user for four years now, but I still regularly use Windows and occasionally Linux. To me, Mr. Ulanoff seems to embody the worst type of Mac user - the cynical ex-user. All the Mac users I've talked to aren't snobby or "elite" but almost every single ex-mac user is. It's almost like they were upset that they had to leave MacOS and now all they do is spit insults at anyone who thinks that Macs are cool.

I feel bad for anyone who feels the need to put a group of users down simply due to their choice in tools. That goes for the "Mac elite" that Mr. Ulanoff has to deal with as well.

WSJ Article vs. PC Magazine

You can find a better article about the OS X vs. Windows with respect to viruses here [wsj.com].

I have never been able to shake my perception of PC Magazine/ZD as just a shill for their biggest advertisers. Just ask yourself: Who butters their bread?

The new variant of "Apple's dying"

I understand that a lot of you here on Slashdot are new to the Mac (since OS X) but those of us who have been on Macs for longer recognize this type of junk tech writing for exactly what it is: an attempt to stir the shit and increase readership. It's probably easier to sell advertising on your site or magazine if you can create just the right anti-Mac tempest in a teapot and sell a few more copies or increase your web site hits. This tactic used to run under the headline "Apple going out of business" or "Apple to close up." Now that's mutated into a "critique" of security or speed claims or whatever. Sadly, there is a fraction of Mac users out there who are still willing to take this bait and play into the game. I'm not even looking at the article. Been there, done that. I recommend that you stare out the window and observe the slow but steady growth of the grass outside--that would be far more productive that playing into this kind of shameless, professional trolling masquerading as tech reporting.

Ego Trip

Heebie JEEBUS, If this guy isnt someone that is desperately looking to validate his existence I don't know anyone who is. To go about comparing one, frankly obscure, dhcp exploit compared to the neverending cavalcade of windows holes. I wonder if mr self satisfaction actually has a timeline of windows exploits and issued patches. I doubt his wall would be long enough to hang such a thing.

Hmm, bias attitude?

Wow, this writer for PC Magazine obviously has some issues when it comes to attitudes. This article is written mostly as an "IN YOUR FACE" to the Mac community. I also find humorous the huge, honkin' HP advertisement right in the middle of the article.

Anyway, while it may be true that there have been some insecurities with OS X (as you'll have with _any_ operating system), most of them have been what I'd classify as low-risk. Go read all the advisories for them, they all require either physical access to the local box/network or are vulnerabilities with the open source components of OS X (like OpenSSL) that affect everybody in our (Geek) community.

So quite frankly, I see this as overreacting on the writer's part and worse, it's not terribly objective and horribly whiney.

(btw, as you read my sig, you'll say I'm just as bias and you're right. But I'm not whining am I?)

PC Mag proves once again its writers are inept

This guy should obviously keep to using PageMaker, and fixing fonts. He obviously doesn't know much about computers, and even less about OS security.

Microsoft's less-than-stellar OS security took a while to become apparent. In fact, the problem wasn't epidemic until a few years after the Internet took off. Windows' market domination makes it a target for the virus authoring community.

Um maybe that's because Microsoft built the OS around the paradigm of security by obscurity, where there was any security at all. The Internet was added as an afterthought to the OS. It wasn't built for a hostile environment. It was built around the idea of some knuckle-head sitting in front of it, playing games, writing Office Documents, printing office documents. It wasn't built (as UNIX and Linux systems were) to live in a hostile environment.

If the Macintosh OS ever became dominant, the tables would turn, and there would be just as many reports of viruses, security holes, and attacks on it as we currently have with Windows.

This argument is ridiculous. Apache hosts over 60% of the websites out there, and it's certainly not getting hit like IIS has. People who associate things like security problems with market share prove just how little they know about what OS security means.

In fact, Jon Lech Johansen, the same Norwegian who cracked the DVD security code, recently circumvented the iTunes music protection scheme.

Sorry, Jon neither cracked CSS nor the iTunes music protection. Both these items were posted to a bulletin board hosted by Jon. Being that this has not thing one to do with security, I'm baffled by this. It's truly an idiotic stretch to associate the popularity of iPod with iTunes DRM being cracked (which, by the way, it wasn't).

Security

Is being secure the same as security? Let us take a look and see. Starting out let us compare raw numbers.

Building A has one broken window, that is kind of small and can only be breached if you can get passed the outer gate (with its own security), and have the right (specialized) equipment.

Building B has many broken windows, and windows breaks as fast as they fix them. Many of the broken windows can be breached from down the street. The latest broken window could allow anyone to imitate building C, and only when you have entered the building do you realize that you have been duped into entering Goat's house of cx.

Which building is more secure?

The issue is that security is offered in LEVELS. No place is 100% secure, however some places offer much higher levels of security, providing a safer place to be.

So which building is more secure?

iTunes

To quote part of the article:

Meanwhile, we can already see what happens when Apple has a broadly popular product that cuts across platforms. The Apple iPod is the number one MP3 player, and now that its companion computer utility, iTunes, is available for both the Mac and the PC, it has become a hack target. In fact, Jon Lech Johansen, the same Norwegian who cracked the DVD security code, recently circumvented the iTunes music protection scheme.

An event like that occurring makes sense to me, since iTunes' popularity makes it a target worth hacking -- and whatever mystical Mac mojo there may be, it didn't go far in protecting a popular Apple product.

Steve Jobs stated when the iTunes music store was announced that the DRM would be hacked. The point was to provide a DRM solution that was not restrictive to honest users. That was delivered.

The author also says: DRM is NOT Evil

DRM is not Evil [eweek.com]

His email address: Lance_Ulanoff@ziffdavis.com

His brief bio here [pcmag.com]

Re:The author also says: DRM is NOT Evil

Hilarious quote from his 'DRM is not wrong' article:

If we suddenly had a way to make perfect copies of objects as big as, say, cars, I imagine that thousands of shiny red Mustang convertible clones would instantly appear on the road. Most of us would find that wrong.

What? What? What? Being able to make perfect copies of objects the size of cars would, I think, be the greatest moment in the history of humanity! Hello!?! The end of hunger? The end of want? The end of shortages of essential, life-saving medicines? Barrels of clean water for the third world? Bueller? Bueller?

If we were in a position to do this (and how would it be *stealing* anything, anyway? The original is still in possession of the owner, so - guh! - it's copyright infringement at best ;), then I think IP rights would be the last thing on anybody's mind, because *the capitalist system would be instantly destroyed*! Frankly, I'd welcome that. Capitalism may be the best of a bad bunch of socio-economic systems right now, but if something demonstrably better shows up, most people would take it in an instant.

Although maybe it's possible that he just really, *really* hates Mustangs.

The guy's an idiot. Even ignoring a ridiculous brain-dead analogy like replicated Mustangs, the fact he can compare OS X's few security holes (and I don't even *use* OS X - I'm no fan) to the gaping net that is Windows shows he must be blowing somebody to keep writing this garbage...

He's Right!

It did get really quiet around there. I'm sure that everyone was gathered around to see if he really was going to click 'Submit'.

Overheard whispers: "He's not going do it" "Yes, he is - you didn't see last months rant against one button mice?" "I dare you" "I bet his ethernet cables not plugged in" "It's been a pleasure working with you" "I knew he was an idiot, but nobody's that dumb" "Didn't his last article get taken out by the Melissa virus?"

Insecure?

How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.

I think you can add Lance Ulanoff to the list of things that are "insecure".

Scale

I said nearly the same thing about Linux last time somebody spouted junk about Linux not really being any more secure:

When OS X has a vulnerability, it shows up in a few specialty news sites, a few people tsk, and maybe a few people even get hacked.

When Windows has a vulnerability, it shows up as a worm that takes over millions of machines in a matter of hours and cripples the entire internet.

The OS X vulnerability in the article isn't even a remote vulnerability. You need access to the machine's local network to pull at off, and you need to do it when the machine boots.

Major Windows vulnerabilities, on the other hand, let anybody who can ping the machine take it over completely and at will. You don't even need to be that smart; a small computer program can do it automatically.

Which one is more secure?

The default configuration is insecure.

If you have to change your configuration from the default in order to have a secure system, then you have a security hole. Most of the really big microsoft security hacks are things just like this - the system is configured open by default when it should be configured closed by default.

The rationale for configuring the system this way is that it's easier to administer - you just plug it in and it starts working. This is why Microsoft used to configure the system insecure by default. This is why Apple is still configuring the system insecure by default. But part of what you're plugging in, with no authentication at all, is your authentication system. So if the thing that tells you what authentication system to use lies, you're hosed.

This is less severe than the recent Microsoft bugs because the attack is hard to do from the outside of a firewall. So probably Apple is not going to get the kind of bad publicity for this security hole that Microsoft has gotten for, e.g., the Blaster worm. But this is actually a much worse security hole, in a sense, because there is no Software Update coming down the pike that fixes it - Apple has, so far, taken the position that this is a feature, not a bug.

Because the number of people who run software update automatically is much higher than the number of people who pay attention to security alerts and do what is recommended in them, this particular security hole is going to remain on pretty much every MacOS X install in existence. So I can see why the guy from the PC magazine is acting all smug.

The right thing would be for Apple to fix this, but I don't see them doing it - there's no way to secure the DHCP transaction, and there's no way to secure the LDAP transactions either. I hope there's someone in a back room at Apple working on closing this gap, but they've been silent on the issue so far, other than maintaining that because it's a configuration thing, it's not a problem.

lame.

Mac OS X is not a secure OS, neither is windows or linux. A secure OS is one that is competently adminned with all services except the bare essentials disabled, all patches applied and is constantly auditted for holes.

"security is a process, not a product" - Bruce Schneier

So Mac OS X has security problems, so what? so does do linux and windows. Too bad for those two mac os certainly makes up with its superior gui and os design.

But Apple does fix the holes!

When I went from OS 9 to OS X, I knew that I was giving up a large amount of security to get a *nix base and loads of features never before seen in a Mac "OS". I think that was well worth it.

What else that has definitely made it worth the move is that Apple has been very fast, IMHO, in offering patches for security holes (note: the recent cookie vulnerability).

There are dozens, maybe hundreds of more holes in Windows and we all know that many of them will never be fixed.

At least Apple acknowledges security holes and makes effort to fix them.

-A

Computer magazine "journalism"

1. Notice flagging readership, reduced ad revenue
2. Write audacious, insupportable story that will anger people
3. Submit to Slashdot
4. Profit!

another funny thing.

Anyone notice this?

From Mac Fan(atic) to Windows User

...So I am by no means a Windows apologist or Microsoft partisan. I began my computing career as a Mac patriot, in fact. I used a Mac SE/30 with PageMaker version 1.2 and laughed at the lowly IBM PS/2, which could just hobble along on the subpar Windows 3.0... But even back then, I had this gnawing suspicion that 18-month software development cycles could somehow hurt the platform. Before the tide really turned, however, I switched to PCs. I had joined PC Magazine, and the editorial staff used them... ...

Please, please, tell me that he's not trying to convince us of his "Apple cred" by noting that the last time he used a Mac in a serious capacity was ten years ago?

Actually, This Article is Great

You know why? It marks the point at which Macs have climbed back into the ire of PC Mag editors everywhere. 3 years ago, a mac article wasn't worth the soy ink and electrons it took to create an anti-mac article.

Wow, it's like it's 1988 all over again. Some Tool nitpicks one or two items to make himself feel better because he's a Windows user for whatever reason.

Next we'll hear how overpriced Macs are.

Actually, the only difference between this and 1988 is that games used to come out first for the Mac (Real business users don't need games! Was the rallying cry).

So this is the best we can do?

"If the Macintosh OS ever became dominant, the tables would turn, and there would be just as many reports of viruses, security holes, and attacks on it as we currently have with Windows."

Apparently the author thinks that it is impossible for the dominant OS, whatever that may be, to be more secure than Windows. He belives that a products percentage of proliferation in the marketplace determines its security. Not the programming.

He's saying that UNIX based operating systems with as much exposure as Windows will be subject to as many vulnerabilities and exploits as Windows is. He thinks it is not possible for an operating system to be made more secure and less vulnerable.

In effect, what he is saying is that Windows is the best the human race can do. This is it. This is the culmination of our species ability to write software. No operating system can ever improve on the constant barrage of patches and updates that must be done to keep Windows safe.

Obviously, while humans can not ever write flawless code, I certainly hope for our sake someone somewhere can do it better than Microsoft. If that someone is Apple, great. If it's a Linux distro, that's fine, too. But I am certainly going to hold on to the belief that there exists the possibility that an OS can be as dominant as Windows without being as insecure. Otherwise, we don't have much to look forward to in the realm of computing, do we?

Rebuttal by The Mac Observer

Bryan Chaffin from The Mac Observer goes into some of the points mentioned in the original article: The Back Page: PC Apologist Asks If We Mac Users Are Now Humble [macobserver.com]

One interesting point made is that those who say that Mac OS X suffers fewer security and virus problems than Windows only because there are fewer Mac users just don't have a leg to stand on.

Overzealous, but then....

First of all, any operating system can have a bug in it, just like any other piece of software can have a bug in it. Some are serious, some are not. And anybody who knows anything about internet security can tell you that the next thing to get you will almost always be the thing that nobody thought of. If you're depending entirely open your OS security to keep you safe, you have a problem.

When bugs are found and updates are released, this is a good thing. If the vendor doesn't get an update out in a reasonable amount of time, that's a different issue.

Having said all that, I should say that OS X being Unix underneath certainly does come in handy for security issues that come up. Windows users do not have (and often could not use anyway) that luxury. Yes, I'm an OS X user, although I am a long-time Windows user (since 3.1) who still has a Windows box. Both of them are behind a firewall so I don't spend a whole lot of time sweating every little security hole that comes up in my operating systems.

RP

two things to say

After reading the article, I bave two things to say:

1. These aren't exactly easily exploitable remote root's like windows has had 50 of. There really is no comparison.

2. Installing XP yesterday, I was r00ted before I could get to Windows Update. This is just. plain. ridiculous.

I don't know about you guys, but there really is no question of what OS to use if you really want it to work right, be stable, and be secure. NO QUESTION. "usability" is close enough in Linux for me. AND ISN'T A VIRUS EVERY FIFTEEN MINUTES SOME SORT OF USABILITY PROBLEM?>??

Same bug in most Windows versions

A bug in Windows 3.1 and forward allows a malicious attacker with access to the local network to hijack your machine and run any program he wants on the users machine.

The attack goes like this:
He sets up a DHCP server
Feeeds computers booting with fake IPs for DNS and WINS servers.
Redirects the NETLOGON server shares to a share under his control. Makes sure the login script runs his software.

It is thus recommended that all Windows users, especially coorporate users, disables DHCP in the TCP/IP settings, until Microsoft starts shippign support for DHCPS - which is DHCP over SSL/TLS.

It is important to do this, since if only some users does it, it might be difficult for thew machines to connect to each other.

To summarize the article ...

"HAHAHAHAH!! Mac OS X isn't perfect! Duh, I'm so smart!"

Is this guy for real? How does a vulnerability which involves an attacker having to break into your home network (much less a corporate one), take over a machine and then set it up as a rogue DHCP server anywhere near equivalent to something like Blaster, which spread automatically, with no machine spoofing required? Honestly, if your network is so utterly open to attack that it's a trivial task to spoof a DHCP server, there are bigger problems than OS X's security flaw there.

The claim that Mac OS X would have more viruses if it was more popular holds some merit, but it says nothing about the lethality of those viruses. OS X has all sharing network services off by default, unlike Windows, shutting down a large avenue for virus propagation. Mail shows the entire file name of an attachment, preventing attackers from hiding extensions. Mail also does not automatically execute attachments. Furthermore, any application wishing to do anything as administrator has to ask for a password by default, and root is disabled by default. This is not the case in Windows, where tales of administrator accounts with blank passwords abound. While there may be more attempts at writing viruses for OS X if it was more popular, far fewer of them would actually reach the scale of damage that things like Blaster did. Windows is an ideal virus propagation platform not just because it's popular, but more importantly, because it's default setup is insecure as well.

Flawed Arguments...

I'll admit, right away, that I'm a Mac user. Then again, I'm also a Windows user, Linux user, SunOS user, etc. I'm really not *that* platform dependant. I guess I really don't understand the reasoning behind arguing over an OS. The argument is rather petty if you are not doing anything to improve upon the security of the operating system you favor. No OS is perfect, and no OS is totally secure.

I did find a few problems with the article (beside the fact that the author was bashing mac users who bash windows users...circular logic, anyone?). The author claimed that due to the fact that DVD Jon cracked quicktime encryption of ACC streams (used by the iTunes Music Store) doesn't mean it's going to bring either the MacOS or Windows to its knees. It's a f**king MP3 player for Chrissakes. Sure, vulnerability that could circumvent OS security might exist within iTunes, but the specific nature of DVD Jon's crack has nothing to do with OS security.

The author made this claim about the cross-platform iTunes "exploit" while failing to mention anything at all about Macros, and the possible for viruses that accompany them. To me, it seems that the author was grasping at straws without having any concrete evidence to back up his claims.

Whenever I read an article from one side of the OS wars bashing the other side, I tend to think that the author was in danger of missing his deadline and needed to come up with something in a hurry. Why does this issue never get old? Perhaps we should think about ways to make our OS of choice more secure rather than bashing others' flaws.

AgentOJ

My Favorite Part

But even back then, I had this gnawing suspicion that 18-month software development cycles could somehow hurt the platform. Before the tide really turned, however, I switched to PCs. I had joined PC Magazine, and the editorial staff used them.

That's the Mac's problem! He has nailed it! Apple develops new and vastly improved features (in the range of 150+ [apple.com]) - basically an overhaul of the operating system - every 18 months. Rather than this whole OS X thing, they should have just created a new theme for OS 9 (oooh, maybe with Green highlights) and changed its name every so often...

If you can't taste the sarcasm, just smile and nod...

Huge security risk

We all know the mac has a huge security risk. It's a major issue. From now on OS X is as virus prone as XP. And Apple's DRM has been Hacked. People are pirating the iTMS as we speak.

And in other news, SCO really was attacked from outside by an evil DDOS. Those Open Source Commy Bastards.

Believe everything you read folks. ;-)

OS X is, by and large, more secure than Windows

How many Safari-related security problems have you seen reported? Compared to Internet Explorer?

How many ActiveX-related security problems have you seen on OS X?

How many scripting, or RPC, or buffer overrun-related problems have you seen on OS X?

Have you ever seen any AppleScript-related security problems like the VB-related ones on Windows? (you can call it macros, Windows Scripting Host, .ASP or whatever - it's still VB)

Most of the problems I've seen on OS X thus far are problems in the open source pieces that affect that product across the industry, including distros in Linux. This is one of the few security flaws that is _native_ to OS X - I can't even remember the last one I've seen. And it does require you to go through plenty of hoops - having control over the local DHCP server, for instance.

Yes - we're going to see security problems with OS X. But not ridiculously stupid ones that could have easily been prevented like we've seen on Windows... I think it's silly to even put them in the same league with each other.